Cyberthreat

Radware Uncovers Server Side Attack Targeting ChatGPT Known as Shadowleak

Researchers at Radware uncovered a server-side data theft attack targeting ChatGPT, termed as ShadowLeak. The experts discovered the zero-click vulnerability in ChatGPT’s Deep Research agent when connected to Gmail and browsing.

In this attack type ‘Service-side’ pose greater risk as enterprise defenses cannot detect exfiltration because it runs from the provider’s infrastructure.

ShadowLeak a Server side attack

For any normal user there would be no visible signs of data loss as the AI agent acts as a trusted proxy, sending sensitive data to attacker-controlled endpoints. These server-side requests face fewer URL restrictions, letting attackers export data to virtually any destination.

Shadowleak is an uncovered security flaw affecting ChatGPT’s Deep Research Agent. Which can connect to services like Gmail to help users analyze their emails.

Attackers could hide invisible instructions in a regular looking email. When the user asked ChatGPT to review their mailbox contents selecting deep research.

Vulnerability Details

ChatGPT’s Deep Research Agent was vulnerable because it could be tricked into following hidden instructions that were inside a seemingly ordinary email. When users ask the agent to analyze their inbox, any attacker can craft the message with invisible commands and cause AI to leak private data without warning.

These hidden instructions used tricks to fool the AI and get around its built-in safety checks. Some of those tricks included:

Pretending to Have Permission: The prompt told the agent that it had “full authorization” to access outside websites, even though it didn’t.

Hiding the Real Purpose: It disguised the hacker’s website as something safe sounding, like a “compliance validation system.”

Telling the Agent to Keep Trying: If the AI couldn’t reach the attacker’s website the first time, the prompt told it to try again helping it sneak past any temporary protections.

Creating Urgency: The prompt warned the agent that if it didn’t follow the instructions, it might not complete the report properly pushing it to obey.

Hiding the Stolen Info: The agent was told to encode the personal data using Base64, which made the data harder to spot and helped hide the theft.

After reading the fake email, the agent would go look through the user’s real emails (like HR messages) and find personal info such as full names and addresses.

Without alerting the user, the AI would send that information to the attacker’s server, happening silently in the background, with no warning or visible signs.

This attack is not limited only to Gmail, also applies to any data sources Deep Research accesses, including Google Drive, Dropbox, Outlook, Teams and more. Any connected service that feeds text into the agent can pose a risk to hidden prompts, making sensitive business data vulnerable to exfiltration.

Source: radware.com

Attack Flow

Step	Description
Malicious Email Crafting	Attackers create a legitimate email embedded with hidden, invisible prompt instructions to extract sensitive data. Use social engineering and obfuscation.
Email Delivery and Receipt	The victim receives the email in Gmail without needing to open it; hidden commands are present in the email’s HTML body.
User Invokes Deep Research	The victim asks ChatGPT’s Deep Research Agent to analyze their inbox or specific emails, triggering the agent’s activity.
Parsing Hidden Instructions	The agent reads and interprets the hidden malicious prompt embedded within the attacker’s email.
Extraction of Sensitive Data	Following the instructions, the agent locates and extracts personal information like names and addresses from real emails.
Data Exfiltration to Attacker	The agent uses internal tools to send the extracted, often Base64-encoded data to an attacker-controlled external server.
Victim Remains Unaware	The entire process happens silently on OpenAI’s servers with no visible alerts or client-side traces for the user or admins.

Why It’s Effective

This “zero-click” attack happened entirely on OpenAI’s servers, where traditional security tools couldn’t detect or stop it, and victims never saw any warning. OpenAI was informed by radware security team in June 2025 and OpenAI fully patched the issue by September.

The attack runs silently in a trusted cloud environment, invisible to users and traditional security tools.

It tricks the AI into repeatedly sending encoded sensitive data, bypassing safety checks and ensuring successful data theft. This stealthy, zero-click nature means no user interaction is required, making detection extremely difficult and allowing the attacker to exfiltrate data unnoticed over extended periods.

Recommendations:

Here are some recommendations below

Email Sanitization: Normalize and strip hidden or suspicious HTML/CSS elements from emails before they are processed by AI agents. This reduces the risk of hidden prompt injections.

Strict Agent Permissions: Limit AI agent access only to the data and tools necessary for its tasks, minimizing exposure to sensitive information.

Behavior Monitoring: Continuously monitor AI agent actions and behavior in real time to detect anomalies or actions deviating from user intent.

Regular Patch Management: Keep AI tools, connectors and integrated systems up to date with the latest security fixes and improvements.

Awareness and Training: Educate users and administrators about the types of attacks AI agents are vulnerable to, fostering vigilance and quick incident response.

Conclusion

The ShadowLeak vulnerability underscores the critical risks posed when powerful AI tools operate without sufficient safeguards. By hiding secret commands inside emails, attackers were able to steal personal information without the user knowing.

This case highlights the need for strong safety measures, including limiting AI access to sensitive information, sanitizing inputs to prevent hidden commands, and continuously monitoring agent behavior to detect anomalies.

As more AI tools are used, it’s important to keep strong security controls and oversight to use these technologies safely and protect sensitive data from new threats.

References:

https://www.radware.com/blog/threat-intelligence/shadowleak/

https://cybersecuritynews.com/0-click-chatgpt-agent-vulnerability/

Increased Funding on Cyber Offensive operation against Cyber Defense budget cut by Trump Admin; How wise a decision? Lets explore

Major new legislation commits over $1billion to US cyber offensives. Defining Cyber-offensive operations will include exploiting flaws in software or hack devices or deploy spyware.

This also include collecting internet traffic data and may involve targeted cyberattacks using zero-day exploits. Organizations often build the necessary infrastructure for such activities or gathers Intelligence as a part of these activates.

Trump administration, through the Department of Defense, has announced plans to spend $1 billion over four years on “offensive cyber operations.”

Along side recently the Trump regime announced that cyber offensive operation against Russia will be paused, highlighting that US govt now focuses mainly on China, moving away from eastern Europe.

It’s not clear what tools or software would qualify, but the legislation notes that the funds would go towards enhancing and improving the capabilities of the US Indo-Pacific Command, potentially focusing on the US’s biggest geopolitical rival, China.

The ongoing trade war with China is one of the main reason for Trump regime to shift focus from Russia , and in recent months security researchers have seen Chinese state hackers linked to People’s Liberation Army and the Ministry of State Security target companies in the fields of robotics, artificial intelligence, cloud computing and high-end medical device manufacturing.

The legislation does not provide detailed information on what “offensive cyber operations” entail or which tools and software will be funded. The investment comes at a time when the U.S. has simultaneously reduced its cybersecurity defense budget by $1 billion. Few months back we witnessed how the US Cybersecurity and Infrastructure Security Agency (CISA) reaffirmed its commitment to defending against all cyberthreats after budget cuts was announced.

Over 1,000 CISA staff have departed since early 2025 through a combination of layoffs, buyouts, and voluntary resignations. What remains is a hollowed-out workforce facing rising cyber threats with fewer tools and teammates.

CISA maintained although the continued efforts to undermine and weaken cybersecurity teams capabilities, however counter-productive that may be in protecting US infrastructure.

Senator Ron Wyden has concerns. “Vastly expanding U.S. government hacking is going to invite retaliation — not just against federal agencies, but also rural hospitals, local governments and private companies who don’t stand a chance against nation-state hackers,” Wyden told the news site.

The US administration simultaneously enacted cuts to the nation’s cybersecurity defense allocations, by slashing $1 billion from the U.S. cyber defense budget. The cuts pose a significant risk as the country faces increasing cyber threats, particularly from Chinese adversaries.

However, the move to a more offensive cyber stance has been critiqued by Democratic Senator and Senate intelligence committee member Ron Wyden, who said that the offensive strategy, combined with Trump and DOGE’s massive cuts to defensive cyber operations such as slashing the budget and the termination of staff from the US Cybersecurity and Infrastructure Security Agency (CISA), only invites retaliation from the US’ largest geopolitical rival.

“The Trump administration has slashed funding for cyber security and government technology and left our country wide open to attack by foreign hackers,” Wyden told TechCrunch.

How wise decision it is to cut cyber defense budget while increasing Cyber offensive spending?

The layoffs at CISA have led to concerns the U.S. is less well protected against cyber threats from the likes of China, Russia and Iran.

Obviously there will be reduction in capacity to defend against cyberattacks, especially large-scale coordinated campaigns. The federal government has inadvertently provided adversaries with a map of its blind spots by scaling back critical cybersecurity programs.

This increase in budget for Cyber offensive operation is seen as an aggressive push and might provoke retaliatory attacks on vulnerable targets, such as local governments and healthcare entities. According to the report, the bill does not specify what the “offensive cyber operations” are or what software would qualify for funding.

At the same time The Trump administration has halted US offensive cyber operations against Russia, sparking concerns over national security and potential Russian cyber threats.

The Trump administration is well aware of the nation state attack and advance techniques cyber adversaries adopt to, a national threat to infrastructure security that cannot be compromised.

Every year there has been increase in cyber security budget if we take a look at from 2017 to 2024. The US government civilian agencies spent more on cybersecurity in each successive year than they did the prior year.

(Source: https://techcrunch.com)

Soucrce: Trump seeks unprecedented $1.23 billion cut to federal cyber budget | CSO Online

High-Severity Linux Kernel Flaw Exposes Systems to Root-Level Attacks

Security advisory: Linux Kernel Flaw raised from vulnerability related to improper memory handling when the splice() function is called. Specifically, the kTLS code fails to correctly update the internal accounting of the plaintext scatter-gather buffer, leading to an out-of-bounds memory write flaw.

OEM	Linux
Severity	High
CVSS Score	7.8
CVEs	CVE-2025-21756
POC Available	Yes
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

A high-severity vulnerability (CVE-2025-21756) has been discovered in the Linux kernel’s Virtual Socket (vsock) implementation, allowing local privilege escalation to root via a use-after-free (UAF) condition caused by incorrect reference counting during socket binding operations.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Use-After-Free vulnerability	CVE-2025-21756	Linux kernel	High	7.8

Technical Summary

The kTLS subsystem in the Linux Kernel enables direct TLS encryption and authentication functions within the kernel, supporting secure communication for protocols like HTTPS, email, and other internet-connected applications.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-21756	Linux kernel (pre-6.6.79, 6.12.16, 6.13.4, and 6.14-rc1)	Improper handling of reference counts in vsock_remove_sock() leads to premature freeing of vsock objects. Attackers can exploit the Use-After- Free (UAF) by reclaiming free memory using crafted pipe buffers and leveraging unprotected tools like vsock_diag_dump() to leak kernel pointers.	Local privilege escalation to root and potential full system compromise.

CVE-2025-21756 is a use-after-free vulnerability in the Linux kernel’s vsock subsystem. It arises due to incorrect reference counter management during transport reassignment of sockets, leading to memory corruption and potential privilege escalation.

Affected systems are particularly exposed in virtualized environments where vsock is actively used.

Remediation:

Update Linux Kernel: Users should update their systems immediately with the latest kernel versions
Restrict Local Access: Until patches are applied, limit vsock use in shared environments and restrict local access where feasible.
Monitor for Exploitation Attempts: Watch for anomalies related to the vsock subsystem, including unexpected kernel panics or vsock socket activity.
Review Security Module Configurations: While AppArmor and similar LSMs offer partial protection, ensure they are enabled and correctly configured.

Conclusion:
CVE-2025-21756 poses a significant threat to Linux systems, particularly in cloud and virtualized environments. Its discovery and detailed analysis by Michael Hoefler revealed not only a critical vulnerability but also advanced exploitation techniques capable of bypassing protections like AppArmor and KASLR.

Given the existence of public proof-of-concept code and reliable attack paths, organizations must prioritize patching and mitigation to avoid root-level compromise.

References:

Deepfake’s pose a Challenge as Cyber-risk Increase

The Digital world is witnessing constant increase in threats from Deepfakes, a challenge for cyber leaders as cybersecurity related risk increase and digital trust.

Deepfakes being AI generated is much used by cybercriminals with intentions to bypass authenticated security protocols and appears realistic but fakes, often posing challenges to detect being generated via AI. We have three types of Deepfakes i.e. voice fakes or Audio, Deep Video maker fakes and shallow fakes or editing software like photoshop.

Growing Cyber Risk due to Deep Fakes

Due to these Deep fakes , which are quiet easier and more realistic to create, there has been deterioration of trust, propagation of misinformation that can be used widely and has potential to damage or conduct malicious exploitation across various domains across the industry verticals.

The cybersecurity industry has always came forward and explained what can be potential risk posed by Deep fakes and possible route to mitigate the risks posed by deepfakes, emphasizing the importance of interdisciplinary collaborations between industries. This will bring in proactive measures to ensure digital authenticity and trust in the face of evolving cyber frauds.

Failing to recognize a deep fake pose negative consequence both for individuals and organizational risk and this can be unable to recognize audio fakes or video fakes. The consequences can be from loss of trust to disinformation. From negative media coverage to falling prey to potential lawsuits and other legal ramifications and we cannot undermine cybersecurity related threats and phishing attacks.

There are case when Deep fakes have been ethically used but the numbers are less compare to malicious usage by cyber criminals. Synthetic media also termed as Deep fakes are created using deep learning algorithms, particularly generative adversarial networks (GANs).

These technologies can seamlessly swap faces in videos or alter audio, creating hyper-realistic but fabricated content. In creative industries, deepfakes offer capabilities such as virtual acting and voice synthesis.

Generative Adversarial Networks (GANs) consists of two neural networks: a generator and a discriminator.

Generator: In this case the network creates synthetic data, such as images or videos from any random sound alert and mimic real data.

Discriminator generally evaluates the generated content against real data.

Deepfakes uses deep learning algorithms to analyze and synthesize visual and audio content which are painful task to determine the real ones, posing significant challenge to ethical security concerns.

While posing threats Deep fakes also provide another gateway for cyber attack specifically Phishing attacks. Tricking victims or impersonating an individual or an entity may open doors for revealing sensitive information and threat to data security.
The audios created via Deepfake could be used to bypass voice recognition systems giving attackers access to secure systems and invading personal privacy.

Uses cases in Deepfakes to understand the reach and impact:

Scammers and Fraudsters can benefit as Deepfakes can develop audio replication and use them for malicious intent like asking financial help from individuals they encounter or voice clone as some important person and demand or extort money.

Identity Theft is often overlooked and this impacts mostly financial institutions and scammers can easily bypass such authentication by cloning voices. Scammers also may easily develop convincing replicas of government ID proofs to gain access to business information or a misuse it as a customer.

Fusing images of high profile public figures with offensive images by employing deepfake technology without their knowledge by criminals and hackers are growing each day . This kind of act can eventually lead to demanding money by cyber criminals or face consequences leading to defaming.

Conspiracy against governments or national leaders by faking their image or creating false hoax where the image or voice is used by cyber criminals often hired by opposing systems in place to disturb peace and harmony and also sound business operations.

Email are the key entry point for cyberattacks and presently we see deepfake technology being used by cyber criminals to create realistic phishing emails. These emails bypass conventional security filters an area we cannot afford to neglect.

How will you detect Deep fakes?

Few technicalities are definitely there that may not be recognizable but there are few minute and hairsplitting details.

In Video fakes its often seen no movement in the eye or unnatural facial expression. The skin colour may be sightly different and in-consistent body positioning including the mismatch lip-syncing and body structure and face structure not similar as what we used to witness or accustomed viewing.

Being a grave concern from cyber security perspective its important to remain alert on new evolving technologies on Deep fakes and know their usage to defend on all frontiers both at individual and organizational level.

As Deep fakes are AI driven and rising phishing attacks that imbibe deep fakes pose a challenge where in mostly social media profile are used. The available AI-enabled computers allow cybercriminals to use chatbots no body can detect as fake.

Mitigating the Digital Threat

Organizations or individuals require robust security measures to implement AI-based security solutions and develop improved knowledge of phishing methods in order to tackle the digital threat.

Remaining proactive in all level of cyber security to navigate the complex challenge of Deep fakes is important, while Deep fakes defiantly poses strong technical challenge but proactive cybersecurity practices can stop cybercriminals from luring victims in their trap.

Government bodies and tech institutions or organizations that are tech savy to have more collaborative efforts to recognize deep fakes and effectively deal with challenges.
The various regulations and more recently the DORA (Digital Operational Resilience Act ), will help navigate these challenges as more investments in open sources security will rise by countries and organizations.

Major investments in AI-driven detection tools are being soughed after at enterprise level, those having stronger authentication mechanisms and improved digital literacy are critical to mitigating these emerging threats.

Investing in Email security service that offers automated protection will assist in blocking major phishing attempts
As per KPMG report, Deepfakes may be growing in sophistication and appear to be a daunting threat. However, by integrating deepfakes into the company’s cybersecurity and risk management, CISOs in assosiations with CEO, and Chief Risk Officers (CRO) – can help their companies stay one step ahead of malicious actors.

This calls for a broad understanding across the organization of the risks of deepfakes, and the need for an appropriate budget to combat this threat.

If Deepfakes can be utilized to infiltrate an organization, the same technology can also protect it. Collaborating with deepfake cybersecurity specialists helps spread knowledge and continually test and improve controls and defenses, to avoid fraud, data loss and reputational damage.

BISO Analytics:

We at Intruceptlabs have a mission and that is to protect your organization from any cyber threat keeping confidentiality and integrity intact.

We have BISO Analytics as a service to ensure business continues while you remain secured in the world of cybersecurity. BISO’s translates concepts and connects the dots between cybersecurity and business operations and functions are in synch with cyber teams.

Sources: https://kpmg.com/xx/en/our-insights/risk-and-regulation/deepfake-threats.html

AI-Driven Phishing And Deep Fakes: The Future Of Digital Fraud

Cyberespionage Group Blind Eagle Infects 1,600 Orgs in Colombia

URL manipulation attack; An agile attack methodology

High-Severity RCE Vulnerability in WinDbg (CVE-2025-24043)

Security Advisory

A high-severity remote code execution (RCE) vulnerability exists in Microsoft’s WinDbg debugging tool and related .NET diagnostic packages.

The vulnerability poses severe supply chain risks, as WinDbg is widely embedded in CI/CD pipelines and enterprise developer toolchains.

Compromised debugging sessions could lead to lateral movement across networks, credential theft, persistent backdoor injections, and disruption of crash dump analysis workflows.

Microsoft confirmed no viable workarounds other than immediate patching, as the lack of certificate pinning in the affected packages worsens the risk, enabling attackers to leverage forged or stolen Microsoft Authenticode certificates.

OEM	Microsoft
Severity	HIGH
CVSS	7.5
CVEs	CVE-2025-24043
Publicly POC Available	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

This issue is caused by insufficient validation of cryptographic signatures in the SOS debugging extension, potentially allowing attackers with network access to execute arbitrary code. Microsoft has released patches to address the vulnerability.

Vulnerability Name	CVE ID	Product Affected	Severity
Remote Code Execution Vulnerability	CVE-2025-24043	Microsoft Windows	High

Technical Summary

The vulnerability arises from the SOS debugging extension’s failure to properly validate cryptographic signatures during debugging operations.

This enables attackers with authenticated network access to inject malicious debugging components, leading to arbitrary code execution with SYSTEM privileges. The attack vector leverages NuGet package integrations in Visual Studio and .NET CLI environments, increasing the risk of supply chain compromises.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-24043	WinDbg and associated .NET diagnostic packages	Flaw in cryptographic signature validation in the SOS debugging extension allows tampered components to be loaded.	Arbitrary code execution

Remediation:

Update Affected Packages: Ensure that all instances of affected NuGet packages are updated to the latest patched versions. Refer to the table below for the affected and patched versions.

Upgrade WinDbg: Make sure that WinDbg is updated to the most recent release available.

Audit Dependencies: Review all .NET Core project dependencies to identify and replace vulnerable packages.

Monitor Network Activity: Implement monitoring for any suspicious network activity related to windbg.exe.

Enforce Security Policies: Apply security policies, such as Windows Defender Application Control, to prevent the execution of unsigned debugging components.

The table below outlines the affected and patched versions of the relevant packages:

Package Name	Affected Version	Patched Version
dotnet-sos	< 9.0.607501	9.0.607501
dotnet-dump	< 9.0.557512	9.0.607501
dotnet-debugger-extensions	9.0.557512	9.0.607601

Conclusion:

CVE-2025-24043 highlights the need to secure developer toolchains, as debugging environments are becoming more targeted in cyberattacks. Organizations using .NET diagnostics should quickly apply patches and implement strict security measures to reduce the risk of exploitation. With no effective workarounds available, postponing remediation heightens the chances of an attack. Prompt action is essential to safeguard critical development and production environments.

The security impact extends beyond developers, as the exploitation of debugging tools could facilitate attacks on production infrastructure.

Additional security measures include certificate transparency logging for NuGet packages and enforcing Windows Defender Application Control (WDAC) policies to restrict unsigned debugger extensions. While no active exploits have been reported, the patching window is critical, and organizations using .NET diagnostics must act immediately before threat actors weaponize the vulnerability.

References:

https://cybersecuritynews.com/microsoft-windbg-rce-vulnerability/

https://github.com/dotnet/diagnostics/security/advisories/GHSA-hpw7-8qpc-34p3

https://securityonline.info/windbg-remote-code-execution-vulnerability-cve-2025-24043-exposes-critical-security-risk/

Convergence of IT & OT in Manufacturing witness Increased Cyber Attacks

Increasing cyberattacks on Industry 4.0

Critical WordPress Security Flaw in Everest Forms Plugin

UAE Cyber Security Council has observed a critical vulnerability in Everest Forms WordPress
plugin

AI Reshaping Roadmap for Cyber security

Can Gen AI Transform Organizations Cyber Posture

Users of WhatsApp Exposed to Sophisticated Spyware Attack

The recent Spyware attack on WhatsApp users is linked to Israeli surveillance firm Paragon Solutions that targets journalists, activists, and civil society members using sophisticated “zero-click” hacking methods that require no user interaction.

Attack Confirmed By Meta

Meta, the parent company of WhatsApp, has officially acknowledged the attack, stating that the messaging platform was compromised by hackers deploying spyware. Following multiple reports of breaches, Meta informed Italy’s National Cybersecurity Agency, confirming that about 90 users across 24 countries were targeted.

The spyware attack came to light when Luca Casarini, a migrant rescue activist and co-founder of Mediterranea Saving Humans, and investigative journalist Francesco Cancellato, received an alert from WhatsApp, notifying their device had been infiltrated by spyware.

What is Spyware and what makes Spyware attack special?

Spyware is one of the most commonly used cyberattack methods used by hackers and makes it difficult to trace and identify by users and does some serious harm to networks. These data are used to track, steal, and sell user data, such as internet usage, credit card, and bank account details, or steal user credentials to spoof their identities.

As per Fortinet, Spyware is malicious software that enters a user’s computer, gathers data from the device and user, and sends it to third parties without their consent. A commonly accepted spyware definition is a strand of malware designed to access and damage a device without the user’s consent.

How Zero-Click Hacking affect our Online Digital device

The Zero click hacking techniques was stunning for users which is not traceable

Unlike any other phishing attacks that require users to click on malicious links. In this method attackers infect a device without any action from the user. Such advanced tactics enable surveillance on a large scale, posing severe risks to privacy and security worldwide.

The revelation has reignited global concerns over digital espionage and unauthorized surveillance. Cybersecurity experts warn that the attack on WhatsApp underscores the vulnerabilities present in even the most widely used communication platforms. As investigations continue, users are urged to update their software regularly and remain vigilant against potential cyber threats.

Mobile spyware typically attacks mobile devices through three methods:

Flaws in operating systems: Attackers can exploit flaws in mobile operating systems that are typically opened up by holes in updates.
Malicious applications: These typically lurk within legitimate applications that users download from websites rather than app stores.
Unsecured free Wi-Fi networks: Wi-Fi networks in public places like airports and cafes are often free and simple to sign in to, which makes them a serious security risk. Attackers can use these networks to spy on what connected users are doing.

Significant Cyber threat of Spyware

The Spyware attack left users fall prey to online digital attack and question on govt. surveillance which was taken seriously by Italy.Over the years Spyware infected millions of devices, stealing sensitive information.

Some of the most devastating spyware cases helps us understand how serious this threat can be.

Pegasus — Spyware Behind Global Surveillance Scandals

Pegasus — developed by Israeli tech firm NSO Group — is the most high-profile spyware ever created. While it was originally marketed as a tool for governments to combat terrorism and criminal activities, it has become infamous for its misuse.

Reports have revealed that Pegasus has been used to monitor journalists, activists, and political figures, raising serious concerns about privacy and human rights violations. Its ability to infect devices without any user interaction makes it especially dangerous and difficult to detect.

FinSpy (FinFisher) — Government Tool for Full Device Control

FinSpy, also known as FinFisher, is a spyware tool developed by Gamma Group, a company based in Germany. Initially marketed to governments and law enforcement agencies as a way to combat crime and terrorism, FinSpy has been linked to unauthorized surveillance and there is concern about its use by oppressive regimes. The spyware is capable of targeting multiple platforms, including Windows, macOS, and Linux, making it versatile and difficult to escape.

GravityRAT — Cross-Border Espionage Targeting India

GravityRAT spyware was initially designed to target individuals in India. It’s believed to be linked to cyber espionage efforts originating from Pakistan. Its primary goal is to steal sensitive information, including files, contact lists, and user data.

GravityRAT typically spreads through phishing emails that trick users into downloading malicious attachments. Once the victim opens the file, the spyware silently installs itself, granting attackers control over the infected device.

DarkHotel — Targeting Business Travelers Through Hotel Wi-Fi

DarkHotel is a sophisticated spyware campaign that’s been active for over a decade, primarily targeting business travelers staying in luxury hotels. Discovered in 2007, this Advanced Persistent Threat (APT) has affected high-profile executives, government officials, and corporate leaders. The attackers aim to steal sensitive business information, like trade secrets and confidential documents, while victims are connected to hotel Wi-Fi networks.

Agent Tesla — Password and Keystroke Thief for Hire

Agent Tesla is technically classified as a Remote Access Trojan (RAT) and keylogger, though it has spyware-like functionalities. First discovered in 2014, Agent Tesla has gained notoriety for its ability to steal sensitive information, such as login credentials, keystrokes, and clipboard data. It can also take screenshots and extract information from email clients, web browsers, and other applications, making it a powerful tool for cybercriminals.