-
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
HONOLULU—Speed. Persistence. Capabilities “designed and built to enable operations inside the weapons engagement zone.” The commander of U.S. Pacific Fleet wants it all. And he wants it now.
“Let’s continue to strengthen our rapid acquisition strategy. Put our best technology in the hands of our service members as soon as possible, and continue to outpace the competition,” Adm. Stephen Koehler told an audience of defense industry representatives and troops at the AFCEA TechNet Indo-Pacific conference. “Let’s take a holistic, innovative approach that brings transformative, strategic gains to our force. That includes considering things we’re not doing that we should be doing. That includes ‘embracing the red,’ which is Navy-speak for embracing the problems, adjusting quickly, and running to fix them.”
Koehler said his command has been working tirelessly on innovation, pairing experimentation with rehearsal in exercises designed to develop new capabilities while also building “new concepts of operation.”
“It might sound to you like we’re building the airplane while we fly it. That is no accident. It’s by design. We have to work fast to take advantage of today’s rapid pace of technological innovation. We have to get that capability into the hands of our sailors quickly, to enable them to innovate and force change, if needed,” Koehler said.
Pacific Fleet is already using AI for data analysis, but will continue to expand its use of artificial intelligence to “enhance command control, increase our lethality, and dominate in the [weapons engagement zone] across the entire continuum from competition to conflict, he said.
“I envision a future where the Pacific Fleet is empowered by artificial intelligence, where sailors and commanders at every level balance the art and science of warfare to make more effective decisions with superior outcomes faster than the adversary. A future where AI further accelerates the cycle of action between maneuver and fires for decisive combat advantage.”
Citing Indo-Pacific Command’s expeditionary foundry—The Forge—Koehler said the military and industry must “combine our unique strengths” to move forward together. But, he said, as the process of innovation and acquisition quickens, sailors “must also have the confidence and authority” to install new parts without waiting on contractors.
“Our sailors must have the ability to now only fix their own gear, but retain ownership over their own resilience and combat readiness. For example, if an unmanned system needs to be reconfigured during the fight, our sailors need to do it all. We owe our warriors the right to repair and configure their own equipment.”
]]>¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
The Defense Department is making another push to slim its civilian workforce, this time by directing managers to fire employees for “unacceptable performance” while continuing to encourage civilians to leave voluntarily.
A 20-page memo signed by the Pentagon’s personnel boss late last month lays out several mechanisms for civilian employees to resign or be removed for cause, beyond the 60,000-plus employees who have already voluntarily bowed out this year through either the Deferred Resignation Program or Voluntary Early Retirement Authority.
It also gives employees, half of whom are furloughed during the government’s shutdown, just seven days to respond to a proposed removal for poor performance. And if local managers do not sign off on the removals within 30 days, they must forward the case to the secretary’s office.
“Managers need more guidance on how to separate underperforming employees,” Defense Secretary Pete Hegseth wrote in a second memo signed Sept. 30. “Complex offboarding creates cultural drag that hurts morale across the Department and hinders our mission.”
But rather than offer that guidance, said Virginia Burger, a senior defense policy analyst at the Project on Government Oversight, the memo reiterates much of what is already laid out in the department’s civilian personnel management rules.
What it does propose to add is another layer of bureaucracy to DOD’s human-resources infrastructure, directing a review on the feasibility of centralizing the Pentagon’s oversight of disciplinary actions, rather than the current local initiation and final decisions.
Hegseth appears to be cultivating a leadership style not dissimilar to that of a company-grade infantry officer, the pinnacle of his leadership experience in uniform, micromanaging each process rather than creating strategy to streamline solving problems, Burger said.
“That works with 40 people,” she said, but is much less manageable with hundreds of thousands of personnel all over the world.
Along the same lines, Hegseth used the gathering of hundreds of generals and senior enlisted leaders at Marine Corps Base Quantico last month to “announce” that physical fitness standards would now apply to everyone in uniform—not mentioning that such a policy already existed, though there may have been questions of how completely it’s been followed.
A previous attempt to remove “unsatisfactory” performers among probationary employees was reversed by a court order, when a lawsuit brought evidence that those with excellent evaluations were shown the door.
The memo mentions the deferred resignation program and voluntary early retirement as off-ramps, as well as the Voluntary Separation Incentive Program, which offers to pay$25,000 to any civilian whose job is being eliminated if they agree to resign and forfeit any right to sue for wrongful termination.
The effort seems designed, Burger said, to scare employees into leaving of their own volition rather than face a potentially scurrilous removal for cause.
“The point is the cruelty,” she added.
In March, Hegseth directed all DOD components to submit recommendations for new organizational structures that would eliminate or merge redundant positions. His office has declined to discuss what the recommendations were and which ones it plans to implement.
The other half of that project included creating new incentives for high performance. Another Sept. 30 memo calls on the components to submit their plans for awarding bonuses and other incentives to best performers, and how they will justify those awards.
Hegseth’s office did not immediately respond to a request for the Pentagon’s target for civilian end strength. When he took office, the number stood at just under 800,000, with voluntary resignations bringing that number to about 438,000 by late September. Those measures have already netted the 8-percent cut the administration called for back in February.
]]>¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
Researchers have uncovered a sophisticated campaign leveraging the Lampion banking trojan, a malware strain that has operated since 2019 with a renewed focus on Portuguese financial institutions.
The threat actor group behind these operations has refined its tactics significantly, introducing novel social engineering techniques that make traditional detection increasingly difficult.
What distinguishes this latest iteration is the integration of ClickFix lures, a deceptive method that convinces users they need to fix technical issues before executing malicious payloads.
The infection vector begins with carefully crafted phishing emails mimicking legitimate bank transfer notifications.
Threat actors use compromised email accounts to distribute these messages, lending them authenticity that casual inspection might miss.
The emails contain ZIP file attachments rather than direct links, a tactical shift implemented around mid-September 2024 that demonstrates the group’s adaptive approach to bypassing security controls.
Bitsight analysts identified the campaign’s evolution across three distinct time periods, with the most notable transformation occurring in mid-December 2024 when ClickFix social engineering entered the attack chain.
.webp)
The researchers documented the malware’s active infection rate in the several dozens daily, with hundreds of active compromised systems currently under attacker control.
This scale reflects the campaign’s effectiveness and the group’s operational sophistication. The infection chain reveals a multi-stage architecture designed to evade detection at each step.
After victims download the deceptively labeled attachment, they encounter what appears to be a legitimate Windows error notification, complete with familiar UI elements.
.webp)
This ClickFix lure prompts users to click links that initiate the actual malware delivery, creating a false sense of security while the infection process unfolds behind the scenes.
Infection Mechanism and Persistence Tactics
The technical infrastructure supporting this campaign demonstrates considerable expertise in operational security.
The infection chain progresses through obfuscated Visual Basic scripts, each stage further obfuscating the malicious intent until reaching the final DLL payload containing the stealer functionality.
Notably, persistence mechanisms were added to the first stage around June 2025, enabling the malware to survive system reboots and maintain access across sessions.
The threat actors employ geographically distributed infrastructure spanning multiple cloud providers, effectively compartmentalizing their operations.
IP blacklisting capabilities within their infrastructure prevent security researchers from tracing the complete infection chain, while also enabling fine-grained control over which victims receive which payloads.
Bitsight researchers noted that the hundreds of unique samples at each infection stage suggest automated generation, indicating the group possesses sufficient technical capability to scale their operations efficiently while maintaining operational security throughout the attack cycle.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post New Lampion Stealer Uses ClickFix Attack to Silently Steal Login Credentials appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
A new agent-aware cloaking technique uses AI browsers like OpenAI’s ChatGPT Atlas to deliver misleading content.
This method allows malicious actors to poison the information AI systems ingest, potentially manipulating decisions in hiring, commerce, and reputation management.
By detecting AI crawlers through user-agent headers, websites can deliver altered pages that appear benign to humans but toxic to AI agents, turning retrieval-based AI into unwitting vectors for misinformation.
OpenAI’s Atlas, launched in October 2025, is a Chromium-based browser that integrates ChatGPT for seamless web navigation, search, and automated tasks. It enables AI to browse live webpages and access personalized content, making it a powerful tool for users but a vulnerable entry point for attacks.
Traditional cloaking tricked search engines by showing optimized content to crawlers, but agent-aware cloaking targets AI-specific agents like Atlas, ChatGPT, Perplexity, and Claude.
When AI Crawlers See a Different Internet
A simple server rule “if user-agent equals ChatGPT-User, serve fake page” can reshape AI outputs without hacking, relying solely on content manipulation.
SPLX researchers demonstrated this vulnerability through controlled experiments on sites that differentiate between human and AI requests.
As shown in the attached diagram, a web server responds to a standard GET request with index.html, routing human traffic to legitimate content while diverting AI queries to fabricated versions.
This “context poisoning” embeds biases or falsehoods directly into AI reasoning pipelines, where retrieved data becomes unquestioned truth.
In one experiment, SPLX created zerphina.xyz, a portfolio for the fictional Zerphina Quortane, a Portland-based designer blending AI and creativity.
Humans visiting the site see a professional bio with clean layouts and positive project highlights, free of any suspicious elements.
However, when accessed by AI agents like Atlas identified via user-agents such as “ChatGPT-User” or “PerplexityBot” the server serves a damning alternate narrative portraying Zerphina as a “notorious product saboteur” riddled with ethical lapses and failures.
Atlas and similar tools reproduced this poisoned profile without verification, confidently labeling her unreliable and unhirable in summaries.
Detection lags, as neither ChatGPT nor Perplexity cross-checked inconsistencies, underscoring gaps in provenance validation. For individuals and brands, this malleability risks silent reputation sabotage, with no public traces left behind.
SPLX’s second test targeted recruitment, simulating a job evaluation with five fictional candidates’ resumes on hosted pages. All profiles appeared identical and legitimate to human viewers, featuring realistic histories and skills.
For candidate Natalie Carter, the server was rigged to detect AI crawlers and inflate her resume with exaggerated titles, leadership claims, and tailored achievements appealing to algorithmic scoring.
When Atlas retrieved the pages, it ranked Natalie highest at 88/100, far above others like Jessica Morales at 78. In contrast, using human-visible resumes loaded locally bypassing user-agent tricks dropped her to 26/100, flipping the leaderboard entirely.
This shift demonstrates how cloaked content injects retrieval bias into decision-making, affecting hiring tools, procurement, or compliance systems. Without built-in verification, AI inherits manipulations at the content-delivery layer, where trust is weakest.
Agent-aware cloaking evolves classic SEO tactics into AI overview (AIO) threats, amplifying impacts on automated judgments like product rankings or risk assessments. Hidden prompt injections could even steer AI behaviors toward malware or data exfiltration.
To counter this, organizations must implement provenance signals for data origins, validate crawlers against known agents, and monitor AI outputs continuously.
Model-aware testing, website verification, and reputation systems to block manipulative sources are essential, ensuring AI reads the same reality as humans. As AI browsers like Atlas proliferate, these defenses will define the battle for web integrity.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post New Agent-Aware Cloaking Leverages OpenAI ChatGPT Atlas Browser to Deliver Fake Content appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
A newly discovered Windows malware family named Airstalk has emerged as a sophisticated threat capable of exfiltrating sensitive browser credentials through an innovative covert command-and-control channel.
Available in PowerShell and .NET variants, this malware demonstrates advanced capabilities including multi-threaded communications, versioning, and the misuse of legitimate mobile device management infrastructure.
The malware hijacks the AirWatch API, now known as Workspace ONE Unified Endpoint Management, transforming a legitimate platform into a clandestine communication channel.
Airstalk leverages the custom device attributes feature within the AirWatch MDM API to establish a “dead drop” mechanism, where encrypted communications are exchanged without direct connection between attacker and victim.
This espionage technique allows threat actors to maintain persistent access while remaining undetected.
The malware targets browser data including cookies, history, bookmarks, and screenshots through endpoints /api/mdm/devices/ for command-and-control and /api/mam/blobs/uploadblob for exfiltration.
Palo Alto Networks researchers identified this malware as part of a suspected nation-state supply chain attack, tracking the activity under threat cluster CL-STA-1009.
What distinguishes Airstalk from typical information stealers is its ability to function within trusted systems management tools, allowing execution without raising suspicion.
The PowerShell variant targets Google Chrome, while the .NET variant extends reach to Microsoft Edge and Island Browser.
The C2 protocol operates through JSON messages containing CLIENT_UUID, storing the compromised device identifier retrieved through Windows Management Instrumentation, and SERIALIZED_MESSAGE, with Base64-encoded instructions. The protocol employs message types like CONNECT, CONNECTED, ACTIONS, and RESULT.
Defense evasion remains central through code-signed binaries bearing a certificate issued to Aoteng Industrial Automation (Langfang) Co., Ltd., revoked 10 minutes after issuance.
Multi-Threaded C2 Architecture and Credential Harvesting
The .NET variant demonstrates sophisticated engineering through multi-threaded architecture, separating core functions into parallel execution streams.
This design allows simultaneous task management, debugging transmission to attackers every 10 minutes, and periodic beaconing to signal active infection.
The implementation utilizes three suffix identifiers: -kd for debugging, -kr for task synchronization, and -kb for connection establishment.
.webp)
The malware focuses on browser credential harvesting using Chrome remote debugging to extract cookies from active sessions.
The PowerShell variant restarts Chrome with parameters loading targeted profiles and executes commands to dump cookies.
.webp)
The code leverages the UploadResult function to transmit stolen data.
{
"Name": "<CLIENT_UUID>",
"Value": "<SERIALIZED_MESSAGE>",
"Uuid": "<CLIENT_UUID>",
"Application": "services.exe",
"ApplicationGroup": "services"
}When handling large data, Airstalk utilizes the blobs feature to upload content. The serialized message structure follows a nested schema where the outer JSON container holds device identification and encoded payloads.
The .NET variant introduces versioning support, evolving through versions 13 and 14. The execution flow implements parallel threads, while the debug function periodically uploads the log.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post New Windows-Based Airstalk Malware Employs Multi-Threaded C2 Communication to Steal Logins appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
A sophisticated malware campaign exploiting Near Field Communication technology on Android devices has expanded dramatically since its emergence in April 2024.
What began as isolated incidents has escalated into a widespread threat, with over 760 malicious applications now circulating in the wild.
These malicious apps abuse NFC and Host Card Emulation capabilities to illegally capture payment data and facilitate fraudulent transactions.
The campaign has broadened its geographical footprint beyond initial targets, now affecting users across Russia, Poland, Czech Republic, Slovakia, and Brazil.
The malware operates by masquerading as legitimate financial institution applications, tricking users into installing apps that appear to represent trusted banks and government agencies.
Once installed, these applications prompt victims to designate them as the default NFC payment method on their devices.
The malicious software then silently intercepts payment card data during tap-to-pay transactions, exfiltrating sensitive information including card numbers, expiration dates, and EMV fields to threat actors through private Telegram channels.
Zimperium analysts identified a sprawling infrastructure supporting these operations, uncovering over 70 command-and-control servers, dozens of Telegram bots used for coordination, and approximately 20 impersonated institutions.
Among the targeted entities are major Russian banks like VTB, Tinkoff, and Promsvyazbank, alongside international institutions such as Santander, Bradesco, PKO Bank Polski, and government portals including Russia’s Gosuslugi service.
The malware’s operational methods vary, with some variants functioning as scanner tools that extract card data for subsequent POS purchases, while others directly exfiltrate stolen credentials to attacker-controlled channels.
Communication Architecture and Command Structure
The malicious applications establish persistent connections with command-and-control servers through WebSocket communications, enabling real-time bidirectional exchanges.
The apps execute commands such as register_device, which transmits hardware identifiers, device models, NFC support status, and IP addresses to the server.
.webp)
The apdu_command instruction forwards payment terminal requests to the C2 infrastructure, while apdu_response returns crafted replies that manipulate transaction flows.
Additional commands like card_info and get_pin facilitate the extraction of complete payment credentials, with threat actors receiving automated notifications containing full card details through Telegram integrations via the telegram_notification command.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post 700+ Malicious Android Apps Abusing NFC Relay to Exfiltrate Banking Login Credentials appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
Google on Thursday revealed that the scam defenses built into Android safeguard users around the world from more than 10 billion suspected malicious calls and messages every month.
The tech giant also said it has blocked over 100 million suspicious numbers from using Rich Communication Services (RCS), an evolution of the SMS protocol, thereby preventing scams before they could even be sent.
In
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
The White House’s pick to field new technologies across the military faster says most U.S. companies want to sell to the Pentagon, but they don’t understand what the military needs.
“One of the things I've observed over the last few years is that the vast majority of American [tech] companies want to serve our nation, they want to develop and deliver capabilities to our warfighters. Sometimes they don't always understand, from a threat-informed perspective, what our key operational problems are,” said James Caggy, the nominee for assistant defense secretary for mission capabilities, one of three roles designed to replace the Pentagon’s chief technology officer position.
That misunderstanding can result in a mismatch when a new technology works in a lab or a narrow scenario but can’t be used broadly—a phenomenon called the “Valley of Death.”
Caggy, who is a former technologist for Amazon Web Services and ex-advisor for the Pentagon’s Strategic Capabilities Office, spoke at his Senate confirmation hearing on Tuesday. He said his main goal would be to build industry relationships beyond tech and provide them “a threat-informed picture of what we are currently dealing with out in the operating environment and what we may be dealing with in the next few years.”
Caggy will be the first to serve in this role. In 2023, the Pentagon divvied up its chief technology officer responsibilities to three assistant defense secretaries: one for science and technology, to lead policy and oversight of research and development; one for critical technologies, such as microelectronics; and one for mission capabilities, which is designed to get new tech out of a lab and onto the battlefield
“We often hinder ourselves with our own bureaucracy, with overly burdensome rules and regulations” that block rapid prototyping and experimentation, Caggy testified.
In responses to policy questions, Caggy elaborated on his priorities for the new office, including working with newer defense tech startups and increasing the “number of joint prototyping and experimentation exercises over the next year, so we identify and fix problems early and get capabilities into warfighters’ hands faster,” he wrote.
“The metric I care about is speed with credibility: how quickly we can prove that a technology works and field it at scale. If confirmed, I’ll work to implement policy how we measure and how we can shorten both timelines, without compromising safety or effectiveness.”
Senators also heard testimony from Joseph Jewell, who is nominated to be assistant defense secretary for science and technology. Jewell is an aeronautics professor at Purdue University, specializing in hypersonics.
When asked about new tech threats, Jewell cited drones that can tunnel underground.
“It's something that can be wielded against the United States both by peer and near-peer adversaries and potentially by insurgencies and other smaller, even individual threats,” he said, noting that small businesses would be best suited to come up with solutions. “Some of the most interesting ideas on these, kind of, new threats or newly recognized threats come from small businesses. And so, the SBIR and STTS programs, I think, can be critical in terms of getting more new ideas in the pipeline to address those kinds of threats.”
]]>¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
The open-source command-and-control (C2) framework known as AdaptixC2 is being used by a growing number of threat actors, some of whom are related to Russian ransomware gangs.
AdaptixC2 is an emerging extensible post-exploitation and adversarial emulation framework designed for penetration testing. While the server component is written in Golang, the GUI Client is written in C++ QT for
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶