Google is taking decisive action against apps that drain excessive battery power, introducing a new warning system that will alert users before they download power-hungry applications. Starting March 1, 2026, apps that fail to meet Google’s battery-efficiency standards may see reduced visibility on the Play Store and display warnings on their listing pages. The tech […]
The notorious Everest ransomware group has claimed responsibility for a major cyber breach against Under Armour, the global sportswear giant, alleging the theft of 343 GB of internal data that could impact millions of customers and employees worldwide.
The announcement, posted on the group’s dark web leak site on November 16, 2025, includes a sample of stolen records to substantiate the claims, escalating concerns over potential identity theft and phishing risks.
According to Everest, the compromised dataset encompasses a vast array of personal and corporate information from Under Armour’s systems.
Everest Ransomware Group Armour Breach
This includes millions of client records with transaction histories, user IDs, email addresses, physical addresses, phone numbers, passport details, gender information, and both work and personal email contacts.
Employee data from various countries is also implicated, alongside internal company documents. The sample provided by the hackers reveals sensitive customer shopping histories, product catalogs with SKUs, prices, and availability, as well as marketing logs and user behavior analytics.
These details suggest the breach targeted Under Armour’s customer relationship management, personalization, or e-commerce databases, potentially originating from marketing or product registration systems.
Everest, active since 2021, has a track record of high-profile attacks, including claims against AT&T’s carrier database, which exposed over 500,000 users, 1.5 million passenger records from Dublin Airport, and internal files from Coca-Cola.
The group issued a seven-day ultimatum to Under Armour via Tox messenger, demanding contact before the countdown timer expires and threatening to leak the data if the demand is not fully met. No ransom amount was specified in the initial post, but Everest’s pattern involves escalating leaks for non-compliant victims.
Under Armour, headquartered in Baltimore, Maryland, has not yet publicly confirmed or denied the breach as of November 18. The company, which serves over 190 countries and boasts brands like MyFitnessPal (previously hit in a 2018 incident affecting 150 million users), could face significant fallout.
Past breaches at the firm exposed usernames, emails, and hashed passwords, but spared financial data; this incident appears far broader, potentially including passports and transaction logs that enable targeted fraud.
Cybersecurity experts warn that such exposures heighten the risk of supply chain attacks and social engineering. “Ransomware groups like Everest are pivoting to data exfiltration over encryption, turning breaches into intelligence goldmines,” noted a Mandiant analyst.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has not yet listed this in its Known Exploited Vulnerabilities catalog, but similar incidents have prompted federal alerts.
Customers are urged to monitor accounts for unusual activity, change passwords on Under Armour-linked services, enable multi-factor authentication, and watch for phishing emails masquerading as breach notifications.
Enterprises should scan for Everest indicators of compromise, such as Qakbot malware or Cobalt Strike beacons, which the group often uses. Under Armour has been contacted for comment; until verified, these remain allegations, but the sample’s detail lends credibility.
In a landmark operation targeting cybercriminal infrastructure, the East Netherlands cybercrime team conducted a major takedown of a rogue hosting company suspected of facilitating a broad spectrum of malicious activities. During the coordinated enforcement action on November 12th, law enforcement seized approximately 250 physical servers located in data centers across The Hague and Zoetermeer. The […]
Since mid-2024, a sophisticated Iranian-backed threat group known as UNC1549 has been conducting targeted campaigns against aerospace, aviation, and defense organizations across the globe.
The hackers employ an advanced dual approach, combining carefully crafted phishing campaigns with the exploitation of trusted connections between primary targets and their third-party suppliers.
This strategy proves particularly effective against well-defended organizations like defense contractors, which often leave their vendors as softer targets for initial compromise.
The threat group’s operational methods demonstrate significant evolution and tactical sophistication. Operating from late 2023 through 2025, UNC1549 leverages highly targeted, role-relevant phishing emails to establish initial footholds.
Once inside a network, they employ creative lateral movement techniques, including stealing victim source code to craft spear-phishing campaigns using lookalike domains that bypass security proxies.
The group also abuses internal service ticketing systems to harvest credentials from unsuspecting employees.
Google Cloud security analysts identified that UNC1549 deploys custom tooling designed specifically to evade detection and complicate forensic investigations.
Notably, every post-exploitation payload identified during investigations carried a unique hash, even when multiple samples of the same backdoor variant appeared within a single victim network.
This level of customization underscores the group’s substantial resources and commitment to operational security.
One of the most technically significant aspects of UNC1549’s operations involves their use of search order hijacking for malware persistence.
This technique involves placing malicious DLLs within legitimate software installation directories, allowing attackers to achieve persistent execution when administrators or users run the legitimate software.
Phishing email sent by UNC1549 (Source – Google Cloud)
The group has successfully abused this technique against widely used enterprise software, including FortiGate, VMware, Citrix, Microsoft, and NVIDIA executables.
Initial access
In these cases, researchers detected that UNC1549 deliberately installed legitimate software after gaining initial access, specifically to abuse this DLL search order hijacking capability.
The TWOSTROKE backdoor exemplifies this technical sophistication. This custom C++ backdoor communicates through SSL-encrypted TCP connections on port 443, making it difficult to distinguish from legitimate traffic.
Upon execution, TWOSTROKE generates a unique victim identifier by retrieving the fully qualified DNS computer name using the Windows API function GetComputerNameExW(ComputerNameDnsFullyQualified).
This name is XOR-encrypted with a static key, encoded as lowercase hexadecimal, and truncated to its first eight characters, which are then reversed to form the bot ID.
TWOSTROKE’s command set enables extensive post-compromise capabilities, including system information collection, dynamic DLL loading, file manipulation, and persistent backdoor functionality.
The malware receives hex-encoded payloads from command servers containing multiple commands separated by “@##@” delimiters. Commands range from file uploads and shell command execution to directory listing and file deletion operations.
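The bot ID derivation and the "@##@" command framing described above, as an added Python example written for this page (not code from Google Cloud's report or from the malware): an incident responder can use it to shortlist which host an observed bot ID belongs to and to decode a captured tasking blob. The XOR key, the string encoding of the computer name, and the sample payload are placeholders and constructed values, since the page gives none of them.

```python
"""Added example: TWOSTROKE bot-ID derivation and C2 command splitting, as an
IR helper for attributing an observed bot ID to a host. The XOR key and the
encoding of the computer name are assumptions (placeholders); the page gives
neither, so replace them with values recovered from an actual sample."""
from typing import Iterable

PLACEHOLDER_XOR_KEY = b"\x5a"   # constructed placeholder, not the real static key


def twostroke_bot_id(fqdn: str, key: bytes = PLACEHOLDER_XOR_KEY,
                     encoding: str = "utf-16-le") -> str:
    """Reproduce the reported pipeline: FQDN -> XOR with static key ->
    lowercase hex -> first eight characters -> reversed."""
    data = fqdn.encode(encoding)   # GetComputerNameExW yields UTF-16 (assumption)
    xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return xored.hex()[:8][::-1]   # bytes.hex() is already lowercase


def match_hosts(observed_id: str, candidates: Iterable[str],
                key: bytes = PLACEHOLDER_XOR_KEY,
                encoding: str = "utf-16-le") -> list[str]:
    """Return every candidate FQDN whose derived bot ID equals the observed one.
    Only four bytes of the XORed name survive (eight hex characters), so
    hosts sharing a name prefix share an ID: treat the result as a shortlist,
    not a unique identification."""
    wanted = observed_id.strip().lower()
    return [h for h in candidates if twostroke_bot_id(h, key, encoding) == wanted]


def split_commands(hex_payload: str) -> list[str]:
    """Decode a hex-encoded tasking blob into its '@##@'-separated commands."""
    raw = bytes.fromhex(hex_payload.strip())
    return [c for c in raw.decode("utf-8", errors="replace").split("@##@") if c]


# Constructed sample tasking blob (not captured traffic)
SAMPLE_PAYLOAD_HEX = "sysinfo@##@dir C:\\Users@##@del C:\\tmp\\x.log".encode().hex()

if __name__ == "__main__":
    hosts = ["host01.corp.example", "hostb.corp.example", "dc01.corp.example"]
    bot_id = twostroke_bot_id(hosts[0])
    print("bot id:", bot_id, "->", match_hosts(bot_id, hosts))
    print(split_commands(SAMPLE_PAYLOAD_HEX))
```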
UNC1549’s campaign prioritizes long-term persistence and anticipates investigator response. They strategically deploy backdoors that remain dormant for months, activating only after victims attempt remediation.
This approach, combined with extensive reverse SSH shell usage and domains mimicking victim industries, creates a challenging operational environment for defenders.
Microsoft on Monday disclosed that it automatically detected and neutralized a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia that measured 5.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps).
The tech giant said it was the largest DDoS attack ever observed in the cloud, and that it originated from a TurboMirai-class Internet of
A critical security flaw has been discovered in the widely used W3 Total Cache WordPress plugin, putting over 1 million websites at serious risk. The vulnerability allows attackers to take complete control of affected websites without needing any login credentials. Field Value CVE ID CVE-2025-9501 Plugin Name W3 Total Cache Affected Versions Before 2.8.13 Fixed […]
Google has announced the public preview of its Alert Triage and Investigation agent, a significant advancement in artificial intelligence-driven security operations.
The intelligent agent is now embedded directly within Google Security Operations, helping security teams process alerts faster and more effectively.
The new agent represents a significant step toward Google’s vision of an “Agentic SOC,” a security operations center powered by intelligent automation.
Instead of having security analysts check every alert by hand, the agent checks them itself, collects information, and decides whether they are real threats or harmless.
This capability allows security teams to focus their attention on alerts that genuinely require human expertise.
During private preview testing, the agent investigated hundreds of thousands of alerts across various organizations and industries.
Feedback from financial services firms and major retailers revealed substantial time savings. Google analysts reported that the agent’s comprehensive investigation summaries enabled faster decision-making while consolidating complex information that would otherwise require manual queries and analysis.
How the Agent Works
The investigation process begins when alerts are generated in Google’s detection engine. The agent reviews each alert and creates a dynamic investigation plan in line with Mandiant experts’ best practices.
It then executes multiple analytical capabilities to retrieve relevant events: YARA-L searches, threat intelligence enrichment using Google Threat Intelligence, command-line analysis for encoded or obfuscated commands, and process tree reconstruction to understand the full scope of potential attacks.
After completing its investigation, the agent decides whether the alert is real and assigns a confidence score indicating how sure it is.
Google emphasizes explainability throughout the agent’s process. The system references its sources and outlines investigation steps so analysts understand how recommendations were reached.
The company uses multiple evaluation techniques, including comparisons with human experts and AI evaluation methods, to ensure accuracy and continuous improvement.
All eligible Google Security Operations Enterprise and Enterprise Plus users can opt into the public preview immediately by clicking the Gemini icon within Google Security Operations.
Investigations begin automatically after enrollment, though users can also trigger investigations manually. Google plans to bring the agent to general availability in 2026 with additional enhancements to investigation depth and workflow integration.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning about a severe vulnerability in Lynx+ Gateway devices that could expose sensitive information in clear text during transmission.
The flaw allows attackers to intercept network traffic and obtain plaintext credentials and other confidential data. The vulnerability, tracked as CVE-2025-62765, stems from the product’s failure to encrypt data during transmission.
This cleartext transmission vulnerability poses a significant security risk for organizations that rely on Lynx+ Gateway technology, particularly those managing critical infrastructure or handling sensitive communications.
Lynx+ Gateway Vulnerability
An attacker with network access could exploit this weakness by monitoring traffic flowing through the affected gateway.
The lack of encryption means that credentials, authentication tokens, and other sensitive information transmitted across the network remain visible to potential threat actors.
According to CISA, no authentication or user interaction is required to launch an attack, making this vulnerability particularly dangerous.
The vulnerability has received a CVSS v3 base score of 7.5, indicating a high-severity threat.
The CVSS v3 vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) shows the attack can be executed remotely with low complexity and requires no privileges.
The vulnerability severely impacts confidentiality without affecting integrity or availability. The CVSS v4 score is even more severe at 8.7, reflecting the evolving assessment of this threat.
The CVSS v4 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) confirms that the attack vector remains network-based, with minimal barriers to exploitation.
Organizations using Lynx+ Gateway devices should prioritize patching this vulnerability immediately. CISA recommends implementing network segmentation to limit exposure and monitoring for suspicious network activity.
Additionally, organizations should consider implementing encrypted communication channels and reviewing access logs for signs of unauthorized traffic interception.
Until patches are available, administrators should restrict network access to affected gateways and implement additional monitoring controls.
Given the critical nature of this flaw, this advisory should be treated as a high-priority security incident requiring urgent attention from network and security teams.
A sophisticated threat actor has orchestrated a multi-stage ransomware attack spanning nine days, leveraging compromised Remote Desktop Protocol (RDP) credentials to infiltrate a corporate network, exfiltrate sensitive data, and deploy Lynx ransomware across critical infrastructure. The attack initiated with a successful RDP login using pre-compromised credentials, a critical indicator that the threat actor obtained valid […]
A critical vulnerability was discovered in the AI-Bolit component of Imunify security products, raising concerns across the web hosting and Linux server communities. This flaw could let attackers execute arbitrary code and escalate their privileges to root, risking the integrity of millions of servers worldwide. Imunify, a security platform widely used on web hosting servers, […]