Trending Topics
Entra ID “Agent IDs” Show How Quiet Admin Roles Become Prime Targets
Recent research into Microsoft Entra ID has highlighted that attackers increasingly target service identities and mid-tier admin roles, not just classic Global Administrator accounts. By compromising identities that sit behind “trusted” first‑party applications or automation, threat actors can quietly pivot into powerful roles, register or hijack domains, and eventually impersonate Global Admins without ever directly attacking a human user’s account. In this model, an app or “agent” identity with broad delegated rights becomes the real crown jewel, because it already has the reach and permissions attackers want and often operates with far less scrutiny than interactive admin accounts.
Several case studies underscore the risk. Datadog and other researchers have shown how roles such as Application Administrator and Cloud Application Administrator can be abused to take over high‑privilege service principals, such as Exchange Online, then use built‑in permissions to add federated domains and forge SAML tokens for any hybrid user, including Global Administrators. Separate work on legacy “actor tokens” and the deprecated Azure AD Graph API revealed that flaws in Entra ID's token validation could have allowed attackers to impersonate users, including admins, across arbitrary tenants, enabling them to reach Global Admin in almost any organization without prior access. In both patterns, the common thread is that attackers do not need to phish or brute-force a human admin; they exploit trusted application identities and token flows that tenants themselves configured and rely on.
For defenders, this shifts the focus from just hardening user accounts to treating every high-privilege app and “agent” identity as a potential administrator. Microsoft’s own guidance now stresses strict scoping and time‑bound use of powerful roles, regular auditing of service principals for unexpected credential or permission changes, and separating day‑to‑day user accounts from accounts with Entra admin roles. Organizations should also monitor for suspicious domain registration and federation changes, watch for unusual use of first‑party applications with broad directory permissions, and decommission legacy APIs and token types that no longer enforce modern validation rules. In practical terms, that means building an inventory of all app and agent identities that can touch identity settings, mail, and cloud resources, then enforcing least privilege and strong change monitoring on them, because in an Entra tenant, an overlooked “agent” with the right role can be as dangerous as any Global Administrator.
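One way to watch for the takeover pattern described above, a new credential on a service principal followed by a domain or federation change made by that same application identity, shown as an added example that does not come from the cited research or from Microsoft. The records are constructed and shaped like Microsoft Graph directoryAudit entries; the activity names, the 24-hour window and the function name find_takeover_chains are assumptions to check against your own tenant's audit log.

```python
from datetime import datetime, timedelta

# Activity names and the window are assumptions; confirm them in your tenant.
CRED_ACTIVITIES = {"Add service principal credentials"}
DOMAIN_ACTIVITIES = {"Add unverified domain", "Set domain authentication",
                     "Set federation settings on domain"}
WINDOW = timedelta(hours=24)

SAMPLE_EVENTS = [  # constructed records, not real tenant data
    {"activityDateTime": "2026-01-10T09:00:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@contoso.example"}},
     "targetResources": [{"id": "sp-1111", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-01-10T09:40:00Z",
     "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"app": {"servicePrincipalId": "sp-1111"}},
     "targetResources": [{"id": "dom-1", "type": "Other"}]},
    {"activityDateTime": "2026-01-12T08:00:00Z",  # change by a human admin
     "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "ga@contoso.example"}, "app": None},
     "targetResources": [{"id": "dom-2", "type": "Other"}]},
]


def _ts(event):
    return datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))


def find_takeover_chains(events, window=WINDOW):
    """Flag domain changes made by an app that just received a new credential."""
    last_cred_add = {}  # service principal id -> (time, initiator)
    findings = []
    for ev in sorted(events, key=_ts):
        name = ev["activityDisplayName"]
        if name in CRED_ACTIVITIES:
            for target in ev.get("targetResources", []):
                if target.get("type") == "ServicePrincipal":
                    last_cred_add[target["id"]] = (_ts(ev), ev.get("initiatedBy"))
        elif name in DOMAIN_ACTIVITIES:
            app = (ev.get("initiatedBy") or {}).get("app") or {}
            sp_id = app.get("servicePrincipalId")
            seen = last_cred_add.get(sp_id)
            if seen and _ts(ev) - seen[0] <= window:
                findings.append({"servicePrincipalId": sp_id,
                                 "credentialAddedBy": seen[1],
                                 "domainActivity": name,
                                 "gap": _ts(ev) - seen[0]})
    return findings
```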
China’s State Hackers Turn Botnets into Industrial-Scale Attack Infrastructure
China-aligned threat actors are no longer just building ad hoc botnets for single campaigns; they are industrializing them into long-lived “covert networks” that serve as reusable attack infrastructure for multiple state-backed hacking units. According to analysis of recent US and allied advisories, these networks consist of hundreds of thousands of compromised SOHO routers, IoT devices, cameras, DVRs, and NAS boxes that Chinese contractors build, maintain, and sell as infrastructure-as-a-service for espionage and disruption operations. This approach gives Beijing’s operators low-cost, deniable entry points around the world, allowing them to conduct reconnaissance, malware deployment, and data theft in ways that resemble normal consumer traffic, making attribution significantly harder.
Recent cases show how far this model has evolved. The FBI and US Department of Justice have already disrupted several of these botnets, including KV and Raptor Train, which supported the Volt Typhoon and Flax Typhoon campaigns against US critical infrastructure and Taiwanese targets by routing attacks through hundreds of thousands of hijacked routers and smart devices. Court filings describe how Integrity Technology Group, a Beijing-based company tied to Flax Typhoon, openly sold customers access to an application called KRLab that let them log in and run malicious commands across infected devices, effectively turning a Mirai-based botnet into a commercial product line for state use. Allied agencies say this is now the norm rather than the exception, with multiple Chinese cybersecurity firms operating legally within China while quietly building and maintaining large proxy networks that any China-nexus actor can tap into for global operations.
For defenders, the operational challenge is that these covert networks blur the line between criminal botnets and state infrastructure, and they heavily exploit long-standing weaknesses in consumer and edge hardware security. Most of the devices enrolled still shipped with factory-default passwords or unpatched firmware, which made them trivial to conscript and difficult for owners to notice once compromised. Governments have begun to respond with both technical operations and policy, from FBI-led botnet takedowns to new US Federal Communications Commission restrictions on importing high-risk foreign-made routers, but the advisory consensus is clear: organizations must assume inbound traffic from residential IP space and “normal” devices could be part of a nation-state proxy network. That means tightening monitoring of edge traffic, hardening and segmenting any SOHO-class gear used in branch or remote setups, enforcing unique credentials and firmware updates on all internet-facing devices, and treating large, distributed bursts of suspicious traffic as potential state-backed operations rather than just commodity DDoS noise.
Pastebin-Hosted PowerShell Script Poses as Windows Update to Steal Telegram Sessions
Researchers have uncovered a purpose-built PowerShell script hosted on Pastebin that quietly steals Telegram session data, rather than behaving like a typical malware dropper or infostealer. The script is titled “Windows Telemetry Update,” a name chosen to mimic legitimate maintenance tasks on Windows systems so that users are more likely to run it without suspicion. Once executed, it immediately collects basic host information such as username, computer name, and public IP, then focuses on locating Telegram Desktop installations and their session data.
The core objective is to grab Telegram desktop session files and send them to the attacker’s Telegram bot, allowing the operator to hijack accounts without needing passwords or SMS codes. The script searches under the user’s AppData folders for standard and beta Telegram Desktop directories, compresses any session data it finds into a temporary archive named “diag[.]zip,” and then uploads this archive via the Telegram Bot API using a bot token controlled by the attacker. Even when Telegram is not installed, the script still sends a “no installation found” notification, allowing the operator to track which executions hit viable targets. A related web-based stealer component targets Telegram Web sessions by harvesting key values from the browser’s local storage, then exfiltrates them through the same bot infrastructure.
Flare analysts found two versions of the script on Pastebin under the same account, with the first containing a flawed upload routine and the second fully functional, suggesting the operator was still testing and refining the tool at the time of discovery. Neither version includes advanced obfuscation, persistence, or automated distribution, indicating the threat is currently in a validation phase rather than a widespread campaign. However, the working variant and overlapping bot infrastructure suggest it is ready for scale if paired with effective phishing or social engineering.
Security teams and users who suspect this script has been run are advised to immediately terminate all active Telegram sessions through the app’s settings, re-authenticate on trusted devices only, and monitor for unauthorized logins or messages, while organizations should also treat any host that executed the script as potentially compromised and review PowerShell execution policies and logging around Pastebin-originated scripts.
LMDeploy SSRF Flaw Let Attackers Turn AI Inference Engines into Internal Network Proxies Within Hours
A newly disclosed server-side request forgery vulnerability in LMDeploy, tracked as CVE-2026-33626, has given attackers a fast and powerful way to pivot from public AI endpoints into cloud metadata services and internal networks. LMDeploy, developed by Shanghai AI Laboratory’s InternLM project, is widely used to serve vision-language and text models like InternVL2 and Qwen2-VL through an OpenAI-compatible API, and versions before 0.12.3 contain a bug in the vision module’s image loader that blindly fetches URLs supplied by users. When a chat or inference request includes an image URL, the vulnerable load_image() function in lmdeploy/vl/utils[.]py will retrieve that URL from the server side without checking whether it points to localhost, cloud instance metadata, or other private IP ranges, effectively allowing external users to make the model server issue HTTP requests on their behalf.
Threat researchers say exploitation began less than 13 hours after GitHub published the initial advisory, with Sysdig’s honeypots seeing the first real-world attack attempt just 12 hours and 31 minutes after disclosure. In an eight-minute session on one vulnerable instance, an attacker used the image URL parameter as a generic SSRF primitive to probe the environment, starting with the AWS Instance Metadata Service at 169.254.169[.]254 for possible IAM credential theft, then scanning localhost for Redis, MySQL, and an internal HTTP admin interface, while also using an out-of-band callback service to confirm that the server could reach arbitrary external domains. They went further by hitting unauthenticated LMDeploy distributed-serving endpoints under /distserve, attempting to disrupt internal links between prefill and decode engines, an action that could degrade or break inference traffic across a cluster and that demonstrates an understanding of LMDeploy’s architecture.
CVE-2026-33626 is rated high severity because it turns what appears to be a harmless vision-LLM feature into an internal reconnaissance and disruption tool, even without traditional remote code execution. On a cloud-hosted, internet-exposed LMDeploy node with open egress, a determined attacker could exploit the flaw to access metadata services, scan internal ports, reach back-end services not exposed to the internet, or interfere with model-serving components, all via a single crafted inference request. The maintainers have fixed the issue in LMDeploy 0.12.3 by introducing stricter URL validation and blocking requests to loopback, link-local, and private ranges, and security vendors are urging organizations to upgrade immediately, lock down outbound traffic from inference and GPU nodes, require IMDSv2 with tokens on any AWS instances, and treat AI-serving components as high-value, internet-facing applications that need the same SSRF defenses and egress controls as any other web-exposed microservice.
Chinese Engineer’s Years-Long Phishing Scheme Exposes NASA’s Human Weak Spot
A newly highlighted case shows how a single, persistent spear-phishing campaign tricked NASA employees and other US government staff into handing over restricted aerospace software, without any malware or network exploits. US prosecutors and NASA’s Office of Inspector General say Chinese national Song Wu spent years impersonating trusted professors and engineers over Gmail, convincing victims that they were simply sharing tools with long‑time collaborators. In reality, they were emailing export‑controlled modeling and computational fluid dynamics software used for missile design and advanced aerodynamics, directly to an engineer at Aviation Industry Corporation of China, a major state-owned aerospace and defense conglomerate.
Investigators describe a methodical social engineering play rather than a “hack” in the technical sense. Wu reportedly researched his targets in depth, created look‑alike accounts for well‑known academics and colleagues, and sent highly tailored requests for specific NASA-developed tools, such as CBAero and the Direct Simulation Monte Carlo Analysis Code, which are designated for US‑only or government‑only release. Between 2017 and 2021, he contacted dozens of scientists and engineers across NASA, the Air Force, Navy, Army, FAA, major universities, and private aerospace firms, framing his requests as routine code or model sharing within a research community. In several cases, the approach worked, leading victims to unknowingly violate export‑control rules by sending sensitive software outside approved channels, which investigators say could have supported both industrial and military applications in China.
The case underscores that even highly technical organizations remain most vulnerable at the human level. There was no zero‑day exploit or backdoor in these incidents, only well-crafted emails and a believable story that bypassed normal caution. Wu, now indicted on multiple counts of wire fraud and aggravated identity theft and facing potentially decades in prison if ever apprehended, allegedly ran the scheme for years before it was detected and disrupted. For NASA and its partners, the lesson is that strict controls on export‑restricted tools are only as strong as the people enforcing them; verifying unusual software requests through out‑of‑band channels, limiting who can distribute sensitive code, and continuously training staff to distrust unsolicited “colleague” requests are now as critical as firewalls and intrusion detection when adversaries focus on social engineering instead of technical exploits.
Written By: William Elchert