Microsoft: April updates trigger BitLocker key prompts on some servers
Microsoft confirmed on Tuesday that some Windows Server 2025 devices will boot into BitLocker recovery after installing the April 2026 KB5082063 Windows security update.
Aggiornamenti Microsoft aprile 2026: corretta una zero-day in SharePoint già sfruttata
Il Patch Tuesday di aprile 2026 corregge 165 vulnerabilità tra cui una zero-day su SharePoint già attivamente sfruttata, l'exploit BlueHammer su Microsoft Defender rilasciato pubblicamente da un ricercatore scontento e una falla critica nel servizio IKE di Windows. Urgente l’updati dei propri sistemi
Microsoft fixes bug behind Windows Server 2025 automatic upgrades
Microsoft has finally fixed a known issue that was causing systems running Windows Server 2019 and 2022 to "unexpectedly" upgrade to Windows Server 2025.
Unpacking the Unpackable: Malformed APKs as an Anti-Analysis Technique
This article explores the most common malformation techniques in the wild and introduces Malfixer, a new open-source tool developed by Cleafy's TIR team to detect and repair malformed APKs, enabling more effective malware analysis and response.
The n8n n8mare: How threat actors are misusing AI workflow automation
Cisco Talos research has uncovered agentic AI workflow automation platform abuse in emails. Recently, we identified an increase in the number of emails that abuse n8n, one of these platforms, from as early as October 2025 through March 2026.
AgiBot, Unitree, UBTech e non solo: mentre negli Stati Uniti si attende l’arrivo di Optimus di Tesla, le società cinesi di robotica sono pronte a invadere il mercato, puntando soprattutto sulle applicazioni industriali
Il mercato delle interfacce cervello-computer (BCI) si condensa di concorrenti e si addensa di nubi. Uscite dai laboratori, queste interfacce si stanno guadagnando un’utilità pratica che pone interrogativi tecnici, etici e normativi
Microsoft adds Windows protections for malicious Remote Desktop files
Microsoft has introduced new Windows protections to defend against phishing attacks that abuse Remote Desktop connection (.rdp) files, adding warnings and disabling risky shared resources by default.
Crypto-exchange Kraken extorted by hackers after insider breach
The Kraken cryptocurrency exchange announced that a cybercrime group is trying to extort the company by threatening to release videos showing internal systems that host client data.
Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed "BlueHammer." Separately, Google Chrome fixed its…
Over 100 Chrome extensions in Web Store target users accounts and data
More than 100 malicious extensions in the official Chrome Web Store are attempting to steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud.
Chasing Phantoms: How a Multi-Stage Stealer Abuses Signed Binaries to…
Phantom Stealer is the latest variant to emerge from this ecosystem, leveraging phishing campaigns to deploy a multi-stage payload that harvests browser credentials, cryptocurrency wallet data, and Discord authentication tokens, then exfiltrates everything over attacker-controlled Telegram, Discord, or FTP channels. This research walks through the full infection chain, details the data harvesting techniques observed, and provides actionable detection guidance to help defenders identify and disrupt Phantom Stealer activity in their environments. Key Findings Multi-stage process chain: Phantom Stealer nests three layers of executables using process hollowing, complicating forensic analysis and detection. Infection Timeline & Analysis Researchers analyzed a sample of Phantom Stealer in the Binary Defense malware lab to outline the infection chain noted in recent campaigns. This is a significant evasion technique: by hollowing its own process and injecting into the newly created child, Phantom Stealer ensures the malicious code never runs in its original process context. The child process then dropped an additional copy of Phantom Stealer, resulting in a total of three nested files within the process chain. By launching a legitimate, Microsoft-signed copy of msedge.exe with specific command-line flags,including --no-sandbox and a temporary --user-data-dir, Phantom Stealer gains a trusted process context from which to conduct all subsequent data harvesting. Stage Technique Observable Data Source Persistence Scheduled task creation schtasks.exe /Create with "Updates\" naming convention; corresponding TaskCache registry writes Process creation logs, Registry monitoring Evasion Process hollowing Parent process spawning identical child with hollowed memory; three nested layers of the same payload EDR telemetry, Memory forensics Reconnaissance WMI system fingerprinting WMI queries for Win32_Processor and Win32_VideoController from non-standard parent processes WMI trace logs, Sysmon Event ID 1 Defense evasion Signed binary proxy execution msedge.exe launched with --no-sandbox flag and temporary --user-data-dir from a non-browser parent Process creation logs, Command-line auditing Credential access Browser credential harvesting cookie_exporter.exe spawned by injected msedge.exe; access to Login Data and Web Data SQLite files File access auditing, EDR telemetry Credential access Credential Manager enumeration Vault credential reads from injected msedge.exe process context Windows Vault/Credential logs Collection Keylogging WH_KEYBOARD_LL hook set from non-standard process API monitoring, EDR telemetry Discovery Public IP lookup HTTP GET to icanhazip[.]com or similar IP-echo services Network proxy logs, DNS monitoring Exfiltration C2 over web services Outbound HTTPS to api.telegram[.]org, Discord webhook URLs, or unexpected FTP connections Network traffic analysis, Firewall logs For actionable detection rules and threat hunting queries, check out the ARC Labs GitHub repository.
McGraw-Hill confirms data breach following extortion threat
Education company McGraw-Hill has confirmed in a statement to BleepingComputer that hackers exploited a Salesforce misconfiguration and accessed its internal data.
Windows 11 cumulative updates KB5083769 & KB5082052 released
Microsoft has released Windows 11 KB5083769 and KB5082052 cumulative updates for versions 25H2/24H2 and 23H2 to fix security vulnerabilities, bugs, and add new features.
Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto
A malicious Ledger Live app for macOS available from Apple's App Store has drained approximately $9.5 million in cryptocurrency from 50 victims in just a few days this month.
Fornitori rilevanti NIS: ecco le FAQ per una loro corretta individuazione
A conclusione dei lavori dell’ottavo tavolo tecnico NIS, l’ACN ha pubblicato la Determinazione 127437/2026 che aggiorna le modalità di utilizzo della piattaforma digitale NIS e, soprattutto, introduce l’obbligo di elencare i fornitori rilevanti NIS. Ecco tutto quello che c’è da sapere
Microsoft rolls out fast-track to reinstate Windows hardware dev accounts
Microsoft has rolled out a fast-track process to help developers regain access to accounts recently suspended from its Windows Hardware Program, following widespread complaints that they were locked out without warning.
Controlli di sicurezza granulari: proteggere e-mail e backup senza bloccare il business è un’arte
Effettuata la classificazione di dati e asset, è necessario definire requisiti di sicurezza specifici, identificare controlli appropriati e implementare tutto in modo coerente. Ecco le best practice per guidare l'implementazione pratica di controlli granulari e automatizzati