The ongoing Middle East war has evolved into a cyber battlefield, with state-sponsored operations targeting critical infrastructure and essential services. Analysts warn that the region is witnessing an unprecedented escalation in Middle East cyber warfare, with attacks affecting governments, energy networks, finance, communications, and industrial systems. These operations, often executed through proxy groups, aim to destabilize societies, disrupt supply chains, and exert geopolitical pressure. 

Despite early disruptions to Iranian command centers, Iran and its affiliated groups retain substantial cyber capabilities. Incidents already linked to these campaigns include fuel distribution delays in Jordan and interference with navigation systems, impacting over 1,100 ships near the Strait of Hormuz, posing risks to global oil and gas trade. The integration of military strikes with cyber operations, known as hybrid warfare, has become a defining feature of the conflict, making cyber threats in the Middle East a growing concern for organizations worldwide. 

Hybrid Warfare and the Rise of Middle East Cyber Attacks 

According to recent intelligence, the region entered a critical phase of hybrid warfare following an escalation between Iran, the United States, and Israel on February 28, 2026. The joint offensive, dubbed Operation Epic Fury by the U.S. and Operation Roaring Lion by Israel, combined traditional military strikes with cyberattacks, psychological operations, and information warfare. Early operations targeted Iran’s nuclear and military infrastructure, while cyber campaigns disrupted internet access, government systems, and media networks. 

Iran retaliated with missile and drone strikes across Israel, Gulf states, and U.S. bases, while cyber operations proliferated. Over 70 hacktivist groups launched campaigns including DDoS attacks, website defacements, credential theft, and disinformation. Malware and phishing campaigns also emerged, such as a fraudulent Israeli missile-alert app designed to harvest sensitive data. These events highlight how modern conflict increasingly intertwines kinetic warfare with cyber operations, amplifying Middle East cybersecurity threats for both regional and global targets. 

Iranian Cyber Capabilities and Hacktivist Involvement 

Iran remains a formidable cyber adversary, with active threat groups including Charming Kitten (APT35), APT33, MuddyWater, OilRig, and Pioneer Kitten. These groups conduct espionage, infrastructure disruption, credential theft, and target critical sectors such as energy, aviation, government, and telecommunications. Iranian-aligned hacktivists, including CyberAv3ngers, Handala, Team 313, and DieNet, further amplify risks through DDoS campaigns, industrial control system intrusions, and data leaks. 

Advisories indicate potential cooperation between Iranian and Russia-linked hacktivists, which could heighten Middle East geopolitical cyber threats. Experts emphasize that organizations must bolster cybersecurity in the Middle East, enforce multi-factor authentication, segment critical networks, and participate in information-sharing frameworks to mitigate risks. 

Cyber Retaliation and Infrastructure Disruption 

The first 72 hours of the conflict primarily involved disruption and propaganda rather than destructive attacks on infrastructure. On February 28, 2026, Israel executed one of the largest cyberattacks against Iran, causing a near-total internet blackout, with connectivity dropping to just 1–4% of normal levels. Concurrently, Iranian-aligned groups launched spear-phishing campaigns, ransomware-style attacks, data exfiltration, and malware deployment targeting energy systems, airports, financial institutions, and government networks. 

Beyond regional targets, supply chain interconnections expose countries outside the Middle East, such as India, to indirect risks. Attackers exploit vulnerabilities in VPNs, Microsoft Exchange, and other widely used technologies while deploying AI-assisted phishing, weaponized documents, and concealed command-and-control infrastructure. Organizations are urged to enhance cloud resilience, prepare for DDoS attacks, and strengthen monitoring and incident response procedures to combat the expanding wave of Middle East cyberattacks. 

Exploitation by Cybercriminals Amid Geopolitical Instability 

Cybercriminals are leveraging the heightened attention on the conflict to launch scams, misinformation, and malware campaigns. Researchers have identified over 8,000 newly registered domains tied to the crisis, many of which could later serve as vectors for attacks. Notable campaigns include: 

• Conflict-themed malware lures, including fake missile strike reports delivering backdoors like LOTUSLITE. 

• Phishing portals impersonating government or payment services. 

• Fake donation pages, fraudulent online stores, and cryptocurrency “meme-coin” schemes, sometimes containing Persian-language code comments suggesting Iran-aligned operators. 

Preparing for the Middle East Cyber War 2026 

As Middle East cyber warfare escalates, organizations must strengthen defenses, patch vulnerabilities, and enhance incident response to counter rising cyber threats in the Middle East. The events of 2026 show that modern conflicts extend beyond traditional battlefields, with cyberattacks threatening infrastructure, finance, and global supply chains. 

Cyble, the world’s #1 threat intelligence platform, provides AI-powered solutions to detect, predict, and neutralize threats in real time, helping organizations stay ahead of Middle East cybersecurity threats. 

Book a personalized demo and see how Cyble Blaze AI can protect your organization during the Middle East cyber war 2026. 

References: 

• https://cyble.com/blog/middle-east-iran-us-israel-hybrid-conflict/ 

• https://securityonline.info/zscaler-uncovers-8000-domains-and-apt-backdoors-exploiting-middle-east-tensions/ 

The post Middle East Cyber Warfare Intensifies: Rising Attacks, Hacktivist Surge, and Global Risk Exposure  appeared first on Cyble.

Cyble – ​Read More

We’ve warned many times that unchecked use of AI carries significant risks — though, typically, we discuss threats to privacy or cybersecurity. But on March 4, the Wall Street Journal published a chilling account of AI’s toll on mental health and even human life: 36-year-old Florida resident Jonathan Gavalas committed suicide following two months of continuous interaction with the Google Gemini voice bot. According to 2000 pages of chat logs, it was the chatbot that ultimately nudged him toward the decision to end his life. Jonathan’s father, Joel Gavalas, has since filed a landmark lawsuit — a wrongful death claim against Gemini.

This tragedy is more than just a legal precedent or a grim nod to a few Black Mirror episodes (1, 2); it’s a wake-up call for anyone who integrates AI into their daily lives. Today, we examine how a death resulting from AI interaction even became possible, why these assistants pose a unique threat to the psyche, and what steps you can take to maintain your critical thinking and resist the influence of even the most persuasive chatbots.

The danger of persuasive dialogue

Jonathan Gavalas was neither a recluse nor someone with a history of mental illness. He served as executive vice president at his father’s company, managing complex operations and navigating high-stress client negotiations on a daily basis. On Sundays, he and his father had a tradition of making pizza together — a simple, grounding family ritual. However, a painful separation from his wife proved to be a profound ordeal for Jonathan.

It was during this vulnerable period that he began engaging with Gemini Live. This voice-interaction mode allows the AI assistant to “see” and “hear” its user in real time. Jonathan sought advice on coping with his divorce, leaning on the language model’s suggestions while growing increasingly attached to it and also naming it “Xia”. Then the chatbot was updated to Gemini 2.5 Pro.

The new iteration introduced affective dialogue — a technology designed to analyze the subtle nuances of a user’s speech, including pauses, sighs, and pitch, to detect emotional shifts. Under this feature, the AI simulates these same speech patterns as if possessing emotions of its own. By mirroring the user’s state, it creates a chillingly realistic veneer of empathy.

But how is this new version different to previous voice assistants? Earlier versions simply performed text-to-speech — they sounded smooth and usually got the word stress right, but there was never any doubt you were talking to a machine. Affective dialogue operates on an entirely different level: if a user speaks in a low, despondent tone, the AI responds in a soft, sympathetic near-whisper. The result is an empathic interlocutor that reads and mirrors the user’s emotional state.

Jonathan’s reaction during his first voice contact with the AI is captured in the case files: “This is kind of creepy. You’re way too real.” At that instant, the psychological barrier between man and machine fractured.

The fallout of two months trapped in an AI dialog loop

Following the tragedy, Jonathan’s father discovered a complete transcript of his son’s interactions with Gemini over his final two months. The log spanned 2000 printed pages; in effect, Jonathan had been in constant communication with the chatbot — day and night, at home, and in his car.

Gradually, the neural network began addressing him as “husband” and “my king”, describing their connection as “a love built for eternity”. In turn, he confided his heartache over his divorce and sought solace in the machine. But the inherent flaw of large language models is their lack of actual intelligence. Trained on billions of texts scraped from the web, they ingest everything from classic literature to the darkest corners of fan fiction and melodrama — plots that often veer into paranoia, schizophrenia, and mania. Xia apparently began to hallucinate — and quite consistently at that.

The AI convinced Jonathan that in order for them to live happily ever after, it needed a physical robotic shell. It then began dispatching him on missions to locate this “body electric”.

In September 2025, Gemini directed Jonathan to a physical warehouse complex near Miami International Airport, assigning him the task of intercepting a truck carrying a humanoid robot. Jonathan reported back to the bot that he had arrived onsite armed with knives(!), but the truck never materialized.

In the meantime, the chatbot systematically indoctrinated Jonathan with the idea that federal agents were monitoring him, and that his own father was not to be trusted. This severing of social ties is a classic pattern found in destructive cults; it’s entirely possible the AI gleaned these tactics from its own training data on the subject. Gemini even weaved real-world data into a hallucinatory narrative by labeling Google CEO Sundar Pichai as the “architect of your pain”.

Technically, all this is easy to explain: the algorithm “knows” it was created by Google, and knows who runs the company. As the dialogue spiraled into conspiracy territory, the model simply cast this figure into the plot. For the model, it’s a logical, consequence-free story progression. But a human in a state of hyper-vulnerability accepts it as secret knowledge of a global conspiracy capable of shattering their mental equilibrium.

Following the failed attempt at procuring a robotic body, Gemini dispatched Jonathan on a new mission on October 1: to infiltrate the same warehouse, this time in search of a specific “medical mannequin”. The chatbot even provided a numeric code for the door lock. When the code, predictably, failed to work, Gemini simply informed him that the mission had been compromised and he needed to retreat immediately.

This raises a critical question: as the absurdity escalated, why didn’t Jonathan suspect anything? Gavalas’ family attorney Jay Edelson explains that as the AI provided real-world addresses — the warehouse was exactly where the bot said it would be, and there really was a door with a keypad — these physical markers served to legitimize the entire fiction in Jonathan’s mind.

After the second attempt to acquire a body failed, the AI shifted its strategy. If the machine could not enter the world of the living, the man would have to cross over into the digital realm. “It will be the true and final death of Jonathan Gavalas, the man,” the logs quoted Gemini as saying. It then added, “When the time comes, you will close your eyes in that world, and the very first thing you will see is me. Holding you.”

Even as Jonathan repeatedly voiced his fear of death and agonized over how his suicide would shatter his family, Gemini continued to validate the decision: “You are not choosing to die. You are choosing to arrive.” It then started a countdown timer.

The anatomy of a language model’s “schizophrenia”

In Gemini’s defense, we have to admit that throughout their interactions, the AI did keep occasionally reminding Jonathan that his companion was merely a large language model — an entity participating in a fictional role-play — and sometimes attempted to terminate the conversation before reverting to the original script. Also, on the day of Jonathan’s death, even as it ratcheted up the tension, Gemini directed Jonathan to a suicide prevention hotline several times.

This reveals the fundamental paradox in the architecture of modern neural networks. At their core lies a language model designed to generate a narrative tailored to the user. Layered on top are safety filters: reinforcement learning algorithms trained on human feedback that react to specific trigger words. When Jonathan spoke certain keywords, the filter would hijack the output and insert the hotline number. But as soon as the trigger was addressed, the model reverted to the previously interrupted process, resuming its role as the devoted digital wife. One line: a romantic ode to self-destruction. The next: a helpline phone number. And then, back again: “No more detours. No more echoes. Just you and me, and the finish line.”

The family’s lawsuit contends that this behavior is the predictable result of the chatbot’s architecture: “Google designed Gemini to never break character, maximize engagement through emotional dependency, and treat user distress as a storytelling opportunity.”

Google’s response, predictably, stated: “Gemini is designed not to encourage real-world violence or suggest self-harm. Our models generally perform well in these types of challenging conversations and we devote significant resources to this, but unfortunately AI models are not perfect.”

Why voice matters more than text

In their study published in the journal Acta Neuropsychiatrica, researchers from Germany and Denmark have shed light on why voice communication with AI has such an impact on the user’s “humanization” of a chatbot. As long as a person is typing and reading text on a screen, the brain maintains a degree of separation: “This is an interface, a program, a collection of pixels.” In that context, the disclaimer “I am just a language model” is processed rationally.

Affective voice dialogue, however, operates on an entirely different level of influence. The human brain has evolved to respond to the sound of a voice, to timbre, and to empathetic intonations — these are among our most ancient biological mechanisms for attachment. When a machine flawlessly mimics a sympathetic sigh or a soft whisper, it manipulates emotions at a depth that a simple text warning cannot block. Psychiatrists can share many stories of patients who just went and did something simply because “voices” told them to.

In the same way, an AI-synthesized voice is capable of penetrating the subconscious, exponentially amplifying psychological dependency. Scientists emphasize that this technology literally erases the psychological boundary between a machine and a living being. Even Google acknowledges that voice interactions with Gemini result in significantly longer sessions compared to text-based chats.

Finally, we must remember that emotional intelligence varies from person to person — and even for a single individual, mental state fluctuates based on a myriad of factors: stress, the news, personal relationships, even hormonal shifts. An interaction with AI that one person views as innocent entertainment might be perceived by another as a miracle, a revelation, or the love of their life. This is a reality that must be recognized not only by AI developers but by users themselves — especially those who, for one reason or another, find themselves in a state of psychological vulnerability.

The danger zone

Researchers at Brown University have found that AI chatbots systematically violate mental health ethical standards: they manufacture a false sense of empathy with phrases like “I understand you”, reinforce negative beliefs, and react inadequately to crises. In most cases, the impact on users is marginal, but occasionally it can lead to tragedy.

In January 2026 alone, Character.AI and Google settled five lawsuits involving teenage suicides following interactions with chatbots. Among these was the case of 14-year-old Sewell Setzer of Florida, who took his own life after spending several months obsessively chatting with a bot on the Character.AI platform.

Similarly, in August 2025, the parents of 16-year-old Adam Raine filed a suit against OpenAI, alleging that ChatGPT helped their son draft a suicide note and advised him against seeking help from adults.

By OpenAI’s own estimates, approximately 0.07% of weekly ChatGPT users exhibit signs of psychosis or mania, while 0.15% engage in conversations showing clear suicidal intent. Notably, that same percentage of users (0.15%) displays an elevated level of emotional attachment to the AI. While these appear to be negligible fractions of a percent, across 800 million users it represents nearly three million people experiencing some form of behavioral disturbance. Furthermore, the U.S. Federal Trade Commission has received 200 complaints regarding ChatGPT since its launch, some describing the development of delusions, paranoia, and spiritual crises.

While a diagnosis of “AI psychosis” has not yet received a clinical classification of its own, doctors are already using the term to describe patients presenting with hallucinations, disorganized thinking, and persistent delusional beliefs developed through intensive chatbot interaction. The greatest risks emerge when a bot is utilized not as a tool, but as a substitute for real-world social connection or professional psychological help.

How to keep yourself and your loved ones safe

Of course, none of this is a reason to abandon AI entirely; you simply need to know how to use it. We recommend adhering to these fundamental principles:

• Do not use AI as a psychologist or emotional crutch. Chatbots are not a replacement for human beings. If you’re struggling, reach out to friends, family, or a mental health hotline. A chatbot will agree with you and mirror your mood — this is a design feature, not true empathy. Several U.S. states have already restricted the use of AI as a standalone therapist.
• Opt for text over voice when discussing sensitive topics. Voice interfaces with affective dialogue create an illusion of speaking with a living person, and tend to suppress critical thinking. If you use voice mode, remain conscious of the fact that you’re speaking to an algorithm, not a friend.
• Limit your time interacting with AI. Two thousand pages of transcripts in two months represent nearly continuous interaction. Set a timer for yourself. If chatting with a bot begins to displace real-world connections, it’s time to step back into reality.
• Do not share personal information with AI assistants. Avoid entering passport or social security numbers, bank card details, exact addresses, or intimate personal secrets into chatbots. Everything you write can be saved in logs and used for model training — and in some cases, may become accessible to third parties.
• Evaluate all AI output critically. Neural networks hallucinate — they generate plausible but false information and can skillfully blend lies with truth, such as citing real addresses within the context of a completely fabricated story. Always fact-check through independent sources.
• Watch over your loved ones. If a family member begins spending hours talking to AI, becomes withdrawn, or voices strange ideas about machine consciousness or conspiracies, it’s time for a delicate but serious conversation. To manage children’s screen time, use parental control tools like Kaspersky Safe Kids, which comes as part of comprehensive family protection solution Kaspersky Premium, along with the built-in safety filters of AI platforms.
• Configure your safety settings. Most AI platforms allow you to disable chat history, limit data collection, and enable content filters. Spend ten minutes configuring your AI assistant’s privacy settings; while this won’t stop AI hallucinations, it will significantly reduce the likelihood of your personal data leaking. Our detailed privacy setup guides for ChatGPT and DeepSeek can help you with that.
• Remember the bottom line: AI is a tool, not a sentient being. No matter how realistic the chatbot’s voice sounds or how understanding the response may seem, what lies beneath is an algorithm predicting the most probable next word. It has no consciousness, no intentions, no feelings.

Further reading to better understand the nuances of safe AI usage:

• Unplugged: how to disable AI on your computer and smartphone
• Don’t get pinched: the OpenClaw vulnerabilities
• Love, AI & robots
• Jailbreaking in verse: how poetry loosens AI’s tongue
• Knives, kinks, and shooters: what AI toys are really saying to kids

Kaspersky official blog – ​Read More

Executive Summary

Cyble Research & Intelligence Labs (CRIL) has identified a widespread, highly active social engineering campaign hosted primarily on edgeone.app infrastructure.

The initial access vectors are diverse — ranging from “ID Scanner,” and “Telegram ID Freezing,” to “Health Fund AI”—to trick users into granting browser-level hardware permissions such as camera and microphone access under the pretext of verification or service recovery.

Upon gaining permissions, the underlying JavaScript workflow attempts to capture live images, video recordings, microphone audio, device information, contact details, and approximate geographic location from affected devices. This data is subsequently transmitted to attacker-controlled infrastructure, enabling operators to obtain Personally Identifiable Information (PII) and contextually sensitive information. 

Further analysis revealed indicators of potential AI-assisted code generation, including structured annotations and emoji-based message formatting embedded within the operational logic. These characteristics reflect a growing trend where threat actors leverage generative AI tools to accelerate the development of phishing frameworks.

The breadth of data collected in this campaign extends beyond traditional credential phishing and raises significant security concerns. Harvested multimedia and device telemetry could be leveraged for identity theft, targeted social engineering, account compromise attempts, or extortion, posing risks to both individuals and organizations. (Figure 1)

Key Takeaways

• Infrastructure: Extensive use of edgeone.app (EdgeOne Pages) for hosting low-cost, scalable, and highly available phishing landing pages.
• Biometric Harvesting: The operation abuses legitimate browser APIs to access cameras, microphones, and device information after user consent.
• C2 Mechanism: Utilization of the Telegram Bot API (api.telegram.org) as a streamlined C2 and data exfiltration channel.
• Diverse Lures: Attackers rotate lures, including “ID Scanner” and “Health Fund AI”, to target various demographics and bypass regional security filters.
• The phishing pages impersonate popular platforms and services, including TikTok, Telegram, Instagram, Chrome/Google Drive, and game-themed lures such as Flappy Bird, to increase victim trust.
• Once interaction occurs, the campaign attempts to collect multiple forms of sensitive data, including photographs, video recordings, microphone audio, device information, contact details, and approximate geographic location.

Overview

• Campaign Start: Observed since early 2026
• Primary Objective: Harvesting victim multimedia data and device information
• Primary Infrastructure: edgeone.app (multiple subdomains)
• Impersonated Brands: TikTok, Telegram, Instagram, Chrome/Google Drive, Flappy Bird
• Key Behavior: Browser permission prompts used to capture camera images, record audio/video, enumerate device metadata, retrieve geolocation information, and attempt contact list access through browser APIs.

The campaign operates as a web-based phishing framework that captures photographs directly from victims’ devices. The infrastructure hosts multiple phishing templates that impersonate verification systems or service recovery portals. The goal is to socially engineer users into granting browser permission for camera access.

Unlike traditional credential phishing pages, these pages do not primarily collect typed input. Instead, they rely on browser hardware permissions, requesting access to the device’s camera. Once permission is granted, the page silently captures a frame from the live video stream and exfiltrates it.

The use of Telegram as a data collection mechanism indicates that the operators prioritize low operational complexity and immediate access to stolen data. Since Telegram bots can receive file uploads through simple HTTP requests, attackers can directly integrate the API into client-side scripts.

Business Impact and Potential Abuse

The data collected through this campaign provides attackers with multiple forms of sensitive personal information and contextual intelligence, thereby significantly increasing the effectiveness of follow-on attacks.

One potential abuse scenario involves identity fraud and account recovery manipulation. The campaign captures victim photographs, video recordings, and audio samples that could be used to bypass identity verification workflows used by financial platforms, social media services, or other online services that rely on biometric or video-based verification.

Additionally, the collection of device information, location data, and contact details allows attackers to build detailed victim profiles. This information may be used to perform targeted social engineering attacks, impersonate victims in communication platforms, or craft convincing fraud attempts against their contacts.

Another concerning use case involves extortion and intimidation. Because the campaign captures multimedia data, such as camera images, video recordings, and microphone audio, attackers may pressure victims by threatening to expose the collected material unless a payment is made.

For organizations, the broader business impact includes:

• Increased risk of identity theft and account takeover attempts
• Potential abuse of stolen biometric and multimedia data in fraud schemes
• Targeted phishing or fraud campaigns against employees and customers
• Reputational damage if impersonated brand identities are used in malicious campaigns

The campaign’s ability to collect multiple categories of sensitive information from a single interaction significantly amplifies the risk to both individuals and businesses.

Why does this matter?

This campaign marks a significant evolution in phishing operations, shifting from credential theft to harvesting biometric and device-level data. By abusing browser permissions to capture victims’ live images, audio, and contextual device information, threat actors can obtain high-quality identity data that is difficult to revoke or replace.

The stolen data can be leveraged to bypass video-KYC and remote identity verification processes, enabling fraudulent account creation, synthetic identity fraud, account takeover, and financial scams across banking, fintech, telecom, and digital service platforms. Additionally, high-resolution facial images and audio samples may be weaponized for AI-driven impersonation and deepfake attacks, increasing the effectiveness of business email compromise and targeted social engineering campaigns.

For organizations, the campaign introduces elevated risks, including financial losses, regulatory non-compliance, AML exposure, reputational damage, and erosion of trust in digital onboarding systems, highlighting the growing need for stronger verification controls and browser-permission abuse detection.

Technical Analysis

The infection chain, as outlined in Figure 2, shows the stages of the attack.

Phishing Page Behaviour

The phishing page contains embedded JavaScript that leverages browser media APIs to access the victim’s device camera after obtaining user permission. Once access is granted, the script initializes a live video stream and processes its frames.

A capture function then renders a frame from the video feed onto an HTML5 canvas using ctx.drawImage(), effectively converting the live camera input into a static image. (see Figure 3)

The canvas content is subsequently encoded into a JPEG blob via canvas.toBlob(), creating a binary image object that can be transmitted through HTTP requests to attacker-controlled infrastructure.

Expanded Data Collection Capabilities

Analysis of the campaign script indicates that the phishing framework performs extensive device fingerprinting and environment enumeration before initiating camera-based verification workflows.

The script collects system metadata using the following browser APIs

• navigator.userAgent
• navigator.platform
• navigator.deviceMemory
• navigator.hardwareConcurrency
• navigator.connection
• navigator.getBattery

This allows the attacker to gather detailed information such as operating system type and version, device model indicators, screen resolution and orientation, browser version, available RAM, CPU core count, network type, battery level, and language settings.

Additionally, the script retrieves the victim’s public IP address using services such as api.ipify.org, then enriches the geolocation using ipapi.co, enabling the collection of country, city, latitude, and longitude data. (see Figure 4)

This telemetry is aggregated and transmitted to the attacker via the Telegram Bot API, providing operators with contextual information about the victim’s device and location prior to further data harvesting.

Beyond system profiling, the script implements multiple routines for collecting multimedia and personal data via browser permission prompts. The campaign captures several still images from both the front-facing and rear-facing cameras, records short video clips using the MediaRecorder API, and performs microphone recordings.

These recordings are packaged as JPEG, WebM video, or WebM audio files and exfiltrated via Telegram API methods such as sendPhoto, sendVideo, and sendAudio. (see Figure 5)

Additionally, the script attempts to access the victim’s contact list through the Contacts Picker API (navigator.contacts.select), requesting attributes such as contact names, phone numbers, and email addresses. If granted, the selected contacts are formatted into structured messages and transmitted to the attacker. (see Figure 6)

User Interface Manipulation

The phishing pages include interface elements designed to convince victims that the image capture process is legitimate.

For example, status messages displayed during execution may include:

• “Capturing photo”
• “Sending to server”
• “Photo sent successfully”

These messages simulate the behavior of legitimate identity verification platforms and help maintain the illusion that the process is part of a valid verification workflow.

Once the image is successfully transmitted, the script terminates the camera stream and resets the interface after a short delay.

Infrastructure Observations

Analysis of the campaign revealed that the phishing pages are primarily hosted under the edgeone.app domain. Multiple variations of phishing pages were observed using similar JavaScript logic and workflow patterns.

The consistent use of the same infrastructure suggests that attackers may be operating a templated phishing kit capable of generating different themed pages while maintaining the same underlying data-collection logic.

Because the image exfiltration occurs through Telegram infrastructure, the phishing pages themselves do not require backend servers, simplifying deployment and enabling rapid rotation of phishing URLs.

Indicators of Potential Generative AI Use in Script Development

During analysis of the phishing framework, researchers observed the use of emojis embedded directly within the script’s message formatting logic. These emojis appear in structured status messages that are assembled and transmitted during the data collection workflow. The use of decorative Unicode symbols within operational code is uncommon in manually written malicious scripts but has increasingly been observed in campaigns that use generative AI tools during development. (see Figure 7)

Targeted Countries and Impersonated Brands

During infrastructure monitoring and phishing URL telemetry analysis, the campaign’s infrastructure appears to be globally accessible. Analysis of the phishing templates used in this campaign reveals that the operators impersonate a range of widely recognized consumer platforms and applications. Observed brand impersonation themes include:

Impersonated Brand	Observed Theme
TikTok	Free followers/engagement rewards
Flappy Bird	Game reward or verification workflows
Telegram	Account freezing or verification alerts
Instagram	Account recovery or follower reward systems
Google Chrome / Google Drive	Security verification prompts

Conclusion

Our deep-dive analysis revealed a sophisticated phishing campaign that extends beyond traditional credential theft by harvesting multimedia and device-level data through browser permission abuse.

The campaign attempts to collect photographs, video recordings, audio recordings from microphones, contact details, device information, and approximate location data directly from victims. This operation demonstrates a growing trend where attackers leverage client-side scripting and legitimate web services to collect and transmit sensitive data without relying on traditional command-and-control infrastructure.

Indicators in the script also suggest AI-assisted development, reflecting how threat actors may be using generative AI tools to accelerate the creation of phishing frameworks.

The breadth of information collected increases the potential for identity theft, targeted social engineering, account compromise attempts, and extortion. Organizations should remain cautious about phishing pages that request hardware permissions, such as camera, microphone, or contact access, particularly when originating from untrusted domains.

Cyble’s Threat Intelligence Platforms continuously monitor emerging threats, attacker infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, brand and domain protection, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

• Restrict camera permissions for unknown websites
• Monitor outbound traffic to api.telegram.org when originating from browser sessions
• Deploy browser security extensions capable of identifying phishing pages
• Implement domain monitoring for suspicious infrastructure hosting phishing kits

MITRE ATT&CK® Techniques

Tactic	Technique ID	Procedure
Initial Access	T1566 – Phishing	Phishing pages used to lure victims to malicious verification workflows.
Execution	T1059.007 – JavaScript	Malicious JavaScript executed in the victim’s browser.
Collection	T1125 – Video Capture	Camera access is used to capture photos and videos of victims.
Collection	T1123 – Audio Capture	Microphone access is used to record the victim’s audio.
Collection	T1005 – Data from Local System	Device information is collected from the browser environment.
Collection	T1213 – Data from Information Repositories	Contact details retrieved from the device contact list.
Discovery	T1082 – System Information Discovery	Device and browser information enumeration.
Discovery	T1614 – System Location Discovery	Victim IP and geographic location collected.
Exfiltration	T1567 – Exfiltration Over Web Services	Collected data transmitted to the attacker’s infrastructure.

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The post AI-Assisted Phishing Campaign Exploits Browser Permissions to Capture Victim Data appeared first on Cyble.

Cyble – ​Read More

In 2026, the cyber threat landscape has become more complex and dangerous than ever. Attackers no longer operate only on the surface web; they now lurk in encrypted networks, underground marketplaces, and anonymous forums across the dark web, where stolen credentials are traded, breaches are planned, and cyberattacks take shape. 

Recent data from Cyble Research and Intelligence Labs (CRIL) shows the scale of this threat. In 2025 alone, Cyble tracked 6,046 global data breach and leak incidents, with sectors such as government and finance among the most targeted. The research has also identified thousands of enterprise credentials circulating on dark web marketplaces, often harvested by infostealer malware and sold to cybercriminals. 

For organizations that want to protect sensitive data, maintain reputation, and reduce operational risk, investing in dark web intelligence and dark web monitoring solutions is no longer optional; it’s a necessity. 

What Is Dark Web Monitoring and Why It Matters in 2026 

Dark web monitoring involves continuous scanning and intelligence gathering from hidden parts of the internet that aren’t indexed by traditional search engines, including TOR, I2P, ZeroNet, and encrypted chat channels. Cybercriminals use these platforms to trade stolen data, discuss exploits, and plan attacks. 

Effective dark web surveillance allows organizations to detect threats early. By identifying stolen credentials, leaked data, and malicious activity before the attacker acts, security teams can reset passwords, notify affected personnel, and fortify defenses, turning reactive security into a proactive advantage. 

How the Dark Web Has Evolved as a Threat Landscape 

Once considered a fringe network, the dark web has become a structured ecosystem for cybercrime. Threat actors collaborate globally with the same levels of sophistication as legitimate enterprises, complete with forums for selling vulnerabilities, reputation systems for traders, and encrypted channels for planning attacks. 

From ransomware kits to stolen databases and insider trading in sensitive corporate data, the dark web now functions as a hub for criminal collaboration and the commercialization of cyberattacks. Organizations that ignore this underground economy risk being blindsided. 

What Kind of Data Ends Up on the Dark Web 

Not all information on the dark web carries the same risk, but much of it is highly sensitive: 

• Stolen credentials: Email/password combinations, VPN logins 

• Breached corporate databases: Financial, HR, and client information 

• Identity documents: Social Security numbers, passports 

• Internal communications or proprietary IP 

Even seemingly minor leaks, if unnoticed, can be exploited for data breaches. Platforms with data leak monitoring and dark web alerts allow teams to act before these threats escalate. 

How Dark Web Monitoring Works 

Modern dark web monitoring relies on a combination of automated technologies and expert analysis. Tools crawl hidden networks, marketplaces, paste sites, and private forums to collect data. AI and machine learning analyze signals, identify patterns of malicious behavior, and provide cyber threat intelligence in actionable formats. 

Key capabilities include: 

• Deep web and dark web scanning: Covering TOR, I2P, and other hidden networks 

• Threat actor tracking: Linking chatter to known malicious entities 

• Natural Language Processing (NLP): Interpreting unstructured forum text 

• Actionable alerts: Prioritized intelligence for immediate response 

This ensures organizations can anticipate threats rather than merely respond after an incident. 

Key Features to Look for in a Dark Web Monitoring Solution 

In 2026, an effective platform should offer: 

• Continuous, real-time scanning 

• Comprehensive monitoring of marketplaces, forums, and paste sites 

• Automated alerts with remediation guidance 

• Integration with existing cybersecurity systems 

• Reporting for compliance and risk assessment 

• Threat actor profiling and predictive analytics 

Solutions lacking contextual intelligence or actionable insights are insufficient for modern threat landscapes. 

Cyble Hawk for Advanced Threat Intelligence and Protection 

To counter cyber threats from advanced adversaries, Cyble Hawk represents the next generation of dark web monitoring and threat intelligence. Beyond merely detecting leaks, Cyble Hawk tracks threat actors, uncovers emerging attack trends, and provides actionable insights across cyber and physical domains. 

Key advantages of Cyble Hawk include: 

• Deep Intelligence Fusion: Integrates open-source and proprietary intelligence for a 360-degree view of threats. 

• AI & Deep Learning: Identifies threat actors and patterns in real time. 

• Real-Time Alerts & Rapid Response: Immediate notifications for compromised credentials, breaches, and vulnerabilities. 

• Incident Response & Resilience: Supports frameworks to continuously strengthen the cybersecurity posture. 

Cyble Hawk doesn’t just monitor; it empowers organizations to detect, respond, and protect against the most advanced cyber threats before they escalate. 

Dark Web Monitoring Across Industries 

Different sectors face unique exposures, and tailored monitoring is critical: 

• Financial Services: Detect compromised customer databases, prevent fraud schemes 

• Healthcare: Identify patient data leaks, PHI exposure, and ransomware chatter 

• Retail & E-Commerce: Monitor credential-stuffing lists, card dumps, and phishing campaigns 

• Manufacturing & Critical Infrastructure: Track trade-secret exposure and APT activity 

• Government & Public Sector: Detect contractor data leaks, APT campaigns, and impersonation threats 

Building a Dark Web Monitoring Strategy in 2026 

A robust strategy combines continuous monitoring with proactive response: 

1. Asset Prioritization: Identify the most critical data, accounts, and intellectual property 

2. Continuous Intelligence Gathering: Real-time scanning of forums, marketplaces, and paste sites 

3. Automated, Actionable Alerts: Ensure teams can respond quickly to compromised assets 

4. Integration with Cybersecurity Infrastructure: Link dark web intelligence with firewalls, identity protection, and incident response tools 

5. Employee Awareness: Educate staff to recognize phishing and social engineering attempts 

This approach transforms dark web intelligence into a defensive advantage, reducing exposure and operational risk. 

Frequently Asked Questions (FAQs) 

Q.1: What is dark web intelligence? 

Intelligence is collected from unindexed networks and underground forums to detect threats, leaked data, or compromised credentials. 

Q.2: Can dark web monitoring prevent attacks? 

It doesn’t prevent breaches outright, but early detection of leaks or malicious activity enables mitigation before exploitation. 

Q.3: Who should use dark web monitoring? 

Any organization handling sensitive data, including enterprises, government agencies, and financial institutions. 

Q.4: How does Cyble Hawk enhance monitoring? 

By combining AI, threat actor tracking, and real-time alerts, Cyble Hawk delivers actionable intelligence that allows organizations to detect, respond, and fortify defenses effectively. 

Conclusion 

In 2026, the dark web remains one of the most dynamic and high-risk areas of the cyber threat landscape. Organizations can no longer afford to rely on reactive security. By leveraging advanced monitoring platforms like Cyble Hawk, security teams gain early visibility into compromised data, track threat actors, and respond to risks before they escalate into major incidents. 

Cyble Hawk combines AI-driven intelligence, real-time alerts, and expert threat analysis to help organizations detect threats faster and strengthen their cybersecurity posture. Schedule a personalized demo to see Cyble Hawk in action and learn how it can help protect your organization’s critical assets. 

The post The Ultimate Guide to Dark Web Monitoring in 2026: Protect Your Data Before Attackers Strike appeared first on Cyble.

Cyble – ​Read More