Friday, March 27, 2026

LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks

Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if successfully exploited, could expose filesystem data, environment secrets, and conversation history.

Both LangChain and LangGraph are open-source frameworks used to build applications powered by Large Language Models (LLMs). LangGraph is built on the foundations of LangChain to support more sophisticated, non-linear agentic workflows. According to statistics on the Python Package Index (PyPI), LangChain, LangChain-Core, and LangGraph were downloaded more than 52 million, 23 million, and 9 million times, respectively, in the past week alone.

"Each vulnerability exposes a different class of enterprise data: filesystem files, environment secrets, and conversation history," Cyera security researcher Vladimir Tokarev said in a report published Thursday.

The issues, in a nutshell, offer three independent paths that an attacker can leverage to drain sensitive data from any enterprise LangChain deployment. Details of the vulnerabilities are as follows -

  • CVE-2026-34070 (CVSS score: 7.5) - A path traversal vulnerability in LangChain ("langchain_core/prompts/loading.py") that allows access to arbitrary files, without any validation, via its prompt-loading API when a specially crafted prompt template is supplied.
  • CVE-2025-68664 (CVSS score: 9.3) - A deserialization of untrusted data vulnerability in LangChain that leaks API keys and environment secrets when an attacker passes as input a data structure that tricks the application into interpreting it as an already serialized LangChain object rather than regular user data.
  • CVE-2025-67644 (CVSS score: 7.3) - An SQL injection vulnerability in LangGraph's SQLite checkpoint implementation that allows an attacker to manipulate SQL queries through metadata filter keys and run arbitrary SQL queries against the database.
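As an added illustration of the bug class behind CVE-2025-67644 (this is not LangGraph's code; the table schema, `build_where_unsafe` and `build_where_safe` are hypothetical), the helpers below build a SQLite WHERE clause from metadata filter keys first in the vulnerable style, where the key is spliced into the SQL text, and then with key validation and full parameterization:

```python
"""Metadata-filter query building: vulnerable pattern beside a hardened one.

Hypothetical schema and helpers written for this example; they do not
reproduce LangGraph's checkpoint code.
"""
import re
import sqlite3

# Constructed sample data: two checkpoints with JSON metadata.
SAMPLE_ROWS = [
    ("t1", '{"source": "input", "step": 1}'),
    ("t2", '{"source": "loop", "step": 2}'),
]


def _open_sample_db() -> sqlite3.Connection:
    """Create an in-memory table that mimics a checkpoint store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_where_unsafe(metadata_filter: dict) -> tuple[str, list]:
    """Vulnerable pattern: only the VALUE is bound as a parameter.

    The KEY is interpolated straight into the SQL text, so any key that
    contains a quote can terminate the json_extract() path string and
    append arbitrary SQL to the WHERE clause.
    """
    clauses, params = [], []
    for key, value in metadata_filter.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    return " AND ".join(clauses) or "1=1", params


# Hardened version: metadata keys must be plain identifiers, and the
# JSON path itself is passed as a bound parameter rather than as SQL text.
_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_where_safe(metadata_filter: dict) -> tuple[str, list]:
    """Reject non-identifier keys and bind both path and value."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if not _KEY_RE.fullmatch(key):
            raise ValueError(f"invalid metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    return " AND ".join(clauses) or "1=1", params


def search_checkpoints(metadata_filter: dict) -> list[str]:
    """Run the hardened filter against the sample store; return thread ids."""
    where, params = build_where_safe(metadata_filter)
    conn = _open_sample_db()
    try:
        rows = conn.execute(
            f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id",
            params,
        ).fetchall()
    finally:
        conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(search_checkpoints({"source": "input"}))   # ['t1']
    crafted_key = "source') = '' OR 1=1 --"
    print(build_where_unsafe({crafted_key: ""})[0])  # key lands verbatim in SQL
    try:
        build_where_safe({crafted_key: ""})
    except ValueError as exc:
        print("rejected:", exc)
```

The same identifier check applies to any untrusted value that must become part of SQL text (column names, JSON paths, sort fields); values that can be bound should always be bound.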

Successful exploitation of the aforementioned flaws could allow an attacker to read sensitive files like Docker configurations, siphon sensitive secrets via prompt injection, and access conversation histories associated with sensitive workflows. It's worth noting that details of CVE-2025-68664 were also shared by Cyata in December 2025, giving it the cryptonym LangGrinch.

The vulnerabilities have been patched in the following versions -

  • CVE-2026-34070 - langchain-core >=1.2.22
  • CVE-2025-68664 - langchain-core 0.3.81 and 1.2.5
  • CVE-2025-67644 - langgraph-checkpoint-sqlite 3.0.1

The findings once again underscore how artificial intelligence (AI) plumbing is not immune to classic security vulnerabilities, potentially putting entire systems at risk.

The development comes days after a critical security flaw impacting Langflow (CVE-2026-33017, CVSS score: 9.3) came under active exploitation within 20 hours of public disclosure, enabling attackers to exfiltrate sensitive data from developer environments.

Naveen Sunkavally, chief architect at Horizon3.ai, said the vulnerability shares the same root cause as CVE-2025-3248, and stems from unauthenticated endpoints executing arbitrary code. With threat actors moving quickly to exploit newly disclosed flaws, it's essential that users apply the patches as soon as possible for optimal protection.

"LangChain doesn't exist in isolation. It sits at the center of a massive dependency web that stretches across the AI stack. Hundreds of libraries wrap LangChain, extend it, or depend on it," Cyera said. "When a vulnerability exists in LangChain’s core, it doesn’t just affect direct users. It ripples outward through every downstream library, every wrapper, every integration that inherits the vulnerable code path."



from The Hacker News https://ift.tt/SVngJMr
via IFTTT

Thursday, March 26, 2026

A puppet made me cry and all I got was this t-shirt


Welcome to this week’s edition of the Threat Source newsletter. 

Anyone who spoke with me in the last several weeks has had to deal with me loudly waiting in anticipation for the long-awaited “Project Hail Mary” movie adaptation. I read (and cried over) the book by Andy Weir, who’s also the author of “The Martian,” about a year ago and, shortly after, found out it was being made into a movie. 

(I know what you’re thinking: Two movie-themed editions in two weeks? It’s every cinephile’s dream!) 

Anyway, the story centers around a biologist and science teacher named Ryland Grace (Ryan Gosling), who wakes up from a coma on a spaceship lightyears away from Earth, his two crewmembers long dead. Our planet’s sun is slowly dimming, its energy being consumed by alien microbes called “astrophage” that are infecting all the stars in our stellar neighborhood — except one. Grace’s task is to figure out why this star is unaffected and send the solution back to Earth. It's a one-way trip, and he’ll eventually die in space alone... or so he thinks. 

The movie met 99.9% of my expectations, which is rare for an adaptation. The humor was spot-on, the soundtrack was gorgeous, and the puppetry — yes, the puppetry (mild spoilers for Rocky, Grace’s new alien friend) — was out-of-this-world. 

While it is a story about space, it’s first and foremost about communication, trust, and collaboration — things we’re no strangers to at Talos, especially when creating the Year in Review report (which is available now). The entire process of creating this report, from raw data to final design, is only a little bit less monumental than stopping alien microbes from plunging the earth into an ice age. 

The process begins with Talos’ Strategic Analysis team, who leverage the vast amount of Cisco’s telemetry, Talos research, and data from Talos Incident Response cases to analyze trends over the past year. This analysis is synthesized into a comprehensive report, which undergoes rigorous review and proofing at multiple levels. While the report is being drafted, the Strategic Comms team develops a detailed schedule of content and collateral to promote it both internally and externally, meeting weekly to track our progress. Once the text is finalized, it moves to our design team, who transform the data into a visually stunning, accessible format. Even after the report launches, the work continues: We produce videos, answer your questions on Reddit (today only!), record podcasts, create social media graphics, and collaborate across Cisco to ensure our findings reach the right people. 

We do this for the good of the community. Our report isn’t gated, and it never will be; you can read it right in your browser without filling out fake names and emails in annoying forms. Talos’ job is to keep as many people as safe as possible, and that means free access to critical information. Here's a taste of our findings: 

  • React2Shell was the No. 1 most targeted CVE in 2025 despite only being discovered in December. ToolShell was No. 3 despite being released in June. 
  • About 25% of the vulnerabilities on our top 100 list affect widely used frameworks and libraries, highlighting the risk of supply chain-style attacks. 
  • Nearly a third of MFA spray attacks targeted identity and access management (IAM) applications. 
  • Attackers continued to rely heavily on phishing for initial access, observed in 40% of Talos IR cases. 35% of cases involved internal phishing. 
  • Qilin was the most seen ransomware variant in 2025, with over 40 victims each month except January. 

We also offer insights on AI and state-sponsored threats, so be sure to view the full report.

In “Project Hail Mary,” Grace and his alien friend, Rocky, realize that they can't save their respective worlds alone. The Talos Year in Review is the result of a massive, cross-functional mission. It takes collaboration between all of Talos’ teams to turn complex, often daunting telemetry into actionable intelligence for the community. 

When we share knowledge, communicate clearly, and work together, the results are, to quote Rocky, “Amaze! Amaze! Amaze!” 

Stay tuned over the coming days and weeks as we break each section down into the most important 2025 Year in Review findings you need to know.


The one big thing 

One of the main themes from the 2025 Year in Review's vulnerability data is that attackers are targeting identity by compromising the infrastructure that sits around it, including physical hardware devices, software, and management platforms. Network components act as de facto identity gateways, allowing adversaries to impersonate users, bypass MFA, and traverse networks undetected. Attackers overwhelmingly prefer high-access targets that require minimal exploitation steps and yield maximum operational payoff. 

Why do I care? 

Identity-centric network components act as control points for the entire environment, meaning their compromise can invalidate MFA, bypass segmentation, and grant immediate access to high-value resources. Network management platforms give adversaries direct access to privileged administrative functions, device credentials, and automation pipelines that touch hundreds of downstream systems. Compromising a single ADC or management platform can expose dozens of downstream systems, making these devices powerful force multipliers. 

So now what? 

Organizations should consider the impact on identity when prioritizing the patching of network devices. ADCs must be protected as identity control points, not merely performance appliances. Defenders should focus on these high-leverage vulnerability classes that enable identity compromise, policy manipulation, and infrastructure-wide escalation. Read the full Year in Review for more information.

Top security headlines of the week 

U.S. Department of Energy publishes five-year energy security plan 
The three goals are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and to establish emergency preparedness for response and recovery from incidents. (SecurityWeek)

Someone has publicly leaked an exploit kit that can hack millions of iPhones 
Researchers are warning that this will allow any hacker to easily use the tools to target iPhone users running older versions of Apple’s operating systems who have not yet updated to its latest iOS 26 software. (TechCrunch)

Checkmarx KICS code scanner targeted in widening supply chain hit 
Specifically, the cybercriminals infiltrated the KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of the software. (Dark Reading)

Attackers hide infostealer in copyright infringement notices 
Aimed at organizations in critical sectors, including healthcare, government, hospitality, and education, it attempts to install PureLog Stealer, a low-cost infostealer that is easy for threat actors to use. (Dark Reading)

Oracle releases emergency patch for critical identity manager vulnerability 
CVE-2026-21992 can be used without authentication for remote code execution, and it may have been exploited in the wild. (SecurityWeek)

Can’t get enough Talos? 

Today only: Ask us anything 
Talos and Splunk researchers are standing by on Reddit to answer your questions about the Year in Review, Top 50 Cybersecurity Threats report, or just about anything else you want to know. It’s halfway over, so post your questions now! 

Year in Review highlights 
In 2025, attackers moved fast, but they also played the long game. This short video highlights the biggest trends from the 2025 Talos Year in Review and what they reveal about where the threat landscape is headed. 

Gravy, glutes, and the Talos Year in Review 
Hazel, Bill, Joe, and Dave discuss the 2025 Year in Review, supported as always by the Turkey Lurkey Man. We also discuss the cyber activity tied to the situation in the Middle East. 

Cybersecurity’s double-header 
With the recent release of the Year in Review and Splunk’s Top 50 Cybersecurity Threats report, Amy, Bill, and Lou break down the most critical trends that shaped the security landscape last year. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 


from Cisco Talos Blog https://ift.tt/NUeOGIf
via IFTTT

China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks

A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks.

The strategic positioning activity, which involves implanting and maintaining stealthy access mechanisms within critical environments, has been attributed to Red Menshen, a threat cluster that's also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. The group has a track record of striking telecom providers across the Middle East and Asia since at least 2021.

Rapid7 described the covert access mechanisms as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications networks.

The campaign is characterized by the use of kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, giving the threat actor the ability to persistently inhabit networks of interest. One of the most recognized tools in its malware arsenal is a Linux backdoor called BPFDoor.

"Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels," Rapid7 Labs said in a report shared with The Hacker News. "Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet."

"There is no persistent listener or obvious beaconing. The result is a hidden trapdoor embedded within the operating system itself."

The attack chains begin with the threat actor targeting internet-facing infrastructure and exposed edge services, such as VPN appliances, firewalls, and web-facing platforms associated with Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts, to obtain initial access.

Upon gaining a successful foothold, Linux-compatible beacon frameworks such as CrossC2 are deployed to facilitate post-exploitation activities. Also dropped are Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.

Central to Red Menshen's operations, however, is BPFDoor. It features two distinct components: One is a passive backdoor deployed on the compromised Linux system to inspect incoming traffic for a predefined "magic" packet by installing a BPF filter and spawning a remote shell upon receiving such a packet. The other integral part of the framework is a controller that's administered by the attacker and is responsible for sending the specially formatted packets.

"The controller is also designed to operate within the victim’s environment itself," Rapid7 explained. "In this mode, it can masquerade as legitimate system processes and trigger additional implants across internal hosts by sending activation packets or by opening a local listener to receive shell connections, effectively enabling controlled lateral movement between compromised systems."

What's more, certain BPFDoor artifacts have been found to support the Stream Control Transmission Protocol (SCTP), potentially enabling the adversary to monitor telecom-native protocols and gain visibility into subscriber behavior and location, and even track individuals of interest.

These aspects demonstrate that BPFDoor's functionality goes beyond that of a stealthy Linux backdoor. "BPFdoor functions as an access layer embedded within the telecom backbone, providing long-term, low-noise visibility into critical network operations," the security vendor added.

It doesn't end there. A previously undocumented variant of BPFDoor incorporates architectural changes designed to make it more evasive and to keep it undetected for prolonged periods in modern enterprise and telecom environments. These include concealing the trigger packet within seemingly legitimate HTTPS traffic and introducing a novel parsing mechanism that ensures the string "9999" appears at a fixed byte offset within the request.

This camouflage keeps the magic packet hidden inside HTTPS traffic without shifting the position of the data inside the request, so the implant can always check for the marker at a specific byte offset and, if it's present, interpret it as the activation command.

The newly discovered sample also debuts a "lightweight communication mechanism" that uses the Internet Control Message Protocol (ICMP) for interacting between two infected hosts.

"These findings reflect a broader evolution in adversary tradecraft," Rapid7 said. "Attackers are embedding implants deeper into the computing stack — targeting operating system kernels and infrastructure platforms rather than relying solely on user-space malware."

"Telecom environments — combining bare-metal systems, virtualization layers, high-performance appliances, and containerized 4G/5G core components — provide ideal terrain for low-noise, long-term persistence. By blending into legitimate hardware services and container runtimes, implants can evade traditional endpoint monitoring and remain undetected for extended periods."



from The Hacker News https://ift.tt/nRkmG2u
via IFTTT

ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits & 20 More Stories

Some weeks in security feel loud. This one feels sneaky. Less big dramatic fireworks, more of that slow creeping sense that too many people are getting way too comfortable abusing things they probably shouldn’t even be touching.

There’s a little bit of everything in this one, too. Weird delivery tricks, old problems coming back in slightly worse forms, shady infrastructure doing shady infrastructure things, and the usual reminder that if criminals find a workflow annoying, they’ll just make a new one by Friday. Efficient little parasites. You almost have to respect the commitment.

A few of these updates have that nasty “yeah, that tracks” energy. Stuff that sounds niche right up until you picture it landing in a real environment with real users clicking real nonsense because they’re busy and tired and just trying to get through the day. Then it stops being abstract pretty fast.

So yeah, this week’s ThreatsDay Bulletin is a solid scroll-before-you-log-off kind of read. Nothing here needs a full panic spiral, but some of it definitely deserves a raised eyebrow and maybe a muttered: “Oh come on.” Let’s get into it.

  1. PQC migration fast-tracked

    Google has unveiled a 2029 timeline to secure the quantum era with post-quantum cryptography (PQC) migration, urging other engineering teams to follow suit. "This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates," the tech giant said. "Quantum computers will pose a significant threat to current cryptographic standards, and specifically to encryption and digital signatures. The threat to encryption is relevant today with store-now-decrypt-later attacks, while digital signatures are a future threat that require the transition to PQC prior to a Cryptographically Relevant Quantum Computer (CRQC). That's why we've adjusted our threat model to prioritize PQC migration for authentication services." As part of the effort, the company said Android 17 is integrating PQC digital signature protection using the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). This includes upgrading the Android Verified Boot (AVB) with support for ML-DSA to ensure that the software loaded during the boot sequence remains highly resistant to unauthorized tampering. The second PQC upgrade concerns the transition of Remote Attestation to a fully PQC-compliant architecture and updating Android Keystore to natively support ML-DSA.

  2. AI finds hidden vulns

    GitHub said it's introducing AI-powered security detections in GitHub Code Security to expand application security coverage across more languages and frameworks. "These detections complement CodeQL by surfacing potential vulnerabilities in areas that are difficult to support with traditional static analysis alone," GitHub said. "This hybrid detection model helps surface vulnerabilities – and suggested fixes – directly to developers within the pull request workflow." The Microsoft subsidiary said the move is designed to uncover security issues "in areas that are difficult to support with traditional static analysis alone." The new hybrid model is expected to enter public preview in early Q2 2026.

  3. Pirated apps spread backdoors

    The Russian threat actor known as Sandworm (aka APT-C-13) has been attributed with moderate confidence to an attack campaign that leverages pirated versions of legitimate software like Microsoft Office ("Microsoft.Office.2025x64.v2025.iso") as lures to deliver different backdoors tracked as Tambur, Sumbur, Kalambur, and DemiMur to high-value targets. It's assessed that these attacks use Telegram as a distribution vector, using social engineering tactics to target Ukrainian users seeking software cracks. Tambur is designed to spawn SSH reverse tunnels to issue malicious commands, while Kalambur revolves around intranet penetration, remote desktop (RDP) takeover, and persistent communication. Sumbur is a successor to Kalambur with improved obfuscation techniques. DemiMur is mainly used to tamper with the trust chain and evade detection. "Attackers use this module to force the import of a forged DemiMurCA.crt root certificate into the operating system's trusted root certificate authority store," the 360 Advanced Threat Research Institute said. "When subsequent scripts are executed, Windows automatically verifies the validity of the signature block and deems it 'trusted.'"

  4. Fake extension drains wallets

    A cryptocurrency scam called ShieldGuard claimed to be a blockchain project that presented itself as a security tool aimed at protecting crypto wallets from phishing and harmful smart contracts through a browser extension. Ironically, further analysis revealed that it was built to drain digital assets from wallets. The scam was advertised via a dedicated website ("shieldguards[.]net"), as well as an X account (@ShieldGuardsNet) and a Telegram channel (@ShieldsGuard). "The project was promoted using a multi-level marketing campaign in which users would be rewarded for early use of the extension (via a cryptocurrency 'airdrop') and for promoting the capability to other users," Okta said. "ShieldGuard appears designed to harvest wallet addresses and other sensitive data for major cryptocurrency platforms including Binance, Coinbase, MetaMask, OpenSea, Phantom and Uniswap, as well as for users of Google services. The extension also extracts the full HTML of pages after a user signs into Binance, Coinbase, OpenSea or Uniswap via their browser." The threat actor behind the activity is assessed to be Russian-speaking.

  5. Firmware backdoor spreads globally

    Sophos said it identified multiple detections on Android devices for malicious activity associated with the Keenadu backdoor. "Keenadu is a firmware infection embedded in the libandroid_runtime.so (shared object library) that injects itself into the Zygote process," the company said. "As Zygote is the parent process for all Android apps, an attacker effectively gains total control over an infected device." Keenadu acts as a downloader for second-stage malware, with the infected devices containing two system-level APK files: PriLauncher.apk and PriLauncher3QuickStep.apk. Over 500 unique compromised Android devices across nearly 50 models have been detected as of March 4, 2026. The devices are mostly low-cost models produced by Allview, BLU, Dcode, DOOGEE, Gigaset, Gionee, Lava, and Ulefone. The identified infections were spread globally, with devices located in 40 countries.

  6. Phishing service quickly rebounds

    In early March, Europol and Microsoft announced the seizure of 330 active Tycoon2FA domains and legal action against multiple individuals linked to the PhaaS. According to CrowdStrike, the takedown effort left only a minor dent in Tycoon2FA's operations, which are now back to pre-disruption levels. On March 4 and 5, following the law enforcement operation, Tycoon2FA activity volume dropped to roughly 25%, but returned to previous levels shortly after, with "daily levels of cloud compromise active remediations returning to early 2026 levels," CrowdStrike said. "Additionally, Tycoon2FA's TTPs have not changed following the takedown, indicating that the service's operations may persist beyond this disruption." These TTPs include phishing emails directing to malicious CAPTCHA pages, session cookie theft upon CAPTCHA validation, use of JavaScript payloads for email address extraction, credential proxying via malicious JavaScript files, and use of stolen credentials to access the victims' cloud environments. Post-disruption campaigns have leveraged malicious URLs, URL shortener services, links to legitimate presentation software that include malicious redirects to Tycoon2FA infrastructure, attacker-controlled infrastructure impersonating construction entities, and compromised SharePoint infrastructure belonging to known contacts that serves XLSX and PDF files. The short-lived disruption is proof that without arrests or physical seizures, it's easy for cybercriminals to recover and replace the impacted infrastructure.

  7. Fake invites deliver remote access

    Phishing campaigns are weaponizing fake meeting invites for various video conference applications, including Zoom, Microsoft Teams, and Google Meet, to distribute remote access tools. "The attackers trick corporate users to execute the payload by claiming a mandatory software update is required to join the video call, redirecting victims to typo-squatted domains, such as zoom-meet.us," Netskope said. "The payload, disguised as a software update, is a digitally signed remote monitoring and management (RMM) tool such as Datto RMM, LogMeIn, or ScreenConnect. These tools enable attackers to remotely access victims' machines and gain full administrative control over their endpoints, potentially leading to data theft or the deployment of more destructive malware."

  8. Fileless stealer via phishing

    Attackers are using copyright-infringement notices in a fileless phishing campaign targeting healthcare and government organizations in Germany and Canada that delivers the PureLogs data-stealing malware. "The attack likely relies on phishing emails that lure victims into downloading a malicious executable tailored to the victim's local language," Trend Micro said. "Once executed, the malware deploys a multistage infection chain designed for evasion. Notably, it downloads an encrypted payload disguised as a PDF file, then retrieves the decryption password remotely from attacker-controlled infrastructure. The extracted payload launches a Python-based loader that decrypts and executes the final .NET PureLogs stealer malware in memory." The Python dropper specifically leverages two .NET loaders to load the stealer malware, with one acting as a backup in case either of them is blocked or killed by an endpoint control. The routine also incorporates anti-virtual machine techniques to evade automated analysis environments, as well as employs in-memory execution to complicate detection efforts. "By disguising malicious executables as legal notices, using encrypted payloads masquerading as PDF files, remotely retrieving dynamic decryption keys, and leveraging a renamed WinRAR utility for extraction, the operators effectively minimize static indicators and hinder automated analysis," the company added. "The Python-based loader and dual .NET loaders introduce redundancy and fileless execution pathways, ensuring that the final PureLog Stealer payload is launched reliably and without leaving artifacts on disk."

  9. MS-SQL attacks deploy scanner

    The Larva-26002 threat actor continues to target improperly managed MS-SQL servers. "In January 2024, the Larva-26002 threat actor attacked MS-SQL servers to install the Trigona and Mimic ransomware," AhnLab said. In the latest attacks, the threat actors exploited the Bulk Copy Program (BCP) utility of MS-SQL servers to stage the malware locally and deploy a scanner malware named ICE Cloud Client. Written in Go, it functions as both a scanner and a brute-force tool to break into susceptible MS-SQL servers. "The strings contained in the binary are written in Turkish, and the emoticons used suggest that the author utilized generative AI," the company added.

  10. Bug lets attackers fake rankings

    New research has flagged a critical vulnerability in ClawHub, a skills marketplace for OpenClaw, that an attacker could exploit to position their skill as the #1 skill. The flaw stems from the fact that a download counter function named "increment()," which is used to keep track of skill downloads, was exposed as a public mutation rather than an internal private function. Without authentication, rate limiting, or deduplication mechanisms in place, an attacker could continuously trigger the endpoint to artificially inflate the download metric for a given skill. "An attacker can call downloads:increment with a single curl request with any valid skill ID, bypassing every protection in the download flow and inflating any skill's downloads counter without limit," security researcher Noa Gazit said. By gaming the rankings, the threat actor could deceive an unsuspecting developer into installing malicious skills. The issue has since been mitigated by ClawHub following responsible disclosure by Silverfort on March 16, 2026.

  11. npm packages steal crypto keys

    Five newly discovered malicious npm packages have been found to typosquat a legitimate cryptocurrency library and exfiltrate private keys to a single hard-coded Telegram bot. All the packages, ethersproject-wallet, base-x-64, bs58-basic, raydium-bs58, and base_xd, were published under the account "galedonovan." According to Socket, "each package hooks a function that developers routinely pass private keys through. When that function is called at runtime, the package silently sends the key to a Telegram bot before returning the expected result. The user's code behaves normally, and there is no visible error or side effect."
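    The package names above are near-misses of real libraries (a dropped scope, a swapped separator, a plausible suffix), which is the kind of thing a pre-install audit can catch before runtime hooks ever get a chance to run. The following is an added example and not Socket's scanner: it normalizes dependency names, compares them against a curated list of known packages by edit distance, and also flags names that merely embed a known package name. The known-package list is an assumption; the dependency list is constructed from the names reported above plus two controls.

```javascript
// Added example, not Socket's tooling: flag dependency names that are
// near-misses or "known-name-plus-suffix" variants of curated packages.
// KNOWN_PACKAGES is an assumption; SAMPLE_DEPENDENCIES is constructed.

const KNOWN_PACKAGES = ['ethers', '@ethersproject/wallet', 'bs58', 'base-x'];

// Strip scope and separators so "@ethersproject/wallet" and
// "ethersproject-wallet" normalize to the same string.
function normalizeName(name) {
  return name.toLowerCase().replace(/^@/, '').replace(/[\/_.\-]/g, '');
}

// Plain Levenshtein distance between two strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Return {dep, lookalikeOf, reason} for every dependency that is not itself a
// known package but is within maxDistance of one, or embeds one of at least
// minContainLen characters.
function findTyposquatCandidates(deps, known = KNOWN_PACKAGES, { maxDistance = 2, minContainLen = 4 } = {}) {
  const knownNorm = known.map(k => ({ name: k, norm: normalizeName(k) }));
  const findings = [];
  for (const dep of deps) {
    if (known.includes(dep)) continue;   // the genuine package is fine
    const n = normalizeName(dep);
    let best = null;
    for (const k of knownNorm) {
      const d = editDistance(n, k.norm);
      if (best === null || d < best.d) best = { k, d };
    }
    if (best && best.d <= maxDistance) {
      findings.push({ dep, lookalikeOf: best.k.name, reason: `edit distance ${best.d}` });
      continue;
    }
    const contained = knownNorm
      .filter(k => k.norm.length >= minContainLen && n.includes(k.norm))
      .sort((x, y) => y.norm.length - x.norm.length)[0];
    if (contained) findings.push({ dep, lookalikeOf: contained.name, reason: 'embeds known package name' });
  }
  return findings;
}

// Constructed: the five reported names, a benign unrelated package and the
// genuine bs58 as controls.
const SAMPLE_DEPENDENCIES = [
  'ethersproject-wallet', 'base-x-64', 'bs58-basic', 'raydium-bs58', 'base_xd',
  'lodash', 'bs58',
];
```

Treat the output as a review queue rather than a block list: legitimate packages that embed a popular name exist (bs58check is a real one), so pair this with an allowlist of vetted names and with the runtime controls the page implies, such as refusing to pass raw private keys through any freshly added dependency.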

  12. Google Forms deliver malware

    A Google Forms campaign is using business-related lures, such as job interviews, project briefs, and financial documents, to distribute malware, including the PureHVNC remote access trojan (RAT). "Instead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain," Malwarebytes said. "The attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside is a malicious file that sets off a multi-stage infection process, eventually installing malware on the system." Another campaign has been observed using obfuscated Visual Basic Script (VBScript) files to deliver PhantomVAI Loader via PNG image files hosted on Internet Archive to ultimately install Remcos RAT and XWorm.

  13. APT targets Web3 support teams

    A sophisticated, multi-stage malware campaign directed at customer support staff working for Web3 companies is leveraging suspicious links sent via customer support chat to initiate an attack chain that delivers a malicious executable disguised as a photograph, which then retrieves a second-stage loader from an AWS S3 dead drop. This loader proceeds to retrieve an implant named Farfli (aka Gh0st RAT) that's launched via DLL side-loading to establish persistent communication with threat actor-controlled infrastructure. The campaign has been attributed to APT-Q-27 (aka GoldenEyeDog), a financially motivated threat group suspected to be operating out of China since at least 2022. A similar campaign involving the distribution of sketchy links via Zendesk was documented by CyStack last month. The techniques observed include staging payloads inside a directory designed to resemble a Windows Update cache, DLL side-loading, and in-memory execution of the final backdoor. The end goal is to reduce on-disk footprints, blend into normal system behaviour, and make retrospective detection harder.

  14. Cloud phones fuel fraud economy

    Cloud phones are internet-based virtual phone systems powered by Android that allow users to send and receive voice calls and messages and access features just like a physical device. While early fraud waves leveraged "virtual" Android devices hosted on physical phone farms for social media engagement manipulation, fake app reviews and installs, SMS spam, and ad fraud, subsequent iterations have evolved into cloud-based virtual mobile infrastructures that use emulators to mimic phone behavior. Alongside this, the abuse of cloud phones, sold in the form of phone box devices, for financial fraud has expanded. Threat actors can buy, sell, and move cloud phones with pre-loaded e-wallets and pre-verified bank cards and accounts for use in account takeover (ATO) and authorized push payment (APP) scams, Group-IB said. In this scheme, unsuspecting users are tricked into providing their personal banking credentials to fraudsters impersonating bank workers or government officials in order to complete the verification process on the fraudsters' cloud phone. These cloud phone devices with configured bank cards and accounts are then sold to other parties on darknet markets. "Major cloud phone platforms like LDCloud, Redfinger, and GeeLark offer device rentals for as little as $0.10-0.50 per hour, making fraud infrastructure accessible to anyone with minimal capital investment," the company added. "Darknet markets actively trade pre-verified dropper accounts created on cloud phones, with Revolut and Wise accounts priced at $50-200 each, often including continued access to the cloud phone instance."

  15. 500K+ IIS servers outdated

    The Shadowserver Foundation said it's seeing over 511,000 end-of-life Microsoft IIS instances in its daily scans, out of which over 227,000 instances are beyond the official Microsoft Extended Security Updates (ESU) period. Most of them are located in China, the U.S., France, the U.K., Italy, Brazil, India, Japan, Australia, and Russia.

  16. CCTV abuse triggers crackdown

    Indian authorities have ordered a comprehensive audit of CCTV systems across the nation following the exposure of a Pakistan-linked spy network that exploited surveillance cameras for espionage purposes. The solar-powered devices, installed at various railway stations and other important infrastructure, allegedly transmitted live footage to handlers linked to Pakistan's Inter-Services Intelligence (ISI). The Indian government has outlined measures to strengthen the security of CCTV systems, such as mandatory documentation of the origin of critical components, testing of devices against vulnerabilities that could allow unauthorized remote access, and testing of devices for compliance. In tandem, at least 22 people have been arrested in connection with a Pakistan-linked network that engaged in reconnaissance activity. This included five men and a woman who have been accused of taking photos and videos of railway stations and military bases and sending them to handlers in Pakistan. These individuals were recruited through social media and encrypted messaging apps, luring them with payments ranging from ₹5,000 to ₹20,000 per "assignment." Compromised CCTV systems can facilitate military operations and intelligence gathering. During the U.S.–Israel–Iran conflict last month, Check Point Research found a sharp surge in exploitation attempts targeting IP cameras by Iran-affiliated threat actors.

  17. TDS routes victims to scams

    A new traffic distribution system (TDS) codenamed TOXICSNAKE has been used to route victims to phishing pages, scam funnels, or malware payloads. The attacks begin with a first-stage JavaScript loader that fingerprints the site visitor and then returns either a redirect URL or a link to a malicious payload.

  18. PowerShell ransomware evades EDR

    In a new report, Halcyon has revealed that the custom-built Crytox PowerShell Encryptor is able to evade endpoint detection and response (EDR) solutions without the need for additional tooling like HRSword. "Crytox targeting continues to focus on virtual infrastructure (hypervisors, VM servers), entry via VPN exploitation, and manual hands-on-keyboard execution, which are all consistent with a deliberate, targeted operation rather than high-volume automated campaigns," the company said. The development comes as the INC ransomware group has claimed attacks against ten law firms and legal services organizations within a 48-hour period. "The volume, sector specificity, and timing of these postings suggest the possibility of a coordinated campaign or a shared upstream compromise, such as a supply chain event affecting a common legal technology provider or managed services vendor," Halcyon noted.

  19. Stealer exposes NK operator

    New research from Hudson Rock has found a machine used in the North Korean IT worker scheme that was accidentally infected with the Lumma Stealer malware after the local user downloaded malicious payloads while searching for GTA V cheats. Interestingly, the exfiltrated stealer logs contained corporate CDN credentials for Funnull, a content delivery network (CDN) that has been leveraged by state-sponsored actors. The operator used a "massive matrix of synthetic identities" across Western freelance platforms and global hosting providers, while also using five distinct Chrome profiles and one Edge profile to compartmentalize their operations. It's believed that the machine owner was either a willing facilitator (i.e., a laptop farm host based out of Indonesia) or a North Korean operative.

  20. Polyfill attack tied to DPRK

    The 2024 Polyfill[.]io supply chain attack has been linked to North Korean threat actors after a North Korean operative made a fatal operational security (OPSEC) blunder by downloading a fake software setup file and infecting their own machine with the Lumma Stealer. While the attack was initially linked to Funnull, Hudson Rock discovered that the threat actor downloaded a password-protected ZIP archive hosted on MediaFire that was deceptively named to appear as a legitimate software installer. The evidence collected by the malware from the North Korean hacker's endpoint included credentials for the Funnull DNS management portal, credentials for the Polyfill Cloudflare tenant (proving that the weaponized domain was under the threat actor's control), and conversations regarding the malicious domain configuration changes made during the peak of the attack. While the threat actor used the "Brian" persona to pull off the attack, they also manage other identities to conduct IT worker fraud, securing a gig at cryptocurrency exchange Gate and exploiting the access to obtain intelligence on their employer's security posture and understand blind spots in compliance systems. The same operative, under the "Wenyi Han" alias, is also said to have conducted strategic, state-sponsored data exfiltration, illustrating the severity of the IT worker threat.

  21. Court dismisses WhatsApp case

    A U.S. judge granted a motion to dismiss a case against tech giant Meta brought by a former WhatsApp employee, Attaullah Baig, who accused the company of ignoring privacy and security issues, and putting users' information in danger. According to Courthouse News Service, the judge said, "the complaint does not contain sufficient facts to show that the plaintiff reported violations of SEC rules or regulations, the plaintiff did not plead facts regarding the elements of securities fraud or wire fraud, and his reporting cybersecurity violations does not relate to rules governing internal accounting controls." Meta said, "Mr. Baig's allegations misrepresent the hard work of our security team. We're proud of our strong record of protecting people’s privacy and security, and will continue building on it."

  22. Police gain password access powers

    Hong Kong police can now demand phone or computer passwords from those who are suspected of breaching the National Security Law (NSL). Those who refuse to share the passwords could face up to a year in jail and a fine of up to $12,700, and individuals who provide "false or misleading information" could face up to three years in jail. The amendments to the NSL ensure that "activities endangering national security can be effectively prevented, suppressed and punished, and at the same time the lawful rights and interests of individuals and organisations are adequately protected," authorities said.

  23. Android RAT sold as MaaS

    A new Android RAT named Oblivion RAT is being sold as a malware-as-a-service (MaaS) platform on cybercrime networks for $300/month. "The platform includes a web-based APK builder for the implant, a separate dropper builder that generates convincing fake Google Play update pages, and a C2 panel for real-time device control," iVerify said. "Pricing runs $300/month, $700/3 months, $1,300/6 months, or $2,200 lifetime, with 7-day demo accounts available." Oblivion is distributed via dropper APKs sent to victims as part of social engineering attacks. Once installed, the dropper apps present a Google Play update flow to sideload the embedded RAT payload. As with other Android malware families, Oblivion abuses Android's accessibility services API to grant itself additional permissions and steal sensitive data. "The core of the social engineering is the Accessibility Page builder, which generates a pixel-perfect replica of Android's accessibility service settings screen," iVerify said. "Every text element is operator-controlled: page title, section headers, the Enable button, and a descriptive info message. When the victim taps Enable, they grant the implant's accessibility service full control over the device UI."

Disruptions don’t really stick anymore. Stuff gets taken down, shuffled around, then quietly comes back like nothing happened. Same tactics, slightly cleaner execution.

A lot of this leans on built-in trust. Familiar tools, normal flows, things people stop questioning. That gap between “looks fine” and “definitely not fine” is still doing most of the work.

Nothing here is shocking on its own. Put together, though, it’s a bit uncomfortable. Scroll on.



from The Hacker News https://ift.tt/gN7fjK3
via IFTTT

Talos Takes: 2025 insights from Talos and Splunk

In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a "double-header" discussion. With the recent release of the Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats report, we’re breaking down the most critical trends that shaped the security landscape last year — all based on Cisco telemetry, Talos' original research, and Talos Incident Response engagements.

From the professionalization of ransomware-as-a-service to the persistent challenge of decade-old vulnerabilities, this episode moves beyond the headlines to provide a practical roadmap for defenders. You’ll get tips on how to prioritize your defenses and reduce your attack surface for the year ahead.

View the 2025 Year in Review today.



from Cisco Talos Blog https://ift.tt/Bk18uUW
via IFTTT

Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in New Mass Attacks

The kernel exploit for two security vulnerabilities used in the recently uncovered Apple iOS exploit kit known as Coruna is an updated version of the same exploit that was used in the Operation Triangulation campaign back in 2023, according to new findings from Kaspersky.

"When Coruna was first reported, the public evidence wasn't sufficient to link its code to Triangulation — shared vulnerabilities alone don't prove shared authorship," Boris Larin, principal security researcher at Kaspersky GReAT, told The Hacker News in a statement.

"Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework. The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase. What began as a precision espionage tool is now deployed indiscriminately."

Coruna was first documented by Google and iVerify earlier this month as targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.

Although the kit was first used by a customer of an unnamed surveillance company early last year, it has since been leveraged by a suspected Russia-aligned nation-state actor in watering hole attacks in Ukraine and in a mass exploitation campaign that employed a cluster of fake Chinese gambling and cryptocurrency websites to deliver a data-stealing malware known as PlasmaLoader (aka PLASMAGRID).

The exploit kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606, both of which were first used as zero-days in Operation Triangulation, a sophisticated campaign targeting iOS devices that involved the exploitation of four vulnerabilities in Apple's mobile operating system.

The latest findings from Kaspersky indicated the kernel exploits in both Triangulation and Coruna were created by the same author, with Coruna also using four additional kernel exploits. The Russian security vendor said all these exploits are built on the same kernel exploitation framework and share common code.

Specifically, the code includes support for Apple's A17, M3, M3 Pro, and M3 Max processors, along with checks for iOS 17.2 and iOS version 16.5 beta 4, the latter of which patched all four vulnerabilities exploited as part of Operation Triangulation. The check for iOS 17.2, on the other hand, is meant to take into account the newer exploits, Kaspersky said.

The starting point of the attack is when a user visits a compromised website on Safari, causing a stager to fingerprint the browser and serve the appropriate exploit based on the browser and operating system version. This, in turn, paves the way for the execution of a payload that triggers the kernel exploit.

"After downloading the necessary components, the payload begins executing kernel exploits, Mach-O loaders, and the malware launcher," Kaspersky said. "The payload selects an appropriate Mach-O loader based on the firmware version, CPU, and presence of the iokit-open-service permission."

The launcher is the primary orchestrator responsible for initiating the post-exploitation activities, leveraging the kernel exploit to drop and execute the final implant. It also cleans up exploitation artifacts to cover up the forensic trail.

"Originally developed for cyber-espionage purposes, this framework is now being used by cybercriminals of a broader kind, placing millions of users with unpatched devices at risk," Larin said. "Given its modular design and ease of reuse, we expect that other threat actors will begin incorporating it into their attacks."

The development comes as a new version of iPhone exploit kit DarkSword has been leaked on GitHub, raising concerns that it could equip more threat actors with advanced capabilities to compromise devices, effectively turning what was once an elite hacking tool into a mass exploitation framework. The release of the new version was first reported by TechCrunch.



from The Hacker News https://ift.tt/w6JMkK2
via IFTTT

WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites

Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively bypassing security controls.

"Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data," Sansec said in a report published this week.

The attack, which targeted a car maker's e-commerce website, is said to have been facilitated by PolyShell, a new vulnerability impacting Magento Open Source and Adobe Commerce that allows unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution.

Notably, the vulnerability has been under mass exploitation since March 19, 2026, with more than 50 IP addresses participating in the scanning activity. The Dutch security company said it has found PolyShell attacks on 56.7% of all vulnerable stores.

The skimmer is designed as a self-executing script that establishes a WebRTC peer connection to a hard-coded IP address ("202.181.177[.]177") over UDP port 3479 and retrieves JavaScript code that's subsequently injected into the web page for stealing payment information. 

The use of WebRTC marks a significant evolution in skimmer attacks, as it bypasses Content Security Policy (CSP) directives. 

"A store with a strict CSP that blocks all unauthorized HTTP connections is still wide open to WebRTC-based exfiltration," Sansec noted. "The traffic itself is also harder to detect. WebRTC DataChannels run over DTLS-encrypted UDP, not HTTP. Network security tools that inspect HTTP traffic will never see the stolen data leave."
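The practical gap Sansec describes is that connect-src governs fetch, XHR, WebSocket and beacons, not the DTLS/SCTP traffic a WebRTC data channel carries. One page-side compensating control is to wrap RTCPeerConnection before any third-party script loads, so that a script cannot quietly open a data channel or negotiate with a peer outside an allowlist. The following is an added example, not Sansec's tooling and not the skimmer's code: it installs such a guard on a supplied global object (globalThis in a browser; a stub here so it runs under Node), parses ICE candidate lines out of a remote SDP, and rejects the description if any candidate points at a non-allowlisted host. The sample SDP is constructed for this example; the 202.181.177.177:3479 endpoint is the one reported above.

```javascript
// Added example: a page-side RTCPeerConnection guard. Not Sansec's code and
// not the skimmer. SAMPLE_REMOTE_SDP and FakePeerConnection are constructed
// so the guard can be exercised offline; in a browser, pass globalThis.

// Extract ICE candidate endpoints (host, port, type) from an SDP blob.
function extractCandidateHosts(sdp) {
  const out = [];
  for (const line of String(sdp).split(/\r?\n/)) {
    const m = line.match(/^a=candidate:\S+ \d+ (?:udp|tcp) \d+ (\S+) (\d+) typ (\S+)/i);
    if (m) out.push({ host: m[1], port: Number(m[2]), type: m[3] });
  }
  return out;
}

// Candidates whose host is not on the allowlist.
function findDisallowedCandidates(sdp, allowedHosts) {
  const allowed = new Set(allowedHosts);
  return extractCandidateHosts(sdp).filter(c => !allowed.has(c.host));
}

// Replace globalObj.RTCPeerConnection with a guarded subclass. Data channels
// are refused unless allowDataChannels is set (a checkout page has no reason
// to open one), and a remote description is rejected when any candidate
// points outside allowedHosts. Every refusal is reported via onViolation.
function installWebRtcGuard(globalObj, { allowedHosts = [], allowDataChannels = false, onViolation = () => {} } = {}) {
  const Original = globalObj.RTCPeerConnection;
  if (typeof Original !== 'function') return null;

  class GuardedPeerConnection extends Original {
    createDataChannel(label, ...rest) {
      if (!allowDataChannels) {
        onViolation({ kind: 'datachannel', label });
        throw new Error(`WebRTC data channel "${label}" blocked`);
      }
      return super.createDataChannel(label, ...rest);
    }
    setRemoteDescription(desc, ...rest) {
      const bad = findDisallowedCandidates(desc && desc.sdp ? desc.sdp : '', allowedHosts);
      if (bad.length > 0) {
        onViolation({ kind: 'remote-host', candidates: bad });
        return Promise.reject(new Error(`remote candidate ${bad[0].host}:${bad[0].port} is not allowlisted`));
      }
      return super.setRemoteDescription(desc, ...rest);
    }
  }
  globalObj.RTCPeerConnection = GuardedPeerConnection;
  return GuardedPeerConnection;
}

// Constructed remote SDP: one allowlisted candidate and one pointing at the
// skimmer endpoint reported by Sansec.
const SAMPLE_REMOTE_SDP = [
  'v=0',
  'o=- 0 0 IN IP4 0.0.0.0',
  's=-',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel',
  'a=candidate:1 1 udp 2122260223 203.0.113.10 3478 typ host',
  'a=candidate:2 1 udp 2122194687 202.181.177.177 3479 typ host',
].join('\r\n');

// Minimal stand-in for the browser class so the guard runs without a browser.
class FakePeerConnection {
  constructor(config) { this.config = config; this.channels = []; this.remote = null; }
  createDataChannel(label) { const ch = { label }; this.channels.push(ch); return ch; }
  setRemoteDescription(desc) { this.remote = desc; return Promise.resolve(); }
}

// Exercise the guard the way a skimmer would trip it; returns what happened.
function runGuardDemo() {
  const fakeWindow = { RTCPeerConnection: FakePeerConnection };
  const violations = [];
  installWebRtcGuard(fakeWindow, { allowedHosts: ['203.0.113.10'], onViolation: v => violations.push(v) });

  const pc = new fakeWindow.RTCPeerConnection({ iceServers: [] });
  try { pc.createDataChannel('exfil'); } catch (_) { /* refused, as intended */ }
  pc.setRemoteDescription({ type: 'answer', sdp: SAMPLE_REMOTE_SDP }).catch(() => { /* refused, as intended */ });
  return { violations, channelsOpened: pc.channels.length, remoteApplied: pc.remote !== null };
}
```

Treat this as telemetry and a speed bump rather than a boundary: a script that captured the original constructor before the guard loaded, or that runs inside a frame the guard does not cover, is not stopped, and none of it substitutes for removing the PolyShell foothold. CSP Level 3 also defines a `webrtc 'block'` directive that addresses this at the policy layer; browser support is uneven, so verify it in the browsers your customers use before relying on it.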

Adobe released a fix for PolyShell in version 2.4.9-beta1 released on March 10, 2026. But the patch has yet to reach the production versions.

As mitigations, site owners are recommended to block access to the "pub/media/custom_options/" directory and scan the stores for web shells, backdoors, and other malware.



from The Hacker News https://ift.tt/M1FZPed
via IFTTT

Wednesday, March 25, 2026

LeakBase Admin Arrested in Russia Over Massive Stolen Credential Marketplace

The alleged administrator of the LeakBase cybercrime forum has been arrested by Russian law enforcement authorities, state media reported Thursday.

According to TASS and MVD Media, a news website linked to the Russian Interior Ministry, the suspect is a resident of the city of Taganrog. The suspect is said to have been detained for creating and managing a criminal site that allowed stolen personal databases to be traded since 2021.

In addition, technical equipment and other items of evidentiary value were confiscated during a search of the suspect's residence.

"The platform hosted hundreds of millions of user accounts, bank details, usernames, and passwords, as well as corporate documents obtained through hacking," said Irina Volk, an official spokesperson for the Russian Ministry of Internal Affairs. "More than 147,000 users registered on the forum could buy and sell this data, as well as use it to commit fraudulent acts against citizens."

LeakBase was dismantled in a law enforcement operation earlier this month. The U.S. Department of Justice (DoJ) said the cybercrime forum was one of the world's largest hubs for cybercriminals to buy and sell stolen data and cybercrime tools.

This included hundreds of millions of account credentials and financial information such as credit and debit card numbers, banking account and routing information, usernames, and associated passwords that could be abused to conduct account takeover attacks.

The platform had over 142,000 members and more than 215,000 messages between members as of December 2025. Visitors to the clearnet site were greeted with a seizure banner that said "All forum content, including users' accounts, posts, credit details, private messages, and IP logs, has been secured and preserved for evidentiary purposes."

LeakBase is the work of a threat actor who goes by the online aliases Chucky, beakdaz, Chuckies, and Sqlrip. In reports published following the takedown of the forum, KELA and TriTrace Investigations linked Chucky to a 33-year-old individual from Taganrog.



from The Hacker News https://ift.tt/05NBeiq
via IFTTT

Identity security is the new pressure point for modern cyberattacks

Identity attacks no longer hinge on who a cyberattacker compromises, but on what that identity can access. As organizations manage growing numbers of human, non-human, and agentic identities, their access fabric multiplies across apps, resources, and environments, which increases both operational complexity for identity teams and risk exposure for security teams.

The challenge isn’t just scale, it’s fragmentation. Research from our latest Secure Access report shows that 32% of organizations say their access management solutions are duplicative, and 40% say they have too many different vendors. That vendor fragmentation makes it harder to maintain consistent access controls and correlate risk across identities. When risk is distributed across dozens of disconnected accounts and permissions, visibility fragments and blind spots emerge, creating ideal conditions for cyberattackers to move laterally without detection. Securing identity in this reality requires more than incremental improvements. It calls for a shift from fragmented controls to an integrated, end-to-end approach that treats identity as a shared control plane informed by a continuous, foundational security signal.

Why fragmentation fails—and what must replace it

With the traditional model of identity security—built on siloed directories, disconnected access policies, and bolt-on threat detection—cyberattackers don’t have to break defenses, they just move between them. Permissions go uncorrelated, access policies drift as environments evolve, and lateral movement hides in the gaps.

For defenders, this creates a dangerous imbalance. Identity signals flood the security operations center (SOC) without the context to act, while identity teams enforce access without visibility into active cyberthreats. Risk accumulates across systems, but responsibility—and insight—remains fragmented.

Fixing this doesn’t require more alerts or point solutions. It requires an integrated fabric that brings together all of the identities, access, and signals.

A modern identity security solution must unify three critical layers:

  • The identity infrastructure: The systems and services that underpin every access decision. This includes the identity provider, authentication services, single sign-on (SSO), user and group management, and the systems that establish and maintain trust across the enterprise. Without this foundation, there is no authoritative source of truth for who an identity is, what it can access, or how it should be governed. It’s the layer many security vendors lack—and the one Microsoft delivers at global scale.
  • The identity control plane: Where privileged identity management and access decisions are enforced in real time, based on dynamic risk signals, behavioral context, and policy intent. This is where identity and security converge to adapt access as conditions change, powering real-time response to identity threats.
  • End-to-end identity threat protection: Before a cyberattack, it proactively reduces posture risk by eliminating excessive access and closing identity exposure gaps. When threats emerge, it detects identity misuse in real time, surfaces lateral movement, and drives rapid containment—connecting integrated signals and response across the full attack lifecycle.

When these layers operate in isolation, risk is missed. When they operate as one, identity becomes a powerful security signal—enabling earlier detection, smarter decisions, and faster response.

Redefining identity security for real-time defense

Microsoft is delivering a new standard for identity security, one that unifies identity infrastructure, access control, and threat response into a single, real-time platform built for speed, precision, and autonomy.

We start with the identity infrastructure: the foundational identity layer powered by Microsoft Entra. As one of the most widely adopted identity platforms in the world with billions of authentications managed daily, it provides resilient SSO, user and group management, and trust establishment at global scale—a layer many security vendors simply don’t have access to.

We collapse identity sprawl, correlating related accounts across cloud and on-premises into a single identity view, so risk assessment is no longer scattered across disconnected systems. This gives security teams a real‑time understanding of what an identity and its correlated accounts can access, not just who it is, allowing them to spot dangerous access paths early, limit impact, and disrupt lateral movement before attackers turn access into impact. Likewise, it gives identity teams visibility into whether a user flagged as high risk was a one-off or is associated with other accounts, informing what access decisions to make.

On top of that foundation is a real-time identity control plane designed for how attacks actually unfold. Microsoft Entra Conditional Access continuously evaluates risk as access is used, not just when it’s granted—tracking signals from identity, device, network, and broader threat intelligence throughout the session. As conditions change, access adapts in real time, helping identity teams limit exposure and prevent risky access while giving security teams the ability to interrupt attack paths while activity is still in motion. This is adaptive access driven by connected intelligence—not static policy.

And when risk turns into a threat, we act—automatically and inline, which results in a faster response. Microsoft’s threat protection is differentiated by automatic attack disruption: a capability that intervenes mid-attack to isolate compromised assets by terminating user sessions, revoking access, and applying just-in-time hardening to stop lateral movement and privilege escalation. It’s not just detection—it’s defense in motion.

To accelerate response, we’ve extended Microsoft Security Copilot’s triage agent to identity. It uses AI to filter noise, surface high-confidence alerts, and guide analysts with clear, explainable insights—reducing time to action and analyst fatigue.

This end-to-end approach shifts identity from an expanding source of exposure into a strategic advantage. Instead of reacting after access has already been abused, it helps ensure that risk is evaluated continuously, access decisions are made in real-time, and organizations can defend more effectively as attack paths emerge to stop identity‑based attacks before they escalate into business impact.

Innovation that moves the industry forward

At RSAC 2026, we announced a set of innovations in identity security that are designed to help organizations move from fragmented awareness to confident, identity-centric protection:

  • The new identity security dashboard in Microsoft Defender doesn’t just summarize alerts, it reveals where identity risk actually concentrates across human and nonhuman identities, account types, and providers. Instead of hopping between consoles, teams can immediately see which access paths matter most, where blast radius is largest, and where action will have the greatest impact.
  • A new unified identity risk score correlates more than 100 trillion signals across Microsoft Security, including identity behavior, access risk, and threat signals, into a single, actionable view of risk. This allows teams to move directly from understanding exposure to enforcing protection, applying controls at the point of access natively through risk-based Conditional Access policies.
  • Adaptive risk remediation helps identity and security teams contain modern cyberattacks more efficiently while maintaining strong protection. When risk is detected, users easily regain access and Microsoft Entra ID Protection adapts risk remediation based on the type of cyberthreat and the credentials used. This reduces reliance on help desk processes and lowers manual response effort.
  • Automatic attack disruption fundamentally changes the outcome of identity-based attacks. Instead of detecting suspicious behavior and waiting for the security teams to respond, it intervenes while cyberattacks are in progress—terminating sessions, revoking access, and applying just-in-time hardening to shut down cyberattacker movement before lateral spread or privilege escalation can occur.
  • Security Copilot’s triage agent now extends to identity. Using AI to collapse signal overload into clear, recommended action, the agent surfaces high-confidence threats, explains why they matter, and guides analysts to the right response while attacks are still unfolding. The result is faster containment with far less analyst fatigue.
  • Expanded coverage across the modern identity fabric, including deeper visibility into non-human identities and new integrations with third-party platforms like SailPoint and CyberArk—providing protection that spans the full ecosystem, not just first-party assets.
  • A new coverage and maturity view helps organizations assess their current identity security posture, identify gaps, and prioritize next steps—transforming identity protection from a static checklist into a dynamic, guided journey.

These innovations are deeply integrated, continuously reinforced, and designed to work together—enabling security and identity teams to operate from a shared source of truth, with shared context, and shared urgency. Read more about redefining identity security for the modern enterprise.

They are designed to help organizations shift from reactive identity management to proactive identity defense—and from fragmented tools to a unified platform built for real-time security across human, non-human, and agentic identities.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Identity security is the new pressure point for modern cyberattacks appeared first on Microsoft Security Blog.



from Microsoft Security Blog https://ift.tt/Gnpv6NR
via IFTTT

When modernization meets cloud sovereignty: Introducing Citrix Platform for Public Sector

In the public sector, desktop computing isn’t just an IT concern; it’s critical infrastructure. Every endpoint underpins how agencies deliver services, protect sensitive data, and keep essential operations running for citizens who depend on them. Yet many government organizations are still constrained by aging desktop models that struggle to balance security, cost control, user experience, and resilience. As threat surfaces expand and work becomes more distributed, the traditional approach to managing desktops is increasingly misaligned with the realities of modern public service.

A solution for sovereign clouds

Today Citrix is announcing the Citrix Platform for Public Sector, a new solution designed for organizations that need secure access to applications and data while meeting stringent requirements, such as FedRAMP High, air-gapped deployments, or sovereign cloud mandates. Government agencies face tremendous pressure to modernize while navigating expanding cybersecurity and compliance requirements. Citrix Platform for Public Sector is designed to enable agencies to retain ownership of their cloud tenant and data, with Citrix providing engineering expertise to help build and manage the underlying infrastructure in a single-tenant model that ensures data isolation within country boundaries.

This new Citrix solution’s mission is to deliver virtual desktops, networking, and Zero Trust Network Access (ZTNA) technologies, providing secure access to applications and data. It is delivered as a fully automated deployment that follows Citrix’s best practices and is managed entirely within the respective sovereign region, offering strong technical controls, sovereign assurances, and protections designed to meet data isolation needs.

Our Citrix Co-President Sridhar Mullapudi says of this newest addition to the Citrix public sector portfolio: “Security and sovereignty are critical requirements for public sector modernization. Citrix Platform for Public Sector delivers virtual desktops, networking, and zero trust access in a single-tenant model designed for sovereign and air-gapped environments — so agencies can modernize securely while keeping control of their tenant, data boundary, and day-to-day operations.”

In the Gartner® 2025 Critical Capabilities for Desktop as a Service report, Citrix is ranked 1st across all five use cases, including remote workers, high security and compliance, high performance, custom enterprise architectures and on-premises/hybrid. In our opinion, this recognition in the report was earned through the superior user experience, security, performance, operational efficiency, and cost-effectiveness of our platform. Citrix Platform for Public Sector supports agencies with high-assurance security and operational consistency across deployment environments, including on-premises data centers and multi-cloud or hybrid approaches.

The solution also addresses a common problem in government environments: inconsistent capability delivery between commercial and classified environments.

Citrix Platform for Public Sector provides consistency regardless of where it’s deployed—supporting unclassified, secret, and top-secret networks; commercial and government clouds; sovereign clouds; edge devices; and on-premises data centers.

With Citrix Platform for Public Sector, customers have the control and assurance that only sovereign cloud tenant administrators and Citrix employees residing in their respective regions can manage day-to-day operations, including access to data centers and technical support for the Citrix Platform for Public Sector.

Availability

Citrix Platform for Public Sector is now available for Microsoft Azure, Amazon Web Services, Google Cloud Platform, Oracle Cloud Infrastructure, ThinkOn, and other sovereign, private, or commercial clouds. Find out more details about Citrix Platform for Public Sector on our TechZone blog.

Please contact your Citrix account team or Citrix partner for more information.



from Citrix Blogs https://ift.tt/CNzYmTi
via IFTTT

Running GenAI Models On-Premises with Microsoft Foundry Local

More organizations are looking at running GenAI models on their own infrastructure, whether to meet data residency requirements, reduce cloud spend, or simply maintain control over sensitive workloads. This article walks through how to do that on Windows Server 2025 using Microsoft Foundry Local: what it is, how it’s structured, and how to get your first model running.

Among Windows Server releases, Foundry Local is supported only on Windows Server 2025. When installed, it automatically selects the right model variant for your hardware: CUDA for NVIDIA GPUs, the NPU variant for Qualcomm, and a CPU fallback when no accelerator is present. Supported accelerators include NVIDIA GPUs (2000 series or newer), AMD GPUs (6000 series or newer), AMD NPUs, and Intel iGPUs.

Windows Server 2025 as a Local AI Platform

Windows Server 2025 introduced several capabilities that make it a legitimate platform for AI workloads: GPU partitioning (GPU-P), Discrete Device Assignment (DDA) for passing physical GPUs directly into VMs, and Hyper-V scaling up to 2,048 vCPUs per Gen 2 VM. These aren’t marginal improvements; they matter when you’re trying to run inference workloads on shared infrastructure without rebuilding your virtualization stack.

That said, Windows Server handles the OS and virtualization layer. For actual GenAI inference, you need an inference engine on top of that, which is what Foundry Local provides.

How Foundry Local Works

Foundry Local is built around three components that sit on top of each other.

ONNX Runtime is the inference engine underneath. It’s a high-performance runtime that supports deep neural networks, traditional ML models, and generative AI. Its key advantage is hardware abstraction: it integrates with TensorRT on NVIDIA, OpenVINO on Intel, and DirectML on Windows, so the same deployment works across different accelerator configurations without hardware-specific code.

Model Cache stores downloaded models locally so they’re available for inference immediately. You manage it through the Foundry CLI or the REST API. The cache location is configurable, which matters on servers where the OS drive has limited space.

Foundry Local Service sits on top of both. It exposes an OpenAI-compatible REST server, so any tool or SDK that works with OpenAI endpoints will work here with minimal changes. The endpoint is dynamically allocated when the service starts; find it with foundry service status.

Getting Started

Foundry Local isn’t installed by default, but winget makes it straightforward. Run the following in PowerShell or Windows Terminal:

# Install Foundry Local
winget install Microsoft.FoundryLocal

# Upgrade to a newer version when available
winget upgrade --id Microsoft.FoundryLocal

# Start the service
foundry service start

# Check status and find the active endpoint
foundry service status

# List available models from the Foundry catalog
foundry model list

The first time you run foundry model list, it downloads execution providers for your hardware. You’ll see a progress bar – this only happens once.

foundry model list — first-run download of hardware execution providers

Once the catalog is loaded, pull down a model and run it:

foundry model download phi-4-mini
foundry model run phi-4-mini

Downloading and running phi-4-mini

On this machine, an Azure VM without a GPU, Foundry selected the generic-cpu variant automatically. Inference runs directly on the CPU, which is fine for evaluation. Phi-4-mini is useful for verifying that the service works end-to-end, though it has a high hallucination rate and isn’t suitable for production use cases where accuracy matters.

Once the model is loaded, you get an interactive prompt for direct testing and a live REST endpoint for your applications.

Interactive mode and REST endpoint ready for use

The REST interface follows the OpenAI API convention. Key things to know:

  • Endpoint: It changes each time the service starts. Find it with foundry service status or the /openai/status endpoint; don’t hardcode it.
  • Usage: Send standard HTTP requests to run models and retrieve results. Any OpenAI-compatible SDK works out of the box.

The Foundry team has also published a browser-based WebUI for managing models without the CLI: FoundryWebUI on GitHub. It’s IIS-compatible and a good option if you prefer a visual interface.

Managing the Model Cache

A few commands worth knowing for day-to-day model management:

# List models currently in cache
foundry cache list

# Remove a specific model
foundry cache remove <model-name>

# Change the cache directory
foundry cache cd <path>

Model Lifecycle

Models move through five stages in Foundry Local:

Download: Pulls the model from the Foundry catalog to local disk. One-time operation per model version.

Load: Moves the model into memory for inference. A TTL (time-to-live) controls how long it stays loaded; the default is 600 seconds.

Run: Executes inference for incoming requests. This is where CPU or GPU resources are consumed.

Unload: Removes the model from memory when the TTL expires. It remains on disk and reloads on demand.

Delete: Removes the model from the local cache entirely to reclaim disk space.

Scenarios for On-Premises AI

Running AI inference on-premises makes sense for several concrete reasons, even for organizations already invested in cloud AI:

  1. Data residency. Finance, healthcare, and government organizations often operate under regulations that require sensitive data to stay within specific borders or facilities. Running inference on-premises means that data, including the payloads sent to the model, never leaves the datacenter.
  2. Low latency. For real-time applications like factory automation, edge equipment, or high-frequency systems, the round-trip to a cloud endpoint is often unacceptable. Local inference eliminates that delay.
  3. Disconnected environments. Ships, remote industrial sites, and air-gapped facilities can’t depend on cloud connectivity. Once models are cached locally, Foundry Local runs with no external dependencies.
  4. Control and auditability. Some organizations require full ownership of the infrastructure and software stack, particularly when working with proprietary or fine-tuned models they’re unwilling to process outside their own environment.

Limitations: What Foundry Local Is Not

It’s worth being direct: Foundry Local is designed for single-user or developer scenarios. It processes inference requests sequentially, one at a time, which creates a hard ceiling on concurrent load.

The root cause is the absence of continuous batching. Without it, every request is treated as an isolated operation regardless of how many arrive simultaneously. GPU utilization stays low, queue depth grows linearly with concurrent users, and latency for anyone waiting in the queue is entirely dependent on when the previous request finishes.

Under increasing load, this shows up in two ways:

  • Throughput drops as requests pile up and processing remains strictly sequential.
  • Latency grows rapidly, making the service feel slow to users beyond the first one.

Microsoft doesn’t position Foundry Local as a multi-user inference server, and it isn’t one. For prototyping, model evaluation, and single-user integrations it works well. For anything serving multiple users or applications at scale, you’ll need a different solution.
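The following script is an added example, not code from the article, from StarWind, or from Microsoft. It serves two passages above: the REST section (resolve the dynamically allocated endpoint at run time instead of hardcoding it, then call the OpenAI-style chat route) and the limitations section (a small concurrency probe that shows the sequential queue as rising per-client latency). It assumes that foundry service status prints the service URL somewhere in its output (only the presence of an http(s) URL is relied on, not the surrounding wording, and the sample status line in the code is constructed), that the chat route is /v1/chat/completions following the OpenAI convention the article describes, and that the running service accepts the alias phi-4-mini as the model id (if it rejects the alias, use the full name shown by foundry cache list). Nothing in the setup above adds authentication to the REST server, so the client refuses by default to send prompts anywhere but a loopback address.

```python
# Added example (not the article's or Microsoft's code): discover the Foundry
# Local endpoint at run time, call its OpenAI-compatible chat route, and probe
# how latency behaves when several clients hit the service at once.
#
# Assumptions (not stated by the article; verify against your install):
#   - `foundry service status` prints the service URL in its output; only the
#     presence of an http(s) URL is relied on, not the surrounding wording.
#   - the chat route is /v1/chat/completions (OpenAI convention).
#   - MODEL is an id the running service accepts; the alias is used here, fall
#     back to the full name from `foundry cache list` if it is rejected.
import json
import re
import subprocess
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlparse

MODEL = "phi-4-mini"  # assumption, see above
_URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Constructed sample of a status line; the real wording may differ, the parser
# only needs a URL to be present somewhere in the text.
SAMPLE_STATUS = "Model management service is running on http://127.0.0.1:55769/openai/status."


def base_url_from_status(status_text: str) -> str:
    """Return scheme://host:port parsed out of `foundry service status` output.

    The port is allocated fresh on every `foundry service start`, so it is
    resolved here rather than pinned in client configuration.
    """
    match = _URL_RE.search(status_text)
    if not match:
        raise RuntimeError("no service URL in status output; run `foundry service start` first")
    parsed = urlparse(match.group(0).rstrip(".,;"))
    return f"{parsed.scheme}://{parsed.netloc}"


def discover_base_url() -> str:
    """Shell out to the Foundry CLI and parse the current endpoint."""
    proc = subprocess.run(["foundry", "service", "status"], capture_output=True, text=True, check=True)
    return base_url_from_status(proc.stdout)


def is_loopback(base_url: str) -> bool:
    """True when the endpoint host is the local machine only."""
    return (urlparse(base_url).hostname or "") in {"localhost", "127.0.0.1", "::1"}


def build_chat_request(model: str, prompt: str, max_tokens: int = 128) -> dict:
    """Minimal OpenAI-style chat completion body."""
    return {
        "model": model,
        "messages": [{"role": "user", "content": prompt}],
        "max_tokens": max_tokens,
        "temperature": 0,
    }


def extract_reply(response: dict) -> str:
    """Pull the assistant text out of an OpenAI-style response object."""
    return response["choices"][0]["message"]["content"]


def chat(base_url: str, prompt: str, *, model: str = MODEL, allow_remote: bool = False, timeout: float = 300) -> str:
    """POST one chat completion and return the reply text.

    The article's setup adds no authentication to the REST server, so by
    default prompts (which may carry sensitive data) are only ever sent to a
    loopback address; pass allow_remote=True to override deliberately.
    """
    if not allow_remote and not is_loopback(base_url):
        raise RuntimeError(f"refusing to send prompt to non-loopback endpoint {base_url}")
    body = json.dumps(build_chat_request(model, prompt)).encode("utf-8")
    req = urllib.request.Request(
        f"{base_url}/v1/chat/completions", data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_reply(json.load(resp))


def probe_concurrency(base_url: str, n_clients: int, prompt: str = "Reply with the single word OK.") -> "list[float]":
    """Fire n_clients identical requests at once; return sorted per-request latency in seconds.

    Because the service answers one request at a time, the sorted latencies
    climb roughly linearly: the k-th client waits for the k-1 ahead of it.
    """
    def one(_: int) -> float:
        t0 = time.perf_counter()
        chat(base_url, prompt)
        return time.perf_counter() - t0
    with ThreadPoolExecutor(max_workers=n_clients) as pool:
        return sorted(pool.map(one, range(n_clients)))


if __name__ == "__main__":
    base = discover_base_url()
    print("endpoint:", base)
    print(chat(base, "In one sentence, what is ONNX Runtime?"))
    for k, latency in enumerate(probe_concurrency(base, 4), 1):
        print(f"client {k}: {latency:.1f}s")
```

Run it on the server after foundry model run phi-4-mini has loaded the model; the concurrency probe is the quickest way to confirm for yourself that a fourth simultaneous client waits for the three before it, which is the behaviour the section above describes.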

Alternatives for High-Throughput On-Premises Workloads

If the requirement is AI at scale with everything staying on-premises, there are two viable paths:

  • Dedicated AI platforms such as Red Hat OpenShift AI provide a managed, scalable environment for deploying ML models on-premises. They handle GPU virtualization, resource scheduling, and model lifecycle management at an enterprise level.
  • Custom inference services built on vLLM. vLLM has become the standard framework for high-throughput LLM inference. Its PagedAttention mechanism significantly improves GPU memory utilization and handles concurrent requests far more efficiently than standard runtimes, making it practical to build a scalable self-hosted inference service. The operational overhead is real, but so is the performance headroom.

Foundry Local is the right starting point for evaluating models and building on Windows Server. When you outgrow it, these are the natural next steps.



from StarWind Blog https://ift.tt/5Z3HEgt
via IFTTT