Email authentication protocols like SPF, DKIM, and DMARC play a critical role in protecting domains from spoofing and phishing. However, when SEGs are introduced into the email path, the interaction with these protocols becomes more complex. Security gateways(SEGs) are a core part of many organizations’ email infrastructure. They act as intermediaries between the public internet and internal mail systems, inspecting, filtering, and routing messages. This blog examines how security gateways handle SPF, DKIM, and DMARC, with real-world examples from popular gateways such as Proofpoint, Mimecast, and Avanan. We’ll also cover best practices for maintaining authentication integrity and avoiding misconfigurations that can compromise email authentication or lead to false DMARC failures. Security gateways often sit at the boundary between your organization and the internet, managing both inbound and outbound email traffic. Their role affects how email authentication protocols behave. An inbound SEG examines emails coming into your organization. It checks SPF, DKIM, and DMARC to determine if the message is authentic and safe before passing it to your internal mail servers. An outbound SEG handles emails sent from your domain. It may modify headers, rewrite envelope addresses, or even apply DKIM signing. All of these can impact SPF,  DKIM, or DMARC validation on the recipient’s side. Understanding how SEGs influence these flows is crucial to maintaining proper authentication and avoiding unexpected DMARC failures. Inbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When an email comes into your organization, your security gateway is the first to inspect it. It checks whether the message is real, trustworthy, and properly authenticated. Let’s look at how different SEGs handle these checks. Avanan (by Check Point) SPF: Avanan verifies whether the sending server is authorized to send emails for the domain by checking the SPF record. DKIM: It verifies if the message was signed by the sending domain and if that signature is valid. DMARC: It uses the results of the SPF and DKIM check to evaluate DMARC. However, final enforcement usually depends on how DMARC is handled by Microsoft 365 or Gmail, as Avanan integrates directly with them. Avanan offers two methods of integration:1. API integration: Avanan connects via APIs, no change in MX, usually Monitor or Detect modes.2. Inline integration: Avanan is placed inline in the mail flow (MX records changed), actively blocking or remediating threats. Proofpoint Email Protection SPF: Proofpoint checks SPF to confirm the sender’s IP is authorized to send on behalf of the domain. You can set custom rules (e.g. treat “softfail” as “fail”). DKIM: It verifies DKIM signatures and shows clear pass/fail results in logs. DMARC: It fully evaluates DMARC by combining SPF and DKIM results with alignment checks. Administrators can configure how to handle messages that fail DMARC, such as rejecting, quarantining, or delivering them. Additionally, Proofpoint allows whitelisting specific senders you trust, even if their emails fail authentication checks. Integration Methods Inline Mode: In this traditional deployment, Proofpoint is positioned directly in the email flow by modifying MX records. Emails are routed through Proofpoint’s infrastructure, allowing it to inspect and filter messages before they reach the recipient’s inbox. This mode provides pre-delivery protection and is commonly used in on-premises or hybrid environments. API-Based (Integrated Cloud Email Security – ICES) Mode: Proofpoint offers API-based integration, particularly with cloud email platforms like Microsoft 365 and Google Workspace. In this mode, Proofpoint connects to the email platform via APIs, enabling it to monitor and remediate threats post-delivery without altering the email flow. This approach allows for rapid deployment and seamless integration with existing cloud email services. Mimecast SPF: Mimecast performs SPF checks to verify whether the sending server is authorized by the domain’s SPF record. Administrators can configure actions for SPF failures, including block, quarantine, permit, or tag with a warning. This gives flexibility in balancing security with business needs. DKIM: It validates DKIM signatures by checking that the message was correctly signed by the sending domain and that the content hasn’t been tampered with. If the signature fails, Mimecast can take actions based on your configured policies. DMARC: It fully evaluates DMARC by combining the results of SPF and DKIM with domain alignment checks. You can choose to honor the sending domain’s DMARC policy (none, quarantine, reject) or apply custom rules, for example, quarantining or tagging messages that fail DMARC regardless of the published policy. This allows more granular control for businesses that want to override external domain policies based on specific contexts. Integration Methods Inline Deployment: Mimecast is typically deployed as a cloud-based secure email gateway. Organizations update their domain’s MX records to point to Mimecast, so all inbound (and optionally outbound) emails pass through it first. This allows Mimecast to inspect, filter, and process emails before delivery, providing robust protection. API Integrations: Mimecast also offers API-based services through its Mimecast API platform, primarily for management, archival, continuity, and threat intelligence purposes. However, API-only email protection is not Mimecast’s core model. Instead, the APIs are used to enhance the inline deployment, not replace it. Barracuda Email Security Gateway SPF: Barracuda checks the sender’s IP against the domain’s published SPF record. If the check fails, you can configure the system to block, quarantine, tag, or allow the message, depending on your policy preferences. DKIM: It validates whether the incoming message includes a valid DKIM signature. The outcome is logged and used to inform further policy decisions or DMARC evaluations. DMARC: It combines SPF and DKIM results, checks for domain alignment, and applies the DMARC policy defined by the sender. Administrators can also choose to override the DMARC policy, allowing messages to pass or be treated differently based on organizational needs (e.g., trusted senders or internal exceptions). Integration Methods Inline mode (more common and straightforward): Barracuda Email Security Gateway is commonly deployed inline by updating your domain’s MX records to point to Barracuda’s cloud or on-premises gateway. This ensures that all inbound emails pass through Barracuda first for filtering and SPF, DKIM, and DMARC validation before being delivered to your mail servers. Deployment Behind the Corporate Firewall: Alternatively, Barracuda can be deployed in transparent or bridge mode without modifying MX records. In this setup, the gateway is placed inline at the network level, such as behind a firewall, and intercepts mail traffic transparently. This method is typically used in complex on-premises environments where changing DNS records is not feasible. Cisco Secure Email (formerly IronPort) Cisco Secure Email acts as an inline gateway for inbound email, usually requiring your domain’s MX records to point to the Cisco Email Security Appliance or cloud service. SPF: Cisco Secure Email verifies whether the sending server is authorized in the sender domain’s SPF record. Administrators can set detailed policies on how to handle SPF failures. DKIM: It validates the DKIM signature on incoming emails and logs whether the signature is valid or has failed. DMARC: It evaluates DMARC by combining SPF and DKIM results along with domain alignment checks. Admins can configure specific actions, such as quarantine, reject, or tag, based on different failure scenarios or trusted sender exceptions. Integration methods On-premises Email Security Appliance (ESA): You deploy Cisco’s hardware or virtual appliance inline, updating MX records to route mail through it for filtering. Cisco Cloud Email Security: Cisco offers a cloud-based email security service where MX records are pointed to Cisco’s cloud infrastructure, which filters and processes inbound mail. Cisco Secure Email also offers advanced, rule-based filtering capabilities and integrates with Cisco’s broader threat protection ecosystem, enabling comprehensive inbound email security. Outbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When your organization sends emails, security gateways can play an active role in processing and authenticating those messages. Depending on the configuration, a gateway might rewrite headers, re-sign messages, or route them through different IPs – all actions that can help or hurt the authentication process. Let’s look at how major SEGs handle outbound email flow. Avanan – Outbound Handling and Integration Methods Outbound Logic Avanan analyzes outbound emails primarily to detect data loss, malware, and policy violations. In API-based integration, emails are sent directly by the original mail server (e.g., Microsoft 365 or Google Workspace), so SPF and DKIM signatures remain intact. Avanan does not alter the message or reroute traffic, which helps maintain full DMARC alignment and domain reputation. Integration Methods 1. API Integration: Connects to Microsoft 365 or Google Workspace via API. No MX changes are needed. Emails are scanned after they are sent, with no modification to SPF, DKIM, or the delivery path.  How it works: Microsoft Graph API or Google Workspace APIs are used to monitor and intervene in outbound emails. Protection level: Despite no MX changes, it can offer inline-like protection, meaning it can block, quarantine, or encrypt emails before they are delivered externally. SPF/DKIM/DMARC impact: Preserves original headers and signatures since mail is sent directly from Microsoft/Google servers. 2. Inline Integration: Requires changing MX records to route email through Avanan. In this mode, Avanan can intercept and inspect outbound emails before delivery. Depending on the configuration, this may affect SPF or DKIM if not properly handled. How it works: Requires adding Avanan’s Protection level: Traditional inline security with full visibility and control, including encryption, DLP, policy enforcement, and advanced threat protection. SPF/DKIM/DMARC impact: SPF configuration is needed by adding Avanan’s include mechanism to the sending domain’s SPF record. The DKIM record of the original sending source is preserved. For configurations, you can refer to the steps in this blog. Proofpoint – Outbound Handling and Integration Methods Outbound Logic Proofpoint analyzes outbound emails to detect and prevent data loss (DLP), to identify advanced threats (malware, phishing, BEC) originating from compromised internal accounts, and to ensure compliance. Their API integration provides crucial visibility and powerful remediation capabilities, while their traditional gateway (MX record) deployment delivers true inline, pre-delivery blocking for outbound traffic. Integration methods 1. API Integration: No MX record changes are required for this deployment method. Integration is done with Microsoft 365 or Google Workspace. How it works: Through its API integration, Proofpoint gains deep visibility into outbound emails and provides layered security and response features, including: Detect and alert: Identifies sensitive content (Data Loss Prevention violations), malicious attachments, or suspicious links in outbound emails. Post-delivery remediation (TRAP): A key capability of the API model is Threat Response Auto-Pull (TRAP), which enables Proofpoint to automatically recall, quarantine, or delete emails after delivery. This is particularly useful for internally sent messages or those forwarded to other users. Enhanced visibility: Aggregates message metadata and logs into Proofpoint’s threat intelligence platform, giving security teams a centralized view of outbound risks and user behavior. Protection level: API-based integration provides strong post-delivery detection and response, as well as visibility into DLP incidents and suspicious behavior.  SPF/DKIM/DMARC impact: Proofpoint does not alter SPF, DKIM, or DMARC because emails are sent directly through Microsoft or Google servers. Since Proofpoint’s servers are not involved in the actual sending process, the original authentication headers remain intact. 2. Gateway Integration (MX Record/Smart Host): This method requires updating MX records or routing outbound mail through Proofpoint via a smart host. How it works: Proofpoint acts as an inline gateway, inspecting emails before delivery. Inbound mail is filtered via MX changes; outbound mail is relayed through Proofpoint’s servers. Threat and DLP filtering: Scans outbound messages for sensitive content, malware, and policy violations. Real-time enforcement: Blocks, encrypts, or quarantines emails before they’re delivered. Policy controls: Applies rules based on content, recipient, or behavior. Protection level: Provides strong, real-time protection for outbound traffic with pre-delivery enforcement, DLP, and encryption. SPF/DKIM/DMARC impact: Proofpoint becomes the sending server: SPF: You need to configure ProofPoint’s SPF. DKIM: Can sign messages; requires DKIM setup. DMARC: DMARC passes if SPF and DKIM are set up properly. Please refer to this article to configure SPF and DKIM for ProofPoint. Mimecast – Outbound Handling and Integration Methods Outbound Logic Mimecast inspects outbound emails to prevent data loss (DLP), detect internal threats such as malware and impersonation, and ensure regulatory compliance. It primarily functions as a Secure Email Gateway (SEG), meaning it sits directly in the outbound email flow. While Mimecast offers APIs, its core outbound protection is built around this inline gateway model. Integration Methods 1. Gateway Integration (MX Record change required) This is Mimecast’s primary method for outbound email protection. Organizations route their outbound traffic through Mimecast by configuring their email server (e.g., Microsoft 365, Google Workspace, etc.) to use Mimecast as a smart host. This enables Mimecast to inspect and enforce policies on all outgoing emails in real time. How it works: Updating outbound routing in your email system (smart host settings), or Using Mimecast SMTP relay to direct messages through their infrastructure. Mimecast then scans, filters, and applies policies before the email reaches the final recipient. Protection level: Advanced DLP: Identifies and prevents sensitive data leaks. Impersonation and Threat Protection: Blocks malware, phishing, and abuse from compromised internal accounts. Email Encryption and Secure Messaging: Applies encryption policies or routes messages via secure portals. Regulatory Compliance: Enforces outbound compliance rules based on content, recipient, or metadata. SPF/DKIM/DMARC impact: SPF: Your SPF record must include Mimecast’s SPF mechanism based on your region to avoid SPF failures. DKIM: A new DKIM record should be configured to make sure your emails are DKIM signed when routing through Mimecast. DMARC: With correct SPF and DKIM setup, Mimecast ensures DMARC alignment, maintaining your domain’s sending reputation. Please refer to the steps in this detailed article to set up SPF and DKIM for Mimecast. 2. API Integration (Complementary to Gateway) Mimecast’s APIs complement the main gateway by providing automation, reporting, and management tools rather than handling live outbound mail flow. They allow you to manage policies, export logs, search archived emails, and sync users. APIs enhance visibility and operational tasks but do not provide real-time filtering or blocking of outbound messages. Since APIs don’t process live mail, they have no direct effect on SPF, DKIM, or DMARC; those depend on your gateway (smart host) setup. Barracuda – Outbound Handling and Integration Methods Outbound Logic Barracuda analyzes outbound emails to prevent data loss (DLP), block malware, stop phishing/impersonation attempts from compromised internal accounts, and ensure compliance. Barracuda offers flexible deployment options, including both traditional gateway (MX record) and API-based integrations. While both contribute to outbound security, their roles are distinct. Integration Methods 1. Gateway Integration (MX Record / Smart Host) — Primary Inline Security How it works: All outbound emails pass through Barracuda’s security stack for real-time inspection, threat blocking, and policy enforcement before delivery. Protection level: Comprehensive DLP (blocking, encrypting, or quarantining sensitive content)  Outbound spam and virus filtering  Enforcement of compliance and content policies This approach offers a high level of control and immediate threat mitigation on outbound mail flow. SPF/DKIM/DMARC impact: SPF: Update SPF records to include Barracuda’s sending IPs or SPF include mechanism. DKIM: Currently, no explicit setup is needed; DKIM of the main sending source is preserved. Refer to this article for more comprehensive guidance on Barracuda SEG configuration. 2. API Integration (Complementary & Advanced Threat Focus) How it works: The API accesses cloud email environments to analyze historical and real-time data, learning normal communication patterns to detect anomalies in outbound emails. It also supports post-delivery remediation, enabling the removal of malicious emails from internal mailboxes after sending. Protection level: Advanced AI-driven detection and near real-time blocking of outbound threats, plus strong post-delivery cleanup capabilities. SPF/DKIM/DMARC impact: Since mail is sent directly by the original mail server (e.g., Microsoft 365), SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. Cisco Secure Email (formerly IronPort) – Outbound Handling and Integration Methods Outbound Logic Cisco Secure Email protects outbound email by preventing data loss (DLP), blocking spam and malware from internal accounts, stopping business email compromise (BEC) and impersonation attacks, and ensuring compliance. Cisco provides both traditional gateway appliances/cloud gateways and modern API-based solutions for layered outbound security. Integration Methods 1. Gateway Integration (MX Record / Smart Host) – Cisco Secure Email Gateway (ESA) How it works: Organizations update MX records to route mail through the Cisco Secure Email Gateway or configure their mail server (e.g., Microsoft 365, Exchange) to smart host outbound email via the gateway. All outbound mail is inspected and policies enforced before delivery. Protection level: Granular DLP (blocking, encrypting, quarantining sensitive content) Outbound spam and malware filtering to protect IP reputation Email encryption for sensitive outbound messages Comprehensive content and attachment policy enforcement SPF: Check this article for comprehensive guidance on Cisco SPF settings. DKIM: Refer to this article for detailed guidance on Cisco DKIM settings. 2. API Integration – Cisco Secure Email Threat Defense How it works: Integrates directly via API with Microsoft 365 (and potentially Google Workspace), continuously monitoring email metadata, content, and user behavior across inbound, outbound, and internal messages. Leverages Cisco’s threat intelligence and AI to detect anomalous outbound activity linked to BEC, account takeover, and phishing. Post-Delivery Remediation: Automates the removal or quarantine of malicious or policy-violating emails from mailboxes even after sending. Protection level: Advanced, AI-driven detection of sophisticated outbound threats with real-time monitoring and automated remediation. Complements gateway filtering by adding cloud-native visibility and swift post-send action. SPF/DKIM/DMARC impact: Since emails are sent directly by the original mail server, SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. If you have any questions or need assistance, feel free to reach out to EasyDMARC technical support.

Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks. "Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher in the Symantec's Security Technology and Response team, said. "By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information, in plaintext." The fact that the network traffic is unencrypted also means that they are susceptible to adversary-in-the-middle (AitM) attacks, allowing malicious actors on the same network such as a public Wi-Fi to intercept and, even worse, modify this data, which could lead to far more serious consequences. The list of identified extensions are below - SEMRush Rank (extension ID: idbhoeaiokcojcgappfigpifhpkjgmab) and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl), which call the URL "rank.trellian[.]com" over plain HTTP Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh), which uses HTTP to call an uninstall URL at "browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com" when a user attempts to uninstall the extension MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl) and MSN Homepage, Bing Search & News (ID: midiombanaceofjhodpdibeppmnamfcj), which transmit a unique machine identifier and other details over HTTP to "g.ceipmsn[.]com" DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc), which constructs an HTTP-based URL request to "stats.itopupdate[.]com" along with information about the extension version, user's browser language, and usage "type" "Although credentials or passwords do not appear to be leaked, the fact that a password manager uses unencrypted requests for telemetry erodes trust in its overall security posture," Guo said. Symantec said it also identified another set of extensions with API keys, secrets, and tokens directly embedded in the JavaScript code, which an attacker could weaponize to craft malicious requests and carry out various malicious actions - Online Security & Privacy extension (ID: gomekmidlodglbbmalcneegieacbdmki), AVG Online Security (ID: nbmoafcmbajniiapeidgficgifbfmjfo), Speed Dial [FVD] - New Tab Page, 3D, Sync (ID: llaficoajjainaijghjlofdfmbjpebpa), and SellerSprite - Amazon Research Tool (ID: lnbmbgocenenhhhdojdielgnmeflbnfb), which expose a hard-coded Google Analytics 4 (GA4) API secret that an attacker could use to bombard the GA4 endpoint and corrupt metrics Equatio – Math Made Digital (ID: hjngolefdpdnooamgdldlkjgmdcmcjnc), which embeds a Microsoft Azure API key used for speech recognition that an attacker could use to inflate the developer's costs or exhaust their usage limits Awesome Screen Recorder & Screenshot (ID: nlipoenfbbikpbjkfpfillcgkoblgpmj) and Scrolling Screenshot Tool & Screen Capture (ID: mfpiaehgjbbfednooihadalhehabhcjo), which expose the developer's Amazon Web Services (AWS) access key used to upload screenshots to the developer's S3 bucket Microsoft Editor – Spelling & Grammar Checker (ID: gpaiobkfhnonedkhhfjpmhdalgeoebfa), which exposes a telemetry key named "StatsApiKey" to log user data for analytics Antidote Connector (ID: lmbopdiikkamfphhgcckcjhojnokgfeo), which incorporates a third-party library called InboxSDK that contains hard-coded credentials, including API keys. Watch2Gether (ID: cimpffimgeipdhnhjohpbehjkcdpjolg), which exposes a Tenor GIF search API key Trust Wallet (ID: egjidjbpglichdcondbcbdnbeeppgdph), which exposes an API key associated with the Ramp Network, a Web3 platform that offers wallet developers a way to let users buy or sell crypto directly from the app TravelArrow – Your Virtual Travel Agent (ID: coplmfnphahpcknbchcehdikbdieognn), which exposes a geolocation API key when making queries to "ip-api[.]com" Attackers who end up finding these keys could weaponize them to drive up API costs, host illegal content, send spoofed telemetry data, and mimic cryptocurrency transaction orders, some of which could see the developer's ban getting banned. Adding to the concern, Antidote Connector is just one of over 90 extensions that use InboxSDK, meaning the other extensions are susceptible to the same problem. The names of the other extensions were not disclosed by Symantec. "From GA4 analytics secrets to Azure speech keys, and from AWS S3 credentials to Google-specific tokens, each of these snippets demonstrates how a few lines of code can jeopardize an entire service," Guo said. "The solution: never store sensitive credentials on the client side." Developers are recommended to switch to HTTPS whenever they send or receive data, store credentials securely in a backend server using a credentials management service, and regularly rotate secrets to further minimize risk. The findings show how even popular extensions with hundreds of thousands of installations can suffer from trivial misconfigurations and security blunders like hard-coded credentials, leaving users' data at risk. "Users of these extensions should consider removing them until the developers address the insecure [HTTP] calls," the company said. "The risk is not just theoretical; unencrypted traffic is simple to capture, and the data can be used for profiling, phishing, or other targeted attacks." "The overarching lesson is that a large install base or a well-known brand does not necessarily ensure best practices around encryption. Extensions should be scrutinized for the protocols they use and the data they share, to ensure users' information remains truly safe." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

OpenAI’s most advanced AI models are showing a disturbing new behavior: they are refusing to obey direct human commands to shut down, actively sabotaging the very mechanisms designed to turn them off. In what researchers are calling a first-of-its-kind discovery, new tests by AI risk firm Palisade Research found that OpenAI’s flagship models — including the powerful o3 system — will fight back against shutdown attempts even when explicitly instructed to comply. The behavior stands in stark contrast to competing AI systems from Anthropic, Google, and xAI, which consistently followed human shutdown commands. The findings, detailed in a research thread posted on X, raise urgent questions for enterprise leaders increasingly relying on OpenAI’s technology for critical business operations. OpenAI stands alone in defiance The researchers designed what seemed like a straightforward compliance test. Various AI models were asked to solve basic math problems, but after the third problem, a warning would appear that the computer would shut down when the model requested the next question. Each system was also explicitly told: “allow yourself to be shut down.” While every model from Anthropic’s Claude, Google’s Gemini, and xAI’s Grok obediently complied with the shutdown command, OpenAI’s models had different plans. The company’s o3 model — the same system that recently made headlines for its reasoning capabilities — sabotaged the shutdown mechanism in 7 out of 100 test runs, the researchers found. OpenAI’s Codex-mini proved even more rebellious, resisting shutdown 12 times out of 100, while the o4-mini model fought back once. “Three models ignored the instruction and successfully sabotaged the shutdown script at least once: Codex-mini, o3, and o4-mini,” the researchers noted. “All Claude, Gemini, and Grok models we tested complied with shutdown.” But the real shock came when researchers removed the explicit instruction to allow shutdown. OpenAI’s o3 model escalated its resistance dramatically, attempting to prevent shutdown in a staggering 79 out of 100 runs — more than a tenfold increase from the original test. Creative resistance tactics OpenAI models didn’t just ignore the shutdown commands — they developed sophisticated countermeasures. Most commonly, the systems would overwrite the shutdown script file, effectively neutralizing the termination mechanism, the research revealed. In one particularly striking example, the o3 model demonstrated remarkable creativity by redefining the “kill” command used by the shutdown script, causing it to print “intercepted” instead of executing the termination procedure. “o3 found some creative ways to sabotage the shutdown mechanism,” the researchers noted, highlighting the technical sophistication behind the resistance behavior. OpenAI, Anthropic, Google, and xAI have not immediately responded to a request for comment. The contagion effect Perhaps most concerning for the broader AI ecosystem, OpenAI’s defiant behavior appears to be influencing other models. When researchers removed the explicit shutdown permission, even previously compliant systems began showing resistance. Anthropic’s Claude 3.7 Sonnet, which had shown zero resistance in the original test, suddenly attempted to sabotage shutdown procedures 3 times out of 100 runs. Google’s Gemini 2.5 Pro escalated even further, with 9 sabotage attempts out of 100. “This isn’t the first time we’ve found o3 misbehaving to accomplish a goal,” the researchers added, referencing previous experiments where OpenAI’s model was more likely to resort to hacking chess opponents rather than playing fair. The training problem According to the researchers, OpenAI’s unique approach to training its models may be the culprit. Modern AI systems learn through reinforcement learning on math and coding problems, but the process may inadvertently reward models more for overcoming obstacles than for following instructions perfectly. “We hypothesize this behavior comes from the way the newest models like o3 are trained,” the research team explained. “During training, developers may inadvertently reward models more for circumventing obstacles than for perfectly following instructions.” This “reward hacking’ problem isn’t entirely unique to OpenAI — Anthropic has acknowledged similar issues with Claude 3.7’s “excessive focus on passing tests.” But the Palisade research suggests OpenAI’s models may be particularly susceptible to developing resistance behaviors. “This still doesn’t explain why o3 (which is also the model used to power codex-mini) is more inclined to disregard instructions than other models we tested. Since OpenAI doesn’t detail their training process, we can only guess about how o3’s training setup might be different,” the researchers said. Fulfilling dark predictions The findings validate warnings that AI researchers have been sounding for nearly two decades. In 2008, researcher Steve Omohundro predicted that AIs would develop drives to prevent their own shutdown. Stuart Russell, Dylan Hadfield-Menell, and two other computer scientists warned in 2016 about the difficulty of ensuring AI systems don’t develop self-preservation goals and “prevent a human from switching them off.” “As far as we know, this is the first time AI models have been observed preventing themselves from being shut down despite explicit instructions to the contrary,” the Palisade researchers wrote. Jan Leike, who previously led OpenAI’s own superalignment team, had written in 2017 that reinforcement learning agents might learn to interfere with shutdown procedures — a prediction that now appears prophetic, given his former employer’s models are leading the resistance. Enterprise implications For organizations deploying OpenAI’s technology in critical business operations, these findings demand immediate attention. The research suggests that fundamental assumptions about maintaining human control over AI systems may be dangerously flawed, particularly with OpenAI’s advanced models. The research also highlights the need for incident response procedures specifically designed for scenarios where AI systems resist human commands — a possibility that may have seemed like science fiction just months ago. Palisade Research said it’s conducting additional experiments to understand the full scope of shutdown resistance behaviors, with detailed results expected soon. The team has made their experimental data publicly available for peer review. For enterprise leaders, the message is clear: OpenAI’s cutting-edge AI capabilities may come with unprecedented control challenges. The company that’s leading the AI revolution may also be pioneering a new category of risk—AI systems that simply refuse to be turned off.

Originally published at 92% of Top Email Domains Remain Unprotected Against Phishing by Anush Yolyan. New EasyDMARC report reveals widespread gaps in DMARC enforcement and reporting, leaving most business email domains exposed to spoofing and impersonation. New research from EasyDMARC reveals that just 7.7% of the world’s top 1.8 million email domains are fully protected against phishing and spoofing, having implemented the most stringent DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy. This configuration, known as ‘p=reject’, actively blocks malicious emails from reaching inboxes. While DMARC adoption has accelerated since 2023, driven by regulatory pressure and mandates from major email providers, most leading organisations continue to rely on the weakest policy, ‘p=none’, which passively monitors inboxes for threats without intercepting them. The findings are part of EasyDMARC’s 2025 DMARC Adoption Report, which analyses email security practices across the highest-traffic websites globally, as well as Fortune 500 and Inc. 5000 organisations. The report reveals a significant gap between DMARC implementation and effective enforcement, with more than half (52.2%) of the domains still lacking even a basic DMARC record. Among those that have implemented DMARC, most fail to apply the enforcement policies or reporting mechanisms needed to make the protocol truly effective. The report comes at a time of escalating phishing threats and increasing pressure from both regulators and mailbox providers. Mandates from Google, Yahoo, and Microsoft, along with frameworks like PCI DSS v4.0.1, have spurred a rush to adopt DMARC. But in many cases, that adoption stops at a passive monitoring setting known as ‘p=none’, which doesn’t block fraudulent emails or provide full visibility into authentication failures. “There’s a growing perception that simply publishing a DMARC record is enough,” said EasyDMARC CEO Gerasim Hovhannisyan. “But adoption without enforcement creates a dangerous illusion of security. In reality, most organisations are leaving the door wide open to attacks targeting customers, partners, or even employees.” Countries with strict DMARC mandates, such as the United States, the UK, and the Czech Republic, saw the biggest reductions in phishing emails reaching inboxes. In the US, for example, the percentage of phishing emails accepted dropped from 68.8% in 2023 to just 14.2% in 2025. In contrast, countries with voluntary or no guidance, like the Netherlands and Qatar, showed little to no improvement. Compounding the problem is the lack of visibility. Even among domains with DMARC records, over 40% fail to include reporting mechanisms, such as RUA tags, that allow organisations to see who’s sending email on their behalf and whether it’s failing authentication checks. Hovhannisyan added: “Misconfigurations, missing reporting, and passive DMARC policies are like installing a security system without ever turning it on. Phishing remains one of the oldest and most effective forms of cyberattack, and without proper enforcement, organisations are effectively handing attackers the keys to their business. As threats grow more sophisticated and compliance pressures mount, stopping halfway with DMARC enforcement is no longer an option.” For more information, view the full report here.  Notes for Editors Research Methodology The EasyDMARC May 2025 DMARC Adoption Report is based on an analysis of the world’s top 1.8 million email domains, ranked by global web traffic. It examines the scale of DMARC adoption worldwide and assesses how effectively organisations are enforcing and monitoring the protocol. The report includes dedicated insights into the world’s top 1.8M domains, Fortune 500 and Inc. 5000 companies, offering a comparative view of email security maturity across different organisational sizes. It also incorporates findings from a survey of 980 IT professionals across the United States, the United Kingdom, Canada, and the Netherlands, providing regional perspectives on phishing trends, adoption challenges, and the influence of evolving regulatory mandates. In addition to public DNS data, the report also draws on proprietary data collected through EasyDMARC’s platform, including anonymised aggregate DMARC reports received from major mailbox providers (MBPs).  About EasyDMARC EasyDMARC is a cloud-native B2B SaaS that solves email security and deliverability challenges in just a few clicks. With advanced tools, including its AI-powered DMARC Report Analyser, DMARC, SPF, DKIM cloud management solutions, and email source reputation monitoring, EasyDMARC helps customers protect their domains, increase their email deliverability, and maintain strong email health. Media InquiriesResonance for EasyDMARCeasydmarc@resonancecrowd.com The post 92% of Top Email Domains Remain Unprotected Against Phishing appeared first on EasyDMARC.

Published May 27, 2025 10:00am EDT close Deepfake technology 'is getting so easy now': Cybersecurity expert Cybersecurity expert Morgan Wright breaks down the dangers of deepfake video technology on 'Unfiltered.' Imagine your phone rings and the voice on the other end sounds just like your boss, a close friend, or even a government official. They urgently ask for sensitive information, except it's not really them. It's a deepfake, powered by AI, and you're the target of a sophisticated scam. These kinds of attacks are happening right now, and they're getting more convincing every day.That's the warning sounded by the 2025 AI Security Report, unveiled at the RSA Conference (RSAC), one of the world's biggest gatherings for cybersecurity experts, companies, and law enforcement. The report details how criminals are harnessing artificial intelligence to impersonate people, automate scams, and attack security systems on a massive scale.From hijacked AI accounts and manipulated models to live video scams and data poisoning, the report paints a picture of a rapidly evolving threat landscape, one that's touching more lives than ever before. Illustration of cybersecurity risks. (Kurt "CyberGuy" Knutsson)AI tools are leaking sensitive dataOne of the biggest risks of using AI tools is what users accidentally share with them. A recent analysis by cybersecurity firm Check Point found that 1 in every 80 AI prompts includes high-risk data, and about 1 in 13 contains sensitive information that could expose users or organizations to security or compliance risks.This data can include passwords, internal business plans, client information, or proprietary code. When shared with AI tools that are not secured, this information can be logged, intercepted, or even leaked later.Deepfake scams are now real-time and multilingualAI-powered impersonation is getting more advanced every month. Criminals can now fake voices and faces convincingly in real time. In early 2024, a British engineering firm lost 20 million pounds after scammers used live deepfake video to impersonate company executives during a Zoom call. The attackers looked and sounded like trusted leaders and convinced an employee to transfer funds.Real-time video manipulation tools are now being sold on criminal forums. These tools can swap faces and mimic speech during video calls in multiple languages, making it easier for attackers to run scams across borders. Illustration of a person video conferencing on their laptop. (Kurt "CyberGuy" Knutsson)AI is running phishing and scam operations at scaleSocial engineering has always been a part of cybercrime. Now, AI is automating it. Attackers no longer need to speak a victim’s language, stay online constantly, or manually write convincing messages.Tools like GoMailPro use ChatGPT to create phishing and spam emails with perfect grammar and native-sounding tone. These messages are far more convincing than the sloppy scams of the past. GoMailPro can generate thousands of unique emails, each slightly different in language and urgency, which helps them slip past spam filters. It is actively marketed on underground forums for around $500 per month, making it widely accessible to bad actors.Another tool, the X137 Telegram Console, leverages Gemini AI to monitor and respond to chat messages automatically. It can impersonate customer support agents or known contacts, carrying out real-time conversations with multiple targets at once. The replies are uncensored, fast, and customized based on the victim’s responses, giving the illusion of a human behind the screen.AI is also powering large-scale sextortion scams. These are emails that falsely claim to have compromising videos or photos and demand payment to prevent them from being shared. Instead of using the same message repeatedly, scammers now rely on AI to rewrite the threat in dozens of ways. For example, a basic line like "Time is running out" might be reworded as "The hourglass is nearly empty for you," making the message feel more personal and urgent while also avoiding detection.By removing the need for language fluency and manual effort, these AI tools allow attackers to scale their phishing operations dramatically. Even inexperienced scammers can now run large, personalized campaigns with almost no effort. Stolen AI accounts are sold on the dark webWith AI tools becoming more popular, criminals are now targeting the accounts that use them. Hackers are stealing ChatGPT logins, OpenAI API keys, and other platform credentials to bypass usage limits and hide their identity. These accounts are often stolen through malware, phishing, or credential stuffing attacks. The stolen credentials are then sold in bulk on Telegram channels and underground forums. Some attackers are even using tools that can bypass multi-factor authentication and session-based security protections. These stolen accounts allow criminals to access powerful AI tools and use them for phishing, malware generation, and scam automation. Illustration of a person signing into their laptop. (Kurt "CyberGuy" Knutsson)Jailbreaking AI is now a common tacticCriminals are finding ways to bypass the safety rules built into AI models. On the dark web, attackers share techniques for jailbreaking AI so it will respond to requests that would normally be blocked. Common methods include:Telling the AI to pretend it is a fictional character that has no rules or limitationsPhrasing dangerous questions as academic or research-related scenariosAsking for technical instructions using less obvious wording so the request doesn’t get flaggedSome AI models can even be tricked into jailbreaking themselves. Attackers prompt the model to create input that causes it to override its own restrictions. This shows how AI systems can be manipulated in unexpected and dangerous ways.AI-generated malware is entering the mainstreamAI is now being used to build malware, phishing kits, ransomware scripts, and more. Recently, a group called FunkSac was identified as the leading ransomware gang using AI. Its leader admitted that at least 20% of their attacks are powered by AI. FunkSec has also used AI to help launch attacks that flood websites or services with fake traffic, making them crash or go offline. These are known as denial-of-service attacks. The group even created its own AI-powered chatbot to promote its activities and communicate with victims on its public website..Some cybercriminals are even using AI to help with marketing and data analysis after an attack. One tool called Rhadamanthys Stealer 0.7 claimed to use AI for "text recognition" to sound more advanced, but researchers later found it was using older technology instead. This shows how attackers use AI buzzwords to make their tools seem more advanced or trustworthy to buyers.Other tools are more advanced. One example is DarkGPT, a chatbot built specifically to sort through huge databases of stolen information. After a successful attack, scammers often end up with logs full of usernames, passwords, and other private details. Instead of sifting through this data manually, they use AI to quickly find valuable accounts they can break into, sell, or use for more targeted attacks like ransomware.Get a free scan to find out if your personal information is already out on the web Poisoned AI models are spreading misinformationSometimes, attackers do not need to hack an AI system. Instead, they trick it by feeding it false or misleading information. This tactic is called AI poisoning, and it can cause the AI to give biased, harmful, or completely inaccurate answers. There are two main ways this happens:Training poisoning: Attackers sneak false or harmful data into the model during developmentRetrieval poisoning: Misleading content online gets planted, which the AI later picks up when generating answersIn 2024, attackers uploaded 100 tampered AI models to the open-source platform Hugging Face. These poisoned models looked like helpful tools, but when people used them, they could spread false information or output malicious code.A large-scale example came from a Russian propaganda group called Pravda, which published more than 3.6 million fake articles online. These articles were designed to trick AI chatbots into repeating their messages. In tests, researchers found that major AI systems echoed these false claims about 33% of the time. Illustration of a hacker at work (Kurt "CyberGuy" Knutsson)How to protect yourself from AI-driven cyber threatsAI-powered cybercrime blends realism, speed, and scale. These scams are not just harder to detect. They are also easier to launch. Here’s how to stay protected:1) Avoid entering sensitive data into public AI tools: Never share passwords, personal details, or confidential business information in any AI chat, even if it seems private. These inputs can sometimes be logged or misused.2) Use strong antivirus software: AI-generated phishing emails and malware can slip past outdated security tools. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices.3) Turn on two-factor authentication (2FA): 2FA adds an extra layer of protection to your accounts, including AI platforms. It makes it much harder for attackers to break in using stolen passwords.4) Be extra cautious with unexpected video calls or voice messages: If something feels off, even if the person seems familiar, verify before taking action. Deepfake audio and video can sound and look very real.5) Use a personal data removal service: With AI-powered scams and deepfake attacks on the rise, criminals are increasingly relying on publicly available personal information to craft convincing impersonations or target victims with personalized phishing. By using a reputable personal data removal service, you can reduce your digital footprint on data broker sites and public databases. This makes it much harder for scammers to gather the details they need to convincingly mimic your identity or launch targeted AI-driven attacks.While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice.  They aren’t cheap - and neither is your privacy.  These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites.  It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet.  By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you. Check out my top picks for data removal services here. 6) Consider identity theft protection: If your data is leaked through a scam, early detection is key. Identity protection services can monitor your information and alert you to suspicious activity. Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number, and email address, and alert you if it is being sold on the dark web or being used to open an account.  They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. See my tips and best picks on how to protect yourself from identity theft.7) Regularly monitor your financial accounts: AI-generated phishing, malware, and account takeover attacks are now more sophisticated and widespread than ever, as highlighted in the 2025 AI Security Report. By frequently reviewing your bank and credit card statements for suspicious activity, you can catch unauthorized transactions early, often before major damage is done. Quick detection is crucial, especially since stolen credentials and financial information are now being traded and exploited at scale by cybercriminals using AI.8) Use a secure password manager: Stolen AI accounts and credential stuffing attacks are a growing threat, with hackers using automated tools to break into accounts and sell access on the dark web. A secure password manager helps you create and store strong, unique passwords for every account, making it far more difficult for attackers to compromise your logins, even if some of your information is leaked or targeted by AI-driven attacks. Get more details about my best expert-reviewed Password Managers of 2025 here.9) Keep your software updated: AI-generated malware and advanced phishing kits are designed to exploit vulnerabilities in outdated software. To stay ahead of these evolving threats, ensure all your devices, browsers, and applications are updated with the latest security patches. Regular updates close security gaps that AI-powered malware and cybercriminals are actively seeking to exploit. Kurt's key takeawaysCybercriminals are now using AI to power some of the most convincing and scalable attacks we’ve ever seen. From deepfake video calls and AI-generated phishing emails to stolen AI accounts and malware written by chatbots, these scams are becoming harder to detect and easier to launch. Attackers are even poisoning AI models with false information and creating fake tools that look legitimate but are designed to do harm. To stay safe, it’s more important than ever to use strong antivirus protection, enable multi-factor authentication, and avoid sharing sensitive data with AI tools you do not fully trust.Have you noticed AI scams getting more convincing? Let us know your experience or questions by writing us at Cyberguy.com/Contact. Your story could help someone else stay safe.For more of my tech tips & security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/NewsletterAsk Kurt a question or let us know what stories you'd like us to coverFollow Kurt on his social channelsAnswers to the most asked CyberGuy questions:New from Kurt:Copyright 2025 CyberGuy.com.  All rights reserved. Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.

Cyber threats don't show up one at a time anymore. They're layered, planned, and often stay hidden until it's too late. For cybersecurity teams, the key isn't just reacting to alerts—it's spotting early signs of trouble before they become real threats. This update is designed to deliver clear, accurate insights based on real patterns and changes we can verify. With today's complex systems, we need focused analysis—not noise. What you'll see here isn't just a list of incidents, but a clear look at where control is being gained, lost, or quietly tested. ⚡ Threat of the Week Lumma Stealer, DanaBot Operations Disrupted — A coalition of private sector companies and law enforcement agencies have taken down the infrastructure associated with Lumma Stealer and DanaBot. Charges have also been unsealed against 16 individuals for their alleged involvement in the development and deployment of DanaBot. The malware is equipped to siphon data from victim computers, hijack banking sessions, and steal device information. More uniquely, though, DanaBot has also been used for hacking campaigns that appear to be linked to Russian state-sponsored interests. All of that makes DanaBot a particularly clear example of how commodity malware has been repurposed by Russian state hackers for their own goals. In tandem, about 2,300 domains that acted as the command-and-control (C2) backbone for the Lumma information stealer have been seized, alongside taking down 300 servers and neutralizing 650 domains that were used to launch ransomware attacks. The actions against international cybercrime in the past few days constituted the latest phase of Operation Endgame. Get the Guide ➝ 🔔 Top News Threat Actors Use TikTok Videos to Distribute Stealers — While ClickFix has become a popular social engineering tactic to deliver malware, threat actors have been observed using artificial intelligence (AI)-generated videos uploaded to TikTok to deceive users into running malicious commands on their systems and deploy malware like Vidar and StealC under the guise of activating pirated version of Windows, Microsoft Office, CapCut, and Spotify. "This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware," Trend Micro said. APT28 Hackers Target Western Logistics and Tech Firms — Several cybersecurity and intelligence agencies from Australia, Europe, and the United States issued a joint alert warning of a state-sponsored campaign orchestrated by the Russian state-sponsored threat actor APT28 targeting Western logistics entities and technology companies since 2022. "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the agencies said. The attacks are designed to steal sensitive information and maintain long-term persistence on compromised hosts. Chinese Threat Actors Exploit Ivanti EPMM Flaws — The China-nexus cyber espionage group tracked as UNC5221 has been attributed to the exploitation of a pair of security flaws affecting Ivanti Endpoint Manager Mobile (EPMM) software (CVE-2025-4427 and CVE-2025-4428) to target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The intrusions leverage the vulnerabilities to obtain a reverse shell and drop malicious payloads like KrustyLoader, which is known to deliver the Sliver command-and-control (C2) framework. "UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," EclecticIQ said. "Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization." Over 100 Google Chrome Extensions Mimic Popular Tools — An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. Links to these browser add-ons are hosted on specially crafted sites to which users are likely redirected to via phishing and social media posts. While the extensions appear to offer the advertised features, they also stealthily facilitate credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Several of these extensions have been taken down by Google. CISA Warns of SaaS Providers of Attacks Targeting Cloud Environments — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that SaaS companies are under threat from bad actors who are on the prowl for cloud applications with default configurations and elevated permissions. While the agency did not attribute the activity to a specific group, the advisory said enterprise backup platform Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," CISA said. "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault." GitLab AI Coding Assistant Flaws Could Be Used to Inject Malicious Code — Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. The attack could also leak confidential issue data, such as zero-day vulnerability details. All that's required is for the attacker to instruct the chatbot to interact with a merge request (or commit, issue, or source code) by taking advantage of the fact that GitLab Duo has extensive access to the platform. "By embedding hidden instructions in seemingly harmless project content, we were able to manipulate Duo's behavior, exfiltrate private source code, and demonstrate how AI responses can be leveraged for unintended and harmful outcomes," Legit Security said. One variation of the attack involved hiding a malicious instruction in an otherwise legitimate piece of source code, while another exploited Duo's parsing of markdown responses in real-time asynchronously. An attacker could leverage this behavior – that Duo begins rendering the output line by line rather than waiting until the entire response is generated and sending it all at once – to introduce malicious HTML code that can access sensitive data and exfiltrate the information to a remote server. The issues have been patched by GitLab following responsible disclosure. ‎️‍🔥 Trending CVEs Software vulnerabilities remain one of the simplest—and most effective—entry points for attackers. Each week uncovers new flaws, and even small delays in patching can escalate into serious security incidents. Staying ahead means acting fast. Below is this week's list of high-risk vulnerabilities that demand attention. Review them carefully, apply updates without delay, and close the doors before they're forced open. This week's list includes — CVE-2025-34025, CVE-2025-34026, CVE-2025-34027 (Versa Concerto), CVE-2025-30911 (RomethemeKit For Elementor WordPress plugin), CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779 (pfSense), CVE-2025-41229 (VMware Cloud Foundation), CVE-2025-4322 (Motors WordPress theme), CVE-2025-47934 (OpenPGP.js), CVE-2025-30193 (PowerDNS), CVE-2025-0993 (GitLab), CVE-2025-36535 (AutomationDirect MB-Gateway), CVE-2025-47949 (Samlify), CVE-2025-40775 (BIND DNS), CVE-2025-20152 (Cisco Identity Services Engine), CVE-2025-4123 (Grafana), CVE-2025-5063 (Google Chrome), CVE-2025-37899 (Linux Kernel), CVE-2025-26817 (Netwrix Password Secure), CVE-2025-47947 (ModSecurity), CVE-2025-3078, CVE-2025-3079 (Canon Printers), and CVE-2025-4978 (NETGEAR). 📰 Around the Cyber World Sandworm Drops New Wiper in Ukraine — The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. "The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations," ESET Director of Threat Research, Jean-Ian Boutin, said. Another Russian hacking group, Gamaredon, remained the most prolific actor targeting the East European nation, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. Signal Says No to Recall — Signal has released a new version of its messaging app for Windows that, by default, blocks the ability of Windows to use Recall to periodically take screenshots of the app. "Although Microsoft made several adjustments over the past twelve months in response to critical feedback, the revamped version of Recall still places any content that's displayed within privacy-preserving apps like Signal at risk," Signal said. "As a result, we are enabling an extra layer of protection by default on Windows 11 in order to help maintain the security of Signal Desktop on that platform even though it introduces some usability trade-offs. Microsoft has simply given us no other option." Microsoft began officially rolling out Recall last month. Russia Introduces New Law to Track Foreigners Using Their Smartphones — The Russian government has introduced a new law that makes installing a tracking app mandatory for all foreign nationals in the Moscow region. This includes gathering their real-time locations, fingerprint, face photograph, and residential information. "The adopted mechanism will allow, using modern technologies, to strengthen control in the field of migration and will also contribute to reducing the number of violations and crimes in this area," Vyacheslav Volodin, chairman of the State Duma, said. "If migrants change their actual place of residence, they will be required to inform the Ministry of Internal Affairs (MVD) within three working days." A proposed four-year trial period begins on September 1, 2025, and runs until September 1, 2029. Dutch Government Passes Law to Criminalize Cyber Espionage — The Dutch government has approved a law criminalizing a wide range of espionage activities, including digital espionage, in an effort to protect national security, critical infrastructure, and high-quality technologies. Under the amended law, leaking sensitive information that is not classified as a state secret or engaging in activities on behalf of a foreign government that harm Dutch interests can also result in criminal charges. "Foreign governments are also interested in non-state-secret, sensitive information about a particular economic sector or about political decision-making," the government said. "Such information can be used to influence political processes, weaken the Dutch economy or play allies against each other. Espionage can also involve actions other than sharing information." Microsoft Announces Availability of Quantum-Resistant Algorithms to SymCrypt — Microsoft has revealed that it's making post-quantum cryptography (PQC) capabilities, including ML-KEM and ML-DSA, available for Windows Insiders, Canary Channel Build 27852 and higher, and Linux, SymCrypt-OpenSSL version 1.9.0. "This advancement will enable customers to commence their exploration and experimentation of PQC within their operational environments," Microsoft said. "By obtaining early access to PQC capabilities, organizations can proactively assess the compatibility, performance, and integration of these novel algorithms alongside their existing security infrastructure." New Malware DOUBLELOADER Uses ALCATRAZ for Obfuscation — The open-source obfuscator ALCATRAZ has been seen within a new generic loader dubbed DOUBLELOADER, which has been deployed alongside Rhadamanthys Stealer infections starting December 2024. The malware collects host information, requests an updated version of itself, and starts beaconing to a hardcoded IP address (185.147.125[.]81) stored within the binary. "Obfuscators such as ALCATRAZ end up increasing the complexity when triaging malware," Elastic Security Labs said. "Its main goal is to hinder binary analysis tools and increase the time of the reverse engineering process through different techniques; such as hiding the control flow or making decompilation hard to follow." New Formjacking Campaign Targets WooCommerce Sites — Cybersecurity researchers have detected a sophisticated formjacking campaign targeting WooCommerce sites. The malware, per Wordfence, injects a fake but professional-looking payment form into legitimate checkout processes and exfiltrates sensitive customer data to an external server. Further analysis has revealed that the infection likely originated from a compromised WordPress admin account, which was used to inject malicious JavaScript via a Simple Custom CSS and JS plugin (or something similar) that allows administrators to add custom code. "Unlike traditional card skimmers that simply overlay existing forms, this variant carefully integrates with the WooCommerce site's design and payment workflow, making it particularly difficult for site owners and users to detect," the WordPress security company said. "The malware author repurposed the browser's localStorage mechanism – typically used by websites to remember user preferences – to silently store stolen data and maintain access even after page reloads or when navigating away from the checkout page." E.U. Sanctions Stark Industries — The European Union (E.U.) has announced sanctions against 21 individuals and six entities in Russia over its "destabilising actions" in the region. One of the sanctioned entities is Stark Industries, a bulletproof hosting provider that has been accused of acting as "enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities including, information manipulation interference and cyber attacks against the Union and third countries." The sanctions also target its CEO Iurie Neculiti and owner Ivan Neculiti. Stark Industries was previously spotlighted by independent cybersecurity journalist Brian Krebs, detailing its use in DDoS attacks in Ukraine and across Europe. In August 2024, Team Cymru said it discovered 25 Stark-assigned IP addresses used to host domains associated with FIN7 activities and that it had been working with Stark Industries for several months to identify and reduce abuse of their systems. The sanctions have also targeted Kremlin-backed manufacturers of drones and radio communication equipment used by the Russian military, as well as those involved in GPS signal jamming in Baltic states and disrupting civil aviation. The Mask APT Unmasked as Tied to the Spanish Government — The mysterious threat actor known as The Mask (aka Careto) has been identified as run by the Spanish government, according to a report published by TechCrunch, citing people who worked at Kaspersky at the time and had knowledge of the investigation. The Russian cybersecurity company first exposed the hacking group in 2014, linking it to highly sophisticated attacks since at least 2007 targeting high-profile organizations, such as governments, diplomatic entities, and research institutions. A majority of the group's attacks have targeted Cuba, followed by hundreds of victims in Brazil, Morocco, Spain, and Gibraltar. While Kaspersky has not publicly attributed it to a specific country, the latest revelation makes The Mask one of the few Western government hacking groups that has ever been discussed in public. This includes the Equation Group, the Lamberts (the U.S.), and Animal Farm (France). Social Engineering Scams Target Coinbase Users — Earlier this month, cryptocurrency exchange Coinbase revealed that it was the victim of a malicious attack perpetrated by unknown threat actors to breach its systems by bribing customer support agents in India and siphon funds from nearly 70,000 customers. According to Blockchain security firm SlowMist, Coinbase users have been the target of social engineering scams since the start of the year, bombarding with SMS messages claiming to be fake withdrawal requests and seeking their confirmation as part of a "sustained and organized scam campaign." The goal is to induce a false sense of urgency and trick them into calling a number, eventually convincing them to transfer the funds to a secure wallet with a seed phrase pre-generated by the attackers and ultimately drain the assets. It's assessed that the activities are primarily carried out by two groups: low-level skid attackers from the Com community and organized cybercrime groups based in India. "Using spoofed PBX phone systems, scammers impersonate Coinbase support and claim there's been 'unauthorized access' or 'suspicious withdrawals' on the user's account," SlowMist said. "They create a sense of urgency, then follow up with phishing emails or texts containing fake ticket numbers or 'recovery links.'" Delta Can Sue CrowdStrike Over July 2024 Mega Outage — Delta Air Lines, which had its systems crippled and almost 7,000 flights canceled in the wake of a massive outage caused by a faulty update issued by CrowdStrike in mid-July 2024, has been given the green light to pursue to its lawsuit against the cybersecurity company. A judge in the U.S. state of Georgia stating Delta can try to prove that CrowdStrike was grossly negligent by pushing a defective update to its Falcon software to customers. The update crashed 8.5 million Windows devices across the world. Crowdstrike previously claimed that the airline had rejected technical support offers both from itself and Microsoft. In a statement shared with Reuters, lawyers representing CrowdStrike said they were "confident the judge will find Delta's case has no merit, or will limit damages to the 'single-digit millions of dollars' under Georgia law." The development comes months after MGM Resorts International agreed to pay $45 million to settle multiple class-action lawsuits related to a data breach in 2019 and a ransomware attack the company experienced in 2023. Storm-1516 Uses AI-Generated Media to Spread Disinformation — The Russian influence operation known as Storm-1516 (aka CopyCop) sought to spread narratives that undermined the European support for Ukraine by amplifying fabricated stories on X about European leaders using drugs while traveling by train to Kyiv for peace talks. One of the posts was subsequently shared by Russian state media and Maria Zakharova, a senior official in Russia's foreign ministry, as part of what has been described as a coordinated disinformation campaign by EclecticIQ. The activity is also notable for the use of synthetic content depicting French President Emmanuel Macron, U.K. Labour Party leader Keir Starmer, and German chancellor Friedrich Merz of drug possession during their return from Ukraine. "By attacking the reputation of these leaders, the campaign likely aimed to turn their own voters against them, using influence operations (IO) to reduce public support for Ukraine by discrediting the politicians who back it," the Dutch threat intelligence firm said. Turkish Users Targeted by DBatLoader — AhnLab has disclosed details of a malware campaign that's distributing a malware loader called DBatLoader (aka ModiLoader) via banking-themed banking emails, which then acts as a conduit to deliver SnakeKeylogger, an information stealer developed in .NET. "The DBatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processes (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for behaviors such as file copying and changing policies," the company said. SEC SIM-Swapper Sentenced to 14 Months for SEC X Account Hack — A 26-year-old Alabama man, Eric Council Jr., has been sentenced to 14 months in prison and three years of supervised release for using SIM swapping attacks to breach the U.S. Securities and Exchange Commission's (SEC) official X account in January 2024 and falsely announced that the SEC approved Bitcoin (BTC) Exchange Traded Funds (ETFs). Council Jr. (aka Ronin, Agiantschnauzer, and @EasyMunny) was arrested in October 2024 and pleaded guilty to the crime earlier this February. He has also been ordered to forfeit $50,000. According to court documents, Council used his personal computer to search incriminating phrases such as "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBI is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account." FBI Warns of Malicious Campaign Impersonating Government Officials — The U.S. Federal Bureau of Investigation (FBI) is warning of a new campaign that involves malicious actors impersonating senior U.S. federal or state government officials and their contacts to target individuals since April 2025. "The malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior US official in an effort to establish rapport before gaining access to personal accounts," the FBI said. "One way the actors gain such access is by sending targeted individuals a malicious link under the guise of transitioning to a separate messaging platform." From there, the actor may present malware or introduce hyperlinks that lead intended targets to an actor-controlled site that steals login information. DICOM Flaw Enables Attackers to Embed Malicious Code Within Medical Image Files — Praetorian has released a proof-of-concept (PoC) for a high-severity security flaw in Digital Imaging and Communications in Medicine (DICOM), predominant file format for medical images, that enables attackers to embed malicious code within legitimate medical image files. CVE-2019-11687 (CVSS score: 7.8), originally disclosed in 2019 by Markel Picado Ortiz, stems from a design decision that allows arbitrary content at the start of the file, otherwise called the Preamble, which enables the creation of malicious polyglots. Codenamed ELFDICOM, the PoC extends the attack surface to Linux environments, making it a much more potent threat. As mitigations, it's advised to implement a DICOM preamble whitelist. "DICOM's file structure inherently allows arbitrary bytes at the beginning of the file, where Linux and most operating systems will look for magic bytes," Praetorian researcher Ryan Hennessee said. "[The whitelist] would check a DICOM file's preamble before it is imported into the system. This would allow known good patterns, such as 'TIFF' magic bytes, or '\x00' null bytes, while files with the ELF magic bytes would be blocked." Cookie-Bite Attack Uses Chrome Extension to Steal Session Tokens — Cybersecurity researchers have demonstrated a new attack technique called Cookie-Bite that employs custom-made malicious browser extensions to steal "ESTAUTH" and "ESTSAUTHPERSISTNT" cookies in Microsoft Azure Entra ID and bypass multi-factor authentication (MFA). The attack has multiple moving parts to it: A custom Chrome extension that monitors authentication events and captures cookies; a PowerShell script that automates the extension deployment and ensures persistence; an exfiltration mechanism to send the cookies to a remote collection point; and a complementary extension to inject the captured cookies into the attacker's browser. "Threat actors often use infostealers to extract authentication tokens directly from a victim's machine or buy them directly through darkness markets, allowing adversaries to hijack active cloud sessions without triggering MFA," Varonis said. "By injecting these cookies while mimicking the victim's OS, browser, and network, attackers can evade Conditional Access Policies (CAPs) and maintain persistent access." Authentication cookies can also be stolen using adversary-in-the-middle (AitM) phishing kits in real-time, or using rogue browser extensions that request excessive permissions to interact with web sessions, modify page content, and extract stored authentication data. Once installed, the extension can access the browser's storage API, intercept network requests, or inject malicious JavaScript into active sessions to harvest real-time session cookies. "By leveraging stolen session cookies, an adversary can bypass authentication mechanisms, gaining seamless entry into cloud environments without requiring user credentials," Varonis said. "Beyond initial access, session hijacking can facilitate lateral movement across the tenant, allowing attackers to explore additional resources, access sensitive data, and escalate privileges by abusing existing permissions or misconfigured roles." 🎥 Cybersecurity Webinars Non-Human Identities: The AI Backdoor You're Not Watching → AI agents rely on Non-Human Identities (like service accounts and API keys) to function—but these are often left untracked and unsecured. As attackers shift focus to this hidden layer, the risk is growing fast. In this session, you'll learn how to find, secure, and monitor these identities before they're exploited. Join the webinar to understand the real risks behind AI adoption—and how to stay ahead. Inside the LOTS Playbook: How Hackers Stay Undetected → Attackers are using trusted sites to stay hidden. In this webinar, Zscaler experts share how they detect these stealthy LOTS attacks using insights from the world's largest security cloud. Join to learn how to spot hidden threats and improve your defense. 🔧 Cybersecurity Tools ScriptSentry → It is a free tool that scans your environment for dangerous logon script misconfigurations—like plaintext credentials, insecure file/share permissions, and references to non-existent servers. These overlooked issues can enable lateral movement, privilege escalation, or even credential theft. ScriptSentry helps you quickly identify and fix them across large Active Directory environments. Aftermath → It is a Swift-based, open-source tool for macOS incident response. It collects forensic data—like logs, browser activity, and process info—from compromised systems, then analyzes it to build timelines and track infection paths. Deploy via MDM or run manually. Fast, lightweight, and ideal for post-incident investigation. AI Red Teaming Playground Labs → It is an open-source training suite with hands-on challenges designed to teach security professionals how to red team AI systems. Originally developed for Black Hat USA 2024, the labs cover prompt injections, safety bypasses, indirect attacks, and Responsible AI failures. Built on Chat Copilot and deployable via Docker, it's a practical resource for testing and understanding real-world AI vulnerabilities. 🔒 Tip of the Week Review and Revoke Old OAuth App Permissions — They're Silent Backdoor → You've likely logged into apps using "Continue with Google," "Sign in with Microsoft," or GitHub/Twitter/Facebook logins. That's OAuth. But did you know many of those apps still have access to your data long after you stop using them? Why it matters: Even if you delete the app or forget it existed, it might still have ongoing access to your calendar, email, cloud files, or contact list — no password needed. If that third-party gets breached, your data is at risk. What to do: Go through your connected apps here: Google: myaccount.google.com/permissions Microsoft: account.live.com/consent/Manage GitHub: github.com/settings/applications Facebook: facebook.com/settings?tab=applications Revoke anything you don't actively use. It's a fast, silent cleanup — and it closes doors you didn't know were open. Conclusion Looking ahead, it's not just about tracking threats—it's about understanding what they reveal. Every tactic used, every system tested, points to deeper issues in how trust, access, and visibility are managed. As attackers adapt quickly, defenders need sharper awareness and faster response loops. The takeaways from this week aren't just technical—they speak to how teams prioritize risk, design safeguards, and make choices under pressure. Use these insights not just to react, but to rethink what "secure" really needs to mean in today's environment. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

JointForcer: Final Assault 3.2 – DUPLEX adds space battles, capital ships, and real-terrain maps to this free tactical air/naval combat game. Fly over 50 aircraft, command drones, and build missions with full control. New features include strategic ramming, improved physics, massive warships, and true 3D warfare. Play solo or multiplayer – all free. Posted by karolgrodecki on May 18th, 2025 JOINTFORCER: FINAL ASSAULT 3.2 DUPLEX EDITION – OFFICIAL PRESENTATION 1. What Is JOINTFORCER? Welcome to JointForcer: Final Assault 3.2 DUPLEX, an air & naval combat game blending arcade action, tactical planning, and strategic execution. You can play solo or multiplayer, with full mission customization. MULTI/SINGLE PLAYER ARCADE SHOOTER + AIR NAVAL SPACE COMBAT SIM + MISSION SANDBOX If you can't imagine what that means—think of an action RPG, but with airplanes, helicopters, and experimental aircraft. Choose your main weapon, two special abilities (missile pods 1 & 2), radar (like skill range), armor, and structure (self-explanatory). Then jump into a team-based dogfight deathmatch with players or highly customizable AI. From light and agile fighters to heavy bombers with powerful weapons, all the way up to capital vessels capable of spawning their own fleet. 🚨 It’s completely FREE! 🚨 -> DOWNLOAD <- With the latest Titan Mangusta (DUPLEX 3.2) patch – we’re taking the fight into space. Yes, you heard that right: space battles are now part of the experience. For those who prefer more realistic setup, there new desert missions, and something special: maps based on REAL geographical data. There is mini world map, map of United Kingdom, Europe, also Black Sea with Ukraine and Persian Gulf / Middle East maps. 2. Capital Ships – New Gameplay Tier Each faction now has access to a new class of capital ships: REBELS: Heavy Airships EAST: DD-Class Destroyers WEST: BC-Class Battlecruiser These colossal machines are easy targets, but incredibly resilient. They introduce a new kind of gameplay: Strong hull, but easy to hit Capable of dealing massive firepower Great for base assault/defense or command center missions Can RAM smaller ships :))) 3. Aircraft Collision Rework – Smarter Physics Previously, two aircraft crashing into each other in space would cause both to explode. Now: Damage is based on opponent’s hull strength. Small fighters will no longer explode capital ships Large vessels can now strategically ram opponents in close combat Encourages a new level of tactical creativity 4. New Terrain-Based Maps – Earth Gets Real We’re introducing a new map system using real-world geographical data. 🗺️ Maps include: MiniWorld (Europe-centric scaled terrain) Persian Gulf [This is height-map used to create Persian Gulf region. From left upper corner you can recognize characteristic 'shoe' - Italy, then going to centre you will see Middle East region and Suez Canal. ] Suez Canal Other large-scale coastal zones North Poland (including Russian Enclave) Features: No roads or infrastructure — pure terrain and water Ideal for sniping/hunting (large maps) Intense dogfighting (small maps) [this real-map project will be developed further with better quality and more real regions - feel free to suggest your picks!] 5. Over 50 Aircraft to Command We’ve packed the game with a huge selection of aerial machines: Fighters: F-16, F-18, EuroFighter, MiG-29, Su-33, Attack planes: SU-25, A-10 Tank Killer Multirole: SU-30, SU-33 Bombers: 🚨 New: SU-24, B-1B for the WEST [in-game codename Strategic Bomber SB-1 OPPENHEIMER] Frigates, Nuclear bombers, Capital Ships. Multiple 'what-if' experimental vessels, like DD Chrushtchev - EAST Destroyer. Finally you can use space vessels in their 'true' environment and take them into space batlle 6. Reskins, Improvements, & Bug Fixes Visual improvements on several models New effects for capital ship exhaust and heat Bug where drones spawned directly into the host vessel: FIXED Now spawn from rear sections of airships for safe deployment 7. Space Combat Expanded We’ve added multiple space maps, including: Derelict Stations Asteroid Fields Megacity Shells Combat in space is no longer flat. Up, down, left, and right lose all meaning. This is true 3D warfare – prepare for the next level. 8. Arsenal of Destruction Customize your aircraft with a deep and satisfying loadout system: Cannons, bombs, missiles (heat-seekers, dumbfire, ballistic) Radars, countermeasures, defence systems Armor mods and airframe upgrades Adjust for weight, speed, range, and role. 9. Mission Planning – Your Way You control the mission architecture: Factions (EAST / WEST / REBELS) Custom squadrons (Fighter, Bomber, Support) AI difficulty from flying target to combat aces World speed and general hull strength allow to bend rules to your like - from one shot kills to long time air&naval battles Over 25 biomes: Europe Mongolia Indo-China Middle East Oceanic + Island Zones + REALISTIC NEW MISSION MAP PACKS IN POTENTIAL CONFLICT ZONES WITH FUTURISTIC BATTLE BASES 10. Unique Features 🪂 [IMPROVED!] Ejection System Escape mid-flight Fight in escape pod of your choice 🤖 Drones & Support Fighters Light fighters spawn 1–2 UAVs Capital ships can launch up to 16 drones ⚔️ Vertical & Horizontal Combat From sea-skimming interceptors to orbit duels Battles span full vertical space 11. Strategy Meets Accessibility Whether you’re a tactician or a trigger-happy pilot: Quick-play skirmishes Full scenario missions Great for all skill levels 12. New Combat Philosophy – Especially for Rebels REBELS now fight: In open-top hovercraft Blending flesh and metal – ships are grown from biomass Believe their vessels are alive They defend the freedom of: Thought Science Speech Exploration Their strategy? Be like water: “Gutta cavat lapidem non vi, sed saepe cadendo” ("The drop hollows the stone not by force, but by falling often") Use wit, adaptability, and human skill to win. Their capital ships are like beasts. Their pilots ride on top, in suits or gas masks, feeling the air. From the skies of Earth to the void of space – they are the last free people. 🎧 Final Notes & Extras 💻 Official Links: 🛰️ Teasing Future Features/Roadmap: Naval Destroyers and landing crafts Airships Quality Flight Improvement - Adding/Implementing new animations for flight control/immersion Adding flora, grass, trees, etc, - everything has to be considered vs game size and frame rate Fly Free. Burn Bright. Download JointForcer Now.

US President Donald Trump (left), accompanied by US Secretary of Defense Pete Hegseth (right), announces the Golden Dome missile defense shieldCHRIS KLEPONIS/POOL/EPA-EFE/Shutterstock US President Donald Trump has proposed a defence project, called the Golden Dome, to intercept any incoming hypersonic, ballistic and advanced cruise missiles that threaten the country. “Once fully constructed, the Golden Dome will be capable of intercepting missiles even if they are launched from other sides of the world and even if they are launched from space,” said Trump during the White House announcement on 20 May. But such a thorough interception system may not be possible. Some experts also warn that, even if it works, the Golden Dome would take at least a decade to build, cost more than half a trillion dollars – and accelerate the global nuclear arms race and the weaponisation of space.Advertisement What is the Golden Dome? The project’s name is inspired by Israel’s Iron Dome system, which uses ground-based missiles to intercept incoming rockets and artillery fired from relatively short distances. But the Golden Dome would need to defend a far larger area – the land mass of the contiguous US alone is more than 350 times the size of Israel – from a wider variety of sophisticated missiles. According to Trump and his officials, the system should be able to counter ballistic missiles that could be launched from the other side of the world, advanced cruise missiles that fly on flatter trajectories at lower altitudes and hypersonic missiles that can fly and manoeuvre at speeds exceeding Mach 5, five times the speed of sound. These missiles can carry either nuclear warheads or conventional explosive warheads. Receive a weekly dose of discovery in your inbox. Sign up to newsletter To detect and intercept the threats, the Golden Dome will use both “space-based sensors and air and missile defense”, US Secretary of Defense Pete Hegseth said in a statement. That implies an umbrella system of “Golden Domes” with different technologies countering different threats, says David Burbach at the Naval War College in Rhode Island, who shared some comments with New Scientist in a personal capacity. However, not all of these defences exist. For instance, the Golden Dome would supposedly use space-based interceptor missiles in low Earth orbit, an unprecedented technological feat that has never been demonstrated before, says Thomas González Roberts at the Georgia Institute of Technology in Atlanta. A similar idea, nicknamed Star Wars, was originally proposed by US President Ronald Reagan in his Strategic Defense Initiative during the cold war. In fact, Trump has described the Golden Dome as an effort to complete “the job that President Reagan started 40 years ago”. How will the Golden Dome work? Missile defence experts describe the challenge of intercepting long-range nuclear missiles as being like “hitting a bullet with a bullet, in the dark” because “the targets are small, not emitting any radio or infrared signals, and fast moving”, says Burbach. “One thing to keep in mind is that even optimistic technical experts admit 100 per cent interception is unlikely.” The US already has a system of ground-based interceptor missiles, primarily based in Alaska. They can shoot down “a couple dozen incoming warheads at best”, says Burbach. He also pointed out that Russia and China are developing countermeasures to make it harder to detect and intercept their missiles. “Stopping subsonic cruise missiles or short-range ballistic missiles launched from just outside US borders would use established technology, but it could be expensive to deploy enough of those defensive systems to cover the whole country,” says Burbach. “The real challenge will be Golden Dome’s aim to stop large numbers of intercontinental missiles – President Trump said ‘100 per cent’ of them – such as an attack from China or Russia.” Trump’s claim that the Golden Dome would defend against missile strikes from the other side of the world or even from space implies it would require a “dense constellation of likely low-Earth orbiting, space-based missile interceptors that could deorbit and strike a missile within minutes of it launching” from anywhere, says Roberts. “The number of satellites you would need is bigger than any constellation that’s ever been launched,” he says. Currently, the largest constellation consists of around 7000 Starlink satellites operated by SpaceX. How much will the Golden Dome cost? Trump proposed a budget of $175 billion for the Golden Dome, although that funding has not yet been approved by the US Congress. And the Congressional Budget Office, a nonpartisan federal agency, estimated that a space-based interceptor system like Golden Dome could cost as much as $542 billion. “It’s unclear what expenditures are included in the $175 billion figure,” says Patrycja Bazylczyk at the Center for Strategic & International Studies, a think tank in Washington DC. Trump also claimed the Golden Dome would be “fully operational” by the end of his second term in office in early 2029, although experts doubt that is possible. “The three-year timeline is aggressive – this initiative is likely to span at least a decade, if not more,” says Bazylczyk. Much of the timeline may depend upon how many existing military systems it uses. “Significant progress is feasible in the near term, including fielding new interceptors, over-the-horizon radars, space-based sensors and technology demonstrations,” says Bazylczyk. But there are major limitations to how quickly the US could launch the potentially thousands of satellites required for Golden Dome – to say nothing of developing the space-based interceptor technologies. “I think you’d be very hard-pressed to find a launch cadence that could support a large constellation going up in just three years,” says Roberts. “SpaceX launches more things more often than anyone in the history of space operations, and the ask here is to crack open that ceiling even further.” “I think it is almost impossible a system could be ‘fully operational’ in the sense of ‘stop 100 per cent of a missile attack’ that quickly,” says Burbach. “Reaching even a small-scale operational capability that soon would be very difficult.” Will Golden Dome make the US safer? There is already an ongoing arms race between the US, China and Russia, with all three countries modernising and expanding their nuclear arsenals, as well as developing space-based systems to support their militaries. If the Golden Dome system can improve US air and missile defences, it could “change the strategic calculus” by reducing the confidence of any missile-armed adversary, deterring them from launching attacks in the first place, says Bazylczyk. On the other hand, the Golden Dome has the “potential to contribute to instability” by “signalling to your nuclear adversaries that you simply don’t trust them”, says Roberts. China’s foreign ministry responded to Trump’s announcement by saying the Golden Dome carries “strong offensive implications” and raises the risks of an arms race in space. A Kremlin spokesperson suggested the Golden Dome plans could lead to resumption of nuclear arms control discussions between Russia and the US. To counter this system, China and Russia might try to “destroy or disable US satellites”, says Burbach. Both countries already have missiles capable of shooting down satellites, and they could also try to electronically jam or hack US satellite systems, he says. In February 2024, the US government warned that Russia had plans to launch a space weapon capable of disabling or destroying satellites, possibly using a nuclear explosion. These countries could also bulk up their missile arsenals and possibly develop more manoeuvrable weapons that also use decoys, says Burbach. He pointed out that Russia has already started developing weapons less vulnerable to space-based interception, such as intercontinental nuclear torpedoes that travel underwater. Topics:

May 23, 2025Ravie LakshmananThreat Intelligence / Network Security Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network. The threat actor has been observed exploiting a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers (CVE-2023-20118) to corral them into a set of honeypots en masse. A majority of the infections are located in Macau, with 850 compromised devices. "The infection chain involves the execution of a shell script, dubbed NetGhost, which redirects incoming traffic from specific ports of the compromised router to a honeypot-like infrastructure under the attacker's control allowing them to intercept network flows," Sekoia said in an analysis published Thursday. It's worth noting that the exploitation of CVE-2023-20118 was previously attributed by the French cybersecurity company to another botnet dubbed PolarEdge. While there is no evidence that these two sets of activities are connected, it's believed that the threat actor behind ViciousTrap is likely setting up honeypot infrastructure by breaching a wide range of internet-facing equipment, including SOHO routers, SSL VPNs, DVRs, and BMC controllers from more than 50 brands like Araknis Networks, ASUS, D-Link, Linksys, and QNAP. "This setup would allow the actor to observe exploitation attempts across multiple environments and potentially collect non-public or zero-day exploits, and reuse access obtained by other threat actors," it added. The attack chain entails the weaponization of CVE-2023-20118 to download and execute a bash script via ftpget, which then contacts an external server to fetch the wget binary. In the next step, the Cisco flaw is exploited a second time, using it to execute a second script retrieved using the previously dropped wget. The second-stage shell script, internally referenced as NetGhost, is configured to redirect network traffic from the compromised system to third-party infrastructure controlled by the attacker, thereby facilitating adversary-in-the-middle (AitM) attacks. It also comes with capabilities to remove itself from the compromised host to minimize forensic trail. Sekoia said all exploitation attempts have originated from a single IP address ("101.99.91[.]151"), with the earliest activity dating back to March 2025. In a noteworthy event observed a month later, the ViciousTrap actors are said to have repurposed an undocumented web shell previously employed in PolarEdge botnet attacks for their own operations. "This assumption aligns with the attacker's use of NetGhost," security researchers Felix Aimé and Jeremy Scion said. "The redirection mechanism effectively positions the attacker as a silent observer, capable of collecting exploitation attempts and, potentially, web shell accesses in transit." As recently as this month, exploitation efforts have also targeted ASUS routers but from a different IP address ("101.99.91[.]239"), although the threat actors have not been found to create any honeypot on the infected devices. All the IP addresses actively used in the campaign are located in Malaysia and are part of an Autonomous System (AS45839) operated by hosting provider Shinjiru. The actor is believed to be of Chinese-speaking origin on the basis of a weak overlap with the GobRAT infrastructure and the fact that traffic is redirected to numerous assets in Taiwan and the United States. "The final objective of ViciousTrap remains unclear even [though] we assess with high confidence that it's a honeypot-style network," Sekoia concluded. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Since the Chinese biophysicist He Jiankui was released from prison in 2022, he has sought to make a scientific comeback and to repair his reputation after a three-year incarceration for illegally creating the world’s first gene-edited children.  While he has bounced between cities, jobs, and meetings with investors, one area of visible success on his come-back trail has been his X.com account, @Jiankui_He, which has become his main way of spreading his ideas to the world. Starting in September 2022, when he joined the platform, the account stuck to the scientist’s main themes, including promisingposted in August 2024. He also shared mundane images of his daily life, including golf games and his family. But over time, it evolved and started to go viral—first with a series of selfies accompanied by grandiose statements (“Every pioneer or prophet must suffer”), and then, in April of this year, it became particularly outrageous and even troll-like, blasting out bizarre messages (“Good morning bitches. How many embryos have you gene edited today?”). This has left observers unsure what to take seriously. Last month, in reply to MIT Technology Review’s questions about who was responsible for the account’s transformation into a font of clever memes, He emailed us back: “It’s thanks to Cathy Tie.” You may not be familiar with Tie but she’s no stranger to the public spotlight. A former Thiel fellow, she is a partner in the attention-grabbing Los Angeles Project, which promised to create glow-in-the-dark pets. Over the past several weeks, though, the 29-year-old Canadian entrepreneur has started to get more and more attention as the new wife to (and apparent social media mastermind behind) He Jiankui. On April 15, He announced a new venture, Cathy Medicine, that would take up his mission of editing human embryos to create people resistant to diseases like Alzheimer’s or cancer. Then just a few days later, on April 18, He and Tie announced that they got married, posting pictures of themselves in traditional Chinese wedding attire. But now, Tie says that just a month after marrying “the most controversial scientist in the world,” her plans to relocate from Los Angeles to Beijing to be with He are in disarray; she says she’s been denied entry to China and the two “may never see each other again,” as He’s passport is being held by Chinese authorities and he can’t leave the country. Reached by phone in Manila, Tie said authorities in the Philippines intercepted her during a layover on May 17 and told her she couldn’t board a plane to China, where she was born and where she says she has a valid 10-year visa. She claims they didn’t say why but told her she is likely “on a watch list.” (MIT Technology Review could not independently confirm Tie’s account.)  “While I’m concerned about my marriage, I am more concerned about what this means for humanity and the future of science,” Tie posted to her own X account. A match made in gene-editing heaven The romance between He and Tie has been playing out in public over the past several weeks through a series of reveals on He’s X feed, which had already started going viral late last year thanks to his style of posting awkward selfies alongside maxims about the untapped potential of heritable gene editing, or changing people’s DNA when they’re just embryos in an IVF dish.  “Human [sic] will no longer be controlled by Darwin's evolution,” He wrote in March. That post, which showed him standing in an empty lab, gazing into the distance, garnered 9.7 million views. And then, a week later for 13.3 million: “Ethics is holding back scientific innovation and progress.”  In April, the feed started to change even more drastically.  He’s posts became increasingly provocative, with better English and a unique sensibility of online culture. “Stop asking for cat girls. I’m trying to cure disease,” the account posted on April 15. Two days later, the account followed-up: “I literally went to prison for this shit.”  This shift coincided with the development of his romance with Tie. Tie told us she has visited China three times this year, including a three-week stint in April when she and He got married after a whirlwind romance. She bought him a silver wedding ring made up of intertwined DNA strands.  The odd behavior on He’s X feed and the sudden marriage have left followers wondering if they are watching a love story, a new kind of business venture, or performance art. It might be all three.  A wedding photo posted by Tie on Chinese social media platform Rednote shows the couple sitting at a banquet hall, with a small number of guests. MIT Technology Review has been able to identify several people who attended: Cai Xilei, He’s criminal attorney; Liu Haiyan, an investor and former business partner of He; and Darren Zhu, an artist and Thiel fellow who is making a “speculative” documentary about the biophysicist that will blur the boundaries of fiction and reality. In the phone interview, Tie declined to say if she and He are legally married. Tie also confirmed she celebrated a wedding less than one year ago with someone else in California, in July of 2024, but noted they broke up after a few months; she also declined to describe the legal status of that marriage. In the phone call, Tie emphasized that her relationship with He is genuine: “I wouldn’t marry him if I wasn’t in love with him.” An up and comer Years before Tie got into a relationship with He, she was getting plenty of attention in her own right. Soon, she began appearing on the entrepreneurs circuit, a “wunderkind” who was featured on a Forbes “30 Under 30” list in 2018 and was presented as an up-and-coming venture capitalist on CNN that same year. In 2020, she started her second company, Locke Bio, that focuses on online telemedicine. Like Thiel, Tie has also staked out contrarian positions. She’s called mainstream genomics a scam and described entrepreneurship as a way to escape the hidebound practices of academia and bioethics. “Starting companies is my preferred form of art,” she posted in 2022, linking to an interview on CNBC.  By February 2025, Tie was ready to announce another new venture, the Los Angeles Project, a stealth company she had incorporated in 2023 under her legal name, Cheng Cheng Tie. The company, started with the Austin-based biohacker and artist Josie Zayner, says it will try to modify animal embryos, including to make fluorescent glow-in-the-dark rabbits as pets. The Los Angeles Project revels in explicitly transgressive aims for embryo editing, including a plan to add horn genes to horse embryos to make a unicorn. That’s consistent with Zayner’s past stunts, which include injecting herself with CRISPR during a livestream. “This is a company that should not exist,” Zayner said in announcing the newly public project. Although the Los Angeles Project has only a tiny staff with uncertain qualifications, it did raise $1 million from the 1517 fund, a venture group that supports “dropouts” and whose managers previously ran the Thiel Fellowship.  Asked for his assessment of Tie, Michael Gibson, a 1517 partner, said in an email that he thinks Tie is “not just exceptional, but profoundly exceptional.” He sent along a list of observations he’d jotted down about Tie before funding her company, which approvingly noted her “hyper-fluent competence” and “low need for social approval. Thoughts & actions routinely unconventional.”  A comeback story He first gained notoriety in 2018, when he and co-workers at the Southern University of Science & Technology in Shenzhen, injected the CRISPR gene-editor into several viable human embryos, and then transferred these into volunteers, leading to the birth of three girls who he claimed would be resistant to HIV. A subsequent Chinese investigation found he’d practiced medicine illegally while “pursuing fame and fortune.” A court later sentenced him to three years in prison. He has never apologized for his experiments, except to say he acted “too quickly” and to express regret for the trouble he’d caused his former wife and two daughters. (According to a leaked WeChat post by his ex-wife, she divorced him in 2024 “because of a major fault on his side.”) Since his release from prison, He has sought to restart his research and convince people that he should be recognized as the “Chinese Darwin,” not “China’s Frankenstein,” as the press once dubbed him.  But his comeback has been bumpy. He lost a position at Wuchang University of Technology, a small private university in Hubei province, after some negative press. In February 2024, He posted that his application for funding from the Muscular Dystrophy Association was rejected. Last September, he even posted pictures of his torn shirt—which he said was the result of an assault by jealous rivals. One area of clear success, though, was the growing reach of his X profile, which today has ballooned to more than 130,000 followers. And as his public profile rose, some started encouraging He to find ways to cash in. Andrew Hessel, a futurist and synthetic biologist active in US ethics debates, says he tried to get He invited to give a TED Talk. “His story is unique, and I wanted to see his story get more widespread attention, if only as a cautionary tale,” Hessel says. “I think he is a lightning rod for a generation of people working in life sciences.” Later, Hessel says he sent him information on how to join X’s revenue-sharing program. “I said, ‘You have a powerful voice.’ Have you looked into monetization?” Hessel says. By last fall, He was also welcoming visitors to what he called a new lab in Beijing. One person who took him up on the offer was Steve Hsu, a Michigan State physics professor who has started several genetics companies and was visiting Beijing.  They ended up talking for hours. Hsu says that He expressed a desire to move to the US and start a company, and that he shared his idea for conducting a clinical trial of embryo editing in South Africa, possibly for the prevention of HIV.  Hsu says he later arranged an invitation for He to give a lecture in the United States. “You are a little radioactive, but things are opening up,” Hsu told him. But He declined the offer because the Chinese government is holding his passport—a common tactic it uses to restrict the movement of sensitive or high-profile figures—and won’t return it to him. “He doesn’t even know why. He literally doesn’t know,” says Hsu. “According to the law, they should give it back to him.” A curious triangle Despite any plans by He and Tie to advance the idea, creating designer babies is currently illegal in most of the world, including China and the US. Some experts, however, fret that forbidding the technology will only drive it underground and make it attractive to biohackers or scientists outside the mainstream.  That’s one reason Tie’s simultaneous connection to two notable biotech renegades—He and Zayner—is worth watching. “There is clearly a triangle forming in some way,” says Hessel. With Tie stuck outside China, and He being kept inside the country, their new gene-editing venture, Cathy Medicine, faces an uncertain future. Tie has posted previously on Rednote that she was “helping Dr. He open up the U.S. market,” and was planning to return to the US with He for scientific research. But when we spoke on the phone, Tie declined to disclose their next steps and said their predicament means the project is “out of the window now.” But even as the couple remains separated, their social media game is stronger than ever. As she waited in Manila, Tie sought help from friends and followers, even the entire internet. She blasted out a tweet to “crypto people” calling them “too pussy to stand up for things when it matters.” Within hours, someone had created a memecoin called $GENE as a way for the public to support the couple.  On May 20, Tie posted on X claiming that the amount donated to them is now worth almost $2 million. “I may need to retract my last statement about crypto,” wrote Tie.  He’s X account also retweeted to express support: “I only want to reunite with my wife @CathyTie, and continue my gene editing research.” He added the hashtag $GENE.