Europol and partners dismantle Tycoon 2FA phishing service used to bypass MFA, disrupting a global phishing-as-a-service operation targeting organisations.
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
From design influences to software featuers to how the event was filmed, here’s how Apple left its mark at MWC 2026 without even trying.
Latest news – Read More
The Phone 4a series brings fun and thoughtful design, plus camera upgrades and seriously useful features, to Nothing’s lineup.
Latest news – Read More
If you don’t go searching for AI services, they’ll find you all the same. Every major tech company feels a moral obligation not just to develop an AI assistant, integrated chatbot, or autonomous agent, but to bake it into their existing mainstream products and forcibly activate it for tens of millions of users. Here are just a few examples from the last six months:
On the flip side, geeks have rushed to build their own “personal Jarvises” by renting VPS instances or hoarding Mac minis to run the OpenClaw AI agent. Unfortunately, OpenClaw’s security issues with default settings turned out to be so massive that it’s already been dubbed the biggest cybersecurity threat of 2026.
Beyond the sheer annoyance of having something shoved down your throat, this AI epidemic brings some very real practical risks and headaches. AI assistants hoover up every bit of data they can get their hands on, parsing the context of the websites you visit, analyzing your saved documents, reading through your chats, and so on. This gives AI companies an unprecedentedly intimate look into every user’s life.
A leak of this data during a cyberattack — whether from the AI provider’s servers or from the cache on your own machine — could be catastrophic. These assistants can see and cache everything you can, including data usually tucked behind multiple layers of security: banking info, medical diagnoses, private messages, and other sensitive intel. We took a deep dive into how this plays out when we broke down the issues with the AI-powered Copilot+ Recall system, which Microsoft also planned to force-feed to everyone. On top of that, AI can be a total resource hog, eating up RAM, GPU cycles, and storage, which often leads to a noticeable hit to system performance.
For those who want to sit out the AI storm and avoid these half-baked, rushed-to-market neural network assistants, we’ve put together a quick guide on how to kill the AI in popular apps and services.
Google’s AI assistant features in Mail and Docs are lumped together under the umbrella of “smart features”. In addition to the large language model, this includes various minor conveniences, like automatically adding meetings to your calendar when you receive an invite in Gmail. Unfortunately, it’s an all-or-nothing deal: you have to disable all of the “smart features” to get rid of the AI.
To do this, open Gmail, click the Settings (gear) icon, and then select See all settings. On the General tab, scroll down to Google Workspace smart features. Click Manage Workspace smart feature settings and toggle off two options: Smart features in Google Workspace and Smart features in other Google products. We also recommend unchecking the box next to Turn on smart features in Gmail, Chat, and Meet on the same general settings tab. You’ll need to restart your Google apps afterward (which usually happens automatically).
You can kill off AI Overviews in search results on both desktops and smartphones (including iPhones), and the fix is the same across the board. The simplest way to bypass the AI overview on a case-by-case basis is to append -ai to your search query — for example, how to make pizza -ai. Unfortunately, this method occasionally glitches, causing Google to abruptly claim it found absolutely nothing for your request.
If that happens, you can achieve the same result by switching the search results page to Web mode. To do this, select the Web filter immediately below the search bar — you’ll often find it tucked away under the More button.
A more radical solution is to jump ship to a different search engine entirely. For instance, DuckDuckGo not only tracks users less and shows little ads, but it also offers a dedicated AI-free search — just bookmark the search page at noai.duckduckgo.com.
Chrome currently has two types of AI features baked in. The first communicates with Google’s servers and handles things like the smart assistant, an autonomous browsing AI agent, and smart search. The second handles locally more utility-based tasks, such as identifying phishing pages or grouping browser tabs. The first group of settings is labeled AI mode, while the second contains the term Gemini Nano.
To disable them, type chrome://flags into the address bar and hit Enter. You’ll see a list of system flags and a search bar; type “AI” into that search bar. This will filter the massive list down to about a dozen AI features (and a few other settings where those letters just happen to appear in a longer word). The second search term you’ll need in this window is “Gemini“.
After reviewing the options, you can disable the unwanted AI features — or just turn them all off — but the bare minimum should include:
Set all of these to Disabled.
While Firefox doesn’t have its own built-in chatbots and hasn’t (yet) tried to force upon users agent-based features, the browser does come equipped with smart-tab grouping, a sidebar for chatbots, and a few other perks. Generally, AI in Firefox is much less “in your face” than in Chrome or Edge. But if you still want to pull the plug, you’ve two ways to do it.
The first method is available in recent Firefox releases — starting with version 148, a dedicated AI Controls section appeared in the browser settings, though the controls are currently a bit sparse. You can use a single toggle to completely Block AI enhancements, shutting down AI features entirely. You can also specify whether you want to use On-device AI by downloading small local models (currently just for translations) and configure AI chatbot providers in sidebar, choosing between Anthropic Claude, ChatGPT, Copilot, Google Gemini, and Le Chat Mistral.
The second path — for older versions of Firefox — requires a trip into the hidden system settings. Type about:config into the address bar, hit Enter, and click the button to confirm that you accept the risk of poking around under the hood.
A massive list of settings will appear along with a search bar. Type “ML” to filter for settings related to machine learning.
To disable AI in Firefox, toggle the browser.ml.enabled setting to false. This should disable all AI features across the board, but community forums suggest this isn’t always enough to do the trick. For a scorched-earth approach, set the following parameters to false (or selectively keep only what you need):
This will kill off chatbot integrations, AI-generated link descriptions, assistants and extensions, local translation of websites, tab grouping, and other AI-driven features.
Microsoft has managed to bake AI into almost every single one of its products, and turning it off is often no easy task — especially since the AI sometimes has a habit of resurrecting itself without your involvement.
Microsoft’s browser is packed with AI features, ranging from Copilot to automated search. To shut them down, follow the same logic as with Chrome: type edge://flags into the Edge address bar, hit Enter, then type “AI” or “Copilot” into the search box. From there, you can toggle off the unwanted AI features, such as:
Another way to ditch Copilot is to enter edge://settings/appearance/copilotAndSidebar into the address bar. Here, you can customize the look of the Copilot sidebar and tweak personalization options for results and notifications. Don’t forget to peek into the Copilot section under App-specific settings — you’ll find some additional controls tucked away there.
Microsoft Copilot comes in two flavors: as a component of Windows (Microsoft Copilot), and as part of the Office suite (Microsoft 365 Copilot). Their functions are similar, but you’ll have to disable one or both depending on exactly what the Redmond engineers decided to shove onto your machine.
The simplest thing you can do is just uninstall the app entirely. Right-click the Copilot entry in the Start menu and select Uninstall. If that option isn’t there, head over to your installed apps list (Start → Settings → Apps) and uninstall Copilot from there.
In certain builds of Windows 11, Copilot is baked directly into the OS, so a simple uninstall might not work. In that case, you can toggle it off via the settings: Start → Settings → Personalization → Taskbar → turn off Copilot.
If you ever have a change of heart, you can always reinstall Copilot from the Microsoft Store.
It’s worth noting that many users have complained about Copilot automatically reinstalling itself, so you might want to do a weekly check for a couple of months to make sure it hasn’t staged a comeback. For those who are comfortable tinkering with the System Registry (and understand the consequences), you can follow this detailed guide to prevent Copilot’s silent resurrection by disabling the SilentInstalledAppsEnabled flag and adding/enabling the TurnOffWindowsCopilot parameter.
The Microsoft Recall feature, first introduced in 2024, works by constantly taking screenshots of your computer screen and having a neural network analyze them. All that extracted information is dumped into a database, which you can then search using an AI assistant. We’ve previously written in detail about the massive security risks Microsoft Recall poses.
Under pressure from cybersecurity experts, Microsoft was forced to push the launch of this feature from 2024 to 2025, significantly beefing up the protection of the stored data. However, the core of Recall remains the same: your computer still remembers your every move by constantly snapping screenshots and OCR-ing the content. And while the feature is no longer enabled by default, it’s absolutely worth checking to make sure it hasn’t been activated on your machine.
To check, head to the settings: Start → Settings → Privacy & Security → Recall & snapshots. Ensure the Save snapshots toggle is turned off, and click Delete snapshots to wipe any previously collected data, just in case.
You can also check out our detailed guide on how to disable and completely remove Microsoft Recall.
AI has seeped into every corner of Windows, even into File Explorer and Notepad. You might even trigger AI features just by accidentally highlighting text in an app — a feature Microsoft calls “AI Actions”. To shut this down, head to Start → Settings → Privacy & Security → Click to do.
Notepad has received its own special Copilot treatment, so you’ll need to disable AI there separately. Open the Notepad settings, find the AI features section, and toggle Copilot off.
Finally, Microsoft has even managed to bake Copilot into Paint. Unfortunately, as of right now, there is no official way to disable the AI features within the Paint app itself.
In several regions, WhatsApp users have started seeing typical AI additions like suggested replies, AI message summaries, and a brand-new Chat with Meta AI button. While Meta claims the first two features process data locally on your device and don’t ship your chats off to their servers, verifying that is no small feat. Luckily, turning them off is straightforward.
To disable Suggested Replies, go to Settings → Chats → Suggestions & smart replies and toggle off Suggested replies. You can also kill off AI Sticker suggestions in that same menu. As for the AI message summaries, those are managed in a different location: Settings → Notifications → AI message summaries.
Given the sheer variety of manufacturers and Android flavors, there’s no one-size-fits-all instruction manual for every single phone. Today, we’ll focus on killing off Google’s AI services — but if you’re using a device from Samsung, Xiaomi, or others, don’t forget to check your specific manufacturer’s AI settings. Just a heads-up: fully scrubbing every trace of AI might be a tall order — if it’s even possible at all.
In Google Messages, the AI features are tucked away in the settings: tap your account picture, select Messages settings, then Gemini in Messages, and toggle the assistant off.
Broadly speaking, the Gemini chatbot is a standalone app that you can uninstall by heading to your phone’s settings and selecting Apps. However, given Google’s master plan to replace the long-standing Google Assistant with Gemini, uninstalling it might become difficult — or even impossible — down the road.
If you can’t completely uninstall Gemini, head into the app to kill its features manually. Tap your profile icon, select Gemini Apps activity, and then choose Turn off or Turn off and delete activity. Next, tap the profile icon again and go to the Connected Apps setting (it may be hiding under the Personal Intelligence setting). From here, you should disable all the apps where you don’t want Gemini poking its nose in.
Apple’s platform-level AI features, collectively known as Apple Intelligence, are refreshingly straightforward to disable. In your settings — on desktops, smartphones, and tablets alike — simply look for the section labeled Apple Intelligence & Siri. By the way, depending on your region and the language you’ve selected for your OS and Siri, Apple Intelligence might not even be available to you yet.
Other posts to help you tune the AI tools on your devices:
Kaspersky official blog – Read More
In early February 2026, Cyble Research & Intelligence Labs (CRIL) identified a new Linux malware strain delivered through a loader structure previously associated with ShadowHS activity. While ShadowHS samples deployed post-exploitation tooling, the newly observed payload is operationally different. We have named it ClipXDaemon, an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments.
At the time of this writing, there is no evidence that ShadowHS and ClipXDaemon originate from the same malware author or campaign. The structural overlap in the loader stems from the use of bincrypter, an open-source shell-script encryption framework hosted on GitHub. Both campaigns appear to have leveraged this public tool independently.
ClipXDaemon differs fundamentally from traditional Linux malware. It contains no command-and-control (C2) logic, performs no beaconing, and requires no remote tasking. Instead, it monetizes victims directly by hijacking cryptocurrency wallet addresses copied in X11 sessions and replacing them in real time with attacker-controlled addresses.
It employs stealth techniques, including process masquerading and Wayland session avoidance, in which the attack chain operates entirely locally, without network communication, infrastructure, or operator interaction after execution, making detection and response significantly more challenging.
The campaign is particularly relevant now, given the growing adoption of Linux among developers, traders, and crypto users, many of whom rely on X11-based GUI environments. This represents an evolution in Linux financial malware: autonomous, C2-less, stealthy, and user-focused.
The ShadowHS malware family, documented in January 2026, used encrypted shell loaders to execute an in-memory, weaponized hackshell payload targeting server environments and was associated with post-exploitation tooling.
ClipXDaemon reflects a strategic pivot. While the staging wrapper remains structurally similar, the delivered payload is entirely different: an autonomous cryptocurrency clipboard hijacker focused on Linux users.
Both ShadowHS samples and ClipXDaemon leverage the publicly available bincrypter framework to encrypt and wrap shell payloads. However, the reuse of a commodity open-source obfuscation tool does not constitute evidence of actor overlap. This indicates a broader trend where attackers are increasingly weaponizing legitimate open-source utilities to reduce development overhead.
This case illustrates several macro-level shifts in the threat landscape. Linux malware is becoming more specialized, targeting financial workflows directly rather than deploying general-purpose remote access tools.
Operational exposure is minimized by eliminating network communication entirely. Modular reuse of publicly available encryption wrappers allows rapid payload swapping without rebuilding infrastructure.
ClipXDaemon therefore represents both a tactical evolution in Linux clipboard hijacking and a strategic example of open-source tool weaponization in financially motivated campaigns.
Bincrypt Obfuscated Loader
The initial loader used in this campaign matches the structural output generated by bincrypter. The wrapper script stores an encrypted payload blob inline, base64-decodes it at runtime, strips non-printable characters, derives AES-256-CBC decryption parameters, decompresses via gzip, and executes the decrypted stage directly from memory. (See Figure 1)
The decryption stub, variable naming conventions (short uppercase variables such as P and S), OpenSSL invocation pattern, and execution via /proc/self/fd align with bincrypter-generated output. When replicated in a controlled environment using bincrypter, the structural characteristics match closely. (See Figure 2)
However, the presence of bincrypter does not imply shared authorship between ShadowHS and ClipXDaemon. Bincrypter is a public, open-source tool. Its reuse reflects convenience and operational efficiency rather than coordinated campaign lineage.
The same loader logic is retained across versions. Differences are confined to the embedded base64 password (P), the salt (S), the encrypted configuration blob (C), the payload offset (R), and the derived AES key.
| Component | ShadowHS loader | ClipXDaemon loader |
| P (base64) | U014VW9KeTh5SGhtSXR2QQo= | SXlFWndTTzBZclRmRzRTbgo= |
| Decoded Password | SMxUoJy8yHhmItvA | IyEZwSO0YrTfG4Sn |
| Salt (S) | 92KemmzRUsREnkdk | 96vN4N7cG87KIHzD |
| C (encrypted config) | S1A76XhLvaqIQ+7WsT+Euw== | MqxlKG3gEwF0BmQiV63bPQ== |
| R (offset) | 4817 | 7452 |
| Final AES key | 92KemmzRUsREnkdk-SMxUoJy8yHhmItvA | 96vN4N7cG87KIHzD-IyEZwSO0YrTfG4Sn |
This indicates that the loader functions as a reusable staging framework, with payloads swapped at build time rather than behavioral modification.
In-Memory Dropper Execution
Once the loader decrypts and decompresses an intermediate dropper, it does not write the script to disk. Instead, it executes it directly through a file descriptor under /proc/self/fd. This avoids static inspection of the decrypted stage and minimizes disk artifacts.
Upon execution, the decrypted dropper writes a message to STDOUT for purely cosmetic purposes, thereby disguising itself as legitimate software. (See Figure 3)
Subsequently, it contains an embedded base64-encoded ELF binary, which is decoded & written to a file with a randomized name (between eight and nineteen characters, with a numeric suffix). (See Figure 4)
The ELF binary is dropped at ~/.local/bin/<random_name>. The path selection is deliberate, considering that it resides in userland, requires no elevated privileges, and allows blending with legitimate user-installed binaries. (See Figure 5)
Persistence
After writing the file, the dropper marks it executable, launches it in the background, and appends an execution line to ~/.profile. (See Figure 6)
By modifying ~/.profile, the implant ensures it is executed during future interactive login sessions. This is a user-level persistence mechanism that does not require cron jobs, systemd services, or root access. This indicates that the targeting profile is more consistent with Linux environments than with servers.
Payload Architecture: X11-Dependent Design
The deployed ELF binary is a 64-bit Linux executable dynamically linked against X11 libraries. At the time of writing, it goes undetected by security vendors on VirusTotal. (See Figure 7)
Execution begins with a simple environmental gate: the program checks whether the WAYLAND_DISPLAY environment variable is present.
This is done because Wayland’s design prevents global clipboard scraping as X11 allows. By explicitly disabling itself in Wayland sessions, it avoids runtime failure and reduces noise. This indicates that the implant is designed specifically for X11. This environmental awareness indicates familiarity with modern Linux architecture. (See Figure 8)
Daemonization and Process Masquerading
After passing the environment check, the payload performs a double-fork daemonization sequence. It detaches from the controlling terminal, creates a new session, forks again, closes standard file descriptors, changes the working directory to root, and resets the file mode mask. (See Figure 9)
Immediately afterward, it calls prctl(PR_SET_NAME, …), altering its process name to resemble a kernel worker thread — specifically mimicking kworker/0:2-events. It also modifies argv[0] to reinforce this disguise. (See Figure 10)
This technique is designed to reduce suspicion during casual inspection with tools such as ps or top, as kernel worker names are familiar to Linux administrators and are often ignored.
This technique is not intended to defeat forensic examination; rather, it aims at camouflage rather than perfect stealth.
Clipboard Monitoring Loop
Once daemonized, the implant connects to the X server using standard X11 APIs. If a display connection cannot be established, execution halts. If successful, the program enters a continuous polling loop that iterates every 200 milliseconds, retrieving the contents of the CLIPBOARD selection. (See Figure 11)
Clipboard retrieval is implemented using the native X11 selection protocol rather than a shortcut API. The malware resolves the “CLIPBOARD” and “UTF8_STRING” atoms, creates a hidden 1×1 window, and calls XConvertSelection to request clipboard data in UTF-8 format. It then blocks on SelectionNotify events via XNextEvent until the clipboard owner responds.
Once delivered, the data is extracted with XGetWindowProperty, duplicated into process memory, and the temporary window is destroyed. This ensures clean, synchronous acquisition of human-readable clipboard text without visible UI artifacts. (See Figure 12)
The retrieved text is evaluated against a set of regular expressions corresponding to cryptocurrency wallet formats. If a match is detected, the malware transitions from passive monitoring to active hijacking. It claims clipboard ownership using XSetSelectionOwner, again through a hidden window, and waits for SelectionRequest events.
When a paste operation occurs, the implant responds by supplying the attacker-controlled wallet address via XChangeProperty and XSendEvent, gracefully completing the X11 selection handshake. (See Figure 13)
The 200ms polling interval balances responsiveness and resource invisibility. Replacement occurs fast enough to precede typical paste actions while maintaining low CPU usage. The implant does not intercept keystrokes or monitor network traffic; it simply abuses X11’s trust model — reading clipboard contents, matching wallet patterns, and serving malicious replacements at paste time.
Configuration Protection Using ChaCha20
Wallet regex patterns and replacement addresses are not stored in plaintext. They are encrypted in binary using a ChaCha20 stream cipher with a static 256-bit key and a counter. This avoids revealing configuration buffers during static analysis.
At runtime, a static 256-bit key and counter are used to decrypt configuration buffers in memory. Only after decryption are the regular expressions compiled and replacement wallet addresses stored in memory. (See Figure 14)
This prevents trivial extraction using static string analysis but does not protect communications, as no command-and-control channel exists. The cryptographic implementation is functional rather than advanced. It is sufficient to defeat naive inspection but offers limited resistance to dynamic analysis.
Cryptocurrency Targeting
Dynamic instrumentation revealed that the payload matches multiple cryptocurrency wallet formats. Below is an example showing a Monero address match (See Figure 15)
Below are the regex being matched (extracted post-decryption) :
Ethereum: “^0x[0-9a-fA-F]{40}$”
Monero: “^[4][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$”
Bitcoin: “^(bc1|[13])[a-km-zA-HJ-NP-Z1-9]{25,34}$”
Dogecoin: “^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$”
TON: “^(EQ|UQ)[A-Za-z0-9_-]{46}$”
Litecoin: “^([LM3]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}||ltc1[a-z0-9]{39,59})$”
Ripple: “^r[1-9A-HJ-NP-Za-km-z]{25,34}$”
Tron: “^T[A-Za-z1-9]{33}$”
The implant operates entirely offline, with encrypted replacement addresses hardcoded and static. Upon detection, the clipboard is overwritten with attacker wallet addresses embedded in the binary (in encrypted form). (See Figure 16)
Observed replacement wallets include:
| Cryptocurrency | Attacker Wallet Address |
| Ethereum | 0x502010513bf2d2B908A3C33DE5B65314831646e7 |
| Monero | 424bEKfpB6C9LkdfNmg61pMEnAitjde8YWFsCP1JXRYhfu4Tp5EdbUBjCYf9kRBYGzWoZqRYMhWfGAm1N5h6wSPg8bSrbB9 |
| Bitcoin | bc1qe8g2rgac5rssdf5jxcyytrs769359ltle3ekle |
| Dogecoin | DTkSZNdtYDGndq1kRv5Z2SuTxJZ2Ddacjk |
| TON | (monitored only – NO replacement found) |
| Litecoin | ltc1q7d2d39ur47rz7mca4ajzam2ep74ccdwvqre6ej |
| Ripple (XRP) | (monitored only – NO replacement found) |
| Tron | TBupDdRjUscZhsDWjSvuwdevnj8eBrE1htn |
Additional regex patterns indicate monitoring of TON and Ripple wallet formats, although replacement addresses were not observed for those assets.
Absence of Command-and-Control Infrastructure
No network communication was observed during analysis. The binary does not initiate DNS queries, HTTP requests, or socket connections and carries no embedded domains or IP addresses.
This C2-less architecture fundamentally alters the traditional malware kill chain. There is no beaconing stage, no tasking loop, no data exfiltration channel, and no infrastructure to dismantle. Monetization occurs directly at the endpoint when a victim pastes a manipulated wallet address and executes a cryptocurrency transaction.
This model reduces the attacker’s operational risk. Since there are no servers to seize, no traffic to sinkhole, and no indicators derived from network telemetry, the detection strategy must rely on host-based behavioral analysis rather than network security controls.
The campaign illustrates a growing trend: financially motivated malware that eliminates the need for infrastructure. Combined with the reuse of publicly available tools such as bincrypter for payload staging, this approach lowers development costs, accelerates deployment, and complicates attribution.
ClipXDaemon is therefore notable not only for its technical design but for what it represents — the increasing weaponization of open-source tooling and the emergence of autonomous, infrastructure-less financial malware targeting Linux users.
The analysis of ClipXDaemon reflects a meaningful shift in Linux malware tradecraft — not in the sophistication of exploitation, but in operational design. The threat eliminates the need for command-and-control infrastructure entirely, collapsing the traditional kill chain into a localized, self-contained monetization loop.
There are no external beacons, tasking servers, or data exfiltration channels. Revenue generation depends solely on clipboard interception and user transaction behavior.
While ClipXDaemon reuses the same loader framework previously observed in ShadowHS reporting, there is no evidence of convergence in attribution. The shared component – bincrypter- is an openly available obfuscation framework.
Its reuse highlights a broader trend in the threat landscape; adversaries increasingly operationalize legitimate open-source tooling to accelerate development cycles and standardize staging mechanisms. This modular reuse model lowers barriers to entry while complicating campaign clustering and attribution analysis.
ClipXDaemon’s strength lies in precision targeting, environmental awareness, and architectural minimalism. As Linux adoption grows within cryptocurrency and developer communities, financially motivated userland implants such as this are likely to increase in frequency.
Cyble’s Threat Intelligence Platforms continuously monitor emerging threats, attacker infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, brand and domain protection, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.
Our Recommendations
We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:
From a detection standpoint, this architectural choice significantly reduces conventional visibility. Network-based detections, domain-reputation feeds, and infrastructure takedown strategies are ineffective against implants that never communicate externally. Instead, detection must pivot toward behavioral telemetry within the endpoint. Given the absence of network indicators, defensive strategies must prioritize endpoint visibility and behavioral controls.
Harden Linux Environments
Monitor Userland Persistence
Detect Process Masquerading
Instrument X11 API Abuse
Implement Behavioral EDR Controls
User Awareness Controls
Organizations operating Linux environments in cryptocurrency-sensitive roles should consider clipboard manipulation threats as part of their baseline threat model.
| Tactic | Technique ID | Procedure |
| Execution | Command and Scripting Interpreter (T1059.004) | The initial loader runs via a shell wrapper generated with bincrypter, which decrypts and launches the embedded dropper. |
| Defense Evasion | Obfuscated Files or Information (T1027) | The loader uses AES-256-CBC encryption and gzip compression to conceal payload contents. The ELF configuration is further encrypted with ChaCha20. |
| Defense Evasion | Reflective Code Loading (T1620) | The intermediate dropper executes directly from /proc/self/fd, avoiding on-disk script artifacts. |
| Persistence | Shell Configuration Modification (T1547) | The dropper adds execution of the ELF payload to ~/.profile, enabling persistence upon user login. |
| Discovery | System Information Discovery (T1082) | The payload checks for the presence of Wayland (WAYLAND_DISPLAY) to determine whether execution is viable. |
| Defense Evasion | Masquerading (T1036) | The payload renames itself using prctl(PR_SET_NAME) to mimic kernel worker threads. |
| Credential Access / Collection | Clipboard Data (T1115) | The payload abuses X11 selection APIs to retrieve clipboard contents and monitor cryptocurrency wallet patterns. |
| Impact | Data Manipulation (T1565) | The malware modifies clipboard data in transit by replacing legitimate wallet addresses with attacker-controlled addresses. |
| Indicators | Indicator Type | Description |
| 87ab42a2a58479cf17e5ce1b2a2e8f915d539899993848e5db679c218f0e7287 | SHA-256 | Bincrypter loader script |
| 23099eea9c4f85ff62a4f43634d431bbed0bf6b039a3f228b1c047f1c2f0cd11 | SHA-256 | Dropper Script |
| b6bb28160532400eafad532842e4ba9add6d6bbba4f7e7c85e3dbb650369eb00 | SHA-256 | ClipXDaemon ELF binary |
| 0x502010513bf2d2B908A3C33DE5B65314831646e7 | Ethereum | Attacker Wallet Address |
| 424bEKfpB6C9LkdfNmg61pMEnAitjde8YWFsCP1JXRYhfu4Tp5EdbUBjCYf9kRBYGzWoZqRYMhWfGAm1N5h6wSPg8bSrbB9 | Monero | Attacker Wallet Address |
| bc1qe8g2rgac5rssdf5jxcyytrs769359ltle3ekle | Bitcoin | Attacker Wallet Address |
| DTkSZNdtYDGndq1kRv5Z2SuTxJZ2Ddacjk | Dogecoin | Attacker Wallet Address |
| ltc1q7d2d39ur47rz7mca4ajzam2ep74ccdwvqre6ej | Litecoin | Attacker Wallet Address |
| TBupDdRjUscZhsDWjSvuwdevnj8eBrE1ht | Tron | Attacker Wallet Address |
The post ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered via Bincrypter-Based Loader appeared first on Cyble.
Cyble – Read More
The PC vs. Mac debate might never be solved, but how does the ThinkPad compare to the MacBook?
Latest news – Read More
A suspected Iran-nexus threat actor has been attributed to a campaign targeting government officials in Iraq by impersonating the country’s Ministry of Foreign Affairs to deliver a set of never-before-seen malware.
Zscaler ThreatLabz, which observed the activity in January 2026, is tracking the cluster under the name Dust Specter. The attacks, which manifest in the form of two different
The Hacker News – Read More
UAT-9244 used dynamic-link library (DLL) side-loading to activate multiple stages of their infection chain. The actor executed “wsprint[.]exe”, a benign executable that loaded the malicious DLL-based loader “BugSplatRc64[.]dll”. The DLL reads a data file named “WSPrint[.]dll” from disk, decrypts its contents, and executes them in memory to activate TernDoor, the final payload.
TernDoor is a variant of CrowDoor, a backdoor deployed in recent intrusions linked to China-nexus APTs such as FamousSparrow and Earth Estries. CrowDoor is a variant of SparrowDoor, another backdoor attributed to FamousSparrow. CrowDoor has also been observed in previous Tropic Trooper intrusions, indicating a close operational relationship with FamousSparrow. Based on the overlap in tooling; tactics, techniques, and procedures (TTPs); and victimology, we assess with high confidence that UAT-9244 closely overlaps with FamousSparrow and Tropic Trooper.
Although UAT-9244 and Salt Typhoon both target telecommunications service providers, Talos has not been able to verify or establish a solid connection between the two clusters.
The DLL-based loader, “BugSplatRc64.dll”, will load the “WSPrint.dll” file from the current directory, which will be decoded using the key “qwiozpVngruhg123”.
The decoded shellcode is position-independent and decodes and decompresses the final payload. The final payload is the TernDoor implant.
The final shellcode consists of the TernDoor backdoor. TernDoor is a variant of CrowDoor, actively developed and used by UAT-9244 since at least November 2024. TernDoor deviates from CrowDoor in the following aspects:
The TernDoor infection chain is persisted on the system using either a scheduled task or the Registry Run key.
The scheduled task is named “WSPrint” and created using the command:
schtasks /create /tn WSPrint /tr "C:ProgramDataWSPrintWSPrint.exe" /ru "SYSTEM" /sc onstart /F
Furthermore, TernDoor modifies the following task-related registry keys to hide the task:
A Registry Run key may also be set to run the executable on user login:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun | Default = C:ProgramDataWSPrintWSPrint.exe
Unlike CrowDoor, TernDoor only supports one command line switch: “-u”, passed to WSPrint.exe. This is the switch for uninstalling the malware from the system and it deletes all malware files from the operating directory, as well as terminates malicious processes.
Like previous variants of CrowDoor, TernDoor also checks to ensure it has been injected into “msiexec[.]exe”. The implant decodes its configuration that can specify the following information:
TernDoor’s capabilities resemble those of previously disclosed CrowDoor samples:
The accompanying Windows driver, WSPrint.sys, is dropped to disk and then activated using a windows service:
The driver creates a device named “\Device\VMTool” and symbolically links it to “\DosDevices\VMTool”. It can terminate, suspend, or resume processes specified by TernDoor — likely a means of evasion.
All the C2 IP addresses discovered by Talos were associated with the following SSL certificate on port 443:
SSL_fingerprint_sha256= 0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8 SSL_fingerprint_SHA1= 2b170a6d90fceba72aba3c7bc5c40b9725f43788 Data: Version: V3 Serial Number: 1 Thumbprint: 2b170a6d90fceba72aba3c7bc5c40b9725f43788 Signature Algorithm: Issuer: C=US ST=Some-State O=Internet Widgits Pty Ltd CN=8.8.8.8 Validity Not Before: 2022-09-04 12:54:51 Not After: 2023-09-04 12:54:51 Subject: C=US ST=Some-State O=Internet Widgits Pty Ltd CN=8.8.8.8
Pivoting off this certificate, Talos found an additional 18 IPs likely being used by UAT-9244. This list is provided in the indicators of compromise (IOCs) section.
One of the DLL-based loaders was also hosted on the IP “212.11.64[.]105”. On this server, we discovered a set of shell scripts and an accompanying malware family we track as “PeerTime.”
PeerTime is an ELF based backdoor that is compiled for a variety of architectures such as ARM, AARCH, PPC, MIPS etc., indicating that UAT-9244 can use it to infect a variety of embedded systems.
PeerTime is deployed through a shellscript that downloads the PeerTime loader ELF binary and an instrumentor binary.
The instrumentor ELF binary will check for the presence of docker on the compromised host using the commands docker and docker –q.
If docker is found, then the PeerTime loader is executed using:
docker <path_of_PeerTime_loader_ELF>
The instrumentor consists of debug strings in Simplified Chinese, indicating that it is a custom binary created and deployed by Chinese-speaking threat actors:
获取当前程序路径错误: //Error retrieving current program path: 删除当前程序错误: // Error deleting current program:
PeerTime consists of a loader that will decrypt and decompress the final PeerTime ELF payload and run it in memory. The PeerTime loader has the ability to rename its process to a benign process to evade detection.
PeerTime uses the BitTorrent protocol to obtain C2 information, download files from its peers, and execute them on the infected host. The payloads are written to disk and copied to the specified locations using BusyBox. As of now, PeerTime consists of two versions: one written in C/C++ and a newer version written in Rust.
PeerTime is also known as “angrypeer” and can be tracked in VirusTotal using the “malware_config:angrypeer” query. Malware configurations in VirusTotal are identified using Mandiant’s/GTIG’s Backscatter tool.
Infrastructure used by UAT-9244 also hosts another set of shell scripts and payloads designed to establish compromised Linux based systems including edge devices as operational relay boxes (ORBs) that scan and brute force Tomcat, Postgres, and SSH servers.
The shell script will download two components:
The instrumentor binary is an ELF file written in GoLang. It checks if the BruteEntry is already running on the system using “pgrep”:
pgrep <path_to_BruteEntry>
And then starts the brute forcer agent:
./<path_to_BruteEntry>
BruteEntry is also written in GoLang and begins by registering with the C2 server by providing it with the infected system’s IP address and computer name:
{“ip”:“value”, “hostname”:“value”}
The C2 responds with a JSON that assigns an agent_id to the infected host:
{“agent_id”:“value”, “server”:“value”}
where “server” = version string of BruteEntry such as “brute-force-server-v1.0”
BruteEntry will then ask the C2 for tasks to perform by sending a GET request to the C2 at the URI, where limit=1000 is the maximum number of vulnerable IPs to scan:
/tasks/<agent_id>?limit=1000
The C2 responds with a JSON that consists of “tasks” containing the list of IPs to brute force:
{"tasks":[
{"id":,"target":":","type":""},
{"id":,"target":":","type":""},
. . . . .
] }
The “type” field in the json defines the type of scan to conduct — either “tomcat”,“postgres”, or “ssh”.
The agent will then use a set of embedded credentials to attempt to brute force into either a Tomcat server application at the URL “https[://]<IP>:<Port>/manager/html”, or will brute force into a Postgres instance, either defined in the JSON (<IP><Port>) from the C2 or using the port 5432 if no port is specified.
Any successful logins are then POSTED back to the C2:
{"batch":[
{"task_id":<task_id>,"success":<true/false>,"note":" <notes on the task>"},
{"task_id":<task_id>,"success":<true/false>,"note":" <notes on the task>"},
......
]}
In this instance, “success” indicates if the brute force was successful (true or false), and “notes” provides specific information on whether the brute force was successful. If the login failed, the note reads “All credentials tried.” If it succeeded, the note reads “Cracked by agent <agent_id> | Version <agent_version>”.
The following ClamAV signatures detect and block this threat:
The following SNORT® rules (SIDs) detect and block this threat: 65551
711d9427ee43bc2186b9124f31cba2db5f54ec9a0d56dc2948e1a4377bada289 3c098a687947938e36ab34b9f09a11ebd82d50089cbfe6e237d810faa729f8ff f36913607356a32ea106103387105c635fa923f8ed98ad0194b66ec79e379a02
A5e413456ce9fc60bb44d442b72546e9e4118a61894fbe4b5c56e4dfad6055e3 075b20a21ea6a0d2201a12a049f332ecc61348fc0ad3cfee038c6ad6aa44e744 1f5635a512a923e98a90cdc1b2fb988a2da78706e07e419dae9e1a54dd4d682b
2d2ca7d21310b14f5f5641bbf4a9ff4c3e566b1fbbd370034c6844cedc8f0538
154[.]205[.]154[.]82:443 207[.]148[.]121[.]95:443 207[.]148[.]120[.]52:443 212[.]11[.]64[.]105
149[.]28[.]25[.]33 154[.]205[.]154[.]194 154[.]205[.]154[.]65 154[.]205[.]154[.]70 154[.]223[.]21[.]130 154[.]223[.]21[.]194 158[.]247[.]238[.]240 216[.]238[.]112[.]222 216[.]238[.]123[.]242 216[.]238[.]94[.]37 38[.]54[.]125[.]134 38[.]60[.]199[.]34 45[.]32[.]106[.]94 45[.]77[.]34[.]194 45[.]77[.]41[.]141 47[.]76[.]100[.]159 64[.]190[.]113[.]170 64[.]95[.]10[.]253
ebcb2691b7c92cdf2b2ff5e2d753abeea8cb325c16596cd839e6bd147f80e38a 00735a8a50d2856c11150ef1e29c05acebce7ad3edad00e37c7f043aacb46330 74fbc8360d4c95d64d7acaa4d18943dce2d41f91d080b0b5e435d8bce52861a5 babc81fc9c998e9dc4ab545f0e112e34d2641e1333bc81aaa131abd061a5b604 e34c9159e6e78c59518a14c5b96bddfee094b684f99d4f69b13371284a014e87 2c3f2261b00ea45e25eb4e9de2b7ff8e41f311c0b3d986461f834022c08b3b99 3fcced9332301ff70b20c98c9434c858400013d659afa6bb5149cffb0206357d a313f76fca50fff1bcd6f2c6cbc1268985f8c0a3a05fe7f43c4fc0ac3aff84dc 03eac9eb7f4b4bc494ef0496ee23cabbf38f883896838ed813741d8f64ac9fde 17652d7bb5fe0454023db4fc7f608df0dbe6af237be31258e16ba52f0e895e26 74d1a678bdc4bb9f33321e94e3bd1bc1740472ed734231fc46af720072ecb77e
c9fc2af30f769d856b88b3051f19fdb663b3e0a0916279df9bbcba93c6a110c9
34d64b3cd9430e85edefcb883973a086dd5de9917e05fabec89b1f4ab9627e91 1cedf01dd4b7e50181d0e781825c66957b862941395d77c8bd7705114f319c80 bfc35f12d00fa4b40c5fbce9e37d704e12a52262709bcbdf09f97890bc40cad5 f3e899789b56429f483e5096e1f473335024f1f763e2d428132338e30352b89e 6ec070457d1f6f239cb02c5e1576a3660cca98f3a07eec6e4e107f698d7fe555 15d937803f90c2b9e277ff94d3e98ff30015ecc7f4623a158e3c98861e5cb278 7b70cd956f082b1029d02b4cb7608893f2de7fa9c500d7d7febdd0f745ac3cb6 d78b3c6df8f3756a7e310cf7435fdba201dd03ec9f97420a0db683489a01a7c9 3fcadde4b414a18b2fed56c1ec59d97977123615fbbf411a1c78425445a6e71c 3d9fbfc2c056eac857ba54e5ed134aa45a4b8322ee9f9353ba32e5b2ca71b0e3 c9a42423ef08bd7f183915780d39530eba5e4e25968c51965ff8bb3026965a28 38eeaa4eaad72feb3f8e6993565fcc548d8e7bb93642590f00fa24aacc0e2862 56bead2933e91366e4a0d5761daf5b238a7f2c22e597664ef67b3ecae20ab326 6a2d23cc8746a83e9a3b974788fce0e414706b8e75ff390426dd7e10b19967b3 9a7225c17e4bad3ffe7f080530d36f4f8aca5c116b913caa91ab9b0cee85638e 870e791af14caaf395c56028176a9c3f4c1ff0318ef3112d57ecd3d4a1be2ef9
185[.]196[.]10[.]247 xtibh[.]com xcit76[.]com
bloopencil[.]net 185[.]196[.]10[.]38
1fcdd5a417db31e5e07d32cecfa69e53f0dce95b7130ad9c03b92249f001801d
66ce42258062e902bd7f9e90ad5453a901cfc424f0ea497c4d14f063f3acd329 d5eb979cb8a72706bfa591fa57d4ebf7d13cecdc9377b0192375e2f570f796df
66adeedfb739774fcc09aa7426c8fad29f8047ab4caee8040d07c0e84d011611 66bdce93de3b02cf9cdadad18ca1504ac83e379a752d51f60deae6dcbafe4e31
212[.]11[.]64[.]105 185[.]196[.]10[.]247
023467e236a95d5f0e62e26445d430d749c59312f66cf136e6e2c2d526c46ba1 f8066833e47814793d8c58743622b051070dac09cb010c323970c81b59260f84 06b23d84fd7afd525dfd7860ebd561dcdd72ccbeb51981d5d9a75acf068d0a2a
Cisco Talos Blog – Read More
The Taipei District Prosecutors Office initiated its investigation in October after Chen Zhi, the founder of the Prince Group, was indicted by U.S. prosecutors on money laundering charges.
The Record from Recorded Future News – Read More
The gravest AI-powered threat to your cybersecurity isn’t coming from external hackers. Review these strategic recommendations for handling the risks from within.
Latest news – Read More