Wednesday, July 1, 2026

StarWind Virtual SAN Free: A PowerShell Scripting Quick Start

StarWind Virtual SAN Free is a great HA storage solution for homelabbers and even production. Unlike the trial license, which expires in 30 days, the free license does not expire (stay tuned for the upcoming changes in VSAN Free licensing).

There are some caveats, though: there is no GUI for LUN creation, and support means the community forum. Our engineers will happily help you there.

Management and initial setup run entirely through PowerShell. You can build your own scripts from the included samples, and you’ll want to: the CreateHA script is the most frequently asked-about topic on the forum. What follows covers scripts for both Linux and Windows installations, plus how to standardize deployments across multiple sites.

Deployment workflow

1. Grab the deployment guide for your hypervisor from the resource library. Follow it until you hit the step where you create StarWind Highly Available (HA) devices.

2. Stop there.

3. Create HA devices with the script below, then pick the guide back up where you left off. Check your system against the StarWind VSAN system requirements and the best practices guide before you start.

How to get the scripts?

CreateHA_2 and CreateHA_3 ship inside the StarWindX module, which you install from the same executable as StarWind VSAN itself. The latest build is on the downloads page.

Pick the right hypervisor during download. (Check your confirmation email if you lost the link.)

The Windows installer is straightforward:

1. Run it as Administrator.

2. Hit Next.


3. Select Management Console from the drop-down and tick Integration Component Library. The Windows Management Console works for monitoring even in the Free edition, and neither piece asks for a license key. Just pay attention to what you select.


4. Click Next again.


5. Create a desktop icon if you want one, then hit Next once more.


6. Then click Install.


For Linux-based setups (i.e., bare metal and CVM), grab the installer from the Web UI. Hit the gear icon, then Downloads. Once Management Console and StarWindX are on the box, the samples sit at C:\Program Files\StarWind Software\StarWind\StarWindX\Samples\powershell.

The script

Now, let’s take a look at the script. The script below is pretty much the standard CreateHA_2.ps1 with some minor adjustments; only its parameter block is shown here.

param($addr="172.27.31.198", $port=3261, $user="root", $password="starwind",
      $addr2="172.27.31.199", $port2=$port, $user2=$user, $password2=$password,
      #common
      $initMethod="NotSynchronize",
      $size=1024,
      $sectorSize=512,
      $failover=0,
      $bmpType=1,
      $bmpStrategy=0,
      #primary node
      $imagePath="/mnt/sdb1/volume1",
      $imageName="test2",
      $createImage=$true,
      $storageName="",
      $targetAlias="test2",
      $poolName="pool1",
      $syncSessionCount=1,
      $aluaOptimized=$true,
      $cacheMode="none",
      $cacheSize=0,
      $syncInterface="#p2=172.16.20.231:3260,172.27.21.231:3260",
      $hbInterface="#p2=172.16.10.231:3260,172.27.31.199:3260",
      $createTarget=$true,
      $bmpFolderPath="",
      #secondary node
      $imagePath2="/mnt/sdb1/volume1",
      $imageName2="test2",
      $createImage2=$true,
      $storageName2="",
      $targetAlias2="test2",
      $poolName2="pool1",
      $syncSessionCount2=1,
      $aluaOptimized2=$false,
      $cacheMode2=$cacheMode,
      $cacheSize2=$cacheSize,
      $syncInterface2="#p1=172.16.20.230:3260,172.27.21.230:3260",
      $hbInterface2="#p1=172.16.10.230:3260,172.27.31.198:3260",
      $createTarget2=$true,
      $bmpFolderPath2=""
)


The full parameter list is documented in the configuration guide. A few need explanation.

User and password

The defaults for talking to the service are root/starwind, and they stay the same even if your CVM login uses different credentials. Because the management port (3261) accepts these well-known defaults, keep it reachable only from the management network.

The password is stored encrypted in

C:\Program Files\StarWind Software\Starwind\StarWind.cfg

For CVM and Linux bare-metal deployments, that path is

/opt/starwind/starwind-virtual-san/drive_c/starwind/StarWind.cfg

initMethod

Whether the initial sync happens at creation time. Skipping synchronization when creating devices saves time, which is why the script uses NotSynchronize. You can also set SyncFromFirst, SyncFromSecond, or SyncFromThird to force a full sync from a specific node right away.

size

Device size in MB.

sectorSize

Either 4096 or 512. Linux-based systems require 512, and it works fine on Windows too. VMs running databases sometimes behave oddly with 512.

failover

Set 0 for Heartbeat, 1 for Node Majority. In CreateHA_3.ps1, you can set this parameter to 1 to create a 3-way replica using Node Majority. Node Majority relies only on synchronization links for communication. You can drop the heartbeat line entirely. If you need a 2-way mirrored device with Node Majority, use CreateHAPartnerWitness.ps1 or CreateHASmbWitness.ps1 instead. Learn more about failover strategies here.

bmpType and bmpStrategy (bitmap)

RAM works most of the time. If you’re unsure, or there is no storage faster than the data disk attached, leave it as is. Learn more about the bitmap here.

imagePath

Where the device sits. Watch your forward and backward slashes. In CVM, HA devices sit on a block device that was formatted as XFS when the volume was created.

imageName

Name of the image file (.img). That isn’t the target name yet. Stay consistent; you can use the same name on both nodes.

storageName

Leave it. It’s only used if you’re adding a partner to an existing device.

targetAlias

The iSCSI target alias. Choose it carefully: it can be node-specific, like host1-target1, but in practice target1 is enough, and the same name works on both nodes.

poolName

Leave it. It relates to SMI-S provider work.

syncSessionCount

Leave it. This controls how many iSCSI sessions an HA device establishes over a sync interface; 1 is enough in most cases. You can try 2, but don’t expect a positive performance impact. It’s rarely set higher than that.

aluaOptimized

Leave it as is.

Caching

In most cases you don’t need a cache. Unlike the controller cache, it isn’t battery-backed. Learn more here about how caching works.

syncInterface

The partner’s synchronization IP address(es). This must be a dedicated network that carries no data or management traffic.

hbInterface

The partner’s heartbeat IP addresses. VSAN uses heartbeat only for ping, so you can run it over the data and management links if you want. At least one StarWind communication path should go over a different NIC to avoid split-brain.

For Windows-based installations, the same rules apply. Watch your slashes: the imagePath should look like My computer\C\starwind.
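The post mentions standardizing deployments across sites without showing how. One way to do it, as an added example rather than one of the StarWindX samples, is to keep each site’s overrides in a small JSON definition whose property names mirror the script’s parameters, validate that every node-specific value has both halves, prompt for the service credentials instead of storing them, and splat the result into the stock CreateHA_2.ps1. The site definition below is constructed for illustration; the script path is the default StarWindX install location.

```powershell
# Added example, not a StarWind script. Per-site definition (constructed); property
# names mirror the CreateHA_2.ps1 parameters so they can be splatted straight in.
$siteJson = @'
{
  "addr": "172.27.31.198",  "addr2": "172.27.31.199",
  "imagePath": "/mnt/sdb1/volume1",  "imagePath2": "/mnt/sdb1/volume1",
  "imageName": "vol1",  "imageName2": "vol1",
  "targetAlias": "vol1",  "targetAlias2": "vol1",
  "size": 1024,  "sectorSize": 512,  "initMethod": "NotSynchronize",
  "syncInterface": "#p2=172.16.20.231:3260,172.27.21.231:3260",
  "hbInterface": "#p2=172.16.10.231:3260,172.27.31.199:3260",
  "syncInterface2": "#p1=172.16.20.230:3260,172.27.21.230:3260",
  "hbInterface2": "#p1=172.16.10.230:3260,172.27.31.198:3260"
}
'@

function ConvertTo-HaSplat {
    param([Parameter(Mandatory)][string]$Json)
    $site  = $Json | ConvertFrom-Json
    $splat = @{}
    foreach ($p in $site.PSObject.Properties) { $splat[$p.Name] = $p.Value }

    # Every node-specific value needs both halves; a missing one would silently
    # fall back to the sample defaults (172.27.31.198/.199, "test2").
    foreach ($base in 'addr', 'imagePath', 'imageName', 'targetAlias', 'syncInterface', 'hbInterface') {
        foreach ($key in $base, ($base + '2')) {
            if ([string]::IsNullOrWhiteSpace($splat[$key])) { throw "Site definition is missing '$key'" }
        }
    }

    # Service credentials are prompted for, not stored in the site file.
    $cred = Get-Credential -Message 'StarWind service account (default is root / starwind)'
    $splat['user']      = $cred.UserName
    $splat['password']  = $cred.GetNetworkCredential().Password
    $splat['user2']     = $splat['user']
    $splat['password2'] = $splat['password']
    return $splat
}

# Assumption: default StarWindX sample location.
$scriptPath = 'C:\Program Files\StarWind Software\StarWind\StarWindX\Samples\powershell\CreateHA_2.ps1'
$params = ConvertTo-HaSplat -Json $siteJson

# Show what will be passed (minus the secret) before anything is created.
$params.GetEnumerator() | Where-Object Name -NotLike 'password*' |
    Sort-Object Name | Format-Table Name, Value -AutoSize

# A property name that does not exist in the script is rejected at this call,
# so a typo in the site file fails before any device is touched.
& $scriptPath @params
```

Run it once per site from the management host; the only thing that changes between sites is the JSON, which keeps the device layout, sector size and init method identical everywhere.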

Common issues

Things go sideways. Usually it’s one of five things.

  • It might not work on the first attempt. Remove leftover files from C:\Program Files\StarWind Software\StarWind\headers and from the underlying storage. For CVM and Linux, check /opt/starwind/starwind-virtual-san/drive_c/starwind/headers.
  • Back up your working script. Updating StarWindX overwrites anything saved in the default folder at C:\Program Files\StarWind Software\StarWind\StarWindX\Samples\powershell.
  • StarWindX and StarWind VSAN versions must match. Use the same executable as the installed service version. If you installed VSAN from that executable, you’re fine. For CVM, check the Dashboards view. Compare the VSAN build shown there against the executable by right-clicking it, choosing Properties, then Details.
  • Open ports 3260 and 3261 in the firewall between the nodes (and from the management host for 3261). Port 3261 is for the Management Console; 3260 is for iSCSI.
  • If you’re running multiple iSCSI connections in Windows – like 127.0.0.1 plus two partner IPs – set iScsiDiscoveryListInterfaces to 1. This is Windows-specific, though it also applies to compute-and-storage-separated scenarios.
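Most of the items above can be checked before CreateHA_2.ps1 runs. The script below is an added example, not part of StarWindX: it parses the #pN=ip:port,ip:port interface strings, refuses any that point at a local address (the classic “device created on one node only” mistake), tests TCP 3260 on each partner endpoint and 3261 on the partner’s management address, flags MTU drift between adapters, and compares the StarWindX module version with the installed service binary. The interface strings are the ones from the parameter block above; the service executable path and the assumption that module and service share one version numbering are mine, so verify them against your install.

```powershell
# Added example, not a StarWind script: pre-flight checks run on a node before
# creating an HA device with that node's own parameters.

function ConvertFrom-SwInterfaceString {
    # "#p2=172.16.20.231:3260,172.27.21.231:3260" -> partner number and its endpoints.
    param([Parameter(Mandatory)][string]$Spec)
    if ($Spec -notmatch '^#p(?<partner>\d+)=(?<list>.+)$') {
        throw "Malformed interface string '$Spec' (expected '#pN=ip:port,ip:port')"
    }
    $partner = [int]$Matches.partner
    $endpoints = foreach ($ep in $Matches.list -split ',') {
        $ip, $port = $ep.Trim() -split ':'
        if (-not ($ip -as [ipaddress]) -or -not $port) { throw "Bad endpoint '$ep' in '$Spec'" }
        [pscustomobject]@{ Address = $ip; Port = [int]$port }
    }
    [pscustomobject]@{ Partner = $partner; Endpoints = @($endpoints) }
}

function Test-SwPreflight {
    param(
        [Parameter(Mandatory)][string[]]$InterfaceSpecs,   # this node's syncInterface/hbInterface
        [Parameter(Mandatory)][string]$PartnerAddress,     # the partner's management IP ($addr2)
        # Assumption: default install location of the service binary.
        [string]$ServiceExe = 'C:\Program Files\StarWind Software\StarWind\StarWindService.exe'
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $localIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress

    foreach ($spec in $InterfaceSpecs) {
        foreach ($ep in (ConvertFrom-SwInterfaceString -Spec $spec).Endpoints) {
            # The string must name the partner's IPs, never this node's own.
            if ($localIps -contains $ep.Address) {
                $problems.Add("'$spec' contains local address $($ep.Address); use the partner's IP")
                continue
            }
            $t = Test-NetConnection -ComputerName $ep.Address -Port $ep.Port -WarningAction SilentlyContinue
            if (-not $t.TcpTestSucceeded) {
                $problems.Add("$($ep.Address):$($ep.Port) unreachable; check the partner's firewall")
            }
        }
    }

    $mgmt = Test-NetConnection -ComputerName $PartnerAddress -Port 3261 -WarningAction SilentlyContinue
    if (-not $mgmt.TcpTestSucceeded) { $problems.Add("${PartnerAddress}:3261 (management) unreachable") }

    # MTU has to be aligned across the stack; loopback is skipped because Windows
    # reports an enormous MTU for it.
    $mtus = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notlike 'Loopback*' } |
        Select-Object -ExpandProperty NlMtu | Sort-Object -Unique
    if (@($mtus).Count -gt 1) {
        $problems.Add("MTU differs across adapters ($($mtus -join ', ')); align it or start from 1500")
    }

    # StarWindX and the service must come from the same build. Assumption: the
    # module version and the service binary's product version use the same numbering.
    $module = Get-Module -ListAvailable StarWindX | Sort-Object Version -Descending | Select-Object -First 1
    if (-not $module) {
        $problems.Add('StarWindX module not found; install it from the VSAN executable')
    } elseif (Test-Path -LiteralPath $ServiceExe) {
        $svcVer = (Get-Item -LiteralPath $ServiceExe).VersionInfo.ProductVersion -as [version]
        if ($svcVer -and $svcVer -ne $module.Version) {
            $problems.Add("StarWindX $($module.Version) does not match service build $svcVer")
        }
    }
    return ,$problems
}

# Run on the first node with that node's own interface strings from the sample above.
$issues = Test-SwPreflight -PartnerAddress '172.27.31.199' -InterfaceSpecs @(
    '#p2=172.16.20.231:3260,172.27.21.231:3260',   # $syncInterface
    '#p2=172.16.10.231:3260,172.27.31.199:3260'    # $hbInterface
)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Pre-flight OK' }
```

Run it on each node with that node’s own strings (the #p2 set on node 1, the #p1 set on node 2); an empty result on both sides means the interface, firewall and version problems listed above are ruled out before the script touches storage.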

Adding a partner to an existing device

Make sure every device is synchronized and connected from both replication partners to every node that consumes the storage.

  1. Stop the StarWindService on one node. On CVM or Linux, run:
     sudo systemctl stop starwind-virtual-san

     For Windows, open services.msc and stop the StarWind Virtual SAN service.

  2. Navigate to C:\Program Files\StarWind Software\StarWind. On CVM, the file is at /opt/starwind/starwind-virtual-san/drive_c/starwind/StarWind.cfg.
  3. Make a copy of StarWind.cfg as a backup.
  4. Edit it as described above.
  5. Start the StarWindService.
  6. Wait for fast synchronization to finish.
  7. Repeat on the other node.

What about CreateHA_3?

CreateHA_3 builds a 3-way-mirrored HA device and supports both Node Majority and Heartbeat failover strategies, which is why you need to be careful with the interface parameters.

For a 2-way mirrored HA device using Node Majority, use CreateHAPartnerWitness.ps1 or CreateHASmbWitness.ps1. Those scripts have the same syntax but use only the synchronization networks for heartbeat; they don’t use dedicated heartbeat networks. In CreateHA_3, pay attention to the sync- and hbInterface parameters, and double-check that you’re entering the replication partner IPs, not the local node IPs, for both heartbeat and sync interfaces.

FAQ

Why might replication be taking a while?

Check the $initMethod value and the device size.

Replication fails with error 200

Two things usually cause this. First, check for leftover content in the destination directory or the /headers folder. Second, verify that the interfaces are set up correctly on both primary and secondary nodes.

The device is created on one node but not the other

Verify the interface configuration on both sides.

Sync keeps interrupting

Check MTU values and make sure they’re aligned across the entire stack. If you suspect networking, start with the base MTU of 1500 (shown as 1514 by most Windows drivers).

How do I create a device from an existing .img file?

There isn’t a stock script for that. You’ll need to write your own. Good luck.

Final configuration checks

Creating a device properly is how you avoid split-brain. The script shown above configures redundant paths to keep HA devices resilient against NIC failures.

If you’re deploying StarWind VSAN for the first time, stick to the default CreateHA_2.ps1 parameters. Get the two nodes talking, verify the sync completes, and only then start tuning cache or failover strategies.



from StarWind Blog https://ift.tt/rNc0wF1
via IFTTT

Microsoft named a leader in the Frost Radar for cloud and application runtime security

Cloud security is shifting from visibility to contextual risk reduction, extending into the applications, APIs, and workloads where attacks actually occur. Because modern workloads are built and run in the cloud, security teams must understand which exposures matter most, prioritize what can truly be exploited, and reduce risk across the full stack from infrastructure to application runtime.

As organizations expand across multicloud and hybrid environments, they adopt modern architectures built on containers, Kubernetes, microservices, APIs, and AI-powered workloads. This increases both the volume and interconnectedness of security signals. The challenge is no longer identifying individual risks, but determining how vulnerabilities, identities, and data exposures combine across infrastructure and the applications running on it to create real attack paths, and which of these are most critical to fix at the source. Effective risk reduction depends on understanding which of these paths are actually reachable and exploitable in a live environment.

Frost & Sullivan’s 2026 Frost Radar™ for Cloud/Application Runtime Security (CARS) reflects this shift. The report highlights how cloud security is evolving from a collection of posture and workload capabilities into a unified runtime risk operations model, correlating signals across code, cloud, runtime, applications, and security operations center (SOC) workflows to prioritize and reduce risk continuously.

Within this evolving market, Microsoft is positioned as a visionary leader because of the scale of its hyperscale ecosystem, operational breadth of Microsoft Defender for Cloud when integrated with Microsoft Defender XDR, and large customer base. That recognition reflects where the category is heading: toward platforms that connect cloud and application security into one operational view of risk.

Why cloud security is being redefined

The Frost Radar makes a clear point: cloud security is no longer about visibility or compliance alone. It is becoming an operational discipline for reducing risk across the full runtime—from cloud infrastructure to the application code executing on top of it.

Modern environments introduce complexity across:

  • Multicloud and hybrid infrastructure.
  • Rapid development and continuous deployment.
  • Containers, serverless, microservices, and APIs.
  • AI-powered workloads, agents, and machine identities.

This complexity exposes the limits of traditional, siloed tools—where cloud posture, workload protection, and application security each live in their own console. Organizations now need platforms that can:

  • Correlate posture, runtime, identity, data, and application signals.
  • Prioritize risk based on exploitability—not severity alone.
  • Integrate security across development, cloud operations, and the SOC.
  • Validate whether a vulnerability is actually reachable inside a running application.

This is the shift the report describes: from detecting issues to operationalizing risk reduction across the lifecycle—and across both cloud and application layers.

What distinguishes leading platforms

Frost & Sullivan evaluates providers on growth and innovation—but, more importantly, on how effectively they help organizations manage real risk. Five themes define the next generation of platforms:

  1. Platform unification over point solutions.
  2. Code-to-cloud-to-SOC integration.
  3. Risk prioritization based on exploitability.
  4. Correlation across identity, data, cloud, and application context.
  5. Expansion into AI-powered workloads.

Taken together, these capabilities represent a move from fragmented visibility to connected, contextual risk management that spans cloud detection and response (CDR) and application detection and response (ADR)—the two halves the market is converging into a single runtime fabric.

How Microsoft helps organizations manage real risk

1. Connect signals to prioritize real attack paths

Most security tools surface large volumes of findings across cloud infrastructure and applications, but isolated findings do not reflect how cyberattacks actually happen. Threat actors exploit how misconfigurations, excessive permissions, and data exposure combine to create a path to critical assets.

Microsoft Defender for Cloud correlates posture, identity, data, and runtime signals to identify which risks are truly exploitable. A misconfigured storage resource on its own may appear low priority. However, when it is exposed to the internet, combined with excessive access permissions, and connected to sensitive data, it becomes part of a clear attack path that can be used to compromise the environment.

What this means: Security teams can prioritize real attack paths instead of individual findings, helping to reduce alert fatigue and improve remediation speed and precision.

2. Continuously validate and act on risk across the lifecycle

Security needs to operate continuously across development, runtime, and operations, spanning both the application and the cloud environment it runs in. Defender for Cloud connects insights across code and infrastructure definitions, cloud configuration and runtime context, application and API layers, and security operations workflows through Defender XDR.

A vulnerability identified before deployment can be tracked through to runtime, where it is evaluated in the context of the running environment and surfaced in security operations if it is determined to be exploitable.

What this means: Organizations can continuously validate risk and respond more effectively by connecting development, cloud environments, and security operations.

3. Reduce complexity across fragmented cloud and application security workflows

As environments scale, fragmented tools and workflows make it difficult to understand how risks connect and where to focus first. When cloud infrastructure and application security are managed separately, investigation becomes slower and more manual.

Defender for Cloud helps bring these signals together in a single investigative flow, where risks can be analyzed across configuration, runtime context, application behavior, and identity exposure.

Instead of switching between separate tools, security teams can investigate a single incident across its initial misconfiguration, runtime impact, application behavior, and identity exposure, a more connected experience.

What this means: Security teams can investigate faster, prioritize risk more efficiently, focus on what matters most, and respond more quickly across fragmented cloud and application environments.

What this signals for security leaders

The Frost Radar offers a signal for where cloud security is headed: toward platforms that connect context across cloud and application environments so teams can prioritize the risks most likely to be exploited and reduce exposure faster. Security leaders should now ask:

  • Can the platform correlate signals across identity, endpoints, data, cloud, runtime, and applications?
  • Does it span the full code-to-cloud lifecycle—and reach into the SOC?
  • Can it prioritize risk based on exploitability—not just severity?
  • Does it bring cloud detection and response together with application detection and response?
  • Can it scale across multicloud and AI environments?

These are the capabilities that define the next generation of cloud and application runtime security.

Bottom line

Frost & Sullivan’s 2026 CARS analysis reinforces a clear shift: cloud security is moving from fragmented visibility to unified, contextual risk management across the entire lifecycle—and across both the cloud and the application layer.

Microsoft’s position as a visionary leader in the Frost Radar reflects this shift—bringing together posture, runtime, identity, endpoints, data, and application signals into a connected platform that helps organizations prioritize and reduce risk continuously.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft named a leader in the Frost Radar for cloud and application runtime security appeared first on Microsoft Security Blog.



from Microsoft Security Blog https://ift.tt/yS2zpDX
via IFTTT

HCP Terraform Powered by Infragraph Limited Availability Launch

Migrating to the cloud was supposed to make infrastructure easier to provision and manage. For many enterprises, the reality has become much more complicated. New pain points emerged that undermine the cloud’s speed, security, and scale.

Take the “normal” state for organizations now: infrastructure data stored in silos. As a result, rarely is there a unified picture of what's happening across hybrid and multi-cloud environments. Instead, platform teams cobble it together themselves — or end up buying different tools to help, creating even more sprawl. They struggle to track who owns and is responsible for different resources. Security patching and risk mitigation get harder, complexity grows, and costs escalate.

This is where HCP Terraform powered by Infragraph helps.

Infragraph now in limited availability

We’re excited to announce that HCP Terraform powered by Infragraph is now available to current HCP Terraform Standard and Premium customers using HCP Terraform in US instances. With the move to limited availability, the Infragraph connector ecosystem is increasing to include Microsoft Azure, GitHub, and Terraform Enterprise with more to come in the future. Additionally, users will see updates to the graph explorer and query builder, giving them better visibility and tools to gain insights into their data. All of this, along with continued improvements around UX, usability, onboarding, and user role assignments are launching in this release.

In this limited availability release, eligible teams can explore their cloud infrastructure through a live, connected view of resources, relationships, and state to help them better understand ownership, identify issues, and take action faster. This gives teams a powerful new way to explore, understand, and act on their cloud infrastructure.

Recap: connectors and what’s available

Infragraph connects directly to your cloud and infrastructure sources to map out relationships and surface insights. Today, you can leverage connectors across environments like AWS and Azure, bringing together infrastructure, configuration, and state data into a unified graph view.

With these connectors, you’re able to go beyond static inventories to being able to understand how resources relate, where risk lives, and what requires action.

See all managed volumes, mapped through their VMs and VPCs

With this in mind, here are some quick ways to start deriving value from Infragraph.

Queries our customers are using today

Infragraph uses a query interface to allow users to view and search through their data. It enables users to build queries to gain insights about their infrastructure estate through low code and JSON queries with future support for NL2Q. 

Teams are already using Infragraph queries to answer critical operational questions in seconds. One example query shows all the Git commits that start with the keyword COMPLIANCE together with their associated Git branch, repository, and organization.

Graph Query Example
  • View AWS/Azure resources connected to the same .tfstate
    Understand how infrastructure managed by Terraform is linked, making it easier to assess blast radius and dependencies.

View TF state file managed VMs (or resource groups) across AWS and Azure (the blue nodes and the red nodes clusters around them are Azure resources; and the red nodes clustered around the brown TF state file node are the AWS resources)
  • View security rules and regions of EC2 instances
    Quickly audit configurations, identify exposure risks, and ensure resources are deployed in expected regions.

  • See what’s not under management
    Surface unmanaged or orphaned resources to improve governance and reduce unexpected costs.

These queries turn complex infrastructure data into actionable insights for platform team leaders and engineers, DevOps and SecOps teams, and beyond — no manual stitching required. With the right unified data and context, teams can put their energy into mission-critical updates instead of wasting cycles collecting and verifying data from varied sources that quickly goes out of date.

Share these queries with your team

Insights are most powerful when they’re shared. Infragraph makes it easy to operationalize queries across your team:

Step 1 – Add your team

Invite teammates to Infragraph as contributors or viewers so they can collaborate on insights.

Step 2 – Create and save a query

Build a query tailored to your use case and save it to your query catalog.

Step 3 – Share for action

Link the saved query directly with teammates so they can investigate and take action.

Step 4 – Revisit and stay up to date

Queries stay live — revisit them anytime to see how your environment is evolving.

The best way to begin getting value is by exploring Infragraph saved queries and adding your team today!

Get started

Start turning infrastructure visibility into action. Learn more about how to get started with Infragraph today!



from HashiCorp Blog https://ift.tt/aQw7chL
via IFTTT

ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365

  • Cisco Talos identified a fully-featured phishing-as-a-service (PhaaS) operator panel, branded "ARToken," that shares infrastructure, API contracts, and operational patterns with the EvilTokens platform documented by Sekoia and Microsoft in early 2026.
  • The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token (PRT) persistence, email access, business email compromise (BEC) operations, and SharePoint exfiltration — all accessible to operators through a React-based dashboard.
  • Analysis of the platform's publicly served JavaScript bundle reveals the complete post-compromise toolkit available to affiliates, including capabilities not previously detailed in public reporting on EvilTokens.
  • The phishing kit deploys a seven-layer anti-analysis system combining client-side behavioral verification with XOR-encrypted payloads, a more sophisticated evasion approach than the server-side X-Antibot-Token mechanism documented in prior EvilTokens research.

Background: EvilTokens and device code phishing-as-a-service


In March 2026, Sekoia published a two-part analysis of EvilTokens, a PhaaS platform that abuses Microsoft's OAuth 2.0 Device Authorization Grant (RFC 8628) to capture victim tokens while bypassing multi-factor authentication (MFA) entirely. Microsoft confirmed the campaign's scale in April 2026, noting significantly higher success rates than previous device code attacks, AI-powered personalized lures, and a post-compromise pipeline that included automated device registration for persistent access.

By the time of Microsoft's publication, Sekoia had documented approximately 500 Cloudflare Workers domains and over 1,000 total phishing pages operating under the EvilTokens umbrella, with affiliates targeting finance professionals, HR staff, and logistics personnel across global regions.

EvilTokens' second-stage capabilities, revealed in Sekoia's Part 2 research, include an AI-augmented BEC pipeline chaining Groq-hosted Llama models for financial exposure scoring and GPT-4o-mini for email translation, producing three tailored BEC scenarios per compromised mailbox. The platform sells access at $1,500 one-time plus $500/month, with a standalone "Portal Browser" for $500 lifetime.

The lure in the wild: Vendor-impersonation invoice fraud

Most public reporting on EvilTokens covers the panel and the kit. What it has not shown is how an ARToken lure actually reaches an inbox. Talos recovered two near-identical messages, sent roughly four minutes apart on April 20, 2026, that initiate the chain. The tradecraft is targeted, not spray-and-pray.

Figure 1. A sample ARToken phishing email

The messages spoof an accounts-payable contact at a legitimate Wisconsin contractor, addressed to an accounts-payable recipient at a U.S. life-sciences company — abusing a real vendor relationship rather than inventing a sender. The lure theme is an outstanding-invoice query ("the following invoices appear to still be outstanding… advise when this will be processed"), the kind of message accounts-payable staff are conditioned to act on. Other features of note in this email include:

  • The From header presents the vendor's real domain, but Reply-To quietly redirects replies to an unrelated domain — a classic reply-pivot that keeps any victim response away from the spoofed organization.
  • All three checks fail: SPF, DKIM (body-hash mismatch), and DMARC (compauth=none reason=405). The display identity is not authenticated from the sending path.
  • Each message carries short random hex strings and an inline signature image (pumber.png), consistent with light per-message mutation to frustrate exact-match content rules.
  • The visible anchor text reads as the vendor's genuine SharePoint tenant: “https[:]//mononapfp.sharepoint[.]com/:f:/document/INV-IgCx1X50pgUjR7iAjZL2fuQaAW4GfKVs6wHT3BYv9sgwW7g”

However, the actual href points to a near-identical look-alike tenant — the vendor's name with the .com folded directly into the tenant label — under a different, attacker-controlled Microsoft 365 workspace. Because the destination is still a genuine sharepoint.com host, it inherits SharePoint's clean reputation: “https[:]//mononapfpcom.sharepoint[.]com/:f:/g/IgAdH_aaBPMcQbtINZzC1TsLARj3dHj63MnKjvnY-QJrKEc"
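Those observations reduce to checks that can run over a raw message before anyone clicks. The script below is an added example written here, not Talos tooling. The message it parses is constructed to mirror the lure just described (spoofed vendor From, unrelated Reply-To, failing SPF/DKIM/DMARC with compauth=none reason=405, an inline signature image, and an anchor whose text shows one SharePoint tenant while its href goes to a look-alike tenant), with placeholder domains in place of the real vendor and target.

```powershell
# Added example (not from the Talos report): header and link triage for the
# vendor-impersonation lure. The message is constructed with placeholder
# domains; only its structure mirrors the real sample.
$rawMessage = @'
From: Accounts Payable <ap@vendor.example>
Reply-To: ap-vendor@unrelated-reply.example
To: payables@target.example
Subject: Outstanding invoices
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=vendor.example; dkim=fail (body hash did not verify) header.d=vendor.example; dmarc=fail action=none header.from=vendor.example; compauth=none reason=405
Content-Type: text/html

<html><body><p>The following invoices appear to still be outstanding.</p>
<a href="https://vendorcom.sharepoint.com/:f:/g/IgAdH">https://vendor.sharepoint.com/:f:/document/INV-1234</a>
<img src="cid:pumber.png"></body></html>
'@

function Get-MailDomain {
    # Domain part of "Name <user@domain>" or a bare address; $null if absent.
    param([string]$HeaderValue)
    if ($HeaderValue -match '@([A-Za-z0-9.-]+)') { return $Matches[1].ToLower() }
}

function Get-UrlHost {
    # Host of an absolute URL; $null for plain text so non-URL anchor text is skipped.
    param([string]$Text)
    $uri = $null
    if ([uri]::TryCreate($Text.Trim(), [UriKind]::Absolute, [ref]$uri)) { return $uri.Host.ToLower() }
}

function Test-LureIndicators {
    param([Parameter(Mandatory)][string]$Raw)
    # Headers end at the first blank line; the rest is the HTML body.
    $headerText, $body = $Raw -split '(?m)^\r?$', 2
    $headers = @{}
    foreach ($line in ($headerText -split "`n")) {
        if ($line -match '^([\w-]+):\s*(.*)$') { $headers[$Matches[1].ToLower()] = $Matches[2].Trim() }
    }
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Reply pivot: replies leave the spoofed organization.
    $fromDomain  = Get-MailDomain $headers['from']
    $replyDomain = Get-MailDomain $headers['reply-to']
    if ($replyDomain -and $replyDomain -ne $fromDomain) {
        $findings.Add("Reply-To domain '$replyDomain' differs from From domain '$fromDomain'")
    }

    # 2. Authentication: anything other than pass means the displayed identity
    #    was not authenticated from the sending path.
    $auth = $headers['authentication-results']
    foreach ($check in 'spf', 'dkim', 'dmarc') {
        if ($auth -match "(?i)\b$check=(\w+)" -and $Matches[1] -ne 'pass') {
            $findings.Add("$check=$($Matches[1])")
        }
    }

    # 3. Look-alike tenant: anchor text and href both sit on sharepoint.com,
    #    but the hosts differ.
    $linkRegex = '<a\s+[^>]*href="(?<href>[^"]+)"[^>]*>(?<text>[^<]+)</a>'
    foreach ($m in [regex]::Matches([string]$body, $linkRegex, 'IgnoreCase')) {
        $hrefHost = Get-UrlHost $m.Groups['href'].Value
        $textHost = Get-UrlHost $m.Groups['text'].Value
        if ($textHost -and $hrefHost -ne $textHost) {
            $findings.Add("Anchor text shows '$textHost' but href goes to '$hrefHost'")
        }
    }
    return ,$findings
}

Test-LureIndicators -Raw $rawMessage
```

On the constructed message this reports the Reply-To mismatch, spf=fail, dkim=fail, dmarc=fail and the tenant mismatch between vendor.sharepoint.com and vendorcom.sharepoint.com. The third check is the one worth keeping in a mail-flow rule: a reputation lookup on the href host passes, because it really is sharepoint.com, so the signal has to come from comparing the host the user sees with the host the browser opens.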

Discovery: The ARToken Panel

Figure 2. ARToken login page.

During investigation of phishing infrastructure targeting a Talos IR engagement, we identified a management panel at “dashboard-bl.pamconj[.]com” serving a React single-page application (SPA) with a 1.7MB compiled JavaScript bundle. The page title reads "ARToken Panel."

SPA architecture exposes all client-side code including routes, UI labels, component logic, and API endpoint paths in the JavaScript bundle regardless of authentication state. No credentials were required or bypassed.

The associated command-and-control (C2) API operates at “spx.pamconj[.]com”, and phishing lures deploy through Cloudflare Workers accounts including “clear90489058903-document.workers[.]dev”.

Linking ARToken to EvilTokens

The connection between ARToken and EvilTokens rests on multiple overlapping technical indicators:

  • Identical API contract: ARToken's phishing kit issues POST /api/device/start with a JSON body containing userId, clientMode: "broker", login_hint, and redirect_url. The C2 responds with device_code, user_code, verification_uri, and expires_in matching the EvilTokens API contract documented by Sekoia exactly.
Figure 3. Code request logic.
Figure 4. Code handling logic.
  • Shared clientMode: "broker" semantics: This parameter instructs the backend to use Microsoft's Authentication Broker (WAM) flow for PRT acquisition. It is not a standard OAuth parameter; it is specific to EvilTokens' implementation of persistent token capture.
  • Matching deployment model: Both platforms deploy phishing lures to Cloudflare Workers using UUID-prefixed subdomain patterns. ARToken uses {uuid}-docviewer.workers.dev, {uuid}-onedrive.workers.dev, and {uuid}-adobe2.workers.dev. EvilTokens uses [service]-[random].[target]-s-account.workers.dev. The naming convention and lure themes (Adobe, OneDrive, document viewers) overlap directly.
  • Identical PRT lifecycle: ARToken's API surface includes /prt/setup, /prt/refresh, /prt/renew, /prt/reacquire, and /prt/cookie, the same Primary Refresh Token persistence chain Sekoia documented as EvilTokens' core differentiator over traditional AitM phishing platforms.
  • Shared operational model: Both platforms operate as multi-tenant PhaaS with isolated operator workspaces, Telegram bot notifications on token capture, subscription-based access, and template editors for lure customization.

Technical analysis: The phishing kit

The kit gates its payload behind a seven-layer anti-analysis check, all of it evaluated client-side:

Layer  Mechanism                        Purpose
1      User-Agent regex                 Blocks headless browsers, Selenium, Puppeteer, Playwright, crawlers, wget, curl
2      navigator.webdriver check        Detects automation frameworks
3      Browser feature fingerprinting   Identifies environments missing window.chrome, navigator.vendor, or touch/mouse APIs
4      Window dimension analysis        Catches headless defaults reporting 0x0 outer dimensions
5      Interaction telemetry            Requires 3+ mouse moves or 1+ touch events before enabling the payload
6      Timing gate                      Minimum 800 ms elapsed since page load
7      Movement pattern analysis        Validates mouse coordinate trajectories for organic (non-linear) motion
Figure 5. Human verification logic.
Figure 6. Bot detection logic.

This client-side behavioral verification is notably more sophisticated than the server-side X-Antibot-Token mechanism (SHA-256 of secret + timestamp + "antibot" with a 5-minute validity window) documented in Sekoia's EvilTokens research. The divergence is consistent with EvilTokens' known practice of selling anti-bot pages as a separate product through a dedicated Telegram bot. Affiliates may deploy upgraded or custom anti-analysis modules independently of the core platform.

The phishing payload itself fires on DOMContentLoaded and:

  1. Attempts to steal any existing JWT from localStorage (key: artoken_jwt) for victim session correlation
  2. Extracts the victim's email from the URL ?hint= parameter
  3. Calls the C2 at /device/start with the hardcoded operator UUID 84eb384d-cd3e-4c90-a283-c960ce557913
  4. Displays the returned device code with a countdown timer (default: 900 seconds)
  5. Directs the victim to “microsoft.com/devicelogin”

The kit includes persistAfterPassChange: false, an explicit signal that the operator understands refresh tokens are revoked on password reset and must exfiltrate data or escalate to PRT before the victim responds.

XOR payload encryption

The JavaScript payload is delivered encrypted with a 16-byte XOR key ([233,69,224,219,53,48,213,165,119,243,77,151,101,148,15,227]) and decrypted at runtime. This differs from EvilTokens' documented AES-GCM Web Crypto API encryption. The decoded sample analyzed here represents the inner payload after decryption, consistent with EvilTokens' delivery model of encrypting phishing content and decrypting client-side to evade static analysis by URL scanners.
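For analysts who capture such a blob, the decode step is a plain repeating-key XOR. The block below is an added example, not code from the Talos report or from the kit itself: it applies the key quoted above to a constructed stand-in payload, recovers the key from a known plaintext prefix (a check worth running before trusting a decoded sample, since decoded JavaScript usually starts with a predictable opening), and refuses output that does not begin with that prefix.

```python
"""Repeating-key XOR decoder for an obfuscated JavaScript payload.

Added example, not code from the Talos write-up or from the ARToken kit.
The key is the 16-byte value quoted in the article; the plaintext sample is
constructed here so the round trip and the key-recovery check can be shown.
"""

# Key as reported in the analysis (quoted from the article).
ARTOKEN_XOR_KEY = bytes([233, 69, 224, 219, 53, 48, 213, 165,
                         119, 243, 77, 151, 101, 148, 15, 227])


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, cycling the key. XOR is its own
    inverse, so the same call obfuscates and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key of key_len bytes when the first key_len bytes
    of plaintext are known. Decoded JavaScript usually opens with a predictable
    prefix (an IIFE, a 'use strict' directive, a comment), which is enough."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def decode_with_check(ciphertext: bytes, key: bytes, expected_prefix: bytes) -> bytes:
    """Decode and refuse the result unless it starts with the expected prefix,
    which catches a wrong or mis-ordered key before an analyst reads garbage."""
    plain = xor_repeating(ciphertext, key)
    if not plain.startswith(expected_prefix):
        raise ValueError("decoded payload does not start with the expected prefix; wrong key?")
    return plain


# Constructed sample: a harmless stand-in for the kit's inner payload.
SAMPLE_PLAINTEXT = b"(function(){ console.log('constructed sample payload'); })();"
SAMPLE_CIPHERTEXT = xor_repeating(SAMPLE_PLAINTEXT, ARTOKEN_XOR_KEY)

if __name__ == "__main__":
    recovered = recover_key(SAMPLE_CIPHERTEXT, SAMPLE_PLAINTEXT[:16], 16)
    print("recovered key matches published key:", recovered == ARTOKEN_XOR_KEY)
    print(decode_with_check(SAMPLE_CIPHERTEXT, recovered, b"(function").decode())
```

On a real capture the ciphertext comes from the fetched script rather than from `xor_repeating`, and the key recovery only needs the first 16 bytes of the decoded payload to be guessed correctly.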

The full operator toolkit

The ARToken panel's API surface reveals the complete post-compromise workflow available to operators:

Token management and persistence

Once a victim completes device code authentication, their captured token appears in the ARToken dashboard. Operators can:

  • Refresh tokens to maintain access
  • Escalate to PRT via the /prt/setup → /prt/refresh → /prt/cookie chain, achieving persistence that survives password resets
  • Export and backup tokens in bulk
  • Import tokens from external sources (enabling cross-platform token trading)
  • Share tokens with other operators via generated links with granular permissions

The UI advertises, "PRT-enabled - Persists across password changes."

Email operations (ARTSender)

The built-in BEC tool provides:

  • Full Outlook inbox read access per compromised account
  • Email sending as the victim with BCC batch support and configurable inter-send delays
  • Inbox rule creation for forwarding and auto-deletion (evidence suppression)
  • Keyword-based monitoring across all compromised accounts simultaneously
  • Email attachment access and download

SharePoint and OneDrive access

Operators can browse, upload, download, and manage permissions on victim SharePoint sites and OneDrive files, enabling document theft and malicious file placement for lateral phishing.

Infrastructure automation

The panel integrates directly with Cloudflare's API for:

  • Authenticating via API token or Global API key
  • Listing deployed Workers
  • Deploying phishing templates directly to Workers from the panel
  • Managing allowed origins and worker name prefixes
  • Configuring device code proxy servers

Desktop session browser (ARTBrowser)

A standalone Windows application, functionally equivalent to EvilTokens' "Portal Browser," enables operators to browse victim Microsoft 365 sessions using captured tokens outside the web panel. The admin configures a download URL through the settings panel.

Capabilities not previously documented

Several ARToken features extend beyond what Sekoia's research covered:

Capability | Description
Box Monitor | Cross-account keyword monitoring. Operators define terms and receive matches from all compromised mailboxes
Inbox rule manipulation | Programmatic creation of forwarding and hiding rules for evidence suppression
Token import | Ingest tokens captured by other tools or purchased externally
Shared access links | Collaborative token access between operators with role-based permissions
Geo-dynamic templates | Lure placeholders ({city}, {country_code}, {state}) that resolve based on victim geolocation
Full SharePoint operations | Site resolution, file upload/download, permission management

These features indicate the platform is more mature than a simple device code phishing kit — it is a complete BEC operations environment.

MITRE ATT&CK techniques

Tactic | Technique | ID
Initial Access | Phishing: Spearphishing Link | T1566.002
Credential Access | Steal Application Access Token | T1528
Persistence | Account Manipulation: Additional Cloud Credentials | T1098.001
Collection | Email Collection: Remote Email Collection | T1114.002
Lateral Movement | Use Alternate Authentication Material: Application Access Token | T1550.001
Impact | Account Access Removal | T1531
Resource Development | Acquire Infrastructure: Web Services | T1583.006
Stealth | Obfuscated Files or Information | T1027
Stealth | Virtualization/Sandbox Evasion: System Checks | T1497.001

Indicators of compromise

The IOCs can also be found in our GitHub repository here.



from Cisco Talos Blog https://bit.ly/4blItwC
via IFTTT

Microsoft Accelerates Post-Quantum Cryptography Shift to 2029

Microsoft on Tuesday said it's accelerating its quantum safe security roadmap, stating technology advances in quantum computing are making it essential to replace existing encryption standards sooner than previously expected.

"Advances in quantum research and development have shifted the risk horizon," Mark Russinovich, chief technology officer of Microsoft Azure, said. "We believe cryptographically relevant quantum computers could arrive sooner than previously expected – and the work required to prepare is significant, so organizations need to start now."

To that end, the Windows maker is speeding up the Microsoft Quantum Safe Program (QSP) timeline with the goal of transitioning critical products and services to post-quantum cryptography (PQC) by 2029. The company is also planning to incorporate PQC requirements into its Secure Future Initiative (SFI).

Some key focus areas include upgrading network cryptography by adopting TLS 1.3, building crypto-agility for stored data to facilitate the ability to change cryptography without having to redesign the underlying systems, and transitioning to PQC algorithms to secure trust chains, such as code signing, certificate issuance, key protection, and update pipelines.

"This brings quantum-safe readiness into the same disciplined engineering framework we use for other critical security outcomes: clear ownership, measurable milestones, and transparent progress," Russinovich said. "Embedding these capabilities into our platforms empowers customers to move sooner and more confidently."

Microsoft also noted that crypto-agility is essential for post-quantum migration, calling for the need to remove hard-coded algorithm assumptions, persist adequate information to reconstruct the cryptographic context, and build systems such that algorithm upgrades become routine engineering tasks rather than emergency rewrites.
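Those three requirements (no hard-coded algorithm assumptions, enough persisted context to reconstruct the cryptographic setting, upgrades as routine work) come down to a self-describing envelope. The block below is an added example, not Microsoft's code: every blob starts with an algorithm version byte, the reader dispatches on it so legacy data stays readable, and the writer always emits the newest registered version. The two "algorithms" are encrypt-then-MAC constructions built from HMAC in counter mode so the example runs on the standard library alone; they are stand-ins for real AEADs and the key ring values are constructed.

```python
"""Versioned, self-describing ciphertext envelope illustrating crypto-agility.

Added example, not Microsoft code. Blob layout: version || nonce || ciphertext || tag.
The two registered versions are HMAC-based stream constructions chosen only so
this runs without third-party packages; they stand in for real AEAD algorithms.
"""
import hmac
import os
import struct

# Registry of approved algorithm versions. Registering a new version is the
# routine engineering task; no other code path needs to change.
ALGORITHMS = {
    1: {"name": "hmac-sha256-ctr + hmac-sha256-128", "hash": "sha256", "nonce_len": 12, "tag_len": 16},
    2: {"name": "hmac-sha3_256-ctr + hmac-sha3_256-256", "hash": "sha3_256", "nonce_len": 16, "tag_len": 32},
}
CURRENT_VERSION = 2

# Constructed key ring: one independent master key per version (sample values).
KEY_RING = {
    1: bytes.fromhex("00" * 16 + "11" * 16),
    2: bytes.fromhex("22" * 16 + "33" * 16),
}


def _subkeys(version: int) -> tuple:
    """Derive separate encryption and MAC keys for a version from its master key."""
    h = ALGORITHMS[version]["hash"]
    master = KEY_RING[version]
    return hmac.new(master, b"enc", h).digest(), hmac.new(master, b"mac", h).digest()


def _keystream(hash_name: str, key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode: concatenate HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hash_name).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, version: int = CURRENT_VERSION) -> bytes:
    """Write a blob. The version parameter exists only so the example can
    produce legacy blobs; production writers always use CURRENT_VERSION."""
    alg = ALGORITHMS[version]
    enc_key, mac_key = _subkeys(version)
    nonce = os.urandom(alg["nonce_len"])
    stream = _keystream(alg["hash"], enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = bytes([version]) + nonce
    tag = hmac.new(mac_key, header + ct, alg["hash"]).digest()[: alg["tag_len"]]
    return header + ct + tag


def decrypt(blob: bytes) -> bytes:
    """Read any registered version. The tag covers the version byte and nonce,
    so downgrading the header is detected; verify before touching ciphertext."""
    if not blob:
        raise ValueError("empty blob")
    version = blob[0]
    if version not in ALGORITHMS:
        raise ValueError(f"unknown algorithm version {version}")
    alg = ALGORITHMS[version]
    enc_key, mac_key = _subkeys(version)
    n, t = alg["nonce_len"], alg["tag_len"]
    if len(blob) < 1 + n + t:
        raise ValueError("blob too short")
    header, ct, tag = blob[: 1 + n], blob[1 + n : -t], blob[-t:]
    expected = hmac.new(mac_key, header + ct, alg["hash"]).digest()[:t]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(alg["hash"], enc_key, header[1:], len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def needs_rewrap(blob: bytes) -> bool:
    """True when the blob was written with an older version than the current one."""
    return bool(blob) and blob[0] < CURRENT_VERSION


def rewrap(blob: bytes) -> bytes:
    """Migration step: read with whatever version the blob declares, write with the newest."""
    return encrypt(decrypt(blob)) if needs_rewrap(blob) else blob
```

The migration Microsoft describes is then a background job that calls `rewrap` over stored blobs; once none report `needs_rewrap`, version 1 can be retired from the registry and its key destroyed.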

"Crypto-agility requires either self-describing cryptographic metadata or versioned ciphertext formats so implementations can read legacy data while writing with the newest approved algorithms," it explained. "A well-designed crypto-agile system should aim to read older ciphertext formats long enough to support migration, while writing new data with the newest approved configuration."

The development comes days after U.S. President Donald Trump signed an executive order setting hard deadlines for federal agencies to move high-value assets and high-impact systems to PQC.

Earlier this March, Google announced a new program in its Chrome browser to ensure that HTTPS certificates are secure against the future risk posed by quantum computers. That same month, the tech giant publicly committed to migrating its own infrastructure to be quantum secure by 2029. Web infrastructure company Cloudflare has also followed suit with similar plans to move towards PQC by the same year.

The threat is compounded by what's called "harvest now, decrypt later," where adversaries can collect encrypted data now in hopes of decoding it later once a large-scale quantum machine becomes operational.

What's more, a team of researchers from Google disclosed it had drastically improved upon the quantum algorithm to break elliptic curve cryptography, specifically the 256-bit elliptic curve discrete logarithm (ECDLP-256), using fewer qubits and gates than previously realized.

Separately, a group of academics from Caltech and Oratomic demonstrated a new error-correction approach that could make Shor's algorithm practical with as few as 10,000 reconfigurable qubits and potentially break RSA-2048 and P-256.



from The Hacker News https://bit.ly/3TdcwQT
via IFTTT

Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware

Large language models keep inventing web addresses that do not exist. Attackers have started buying those made-up domains before anyone else can, then hosting phishing pages on them to catch traffic that AI tools point their way.

Palo Alto Networks' Unit 42 calls the trick phantom squatting, and its new research shows it is already happening in the wild.

The reason it matters is trust. Developers and AI assistants increasingly treat the links a model hands back as real. When a model invents a domain that does not exist yet, whoever registers it first inherits all of that misplaced trust, with no phishing email and no malicious ad required.

To measure the problem, Unit 42 asked two AI models 685,339 questions about 913 well-known brands across technology, finance, healthcare, government, gambling, and other sectors.

The models produced 2.1 million links. Threat intelligence already flagged 13,229 of them as outright malicious, meaning the AI was handing out known-bad addresses. Roughly 250,000 of the invented domains had no owner yet, each a ready target for whoever registers it first.

How phantom squatting works

The attack works because a brand-new domain has no reputation. Blocklists, threat feeds, and reputation scores all need a site to misbehave for a while before they flag it.

A freshly registered phantom domain has no such record, so those filters have nothing to flag. By the time they catch up, the victim has already been sent to the site by a tool they trust.

Two details make it worse. The fake domains were not sitting in the training data: both models shipped before the real malicious sites existed, so the addresses come from the models' own language patterns, not memory. And those patterns are consistent.

Different models often invent the same fake domain for the same question, which makes an attacker's next target easy to guess. Turning up a model's "creativity" setting only produced more invented domains. As Unit 42's researchers put it, the vector "exploits a structural property of LLM architectures that remains inherently unpatchable."

Two observed cases

Two cases show the full loop. On March 8, 2026, Unit 42's system predicted that AI models would invent a domain resembling a national postal service's online marketplace. Both models generated it at every temperature setting, a strong sign that they treated the fake site as fact.

Twenty-three days later, on March 31, an attacker registered that exact domain and stood up a phishing kit named Montana Empire. The kit copied the real storefront in real time. It stole card numbers, bank-transfer details, and national ID data.

A Telegram bot lets the operator approve victims' one-time passcodes by hand. The giveaway: leftover project files and session logs showed the criminal had built the kit with an AI coding assistant. Attacker and defender reached the same fake domain the same way, by asking an AI.

In the second case, Unit 42 flagged a hallucinated postal-service domain a full 51 days before an attacker registered it. The attacker then wrapped it in a pixel-perfect brand clone, added a fake 4.8-star rating and a claim of over two million users, and used it to push a malicious Android app.

Other detected domains impersonated a major UAE bank that an attacker had already been abusing for nearly a year, a European bank, and sports-betting sites aimed at users in Bangladesh.

An old trick with a new target

Phantom squatting is the domain version of slopsquatting, where attackers register the fake software package names that AI coding tools invent. That is not a hypothetical.

A large USENIX study found code-generating models routinely suggest package names that do not exist, and the PhantomRaven campaign turned exactly that behavior into malware hidden in 126 npm packages with more than 86,000 installs.

It points to a larger shift: model output is becoming input. Developers, agents, and security teams act on AI-generated links and names before anyone verifies them, and AI keeps shrinking the time defenders have to react.

It also lands in a world where brand-impersonation phishing is now a paid service, with kits like Lucid and Lighthouse standing up 17,500 fake domains against 316 brands in 74 countries.

What to do

Because models hallucinate consistently, security teams can map which fake domains a model is likely to produce and watch for anyone registering them, often with weeks of warning. For everyone else, the practical steps are simple:

  • Do not trust a link just because an AI gave it. Confirm the domain is the real, official one before you type a password or paste it into code.
  • Keep AI agents from automatically opening or downloading from model-generated links without a check. An agent has no instinct to hesitate the way a person might.
  • Treat anything a model writes as an unverified draft, not an authority.
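The second bullet is the one that can be automated: an agent should only follow a model-emitted link whose host is an official domain of the brand in question. The block below is an added example, not Unit 42's code, using a constructed allowlist; it rejects the usual lookalike shapes (a different registrable domain, the official domain used as a subdomain or as userinfo, punycode hosts, non-web schemes) and returns the held links for a human to review.

```python
"""Allowlist gate for model-generated links.

Added example, not Unit 42 code. OFFICIAL_DOMAINS is constructed for the
demonstration; a real deployment loads the official registrable domains for
each brand the agent is permitted to reach.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: brand -> official registrable domains.
OFFICIAL_DOMAINS = {
    "examplebank": {"examplebank.com", "examplebank.co.uk"},
    "examplepost": {"examplepost.example"},
}


def _hostname(url: str) -> Optional[str]:
    """Extract a comparable host, or None if the URL should not be followed at all."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed input such as an unbalanced IPv6 literal
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return None
    try:
        host.encode("ascii")
    except UnicodeEncodeError:  # raw non-ASCII host: homograph risk, hold it
        return None
    if host.startswith("xn--") or ".xn--" in host:  # punycode label: same risk
        return None
    return host.rstrip(".")


def is_official(url: str, brand: str) -> bool:
    """True only if the host is an official domain of the brand or a subdomain of one."""
    host = _hostname(url)
    if host is None:
        return False
    for domain in OFFICIAL_DOMAINS.get(brand, ()):
        if host == domain or host.endswith("." + domain):
            return True
    return False


def triage_links(urls, brand: str):
    """Split model output into links safe to follow and links held for review."""
    allowed, held = [], []
    for url in urls:
        (allowed if is_official(url, brand) else held).append(url)
    return allowed, held
```

Held links are not necessarily malicious; a brand may have an official domain the allowlist does not know. The point is that the agent does not resolve them on its own, which is exactly the pause a person would take.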

That window is open, and it rewards whoever moves first. The real question, as Unit 42 frames it, is simply whether defenders or attackers reach these domains sooner.



from The Hacker News https://bit.ly/4xP3j14
via IFTTT

Five Ways pfSense Plus Secures Your Networks

pfSense® Plus is trusted by millions of organizations worldwide, from small businesses to large enterprises and government agencies, to secure their networks against an ever-evolving landscape of internet threats. Built on a rock-solid open-source foundation and continuously developed by Netgate®, pfSense Plus delivers enterprise-class security features without the enterprise price tag.

Here are five of the most important security features that make pfSense Plus a compelling choice for organizations serious about network security.

1. Stateful Firewall

At the core of pfSense Plus is a powerful stateful packet inspection firewall that monitors every connection passing through your network. Unlike simple packet filters that evaluate traffic in isolation, stateful inspection tracks the state of every active connection and makes decisions based on the full context of network sessions.

This means pfSense Plus can identify and block malicious traffic that might appear legitimate when examined packet by packet, including spoofed connections, unexpected inbound traffic, and protocols behaving abnormally. Administrators can create granular firewall rules based on source, destination, port, protocol, interface, and time of day, providing precise control over which traffic is permitted and which is blocked.

For organizations managing complex network environments with multiple segments, VLANs, and DMZs, the pfSense Plus firewall provides the flexibility to enforce different security policies across the entire network from a single interface.

2. Intrusion Detection and Prevention

pfSense Plus integrates leading intrusion detection and prevention systems, including Snort and Suricata, to provide deep packet inspection and real-time threat detection across your network traffic.

While the firewall enforces access control based on rules you define, IDS/IPS goes further by analyzing traffic content for known attack signatures, behavioral anomalies, and emerging threats. When a threat is detected, the system can alert administrators, log the event, or automatically block the offending traffic in real time.

This is particularly valuable for detecting threats originating from otherwise legitimate sources, such as compromised internal devices, malware communicating over allowed ports, or exploitation attempts targeting web applications and network services. Regular signature updates ensure protection keeps pace with the latest threat intelligence.

3. VPN – Comprehensive Connectivity for Every Use Case

One of the most versatile capabilities of pfSense Plus is its extensive VPN support, covering both site-to-site connectivity and remote user access across a wide range of protocols and deployment scenarios.

For site-to-site VPNs, pfSense Plus supports IPsec with IKEv1 and IKEv2, providing robust encrypted tunnels between office locations, data centers, and cloud environments. IPsec's broad compatibility makes it the right choice for connecting pfSense Plus to third-party firewalls, cloud gateways, and partner networks. OpenVPN and WireGuard site-to-site tunnels provide a flexible and fast alternative where IPsec may not be practical.

For remote user access, pfSense Plus offers multiple options to match different organizational requirements. OpenVPN provides a mature, widely supported SSL VPN solution compatible with clients on Windows, macOS, Linux, iOS, and Android. It includes support for certificate-based authentication, multi-factor authentication, and split tunneling. WireGuard® delivers a modern, lightweight alternative with significantly faster connection establishment and exceptional throughput, making it ideal for performance-sensitive remote work scenarios. IPsec IKEv2 with EAP authentication provides native compatibility with built-in VPN clients on Windows, macOS, and iOS without requiring additional software installation.

This breadth of VPN options means pfSense Plus can meet the needs of any organization, whether connecting two offices across the country, enabling hundreds of remote workers, or providing secure access to cloud infrastructure, all managed from a single platform.

4. DNS and IP Threat Blocking

pfSense Plus integrates DNS-based blocking, IP reputation filtering, and geographic restrictions to prevent connections to known malicious destinations before they can cause harm. This blocking can be performed using static lists or dynamic block lists provided via subscription services or the security community. This is effective against malware, phishing, ransomware command-and-control infrastructure, and unwanted content categories.

5. High Availability and Failover

Network security is only effective when the network is available. pfSense Plus supports High Availability configurations using the Common Address Redundancy Protocol (CARP), enabling two pfSense Plus instances to operate as an active-passive pair with automatic failover.

In a High Availability deployment, a secondary pfSense Plus instance continuously monitors the primary firewall and assumes all network responsibilities within seconds if the primary becomes unavailable, whether due to hardware failure, software issues, or maintenance. State synchronization between the two instances ensures active connections are preserved across the failover event, minimizing disruption to users and services.

For organizations where downtime carries significant operational or financial consequences, High Availability transforms pfSense Plus from a capable firewall into a resilient, mission-critical security platform. Combined with redundant internet connections and multi-WAN failover, pfSense Plus can eliminate single points of failure across the entire network edge.

Conclusion

pfSense Plus delivers a comprehensive security platform that addresses threats at multiple layers, from stateful packet inspection and intrusion prevention to DNS-based filtering and High Availability. Combined with its extensive VPN capabilities and flexible traffic management, pfSense Plus gives organizations the tools to build a strong, layered security posture without the complexity or cost of traditional enterprise security vendors.

Whether you're protecting a small business, a distributed enterprise, or critical infrastructure, pfSense Plus provides the depth, flexibility, and performance to keep your organization secure.

Explore pfSense Plus features or find the right appliance for your environment



from Blog https://bit.ly/4xXUe65
via IFTTT

Anthropic Restores Claude Fable 5 After U.S. Lifts Jailbreak-Linked Export Controls

Anthropic is putting Claude Fable 5 back online worldwide. On June 30, the U.S. Commerce Department lifted the export controls it had imposed on Fable and its more tightly controlled sibling Mythos 5 about two and a half weeks earlier.

Fable 5 returns to users on Wednesday, July 1, across Claude.ai, the Claude Platform, Claude Code, and Claude Cowork.

Export controls restrict who can receive or use a technology. The June 12 order told Anthropic to cut off both models for any foreign national, inside or outside the United States, including its own non-citizen staff.

The rule took effect at once, and the company had no reliable way to check every user's nationality in real time, so it shut both models down for everyone.

The trigger was a jailbreak: a prompt that gets a model to bypass its safety rules. Amazon researchers found one in Fable 5. By Anthropic's account, the prompt got the model to flag a few software flaws and, in one case, to write code showing how a flaw could be abused.

Anthropic played the finding down. It says the same requests work on plenty of weaker models too, including its own Claude Opus 4.8, OpenAI's GPT-5.5, and China's Kimi K2.7. The company calls the flagged behavior routine defensive security work, not a hidden super-capability.

The government and the partner that reported the jailbreak saw it as serious enough to justify emergency controls.

To settle the concern, Anthropic trained a new safety filter, called a classifier, that watches for the exact technique in the report and blocks it. The company says it now stops that technique in more than 99% of tries, as of the June 30 write-up. Blocked requests get handed to the weaker Opus 4.8 instead, and the user is told. The trade-off is more false alarms on normal coding and debugging.

Mythos 5, the same underlying model with fewer safety guardrails, stays on a shorter leash. Access returned June 26 for roughly 100 U.S. companies and federal agencies that defend critical infrastructure. Anthropic says it is still working with the government to widen access.

Commerce Secretary Howard Lutnick, who signed off on the reversal, said his department had spent two weeks reviewing the models with Anthropic. In his letter, the company agreed to hunt for security problems on its own, coordinate on future launches, and report any malicious use it spots.

The negotiations were reportedly led by co-founder Tom Brown rather than CEO Dario Amodei, who has clashed with the administration for much of the year.

The fight was messy from the start. Multiple reports, including from The Wall Street Journal, said Amazon's research and concerns from CEO Andy Jassy helped drive the original order. Former AI czar David Sacks accused Anthropic of having "prioritized the continued offering of the consumer model over safety." Others read it as an overcorrection.

University of Sydney AI governance researcher Francesco Bailo told Al Jazeera the reversal looked like the government conceding it had gone too far, and a group of security leaders had signed an open letter asking for the controls to be lifted.

Hanging over all of it was competition. The pause landed just as cheap, capable Chinese open-source models were gaining ground, and several executives warned that freezing U.S. models handed rivals free time to catch up.

Anthropic is also proposing something the industry has lacked: a shared way to rank how dangerous a jailbreak really is. With Amazon, Microsoft, Google, and other partners, it wants to score each one on four things:

  • Capability gain: how much further the jailbreak takes a user beyond the tools they already have.
  • Breadth: how many different attacks the same trick unlocks.
  • Ease of weaponization: how much skill and effort it takes to turn it into a real attack.
  • Discoverability: how easy the trick is to find or copy.

For the worst cases, such as a jailbreak that enables attacks on power grids or banks, Anthropic says it will start deploying fixes the moment severity is confirmed, and it is standing up a team to watch jailbreak reports around the clock.

It also opened a HackerOne program for researchers to report new Fable 5 jailbreaks, and promised the U.S. government earlier access to test future frontier models before release.

Anthropic is not the only lab in this position. Days earlier, OpenAI previewed GPT-5.6 to a small, government-approved group rather than the public, citing the same dual-use worry: a model good enough to help defenders patch bugs is also good enough to help attackers find them.

The risk is not hypothetical. Earlier this spring, Anthropic tested a prior Mythos model that found and exploited zero-day bugs across every major operating system and browser on command, including a 27-year-old flaw in OpenBSD. Its red team turned freshly disclosed bugs into working exploits in under a day.

The immediate crisis is over. The bigger question is not. A June 2 executive order created a voluntary path for companies to have frontier models reviewed before release. It also set up a classified benchmark to decide which models count as "covered," while ruling out any mandatory license to ship one. Fable 5 never went through that path.

The government reached for export controls instead. That is the tell: when Washington wants to move fast on a frontier model, it still has no binding process, only improvised ones.



from The Hacker News https://bit.ly/4eTOjXi
via IFTTT

Tuesday, June 30, 2026

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner.

The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI) application endpoints for obtaining initial access to enterprise networks. The attack was observed over a 19-day window between March 27 and April 15, 2026.

"In this campaign, a single line of Python code evaluated inside an unauthenticated Langflow API endpoint pulls down a shell script, fetches a miner binary, and launches it detached," Trend Micro researchers Simon Dulude and John Zhang said in a technical report published last week.

At a high level, the malware is designed to terminate competing cryptocurrency miner processes associated with Kinsing, WatchDog, Rocke, and Outlaw, delete rival wallet and key material, disable host-level security controls, establish cron-based persistence, beacon to an external server ("83.142.209[.]214:80"), and deploy a custom miner. It can also propagate to other systems through reused SSH keys, effectively turning an exposed Langflow instance into a pathway for broader compromise.

This involves exploiting the Langflow flaw to run an attacker-supplied Python script, which, in turn, is configured to launch a remotely hosted shell script that acts as a dropper whose primary responsibility is to check if a binary called "lambsys" is already running on the host.

Subsequently, it downloads the binary on the machine using curl or wget, launches it as a detached process, and spreads itself to every SSH-reachable host the victim can authenticate to. The binary, an ELF executable written in Go, is also engineered to disable AppArmor, Ubuntu's Uncomplicated Firewall, iptables, SELinux, the kernel NMI watchdog, and Alibaba Cloud's Aliyun agent.

In addition, the malware removes system logs to cover its tracks, and removes the immutable attribute from files such as "~/.ssh/," "~/.ssh/authorized_keys," "/etc/crontab," "/etc/ld.so.preload," "/tmp/," "/var/tmp/," and "/var/spool/cron" in order to make its modifications, and then reapplies the immutable attribute to "/tmp/" and "/var/tmp/."

Illicit cryptocurrency mining operations are known to set the "chattr +i" attribute on these files to ensure that they cannot be modified, renamed, or deleted by any user, including the superuser. The binary's behavior reflects that the threat actor behind the operation is aware of persistence methods adopted by rival cryptojacking groups.

In the final stage, the binary contacts the same server to fetch a TAR archive and extracts from it a bespoke XMRig miner. Once the miner begins execution, the archive file is wiped from the file system. It further sends a request to ipinfo[.]io to obtain the host's public IP address and location, allowing the threat actors to make operational decisions on the fly.

The first is pool selection. Given that mining pools tend to be geographically distributed, connecting the miner to a pool near the victim can minimize latency and maximize hash rate. The second reason behind obtaining this information is geo-fencing, as it gives the threat actors a way to exclude victims in certain regions.

"Lambsys does not run its attack logic as Go functions," the researchers explained. "Instead, it forks a cascade of short-lived sh -c subprocesses, each executing one shell command (one pkill, one chattr, one sysctl). The design trades stealth for reliability. If one of 51 pkill commands fails, the failure is contained to that subprocess, and the other 50 carry on."

Trend Micro said an artifact belonging to the previous iteration of the same binary was compiled in May 2024, indicating that the threat actors behind the campaign have likely been iterating on the family for over two years, while taking steps to evade detection by antivirus tools.
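The sh -c cascade the researchers describe is a usable detection signal: one parent spawning a burst of short-lived shells that each run a single pkill, chattr or sysctl is rare on a healthy host. The block below is an added example, not Trend Micro's detection content, that runs that logic over constructed process-creation events in an assumed `ts= pid= ppid= cmd=` line format (real sources would be auditd execve records or EDR process telemetry) and alerts when a parent exceeds a threshold of such children inside a time window using at least two different utilities.

```python
"""Detect a cascade of one-shot `sh -c` children from a single parent.

Added example, not Trend Micro's code. Log format and sample events are
constructed; the process names below are placeholders, not real indicators.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r'ts=(?P<ts>[\d.]+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+cmd="(?P<cmd>[^"]*)"')
# A shell invoked with -c, with or without a path prefix, capturing what it runs.
SHELL_ONESHOT_RE = re.compile(r"^(?:\S*/)?(?:sh|bash|dash)\s+-c\s+(?P<body>.+)$")
# Utilities the write-up names as the cascade's one-command-per-shell payloads.
SUSPECT_UTILS = {"pkill", "chattr", "sysctl"}

# Constructed process-creation events: parent 4242 fans out shells; 1 and 999 are benign noise.
SAMPLE_LOG = """\
ts=1000.0 pid=4301 ppid=4242 cmd="sh -c pkill -f rival-miner-a"
ts=1000.4 pid=4302 ppid=4242 cmd="sh -c pkill -f rival-miner-b"
ts=1000.9 pid=4303 ppid=4242 cmd="/bin/sh -c chattr -i /etc/crontab"
ts=1001.0 pid=4310 ppid=1 cmd="sh -c /usr/bin/apt-get update"
ts=1001.3 pid=4304 ppid=4242 cmd="sh -c pkill -f rival-miner-c"
ts=1001.8 pid=4305 ppid=4242 cmd="sh -c pkill -f rival-miner-d"
ts=1002.0 pid=4311 ppid=999 cmd="sh -c pkill -f stale-worker"
ts=1002.2 pid=4306 ppid=4242 cmd="sh -c sysctl -w kernel.nmi_watchdog=0"
ts=1002.5 pid=4312 ppid=4242 cmd="/usr/bin/curl -s http://example.invalid/"
ts=1002.9 pid=4307 ppid=4242 cmd="sh -c pkill -f rival-miner-e"
ts=1003.4 pid=4308 ppid=4242 cmd="sh -c 'chattr -i /var/spool/cron'"
"""


def parse_events(text: str) -> list:
    """Parse the constructed line format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": float(m["ts"]), "pid": int(m["pid"]),
                           "ppid": int(m["ppid"]), "cmd": m["cmd"]})
    return events


def oneshot_utility(cmd: str):
    """Return the suspect utility a `sh -c` command runs first, else None."""
    m = SHELL_ONESHOT_RE.match(cmd)
    if not m:
        return None
    tokens = m["body"].lstrip("'\" ").split()
    if not tokens:
        return None
    util = tokens[0].rsplit("/", 1)[-1]  # tolerate /usr/bin/pkill style paths
    return util if util in SUSPECT_UTILS else None


def detect_cascades(events: list, threshold: int = 6, window: float = 10.0) -> list:
    """Alert per parent when >= threshold suspect one-shot shells, spanning at
    least two distinct utilities, occur within `window` seconds."""
    by_parent = defaultdict(list)
    for e in events:
        util = oneshot_utility(e["cmd"])
        if util:
            by_parent[e["ppid"]].append((e["ts"], util))
    alerts = []
    for ppid, hits in by_parent.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            utils = {u for _, u in span}
            if len(span) >= threshold and len(utils) >= 2:
                alerts.append({"ppid": ppid, "count": len(span), "utilities": sorted(utils),
                               "first_ts": span[0][0], "last_ts": span[-1][0]})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_cascades(parse_events(SAMPLE_LOG)):
        print(alert)
```

The two-utility requirement keeps a single admin script that only kills stale workers (parent 999 in the sample) out of the alert path; tune the threshold against a baseline of your own hosts before deploying.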

Over the past year, a number of security flaws in Langflow have come under active exploitation. In June 2025, another critical vulnerability (CVE-2025-3248, CVSS score: 9.8) was abused to distribute the Flodrix botnet malware.

"This cryptocurrency-mining campaign shows how exposed AI application endpoints are becoming another route into enterprise environments," Trend Micro said. "The payload might be familiar, but the delivery vector is not. A Langflow vulnerability gives commodity cryptominer operators a new front door into systems running AI application infrastructure."



from The Hacker News https://ift.tt/2nONzLP
via IFTTT

What the Numbers Say About FIFA 2026 Cyber Risk

The FIFA World Cup 2026 opened on June 11. By that date, according to Check Point Research, the fraud infrastructure targeting it had already been built, staged, and partially deployed. Threat actor activity was pre-planned, months out, across three sectors and at least ten languages.

Check Point Exposure Management published the FIFA World Cup 2026 Cyber Threat Report this month, covering financial services, transportation, hospitality, and gambling. Here are three findings worth reading carefully.

1 in 3 FIFA Partners Can't Block Email Impersonation

Pre-tournament research by Proofpoint found that more than one-third of official FIFA World Cup 2026 partners lack sufficient DMARC enforcement to prevent domain spoofing. That means attackers can send an email that appears to come from a sponsor, a vendor, or a logistics partner, with no technical barrier stopping it.
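"Sufficient DMARC enforcement" is a checkable property of a domain's published record: p=reject or p=quarantine applied to 100% of mail, with no subdomain carve-out. The block below is an added example (not Proofpoint's or Check Point's tooling) that parses DMARC TXT records and reports the gaps; the partner domains and records are constructed, and a real run would fetch the `_dmarc.<domain>` TXT record via DNS.

```python
"""DMARC enforcement check across a set of partner domains.

Added example, not code from Proofpoint or Check Point. Records and domain
names are constructed; in practice each record is the TXT value published at
_dmarc.<domain>.
"""

# Constructed records for constructed partner domains.
SAMPLE_PARTNER_RECORDS = {
    "sponsor.example": "v=DMARC1; p=reject; rua=mailto:dmarc@sponsor.example",
    "vendor.example": "v=DMARC1; p=none; rua=mailto:dmarc@vendor.example",
    "logistics.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "caterer.example": "",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record: str) -> dict:
    """Evaluate one record. 'enforcing' means spoofed mail for the domain is
    quarantined or rejected for the whole mail stream; 'gaps' explains why not."""
    tags = parse_dmarc(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "pct": None, "subdomain_policy": None,
                "enforcing": False, "gaps": ["no valid DMARC record (v=DMARC1 missing)"]}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"policy": None, "pct": None, "subdomain_policy": None,
                "enforcing": False, "gaps": ["missing or invalid p= tag"]}
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    pct = max(0, min(100, pct))
    sp = tags.get("sp", policy).lower()
    gaps = []
    if policy == "none":
        gaps.append("p=none is monitor-only; spoofed mail is still delivered")
    elif pct < 100:
        gaps.append(f"pct={pct} applies the policy to only part of the mail stream")
    if sp == "none" and policy != "none":
        gaps.append("sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        gaps.append("no rua= address, so abuse is not reported back")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "pct": pct, "subdomain_policy": sp,
            "enforcing": enforcing, "gaps": gaps}


def audit_partners(records: dict) -> list:
    """Return the sorted list of domains whose record does not enforce."""
    return sorted(domain for domain, record in records.items()
                  if not dmarc_posture(record)["enforcing"])


if __name__ == "__main__":
    for domain in audit_partners(SAMPLE_PARTNER_RECORDS):
        print(domain, dmarc_posture(SAMPLE_PARTNER_RECORDS[domain])["gaps"])
```

Enforcement only helps if the receiving side checks it, so the same audit is worth running against your own domains: a partner's p=reject does nothing if your gateway ignores DMARC results.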

The World Cup supply chain is enormous: airlines, hotels, broadcast partners, merchandise contractors, and catering companies. Every procurement email traveling that chain is a potential interception point. High transaction volumes, tight deadlines, and the operational chaos of a global event create exactly the conditions that suppress payment verification rigor.

Check Point's attack surface management and digital brand protection capabilities are built for this kind of external exposure, continuously monitoring partner ecosystems for authentication gaps and impersonation infrastructure before attackers can use them.

Fake Sportsbook Apps Surged 60x Above Baseline

A controlled comparison across eight major sportsbook brands, covering 60-day windows in 2025 and 2026 using identical methodology, found zero impersonator app detections in the non-tournament baseline. The pre-tournament window found 64. That is roughly 60 times the baseline rate, concentrated in April and May 2026, and concentrated on Google Play.

At least five distinct developer accounts published apps spoofing two or more different sportsbook brands within hours or days of each other. This is a coordinated multi-brand operation, timed to tournament activation.

The attack surface here extends well beyond the app stores. Check Point Exposure Management also identified active Russian-language Telegram channels operating as fake tipster services, routing followers through referral links to generate affiliate commissions on fraudulent deposits. The channels split their picks across the audience, so roughly half the subscribers always "win" enough to keep depositing. The sportsbook pays the affiliate commission on every conversion.

Check Point's dark web monitoring covers Telegram channels at this depth, giving security and fraud teams visibility into the operations before the tournament-branded content fully activates.

The Fake Hotel and Travel Sites Were Built Two Months Before Kickoff

Check Point Exposure Management tracked monthly registrations of FIFA-themed lookalike domains targeting travel and hospitality services from November 2025 through May 2026. April 2026 alone accounted for 21.9% of the entire 12-month sample, eight weeks before kickoff. March and April together represent 34%.

Hotel and lodging brands account for 56% of the total; travel and tour brands account for another 27%. The sites were built to intercept fans at the point of purchase, when urgency was highest and verification habits were weakest.

A small number of registrars carry most of the infrastructure. GoDaddy, Hostinger, Namecheap, Porkbun, and IONOS together host 56% of the fraudulent domains. One finding worth flagging: the .top TLD accounts for 28% of registrations. .top is a phishing-favored generic TLD with low abuse-response thresholds and cheap registration costs. Actors who want infrastructure that stays up choose it deliberately.

A subset of the domains also has MX records configured. That means they can receive email, run reply-path impersonation, and intercept password-reset flows from victim accounts. This is active phishing infrastructure, registered and staged before the tournament started.
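The last three paragraphs describe an analysis a brand-protection team can reproduce over its own newly-registered-domain feed: flag event-themed lookalikes, weight the cheap abuse-tolerant TLDs and the mail-capable (MX-bearing) ones higher, then aggregate by TLD the way the report's 28% figure does. The code below is an added example, not Check Point's tooling; the keyword lists, weights, and risky-TLD set are assumptions, and every domain, registrar name, and MX flag in the feed is a constructed sample value.

```python
"""Triage newly registered domains for event-themed lookalikes (added example)."""
from collections import Counter

# Assumed signal lists; tune them to the event and sector you protect.
EVENT_TERMS = ("fifa", "worldcup", "world-cup")
SECTOR_TERMS = ("hotel", "lodging", "travel", "tour", "tickets", "booking")
RISKY_TLDS = {"top", "xyz", "icu", "shop", "click"}  # assumption, .top taken from the report
YEAR_TERM = "2026"

# Constructed sample feed of (domain, registrar, has_mx). None of these are real.
SAMPLE_FEED = [
    ("fifa2026-hotels.top", "Registrar-A", True),
    ("worldcup-travel-deals.top", "Registrar-B", True),
    ("fifa-tickets-2026.xyz", "Registrar-C", False),
    ("summerbooking.com", "Registrar-A", True),
    ("cloud-lodging-2026.top", "Registrar-D", False),
    ("fifa-fan-news.com", "Registrar-A", False),
    ("myblog.org", "Registrar-E", False),
]


def split_domain(domain):
    """Return (name, tld) for a registrable domain such as 'a-b.top'."""
    name, _, tld = domain.rpartition(".")
    return name.lower(), tld.lower()


def score(domain, has_mx):
    """Heuristic risk score 0..100 for one registration.

    Weights are assumptions: event brand 40, sector keyword 20, event year 10,
    abuse-tolerant TLD 15, and 15 for MX records because a mail-capable
    domain can run reply-path impersonation, not just host a clone site.
    """
    name, tld = split_domain(domain)
    s = 0
    if any(term in name for term in EVENT_TERMS):
        s += 40
    if any(term in name for term in SECTOR_TERMS):
        s += 20
    if YEAR_TERM in name:
        s += 10
    if tld in RISKY_TLDS:
        s += 15
    if has_mx:
        s += 15
    return min(s, 100)


def triage(feed, threshold=60):
    """Return records at or above the threshold, highest score first."""
    flagged = []
    for domain, registrar, has_mx in feed:
        s = score(domain, has_mx)
        if s >= threshold:
            flagged.append({"domain": domain, "registrar": registrar,
                            "mx": has_mx, "score": s})
    flagged.sort(key=lambda r: (-r["score"], r["domain"]))
    return flagged


def tld_share(flagged):
    """Percentage of flagged domains per TLD, mirroring the report's TLD breakdown."""
    counts = Counter(split_domain(r["domain"])[1] for r in flagged)
    total = sum(counts.values())
    return {tld: round(100 * n / total, 1) for tld, n in counts.items()}


def mail_capable(flagged):
    """Subset that already has MX records: the ones to escalate for takedown first."""
    return [r["domain"] for r in flagged if r["mx"]]


if __name__ == "__main__":
    hits = triage(SAMPLE_FEED)
    for r in hits:
        print(f"{r['score']:3d}  {r['domain']:30s} {r['registrar']:12s} mx={r['mx']}")
    print("TLD share:", tld_share(hits))
    print("escalate (mail-capable):", mail_capable(hits))
```

With the constructed feed, the two mail-capable .top domains rank above the MX-less .xyz one, and the year-plus-sector domain without an event term stays below the threshold; a real deployment would replace the static feed with daily zone-file or certificate-transparency data and resolve MX records live.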

Check Point's phishing and brand protection capabilities continuously monitor for this kind of pre-positioned infrastructure, with a 99% takedown success rate and a mean time to remediation of 12 hours. For organizations whose brands are being cloned at scale ahead of a global event, detection speed and remediation speed are the only variables that matter.

What This Means

Security teams supporting any organization in the financial, travel, hospitality, or gambling sectors should treat the current period as elevated, not because the threat landscape changed with the opening match, but because threat actors were already positioned before it started.

Read the full FIFA World Cup 2026 Cyber Threat Report or contact Check Point Exposure Management if you're seeing escalation.

This article is a contributed piece from one of our valued partners.



from The Hacker News https://ift.tt/fvaNk8z
via IFTTT

Windows 10 End of Life: What Now for Your Old Hardware?

Windows 10 has been the reliable workhorse for millions of users since 2015. On October 14, 2025, Microsoft officially ended support. If you did not opt for Extended Security Updates (ESU), which cover you until October 13, 2026, you get no more free security updates, no feature improvements, and no official technical help. Your PC will still boot and run, but it will become an increasingly attractive target for malware, ransomware, and other threats.

As someone who has been tinkering with hardware, virtualization, and operating systems for years, I’ve seen this cycle many times for older versions of Windows. Today I want to give you practical options – especially for home users and small businesses running perfectly usable older machines.

Option 1: Stay on Windows 10 with Extended Security Updates (ESU)

Microsoft offers a one-year Extended Security Updates program until October 13, 2026. This is not a full support extension – just critical security patches.

For home users / consumers: Enroll via Settings > Update & Security > Windows Update. Enrollment is free if you sync settings with Windows Backup; otherwise you can redeem Microsoft Rewards points or pay a one-time fee (around $30 USD equivalent).

For small businesses with domain-joined or managed machines, check commercial ESU options through volume licensing – these tend to be more structured and potentially costlier.

My take: This buys you one year of breathing room. It’s a good bridge if you need time to plan a migration or hardware refresh. After 2026, you’re on your own unless Microsoft extends it again. Microsoft’s Windows 10 ESU page has the details.

Option 2: Force Windows 11 on Unsupported Hardware with Rufus

You can run Windows 11 on an older, unsupported PC. Many older PCs (pre-8th gen Intel, no TPM 2.0, etc.) are blocked from official Windows 11 upgrades. Rufus – the fantastic open-source tool – makes it easy.

Note: I have also written a post about the FlyOOBE utility, another great tool that lets you avoid ISO downloads and modification. You don’t need any modified ISOs from sources you don’t trust: just two official Microsoft files plus one tiny portable app → modern Windows 11 on your old machine. Check our post Windows 11 on ANY Old PC in 2025: FlyOOBE 2.0 Makes It Easy. FlyOOBE 2.0 is the nicest thing anyone has done for older computers in a decade.

With Rufus, you’ll need to download the latest Windows 11 ISO from Microsoft, run Rufus, select the ISO, and in the options bypass TPM, Secure Boot, RAM, and CPU checks. Create the USB and boot up your system to install/upgrade to Windows 11.

Rufus is flexible. It creates modified Windows 11 installation media that bypasses the TPM/Secure Boot/CPU checks, and you can use it in two main ways:

1. In-place upgrade (keep your files, apps, and settings)

This is the most convenient option for most home users and small businesses.

  • Create the bootable USB with Rufus (select the bypass options).
  • While still running Windows 10, insert the USB, open it, and run setup.exe.
  • During the setup wizard, you should see the option to “Keep personal files and apps”.

This works like a normal Windows 10 → 11 upgrade but on unsupported hardware. Many users successfully do this without losing anything. It’s the path I usually recommend first if your current Windows 10 installation is stable and not too cluttered. You can still debloat your Windows 11 afterwards with Windows ISO Debloater.

2. Clean install (fresh start)

You boot from the Rufus USB and wipe the drive (or a partition). This is cleaner long-term – especially on older hardware – because it removes years of accumulated junk, drivers, and registry clutter. However, you’ll need to reinstall your programs and restore your data from backup.

My practical advice (in the spirit of my blog):

  • If your PC is working fine today → try the in-place upgrade first. It’s faster and less disruptive.
  • If the machine feels slow, has random issues, or you’re moving from HDD to SSD → go for the clean install. The difference in snappiness can be noticeable.

Important notes:

  • Always back up important data before any upgrade (OneDrive, external drive, or NAS).
  • You can also perform an image-level backup (use Free Veeam Agent for Windows) and save the whole system to a file stored on an external USB drive.
  • After installation (especially in-place), Windows Update should still work on unsupported hardware for now, though Microsoft can change this in the future.
  • Test performance after the upgrade. On borderline old hardware, even the in-place version of Windows 11 can feel a bit heavier than Windows 10.

The reality check on performance: On older hardware, Windows 11 often feels noticeably heavier than Windows 10. Higher idle RAM usage, more background processes, more active services, and a more demanding UI can make the system sluggish – especially on 8 GB RAM machines, mechanical HDDs, or older CPUs. Fans spin up more, battery life drops, and everyday tasks feel less snappy. Test thoroughly (dual-boot or VM) before committing. For small businesses, weigh security gains against productivity hits.

Option 3: Switch to Linux – The Smart Long-Term Play for Old Hardware

Linux has matured tremendously and often breathes new life into older PCs.

Why Linux shines here:

  • Lightweight distributions run beautifully on hardware that struggles with modern Windows.
  • Years of security updates, free, no forced upgrades.
  • Excellent for browsing, documents, media, and many business tasks.

Recommendations:

  • Linux Mint Cinnamon or Ubuntu – Most Windows-like for beginners.
  • Linux Mint XFCE or Xubuntu – For low-spec machines.
  • Pop!_OS or Fedora – Strong hardware support.
  • Deepin Linux or Winux – Both look very much like Windows.

For small businesses: Non-critical machines (kiosks, admin stations) migrate well. Test line-of-business software; use web versions or VMs for anything Windows-only.

Office and Outlook on Linux: The Big Question for Home Users and SMBs

This is often the make-or-break point when considering Linux. Many home users and small businesses rely on Microsoft Office files and Outlook for email, calendars, contacts, and collaboration. More often than not, years of email are archived in large PST files stored locally on each workstation (hopefully those important files are backed up).

For general Office work: LibreOffice is the star. It’s free, handles .docx, .xlsx, and .pptx files very well for most needs, and comes pre-installed on many distros. OnlyOffice is another strong contender – especially its desktop version – with a cleaner, more Microsoft-like interface and excellent collaboration features in the paid/self-hosted versions. For simple needs, the web versions of Microsoft 365 work fine in any Linux browser.

LibreOffice is the most prominent completely free, open-source European desktop office suite, offering strong compatibility with Microsoft formats but lacking built-in cloud collaboration.

For browser-based, real-time collaborative suites, CryptPad (France) and Drime (France) are the top low-cost options, with CryptPad offering a robust free tier for encrypted document editing and Drime providing affordable plans starting at €2.39 per month for comprehensive cloud storage and team features.

Drime collaborative cloud

Staying in the Microsoft 365 collaborative ecosystem: You don’t have to abandon M365 entirely. The full web apps (Word, Excel, Teams, etc.) run smoothly on Linux via Chrome, Firefox, or Edge.

Many users create Progressive Web Apps (PWAs) or use tools like Web Apps in Linux Mint to make them feel more like desktop programs. This keeps real-time collaboration, shared calendars, and OneDrive intact without installing anything heavy. The main limitations are slightly fewer advanced features compared to native desktop apps and the need for a reliable internet connection.

Outlook replacements:

  • Thunderbird (free, from Mozilla) is the go-to for most Linux users. It handles multiple accounts, calendars (via add-ons), and tasks well. With the OWL add-on (paid), it integrates nicely with Exchange/Outlook.com accounts.
  • Evolution is another solid choice, especially if you need deeper Microsoft Exchange support.
  • For a modern look, try Mailspring.

These aren’t perfect 1:1 clones of Outlook’s full feature set (especially complex rules or shared mailboxes in larger setups), but they cover 80-90% of what most home users and small businesses actually need.

What about old PST archive files? Outlook’s proprietary PST format isn’t directly readable everywhere, but Linux has good tools. The easiest graphical way is Evolution – it has a built-in PST importer.

Evolution is the only client on Linux that fully supports Microsoft Exchange and Google accounts out of the box without any plugins.

Evolution email client with built-in PST import

Command-line users can install pst-utils (contains readpst) to export emails to standard mbox format for import into Thunderbird or other clients. This works reliably for archived emails, contacts, and calendars in most cases.

Cheaper collaborative alternatives to full M365:

  • OnlyOffice (Community Edition free for small teams) or self-hosted Nextcloud with office apps.
  • Google Workspace — Affordable and excellent real-time collaboration.
  • Zoho Workplace — Often cheaper than Microsoft for small businesses with strong email and docs.

For many small businesses, a mix works best: LibreOffice/OnlyOffice for local work + M365 web or a lighter cloud suite for collaboration. Test your key workflows first – most people adapt quickly.

If you care about data, privacy and

What to Do with Your Old Hardware – Practical Decisions

  1. Still good daily driver? → Linux first, or Windows 10 + ESU for one year.
  2. Needs specific Windows software? → Windows 11 via Rufus (test performance) or isolated Windows 10 machine.
  3. Really ancient? → Repurpose as NAS, media server, or lightweight Linux desktop.
  4. Business critical? → Plan a hardware refresh where compliance demands it.

Final Words

Don’t panic-buy new hardware. Many 2015–2020 machines still have life left. Windows 10 ESU gives breathing room, Rufus unlocks Windows 11 (with caveats), but Linux often delivers the best performance and longevity – especially when paired with LibreOffice, the Thunderbird or Evolution email clients, and selective use of M365 web apps.

Evaluate your real needs (Office compatibility, email archives, collaboration), test in a live USB session, and choose what keeps you secure and productive without unnecessary cost.

Linux has improved a great deal over the past decade. Ten to fifteen years ago the integrations sometimes had rough edges; over time things have smoothed out, with apps that are usable and clean and can replace Microsoft’s tools for a fraction of the cost. We live in a world where you can save money on unnecessary paid licenses. Think about it!

FAQ

What happens after Windows 10 end of support?
Your PC will still work, but it no longer gets regular security updates, feature updates, or technical support from Microsoft unless you enroll in ESU.

Can I keep using Windows 10 safely?
Yes, but only as a temporary option. ESU can buy more time, but it does not add new features or full technical support.

Can I install Windows 11 on unsupported hardware?
Yes, tools like Rufus can bypass some Windows 11 hardware checks, but performance and future update behavior should be tested first.

Is Linux a good option for old PCs?
For many older machines, yes. Lightweight Linux distributions can be faster than modern Windows and still cover browsing, office work, media, and basic business tasks.

Should small businesses replace old Windows 10 PCs?
Not always. Non-critical machines may be upgraded, moved to Linux, or repurposed. Business-critical devices should be reviewed for security, compliance, software needs, and performance.



from StarWind Blog https://ift.tt/wvyRhpU
via IFTTT