Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for India Introduces Bug ...

 Firewall Daily

The Unique Identification Authority of India has introduced a structured UIDAI bug bounty program designed to strengthen the cybersecurity of India’s Aadhaar ecosystem. The initiative is one of the authority’s first organized efforts to engage independent cybersecurity professionals and ethical hackers in   show more ...

identifying vulnerabilities across its digital platforms.  As part of the broader Indian government bug bounty efforts to protect critical digital infrastructure, the program invites experts to report potential security weaknesses before they can be exploited responsibly.  UIDAI Bug Bounty Program Targets Key Aadhaar Platforms  Under the new UIDAI bug bounty initiative, a panel of 20 experienced security researchers and ethical hackers has been selected to participate in the program. These experts will assess several critical digital assets managed by UIDAI, including the official website, the myAadhaar portal, and the Secure QR Code application used in Aadhaar authentication processes.  The researchers will examine these platforms to uncover potential vulnerabilities in the systems. Once a flaw is identified, participants must follow responsible disclosure practices by reporting it directly to UIDAI through the program’s official channels.  Each reported vulnerability will be evaluated and categorized by severity. Like other major Indian government bug bounty initiatives, the program uses a four-tier classification system: Critical, High, Medium, and Low risk. Rewards will be granted to participating researchers depending on the seriousness and potential impact of the discovered issue.  The Indian government has stated that the UIDAI bug bounty program is intended to proactively identify and address security gaps before they can be exploited by malicious actors.  Collaboration with Cybersecurity Firm  To manage and coordinate the initiative effectively, UIDAI is implementing the program in collaboration with ComOlho IT Private Limited, a cybersecurity solutions provider. The company will assist in overseeing the vulnerability submission process, coordinating with researchers, and supporting the overall management of the UIDAI bug bounty program.  The collaboration is expected to streamline communication between ethical hackers and government teams responsible for maintaining the Aadhaar infrastructure.  According to UIDAI, ensuring robust information security has become increasingly important as more services move to digital platforms. Aadhaar, which is used across numerous public and private services in India, requires a resilient cybersecurity framework to protect sensitive user data.  The authority already maintains multiple layers of protection across its systems. These include regular security audits, vulnerability assessments, penetration testing, and continuous monitoring of digital infrastructure. The UIDAI bug bounty program adds a defensive layer by enabling external experts to discover vulnerabilities that may not be detected during internal security checks.  By inviting independent researchers to test its systems, the Indian government's bug bounty initiative aims to enhance the resilience of Aadhaar’s digital architecture and ensure that potential weaknesses are addressed promptly.  Bug Bounty Program Becoming Standard Security Practice  The Ministry of Electronics and Information Technology (MeitY) noted that bug bounty programs are widely adopted by leading technology companies around the world to improve the security and reliability of digital systems. Through the UIDAI bug bounty program, the Indian government is applying similar practices within its public digital infrastructure.  The UIDAI bug bounty program also forms part of a broader network of Indian government bug bounty and vulnerability disclosure initiatives designed to safeguard digital infrastructure.  One of the key programs is run by the Indian Computer Emergency Response Team (CERT-In), which facilitates responsible vulnerability disclosure policies aimed at protecting the country’s “Digital India” infrastructure. CERT-In enables researchers to report vulnerabilities affecting government digital services.  Another initiative is managed by the National Critical Information Infrastructure Protection Centre (NCIIPC). The organization encourages security researchers to identify and report critical vulnerabilities in government websites and infrastructure, particularly those under the .gov.in domain.  In addition to these programs, specific platforms have also launched targeted bug bounty initiatives. For example, the government’s Aarogya Setu application previously ran a bug bounty program offering rewards of up to INR 1 lakh (1,083 USD) for valid vulnerability reports.  How Researchers Can Participate Participation in many Indian government bug bounty programs is open to cybersecurity professionals and ethical hackers. Vulnerabilities affecting government infrastructure can typically be reported through CERT-In’s disclosure channels.  For NCIIPC initiatives, researchers are required to complete a Vulnerability Disclosure Form and submit it via email to rvdp@nciipc.gov.in. Some programs, including the UIDAI bug bounty, may involve stricter eligibility requirements. In certain cases, researchers must demonstrate a strong track record in cybersecurity, such as appearing in the top 100 recognized bug bounty leaderboards.  Most Indian government bug bounty programs are free to participate in, and several offer monetary rewards for high-impact vulnerability discoveries. 

image for Who Is Handala — T ...

 Cyber Warfare

On the morning of March 11, employees at Stryker offices worldwide switched on their computers and found them blank — login screens replaced by a logo most had never seen. A small, barefoot boy with a slingshot, the symbol of Handala. The attack on Stryker Corporation — a Fortune 500 medical technology giant that   show more ...

supplies surgical equipment, orthopedic implants, and neurotechnology to hospitals globally — ranks as one of the most operationally destructive cyberattacks ever executed against a U.S. healthcare company. Stryker reported $25 billion in revenue in 2025 and employs approximately 56,000 people, with its products embedded in hospital supply chains worldwide. What hit it was not ransomware. The attackers came to destroy, not extort. Stryker confirmed the incident in a Form 8-K filing with the U.S. SEC, describing "a global disruption to the Company's Microsoft environment" and stating it had no indication of ransomware or malware and believed the incident was contained. The company's own filing, however, understated what employees were already reporting on the ground. Employees in the United States, Ireland, Costa Rica, and Australia reported that managed Windows laptops and mobile devices had been remotely wiped. "My wife had 3 Stryker managed devices wiped around 3:30 AM EDT. Their Entra login page was defaced with the Handala logo," a Reddit user said. Another claimed the situation as "bad" and said: "Many colleagues phones have been wiped. Instructed to remove intune, company portal, teams, VPN from personal devices. Personal phone so have lost access to my eSim. Unable to log in to many things due to 2-factor authentication. Have lost all personal data from personal devices that were enrolled and now unable to access emails and teams. Handala claimed to have wiped more than 200,000 systems, servers, and mobile devices and extracted 50 terabytes of data, forcing Stryker to shut down operations across 79 countries. Stryker in a midnight update said it was still working on complete restoration post the cyberattack. "We are continuing to resolve the disruption impacting our global network, resulting from the cyber attack.  At this time, there is no indication of malware or ransomware and we believe the situation is contained to our internal Microsoft environment only.  Our products like Mako, Vocera and LIFEPAK35 are fully safe to use.  We have visibility to the orders entered before the event, and they will be shipped as soon as our system communications are restored. Any orders that have come in after the event are being examined. We are working to ensure our electronic ordering system is back up and running as quickly as possible. It is safe to communicate with Stryker employees and sales representatives by email and phone, and within your facility." - Stryker's update on the cyberattack The mechanism behind the attack points to a calculated abuse of Microsoft Intune — a cloud-based platform enterprises use to manage and push policy updates to all enrolled devices from a single console. A wiper is malware that permanently erases data rather than encrypting it for ransom. In short, an attacker with admin-level access to Intune effectively is holding a kill switch for every enrolled endpoint in the organization. The Handala branding that appeared on screens before the wipe confirmed that access had been established and held well before the destructive phase began — this was a deliberate, staged operation. So Who Exactly is Handala? Handala — also known as Handala Hack Team, Hatef, and Hamsa — first surfaced in December 2023 as a hacktivist operation linked to Iran's Ministry of Intelligence and Security (MOIS), initially targeting Israeli organizations with destructive malware designed to wipe both Windows and Linux devices, explained researchers at AI-powered threat intelligence firm, Cyble. The group takes its name and visual branding from the iconic Palestinian cartoon character created by Naji al-Ali — a child refugee who never grows up and always turns his back to the viewer. The hacktivist branding, however, obscures a more serious intelligence attribution. Multiple threat intelligence firms assess Handala as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor optimized for psychological and reputational disruption — breaking into systems, conducting hack-and-leak activity, and timing the publication of stolen material to maximize pressure. Check Point Research found repeated overlaps between MuddyWater — another MOIS-affiliated group — and Void Manticore, including shared criminal tooling. Handala has used Rhadamanthys, a commercial infostealer sold on dark web forums, pairing it with custom data wipers in phishing lures that impersonated F5 software updates and even Israel's own National Cyber Directorate. Cyble has observed Handala hackers using Hamsa and Hatef data wipers in its previous campaigns targeted mainly at Israeli entities. [caption id="attachment_110112" align="aligncenter" width="500"] Source: Cyble Research and Intelligence Labs[/caption] Also read: Iran-linked Threat Group Handala Actively Targets Israel Void Manticore's attack playbook follows a consistent pattern of Handala too. Initial access through unpatched web servers, VPN gateways, and remote access solutions; lateral movement using living-off-the-land tools like PowerShell and scheduled tasks; and final-stage deployment of destructive wiper families designed to erase file systems and corrupt boot records. The group's prior targets read like a map of sensitive sectors. Since the start of the Iran-Israel war, Handala has claimed to have wiped Israeli military weather servers, intercepted security feeds in Jerusalem, stolen and wiped data from various companies, doxxed Israeli intelligence officers, and breached an Israeli oil and gas exploration company. Most recently, threat intelligence reporting documented the group publishing identifying details for 50 senior Israeli Air Force officers — names, IDs, addresses, and phone numbers. Handala stated the Stryker attack was carried out in retaliation for a U.S. military strike on a school in Minab, Iran, that reportedly killed more than 175 people, most of them children. [caption id="attachment_110115" align="aligncenter" width="500"] Stryker Cyberattack Claim by Handala (Source: X)[/caption] Stryker has no direct connection to military operations, though it did secure a $450 million Department of Defense contract in 2025 to supply medical devices to the U.S. military. That contract likely put a target on Stryker's back. Recent reporting indicates that MOIS-affiliated groups, including Handala, infiltrated U.S. and Israeli infrastructure weeks before the military operations conducted as part of Operation Epic Fury, suggesting pre-positioned access rather than reactive intrusion. In other words, Handala may have been inside Stryker's environment long before anyone noticed. Check Point researchers also observed Handala routing operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials — a deliberate technique to blend reconnaissance traffic into legitimate satellite internet usage and frustrate IP-based blocking. The hacker collective on Wednesday also claimed hacking another Israeli company Verifone, a leading provider of payment solutions and point-of-sale terminals to countries across the globe, but the company did not immediately respond to The Cyber Express to confirm or deny these reports until the time of publishing this article.

image for The State of Cyber W ...

 Firewall Daily

Cyber operations no longer occur only during wartime. Digital activity now runs continuously alongside diplomacy, sanctions, and military tensions. This has become particularly visible amid escalating hostilities involving Iran, Israel, and the United States, where intelligence agencies have warned of possible   show more ...

retaliatory cyber activity linked to the conflict. In this environment, cyber warfare 2026 is highlighted by persistent nation-state cyberattacks, covert intrusion campaigns, and strategic influence operations.  Governments, telecommunications networks, cloud platforms, and identity systems have become the primary targets. Threat researchers point to three converging factors: ongoing state-sponsored cyber threats, a mature cybercriminal ecosystem that sells infrastructure and access, and automation technologies that enable scalable phishing, impersonation, and cyber espionage 2026 operations.  These dynamics have turned cyberspace into a strategic domain of conflict. Espionage, disruption, influence operations, and financial crime frequently overlap, reflecting the realities of hybrid warfare cybersecurity. As geopolitical tensions rise, organizations face geopolitical cyber risk, where real-world conflicts are mirrored in the digital domain.  Cyber Warfare 2026: What We Know So Far  From 2025 to 2026, the global threat environment has produced several notable signals indicating how modern cyber conflict is evolving. Threat intelligence monitoring of underground forums revealed multiple offers of high-value system access throughout 2025. Examples include widely confirmed events, like on January 9, 2026, the cybercrime collective ShinyHunters published a manifesto alongside the leaked database of the BreachForums platform, exposing metadata for 323,986 users, including email addresses, hashed passwords, IP addresses, and registration details. Analysts believe some data may have been intentionally falsified for operational security.  Vulnerability exploitation also intensified. In February 2026, Microsoft patched six actively exploited zero-day vulnerabilities affecting components including SmartScreen, Windows Desktop Window Manager, and Remote Desktop Services. Soon afterward, the U.S. Cybersecurity and Infrastructure Security Agency added VMware Aria Operations vulnerability CVE-2026-22719 to its Known Exploited Vulnerabilities catalog due to confirmed exploitation in the wild.  By March 10, 2026, intelligence reporting warned of potential retaliatory cyber activity connected to escalating tensions involving Iran. Following the warning, cyber activity linked to the conflict increased across the Middle East. After the February 2026 U.S.–Israel strikes against Iranian targets, security researchers reported a surge of retaliatory cyber operations and hacktivist campaigns targeting organizations in Israel, the United States, and allied countries. Analysts tracked dozens of incidents ranging from distributed-denial-of-service attacks and website defacements to alleged data breaches claimed by pro-Iranian and pro-Palestinian hacker groups.  Several groups publicly promoted operations such as “#Op_Israel_USA,” claiming attacks against Israeli telecom services, government websites, and Western organizations. Hacktivist collectives, including Handala Hack and Dark Storm Team, used Telegram and underground forums to claim responsibility for disruptions and alleged system compromises.  Decoding Nation-State Cyberattacks  China-Linked Cyber Espionage Campaigns  Strategic espionage still exists as one of the most consistent features of cyber espionage in 2026. National threat assessments highlight that state actors, including China, are almost certainly attempting to cause a disruptive effect and manipulate industrial control systems in support of broader strategic goals.  Government networks, research institutions, and emerging technology sectors remain priority targets. Telecommunications infrastructure has also become a major collection point because it offers both intelligence visibility and operational leverage.  Threat intelligence summaries from the telecom sector, specifically, from Cyble’s Telecommunications Sector Threat Landscape Report 2025, documented 444 security incidents and 90 ransomware attacks against telecom companies in 2025 alone. The concentration of activity reinforces telecom networks as a strategic surveillance layer for nation-state cyberattacks.  Russia-Linked Operations and Military Intelligence Campaigns  Russian cyber operations have remained closely tied to geopolitical conflict, particularly in Europe and regions affected by the war in Ukraine. Security research identified activity consistent with the Russian threat group APT28 targeting government and military entities using a Microsoft Office vulnerability, CVE-2026-21509. The campaign reportedly involved a multi-stage attack chain designed to remain stealthy during post-exploitation phases.  Another example involved attackers weaponizing a previously patched WinRAR vulnerability (CVE-2025-8088). Even after patches become available, such flaws frequently remain exploitable due to slow enterprise patch adoption, making them attractive tools in state-sponsored cyber threats.  North Korea and Financially Motivated Cyber Operations  North Korean cyber activity continues to blur the line between espionage and organized crime. One of the most widely reported examples involved the attribution of a $1.5 billion cryptocurrency theft from Bybit in February 2025 to the Lazarus Group.  Financial theft serves both economic and strategic purposes for the North Korean state. At the same time, identity-based fraud has become another operational method.   The New Digital Battlefield  Critical infrastructure still exists a primary target in cyber warfare 2026, with industrial control systems (ICS) and operational technology networks at high risk of manipulation by state actors to disrupt public administration, utilities, and transportation systems.   While detailed technical disclosures of confirmed sabotage are limited, attackers increasingly focus on cloud and identity systems, exploiting stolen credentials, authentication tokens, and legitimate administrative tools to move laterally and gain broad access.   Supply chains further amplify systemic risk, as compromises of third-party vendors can cascade across multiple organizations, making supply-chain attacks an efficient vector for nation-state cyberattacks, particularly against critical infrastructure and government networks.  AI and the Evolution of Cyber Operations  Artificial intelligence is reshaping the cyber threat landscape, although its direct role in confirmed state operations remains difficult to measure.  Threat intelligence monitoring shows the rise of Deepfake-as-a-Service markets and advertisements offering identity verification bypass tools or synthetic video generation. In 2025, deepfakes were involved in more than 30 percent of high-impact corporate impersonation attacks.  Phishing campaigns are also becoming more automated. The CCAPAC Annual Report 2025 indicates that 82.6 percent of phishing emails now contain AI-generated elements, enabling attackers to scale highly convincing impersonation attempts.  Malware development may also be changing. Security researchers have reported experimental malware families capable of modifying behavior during attacks using language-model-based components. While technical documentation remains limited, such developments hint at how automation could shape future cyber warfare 2026 strategies.  Another area of rapid change is vulnerability discovery. AI-assisted code analysis has already demonstrated the ability to locate hundreds of severe software vulnerabilities in open-source projects within short timeframes, accelerating both defensive research and offensive exploitation.  The Vulnerability Landscape Driving Modern Cyber Conflict  Software vulnerabilities remain one of the most reliable entry points for attackers.  Examples from 2026 include:  CVE-2026-24423, a remote code execution vulnerability in SmarterMail exploited in ransomware campaigns.  CVE-2026-22719, a VMware Aria Operations command-injection flaw actively exploited in the wild.  CVE-2026-2441, the first actively exploited Chrome zero-day reported in 2026.  Security researchers documented 90 zero-day vulnerabilities exploited in 2025, nearly half of which targeted enterprise technology systems. The pace of discovery continues to accelerate. One vulnerability monitoring report tracked 1,782 vulnerabilities disclosed in a single week, including 282 public proof-of-concept exploits. This quick weaponization cycle increases geopolitical cyber risk, as attackers can quickly convert newly discovered flaws into operational tools.  Conclusion  In 2026, digital conflict is a permanent part of global competition, with state-sponsored cyber threats exploiting supply chains, identity systems, and critical infrastructure to expand geopolitical risk. Criminal ecosystems further blur espionage and financially motivated attacks, complicating attribution. Cyble delivers AI-powered threat intelligence and autonomous defense through platforms like Cyble Blaze AI, giving organizations real-time visibility, automated protection, and proactive mitigation. Book a personalized demo today to stay protected from modern cyber threats.  References:  https://cybersecuritynews.com/breachforums-hack/  https://thecyberexpress.com/microsoft-patch-tuesday-february-2026/  https://nvd.nist.gov/vuln/detail/CVE-2026-22719  https://abc17news.com/politics/national-politics/cnn-us-politics/2026/03/10/us-intelligence-community-ramps-up-warnings-of-possible-retaliatory-attacks-by-iran/  https://industrialcyber.co/reports/cyber-retaliation-surges-after-us-israel-strikes-on-iran-as-hacktivists-hit-governments-defense-critical-sectors/  https://www.intel471.com/blog/israeli-us-strikes-against-iran-triggers-a-surge-in-hacktivist-activity  https://cyble.com/resources/research-reports/telecommunications-sector-threat-landscape-report-2025/  https://www.helpnetsecurity.com/2026/02/03/russian-hackers-are-exploiting-recently-patched-microsoft-office-vulnerability-cve-2026-21509/  https://www.thaicert.or.th/en/2026/01/29/winrar-vulnerability-cve-2025-8088-continues-to-be-actively-exploited-by-hackers/  https://www.theguardian.com/world/2025/feb/27/north-korea-bybit-crypto-exchange-hack-fbi  https://ccapac.asia/wp-content/uploads/2025/10/CCAPAC_AnnualReport2025_AIcybersecTrendsThreatsSolutions.pdf  https://www.cybersecuritydive.com/news/half-exploited-zero-day-flaws-enterprise-grade-technology/814021/ 

image for Vulnerability in Med ...

 Firewall Daily

Security researchers have identified a serious Android phone vulnerability that could affect the global smartphone ecosystem. The flaw, discovered by the security research team at Ledger, may expose sensitive information from millions of Android smartphones powered by certain Android chipsets. According to   show more ...

researchers, the issue could potentially impact devices representing roughly 25% of Android phones worldwide.  The vulnerability involves specific Android chipsets produced by MediaTek and affects devices that use Trustonic’s Trusted Execution Environment (TEE). Researchers warned that attackers with brief physical access to a vulnerable device could extract sensitive data, including encryption keys and cryptocurrency wallet seed phrases, in less than a minute.  Android Phone Vulnerability Linked to Boot Chain Weakness  The security issue was identified by Ledger’s internal white-hat security unit, known as the Donjon team. Their investigation revealed that the Android phone vulnerability originates in the device’s boot chain, a critical security process that verifies system components when a phone powers on.  Normally, the boot chain ensures that each stage of the startup process is cryptographically validated before the next stage loads. This mechanism is designed to protect the device’s encryption keys and keep sensitive information secure until the operating system is fully loaded.  However, in certain Android smartphones powered by affected Android chipsets, researchers found that attackers could exploit a weakness before the Android operating system finishes loading. By connecting the phone to a computer via USB, an attacker could bypass several security protections.  The researchers demonstrated that this process allowed automated attempts to guess a user’s PIN, decrypt the phone’s storage, and recover sensitive information such as messages and cryptocurrency wallet seed phrases.  Proof-of-Concept Attack Completed in 45 Seconds  During a proof-of-concept demonstration, Ledger’s Donjon team showed how the Android phone vulnerability could be exploited in under a minute. In their test, a Nothing CMF Phone 1 was connected to a laptop using a USB cable.  Within 45 seconds, researchers were able to recover the device’s PIN code, decrypt its encrypted storage, and extract seed phrases from six cryptocurrency wallet applications: Trust Wallet, Base, Kraken Wallet, Rabby, Tangem, and Phantom.  The attack required only a brief physical connection to a computer and did not involve installing malware or interacting with the phone’s screen. Researchers noted that the vulnerability could allow attackers to obtain the root cryptographic keys responsible for securing full-disk encryption on affected Android smartphones. Once those keys are extracted, the phone’s data can be decrypted offline.  Android Chipsets and Devices Potentially Affected  The Android phone vulnerability specifically affects devices powered by certain MediaTek Android chipsets that rely on Trustonic’s Trusted Execution Environment. MediaTek processors are widely used in Android smartphones, particularly in the budget and midrange device segments.  Industry estimates suggest MediaTek chips power approximately one quarter of Android handsets worldwide, meaning the issue could potentially affect around 25% of Android phones, although not all devices using MediaTek hardware are vulnerable.  The vulnerability has been documented under security case number 2026-20435 in a MediaTek security bulletin. The company has already distributed a firmware fix to smartphone manufacturers, but the patch must be implemented and delivered to users through device updates.  Until those updates are installed, affected Android smartphones could remain vulnerable.  MediaTek confirmed that it provided a security fix to original equipment manufacturers (OEMs) in January.  Charles Guillemet, Chief Technology Officer at Ledger, emphasized that smartphones were never designed to function as highly secure storage systems for sensitive digital assets.  “Smartphones were never designed to be vaults,” Guillemet said.  He added: “If your crypto sits on a phone, it's only as safe as the weakest link in that phone's hardware, firmware, or software.”  Ledger advised users of potentially affected Android smartphones to install the latest available security updates as soon as they become available. 

image for India Outlines Legal ...

 Cyber News

As artificial intelligence (AI) continues to reshape how people interact with technology, the conversation around AI child safety in India is becoming increasingly important. From AI-powered toys to social media algorithms, digital technologies are now deeply embedded in the lives of children. While these tools can   show more ...

support learning and innovation, they also raise serious concerns around privacy, exploitation, and online harm. The Indian government says it is aware of these risks. In a recent statement in Indian Parliament, Union Minister for Electronics and IT Ashwini Vaishnaw listed a series of legal and regulatory safeguards designed to strengthen AI child safety in India and reduce potential risks from emerging technologies. The focus, officials say, is on ensuring that the growth of artificial intelligence does not come at the expense of children's online safety. AI Child Safety in India Backed by Existing IT Laws One of the strongest pillars supporting AI child safety in India is the long-standing Information Technology Act, 2000. The law requires online platforms to prevent the hosting or sharing of harmful content involving children, including sexually explicit material or content that promotes violence. Under the law and its associated rules, social media platforms must remove unlawful content quickly after receiving government or court notifications. In some sensitive cases, such as non-consensual intimate content—platforms are required to act within two hours. These provisions are particularly relevant in the AI era, where harmful content can spread rapidly across platforms or be generated using advanced technologies. Authorities say the law also requires platforms to report certain offences to authorities under legislation such as the Protection of Children from Sexual Offences Act, 2012, reinforcing the broader legal framework designed to protect minors online. Data Protection Rules Strengthen AI Governance in India Another key element supporting AI child safety in India is the Digital Personal Data Protection Act, 2023. The law introduces strict rules around how children’s personal data can be collected and used, including data gathered through emerging technologies such as AI-powered toys or apps. The law requires companies to obtain verifiable parental consent before processing a child’s personal data. It also places strong limits on practices such as behavioural tracking, targeted advertising, or monitoring directed at children. In practical terms, these rules are meant to ensure that AI systems interacting with children cannot quietly collect or exploit personal data without parental oversight. Responsible AI Development Remains a Policy Priority Beyond existing laws, the government has also issued India AI Governance Guidelines to encourage ethical and responsible AI development. These guidelines specifically recognize children as a vulnerable group that could face long-term harm from poorly designed AI systems. They recommend risk assessment frameworks and monitoring mechanisms to help policymakers identify potential AI-related harms early. The emphasis on responsible development reflects India’s broader AI strategy—one that aims to expand innovation while keeping citizens protected. As officials often emphasize, the country’s AI roadmap is closely aligned with Indian Prime Minister Narendra Modi’s vision of democratizing technology and ensuring that digital transformation benefits society as a whole. Cybercrime Reporting and Enforcement Measures Protecting children online is not just about policy. Enforcement tools also play a critical role in strengthening AI child safety in India. The government operates the Indian Cyber Crime Coordination Centre and the National Cyber Crime Reporting Portal, allowing citizens to report cybercrimes, including crimes targeting children. Authorities have also worked with internet service providers to block websites hosting child sexual abuse material using global databases maintained by organizations such as the Internet Watch Foundation. In addition, law enforcement agencies receive support through training programs and cyber forensic infrastructure funded under national cybercrime prevention initiatives. Awareness and Education Remain Essential Legal frameworks alone cannot guarantee AI child safety in India. Public awareness remains just as important. Government-backed programs such as Information Security Education and Awareness (ISEA) have conducted thousands of workshops across India, reaching students, teachers, police personnel, and members of the public. Research and guidance from bodies like the National Commission for Protection of Child Rights have also helped shape cyber safety guidelines for schools, parents, and educators. A Strong Framework, but Implementation Matters India now has a growing set of laws, policies, and awareness programs aimed at strengthening AI child safety in India. Taken together, these measures signal a clear attempt to build guardrails around emerging technologies. But regulations alone cannot solve the problem. As AI systems become more advanced, experts argue that enforcement, platform accountability, and digital literacy will be just as critical as legislation. Without strong implementation, even well-designed safeguards risk falling short. The challenge for India moving forward is to ensure that its ambition to lead in AI innovation does not outpace the protections needed for its youngest digital citizens.

image for AMOS and Amatera dis ...

 Business

We recently discussed how malicious actors are spreading the AMOS infostealer for macOS via Google Ads, leveraging a chat with an AI assistant on the actual OpenAI website to host malicious instructions. We decided to dig a little deeper, only to discover several similar malicious campaigns where attackers attempt to   show more ...

slip users malware disguised as popular AI tools through Google Search ads. If the victims are searching for macOS-specific tools, the payload deployed is the very same AMOS; if they’re on Windows, it’s the Amatera infostealer instead. These campaigns use the popular Chinese AI Doubao, the viral AI assistant OpenClaw, or the coding assistant Claude Code as bait. This means such campaigns pose a threat not only to home users but also to organizations. The reality is that corporate employees are increasingly using coding assistants like Claude Code, and workflow automation agents like OpenClaw. This brings its own set of risks, which is why many organizations have yet to officially approve (or pay for) access to such tools. Consequently, some employees take matters into their own hands to find these trendy tools, and head straight to Google. They type in a search query and are served a sponsored link leading to a malicious installation guide. Let’s take a closer look at how this attack plays out, using a Claude Code distribution campaign discovered in early March as an example. The search query So, a user starts looking for a place to download the Anthropic agent and types something like “Claude Code download” into the search bar. The search engine returns a list of links, with “sponsored links” (paid advertisements) sitting at the top. One of these ads leads the user to a malicious page featuring fake documentation. Interestingly, the site itself is built on Squarespace, a legitimate website builder that helps it bypass anti-phishing filters. Search results with ads in Romania and Brazil The attackers’ site meticulously mimics the original Claude Code documentation, complete with installation instructions. Just like the real deal, it prompts the user to copy and run a command. However, once executed, it installs not an AI agent but malware. Essentially, this is just another flavor of the ClickFix attack — one that has earned its own nickname: InstallFix. Malicious site mimicking installation instructions Genuine Claude Code site with installation instructions Malicious payload Just like with the original Claude Code, the command for macOS attempts to install an application using the curl command-line utility. In reality, it deploys the AMOS spyware — previously described by our experts on Securelist — which was used in a similar past campaign. In the case of Windows, the malware is installed using the system utility mshta.exe, which executes HTML-based applications instead of curl, which is used for the genuine Claude Code. This utility deploys the Amatera infostealer, which harvests browser data, crypto-wallet info, as well as information from the user folder, and sends it to a remote server at 144{.}124.235.102. How to keep your company safe Interest in AI agents continues to grow, and the emergence of new tools and their rising popularity are creating fresh attack vectors. Specifically, attempting to seek out third-party AI tools can not only jeopardize the source code of projects on the victim’s computer but also lead to the compromise of secrets, confidential corporate files, and user accounts. To prevent this from happening, the first step should be educating employees about these dangers and the tricks used by threat actors. This can be done using our training platform: Kaspersky Automated Security Awareness. Incidentally, it includes a specialized lesson on the use of AI in corporate environments. Additionally, we recommend protecting all corporate devices with proven cybersecurity solutions. We also suggest checking out our previously published article on three approaches to minimizing the risks of using shadow AI.

image for What Orgs Can Learn ...

 Feed

In this Reporters' Notebook, we discuss cyberattackers targeting the Milan-Cortina Winter Games, adding them to a long list of global sporting events in the crosshairs. Though the attack surface is grander, there are key defense takeaways for regular enterprises too.

 Cybercrime

The latest round of sanctions targeted Amnokgang Technology Development Company — a North Korean company that manages delegations of IT workers — and Quangvietdnbg International Services Company — a Vietnamese firm used by North Korean actors for currency conversion services.

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2025-68613 (CVSS score: 9.9), concerns a case of expression injection that leads to remote code execution. The security shortcoming was patched

 Feed

Apple on Wednesday backported fixes for a security flaw in iOS, iPadOS, and macOS Sonoma to older versions after it was found to be used as part of the Coruna exploit kit. The vulnerability, tracked as CVE-2023-43010, relates to an unspecified vulnerability in WebKit that could result in memory corruption when processing maliciously crafted web content. The iPhone maker said the issue was

 Feed

Cybersecurity researchers have discovered half-a-dozen new Android malware families that come with capabilities to steal data from compromised devices and conduct financial fraud. The Android malware range from traditional banking trojans like PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT to full-fledged remote administration tools such as SURXRAT. PixRevolution, according to

 Feed

Phishing has quietly turned into one of the hardest enterprise threats to expose early. Instead of crude lures and obvious payloads, modern campaigns rely on trusted infrastructure, legitimate-looking authentication flows, and encrypted traffic that conceals malicious behavior from traditional detection layers. For CISOs, the priority is now clear: scale phishing detection in a way that helps

 Feed

Another Thursday, another pile of weird security stuff that somehow happened in just seven days. Some of it is clever. Some of it is lazy. A few bits fall into that uncomfortable category of “yeah… this is probably going to show up in real incidents sooner than we’d like.” The pattern this week feels familiar in a slightly annoying way. Old tricks are getting polished. New research shows how

 Feed

The most dangerous phishing campaigns aren’t just designed to fool employees. Many are designed to exhaust the analysts investigating them. When a phishing investigation takes 12 hours instead of five minutes, the outcome can shift from a contained incident to a breach. For years, the cybersecurity industry has focused on the front door of phishing defense: employee training, email gateways that

 Feed

Cybersecurity researchers have disclosed details of a new banking malware targeting Brazilian users that's written in Rust, marking a significant departure from other known Delphi-based malware families associated with the Latin American cybercrime ecosystem. The malware, which is designed to infect Windows systems and was first discovered last month, has been codenamed VENON by Brazilian

 Feed

Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163. "Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take

 Law & order

A Wikipedia security engineer accidentally wakes a dormant JavaScript worm that hadn't stirred since 2024 - and within minutes, giant woodpecker images are plastered across the internet's favourite encyclopaedia. Meanwhile, a crypto contractor hired to help the US Marshals manage seized digital assets   show more ...

allegedly decides to help himself to $46 million of it - and then brags about it on a recorded Telegram call. Plus: Graham champions Asterix, Trisha discovers the fantasy novels of Robin Hobb, and someone called "Lick" ends up in the nick. All this, and much more, in episode 458 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Tricia Howard.

 Guest blog

Signal, the encrypted messaging app trusted by security-savvy users around the world, has confirmed that hackers have managed to takeover accounts - with government officials and journalists among those being targeted. Read more in my article on the Hot for Security blog.

2026-03
Aggregator history
Thursday, March 12
SUN
MON
TUE
WED
THU
FRI
SAT
March