Chrome 0-Day, Ivanti Exploits, macOS Stealers, Crypto Heists, etc.

37 Min Read

Everything feels safe until something small slips in. A missed check or a misused but trusted tool can bring down even a robust system. Most threats don’t start with an alarm. They sneak in through the small things we overlook: minor bugs, reused passwords, quiet connections. That’s all it takes.

Staying safe isn’t just about responding quickly. It’s about catching these early signs before they explode into real problems. That’s why this week’s update matters. From stealth tactics to unexpected entry points, the stories below show how quickly risks spread and what smart teams are doing to stay ahead. Let’s jump in.

⚡This week’s threat

US disrupts N. Korea’s IT worker scheme – US authorities have announced coordinated actions against North Korea’s IT worker scheme, in which thousands of North Koreans using fake identities have been hired as remote IT workers by businesses based in the West and elsewhere in the world. Prosecutors said the workers not only collected salaries for the regime but also stole confidential data and looted cryptocurrency, in one incident targeting an unnamed blockchain company in Atlanta. North Korean IT staff were found to have worked for more than 100 US companies. Authorities conducted 21 searches in 14 states last month, following searches conducted in October 2024 at eight locations across three states. In at least one case, North Korean IT workers accessed “confidential employer data and source code, including International Traffic in Arms Regulations (ITAR) data,” after being hired by a California-based defense contractor developing AI-powered equipment and technologies. Together, the coordinated actions have led to one arrest, the seizure of 21 web domains and 29 financial accounts used to launder tens of thousands of dollars, and the seizure of nearly 200 laptops and remote access devices, including KVM devices. The US State Department is offering rewards of up to $5 million for information that leads to the “disruption of the financial mechanisms of persons engaged in certain activities that support North Korea.” The workers are said to have not only used falsified identities to get hired by Western tech companies but also used the stolen identities of “more than 80 Americans” to pose as US citizens working for over 100 US companies, with the proceeds funneled to the Kim regime.

🔔Top News

  • Chinese threat actors exploit Ivanti flaws to target French organizations – A China-linked intrusion set known as Houken targeted many entities spanning the French government, telecommunications, media, finance and transportation sectors in early September 2024. The attacks were observed to deploy PHP web shells and kernel rootkits, and in some cases even patched the exploited vulnerabilities. Houken is assessed to be an initial access broker that gains a foothold on target networks and is suspected of passing that access to other threat actors for post-exploitation activity.
  • New Chrome 0-day exploited in the wild – Google has released a security update to address a type confusion flaw in the Chrome web browser. The exact nature of the attacks is currently unknown, but the flaw is believed to have been exploited in highly targeted attacks, given that it was discovered by Google’s Threat Analysis Group (TAG), which specializes in detecting government-backed attacks. The issue is patched in version 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux.
  • US sanctions Russian bulletproof hosting provider Aeza – The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Aeza Group, a Russia-based bulletproof hosting (BPH) service provider, for providing the infrastructure that enabled stealer malware and ransomware families such as BianLian, RedLine, Meduza and Lumma. Three of the company’s subsidiaries and four key individuals associated with them have also been sanctioned. These include Aeza Group CEO Arseni Aleksandrovich Penzev, general director Yurii Meruzhanovich Bozoyan, technical director Vladimir Vyacheslavovich Gast, and Igor Anatolyevich Knyazev.
  • NightEagle targets the AI and military sectors in China – A previously undocumented threat actor known as NightEagle has been observed leveraging a zero-day exploit chain in Microsoft Exchange to deliver the Go-based Chisel utility and steal mailbox data from compromised accounts. The threat actor, believed to be active since 2023, targets China’s high-tech, chip and semiconductor, quantum technology, artificial intelligence and military verticals, according to QiAnXin’s RedDrip Team. The disclosure comes shortly after another spear-phishing campaign, dubbed DragonClone, singled out Chinese telecom companies to deliver VELETRIX and VShell. The phishing email, Seqrite Labs said, carries a malicious ZIP archive containing legitimate binaries and a malicious DLL file, and uses DLL sideloading to launch the VELETRIX loader. The malware is designed to load shellcode for VShell, an adversary simulation framework, directly into memory. The use of VShell is notable because it is widely adopted by various Chinese hacking groups to target Western organizations. Seqrite Labs said the activity shares tactical similarities with Earth Lamia and UNC5174, indicating that the campaign is likely the work of a Chinese group.
  • North Korea targets crypto businesses with Nim malware – The North Korean threat actor tracked as BlueNoroff is deploying new techniques to infect crypto businesses with macOS malware designed to steal credentials from web browsers, iCloud Keychain data and Telegram application data. The attackers impersonate a victim’s trusted contact, invite them to a Telegram chat, and lure employees of Web3 and crypto-related organizations into installing Nim-compiled macOS malware through a fake Zoom software update under the pretext of setting up a meeting. The fake update runs an AppleScript payload that delivers two Mach-O binaries, each kicking off an independent execution chain. One runs scripts to harvest data, while the other, compiled from Nim source code, sets up persistence on the host. Together, the two components handle data exfiltration and persistence.

Trending CVEs

Hackers jump quickly on newly discovered software flaws. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below is this week’s wave of high-risk vulnerabilities. Check the list, patch quickly, and stay one step ahead.

This week’s list includes CVE-2025-32462 and CVE-2025-32463 (Sudo), CVE-2025-20309 (Cisco Unified CM and Unified CM SME), CVE-2025-49596 (Anthropic MCP Inspector), CVE-2025-6554, CVE-2025-6191, and CVE-2025-6192 (Google Chrome), CVE-2025-5623, CVE-2025-5624, and CVE-2025-5630 (D-Link DIR-816 router), CVE-2025-49151, CVE-2025-49152, and CVE-2025-49153 (Microsens NMP Web+), CVE-2025-36630 (Tenable Nessus), CVE-2025-52891 (ModSecurity web application firewall), CVE-2025-48927 and CVE-2025-48928 (TeleMessage TM SGNL), CVE-2024-58248 (nopCommerce), a vulnerability in Apache Seata, CVE-2025-47812 (Wing FTP), CVE-2025-4404 (FreeIPA), CVE-2025-1735 and CVE-2025-6491 (PHP), CVE-2025-53367 (DjVuLibre), and CVE-2025-49826 (Next.js).

Around the Cyber World

  • Apple and Google app stores offer China-linked VPN apps – Both Apple’s and Google’s online stores offer free virtual private network (VPN) apps with hidden ties to Chinese companies, which could pose privacy risks. According to the Tech Transparency Project (TTP), there are 13 such VPN apps in Apple’s App Store and 11 in Google’s Play Store, seven of which are common to both. “VPNs are particularly concerning because, for anyone using a VPN, their entire online activity is routed through the application,” TTP director Katie Paul told NBC News. “For a VPN owned by a Chinese company, this means that data can be handed over to the Chinese government under Chinese state law.”
  • Scattered Spider uses Teleport for persistence – The infamous cybercrime group known as Scattered Spider is leveraging new persistence mechanisms, including the use of Teleport, an infrastructure access platform not previously associated with the threat actor. The findings show that the group weaponizes legitimate management tools to maintain persistent access to compromised networks. “After gaining admin-level cloud access, the attacker installed a Teleport agent on a compromised Amazon EC2 server to establish a persistent remote command-and-control (C2) channel,” Rapid7 said. “Teleport is a legitimate open-source tool for managing remote infrastructure, but it was adopted here for malicious purposes. This effectively gave the attackers persistent remote shell access to those cloud servers, even if their initial user credentials or VPN access was revoked, unlike custom malware, which a security tool could flag.”
  • Linux servers targeted by cryptominers – Poorly protected Linux servers, especially those with weak SSH credentials, are being targeted by threat actors to drop cryptocurrency miners and rope them into DDoS botnets. The attacks also lead to the deployment of proxy tools such as TinyProxy and Sing-box, allowing threat actors to establish persistence on the host. “Attackers can use the infected system as a proxy to hide in other attack cases or sell access to the proxy node for criminal profit,” AhnLab said. Another set of attacks singled out MySQL servers to deliver variants of Gh0st RAT, as well as other payloads such as AsyncRAT, the Ddostf DDoS botnet, XWorm, HpLoader, and even the legitimate remote control tool Zoho ManageEngine. XWorm has emerged as one of the most versatile and widely distributed remote access trojans in the current threat landscape, showing outstanding adaptability in its delivery mechanisms and establishing itself as a formidable tool in the cybercriminal toolbox. Recent attacks mounted by threat actors linked to China employ a trojanized MSI installer that poses as WhatsApp to deliver the trojan to users in East and Southeast Asia. “The attack chain includes encrypted shellcode embedded in image files, PowerShell scripts for persistence via scheduled tasks, and shellcode loaders,” Broadcom said. “The final payload is a modified XWorm RAT with enhanced abilities to detect Telegram and report infected systems via a Telegram-based mechanism.”
  • Iran’s IRGC Intelligence Group 13 detailed – The DomainTools Investigations (DTI) team sheds light on a shadowy entity called Intelligence Group 13, a covert cyber-strike unit that operates under Iran’s Islamic Revolutionary Guard Corps (IRGC) and engages in cyber espionage, industrial sabotage, and psychological warfare. Embedded in the Shahid Kaveh Cyber Group, Intelligence Group 13 powers CyberAv3ngers, an Iranian group that has been attributed with attacks targeting Israeli and US water authorities and SCADA systems. DTI said the group uses symbolic messaging designed to project defiance and exert psychological influence.
  • Open VSX used to distribute malicious VS Code extensions – Almost 200,000 developers have downloaded two malicious VS Code extensions from the Open VSX registry. Both extensions, named Solidity Language, scan for existing ConnectWise ScreenConnect remote desktop software and, if present, download and install a malicious version from an attacker-controlled server. The extensions have since been removed from the marketplace. The findings show once again that openness does not necessarily equate to safety. “The very openness that makes Open VSX attractive also introduces risks that the more curated VS Code Marketplace helps reduce,” said John Tuckner of Secure Annex.
  • New campaign distributes MassLogger malware – Encoded Visual Basic Script (VBE) files, likely distributed via phishing emails, are being used to deliver a sophisticated variant of MassLogger, a stealer that harvests data from Chrome browsers, logs keystrokes, captures clipboard content, and uploads files to remote servers. “Initially, this variant appeared to be a typical script-based threat, but deeper analysis revealed it was a multi-stage fileless malware that relies heavily on the Windows registry to store and run malicious payloads,” Seqrite Labs said.
  • Western companies take no action against Funnull – In May 2025, the US Treasury sanctioned Philippines-based Funnull for providing the infrastructure behind the supply chain attack on the widely used polyfill(.)io JavaScript library and for supporting romance baiting scams. However, a new analysis from Silent Push and cybersecurity journalist Brian Krebs found that many US tech companies still host accounts tied to Funnull’s administrator, Liu “Steve” Lizhi, including X, GitHub, LinkedIn, Facebook, Google Groups, Medium, PayPal, WordPress, Hugging Face, Gravatar, Vercel, and Flickr. The Facebook, GitHub, LinkedIn, and PayPal profiles have since been suspended or deleted.
  • Russian jailed for 16 years for pro-Ukraine cyberattack – A Russian national has been sentenced to 16 years in a high-security prison for launching a distributed denial-of-service (DDoS) attack on critical infrastructure in the country. Andrei Smirnov was arrested in the city of Belovo, Siberia, in 2023 and charged with treason. Russian officials said Smirnov joined the Ukrainian “cyber forces” and launched the attack at the request of Ukrainian intelligence agencies.
  • FileFix gets an upgrade – Security researcher mr.d0x has detailed a variant of FileFix, a spin on the popular ClickFix social engineering tactic, that allows malicious scripts to be executed while bypassing Windows’ Mark of the Web (MotW) protection by abusing the way web browsers handle saved HTML web pages. “When you save an HTML page using Ctrl+S or right-click > Save As,” the researcher said, “and the ‘Webpage, Single File’ or ‘Webpage, Complete’ type is selected, the downloaded file does not have a MotW. In addition, this behavior only applies if the saved web page has the MIME type text/html or application/xhtml+xml.” The new attack essentially attempts to trick the user into saving an HTML page (using Ctrl+S), renaming it to an HTML Application (.HTA) file, and opening it so that the commands embedded in its JavaScript run automatically at startup. In one possible attack scenario, the adversary designs a fake web page that prompts the user to press Ctrl+S and save the file as “MFABACKUPCODES2025.HTA” under the pretext of saving backup multi-factor authentication (MFA) codes. The victim is then instructed to open the HTA file so that the codes are “saved properly.” “The easiest way to prevent this technique from working is to prevent mshta.exe from running HTA files,” the researcher pointed out. “This is a good solution unless someone can use this technique with other file types.”
  • KeyMous+, a front for EliteStress? – The hacktivist group known as KeyMous+ has emerged as a key player in the cyber landscape, claiming responsibility for over 700 distributed denial-of-service (DDoS) attacks in 2025 alone. The group claims, according to Radware, to be made up of “North African hackers,” and its victim list extends to government websites, French and Indian telecom providers, financial platforms in Morocco and the UAE, educational institutions in Denmark, and manufacturing infrastructure in Israel. This seemingly random target selection, with no clear ideological agenda or enemies, sets it apart from traditional hacktivist groups. Moreover, the activity looks like a marketing persona for the DDoS-for-hire service known as EliteStress. The finding suggests that KeyMous+ may straddle the boundary between hacktivism and commercial ambition. It also highlights a new kind of threat actor whose motivations are opaque and driven more by profit, offering disruption as a service at the click of a button. The development comes as Intel 471 said it has identified two new pro-Kremlin hacktivist groups named TwoNet and IT Army of Russia. Both have been primarily involved in DDoS attacks and emerged earlier this year, but the latter has also been found to recruit insiders at critical infrastructure organizations in Ukraine.
  • .es TLD abuse surges 19-fold – Malicious campaigns launched from .es domains saw a 19-fold increase between the fourth quarter of 2024 and the first quarter of 2025, making .es the third most abused TLD behind .com and .ru. “This increase applies to both first-stage URLs (links embedded in emails or attachments) and second-stage URLs (sites visited after the embedded URL),” Cofense said. “These second-stage URLs typically host phishing pages or exfiltrate credentials, and they have seen the biggest increase in .es TLD abuse.” As of May, 1,373 subdomains across 447 .es-based domains were hosting malicious web pages. An interesting finding is that 99% of them are hosted on Cloudflare, and most of the phishing pages use Cloudflare Turnstile CAPTCHA. It is unclear whether Cloudflare’s recently introduced ability to deploy web pages via the command line on pages(.)dev, the ease of creating and deploying domains across its platform, or other reasons attracted threat actors to its hosting services, or how exactly they are abusing it.
  • The rise of malicious LNK files – Weaponization of Windows shortcut (LNK) files for malware distribution is up 50%, with malicious samples rising from 21,098 in 2023 to 68,392 in 2024, according to telemetry data collected by Palo Alto Networks Unit 42. “…unintentionally launching malware,” the Unit 42 researchers said.
  (Figure: Percentage of system targets for malicious file execution)
  • FBI investigates ransomware negotiator over extortion kickbacks – The US Federal Bureau of Investigation (FBI) is investigating a former employee of security company DigitalMint who allegedly took a cut of ransomware payments. According to Bloomberg, the employee assisted the company’s customers in negotiating ransoms during ransomware attacks. However, unknown to the company, the employee allegedly made secret deals with ransomware gangs and took a slice of the ransoms the customers ended up paying. DigitalMint said it fired the employee immediately after learning of the investigation and began notifying customers.
  • Cloudflare open-sources Orange Meets – Cloudflare has implemented end-to-end encryption (E2EE) in its video calling app Orange Meets and open-sourced the solution. The web infrastructure company said the solution is driven by a selective forwarding unit (SFU) and uses Messaging Layer Security (MLS) to establish end-to-end encryption for group communications. “To do so, we set up an MLS group, built a WASM (compiled from Rust) service worker that handles stream encryption and decryption, designed a new protocol for the group called the Designated Committer Algorithm, and formally modeled it in TLA+,” Cloudflare said.
  • Russia builds a database of known scammers – The Russian government has announced plans to build a database of known phone scammers that includes audio samples, phone numbers and caller IDs. Once the service launches on April 1, 2026, domestic mobile operators are expected to display fraud warnings on phone screens for calls from known fraud numbers. Audio recordings will be shared with law enforcement for possible investigations.
  • C4 bomb bypasses app-bound encryption in Google Chrome – Last year, Google introduced a security measure called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems. Stealers have since found ways to defeat this guardrail, and CyberArk has now detailed another method, known as the C4 (short for Chrome Cookie Cipher Cracker) attack, that allows cookies to be decrypted as a low-privileged user. “Besides that, this technique allowed us to exploit Google’s new security features to attack Windows machines and access data that would normally only be available to privileged SYSTEM users,” said security researcher Ari Novick. The technique essentially uses a padding oracle attack to brute-force the encryption, bypass SYSTEM DPAPI, and recover the cookie key. Following responsible disclosure in December 2024, Google introduced a “partial fix” for the padding oracle attack. However, it is disabled by default.
  • Exploitation attempts target flaws in Apache Tomcat and Camel – Malicious actors are probing servers running vulnerable versions of Apache Tomcat and Camel that have not been patched against CVE-2025-24813, CVE-2025-27636, and CVE-2025-29891 in an attempt to achieve remote code execution. Palo Alto Networks said it blocked 125,856 probe/scan/exploit attempts from over 70 countries related to these vulnerabilities in March 2025.
  • Let’s Encrypt starts issuing certificates for IP addresses – Let’s Encrypt began issuing certificates for IP addresses this month. These certificates are short-lived, valid for only six days, in line with the broader trend toward shorter certificate lifetimes. Potential scenarios where an IP address certificate may be needed include serving a hosting provider’s default page, accessing websites without domain names, securing DNS over HTTPS (DoH) services, protecting network-attached storage servers, and securing ephemeral connections within cloud hosting infrastructure.
  • Google open-sources privacy technique for age verification – As online services increasingly put up age verification barriers, Google has open-sourced its Zero-Knowledge Proof (ZKP) libraries to help people verify their age without giving up sensitive information. “In layman’s terms, ZKP allows people to prove something about themselves is true without exchanging any other data,” Google said. “For example, anyone visiting a website can verify that they are over 18 without sharing anything else.” The ZKP library, known as Longfellow ZK, is currently being vetted by independent academic and industry experts. The results of the review are expected to be available by August 1, 2025.
  • Apple adds ML-KEM to iOS and macOS 26 – Speaking of encryption, Apple has added post-quantum cryptography support to its operating systems. Upcoming versions of iOS, iPadOS, macOS, and visionOS will use a hybrid quantum-secure key exchange that supports the FIPS 203 (aka ML-KEM) algorithm. “ClientHello messages from iOS 26, iPadOS 26, macOS Tahoe 26, and visionOS 26 devices include X25519MLKEM768 in the supported_groups extension and a corresponding key share in the key_share extension,” Apple said. “If your server supports X25519MLKEM768, it can select X25519MLKEM768 or use another group advertised in the ClientHello message.”
  • Spain arrests 2 for leaking personal data of government officials – Spanish police have arrested a 19-year-old computer science student and an accomplice who allegedly leaked the personal data of senior government officials and journalists. The main suspect, identified as Yoel O.Q., was taken into custody at his parents’ home on Gran Canaria. His alleged accomplice, Christian Ezekiel S.M., was also arrested, according to local media citing law enforcement sources. The duo is said to be “a serious threat to national security.”
  • AT&T launches Wireless Account Lock to prevent SIM swap attacks – US mobile carrier AT&T has launched a new feature that lets customers lock their accounts to prevent SIM swap attacks. Wireless Account Lock can only be enabled via AT&T’s myAT&T app. Once enabled, changes to customer billing details and wireless number transfers are blocked until the lock is disabled again. Similar features exist at other carriers such as T-Mobile, Verizon, and Google Fi. “The lock forces extra steps before important account changes are made. For example, it prevents devices from being purchased on your account or SIM swaps from being performed.”
  • Pakistani freelancers behind websites deploying stealers – A Pakistani freelance group of web developers is behind a network of over 300 websites that infect users with information-stealing malware, according to Intrinsec. These websites are built for third parties and are believed to use search engine optimization techniques and Google Ads to maximize visibility and victim engagement. “In addition, there is no extradition treaty between the US and Pakistan, so there is little that can be done to prosecute the Pakistanis behind these malicious activities,” the company said. “Servers and domains can be seized, but these are merely temporary measures until something new is rebuilt.” The development coincides with the emergence of new stealer variants such as Amatera Stealer (ACR Stealer) and Odyssey Stealer (Poseidon Stealer), the latest entrants in the crowded field of infostealer malware.
  • Spain detains 21 suspects in connection with investment fraud – Spanish authorities have detained 21 suspects on charges of running an investment fraud ring. The group ran a call centre in Barcelona and used social media ads to promote fake investment platforms, defrauding hundreds of victims across the country who invested money and netting the gang 10 million euros ($11.8 million). In late June 2025, Ghanaian national Joseph Kwadou Badu Bohten was handed over to US authorities to face charges related to romance and inheritance schemes targeting seniors from 2013 to March 2023. “Akhimie admitted to scamming more than $6 million from more than 400 victims, many of whom were vulnerable, including the elderly,” the US Department of Justice said.
  • Chinese student sentenced to prison in the UK for smishing campaign – Chinese student Louishen Zion was sentenced by a London court for operating an SMS blaster between March 22 and 27, 2025, intended to harvest personal information, UK Finance said. “The link then takes them to a malicious site designed to harvest personal details.”
  • Microsoft takes action against email bombing and file system redirection attacks – Microsoft has revealed that default email bombing protection has been rolled out in Exchange Online Protection and Microsoft Defender. “By intelligently tracking message volumes across various sources and time intervals, this new detection leverages signals related to sender history patterns and spam content. This prevents email bombs from landing in the user’s inbox; instead, the messages are sent to the junk folder,” Microsoft said. Separately, the tech giant also detailed a new mitigation called RedirectionGuard, introduced in Windows 11 to mitigate file system redirection attacks.
  • Hunters International is shutting down – In an unusual development, the Hunters International ransomware operation has shut down and pledged to release free decryption keys to all past victims. The group announced the shutdown in a message posted on its dark web leak site on July 3, 2025. “After careful consideration, we decided to close the Hunters International project in light of recent developments,” it said, without elaborating on what those “recent developments” were. The operation began in November 2023 and is assessed to be a rebrand of the Hive ransomware, whose infrastructure was seized earlier that year. The end of Hunters International is no surprise, given that a Group-IB report earlier this year found the group had already rebranded and started an extortion-only operation known as World Leaks. Despite these claims, French security company Lexfo said it had identified World Leaks victims where ransomware had nonetheless been deployed on the network. According to DataBreaches.net, World Leaks is run by individuals previously associated with Hunters International, although World Leaks also claims to have had no contact with Hunters International. Group-IB, however, said the shutdown is “designed to control the story and delay attribution.”
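The FileFix item above ends with mr.d0x’s recommended fix: stop mshta.exe from running HTA files. Until that block is in place (AppLocker or SRP, as the Tip of the Week below describes), a detection rule over process-creation telemetry is the practical stopgap. The Python below is an added example written for this recap, not code from the researcher or any vendor. The one-line key=value log format, the hostnames, user names and file paths are constructed for the demo, and the severity scoring is an assumption a SOC would tune to its own environment.

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style, simplified
# to one key=value line per event). Hosts, users and paths are made up for this example.
SAMPLE_EVENTS = [
    r'2025-07-03T09:12:01Z host=WS01 user=CORP\alice parent=C:\Windows\explorer.exe image=C:\Windows\System32\mshta.exe cmd="mshta.exe C:\Users\alice\Downloads\MFABACKUPCODES2025.HTA"',
    r'2025-07-03T09:15:44Z host=WS02 user=CORP\bob parent=C:\Windows\System32\svchost.exe image=C:\Windows\System32\mshta.exe cmd="mshta.exe C:\Program Files\Vendor\setup.hta"',
    r'2025-07-03T09:16:10Z host=WS03 user=CORP\carol parent=C:\Windows\explorer.exe image=C:\Program Files\Google\Chrome\Application\chrome.exe cmd="chrome.exe --profile-directory=Default"',
    r'2025-07-03T09:20:33Z host=WS04 user=CORP\dave parent=C:\Windows\explorer.exe image=C:\Windows\System32\mshta.exe cmd="mshta.exe https://example.invalid/x.hta"',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>.+?) cmd="(?P<cmd>.*)"$'
)
# Locations an ordinary user can write to; an HTA launched from here is far more
# likely to be a just-saved web page than an installed application.
USER_WRITABLE = re.compile(r'\\Users\\|\\AppData\\|\\Temp\\|\\Downloads\\', re.I)
HTA_ARG = re.compile(r'\.hta\b', re.I)
REMOTE_ARG = re.compile(r'https?://', re.I)


def parse_event(line):
    """Return the event as a dict, or None if the line does not match the format."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def assess(event):
    """Score one event; returns a finding dict for mshta.exe launches, else None."""
    if event is None or not event["image"].lower().endswith("\\mshta.exe"):
        return None
    cmd = event["cmd"]
    reasons = []
    if HTA_ARG.search(cmd):
        reasons.append("mshta.exe executing an .hta file")
    if REMOTE_ARG.search(cmd):
        reasons.append("mshta.exe fetching remote content")
    if USER_WRITABLE.search(cmd):
        reasons.append("payload sits in a user-writable path")
    if event["parent"].lower().endswith("\\explorer.exe"):
        reasons.append("launched interactively via explorer.exe (user double-click)")
    # Scoring is an assumption for this example: two or more indicators is 'high'.
    severity = "high" if len(reasons) >= 2 else "medium"
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "severity": severity, "reasons": reasons, "cmd": cmd}


def scan(lines):
    """Run the rule over raw log lines and return the findings in order."""
    return [f for f in (assess(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f'{finding["severity"].upper():6} {finding["host"]} {finding["user"]}: '
              f'{finding["cmd"]} | ' + "; ".join(finding["reasons"]))
```

Every mshta.exe launch is reported because the legitimate use of HTA files in most fleets is close to zero; the interactive parent (explorer.exe) and a Downloads-style path are what distinguish the FileFix scenario from a vendor installer, so those events score high.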
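Apple’s note above spells out what the hybrid key exchange looks like on the wire: X25519MLKEM768 in supported_groups and a matching entry in key_share. The Python below, an added example that is not Apple’s code, builds a minimal ClientHello carrying those extensions (constructed input, not a capture) and parses it back out, so you can see exactly which fields a server or a passive TLS monitor inspects. The code points (0x11EC for X25519MLKEM768, 0x001D for x25519) are the IANA-registered values; the key-share lengths, the zero-filled random and key bytes, and the fallback selection logic are assumptions for the example.

```python
import struct

# IANA TLS supported_groups code points. 0x11EC is X25519MLKEM768, the hybrid
# group Apple's note names; 0x001D is classic x25519.
GROUP_NAMES = {0x001D: "x25519", 0x0017: "secp256r1", 0x11EC: "X25519MLKEM768"}
X25519MLKEM768 = 0x11EC
EXT_SUPPORTED_GROUPS = 10
EXT_KEY_SHARE = 51


def build_client_hello(groups, key_shares):
    """Build a minimal ClientHello handshake message (constructed test input, not a
    capture). Random and key material are zero-filled placeholders."""
    sg = b"".join(struct.pack("!H", g) for g in groups)
    sg = struct.pack("!H", len(sg)) + sg
    ks = b"".join(struct.pack("!HH", g, len(key)) + key for g, key in key_shares)
    ks = struct.pack("!H", len(ks)) + ks
    ext = (struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(sg)) + sg
           + struct.pack("!HH", EXT_KEY_SHARE, len(ks)) + ks)
    body = (b"\x03\x03" + bytes(32)              # legacy_version + random (placeholder)
            + b"\x00"                             # legacy_session_id: empty
            + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Extract supported_groups and key_share group ids from a ClientHello."""
    if not msg or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                           # legacy_version + random
    off += 1 + body[off]                                   # legacy_session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
    off += 1 + body[off]                                   # compression_methods
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    result = {"supported_groups": [], "key_share_groups": []}
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        data = body[off:off + elen]
        off += elen
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            result["supported_groups"] = [struct.unpack("!H", data[2 + i:4 + i])[0]
                                          for i in range(0, n, 2)]
        elif etype == EXT_KEY_SHARE:
            n = struct.unpack("!H", data[:2])[0]
            p = 2
            while p < 2 + n:
                g, klen = struct.unpack("!HH", data[p:p + 4])
                result["key_share_groups"].append(g)
                p += 4 + klen
    return result


def offers_hybrid_pq(parsed):
    """True if the client advertised X25519MLKEM768 and sent a key share for it."""
    return (X25519MLKEM768 in parsed["supported_groups"]
            and X25519MLKEM768 in parsed["key_share_groups"])


def select_group(parsed, server_groups):
    """Server-side choice (assumption for the example): honour the client's
    preference order, returning the first advertised group the server supports."""
    for g in parsed["supported_groups"]:
        if g in server_groups:
            return g
    return None


if __name__ == "__main__":
    hello = build_client_hello([X25519MLKEM768, 0x001D],
                               [(X25519MLKEM768, bytes(1216)), (0x001D, bytes(32))])
    parsed = parse_client_hello(hello)
    print([GROUP_NAMES.get(g, hex(g)) for g in parsed["supported_groups"]])
    print("hybrid PQ offered:", offers_hybrid_pq(parsed))
    print("server picks:", GROUP_NAMES[select_group(parsed, {0x001D, X25519MLKEM768})])
```

A server that lacks ML-KEM support simply never sees 0x11EC in its own list and falls through to x25519, which is the “use another group advertised in the ClientHello” path Apple describes; the client pays for the larger hybrid key share (1216 bytes here) on every hello, so a monitoring team can also use that size jump as a coarse signal that post-quantum handshakes have started appearing on the network.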
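Microsoft’s description of its email bombing protection above, tracking message volume per recipient over time and weighing it against sender history, is simple enough to prototype. Here is an added Python example, not Microsoft’s implementation, that runs a sliding-window detector over a constructed mail log: a mailbox that suddenly receives a burst of messages from many never-before-seen senders has the burst routed to junk, while mail from a sender with prior history still reaches the inbox (the classic email bomb is used to bury one important message, so that exception matters). The window, thresholds and log-line format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Detector parameters (assumptions for this example; a real deployment would tune them).
WINDOW_SECONDS = 60       # sliding window per recipient
BURST_THRESHOLD = 20      # messages inside the window before we call it a burst
MIN_NEW_SENDERS = 10      # distinct never-seen-before senders inside that burst

# Constructed inbound mail log: "<timestamp> <sender> <recipient> <subject>".
# One known partner message a day earlier, then a subscription-confirmation flood
# against the same mailbox, a partner reply during the flood, and unrelated mail.
SAMPLE_LOG = (
    ["2025-07-02T10:00:00Z alice@partner.example victim@corp.example Re: Q3 contract draft"]
    + [f"2025-07-03T10:00:{i:02d}Z signup{i}@site{i}.example victim@corp.example "
       f"Please confirm your subscription" for i in range(25)]
    + ["2025-07-03T10:00:30Z alice@partner.example victim@corp.example Q3 contract signed",
       "2025-07-03T10:02:00Z hr@corp.example bob@corp.example July payslip"]
)


def parse_line(line):
    ts, sender, rcpt, subject = line.split(" ", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, sender.lower(), rcpt.lower(), subject


def classify(lines):
    """Return (timestamp, sender, recipient, action) per message, action in {inbox, junk}."""
    windows = defaultdict(deque)   # recipient -> deque of (time, sender) within the window
    history = defaultdict(set)     # recipient -> senders seen before the current window
    verdicts = []
    for line in lines:
        when, sender, rcpt, _ = parse_line(line)
        win = windows[rcpt]
        # Expire old entries; anything that ages out becomes "sender history".
        while win and (when - win[0][0]).total_seconds() > WINDOW_SECONDS:
            _, old_sender = win.popleft()
            history[rcpt].add(old_sender)
        known_sender = sender in history[rcpt]
        win.append((when, sender))
        new_senders = {s for _, s in win if s not in history[rcpt]}
        bomb = len(win) >= BURST_THRESHOLD and len(new_senders) >= MIN_NEW_SENDERS
        # Mail from a sender with prior history is delivered even during a bomb, so
        # the flood cannot be used to bury a genuine message.
        action = "inbox" if known_sender or not bomb else "junk"
        verdicts.append((when.isoformat(), sender, rcpt, action))
    return verdicts


def summarize(verdicts):
    """Count actions per recipient, e.g. {'victim@corp.example': {'inbox': 21, 'junk': 6}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, _, rcpt, action in verdicts:
        counts[rcpt][action] += 1
    return {r: dict(c) for r, c in counts.items()}


if __name__ == "__main__":
    for when, sender, rcpt, action in classify(SAMPLE_LOG):
        print(f"{when} {action:5} {sender} -> {rcpt}")
    print(summarize(classify(SAMPLE_LOG)))
```

The first nineteen flood messages still land in the inbox because the detector has no way to know a burst is coming; a production system would add a second pass that retroactively moves the start of a confirmed burst to junk. Note also that the history set is per recipient, so a sender who is “known” to one mailbox gets no free pass for another.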

🎥Cybersecurity Webinar

  • The future of login: AI, trust, and privacy collide – Users are rejecting creepy AI and demanding frictionless logins. This webinar uncovers exclusive findings from the Auth0 2025 Trends report, revealing how identity threats are evolving and how leading teams design trust-first login flows that users love. If you still rely on outdated UX patterns or ignore privacy shifts, you are already behind.
  • pip install may be malware – here’s how to fix it – pip install isn’t just convenient. It’s dangerous. Repojacking, fake packages, and infected containers are quietly poisoning thousands of apps. This is not a theory; it’s happening now. Join top security experts to learn how the Python ecosystem is being attacked, what tools like Sigstore and SLSA actually do, and the practical steps you need to take to secure your build before it’s too late.

🔧Cybersecurity Tools

  • Cloudflare’s Orange Meets – A fully end-to-end encrypted video calling app that runs entirely on the client side, with no trust required in servers or SFUs. Built with WebRTC, Rust, and Messaging Layer Security (MLS), it supports secure group calls with real-time key rotation and formally verified logic. It’s open source, scalable, and ready to use or customize.
  • Octelium – A free, open source, self-hosted platform for secure zero trust access. It replaces VPNs, tunnels, and gateways with identity-based secretless access and fine-grained, policy-driven controls. Built on Kubernetes, it supports both client- and browser-based access and works with apps, APIs, SSH, databases, and more, without exposing your infrastructure.

Disclaimer: These newly released tools are for educational use only and have not been fully audited. Use at your own risk – refer to the code, test it safely, and apply appropriate protection measures.

🔒Tip of the Week

Shrink the attack surface with smart defaults – Many cyberattacks begin by leveraging legitimate Windows features that most users and environments rarely need. Legacy components such as Office macros, Windows Script Host, LLMNR, NetBIOS over TCP/IP, and background COM scripting interfaces are common culprits. However, even more obscure surfaces, such as ActiveX controls, Component Object Model elevation paths, or exposed DCOM/RPC endpoints, can become entry points for lateral movement and privilege escalation.


Beyond basic hardening, consider advanced techniques such as disabling optional Windows features via “dism /online /disable-feature”, disabling legacy subsystems (such as 16-bit support via NTVDM), or auditing unexpected network listeners with “netstat -abno” and Sysinternals TCPView. Apply Software Restriction Policies (SRP) or AppLocker to block execution from the TEMP directory, USB drives, or user profile folders. Harden PowerShell with Constrained Language Mode and enable AMSI logging to catch script obfuscation attempts.
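Reviewing “netstat -abno” output by eye does not scale across a fleet. The Python below is an added example, not part of the tip or any Microsoft tool, that parses the netstat -abno layout (a constructed sample, including the service-name and [process] continuation lines that follow each socket) and compares every listening socket against an expected baseline for the host role. The baseline is an assumption for a workstation that needs RPC, SMB and RDP; the sample deliberately still has LLMNR (UDP 5355) bound, which the tip says to turn off, so it shows up in the report alongside the two stray user-space listeners.

```python
import re

# Constructed excerpt laid out like `netstat -abno` output on Windows (the service
# name and "[process]" lines follow each socket). PIDs and ports are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1320
  TermService
 [svchost.exe]
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       7788
 [powershell.exe]
  TCP    127.0.0.1:8000         0.0.0.0:0              LISTENING       9120
 [python.exe]
  TCP    10.0.0.5:50322         52.96.0.10:443         ESTABLISHED     6012
 [OUTLOOK.EXE]
  UDP    0.0.0.0:5355           *:*                                    1200
  Dnscache
 [svchost.exe]
"""

CONN_RE = re.compile(
    r'^(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+'
    r'(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)$'
)

# Expected listeners for this host role (assumption: a domain-joined workstation
# that needs RPC, SMB and RDP). Anything else listening gets reported.
BASELINE = {
    ("TCP", 135): {"svchost.exe"},
    ("TCP", 445): {"<unknown>"},      # PID 4 (System) shows no owner in netstat
    ("TCP", 3389): {"svchost.exe"},
}


def parse_netstat(text):
    """Parse netstat -abno text into socket dicts with their owning service/process."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Active Connections") or line.startswith("Proto"):
            continue
        m = CONN_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["pid"] = int(entry["pid"])
            entry["services"] = []
            entry["process"] = None
            entries.append(entry)
        elif entries:
            # Continuation lines belong to the most recent socket.
            if line.startswith("[") and line.endswith("]"):
                entries[-1]["process"] = line[1:-1]
            elif line.startswith("Can not obtain ownership"):
                entries[-1]["process"] = "<unknown>"
            else:
                entries[-1]["services"].append(line)
    return entries


def port_of(addr):
    return int(addr.rsplit(":", 1)[1])


def listeners(entries):
    """TCP sockets in LISTENING state plus every bound UDP socket."""
    return [e for e in entries if e["proto"] == "UDP" or e["state"] == "LISTENING"]


def unexpected_listeners(entries, baseline=BASELINE):
    """Return (proto, port, pid, process, reason) for listeners outside the baseline."""
    findings = []
    for e in listeners(entries):
        key = (e["proto"], port_of(e["local"]))
        allowed = baseline.get(key)
        if allowed is None:
            findings.append(key + (e["pid"], e["process"], "port not in baseline"))
        elif e["process"] not in allowed:
            findings.append(key + (e["pid"], e["process"], "unexpected owning process"))
    return findings


if __name__ == "__main__":
    for proto, port, pid, proc, reason in unexpected_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{proto} :{port:<5} pid={pid:<6} {proc or '?':<16} {reason}")
```

The baseline is keyed on (protocol, port) and checks the owning image as well, so a familiar port bound by an unfamiliar process is reported too; collect the netstat text with a scheduled task or your EDR’s live-response feature and feed it in, then tighten the baseline as you confirm what each listener is for.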

For users who want secure defaults without diving into the registry or Group Policy, Hardentools offers a balanced baseline: one click disables commonly exploited script engines, Office macro execution, and certain Windows Explorer behaviors. To go further, combine it with community tools such as Microsoft’s Attack Surface Analyzer or O&O ShutUp10++ to disable telemetry and reduce exposure to cloud-connected attack vectors.

The more obscure the vector, the less likely a defender is watching it, and that’s exactly why attackers love it. Effective attack surface reduction isn’t only about minimizing visible services. It’s about quietly knowing what’s enabled and making sure it’s necessary. This week, go beyond basic macro blocking: stop silent risk by checking what is running under the hood.

Conclusion

Protecting against external attackers is one thing. Risk that is already inside is another. This week’s revelations about stolen identities, fake employment and silent access show how trust can be turned into a weapon.

The takeaway is clear. Identity is not just a login, it is a boundary of security. And if it fails, everything behind it is in danger.
