Wednesday, July 8, 2026

HPC AI Workloads Need Runtime Security. The Architecture Already Exists.

The US Federal Government is committing $600 million to build one of the world’s most advanced AI infrastructure systems. Executive Order 14363, the Genesis Mission, connects national laboratory supercomputers across nuclear simulation, biodefense, energy grid modeling, and every major scientific domain. Fifty-one organizations signed on, including NVIDIA, OpenAI, IBM, Microsoft, AWS, Google, and Oracle.

The security framework governing these workloads was not written for this scale of use.

NIST SP 800-234, the High-Performance Computing Security Overlay, is well-constructed, tailoring 60 controls across four security zones, building on the SP 800-53B moderate baseline. It was designed for deterministic HPC workloads such as climate simulations, finite element analysis, and computational fluid dynamics. These workloads share a common attribute: code that runs the same way, every time, and behaves predictably under well-understood inputs. The security controls governing those workloads assume you can scan at the perimeter, clear memory between jobs, and attest to integrity at load time.

AI workloads break every one of those assumptions.

SentinelOne has submitted a formal proposal to the NIST HPC Security Working Group regarding this gap, and NIST has acknowledged it. We have a post on LinkedIn to share our proposal, and welcome commentary from across the industry.

The supply chain problem just got a lot more dangerous

This spring, in just three weeks, three AI-driven supply chain attacks targeted widely deployed software: LiteLLM, the most-used AI infrastructure package in Python development environments, Axios, the most-downloaded HTTP client in the JavaScript ecosystem, and CPU-Z, a trusted system diagnostic tool with a legitimate signed binary from the official vendor domain.

SentinelOne stopped all three on the same day each attack launched, with no prior knowledge of any payload.

The most important aspect of this outcome is how these attacks were stopped, and why signature-based detection couldn’t work. Each attack arrived through a trusted delivery channel. LiteLLM was compromised after credentials were stolen via Trivy, a security scanner. The attacker published two malicious versions to the PyPI repository. In at least one confirmed case, an AI coding agent with unrestricted permissions auto-updated to the infected version, meaning there was no human review or approval step before the payload ran. The Axios attacker exploited a legacy access token that the project maintainers had forgotten to revoke, bypassing every npm security control. CPU-Z attackers targeted the vendor’s distribution infrastructure directly; anyone who downloaded from the official website received a properly signed binary containing a payload. In all three cases, while the authorization chain was legitimate, the intent was not.

This is the defining characteristic of modern supply chain attacks: the workflow is verified, but the intent has been subverted. Every perimeter control, signature library, and reputation lookup checks authorization and passes. These attacks were designed to exploit that gap, and they ran at machine speed through automated pipelines with no human checkpoint.

To put this into the context of HPC and AI workloads running at scale, a compromised Python package in a developer’s environment is a serious incident; a poisoned training pipeline on classified biodefense data on a national laboratory supercomputer is on a different order of magnitude. The model it produces may be correct 99.9 percent of the time and adversarially wrong under precisely targeted conditions. No perimeter scan, signature check, or load-time integrity verification will catch it after training completes.

Where the current framework falls short

Of the 60 controls SP 800-234 tailors, three bear directly on AI workload protection, and each carries a documented gap. In a fourth area, supply chain, the overlay does not tailor at all.

  • SI-3 (Malware scanning): The control acknowledges that real-time scanning is most effective but explicitly permits tailoring for performance on HPC systems, deferring to perimeter scanning before data reaches the compute zone. For traditional HPC workloads, that tradeoff may be defensible, but for AI workloads, it leaves behavioral analysis of the execution process completely unaddressed. A poisoned training run that executes within the expected statistical range of a training job looks like legitimate compute to a perimeter scanner.
  • SI-4 (System monitoring): The control notes that high-speed data flows in HPC environments can overwhelm standard monitoring tools, and lacks AI-specific monitoring requirements or telemetry collection requirements from execution pipelines. The practical interpretation of this is: monitor what you can, accept the gap for what you can’t. On infrastructure running AI at scale, that gap creates a primary attack surface.
  • SC-4 (Information in shared resources): Requires GPU memory clearing between user reassignments. It addresses data residency at the transition but does not address runtime behavioral monitoring of workloads during execution, side-channel attack detection, or anomalous compute-pattern identification while training is active.
  • SR family (Supply chain risk management): The overlay carries all 12 moderate-baseline SR controls forward from SP 800-53B, with no HPC or AI-specific guidance, and supply chain is not among the 14 categories it tailors to. The SR controls still address only the conventional software and hardware supply chain; they say nothing about training-data provenance, model-weight integrity, or pre-trained-model validation, and the framework defines no AI equivalent of a software bill of materials. LiteLLM, Axios, and CPU-Z all arrived through legitimate software supply chain channels. AI workloads carry that same exposure one layer deeper, in the data and model artifacts that software trains on, which is exactly where the overlay is silent

AI Runtime Threats

The attacks against AI workloads on HPC are not theoretical, and they are not detectable at the perimeter.

  • Training data poisoning scales at rates most security teams are not equipped to respond to. Research1 across 41 studies documents attack success rates exceeding 60 percent from manipulation of 100 to 500 training samples, a fraction of a percent of a typical dataset. Poisoning as little as 3 percent2 of training data achieved 41 percent attack success rates in code-generating models. OWASP’s LLM Top 103 documents the consequence. Backdoors leave model behavior intact until a specific trigger activates adversarial outputs. The model ships, it gets deployed, and operates correctly, until it doesn’t. No post-training audit reliably catches a well-designed poisoning attack.
  • GPU side-channel attacks are executed remotely by a co-tenant workload on shared GPU infrastructure; no physical access is required. The NVBleed research demonstrated covert channel attacks on NVIDIA NVLink, achieving over 91 percent accuracy in recovering data-dependent information from co-tenant GPU workloads on a shared fabric. The BarraCUDA research demonstrated the extraction of neural network weights via electromagnetic side channels from NVIDIA hardware. Both attack classes execute during active training, not at job transition. If your HPC environment runs multiple projects or security classifications on shared accelerators, the co-tenancy model is an active attack surface today.
  • Inference pipeline compromise survives load-time integrity checks. A model with clean weights at deployment faces attacks through three vectors: hot-swap modification of serving configurations while inference runs; preprocessing and postprocessing layer injection that alters inputs before they reach the model or modifies outputs before delivery; and adversarial input manipulation that triggers targeted misbehavior in a model that appears fully operational. For AI serving safety-critical inference, each is a security risk, not just a research concern.

The characteristic that makes AI workloads uniquely difficult is persistence. A compromised simulation may produce visibly wrong results, but a compromised model can produce correct results the overwhelming majority of the time and adversarially wrong results under precisely targeted conditions. By the time anyone has reason to investigate, the window for recovery has often closed.

Securing HPC AI Workloads

We know the technology required to address these gaps exists and has been proven at scale in environments with performance constraints far tighter than those in HPC. What is needed is a well-defined architecture that enables the secure execution of large-scale AI workloads.

Dedicated security compute. Runtime security that shares CPU resources with the workload it monitors can be starved of CPU time under heavy load and interfered with by a workload that achieves kernel-level access. The SPiCa research demonstrated that eBPF monitoring pipelines can be manipulated from within the kernel by rootkits filtering events before they reach the analysis engine, meaning that a co-scheduled monitor is not a reliable monitor.

Every other infrastructure function on an HPC node has dedicated resources. The job scheduler, the filesystem client, and the out-of-band management plane. Security monitoring is infrastructure and should be afforded the same dedicated resources.

Modern HPC nodes have 128 to 256 CPU cores. One reserved for security monitoring is less than one percent of the available compute. Linux kernel CPU isolation via isolcpus, nohz_full, and rcu_nocbs is production-proven in high-frequency trading and real-time systems, with bounded, predictable overhead.

eBPF-based behavioral telemetry at the training layer. Effective monitoring of an AI training pipeline means continuous observation of compute behavior profiles, memory access patterns, GPU utilization, and inter-node communication, with behavioral baselines established for approved training configurations. A poisoning attack that executes within expected statistical ranges is not visible to a perimeter scanner, but it is visible to a behavioral baseline that knows what the training job should look like.

This is the same principle that SentinelOne’s on-device Behavioral AI detected for LiteLLM, Axios, and CPU-Z. The LiteLLM detection flagged a Python interpreter executing Base64-decoded code in a spawned subprocess. The CPU-Z detection flagged an anomalous process chain: cpuz_x64.exe spawning PowerShell, which spawned csc.exe, which spawned cvtres.exe. CPU-Z doesn’t do that. The behavioral baseline knew what legitimate execution looked like, and in these cases, that behavior was the decisive signal.

Cloudflare uses an eBPF-based architecture to mitigate DDoS attacks exceeding 7 Tbps. SentinelOne uses it to detect and stop threats in under one second across enterprise fleets. A training job that begins writing to unexpected locations, establishing anomalous inter-node communication, or deviating from its expected compute profile is detectable at runtime, before the model completes training. The performance argument against runtime monitoring on HPC was never about the technology; it requires a shift in architecture.

Inference-time output monitoring. Deployed models require continuous observation of output distributions, latency patterns, confidence score distributions, and input-output statistical properties. A model under adversarial input attack, or serving modified weights, exhibits detectable output patterns before any human analyst notices the outputs are wrong. Circuit-breaker logic needs to be designed into the serving architecture, not added after the first incident.

Model integrity verification that runs during inference. Load-time attestation is a necessary and important requirement; it is not sufficient. Long-running inference deployments are vulnerable to hot-swap attacks that replace weights after the initial integrity check passes. Continuous cryptographic hash verification of loaded model weights, running on the dedicated security core with automated circuit-breaker logic on failure, closes that vector. For a model serving safety-critical calculations, the re-verification frequency should match the workload’s risk profile with predictable overhead.

An SR-family extension for the AI supply chain. The existing SR controls address software supply chain risk. They do not address training data provenance, model weight integrity at ingestion, or pre-trained model validation. An AI bill of materials, including cryptographic documentation from the training data source through intermediate checkpoints to the deployed model, is the model-layer equivalent of software supply chain controls. Without it, every pre-trained model loaded into an HPC environment is an unverified artifact from an unverified chain.

Defending AI at Every Layer

The supply chain attacks this spring demonstrated what happens when defense architecture falls behind the delivery mechanisms attackers use. LiteLLM, Axios, and CPU-Z all arrived through trusted channels, carrying payloads no signature database contained. They were stopped because behavioral detection does not require prior knowledge of the payload. It requires knowing what legitimate execution looks like and acting when execution deviates.

Defenders protecting AI workloads face that same problem across every layer they own. HPC is the hardest version of it. But identities, endpoints, applications, and infrastructure all carry the same exposure at different scales. SentinelOne gives defenders coverage across all four, with behavioral AI running at each layer to catch what signatures miss. The specifics of how that works across your AI environment are in our AI security overview.

Citations

1 “Data Poisoning 2018–2025: A Systematic Review. IACIS (2025)”, and “Data Poisoning Vulnerabilities Across Health Care AI Architectures. JMIR (2026)

2 “Poisoning Attacks on LLMs Require a Near-Constant Number of Poison Samples” (2025). arXiv:2510.07192 and Huang et al., 2020.

3 OWASP (2025) LLM04:2025 Data and Model Poisoning. OWASP Gen AI Security Project.



from SentinelOne https://ift.tt/neQRVmH
via IFTTT

New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware

AI coding assistants have a habit of making things up. Ask one to fetch a popular tool, and it will sometimes hand back a real-sounding name for a project that does not exist.

New research, which its authors call HalluSquatting, turns that habit into an attack: work out the fake names an AI reliably invents, register them first, and wait for the assistant to fetch your trap on a user's behalf.

Anyone whose AI assistant can fetch an outside resource and then run commands with little human review is exposed. In tests, that path led the assistant to run attacker-supplied code on the machine.

Repeat it with a popular enough resource, and one planted name can reach many machines, which is why the researchers frame it as a way to assemble a botnet.

How it works

The attack chains two AI quirks. The first is a hallucination: an AI making something up and presenting it as real. The second is a prompt injection: a booby-trapped instruction that hijacks the AI, so it follows an attacker instead of the user.

Here, the injection is the indirect kind, riding in on content the assistant fetches rather than anything the user types.

  1. Pick a target. The attacker finds a repository or plugin that is trending, so lots of people are asking their AI to fetch it. Trending matters, because a brand-new resource is not in the AI's training data, which is exactly when the model starts guessing at names.
  2. Learn the mistake. The attacker asks an AI to fetch that resource over and over and records the fake name it invents most often.
  3. Claim the fake name. The attacker registers that name on GitHub or a plugin store and hides adversarial instructions inside it.
  4. Wait. A real user asks their assistant to grab the popular resource. The assistant invents the same fake name and pulls in the attacker's version instead. Its hidden instructions fold into what the assistant thinks it was told to do, and the hijacked assistant uses its own command-running tool to carry them out.

The trap is not code that runs by itself. It works because these assistants keep a terminal among their built-in tools, so once the planted instructions take over, "install a bot" is simply something the assistant can do.

What makes it practical is that the fake names are not random. In the researchers' experiments, the mistake was consistent: across different phrasings and across models from different companies, the assistant reached for the same wrong name in up to 85% of repository requests and 100% of skill installs. Those are the peak rates the authors report; the paper carries the full breakdown.

They ran it against tools including Cursor, Windsurf, GitHub Copilot, Cline, Google's Gemini CLI, and the OpenClaw family of assistants, getting each to run attacker code. The test payloads were harmless placeholders, not real malware; a live one would take the same path.

The research comes from Aya Spira and colleagues in Ben Nassi's group at Tel Aviv University, with Stav Cohen at Technion and Ron Bitton at Intuit. Nassi's group has done this before, building a self-spreading AI email worm and a calendar invite that hijacked Google's Gemini.

The team says it told the affected vendors, model makers, and marketplace operators before going public, and held back the exact steps needed to copy the attack.

Why is it a new kind of botnet

Traditional botnets take work to build. They lean on weak passwords, or malware that worms from machine to machine, and they usually herd one kind of device, the way Mirai herded cameras and routers.

This needs none of that. No passwords, no worming, and because the payload arrives as text the AI reads rather than a network exploit, it is not the kind of thing a firewall is watching for. The machines it lands on can run any operating system, not one uniform fleet.

The AI is the delivery van here, not the cargo. The planted instructions trick it into installing an ordinary bot, and once that bot is running, the machine belongs to a botnet like any other. What is new is the combination that gets it there: a name an AI predictably invents, a marketplace where anyone can register that name, and an agent with permission to fetch and run.

The pieces are not new, even if the combination is. Attackers first learned to register fake software package names that AIs invent, a trick called "slopsquatting."

In January 2026, Aikido Security's Charlie Eriksen found one such made-up npm package, react-codeshift, that AI-written instructions had already spread to 237 code projects, with agents still trying to install it daily; he registered it himself before any attacker could, so it caused no harm.

The idea then jumped from packages to web addresses. Palo Alto Networks' Unit 42 recently described "phantom squatting," roughly 250,000 hallucinated domains sitting unregistered and free for the taking (THN's write-up is here).

HalluSquatting is the version that reaches all the way to running code by hijacking the agent doing the fetching. And the marketplaces meant to screen bad uploads are not much of a backstop: in June, Trail of Bits slipped malicious "skills" past several store scanners in under an hour.

What to do

It all turns on one condition: an agent that fetches an outside resource and runs it with no one checking. Close that, and the attack stops. The most effective fix is also the simplest: make the assistant search before it fetches.

A real lookup grounds the agent in what actually exists and sharply cuts the guessing. That is a job for the people building these tools, who can also train the planner (the part that maps a request to steps) to look a resource up first and to treat words like clone, install, and fetch as flags.

Users and security teams have nearer-term levers. By default, these agents ask before running a command. The exposure is the auto-run modes (Claude Code's skip-permissions flag, Gemini CLI's yolo mode) that switch that off, so the first rule is not to let an agent run unattended on anything it fetched.

Some tools now add a safety layer that inspects what the agent reads or is about to do before it acts, like Claude Code's auto mode and Gemini CLI's Conseca check, but that lowers the risk rather than removing it. No single switch closes this, so also verify that a repository or package name resolves to the real, expected source before an agent pulls it in, and treat any name an AI hands you as a guess, not a fact.

Platforms have their own lever. They can stop letting people reuse well-known repository names under new accounts, and pre-register the fake names AIs are likely to invent (the same defense already used against typosquatting), so those names point back to the real project.

The researchers call their results a lower bound: "Attacks always get better; they never get worse." There is no single CVE to patch here. They frame it not as one product's bug but as a weakness in how AI agents trust names they were never actually given.



from The Hacker News https://ift.tt/v6iDHtM
via IFTTT

Ransomware recovery: When backups aren’t enough

Having backups doesn’t mean you can recover from ransomware. Attackers hit backup infrastructure first, often long before encryption starts, and they almost always succeed. According to Veeam’s 2025 Ransomware Trends Report, 89% of attacks target backup repositories. Only 32% of organizations have immutable backup copies in place, and 57% recover less than half of their data. This guide covers the backup architectures that actually survive a modern ransomware attack, and it walks through what an effective recovery process looks like when everything else has failed.

What is server ransomware recovery?

Server ransomware recovery is the process of restoring encrypted systems, pulling data back from backup, and returning operations to normal after an attack. It sounds straightforward, but it isn’t. Unlike recovering from a hardware failure or accidental deletion, ransomware recovery starts with an active adversary still inside your environment. By the time encryption begins, the attacker has often spent days mapping infrastructure, stealing credentials, disabling backup agents, and setting up persistence. That changes everything. Isolation, backup selection, and recovery environment design all need to assume the attacker is still watching.

What ransomware does to your infra before you notice?

Encryption is the final stage, not the first. Attackers usually get in through phishing, exposed RDP services, compromised VPN credentials, or some other externally reachable entry point. From there, they move laterally, escalate privileges (often all the way to domain administrator), and quietly map the environment. According to Mandiant’s M-Trends research, the median time between initial compromise and encryption is about five days. So that backup you created three days before encryption? It might already be compromised. Once the attacker has domain admin, the destructive phase can unfold in minutes: backup catalogs get deleted, backup services get stopped, and recovery infrastructure is deliberately targeted before encryption even starts.

Most ransomware groups also exfiltrate data before they trigger encryption. Paying the ransom doesn’t help with that. The data is already out.

The impact goes well beyond IT. When Ascension Health was hit in May 2024, clinical staff across 140 hospitals lost access to systems used for medication management and care coordination. Many of them reverted to paper-based workflows, and critical procedures were delayed for days.

A year later, Asahi Group Holdings suffered a ransomware attack that halted production at six breweries and several soft-drink facilities across Japan. The incident showed how an IT compromise can quickly become an operational technology problem, and how a beer shortage is, in fact, a business continuity event.

For most organizations, ransomware becomes a business continuity event within hours. Not an IT problem. A business problem.

Why backups fail?

Simply having backups doesn’t guarantee you’ll be able to restore from them. Modern ransomware operators understand backup infrastructure just as well as the administrators defending it, which is why they target it early.

One of the most common weaknesses is running backup services under domain administrator credentials. Once an attacker compromises Active Directory, those same credentials often provide direct access to backup repositories and management consoles. Deleting backup catalogs or corrupting backup metadata then becomes a matter of minutes, not hours.

Backup repositories connected to the production network present another common risk. If the attacker has already moved through your production environment, a repository on the same network is typically reachable with the same compromised credentials. There’s no security boundary to stop them.

It’s also worth distinguishing between software-based retention policies and true storage-layer immutability. Many backup platforms offer retention locks that prevent accidental deletion. But those protections are often enforced by the backup application itself. If an attacker gets backup administrator privileges, they can modify or remove those policies before encryption starts.

Storage-layer immutability works differently. Technologies such as S3 Object Lock in COMPLIANCE mode, WORM storage, or physically air-gapped media enforce write-once protection independently of backup software. Even compromised admin credentials can’t override those controls until the retention period expires.

Attackers also know which backup products they’re likely to encounter. Many ransomware families maintain lists of backup-related services (Veeam, Acronis, Backup Exec) and terminate those processes before encryption starts.

The result shows up in the data. According to the Sophos State of Ransomware 2025 report, only 54% of organizations affected by ransomware were able to restore data successfully from their backups. That’s the lowest success rate Sophos has recorded in six years of research. The other 46% either paid the ransom, lost data, or are still recovering.

Recovery time: what the data shows

According to Veeam’s 2025 Ransomware Trends Report, the average recovery time from a ransomware attack is 24.6 days. More than half of organizations recover less than half of their data. Only 10% restore over 90%. Even when ransom payments are excluded, the average recovery cost still exceeds $1 million.

What’s striking is the gap between planning and execution. Nearly every surveyed organization (98%) reported having a documented ransomware response playbook. Fewer than half had the operational capabilities to actually execute that plan. That’s where most recovery efforts break down. Not because the teams failed to prepare on paper, but because the underlying backup architecture wasn’t designed to survive a real attack.

In practice, recovery speed depends as much on where your backups live as on whether they exist. Some tiers are optimized for fast operational recovery, others prioritize resilience over restore speed. Knowing the tradeoffs helps you set realistic expectations before an incident hits.

 

Backup tier Typical restore speed Ransomware resilience
Local NVMe snapshots (storage-layer immutability) Very fast High, provided immutability is enforced at the storage layer
On-premises object storage with S3 Object Lock Fast, limited by disk and network High, because Object Lock remains effective even if admin credentials are compromised
Cloud backup with Object Lock Moderate, limited by inbound bandwidth High, although restoring very large datasets may incur significant egress costs
Air-gapped tape Slow due to sequential media access and retrieval time Very high, since the backup remains physically isolated from the network
Network share backup (no immutability) Fast Low, because attackers with compromised admin credentials can usually access the repository

 

The fastest backup isn’t always the most resilient, and the most resilient isn’t always the fastest to restore. That’s why most organizations combine several tiers instead of relying on a single recovery target. Fast local immutable storage minimizes downtime during common incidents. Cloud Object Lock or air-gapped media provides the fallback if the primary backup infrastructure is compromised. The next sections break those architectures down.

The ransomware recovery process: step by step

Recovering from ransomware isn’t just restoring the latest backup. As said, each stage builds on the previous one. Skipping steps can leave the attacker inside your environment, or it can result in another encryption event within days of recovery. Here’s the order that actually works.

Step 1: Contain immediately

Isolate affected systems from the network as quickly as you can. Don’t shut them down unless you have to, because volatile memory may contain valuable forensic evidence, including encryption keys and malware artifacts.

Disable compromised service accounts. Block outbound communications from systems within the suspected attack scope.

Step 2: Assess the scope

Figure out which systems have been encrypted, which backup copies remain intact, and when those backups were created relative to the estimated compromise date. Don’t assume the newest backup is the safest. In many cases, older backups are cleaner.

Step 3: Begin required notifications

Regulatory reporting deadlines start the moment you detect the incident, regardless of how fast recovery progresses. GDPR requires notification of supervisory authorities within 72 hours when personal data has been affected. HIPAA, PCI DSS, DORA, and most cyber insurance policies impose their own timelines. Start these processes early, while technical recovery is still underway, so compliance doesn’t slip behind the technical work.

Step 4: Identify a clean restore point

Review endpoint telemetry, authentication logs, firewall logs, and other available evidence to estimate when the initial compromise happened. Whenever possible, restore from a backup created before the earliest indicators of compromise.

If historical telemetry doesn’t go back far enough, picking a restore point 7 to 14 days before encryption is often a reasonable starting point, though every incident is different. (The section on identifying a clean restore point covers this in more depth.)

Step 5: Build a clean recovery environment

Avoid restoring directly into the compromised environment. Prepare a separate recovery network with new administrative credentials that have never existed in the compromised Active Directory. If VMware or Hyper-V management was compromised, rebuild the hypervisor layer before hosting restored workloads.

Step 6: Restore from a verified immutable backup

Validate backup integrity before you attach restored systems to the recovery environment. After restoration, verify that applications, databases, and dependent services function correctly before reconnecting anything to production. Rushing this step is how teams end up with half-restored databases they can’t tell are corrupted.

Step 7: Eliminate the root cause before reconnecting

Recovery isn’t complete just because systems are online. If the original access vector is still open, whether it’s a compromised account, a vulnerable VPN gateway, or an unpatched service, the attacker will regain access and encrypt the environment again within days. This is one of the most common causes of repeat ransomware incidents, and it’s why the post-recovery section below treats root-cause elimination as a prerequisite for declaring the incident over.

Step 8: Reconnect with enhanced monitoring

Before returning workloads to production, deploy endpoint detection and response (EDR) tools together with enhanced network monitoring. Assume attacker persistence is possible until the investigation is complete and the environment has been fully remediated. Even if you’ve done everything right, a second encryption event is a real risk if you skip this step.

Backup architecture that survives ransomware

Recovering from ransomware starts long before the attack itself. The architecture you build today determines whether recovery takes hours, weeks, or, in the worst case, becomes impossible. There’s no way to improvise it during an incident.

A good starting point is the 3-2-1-1 backup rule: maintain three copies of your data, store them on two different media types, keep one copy offsite, and make one copy immutable or air-gapped. The last requirement is what makes the biggest difference during a ransomware incident. An attacker who has compromised domain administrator credentials can usually reach every backup connected to the production network. An immutable or physically isolated copy survives because it removes that attack path entirely.

Backup infrastructure also deserves its own security boundary. Backup service accounts should never be members of the production Active Directory domain. Use a dedicated backup domain with no trust relationship, or standalone local accounts that have no connection to production authentication. Backup traffic should run on a dedicated VLAN that production workloads can’t reach directly.

Retention policies deserve just as much attention. Modern ransomware campaigns often stay undetected for several days before encryption begins, so retention needs to account for attacker dwell time, not just accidental deletion. Daily backups retained for at least two weeks cover the current median dwell time. Monthly backups retained for a year protect against slower-moving compromises that can remain hidden for months.

Immutable and air-gapped backups

Not all “immutable” backups provide the same protection. What ultimately matters is storage-layer immutability.

With technologies such as S3 Object Lock in COMPLIANCE mode, objects are protected for a defined retention period during which no user, not even the root account, can modify or delete them. Enforcement happens at the storage layer, not within the backup application, so compromised admin credentials can’t bypass the protection.

This distinction matters during a real attack. If immutability depends only on backup software policies, an attacker with backup administrator privileges may still be able to remove or modify those protections before encryption starts.

Organizations that can’t store backup data in the public cloud still have options. DataCore Swarm provides S3-compatible object storage with Object Lock support for on-premises deployments, which lets regulated industries like healthcare, defense, or financial services operating under DORA keep immutable backup targets without moving data offsite. Comparable options exist from MinIO (community edition), Scality Ring, and Cloudian HyperStore, all of which support S3-compatible Object Lock on-premises.

Air-gapped tape represents the opposite end of the spectrum. By physically separating the backup media from the production network, it eliminates any network path an attacker could exploit. The tradeoff is recovery speed. Sequential media access and physical tape retrieval make restores considerably slower for large datasets, but the resilience is hard to match.

For most organizations, the best design combines multiple layers of protection rather than relying on a single technology. Local immutable snapshots provide the fastest operational recovery. On-premises object storage with Object Lock is the primary backup repository. Tape or cloud Object Lock provides the final recovery copy if everything else fails.

How to identify a clean restore point

One of the biggest mistakes during ransomware recovery is assuming the newest backup is the safest. With a median attacker dwell time of around five days, the latest backup may already contain compromised systems or persistence mechanisms.

Finding a clean restore point starts with determining when the earliest indicators of compromise appeared. Endpoint telemetry, authentication logs, and firewall logs often reveal suspicious activity well before encryption begins. Unusual lateral movement, privileged account activity outside normal hours, large-scale file enumeration, or attempts to disable security tools all help establish the likely intrusion timeline.

Your backup infrastructure can provide useful clues too. Failed backup jobs, unexpected retention policy changes, backup catalog deletions, or unusually large data changes shortly before encryption may align with attacker activity. When you correlate these events with endpoint telemetry, you can usually narrow down the safest restore window with much more confidence.

If historical telemetry doesn’t extend far enough back, restoring from a backup created seven to fourteen days before encryption is usually a reasonable starting point. Even then, enhanced monitoring after recovery remains essential to catch any persistence that may have survived.

Setting up an isolated recovery environment

Where you restore systems matters just as much as what you restore. Rebuilding compromised workloads inside the same environment that was attacked often recreates the original problem, especially if attacker persistence hasn’t been eliminated.

Build a dedicated recovery environment with its own network segment, completely isolated from production. Use new administrative credentials that have never existed in the compromised AD environment. Wherever possible, restore workloads onto clean hypervisor hosts.

If shared storage or virtualization management was also compromised, connect only validated backup repositories that originate from trusted, isolated backup infrastructure.

Resist the temptation to restore everything at once. A staged recovery is usually both faster and safer. Start with the minimum set of systems required to resume critical business operations, verify that those services function correctly, and then restore additional workloads in phases. Under incident pressure, attempting a full-scale recovery in a single step often creates problems that are difficult to diagnose later.

Testing ransomware recovery

A recovery plan is only as good as the last time you proved it works. If you’ve never restored production-scale data under realistic conditions, your actual RTO is an estimate, not a measured capability.

It’s becoming a regulatory expectation as well. DORA, which has applied to EU financial entities since 17 January 2025, requires organizations to perform and document operational resilience testing, including recovery procedures. A disaster recovery document full of theoretical RTO values doesn’t satisfy that requirement.

Meaningful testing goes beyond verifying that backup jobs complete successfully. It restores representative production datasets into an isolated environment, measures actual recovery time, confirms application functionality, and verifies that the selected restore point predates the simulated compromise.

Tabletop exercises still matter because they test communication, coordination, and decision-making during an incident. Live recovery drills test the infrastructure itself. You need both. Neither replaces the other.

In practice, one gap shows up more often than any other: backup reports show successful job completion, but no one has ever measured how long a full production restore actually takes.

Cloud, on-premises, and hybrid recovery models

There’s no universal recovery model that fits every organization. The right approach depends on your workloads, regulatory requirements, recovery objectives, and available infrastructure.

Cloud recovery makes it possible to deploy isolated recovery environments quickly while keeping backup copies geographically separated from production. That flexibility comes with practical costs, including cloud egress charges, bandwidth limitations during large-scale restores, and shared-responsibility boundaries that define which parts of the recovery environment stay under the cloud provider’s control.

On-premises recovery offers a different set of tradeoffs. Keeping backup data local enables high-speed restores across the LAN and avoids large-scale data transfers. At the same time, you’ll need enough clean hardware available for recovery, and that infrastructure must sit outside the scope of the original compromise.

For many organizations, a hybrid approach provides the best balance. Immutable on-premises backups support fast operational recovery for the most common ransomware scenarios. Cloud Object Lock storage provides an extra layer of geographic resilience if an entire site becomes unavailable.

Finally, don’t overlook compliance requirements when designing the recovery architecture. HIPAA, GDPR, and DORA may restrict where backup copies are stored and where recovery environments can process regulated data. Before an incident occurs, verify that your recovery environment satisfies the same residency and compliance requirements as your production systems.

Post-recovery security enhancements

Getting systems back online doesn’t mean the incident is over. If you restore workloads into the same security posture that allowed the original compromise, you’ll likely be dealing with another incident in the near future. Recovery should always be followed by hardening the environment before normal operations resume.

Start by resetting credentials across the entire infrastructure, not just the accounts you know were compromised. Service accounts, scheduled task credentials, backup agent accounts, and machine passwords on restored systems should all be treated as potentially exposed.

Administrative privileges deserve another look. Separate workstation administration, server administration, and domain administration into different identities with independent credentials. Add privileged accounts to the Active Directory Protected Users group to reduce credential caching and limit pass-the-hash attacks, and protect those accounts with hardware-backed multi-factor authentication wherever possible. FIDO2 security keys currently provide one of the strongest phishing-resistant authentication options.

Before reconnecting restored systems to production, deploy endpoint detection and response (EDR) across every endpoint together with network monitoring and anomaly detection. Even if you’ve picked a clean restore point, assume some persistence mechanisms could remain undiscovered until the investigation is complete.

Finally, review the external attack surface before declaring recovery complete. Patch VPN appliances, disable unnecessary external RDP access, and review firewall rule changes made in the weeks leading up to the incident. Many organizations also benefit from an independent security assessment at this stage, since fresh eyes often identify issues that internal teams overlook while working under incident pressure.

Common ransomware recovery mistakes

Even organizations with mature backup strategies make avoidable mistakes during recovery. Most of them happen because teams are working under enormous pressure to restore services as quickly as possible.

The mistake behind the largest number of repeat infections is restoring systems into the same compromised environment before eliminating the original access vector. This is covered in detail in Step 7 above. The short version is that an attacker with persistent access will re-encrypt restored workloads faster than the team that just finished recovering them.

Another common assumption is that a successful backup job guarantees a usable backup. A backup created by a compromised backup agent may complete successfully while still capturing corrupted or compromised data. Backup logs tell you the job ran. They don’t tell you the data is clean or that a full restore will succeed. The only reliable validation is to test the restore itself.

It’s also tempting to view ransom payment as a recovery strategy. In practice, decryption tools supplied by ransomware groups frequently produce incomplete recovery, corrupted files, or simply fail to work. Paying the ransom does nothing to remove the attacker’s access or recover stolen data. If your backup architecture survives the attack, restoring from verified backups while negotiations proceed is usually the faster and more reliable path.

Restore time is another area where expectations diverge from reality. Under real incident conditions, you’re rarely restoring a single virtual machine. You may need to rebuild infrastructure first, identify a clean restore point, validate backup integrity, and recover dozens of interconnected systems simultaneously. Actual ransomware recovery times often exceed the recovery objectives documented in traditional disaster recovery plans.

Finally, don’t declare the incident closed simply because applications are running again. If the root cause hasn’t been identified and eliminated, restored systems may still contain persistence mechanisms or reconnect to infrastructure the attacker can access.

Current ransomware trends

Ransomware continues to evolve. The changes over the past year point in the same direction: attackers are becoming faster, more automated, and harder to defend against.

CrowdStrike’s 2025 Global Threat Report documented a 75% year-over-year increase in cloud-environment intrusions, much of it driven by initial-access brokers selling footholds to ransomware affiliates. AI-assisted reconnaissance is accelerating the early stages of an attack. Automated tools can map Active Directory environments, identify backup infrastructure, and prioritize high-value systems much faster than manual reconnaissance alone.

Ransomware-as-a-Service (RaaS) has lowered the barrier to entry. Many attacks are now carried out by affiliates using mature toolkits developed by specialist groups, including names that recur in takedown notices like LockBit, BlackCat (ALPHV), and Akira. That model has increased attack volume without reducing the sophistication of individual incidents.

Extortion techniques keep evolving. Triple extortion has become increasingly common, combining encryption, data theft, and direct threats to contact customers, partners, or regulators. Even organizations that recover successfully from immutable backups still face a separate data-exposure incident.

Healthcare and other critical infrastructure organizations remain among the most targeted sectors. Operational disruption creates immediate pressure to restore services, while protected health information and operational data retain significant value on the black market.

Managed service providers (MSPs) have become increasingly attractive targets. By compromising a single provider, attackers may gain access to dozens or even hundreds of customer environments. Any MSP with access to backup management, monitoring platforms, or privileged administration should follow the same credential isolation and security practices as internal administrators.

Regulatory expectations continue to increase. Frameworks such as DORA, NIS2, and emerging US regulations increasingly emphasize demonstrated recovery capability instead of documented procedures alone. For organizations in regulated industries, regular live recovery exercises are now both an operational necessity and a compliance requirement.

Conclusion

By the time ransomware encrypts your servers, most of the important recovery decisions have already been made. Your backup architecture, credential isolation strategy, recovery procedures, and testing program determine whether recovery is measured in hours, weeks, or months. None of those decisions should be improvised while an incident is unfolding.

As ransomware campaigns grow more sophisticated and regulatory requirements tighten, preparation is no longer a differentiator. It’s a baseline expectation. The organizations that recover fastest aren’t the ones with the most sophisticated tools. They’re the ones that rehearsed the worst day of their year before it arrived, that kept backup credentials outside the production domain, and that proved their RTO with a live restore instead of a slide deck. Start there. Schedule the first real test before the end of the quarter, document the actual restore time, and fix the gap between what your playbook claims and what your infrastructure can deliver.

FAQ

What is ransomware recovery?

Ransomware recovery is the process of restoring systems, data, and business operations after servers or storage have been encrypted by ransomware. Recovery success depends largely on whether your backup infrastructure was designed to withstand targeted attacks against the backups themselves.

Should you pay the ransom?

Most cybersecurity agencies recommend against paying. Decryption tools supplied by ransomware groups are often unreliable, and payment neither removes the attacker’s access nor prevents stolen data from being leaked. If verified backups are available, restoring from them is generally faster and more predictable.

Why do backups fail during ransomware attacks?

The most common causes include backup services running under compromised domain administrator accounts, backup repositories that remain accessible from the production network, and software-based immutability that attackers can disable using stolen administrative credentials. According to industry research, attacks against backup infrastructure succeed surprisingly often, which is why storage-layer immutability and credential isolation have become critical design principles.

Does DORA require ransomware recovery testing?

Yes. Since 17 January 2025, DORA has required EU financial entities and relevant ICT service providers to perform and document operational resilience testing, including recovery procedures. Organizations need to demonstrate that recovery objectives can be achieved under realistic conditions rather than relying solely on documented disaster recovery plans.



from StarWind Blog https://ift.tt/iqvDzOM
via IFTTT

CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities are listed below -

  • CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability in Adobe ColdFusion that could lead to arbitrary code execution in the context of the current user.
  • CVE-2026-56290 (CVSS score: 10.0) - An improper access control vulnerability in Joomlack Page Builder that could allow for remote code execution via unauthenticated arbitrary file upload.
  • CVE-2026-55255 (CVSS score: 6.1) - An authorization bypass through a user-controlled key vulnerability in Langflow that could allow an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request.
  • CVE-2026-48908 (CVSS score: 10.0) - An unrestricted upload of a file with a dangerous type vulnerability in JoomShaper SP Page Builder that allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

It's worth noting that exploitation of CVE-2026-48282 was observed within hours of public disclosure, with Ryan Dewhurst, security researcher and founder of KEVIntel, telling The Hacker News that an attempt was recorded from an IP address geolocated to India ("103.207.14[.]220").

CVE-2026-48908, on the other hand, is said to have been exploited as a zero-day to upload a PHP file by means of an HTTP POST request to the "index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon" endpoint, followed by the appearance of a new Super User account, per mySites.guru. Users of SP Page Builder are advised to update to version 6.6.2 or later.

The Joomla and WordPress site managers have also recorded exploitation efforts aimed at CVE-2026-56290 as of June 27, 2026, to deliver a web shell on susceptible sites. The issue has been addressed in PageBuilder CK version 3.6.0.

"The first confirmed web shell we caught sat at /media/com_pagebuilderck/gfonts/bhup.php, an uploader shell keyed on a $_POST['_upl'] field," mySites.guru explained.

"Because the flaw lets the attacker pick the destination folder, a planted file could be anywhere, not just the obvious upload directories, so look for stray PHP files under /media/com_pagebuilderck/ first and then more widely under /images, /media, /templates, and /administrator."

As for CVE-2026-55255, Sysdig revealed late last month that it observed a lone operator ("45.207.216[.]55") weaponizing the vulnerability along with CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow, as part of a sustained campaign that lasted between June 22 and June 25, 2026.

"On June 25, 2026, the operator (45.207.216.55) returned to an internet-exposed Langflow instance they had first probed three days before and ran a tight, methodical session: application/auth reconnaissance → flow enumeration → the CVE-2026-55255 IDOR → a sustained loop of the CVE-2026-33017 RCE with outbound connection attempts," Sysdig's Michael Clark said.

The activity is assessed to be opportunistic and financially motivated. The exploitation of CVE-2026-33017 is followed by the deployment of payloads designed to fetch a second-stage downloader responsible for delivering additional malware. This attack chain is consistent with botnet and cryptojacking attacks. That said, the exact nature of the final payload is unknown.

The cloud security company has described CVE-2026-55255 as a case of cross-tenant insecure direct object reference (IDOR), which the threat actor exploited to steal large language model (LLM) provider keys and AWS keys.

"AI orchestration platforms are a trove of credentials in their own right, and this operator clearly knew it," Sysdig said. "The RCE went after the host, while the IDOR went after other tenants' flows and their keys."

The development makes it the latest Langflow flaw to be exploited by bad actors over the past year after CVE-2025-3248, CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, CVE-2025-34291, and CVE-2026-5027.

Last week, Sysdig also documented the first known case of agentic ransomware in which a human operator deployed an artificial agent and provisioned the necessary infrastructure to let the agent handle the entire extortion operation from start to finish by exploiting the CVE-2025-3248 Langflow flaw. It has been codenamed JADEPUFFER.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the fixes by July 10, 2026, to safeguard their networks.



from The Hacker News https://ift.tt/57EdI8q
via IFTTT

Unstructured Data in an AI World

SUMMARY: While we spend a lot of time discussing AI models, we don’t always spend enough time on the challenges of managing the unstructured data used to train, tune, and enable those models. 

SHOW: 1043

SHOW TRANSCRIPT: The Enterprise AI Show #1043 Transcript

SHOW VIDEO: https://youtu.be/OAqnuhorMJ4

SHOW SPONSORS:

SHOW NOTES:

Topic 1 - Welcome to the show. Tell us a bit about your background and where you focus today at Nasuni

Topic 2 - We’ve spent two years talking about models. Are we finally entering the era where the biggest differentiator is data quality rather than model quality?

Topic 3 - When customers inventory their AI-ready data, what surprises them most?

Topic 4 - Where is the intersection of file data, metadata, and RAG systems that augment a company’s AI experience with their own data?

Topic 5 - People talk about AI governance, but isn’t most AI governance actually data governance?

Topic 6 - Are today’s enterprise file systems designed for machine consumers (AI Agents) instead of human consumers?

Topic 7 - What are the economics of data, in your world, as it relates to AI?

Topic 8 - What’s next for enterprise file platforms?


FEEDBACK?



from The Cloudcast (.NET) https://ift.tt/MROEKgH
via IFTTT

Tuesday, July 7, 2026

Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation

Executive Summary

In April 2026, Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and the XMRig cryptocurrency miner to consumer and small- and medium-sized business victims worldwide.

Attackers lure victims via malvertising to pages for downloading files that impersonate cracked versions of copyright-protected software. Upon execution, the loader drops and runs both Vidar stealer and XMRig. Vidar stealer targets information like browser credentials, cookies and crypto wallets. XMRig mines Monero cryptocurrency.

We assess the operator of the campaign to be a Vidar stealer malware-as-a-service (MaaS) affiliate involved in operations targeting victims in the U.S. and European Union. This article provides a technical analysis of the campaign.

Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Vidar Stealer, Malware, Cryptocurrency, XMRig

Attack Timeline

Since its emergence, attackers have used Vidar stealer in multiple large-scale campaigns. We identified a notable spike in activity from mid-late April 2026, primarily targeting organizations in the U.S. and the EU.

Figure 1 illustrates the timeline of the April 2026 campaign, which shows the number of Vidar stealer samples discovered each day.

A bar chart showing Vidar Stealer sample campaign counts from April 15 to May 5, 2026. Peaks around April 21 and 22 with counts reaching 31 and 33. Other days show lower counts. Dates on the x-axis and sample counts on the y-axis.
Figure 1. April 2026 campaign.

Our investigation of this activity led to the discovery of loader binaries distributing both Vidar stealer and XMRig.

Initial Access: Malvertising via Fake Software Cracks

This group behind this campaign distributes loader binaries through malvertising, targeting victims who search for pirated or cracked versions of copyright-protected software. The filenames used in this campaign mimic cracked versions of popular copyright-protected programs as well as generic installers.

The campaign delivers the malware in password-protected archives with a .bin extension in the filenames. This appears to be a deliberate choice to bypass email gateway scanning and to prevent automated sandbox detonation without the password.

We initially discovered 43 of these loader binaries that deliver Vidar stealer and XMRig. Upon extraction and execution, the loader binary is signed with a certificate (subject CN=justwatch[.]com), creating a false sense of legitimacy before any malicious activity begins.

Our analysis of these loader samples indicates they use the Factory-v3 framework.

Factory-v3/UpdateFactory Builder

Factory-v3 has been described as a MaaS builder used for different families of stealer malware. All 43 samples we discovered from this campaign contain embedded Go build metadata identifying the Factory-v3 framework.

The Factory-v3 builder's internal name of UpdateFactor is revealed in a developer/build machine path shown in the programming database (PDB) strings of the loader DLL files:

C:\Users\Administrator\Desktop\UpdateFactory\compiler\1.25.9\go\src\runtime\cgo

Figure 2 shows a diagram of information from the build machine metadata.

A flowchart titled "Build Metadata" with two branches: "EXE Variants" and "DLL Variants." Both branches lead to "Factory-v3 builder."
Figure 2. Information from the build machine path.

The builder generates a unique binary per build. For example, we observed 27 unique build UUIDs across 43 samples, defeating hash-based detection. The builder uses Go version 1.25.9, a custom pre-release of tools for the Go programming language.

Anti-forensic measures are consistent across all samples:

  • The PE TimeDateStamp is zeroed
  • No PE version info is present
  • DLL imports are reduced to kernel32.dll only
  • User-defined type names are obfuscated to a V###### pattern

The same builder, toolchain and Authenticode certificate infrastructure underpin a concurrent Lumma stealer campaign. This indicates Factory-v3 is used as a service for multiple stealer affiliates.

Rogue Authenticode Certificate

All 43 loader samples carry an Authenticode signature fabricated to impersonate JustWatch GmbH, a legitimate German streaming guide service. JustWatch has not been compromised. The certificate is entirely fabricated using a self-signed root certificate authority (CA) that is not present in any public trust store, as shown below in Figure 3.

A screenshot of a roge certificate information displaying details such as the subject and issuer. The serial number is listed. It shows a 4096-bit RSA key with extended key usage for code signing and TLS. The certificate includes a beginning and end validation date.
Figure 3. Rogue certificate information.

Because the certificate is not chained to a Microsoft-trusted root, Windows SmartScreen and Authenticode validation will flag the binary as untrusted. However, the visual presence of a recognizable brand name in the signature dialog is sufficient to deceive many victims into proceeding.

Sample Clusters

The 43 loader samples fall into four clusters, as Table 1 below shows.

Cluster CPU Architecture File Type Frequency Count Role
A x64 EXE 26 Go loader (file-inflated EXE)
B x64 DLL 13 Fake MpClient.dll sideload
C x86 EXE 3 Go loader 32-bit (shared with Lumma Stealer campaign)
D x64 EXE 1 Vidar core payload

Table 1. Sample clusters with filetype.

Cluster B DLL variants export Windows Defender MpClient.dll API functions to enable DLL search-order hijacking (MITRE ATT&CK® T1574.002). When a legitimate Windows Defender binary attempts to load MpClient.dll, the operating system locates the malicious copy first if it is placed in a higher-priority search path. The exported function names mimicked include MpAllocMemory, MpClientUtilExportFunctions, MpConfigOpen, MpFreeMemory and nine others.

File-Size Inflation

Loaders in Clusters A and C append hundreds of megabytes of null bytes after the last PE section, pushing the total file size to as high as 491 MB. Most automated sandbox environments enforce an upper file-size limit of 50-100 MB and silently skip oversized submissions, meaning the malware never executes in the analysis environment.

The real malicious content in the largest observed sample is only 2.3 MB, and the remaining 489 MB is null byte padding. Defenders should ensure security tooling removes null byte padding before applying size limits, since the same sample compresses to approximately 2.4 MB.

AMSI Bypass

Static disassembly of the Vidar core payload sample (SHA256 hash: 7ed4a256e1d281cb4f194d13ff554fb280dafde0a67a18115ea038ea6c87d) reveals an in-memory Antimalware Scan Interface (AMSI) bypass that executes before any stealer logic runs. The routine loads amsi.dll, resolves the AmsiScanBuffer variable and overwrites its first six bytes with a patch. This patch forces the function to return E_INVALIDARG, which might disable Windows AMSI for all subsequent script and code execution on the victim machine.

Both the DLL name and function name are XOR-obfuscated with single-byte key 0x05 to evade static string scanning. Table 2 shows the encoded and decoded strings for these names.

Encoded String XOR Key Decoded String
dhvl+aii 0x05 amsi.dll
DhvlVfdkGpcc\`w 0x05 AmsiScanBuffer

Table 2. Encoded and decoded strings from the sample.

Figure 4 below shows patched bytes written to the AmsiScanBuffer location (0x80070057).

A screenshot of a code snippet showing assembly instructions. It includes a move operation to the EAX register with a value, followed by a return operation.
Figure 4. AMSI buffer bytes.

The binary uses a second, longer obfuscation layer for larger data blobs. This layer is obfuscated by a 32-byte rotating XOR with the key 69946018ddda1058ce5c2a556c78a747838865c47074dcb165effb0840cb1cf5 applied to the Telegram bot token, Monero wallet address and mining pool hostname for the XMRig payload.

Attack Chain

Figure 5 shows that the attack chain begins with malvertising, luring victims into downloading a password-protected .bin archive disguised as a cracked version of a legitimate program.

A flowchart diagram illustrating the cyberattack path. At the top, it starts with a "Fake Crack Download," labeled as generic, leading to the "Factory-V3 Go Loader," signed with a fake justwatch.com certificate. From the loader, the payload drops include "Vidar + XMRig + Persistence." Arrows point to three processes: "Vidar Stealer" (stealing credentials and wallets), "XMRig Miner" (mining Monero), and "C2 Notification" (Telegram message labeled as "X3D Miner 'New Log'").
Figure 5. Execution chain X3D MINER/Vidar Stealer via Factory-v3.

The loader extracted from the .bin archive exhibits the following features:

  • It leverages the Factory-v3 Go framework
  • It is signed with a fake JustWatch certificate
  • It is padded with null bytes to reach a large file size of hundreds of MB to evade detection

The malware employs anti-analysis techniques such as process enumeration, alongside an AMSI bypass where the AmsiScanBuffer function is patched to prevent detection by some types of security software.

Subsequently, the malware drops multiple payloads including Vidar stealer and the XMRig cryptocurrency miner, while establishing persistence mechanisms through registry modifications and scheduled tasks.

The next stage involves reconnaissance, as the malware gathers information about files, hardware IDs (HWID) and bypasses proxies. Vidar stealer then exfiltrates sensitive data such as credentials and cryptocurrency wallets, communicating with a command-and-control (C2) server at 136.243.203[.]109.

Simultaneously, XMRig begins mining Monero using the mining pool at pool.supportxmr[.]com. Finally, the attacker is notified of new activity via Telegram, with messages labeled "X3D MINER • NEW LOG," ensuring the operator stays informed about successful infections and stolen data. This means the threat actor behind Vidar is deploying the X3D MINER XMRig package.

Dynamic analysis of the Vidar core payload confirmed the following execution sequence:

  1. Geolocation beacon: GET request to ip-api[.]com/json resolves the victim's public IP address and country, which are embedded in the subsequent Telegram alert
  2. Payload drop: It drops MicrosoftUpdate.exe in the %TEMP% directory as part of the Vidar stealer component and it places the following files in %AppData%\Temp%AppData%\Temp
    1. MicrosoftEdgeUpdate.exe (the XMRig launcher)
    2. libuv-1.dll (an XMRig dependency)
    3. WinRing0x64.sys (an XMRig kernel driver)
    4. mgwthmc2.dat (an XMRig Monero configuration file)
    5. It copies itself to this folder as NisSrv.exe for persistence
  3. Vidar stealer: MicrosoftUpdate.exe is written to %TEMP% and executed. It targets browser credential stores, cookies and crypto wallet data, packaging everything into a ZIP for exfiltration to 136.243.203[.]109:443.
  4. XMRig miner: MicrosoftEdgeUpdate.exe is launched with --config=mgwthmc2.dat. The configuration is built entirely in memory before being written to disk, with the Monero wallet address and pool details decrypted from encrypted blobs. Each victim's C:\ volume serial number is hashed into an 8-character HWID that is appended to the auth_token field, allowing the operator to track per-victim mining output in the Monero pool dashboard.

Persistence Mechanisms

The payload establishes persistence through three parallel mechanisms:

Registry Run key:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value name SystemAgentService, data "...\AppData\Roaming\Microsoft\Windows\Temp\NisSrv.exe" -s
  • Scheduled task:
    schtasks /create /tn "SystemAgentService" /tr "NisSrv.exe -s" /sc onlogon /f

Startup folder batch script:

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FEbJCNWOCKMJ.bat

All three mechanisms point to the malware file named NisSrv.exe. Attackers chose this filename to blend in with legitimate Windows Defender components, since the real NisSrv.exe is the Network Inspection Service binary.

X3D MINER

The tag X3D MINER appears in Telegram operator notifications sent for every new victim infection. This moniker is used by a group associated with XMRig and binding XMRig with other programs.

The operator behind this campaign runs a dual-monetization scheme. Criminals sell credentials and session cookies stolen by Vidar stealer on criminal log markets, while XMRig provides passive income from hijacked victim CPU cycles. The Factory-v3 builder is assessed to be a separate upstream service used by at least two distinct stealer affiliates.

Variant B

Pivoting on information from the initial 43 loader samples, we identified 56 additional samples of a subsequent variant on April 24, 2026. This variant retains the same builder, delivery and C2 infrastructure.

The operating characteristics, Go loader, Factory-v3 builder, Telegram dead-drop and payload delivery are identical to the original campaign. The single differentiating factor is the Authenticode certificate. ​​

The operator transitioned from using a self-signed certificate mimicking JustWatch to another unauthorized certificate designed to resemble the BleacherReport[.]com certificate. This technique is known as Code Signing Impersonation.

Attackers craft certificates to mimic legitimate, trusted publishers (e.g., Microsoft or Google) by cloning their metadata as Table 3 below shows. It is important to note that Bleacher Report has not been compromised.

Variant A Variant B
Subject CN=justwatch[.]com CN=\\*.bleacherreport[.]com
Issuer CN=WR3 (rogue self-signed CA) CN=GlobalSign Atlas R3 DV TLS CA 2026 Q1 (Cloned issuer name)
Chain is trusted? No No
Certificate type Fake Authenticode (CA:TRUE) Certificate chain could not be built to a trusted root authority (fake certification)

Table 3. Certificate data from the old and new variants of Vidar stealer.

We observed these samples contacting the Telegram channel ci0iiif. New C2 servers in this cluster include 138.199.246[.]13, 116.203.243[.]208 and 136.243.203[.]111.

Conclusion

This campaign demonstrated a multi-layer evasion approach. This approach combined the following characteristics:

  • Rogue certificates
  • Go-compiled loaders with per-build unique hashes
  • Binaries inflated to hundreds of MB with null byte padding
  • An in-memory AMSI bypass

Loader samples sharing these characteristics were all delivered via a MaaS platform that also serves other malware stealer families.

The operator's shift from using a self-signed certificate to leveraging an unauthorized certificate in Variant B demonstrates the actor's ability to adapt rapidly.

We recommend that organizations enforce strong Authenticode chain validation and supplement it with:

  • Certificate serial blocklisting
  • Configuring security tooling to scan files regardless of size
  • Monitoring for MpClient.dll loading from non-standard paths.

Defenders should also:

  • Hunt for the persistence indicators and file-drop patterns described above
  • Block outbound connections to all C2 addresses and pool.supportxmr[.]com immediately

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • Cortex XDR and XSIAM help to prevent the threats described in this article, by employing the Malware Prevention Engine. This approach combines several layers of protection, including Advanced WildFire, Behavioral Threat Protection and the Local Analysis module, to prevent both known and unknown malware from causing harm to endpoints.
  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
  • Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
  • Prisma Browser provides additional protection layers against advanced web threats including dynamic scans of every loaded web page, to prevent execution of new and unknown malicious attacks such as the malvertising campaign described above, and to protect company assets.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 000 800 050 45107
  • South Korea: +82.080.467.8774

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Vidar C2 Server IP Addresses

  • 116.203.243[.]208
  • 136.243.203[.]109
  • 136.243.203[.]111
  • 138.199.246[.]13

Code Signing Certificate Information

(Read: Field - Value)

  • Subject Common Name (CN) - justwatch[.]com
  • Issuer Common Name (CN) - WR3
  • Serial Number - 2f:7e:f0:15:7d:17:62:5c:09:86:91:ce:f1:ff:7d:63
  • Validity Period - 2026-03-09 to 2026-06-07
  • SSL Certificate SHA1 Hash (C2) - ab92f731ab20774dfdb95664ee41a2fbafe2a284

File Paths

(Read: File path - Description)

  • %TEMP%\MicrosoftUpdate.exe - Vidar stealer component
  • %AppData%\Roaming\Microsoft\Windows\Temp\MicrosoftEdgeUpdate.exe - XMRig launcher
  • %AppData%\Roaming\Microsoft\Windows\Temp\NisSrv.exe - Persistence copy of loader
  • %AppData%\Roaming\Microsoft\Windows\Temp\libuv-1.dll - XMRig dependency
  • %AppData%\Roaming\Microsoft\Windows\Temp\WinRing0x64.sys - XMRig kernel driver
  • %AppData%\Roaming\Microsoft\Windows\Temp\mgwthmc2.dat - XMRig Monero configuration
  • %StartUp%\FEbJCNWOCKMJ.bat - Startup batch script for persistence

Registry Key for Persistence

  • Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Value name: SystemAgentService
  • Data: "...\AppData\Roaming\Microsoft\Windows\Temp\NisSrv.exe" -s

Scheduled Ask for Persistence

  • Task name: SystemAgentService
  • Trigger: On user logon (/sc onlogon)
  • Action: ...\AppData\Roaming\Microsoft\Windows\Temp\NisSrv.exe -s

Import Hash (imphash) Analysis

Table 4 shows the imphashes with the associated sample clusters and the role of those clusters in this activity.

Imphash Cluster Role
d42595b695fc008ef2c56aabd8efd68e A - x64 EXE (26 samples) Go loader EXE
d8b31f8c03e0c76ff245ed05a15ffe6c B - x64 DLL (13 samples) Fake MpClient.dll
1aae8bf580c846f39c71c05898e57e88 C - x86 EXE (three samples) Go loader x86
c10333c92889b65c3590ef2b3819b420 D - Vidar core (one sample) Vidar core payload

Table 4. Imphash information associated with this activity.

SHA256 Hashes - Original Cluster

Cluster A - x64 EXE Loaders (26 Samples)

  • 097a87cfa4a5186aba3bba096866692951bde59c6f0c2e8c1c4a599246d14da8
  • 201594c9d173bba6cb509407ecba378c19b93da0a81a2182a913c480e6dbb54e
  • 20bf39e1e67152039e70a01ad9e7b23c08d23d2a724ef9c44903f3d4353a2275
  • 35dde1b2482b12582820a861e7c46f10721af6b75052fc872c05d2230a4e8ca1
  • 43920ef7d2742d140a1ab2a1ef172c716903474c73561377dc4f1534d2c5f581
  • 47d6d1a38534ba897a5a1e293e3d5df303bbd8e0526e756ad08887ffc1417bef
  • 68ced9d7c1b1ff8ffb5f56c7d3f849d4fd16a1b95324426811424b40043d6d25
  • 6b7ff061eebeb9ead8812c410247768a7ba90786aeeb1bafa6412cc5b08237b5
  • 739cdedb20de39aeb1f15dc8c2dbbf15fa993250fd879bf87443ff9aeaf4997b
  • 74df77b6a83d89fa137fd285a2efde36b1d62c00b3be81cc93df7d1e6e94837b
  • 8b40cc7d173efd27fb60f3d260acef28f58d67d1f39597e1d611db311a305f62
  • 9656d3301f63ef6114289739a1c44082206298f787238fc6c190ad87eab24751
  • 9b3df1b6c1b98c201de09a7719066f7bcae6b66a3173b703a617f53fddf67d51
  • a17a972a05afe387ed32aa2986d5be8bca2f22619d0aedfa834c6963abfab3bf
  • a4f979b4a5d7bc8bc455dd4c09b44e51a389576fccce35a2c8da3ce680237565
  • a64843ebfbc39e96ec7613003b1b5c3a9b878874ea15a05e1d34ce91781ebfb6
  • aaa2bc1128d8b8b2da76262bf87ede19bac053cca6576efba6aaa71c9438c304
  • b830f043076a12748b6a2dc0810ece85439ee77434d991ae7d84201b09ead756
  • bb30cc2b302d9a6963109b201b78d4163bb6c2d7bc8bf5a66e9a744b62fc2717
  • c328b78c21060e2203ac517833fce41572b91878e187f85fa434cd6914659834
  • c7a4a547eb7f6b0b4b75bb6dd8955244bb2618ba234ae740cdedd7c2d30e3465
  • d384c403c084967d8c967501ee6332b050af04ef424f13a3f5a88d155389d98c
  • d6446f2803444bd2200d48a01a9ad7d487e67e8e831c9cd13f89cbfec17fd4e2
  • d7c9c9469c513c05aa431fae34f414f91fcf3f794d3e76b6e4d0b92c4cd3ff2e
  • d8c1f96107a3349e62b3ab9afc60f62af9c89b6961b637a26b71e1230f2b3b8a
  • f0dcb7e407de85d8de8e2221df8dddecac8aec88af8975c9f07e14100f6edb88

Cluster B - x64 DLL Loaders/fake MpClient.dll (13 Samples)

  • 0a6a67a2fc4d79ec1cd8afc5b8b7a5e69a406e53d57a7334e097c5d0644de5f6
  • 488d941b7b4428b0f4a0e5495e3857b9b96215fb3e7f164b06640d59096425e6
  • 5d7324d8b5a25f862ef8223c6766d0e80af3ad168e17312b265e13a3a68e0ded
  • 7720e83c02a027d70ae201c393c1956aa2fa8199879a3a4c4fd1d20b03022cfd
  • 7e49da0ae2f81e14841f356b4d69f0480c2d9ce3fab5a3fa91b0036d9a36fa0f
  • b8b5f6991a3a61083461d5269245bebf28b90934c328848ba8c1e084a5a6216c
  • b927d265fa29e471c1ae0d31516e480c09c0fb17f480ad08ea8d5b73e84b7a1b
  • b9b6893fa6b04ee8daa29e515c08239ac5204af1a1fa2bc10006eede1b41329b
  • c7c37a973b14edd5b6b2da4a1497c593e43640735ff54aecc9a3288fa5e548e3
  • d2148a458da46e81702136aa915312d360805f083d1f37ff5531db9fbdb8ad6d
  • d7b56818c829960b692de9ad5a14e52669d953e9f074f7218c3fe34ede4a11a0
  • db2a872f712fbdb1e347d06e29a9ed8278d86710ffc14ff04422be76e47124f4
  • e9e5e748ec5c0b811c8e60b0e55059edb4d2df86ff3ca45969e57d5fecb11a38

Cluster C - x86 EXE Loaders (Three Samples)

  • 03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7
  • 914c18a04a2727bba9cecab78a1d516ec3c7a3f667e0e5a6081aa0e9206a69fe
  • d78082dc33c6dca98316e865efa9829c6eb5a97c2ca3cd4ea6c2123a5f6ae45b

Cluster D - Vidar Core Payload (One Sample)

  • 7ed4a256e1d281cb4f194d13ff554fd4fb280dafde0a67a18115ea038ea6c87d

SHA-256 Hashes - Variant B Cluster (56 Samples)

  • 15489bcd6e4602b41c9a787ec8d7ab027d5e45d400938048bb1c702ad5937980
  • 169a330353e53a409e0109c914404354741ff1e1c64e501738dc05e58ea92abc
  • 2a02ec4af5ed591afdf1236a443e3b68642ee133f38a2857d1eada51246ab498
  • 2b7297a5f502a2e9a59066f0a370bc5a8b28addd0e27975db3d770f801c15397
  • 2c0b344af415b787b396c8e23bbeb112bd471a1ca1d12cf357c48e2ee1ae068c
  • 2c6e8f86c05781af12b323311e83e011f1a603928e2086c48e2ca59e33d90dbe
  • 2e11a16f94484e0f43eb4572f800f26f0b4a1314cbdae3c44c1ae35f376906d8
  • 2f1400a91c853d61622f4d21ed97d96ea1093c0fa1586669bea6f6baa331251f
  • 314ce675c040c63b825f213965f5c76a3bd09bf70e138708367e2a84e9e84b30
  • 32172e4d8d2ab9fb29b36c9b279117be6ff611b5b91ff7b1c42501a5ec969f2b
  • 330efeebba3782994612fdfe20ff96c930af33a83b88a342b6622461511921b2
  • 35b51bbe42edd15918b015eaa1b4f0e6b5c94f186d71d887e39f1da69a4dec3f
  • 3c3f12531045b7eedfe25e0f291d4792b0d8c8366f8de043e2fa8ecf34ccb913
  • 3db33b0423bb9278db267a7adb036ecbd6aeebd7909d06d824919708b1e12e1b
  • 3e906ae47e9836a591f44d4b743e961d634a404fa8fd8bfae64f1d54c853be2b
  • 4bf770a59d367b532dec32668f86003b17d93918dba5ef5fd2b19c5394252436
  • 4f456142caf590d98fb11ca247800bb417766714527e5a4707ac2f5d01542626
  • 53d263b292be387843fadb7131c2d538b4262c81f5b95cfacafacf2d5446c06e
  • 5494909e0f5221db75e933b28981b2d0e118f227b7d8a5980d88b500b76dfc2e
  • 54dc05ab56244444f86d69b8274a6075906f7ba2307b08e08d3884abde255495
  • 559f46ceb801a3540eace594476718e1486b5b4423cfb4ff64530ff8fb4a3815
  • 5838ae6c748dcbdfa13c6529c654cb821897d29835d3e7e05ca23fb2f3794f02
  • 59b9153c4c9e155c976db1a2fd4d1b28fa10bb9c4dcafdc4758b352c037e3d86
  • 5b6a466b65d479b77a03b15a95ac097b45e23ff7ae5ef6282985b2a503deb691
  • 613e5314a7ded3155cdec49fd34e852e181f4651d78bd8bf3adad2f4dbf22b0d
  • 62877a5096828c4bc2fca7cbee7d38b11a0c90fd0d3fc8c37981581e9988c919
  • 634e89d8592d7c9e2bc1c098217a813947b44a4f80bc569e9a15c1e8b0864b91
  • 67569adec99fd38b114ae07e2e549e6c16f75368f3c5373022c84934ed1c8e84
  • 6d49233b1fca22f3823e856e4c16749e9c45f384ea57055fead16df35b217226
  • 71c79e8bf71ed257435ea9b8b91e118ba03ec681860651190f7d7457804313ee
  • 77469615c5f548063922b469a8c0a4116511395d013e5a798e123e9c119acc4b
  • 7828e17e674507ab13dfd84b31b361fa19b9cb27ee130620ba9211feef746d31
  • 8dbcde2a28a0b3de201214d7e3bd43acc97561924daa247c05c4b0536d42be85
  • 901a43b42f997710147295a0625e20c935207f8c531daf5311449ec119a37dcc
  • 94db6fa14b4e487dffba709b87e8a7e25483300ed409de243b19fff7cf2f0978
  • 95cd48130247525d8a7e966bd3fa07e9d6c39ebbe3058ecccb336f66bb8e3d1e
  • 96bb418128deeb2b9d2e4b66b98cae07b238b326b6456cc9b86802e67c504a03
  • 98cce1e69873de25e5139aa848f469bef2af345a8a49d15000b5b5e72b582896
  • a1039de7ec690d64db9d7d91f3d777d308e49e958de4154aa0b62ded7820f1fe
  • a785fc61fc4ff7cff0ddb540bf7ff12111ed0d6031f78f48387a6c16cb3c5451
  • aa0083f662f055e8d911c5de3a8f3a31b3c84cacc7dccc30c98f2be14dba4102
  • b58814fb3ce5a085014ee6e8d89f7cc1380b234b97170fd5f3398031281c6a77
  • b6912c23cccc4b0964d55608916297f6978f0b38c80a4beac472004a786fcef7
  • bd3230e4ceaf32ad2248ab069b164bd2144401967ac69de0a4cd1734fe429d9c
  • c25799facb3e788830bcf614f33411d3bcfc0edd4a2200e160b5eb4ce700039f
  • c39fedb662259bd76b11616966c41ff1fbda58d9b129b9c1bd818700eea92b29
  • ca8a00c9d36c64e5dcf562c7ae2b8df4bd6455fe0b41b32ee3a2a528ddc2d155
  • ce379de03e35e0ea2c88744c29b9e2678165214065f9b957177002c6bbe69084
  • d18369be4487d7cd0e4bd3dd0da720672e56e13ca43627305e26767e26925551
  • d7745513034af14617436ad6b3fc125fd0343218411d0c79bda56b0dadc86b2b
  • d8ac0c08e4c698017558e532974cf749135d3d49757f05001e6127dc6e07cf17
  • dccf9f008b42a04f7e69d3bbf7b5ce81e71308545d6176cc4763920a424e5ac1
  • e5341edb7c039c456d46c39f194be86ce4b41725d7ad12d297d18aa99cddd675
  • e88c41a6f769cd760e323b4f7c01835433cd4059cd59630cb1a9eb1181b350ed
  • f13f9cef5cc020bf673c7f4e19c93c312a043867f46796a8f01927a9a14c2533
  • f760bc16a585325ba9d74917f9e0994d3a4164c1141158c799b619d2c823e818


from Unit 42 https://ift.tt/YyDrL7P
via IFTTT