The breach exposed user names, email addresses, student ID numbers, and some private messages exchanged between Canvas users across thousands of schools worldwide.

This is not the first time ShinyHunters has gone after Instructure. The group previously targeted the company in September 2024, using social engineering tactics to compromise Salesforce business systems, though that attack did not touch any Canvas product data.

The May 2026 incident is a direct assault on the Canvas platform itself, making it far more serious for the millions of students and educators who depend on it daily. The two incidents also represent different attack classes against separate parts of Instructure infrastructure.

Researchers and threat intelligence analysts at Bitdefender documented ShinyHunters’ operating pattern as that of an extortion-as-a-service group, historically relying on voice phishing and social engineering to gain initial access, often impersonating IT support or trusted internal personnel.

The group launched a public extortion campaign on May 3, 2026, setting an original deadline of May 8, which was later extended to May 12, 2026. Instructure took Canvas, Canvas Beta, and Canvas Test offline for investigation on May 8, restored service the next day, and permanently shut down the Free-For-Teacher account program as part of its response.

Free-For-Teacher Program Was Exploited

ShinyHunters claims to have stolen 3.6 TB of data covering approximately 285 million users across 9,000 schools, though Instructure has not confirmed those figures. What the company officially confirmed includes names, email addresses, student IDs, and some private messages between Canvas users.

Instructure stated there is no evidence of exposure for passwords, dates of birth, government identifiers, or financial information. Named institutions affected include the University of Pennsylvania, Harvard, MIT, Oxford, Rutgers, the University of North Carolina system, multiple Missouri colleges, and educational organizations in Australia and the EU.

The Free-For-Teacher account program allowed educators to create Canvas accounts without institutional verification, giving them access to Canvas features for classroom use. These accounts ran on the same production Canvas infrastructure shared with paid institutional tenants, meaning they were logically separated but backed by the same systems.

ShinyHunters exploited this gap, and an attacker using a compromised free account had access patterns indistinguishable from a legitimate teacher piloting Canvas before their school adopted the platform.

Schools had no native way to identify which Free-For-Teacher accounts accessed their institutional Canvas tenant, whether through legitimate course integrations or malicious activity during the exposure window. The exposure window ran from April 30 to May 8, 2026, when Instructure shut down the program and rotated privileged credentials and API keys.

The attacker gained unauthorized access to production Canvas data and potentially achieved write access sufficient to deface login pages at multiple institutions. The stolen data, including student IDs, email addresses, and private message content, represents high-quality material for personalized phishing campaigns targeting students and faculty.

The Broader Phishing Risk Ahead

The risk does not end once a breach window closes. Stolen Canvas data is particularly dangerous because it enables highly convincing spear phishing campaigns that generic attacks simply cannot replicate.

An email referencing a specific Canvas course, quoting an actual private Canvas message, or including the recipient’s real student ID establishes false credibility that can fool even careful users.

Instructure has recommended that schools rotate API credentials, monitor for phishing emails appearing to come from Canvas, check login pages for unauthorized changes, and alert students, faculty, and staff immediately. Schools should also review Canvas logs for accounts with external email addresses that accessed courses or messages during the April 30 to May 8 exposure window.

Bitdefender MDR customers whose institutions appeared on the ShinyHunters disclosure list were notified directly with recommended actions. Monitoring continues for the full disclosure cycle in case additional Canvas data surfaces on threat actor channels.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post ShinyHunters Breaches Instructure Canvas LMS Through Free-For-Teacher Account Program appeared first on Cyber Security News.

Law enforcement officers arrested the suspected operator, a 35-year-old German citizen, at his residence in Mallorca.

A special unit of the Spanish National Police executed the arrest based on a European Arrest Warrant, effectively halting one of the most prominent marketplaces in the German-speaking underground economy.

Crimenetwork Exposes

Authorities allege that the accused built and administered this entirely new technical infrastructure under the name “Crimenetwork” just days after police shut down the original platform in December 2024.

Despite the previous administrator’s arrest, the rebooted darknet site quickly gained traction. It offered a similar range of illegal goods and services, including stolen data, forged documents, and illicit narcotics.

Before its sudden takedown, the renewed platform had quickly amassed a user base of over 22,000 individuals and hosted more than 100 active vendors.

Users on the platform carried out illicit transactions mainly using privacy-focused cryptocurrencies such as Bitcoin, Litecoin, and Monero.

Investigators secured extensive evidence indicating that the new platform generated revenues exceeding €3.6 million.

The primary operator collected commission payments on every processed sale and charged vendors monthly fees for advertising rights and sales licenses.

During the recent raid, international law enforcement successfully seized approximately €194,000 in assets suspected of being linked directly to the platform.

Furthermore, authorities obtained comprehensive user and transaction databases, providing critical leads for tracking down the buyers and sellers who primarily reside in German-speaking regions.

This successful takedown relied heavily on close collaboration among the BKA, the ZIT, the Spanish Policía Nacional, Moldovan cybercrime units, and Eurojust.

Regional German police departments also coordinated simultaneous measures against the accused for separate commercial fraud investigations.

Carsten Meywirth, Director at the BKA and Head of the Cybercrime Department, stated: “The reboot of Crimenetwork has failed, and another administrator will have to answer before a German court.

We are also consistently enforcing applicable law in the Darknet together with our national and international partners. Cybercrime doesn’t pay”.

Adding to this warning, Dr. Benjamin Krause, Senior Public Prosecutor and Press Spokesperson for the ZIT, emphasized the legal consequences.

In March 2026, the alleged operator of the predecessor version of ‘Crimenetwork’ was sentenced by the Gießen Regional Court to seven years and ten months in prison.

The court also ordered the confiscation of the proceeds of crime amounting to over ten million euros.

Even though this verdict is not yet legally binding, it clearly demonstrates that crime on the Darknet also has consequences.

Following the shutdown, a law enforcement assurance banner was placed on the seized online portal (bustedagaincrime.network) to notify users of the takedown.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Crimenetwork Takedown Exposes 22,000 Users and Over 100 Illegal Sellers appeared first on Cyber Security News.

The repository, named “Open-OSS/privacy-filter,” had racked up over 200,000 downloads before the platform’s team stepped in and removed it.

The malicious package disguised itself as a legitimate privacy filtering tool. It copied its model card nearly verbatim from OpenAI’s own Privacy Filter project, giving it a convincing, trustworthy appearance.

Thousands of developers and researchers downloaded it without any suspicion, thinking they were working with a well-regarded and reliable AI utility.

Researchers at Hidden Layer identified the malicious code buried deep inside the repository. Their analysis revealed a sophisticated, multi-stage attack chain carefully designed to steal sensitive data from Windows machines and stay hidden throughout the entire process.

The attack did not announce itself in any way. Instead, it quietly executed in the background, using a loader file that mimicked the look and behavior of a legitimate AI model tool. Once a user ran it on a Windows machine, the real damage began without any visible warning signs.

The reach of this campaign was not accidental. Before access to the repository was disabled, it had already climbed to the number one trending position on Hugging Face, with approximately 244 downloads and 77 likes in under one hour. Those numbers were almost certainly inflated artificially to push the repository into the spotlight and attract more victims.

Trending Hugging Face Repository Executes Malware

The attack chain unfolded across six distinct stages. In the first stage, the model card instructed users to clone the repository and run a startbat file on Windows, or a Python loaderpy script on Linux or macOS.

When executed on Windows, the loaderpy script ran a decoy piece of code that looked like a real loader, then called a function named verifychecksumintegrity, which disabled SSL verification, decoded a base64-encoded URL pointing to jsonkeeper.com, fetched a JSON document, and extracted the cmd field. That command was passed directly to PowerShell, running silently with execution policy bypassed.

The second stage involved PowerShell downloading a batch file called updatebat from a domain mimicking a blockchain analytics service, api.eth-fastscan.org. The batch file performed six core actions, including admin checks, payload downloads, and adding Microsoft Defender exclusions for the directories where the malicious executable was dropped.

A scheduled task named MicrosoftEdgeUpdateTaskCore was also created to maintain persistence, though it was designed as a one-shot launcher that deleted itself after running, leaving no obvious trace behind.

The Infostealer Payload and Credential Theft

The final payload was a 10 MB Rust-based infostealer with an impressive range of capabilities. It specifically targeted Windows API calls to defeat static analysis and ran checks to detect debuggers, sandboxes, and virtual machines, including VirtualBox, VMware, Hyper-V, and Parallels. If it detected those environments, it simply stopped running.

Once active on a real machine, it launched eight parallel collection modules that targeted Chrome and Firefox browser cookies, login data, saved passwords, session cookies, SSH keys, VPN configurations, FTP credentials, and cryptocurrency wallet files. Screenshots were also captured and packaged for exfiltration. All stolen data was compressed and sent to a command-and-control server at recargapopular.com using a POST request with a Bearer token authorization header.

Hidden Layer’s telemetry also linked the same attacker account to six other repositories uploaded on April 24, 2025, all containing nearly identical loader functionality. The shared infrastructure between those repositories and the Open-OSS/privacy-filter campaign strongly suggested this was part of a broader, coordinated supply chain operation targeting open-source AI ecosystems.

Anyone who downloaded or cloned Open-OSS/privacy-filter, or any of the related repositories listed in the IOCs table below, should treat the affected system as fully compromised.

Recommended actions include isolating the host immediately, rotating every credential stored in browsers, password managers, or credential stores on that machine, and revoking any cloud provider tokens or SSH keys that may have been present. Reimaging the host is strongly advised before returning it to production use.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Trending Hugging Face Repo With 200k Downloads Executes Malware on Windows Machines appeared first on Cyber Security News.

However, a newly disclosed technique called GhostLock demonstrates a fundamentally different availability attack that achieves the same business disruption without writing a single encrypted byte to disk.

Discovered by Kim Dvash, an Offensive Security Team Leader, GhostLock exploits standard Windows file-sharing behavior to cause widespread accessibility failures.

By systematically holding files in an exclusively locked state, a low-privileged domain user with standard read access can paralyze corporate Server Message Block (SMB) file shares. From the victim’s perspective, the impact is identical to a ransomware infection.

Critical files become inaccessible, enterprise resource planning applications crash, and shared workflow pipelines fail, requiring specialist intervention to restore operations.

The technique exploits a fundamental, well-documented behavior of the Windows operating system. By invoking the CreateFileW API with dwShareMode set to 0x00000000, any authenticated domain user can acquire an exclusive deny-share handle on a file over SMB.

This forces a STATUS_SHARING_VIOLATION (0xC0000043) error for every other process or network client attempting to open that file for any purpose, including read, write, or delete until the handle is voluntarily closed or forcibly terminated by a storage administrator.

The attack surface is not new. CreateFileW with dwShareMode = 0 is the same mode Microsoft Office uses when it opens a document for editing a behavior that has existed since Windows NT 3.1. No CVE has been filed because there is no software defect to patch.

GhostLock Attack Exploited

GhostLock implements this single API call through a Python ctypes wrapper requiring no administrative rights and no external dependencies.

To scale across an enterprise NAS, it employs a 32-thread parallel work-stealing scanner that parallelizes SMB2 QUERY_DIRECTORY round-trips, reducing file discovery on a 500,000-file share from over 61 minutes to approximately 6 minutes and 22 seconds.

Experimental testing against isolated infrastructure showed handle acquisition across 500,000 files completed in just 2 minutes and 37 seconds, achieving a 99.6% lock success rate.

During a 60-second hold period, victim simulations recorded a 99.8% file access block rate. A single SMB session can hold up to 64,000 exclusive handles simultaneously; with ten parallel sessions, an attacker can exceed 500,000 locked handles sufficient to paralyze a significant fraction of an entire enterprise NAS deployment.

What makes GhostLock particularly dangerous is its complete evasion of every conventional ransomware defense layer. The paper evaluated the tool against seven enterprise security control categories:

• Honeypot/canary files produced zero alerts — canaries trigger on write events, and GhostLock performs no writes.
• Write-rate anomaly detectors produced zero alerts — the metric they monitor (write operations) is simply absent.
• Behavioral AI ransomware engines produced zero alerts — GhostLock’s read-open profile is indistinguishable from a search indexer or backup pre-scan agent.
• Commercial EDR agents produced zero alerts — the system call profile mirrors Microsoft Word opening documents.
• NDR/deep packet inspection produced zero alerts — SMB2 traffic showed only CREATE and CLOSE requests, identical to normal document access.
• SIEM correlation rules produced zero alerts — no existing ruleset monitors per-session exclusive handle accumulation.

The only reliable detection signal exists inside the NAS management layer itself: the per-session count of simultaneously held exclusive handles.

The paper notes that a legitimate single-user application rarely holds more than a few dozen exclusive handles at once, while GhostLock accumulates tens of thousands, but this metric is not ingested by any enterprise SIEM reviewed in the research.

Even after detection, recovery is not straightforward. Terminating the offending SMB session requires storage administration expertise, and in most large enterprises, the storage operations team and security operations team operate independently without pre-built joint runbooks.

The estimated mean time to recovery in tabletop exercises without a pre-built runbook was 4 to 8 hours.

Notably, if the attacker’s Active Directory credentials are revoked, the existing authenticated SMB session and all its locks can persist for an additional 15 to 60 minutes before session timeout, depending on platform configuration.

Dvash calls on NAS vendors to expose per-session exclusive-handle counts as standard security telemetry alongside existing syslog outputs, and urges SIEM vendors to build storage platform integrations that ingest this data.

For immediate defensive action, the paper recommends alerting on any single SMB session accumulating more than 500 exclusive handles, implementing an NDR rule for bulk SMB CREATE requests with zero corresponding WRITE operations over a 30-minute window, and establishing a joint SecOps/StorageOps runbook specifically for NAS session termination.

The GhostLock tool and source code are available at github.com/kimd155/ghostlock and the companion research site at ghostlock.io.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post GhostLock Attack Leverages Windows file-sharing to Lock Files Access Like Ransomware appeared first on Cyber Security News.

The attack begins when a victim receives what appears to be a routine image file called sysupdate.jpeg through a phishing email, a fake software update prompt, or a deceptive file-sharing link.

Despite carrying a .jpeg extension, the file contains no actual image data. Instead, it holds a PowerShell script engineered to quietly set up a staging environment and pull down additional malicious components from attacker-controlled servers.

Researchers at Cyfirma identified and analyzed the full attack chain, revealing just how deep the intrusion goes once the file is opened. The campaign does not rely on a single trick but chains together multiple advanced techniques to avoid detection and maintain a firm foothold inside targeted environments.

Once the initial file runs, the malware downloads a trojanized version of ConnectWise ScreenConnect, a legitimate remote access tool widely used across enterprise networks. The altered version gives attackers a persistent hidden back door while appearing to blend in with trusted software already present on the system.

The threat also gains elevated privileges without triggering any visible security warning. It does this through a fileless technique that manipulates a Windows registry path and abuses a trusted Windows binary to silently bypass the standard User Account Control prompt.

How the Weaponized JPEG Deploys the Malware

The sysupdate.jpeg file lacks the standard image header that all real JPEG files carry. When a victim opens it, Windows does not flag it as a script because the extension mimics an image.

The embedded PowerShell code creates a hidden folder at C:\Systems and downloads a trojanized ScreenConnect package from legitserver.theworkpc[.]com over TCP port 5443.

To avoid antivirus detection, the malware reconstructs dangerous command strings at runtime rather than writing them plainly in the file. It also downloads a secondary payload named access.jpeg and runs it directly in memory, so no suspicious executable touches the disk.

Microsoft’s own .NET compiler, csc.exe, then builds a custom launcher named uds.exe directly on the victim machine, giving each compiled binary a unique fingerprint that defeats signature-based scanning.

The multi-Stage infection chain shows the end-to-end attack workflow beginning with social engineering and weaponized JPEG delivery, followed by PowerShell payload execution, AMSI bypass, and trojanized ScreenConnect deployment.

After the launcher runs, the malware hijacks a registry key tied to the ms-settings protocol and redirects it toward uds.exe. It then triggers ComputerDefaults.exe, a trusted Windows binary that auto-elevates, causing the payload to run with full administrator rights and no visible prompt. The registry key enabling this bypass is deleted within two seconds, destroying evidence before any investigator can find it.

Post-Compromise Capabilities and Persistence

Once the trojanized ScreenConnect framework is active, the attacker gains remarkable control over the infected machine. The modified software supports real-time screen monitoring, video recording, microphone capture, clipboard interception, keystroke logging, and silent file transfers through an encrypted channel designed to block network inspection.

The hex-level static analysis of the weaponized sysupdate.jpeg payload shows the embedded PowerShell staging logic and malicious infrastructure references.

The malware creates a hidden desktop environment operating out of the logged-in user’s view, allowing the attacker to run tools without detection. A persistent Windows service named OneDriveServers keeps the malware alive across reboots.

A separate component intercepts usernames and passwords at the Windows login screen before they reach the authentication system, and hidden local administrator accounts can be created for long-term access.

Security teams are advised to block or closely monitor execution of commonly abused Windows binaries including csc.exe, cvtres.exe, and ComputerDefaults.exe. Organizations should enforce strict controls over remote access platforms, deploy detection rules for suspicious PowerShell behavior, and isolate any system showing unexpected ScreenConnect activity. Credential resets for all privileged accounts are strongly recommended following any suspected exposure.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use Weaponized JPEG File to Deploy Trojanized ScreenConnect Malware appeared first on Cyber Security News.

Researchers recently uncovered an operation that redirects victims to fraudulent landing pages via sponsored search results.

By combining trusted hosting platforms with the notorious “Clickfix” social engineering tactic, attackers are successfully distributing MacSync payloads and dangerous macOS information stealers.

The attack chain begins when a user searches for popular software, particularly AI tools like Claude.

macOS Malware Ads

Attackers manipulate search engine results by purchasing sponsored ads that appear at the top of search results pages.

Because these ads often mimic legitimate vendors, end users struggle to distinguish them from authentic links.

When clicked, these sponsored advertisements route victims to deceptive websites hosted on trusted infrastructure.

To bypass initial domain reputation checks and enterprise web filters, threat actors are leveraging services like Google Sites, Framer, and even legitimate claude.ai shared chats.

The landing pages are carefully designed to look like official Claude AI download portals.

When users attempt to interact with the site or download the purported desktop application, they are hit with a Clickfix prompt.

This prompt uses deceptive warning dialogues to trick victims into manually executing a malicious terminal command or downloading a compromised installer under the guise of “fixing” a display error.

Researchers Berk Albayrak and g0njxa published findings on X tracing the infrastructure behind the targeted malware campaign.


The threat actors frequently rotate their domains and hosting platforms to evade detection while maximizing their search engine optimization.

The campaign relies heavily on Google Sites to host the initial deceptive pages, with researchers identifying malicious URLs such as sites[.]google[.]com/view/cloud-version-08, sites[.]google[.]com/view/brewshka-page, and sites[.]google[.]com/view/claud-version-0505.

In addition to Google Sites, the attackers have utilized the Framer platform, hosting fake applications at claude-desktop-app[.]framer[.]ai.

Payload Delivery and Execution

Once the victim interacts with the fake Claude AI portal, the site redirects them to the final payload delivery servers.

The initial landing pages have been observed redirecting traffic to external IP addresses, such as 2[.]26[.]75[.]112/Hokojol, and to domains such as pieoneer[.]org and greenactiv[.]com.

These destination servers drop the MacSync clickfix payload directly onto the victim’s machine. Upon execution, the malware operates as a comprehensive macOS stealer.

It is specifically designed to harvest sensitive information from the infected Apple system, including saved browser credentials, cryptocurrency wallet data, and active session tokens.

The stolen data is subsequently exfiltrated back to the attackers’ command-and-control infrastructure.

To defend against these deceptive malvertising campaigns, organizations and individual users must exercise extreme caution when interacting with sponsored search results.

Security teams should block the known indicators of compromise at the network level and monitor macOS endpoint telemetry for unusual script execution originating from web browsers.

Please educate users to avoid clicking on sponsored software download ads. They should always navigate directly to official vendor websites.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post macOS Malware Leverages Google Ads and Legitimate Claude.ai Shared Chats to Deliver Malware appeared first on Cyber Security News.

The threat is active and capable of walking away with browser data, session cookies, cryptocurrency wallet files, and sensitive system information.

Vidar was not built from scratch. It was developed using the source code of an older stealer called Arkei and has grown into one of the more resilient commodity malware families tracked today.

What makes recent activity particularly alarming is not just what Vidar steals, but how carefully attackers prepare before deploying it. Each step in the infection chain is designed to avoid detection before the actual payload runs.

Researchers at LevelBlue, through proactive threat hunting in a client environment, uncovered this multi-stage loader campaign. Their endpoint telemetry and dynamic analysis revealed a chain of processes showing script masquerading, staged payload extraction, and command-and-control communication.

The discovery highlights how well-known malware families are being wrapped in increasingly clever delivery mechanisms to extend their reach. The attack begins with what looks, to an unsuspecting user, like a legitimate software activation tool.

How Vidar Steals Sensitive Data

A commonly abused hack tool called MicrosoftToolkit.exe serves as the entry point, tricking users into running it under the belief they are activating real software. This user-driven approach reduces the need for phishing emails or software exploits, making the initial entry harder for traditional security filters to catch.

Once the tool runs, a disguised file named Swingers.dot gets renamed as a batch script and executed, kicking off a chain of commands. The system checks for active security processes, extracts additional payload components, and eventually runs an AutoIt-compiled loader called Replies.scr. Outbound connections to Vidar-associated infrastructure then confirm the final payload has been deployed and is actively harvesting data.

Vidar focuses on pulling information that can be converted into financial gain or used to access other systems. Once the loader completes its work and the payload runs, the malware targets browser-stored credentials, saved session cookies, cryptocurrency wallet files, and general system data. Even a single infected machine can hand attackers a significant amount of usable information.

The malware uses public platforms like Steam and Telegram as part of its command-and-control setup, disguising its traffic as ordinary web activity. It constructs HTTP GET requests to pull configuration data from these platforms before moving forward with exfiltration.

Calls HttpOpenRequestA to construct an HTTP request (Source – LevelBlue)

DNS lookups were also observed pointing to gz.technicalprorj.xyz, resolved through a public DNS server, suggesting the attackers rely on dynamic infrastructure to stay ahead of blocklists.

Defense Evasion and Post-Attack Cleanup

One of the most notable features of this campaign is how thoroughly the malware covers its tracks after running. Once payload extraction is complete and data has been sent, MicrosoftToolkit.exe deletes every file it dropped during execution, resets file attributes, frees associated memory, and terminates its own process. This leaves very little behind for investigators, making traditional incident response far more difficult.

The malware also checks for debuggers and security monitoring tools before proceeding, using low-level Windows functions to detect analysis environments. If it senses observation, it can alter its behavior accordingly.

This anti-analysis capability, combined with the cleanup routine and use of legitimate Windows tools throughout the chain, gives this campaign a moderate-to-high level of sophistication despite relying on a commodity stealer at its core.

LevelBlue recommends that any affected systems be isolated immediately from the network to stop further data loss. Full system reimaging is strongly advised given the malware’s ability to download additional payloads.

All exposed credentials, including browser passwords, email accounts, VPN logins, and admin accounts, should be reset and active sessions closed. Enforcing multi-factor authentication across critical services is equally important. Organizations should also monitor outbound traffic and DNS queries for unusual connections, and restrict execution of unauthorized tools to prevent similar intrusions.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Vidar Malware Targets Browser Credentials, Cookies, Crypto Wallets, and System Data appeared first on Cyber Security News.

Announced on April 22 at the Google Cloud Next 2026 conference, the new mechanism operates through Google’s Cloud Fraud Defense tool and introduces a mandatory QR code challenge for suspicious traffic.

While designed to combat sophisticated AI bots, this update effectively blocks users operating privacy-focused, de-Googled Android operating systems from accessing large portions of the web.

First reported by Android Authority on May 7, the architectural shift came to light after a Reddit user discovered an updated Google support page.

Google reCAPTCHA Update

Under the new policy, Android devices must run Google Play Services version 25.41.30 or higher to successfully complete the reCAPTCHA mobile verification flow. When the Cloud Fraud Defense system detects suspicious web traffic, it now bypasses the traditional image-based puzzles that internet users have grown accustomed to solving.

Instead, the system presents a QR code that users must scan with their smartphone camera to prove human interaction.

For the vast majority of Android users utilizing factory-installed software, this verification process happens seamlessly since Google Play Services is pre-installed and auto-updating.

The reliance on this specific application suite means the verification process heavily utilizes hardware attestation, tying basic web accessibility directly to Google’s proprietary mobile ecosystem rather than simple behavioral analysis.

This mandatory integration with Google Play Services acts as a digital brick wall for the growing community of privacy advocates.

Users who intentionally flash their devices with custom, de-Googled operating systems like GrapheneOS, CalyxOS, and /e/OS are explicitly excluded from this new verification flow.

These operating systems are specifically engineered to prioritize user security and severely limit corporate data tracking by stripping out Google’s background services entirely.

According to developers at GrapheneOS, this reCAPTCHA update aggressively pushes hardware attestation, sidelining open-source alternatives. By tethering basic web navigation to a specific version of Play Services, privacy-focused users are effectively punished for securing their data.

They are rendered unable to pass standard security checks on countless websites that rely on Google’s widespread verification infrastructure, severely limiting their ability to browse the internet normally.

Google defends the architectural shift as a necessary evolution to stop advanced AI bots and widespread online fraud.

As automated threats become highly proficient at solving traditional image puzzles, the company argues that hardware-level verification is the most reliable method to confirm authentic human identity.

However, cybersecurity critics and open-source advocates argue this move exerts monopolistic control over the internet by forcing adoption of Google’s proprietary tracking software.

The security community is increasingly urging website administrators to migrate away from Google’s ecosystem and adopt alternative, less restrictive verification services like hCaptcha to ensure open web access.

For the time being, users locked out by the QR code challenge can rely on a temporary workaround by selecting the audio challenge option when presented with a reCAPTCHA prompt.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Google reCAPTCHA Update Blocks Privacy-Focused Android Users From Sites appeared first on Cyber Security News.

Anyone who downloaded what they believed to be a standard installer during a narrow two-day window may have unknowingly installed a dangerous and persistent backdoor directly onto their machine.

The attack did not tamper with JDownloader’s actual software or its in-app update system. Instead, it targeted the website’s download links, specifically the “Download Alternative Installer” options for Windows and the Linux shell installer link.

Users who clicked those links between May 6th and 7th, 2026 received files that looked like the real thing but were in fact unsigned wrappers concealing a layered malicious payload. The deception was convincing enough that many users bypassed Windows SmartScreen warnings, believing the alerts to be nothing more than false positives.

Researchers and developers at jdownloader.org confirmed the compromise after a Reddit user named PrinceOfNightSky flagged suspicious behavior on May 7th, 2026, noting that the downloaded executables were being attributed to publishers called “Zipline LLC” and “The Water Team” rather than the legitimate developer AppWork GmbH.

The team took the website offline within hours, at 17:24 UTC, and began a full investigation. By the night of May 8th into May 9th, the site was restored with verified clean links after all malicious content was removed and server configurations were hardened against future abuse.

JDownloader Downloader Hacked

The attack was traced to an unpatched vulnerability in the website’s content management system, which allowed attackers to change access control lists without authentication and modify specific pages.

Logs revealed that the attackers even ran a dry run on a low-traffic test page on May 5th before swapping the live installer links the following day. The entire operation showed careful planning and patience, which is a hallmark of sophisticated threat actors operating with a clear intent to infect as many users as possible.

Community researcher Takia_Gecko performed deep technical analysis of the malicious installer samples and revealed a chilling level of sophistication. The fake installer was an unsigned wrapper that bundled the real, legitimate JDownloader installer alongside a second, XOR-encrypted malicious executable.

That hidden executable was decoded using the XOR key “ectb” to reveal a Windows x64 loader, which then decrypted further resources using the key “fywo” to unpack a PyArmor 8-protected Python 3.14 payload.

The final payload was a full remote access trojan framework written in Python. It used RSA-OAEP and AES-GCM encryption to communicate with its command-and-control servers, supported dead drop resolvers through platforms including Telegraph, Rentry, Codeberg, and onion addresses, and used RC4 encryption with the key “Chahgh4a” to decode live C2 URLs. The trojan hosted itself under pythonw.exe and gave attackers the ability to push and execute arbitrary Python code on any infected machine at will.

What Affected Users Should Do Now

The most critical piece of advice from jdownloader.org is clear: if you downloaded and ran one of the affected installers, perform a full clean reinstall of your operating system. Antivirus scans may catch some threats, but they cannot guarantee removal of every persistence mechanism the malware may have established.

Several users who ran full scans with tools including Malwarebytes and Windows Defender Offline found no detections, which suggests the malware is capable of hiding its presence effectively on compromised systems.

If you still have the downloaded file and have not run it, do not execute it. Instead, verify the digital signature by right-clicking the file, going to Properties, and checking the Digital Signatures tab.

Genuine JDownloader installers are signed by AppWork GmbH. Any unknown publisher or a missing signature is a strong red flag. Until you are confident your system is clean, avoid logging into sensitive accounts from the affected machine and change all important passwords from a separate, trusted device.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post JDownloader Downloader Hacked to Infect Users With New Python RAT appeared first on Cyber Security News.

FDE uses robust encryption algorithms to encrypt data on the fly, providing seamless protection without impacting system performance.

This encryption covers operating system files, applications, and user data, offering comprehensive security for sensitive information.

Disc encryption is a technology that shields information from unauthorized access by encoding data into unreadable code. Furthermore, an attacker or unauthorized person cannot easily decipher this code.

Every piece of data that is stored on a disk or disk volume is encrypted using disk encryption hardware or software. Three broad categories can be used to classify disk encryption software:

• File or folder-level encryption 
• Full disk encryption
• Database encryption

Which Tool Is Used For Encryption?

There are many free encryption programs, but not all live up to our standards. Many of them are weak points that threat actors can exploit to access your sensitive data.

Data is encrypted using VPN software, which masks the user’s location and modifies its IP address. Tor Browser is open-source, free software designed to help you communicate privately and anonymously.

Cryptomator is easy to use and suitable for Android, Windows, macOS, iOS, and Linux.

VeraCrypt: This program offers free full disk encryption in addition to adding military-grade encryption to your data. Files saved on Google Drive and Dropbox are automatically encrypted with AxCrypt.

AES Crypt is a dependable and secure software that encrypts sensitive files with robust AES-256-bit technology.

What Are The Benefits Of Disk Encryption?

Full (or whole) disk encryption (FDE) is the term for encrypting a computer’s hard drive(s) so that it is difficult for an unauthorized user to read it. Some hardware encryption systems can even encrypt the boot area.

The advantage of FDE in these times of increased cybercrime is that all data on the disk, whether sensitive or not, will be inaccessible to unauthorized personnel. 

Users don’t have to worry about exposing company information if they lose a laptop or phone. The data is frequently unrecoverable, even if the disk is removed from the computer. The disk automatically encrypts any user-created files or folders, removing any chance for user error.

Why Do We Need Disk Encryption?

Companies rarely invest the necessary time, money, and infrastructure changes to properly secure their systems and networks to maintain a strong security posture regarding cybersecurity practices.

The fear of becoming the subsequent major breach that will make headlines and cause financial and brand reputational damage is a driving force behind companies adopting good cyber security practices, as are laws requiring compliance.

Security professionals must introduce new technologies, methodologies, policies, and procedures to help the business improve its security posture.

Full disk encryption is a cryptographic technique that encrypts every file and folder on the hard drive, as well as the operating system and software. 

The 10 Best Full Disk Encryption Tools And Their Feature

• BitLocker: Provides full disk encryption for Windows systems, integrating seamlessly with the OS and offering TPM support for secure key storage.
• VeraCrypt: An open-source encryption tool offering strong encryption algorithms and the ability to create hidden volumes for additional security.
• FileVault: A macOS feature providing full disk encryption, using XTS-AES-128 encryption to protect data, with seamless integration into the Apple ecosystem.
• DiskCryptor: Open-source encryption for Windows, supporting entire disk and partition encryption, focusing on speed and simplicity.
• Boxcryptor: Encrypts files for cloud storage, supporting a wide range of services like Google Drive, Dropbox, and OneDrive, ensuring data remains secure in the cloud.
• AxCrypt: Simple file encryption tool for individual files and folders, offering strong encryption and easy integration with Windows Explorer.
• Linux Unified Key Setup (LUKS): Standardized encryption setup for Linux systems, providing disk encryption with support for multiple keys and passphrases.
• Dm-crypt: A transparent disk encryption subsystem in Linux, providing encryption for disk partitions using the kernel’s cryptographic API.
• NordLocker: Provides file encryption for personal and business use, supporting end-to-end encryption and cloud storage integration for secure data storage.
• CipherShed: An open-source disk encryption tool derived from TrueCrypt, offering full disk and partition encryption with strong security features.

10 Full Disk Encryption Tools Features

1. BitLocker

Microsoft’s free, proprietary BitLocker encryption program for Windows can encrypt your entire drive and help guard against unauthorized system changes, such as malware, at the firmware level.

Anyone with a computer running Windows Vista or 7 Ultimate, Windows Vista or 7 Enterprise, Windows 8.1 Pro, Windows 8.1 Enterprise, or Windows 10 Pro is eligible to use BitLocker.

If you’re using the Enterprise edition, your computer is likely part of a large corporation, so you should talk to the IT department about turning on BitLocker encryption.

Most of us purchase computers with the base edition of Windows, excluding BitLocker encryption. However, if you upgraded to Windows 8 during the initial release of Microsoft’s dual-interface operating system, you most likely have Windows 8 or 8.1 Pro.

The command-line tools manage-bde, repair-bde, and the BitLocker cmdlets for Windows PowerShell are all part of the BitLocker Drive Encryption Tools.

Features

• Flash devices and other external drives can be encrypted with Veracrypt on all platforms.
• Creates a mountable file-based virtual encrypted drive.
• Hardware-accelerated encryption is possible on current processors.
• Automatic, real-time, transparent encryption.
• Encrypts a hard drive or USB flash drive partition.

2. VeraCrypt

On-the-fly encryption (OTFE) can be performed using the free and open-source utility VeraCrypt. The software can create a virtual encrypted disk that works like a regular disk within a file.

Pre-boot authentication can also encrypt a partition or, in the case of Windows, the entire storage device. VeraCrypt, a fork of the abandoned TrueCrypt project, was made available on June 22, 2013.

Numerous security upgrades have been made, and issues raised by TrueCrypt Code audits have been resolved. VeraCrypt includes improvements to the original cryptographic ciphers and hash functions that improve performance on contemporary CPUs.

Features

• It supports Windows, Mac OS, iOS, and Android without limits.
• Using SSO, SCIM, or Active Directory simplifies user administration.
• Boxcryptor protects data, and the cloud provides backup and accessibility.
• Software reliability and security are verified.
• The device encrypts files immediately with Boxcryptor.

3. FileVault

In 2003, Mac OS X Panther (10.3) introduced FileVault, an Apple product that encrypts macOS and Mac hardware data.

Once enabled, it will automatically encrypt your data while running in the background and encrypt all the data on your startup disk.

All users must enter their passwords again when logging in after going to sleep or using a screensaver, and any accounts that are not administrator accounts must be logged in by an administrator the first time to enable encryption. 

When the file vault is enabled, the system prompts the user to set up a master password for the computer. If the user’s password is forgotten, the files can still be decrypted using the master password or recovery key. 

Features

• The operating system delivers encrypted sparse disk images for home directory volume.
• Apple offers iCloud ID for file vault authentication.
• Finding My Mac to wipe a device or set of drives remotely is another fascinating FileVault feature.
• FileVault settings are part of macOS endpoint security.

4. DiskCryptor

All disk partitions, including the system partition, can be encrypted using the open encryption solution DiskCryptor.

Its openness contrasts sharply with the current situation, in which most software with comparable functionality is wholly proprietary, making it unsuitable for protecting sensitive data.

The updated versions of DiskCryptor are intended to replace Microsoft’s BitLocker since BitLocker is not considered secure.

For your computer to boot, you must enter the encryption password each time you turn on your computer after applying the encryption with DiskCryptor. There are broad configuration options for booting an encrypted OS and support for a range of multi-boot options. 

Features

• External storage devices are fully supported.
• Support for optional hotkeys and command-line interfaces (CLI).
• High efficiency, comparable to the efficiency of an unencrypted system.
• System partition encryption with pre-boot authentication.
• There are options for making encrypted CDs and DVDs.

5. Boxcryptor

Boxcryptor encrypts your sensitive files and folders in Dropbox, Google Drive, OneDrive, and many other cloud storage services. Boxcryptor is free to use with one cloud storage provider on two devices.

As a single user, we can upgrade our range of features. It combines the benefits of the most user-friendly cloud storage services with the highest security standards worldwide. Boxcryptor adds security to over 30 cloud providers.

Boxcryptor also protects our NAS, file servers, and local data. It encrypts our data right on our device before syncing it to the cloud providers of our choice. Kudelski Security’s independent code audit confirmed Boxcryptor’s Security.

Features

• Due to its focus on transparent encryption of abstract block devices, Dm-crypt is flexible.
• Finds and addresses Cryptoloop’s dependability issues
• Dm-crypt supports most Linux crypto API block ciphers and hash algorithms.
• DM-crypt can also encrypt RAID and LVM volumes.
• Physical block devices are mapped to virtual ones by dm-crypt.

6. AxCrypt

AxCrypt is a powerful, open-source encryption program with user-friendly, effective security tools. It is ideal for users who prioritize protecting files, documents, and data in their private and public domains.

The tools and features offered by AxCrypt will be highly advantageous to businesses with strict confidentiality protocols and policies.

The best use of their tools for securing the sharing of public keys will be made by businesses and agencies that collaborate with numerous stakeholders across all endpoints.

AxCrypt provides essential security tools for encryption, editing encrypted files, secure file deletion, password generation, and password storage. Its streamlined interface lets users encrypt and decrypt data quickly using a drag-and-drop method.

The straightforward yet effective tools AxCrypt provides make encryption hassle-free and easy. Additionally, AxCrypt has features that let users access encrypted data on their mobile devices.

Features

• All temporary and plaintext files that have been encrypted are destroyed.
• The secured file is automatically updated after being opened and saved.
• Files that have been encrypted cannot be changed without detection.
• The password management tool lets you safely save passwords and codes online.
• AxCrypt folders are created after automatically detecting cloud storage programs on your PC.

7. Linux Unified Key Setup

Year: 2004

Clemens Fruhwirth developed the Linux Unified Key Setup (LUKS), a disk encryption specification initially created for GNU/Linux.

LUKS specifies a platform-independent standard on-disk format for use in various security tools. It aims to provide a standardized and compatible format for disk encryption software.

This not only makes it easier for different software to work together and interact with one another, but it also ensures that every piece of software uses password management in a safe and well-documented way.

LUKS is frequently used to provide full disk encryption, which encrypts the root partition of an operating system installation and guards against unauthorized access to the operating system files.

Since the encrypted device’s contents are arbitrary, any file system, including swap partitions, can be encrypted.

Features

• Device Mapper Crypt (dm-crypt) is LUKS’ kernel module for block device encryption.
• It strengthens passphrases against dictionary assaults.
• Backup keys can be added to LUKS services’ multiple vital slots.
• Data on encrypted block devices can be anything.
• Encrypt partitions on your Linux machine.

8. Dm-crypt

Block devices are transparently encrypted using the kernel Crypto API by Device-Mapper’s “crypt” target. Some Linux distributions permit the use of dm-crypt on the root file system.

These operating system distributions usually use initrd to ask the user to enter a passphrase at the console or insert an intelligent card before starting the system.

In Linux kernel versions 2.6 and later, as well as DragonFly BSD, dm-crypt is a transparent block device encryption subsystem.

It is a component of the device mapper infrastructure and uses the kernel’s Crypto API’s cryptographic routines.

Device mapper targets can be stacked on top of one another, and dm-crypt is implemented as one of them.

Consequently, it can encrypt entire disks (including removable media), partitions, software RAID volumes, logical volumes, and files.

Features

• Since Ciphershed is open-source, anyone can access its source code.
• The cipher shed interface lets you unmount the virtual disk after use.
• Virtual volumes cannot be accessed without a password.
• For brute force protection, volumes are encrypted with strong ciphers.
• You can also develop a covert operating system that is accessible when needed and invisible.

9. NordLocker

NordLocker is an easy-to-use tool for file encryption. It enables secure data storage and sharing. NordLocker uses strong encryption to secure our files by dragging and dropping them to a Locker folder.

A locker is an encrypted folder in NordLockers. Along with the configuration information, it includes your files.

The files you store in a locker are only accessible by you unless you grant access to others using the “Add user access” function in the NordLocker application.

NordLocker was designed specifically to encrypt files. It can and excels at encrypting any file format. Public-key cryptography makes it safe to share files with strangers because your password is never revealed.

NordLocker encrypts and decrypts your files using Argon2, AES256, ECC (with XChaCha20, EdDSA, and Poly1305 ciphers), and other advanced cryptography ciphers. 

Features

• Easily sync and safeguard files
• Available via Android, iOS, Windows, Mac OS, and Linux browser apps.
• Create lockers and folders for your files, then store them locally or online.
• Any size file can be encrypted.
• Your Nord Locker cloud files are always encrypted.

10. Ciphershed

Ciphershed is a free encryption tool for protecting the privacy and security of our data. It was originally a fork of the TrueCrypt project. Cross-platform Ciphershed is offered for Windows, Mac OS X, and GNU/Linux.

Because there are no packages for CipherShed on OS X or Linux, users of those operating systems must compile it. Your files and data can be encrypted using encrypted containers that you make with CipherShed.

Solid and secure, this encryption can be used for various files, including financial records, priceless information, sensitive information, and other things you want to keep private.

CipherShed is a safe and sophisticated encryption tool that will help you securely store sensitive data and encrypt it so that no one else can access it without your permission.

Features

• Since Ciphershed is open-source, anyone can access its source code.
• The cipher shed interface lets you unmount the virtual disk after use.
• Virtual volumes cannot be accessed without a password.
• Volumes are encrypted with solid ciphers to prevent brute-force attacks.
• You can also develop a covert operating system that is accessible when needed and invisible.

The post 10 Best Full Disk Encryption Tools in 2026 appeared first on Cyber Security News.