⚡ Weekly Recap: Critical SAP Exploit, AI-Powered Phishing, Major Breaches, New CVEs & More

⚡ Weekly Recap: Critical SAP Exploit, AI-Powered Phishing, Major Breaches, New CVEs & More

What happens when cybercriminals no longer need deep skills to breach your defenses? Today's attackers are armed with powerful tools that do the heavy lifting — from AI-powered phishing kits to large botnets ready to strike. And they're not just after big corporations. Anyone can be a target when fake identities, hijacked infrastructure, and insider tricks are used to slip past security unnoticed.

This week's threats are a reminder: waiting to react is no longer an option. Every delay gives attackers more ground.

⚡ Threat of the Week

Critical SAP NetWeaver Flaw Exploited as 0-Day — A critical security flaw in SAP NetWeaver (CVE-2025-31324, CVSS score: 10.0) has been exploited by unknown threat actors to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution. The attacks have also been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven's Gate to bypass endpoint protections.

Firewalls are Obsolete in the AI Era. It's Time for a Modern Security Approach

Companies need to rethink how they protect their private and public use of AI and how they defend against AI-powered attacks. Traditional firewalls, VPNs, and public-facing IPs expose your attack surface and are no match in the AI era. It's time for a modern approach with Zscaler Zero Trust + AI.

See "Zero Trust + AI" in Action ➝

🔔 Top News

• Darcula Phishing Kit Gets GenAI Upgrade — The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities to facilitate phishing form generation in various languages, form field customization, and translation of phishing forms into local languages. The updates further lower the technical barrier for creating phishing pages, making it quick and easy for even a novice criminal to set up complex smishing scams. The Darcula PhaaS suite is user-friendly. All that an aspiring scammer needs to do is sign up for the Darcula service, enter a legitimate brand site, and the platform will generate a bespoke, spoofed phishing version. "Darcula is not just a phishing platform; it's a service model designed for scale," Netcraft said. "Users pay for access to a suite of tools that enable impersonation of organizations in nearly every country. Built using modern technologies like JavaScript frameworks, Docker, and Harbor, the infrastructure mirrors that of legitimate SaaS companies."
• Contagious Interview Sets Up Fake Firms — North Korea-linked threat actors behind the Contagious Interview have set up front companies named BlockNovas LLC, Angeloper Agency, and SoftGlide LLC as a way to distribute malware during the fake hiring process. The activity exemplifies the sophisticated social engineering tactics employed by North Korean threat actors to lure developers. The disclosure comes as Pyongyang hackers are increasingly leveraging artificial intelligence as part of the fraudulent IT worker scheme. At the heart of these operations lies a comprehensive suite of AI-enhanced tools that work in concert and are used to create synthetic personas in order to sustain the deception. The facilitators utilize unified messaging services that provide a way to manage multiple personas across various communication channels simultaneously. These services also incorporate AI-powered translation, transcription, and summarization capabilities to help the IT workers communicate with their prospective employers.
• Suspected Russian Hackers Use New Tactic to Access Microsoft 365 Accounts — Multiple suspected Russia-linked threat actors like UTA0352 and UTA0355 are "aggressively" targeting individuals and organizations with ties to Ukraine and human rights with an aim to gain unauthorized access to Microsoft 365 accounts since early March 2025. "These recently observed attacks rely heavily on one-on-one interaction with a target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code," Volexity said. "These recent campaigns benefit from all user interactions taking place on Microsoft's official infrastructure; there is no attacker-hosted infrastructure used in these attacks."
• Threat Actors Exploit Google Infrastructure for Phishing Attack — Unknown threat actors have leveraged a novel approach that allowed bogus emails to be sent via Google's infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. The sophisticated phishing attack bypassed email authentication checks, and sought to trick email recipients into clicking on bogus links that are designed to harvest their Google Account credentials. Google has since plugged the attack pathway.
• Lotus Panda Targets Southeast Asia With Sagerunex — The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. The activity has been found to employ DLL side-loading techniques to drop a backdoor named Sagerunex, as well as two credential stealers ChromeKatz and CredentialKatz that are equipped to siphon passwords and cookies stored in the Google Chrome web browser. In recent months, a cyber espionage campaign known as Operation Cobalt Whisper has targeted multiple industries in Hong Kong and Pakistan, including defense, education, environmental engineering, electrotechnical engineering, energy, cybersecurity, aviation and healthcare, with phasing emails that serve as a conduit to deliver Cobalt Strike. The Pakistan Navy has also been targeted by a likely nation-state adversary to distribute a stealthy infostealer called Sync-Scheduler to the targeted victims. While the tactics exhibited in the campaign overlap with those of SideWinder and Bitter APT, there is no ample evidence to link it to a specific threat actor. And that's not all. Chinese cybersecurity researchers have been targeted by a Vietnamese threat group known as APT32 between mid-September and early October 2024 to deploy Cobalt Strike via trojanized GitHub projects.

‎️‍🔥 Trending CVEs

Attackers love software vulnerabilities—they're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week's list includes — CVE-2024-58136, CVE-2025-32432 (Craft CMS), CVE-2025-31324 (SAP NetWeaver), CVE-2025-27610 (Rack), CVE-2025-34028 (Commvault Command Center), CVE-2025-2567 (Lantronix Xport), CVE-2025-33028 (WinZip), CVE-2025-21204 (Microsoft Windows), CVE-2025-1021 (Synology DiskStation Manager), CVE-2025-0618 (FireEye EDR Agent), CVE-2025-1763 (GitLab), CVE-2025-32818 (SonicWall SonicOS), CVE-2025-3248 (Langflow), CVE-2025-21605 (Redis), CVE-2025-23249, CVE-2025-23250, and CVE-2025-23251 (NVIDIA NeMo Framework), CVE-2025-22228 (Spring Framework, NetApp), and CVE-2025-3935 (ScreenConnect).

📰 Around the Cyber World

• Lumma Stealer Adopts New Tricks to Evade Detection — The information stealer known as Lumma, which has been advertised as a Malware-as-a-Service (MaaS) starting at $250 a month, is being distributed extensively using various methods such as pirated media, adult content, and cracked software sites, as well as fake Telegram channels for such content to redirect users to fraudulent CAPTCHA verifications that leverage the ClickFix tactic to trick users into downloading and running the malware via PowerShell and MSHTA commands. The stealer, for its part, uses techniques like DLL side-loading and injecting the payload into the overlay section of free software to trigger a complex infection process. "The overlay section is typically used for legitimate software functionality, such as displaying graphical interfaces or handling certain input events," Kaspersky said. "By modifying this section of the software, the adversary can inject the malicious payload without disrupting the normal operation of the application. This method is particularly insidious because the software continues to appear legitimate while the malicious code silently executes in the background." Lumma Stealer has remained an active threat since its debut in 2022, continually receiving updates to evade detection through features like code flow obfuscation, dynamic resolution of API functions during runtime, Heaven's gate, and disabling ETWTi callbacks. It's also designed to detect virtual and sandbox environments. As of August 2023, Lumma Stealer team began testing an AI-based feature to determine if an infected user log is a bot or not. The widespread adoption of Lumma Stealer is also evidenced by the use of diverse infection vectors, which have leveraged the stealer to deliver additional payloads like Amadey. "The operators of LummaStealer run an internal marketplace on Telegram […] where thousands of logs are bought and sold daily," Cybereason said. "They also include features like a rating system to encourage quality sellers, advanced search options for both passwords and cookies, and a wide price range. Coupled with 24/7 support, the marketplace aims to provide a seamless experience for anyone trading stolen data, reflecting a trend seen across various Telegram and darknet-based stealer communities." According to data from IBM X-Force, there has been an 84% weekly average increase in infostealers delivered via phishing emails last year, compared to 2023.
• New SessionShark AiTM Phishing Kit Advertised — A new adversary-in-the-middle (AiTM) phishing kit called SessionShark O365 2FA/MFA is being showcased as a way for threat actors to bypass Microsoft 365 multi-factor authentication (MFA) protections. Ostensibly marketed for educational purposes to avoid liability, the service claims to be equipped with a range of anti-detection and stealth capabilities to avoid detection by bots and automated security scanners using CAPTCHA checks, integrate with Cloudflare's services, and access comprehensive logs via a dedicated panel. "This duplicitous marketing strategy is common in underground forums – it provides a thin veneer of deniability (to avoid forum bans or legal issues) but fools no one about the true purpose," SlashNext said. "Phrases like 'for educational purposes' or 'ethical hacking perspective' in the ad copy are a wink and nod to buyers that this is a hacking tool, not a classroom demo."
• Elusive Comet Abuses Zoom Remote Control Feature for Crypto Theft — Security researchers are calling attention to a campaign called Elusive Comet that employs sophisticated social engineering tactics with the goal of tricking victims into installing malware and ultimately stealing their cryptocurrency. Ostensibly operating a venture capital firm named Aureon Capital, the threat actor is estimated to be responsible for millions of dollars in stolen funds. "Elusive Comet maintains a strong online presence with extensive history in order to establish and maintain legitimacy," Security Alliance said. "This is accomplished by setting up polished websites and active social media profiles, as well as creating profiles which impersonate real people with notable credentials." Attacks commence with an outreach phase wherein potential victims are approached over Twitter DMs or email, inviting them to be a guest on their podcast or for an interview. The invitations are sent through Calendly links to schedule a Zoom meeting. Once the invite is accepted, victims are urged to join the Zoom call and share their screen to present their work, at which point the threat actors use the videoconferencing software to request control over the potential victim's computer by changing their display name to "Zoom" and make it appear as a system notification. Granting remote access allows Elusive Comet to install malware such as GOOPDATE for facilitating cryptocurrency theft, as highlighted by Jake Gallen, the chief executive of non-fungible token platform Emblem Vault who had over $100,000 of his personal assets stolen. The attacks have also been observed delivering information stealers and remote access trojans to enable data exfiltration. "What makes this attack particularly dangerous is the permission dialog's similarity to other harmless Zoom notifications," Trail of Bits said. "The Elusive Comet campaign succeeds through a sophisticated blend of social proof, time pressure, and interface manipulation that exploits normal business workflows." It's not clear who is behind the campaign, but evidence points to it being North Korea, which has been observed scheduling fake Zoom calls with targets under the pretext of meeting with venture capitalists or discussing a partnership opportunity, and deceiving them into installing malware to address non-existent audio issues.
• Power Parasites Goes After Bangladesh, Nepal, India — An active campaign is targeting individuals across Asian countries, including Bangladesh, Nepal, and India, with job and investment scams via combination of deceptive websites masquerading as energy firms and other major firms, social media groups, Youtube videos, and Telegram channels since September 2024. The activity cluster, which is designed to trick victims into parting with their banking details or personal financial information, has been codenamed Power Parasites. "These campaigns are typically shared with potential victims on social media networks, over email, or via direct messaging channels," Silent Push said.
• Several Extensions Found with Risky Features — Fifty-eight suspicious Google Chrome extensions have been discovered containing risky features, such as monitoring browsing behavior, accessing cookies for domains, altering search providers, and potentially executing remote scripts, according to Secure Annex researcher John Tuckner. The most interesting aspect of these extensions is that they are hidden, meaning they don't show up on Chrome Web Store searches, but they can be accessed should users have the direct URL. This indicates that threat actors are using unconventional ways to evade detection while aggressively pushing them through ads and malicious sites. The extensions have been cumulatively installed on roughly 5.98 million devices. A Google spokesperson told The Hacker News that "we're aware of the report and investigating."
• Mitre releases ATT&CK v17 — Mitre has released a new version of its ATT&CK framework, the compendium of adversary tactics and techniques it puts together to help defenders. The latest version introduces four new techniques targeting the VMware ESXi platform, while adapting 34 existing ones. Two notable changes include the renaming of Network platform to Network Devices to better reflect techniques used to target network devices such as routers, switches, and load balancers, and the merging of two sub-techniques DLL Side-Loading and DLL Search Order Hijacking into one category called "Hijack Execution Flow: DLL" by taking into account their overlapping nature. Also added to ATT&CK v17 is a technique named "Remote Access Tools: Remote Access Hardware" that highlights Democratic People's Republic of Korea (DPRK) remote work schemes.
• CISA Discontinues Use of Censys and VirusTotal — Hundreds of staff in the Cybersecurity and Infrastructure Security Agency (CISA) have been notified that the agency discontinued the use of Censys late last month and Google-owned VirusTotal on April 20, 2025. "We understand the importance of these tools in our operations and are actively exploring alternative tools to ensure minimal disruption," Nextgov quoted an email sent to CISA staffers. "We are confident that we will find suitable alternatives soon." The development days after the cybersecurity industry was sent into a tailspin after an internal memo from MITRE revealed that the U.S. would no longer support its flagship CVE Program. However, at the eleventh hour, CISA reversed course and extended the contract by about 11 months. "To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse," Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity, said. "There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure.
• How Windows PC Manager Could Be Hijacked — Cybersecurity researchers have outlined two scenarios where releases associated with the PC Manager tool, a software designed to help optimize and manage Windows computers, could have been hijacked by attackers via WinGet repository (ZDI-23-1527), 'aka.ms' URLs, and the official "pcmanager.microsoft[.]com" subdomain of Microsoft (ZDI-23-1528), due to overly permissive Shared Access Signature (SAS) tokens. Successful exploitation of the vulnerabilities to execute arbitrary code on customers' endpoints without requiring any authentication. "If an attack had been carried out, cybercriminals could have compromised software supply chains for distribution of malware, allowed them to replace software releases, and alter distributed PC Manager executables," Trend Micro said. The issues, both of which carry a CVSS score of 10.0, have since been addressed by Microsoft in October 2023.
• New Magecart Campaigns Observed in the Wild — A new credit card skimming (aka Magecart) campaign has been observed injecting malicious code into compromised e-commerce sites with the goal of intercepting payment data entered by users in checkout forms. The attacks involve gaining access to the sites' backend systems using credentials stolen through an information stealer, leveraging it to upload a malicious PHP page directly to the server. The PHP script acts as a web shell to gain remote control of the site and pollute the database by inserting a malicious JavaScript code. The JavaScript is designed to capture payment information, checking the validity of the numbers entered, and exfiltrate the information via a WebSocket connection and as an image. Credit card data stolen via web skimmers are typically sold on carding forums like Savastan0, where they are purchased by other threat actors to further criminal activity in exchange for a cryptocurrency payment. "Savastan0's rules establish that a buyer only has 10 minutes to use a checker, otherwise the card cannot be refunded," Yarix said. "Every check costs $0.30. Without making any transaction, card checker services may be used to 'soft check' the authenticity of cards. This lowers the possibility of alerting the legitimate owner to the activity or warning anti-fraud systems. It may also be used to infer expiration dates and CVV codes, among other missing information." The disclosure comes as Jscrambler detailed a stealthy web skimming campaign that infiltrated 17 Caritas Spain websites running WooCommerce using a modular kit designed to stay undetected while intercepting sensitive payment data. "The skimming campaign, like many, was executed in two stages," Jscrambler said. "Stage one served as the loader, laying the groundwork for the attack. Stage two held the skimmer logic itself, injected a fake payment form, and exfiltrated sensitive data." The exact initial infection vector remains unknown, although there is evidence pointing to the fact that the threat actors have persistent access to the WooCommerce installation. Jscrambler said the stolen card details are validated within 10 minutes of exfiltration, indicating some level of automation.
• 4Chan Makes a Return — Infamous imageboard site 4chan has come partly back online after a hack took the site down for nearly two weeks. In a post on its blog, it said "a hacker using a U.K. IP address exploited an out-of-date software package on one of 4chan's servers, via a bogus PDF upload. With this entry point, they were eventually able to gain access to one of 4chan's servers, including database access and access to our own administrative dashboard. The hacker spent several hours exfiltrating database tables and much of 4chan's source code." 4chan said the breached server has been replaced and that PDF uploads have been temporarily disabled on boards that supported the feature.
• SK Telecom Discloses Breach — SK Telecom, South Korea's largest mobile operator, has alerted customers that a malware infection allowed threat actors to access their sensitive USIM-related information. The company said it became aware of the incident on April 19, 2025, around 11 p.m. local time. SK Telecom, however, emphasized that there is no evidence the information has been misused in any manner. The attack has not been claimed by any known threat actor or group.
• New Flaws in Kentico Xperience CMS — Cybersecurity researchers have detailed a now-patched vulnerability in the Kentico Xperience content management system (CMS) application (CVE-2025-2748, CVSS score: 6.5) that results in a stored cross-site scripting (XSS) attack by taking advantage of the fact it does not fully validate or filter files uploaded via the multiple-file upload functionality. The bug essentially allows an attacker to distribute a malicious payload as an unauthenticated user when uploading multiple files to the application. This issue affects Kentico Xperience through 13.0.178. Also addressed by Kentico are three other vulnerabilities, WT-2025-0006 (authentication bypass), WT-2025-0007 (Post-authentication Remote Code Execution), and WT-2025-0011 (Authentication Bypass), that can achieve Remote Code Execution against fully-patched deployments.
• Indian Banks Ordered to Migrate to ".bank[.]in" Domains by October 31 — In Febraury 2025, India's central bank, the Reserve Bank of India (RBI), introduced an exclusive ".bank[.]in" internet domain for banks in the country to combat digital financial fraud. In a new directive issued last week, the RBI has urged banks to commence the migration to the new domain and complete the process by October 31, 2025. To that end, banks are required to contact the Institute for Development and Research in Banking Technology (IDRBT) to initiate the registration process.
• New DDoS Botnet Powered by 1.33 Million Devices — The largest ever DDoS botnet consisting of 1.33 million devices has been observed targeting the "Betting shops" microsegment and lasted approximately 2.5 hours in late March 2025. Over 50% of the compromised devices are located in Brazil, followed by Argentina, Russia, Iraq, and Mexico, per Qrator Labs. The disclosure coincided with an emerging threat campaign targeting poorly managed MS-SQL servers to deploy Ammyy Admin and PetitPotato malware for remote access and privilege escalation. "The attackers exploit vulnerable servers, execute commands to gather system information and use WGet to install the malware," Broadcom said. "They also enable RDP services and add new user accounts to maintain persistent access."
• Scallywag Uses Bogus WordPress Extensions For Ad Fraud — A collection of four WordPress plugins – Soralink, Yu Idea, WPSafeLink, and Droplink – collectively dubbed Scallywag is being advertised as a fraud-as-a-service operation to help monetize digital piracy and URL-shortening services. "These modules redirect users through one or more intermediary pages to request and render ads before delivering the promised content or shortened URL," the HUMAN Satori Threat Intelligence and Research Team said. At its peak, Scallywag accounted for 1.4 billion fraudulent bid requests a day across 407 cash out domains. The attack process begins with a user visiting a movie piracy catalog site. Once the content to be viewed is chosen, they are redirect a Scallywag-associated cashout blog loaded with ads before leading to their final destination, where the content is hosted. HUMAN said new cash out sites have emerged amid continued crackdown on the scheme, underscoring what appears to be a game of whack-a-mole with the fraudsters.
• Microsoft Officially Begins Recall Rollout — Microsoft has made available its artificial intelligence (AI) powered Recall feature on Copilot+ PC, nearly a year after it was announced to immense privacy and security backlash. The concerns led the company to make it an opt-in feature and rearchitect the system with improved controls to prevent unauthorized access. "We've implemented extensive security considerations, such as Windows Hello sign-in, data encryption and isolation in Recall to help keep your data safe and secure," Microsoft said. "Recall data is processed locally on your device, meaning it is not sent to the cloud and is not shared with Microsoft and Microsoft will not share your data with third-parties." Security researcher Kevin Beaumont said Microsoft has made "serious efforts" to address some of the substantive security complaints, but noted that filtering sensitive data from snapshots can be hit-or-miss.
• Cybercrime Costs Victims $16 billion in 2024 — The U.S. Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center, or IC3, recorded 859,532 complaints in 2024, of which 256,256 complaints led to a staggering loss of $16.6 billion, a 33% increase in losses from 2023. "Fraud represented the bulk of reported losses in 2024, and ransomware was again the most pervasive threat to critical infrastructure, with complaints rising 9% from 2023," IC3 said. "As a group, those over the age of 60 suffered the most losses and submitted the most complaints." Investment, business email compromise (BEC), tech support scams took the top three slots for the most loss. Hong Kong, Vietnam, Mexico, the Philippines, India, and China were the main international destinations for fraudulent wire transactions. Ransomware attack reports to the FBI totalled 3,156 in 2024, up from 2,825 in 2023 and 2,385 in 2022. As many as 67 new ransomware variants were recognized in 2024.
• Japan Warns of Unauthorized Stock Trading via Stolen Credentials — Japan's Financial Services Agency (FSA) is alerting users of unauthorized transactions on internet stock trading services using stolen credentials harvested from phishing websites impersonating their legitimate counterparts. There have been 1,454 fraudulent transactions to date. These unauthorized trading transactions are worth almost ¥100 billion ($700 million) since February.
• FBI Seeks Info on Salt Typhoon — The FBI said it's seeking information about a Chinese hacking group called Salt Typhoon and its compromise of U.S. telecom companies. "Investigation into these actors and their activity revealed a broad and significant cyber campaign to leverage access into these networks to target victims on a global scale," the agency said. "This activity resulted in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of select information subject to court-ordered US law enforcement requests."
• Privacy Watchdog Files GDPR Complaint Against Ubisoft — Austrian privacy non-profit noyb has accused French video game developer and publisher Ubisoft of violating the General Data Protection Regulation (GDPR) laws in the region by forces its customers to connect to the internet every time they launch a single player game even in scenarios where they don't have any online features. "This allows Ubisoft to collect people's gaming behaviour. Among other things, the company collects data about when you start a game, for how long you play it and when you close it," noyb said. "Even after the complainant explicitly asked why he is forced to be online, Ubisoft failed to disclose why this is going on." The complaint comes close on the heels of noyb calling out the complex "cooperation mechanism" to handle complaints between the Data Protection Authority (DPA) in the users' Member State and the DPA in the company's Member State. "This regulation could have been a game changer for exercising people's fundamental rights. Instead, it looks like it will waste thousands of hours in already overworked authorities by prescribing various useless and overly complex procedural steps, which translates to millions in taxpayer money," Max Schrems said. "At the same time, procedures will be slower and also more complex for business and citizens alike. Enforcement of GDPR rights of normal people will be even harder to reach."
• Flaw in SSL.com DCV Process — A flaw in SSL.com's domain control validation (DCV) process could have allowed attackers to bypass verification and issue fraudulent SSL certificates for any domain linked to certain email providers such as aliyun[.]com. A total of 11 certificates are said to have been issued in this manner.
• Asian Scam Operations Expand Globally — The United Nations Office on Drugs and Crime (UNODC) has revealed that scam centers run by East and Southeast Asian organized crime gangs have spread like a "cancer" in response to law enforcement efforts, resulting in a global expansion. Nigeria, Zambia, Angola, Brazil, and Peru are some of the new spillover sites where Asian-led groups have migrated to. "The dispersal of these sophisticated criminal networks within areas of weakest governance has attracted new players, benefited from and fueled corruption, and enabled the illicit industry to continue to scale and consolidate, culminating in hundreds of industrial-scale scam centres generating just under US $40 billion in annual profits," the UNODC said.

🎥 Cybersecurity Webinars

1. AI-Powered Impersonation Is Beating MFA—Here's How to Shut the Door on Identity-Based Attacks — AI-driven impersonation is making traditional MFA useless—and attackers are getting in without ever stealing a password. In this session, you'll learn how to stop identity-based attacks before they start, using real-time verification, access checks, and advanced deepfake detection. From account takeover prevention to AI-powered identity proofing, see how modern defenses can shut the door on imposters. Join the webinar to see it in action.
2. Smart AI Agents Need Smarter Security—Here's How to Start — AI agents are helping teams move faster—but without the right security, they can expose sensitive data or be manipulated by attackers. This session walks you through how to build AI agents securely, with practical steps, key controls, and overlooked risks you need to know. Learn how to reduce exposure without losing productivity, and keep your AI tools safe, reliable, and under control. Register now to start securing your AI the right way.

🔧 Cybersecurity Tools

• Varalyze — It is a unified threat intelligence toolkit that connects data from sources like AbuseIPDB, VirusTotal, and URLScan to streamline threat analysis. It automates intel gathering, speeds up triage, and generates clear, actionable reports — all in one simple, Python-powered platform.
• Cookiecrumbler — Tired of cookie pop-ups interrupting your browsing or breaking site functionality? Cookiecrumbler is a smart tool designed to automatically detect and analyze cookie consent notices on websites. Whether you're debugging web compatibility issues or identifying cookie banners that slip past existing blockers, Cookiecrumbler helps you spot them fast. It works as a web app, can run local crawls, and even integrates with other systems — no deep technical skills needed.
• Eyeballer — It is a smart tool for penetration testers that analyzes large batches of website screenshots to quickly identify high-value targets like login pages, outdated sites, and active web apps. Instead of wasting time on parked domains or harmless 404s, Eyeballer helps you focus on what's likely vulnerable, speeding up triage in wide-scope network tests. Just feed in your screenshots and let Eyeballer highlight what matters.

🔒 Tip of the Week

Don't Let Video Calls Become Backdoors — Attackers are now using fake meeting invites to trick people into giving them remote access during video calls. They set up fake interviews or business meetings, then request screen control — sometimes even changing their name to "Zoom" to make it look like a system message. If you click "Allow" without thinking, they can take over your computer, steal data, or install malware.

To stay safe, disable remote control features if you don't need them. On Zoom, turn it off in Settings under "In Meeting (Basic)." Always double-check who's asking for access, and never approve control just because it looks official. Use browser-based tools like Google Meet when possible — they're safer because they can't easily take control of your system.

For extra protection, Mac users can block Zoom (or any app) from getting special permissions like "Accessibility," which is needed for remote control. IT teams can also set this up across all company devices. And watch out for invites from odd emails or links — real companies won't use personal accounts or fake booking pages. Stay alert, and don't let a simple click turn into a big problem.

Conclusion

The most effective defenses often start with asking better questions. Are your systems behaving in ways you truly understand? How might attackers use your trusted tools against you?

Now is the time to explore security beyond technology — look into how your team handles trust, communication, and unusual behavior. Map out where human judgment meets automation, and where attackers might find blind spots.

Curiosity isn't just for research — it's a powerful shield when used to challenge assumptions and uncover hidden risks.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

________________________________________________________________________________________________________________________________
Original Article Published at The Hackers News
________________________________________________________________________________________________________________________________