Posts by Negan

    Finished Walking Dead - Dead City.

    Now trying Robin Hood 2025

    External Content youtu.be

    External Content youtu.be

    One of my absolute favorite bands ever.

    He wrote Queen's biggest hit, made $200 million, and then Freddie Mercury died—so he walked away from fame forever and hasn't been seen in 28 years.

    No farewell tour. No memoir. No reunion. No final interview.

    Just silence.

    John Deacon—the quiet bassist who wrote "Another One Bites the Dust"—simply vanished from public life at age 46 and never came back.

    And here's what makes it extraordinary: He's still alive. Still out there. Living in the same South London house he bought in the 1970s. Playing golf. Raising his six kids, now grown. Collecting millions annually in Queen royalties.

    He could be on stages worldwide earning standing ovations. He could write a bestselling memoir. He could do one interview and make headlines globally.

    Instead, he chooses complete invisibility.

    For 28 years.

    Let me tell you why this matters.

    1971. Chelsea College, London.

    John Deacon was 19 years old—a serious, introverted electronics student who played bass in amateur bands but cared more about finishing his degree than rock stardom.

    Three guys named Freddie Mercury, Brian May, and Roger Taylor had been searching for a bassist for months. They'd auditioned dozens. No one fit.

    Then John showed up. Played one song. Barely spoke.

    Freddie, Brian, and Roger looked at each other: This is our guy.

    Not because John had the biggest personality—he had the smallest. But that's exactly what they needed. Three volcanic egos required a stabilizer. Someone grounded. Calm. Practical.

    John joined Queen. But first—and this tells you everything about him—he insisted on finishing his university degree.

    While Queen was recording their first album and playing bigger shows, John was attending classes and taking exams. He graduated with First Class Honours in Electronics in 1971. Only then did he fully commit to the band.

    Most 19-year-olds would've dropped out immediately. "Rock band? Fame? Let's go!"

    John thought: "Let me get my degree first. Just in case."

    That pragmatism defined him for the next 20 years.

    The quiet genius.

    While Freddie commanded stages and Brian created guitar symphonies, John was the foundation nobody noticed. The groove. The pocket that held everything together.

    But here's what casual fans miss: John Deacon wrote some of Queen's biggest hits.

    "Another One Bites the Dust" (1980)—that funky, unstoppable bass line? John wrote it. The song became Queen's best-selling single ever. Over 7 million copies. Number one in America.

    "I Want to Break Free" (1984)—massive hit. John wrote it.

    "You're My Best Friend" (1975)—John wrote it for his wife Veronica.

    "Spread Your Wings" (1977)—John's composition.

    He wasn't prolific like Freddie or Brian. But when John wrote a song, it was often a smash.

    And he did it all while being the quietest person in every room.

    The rock star who lived like an accountant.

    While Freddie partied extravagantly, John went home to his wife and kids.

    He married Veronica Tetzlaff in January 1975—before Queen became massive—and stayed married. No rock star divorces. No scandals. No tabloid drama. Nearly 50 years together.

    They bought a modest house in Putney, South London, and had six children. John lived there throughout Queen's entire peak—through stadium tours, worldwide fame, hundreds of millions in royalties.

    He just... didn't participate in the lifestyle.

    Brian May once said: "John was always the sensible one. While we were being rock stars, John was worried about mortgages and school fees."

    Roger Taylor called him "quiet but lethal" musically—invisible in interviews, devastating in the studio.

    Freddie relied on John's stability. The ultimate extrovert and the ultimate introvert, understanding each other perfectly.

    Then came November 24, 1991.

    The day John's world ended.

    Freddie Mercury died of AIDS-related pneumonia.

    The remaining members tried to continue. They held the massive Freddie Mercury Tribute Concert in April 1992 at Wembley Stadium.

    John participated. He played. But anyone watching could see: he was shattered.

    Queen attempted a few more projects. Made in Heaven (1995) using Freddie's final recordings. John played on it, reluctantly.

    A few one-off performances in 1997. John participated minimally.

    And then he stopped.

    His statement was simple and devastating: "As far as we are concerned, this is it. There is no point carrying on. It is impossible to replace Freddie."

    Brian and Roger wanted to continue in some form. Eventually they toured with Paul Rodgers, then Adam Lambert, as "Queen +."

    John wanted no part of it.

    He said no. And walked away.

    That was 1997. He was 46 years old. Still young. Still healthy. Still earning millions annually.

    And he simply... disappeared.

    28 years of silence.

    At first, people thought it was temporary grief. That he'd return eventually. Do one reunion show. Accept an award. Something.

    But years passed. A decade. Two decades. Nearly three.

    Nothing.

    John Deacon hasn't given a public interview since 1997. Hasn't appeared on stage. He attended Queen's Rock and Roll Hall of Fame induction in 2001 but didn't speak. After that, he stopped attending public events entirely.

    When Queen + Adam Lambert tours to sold-out stadiums worldwide, John declines all involvement. He still receives his share of royalties—millions annually—but wants nothing to do with performances or publicity.

    Brian May occasionally mentions him: "We stay in touch. He's fine. He's happy. He just doesn't want any part of this anymore. And we respect that."

    Roger Taylor is more blunt: "John wants to be left alone. He's not coming back. Ever."

    So where is John Deacon?

    Still in Putney, South London. Same house. Now 73 years old. Married to Veronica for nearly 50 years. Six adult children, grandchildren.

    He plays golf. Manages his finances (that electronics degree training paid off). Lives a completely ordinary suburban life.

    Very rarely, a photo surfaces. Someone spots him at a grocery store or golf course. He politely declines autographs, doesn't engage, walks away.

    He's worth an estimated $200 million. "Bohemian Rhapsody" alone generates millions annually. He could live anywhere, do anything.

    He chooses to live quietly in the neighborhood where he raised his kids.

    Why this matters.

    John Deacon achieved everything a musician dreams of. Worldwide fame. Historic success. Songs billions have heard. Financial security for generations.

    And then he walked away. Forever.

    In an industry built on ego, attention, and never knowing when to quit—John quit at the perfect moment. When it stopped being meaningful.

    He kept his promise to Freddie: "You can't replace him." So he didn't try.

    While Brian and Roger tour (their choice, valid, fine)—John remains firm. For him, Queen died with Freddie. Continuing without Freddie would dishonor what they built together.

    There's something almost sacred about his loyalty. He could easily justify one reunion tour. One documentary. One final payday.

    He refuses. Every time. For 28 years.

    The last public quote attributed to John, from around 1997: "I have no wish to be on a stage again. My life is about my family now."

    And he meant it.

    Through temptation, offers, pressure—he's never wavered.

    What we can learn.

    In a world that demands everyone seek attention constantly, John Deacon chose invisibility and found peace.

    He knew when to stop. Knew what actually mattered. Fame, applause, validation from strangers—none of it compared to the life he built with Veronica and his children.

    He didn't need to prove anything. Didn't need one more tour, one more interview, one more moment in the spotlight.

    He said what he needed to say through music. Then went home.

    That's not retirement. That's something rarer: complete contentment with silence.

    Most people never figure out when enough is enough. John Deacon figured it out at 46 and never looked back.

    He's still out there. In Putney. Playing golf. Living the life he chose over fame.

    And apparently, that's exactly where he wants to be.

    The bassist who knew when to stop playing.

    John Deacon: Born 1951. Joined Queen at 19. Wrote their biggest hits. Played on every album from 1971-1995.

    Then Freddie died.

    John said "It's over."

    And meant it.

    Still alive. Still quiet. Still done.

    28 years later, the world still doesn't understand it. But John doesn't need us to understand.

    He made his choice. He kept his promise to Freddie. He built a life that matters more to him than applause.

    In an age of influencers desperate for attention, reality stars manufacturing drama, celebrities clinging to relevance—John Deacon is the counterpoint.

    The man who had everything the world offers and chose something else instead.

    Family. Privacy. Golf. Silence.

    And he's never regretted it once.

    That's not just a story about a bassist who quit.

    That's a story about knowing what actually matters.

    And having the courage to walk away from everything that doesn't.

    Free Sticky Password for 1 year.

    Quote

    Features of Sticky Password Premium 8:

    • Password Manager – Password-safe – organize and securely store your passwords in whatever way works best for you. A password generator generates a new password automatically whenever you need a new password.
    • Autofill – Automatically fills your logins and passwords to appropriate fields on a given URL and even in Windows applications. One-click logs you into any of your favorite sites and applications.
    • Form Filling – Automatic form filler completes even the longest forms for you. No need to register every time you shop or download – once you’ve stored your information in the password manager, you can recall it instantly on any device whenever you need it.
    • Biometrics – Fingerprint scanning – identity verification of the account holder can be made with just one swipe of a finger.
    • Super Secured Data – AES-256 encryption – the world’s leading standard also used by the military. And your master password is not known to anyone else but you – not even to us.
    • Two-Factor Authentication – You have the option of unlocking Sticky Password using your Master Password and a unique time-based code generated every 30 seconds on your smartphone.
    • All Major Platforms – Sticky Password works across all 4 major platforms – on your PC, Mac, tablet, and smartphone. Windows, Mac OS X, Android, and iOS operating systems are supported.
    • Cloud Sync Across Devices – Synchronization via our cloud servers – only if you want. The synchronization can be made over local Wi-Fi or manually so that your encrypted data never leaves your devices.
    • Cloud Backup – There’s an encrypted password database backup available for you in the cloud in case you lose your device or data stored on it – only if you want.
    • Local Wi-Fi Sync Across Devices – You don’t have to synchronize only via our cloud servers. The synchronization can be made over local Wi-Fi or even manually so that your encrypted data never leaves your devices.
    • Priority Support – Access to the support team for all their questions. Contact us at support@stickypassword.com using the email address associated with your Premium account.
    • Saving Endangered Manatees – With each Premium version sold we support manatees around the world.
    Sticky Password Premium: FREE Key or BUY 85% OFF?
    Activate Sticky Password Premium for free using our giveaway license. Get price slashes up to 85% if you buy the paid version.
    softopaz.com

    Cybercrime has stopped being a problem of just the internet — it's becoming a problem of the real world. Online scams now fund organized crime, hackers rent violence like a service, and even trusted apps or social platforms are turning into attack vectors.

    The result is a global system where every digital weakness can be turned into physical harm, economic loss, or political leverage. Understanding these links is no longer optional — it's survival.

    For a full look at the most important security news stories of the week, keep reading.


    1. Hidden flaws resurface in Windows core

      Security Flaws in Windows GDI

      Details have emerged about three now-patched security vulnerabilities in Windows Graphics Device Interface (GDI) that could enable remote code execution and information disclosure. These issues – CVE-2025-30388, CVE-2025-53766, and CVE-2025-47984 – involve out-of-bounds memory access triggered through malformed enhanced metafile (EMF) and EMF+ records that can cause memory corruption during image rendering. They are rooted in gdiplus.dll and gdi32full.dll, which process vector graphics, text, and print operations. They were addressed by Microsoft in the Patch Tuesday updates in May, July, and August 2025 in gdiplus.dll versions 10.0.26100.3037 through 10.0.26100.4946 and gdi32full.dll version 10.0.26100.4652. "Security vulnerabilities can persist undetected for years, often resurfacing due to incomplete fixes," Check Point said. "A particular information disclosure vulnerability, despite being formally addressed with a security patch, remained active for years due to the original issue receiving only a partial fix. This example underscores a basic conundrum for researchers: introducing a vulnerability is often easy, fixing it can be difficult, and verifying that a fix is both thorough and effective is even more challenging."

    2. Syndicate staffed by fake workers net millions

      3 Chinese Nationals Sent to Prison in Singapore

      Three Chinese nationals, Yan Peijian, 39, Huang Qinzheng, 37, and Liu Yuqi, 33, were convicted and sentenced to a little over two years in prison in Singapore for their involvement in hacking into overseas gambling websites and companies for the purposes of cheating during gameplay and stealing databases of personally identifiable information for trade. The three individuals, part of a group of five Chinese nationals and one Singaporean man, were originally arrested and charged in September 2024. "The three accused persons were tasked by the syndicate's group leader to probe sites of interest for system vulnerabilities, conduct penetration attacks, and exfiltrate personal information from the compromised systems," the Singapore Police Force said. "Further investigations revealed that the syndicate possessed foreign government data, including confidential communications." The three defendants were also found to be in possession of tools like PlugX and "hundreds of different remote access trojans" to conduct cyber attacks. According to Channel News Asia, the three men entered the country on fake work permits in 2022 and worked for a 38-year-old Ni-Vanuatu citizen named Xu Liangbiao. They were paid about $3 million for their work. Xu, the alleged leader, is said to have left Singapore in August 2023. His present whereabouts are unknown.

    3. AI speeds triage but human skill still needed

      Reverse Engineering XLoader Using ChatGPT

      Check Point has demonstrated a way by which ChatGPT can be used for malware analysis and flip the balance when it comes to taking apart sophisticated trojans like XLoader, which is designed such that its code decrypts only at runtime and is protected by multiple layers of encryption. Specifically, the research found that cloud-based static analysis with ChatGPT can be combined with Model Context Protocol (MCP) for runtime key extraction and live debugging validation. "The use of AI doesn't eliminate the need for human expertise," security researcher Alexey Bukhteyev said. "XLoader's most sophisticated protections, such as scattered key derivation logic and multi-layer function encryption, still require manual analysis and targeted adjustments. But the heavy lifting of triage, deobfuscation, and scripting can now be accelerated dramatically. What once took days can now be compressed into hours."

    4. RondoDox goes from DVRs to enterprise-wide weapon

      RondoDox Updates its Exploit Arsenal

      The malware known as RondoDox has witnessed a 650% increase in exploitation vectors, expanding from niche DVR targeting to enterprise. This includes more than 15 new exploitation vectors targeting LB-LINK, Oracle WebLogic Server, PHPUnit, D-Link, NETGEAR, Linksys, Tenda, TP-Link devices, as well as a new command-and-control (C2) infrastructure on compromised residential IP. Once dropped, the malware proceeds to eliminate competition by killing existing malware such as XMRig and other botnets, disabling SELinux and AppArmor, and running the main payload that's compatible with the system architecture.

    5. DHS pushes sweeping biometric rule for immigration

      U.S. DHS Proposes Biometric Data Collection for Immigration Applications

      The U.S. Department of Homeland Security (DHS) has proposed an amendment to existing regulations governing the use and collection of biometric information. The agency has put forth requirements for a "robust system for biometrics collection, storage, and use related to adjudicating immigration benefits and other requests and performing other functions necessary for administering and enforcing immigration and naturalization laws." As part of the plan, any individual filing or associated with a benefit request or other request or collection of information, including U.S. citizens, U.S. nationals, and lawful permanent residents, must submit biometrics, regardless of their age, unless DHS otherwise exempts the requirement. The agency said using biometrics for identity verification and management will assist DHS's efforts to combat trafficking, confirm the results of biographical criminal history checks, and deter fraud. The DHS is taking comments on the proposal until January 2, 2026.

    6. Researchers uncover large-scale AWS abuse network

      New Attack Infrastructure TruffleNet Detailed

      Cybersecurity researchers have discovered a new large-scale attack infrastructure dubbed TruffleNet that's built around the open-source tool TruffleHog, which is used to systematically test compromised credentials and perform reconnaissance across Amazon Web Services' (AWS) environments. "In one incident involving multiple compromised credentials, we recorded activity from more than 800 unique hosts across 57 distinct Class C networks," Fortinet said. "This infrastructure was characterized by the use of TruffleHog, a popular open-source secret-scanning tool, and by consistent configurations, including open ports and the presence of Portainer," an open-source management UI for Docker and Kubernetes that simplifies container deployment and orchestration. In these activities, the threat actors make calls to the GetCallerIdentity and GetSendQuota APIs to test whether the credentials are valid and abuse the Simple Email Service (SES). While no follow-on actions were observed by Fortinet, it's assessed that the attacks originate from a possibly tiered infrastructure, with some nodes dedicated to reconnaissance and others reserved for later stages of the attack. Also observed alongside the TruffleNet reconnaissance activity is the abuse of SES for Business Email Compromise (BEC) attacks. It's currently not known if these are directly connected to each other. The development comes as Fortinet revealed that financially motivated adversaries are targeting a broad range of sectors but relying on the same low-complexity, high-return methods, typically gaining initial access through compromised credentials, external remote services like VPNs, and exploitation of public-facing applications. These attacks are often characterized by the use of legitimate remote access tools for secondary persistence and leveraging them for data exfiltration to their infrastructure.

    7. FIN7 deploys stealthy SSH backdoor for persistence

      FIN7 Uses SSH Backdoor in Attacks

      PRODAFT has revealed that the financially motivated threat actor known as FIN7 (aka Savage Ladybug) has deployed since 2022 a "Windows specific SSH-based backdoor by packaging a self-contained OpenSSH toolset and an installer named install.bat." The backdoor provides attackers with persistent remote access and reliable file exfiltration using an outbound reverse SSH tunnel and SFTP.

    8. Cloudflare fends off massive DDoS surge on election day

      Cloudflare Detailed Steps Taken to Secure 2025 Moldova Elections

      Web infrastructure company Cloudflare said Moldova's Central Election Commission (CEC) experienced significant cyber attacks in the days leading to the country's Parliament election on September 28. The CEC also witnessed a "series of concentrated, high-volume (DDoS) attacks strategically timed throughout the day" on the day of the elections. Attacks also targeted other election-related, civil society, and news websites. "These attack patterns mirrored those against the election authority, suggesting a coordinated effort to disrupt both official election processes and the public information channels voters rely on," it said, adding it mitigated over 898 million malicious requests directed at the CEC over a 12-hour period between 09:06:00 UTC and 21:34:00 UTC.

    9. Silent Lynx exploits diplomacy themes to breach targets

      Silent Lynx Targets Russian-Azerbaijani Entities in Mid-October 2025

      The threat actor tracked as Silent Lynx (aka Cavalry Werewolf, Comrade Saiga, ShadowSilk, SturgeonPhisher, and Tomiris) has been observed targeting government entities, diplomatic missions, mining firms, and transportation companies. In one campaign, the adversary singled out organizations involved in Azerbaijan-Russian diplomacy, using phishing lures related to the CIS summit held in Dushanbe around mid-October 2025 to deliver the open-source Ligolo-ng reverse shell and a loader called Silent Loader that's responsible for running a PowerShell script to connect to a remote server. Also deployed is a C++ implant named Laplas that's designed to connect to an external server and receive additional commands for execution via "cmd.exe." Another payload of note is SilentSweeper, a .NET backdoor that extracts and runs a PowerShell Script that acts as a reverse shell. The second campaign, on the other hand, aimed at China-Central Asia relations to distribute a RAR archive that led to the deployment of SilentSweeper. The activity has been codenamed Operation Peek-a-Baku by Seqrite Labs. Doctor Web, in an independent analysis, said it investigated a phishing attack mounted by the threat actor targeting a government-owned organization within the Russian Federation to deliver reverse shell backdoors with the goal of collecting confidential information as well as network configuration data.

    10. Cyber gangs blend digital and physical extortion across Europe

      Surge in Violence-as-a-Service Attacks in Europe

      European organizations witnessed a 13% increase in ransomware over the past year, with entities in the U.K., Germany, Italy, France, and Spain most affected. A review of data leak sites over the period September 2024–August 2025 has revealed that the number of European victims has increased annually to 1,380. The most targeted sectors were manufacturing, professional services, technology, industrials, engineering, and retail. Since January 2024, over 2,100 victims across Europe have been named on extortion leak sites, with 92% involving file encryption and data theft. Akira (167), LockBit (162), RansomHub (141), INC, Lynx, and Sinobi were the most successful ransomware groups over the period. CrowdStrike said it's also seeing a surge in violence-as-a-service offerings across the continent with the goal of securing big payouts, including physical cryptocurrency theft. Cybercriminals connected to The Com, a loose-knit collective of young, English-speaking hackers, and a Russia-affiliated group called Renaissance Spider have coordinated physical attacks, kidnapping, and arson through Telegram-based networks. Renaissance Spider, which has been active since October 2017, is also said to have emailed fake bomb threats to European entities, likely aiming to undermine support for Ukraine. There have been 17 of these kinds of attacks since January 2024, out of which 13 took place in France.

    11. Fake ChatGPT and WhatsApp apps exploit user trust

      Fake Apps Exploit ChatGPT and WhatsApp Branding

      Cybersecurity researchers have discovered apps that use the branding of established services like OpenAI's ChatGPT and DALL-E, and WhatsApp. While the fake DALL-E Android app ("com.openai.dalle3umagic") is used for ad traffic generation, the ChatGPT wrapper app connects to legitimate OpenAI APIs while identifying itself as an "unofficial interface" for the artificial intelligence chatbot. Although not outright malicious, impersonation without transparency can expose users to unintended security risks. The counterfeit WhatsApp app, named WhatsApp Plus, masquerades as an upgraded version of the messaging platform, but contains stealthy payloads that can harvest contacts, SMS messages, and call logs. "The flood of cloned applications reflects a deeper problem: brand trust has become a vector for exploitation," Appknox said. "As AI and messaging tools dominate the digital landscape, bad actors are learning that mimicking credibility is often more profitable than building new malware from scratch."

    12. Phishers weaponize trusted email accounts post-breach

      Attackers Use Compromised Accounts for Phishing Attacks

      Threat actors are continuing to launch phishing campaigns after their initial compromise by leveraging compromised internal email accounts to expand their reach both within the compromised organization as well as externally to partner entities. "The follow-on phishing campaigns were primarily oriented towards credential harvesting," Cisco Talos said. "Looking forward, as defenses against phishing attacks improve, adversaries are seeking ways to enhance these emails' legitimacy, likely leading to the increased use of compromised accounts post-exploitation."

    13. Asia-wide phishing surge uses multilingual lures

      Phishing Attacks Target Financial and Government Orgs in Asia

      Recent phishing campaigns across East and Southeast Asia have been found to leverage multilingual ZIP file lures and shared web templates to target government and financial organizations. "These operations are characterized by multilingual web templates, region-specific incentives, and adaptive payload delivery mechanisms, demonstrating a clear shift toward scalable and automation-driven infrastructure," Hunt.io said. "From China and Taiwan to Japan and Southeast Asia, the adversaries have continuously repurposed templates, filenames, and hosting patterns to sustain their operations while evading conventional detection. The strong overlap in domain structures, webpage titles, and scripting logic indicates a shared toolkit or centralized builder designed to automate payload delivery at scale. This investigation links multiple clusters to a unified phishing toolkit used across Asia."

    14. Remote kill-switch fears spark probe into Chinese buses

      Dutch Authorities Launch Probe to Close Security Hole in Chinese Electric Buses

      Authorities in Denmark have launched an investigation following a discovery that electric buses manufactured by the Chinese company Yutong had remote access to the vehicles' control systems and allowed them to be remotely deactivated. This has raised security concerns that the loophole could be exploited to affect buses while in transit. "The testing revealed risks that we are now taking measures against," Bernt Reitan Jenssen, chief executive of the Norwegian public transport authority Ruter, was quoted as saying. "National and local authorities have been informed and must assist with additional measures at a national level."

    15. Cloudflare scrubs botnet domains from global rankings

      Cloudflare Takes Action on AISURU Botnet

      Cloudflare has scrubbed domains associated with the massive AISURU botnet from its top domain rankings. According to security journalist Brian Krebs, AISURU's operators are using the botnet to boost their malicious domain rankings, while simultaneously targeting the company's domain name system (DNS) service.

    16. China delivers harsh verdict in cross-border scam crackdown

      China Sentences 5 Myanmar Scam Mafia Members to Death

      A court in China has sentenced five members of a Myanmar crime syndicate to death for their roles in running industrial-scale scamming compounds near the border with China. The death sentences were handed out to the syndicate boss Bai Suocheng and his son Bai Yingcang, as well as Yang Liqiang, Hu Xiaojiang, and Chen Guangyi. Five others were sentenced to life. In all, 21 members and associates of the syndicate were convicted of fraud, homicide, injury, and other crimes. According to Xinhua, the defendants ran 41 industrial parks to facilitate telecommunications and online fraud at scale. The harsh penalty is the latest in a series of actions governments across the world have taken to combat the rise of cyber-enabled scam centers in Southeast Asia, where thousands are trafficked under the pretext of well-paying jobs, and are trapped, abused, and forced to defraud others in criminal operations worth billions. In September 2025, 11 members of the Ming crime family arrested during a 2023 cross-border crackdown were sentenced to death.

    17. Massive global credit card scam busted in €300M sting

      Operation Chargeback Dismantles €300 million Credit Card Fraud Scheme

      A coordinated law enforcement operation against a massive credit card fraud scheme dubbed Chargeback has led to the arrest of 18 suspects. The arrested individuals are German, Lithuanian, Dutch, Austrian, Danish, American, and Canadian nationals. "The alleged perpetrators are suspected of setting up an intricate scheme of fake online subscriptions to dating, pornography, and streaming services, among others, which were paid for by credit card," Eurojust said. "Among those arrested are five executive officials from four German payment service providers. The perpetrators deliberately kept monthly credit card payments to their accounts below the maximum of EUR 50 to avoid arousing suspicion among victims about high transfer amounts." The illicit scam is estimated to have defrauded at least €300 million from over 4.3 million credit card users with 19 million accounts in 193 countries between 2016 and 2021. The total value of attempted fraud against card users amounts to more than €750 million. Europol said the suspects used numerous shell companies, primarily registered in the U.K. and Cyprus, to conceal their activities.


    Every hack or scam has one thing in common — someone takes advantage of trust. As security teams improve their defenses, attackers quickly find new tricks. The best way to stay ahead isn't to panic, but to stay informed, keep learning, and stay alert.

    Cybersecurity keeps changing fast — and our understanding needs to keep up.

    ThreatsDay Bulletin: AI Tools in Malware, Botnets, GDI Flaws, Election Attacks & More
    This week’s ThreatsDay Bulletin covers AI in malware, botnets, GDI flaws, election cyberattacks, and the latest global security threats.
    thehackernews.com

    A new malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased "operations tempo" from the threat actor.

    The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew has rapidly refined and retooled its malware arsenal merely five days following the publication of its LOSTKEYS malware around the same time.

    While it's currently not known for how long the new malware families have been under development, the tech giant's threat intelligence team said it has not observed a single instance of LOSTKEYS since disclosure.

    The new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is "a collection of related malware families connected via a delivery chain," GTIG researcher Wesley Shields said in a Monday analysis.

    The latest attack waves are something of a departure from COLDRIVER's typical modus operandi, which involves targeting high profile individuals in NGOs, policy advisors, and dissidents for credential theft. In contrast, the new activity revolves around leveraging ClickFix-style lures to trick users into running malicious PowerShell commands via the Windows Run dialog as part of a fake CAPTCHA verification prompt.

    While the attacks spotted in January, March, and April 2025 led to the deployment of an information stealing malware known as LOSTKEYS, subsequent intrusions have paved the way for the "ROBOT" family of malware. It's worth noting that the malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively.

    The new infection chain commences with an HTML ClickFix lure dubbed COLDCOPY that's designed to drop a DLL called NOROBOT, which is then executed via rundll32.exe to drop the next-stage malware. Initial versions of this attack are said to have distributed a Python backdoor known as YESROBOT, before the threat actors switched to a PowerShell implant named MAYBEROBOT.

    YESROBOT uses HTTPS to retrieve commands from a hard-coded command-and-control (C2) server. A minimal backdoor, it supports the ability to download and execute files, and retrieve documents of interest. Only two instances of YESROBOT deployment have been observed to date, specifically over a two-week period in late May shortly after details of LOSTKEYS became public knowledge.

    In contrast, MAYBEROBOT is assessed to be more flexible and extensible, equipped with features to download and run payload from a specified URL, run commands using cmd.exe, and run PowerShell code.

    It's believed that the COLDRIVER actors rushed to deploy YESROBOT as a "stopgap mechanism" likely in response to public disclosure, before abandoning it in favor of MAYBEROBOT, as the earliest version of NOROBOT also included a step to download a full Python 3.8 installation onto the compromised host -- a "noisy" artifact that's bound to raise suspicion.

    Google also pointed out that the use of NOROBOT and MAYBEROBOT is likely reserved for significant targets, who may have been already compromised via phishing, with the end goal of gathering additional intelligence from their devices.

    "NOROBOT and its preceding infection chain have been subject to constant evolution -- initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys," Shields said. "This constant development highlights the group's efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets."

    The disclosure comes as the Netherlands' Public Prosecution Service, known as the Openbaar Ministerie (OM), announced that three 17-year-old men have been suspected of providing services to a foreign government, with one of them alleged to be in contact with a hacker group affiliated with the Russian government.

    "This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague," OM said. "The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks."

    Two of the suspects were apprehended on September 22, 2025, while the third suspect, who was also interviewed by authorities, has been kept under house arrest because of his "limited role" in the case.

    "There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government," the Dutch government body added.
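Added illustration, not code from the article or from Google or Zscaler: a small Python correlation rule over constructed process-creation events that flags the chain described above, a PowerShell launched from explorer.exe (what the Run dialog produces) followed on the same host by rundll32.exe loading a DLL from a user-writable path. Hostnames, paths, command lines and the event layout are constructed assumptions.

```python
"""Toy correlation rule for the ClickFix -> PowerShell -> rundll32 chain described above.
Added illustration only, not GTIG's or Zscaler's detection logic; the event layout,
hostnames, paths and command lines are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str     # basename of the started executable, lowercase
    parent: str    # basename of the parent executable, lowercase
    cmdline: str


# Locations a normal user can write to; a DLL loaded by rundll32 from here is a weak but useful signal.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
WINDOW = timedelta(minutes=10)   # how long after the PowerShell launch the rundll32 step still counts


def is_run_dialog_powershell(e: ProcEvent) -> bool:
    """Stage 1: PowerShell started under explorer.exe, which is what the Run dialog (Win+R) yields.
    Alone this also matches a user double-clicking a script, so it is only a precursor."""
    return e.image == "powershell.exe" and e.parent == "explorer.exe"


def is_rundll32_user_dll(e: ProcEvent) -> bool:
    """Stage 2: rundll32.exe asked to load a DLL from a user-writable location."""
    return e.image == "rundll32.exe" and any(m in e.cmdline.lower() for m in USER_WRITABLE)


def correlate(events, window: timedelta = WINDOW):
    """Return (host, stage1_event, stage2_event) triples where both stages occur on one host within `window`."""
    by_host = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)
    hits = []
    for host, evs in by_host.items():
        precursors = [e for e in evs if is_run_dialog_powershell(e)]
        for r in evs:
            if not is_rundll32_user_dll(r):
                continue
            for p in precursors:
                if p.ts <= r.ts <= p.ts + window:
                    hits.append((host, p, r))
                    break
    return hits


# Constructed sample telemetry: ws-01 shows the chain, ws-02 shows benign look-alikes.
T0 = datetime(2025, 6, 1, 9, 0, 0)
SAMPLE = [
    ProcEvent(T0, "ws-01", "powershell.exe", "explorer.exe",
              'powershell.exe -w hidden -c "<constructed ClickFix one-liner>"'),
    ProcEvent(T0 + timedelta(seconds=12), "ws-01", "rundll32.exe", "powershell.exe",
              'rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\sample.dll,Start'),
    ProcEvent(T0 + timedelta(minutes=5), "ws-02", "powershell.exe", "explorer.exe",
              'powershell.exe -File C:\\Users\\u\\Documents\\build.ps1'),
    ProcEvent(T0 + timedelta(minutes=6), "ws-02", "rundll32.exe", "svchost.exe",
              'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for host, p, r in correlate(SAMPLE):
        print(f"[{host}] Run-dialog PowerShell at {p.ts:%H:%M:%S} followed by rundll32 "
              f"loading a user-path DLL: {r.cmdline}")
```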


    Microsoft has disclosed details of a novel side-channel attack targeting remote language models that could enable a passive adversary with capabilities to observe network traffic to glean details about model conversation topics despite encryption protections under certain circumstances.

    This leakage of data exchanged between humans and streaming-mode language models could pose serious risks to the privacy of user and enterprise communications, the company noted. The attack has been codenamed Whisper Leak.

    "Cyber attackers in a position to observe the encrypted traffic (for example, a nation-state actor at the internet service provider layer, someone on the local network, or someone connected to the same Wi-Fi router) could use this cyber attack to infer if the user's prompt is on a specific topic," security researchers Jonathan Bar Or and Geoff McDonald, along with the Microsoft Defender Security Research Team, said.

    Put differently, the attack allows an attacker to observe encrypted TLS traffic between a user and LLM service, extract packet size and timing sequences, and use trained classifiers to infer whether the conversation topic matches a sensitive target category.

    Model streaming in large language models (LLMs) is a technique that allows for incremental data reception as the model generates responses, instead of having to wait for the entire output to be computed. It's a critical feedback mechanism as certain responses can take time, depending on the complexity of the prompt or task.

    The latest technique demonstrated by Microsoft is significant, not least because it works despite the fact that the communications with artificial intelligence (AI) chatbots are encrypted with HTTPS, which ensures that the contents of the exchange stay secure and cannot be tampered with.

    Many a side-channel attack has been devised against LLMs in recent years, including the ability to infer the length of individual plaintext tokens from the size of encrypted packets in streaming model responses or by exploiting timing differences caused by caching LLM inferences to execute input theft (aka InputSnatch).

    Whisper Leak builds upon these findings to explore the possibility that "the sequence of encrypted packet sizes and inter-arrival times during a streaming language model response contains enough information to classify the topic of the initial prompt, even in the cases where responses are streamed in groupings of tokens," per Microsoft.

    To test this hypothesis, the Windows maker said it trained a binary classifier as a proof-of-concept that's capable of differentiating between a specific topic prompt and the rest (i.e., noise) using three different machine learning models: LightGBM, Bi-LSTM, and BERT.

    The result is that many models from Mistral, xAI, DeepSeek, and OpenAI have been found to achieve scores above 98%, thereby making it possible for an attacker monitoring random conversations with the chatbots to reliably flag that specific topic.

    "If a government agency or internet service provider were monitoring traffic to a popular AI chatbot, they could reliably identify users asking questions about specific sensitive topics – whether that's money laundering, political dissent, or other monitored subjects – even though all the traffic is encrypted," Microsoft said.

    Whisper Leak attack pipeline

    To make matters worse, the researchers found that the effectiveness of Whisper Leak can improve as the attacker collects more training samples over time, turning it into a practical threat. Following responsible disclosure, OpenAI, Mistral, Microsoft, and xAI have all deployed mitigations to counter the risk.

    "Combined with more sophisticated attack models and the richer patterns available in multi-turn conversations or multiple conversations from the same user, this means a cyberattacker with patience and resources could achieve higher success rates than our initial results suggest," it added.

    One effective countermeasure devised by OpenAI, Microsoft, and Mistral involves adding a "random sequence of text of variable length" to each response, which, in turn, masks the length of each token to render the side-channel moot.

    Microsoft is also recommending that users concerned about their privacy when talking to AI providers avoid discussing highly sensitive topics when using untrusted networks, utilize a VPN for an extra layer of protection, use non-streaming models of LLMs, and switch to providers that have implemented mitigations.

    The disclosure comes as a new evaluation of eight open-weight LLMs from Alibaba (Qwen3-32B), DeepSeek (v3.1), Google (Gemma 3-1B-IT), Meta (Llama 3.3-70B-Instruct), Microsoft (Phi-4), Mistral (Large-2 aka Large-Instruct-2047), OpenAI (GPT-OSS-20b), and Zhipu AI (GLM 4.5-Air) has found them to be highly susceptible to adversarial manipulation, specifically when it comes to multi-turn attacks.

    Comparative vulnerability analysis showing attack success rates across tested models for both single-turn and multi-turn scenarios

    "These results underscore a systemic inability of current open-weight models to maintain safety guardrails across extended interactions," Cisco AI Defense researchers Amy Chang, Nicholas Conley, Harish Santhanalakshmi Ganesan, and Adam Swanda said in an accompanying paper.

    "We assess that alignment strategies and lab priorities significantly influence resilience: capability-focused models such as Llama 3.3 and Qwen 3 demonstrate higher multi-turn susceptibility, whereas safety-oriented designs such as Google Gemma 3 exhibit more balanced performance."

    These discoveries show that organizations adopting open-source models can face operational risks in the absence of additional security guardrails, adding to a growing body of research exposing fundamental security weaknesses in LLMs and AI chatbots ever since OpenAI ChatGPT's public debut in November 2022.

    This makes it crucial that developers enforce adequate security controls when integrating such capabilities into their workflows, fine-tune open-weight models to be more robust to jailbreaks and other attacks, conduct periodic AI red-teaming assessments, and implement strict system prompts that are aligned with defined use cases.

    In aviation, getting more connected might take on a dangerous dimension.

    How to secure aviation’s connected systems

    There are three aspects to the aviation sector that assign it great value — IP and R&D; the human factor (e.g., talent, capacity); and finally, the connected IT systems (and their data) used to harness and scale the potency of moving people and things farther and faster.

    The interdependence between aircraft, airports and global supply chains comprise multiple complex connected systems. These include everything from scheduling software, flight planning systems, air traffic control and radar to engine lifecycle management and much more. What happens when any of these systems gets exposed digitally? It’s like a plane deploying a drag chute — everything slows down fast, sometimes to a complete halt, as safety protocols kick in or damage control begins.


    Key points of this article:

    • The complexity of connected systems found at airports and in aircraft means cybersecurity in aviation is more indistinct than it should be.
    • Internet-connected, cloud-based, and in general, third-party solutions or services within aviation supply chains that users aren’t fully in control of can considerably expand the attack surface.
    • In the face of this, airlines, airports, logistics firms and more should shape their cyber footprints with proactive prevention in mind first.
    • Prevention can entail anything from prioritizing the use of air-gapped and on-prem solutions, to full audits of third-party vendors and solutions in use.

    Top guns…

    When the first digital avionic systems such as FADEC started to be introduced in the late ‘60s and ‘70s, ARPANET, the predecessor of the internet, was still in its infancy. Driven by the need to win the Cold War, major U.S. aerospace companies like General Dynamics with fly-by-wire and Boeing with its first EFIS systems in use began to push the envelope to bring aviation to the forefront of technological innovation.

    These days, the internet is literally everywhere, and it has not only surpassed or consumed many aviation-specific technologies but largely dictates that most new approaches are fully digital. The European Union Aviation Safety Agency (EASA) describes aviation as a “system of systems,” which is very apt, and the crux of the problem, really. The interconnected nature of modern systems coupled with the software supply chains (including cloud) providing for subsets of apps and services served for and by aviation make for a potentially lethal mix of security gaps that not even the TSA could screen for.

    …and top threats

    Busy locations such as London Heathrow or Berlin Brandenburg Airport thrive on continuity — like most businesses, really. Ticketing, luggage terminals, aircraft software maintenance, air traffic control and more depend on proprietary cyber tech sourced from experienced aviation software developers to keep them chugging on with efficiency.

    That is, when things go well, which they often don’t. In September 2025, airports around the world found themselves ineffective when Collins Aerospace’s ARINC cMUSE software (Aeronautical Radio Incorporated, Multi User System Environment) used for passenger processing got disabled by a cyberattack. According to ENISA, ransomware is to blame, with yet (as of the writing of this article) unknown assailants disrupting the automatic check-in and boarding software, demanding a ransom in bitcoin.


    As the raison d’être of many aviation systems is to connect physical hardware (like planes) with digital systems (such as flight monitoring), it can result in a mess of interdependent systems from various vendors that can easily introduce visibility gaps when it comes to the cyber resilience of an airport’s infrastructure.

    This case clearly demonstrates the inherent reliance of airports on third-party software, with their operators unable to resolve said incident themselves, forced to go all manual to assist airlines and their passengers.


    However, connected systems are just one part of the issue. As threats can vector from multiple sides (including insiders), and target various, even human-life-critical systems, there’s a broader set of concerns to consider.

    Live servicing and dependencies

    It can be difficult to address bugs and vulnerabilities in externally procured software and services. Cloud software notoriously extends the attack surface, taking away opaque bits of control from in-house IT or SOC teams, delaying comprehensive remediation — exemplified by the ARINC cMUSE outage, or even the recent Salesloft Drift case.


    Saleslo(s)t

    Through August 2025, UNC6395 has compromised hundreds of organizations over a digital supply-chain attack involving the Salesloft Drift software. By targeting the cloud-based service’s integration with major customer systems via OAuth tokens — which allow Drift to connect securely with those systems — the attackers were able to steal the tokens and exploit the trusted access to infiltrate connected environments.

    ESET Research is also aware of the tenuous nature of aviation systems. In 2020, our researchers highlighted Operation In(ter)ception, in which attackers, likely from the North Korea-aligned Lazarus APT group, targeted high-profile aerospace and military companies by means of social engineering, sending bogus job offers to commit espionage, or to monetize access to the victims’ accounts. Among the malicious profiles used to lure in unaware victims were impersonated accounts of companies like Collins Aerospace.


    It's all connected

    You might say, “Well, they didn’t seem to focus on connected systems, but instead targeted the employees!” and you’d be right. However, social engineering can quickly supply an attacker with initial access, after which they’d be free to move within a compromised network to do as they please — like locking down systems with ransomware.

    Secure in the clouds and down below

    Resilience against disruptions is found in early prevention. How? Here are a few tips:

    • Before anything, check your region’s local aviation security frameworks and standards, such as the EU’s EASA rules or global standards set by ICAO. These rules create an expected baseline for aviation security.
    • Further resilience can be found in auditing your supply chain. Create a visible inventory of your suppliers, check their compliance, inquire about their incident response strategy, and establish a direct line of communication to their customer service teams for a fast response in case things go wrong.
    • Teach your employees awareness. Anyone working in the aviation industry is a high-value target due to their access to exploitable connected systems. Look for cybersecurity awareness programs that consider advanced threats like spearphishing to up your employees’ cyber game level.
    • Consider Zero Trust. Awareness might not be enough — enforce identity-based verification and curtail access to connected systems based on a “need to know” basis. This way, you can make an attacker’s attempt at lateral movement much more difficult.
    • Air-gap and put critical systems on-prem. Segment off mission-critical systems from the internet to prevent cross-contamination. There’s no reason why flight monitoring or various aircraft diagnostics tools should have to have online access. In the same vein, having important systems run on-prem can prevent cloud-vectored exploits from disrupting your operations.
    • Monitor your environment. Use AI-native detection and response solutions, or better yet, a managed service to quickly detect and respond to system anomalies that could result in large-scale incidents.

    Connecting the dots

    In aviation, safety has always been paramount — and in the digital age, cybersecurity is simply an extension of that principle. As connected systems continue to evolve and integrate deeper into aviation’s core operations, the industry must prioritize cybersecurity and use it as a guiding principle when implementing mission-critical connected systems.

    Whether through air-gapping, on-prem deployments, Zero Trust, or rigorous supply-chain audits, the goal remains the same: to ensure that the gears and engines of global aviation keep on turning.


    How to secure aviation’s connected systems
    The complexity of connected systems found at airports and in aircraft means cybersecurity in aviation is more indistinct than it should be.
    www.eset.com

    Today, in our latest APT Activity Report, we reveal a spearphishing campaign that impersonates ESET and tried to abuse our good reputation with Ukrainian organizations.

    Conducted by the Russia-aligned actor InedibleOchotense, the campaign used emails and messages on Signal with links to ESET-themed malicious websites that delivered a trojanized ESET installer. If executed, the downloaded ZIP archive contained ESET’s legitimate AV Remover tool and the Kalambur backdoor malware.

    But that is not all for Russia-aligned threats. The report also details several campaigns by RomCom exploiting two chained zero-days in Mozilla and Windows and another zero-day in WinRAR.



    While Gamaredon continued with its typical high-volume activity targeting Ukraine, we also observed a far more atypical behavior - a first known instance where they cooperated with Turla. This observed collaboration is especially striking considering that Russian intelligence services are known for their fierce internal rivalries.

    At the same time, China-aligned APT groups did not sit idly by. FamousSparrow, a China-aligned group, was particularly active against governmental entities in at least five Latin American countries. This sudden change in their victimology - formerly we’ve observed their activity in the Americas but mostly north of the Equator - could be part of China’s reaction to recent US initiatives in the region.

    That's why I really dislike the Dutch kitchen: all so uninspiring, no taste, no appetite to eat this.

    There is no love in the Dutch Cooking.

    Gladly we do not eat Dutch food here in our family.

    Dutch food (example): Stamppot

    Andijviestamppot met spekjes


    What we eat (example): Nasi Lemak

    Malaysian Food: 18 Traditional and Popular Dishes to Try

    Boba Tea:

    Boba bubble tea with milk | KitchenAid BE


    So the decision on what to eat is easy: Chinese and Malaysian!