
A retention-aware system turns a computer’s storage chip into a cybersecurity shield

Hackers are ruthless. They can take control of your computer, delete files and disappear without a trace. However, FIU cybersecurity researcher Weidong Zhu has discovered a way to turn a computer’s storage chip into an additional tool for cyber defense. Working with collaborators at the University of Florida, Zhu created a system that makes deleted data on these chips persist longer, extending the recoverable lifespan of your files in the critical window after your computer is compromised. The work is published in the Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security (CCS).

“Our system extends recoverable data history up to 126 days,” said Zhu, an assistant professor at FIU’s Knight Foundation School of Computing & Information Sciences whose work is part of the Center for Integrated Security, Privacy, and Trustworthy AI (CIERTA). “Even if your computer is infected, your data can survive on your drive.”

Storage devices such as solid-state drives (SSDs) have intrigued cybersecurity researchers for years. As hardware—not software—they offer unique safety benefits during an attack: the drive’s controller runs its own firmware below the host operating system, so malware that has compromised the host does not automatically control what the drive does with data it has been told to delete.

Dutch Authorities Dismantle Botnet Linked to 17 Million Infected Devices

Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices, to carry out malicious attacks.

The botnet, per the Dutch Politie and the National Cyber Security Centre (NCSC), consisted of at least 17 million infected devices. More than 200 servers located in the Netherlands acted as the platform’s backend infrastructure.

According to a statement issued by the NCSC, police seized a subset of these servers from the hosting provider that supplied the infrastructure. The provider is said to have then taken the botnet offline once its criminal use was established.

Critical Windows Netlogon RCE flaw now exploited in attacks

The Centre for Cybersecurity Belgium (CCB), the country’s national authority for cybersecurity, warned on Friday that threat actors are now exploiting a recently patched critical Windows Netlogon vulnerability in attacks.

Netlogon is a remote procedure call (RPC) interface and a core Microsoft Windows Server background service that authenticates services and users on Windows domain-based networks.

Microsoft patched this vulnerability (CVE-2026-41089) during the May 2026 Patch Tuesday, describing it as a stack-based buffer overflow in Windows Netlogon that allows an attacker without any privileges to gain remote code execution on targeted domain controllers.

WordPress malware campaign hides payloads in Steam profiles

Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data.

The threat actor used invisible Unicode characters to encode a payload that builds a URL to a malicious script. By leveraging Valve’s platform, the attacker avoids maintaining separate C2 infrastructure and evades detections that key on attacker-owned domains, since the beacon traffic goes to a legitimate, widely used site.

Since the campaign was first uncovered in July 2025, GoDaddy security engineers have found malware on approximately 1,980 WordPress websites.
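The encoding trick described above is a general one: a string of bits is mapped onto zero-width code points that render as nothing, then appended to ordinary visible text such as a profile comment. The following is an added example, not code from the GoDaddy report or from the campaign itself, showing a generic zero-width encoder and decoder alongside the check a defender would run over user-submitted text. The two-character alphabet, the wider list of invisible code points, and the sample comments are assumptions constructed for illustration; the page does not describe the campaign’s actual encoding scheme.

```python
# Added example (not the campaign's or GoDaddy's code): a generic
# zero-width-character encoder/decoder and a scanner that flags text
# carrying invisible code points. The alphabet and samples are assumptions.

ZERO_WIDTH = {
    "\u200b": "0",  # ZERO WIDTH SPACE
    "\u200c": "1",  # ZERO WIDTH NON-JOINER
}
BITS_TO_ZW = {v: k for k, v in ZERO_WIDTH.items()}

# Broader set of invisible code points worth flagging in user-submitted text.
INVISIBLE_CHARS = {
    "\u200b", "\u200c", "\u200d", "\u2060", "\u2061", "\u2062", "\u2063",
    "\u2064", "\ufeff", "\u180e", "\u00ad",
}


def encode_hidden(cover: str, payload: str) -> str:
    """Append the payload's UTF-8 bits, as zero-width characters, to the cover text."""
    bits = "".join(f"{b:08b}" for b in payload.encode("utf-8"))
    return cover + "".join(BITS_TO_ZW[bit] for bit in bits)


def decode_hidden(text: str) -> str:
    """Recover the payload by reading only the zero-width characters, in order."""
    bits = "".join(ZERO_WIDTH[ch] for ch in text if ch in ZERO_WIDTH)
    usable = len(bits) - len(bits) % 8  # drop a trailing partial octet
    octets = [bits[i:i + 8] for i in range(0, usable, 8)]
    return bytes(int(o, 2) for o in octets).decode("utf-8", errors="replace")


def strip_invisible(text: str) -> str:
    """Return the text a human actually sees (all invisible code points removed)."""
    return "".join(ch for ch in text if ch not in INVISIBLE_CHARS)


def scan_comments(comments):
    """Return (index, invisible-char count, visible text) for each suspicious comment."""
    findings = []
    for i, comment in enumerate(comments):
        hidden = sum(1 for ch in comment if ch in INVISIBLE_CHARS)
        if hidden:
            findings.append((i, hidden, strip_invisible(comment)))
    return findings


# Constructed sample: one benign comment and one carrying a hidden payload.
# The URL fragment uses the reserved .invalid TLD and is not a real indicator.
SAMPLE_COMMENTS = [
    "gg, nice trade",
    encode_hidden("+rep good trader", "example.invalid/loader.js"),
]

if __name__ == "__main__":
    for idx, count, visible in scan_comments(SAMPLE_COMMENTS):
        print(f"comment {idx}: {count} invisible chars, visible text {visible!r}")
        print("  decoded payload:", decode_hidden(SAMPLE_COMMENTS[idx]))
```

A practical caveat: U+200D (ZERO WIDTH JOINER) is legitimately used inside many emoji sequences, and U+00AD (SOFT HYPHEN) appears in some copy-pasted text, so a production scanner should alert on the ratio of invisible to visible characters, or on long unbroken runs of them, rather than on a single occurrence.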

ChatGPT share links abused to host fake outage pages to deliver malware

Threat actors are abusing ChatGPT’s content-sharing feature to display fake OpenAI outage pages that direct users to download malware disguised as the ChatGPT desktop application.

The “LLMShare” campaign, discovered by Push Security, uses Google ads to direct users searching for ChatGPT to a malicious shared ChatGPT page hosted on chatgpt.com, allowing the attack to be delivered through a legitimate OpenAI domain.

Users who click the advertisement are taken to a legitimate ChatGPT shared page, but instead of seeing a chat conversation, they are presented with a rendered outage notice claiming the web version is unavailable and that they should download the desktop application instead.

From $5 Attacks to Botnet-Powered Platforms: Inside the DDoS-as-a-Service Market

DDoS attacks are increasingly being sold like subscription services, complete with pricing tiers, support, and reseller programs. Flare explores how the DDoS-as-a-Service market has evolved from scattered tools into polished attack platforms.

Dutch govt disrupts malware botnet with 17 million infected devices

Dutch authorities have taken offline a massive botnet of 17 million devices and seized more than 200 servers at a local provider that supported the operation.

The action was carried out following an investigation from the Police in collaboration with the country’s cybersecurity agency, the National Cyber Security Centre (NCSC).

According to the authorities, the seized servers controlled “computers, tablets, and smartphones to carry out cyberattacks.”

Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware.

“The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints,” Arctic Wolf said. “Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell.”

The activity, observed by the cybersecurity company in May 2026, involves the exploitation of CVE-2026-35616 (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later.

GreyVibe hackers use ChatGPT, Gemini to power cyberattacks

A likely Russian threat group tracked as GreyVibe has been using AI-generated lures and a rich set of custom malware tools to target entities in the military, government, civilian, and business sectors.

The cyberespionage campaign has been active since at least August 2025 and appears to align with Russian state interests, although researchers cannot confidently classify it as a nation-state operation.

Cybersecurity company WithSecure discovered the activity in January this year and determined that its focus is on Ukrainian or Ukraine-related organizations.
