Security & IT News

New York, New York, April 1st, 2026, CyberNewswire

Today, most malware are called fileless because they try to reduce their footprint on the infected computer filesystem to the bare minimum. But they need to write something think about persistence. They can use the registry as an alternative storage location. But some scripts still rely on files that are executed at boot time. For example, via a Run key: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v csgh4Pbzclmp /t REG_SZ /d \ %APPDATA%\Microsoft\Windows\Templates\dwm.cmd\ /f nul 2 1 The file located in %APPDATA% will be executed at boot time. From the attacker s point of view, there is a problem: The original script copies itself: copy /Y %~f0 %APPDATA%\Microsoft\Windows\Templates\dwm.cmd nul 2 1 Just after the copy operation, a PowerShell one-liner is executed: powershell -w h -c try{Remove-Item -Path '%APPDATA%\Microsoft\Windows\Templates\dwm.cmd :Zone.Identifier ' -Force -ErrorAction SilentlyContinue}catch{} nul 2 1 PowerShell will try to remove the alternate-data-stream (ADS) :Zone.Identifier that Windows adds during file operations. The :Zone.Identifier indicates the source of the file (1 = My Computer, 2 = Local intranet, 3 = Trusted sites, 4 = Internet, 5 = Restricted sites). It's not clear if a copy will drop or conserver the ADS. I did not find an official Microsoft documentation but, if you ask to a LLM, it will tell you that they are not preserved. They are wrong! In my Windows 10 lab, I downloaded a copy of BinaryNinja. An ADS was added to the file. After a copy to test.ext , the new file has still the ADS! By removing the ADS, the malicious script makes the file look less suspicious if the system is scanned to search for downloaded files (a classic operation performed in DFIR investigations). For the story, the script will later invoke another PowerShell that will drop a DonutLoader on the victim's computer. Xavier Mertens (@xme) Xameco Senior ISC Handler - Freelance Cyber Security Consultant PGP Key (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Google has fixed the fourth Chrome vulnerability exploited in zero-day attacks since the start of the year. [...]

Post-quantum cryptography explained, risks of quantum attacks, and steps to secure data, systems, and infrastructure for a quantum-resilient…

Last week, I listened to a fascinating talk by K. Melton on cognitive security, cognitive hacking, and reality pentesting. The slides from the talk are here , but—even better—Menton has a long essay laying out the basic concepts and ideas. The whole thing is important and well worth reading, and I hesitate to excerpt. Here’s a taste: The NeuroCompiler is where raw sensory data gets interpreted before you’re consciously aware of it. It decides what things mean, and it does this fast, automatic, and mostly invisible. It’s also where the majority of cognitive exploits actually land, right in this sweet spot between perception and conscious thought. This is my term for what Daniel Kahneman called System 1 thinking . If the Sensory Interface is the intake port, the NeuroCompiler is what turns that input into “filtered meaning” before the Mind Kernel ever sees it. It takes raw signal (e.g., photons, sound waves, chemical gradients, pressure) and translates it into something actionable based on binary categories like threat or safe, familiar or novel, trustworthy or suspicious. The speed is both an evolutionary feature and a modern bug. Processing here is fast enough to get you out of the way of a thrown object before you’ve consciously registered it. But “good enough most of the time” means “predictably wrong some of the time…. A critical architectural feature: the NeuroCompiler can route its output directly back to the Sensory Interface and out as behavior, skipping the conscious awareness of the Mind Kernel entirely . Reflex and startle responses use this mechanism, making this bypass pathway enormously useful for survival. Yet it leaves a wide-open backdoor. If the layer that holds access to skepticism and deliberate evaluation can be bypassed completely, a host of exploits become possible that would otherwise fail. That’s just one of the five levels Melton talks about: sensory interface, neurocompiler, mind kernel, the mesh, and cultural substrate. Melton’s taxonomy is compelling, and her parallels to IT systems are fascinating. I have long said that a genius idea is one that’s incredibly obvious once you hear it, but one that no one has said before. This is the first time I’ve heard cognition described in this way.

Most UK manufacturers compromised last year suffered financial loss, says ESET

Threat actors hijacked the popular npm package axios to spread RAT malware after compromising an open‑source maintainer’s account, researchers warn

Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069. "We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement. "North Korean

Google announced that the AI-powered Google Drive ransomware detection feature has reached general availability and is now enabled by default for all paying users. [...]

Microsoft released an emergency update to fix the March 2026 KB5079391 non-security preview update, which was pulled over the weekend due to installation issues. [...]

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The AI recruiting startup confirmed a security incident after an extortion hacking crew took credit for stealing data from the company's systems.

Anthropic says it accidentally leaked the source code for Claude Code, which is closed source, but the company says no customer data or credentials were exposed. [...]

Google is rolling out a new feature in the U.S. that allows users to change their @gmail address or create a new alias. [...]

Proton has announced a new video conferencing service named Meet and positioned it as a privacy-focused alternative to mainstream services like Google Meet, Zoom, and Microsoft Teams. [...]

The GIGABYTE Control Center is vulnerable to an arbitrary file-write flaw that could allow a remote, unauthenticated attacker to access files on vulnerable hosts. [...]

Vulnerabilities in the Vim and GNU Emacs text editors, discovered using simple prompts with the Claude assistant, allow remote code execution simply by opening a file. [...]

Google on Monday said it's officially rolling out Android developer verification to all developers to combat the problem of bad actors distributing harmful apps while "hiding behind anonymity." The development comes ahead of a planned verification mandate that goes into effect in Brazil, Indonesia, Singapore, and Thailand this September, before it expands globally next year. As part of this

Cisco has suffered a cyberattack after threat actors used stolen credentials from the recent Trivy supply chain attack to breach its internal development environment and steal source code belonging to the company and its customers. [...]

Critical infrastructure (CI) organizations underpin national security, public safety, and the economy. In 2026, the cyber threat landscape facing these sectors is structurally different than it was even two years ago. What Microsoft Threat Intelligence is observing across critical infrastructure environments right now is not a forecast. It is already happening. Threat actors are no longer focused solely on data theft or opportunistic disruption. They are establishing persistent access, footholds they can sit in quietly, undetected, and activate at the moment of maximum disruption. That is the threat CI leaders need to be preparing for today. Not someday. Now. Given these rising threats, governments worldwide are advancing policies and regulations to require critical infrastructure organizations to prioritize continuous readiness and proactive defense. The regulatory trajectory is clear. The U.S. National Cybersecurity Strategy published in March 2023 explicitly frames cybersecurity of critical infrastructure as a national security imperative. Japan issued a basic policy to implement the Active Cyber Defense legislation in 2025 . Europe continues to implement the NIS2 Directive across the essential sectors. And Canada is advancing a more prescriptive approach to critical infrastructure security through Bill C8 . What Microsoft Threat Intelligence hears from law enforcement agencies reinforces what we observe in our own telemetry. For example, Operation Winter SHIELD is a joint initiative led by the FBI Cyber Division focused on helping CI organizations move from awareness to verified readiness. Implementation not just awareness, not just policy. It is what closes the gap between knowing you are a target and being ready when it matters. The water sector offers a clear illustration of what that implementation gap looks like in practice and what it takes to close it. The findings from Microsoft, released on March 19, 2026, in collaboration with the Cyber Readiness Institute and the Center on Cyber Technology and Innovation show that hands-on coaching paired with practical training materially improves cyber readiness in water and wastewater utilities in ways that guidance alone does not. When attacks succeed, communities face safety concerns, loss of trust, and service disruptions. That is not an abstraction. That is what is at stake across every CI sector. To say that environments CI organizations are defending today were not designed for the threat they are facing is an understatement. Legacy systems now operate within hybrid IT–OT environments connected by cloud-based identity, remote access, and complex vendor ecosystems that did not exist when those systems were built. Identity has become the central control layer across all of it. Microsoft Threat Intelligence and Incident Response investigations show a convergence of identity-driven intrusion, living-off-the-land (LOTL) persistence, and nation-state prepositioning across CI. Against this backdr