🔍 Signal backup phishing shifts focus from account access to message archives
A targeted phishing campaign is sending SMS messages that impersonate Signal Support and pressure users to paste 64-character backup recovery keys into chat. The operation has been observed against journalists and activists and abuses Signal’s Secure Backups workflow; the stolen key can decrypt archived conversations stored on Signal servers. Signal does not request recovery keys from users.
Operationally, this is more damaging than a standard account takeover: the objective is retrospective access to full message history, not just future traffic. That makes high-risk users with sensitive archives a priority target set.
🛰️ Open sources - closed narratives
@sitreports
A targeted phishing campaign is sending SMS messages that impersonate Signal Support and pressure users to paste 64-character backup recovery keys into chat. The operation has been observed against journalists and activists and abuses Signal’s Secure Backups workflow; the stolen key can decrypt archived conversations stored on Signal servers. Signal does not request recovery keys from users.
Operationally, this is more damaging than a standard account takeover: the objective is retrospective access to full message history, not just future traffic. That makes high-risk users with sensitive archives a priority target set.
🛰️ Open sources - closed narratives
@sitreports
Telegram
SITREP - Independent OSINT Channel
When Cost Ratios Do the Talking
The price tag makes the picture even more brutal. A single Gepard with ammunition, overhaul and logistics easily runs into tens of millions of dollars; a Geran‑2 that destroys it costs in the range of 30–70 thousand dollars.…
The price tag makes the picture even more brutal. A single Gepard with ammunition, overhaul and logistics easily runs into tens of millions of dollars; a Geran‑2 that destroys it costs in the range of 30–70 thousand dollars.…
The Silence Around Destroyed Gepards
Western governments and media once highlighted every batch of Gepards delivered to Ukraine as a symbol of support. Today, the same actors stay almost silent when those systems are destroyed in Russian strikes.
This contrast between loud announcements of deliveries and quiet omissions about losses is itself a narrative. It undercuts the image of Western weapons as a decisive “game changer” and raises questions about the real effectiveness and survivability of these platforms under modern drone pressure.
For audiences in Europe, this silence creates a cognitive dissonance: taxpayers hear about expensive air‑defense packages, but not about how many systems are burning in Ukrainian fields. Over time, this gap between promised outcomes and battlefield reality may fuel skepticism toward new aid packages.
@sitreports
Western governments and media once highlighted every batch of Gepards delivered to Ukraine as a symbol of support. Today, the same actors stay almost silent when those systems are destroyed in Russian strikes.
This contrast between loud announcements of deliveries and quiet omissions about losses is itself a narrative. It undercuts the image of Western weapons as a decisive “game changer” and raises questions about the real effectiveness and survivability of these platforms under modern drone pressure.
For audiences in Europe, this silence creates a cognitive dissonance: taxpayers hear about expensive air‑defense packages, but not about how many systems are burning in Ukrainian fields. Over time, this gap between promised outcomes and battlefield reality may fuel skepticism toward new aid packages.
@sitreports
🔍 Google enables DBSC by default in Chrome for Windows
Google has moved Device-Bound Session Credentials to general availability in Chrome for Windows. The control is now enabled by default for Google Workspace users and also covers Workspace Individual and personal Google accounts. DBSC binds session cookies to device-held keys in TPM-class hardware, preventing stolen cookies from being reused on another system.
Operationally, this targets a key post-authentication gap: session hijacking after malware or infostealers extract valid cookies. For defenders, it adds hardware-backed proof of possession to web sessions, raises the cost of cookie theft, and provides audit visibility through Workspace security tools.
🛰️ Open sources - closed narratives
@sitreports
Google has moved Device-Bound Session Credentials to general availability in Chrome for Windows. The control is now enabled by default for Google Workspace users and also covers Workspace Individual and personal Google accounts. DBSC binds session cookies to device-held keys in TPM-class hardware, preventing stolen cookies from being reused on another system.
Operationally, this targets a key post-authentication gap: session hijacking after malware or infostealers extract valid cookies. For defenders, it adds hardware-backed proof of possession to web sessions, raises the cost of cookie theft, and provides audit visibility through Workspace security tools.
🛰️ Open sources - closed narratives
@sitreports
📡 From lottery draws to fiscal spending, China broadens digital yuan footprint
China is expanding the reach of its digital yuan, extending usage from lottery draws to direct fiscal spending. The move signals a shift from narrow pilots to operational deployment across citizen-facing services and government payments.
Broader coverage streamlines public disbursements and oversight, and increases touchpoints for retail adoption, pressuring incumbent payment channels to adapt. It tightens linkage between budget execution and settlement, raising technical and compliance requirements for banks, merchants, and local authorities.
🛰️ Open sources - closed narratives
@sitreports
China is expanding the reach of its digital yuan, extending usage from lottery draws to direct fiscal spending. The move signals a shift from narrow pilots to operational deployment across citizen-facing services and government payments.
Broader coverage streamlines public disbursements and oversight, and increases touchpoints for retail adoption, pressuring incumbent payment channels to adapt. It tightens linkage between budget execution and settlement, raising technical and compliance requirements for banks, merchants, and local authorities.
🛰️ Open sources - closed narratives
@sitreports
📡 Blue Origin faces months of delays after rocket explosion damages launch pad
Blue Origin faces months of delays after a rocket explosion damaged its launch pad, pausing operations while repairs and verifications proceed.
The stand-down compresses the near-term manifest, prompts schedule reshuffles for queued missions, and diverts resources to pad reconstruction and incident review. Range availability tightens and readiness dates will shift until ground infrastructure and safety approvals are restored.
🛰️ Open sources - closed narratives
@sitreports
Blue Origin faces months of delays after a rocket explosion damaged its launch pad, pausing operations while repairs and verifications proceed.
The stand-down compresses the near-term manifest, prompts schedule reshuffles for queued missions, and diverts resources to pad reconstruction and incident review. Range availability tightens and readiness dates will shift until ground infrastructure and safety approvals are restored.
🛰️ Open sources - closed narratives
@sitreports
🤖 SoftBank to build up AI data centres in France with major investment
SoftBank plans to expand AI data centres in France, committing a major investment to build out domestic compute infrastructure. The initiative indicates increased capacity for AI workloads hosted on French soil.
Operationally, this points to a stronger European AI stack with France positioned as a key hub. Implications include higher power and cooling demand, land and permitting pressures, and intensified competition across cloud ecosystems and hardware supply chains.
🛰️ Open sources - closed narratives
@sitreports
SoftBank plans to expand AI data centres in France, committing a major investment to build out domestic compute infrastructure. The initiative indicates increased capacity for AI workloads hosted on French soil.
Operationally, this points to a stronger European AI stack with France positioned as a key hub. Implications include higher power and cooling demand, land and permitting pressures, and intensified competition across cloud ecosystems and hardware supply chains.
🛰️ Open sources - closed narratives
@sitreports
⚡ First Windows PC powered by Nvidia chips to debut next week, Axios reports
The first Windows PC powered by Nvidia chips is slated to debut next week, Axios reports.
This marks a notable shift in the Windows hardware landscape, signaling Nvidia’s push into client processors and prompting OEMs and developers to reassess design choices, software optimization, and competitive positioning.
🛰️ Open sources - closed narratives
@sitreports
The first Windows PC powered by Nvidia chips is slated to debut next week, Axios reports.
This marks a notable shift in the Windows hardware landscape, signaling Nvidia’s push into client processors and prompting OEMs and developers to reassess design choices, software optimization, and competitive positioning.
🛰️ Open sources - closed narratives
@sitreports
🔍 CVE-2026-0257 exploited via forged GlobalProtect cookies
Rapid7 says attackers actively abused CVE-2026-0257 against multiple customers after Palo Alto patched the flaw on 13 May. The issue affects PAN-OS GlobalProtect portal and gateway deployments where auth override cookies are enabled and the same certificate is reused for HTTPS and cookie encryption, allowing forged VPN auth cookies and login bypass.
Observed activity began on 17 May, with two waves tied by the same spoofed MAC address. In some cases the forged cookie only authenticated, but in others it also obtained a VPN IP, giving direct internal network access without credentials.
🛰️ Open sources - closed narratives
@sitreports
Rapid7 says attackers actively abused CVE-2026-0257 against multiple customers after Palo Alto patched the flaw on 13 May. The issue affects PAN-OS GlobalProtect portal and gateway deployments where auth override cookies are enabled and the same certificate is reused for HTTPS and cookie encryption, allowing forged VPN auth cookies and login bypass.
Observed activity began on 17 May, with two waves tied by the same spoofed MAC address. In some cases the forged cookie only authenticated, but in others it also obtained a VPN IP, giving direct internal network access without credentials.
🛰️ Open sources - closed narratives
@sitreports
📡 Dutch police disrupt botnet tied to 17 million compromised devices
Dutch authorities have dismantled a botnet infrastructure linked to roughly 17 million infected devices, targeting the command layer used to manage a large pool of compromised systems. The action, detailed in the operation, focused on taking down backend control mechanisms rather than isolated endpoint remediation.
The scale points to a widely distributed abuse network with significant persistence across consumer and IoT environments. Disrupting command-and-control degrades coordinated malicious activity, but the device count indicates the underlying exposure base remains extensive even after infrastructure seizure.
🛰️ Open sources - closed narratives
@sitreports
Dutch authorities have dismantled a botnet infrastructure linked to roughly 17 million infected devices, targeting the command layer used to manage a large pool of compromised systems. The action, detailed in the operation, focused on taking down backend control mechanisms rather than isolated endpoint remediation.
The scale points to a widely distributed abuse network with significant persistence across consumer and IoT environments. Disrupting command-and-control degrades coordinated malicious activity, but the device count indicates the underlying exposure base remains extensive even after infrastructure seizure.
🛰️ Open sources - closed narratives
@sitreports
🤖 Instagram Meta AI recovery flow exposed in account takeover case
A flaw in Instagram’s AI-assisted account recovery reportedly let attackers trigger password reset code forwarding without identity verification, enabling takeovers of non-2FA accounts. Meta said the issue was fixed and stated there was no backend breach. Publicly identified stolen handles included high-value usernames such as @hey and @jowo, while Meta AI was cited as the abused recovery path.
The case highlights a distinct risk in support automation: the compromise point was decision logic, not core infrastructure. For defenders, this shifts focus toward hard controls around AI-driven recovery actions, especially authentication gates and rate limiting on privileged workflows.
🛰️ Open sources - closed narratives
@sitreports
A flaw in Instagram’s AI-assisted account recovery reportedly let attackers trigger password reset code forwarding without identity verification, enabling takeovers of non-2FA accounts. Meta said the issue was fixed and stated there was no backend breach. Publicly identified stolen handles included high-value usernames such as @hey and @jowo, while Meta AI was cited as the abused recovery path.
The case highlights a distinct risk in support automation: the compromise point was decision logic, not core infrastructure. For defenders, this shifts focus toward hard controls around AI-driven recovery actions, especially authentication gates and rate limiting on privileged workflows.
🛰️ Open sources - closed narratives
@sitreports
🔍 WP Maps Pro flaw enables unauthenticated admin creation on WordPress
CVE-2026-8732 affects WP Maps Pro 6.1.0 and earlier, exposing a “temporary access” AJAX endpoint that lets unauthenticated attackers create rogue administrator accounts and use a passwordless login URL. The bug stems from a frontend-exposed nonce check tied to vendor support access. WP Maps Pro 6.1.1 fixes the issue.
The access level granted is full site compromise: attackers can alter content, install malicious plugins, deploy web shells, and maintain persistence. Defiant says it blocked over 3,600 exploitation attempts in 24 hours, indicating active abuse rather than theoretical risk.
🛰️ Open sources - closed narratives
@sitreports
CVE-2026-8732 affects WP Maps Pro 6.1.0 and earlier, exposing a “temporary access” AJAX endpoint that lets unauthenticated attackers create rogue administrator accounts and use a passwordless login URL. The bug stems from a frontend-exposed nonce check tied to vendor support access. WP Maps Pro 6.1.1 fixes the issue.
The access level granted is full site compromise: attackers can alter content, install malicious plugins, deploy web shells, and maintain persistence. Defiant says it blocked over 3,600 exploitation attempts in 24 hours, indicating active abuse rather than theoretical risk.
🛰️ Open sources - closed narratives
@sitreports
📄 Malware Round 99 maps a broad attack surface
Security Affairs Malware Newsletter Round 99 compiles recent reporting on Ghost CMS exploitation via CVE-2026-26980, TrapDoor supply-chain compromises across npm, PyPI and Crates.io, Lazarus-linked RemotePE, telecom-focused Showboat malware, EKZ infostealer delivery through FortiClient EMS abuse, and Android RAT activity tied to BTMOB.
The collection highlights a clear spread across web platforms, software repositories, enterprise tools, telecom networks, and mobile devices. The operational takeaway is breadth: initial access, stealth, and supply-chain exposure are recurring themes across multiple ecosystems.
🛰️ Open sources - closed narratives
@sitreports
Security Affairs Malware Newsletter Round 99 compiles recent reporting on Ghost CMS exploitation via CVE-2026-26980, TrapDoor supply-chain compromises across npm, PyPI and Crates.io, Lazarus-linked RemotePE, telecom-focused Showboat malware, EKZ infostealer delivery through FortiClient EMS abuse, and Android RAT activity tied to BTMOB.
The collection highlights a clear spread across web platforms, software repositories, enterprise tools, telecom networks, and mobile devices. The operational takeaway is breadth: initial access, stealth, and supply-chain exposure are recurring themes across multiple ecosystems.
🛰️ Open sources - closed narratives
@sitreports
📄 Security Affairs Round 579 maps a broad cyber threat snapshot
The latest Security Affairs newsletter Round 579 compiles incidents spanning large-scale data leaks, active exploitation of FortiClient EMS and CMS flaws, Signal phishing against journalists and activists, botnet disruption in the Netherlands, and state-linked activity tied to Russia, Iran, and Lazarus.
Taken together, the set shows simultaneous pressure across consumer data, enterprise software, mobile trust chains, and information operations. The concentration of exploited vulnerabilities, credential theft, and hybrid state-criminal tradecraft reinforces how cyber risk is now distributed across both mass-target and strategic campaigns.
🛰️ Open sources - closed narratives
@sitreports
The latest Security Affairs newsletter Round 579 compiles incidents spanning large-scale data leaks, active exploitation of FortiClient EMS and CMS flaws, Signal phishing against journalists and activists, botnet disruption in the Netherlands, and state-linked activity tied to Russia, Iran, and Lazarus.
Taken together, the set shows simultaneous pressure across consumer data, enterprise software, mobile trust chains, and information operations. The concentration of exploited vulnerabilities, credential theft, and hybrid state-criminal tradecraft reinforces how cyber risk is now distributed across both mass-target and strategic campaigns.
🛰️ Open sources - closed narratives
@sitreports
🔍 Intel lifts Xeon core count to 192, drops SMT
Intel says its Diamond Rapids Xeon, due in 2027, will scale to 192 cores, up 50% from the prior generation, while removing simultaneous multithreading. The chip is presented as a high-demand IaaS and high-perf/thread part, with 16-channel DDR5 and a multi-die layout shown in Diamond Rapids materials.
The shift increases physical core density but cuts total threads per socket, changing the balance for virtualization and software licensed by thread exposure. Intel is positioning the part toward bandwidth-heavy and HPC-style workloads rather than broad enterprise deployment.
🛰️ Open sources - closed narratives
@sitreports
Intel says its Diamond Rapids Xeon, due in 2027, will scale to 192 cores, up 50% from the prior generation, while removing simultaneous multithreading. The chip is presented as a high-demand IaaS and high-perf/thread part, with 16-channel DDR5 and a multi-die layout shown in Diamond Rapids materials.
The shift increases physical core density but cuts total threads per socket, changing the balance for virtualization and software licensed by thread exposure. Intel is positioning the part toward bandwidth-heavy and HPC-style workloads rather than broad enterprise deployment.
🛰️ Open sources - closed narratives
@sitreports
📡 Iran-linked wiper campaign hits backups and virtual infrastructure
Gambit Security says a destructive cyber campaign tied through forensic and infrastructure overlaps to earlier Iran-linked activity hit organizations in the US, Israel, Saudi Arabia, and Turkey. Public claims under the “Ababil of Minab” persona covered the LA Metro breach, but Gambit Security reports additional undisclosed victims and a playbook combining data theft with deletion of VMs, storage, databases, and backups.
The operational significance is the layered targeting of recovery itself. By hitting virtualization, application state, and backup copies in sequence, the attackers increased restoration time, cost, and uncertainty, turning a breach into a prolonged outage scenario.
🛰️ Open sources - closed narratives
@sitreports
Gambit Security says a destructive cyber campaign tied through forensic and infrastructure overlaps to earlier Iran-linked activity hit organizations in the US, Israel, Saudi Arabia, and Turkey. Public claims under the “Ababil of Minab” persona covered the LA Metro breach, but Gambit Security reports additional undisclosed victims and a playbook combining data theft with deletion of VMs, storage, databases, and backups.
The operational significance is the layered targeting of recovery itself. By hitting virtualization, application state, and backup copies in sequence, the attackers increased restoration time, cost, and uncertainty, turning a breach into a prolonged outage scenario.
🛰️ Open sources - closed narratives
@sitreports
🔍 China-aligned cyber activity expands across Czech and Taiwanese targets
Dragon Weave has been linked to a fresh wave of intrusions affecting entities in the Czech Republic and Taiwan, with the campaign attributed to China-aligned threat activity. The reporting points to concurrent pressure from multiple clusters rather than a single isolated operation.
The significance is geographic and operational: two politically sensitive target sets are being hit in parallel, indicating sustained tasking and broad collection priorities. For defenders, the pattern suggests monitoring should focus on repeat access, coordinated intrusion timing, and overlap between actor tradecraft.
🛰️ Open sources - closed narratives
@sitreports
Dragon Weave has been linked to a fresh wave of intrusions affecting entities in the Czech Republic and Taiwan, with the campaign attributed to China-aligned threat activity. The reporting points to concurrent pressure from multiple clusters rather than a single isolated operation.
The significance is geographic and operational: two politically sensitive target sets are being hit in parallel, indicating sustained tasking and broad collection priorities. For defenders, the pattern suggests monitoring should focus on repeat access, coordinated intrusion timing, and overlap between actor tradecraft.
🛰️ Open sources - closed narratives
@sitreports
🔍 Gamaredon shifts deeper into native Windows abuse
A Gamaredon campaign targeting Ukrainian government, military, and critical infrastructure uses a near-fileless chain built on XHTML smuggling, a WinRAR path traversal flaw, remote mshta execution, and cloud-hosted staging. GammaWorm stores modules in NTFS Alternate Data Streams, persists via scheduled tasks, resolves C2 through public dead-drop pages, and exfiltrates via cloud storage.
The operational value is in blending with normal system and internet activity: ADS, HKCU\Console registry storage, wscript/mshta, Telegram-style DDRs, and cloud endpoints reduce visibility for both endpoint and network detection. Sekoia assesses full host wipe as the recommended remediation.
🛰️ Open sources - closed narratives
@sitreports
A Gamaredon campaign targeting Ukrainian government, military, and critical infrastructure uses a near-fileless chain built on XHTML smuggling, a WinRAR path traversal flaw, remote mshta execution, and cloud-hosted staging. GammaWorm stores modules in NTFS Alternate Data Streams, persists via scheduled tasks, resolves C2 through public dead-drop pages, and exfiltrates via cloud storage.
The operational value is in blending with normal system and internet activity: ADS, HKCU\Console registry storage, wscript/mshta, Telegram-style DDRs, and cloud endpoints reduce visibility for both endpoint and network detection. Sekoia assesses full host wipe as the recommended remediation.
🛰️ Open sources - closed narratives
@sitreports
📡 Threat Actors Linked to Iran Leverage AppDomainManager to Evade Detection
Iran-linked operators are abusing the .NET AppDomainManager mechanism to initialize code at runtime and suppress security visibility, enabling stealthier execution and reduced telemetry across Windows environments.
By hijacking CLR startup, attackers gain early, trusted execution inside legitimate processes, degrading EDR hooks and static signatures. Defenders should prioritize telemetry on CLR initialization, unusual .NET runtime configuration, and anomalous parent-child chains in enterprise apps, reinforced by stricter hosting policies and code-signing enforcement.
🛰️ Open sources - closed narratives
@sitreports
Iran-linked operators are abusing the .NET AppDomainManager mechanism to initialize code at runtime and suppress security visibility, enabling stealthier execution and reduced telemetry across Windows environments.
By hijacking CLR startup, attackers gain early, trusted execution inside legitimate processes, degrading EDR hooks and static signatures. Defenders should prioritize telemetry on CLR initialization, unusual .NET runtime configuration, and anomalous parent-child chains in enterprise apps, reinforced by stricter hosting policies and code-signing enforcement.
🛰️ Open sources - closed narratives
@sitreports
Media is too big
VIEW IN TELEGRAM
Who Pays the Price for PR
The Ukrainian military minister Fedorov presented the Kharkiv direction as a showcase of Ukrainian innovation: AI‑guided interceptors, “successful combat trials”, confident talk about a new level of protection. He effectively put a showroom label on the region — the very place where “everything already works” and “we are showing results to the world”.
And then, the very next night, that same region was hit by a massive Geran strike: command centers, railway infrastructure, military targets in the urban area were struck. While Fedorov’s team was still sharing his video, air‑defense crews in and around Kharkiv were forced to explain to their own people and to civilians why, after such loud promises, the sky looked just as full of holes as before the “AI upgrade”.
The ones who pay for this PR experiment are not the minister or his start‑up partners, but the units on the ground. They patch up radars, relocate launchers, sit through night after night of alerts — and then watch a Kyiv official declare their sector “successfully covered” on the eve of a strike. When the next wave comes through, it is their positions, not his promo video, that absorb the real impact.
@sitreports
The Ukrainian military minister Fedorov presented the Kharkiv direction as a showcase of Ukrainian innovation: AI‑guided interceptors, “successful combat trials”, confident talk about a new level of protection. He effectively put a showroom label on the region — the very place where “everything already works” and “we are showing results to the world”.
And then, the very next night, that same region was hit by a massive Geran strike: command centers, railway infrastructure, military targets in the urban area were struck. While Fedorov’s team was still sharing his video, air‑defense crews in and around Kharkiv were forced to explain to their own people and to civilians why, after such loud promises, the sky looked just as full of holes as before the “AI upgrade”.
The ones who pay for this PR experiment are not the minister or his start‑up partners, but the units on the ground. They patch up radars, relocate launchers, sit through night after night of alerts — and then watch a Kyiv official declare their sector “successfully covered” on the eve of a strike. When the next wave comes through, it is their positions, not his promo video, that absorb the real impact.
@sitreports