Posts by Negan

    Mozilla Firefox gets new anti-fingerprinting defenses

    Mozilla announced a major privacy upgrade in Firefox 145 that further reduces the number of users vulnerable to digital fingerprinting.

    The new protections will initially be available only in Private Browsing Mode and Enhanced Tracking Protection (ETP) Strict mode. After testing and optimization, they will be enabled by default in the Firefox web browser.

    Fingerprinting is a tracking technique that allows tracking of users' browsing activity and identifying them across websites and browser sessions, even when cookies are blocked or private browsing is active.

    Subtle identifiers, like timezone, hardware and browser details, can be used to create a unique digital signature to identify users on the internet.

    This type of data can be your browser's version, operating system, screen resolution and color depth, system language, installed fonts, time zone, GPU rendering behavior, CPU cores, touchscreen capabilities, and device memory.

    Firefox’s existing anti-fingerprinting system, part of the software’s ‘Enhanced Tracking Protection’ mechanism, blocks many known tracking and fingerprinting scripts, most of which are intrinsically pervasive and not related to improving the user’s experience.

    “Since 2021, Firefox has been incrementally advancing fingerprinting protections, covering the most pervasive fingerprinting techniques,” explains Mozilla.

    “These include things like how your graphics card draws images, which fonts your computer has, and even tiny differences in how it performs math.”

    These anti-fingerprinting blocks, which Mozilla marks as ‘Phase 1 Protections’, reduced trackability to roughly 35%, compared to the baseline 65% with no protections at all.

    Now, ‘Phase 2’ protections are being rolled out, which block requests to discover installed fonts, hardware details, number of processor cores, multi-touch support, and dock/taskbar dimensions.

    Specifically, the new protections constitute the following:

    • Random noise is added to background images only when a site reads them back, not when they are just displayed.
    • Only standard OS fonts are used; local fonts are blocked, except for key language fonts like Japanese, Thai, Arabic, Chinese, Korean, and Hebrew.
    • Touch support is reported as 0, 1, or 5.
    • The available screen resolution is the screen height minus 48 pixels.
    • Processor cores are always reported as 2.

    As a result of these additional measures, only 20% of users can still be uniquely fingerprinted and persistently tracked.

    Percentage of user trackability in each case

    Mozilla explained that it cannot aggressively block everything to reduce trackability further, as this would eventually lead to usability issues that break legitimate website features.

    Various productivity tools rely on actual real-time and location data to provide the intended functionality, so a portal of exchange needs to be maintained, even if its size is shrinking.

    Those who are facing usability problems with the new layers of protection are given the option to disable them on specific sites.

    Firefox 145 will be officially released tomorrow, but users can already download an installer for their OS from Mozilla’s FTP server.

    Note that this is the first release that doesn’t offer a 32-bit Linux version, which Mozilla deprecated due to waning user demand not making its development and testing worthwhile anymore.


    www.bleepingcomputer.com

    Rhadamanthys infostealer disrupted as cybercriminals lose server access


    The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers.

    Rhadamanthys is an infostealer malware that steals credentials and authentication cookies from browsers, email clients, and other applications. It is commonly distributed through campaigns promoted as software cracks, YouTube videos, or malicious search advertisements.

    The malware is offered on a subscription model, where cybercriminals pay the developer a monthly fee for access to the malware, support, and a web panel used to collect stolen data.

    Subscription plans for the Rhadamanthys malware operation

    Cybersecurity researchers known as g0njxa and Gi7w0rm, who both monitor malware operations like Rhadamanthys, report that cybercriminals involved in the operation claim that law enforcement gained access to their web panels.

    In a post on a hacking forum, some customers state that they lost SSH access to their Rhadamanthys web panels, which now require a certificate to log in rather than their usual root password.

    "If your password cannot log in. The server login method has also been changed to certificate login mode, please check and confirm, if so, immediately reinstall your server, erase traces, the German police are acting," wrote one of the customers.

    Post to hacking forum

    Another Rhadamanthys subscriber claimed they were having the same issues, with their server's SSH access now also requiring certificate-based logins.

    "I confirm that guests have visited my server and the password has been deleted. Root server login became strictly certificate-based, so I had to immediately delete everything and power down the server. Those who installed it manually were probably unscathed, but those who installed it through the 'smart panel' were hit hard," wrote another subscriber.

    A message from the Rhadamanthys developer says they believe German law enforcement is behind the disruption, as web panels hosted in EU data centers had German IP addresses logging in before the cybercriminals lost access.

    Post by developer

    G0njxa told BleepingComputer that the Tor onion sites for the malware operation are also offline but do not currently have a police seizure banner, so it is unclear who exactly is behind the disruption.

    Multiple researchers who have spoken to BleepingComputer believe this disruption could be related to an upcoming announcement from Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.

    Operation Endgame has been behind numerous disruptions since it launched, including against ransomware infrastructure, the AVCheck site, and the SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, and SystemBC malware operations.

    The Operation Endgame website currently has a timer stating that new action will be disclosed on Thursday.

    www.bleepingcomputer.com

    Meta just killed native WhatsApp on Windows 11, now it opens WebView, uses 1GB RAM all the time

    https://www.windowslatest.com/2025/11/12/meta-just-killed-native-whatsapp-on-windows-11-now-it-opens-webview-uses-1gb-ram-all-the-time/


    WhatsApp on Windows 11 has just got a ‘major’ upgrade, and you’re probably going to hate it because it simply loads web.whatsapp.com in a WebView2 container. This means WhatsApp on Windows 11 is cooked, and it’s back to being absolute garbage in terms of performance.

    WhatsApp is one of those Windows apps that went from being a web wrapper to a native app and then back to the web again after all these years of investment.

    WhatsApp for Windows 11

    WhatsApp for Windows was originally an Electron app, and it was eventually replaced with UWP after years of investment. Four years later, WhatsApp is going back to WebView2, abandoning the original WinUI/UWP native idea.

    I blame the layoffs

    My understanding is that the recent layoffs at Mark Zuckerberg-headed Meta likely disbanded the entire team behind the native WhatsApp. I don’t see any other reason why Meta would abandon its native app for Windows. Meta will save costs by maintaining the web app codebase on Windows, but you’re going to hate the experience.

    How bad is the new WhatsApp for Windows 11?

    Our tests showed that the new Chromium/WebView2-based WhatsApp for Windows 11 uses up to 300MB of RAM when you are on the login screen and doing nothing. On the other hand, the old/native WhatsApp uses just 18MB of RAM and even slips to less than 10MB when left idle on the login screen.

    WhatsApp WebView2 RAM usage

    After logging in, WhatsApp (new) memory usage increased to 2GB while trying to load all my chats. On average, it used 1.2GB when left idle in the background.

    You’d realise how bad this is when I tell you the benchmarks for the native WhatsApp for comparison. I tested the old/native WhatsApp, and it uses just 190MB most of the time, dropping to less than 100MB when it’s completely idle. At worst, it would reach 300MB, which can happen only when the chat is really active.

    WhatsApp for Windows RAM usage

    “WhatsApp” is the new version and “WhatsApp Beta” is the old UWP/WinUI version in the screenshot

    By the looks of things, this new WhatsApp for Windows 11 can touch 3GB RAM if you have too many active conversations.

    It’s absolutely garbage, and it should not be allowed inside the Microsoft Store. You’re better off using WhatsApp on the web (Edge/Chrome) than updating/downloading this new WebView2-based app.

    In fact, it appears that WhatsApp web (web.whatsapp.com) in any browser is less terrible than this WebView2 container.

    New WhatsApp is a performance nightmare

    An app can use a lot of memory, and it does not necessarily mean it’s a performance nightmare, but the issue with the new WhatsApp is that it feels sluggish. You’re going to notice sluggish performance, long loading time, and other performance issues when browsing different conversations.

    We also noticed that it does not work well with Windows notifications. It also struggles with Windows 11’s Do Not Disturb mode or Active Hours. And there are delayed notifications problems as well.

    Can you avoid this new WhatsApp upgrade on Windows 11? Yes, but not for a very long time

    Windows Latest found that WhatsApp version 2.2584.3.0 replaces the native (WinUI/UWP) app and is rolling out in all regions via the Microsoft Store. Do not download it, and you might still be allowed to use the native app for the next few days.

    WhatsApp native app

    However, Windows Latest has learned that all users will be logged out eventually and forced to use the WebView2-based WhatsApp.

    This ‘upgrade’ ships as the WhatsApp native experience rolls out on Apple Watch, which has 115 million consumers, while Windows has over one billion active monthly devices. Clearly, numbers are not always enough, and I am not sure if I can really blame Meta when Microsoft also does not make native apps for Windows anymore.

    The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control.


    "Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs," the Genians Security Center (GSC) said in a technical report.

    What's notable about the attacks targeting Android devices is also the destructive ability of the threat actors to exploit Google's asset tracking service Find Hub (formerly Find My Device) to remotely reset victim devices, thereby leading to the unauthorized deletion of personal data. The activity was detected in early September 2025.

    The development marks the first time the hacking group has weaponized legitimate management functions to remotely reset mobile devices. The activity is also preceded by an attack chain in which the attackers approach targets via spear-phishing emails to obtain access to their computers, and leverage their logged-in KakaoTalk chat app sessions to distribute the malicious payloads to their contacts in the form of a ZIP archive.

    The spear-phishing emails are said to mimic legitimate entities like the National Tax Service to deceive recipients into opening malicious attachments to deliver remote access trojans like Lilith RAT that can remotely commandeer compromised machines and deliver additional payloads.

    Konni Attack Flow

    "The threat actor stayed hidden in the compromised computer for over a year, spying via the webcam and operating the system when the user was absent," GSC noted. "In this process, the access obtained during the initial intrusion enables system control and additional information collection, while evasion tactics allow long-term concealment."

    The deployed malware on the victim's computer allows the threat actors to carry out internal reconnaissance and monitoring, as well as exfiltrate victims' Google and Naver account credentials. The stolen Google credentials are then used to log in to Google's Find Hub and initiate a remote wipe of their devices.

    In one case, the attackers have been found to sign into a recovery email account registered under Naver, delete security alert emails from Google, and empty the inbox's trash folder to cover up traces of the nefarious activity.

    The ZIP file propagated via the messaging app contains a malicious Microsoft Installer (MSI) package ("Stress Clear.msi"), which abuses a valid signature issued to a Chinese company to give the application an illusion of legitimacy. Once launched, it invokes a batch script to perform initial setup and proceeds to run a Visual Basic Script (VB Script) that displays a fake error message about a language pack compatibility issue, while the malicious commands are executed in the background.

    This includes launching an AutoIt script that's configured to run every minute by means of a scheduled task in order to execute additional commands received from an external server ("116.202.99[.]218"). While the malware shares some similarities with Lilith RAT, it has been codenamed EndRAT (aka EndClient RAT by security researcher Ovi Liber) due to the differences observed.

    The list of supported commands is as follows:

    • shellStart, to start a remote shell session
    • shellStop, to stop remote shell
    • refresh, to send system information
    • list, to list drives or root directory
    • goUp, to move up one directory
    • download, to exfiltrate a file
    • upload, to receive a file
    • run, to execute a program on host
    • delete, to delete a file on host

    Genians said the Konni APT actors have also utilized an AutoIt script to launch Remcos RAT version 7.0.4, which was released by its maintainers, Breaking Security, on September 10, 2025, indicating that the adversary is actively using newer versions of the trojan in its attacks. Also observed on victim devices are Quasar RAT and RftRAT, another trojan previously put to use by Kimsuky in 2023.

    "This suggests that the malware is tailored to Korea-focused operations and that obtaining relevant data and conducting in-depth analysis requires substantial effort," the South Korean cybersecurity company said.

    Lazarus Group's New Comebacker Variant Detailed

    The disclosure comes as ENKI detailed the Lazarus Group's use of an updated version of the Comebacker malware in attacks aimed at aerospace and defense organizations using tailored Microsoft Word document lures consistent with an espionage campaign. The lures impersonate Airbus, Edge Group, and the Indian Institute of Technology Kanpur.

    The infection chain kicks off when victims open the file and enable macros, causing the embedded VBA code to execute and deliver a decoy document that's displayed to the user, along with a loader component that's responsible for launching Comebacker in memory.

    The malware, for its part, establishes communication with a command-and-control (C2) server over HTTPS and enters into a loop to poll for new commands or download an encrypted payload and execute it.

    "The actor's use of highly specific lure documents indicates that this is a targeted spear phishing campaign," ENKI said in a technical report. "Although there are no reports of victims so far, the C2 infrastructure remains active at the time of this publication."

    Kimsuky Uses a New JavaScript Dropper

    The findings also coincide with the discovery of a new JavaScript-based malware dropper that has been employed by Kimsuky in its recent operations, demonstrating the actor's continued refinement of its malware arsenal. The initial access mechanism by which the JavaScript malware is distributed is currently not known.

    Kimsuky JavaScript Dropper Flow

    The starting point of the attack is an initial JavaScript file ("themes.js") that contacts an adversary-controlled infrastructure to fetch more JavaScript code that's capable of executing commands, exfiltrating data, and retrieving a third-stage JavaScript payload to create a scheduled task to launch the first JavaScript file every minute and launch an empty Word document, likely as a decoy.

    "Since the Word document is empty and does not run any macros in the background, it may be a lure," Pulsedive Threat Research said in an analysis published last week.


    Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon
    Konni and Lazarus launch new North Korea-linked attacks using RATs, fake lures, and Google exploits.
    thehackernews.com

    Google's Mandiant Threat Defense on Monday said it discovered n-day exploitation of a now-patched security flaw in Gladinet's Triofox file-sharing and remote access platform.

    The critical vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1), allows an attacker to bypass authentication and access the configuration pages, resulting in the upload and execution of arbitrary payloads.

    The tech giant said it observed a threat cluster tracked as UNC6485 weaponizing the flaw as far back as August 24, 2025, nearly a month after Gladinet released patches for the flaw in version 16.7.10368.56560. It's worth noting that CVE-2025-12480 is the third flaw in Triofox that has come under active exploitation this year alone, after CVE-2025-30406 and CVE-2025-11371.

    "Added protection for the initial configuration pages," according to release notes for the software. "These pages can no longer be accessed after Triofox has been set up."

    Mandiant said the threat actor weaponized the unauthenticated access vulnerability to gain access to the configuration pages, and then used them to create a new native admin account, Cluster Admin, by running the setup process. The newly created account was subsequently used to conduct follow-on activities.

    "To achieve code execution, the attacker logged in using the newly created Admin account. The attacker uploaded malicious files to execute them using the built-in antivirus feature," security researchers Stallone D'Souza, Praveeth DSouza, Bill Glynn, Kevin O'Flynn, and Yash Gupta said.

    "To set up the antivirus feature, the user is allowed to provide an arbitrary path for the selected anti-virus. The file configured as the antivirus scanner location inherits the Triofox parent process account privileges, running under the context of the SYSTEM account."

    The attackers, per Mandiant, ran their malicious batch script ("centre_report.bat") by configuring the path of the antivirus engine to point to the script. The script is designed to download an installer for Zoho Unified Endpoint Management System (UEMS) from 84.200.80[.]252, and use it to deploy remote access programs like Zoho Assist and AnyDesk on the host.

    The remote access afforded by Zoho Assist was leveraged to conduct reconnaissance, followed by attempts to change passwords for existing accounts and add them to local administrators and the "Domain Admins" group for privilege escalation.

    As a way to sidestep detection, the threat actors downloaded tools like Plink and PuTTY to set up an encrypted tunnel to a command-and-control (C2) server over port 433 via SSH with the ultimate goal of allowing inbound RDP traffic.

    While the ultimate objective of the campaign remains unknown, it's advised that Triofox users update to the latest version, audit admin accounts, and verify that Triofox's antivirus engine is not configured to execute unauthorized scripts or binaries.


    Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature
    Mandiant reveals hackers exploited Triofox CVE-2025-12480 to gain admin control and deploy remote tools.
    thehackernews.com

    Finished Walking Dead - Dead City.

    Now trying Robin Hood 2025


    Well, after 10 mins of the first episode, I am done. This is so not Robin Hood.

    Went to:

    NCIS: Tony & Ziva


    Very good, just finished this season, so far they both want to do a Season 2, but not confirmed yet.

    Will there be a NCIS: Tony & Ziva season 2?
    What does the future hold for one of the franchise's most popular couples?
    www.radiotimes.com

    Thanks for the logo, Trident, amazing job!

    Our forum is ready to support for HEA.
    Let’s make this a great success!

    Finished Kung Fu Hustle
