FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials

A joint law enforcement operation has dismantled LeakBase, one of the world's largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools.

The LeakBase forum, per the U.S. Department of Justice (DoJ), had over 142,000 members and more than 215,000 messages between members as of December 2025. Those attempting to access the forum's website ("leakbase[.]la") are now greeted with a seizure banner that says it was confiscated by the U.S. Federal Bureau of Investigation (FBI) as part of an international law enforcement effort.

"All forum content, including users' accounts, posts, credit details, private messages, and IP logs, has been secured and preserved for evidentiary purposes," the banner reads.

Available in English and accessible over the clearnet, LeakBase offered hacked databases, including hundreds of millions of account credentials and financial information such as credit and debit card numbers, banking account and routing information, usernames, and associated passwords that could be abused to facilitate account takeovers.

According to a report published by Flare in April 2023, LeakBase explicitly prohibited users from peddling or publishing Russian databases, likely in an attempt to avoid scrutiny. The forum has been active since 2021.

LeakBase is one of the aliases for Chucky, who also goes by the monikers Chuckies and Sqlrip across various underground forums. Per SOCRadar, the threat actor has a track record of sharing vast collections of databases, often containing sensitive information from global entities.

What's more, SpyCloud revealed early last month that the forum had been down for a few days and that Chucky was looking for a new hosting provider. Some of the other known administrators and moderators of LeakBase include BloodyMery, OrderCheck, and TSR.

As part of the disruption exercise codenamed Operation Leak that took place on March 3 and 4, 2026, authorities executed search warrants, made arrests, and conducted interviews in the U.S., Australia, Belgium, Poland, Portugal, Romania, Spain, and the U.K.

In a coordinated announcement, Europol said LeakBase specialized in the sale of stealer logs, which contain archives of credentials harvested through infostealer malware. The information could be weaponized to conduct account takeover, fraud, and other cyber intrusions.

The agency said around 100 enforcement actions were conducted across the world, including taking unspecified measures against 37 of the most active users of the platforms.

"The FBI, Europol, and law enforcement agencies from around the world executed a takedown of LeakBase, one of the largest online cybercriminal platforms, seizing users’ accounts, posts, credit details, private messages, and IP logs for evidentiary purposes," said Assistant Director Brett Leatherman of the FBI's Cyber Division.

from The Hacker News https://ift.tt/RJ0Xyz9
via IFTTT

149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict

Cybersecurity researchers have warned of a surge in retaliatory hacktivist activity following the U.S.-Israel coordinated military campaign against Iran, codenamed Epic Fury and Roaring Lion.

"The hacktivist threat in the Middle East is highly lopsided, with two groups, Keymous+ and DieNet, driving nearly 70% of all attack activity between February 28 and March 2," Radware said in a Tuesday report. The first distributed denial-of-service (DDoS) attack was launched by Hider Nex (aka Tunisian Maskers Cyber Force) on February 28, 2026.

According to details shared by Orange Cyberdefense, Hider Nex is a shadowy Tunisian hacktivist group that supports pro-Palestinian causes. It leverages a hack-and-leak strategy combining DDoS attacks with data breaches to leak sensitive data and advance its geopolitical agenda. The group emerged in mid-2025.

In all, a total of 149 hacktivist DDoS claims were recorded targeting 110 distinct organizations across 16 countries. The attacks were carried out by 12 different groups, including Keymous+, DieNet, and NoName057(16), which accounted for 74.6% of all activity.

Of these attacks, the vast majority, 107, were concentrated in the Middle East, disproportionately targeting public infrastructure and state-level targets. Europe was the target of 22.8% of the total global activity during the time period. Nearly 47.8% of all targeted organizations globally belonged to the government sector, followed by finance (11.9%) and telecommunications (6.7%) sectors.

"The digital front is expanding alongside the physical one in the region, with hacktivist groups simultaneously targeting more nations in the Middle East than ever before," Radware said. "The distribution of attacks within the region was heavily concentrated in three specific nations: Kuwait, Israel, and Jordan, with Kuwait accounting for 28%, Israel for 27.1%, and Jordan for 21.5% of the total attack claims."

Besides Keymous+, DieNet, and NoName057(16), some of the other groups that have engaged in disruptive operations include Nation of Saviors (NOS), the Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, the Cyber Islamic Resistance, Dark Storm Team, the FAD Team, Evil Markhors, and PalachPro, per data from Flashpoint, Palo Alto Networks Unit 42, and Radware.

The current scope of cyber attacks is listed below -

• Pro-Russian hacktivist groups like Cardinal and Russian Legion claimed to have breached Israeli military networks, including its Iron Dome missile defense system.
• An active SMS phishing campaign has been observed using a rogue replica of the Israeli Home Front Command RedAlert application to deliver mobile surveillance and data-exfiltrating malware. "By manipulating victims into sideloading this malicious APK under the guise of an urgent wartime update, the adversaries successfully deploy a fully functional alert interface that masks an invasive surveillance engine designed to prey on a hyper-vigilant population," CloudSEK said.
• Iran's Islamic Revolutionary Guard Corps (IRGC) targeted the energy and digital infrastructure sectors in the Middle East, striking Saudi Aramco and an Amazon Web Services data center in the U.A.E. with an intent to "inflict maximum global economic pain as a counter-pressure to military losses," Flashpoint said.
• Cotton Sandstorm (aka Haywire Kitten) revived its old cyber persona, Altoufan Team, claiming to have hacked websites in Bahrain. "This reflects the reactive nature of the actor's campaigns and a high probability of their further involvement in intrusions across the Middle East amid the conflict," Check Point said.
• Data gathered by Nozomi Networks shows that the Iranian state-sponsored hacking group known as UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail) was the fourth most active actor in the second half of 2025, focusing its attacks on defense, aerospace, telecommunications, and regional government entities to advance the nation's geopolitical priorities.
• Major Iranian cryptocurrency exchanges have remained operational but announced operational adjustments, either suspending or batching withdrawals, and issuing risk guidance urging users to prepare for possible connectivity disruption.
• "What we're seeing in Iran is not clear evidence of mass capital flight, but rather a market managing volatility under constrained connectivity and regulatory intervention," said Ari Redbord, Global Head of Policy at TRM Labs. "For years, Iran has operated a shadow economy that, in part, has used crypto to evade sanctions, including through sophisticated offshore infrastructure. What we’re seeing now – under the strain of war, connectivity shutdowns, and volatile markets – is a real-time stress test of that infrastructure and the regime's ability to leverage it."
• Sophos said it "observed a surge in hacktivist activity, but not an escalation in risk," primarily from pro-Iran personas, including Handala Hack team and APT Iran in the form of DDoS attacks, website defacements, and unverified claims of compromises involving Israeli infrastructure.
• The U.K. National Cyber Security Centre (NCSC) alerted organizations to a heightened risk of Iranian cyber attacks, urging them to strengthen their cybersecurity posture to better respond to DDoS attacks, phishing activity, and ICS Targeting.

In a post shared on LinkedIn, Cynthia Kaiser, ransomware research center SVP at Halcyon and former Deputy Assistant Director with the Federal Bureau of Investigation's Cyber Division, said Iran has a track record of using cyber operations to retaliate against "perceived political slights," adding these activities have increasingly incorporated ransomware. 

"Tehran has long preferred to turn a blind, or at least indifferent, eye to private cyber operations against targets in the US, Israel, and other allied countries," Kaiser added. "That's because having access to cyber criminals gives the government options. As Iran considers its response to US and Israeli military actions, it is likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact."

Cybersecurity company SentinelOne has also assessed with high confidence that organizations in Israel, the U.S., and allied nations are likely to face direct or indirect targeting, particularly within government, critical infrastructure, defense, financial services, academic, and media sectors.

"Iranian threat actors have historically demonstrated a willingness to blend espionage, disruption, and psychological impact operations to advance strategic objectives," Nozomi Networks said. "In periods of instability, these operations often intensify, targeting critical infrastructure, energy networks, government entities, and private industry far beyond the immediate conflict zone."

To counter the risk posed by the kinetic conflict, organizations are advised to activate continuous monitoring to reflect escalated threat activity, update threat intelligence signatures, reduce external attack surface, conduct comprehensive exposure reviews of connected assets, validate proper segmentation between information technology and operational technology networks, and ensure proper isolation of IoT devices.

"In past conflicts, Tehran's cyber actors have aligned their activity with broader strategic objectives that increase pressure and visibility at targets, including energy, critical infrastructure, finance, telecommunications, and healthcare," Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement shared with The Hacker News.

"Iranian adversaries have continued to evolve their tradecraft, expanding beyond traditional intrusions into cloud and identity-focused operations, which positions them to act rapidly across hybrid enterprise environments with increased scale and impact."

from The Hacker News https://ift.tt/dPmS0pR
via IFTTT

Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale

1. Operational overview of Tycoon2FA
2. Mitigation and protection guidance
3. Microsoft Defender detections

Following its emergence in August 2023, Tycoon2FA rapidly became one of the most widespread phishing-as-a-service (PhaaS) platforms, enabling campaigns responsible for tens of millions of phishing messages reaching over 500,000 organizations each month worldwide. The phishing kit—developed, supported, and advertised by the threat actor tracked by Microsoft Threat Intelligence as Storm-1747—provided adversary-in-the-middle (AiTM) capabilities that allowed even less skilled threat actors to bypass multifactor authentication (MFA), significantly lowering the barrier to conducting account compromise at scale.

Campaigns leveraging Tycoon2FA have appeared across nearly all sectors including education, healthcare, finance, non-profit, and government. Its rise in popularity among cybercriminals likely stemmed from disruptions of other popular phishing services like Caffeine and RaccoonO365. In collaboration with Europol and industry partners, Microsoft’s Digital Crimes Unit (DCU) facilitated a disruption of Tycoon2FA’s infrastructure and operations.

Figure 1. Monthly volume of Tycoon2FA-related phishing messages

Tycoon2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail. It also allowed threat actors using its service to establish persistence and to access sensitive information even after passwords are reset, unless active sessions and tokens were explicitly revoked. This worked by intercepting session cookies generated during the authentication process, simultaneously capturing user credentials. The MFA codes were subsequently relayed through Tycoon2FA’s proxy servers to the authenticating service.

To evade detection, Tycoon2FA used techniques like anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages. Targets are often lured through phishing emails containing attachments like .svg, .pdf, .html, or .docx files, often embedded with QR codes or JavaScript.

This blog provides a comprehensive up-to-date analysis of Tycoon2FA’s progression and scale. We share specific examples of the Tycoon2FA service panel, including a detailed analysis of Tycoon2FA infrastructure. Defending against Tycoon2FA and similar AiTM phishing threats requires a layered approach that blends technical controls with user awareness. This blog also provides Microsoft Defender detection and hunting guidance, as well as resources on how to set up mail flow rules, enforce spoof protections, and configure third-party connectors to prevent spoofed phishing messages from reaching user inboxes.

MICROSOFT DEFENDER

Autonomous defense & expert-led services ›

Operational overview of Tycoon2FA

Tycoon2FA customer panel

Tycoon2FA phishing services were advertised and sold to cybercriminals on applications like Telegram and Signal. Phish kits were observed to start at $120 USD for access to the panel for 10 days and $350 for access to the panel for a month, but these prices could vary.

Tycoon2FA is operated through a web‑based administration panel provided on a per user basis that centrally integrates all functionality provided by the Tycoon2FA PhaaS platform. The panel serves as a single dashboard for configuring, tracking, and refining campaigns. While it does not include built‑in mailer capabilities, the panel provides the core components needed to support phishing campaigns. This includes pre‑built templates, attachment files for common lure formats, domain and hosting configuration, redirect logic, and victim tracking. This design makes the platform accessible to less technically skilled actors while still offering sufficient flexibility for more experienced operators.

Figure 2. Tycoon2FA admin panel sign-in screen

After signing in, Tycoon2FA customers are presented with a dashboard used to configure, monitor, and manage phishing campaigns. Campaign operators can configure a broad set of campaign parameters that control how phishing content is delivered and presented to targets. Key settings include lure template selection and branding customization, redirection routing, MFA interception behavior, CAPTCHA appearance and logic, attachment generation, and exfiltration configuration. Campaign operators can choose from highly configurable landing pages and sign-in themes that impersonate widely trusted services such as Microsoft 365, Outlook, SharePoint, OneDrive, and Google, increasing the perceived legitimacy of attacks.

Figure 3. Phishing page theme selection and configuration settings

Campaign operators can also configure how the malicious content is delivered through attachments. Options include generating EML files, PDFs, and QR codes, offering multiple ways to package and distribute phishing lures.

Figure 4. Malicious attachment options

The panel also allows operators to manage redirect chains and routing logic, including the use of intermediate pages and decoy destinations. Support for automated subdomain rotation and intermediary Cloudflare Workers-based URLs enables campaigns to adapt quickly as infrastructure is identified or blocked. The following is a visual example of redirect and routing options, including intermediate pages and decoy destinations used within a phishing campaign.

Figure 5. Redirect chain and routing configuration

Once configured, these settings control the appearance and behavior of the phishing pages delivered to targets. The following examples show how selected themes (Microsoft 365 and Outlook) are rendered as legitimate-looking sign-in pages presented to targets.

Figure 6. Sample Tycoon2FA phishing pages

Beyond campaign configuration, the panel provides detailed visibility into victim interaction and authentication outcomes. Operators can track valid and invalid sign-in attempts, MFA usage, and session cookie capture, with victim data organized by attributes such as targeted service, browser, location, and authentication status. Captured credentials and session cookies can be viewed or downloaded directly within the panel and/or forwarded to Telegram for near‑real‑time monitoring. The following image shows a summary view of victim account outcomes for threat actors to review and track.

Figure 7. Tycoon2FA panel dashboard

Captured session information including account attributes, browsers and location metadata, and authentication artifacts are exfiltrated through Telegram bot.

Figure 8. Exfiltrated session information

In addition to configuration and campaign management features, the panel includes a section for announcements and updates related to the service. These updates reflect regular maintenance and ongoing changes, indicating that the service continues to evolve.

Figure 9. Tycoon2FA announcement and update panel

By combining centralized configuration, real-time visibility, and regular platform updates, the service enables scalable AiTM phishing operations that can adapt quickly to defensive measures. This balance of usability, adaptability, and sustained development has contributed to Tycoon2FA’s adoption across a wide range of campaigns.

Tycoon2FA infrastructure

Tycoon2FA’s infrastructure has shifted from static, high-entropy domains to a fast-moving ecosystem with diverse top-level domains (TLDs) and short-lived (often 24-72 hours) fully qualified domain names (FQDNs), with the majority hosted on Cloudflare. A key change is the move toward a broader mix of TLDs. Early tracking showed heavier use of regional TLDs like .es and .ru, but recent campaigns increasingly rotated across inexpensive generic TLDs that require little to no identity verification. Examples include .space, .email, .solutions, .live, .today, and .calendar, as well as second-level domains such as .sa[.]com, .in[.]net, and .com[.]de.

Tycoon2FA generated large numbers of subdomains for individual phishing campaigns, used them briefly, then dropped them and spun up new ones. Parent root domains might remain registered for weeks or months, but nearly all campaign-specific FQDNs were temporary. The rapid turnover complicated detection efforts, such as building reliable blocklists or relying on reputation-based defenses.

Subdomain patterns have also shifted toward more readable formats. Instead of high entropy or algorithmically generated strings, like those used in July 2025, newly observed subdomains used recognizable words tied to common workflows or services, like those observed in December 2025.

July 2025 campaign URL structure examples:

• hxxps://qonnfp.wnrathttb[.]ru/Fe2yiyoKvg3YTfV!/$EMAIL_ADDRESS
• hxxps://piwf.ariitdc[.]es/kv2gVMHLZ@dNeXt/$EMAIL_ADDRESS
• hxxps://q9y3.efwzxgd[.]es/MEaap8nZG5A@c8T/*EMAIL_ADDRESS
• hxxps://kzagniw[.]es/LI6vGlx7@1wPztdy

December 2025 campaign URL structure examples:

• hxxps://immutable.nathacha[.]digital/T@uWhi6jqZQH7/#?EMAIL_ADDRESS
• hxxps://mock.zuyistoo[.]today/pry1r75TisN5S@8yDDQI/$EMAIL_ADDRESS
• hxxps://astro.thorousha[.]ru/vojd4e50fw4o!g/$ENCODED EMAIL_ADDRESS
• hxxps://branch.cricomai[.]sa[.]com/b@GrBOPttIrJA/*EMAIL_ADDRESS
• hxxps://mysql.vecedoo[.]online/JB5ow79@fKst02/#EMAIL_ADDRESS
• hxxps://backend.vmfuiojitnlb[.]es/CGyP9!CbhSU22YT2/

Some subdomains resembled everyday processes or tech terms like cloud, desktop, application, and survey, while others echoed developer or admin vocabulary like python, terminal, xml, and faq. Software as a service (SaaS) brand names have appeared in subdomains as well, such as docker, zendesk, azure, microsoft, sharepoint, onedrive, and nordvpn. This shift was likely used to reduce user suspicion and to evade detection models that rely on entropy or string irregularity.

Tycoon2FA’s success stemmed from closely mimicking legitimate authentication processes while covertly intercepting both user credentials and session tokens, granting attackers full access to targeted accounts. Tycoon2FA operators could bypass nearly all commonly deployed MFA methods, including SMS codes, one-time passcodes, and push notifications. The attack chain was typical yet highly effective and started with phishing the user through email, followed by a multilayer redirect chain, then a spoofed sign-in page with AiTM relay, and authentication relay culminating in token theft.

Tycoon2FA phishing emails

In observed campaigns, threat actors gained initial access through phishing emails that used either embedded links or malicious attachments. Most of Tycoon2FA’s lures fell into four categories:

• PDF or DOC/DOCX attachments with QR codes
• SVG files containing embedded redirect logic
• HTML attachments with short messages
• Redirect links that appear to come from trusted services

Email lures were crafted from ready-made templates that impersonated trusted business applications like Microsoft 365, Azure, Okta, OneDrive, Docusign, and SharePoint. These templates spanned themes from generic notifications (like voicemail and shared document access) to targeted workflows (like human resources (HR) updates, corporate documents, and financial statements). In addition to spoofing trusted brands, phishing emails often leveraged compromised accounts with existing threads to increase legitimacy.

While Tycoon2FA supplied hosting infrastructures, along with various phishing and landing page related templates, email distribution was not provided by the service.

Defense evasion

From a defense standpoint, Tycoon2FA stood out for its continuously updated evasion and attack techniques. A defining feature was the use of constantly changing custom CAPTCHA pages that regenerated frequently and varied across campaigns. As a result, static signatures and narrowly scoped detection logic became less effective over time. Before credentials were entered, targets encounter the custom CAPTCHA challenge, which was designed to block automated scanners and ensure real users reach the phishing content. These challenges often used randomized HTML5 canvas elements, making them hard to bypass with automation. While Cloudflare Turnstile was once the primary CAPTCHA, Tycoon2FA shifted to using a rotating set of custom CAPTCHA challenges. The CAPTCHA acted as a gate in the flow, legitimizing the process and nudging the target to continue.

Figure 10. Custom CAPTCHA pages observed on Tycoon2FA domains

After the CAPTCHA challenge, the user was shown a dynamically generated sign-in portal that mirrored the targeted service’s branding and authentication flow, most often Microsoft or Gmail. The page might even include company branding to enhance legitimacy. When the user submitted credentials, Tycoon2FA immediately relayed them to the real service, triggering the genuine MFA challenge. The phishing page then displayed the same MFA prompt (for example, number matching or code entry). Once the user completed MFA, the attacker captured the session cookie and gained real-time access without needing further authentication, even if the password was changed later. These pages were created with heavily obfuscated and randomized JavaScript and HTML, designed to evade signature-based detection and other security tools.

The phishing kit also disrupted analysis through obfuscation and dynamic code generation, including nonfunctional dead code, to defeat consistent fingerprinting. When the campaign infrastructure encountered an unexpected or invalid server response (for example, a geolocation outside the allowed targeting zone), the kit replaced phishing content with a decoy page or a benign redirect to avoid exposing the live credential phishing site.

Tycoon2FA further complicated investigation by actively checking for analysis of environments or browser automation and adjusting page behavior if detected. These evasive measures included:

• Intercepting user input
  • Keystroke monitoring
  • Blocking copy/paste and right click functions
• Detecting or blocking automated inspection
  • Automation tools (for example, PhantomJS, Burp Suite)
  • Disabling common developer tool shortcuts
• Validating and filtering incoming traffic
  • Browser fingerprinting
  • Datacenter IP filtering
  • Geolocation restrictions
  • Suspicious user agent profiling
• Increased obfuscation
  • Encoded content (Base64, Base91)
  • Fragmented or concatenated strings
  • Invisible Unicode characters
  • Layered URL/URI encoding
  • Dead or nonfunctional script

If analysis was suspected at any point, the kit redirected to a legitimate decoy site or threw a 404 error.

Complementing these anti-analysis measures, Tycoon2FA used increasingly complex redirect logic. Instead of sending victims directly to the phishing page, it chained multiple intermediate hosts, such as Azure Blob Storage, Firebase, Wix, TikTok, or Google resources, to lend legitimacy to the redirect path. Recent changes combined these redirect chains with encoded Uniform Resource Identifier (URI) strings that obscured full URL paths and landing points, frustrating both static URL extraction and detonation attempts. Stacked together, these tactics made Tycoon2FA a resilient, fast-moving system that evaded both automated and manual detection efforts.

Credential theft and account access

Captured credentials and session tokens were exfiltrated over encrypted channels, often via Telegram bots. Attackers could then access sensitive data and establish persistence by modifying mailbox rules, registering new authenticator apps, or launching follow-on phishing campaigns from compromised accounts. The following diagram breaks down the AiTM process.

Figure 11. AiTM authentication process

Tycoon2FA illustrated the evolution of phishing kits in response to rising enterprise defenses, adapting its lures, infrastructure, and evasion techniques to stay ahead of detection. As organizations increasingly adopt MFA, attackers are shifting to tools that target the authentication process itself instead of attempting to circumvent it. Coupled with affordability, scalability, and ease of use, Tycoon2FA posed a persistent and significant threat to both consumer and enterprise accounts, especially those that rely on MFA as a primary safeguard.

Mitigation and protection guidance

Mitigating threats from phishing actors begins with securing user identity by eliminating traditional credentials and adopting passwordless, phishing-resistant MFA methods such as FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator passkeys.

Microsoft Threat Intelligence recommends enforcing phishing-resistant MFA for privileged roles in Microsoft Entra ID to significantly reduce the risk of account compromise. Learn how to require phishing-resistant MFA for admin roles and plan a passwordless deployment.

Passwordless authentication improves security as well as enhances user experience and reduces IT overhead. Explore Microsoft’s overview of passwordless authentication and authentication strength guidance to understand how to align your organization’s policies with best practices. For broader strategies on defending against identity-based attacks, refer to Microsoft’s blog on evolving identity attack techniques.

If Microsoft Defender alerts indicate suspicious activity or confirmed compromised account or a system, it’s essential to act quickly and thoroughly. The following are recommended remediation steps for each affected identity:

1. Reset credentials – Immediately reset the account’s password and revoke any active sessions or tokens. This ensures that any stolen credentials can no longer be used.
2. Re-register or remove MFA devices – Review users’ MFA devices, specifically those recently added or updated.
3. Revert unauthorized payroll or financial changes – If the attacker modified payroll or financial configurations, such as direct deposit details, revert them to their original state and notify the appropriate internal teams.
4. Remove malicious inbox rules – Attackers often create inbox rules to hide their activity or forward sensitive data. Review and delete any suspicious or unauthorized rules.
5. Verify MFA reconfiguration – Confirm that the user has successfully reconfigured MFA and that the new setup uses secure, phishing-resistant methods.

To defend against the wide range of phishing threats, Microsoft Threat Intelligence recommends the following mitigation steps:

• Review our recommended settings for Exchange Online Protection and Microsoft Defender for Office 365.
• Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links used in phishing and other attacks.
• Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
• Turn on Safe Links and Safe Attachments in Microsoft Defender for Office 365.
• Enable network protection in Microsoft Defender for Endpoint.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attack tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants
• Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing credentials.
• Configure automatic attack disruption in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization’s assets, and provide more time for security teams to remediate the attack fully.
• Configure Microsoft Entra with increased security.
• Pilot and deploy phishing-resistant authentication methods for users.
• Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.

Microsoft Defender detections

Microsoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

Tactic	Observed activity	Microsoft Defender coverage
Initial access	Threat actor gains access to account through phishing	Microsoft Defender for Office 365 – A potentially malicious URL click was detected – Email messages containing malicious file removed after delivery – Email messages containing malicious URL removed after delivery – Email messages from a campaign removed after delivery. – Email messages removed after delivery – Email reported by user as malware or phish – A user clicked through to a potentially malicious URL – Suspicious email sending patterns detected Microsoft Defender XDR – User compromised in AiTM phishing attack – Authentication request from AiTM-related phishing page – Risky sign-in after clicking a possible AiTM phishing URL – Successful network connection to IP associated with an AiTM phishing kit – Successful network connection to a known AiTM phishing kit – Suspicious network connection to a known AiTM phishing kit – Possible compromise of user credentials through an AiTM phishing attack – Potential user compromise via AiTM phishing attack – AiTM phishing attack results in user account compromise – Possible AiTM attempt based on suspicious sign-in attributes – User signed in to a known AiTM phishing page
Defense evasion	Threat actors create an inbox rule post-compromise	Microsoft Defender for Cloud Apps – Possible BEC-related inbox rule – Suspicious inbox manipulation rule
Credential access, Collection	Threat actors use AiTM to support follow-on behaviors	Microsoft Defender for Endpoint – Suspicious activity likely indicative of a connection to an adversary-in-the-middle (AiTM) phishing site

Additionally, using Microsoft Defender for Cloud Apps connectors, Microsoft Defender XDR raises AiTM-related alerts in multiple scenarios. For Microsoft Entra ID customers using Microsoft Edge, attempts by attackers to replay session cookies to access cloud applications are detected by Microsoft Defender XDR through Defender for Cloud Apps connectors for Microsoft Office 365 and Azure. In such scenarios, Microsoft Defender XDR raises the following alerts:

• Stolen session cookie was used
• User compromised through session cookie hijack

Microsoft Defender XDR raises the following alerts by combining Microsoft Defender for Office 365 URL click and Microsoft Entra ID Protection risky sign-ins signal.

• Possible AiTM phishing attempt
• Risky sign-in attempt after clicking a possible AiTM phishing URL

Microsoft Security Copilot

Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.

Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:

• Threat Intelligence Briefing agent
• Phishing Triage agent
• Threat Hunting agent
• Dynamic Threat Detection agent

Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments:

• Actor profile: Storm-1747
• Tool profile: Tycoon2FA
• Technique profile: Adversary-in-the-middle credential phishing

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Advanced hunting

Microsoft Defender customers can run the following advanced hunting queries to find activity associated with Tycoon2FA.

Suspicious sign-in attempts

Find identities potentially compromised by AiTM attacks:

AADSignInEventsBeta
| where Timestamp > ago(7d)
| where IsManaged != 1
| where IsCompliant != 1
//Filtering only for medium and high risk sign-in
| where RiskLevelDuringSignIn in (50, 100)
| where ClientAppUsed == "Browser"
| where isempty(DeviceTrustType)
| where isnotempty(State) or isnotempty(Country) or isnotempty(City)
| where isnotempty(IPAddress)
| where isnotempty(AccountObjectId)
| where isempty(DeviceName)
| where isempty(AadDeviceId)
| project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn, Browser

Suspicious URL clicks from emails

Look for any suspicious URL clicks from emails by a user before their risky sign-in:

UrlClickEvents
| where Timestamp between (start .. end) //Timestamp around time proximity of Risky signin by user
| where AccountUpn has "

from Microsoft Security Blog https://ift.tt/60go1T8
via IFTTT

Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1

Google said it identified a "new and powerful" exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.

The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It's not effective against the latest version of iOS. The findings were first reported by WIRED.

"The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses," according to GTIG. "The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks."

The kit is said to have circulated among multiple threat actors since February 2025, moving from a commercial surveillance operation to a government-backed attacker, and finally, to a financially motivated threat actor operating from China by December.

It's currently not known how the exploit kit changed hands, but the findings point to an active market for second-hand zero-day exploits, allowing other threat actors to reuse them for their own objectives. In a related report, iVerify said the exploit kit has similarities to previous frameworks developed by threat actors affiliated with the U.S. government.

"Coruna is one of the most significant examples we've observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations," iVerify said.

The mobile security vendor said the use of the sophisticated exploit framework marks the first observed mass exploitation against iOS devices, indicating that spyware attacks are shifting from being highly targeted to broad deployment.

Google said it first captured parts of an iOS exploit chain used by a customer of an unnamed surveillance company early last year, with the exploits integrated into a never-before-seen JavaScript framework. The framework is designed to fingerprint the device to determine if it's real and gather details, including the specific iPhone model and iOS software version it is running.

The framework then loads the appropriate WebKit remote code execution (RCE) exploit based on the fingerprint data, followed by executing a pointer authentication code (PAC) bypass. The exploit in question relates to CVE-2024-23222, a type confusion bug in WebKit that was patched by Apple in January 2024 with iOS 17.3 and iPadOS 17.3 and iOS 16.7.5 and iPadOS 16.7.5.

Fast forward to July 2025, the same JavaScript framework was detected on the domain "cdn.uacounter[.]com," which was loaded as a hidden iFrame on compromised Ukrainian websites. This included websites catering to industrial equipment, retail tools, local services, and e-commerce. A suspected Russian espionage group named UNC6353 is assessed to be behind the campaign.

What's interesting about the activity was that the framework was delivered only to certain iPhone users from a specific geolocation. The exploits deployed as part of the framework consisted of CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, the last of which is a use-after-free flaw in WebKit.

It's worth noting that CVE-2023-43000 was addressed by Apple in iOS 16.6 and iPadOS 16.6, released in July 2023. However, the security release notes were updated to include an entry for the vulnerability only on November 11, 2025.

The third time a JavaScript framework was detected in the wild was in December 2025. A cluster of fake Chinese websites, most of them related to finance, were found to drop the iOS exploit kit, while urging users to visit them from an iPhone or iPad for a better user experience. The activity is attributed to a threat cluster tracked as UNC6691.

Once these websites are accessed via an iOS device, a hidden iFrame is injected to deliver the Coruna exploit kit containing CVE-2024-23222. The exploit delivery, in this case, was not constrained by any geolocation criteria.

Further analysis of the threat actor's infrastructure led to the discovery of a debug version of the exploit kit, along with various samples covering five full iOS exploit chains. A total of 23 exploits covering versions from iOS 13 to iOS 17.2.1 have been identified.

Some of the CVEs exploited by the kit and the corresponding iOS versions they targeted are listed below -

"Photon and Gallium are exploiting vulnerabilities that were also used as zero-days as part of Operation Triangulation," Google said. "The Coruna exploit kit also embeds reusable modules to ease the exploitation of the aforementioned vulnerabilities."

In December 2023, the Russian government claimed the campaign was the work of the U.S. National Security Agency, accusing it of hacking "several thousand" Apple devices belonging to domestic subscribers and foreign diplomats as part of a "reconnaissance operation."

UNC6691 has been observed weaponizing the exploit to deliver a stager binary codenamed PlasmaLoader (aka PLASMAGRID) that's designed to decode QR codes from images and run additional modules retrieved from an external server, allowing it to exfiltrate cryptocurrency wallets or sensitive information from various apps like Base, Bitget Wallet, Exodus, and MetaMask, among others.

"The implant contains a list of hard-coded C2s but has a fallback mechanism in case the servers do not respond," GTIG added. "The implant embeds a custom domain generation algorithm (DGA) using the string 'lazarus' as a seed to generate a list of predictable domains. The domains will have 15 characters and use .xyz as a TLD. The attackers use Google's public DNS resolver to validate if the domains are active."

A notable aspect of Coruna is that it skips execution on devices in Lockdown Mode, or if the user is in private browsing. To counter the threat, iPhone users are advised to keep their devices up to date, and enable Lockdown Mode for enhanced security.

from The Hacker News https://ift.tt/bS17odH
via IFTTT

New RFP Template for AI Usage Control and AI Governance

As AI becomes the central engine for enterprise productivity, security leaders are finally getting the green light — and the budget — to secure it. But there’s a quiet crisis unfolding in the boardroom: many organizations know they need "AI Governance," but they have no idea what they are actually looking for.

The CISO’s Dilemma: You Have the AI Budget, but Do You Have the Requirements?

As AI becomes the central engine for enterprise productivity, security leaders are finally getting the green light—and the budget—to secure it. But there’s a quiet crisis unfolding in the boardroom: many organizations know they need "AI Governance," but they have no idea what they are actually looking for.

Without a structured way to evaluate the exploding market of AI Usage Control (AUC) solutions, teams risk "investing" in legacy tools that were never built for the age of agentic workflows and shadow browser extensions.

A new RFP Guide for Evaluating AI Usage Control and AI Governance Solutions has been released to solve this exact problem. It’s not just a checklist; it’s a technical framework designed to help security architects and CISOs move from vague "AI security" goals to specific, measurable project criteria.

Stop Fighting App Proliferation; Start Governing Interactions

The conventional wisdom says that to secure AI, you need to catalog every application your employees touch. This is a losing battle. The RFP Guide argues for a counterintuitive shift: AI security isn’t an "app" problem; it’s an interaction problem.

If you focus on the app, you’re always playing catch-up with the 500+ new GPT-based tools launched every week. If you focus on the interaction (i.e., the moment a prompt is typed or a file is uploaded) you gain control that is tool-agnostic.

The benefit for you: By using this RFP to demand "interaction-level inspection," you stop being a bottleneck for innovation and start being a guardian of data, regardless of which "Shadow AI" tool your marketing team just discovered.

Why Your Current Security Stack is Failing the AI Test

Many vendors claim they "do AI security" as a checkbox feature within their CASB or SSE. The RFP Guide helps you see through this marketing. Most legacy tools rely on network-layer visibility, which is blind to what happens inside a browser-side panel or an encrypted IDE plugin.

The Guide forces vendors to answer the hard questions:

• Can you detect AI usage in Incognito mode?
• Do you support "AI-native" browsers like Atlas, Dia, or Comet?
• Can you distinguish between a corporate identity and a personal one in the same session?

The benefit for you: This structured approach prevents "feature-wash" by forcing vendors to prove they can operate at the point of interaction without requiring heavy endpoint agents or disruptive network changes.

The 8 Pillars of a Mature AI Governance Project

The RFP Template provides a technical grading system across eight critical domains to ensure your chosen solution is future-proof:

Section	What You’re Actually Testing
1. AI Discovery & Coverage	Visibility across browsers, SaaS, extensions, and IDEs.
2. Contextual Awareness	Does the tool understand who is asking and why?
3. Policy Governance	Can you block PII but allow benign summaries?
4. Real-Time Enforcement	Stopping a leak before the "Enter" key is hit.
5. Auditability	Providing "compliance-ready" reports for the board.
6. Architecture Fit	Can it be deployed in hours without breaking the network?
7. Deployment & Management	Ensuring the tool isn't a burden on your IT staff.
8. Vendor Futureproofing	Readiness for autonomous, agent-driven workflows.

Governance Isn’t a Policy Document. It’s Enforceable, Measurable Controls.

The goal of this RFP isn't just to gather data; it's to grade it. The Guide includes a response format that requires vendors to provide more than just a "Yes/No." Rather, they must describe the how and provide references.

This level of structure takes the guesswork out of procurement. Instead of a subjective "feeling" about a vendor, you get a score-based comparison of how they handle real-world risks like prompt injections and unmanaged BYOD environments.

Your Next Step: Define Your Requirements Before the Market Defines Them for You

Use the RFP Guide for Evaluating AI Usage Control Solutions to take the lead. It will help you standardize your evaluation, accelerate your research, and ultimately enable safe AI adoption that scales with the business.

Download the RFP Guide and Template Here to start building your AI governance framework today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/1gy3uC9
via IFTTT

Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux

Cybersecurity researchers have flagged malicious Packagist PHP packages masquerading as Laravel utilities that act as a conduit for a cross-platform remote access trojan (RAT) that's functional on Windows, macOS, and Linux systems.

The names of the packages are listed below -

• nhattuanbl/lara-helper (37 Downloads)
• nhattuanbl/simple-queue (29 Downloads)
• nhattuanbl/lara-swagger (49 Downloads)

According to Socket, the package "nhattuanbl/lara-swagger" does not directly embed malicious code, lists "nhattuanbl/lara-helper" as a Composer dependency, causing it to install the RAT. The packages are still available for download from the PHP package registry.

Both lara-helper and simple-queue have been found to contain a PHP file named "src/helper.php," which employs a number of tricks to complicate static analysis by making use of techniques like control flow obfuscation, encoding domain names, command names, and file paths, and randomized identifiers for variable and function names. 

"Once loaded, the payload connects to a C2 server at helper.leuleu[.]net:2096, sends system reconnaissance data, and waits for commands -- giving the operator full remote access to the host," security researcher Kush Pandya said.

This includes sending system information and parsing commands received from the C2 server for subsequent execution on the compromised host. The communication occurs over TCP using PHP's stream_socket_client(). The list of supported commands is below -

• ping, to send a heartbeat automatically every 60 seconds
• info, to send system reconnaissance data to the C2 server
• cmd, to run a shell command
• powershell, to run a PowerShell command
• run, to run a shell command in the background
• screenshot, to capture the screen using imagegrabscreen()
• download, to read a file from disk
• upload, to a file on disk and grant it read, write, and execute permissions to all users
• stop, to the socket, and exit

"For shell execution, the RAT probes disable_functions and picks the first available method from: popen, proc_open, exec, shell_exec, system, passthru," Pandya said. 'This makes it resilient to common PHP hardening configurations."

While the C2 server is currently non-responsive, the RAT is configured such that it retries the connection every 15 seconds in a persistent loop, making it a security risk. Users who have installed the packages are advised to assume compromise, remove them, rotate all secrets accessible from the application environment, and audit outbound traffic to the C2 server.

Besides the aforementioned three packages, the threat actor behind the operation has published three other libraries ("nhattuanbl/lara-media," "nhattuanbl/snooze," and "nhattuanbl/syslog") that are clean, likely in an effort to build credibility and trick users into installing the malicious ones.

"Any Laravel application that installed lara-helper or simple-queue is running a persistent RAT. The threat actor has full remote shell access, can read and write arbitrary files, and receives an ongoing system profile for each connected host," Socket said.

"Because activation happens at application boot (via service provider) or class autoloads (via simple-queue), the RAT runs in the same process as the web application with the same filesystem permissions and environment variables, including database credentials, API keys, and .env contents."

from The Hacker News https://ift.tt/UV54pte
via IFTTT

Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations

Threat hunters have called attention to a new campaign as part of which bad actors masqueraded as fake IT support to deliver the Havoc command-and-control (C2) framework as a precursor to data exfiltration or ransomware attack.

The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from an IT desk that activates a layered malware delivery pipeline.

"In one organization, the adversary moved from initial access to nine additional endpoints over the course of eleven hours, deploying a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence, with the speed of lateral movement strongly suggesting the end goal was data exfiltration, ransomware, or both," researchers Michael Tigges, Anna Pham, and Bryan Masters said.

It's worth noting that the modus operandi is consistent with email bombing and Microsoft Teams phishing attacks orchestrated by threat actors associated with the Black Basta ransomware operation in the past. While the cybercrime group appears to have gone silent following a public leak of its internal chat logs last year, the continued presence of the group's playbook suggests two possible scenarios.

One possibility is that former Black Basta affiliates have moved on to other ransomware operations and are using them to mount fresh attacks, or two, rival threat actors have adopted the same strategy to conduct social engineering and obtain initial access. 

The attack chain begins with a spam campaign aiming to overwhelm a target's inboxes with junk emails. In the next step, the threat actors, masquerading as IT support, contact the recipients and trick them into granting remote access to their machines either via a Quick Assist session or by installing tools like AnyDesk to help remediate the problem.

With the access in place, the adversary wastes no time launching the web browser and navigating to a fake landing page hosted on Amazon Web Services (AWS) that impersonates Microsoft and instructs the victim to enter their email address to access Outlook's anti-spam rules update system and update the spam rules.

Clicking a button to "Update rules configuration" on the counterfeit page triggers the execution of a script that displays an overlay asking the user to enter their password.

"This mechanism serves two purposes: it allows the threat actor (TA) to harvest credentials, which, when combined with the required email address, provides access to the control panel; concurrently, it adds a layer of authenticity to the interaction, convincing the user the process is genuine," Huntress said.

The attack also hinges on downloading the supposed anti-spam patch, which, in turn, leads to the execution of a legitimate binary named "ADNotificationManager.exe" (or "DLPUserAgent.exe" and "Werfault.exe") to sideload a malicious DLL. The DLL payload implements defense evasion and executes the Havoc shellcode payload by spawning a thread containing the Demon agent.

At least one of the identified DLLs ("vcruntime140_1.dll") incorporates additional tricks to sidestep detection by security software using control flow obfuscation, timing-based delay loops, and techniques like Hell's Gate and Halo's Gate to hook ntdll.dll functions and bypass endpoint detection and response (EDR) solutions.

"Following the successful deployment of the Havoc Demon on the beachhead host, the threat actors began lateral movement across the victim environment," the researchers said. "While the initial social engineering and malware delivery demonstrated some interesting techniques, the hands-on-keyboard activity that followed was comparatively straightforward."

This includes creating scheduled tasks to launch the Havoc Demon payload every time the infected endpoints are rebooted, providing the threat actors with persistent remote access. That said, the threat actor has been found to deploy legitimate remote monitoring and management (RMM) tools like Level RMM and XEOX on some compromised hosts instead of Havoc, thus diversifying their persistence mechanisms.

Some important takeaways from these attacks are that threat actors are more than happy to impersonate IT staff and call personal phone numbers if it improves the success rate, techniques like defense evasion that were once limited to attacks on large firms or state-sponsored campaigns are becoming increasingly common, and commodity malware is customized to bypass pattern-based signatures.

Also of note is the speed at which attacks progress swiftly and aggressively from initial compromise to lateral movement, as well as the numerous methods used to maintain persistence.

"What begins as a phone call from 'IT support' ends with a fully instrumented network compromise – modified Havoc Demons deployed across endpoints, legitimate RMM tools repurposed as backup persistence," Huntress concluded. "This campaign is a case study in how modern adversaries layer sophistication at every stage: social engineering to get in the door, DLL sideloading to stay invisible, and diversified persistence to survive remediation."

from The Hacker News https://ift.tt/iCKQF2y
via IFTTT

How to properly boot a migrated Windows vSphere VM in Proxmox

To properly boot a migrated Windows vSphere VM in Proxmox during a migration, you must follow a specific procedure.

Windows VMs are quite sensitive to virtual platform changes. This is because the storage controller configured in the source environment often causes issues, the mismatch between the original controller and the new Proxmox drivers (which are not yet loaded) must be resolved to avoid boot failures.

If you are migrating Linux-based VMs, you typically won’t face major booting issues. Usually, you only need to update the network configuration to reflect the new NIC names assigned by the Proxmox environment.

Prerequisites

Before migrating a Windows vSphere VM to Proxmox, install the Proxmox (VirtIO) drivers for Windows and uninstall VMware Tools. To streamline this transition, you can utilize automation scripts.

Use a solution like Veeam Backup & Replication to backup the VM and restore it directly to the Proxmox node.

Alternatively, you can use a utility such as the StarWind V2V Converter to handle the disk format transition.

Before powering on the VM

Once the VM has been migrated to Proxmox, certain configurations are required to ensure a successful first boot.

Attempting to power on the VM without first selecting the correct storage controller will result in a boot failure (BSOD). This occurs because the Windows OS has not yet loaded the drivers for the Proxmox-specific controller.

Boot a migrated Windows vSphere VM in Proxmox

To ensure Windows can properly boot a migrated Windows vSphere VM in Proxmox, you must temporarily switch the disk interface to SATA.

Navigate to the Hardware section and select the primary Hard Disk and click Detach.

 

Click Yes to confirm. The disk will appear as Unused Disk.

 

Double click the Unused Disk and select SATA in the Bus/Device dropdown menu. Click Add.

 

The Hard Disk is now configured to use the SATA controller, which is natively supported by Windows without additional drivers.

 

In the Options section, double click Boot Order and tick the checkbox for the sata0 Device. Click OK.

 

The Boot Order is now properly configured. Power on the VM.

 

The VM will now boot using the newly configured SATA disk. If the configuration is correct, the Windows login screen should appear within a few moments.

HotAdd VirtIO controller

For optimal disk I/O performance, you should transition from the SATA interface to the VirtIO controller once the initial boot is successful.

Since Windows won’t recognize a VirtIO boot disk without the driver already being present in the OS, you must force the OS to load it to properly to boot a migrated Windows vSphere VM in Proxmox.

With the VM powered on, navigate to Hardware and select Add > Hard Disk.

 

Hot add add a small 1 GB Disk size to the selected Storage and set the Bus/Device to VirtIO Block. Click Add. Windows will detect new hardware.

 

Restart the VM to ensure the driver is fully initialized and active.

 

Once the driver is active in Windows, you can move your primary OS disk to the faster controller. Shut down the VM.

Configure the VirtIO Controller

Select the 1 GB disk and click Detach.

 

Click Yes to confirm.

 

Select the resulting Unused Disk and click Remove.

 

Click Yes to confirm.

 

Select your main SATA drive and click Detach.

 

Click Yes to confirm.

 

Double click the Unused Disk and change the Bus/Device from SATA to VirtIO Block. Click Add.

 

The Hard Disk is now configured to use the VirtIO controller.

 

Double click the SCSI Controller and select VirtIO SCSI single as controller Type. Click OK.

 

Go to Options > Boot Order, and enable the new virtio0 Device and click OK.

 

Once both the SCSI Controller and the Hard Disk are configured to use VirtIO, you can power on the virtual machine.

Power on the VM

The VM now utilizes the VirtIO SCSI controller, and which offers the lowest overhead and highest throughput available in a Proxmox environment.

 

By following this procedure you bypass the common Inaccessible Boot Device (BSOD) errors that typically occur when you boot a migrated Windows vSphere VM in Proxmox.

from StarWind Blog https://ift.tt/7S61DHY
via IFTTT