Daily Digest

Germany just pulled back the curtain on one of the most wanted hackers in ransomware history. The elusive mastermind behind the notorious REvil and GandCrab gangs—known only as “UNKN”—now has a name and a face. Meet Daniil Maksimovich Shchukin, a 31-year-old Russian who allegedly ran two of the most destructive ransomware operations ever seen. The German Federal Criminal Police (BKA) says he’s linked to at least 130 cyberattacks across the country, extorting nearly $2 million euros and causing over 35 million euros in damage. If you’ve ever wondered who’s behind those double-extortion attacks that paralyze hospitals, schools, and businesses, this is your answer.

**What exactly happened** In a stunning move, German authorities publicly identified and doxed the hacker known as “UNKN,” revealing him as Daniil Maksimovich Shchukin. The BKA advisory named Shchukin as the head of both the GandCrab and REvil ransomware gangs—two groups that terrorized organizations worldwide from 2018 to 2021. Alongside Shchukin, the BKA also named 43-year-old Anatoly Sergeevitsch Kravchuk as a co-conspirator. Together, they allegedly extorted nearly $2 million euros across two dozen attacks, causing over 35 million euros in total economic damage in Germany alone. **Who is affected and how** The victims span across Germany—companies, government agencies, and critical infrastructure operators. The attacks weren’t just about locking files; they pioneered the “double extortion” model. First, victims paid to unlock their systems. Then, they paid again to prevent stolen data from being leaked online. This isn’t just a German problem. REvil and GandCrab hit targets globally, including the U.S., where Shchukin’s name appeared in a 2023 Justice Department filing seeking seizure of cryptocurrency accounts tied to REvil proceeds—including over $317,000 in ill-gotten crypto. **The real-world impact and consequences** Beyond the immediate ransom payments, the economic damage is staggering. Hospitals delayed surgeries. Schools shut down. Companies lost months of productivity. The psychological toll on victims—fearing their private data would be dumped online—was immense. For Shchukin, the consequences are now personal. His mugshots are public. His identity is known. And with international law enforcement closing in, his days of operating in the shadows are over. **Technical breakdown (the “how” explained simply)** GandCrab and REvil operated as “ransomware-as-a-service” (RaaS). Think of it like a criminal franchise. Shchukin and his team built the malware and infrastructure. Then they recruited “affiliates”—independent hackers who would break into target networks and deploy the ransomware. When a victim paid, the affiliates got a cut (usually 60-70%), and the gang leaders took the rest. The double extortion twist? Before encrypting files, they stole sensitive data. If victims refused to pay the ransom, the data was published on a “leak site” to maximize pressure. **What should be done — mitigation and recommendations** For organizations: Back up critical data offline. Train employees to spot phishing emails (the most common entry point). Implement multi-factor authentication everywhere. And have an incident response plan ready before the attack hits. For law enforcement: This case shows the power of international cooperation. The BKA, FBI, and other agencies are sharing intelligence and tracking crypto transactions. But more resources are needed to pursue these gangs in their home countries. **Why this matters in the bigger cybersecurity landscape** This takedown is a major blow to the ransomware ecosystem. REvil and GandCrab were trailblazers—they showed criminals how to turn ransomware into a billion-dollar industry. By exposing Shchukin, Germany sends a clear message: even the most anonymous hackers can be unmasked. But the fight isn’t over. New gangs are already filling the void. The real lesson? Ransomware is a persistent threat, but it’s not invincible. Every unmasked leader, every seized wallet, and every public naming chips away at the illusion of impunity.

A Latvian cybercriminal who acted as a "cold case" negotiator for the Russian Karakurt ransomware gang has been sentenced to 8.5 years in a U.S. prison. Deniss Zolotarjovs, 35, was the first member of this notorious extortion group to face American justice—and his case reveals just how far these attackers will go to squeeze victims. Why does this matter? Zolotarjovs didn't just demand money. He weaponized stolen children's health data and even helped take a government 911 system offline. If you run a business, hospital, or local government, this story is a stark warning about the human predators behind ransomware attacks.

**What exactly happened** Deniss Zolotarjovs, a Latvian national living in Moscow, was sentenced to 8.5 years in federal prison after pleading guilty to conspiracy to commit wire fraud and money laundering. Arrested in Georgia in December 2023 and extradited to the U.S., he operated under the alias "Sforza_cesarini" as a key member of the Karakurt extortion group. Karakurt was no ordinary ransomware gang. It was led by former leaders of the infamous Conti ransomware group, one of the most destructive cybercrime operations in history. Zolotarjovs specialized in "cold case extortions"—reopening negotiations with victims who had initially refused to pay. **Who is affected and how** The FBI linked Zolotarjovs to at least six extortion cases against American organizations between August 2021 and November 2023. But his reach was far wider. Court documents show he was involved in attacks against more than 54 companies across multiple sectors. The most chilling detail? He used stolen children's health information to increase pressure on victims. One attack even forced a government entity's 911 system offline, putting lives at risk. This wasn't just about money—it was about maximizing psychological terror. **The real-world impact and consequences** The numbers are staggering. Attacks on just 13 known victim companies resulted in over $56 million in losses, including approximately $2.8 million in ransom payments. But the government admits this is just the tip of the iceberg. Another 41 victim companies paid $13 million in ransom during the same period, but detailed loss statements aren't yet available. The Department of Justice estimates total losses during Zolotarjovs's participation likely reach into the hundreds of millions of dollars. Underreporting of ransomware attacks means the true figure may never be known. **Technical breakdown** Zolotarjovs's role was deceptively simple but devastatingly effective. When initial ransom negotiations stalled and victims stopped communicating, he stepped in. His job was to research targeted companies thoroughly, analyzing stolen personal and health information to find leverage points. He didn't just threaten to leak data—he studied it. Medical records, financial details, personal correspondence. Everything became ammunition to restart negotiations and force payment. He was also linked to attacks by other ransomware groups including Conti, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira. **What should be done** This case underscores why incident response plans must include negotiation strategies. If you're hit by ransomware, prepare for the possibility that attackers will weaponize your stolen data against you personally. Organizations should implement robust data classification and access controls to limit what attackers can steal. Regular backups, network segmentation, and employee training remain essential. But equally important is having a crisis communication plan that accounts for psychological pressure tactics like those Zolotarjovs employed. **Why this matters in the bigger cybersecurity landscape** Zolotarjovs is the first Karakurt member to face charges and be sentenced in the U.S. This sets a powerful precedent. It signals that even specialized roles like negotiators—who may never touch a line of code—are now in prosecutors' crosshairs. The timing is significant. On the same day as Zolotarjovs's sentencing, two former employees of Sygnia and DigitalMint received four-year prison sentences for their roles in BlackCat (ALPHV) ransomware attacks. The message is clear: the entire ransomware ecosystem, from coders to negotiators to money launderers, is being dismantled piece by piece.

Google just rewrote the rules of its bug bounty game, and the stakes have never been higher. The tech giant is now offering up to $1.5 million for the most elusive Android exploits—specifically those targeting the Pixel Titan M2 security chip with full-chain, zero-click attacks that can persist after a reboot. But here's the twist: while rewards for the hardest hacks are soaring, payouts for simpler flaws are being slashed. Why? Because AI has made finding and documenting basic bugs almost effortless. If you're a researcher hunting for glory and cash, the message is clear—go big or go home. And if you're an Android or Chrome user, this shift means the threats Google is most worried about are the ones that truly hurt.

**What exactly happened** Google overhauled its Android and Chrome Vulnerability Rewards Programs (VRPs), introducing a new top-tier bounty of $1.5 million. This eye-popping sum is reserved for zero-click, full-chain exploits targeting the Pixel Titan M2 security chip—with persistence. That means an attacker could compromise the device without any user interaction and maintain access even after a reboot. For the same exploit without persistence, the reward drops to $750,000. On the Chrome side, full-chain browser exploits on up-to-date systems now fetch up to $250,000, with an extra $250,128 bonus for successfully bypassing MiraclePtr, a memory safety feature. Google is essentially doubling down on the most technically demanding attack scenarios, while quietly scaling back rewards for vulnerabilities that AI can now easily identify and document. **Who is affected and how** This directly impacts the security researcher community, especially those who hunt Android and Chrome bugs for a living. If you're a part-time bug hunter or rely on finding low-hanging fruit, your payout just got smaller. Google is narrowing the Android program's focus to Linux kernel vulnerabilities in its own maintained components, unless you can prove concrete exploitability on actual devices. For everyday users—that's you and me—this change is a double-edged sword. On one hand, Google is incentivizing discovery of the most dangerous, hard-to-find exploits, which could lead to stronger defenses. On the other, the reduced emphasis on simpler bugs might mean some vulnerabilities slip through the cracks, especially if researchers shift their focus elsewhere. **The real-world impact and consequences** Google paid out a record $17.1 million to 747 researchers in 2025—a 40% increase from 2024 and the highest in the program's history. Total payouts since 2010 now exceed $81.6 million. Despite cutting some individual rewards, Google expects aggregate payouts to rise again in 2026. This suggests the company is betting that fewer, but more impactful, discoveries will drive overall spending up. The practical consequence? The most dangerous attack chains—like those that could silently compromise a Pixel's secure element—are now worth a fortune. But researchers may feel less motivated to report garden-variety bugs, potentially leaving a gap in coverage for less glamorous but still harmful vulnerabilities. **Technical breakdown** The $1.5 million prize targets a specific nightmare scenario: a zero-click exploit chain that compromises the Pixel Titan M2 chip, achieves full system compromise, and survives reboots. This requires chaining multiple vulnerabilities across different layers—likely including the kernel, firmware, and secure element—without any user interaction. It's the kind of exploit that nation-state actors would kill for. For Chrome, the focus is on full-chain browser exploits that work on fully patched systems. The MiraclePtr bonus is particularly interesting—it's a mitigation that makes exploiting use-after-free bugs harder, so bypassing it is a significant achievement. Google is also streamlining submissions: instead of lengthy AI-generated write-ups, they want concise reports with only the essential proof and artifacts. **What should be done** If you're a security researcher, now is the time to sharpen your skills on advanced exploitation techniques. Focus on chaining multiple vulnerabilities, understanding hardware-level attacks, and mastering memory safety bypasses. For Chrome hunters, learning MiraclePtr internals could be a lucrative niche. For organizations and users, this is a reminder to keep devices updated—especially Pixels, which now have a bigger target on their back. Google's emphasis on zero-click exploits means that even if you do everything right, you could still be vulnerable. Enable automatic updates, use strong authentication, and consider additional security layers like endpoint detection. **Why this matters** This restructuring signals a fundamental shift in how Google—and by extension, the industry—values vulnerability research. AI is commoditizing the discovery of simple bugs, forcing researchers to climb the difficulty ladder. The message is clear: the most dangerous threats are those that combine multiple advanced techniques, and Google is willing to pay a premium to find them first. As AI continues to automate the low-hanging fruit, expect other companies to follow suit. The bug bounty landscape is evolving from a volume game to a precision game. And for defenders, the challenge is clear: the attackers are already chasing the same high-value targets.

Imagine a hacker stealing your two-factor authentication codes without ever touching your phone. That's exactly what the new CloudZ malware does. It hijacks Microsoft Phone Link—the app that syncs your Android or iPhone to your Windows PC—to silently siphon SMS messages and one-time passwords. If you use text-based 2FA, your accounts are at risk. This isn't a theoretical attack; it's already happening in the wild since January.

**What exactly happened** Security researchers at Cisco Talos uncovered a new version of the CloudZ remote access tool (RAT) armed with a malicious plugin called Pheno. This plugin exploits Microsoft Phone Link, a built-in Windows 10 and 11 app that lets you make calls, send texts, and view notifications from your phone on your PC. The attack has been active since at least January, and the threat actor's goal is clear: steal credentials and temporary passcodes. By targeting Phone Link, they bypass the need to compromise the mobile device itself. **Who is affected and how** Anyone using Microsoft Phone Link on Windows is a potential target. The malware monitors for active Phone Link sessions and then accesses its local SQLite database. That database contains SMS messages and one-time passwords (OTPs) sent to the victim's phone. The attacker doesn't need to hack your phone. They just need to be inside your Windows machine. Once CloudZ is installed, Pheno does the rest—silently reading your 2FA codes as they arrive. **The real-world impact and consequences** This is a nightmare for anyone relying on SMS-based two-factor authentication. Those six-digit codes you get from your bank, email provider, or social media accounts are now exposed. The attacker can use them to log into your accounts, reset passwords, and lock you out. The consequences go beyond personal accounts. If this hits a corporate device, attackers could intercept authentication codes for VPNs, email, or cloud services. That's a direct path to data breaches and ransomware. **Technical breakdown—how it works** The infection starts when a victim runs a fake ScreenConnect update. This drops a Rust-based loader, which then deploys a .NET loader. That .NET loader installs CloudZ RAT and sets up persistence via a scheduled task. The .NET loader includes anti-analysis checks. It looks for sandbox environments, checks for analysis tools like Wireshark, Fiddler, Procmon, and Sysmon, and even uses time-based evasion to avoid detection. Once CloudZ is running, it can execute file management operations, run shell commands, start screen recording, and manage other plugins. It communicates with its command-and-control server using three rotating user-agent strings and anti-caching headers to avoid detection. Pheno then scans for active Phone Link sessions. When found, it reads the SQLite database file containing SMS and OTP messages. The attacker gets everything without ever touching the phone. **What should be done—mitigation and recommendations** First, stop using SMS-based OTPs. Switch to authenticator apps that don't rely on push notifications that could be intercepted. For sensitive accounts, use phishing-resistant hardware keys like YubiKeys. Organizations should monitor for indicators of compromise published by Cisco Talos, including URLs, hashes, domains, and IP addresses. Blocking these can prevent the initial infection. Users should also be cautious about fake software updates. The entry point here was a fake ScreenConnect update. Always download updates from official sources. **Why this matters in the bigger cybersecurity landscape** This attack highlights a growing trend: attackers are exploiting legitimate system features to bypass security. Microsoft Phone Link is trusted and widely used. By hijacking it, attackers stay under the radar. It also shows the weakness of SMS-based 2FA. Even if you do everything right, your codes can be stolen if your PC is compromised. The industry must move toward more secure authentication methods. CloudZ with Pheno is a reminder that security is only as strong as the weakest link. And sometimes, that link is the convenience of syncing your phone to your PC.

A notorious North Korean hacking group just pulled off a digital heist that feels straight out of a spy thriller. APT37, also known as ScarCruft, has weaponized a video game platform to deliver a brand-new Android backdoor called BirdCall—turning your smartphone into a silent listening device. If you’ve downloaded games from sqgame[.]net, a site popular with Korean communities in China, your device could be compromised. This isn’t just about stolen data; it’s about real-time surveillance, with the malware capable of recording your calls, stealing your contacts, and even eavesdropping through your microphone between 7 PM and 10 PM local time. The stakes are high, and the target is anyone who trusts a gaming hub.

**What exactly happened** In a chilling evolution of cyber-espionage, APT37 has developed an Android version of its BirdCall backdoor, previously only seen on Windows. The malware was distributed through a supply-chain attack on sqgame[.]net, a Chinese gaming platform serving Android, iOS, and Windows games. ESET researchers discovered that since October 2024, the group has crafted at least seven variants of this spyware, specifically targeting Android and Windows users. The platform itself is a cleverly chosen vector—it caters to Koreans in the autonomous Yanbian region of China, a critical transit point for North Korean defectors and refugees. By compromising a trusted gaming hub, ScarCruft ensures its malware reaches high-value targets without raising suspicion. **Who is affected and how** The primary victims are likely individuals with ties to North Korean defector networks, activists, or journalists—anyone whose data could be valuable to the Pyongyang regime. The attack works by trojanizing legitimate APK files on the gaming site. When users download what appears to be a harmless game, they instead install BirdCall, which then begins harvesting sensitive information in the background. **The real-world impact and consequences** This isn’t your average data theft. BirdCall for Android is a full-fledged surveillance tool. It can extract IP geolocation, collect contact lists, call logs, and SMS messages. More disturbingly, it records audio via the microphone during a specific window—7 PM to 10 PM local time—likely to capture conversations when targets are most vulnerable. The malware also takes periodic screenshots and exfiltrates files with extensions like .jpg, .doc, .pdf, and .hwp, targeting documents and media. **Technical breakdown** The Android variant of BirdCall is sophisticated but not yet as feature-rich as its Windows counterpart. It gathers device information (OS, kernel, rooted status, IMEI, MAC address, IP, network details) and sends it to a command-and-control (C2) server. To avoid detection, it plays a silent MP3 in a loop, preventing the system from suspending its process. However, it lacks some Windows capabilities like shell command execution, browser data theft, and file deletion—suggesting it’s still in active development. On Windows, the infection chain starts with a trojanized DLL (mono.dll) that downloads RokRAT, which then deploys the Windows BirdCall. This dual-platform approach shows ScarCruft’s commitment to cross-environment espionage. **What should be done — mitigation and recommendations** The simplest defense is to avoid downloading software from unofficial sources. Stick to official app stores like Google Play, Apple’s App Store, or verified publisher sites. For those who may have used sqgame[.]net, immediately run a security scan with a reputable mobile antivirus tool. Check for unusual battery drain, unexpected audio recordings, or apps requesting excessive permissions. If you suspect infection, factory reset your device and change all passwords from a clean computer. **Why this matters in the bigger cybersecurity landscape** ScarCruft’s move to Android is a significant escalation. It reflects a broader trend where state-sponsored groups expand their toolkits to mobile platforms, recognizing that smartphones are treasure troves of personal and professional data. This attack also highlights the danger of supply-chain compromises in niche communities—where trust in a platform can be weaponized. As North Korea’s cyber capabilities grow, expect more such creative, targeted attacks that blend social engineering with technical stealth. The message is clear: no platform is too small, and no target too obscure, for modern espionage.

A Brazilian anti-DDoS firm was caught red-handed launching the very attacks it claims to protect against. Huge Networks, a company specializing in DDoS mitigation, allegedly ran a botnet that pummeled other Brazilian ISPs for years. The CEO blames a security breach and a rival trying to frame them. But exposed SSH keys and malicious Python scripts tell a different story. If you're a Brazilian ISP or rely on one, your network may have been collateral damage in a cyberwar fought with the enemy's own shield.

**What exactly happened** Security researchers tracked a mysterious DDoS campaign targeting Brazilian ISPs for years. The attacks were massive, persistent, and purely domestic. Then a source shared an open directory archive containing the smoking gun: private SSH keys belonging to Huge Networks' CEO, plus Portuguese-language malware. The archive revealed that Huge Networks—a Miami-founded firm specializing in DDoS protection—was actively controlling a botnet. The malware was designed to launch attacks against other Brazilian network operators, exactly the kind Huge claims to shield. **Who is affected and how** Brazilian ISPs have been the primary targets, suffering repeated network outages and degraded service. But the fallout extends to every business and individual relying on those ISPs for connectivity. If you host a site on a Brazilian provider, you may have experienced unexplained downtime. Huge Networks' own customers are also at risk. They paid for protection from a company that allegedly weaponized its infrastructure against competitors. Trust in DDoS mitigation services—already fragile—takes another hit. **The real-world impact and consequences** These attacks didn't just inconvenience users; they disrupted entire networks. For Brazilian ISPs, prolonged DDoS attacks mean lost revenue, damaged reputations, and potential SLA breaches. For Huge Networks, the exposure could be catastrophic—legal liability, customer exodus, and regulatory scrutiny. The CEO's defense—blaming a competitor—raises more questions than answers. If true, it suggests a shadow war among Brazilian cybersecurity firms, with innocent ISPs caught in the crossfire. **Technical breakdown (explain the "how" simply)** The exposed archive contained Python scripts written in Portuguese, designed to commandeer compromised servers. These scripts used the CEO's private SSH keys to authenticate with Huge Networks' infrastructure, effectively turning the company's own systems into attack launchpads. The botnet likely infected vulnerable servers across Brazil, then used them to flood targets with traffic. The DDoS attacks were "massive" because the botnet leveraged legitimate, high-bandwidth servers—not just home routers. This made mitigation harder and attacks more damaging. **What should be done — mitigation and recommendations** Brazilian ISPs should immediately audit their networks for signs of compromise. Look for unusual outbound traffic patterns, especially from servers running Python scripts or using SSH keys linked to Huge Networks. Huge Networks must conduct a full forensic investigation, not just blame a competitor. They should revoke all compromised SSH keys, rotate credentials, and publicly disclose the breach scope. Customers should demand proof of remediation before renewing contracts. **Why this matters in the bigger cybersecurity landscape** This incident shatters the assumption that DDoS protection providers are inherently trustworthy. If a mitigation firm can be weaponized—whether by insiders, hackers, or rivals—the entire model of centralized DDoS defense is called into question. It also highlights the growing trend of "cyber civil wars" within countries, where local firms attack each other using sophisticated tools. For the global community, this is a wake-up call: the next big DDoS attack might come from the very company you hired to stop it.

A 24-year-old British hacker who climbed the ranks of one of the most feared cybercrime gangs has just pleaded guilty in a U.S. court. Tyler Robert Buchanan, known online as “Tylerb,” admitted to orchestrating a wave of text-message phishing attacks that ripped through major tech companies like Twilio, LastPass, and DoorDash. The result? Tens of millions of dollars in cryptocurrency stolen from investors—and a potential 22-year prison sentence hanging over his head. If you’ve ever used a password manager, ordered food delivery, or held crypto, this case hits close to home. It’s a stark reminder that the most dangerous hackers don’t always break in with code—they talk their way in.

**What exactly happened** Tyler Robert Buchanan, a senior member of the notorious cybercrime group “Scattered Spider,” pleaded guilty to wire fraud conspiracy and aggravated identity theft. The charges stem from a summer 2022 campaign where Buchanan and his crew launched tens of thousands of SMS-based phishing attacks. These weren’t random shots in the dark. They were carefully crafted messages targeting employees at some of the biggest names in tech: Twilio, LastPass, DoorDash, and Mailchimp. The goal? Trick help desk staff into handing over access keys to the kingdom. **Who is affected and how** The immediate victims were the tech companies themselves—but the damage didn’t stop there. Once inside, Scattered Spider used stolen data to pull off SIM-swapping attacks. That’s when criminals transfer your phone number to a device they control, bypassing two-factor authentication and draining cryptocurrency wallets. Individual investors lost tens of millions of dollars. And if you’re a customer of any of those breached companies, your personal data may have been exposed, putting you at risk for future targeted attacks. **The real-world impact and consequences** Buchanan now faces up to 22 years in federal prison, with sentencing set for August 2026. But here’s the twist: his age, lack of prior criminal record, time already served, and cooperation with authorities could significantly reduce that number. Still, the message is clear. The U.S. Justice Department is hunting down international cybercriminals, and even a leaderboard-topping hacker from Scotland isn’t safe. “Tylerb” once sat at #24 on a ranking of the most accomplished English-speaking cyber thieves. Now he’s sitting in a U.S. cell. **Technical breakdown (the “how” explained simply)** Scattered Spider’s specialty is social engineering—tricking people, not systems. In this case, they used SMS phishing (or “smishing”) to impersonate legitimate employees or contractors. They’d call or text the IT help desk, claiming they’d lost access to their account. With just a few convincing details, they’d convince a well-meaning support agent to reset credentials or approve a new device. Once inside, they moved laterally, stole data, and launched SIM swaps to drain crypto accounts. No fancy zero-days needed—just a phone and a smooth script. **What should be done — mitigation and recommendations** For companies: train your help desk to verify identity through multiple channels. Never trust a single phone call or text. Implement hardware security keys for critical access, and use “break glass” procedures for sensitive account changes. For individuals: avoid using SMS-based two-factor authentication. Switch to authenticator apps or hardware tokens. Be skeptical of unexpected texts, even if they appear to come from a trusted service. And if you hold crypto, consider cold storage for large amounts. **Why this matters in the bigger cybersecurity landscape** The Buchanan case is a watershed moment. It proves that law enforcement can and will pursue cybercriminals across borders. But it also highlights a growing threat: English-speaking cybercrime groups like Scattered Spider are becoming more organized, more brazen, and more effective. They don’t need to be code geniuses. They just need to be good at lying. And as long as human trust remains the weakest link in security, these attacks will keep working. The real takeaway? Your company’s strongest firewall is a skeptical help desk.

Russian military hackers just pulled off a heist so quiet it didn't even need malware. They weaponized old, forgotten routers to steal Microsoft Office authentication tokens from over 200 organizations and 5,000 consumer devices. This isn't just a breach. It's a blueprint for how state actors can turn unsupported hardware into a massive, invisible spy network. If you or your organization uses an old router, you could be the unwitting gateway for the next attack.

**What exactly happened** A Russia-linked hacking group known as Forest Blizzard, APT28, or Fancy Bear exploited known flaws in aging Internet routers to mass-harvest Microsoft Office authentication tokens. Microsoft confirmed the campaign hit over 200 organizations and 5,000 consumer devices. The hackers didn't deploy any malicious software. They simply used the routers' existing vulnerabilities to intercept and steal login credentials. **Who is affected and how** The primary targets were government agencies, including ministries of foreign affairs and law enforcement. But the attack also ensnared third-party email providers and ordinary consumers. At its peak in December 2025, the surveillance net captured more than 18,000 routers—mostly unsupported, end-of-life devices or those far behind on security updates. Anyone using an outdated router on a network with Microsoft Office users was at risk. **The real-world impact and consequences** This campaign gave Russian intelligence a quiet backdoor into sensitive communications. Stolen authentication tokens can be used to impersonate legitimate users, access emails, and pivot to deeper network infiltration. The attack echoes Fancy Bear's 2016 playbook against the Democratic National Committee, but with a lower technical footprint. The real danger is that victims may never know their tokens were stolen, since no malware was left behind. **Technical breakdown** Forest Blizzard targeted routers running outdated firmware with known vulnerabilities. These flaws allowed the hackers to intercept network traffic and capture authentication tokens—digital keys that prove a user's identity to Microsoft Office services. Once stolen, the tokens could be reused to access accounts without needing passwords or triggering security alerts. The hackers didn't need to install anything on the routers or the victims' devices. They simply exploited what was already broken. **What should be done** Organizations must inventory their network hardware and replace any end-of-life routers immediately. Enable multi-factor authentication (MFA) for all Microsoft Office accounts to reduce the value of stolen tokens. Monitor for unusual authentication patterns, such as logins from unexpected locations. For consumers, check your router's manufacturer support page and update firmware or replace the device if it's no longer receiving security patches. **Why this matters** This attack highlights a growing trend: state actors exploiting neglected infrastructure rather than deploying complex malware. The FCC's recent policy requiring new routers to be "Made in the USA" may not help, as experts note few consumer-grade routers meet that standard. The real solution is vigilance. As hardware ages, it becomes a liability. Forest Blizzard just showed how easily that liability can become a weapon.

Think fuzzing is just about throwing random data at software until something breaks? Think again. A veteran security researcher just pulled back the curtain on mutational grammar fuzzing — revealing why even this "smart" approach has hidden blind spots that could leave critical bugs undiscovered. If you're relying on fuzzing to harden your software, this matters more than you'd expect.

**What exactly happened** A seasoned bug hunter took a hard look at mutational grammar fuzzing — a technique where the fuzzer understands the structure of valid inputs and mutates them while preserving that structure. Think of it as a chef who knows the recipe but keeps tweaking the ingredients. The researcher, who has used this method to find bugs in browser XSLT implementations and even JIT engines, decided to publicly dissect its flaws. This isn't about a specific vulnerability — it's about a systemic weakness in how we approach automated testing. **Who is affected and how** Anyone building or maintaining software that relies on structured input — parsers, compilers, interpreters, or data processors — should pay attention. That includes web browsers, document readers, programming language runtimes, and XML/JSON processors. The hidden cost? Teams might believe their fuzzing coverage is solid when, in reality, they're missing entire classes of bugs. The researcher's findings suggest that default fuzzing configurations could be leaving dangerous gaps. **The real-world impact and consequences** Here's the uncomfortable truth: more code coverage doesn't always mean more bugs found. The researcher observed that mutational grammar fuzzing tends to get "stuck" exploring small variations of the same sample structures. This creates a dangerous illusion of thorough testing. Your fuzzer might be hitting new code paths, but it's doing so by making tiny, predictable changes to inputs. The truly weird, boundary-pushing mutations that trigger catastrophic failures? Those get systematically ignored. **Technical breakdown — the "how" explained simply** Traditional mutational grammar fuzzing works like this: start with valid samples, mutate them while keeping the grammar intact, and save any sample that triggers new code coverage. The problem? The fuzzer becomes conservative. It favors small, safe mutations that maintain structure — but these rarely produce the bizarre edge cases where real bugs live. The researcher calls this "coverage tunnel vision." The fix they propose is elegantly simple: periodically inject completely fresh, randomly generated samples into the corpus, even if they don't immediately improve coverage. This breaks the fuzzer out of its rut and forces exploration of entirely new structural territories. **What should be done — mitigation and recommendations** First, don't trust your fuzzer's default settings blindly. The researcher found that tweaking mutation strategies based on the specific target yielded dramatically better results — including finding bugs in libxslt faster than with default configurations. Second, experiment with "novelty-driven" approaches. Consider replacing older samples with newer ones even when coverage doesn't change. This keeps the fuzzer from getting comfortable. Third, combine techniques. Use mutational grammar fuzzing for depth, but supplement it with random generation for breadth. The magic happens at the intersection. **Why this matters in the bigger cybersecurity landscape** Fuzzing has become the backbone of modern software security testing. From Google's OSS-Fuzz to Microsoft's Project OneFuzz, we're investing heavily in automated bug finding. But this research exposes a fundamental tension: our tools optimize for what's measurable (code coverage) rather than what matters (finding real bugs). As software grows more complex — with parsers handling everything from PDFs to programming languages — we can't afford to let our testing strategies stagnate. The takeaway is clear: the best fuzzing setup isn't the one that looks most impressive on a coverage dashboard. It's the one that actively fights its own blind spots.

A long-forgotten Windows API just turned out to be a backdoor for privilege escalation, and Microsoft only now patched it after years of quiet exploitation. The GetProcessHandleFromHwnd function, designed to grab a process handle from a window, was actually handing attackers a skeleton key to higher system access. If you’re running Windows 11 24H2 or earlier, your system was vulnerable to a UAC bypass that could let low-privilege code hijack elevated processes. The risk isn’t just theoretical—attackers have been using this API in the wild, specifically through the Quick Assist tool, to silently elevate their privileges. Anyone with standard user access on a vulnerable Windows system could potentially take control of admin-level processes, making this a critical threat for enterprise environments and power users alike.

**What exactly happened** The GetProcessHandleFromHwnd API, introduced years ago in Windows, was supposed to be a harmless convenience function. Its job was simple: given a window handle (HWND), return a process handle to the owning process. But security researchers discovered it was doing much more than advertised—it was opening processes directly in kernel mode, bypassing critical security checks. The real bombshell came when a researcher found this API being used in a UAC bypass exploit through the Quick Assist UI Access application. This wasn’t just a theoretical flaw—it was already weaponized in the wild, allowing attackers to silently elevate their privileges without triggering any user alerts. **Who is affected and how** Every Windows user running versions prior to Windows 11 24H2 is potentially at risk. The vulnerability specifically targets systems where standard users can run code—which is basically every Windows machine in existence. Attackers need only initial access as a low-privileged user to exploit this flaw. The attack vector is particularly insidious because it abuses legitimate Windows components. Quick Assist, a built-in remote assistance tool, was the primary vehicle for the exploit, but the underlying API vulnerability means any application with UI Access privileges could potentially be hijacked. **The real-world impact and consequences** This isn’t your average bug—it’s a privilege escalation goldmine. An attacker who successfully exploits this can gain the same access level as an administrator, effectively bypassing Windows’ entire security model. Once elevated, they can install malware, steal credentials, disable security software, and move laterally across networks. For enterprises, this means a single compromised workstation could become a gateway to the entire domain. The fact that this API was undocumented and poorly understood for years means many security tools never even looked for its abuse, leaving organizations blind to this attack vector. **Technical breakdown** The API’s documentation claimed it used Windows hooks to obtain process handles, but reverse engineering revealed a different story. In Windows 11, the function was implemented as a Win32k kernel call that directly opened processes—no hooks involved. This direct kernel access bypassed User Interface Privilege Isolation (UIPI) checks that normally prevent low-integrity processes from interacting with high-integrity ones. The critical flaw was that the kernel function forgot to check for protected processes. While Microsoft had implemented protections against duplicating handles from protected processes in user mode, the kernel-mode implementation skipped this check entirely. This allowed attackers to obtain full access handles to any process, including those running at higher integrity levels. **What should be done** The fix arrived in Windows 11 24H2, where Microsoft finally patched the kernel function to properly check for protected processes. But for systems still running older versions, the only mitigation is to apply the latest Windows updates or restrict the use of UI Access applications like Quick Assist. Organizations should also monitor for unusual process handle operations, particularly involving UI Access applications. Security teams should treat any unexpected elevation of privileges as a potential indicator of this exploit being used in the wild. **Why this matters** This vulnerability highlights a persistent problem in Windows security: legacy APIs that were designed before modern security models existed. The GetProcessHandleFromHwnd API was created in an era when UIPI and protected processes weren’t even concepts, and Microsoft’s attempts to retrofit security onto these old functions have clearly failed. The fact that this flaw went unnoticed for years, despite being actively exploited, underscores the need for more rigorous security reviews of Windows’ internal APIs. As attackers continue to find these hidden backdoors, the pressure mounts on Microsoft to either deprecate or fundamentally redesign these legacy functions. For now, this patch in 24H2 is a step in the right direction, but it’s a reminder that Windows’ security is only as strong as its oldest, least-understood components.