Microsoft has released its monthly security update for April 2026, which includes 165 vulnerabilities affecting a wide range of products, including eight Microsoft marked as “critical.”
CVE-2026-23666 is a critical Denial of Service (DoS) vulnerability that affects the .NET framework. Successful exploitation could allow the attacker to deny service over the network.
CVE-2026-32157 is a critical use after free vulnerability in the Remote Desktop Client that results in code execution. Attack requires an authorized user on the client to connect to a malicious server, which could result in code execution on the client.
CVE-2026-32190 is a critical user after free vulnerability in Microsoft Office that can result in local code execution. Attacker is remote but attack is carried out locally. Code from the local machine needs to be executed to exploit the vulnerability.
CVE-2026-33114 is a critical untrusted pointer deference vulnerability in Microsoft Office Word that could allow the attacker to execute code locally. Code from the local machine needs to be executed to exploit this vulnerability.
CVE-2026-33115 is a critical use after free vulnerability in Microsoft Office word that can result in local code execution. Similar to CVE-2026-33114 and CVE-2026-32190 the attacker is remote, but code needs to be executed from the local machine to exploit the vulnerability.
CVE-2026-33824 is a critical double free vulnerability in the Widows Internet Key Exchange (IKE) extension, allowing remote code execution. An unauthenticated attacker can send specially crafted packets to a Windows machine with IKE version 2 enabled to potentially enable remote code execution. Additional mitigations can include blocking inbound traffic on UDP ports 500 and 4500 if IKE is not in use.
CVE-2026-33826 is a critical improper input validation in Windows Active Directory that can result in code execution over an adjacent network. Requires an authenticated attacker to send specially crafted RPC calls to an RPC host. Can result in remote code execution. Note that successful exploitation requires the attacker be in the same restricted Active Directory domain as the target system.
CVE-2026-33827 is a critical race condition vulnerability in Windows TCP/IP that can result in remote code execution. Successful exploitation requires the attacker to win a race condition along with additional actions prior to exploitation to prepare the target environment. An unauthenticated actor can send specially crafted IPv6 packets to a Windows node where IPSec is enabled to potentially achieve remote code execution.
CVE-2026-32201 is an important improper input validation vulnerability in Microsoft Office SharePoint that can allow an unauthorized user to perform spoofing. An attacker that successfully exploits this vulnerability could view some sensitive information and make changes to disclosed information. This vulnerability has already been detected as being exploited in the wild.
The majority of the remaining vulnerabilities are labeled as important with a two moderate and one low vulnerability also being patched. Talos would like to highlight the several additional important vulnerabilities that Microsoft has deemed as “more likely” to be exploited.
· CVE-2026-32225 – Windows Shell Security Feature Bypass Vulnerability
· CVE-2026-33825 – Microsoft Defender Elevation of Privilege Vulnerability
A complete list of all other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are: 1:65902-1:65903, 1:66242-1:66251, 1:66259-1:66260, 1:66264-1:66267, 1:66275-1:66276
The following Snort 3 rules are also available: 1:301398, 1:301468-1:3101472, 1:301475, 1:301477-1:301478, 1:301480
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-14 21:09:462026-04-14 21:09:46Microsoft Patch Tuesday for April 2026 – Snort Rule and Prominent Vulnerabilities
It’s one of those coincidences: independent university research teams stumble onto something new and prep their papers for publication — only to realize they’ve solved the exact same puzzle using slightly different methods. That’s exactly what happened with GDDRHammer and GeForge. These two studies describe Rowhammer-style attacks that are so similar the researchers decided to publish them as a joint effort. Then, while we were putting this post together, a third study surfaced — GPUBreach — detailing yet another comparable attack. So today we’re looking at all three.
All three theoretical attacks target graphics accelerators, though this term is not entirely accurate anymore since these devices are so good at parallel processing, they’ve moved far beyond just rendering frames in a game and are now the backbone of AI systems. It’s this industrial use case that is most at risk. Picture a cloud provider renting out GPU resources to all comers. These new attacks demonstrate how, in theory, a single malicious customer could go beyond seizing control of an accelerator to compromise the entire server, access sensitive data, and potentially hack the provider’s entire infrastructure. Let’s break down why this kind of attack is even possible.
Rowhammer in a nutshell
We covered Rowhammer in-depth in previous posts, but here’s the quick version. The original attack was first proposed back in 2014, and it exploits the actual physical properties of RAM chips. Individual memory cells are simple components arranged in tight rows. In theory, reading or writing to one cell shouldn’t affect its neighbors. However, because these chips are packed so densely — with millions or even billions of cells per chip — writing to one spot can sometimes modify the cells next to it.
The 2014 study showed that this isn’t just a recipe for random data corruption; it can be weaponized. By repeatedly accessing (or “hammering”, hence the name) a specific area of memory, an attacker can intentionally flip bits in adjacent cells. If an attacker manages to flip the right bits, he can bypass critical security measures to snag sensitive data or run unauthorized code with full privileges.
Since that first discovery, we’ve seen a constant arms race between new Rowhammer defenses and clever ways to bypass them. We’ve also seen the attack evolve to target newer standards like DDR4 and DDR5. That’s a key takeaway here: for every new type of memory that hits the market, researchers essentially have to reinvent the attack from scratch.
Attacking GDDR6 video memory
The first Rowhammer attack on GPUs was presented back in 2025, but the results were relatively modest. At the time, researchers were able to force bit-flips in GDDR6 memory cells, and show how that data corruption could degrade the performance of an AI system.
These latest papers, however, warn of much more damaging attacks on video memory. Using slightly different techniques, GDDRHammer and GeForge manipulate the page tables — basically the master structures that track where data lives in the GPU’s memory. This enables an attacker to read or write to any part of the video memory, and even reach into the main system RAM managed by the CPU. Modifications to page tables are possible because the researchers have found a way to hammer memory cells much more efficiently. They pulled this off despite the hardware using Target Row Refresh, a core defense designed specifically to stop Rowhammer. TRR detects repeated access to specific cells, and forces a data refresh in the neighboring rows to hamper the attack. However, the researchers discovered a specific pattern of access that can bypass TRR.
How realistic are these GPU attacks?
As is usually the case with this type of research, pulling off these attacks in the real world comes with a lot of contingencies. First off, different GPUs behave differently. For instance, the GeForge attack was significantly more effective on the consumer-grade GeForce RTX 3060. On the industrial-strength Nvidia RTX A6000, the attack’s efficiency dropped by more than five times — even though both cards use the exact same GDDR6 memory standard. Going back to our hypothetical scenario of a malicious cloud customer: for an attack to work, they’d first need to identify exactly which accelerator they’ve been assigned, then profile their exploit specifically for that hardware. In short, this would have to be an incredibly sophisticated and expensive targeted attack.
It’s also worth noting that GDDR6 isn’t the latest and greatest anymore. Consumer devices are moving to GDDR7, while professional-grade hardware often uses high-speed HBM memory. These systems come with ECC (Error Correction Code), a built-in mechanism that checks data integrity. ECC can actually be enabled on cards like the Nvidia A6000; while it might take a small bite out of performance, it effectively makes both of these attacks impossible.
Another tool available to owners of AI-focused servers is enabling the IOMMU (input–output memory management unit) — a system that isolates the GPU’s memory from the CPU’s memory. This will prevent an attack from escalating from the graphics accelerator to the main processor and compromising the entire server. This is where the third study, GPUBreach, comes into play. Its main differentiator from GDDRHammer and GeForge is that it can actually bypass even IOMMU protection! It pulls this off by exploiting some fairly traditional bugs found in NVIDIA drivers.
So, despite the existing hurdles, these three studies prove that Rowhammer attacks remain a potent threat. This is especially true in our current AI boom, which relies on massive, expensive, and potentially vulnerable infrastructure packed with dozens or even hundreds of thousands of computing devices. The Rowhammer timeline goes to show that technical barriers almost never hold for long. In standard RAM, researchers have managed to bypass not only basic fixes like Target Row Refresh, but also more advanced — and theoretically bulletproof — solutions like ECC memory. While the extreme complexity of these exploits means they’ll likely never become a mass-market threat, for anyone running expensive computing systems, they’re definitely a risk factor that can’t be ignored.
Across the Talos 2025 Year in Review, state-sponsored threat activity from China, Russia, North Korea, and Iran all had varying motivations, such as espionage, disruption, financial gain, and geopolitical influence.
But when you look at how these operations actually unfold, similar tactics, techniques, and procedures (TTPs) keep appearing: access through vulnerabilities and identity, and access that remains under the radar for a considerable period of time.
Here are the dominant themes from the state-sponsored section of the Talos Year in Review, available now.
China
China-nexus threat activity stood out this year for both volume and efficiency, with Talos investigations increasing by nearly 75% compared to 2024.
Newly disclosed vulnerabilities were exploited almost immediately (e.g., ToolShell), sometimes before patches were widely available. At the same time, long-standing, unpatched vulnerabilities in networking devices and widely used software continued to provide reliable entry points for these types of adversary.
Once inside, the focus shifts to persistence. Web shells, custom backdoors, tunneling tools, and credential harvesting all support long-term access.
There’s also more overlap than ever before between state-sponsored and financially motivated activity. It is likely that in some cases, state-sponsored actors conducted operations for personal profit alongside espionage-focused missions, while in others, cybercriminals collected valuable information during an attack that could be sold to espionage-motivated actors for further exploitation, providing them dual revenue streams.
Russia
Russian-linked cyber activity remains closely tied to their geopolitical objectives, particularly the war in Ukraine.
Many operations continue to rely on unpatched, older vulnerabilities (especially in networking devices) to gain initial access. These flaws provide a dependable way in for adversaries and support long-term intelligence gathering.
Russia’s offensive cyber activity is highly correlated with developments in the larger geopolitical sphere. For example, the announcement of sanctions intended to apply pressure on Russia by both the U.S. and E.U. often corresponded with our observed levels of Russian cyber activity.
Common malware families like Dark Crystal RAT (DCRAT), Remcos RAT, and Smoke Loader appeared frequently in Talos investigations on operations against Ukraine in 2025. These families aren’t exclusive to Russia-nexus threat actors, but they continue to be effective in environments where patching and visibility are inconsistent, and should therefore be high priority targets for defense and monitoring.
North Korea
North Korea cyber operations leaned heavily into social engineering and insider access in 2025. These operations were both for financial and espionage purposes.
Campaigns like Contagious Interview (orchestrated by Famous Chollima) used fake recruiters from legitimate companies to socially engineering targets to execute code or hand over credentials. From there, actors stole cryptocurrency, exfiltrated data, and established persistent access.
North Korean cyber actors also pulled off the largest cryptocurrency heist in history in 2025, stealing $1.5 billion. Additionally, thousands of IT workers used stolen identities and AI-generated profiles to secure positions at Fortune 500 companies, generating billions in annual revenue for North Korea’s nuclear weapons and ballistic missiles programs.
Iran
Iranian cyber threat activity in 2025 combined visible disruption with long-term access.
Hacktivist operations increased by 60% in response to geopolitical events, particularly the Israel-Hamas conflict. These campaigns, which include distributed denial-of-service (DDoS) attacks, defacements, and other disruptive operations, are often designed to generate attention and shape narratives.
At the same time, more traditional advanced persistent threat (APT) activity focused on persistence. Groups such as ShroudedSnooper targeted sectors like telecommunications, using custom compact backdoors designed to blend into normal traffic and remain undetected.
ShroudedSnooper is an APT that public reporting widely attributes to Iran’s Ministry of Intelligence and Security (MOIS). It is very likely an initial access group that passes operations off to secondary threat actors for long term espionage or destructive attacks.
For current threat intelligence related to the developing conflict in Iran, follow our coverage on the Talos blog.
Guidance for defenders
Though the state-sponsored activity that we tracked for the Talos Year in Review have different objectives, they still have the same reliance on gaining and maintaining access. The following guidance is recommended for security teams:
Don’t ignore older systems: Both newly disclosed and long-known vulnerabilities are actively exploited.
Prioritize identity security: Credentialed access and social engineering remain reliable entry points.
Increase visibility into network and edge infrastructure: These systems are common targets for persistent access.
Expect activity to follow global events: Sanctions, conflicts, and political developments often correlate with spikes in activity. Follow the Talos blog to keep informed of new state sponsored activity and campaigns.
Inspect for long-term presence: Many state-sponsored operations are designed to persist stealthily over time, not trigger immediate disruption.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-14 15:06:382026-04-14 15:06:38State-sponsored threats: Different objectives, similar access paths
Modern phishing campaigns increasingly abuse legitimate services. Cloud platforms, file-sharing tools, trusted domains, and widely used SaaS applications are now part of the attacker’s toolkit. Instead of breaking trust, attackers borrow it.
This shift creates a dangerous asymmetry. Security controls often whitelist or inherently trust these services, while users are far less likely to question them. The result is a smoother path from inbox to infection.
Key Takeaways
Attackers are shifting to trusted cloud infrastructure (Google Storage) to bypass email filters and reputation checks.
The multi-stage chain uses obfuscated JS/VBS/PowerShell and legitimate RegSvcs.exe for process injection, making static detection ineffective.
Remcos RAT provides full remote control, keylogging, and data exfiltration — turning one compromised endpoint into a persistent foothold.
Credential harvesting combined with malware delivery creates dual risk: immediate data theft plus long-term network compromise.
Traditional EDR relying on file reputation misses these attacks; behavioral sandboxing and real-time TI are required.
The New Face of Phishing: When “Legitimate” Becomes Lethal
According to ANY.RUN’s annual Malware Trends Report for 2025, phishing driven by multi-stage redirect chains and trusted-cloud hosting has become the dominant attack vector, with RATs and backdoors rising 28% and 68% respectively. The abuse of legitimate platforms has made traditional reputation-based filtering fundamentally unreliable.
Early detection is no longer simply a technical performance metric. It is a business continuity imperative. When threats hide inside trusted infrastructure, the window between initial infection and serious organizational impact can be measured in hours, not days. Security teams that cannot identify and contain an attack in its earliest stages — before the payload executes, before the C2 channel is established, before the attacker pivots deeper into the network — face an exponentially harder response challenge.
Phishing Campaign Hiding Remcos RAT Inside Google Cloud Storage
In April 2026, ANY.RUN’s threat research team identified a sophisticated multi-stage phishing campaign that perfectly exemplifies this new breed of attack. The campaign abuses Google Cloud Storage to host HTML phishing pages themed as Google Drive document viewers, ultimately delivering the Remcos Remote Access Trojan (RAT).
The attackers parked their phishing pages on a legitimate, widely-trusted Google domain. This single architectural choice allowed the campaign to bypass a wide range of conventional email security gateways and web filtering tools.
Convincing Google Drive-themed phishing pages are hosted on storage.googleapis.com subdomains such as pa-bids, com-bid, contract-bid-0, in-bids, and out-bid. Examples include URLs like hxxps://storage[.]googleapis[.]com/com-bid/GoogleDrive.html. These pages mimic legitimate Google Workspace sign-in flows, complete with branded logos, file-type icons (PDF, DOC, SHEET, SLIDE), and prompts to “Sign in to view document in Google Drive.”
The pages are crafted to harvest full account credentials: email address, password, and one-time passcode. But the credential theft is just the opening act. After a “successful login,” the page prompts the download of a file named Bid-Packet-INV-Document.js, which serves as the entry point for the malware delivery chain.
Attack Chain
The delivery chain is deliberately complex and layered to evade detection at every stage:
1. Phishing Email Delivery. Because the sending domain and the linked domain are both associated with legitimate Google infrastructure, the email passes standard DMARC, SPF, and DKIM authentication checks, and is not flagged by reputation-based email filters.
2. Fake Google Drive Login Page. The googleapis.com link opens a convincing replica of the Google Drive interface, prompting the victim to authenticate with their email address, password, and one-time passcode. Credentials entered here are captured and exfiltrated to the attacker’s command-and-control infrastructure.
3. Malicious JavaScript Download. The victim is prompted to download Bid-Packet-INV-Document.js, presented as a business document. When executed under Windows Script Host, this JavaScript file contains time-based evasion logic — it can delay execution to avoid sandbox detection environments that analyze behavior within a fixed time window.
4. VBS Chain and Persistence. The JavaScript launches a first VBS stage, which downloads and silently executes a second VBS file. This second stage drops components into %APPDATA%WindowsUpdate (folder name chosen to blend in with legitimate Windows processes) and configures Startup persistence, ensuring the malware survives system reboots.
Malicious script activity captured by the sandbox
5. PowerShell Orchestration. A PowerShell script (DYHVQ.ps1) then orchestrates the loading of an obfuscated portable executable stored as ZIFDG.tmp, which contains the Remcos RAT payload. To remain stealthy, the chain simultaneously fetches an additional obfuscated .NET loader from Textbin, a text-hosting service, loading it directly in memory via Assembly.Load, leaving no file on disk for traditional antivirus engines to scan.
6. Process Hollowing via RegSvcs.exe. The .NET loader abuses RegSvcs.exe for process hollowing. Because RegSvcs.exe is signed by Microsoft and carries a clean reputation on VirusTotal, its execution appears benign in endpoint logs. The loader creates or starts RegSvcs.exe from %TEMP%, hollowing the process and injecting the Remcos payload into its memory space. The result is a partially fileless Remcos instance: most of the malicious logic executes entirely in memory, never touching the disk in a form that a signature-based scanner would recognize.
Remcos RAT detected in the sandbox analysis
7. C2 Establishment. Remcos establishes an encrypted communication channel back to the attacker’s command-and-control server and writes persistence entries into the Windows Registry under HKEY_CURRENT_USERSoftwareRemcos-{ID}, ensuring continued access across reboots. From this point, the attacker has full, persistent, covert control over the compromised endpoint.
ANY.RUN’s sandbox analysis clearly visualizes this chain: wscript.exe spawns multiple VBS and JS scripts, cmd.exe and powershell.exe handle staging, and RegSvcs.exe is flagged for Remcos behavior. The entire process tree demonstrates how attackers chain living-off-the-land binaries (LOLBins) with obfuscation and in-memory execution.
Why This Attack Works — and Why Remcos Makes It So Dangerous
The attack succeeds because it weaponizes trust at every layer. Google Storage provides reputation immunity. RegSvcs.exe is a signed Microsoft binary used for .NET service installation: its clean hash means endpoint protection rarely flags it. Combined with heavy obfuscation, time-based evasion, and fileless techniques, the campaign slips past static analysis and many EDR rules that rely on file reputation or known malicious domains.
At the heart of the final payload is Remcos RAT — a commercially available Remote Access Trojan that has become a favorite among cybercriminals due to its affordability, ease of use, and powerful feature set. It grants attackers full remote control over the compromised system. Capabilities include keylogging, credential harvesting from browsers and password managers, screenshot capture, file upload/download, remote command execution, microphone and webcam access, and clipboard monitoring. It supports persistence mechanisms, anti-analysis tricks, and encrypted C2 communication.
The dangers of Remcos extend far beyond initial access. It serves as a beachhead for further attacks: ransomware deployment, lateral movement across the corporate network, data exfiltration of intellectual property or customer records, and even supply-chain compromise if the infected machine belongs to a vendor. Because it runs in memory inside a trusted process, it can remain undetected for weeks or months, silently harvesting sensitive data.
Why This Matters for Businesses
Enterprises face amplified risk because these campaigns target high-value users (executives, finance teams, and procurement staff) who routinely handle sensitive documents and have elevated privileges. A single successful infection can lead to:
Data Breaches and Regulatory Fines: Stolen credentials and exfiltrated files can trigger GDPR, CCPA, or industry-specific compliance violations costing millions.
Financial Losses: Direct wire fraud from compromised email accounts or indirect losses from ransomware.
Operational Disruption: Lateral movement can encrypt servers or exfiltrate intellectual property, halting production or R&D.
Reputation Damage: Clients and partners lose trust when a breach is publicly disclosed.
Supply-Chain Ripple Effects: If a vendor’s system is compromised via this vector, attackers can pivot into larger organizations.
In attacks that exploit legitimate services, the Mean Time to Detect (MTTD) for conventional security tools is dramatically extended. When the initial link is clean, the host domain is trusted, and the payload runs inside a legitimate Microsoft process, the alert chain that SOC teams depend on generates few or no signals. The attacker operates in silence while gathering intelligence, escalating privileges, and expanding their foothold.
Enabling Proactive Protection Against Trust-Abuse Phishing
Defending against phishing campaigns that abuse legitimate services requires a security capability that operates at the behavioral level — one that can observe what happens after a link is clicked or a file is opened, not just assess whether a URL or hash matches a known-bad list. ANY.RUN’s Enterprise Suite is built precisely for this purpose, and its three core modules address the threat at complementary stages of the detection and response lifecycle.
Triage & Response: See the Full Kill Chain Before It Reaches Production
The foundation of ANY.RUN’s detection capability is its Interactive Sandbox: a cloud-based, fully interactive analysis environment that allows security analysts to safely detonate suspicious files and URLs in real time. Unlike automated sandboxes that analyze behavior passively within a fixed time window, ANY.RUN’s sandbox supports genuine human interaction: analysts can click, type, scroll, and navigate within the isolated virtual machine, triggering behavior that might be blocked by time-delay evasion or anti-automation logic.
In the Google Cloud Storage / Remcos campaign, this capability is decisive. The malicious JavaScript embedded time-based evasion logic is a mechanism designed specifically to defeat automated sandbox analysis. An interactive sandbox can wait out that delay, manually trigger the next stage, and observe the complete execution chain from the initial JS download through the VBS stages, the PowerShell orchestration, the process hollowing via RegSvcs.exe, and the final Remcos C2 callback.
Reduce the risk of delayed detection
Help your team investigate faster and respond earlier
The result is not just a verdict but a full behavioral map: every process spawned, every network connection initiated, every registry key written, every file dropped. This map translates directly into actionable detection logic — MITRE ATT&CK-mapped TTPs, Sigma rules that can be deployed to SIEM and EDR platforms, and concrete IOCs that can be operationalized across the security stack.
MITRE ATT&CK matrix of the attack analyzed in the sandbox
For SOC teams, this means the difference between seeing an alert that says ‘suspicious JavaScript file’ and understanding the complete threat: this is Remcos RAT, delivered via process hollowing, with these C2 addresses, using these persistence mechanisms, and these are the detection rules that will catch the next variant.
Threat Hunting: Enrich, Pivot, and Hunt Proactively
ANY.RUN’s Threat Intelligence Lookup is a searchable, continuously updated database of threat intelligence drawn from real-time malware analysis conducted by a community of over 600,000 cybersecurity professionals and 15,000 organizations worldwide. It functions as a force multiplier for threat hunting and incident response, providing instant enrichment for any indicator — IP address, domain, file hash, URL, or behavioral signature.
In the context of the Google Cloud Storage / Remcos campaign, Threat Intelligence Lookup enables analysts to move rapidly from a single observed indicator to a comprehensive understanding of the campaign’s scope. A C2 IP address flagged by sandbox analysis can be pivoted to reveal all associated Remcos samples in the database, the infrastructure pattern used across the campaign, related file hashes, and behavioral indicators that might be present in other systems.
Domain associated with Google Cloud Storage/Remcos campaign in TI Lookup
This pivoting capability is particularly valuable for detecting multi-stage attacks where the initial indicators are clean (a googleapis.com URL, a signed Microsoft binary) but later-stage indicators — C2 domains, specific PowerShell script signatures, anomalous RegSvcs.exe activity — can be correlated against historical data to confirm campaign attribution and expand detection coverage.
For threat hunters, Threat Intelligence Lookup supports proactive campaign identification before an organization is impacted. YARA-based searches, combined with industry and geography filters, allow security teams to identify whether active campaigns are targeting their specific sector and region and to build detection rules based on real-world attacker behavior rather than theoretical models.
ANY.RUN’s Threat Intelligence Feeds deliver a continuous stream of fresh, verified malicious indicators directly into an organization’s security infrastructure — SIEM, SOAR, TIP, XDR — via STIX/TAXII and API/SDK integrations. These feeds are generated from live sandbox analysis across the ANY.RUN community, meaning they reflect actual attacker behavior observed in real-world campaigns, not synthetic or retrospectively compiled threat data.
TI Feeds benefits and integrations
A critical differentiator is the uniqueness rate: ANY.RUN reports that 99% of indicators in its feeds are unique to the platform, not duplicated from public threat intel sources. The feeds also dramatically reduce Tier 1 analyst workload by providing malicious-only alerts with full behavioral context, cutting through the alert fatigue that plagues security operations teams dealing with high volumes of false positives from tools that cannot distinguish between legitimate googleapis.com traffic and the specific pattern of googleapis.com traffic used in this campaign.
The Google Storage phishing campaign delivering Remcos RAT is a wake-up call. As attackers continue to abuse trusted cloud services and legitimate binaries, organizations can no longer rely on reputation or signatures alone. Early detection through behavioral analysis and proactive threat intelligence is no longer optional — it is essential for survival.
By leveraging ANY.RUN’s Enterprise Suite, security leaders can stay ahead of these evolving threats, protect critical assets, and maintain business continuity in an increasingly hostile digital landscape. The time to strengthen defenses is now — before the next bid document lands in your inbox.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.
It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.
ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls.
FAQ
What makes this Google Storage phishing campaign different from traditional attacks?
It hosts the phishing page on legitimate storage.googleapis.com domains instead of suspicious new sites, bypassing URL reputation filters entirely.
How does the attack ultimately deliver Remcos RAT?
Through a layered chain of JS, VBS, PowerShell, and in-memory loading that culminates in process hollowing of the trusted RegSvcs.exe binary.
Why is RegSvcs.exe particularly dangerous in this context?
It is a signed Microsoft .NET binary with a clean VirusTotal reputation, allowing attackers to inject the Remcos payload without triggering file-based alerts.
What capabilities does Remcos RAT provide to attackers?
Full remote access, keylogging, credential theft, file exfiltration, screenshot capture, and persistence — all while running inside legitimate processes.
How can ANY.RUN’s sandbox help my team detect similar threats?
It detonates suspicious files/URLs in a safe environment, reveals the complete behavioral chain, and provides IOCs and process trees for immediate response.
What should businesses do immediately to protect against these attacks?
Enable behavioral analysis tools, integrate real-time threat intelligence feeds, train staff on cloud-storage lures, and test suspicious links in an interactive sandbox before opening.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-14 11:06:342026-04-14 11:06:34When Trust Becomes a Weapon: Google Cloud Storage Phishing Deploying Remcos RAT
The smart-home craze has connected everything — from your lightbulbs to your tea kettle — to the internet, and the adult industry isn’t sitting this one out: manufacturers are releasing more smart models than ever. While syncing a sex toy to your smartphone unlocks some cool extra features, it also opens the door to potential security and privacy headaches. The good news? You can significantly lower most of these risks just by tweaking your settings and adjusting your usage habits.
How sex-toy apps actually work
To be clear upfront, while researchers have successfully hijacked sex toys in controlled experiments, the odds of a hacker remotely taking over your vibrator in the real world are pretty slim. In this post, we focus on the more realistic risks: your privacy and the safety of your data.
Most modern adult toys link up with the manufacturer’s app. These apps offer a range of usage options: you can control the device yourself, or hand over the remote to a partner — anywhere in the world via the internet.
Beyond just basic controls, many of these apps have social features: private messaging, group chats, calls, and even video sessions. In fact, you don’t even need a physical device to use some of them; you just create an account. Because of this, some of these services have essentially evolved into niche dating platforms.
The toy and your phone talk to each other via Bluetooth — with minimal risks. To handle social features or remote control, the app connects to a cloud server. This creates a constant stream of data moving back and forth: everything from commands to private messages.
Here’s the catch: even if you only use the app to control your toy locally via Bluetooth, you still get connected to that cloud server. That means you’re inheriting all the security and privacy risks.
The main risks of using sex-toy apps
Sex-toy apps are typically free. In practice, this means the primary way these services make money is by collecting data — which is often excessive. It’s not hard to find buyers of this information; it could be ad services, data brokers, or other companies interested in building detailed user profiles.
Developers of intimate apps suffer from frequent data breaches, and in this sense they’re no different from many other online services that spring a leak regularly. However, unlike a breach at an online pet food store, a data leak from a sex toy app can have much more serious consequences for the user. For sex industry workers, such as those who use webcams, these data breaches pose a direct threat to their physical safety.
Vulnerabilities within the service’s infrastructure warrant special attention. These types of bugs can be exploited by hackers to gain unauthorized access to other people’s accounts.
The inclusion of broad social features essentially turns sex-toy apps into just another messaging platform. However, while we usually know if mainstream messengers use end-to-end encryption, or what vulnerabilities they face, every sex-toy app has to be evaluated individually.
Without end-to-end encryption, user chats may be accessible on the server side. This means that if the service is compromised, the contents of those messages could end up in the hands of hackers. Furthermore, the sex toy manufacturer itself, or its individual employees, could have access to your chats.
Finally, the user’s account and everything in it can be hijacked by bad actors if it isn’t protected by a strong password and, ideally, two-factor authentication.
How to lower the risks when using sex-toy apps
Now that we’ve covered the threats, let’s talk about how to defend yourself. The most obvious choice is to skip installing the app altogether. Thankfully, most sex toys still come with physical buttons — unlike, say, smart mattresses, which often require an app just to function. For those who want the extra features, here are some practical tips for setting up and using these services.
Create an account with a dedicated email address
Set up a separate email address just for registering your account in the intimate app. This should be a “clean” email with no links to any other online services you use. Naturally, the username for this email account shouldn’t include your real name or any other easily identifiable info.
Using an anonymous email protects your reputation if the app suffers a data breach. The risk of this happening is far from theoretical. For instance, back in 2015, a hacking group named The Impact Team leaked the user database of Ashley Madison, a dating site for people seeking extramarital affairs.
To create an anonymous email, pick a service that doesn’t require a phone number at all, or lets you skip that step. Besides your real name, we also recommend leaving out your birth date, your usual social media handles, and any other details that could lead back to you.
Don’t sign up via Google, Apple, social media, or your phone number
The reasoning here is basically the same as the previous point. However, it’s worth highlighting that signing up through Google, Apple, social media, or your phone number is actually just about the worst way to go.
Using Google or social media accounts gives the app permission to, among other things, access certain data from those profiles. In the context of intimate apps, this is especially risky because it creates a direct link between highly sensitive data and your real-world identity.
Keep your real info out of your profile
Once you’re in the app, don’t use any information that could be traced back to you. Come up with an anonymous handle (if you’re feeling uninspired, use a random nickname generator), pick a fake birthday, and choose a random location.
Using fictional info means you don’t have to sweat being outed if the service ever leaks your data. You’re also protecting yourself from stalking, blackmail, and other threats that come with someone being able to pin your real identity to your account.
Hide your face and distinguishing marks when sharing private media
As we’ve mentioned throughout this post, these apps often include social features used for swapping intimate photos and videos. Even if you trust the person you’re chatting with, those files can be saved, forwarded, or used without your consent. When combined with other account info, they can make it easy to figure out who you are.
We recommend never sending intimate media that shows your face or anything else that identifies you — think recognizable home decor, personal items, documents, unique clothing, tattoos, or jewelry.
Set a strong password and enable two-factor authentication, if available
If a hacker breaks into your sex toy account, they’re getting access to your most private data. Because of that, your account needs a rock-solid password. Just to be clear, here’s what we mean by a strong password:
It’s at least 16 characters long.
It uses a mix of uppercase and lowercase letters, numbers, and special characters (like $ or @).
It’s not a real word or a well-known phrase.
It’s unique and not reused for any of your other accounts.
It doesn’t include personal info that’s easy for an outsider to find.
We also recommend turning on two-factor authentication (2FA) if the service offers it. Your best bet is to use 2FA one-time codes from an authenticator app, as it’s the most secure and completely anonymous option. You can dive deeper into creating and storing secure passwords, as well as different 2FA methods, in our dedicated blogposts.
Grant only the necessary app permissions
Every mobile app asks for permission to access certain features of your phone like Bluetooth, location, your camera, or your storage. Every extra “yes” you give expands the amount of data the app can scoop up.
We suggest being extra cautious about what you let these services see, especially when it comes to sex-toy apps. By tightening these permissions, you cut down on the amount of info that can be collected or shared without your say-so.
Take a second to think about the absolute bare minimum you’re willing to allow a sex-toy app to access. For example, there’s usually no reason for it to track your location or access your camera and mic. If you do want to upload photos, it’s better to grant access only to specific files rather than giving the app the keys to your entire photo library.
Stop apps from tracking your activity
In your iOS settings, you can block apps from collecting data about what you do and linking it to a single advertising ID. This practice, known as tracking, allows companies to stitch together data from different apps, websites, and services to build a comprehensive profile of you for targeted ads or behavioral analysis.
We strongly recommend disabling tracking for all sex-toy apps so that sensitive details about your private life don’t end up as part of your advertising profile.
Unfortunately, Android doesn’t have an exact equivalent for this setting. To minimize data collection on those devices, you’ll need to turn off ad personalization, and manually delete or reset your advertising ID every now and then. You can find more tips on dodging ad tracking in our dedicated guide.
Keep your apps and operating system up to date
Updates aren’t just about shiny new features; they also fix security bugs. Outdated versions of apps and operating systems often have vulnerabilities that hackers are just waiting to exploit.
Staying on top of your updates helps close these gaps, and lowers the risk of data breaches or unauthorized access. To make sure you don’t miss any critical fixes, it’s best to turn on automatic updates whenever possible.
Security is in your hands
Smart sex-toys and their companion apps naturally handle sensitive data, which means they require extra care when it comes to setup and daily use. That said, you can eliminate — or at least significantly reduce — most risks by following basic security rules. Essentially, it comes down to sharing as little personal info as possible with the app and, of course, using a rock-solid password.
Want more tips on keeping your intimate life private in the digital age? Check out these posts:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-13 11:06:382026-04-13 11:06:38How to protect your privacy while using smart sex toys | Kaspersky official blog
If you’ve been the victim of fraud, you’re likely already a lead on a ‘sucker list’ – and if you’re not careful, your ordeal may be about to get worse.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-11 05:06:282026-04-11 05:06:28Recovery scammers hit you when you’re down: Here’s how to avoid a second strike
At the NDSS Symposium 2026 in San Diego in February, a group of respected researchers presented a study unveiling the AirSnitch attack, which bypasses the Wi-Fi client isolation feature — also commonly known as guest network or device isolation. This attack allows connecting to a single wireless network via an access point, and then gaining access to other connected devices, including those using entirely different service set identifiers (SSIDs) on that same hardware. Targeted devices could easily be running on wireless subnets protected by WPA2 or WPA3 protocols. The attack doesn’t actually break encryption; instead, it exploits the way access points handle group keys and packet routing.
In practical terms, this means that a guest network provides very little in the way of real security. If your guest and employee networks are running on the same physical device, AirSnitch allows a connected attacker to inject malicious traffic into neighboring SSIDs. In some cases, they can even pull off a full-blown man-in-the-middle (MitM) attack.
Wi-Fi security and the role of isolation
Wi-Fi security is constantly evolving; every time a practical attack is made against the latest generation of protection, the industry shifts toward more complex algorithms and procedures. This cycle started with the FMS attacks used to crack WEP encryption keys, and continues to this day: recent examples include the KRACK attacks on WPA2, and the FragAttacks, which impacted every security protocol version from WEP all the way through WPA3.
Attacking modern Wi-Fi networks effectively (and quietly) is no small feat. Most professionals agree that using WPA2/WPA3 with complex keys and separating networks based on their purpose is usually enough for protection. However, only specialists really know that client isolation was never actually standardized within the IEEE 802.11 protocols. Different manufacturers implement isolation in completely different ways — using Layer 2 or Layer 3 of network architecture; in other words, handling it at either the router or the Wi-Fi controller level — meaning the behavior of isolated subnets varies wildly depending on your specific access point or router model.
While marketing claims that client isolation is perfect for keeping restaurant or hotel guests from attacking one another — or ensuring corporate visitors can’t access anything but the internet — in reality, isolation often relies on people not trying to hack it. This is exactly what the AirSnitch research highlights.
Types of AirSnitch attacks
The name AirSnitch doesn’t just refer to a single vulnerability, but a whole family of architectural flaws found in Wi-Fi access points. It’s also the name of an open-source tool used to test routers for these specific weaknesses. However, security professionals need to keep in mind that there’s only a very thin line between testing and attacking.
The model for all these attacks is the same: a malicious client is connected to an access point (AP) where isolation is active. Other users — the targets — are connected to the same SSID or even different SSIDs on that same AP. This is a very realistic scenario; for example, a guest network might be open and unencrypted, or an attacker could simply get the guest Wi-Fi password by posing as a legitimate visitor.
For certain AirSnitch attacks, the attacker needs to know the victim’s MAC or IP address beforehand. Ultimately, how effective each attack is depends on the specific hardware manufacturer (more on that below).
GTK attack
After the WPA2/WPA3 handshake, the access point and the clients agree on a Group Transient Key (GTK) to handle broadcast traffic. In this scenario, the attacker wraps packets destined for a specific victim inside a broadcast traffic envelope. They then send these directly to the victim while spoofing the access point’s MAC address. This attack only allows for traffic injection, meaning the attacker won’t receive a response. However, even that is enough to deliver malicious ICMPv6 routing advertisements, or DNS and ARP messages to the client — effectively bypassing isolation. This is the most universal version of the attack working on any WPA2/WPA3 network that uses a shared GTK. That said, some enterprise-grade access points support GTK randomization for each individual client, which renders this specific method ineffective.
Broadcast packet redirection
This version of the attack doesn’t even require the attacker to authenticate at the access point first. The attacker sends packets to the AP with a broadcast destination address (FF:FF:FF:FF:FF:FF) and the ToDS flag set to 1. As a result, many access points treat this packet as legitimate broadcast traffic; they encrypt it using the GTK, and blast it out to every client on the subnet, including the victim. Just like in the previous method, traffic specifically meant for a single victim can be pre-packaged inside.
Router redirection
This attack exploits an architectural gap between Layer 2 and Layer 3 security found in some manufacturers’ hardware. The attacker sends a packet to the access point, setting the victim’s IP address as the destination at the network layer (L3). However, at the wireless layer (L2), the destination is set to the access point’s own MAC address, so the isolation filter doesn’t trip. The routing subsystem (L3) then dutifully routes the packet back out to the victim, bypassing the L2 isolation entirely. Like the previous methods, this is another transmit-only attack where the attacker can’t see the reply.
Port stealing to intercept packets
The attacker connects to the network using a spoofed version of the victim’s MAC address, and floods the network with ARP responses claiming, “this MAC address is on my port and SSID”. The target network’s router updates its MAC tables, and starts sending the victim’s traffic to this new port instead. Consequently, traffic intended for the victim ends up with the attacker — even if the victim is connected to a completely different SSID.
In a scenario where the attacker connects via an open, unencrypted network, this means traffic meant for a client on a WPA2/WPA3-secured network is actually broadcast over the open air, where not only the attacker but anyone nearby can sniff it.
Port stealing to send packets
In this version, the attacker connects directly to the victim’s Wi-Fi adapter, and bombards it with ARP requests spoofing the access point’s MAC address. As a result, the victim’s computer starts sending its outgoing traffic to the attacker instead of the network. By running both stealing attacks simultaneously, an attacker can, in several scenarios, execute a full MitM attack.
Practical consequences of AirSnitch attacks
By combining several of the techniques described above, a hacker can pull off some pretty serious moves:
Complete bidirectional traffic interception for a MitM attack. This means they can snatch and modify data moving between the victim and the access point without the victim ever knowing.
Hopping between SSIDs. An attacker sitting on a guest network can reach hosts on a locked-down corporate network if both are running off the same physical access point.
Attacks on RADIUS. Since many companies use RADIUS authentication for their corporate Wi-Fi, an attacker can spoof the access point’s MAC address to intercept initial RADIUS authentication packets. From there, they can brute-force the shared secret. Once they have that, they can spin up a rogue RADIUS server and access point to hijack data from any device that connects to it.
Exposing unencrypted data from “secure” subnets: Traffic that’s supposed to be sent to a client under the protection of WPA2/WPA3 can be retransmitted onto an open guest network, where it’s essentially broadcast for anyone to hear.
To pull off these attacks effectively, a hacker needs a device capable of simultaneous data transmission and reception with both the victim’s adapter and the access point. In a real-world scenario, this usually means a laptop with two Wi-Fi adapters running specifically configured Linux drivers. It’s worth noting that the attack isn’t exactly silent: it requires a flood of ARP packets, it can cause brief Wi-Fi glitches when it starts, and network speeds might tank to around 10Mbps. Despite these red flags, it’s still very much a practical threat in many environments.
Vulnerable devices
As part of the study, several enterprise and home access points and routers were put to the test. The list included products from Cisco, Netgear, Ubiquiti, Tenda, D-Link, TP-Link, LANCOM, and ASUS, as well as routers running popular community firmware like DD-WRT and OpenWrt. Every single device tested was vulnerable to at least some of the attacks described here. Even more concerning, the D-Link DIR-3040 and LANCOM LX-6500 were susceptible to every single variation of AirSnitch.
Interestingly, some routers were equipped with protective mechanisms that blocked the attacks, even though the underlying architectural flaws were still present. For example, the Tenda RX2 Pro automatically disconnects any client whose MAC address appears on two BSSIDs simultaneously, which effectively shuts down port stealing.
The researchers emphasize that any network administrator or IT security team serious about defense should test their own specific configurations. That’s the only way to pinpoint exactly which threats are relevant to your organization’s setup.
How to protect your corporate network from AirSnitch
The threat is most immediate for organizations running guest and corporate Wi-Fi networks on the same access points without additional VLAN segmentation. There are also significant risks for companies using RADIUS with outdated settings or weak shared secrets for wireless authentication.
The bottom line is that we need to stop viewing client isolation on an access point as a real security measure, and start seeing it as just a convenience feature. Real security needs to be handled differently:
Segment the network using VLANs. Each SSID should have its own VLAN, with strict 802.1Q packet tagging maintained all the way from the access point to the firewall or router.
Implement stricter packet inspection at the routing level — depending on the hardware capabilities. Features like Dynamic ARP Inspection, DHCP snooping, and limiting the number of MAC addresses per port help defend against IP/MAC spoofing.
Enable individual GTK keys for each client, if your equipment supports it.
Use more resilient RADIUS and 802.1X settings, including modern cipher suites and robust shared secrets.
Log and analyze EAP/RADIUS authentication anomalies in your SIEM. This helps track many attack attempts beyond just AirSnitch. Other red flag events to watch for include the same MAC address appearing on different SSIDs, spikes in ARP requests, or clients rapidly jumping between BSSIDs or VLANs.
Apply security at higher levels of the network topology. Many of these attacks lose their punch if the organization has universally implemented TLS and HSTS for all business application traffic, requires an active VPN for all Wi-Fi connections, or has fully embraced a Zero Trust architecture.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-10 18:06:372026-04-10 18:06:37How to protect your organization from AirSnitch Wi-Fi vulnerabilities | Kaspersky official blog
One of the clearest trends in the 2025 Talos Year in Review is just how quickly vulnerabilities are now being turned into working exploits. What used to take weeks or months is now happening in days, sometimes hours — and in some cases, exploitation is beginning almost immediately after vulnerability details are made public.
The process of exploitation itself is changing. With the increasing availability of proof-of-concept code, automation, and AI-assisted tooling, certain vulnerabilities can very quickly become weaponized, which is what we saw with React2Shell.
At the same time, the data shows that attackers are not just chasing new vulnerabilities. They are consistently targeting what is exposed, accessible, and valuable.
On one end of the spectrum, near-instant exploitation. On the other, long-standing vulnerabilities that remain unaddressed.
Attackers are using a combination of speed, scale, and accessibility to reduce the window defenders have to respond, while increasing the impact when they can’t.
In the latest episode of the Talos Threat Perspective, we explore what the ‘industrialization of exploitation’ looks like in practice, and what it means for defenders trying to prioritise risk in an increasingly compressed timeline.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-10 16:06:342026-04-10 16:06:34[Video] The TTP Ep. 22: The Collapse of the Patch Window
Welcome to this week’s edition of the Threat Source newsletter.
“Study hard what interests you the most in the most undisciplined, irreverent and original manner possible.” ― Richard Feynman
“I had discovered that learning something, no matter how complex, wasn’t hard when I had a reason to want to know it.” ― Homer Hickam, Rocket Boys
*looks around at – gestures – everything*
*opens a new tab in the browser, takes in the newest news on AI, a new tab on supply chains, a new tab on vulnerability, and a new tab on active exploitation and zero-days*
*closes tabs and throws laptop into the nearest bin, à la Ron Swanson*
*opens other laptop, avoids the internet*
*puts on headphones for deep work binaural audio*
*cracks knuckles*
I’m often asked about why I bring up board games and video games when interviewing perspective analysts or threat hunters, so I’m going to give the 8,000 foot view on my thoughts. With everything that is going on, now more than ever we need the most curious people on the planet on our side.
What’s the very first and most important step to securing any environment? Knowing the environment, inside and out. When you play any gameyou must understand the rules: the standard opening moves of chess, or Go, or perhaps the common resource-gathering patterns in strategy games. Once you understand what “normal” play looks like, you can immediately spot when an opponent makes a move that is inefficient or unusual — an anomalous trigger that, if spotted, can lead to victory.
When experienced players recognize patterns (a specific chess gambit, a defensive build in a strategy game, etc.), they don’t just react to the current move — they predict several moves into the future from both players, especially if they know their opponents’ tendencies. As players gain experience and play against other skilled players, they begin involving feints or decoys (false flags, if you will). A player might sacrifice a minor piece to distract you from their true objective. Learning to look past that “noise” to find the real motivation is the key to taking your experience and skill to the next level.
Threat actors rarely follow a predictable script. They constantly evolve tactics, techniques, and procedures (TTPs). Developing the mental flexibility to handle those unexpected, non-standard behaviors is essential in identifying the unknowns.
The transition from board games to threat hunting is rooted in the development of critical thinking and situational awareness. While board games provide a controlled environment to practice these skills, the core competency — that ability to identify the why behind a deviation — is exactly what will make you a successful threat hunter.
“I prefer to speak in metaphor: That way, no logic can trap me, and no rule can bind me, and no fact can limit me or decide for me what’s possible.” ― Claire Oshetsky, Chouette
The one big thing
Cisco Talos has observed threat actors weaponizing legitimate SaaS notification pipelines, such as those in GitHub and Jira, to deliver phishing and spam emails. By leveragingthese platforms’ official infrastructure, attackers bypass traditional email authentication protocols like SPF, DKIM, and DMARC. This “Platform-as-a-Proxy” (PaaP) technique exploits the implicit trust organizations place in system-generated notifications to facilitate credential harvesting. These campaigns effectively mask malicious intent behind the reputation of trusted enterprise tools.
Why do I care?
Traditional email security gateways are often blind to these attacks because the emails are technically authenticated and originate from verified, trusted domains. This technique exploits “automation fatigue,” where users are conditioned to reflexively trust system-generated alerts from business-critical platforms. Consequently, attackers can bypass standard perimeter defenses, making it harder to distinguish between legitimate business communications and sophisticated phishing attempts.
So now what?
Transition to a Zero-Trust approach by implementing instance-level verification and cross-referencing notifications against internal SaaS directories. Security teams should ingest SaaS API logs into their SIEM to detect anomalous precursor activities, such as suspicious project creation or mass invitations. Additionally, introduce friction for high-risk interactions by requiring out-of-band verification and apply semantic intent analysis to identify notifications that deviate from a platform’s established functional baseline.
Top security headlines of the week
Tech giants launch AI-powered “ProjectGlasswing” Major technology companies have joined forces in an effort to use advanced artificial intelligence to identify and address security flaws in the world’s most critical software systems. (CyberScoop)
Russian government hackers broke into thousands of home routers to steal passwords Fancy Bear, or APT 28, is known for its high-profile hacks and spying operations, including the breach of the U.S. Democratic National Committee in 2016 and the destructive hack that hit satellite provider Viasat in 2022. (TechCrunch)
Storm-1175 deploys Medusa ransomware at “high velocity” Storm-1175 has rapidly exploited more than a dozen n-days, the most recent of which is CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of the vendor’s Privileged Remote Access. (Dark Reading)
North Korean hackers poseastrading firm to steal $285M from Drift A group of individuals approached Drift staff at a “major crypto conference,” presenting as a professional quantitative trading firm. They went so far as to deposit $1M of their own money into a Drift Ecosystem Vault between December 2025 and January 2026. (HackRead)
Telehealth giant Hims & Hers says its customer support system was hacked A spokesperson for Hims & Hers said the company was hit by a social engineering attack, and the stolen data “primarily included customer names and email addresses.” (TechCrunch)
Can’t get enough Talos?
New Lua-based malwareobservedin targeted attacks against Taiwanese organizations Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.”
Vulnerabilities old and new and something React2 2025 was characterized by an unending beat-down on infrastructure that relied on older enmeshed dependencies (e.g., Log4j and PHPUnit), while React2Shell rocketed to the highest percentage of attacks for the entire year within the last three weeks of the year.
From the field to the report and back again The same Year in Review report that Talos IR casework feeds into is the report that defenders should be feeding back into their own preparation cycles. Here’s how you can start.
Talos Takes:2025’sransomware trends and zombie vulnerabilities In this episode, Amy and Pierre Cadieux unpack the ransomware and vulnerability trends that defined 2025. From the persistent ransomware threats targeting the manufacturing sector to the rise of stealthy “living off the land” tactics, we break down what these shifts mean for your defense strategy.
Germany’s economy is a precision machine: finance fuels it, manufacturing builds it, telecom connects it, IT optimizes it, and healthcare sustains it. The country sits at the crossroads of industrial power and digital transformation, making it irresistibly attractive to attackers.
In this article, we explore real-world attacks targeting five critical German industries, analyzed by ANY.RUN’s analysts using Interactive Sandbox and Threat Intelligence Lookup. Each case is not theory. It is a live wire, recently observed, carefully dissected.
Executive Summary
Germany’s top industries are under coordinated pressure, not isolated attacks.
Identity is the new perimeter: attackers are bypassing infrastructure defenses by hijacking sessions and abusing legitimate authentication flows.
Phishing has evolved into real-time session interception, rendering traditional MFA insufficient on its own.
Attackers adapt lures to business context, increasing success rates against employees.
Threat intelligence is no longer optional: it is critical for reducing detection time, preventing escalation, and protecting revenue
Germany’s Digital Landscape: A High-Value Target
Why Germany?
Largest economy in Europe with strong global ties;
Highly digitized enterprise sector;
Deep reliance on Microsoft 365, cloud services, and SaaS ecosystems;
Critical industries interconnected across supply chains.
Germany’s industrial backbone — the Mittelstand of small and medium-sized enterprises, alongside globally recognized corporations in chemicals, automotive, and engineering — represents a vast attack surface. These organizations often store sensitive IP, manage critical infrastructure, and handle large financial transactions, yet historically have underinvested in cybersecurity relative to their size and importance.
Geopolitics adds fuel to the fire provoking a sharp increase in professional, often state-directed attacks by APT groups (Advanced Persistent Threats) linked to geopolitical conflicts. Germany’s role in the EU, NATO, and global trade makes it a high-value intelligence target for foreign actors.
In 2024, cyberattacks caused approximately €178.6 billion in financial losses to German businesses, equivalent to 67% of all damage from corporate crime. (Bitkom).
83% of German businesses fell victim to ransomware in 2024, according to the Cyber Security Report 2025 by Schwarz Digits.
The BSI’s 2024/2025 reports describe the IT security situation as “tense,” with 309,000 new malware variants appearing daily, ransomware attacks up 77%, and 22 state-sponsored APT groups active on German soil.
Phishing remains the most prevalent attack vector. The BSI confirmed that phishing attacks expanded well beyond the financial sector in 2024, with attackers impersonating streaming services, logistics firms, government agencies, and enterprise software platforms like Microsoft 365.
How German Companies Can Discover Industry-Specific Cyberattacks
ANY.RUN’s Threat Intelligence Lookup, a searchable database of threat data from live malware analysis by a community of over 15K SOC teams, supports the mapping of attack indicators to specific sectors and regions.
A local cyberthreat landscape can be revealed by combining lookups for an industry and a malware sample submission country, and by limiting the search period to see the most recent threats.
1. Finance: FlowerStorm Targets a German Investment Firm
Financial organizations in Germany operate in a high-trust, high-value environment:
Sensitive investment and client data;
Heavy use of cloud-based collaboration tools;
Strict compliance requirements
This makes employee credentials a golden key. Microsoft 365 credential theft is a dominant threat vector in this sector. Attackers seek to compromise corporate email accounts to intercept transactions, conduct Business Email Compromise (BEC) fraud, or use valid credentials as a launchpad for deeper network intrusion.
Threat in Focus: Spearphishing with FlowerStorm
FlowerStorm attack in ANY.RUN’s Interactive Sandbox
Target A German investment company managing portfolios in private equity, real estate, and hedge funds. The attack was precision-targeted: the victim’s corporate email address was embedded directly into the phishing link, encoded in Base64.
Email encoded in spearphishing link
Attack Type Spearphishing (targeted credential theft) for Microsoft 365 accounts. ANY.RUN’s sandbox classified this threat as FlowerStorm — a sophisticated phishing-as-a-service platform known for its multi-stage evasion techniques and precision targeting.
Kill Chain
In this case, the attacks starts with a malicious URL. However, as we can see in other analysis sessions, such links are usually delivered via phishing emails containing a PDF attachment. Inside the PDF is a QR code — a deliberate choice to bypass email-based URL scanners that cannot decode visual content.
The victim scans the QR code and is taken to a landing page with a salary-related lure.
Fake letter about a salary raise
The page loads a FingerprintJS script to profile the victim’s browser before showing any phishing content. This profiling helps attackers filter out security researchers and automated scanners.
Cloudflare Turnstile CAPTCHA is activated, blocking automated analysis tools and sandbox detection attempts.
The victim is redirected to the main phishing domain, which presents a pixel-perfect replica of the Microsoft 365 sign-in page, including a full OAuth flow simulation with client_id, redirect_uri, and response_type parameters.
Credentials entered by the victim are immediately exfiltrated to attacker-controlled infrastructure.
Why It Works FlowerStorm combines multiple layers of evasion (QR codes, browser fingerprinting, CAPTCHA, Base64 encoding) with surgical targeting. The salary-themed lure is psychologically effective: employees in a finance firm expect payroll-related communications, reducing suspicion. The Microsoft 365 OAuth imitation is technically convincing enough to fool even security-conscious users.
2. Healthcare: Microsoft OAuth Abuse Targets a Research Center
This creates a perfect storm for authentication abuse attacks.
Healthcare breaches carry compounded consequences: regulatory penalties under GDPR, reputational damage, potential disruption to patient care, and the loss of research data that may represent years of work and significant public investment.
Threat in Focus: Microsoft OAuth Abuse with Fake Outlook Login
Spearphishing attack personalized by email
Target Germany’s largest medical research center. The attack was highly targeted: the victim’s corporate email appeared in plaintext in the OAuth state parameter and in Base64 in the URL fragment of the phishing page.
Attack Type Phishing via Microsoft OAuth abuse combined with a fake Outlook login page. The attackers exploited Microsoft’s legitimate OAuth 2.0 authentication mechanism, substituting a malicious redirect_uri to capture credentials after the authentication handshake.
Kill Chain
The victim receives a link that begins as a legitimate request to login.microsoftonline.com. The redirect_uri, however, points to a compromised website. The state parameter contains the victim’s email address in plaintext.
If no active Microsoft session exists, Microsoft returns an error=interaction_required response and redirects the user to the redirect_uri, the compromised WordPress site (saicares.com.au), which loads an intermediate invoice.html page.
The intermediate page pulls content from ArDrive (a decentralized storage platform), adding another layer of obfuscation and hosting that is difficult to block.
The victim is redirected to ogbarberschool[.]com — the primary phishing page. The victim’s email appears in the URL fragment both in Base64 and in plaintext, creating a personalized login experience.
The phishing page contains obfuscated JavaScript and displays a convincing fake Outlook login form.
Forged Outlook page
Credentials entered by the victim are exfiltrated via a POST request to jewbreats[.]org/rexuzo/owa/apiowa[.]php. Suricata network rules flagged this as a suspicious unencrypted POST request transmitting an email address.
Personal data exfiltrated to attackers’ server
Why It Works This attack is particularly dangerous because it begins with a genuine Microsoft domain. A victim who inspects the initial link sees a legitimate login.microsoftonline.com URL, providing false reassurance. By the time the malicious redirect occurs, the victim is already engaged. The use of a compromised WordPress site and decentralized storage makes the infrastructure difficult to detect and take down quickly.
3. Technology: Reverse Proxy Phishing Targets an IT Company
IT companies:
Manage infrastructure and credentials;
Have privileged access across systems;
Are often stepping stones for supply chain attacks.
The sector’s familiarity with technology can create a paradoxical blind spot: IT professionals may be more likely to click links in emails that appear technical or work-related, assuming their technical knowledge makes them immune to social engineering.
Threat in Focus: EvilProxy + EvilGinx2 Combined Attack
Phishing detected by ANY.RUN Sandbox
Target A German IT company. The attack targeted a specific employee, whose email was extracted from the data parameter of a Microsoft Safe Links wrapper, indicating the attacker had prior visibility into the target’s email infrastructure.
Attack Type Phishing via a combination of EvilProxy and EvilGinx2: two reverse proxy tools used in tandem. EvilProxy serves as the primary credential harvesting platform, while EvilGinx2 handles session token interception. Together, they create a real-time proxy of Microsoft’s login infrastructure capable of bypassing multi-factor authentication.
Kill Chain
The victim receives a phishing email urging them to “Review document,” a work-relevant lure that fits the daily workflow of an IT professional.
Fake business email with call to action
The embedded link routes through a Mailchimp tracking URL (aviture[.]us7[.]list-manage[.]com), a legitimate email marketing service that lends the link apparent credibility and bypasses reputation-based URL filters.
Mailchimp redirects to larozada[.]com, a compromised WordPress site hosting an intermediate page with a Cloudflare Turnstile CAPTCHA.
After CAPTCHA verification, the victim is routed through a Cloudflare Workers serverless function, which performs additional routing to frustrate analysis and attribution.
The final destination is the main phishing domain (googlmicrozonfaceb0xfileshar3instacloud0fftkdoctormedixxqqw[.]digital) — an EvilProxy instance that reverse-proxies the real Microsoft Login page in real time. The victim sees an authentic Microsoft experience.
As the victim authenticates, EvilProxy intercepts the session cookie. The attacker now has a valid authenticated session. No password or MFA code required.
Why It Works The use of legitimate services (Mailchimp, Cloudflare Workers, WordPress) at each stage of the attack chain makes it nearly impossible for conventional email filters and web gateways to block. The final EvilProxy stage defeats MFA entirely by hijacking the post-authentication session rather than attempting to steal the second factor. This is an adversary-in-the-middle attack that neutralizes one of the most commonly recommended security controls.
Using TI Lookup, we can see that larozada[.]com is intensely correlated with this attack scenario:
Interactive Sandbox contains hundreds of malware samples using this domain
Integrate Threat Intelligence Feeds in your security stack to have it continuously updated with a real-time stream of indicators (domains, URLs, IPs) for early detection and timely response.
Protect revenue, reputation, and operations with enterprise-grade threat analysis and intelligence. Reduce risk with ANY.RUN
Sit at the heart of communications infrastructure;
Handle massive volumes of user data;
Operate complex, distributed environments.
Telecom companies are targeted for multiple strategic reasons: access to customer data at scale, the potential for SIM-swapping attacks, the ability to intercept communications, and the value of internal network access for espionage or infrastructure disruption.
Account takeover via Microsoft 365 credential theft is a priority threat for this sector, as telecom employees use cloud platforms extensively for internal communications, customer management, and operational coordination.
Threat in Focus: EvilProxy without personalization
Phishing page abusing Microsoft services
Target An employee of a German telecommunications company. Unlike the finance and healthcare cases, this campaign used a non-personalized phishing page (no email embedded in the URL) suggesting a broader campaign that may target multiple companies simultaneously rather than a single individual.
Attack Type Phishing via EvilProxy (Phishing-as-a-Service) — a commercial reverse proxy platform that proxies the real Microsoft login page in real time, intercepting session tokens and bypassing MFA without ever needing to steal a password.
Kill Chain
The victim receives a link pointing to portfolio-hrpcjqg[.]format.com/gallery — a legitimate portfolio hosting platform (Format.com). Using a reputable platform as the first hop bypasses domain reputation filters.
Non-personalized phishing page on a legitimate website
Format.com redirects to signin[.]securedocsportal.com/cyb3rusr131 — a phishing domain crafted to resemble a secure document signing portal, a plausible context for a telecom business user.
Cloudflare Turnstile CAPTCHA filters automated scanners and security tools.
After passing CAPTCHA, the victim reaches a page mimicking Microsoft 365 OAuth authorization, complete with client_id and redirect_uri parameters pointing to office.com for added legitimacy.
EvilProxy proxies the real Microsoft Login through its own subdomains, giving the victim a fully functional Microsoft login experience.
The victim enters credentials and completes MFA. EvilProxy intercepts the session cookie in real time, granting the attacker full authenticated access to the victim’s Microsoft 365 account without needing the password or MFA token.
Why It Works EvilProxy is commercially available as a service, dramatically lowering the skill threshold for attackers. The use of a legitimate portfolio platform as the initial URL makes detection by email gateways extremely difficult. The MFA bypass via session cookie theft is highly effective against organizations that believe MFA alone is sufficient protection.
5. Manufacturing: Brand-Impersonation and Teams Lure
Germany’s manufacturing sector:
Is globally dominant;
Relies on internal communication platforms;
Often integrates IT and OT environments.
Germany’s manufacturing sector is the engine of its economy, encompassing global leaders in chemicals, automotive, engineering, and consumer goods. They are also increasingly connected: Industry 4.0 technologies, IoT sensors, operational technology (OT), and cloud-integrated production systems have blurred the line between IT and physical operations.
The consequences of a successful attack extend beyond data loss to potential operational shutdown, physical equipment damage, and supply chain disruption.
Social engineering attacks targeting manufacturing employees are particularly effective because plant-floor and operations staff are not traditionally cybersecurity-trained, and Microsoft Teams has become a standard communication tool across these large organizations.
Threat in Focus: Teams Voice Message Phishing
Fake Microsoft Teams phishing attack
Target A large German industrial conglomerate, a global producer of chemical products and consumer goods. This attack was unusually specific: the phishing domains were registered to include the target company’s name, and the fake login page was styled to match the company’s Microsoft Teams branding — indicating advance reconnaissance.
Attack Type Phishing via EvilProxy using a Microsoft Teams voice message as bait. The attack was delivered via Amazon SES, a legitimate email delivery infrastructure, making it difficult for email security tools to flag based on sender reputation.
Kill Chain
The victim receives an email sent through Amazon SES, notifying them of a missed voice message in Microsoft Teams — a common notification that workers in large organizations receive regularly
Fake email voice message notification
The link leads to voicbx[.]com, a redirect service mimicking a Teams voice notification interface.
Redirects to noncrappyandroidapps[.]com for an anti-bot verification step.
TinyURL then routes the victim to teams-ms365[.]cloud, a phishing domain mimicking Microsoft Teams infrastructure.
The victim lands on a fake Teams voice message page, styled specifically to match the target company’s branding — a degree of customization that indicates prior research into the target.
When the victim attempts to play the voice message, they are redirected to EvilProxy domains that also contain the company’s name in the URL.
The victim enters their credentials into a fake Okta authentication page and completes MFA. EvilProxy intercepts the session cookie, granting the attacker full access to the corporate Microsoft 365 environment without requiring the password or MFA factor.
Why It Works The combination of a highly plausible lure (missed Teams voice message), delivery via Amazon SES (bypassing sender reputation filters), and company-branded phishing pages makes this attack unusually convincing. The use of Okta for the fake authentication page suggests the attackers were aware of the target company’s specific identity infrastructure.
Food for Thought: What CISOs Need to Be Aware Of
1. Five Critical German Industries Are Under Active Attack Right Now
All five cases have been collected between January and March 2026. Finance, healthcare, IT, telecommunications, and manufacturing, the five most economically significant sectors in Germany, are not theoretical targets. They are active targets. This is systematic pressure on the German economy, not isolated incidents.
ANY.RUN’s Threat Intelligence Lookup data reinforces this: searching for EvilProxy and FlowerStorm threats linked to German organizations over the past 60 days returned more than 220 analyses, confirming that these campaigns are ongoing and widespread.
Industries targeted by modern phishing campaigns in Germany
2. Selective Targeting Is a Growing Trend
Several of these attacks show clear signs of advance reconnaissance. Phishing domains were registered with the target company’s name embedded, pages were styled to match corporate branding, and victim email addresses were pre-loaded into URLs. This level of preparation (particularly in the manufacturing case) goes beyond generic mass phishing and suggests attackers are investing in targeted intelligence gathering before launching campaigns. Some cases also used universal phishing pages, indicating a mix of targeted and mass-scale approaches within the same threat actor ecosystem.
3. Social Engineering Is Being Adapted to Professional Context
The lures used in these attacks are not generic. A salary-themed document for a finance employee, a missed Teams voice message for a manufacturing executive, a “Review document” prompt for an IT professional. Attackers appear to be selecting bait that fits the professional context of their targets, increasing click rates and reducing suspicion. This contextual adaptation of social engineering is a significant evolution in phishing tradecraft.
4. Phishing-as-a-Service Platforms Have Democratized MFA Bypass
EvilProxy, EvilGinx2, and FlowerStorm are not bespoke tools used by elite threat actors. They are commercially available phishing platforms sold as services. This means the barrier to launching a sophisticated, MFA-bypassing attack against a German enterprise is now accessible to a broad range of cybercriminals. These platforms proxy real Microsoft login pages in real time, intercept session cookies after successful MFA completion, and provide the attacker with a fully authenticated session — all without ever knowing the victim’s password or one-time code.
Organizations that rely on MFA as their primary defense against credential theft need to understand that adversary-in-the-middle phishing renders standard MFA ineffective. Phishing-resistant MFA (such as FIDO2 hardware keys) and Zero Trust session validation are required to defend against these techniques.
Protecting High-Risk Organizations: A Practical Approach for Decision-Makers
For executives across finance, healthcare, telecom, IT, and manufacturing, cybersecurity is no longer just a technical function. It is a business continuity and risk management discipline.
The attacks described in this article share a common trait: they move fast, abuse trusted services, and bypass traditional defenses.
To counter this, organizations need more than tools. They need a workflow-driven approach, where threat intelligence and malware analysis directly improve how the SOC operates.
Here is how this translates into measurable protection across core SOC workflows.
1. Monitoring: Detect Earlier, Reduce Exposure
The Challenge: Detection gaps, delayed visibility into new campaigns, and high volumes of low-context alerts.
The Challenge: Limited visibility into attack scope and delayed containment decisions.
What to do:
Use Interactive Sandbox to analyze full attack chains (redirects, payloads, exfiltration);
Correlate findings with TI Lookup to understand spread and related infrastructure;
Generate detailed reports for response and compliance.
Incidents are no longer black boxes. Teams gain full kill-chain visibility within seconds and reduce response time significantly
Business impact:
Faster containment and remediation (90% of threats visible in 60 seconds);
Reduced operational disruption;
Lower likelihood of repeat incidents.
Executive outcome: minimized financial and operational impact from active threats.
4. Threat Hunting: Shift from Reactive to Proactive Security
The Challenge: Outdated data, manual validation, and lack of prioritization based on business risk.
What to do:
Use TI Feeds to track emerging threats targeting your industry and region;
Pivot with TI Lookup across related indicators and campaigns;
Use sandbox insights to refine detection logic and hunt hypotheses.
Threat hunting becomes data-driven and context-aware, leveraging live attack activity across thousands of organizations.
Business impact:
Detection of threats before alerts trigger;
Reduced attacker dwell time;
More precise prioritization of high-risk threats.
Executive outcome: improved risk visibility and proactive defense posture.
Operational Impact → Business Outcomes
When these capabilities are aligned across workflows, the effect compounds:
Operational gains:
Faster case processing (minutes saved per investigation);
Higher detection rates (up to +36%);
Fewer escalations and analyst overload;
Shorter incident lifecycle.
Business outcomes:
Reduced risk of breaches and account takeover;
Lower cost of security operations;
Minimized downtime and service disruption;
Stronger compliance and audit readiness;
The difference between a resilient organization and a vulnerable one is not whether attacks happen. It is whether your teams can see threats early, understand them instantly, and act before impact spreads.
By combining TI Feeds (visibility), TI Lookup (context), and Interactive Sandbox (depth), you turn security operations into a measurable business advantage, not just a defensive necessity.
Accelerate investigations and stop threats earlier.
Leverage sandbox visibility and TI to improve SOC performance.
The five attacks documented in this report share a common thread: they are sophisticated, targeted, and actively exploiting the trust that German employees place in familiar platforms like Microsoft 365, Outlook, and Teams. They represent a new generation of phishing campaigns that have moved far beyond bulk spam — into precision-engineered operations that research their targets, customize their lures, and deploy infrastructure specifically designed to survive detection.
The good news is that these attacks are detectable. ANY.RUN’s Interactive Sandbox can analyze suspicious URLs and files in real time, tracing every redirect, every script, every network connection in the attack chain. The Threat Intelligence Lookup provides historical context — showing how many organizations have seen the same indicators, which industries are most targeted, and what threat families are most active.
In an economy where a single successful breach can cost billions and disrupt national supply chains, visibility and speed of response will define resilience.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.
It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.
ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls.
FAQ
Why are German companies increasingly targeted by cybercriminals?
Germany’s strong economy, high digitalization, and reliance on cloud services make its organizations high-value targets with scalable attack surfaces.
What industries are most at risk?
Finance, healthcare, IT, telecom, and manufacturing show consistently high risk due to data sensitivity, operational complexity, and business impact.
What makes modern phishing attacks more dangerous?
They now use reverse proxy tools and OAuth abuse to capture authenticated sessions, allowing attackers to bypass MFA and access accounts in real time.
What is session hijacking and why does it matter?
Session hijacking allows attackers to steal active login sessions instead of credentials, granting immediate access without needing passwords again.
How does threat intelligence help prevent attacks?
It provides context, detection speed, and visibility into attacker infrastructure, enabling faster decisions and proactive defense.
What is the difference between TI Lookup and TI Feeds?
TI Lookup is used for investigating specific indicators in real time, while TI Feeds provide continuous streams of threat data for proactive blocking.
Can these attacks be stopped before impact?
Yes, with the right combination of threat intelligence, sandboxing, and fast-response workflows, organizations can detect and contain threats early.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-09 13:06:342026-04-09 13:06:34How Phishing Is Targeting Germany’s Economy: Active Threats from Finance to Manufacturing
![[Video] The TTP Ep. 22: The Collapse of the Patch Window](https://storage.ghost.io/c/af/a0/afa04ee3-414f-4481-8d23-7e7c146f192e/content/images/2026/04/YiR2025_cover_2x1-3.jpg)
