New TEE[.]fail Attack Breaks Intel and AMD Trusted Execution Environments via DDR5 Memory Weakness
Security researchers have disclosed a critical hardware-based vulnerability known as TEE[.]fail, which undermines the foundational guarantees of Intel TDX and AMD SEV-SNP Trusted Execution Environments (TEEs). The attack exploits deterministic encryption flaws within DDR5 memory, enabling adversaries with physical access to intercept and analyze encrypted memory traffic. By using a low-cost DDR5 bus interposer built from off-the-shelf electronics, attackers can correlate identical ciphertext blocks to reveal patterns in protected memory, ultimately leading to full key extraction. The researchers demonstrated that even advanced confidential computing systems can be compromised cheaply and covertly, challenging long-standing assumptions about hardware-backed isolation and data protection in cloud and datacenter environments. More alarmingly, the team successfully extracted ECDSA attestation keys from Intel’s Provisioning Certification Enclave, forging TDX quotes that passed official verification at the “UpToDate” trust level. This completely compromises the attestation process, allowing attackers to impersonate trusted systems and deploy unauthorized workloads. The researchers also confirmed cross-platform impact, showing that stolen attestation keys could bypass Nvidia’s GPU Confidential Computing protections, enabling unverified AI or cryptocurrency mining operations at scale. The portable attack rig—concealed within a standard briefcase—demonstrates that physical infiltration of datacenters no longer requires sophisticated laboratory tools. The TEE.fail exploit reveals a systemic design flaw in deterministic memory-protection encryption and underscores the urgent need for TEEs to adopt probabilistic encryption and tamper-resistant attestation mechanisms.
Gunra Ransomware Deploys Dual-Platform Encryption Across Windows and Linux Systems
Gunra ransomware has rapidly gained attention since its emergence in April 2025 for its ability to target both Windows and Linux environments using separate, customized malware variants. This dual-platform strategy allows attackers to maximize impact across mixed enterprise infrastructures, a tactic increasingly observed in large-scale ransomware campaigns. The group has launched systematic attacks across multiple sectors worldwide, leveraging operational flexibility to tailor each intrusion to its victim’s environment. Both variants rely on command-line parameters to define encryption scope and performance, including thread count, target path, file extensions, encryption ratio, and RSA key path. However, their underlying cryptographic implementations differ sharply, creating distinct risk profiles across platforms. The Linux variant employs the ChaCha20 encryption algorithm but uses a flawed random-number-generation method based on the time() function. Because this process executes too quickly, multiple encryption threads share identical seed values, resulting in predictable key and nonce sequences. This severe weakness allows researchers to brute-force keys by testing only 256 possible byte values, making decryption of Linux-encrypted files feasible. In contrast, the Windows version employs ChaCha8 encryption alongside Microsoft’s CryptGenRandom() API, producing secure, unpredictable values that resist brute-force recovery. The disparity highlights the developers’ uneven cryptographic expertise and creates asymmetric risks across environments. Security experts recommend isolating infected systems immediately and exploiting the known Linux-based infection weakness for data recovery, while Windows victims should prepare for standard ransomware containment and recovery protocols.
Herodotus Android Trojan Mimics Human Typing to Evade Banking Fraud Detection
A newly identified Android banking trojan dubbed Herodotus has emerged as one of the most advanced mobile threats of 2025, combining elements of existing malware families with innovative evasion techniques. Herodotus has been distributed through malicious campaigns in Italy and Brazil, often delivered via SMiShing messages that direct victims to download malicious APKs. Although it shares infrastructure with well-known families, including Hook and Octo, forensic analysis links Herodotus more closely to Brokewell, from which it borrows certain code fragments. The malware is being sold as Malware-as-a-Service by the threat actor “K1R0,” signaling the rapid commercialization of advanced mobile fraud tools. Its infection chain begins with a custom dropper that bypasses Android 13+ restrictions on Accessibility Services, using deceptive overlays to trick users into granting full device control. Once active, Herodotus retrieves app lists from infected devices, sending them to its command-and-control server, which then deploys fake overlay screens that mimic legitimate banking applications to steal login credentials and two-factor authentication codes. What makes Herodotus uniquely dangerous is its ability to simulate human behavior during device takeover operations. Unlike traditional remote access trojans that instantly paste text strings, Herodotus introduces randomized delays of 300 to 3000 milliseconds between each character input, closely mimicking real human typing speed. This feature, configurable through a “Delayed text” option in the attacker’s control panel, allows the malware to evade behavioral biometric systems that detect automated interactions. ThreatFabric researchers note that this humanization of fraudulent transactions marks a significant evolution in mobile banking malware, making detection far more challenging. Combined with its accessibility abuse, overlay-based credential theft, and SMS interception capabilities, Herodotus exemplifies a new generation of Android threats designed to persist within financial ecosystems while appearing indistinguishable from legitimate user activity.
Beast Ransomware Rapidly Spreads Through Active SMB Connections
Beast ransomware has emerged as one of 2025’s most aggressive threats, leveraging SMB port scanning to spread laterally and encrypt entire enterprise networks. Evolving from the Monster ransomware lineage, Beast operates under a Ransomware-as-a-Service model, empowering affiliates to run independent extortion campaigns. Since July 2025, it has targeted at least 16 organizations across manufacturing, construction, healthcare, business services, and education. Once inside a network, often via phishing lures disguised as copyright or job-related communications, the malware scans for active SMB connections to locate shared drives and open network resources. This allows it to encrypt multiple systems simultaneously while evading detection. Many infections are preceded by Vidar Infostealer, which harvests credentials and reconnaissance data for more effective deployment. The ransomware uses the ChaCha20 encryption algorithm and embeds metadata within encrypted files, making recovery impossible without the attackers’ decryption keys. Beast’s developers have implemented regional geofencing to avoid systems in CIS countries, implying the operators’ origins or alliances lie within those regions. To maximize impact, Beast terminates database, antivirus, and backup processes before deleting shadow copies through WMI queries, eliminating system restore options. Researchers also discovered a hidden GUI accessible via the “Ctrl+Alt+666” shortcut, allowing manual encryption control. With its rapid propagation and robust cryptography, Beast exemplifies the new wave of ransomware engineered for maximum disruption. Security teams are urged to strengthen network segmentation, apply strict SMB controls, and maintain offline backups to mitigate the escalating threat.
