- 0 comments
- 64 views
-
Tech
Tech Articles from a wide variety of topics and categories
- 0 comments
- 83 views
-
- 0 comments
- 57 views
-
- 0 comments
- 77 views
-
- 0 comments
- 60 views
-
- 0 comments
- 61 views
-
- 0 comments
- 63 views
-
- 0 comments
- 65 views
-
- 0 comments
- 64 views
-
- 0 comments
- 63 views
-
- 0 comments
- 71 views
-
- 0 comments
- 66 views
-
- 0 comments
- 64 views
-
- 0 comments
- 77 views
-
- 0 comments
- 69 views
-
That’s why we’re proud to announce that NETSCOUT’s Omnis Cyber Intelligence has been named “Overall Network Security Solution of the Year” in the ninth annual CyberSecurity Breakthrough Awards. This recognition honors the most innovative companies and technologies shaping the future of cybersecurity, and we’re thrilled to be counted among them.
What sets us apart
The challenge: Visibility gaps create risk
Modern enterprises face expanding attack surfaces, hybrid cloud environments, and increasing operational complexity. Security teams are flooded with alerts but lack the visibility to see what’s truly happening behind them.
Many tools promise detection, but few deliver the clarity and confidence that come from true visibility. Without that clarity, investigations stall, threats linger, and response times grow longer, creating risk that no organization can afford.
The innovation: Always-on, packet-based intelligence
Omnis Cyber Intelligence changes that dynamic by delivering a continuous, comprehensive view of network activity. Built on NETSCOUT’s industry-leading deep packet inspection (DPI) at scale, Omnis Cyber Intelligence continuously captures, analyzes, and stores high-fidelity network metadata, independent of detections.
This always-on visibility ensures nothing slips through the cracks. Security teams gain full context into every connection, even before an alert fires. Omnis Cyber Intelligence’s on-sensor storage architecture minimizes data movement, helping organizations meet compliance and data-sovereignty requirements by keeping sensitive data close to its source.
The impact: Bridging the gap between detection and response
While most solutions stop at detection, Omnis Cyber Intelligence goes further. By combining real-time analytics with historical network context, it bridges the critical gap between alert and action, empowering analysts to understand how and why an attack occurred.
Whether hunting zero-day threats, analyzing encrypted traffic, or investigating suspicious behavior across cloud and on-prem environments, Omnis Cyber Intelligence provides the context, clarity, and confidence teams need to act decisively. And with integrations across major ecosystems, including AWS, Microsoft, Google Cloud, and more, Omnis Cyber Intelligence delivers end-to-end visibility for today’s distributed enterprises.
Recognition of innovation
The CyberSecurity Breakthrough Awards program received thousands of nominations from more than 20 countries. Winners were selected for redefining how we safeguard the digital world through innovation, performance, and measurable impact.
As Steve Johansson, managing director at CyberSecurity Breakthrough, noted, “Modern network complexities create blind spots that limit understanding, insight, and automation based on network behavior. Omnis Cyber Intelligence addresses these complexities and delivers complete network transparency, accelerating incident response and improving overall security posture.”
Setting the standard for network security
For decades, NETSCOUT has delivered packet-level visibility at scale, helping the world’s largest enterprises and service providers maintain performance and security across the most demanding environments.
This award validates what our customers already know: When you can see everything, you can stop anything. We’re honored by this recognition and even more committed to helping organizations around the world defend with clarity, respond with confidence, and continuously outsmart evolving threats.
Learn more about how NETSCOUT Omnis Cyber Intelligence can help by providing comprehensive network visibility with scalable deep packet inspection (DPI) to detect, investigate, and respond to threats more efficiently.
View the full article
- 0 comments
- 84 views
-
- 0 comments
- 60 views
-
Understanding zero-day attacks
What is a zero-day vulnerability, exploit, and attack?
A zero-day vulnerability refers to a software security flaw that is unknown to the vendor. When attackers exploit this vulnerability, it becomes a zero-day exploit. A zero-day attack occurs when malicious actors use this exploit to compromise a system before a patch is available.
Why “zero-day”?
The term “zero-day” signifies that the vendor has zero days to address the vulnerability before it is exploited. This urgency highlights the critical nature of these threats because they can be leveraged by attackers immediately upon discovery.
Common targets of zero-day attacks
Zero-day attacks often target operating systems, web browsers, enterprise software, and Internet of Things (IoT) devices. These platforms are integral to daily operations, making them attractive targets for attackers seeking to maximize impact.
Why zero-day attacks are so effective
Zero-day attacks have several advantages in the cybersecurity landscape. Due to their novel nature, they can be challenging to detect and understand. Here are some common reasons they work when deployed against unsuspecting targets:
No available patch: These exploits are unknown to both vendors and defenders, meaning they have not been identified and patched yet, leaving the door open for attackers. High-value targets: These attacks are often used in cyber espionage, ransomware campaigns, and advanced persistent threats (APTs) to target high-value assets with sensitive data. Difficult to detect: These exploits often are missed by traditional detection tools, especially those relying on signature-based detection, allowing adversaries to operate undetected. Speed and stealth: Successful breaches are more likely with zero-day attacks because attackers act quickly and quietly, allowing them to exploit vulnerabilities before they are identified and patched. Precision targeting: The target of these exploits is often a specific individual or organization. Spear-phishing and zero-click attacks are common tactics used to initiate the breach. Real-world zero-day attack examples
No organization is immune to being targeted by a zero-day attack. In the real world, many key services, organizations, and platforms can be targeted by zero-day exploits:
Nation-state sabotage: State-sponsored attackers can target critical infrastructure and utilities with zero-day exploits, rendering key services and life-saving utilities unavailable. Mobile surveillance: In telecommunications, carriers have witnessed zero-click exploits being used in mobile surveillance. This leads to compromised devices without any user interaction. Supply chain attacks: Global supply chains are appealing targets because they have a wide impact. In exploiting zero-day vulnerabilities, attackers can impact several groups in one attack, such as consumers, manufacturers, employees, and more. Frequently targeted platforms: Web browsers and email servers are common targets of zero-day attacks. These are widely used, increasing the potential for significant disruption. How zero-day vulnerabilities are discovered and used
There are multiple groups and methodologies that work to discover, use, and inform organizations of zero-day vulnerabilities. These include:
White-hat researchers: Often ethical hackers, also known as white-hat researchers, discover zero-day vulnerabilities via bug bounty programs and responsible disclosure. This helps vendors identify and address these issues. Black-hat hackers: On the flip side, if a black-hat hacker identifies a vulnerability before it is patched, the hacker can leverage it for gain, often selling exploits on the dark web. Government agencies: Some government agencies engage in offensive cyber operations, stockpiling exploits for strategic purposes. They also can inform organizations and vendors of these exploits, much like white-hat researchers. Thorough investigation: Internal security teams can leverage investigation capabilities, such as packet-level insights, to discover and understand zero-day threats, preventing future occurrences. How to defend against zero-day attacks
There are several measures security and network teams can take to more effectively avoid zero-day attacks. Some examples include:
Leverage threat investigation: Detection alone often misses the unknown. Thorough investigation, leveraging deep packet inspection (DPI) at scale and forensic analysis, is key to identifying and preventing zero-day attacks from being successful now and in the future. Patch quickly: Prioritizing updates and effective vulnerability management is essential to mitigating the risk of zero-day attacks. Use behavior-based detection: Employing solutions such as endpoint detection and response (EDR), network detection and response (NDR), and extended detection and response (XDR) in combination with a strong investigation focus can help identify anomalous behavior that can signify zero-day exploits are being leveraged. Adopt zero-trust principles: Implementing a zero-trust security architecture, limiting user access, and continuously verifying identities can reduce the risk of unauthorized access to sensitive data. Segment the network: Strategic network segmentation helps contain breaches and minimizes lateral movement within a compromised system. Stay informed: Subscribing to security advisories and threat intelligence feeds helps keep organizations informed on emerging threats and vulnerabilities. FAQs about zero-day attacks
What makes zero-day attacks different from other cyberthreats?
Zero-day attacks exploit unknown vulnerabilities, making them particularly challenging to defend against compared with threats targeting known vulnerabilities.
Can antivirus software detect zero-day exploits?
Traditional antivirus software may struggle to detect zero-day exploits due to its reliance on signature-based detection methods.
Are zero-day vulnerabilities illegal to sell or use?
Although selling or using zero-day vulnerabilities for malicious purposes is illegal, ethical disclosure through bug bounty programs is encouraged.
How long do zero-day exploits typically remain undetected?
The duration for which a zero-day exploit remains undetected varies, but it can range from days to months, depending on the complexity of the exploit and the vigilance of security teams.
Staying ahead of emerging threats with investigation
Zero-day attacks represent a significant threat in the cybersecurity landscape, exploiting unknown vulnerabilities to devastating effect. Understanding these attacks and implementing proactive defensive strategies is essential for staying ahead of emerging threats.
Detection alone is not enough. Detection-focused tools such as EDR, NDR, and XDR on their own miss the unknown, allowing zero-day attacks to have a better chance of success. Leveraging investigation, powered by packet data, empowers teams with the actionable data to detect, understand, and prevent future attacks. Packets do not lie, and the network is the only place adversaries cannot hide.
Learn more about Omnis Cyber Intelligence.
View the full article
- 0 comments
- 77 views
-
According to ESG, 53% of organizations rely on network visibility and telemetry as their primary line of defense. In fact, nearly two-thirds use the network in some capacity to kick off their threat detection and response processes. Even more telling, 93% of SecOps and NetOps teams now share the same network visibility tools, which is a sign that the network has become the unifying language of operations.
So, why in an era dominated by extended detection and response (XDR) and cloud-native tooling does the network remain the first place security teams look? The answer is simple: Packets don’t lie.
Why packets still matter
Endpoints can be tampered with. Logs can be incomplete. Cloud providers can limit visibility. But network packets capture every transaction, every communication, and every anomaly, without bias. This is why, despite some vendors dismissing network detection and response (NDR) as “old-school” or “on-premises,” ESG found that 41% of organizations actually see network tools as the best-equipped technology for providing visibility across hybrid, multicloud environments.
The truth is that the network has evolved right alongside the environments it protects. It’s no longer just about physical appliances watching traffic at the perimeter. Today’s NDR solutions scale across data centers, virtual servers, and multicloud ecosystems, providing a single vantage point where everything converges.
Detection is only step one
But here’s where we believe the conversation needs to change. Detection, while critical, is just the first step. The real challenge, and the real value, lies in understanding a threat through the investigation phase.
Think about it: an alert tells you something happened. But only investigation tells you what it was, how it happened, and what to do about it. That’s the gap where attackers thrive and where security operations center (SOC) teams often lose valuable time.
And this is where network visibility proves its worth beyond being just a “first line of defense.” With full packet capture and deep network intelligence, security teams can pivot from “we detected something” to “we understand everything about it.” That shift is the difference between chasing alerts and actually stopping adversaries in their tracks.
Why NETSCOUT Omnis Cyber Intelligence
At NETSCOUT, we’ve seen this shift firsthand. Omnis Cyber Intelligence isn’t just about spotting anomalies; it’s about giving analysts the complete, packet-level context they need to investigate confidently. By unifying SecOps and NetOps on a shared foundation of visibility, Omnis Cyber Intelligence helps eliminate blind spots that attackers exploit.
Because at the end of the day, detection will always be table stakes. Investigation is where the real impact is made. Network packets provide the single source of truth across on-premises, hybrid, and cloud environments, serving as the foundation that makes it all possible.
Learn more about the ESG report.
Learn how NETSCOUT Omnis Cyber Intelligence can help by providing comprehensive network visibility with scalable deep packet inspection (DPI) to detect, investigate, and respond to threats more efficiently.
View the full article
- 0 comments
- 82 views
-
- 0 comments
- 60 views
-
- 0 comments
- 69 views
-
- 0 comments
- 61 views
-
WINS dates from Windows NT in 1994 and has long since been displaced by the more modern Domain Name System (DNS). It was deprecated in 2021 to coincide with the appearance of Windows Server 2022. This meant it would be supported but no longer developed, a clear signal that the clock was ticking.
Now, Microsoft has said, the last operating system to support WINS will be Windows Server 2025. That’s what determines the nine-year final migration deadline — the lifespan of Windows Server 2025 on the Long-Term Servicing Channel (LTSC).
“Organizations using WINS are strongly encouraged to migrate to modern DNS-based name resolution solutions,” the company said, perhaps stating the obvious, in a Windows Message Center advisory in early November.
According to Microsoft, the timescale is generous. “Our goal is to make planning and migrations as predictable and low-stress as possible. With advanced notice and a support runway, organizations can confidently modernize their environments at their own pace,” it said.
Cutting out WINS
Future versions of Windows without support for WINS will lose the WINS Server role and associated binaries, the WINS Microsoft Management Console (MMC) snap-in, and WINS automation APIs and related management interfaces, the company added.
WINS migration is yet another legacy issue inherited from the creative ferment of computer networking in the 1980s and 1990s. That era needed solutions to lots of networking problems in a hurry, especially how to turn a desktop PC operating system such as DOS or Windows into a practical server platform.
WINS solved an important challenge: how to connect the names used to identify computers using the 1980s’ NetBIOS network naming system with modern IP addresses. DNS, a hierarchical system that worked for Internet as well as network addresses, had rendered NetBIOS obsolete. But both ended up co-existing, examples of how the industry delivered more than one answer to the same problem.
Today, the arguments for getting rid of WINS extend beyond its obsolescence. It is also a security risk. In 2017, Fortinet’s FortiGuard Labs discovered a WINS Server remote memory corruption vulnerability in Windows Server 2008, 2012, and 2016.
Microsoft’s reply to Fortinet made interesting reading: “A fix would require a complete overhaul of the code to be considered comprehensive. The functionality provided by WINS was replaced by DNS and Microsoft has advised customers to migrate away from it.”
In short, Microsoft had no plans to patch the issue. Its solution was that customers migrate away from WINS, a process it has since become clear could still be ongoing for some customers into the 2030s.
Why WINS is still in use
Organizations still using WINS are likely to fall into one of two categories: those using it to support old technologies with long lifecycles such as operational technology (OT) systems, and those that have simply half-forgotten that they are still using it.
“For OT stacks built around WINS/NetBIOS, replacing them isn’t trivial because changing name resolution touches safety‑critical systems and bespoke integrations,” said Kieran Bhardwaj, head of security engineering at UK cyber security consultancy Bridewell, which specializes in advising on critical infrastructure.
“Legacy technologies persist because some niche systems like industrial/OT environments are engineered for multi‑decade lifecycles. Many control systems are architecturally fixed and can’t be re‑platformed,” he said. “It’s also hard for Microsoft: WINS sits deep in the networking stack which means removing a once‑core component demands exhaustive regression to avoid unintended breakage.”
Equally, according to William Wright of pen-testing company Closed Door Security, WINS was still running on some networks for the same reason that many legacy technologies overstay their usefulness: migration apathy.
“Most organizations running WINS today probably aren’t actively using it for anything critical. They’ve just never had a compelling reason to turn it off,” he said. “It’s been quietly replicating in the background, consuming minimal resources, causing no obvious problems. That’s the nature of legacy infrastructure: It persists not because it’s needed, but because removing it requires effort and carries risk, while leaving it alone is free,” said Wright.
WINS is a security risk
WINS had major design limitations that made it a security risk, said Wright. “WINS has no mechanism to verify the legitimacy of name registrations, which makes it vulnerable to spoofing attacks,” said Wright.
“An attacker on the network can register malicious entries, including Web Proxy Auto-Discovery (WPAD) records to intercept web traffic, or redirect connections to systems they control. It’s a straightforward path for lateral movement,” he said.
Finding WINS still turned on inside a network was a godsend to hackers using open-source tools such as Responder to conduct name resolution poisoning attacks against legacy Windows protocols such as Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS), Wright added.
Worse, the presence of WINS often indicated that a target was using other vulnerable legacy protocols. “Systems often fall back to NetBIOS broadcast queries when WINS isn’t available, which are spoofable on local networks. This is exactly what tools like Responder exploit, and it remains a common technique in penetration testing and real-world attacks alike.”
Network inventory
Organizations looking to rip WINS out should start with an inventory to find out where it is being used, Bhardwaj said: “Many organizations don’t realize a legacy asset still relies on WINS, so proactively inventory older segments and OT/ICS networks and verify resolution paths before the next upgrade window.”
“The trade-off is that customers still using WINS must put in the work to move to DNS by auditing dependencies, modernizing or isolating legacy workloads, and implementing DNS. But the payoff is a simpler, more secure platform.
In the end, even the brightest and best-performing technologies will one day be legacy. Migrating from WINS is a test of how well organizations are dealing with this wider problem. “There’s way too much legacy that is unused and that presents an attack surface for no reason,” said Bhardwaj.
This article first appeared on Computerworld.
View the full article
- 0 comments
- 79 views
-
Jaiz Anuar – Shutterstock.com
Hacks greifen immer stärker Unternehmen an, weil die Beute in Form von Lösegeld und Daten dort aussichtreicher ist als bei Privatpersonen. Das bedeutet jedoch nicht, dass eine Einzelperson kein lohnendes Opfer ist. Im Gegenteil – Computer von Individuen zu infizieren kann sich für Kriminelle auszahlen, insbesondere wenn sie Botnetze oder Residential-Proxy-Netzwerke einrichten.
Doch wie kann man herausfinden, ob der eigene Rechner infiziert ist, selbst ohne Vorkenntnisse und Fachwissen? Ein kostenloses Tool GreyNoise IP Check von GreyNoise Labs hilft zu überprüfen, ob die eigene IP-Adresse bei schädlichen Scans erfasst wurde.
Diese Vorsichtsmaßnahme begründen die Experten so: „Manchmal installieren Nutzer wissentlich Software, die solche Aktionen ausführt, und verdienen damit ein paar Euro. Häufiger jedoch schleicht sich Malware unbemerkt auf Geräte ein, meist über schädliche Apps oder Browsererweiterungen, und verwandelt diese im Hintergrund in Knotenpunkte in der Infrastruktur anderer.“
Analysieren und scannen
Grundsätzlich gibt es diverse Möglichkeiten, um festzustellen, ob jemand Teil eines schädlichen Botnetzes geworden ist, nämlich, indem Geräteprotokolle, Konfigurationen, Netzwerkverkehr und Aktivitätsmuster analysiert werden. Ein Tool, das lediglich die IP-Adresse überprüft, sei aber die schonendste Methode, erklärt GreyNoise.
Interessenten wird beim Besuch der IP-Check-Webseite, eines von drei möglichen Ergebnissen angezeigt:
Der Rechner ist sauber, es wurden also keine schädlichen Scan-Aktivitäten festgestellt. Etwas Schädliches beziehungsweise Verdächtiges wurde gefunden, die IP-Adresse wurde beim Scannen des Internets erfasst oder ist in der GreyNoice-Datenbank verzeichnet. User sollten Geräte in ihrem Netzwerk überprüfen. Die IP-Adresse des Users gehört zu einem VPN, einem Unternehmensnetzwerk oder einem Cloud-Anbieter, und die Scan-Aktivität ist für diese Umgebungen normal. Korrelationen zwischen Installationen und Scans
Wenn eine Aktivität mit der angegebenen IP-Adresse korreliert wird, zeigt die Plattform auch einen 90-tägigen Verlauf an. Das soll helfen, einen potenziellen Infektionsherd zu identifizieren und Abwehrmaßnahmen vornehmen.
Bei einem positiven Befund wird eine Zeitleiste mit den Aktivitäten der letzten 90 Tage ausgegeben.
GreyNoise
JSON-Option für Fortgeschrittene
Für technisch versierte Nutzer bietet GreyNoise außerdem eine nicht authentifizierte, rate-limit-free JSON-API. Diese ist über curl zugänglich und kann in Skripte oder Prüfsysteme integriert werden.
Dies liefert strukturierte Daten zur fraglichen IP-Adresse, die in MDM-Systeme, VPN-Verbindungsskripte oder Netzwerk-Onboarding-Prozesse integriert werden können. Der Hersteller merkt an, dass Entwickler die Informationen in jeder beliebigen Programmiersprache verwenden können – solange ein curl-ähnlicher User-Agent vorhanden ist.
View the full article
- 0 comments
- 652 views
-
Jaiz Anuar – Shutterstock.com
Hacks greifen immer stärker Unternehmen an, weil die Beute in Form von Lösegeld und Daten dort aussichtreicher ist als bei Privatpersonen. Das bedeutet jedoch nicht, dass eine Einzelperson kein lohnendes Opfer ist. Im Gegenteil – Computer von Individuen zu infizieren kann sich für Kriminelle auszahlen, insbesondere wenn sie Botnetze oder Residential-Proxy-Netzwerke einrichten.
Doch wie kann man herausfinden, ob der eigene Rechner infiziert ist, selbst ohne Vorkenntnisse und Fachwissen? Ein kostenloses Tool GreyNoise IP Check von GreyNoise Labs hilft zu überprüfen, ob die eigene IP-Adresse bei schädlichen Scans erfasst wurde.
Diese Vorsichtsmaßnahme begründen die Experten so: „Manchmal installieren Nutzer wissentlich Software, die solche Aktionen ausführt, und verdienen damit ein paar Euro. Häufiger jedoch schleicht sich Malware unbemerkt auf Geräte ein, meist über schädliche Apps oder Browsererweiterungen, und verwandelt diese im Hintergrund in Knotenpunkte in der Infrastruktur anderer.“
Analysieren und scannen
Grundsätzlich gibt es diverse Möglichkeiten, um festzustellen, ob jemand Teil eines schädlichen Botnetzes geworden ist, nämlich, indem Geräteprotokolle, Konfigurationen, Netzwerkverkehr und Aktivitätsmuster analysiert werden. Ein Tool, das lediglich die IP-Adresse überprüft, sei aber die schonendste Methode, erklärt GreyNoise.
Interessenten wird beim Besuch der IP-Check-Webseite, eines von drei möglichen Ergebnissen angezeigt:
Der Rechner ist sauber, es wurden also keine schädlichen Scan-Aktivitäten festgestellt. Etwas Schädliches beziehungsweise Verdächtiges wurde gefunden, die IP-Adresse wurde beim Scannen des Internets erfasst oder ist in der GreyNoice-Datenbank verzeichnet. User sollten Geräte in ihrem Netzwerk überprüfen. Die IP-Adresse des Users gehört zu einem VPN, einem Unternehmensnetzwerk oder einem Cloud-Anbieter, und die Scan-Aktivität ist für diese Umgebungen normal. Korrelationen zwischen Installationen und Scans
Wenn eine Aktivität mit der angegebenen IP-Adresse korreliert wird, zeigt die Plattform auch einen 90-tägigen Verlauf an. Das soll helfen, einen potenziellen Infektionsherd zu identifizieren und Abwehrmaßnahmen vornehmen.
Bei einem positiven Befund wird eine Zeitleiste mit den Aktivitäten der letzten 90 Tage ausgegeben.
GreyNoise
JSON-Option für Fortgeschrittene
Für technisch versierte Nutzer bietet GreyNoise außerdem eine nicht authentifizierte, rate-limit-free JSON-API. Diese ist über curl zugänglich und kann in Skripte oder Prüfsysteme integriert werden.
Dies liefert strukturierte Daten zur fraglichen IP-Adresse, die in MDM-Systeme, VPN-Verbindungsskripte oder Netzwerk-Onboarding-Prozesse integriert werden können. Der Hersteller merkt an, dass Entwickler die Informationen in jeder beliebigen Programmiersprache verwenden können – solange ein curl-ähnlicher User-Agent vorhanden ist.
View the full article
- 0 comments
- 681 views
-
They report finding a “full stack” operation behind the attacks, where code hosting, package distribution, staging servers and command-and control (C2) infrastructure are orchestrated much like a legitimate software development and delivery pipeline — and offer honest developers fresh advice on protecting themselves against the attacks.
In the latest wave, threat actors uploaded almost 200 new malicious NPM packages, with more than 31,000 recorded downloads. The campaign lures victims with fake job interviews and coding assignments related to Web3 and blockchain projects, asking them to pull dependencies for a “test project”. But the NPM packages they install are Trojan horses.
The latest packages identified by Socket ultimately deliver a new payload with upgraded credential theft, system monitoring and remote access capabilities, enabling them to take over developers’ accounts and machines.
Point defense
Based on its latest analysis, Socket advised developers to focus on the weak points this campaign exploits, and to treat every “npm install” as potential remote code execution, restrict what continuous-integration runners can access, enforce network egress controls, and review the code of any new templates or utilities pulled from GitHub. Teams should also scrutinize unfamiliar helper packages, pin known-good versions, and use lockfiles instead of auto-updating dependencies, it advised.
Automated package analysis can further reduce risk, with real-time scans catching threats including import-time loaders, network probing, and bulk data exfiltration before they hit developer machines or CI systems.
With these checks in place, dependency onboarding and code review become effective filters for blocking Contagious Interview-style attacks early, Socket said.
Coding tasks lead to malware delivery
These defensive measures are effective because Contagious Interview’s entry vector relies heavily on social engineering, using fake interview tasks to trick developers into installing compromised dependencies.
The campaign exploits NPM, a widely used package registry for JavaScript and Node.js, by publishing packages that appear benign but carry hidden payloads. The malicious packages including one named “tailwind-magic” mimic legitimate libraries (in this case, a typosquatted version of the genuine “tailwind-merge” utility) to avoid suspicion.
When an unsuspecting developer installs such a package, a post-install script triggers and reaches out to a staging endpoint hosted on Vercel. That endpoint in turn delivers a live payload fetched from a threat-actor controlled GitHub account named “stardev0914”. From there the payload, a variant of OtterCookie that also folds in capabilities from the campaign’s other signature payload, BeaverTail, executes and establishes a remote connection to the attackers’ control server. The malware then silently harvests credentials, crypto-wallet data, browser profiles and more.
“Tracing the malicious npm package tailwind-magic led us to a Vercel-hosted staging endpoint, tetrismic[.]vercel[.]app,and from there to the threat actor controlled GitHub account which contained 18 repositories,” Socket’s senior threat intelligence analyst Kirill Boychenko said in a blog post, crediting related research by Kieran Miyamoto that helped confirm the malicious GitHub account stardev0914.
A ‘full stack’adversary: GitHub, Vercel, and NPM
What makes this campaign stand out is the layered infrastructure behind it. Socket’s analysis traced not just the NPM packages but also how the attackers built a complete delivery pipeline: malware serving repositories on GitHub, staging servers on Vercel, and separate C2 servers for exfiltration and remote command execution.
Through this setup, attackers can rotate payloads, update malware unobtrusively, and tailor deployments per target—all while blending deeply into the legitimate developer ecosystem, according to Boychenko.
Once installed, OtterCookie doesn’t just run and vanish: It remains persistent, capable of logging keystrokes, hijacking the clipboard, scanning the filesystem, capturing screenshots, and grabbing browser and wallet credentials across Windows, macOS and Linux.
The campaign actors’ intensified NPM activity arrives at a worrying moment for the JavaScript and open-source ecosystem. In recent months, the community has seen a flurry of NPM-based attacks — including worm-style campaigns that transformed popular packages into Trojan horses, automated credential theft, and widespread supply chain compromise across both development and CI environments.
This article was first published on Infoworld.
View the full article
- 0 comments
- 67 views
-
That’s the paradox in a nutshell. In an environment where product teams must constantly test new technologies and ship updates at record speed, traditional end-of-line audits wouldn’t keep up. Security has to move upstream. It must be built into everyday operations, with proactive, actionable measures that empower innovation instead of slowing it down.
CISOs, then, must work more closely with teams from the initial stages to establish clear and practical risk tolerances and build security into development workflows.
Partner early to shape outcomes
CISOs don’t get leverage by showing up at the finish line. They must ditch the gatekeeper mindset and become true partners from Day Zero. In the past, when security measures were only brought in at the final stage, decision-makers were left with a difficult choice: accept project delays or face unmitigated risks. When product cycles were quarterly and speed did not determine competition, this approach made sense. In today’s reality with AI-driven product development, such a process breaks in an environment now made up of weekly sprints, continuous delivery and vendor-driven dependencies.
When security understands revenue goals, customer promises and regulatory exposure, guidance becomes specific and enabling. Begin by embedding a security liaison with each product squad so there is always a known face to engage in identity, data flows, logging and encryption decisions as they form. We should not want to see engineers opening two-week tickets for a simple question. There should be open “office hours,” chat channels and quick calls so they can get immediate feedback on decisions like API design, encryption requirements and regional data moves.
Bureaucracy must be deprecated in our environment. Show up at sprint planning and early design reviews to ask the questions that matter — authentication paths, least-privilege access, logging coverage and how changes will be monitored in production through SIEM and EDR. When security officers sit at the same table, the conversation changes from “Can we do this?” to “How do we do this securely?” and better outcomes follow from day one.
Set risk tolerances and guardrails
Teams slow down when they are unsure how to proceed. Take away some of the decision-making and ensure an integration of authentication, authorization and accounting into the development process. For authentication, establish and leverage enterprise identity management solutions rather than allowing the development of accounts written to databases that can be easily compromised. CISOs must also ensure they define standard role-based access control levels that ensure clear separation of duties is in place in the solution design. For accounting, don’t just create logs; ensure high-cardinality data is being captured for anomaly detection and this data is being integrated into a central security operations center for threat detection and response. Product development teams should not be tasked with security operations responsibilities; other teams should maintain the eye-on-glass visibility into the threats facing the solutions in production.
CISOs must define the organization’s risk appetite in business language that removes ambiguity. Specify which third-party profiles require deep assessment and which can run as bounded pilots with compensating controls. State which vulnerability severities must block a merge and which can proceed with a time-bound remediation plan. Clarify what data classifications may cross regions and what protections must travel with them.
Then translate those choices into automation. Bake guardrails into CI/CD and infrastructure-as-code so enforcement is consistent and visible. Scan each code commit for vulnerabilities, and if a change breaches a critical policy, the build fails with a clear reason and a path to resolution. If it sits within tolerance, it moves forward without manual intervention. The result is governance as an accelerator: predictable, transparent and aligned with how design engineers work.
Build secure-by-design into fast developer lifecycles
When developers deploy code multiple times a day, a “final security review” before launch just wouldn’t work. This traditional, end-of-line gating model doesn’t just block innovation but also fails to catch real-world risks. To be effective, security must be embedded during development, not just inspected after.
If the secure path is harder than the insecure path, developers will choose the easy way every single time. Our job isn’t to hand out a 50-page PDF; it’s to bake security right into their developer environment, giving them pre-vetted, hardened templates that are secure by default. This means offering standard service templates with authentication and authorization already built in. When the secure component is easier to use than the insecure alternative, developers can adopt it easily and will adopt it every time.
Automation is the enforcement layer for this strategy. When security tools are integrated directly into the CI/CD pipeline, feedback becomes available almost in real-time. This allows the team to “fail fast” on critical risks while providing actionable fixes.
This discipline must further extend into production. Even with world-class DevSecOps, we know a zero-day or configuration drift can happen. That’s why we rely on over-arching web application shielding solutions that integrate a robust web application firewall with runtime application attack mitigation and self-protection. These solutions mitigate vulnerabilities and risks in real-time while the application is running in production. They buy the development teams the crucial time they need to resolve the underlying issue without service interruption or breach, ensuring that even if all other controls fail, we have a way to block and tackle in the critical moment.
Runtime telemetry and risk-based alerting are the final checks on this coverage. This promotes a cultural change that enables engineers to take full ownership of their applications, from the initial line of code all the way to production. Security, in turn, achieves thorough, lasting coverage without becoming a bottleneck.
This article is published as part of the Foundry Expert Contributor Network.
Want to join?
View the full article
- 0 comments
- 60 views
-
But generating embeddings comes with trade-offs. Using a hosted API for embedding generation often results in reduced data privacy, higher call costs, and time-consuming model regeneration. When your data is private or constantly evolving (think internal documentation, proprietary code, or customer support content), these limitations quickly become blockers.
Instead of sending data to a remote service, you can easily run local embedding models on-premises with Docker Model Runner. Model Runner brings the power of modern embeddings to your local environment, giving you privacy, control, and cost-efficiency out of the box.
In this post, you’ll learn how to use embedding models for semantic search. We’ll start by covering the theory behind embedding and why developers should run them. Then, we’ll wrap up with a practical example, using Model Runner, to help you get started.
Understanding semantic search embeddings
Let’s take a moment to first demystify what embeddings are.
Embeddings represent words, sentences, and even code as high-dimensional numerical vectors that capture semantic relationships. In this vector space, similar items cluster together, while dissimilar ones are farther apart.
For example, a traditional keyword search looks for exact matches. If you search for “authentication”, you’ll only find documents containing that exact term. But with embeddings, searching for “user login” might also surface results about authentication, session management, or security tokens because the model understands that these are semantically related ideas.
This makes embeddings the foundation for more intelligent search, retrieval, and discovery — where systems understand what you mean, not just what you type.
For a deeper perspective on how language and meaning intersect in AI, check out “The Language of Artificial Intelligence”.
How Vector Similarity Enables Semantic Search with Embeddings
Here’s where the math behind semantic search comes in, and it’s elegantly simple.
Once text is converted into vectors (lists of numbers), we can measure how similar two pieces of text are using cosine similarity:
Similarity = A ⋅ B / ||A|| x ||B||
Where:
A is your query vector (e.g., “user login”), B is another vector (e.g., a code snippet or document). The result is a similarity score, typically between 0 and 1, where values closer to 1 mean the texts are more similar in meaning.
In practice:
A search query and a relevant document will have a high cosine similarity. Irrelevant results will have low similarity. This simple mathematical measure allows you to rank documents by how semantically close they are to your query, which powers features like:
Natural language search over docs or code RAG pipelines that retrieve contextually relevant snippets Deduplication or clustering of related content With Model Runner, you can generate these embeddings locally, feed them into a vector database (like Milvus, Qdrant, or pgvector), and start building your own semantic search system without sending a single byte to a third-party API.
Why use Docker Model Runner to run embedding models
With Model Runner, you don’t have to worry about setting up environments or dependencies. Just pull a model, start the runner, and you’re ready to generate embeddings, all inside a familiar Docker workflow.
Full data privacy
Your sensitive data never leaves your environment. Whether you’re embedding source code, internal documents, or customer content, you can rest assured that everything stays local — no third-party API calls, no network exposure.
Zero cost per embedding
There are no usage-based API costs. Once you have the model running locally, you can generate, update, or rebuild your embeddings as often as you need, at no extra cost.
That means iterating on your dataset or experimenting with new prompts won’t affect your budget.
Performance and control
Run the model that best fits your use case, leveraging your own CPU or GPU for inference.
Models are distributed as OCI artifacts, so they integrate seamlessly into your existing Docker workflows, CI/CD pipelines, and local development setups. This means you can manage and version models just like any other container image, ensuring consistency and reproducibility across environments.
Model Runner lets you bring models to your data, not the other way around, unlocking local, private, and cost-effective AI workflows.
Hands-on: Generating embeddings with Docker Model Runner
Now that we understand what embeddings are and how they capture semantic meaning, let’s see how simple it is to generate embeddings locally using Model Runner.
Step 1. Pull the model
docker model pull ai/qwen3-embedding Step 2. Generate Embeddings
You can now send text to this endpoint via curl or your preferred HTTP client:
curl http://localhost:12434/engines/v1/embeddings \ -H "Content-Type: application/json" \ -d '{ "model": "ai/qwen3-embedding", "input": "A dog is an animal" }' The response will include a list of embedding vectors, which is a numerical representation of your input text.
You can store these vectors in a vector database like Milvus, Qdrant, or pgvector to perform semantic search or similarity queries.
Example use case: Semantic search over your codebase
Let’s make it practical.
Imagine you want to enable semantic code search across your project repository.
The process will look like:
Step 1. Chunk and embed your code
Split your codebase into logical chunks. Generate embeddings for each chunk using your local Docker Model Runner endpoint.
Step 2. Store embeddings
Save those embeddings along with metadata (file name, path, etc.). You would usually use a Vector Database to store these embeddings, but in this demo, we’re going to store them in a file for simplicity.
Step 3. Query by meaning
When a developer searches “user login”, you embed the query and compare it to your stored vectors using cosine similarity.
We have included a demo in the Docker Model Runner repository that does exactly that.
Figure 1: Codebase example demo with embeddings stats, example queries, and search results.
Conclusion
Embeddings help applications work with intelligent meaning, not just keywords. The old hassle was wiring up third-party APIs, juggling data privacy, and watching per-call costs creep up.
Docker Model Runner flips the script. Now, you can run embedding models locally where your data lives with full control over your data and infrastructure. Ship semantic search, RAG pipelines, or custom search with a consistent Docker workflow — private, cost-effective, and reproducible.
No usage fees. No external dependencies. By bringing models directly to your data, Docker makes it easier than ever to explore, experiment, and innovate, safely and at your own pace.
How you can get involved
The strength of Docker Model Runner lies in its community, and there’s always room to grow. We need your help to make this project the best it can be. To get involved, you can:
Star the repository: Show your support and help us gain visibility by starring the Docker Model Runner repo. Contribute your ideas: Have an idea for a new feature or a bug fix? Create an issue to discuss it. Or fork the repository, make your changes, and submit a pull request. We’re excited to see what ideas you have! Spread the word: Tell your friends, colleagues, and anyone else who might be interested in running AI models with Docker. We’re incredibly excited about this new chapter for Docker Model Runner, and we can’t wait to see what we can build together. Let’s get to work!
Get started with Docker Model Runner →
Learn more
Check out Docker Model Runner integration with vLLM announcement Visit our Model Runner GitHub repo! Docker Model Runner is open-source, and we welcome collaboration and contributions from the community! Get started with Docker Model Runner with a simple hello GenAI application
View the full article
- 0 comments
- 63 views
-
- 0 comments
- 659 views
-
- 0 comments
- 65 views
-
This review spotlights a premier educational offering engineered specifically for Bangalore’s tech workforce: the Java with Springboot Training in Bangalore. Here’s why this program represents a strategic investment for developers committed to advancing their careers in one of the world’s most dynamic tech hubs.
The Bangalore Context: Why Spring Boot Skills Are Non-Negotiable
Bangalore’s technology ecosystem thrives on innovation, with companies across sectors—from established IT services firms to agile SaaS startups—embracing microservices and cloud-native architectures. Spring Boot has become the framework of choice for these implementations, offering developers the ability to create production-ready applications with remarkable efficiency.
For professionals in Bangalore, mastering Spring Boot translates to:
Enhanced employability across backend development, cloud engineering, and full-stack roles Alignment with industry trends toward containerized applications and distributed systems Competitive salary positioning in a market that rewards specialized technical expertise Versatility across company types—from multinational corporations to innovative Bangalore-based startups Curriculum Deep Dive: What You’ll Actually Learn
The Java with Springboot Training in Bangalore provides a comprehensive learning pathway that progresses from foundational principles to sophisticated implementation patterns:
Core Technical Competencies:
Spring Framework Fundamentals: Master Dependency Injection, Aspect-Oriented Programming, and Spring MVC architecture Spring Boot Application Development: Build production-grade applications with auto-configuration and embedded servers RESTful Web Services: Design and implement scalable, secure APIs following industry best practices Data Persistence Strategies: Work with Spring Data JPA, Hibernate, and advanced database integration techniques Microservices Architecture: Design, develop, and deploy independent service-based systems Application Security: Implement robust authentication and authorization using Spring Security Advanced Integrations: Connect applications with messaging systems (Kafka/RabbitMQ), caching solutions (Redis), and third-party APIs Testing Methodologies: Apply comprehensive testing approaches from unit tests to end-to-end validation Differentiating Factors: Why This Program Excels
Beyond comprehensive content, several distinguishing features make this training particularly valuable for Bangalore’s tech community:
Expert Mentorship from Industry Authority: The program is guided by Rajesh Kumar, whose 20+ years of international experience encompasses development, operations, and architecture. His practical insights bridge the gap between theoretical knowledge and real-world implementation—particularly valuable in Bangalore’s results-driven environment. Project-Based Learning with Local Relevance: Case studies and projects mirror challenges faced by Bangalore-based organizations, ensuring skills are directly applicable to local market needs. Flexible Learning Modalities: Designed for Bangalore’s busy professionals, the program offers weekend batches, evening sessions, and corporate training options. Career Advancement Support: The training includes guidance on portfolio development, interview techniques, and navigating Bangalore’s specific technology hiring landscape. DevOpsSchool: A Trusted Educational Partner in Bangalore
The institution behind the training significantly impacts learning outcomes. DevOpsSchool has established credibility as a specialized educational provider through:
Focused Technology Expertise: Concentrating exclusively on high-demand areas including DevOps, Cloud platforms, Container orchestration, and modern development frameworks Industry-Aligned Curriculum: Course content evolves based on direct input from Bangalore’s technology employers and shifting industry standards Professional Community Access: Students connect with Bangalore’s broader tech ecosystem through alumni networks, forums, and industry events Practical Learning Orientation: Emphasis on hands-on implementation and real-world problem-solving rather than theoretical abstraction Value Proposition: Clear Benefits for Bangalore Professionals
Program FeatureDirect Career Impact in BangaloreComprehensive Spring Boot MasteryPositions you for senior developer and technical architect rolesReal-World Project ExperienceProvides tangible evidence of expertise for interviews with top tech firmsMicroservices & Cloud ExpertiseAligns with Bangalore’s industry movement toward distributed architecturesIndustry Best PracticesPrepares you for the quality standards of Bangalore’s leading technology companiesFlexible Learning OptionsEnables skill development alongside professional commitments Target Audience: Who Will Benefit Most?
This program delivers exceptional value for:
Java developers in Bangalore seeking to modernize their skills with Spring Boot and microservices Software engineers aiming to transition into backend or cloud-native development roles IT professionals building enterprise-grade applications for Bangalore’s diverse market Career-focused individuals preferring structured, mentor-guided education over self-directed learning Corporate teams needing to upskill development staff with current, industry-relevant technologies Advance Your Technical Career in Bangalore’s Innovation Hub
The Java with Springboot Training in Bangalore from DevOpsSchool represents more than skill development—it’s strategic career investment. In Bangalore’s innovation-driven environment, possessing expert-level Spring Boot knowledge positions you for leadership roles, challenging projects, and accelerated professional growth.
Ready to advance your development capabilities in Bangalore’s competitive tech landscape? This training provides the comprehensive knowledge, practical experience, and professional guidance needed to excel.
Take the decisive step toward becoming a Spring Boot expert in Bangalore:
Email: [email protected] Phone & WhatsApp (India): +91 84094 92687 Phone & WhatsApp (USA): +1 (469) 756-6329 Website: https://www.devopsschool.com/ Invest in expertise that Bangalore’s technology sector demands. Build with precision, lead with innovation.
View the full article
- 0 comments
- 69 views
-
The Modern Java Ecosystem: Spring Boot’s Transformative Approach
Java continues to dominate enterprise software development, with Spring Boot revolutionizing application development through its convention-over-configuration methodology. This powerful framework simplifies production-ready application creation by reducing boilerplate code and configuration complexity. For Hyderabad’s growing technology community—including established IT companies, emerging startups, and enterprise development centers—mastering Java with Spring Boot enables faster development cycles, streamlined deployment processes, and enhanced application performance. Engaging in focused Java with Spring Boot training in Hyderabad provides the essential foundation for building contemporary, enterprise-grade applications that meet evolving business requirements.
Addressing the Skills Gap: Practical Learning Solutions
While online resources offer theoretical knowledge, they often lack the structured methodology needed for mastering Spring Boot in real-world development contexts. Professional Java with Spring Boot training in Hyderabad addresses this educational gap through:
Comprehensive Learning Pathway: Systematic progression from Java fundamentals to advanced Spring Boot concepts Hands-On Development Sessions: Practical coding workshops building real-world applications Industry Best Practices: Proven methodologies for creating maintainable, scalable backend architectures Expert-Led Instruction: Guidance from experienced developers with Hyderabad-specific industry insights Project-Based Learning: Implementation of complete applications from concept to deployment This practical approach transforms theoretical knowledge into applicable skills, ensuring immediate implementation in professional settings and enhancing career prospects for Hyderabad’s technology professionals.
A Premier Educational Platform: The DevOpsSchool Advantage
Selecting the right learning platform is crucial for effective skill development. DevOpsSchool has established itself as a leading provider of technology education, offering comprehensive programs across software development, DevOps, cloud technologies, and enterprise frameworks. The platform distinguishes itself through its practitioner-focused methodology, combining theoretical knowledge with hands-on implementation to ensure immediate workplace applicability.
The DevOpsSchool educational framework includes:
Industry-Relevant Curriculum: Content continuously updated to reflect current tools, technologies, and market demands Flexible Learning Formats: Options including classroom sessions in Hyderabad, live online instruction, weekend batches, and corporate training Certification Preparation: Structured guidance for industry-recognized credentials that validate skills and enhance professional credibility Practical Implementation: Real-world projects and case studies that bridge the gap between learning and professional application Career Support Services: Interview preparation, resume building, and placement assistance for participants Continuous Learning Access: Lifetime access to updated materials and community support Engaging with DevOpsSchool represents a strategic investment in career development, offering practical skills that address Hyderabad’s growing demand for Spring Boot expertise across various industries including healthcare, finance, and IT services.
Comprehensive Learning Curriculum: From Fundamentals to Mastery
The intensive Java with Spring Boot training in Hyderabad curriculum is meticulously designed to develop both foundational understanding and advanced implementation capabilities:
Core Learning Modules:
Java Programming Fundamentals: Modern Java features, object-oriented principles, collections framework, and functional programming concepts Spring Framework Core: Dependency Injection, Aspect-Oriented Programming, Spring MVC architecture, and data access strategies Spring Boot Essentials: Auto-configuration mechanisms, starter dependencies, embedded servers, and application properties management RESTful API Development: Building scalable REST APIs, request handling, response formatting, and API documentation with Swagger Data Persistence Solutions: Spring Data JPA implementation, database integration, transaction management, and query optimization Security Implementation: Spring Security configuration, authentication mechanisms, authorization protocols, and OAuth2 integration Testing Methodologies: Comprehensive unit testing with JUnit, integration testing, and test-driven development practices Deployment Strategies: Containerization with Docker, CI/CD pipeline integration, and cloud deployment methodologies Advanced Specialization Topics:
Microservices Architecture: Distributed system design with Spring Cloud, service discovery, and API gateway implementation Reactive Programming: Spring WebFlux, reactive data access, and non-blocking application development Performance Optimization: Caching strategies with Redis/Ehcache, database optimization techniques, and application monitoring Cloud-Native Development: Deploying Spring Boot applications to AWS, Azure, and Google Cloud platforms Real-World Project Implementation: Capstone project developing complete enterprise applications with front-end integration Expert Mentorship: Learning from Industry Authority Rajesh Kumar
The program’s distinctive quality stems from mentorship by Rajesh Kumar, a globally recognized technology expert with over two decades of pioneering experience across software development, DevOps, and enterprise architecture. While renowned for his expertise in cloud technologies, container orchestration, and DevOps methodologies, Rajesh brings comprehensive understanding of modern application development frameworks and architectural best practices.
Education under Rajesh Kumar’s guidance provides access to insights developed through extensive practical implementation across international projects. His instructional philosophy emphasizes architectural thinking, code quality, and production-readiness, ensuring participants understand both technical implementation and business impact considerations. This holistic approach guarantees that the training maintains industry-relevant standards and delivers tangible professional value to Hyderabad’s growing developer community.
Hyderabad’s Growing Demand for Spring Boot Expertise
Hyderabad’s expanding technology ecosystem presents unique opportunities that make Spring Boot skills particularly valuable:
Pharmaceutical and Healthcare Hub: Growing need for enterprise applications in healthcare and life sciences industries Financial Technology Growth: Increasing demand for robust banking and financial applications Emerging Startup Ecosystem: Rapidly developing startup community requiring efficient application development capabilities IT Services Expansion: Established IT companies enhancing their enterprise application development services Educational Institution Partnerships: Growing collaborations between industry and academic institutions for skill development Government Digital Initiatives: Increasing digital transformation projects across public sector organizations Training Methodology Comparison
Evaluation CriteriaProfessional Classroom TrainingOnline Learning PlatformsSelf-Directed StudyLearning StructureSystematic, instructor-guided progression with personalized attentionOften fragmented, lacking cohesive structureUnorganized, potentially overwhelmingPractical ExperienceHands-on labs with immediate instructor support and feedbackLimited practical exercises, minimal guidanceDependent on personal projects, no expert reviewProblem ResolutionReal-time expert assistance during learning sessionsDelayed forum responses, varying qualityTime-consuming self-research, potential frustrationNetworking OpportunitiesDirect interaction with industry professionals and peersLimited community engagementMinimal professional connectionsProject GuidanceMentored implementation of real-world projectsTheoretical examples without practical applicationNo structured project development supportCareer AdvancementIndustry insights, interview preparation, and placement supportBasic information without personalized guidanceNo career development assistanceHyderabad-Specific ContextLocal industry insights and Hyderabad market understandingGeneric content without regional relevanceNo local market awareness Career Opportunities with Spring Boot Skills
Mastering Spring Boot opens diverse career pathways in Hyderabad’s technology market:
Backend Development Specialist: Focusing on server-side application development and optimization Full-Stack Development Professional: Building complete applications with modern frameworks API Development Expert: Designing and implementing enterprise-grade RESTful services Microservices Architecture Consultant: Designing distributed systems for Hyderabad’s growing enterprise sector Technical Leadership Roles: Leading development teams in Hyderabad’s expanding IT companies Solution Architecture Positions: Designing enterprise solutions for Hyderabad’s traditional and emerging industries Ideal Program Participants
This comprehensive program serves multiple professional segments:
Experienced Java Developers upgrading skills to modern Spring Boot frameworks Software Engineers transitioning to enterprise backend development roles Full-Stack Developers enhancing their server-side development capabilities Recent Technical Graduates building industry-relevant development skills IT Professionals shifting to Java-based development careers Technical Managers understanding modern application development practices Career Transition Professionals entering Hyderabad’s growing tech sector Program Delivery Methodology
The training methodology emphasizes practical implementation:
70% Hands-On Coding: Extensive programming exercises and real project development 20% Theoretical Foundation: Essential framework concepts and architectural principles 10% Industry Practices: Production standards, best practices, and Hyderabad market insights Real Application Development: Building deployable applications with industry relevance Code Quality Emphasis: Expert reviews focusing on maintainability and scalability Industry Case Studies: Real-world examples from Hyderabad’s technology landscape Hyderabad’s Educational Advantages
The city offers distinctive benefits for technology learners:
Strong Educational Foundation: Presence of premier engineering and technology institutions Growing Tech Community: Expanding developer networks and professional communities Industry-Academia Collaboration: Increasing partnerships between companies and educational institutions Cost-Effective Learning: Quality education at competitive pricing structures Regional Industry Focus: Understanding of Hyderabad’s specific industry requirements Cultural Learning Environment: Supportive educational atmosphere conducive to skill development Measurable Learning Outcomes
Participants achieve comprehensive skill development:
Production-Ready Development Skills: Ability to build and deploy enterprise applications Framework Proficiency: Comprehensive understanding of Spring Boot ecosystem Architectural Competence: Knowledge of system design principles and patterns Problem-Solving Capability: Skills to address complex development challenges Industry Recognition: Enhanced employability in Hyderabad’s growing tech market Certification Achievement: Industry-recognized credentials validating expertise Flexible Learning Options
The program accommodates diverse learner needs:
Weekend Learning Programs: For working professionals balancing career and education Weekday Intensive Courses: For focused, accelerated skill development Corporate Training Solutions: Customized programs for organizational teams Hybrid Learning Models: Combining online convenience with classroom interaction Part-Time Learning Options: Flexible schedules for various professional commitments Project-Focused Learning: Emphasis on practical implementation and portfolio development Conclusion: Building Your Development Career in Hyderabad
In Hyderabad’s expanding technology environment, specialized skills in Java and Spring Boot provide significant advantages for career progression and professional success. Pursuing comprehensive Java with Spring Boot training in Hyderabad represents a strategic investment that delivers measurable returns through enhanced capabilities, successful project implementation, and professional recognition.
The integration of expert instruction, practical curriculum, and hands-on project work creates a transformative learning experience that prepares developers for the evolving demands of Hyderabad’s technology sector. As organizations increasingly adopt modern frameworks and digital transformation accelerates across traditional industries, expertise in Spring Boot becomes increasingly valuable for individual advancement and organizational innovation.
Ready to enhance your backend development capabilities in Hyderabad’s growing tech market? Contact DevOpsSchool today to explore learning opportunities, Hyderabad batch schedules, or customized organizational training solutions.
Contact DevOpsSchool:
Email: [email protected] Phone & WhatsApp (India): +91 84094 92687 Phone & WhatsApp (USA): +1 (469) 756-6329 Website: DevOpsSchool Begin your journey toward backend development excellence. Explore comprehensive program details here: Java with Spring Boot training in Hyderabad
View the full article
- 0 comments
- 64 views
-
The Modern Java Ecosystem: Spring Boot’s Revolutionary Impact
Java maintains its stronghold in enterprise software development, with Spring Boot transforming application development through its convention-over-configuration methodology. This sophisticated framework simplifies production-ready application creation by reducing boilerplate code and configuration complexity. For Chennai’s growing technology community—including established IT companies, emerging startups, and enterprise development centers—mastering Java with Spring Boot enables accelerated development cycles, streamlined deployment processes, and enhanced application performance. Participating in focused Java with Spring Boot training in Chennai establishes the essential foundation for building modern, enterprise-grade applications that meet evolving business requirements.
Addressing the Skills Gap: Practical Learning Approaches
While digital resources provide theoretical knowledge, they often lack the structured methodology needed for mastering Spring Boot in real-world development contexts. Professional Java with Spring Boot training in Chennai addresses this educational gap through:
Structured Learning Progression: Systematic advancement from Java fundamentals to advanced Spring Boot concepts Practical Development Sessions: Hands-on coding workshops building real-world applications Industry Best Practices: Proven methodologies for creating maintainable, scalable backend architectures Expert-Led Instruction: Guidance from experienced developers with Chennai-specific industry insights Project-Based Learning: Implementation of complete applications from concept to deployment This practical approach transforms theoretical knowledge into applicable skills, ensuring immediate implementation in professional settings and enhancing career prospects for Chennai’s technology professionals.
A Leading Educational Platform: The DevOpsSchool Advantage
Selecting the right learning platform is crucial for effective skill development. DevOpsSchool has established itself as a premier provider of technology education, offering comprehensive programs across software development, DevOps, cloud technologies, and enterprise frameworks. The platform distinguishes itself through its practitioner-focused methodology, combining theoretical knowledge with hands-on implementation to ensure immediate workplace applicability.
The DevOpsSchool educational framework includes:
Industry-Relevant Curriculum: Content continuously updated to reflect current tools, technologies, and market demands Flexible Learning Formats: Options including classroom sessions in Chennai, live online instruction, weekend batches, and corporate training Certification Preparation: Structured guidance for industry-recognized credentials that validate skills and enhance professional credibility Practical Implementation: Real-world projects and case studies that bridge the gap between learning and professional application Career Support Services: Interview preparation, resume building, and placement assistance for participants Continuous Learning Access: Lifetime access to updated materials and community support Engaging with DevOpsSchool represents a strategic investment in career development, offering practical skills that address Chennai’s growing demand for Spring Boot expertise across various industries including healthcare, finance, automotive, and IT services.
Comprehensive Learning Curriculum: From Fundamentals to Mastery
The intensive Java with Spring Boot training in Chennai curriculum is meticulously designed to develop both foundational understanding and advanced implementation capabilities:
Core Learning Modules:
Java Programming Fundamentals: Modern Java features, object-oriented principles, collections framework, and functional programming concepts Spring Framework Core: Dependency Injection, Aspect-Oriented Programming, Spring MVC architecture, and data access strategies Spring Boot Essentials: Auto-configuration mechanisms, starter dependencies, embedded servers, and application properties management RESTful API Development: Building scalable REST APIs, request handling, response formatting, and API documentation with Swagger Data Persistence Solutions: Spring Data JPA implementation, database integration, transaction management, and query optimization Security Implementation: Spring Security configuration, authentication mechanisms, authorization protocols, and OAuth2 integration Testing Methodologies: Comprehensive unit testing with JUnit, integration testing, and test-driven development practices Deployment Strategies: Containerization with Docker, CI/CD pipeline integration, and cloud deployment methodologies Advanced Specialization Topics:
Microservices Architecture: Distributed system design with Spring Cloud, service discovery, and API gateway implementation Reactive Programming: Spring WebFlux, reactive data access, and non-blocking application development Performance Optimization: Caching strategies with Redis/Ehcache, database optimization techniques, and application monitoring Cloud-Native Development: Deploying Spring Boot applications to AWS, Azure, and Google Cloud platforms Real-World Project Implementation: Capstone project developing complete enterprise applications with front-end integration Expert Mentorship: Learning from Industry Authority Rajesh Kumar
The program’s distinctive quality stems from mentorship by Rajesh Kumar, a globally recognized technology expert with over two decades of pioneering experience across software development, DevOps, and enterprise architecture. While renowned for his expertise in cloud technologies, container orchestration, and DevOps methodologies, Rajesh brings comprehensive understanding of modern application development frameworks and architectural best practices.
Education under Rajesh Kumar’s guidance provides access to insights developed through extensive practical implementation across international projects. His instructional philosophy emphasizes architectural thinking, code quality, and production-readiness, ensuring participants understand both technical implementation and business impact considerations. This holistic approach guarantees that the training maintains industry-relevant standards and delivers tangible professional value to Chennai’s growing developer community.
Chennai’s Growing Demand for Spring Boot Expertise
Chennai’s expanding technology ecosystem presents unique opportunities that make Spring Boot skills particularly valuable:
Automotive and Manufacturing Hub: Growing need for enterprise applications in traditional industries undergoing digital transformation Healthcare Technology Growth: Increasing demand for scalable healthcare applications and systems Financial Services Expansion: Development of robust banking and financial applications Startup Ecosystem Development: Emerging startup community requiring rapid application development capabilities IT Services Enhancement: Established IT companies expanding their enterprise application development services Educational Institution Collaboration: Growing partnerships between industry and academic institutions for skill development Training Methodology Comparison
Evaluation CriteriaProfessional Classroom TrainingOnline Learning PlatformsSelf-Directed StudyLearning StructureSystematic, instructor-guided progression with personalized attentionOften fragmented, lacking cohesive structureUnorganized, potentially overwhelmingPractical ExperienceHands-on labs with immediate instructor support and feedbackLimited practical exercises, minimal guidanceDependent on personal projects, no expert reviewProblem ResolutionReal-time expert assistance during learning sessionsDelayed forum responses, varying qualityTime-consuming self-research, potential frustrationNetworking OpportunitiesDirect interaction with industry professionals and peersLimited community engagementMinimal professional connectionsProject GuidanceMentored implementation of real-world projectsTheoretical examples without practical applicationNo structured project development supportCareer AdvancementIndustry insights, interview preparation, and placement supportBasic information without personalized guidanceNo career development assistanceChennai-Specific ContextLocal industry insights and Chennai market understandingGeneric content without regional relevanceNo local market awareness Career Opportunities with Spring Boot Skills
Mastering Spring Boot opens diverse career pathways in Chennai’s technology market:
Backend Development Specialist: Focusing on server-side application development and optimization Full-Stack Development Professional: Building complete applications with modern frameworks API Development Expert: Designing and implementing enterprise-grade RESTful services Microservices Architecture Consultant: Designing distributed systems for Chennai’s growing enterprise sector Technical Leadership Roles: Leading development teams in Chennai’s expanding IT companies Solution Architecture Positions: Designing enterprise solutions for Chennai’s traditional industries Ideal Program Participants
This comprehensive program serves multiple professional segments:
Experienced Java Developers upgrading skills to modern Spring Boot frameworks Software Engineers transitioning to enterprise backend development roles Full-Stack Developers enhancing their server-side development capabilities Recent Technical Graduates building industry-relevant development skills IT Professionals shifting to Java-based development careers Technical Managers understanding modern application development practices Career Transition Professionals entering Chennai’s growing tech sector Program Delivery Methodology
The training methodology emphasizes practical implementation:
70% Hands-On Coding: Extensive programming exercises and real project development 20% Theoretical Foundation: Essential framework concepts and architectural principles 10% Industry Practices: Production standards, best practices, and Chennai market insights Real Application Development: Building deployable applications with industry relevance Code Quality Emphasis: Expert reviews focusing on maintainability and scalability Industry Case Studies: Real-world examples from Chennai’s technology landscape Chennai’s Educational Advantages
The city offers distinctive benefits for technology learners:
Strong Educational Foundation: Presence of premier engineering and technology institutions Growing Tech Community: Expanding developer networks and professional communities Industry-Academia Collaboration: Increasing partnerships between companies and educational institutions Cost-Effective Learning: Quality education at competitive pricing structures Regional Industry Focus: Understanding of Chennai’s specific industry requirements Cultural Learning Environment: Supportive educational atmosphere conducive to skill development Measurable Learning Outcomes
Participants achieve comprehensive skill development:
Production-Ready Development Skills: Ability to build and deploy enterprise applications Framework Proficiency: Comprehensive understanding of Spring Boot ecosystem Architectural Competence: Knowledge of system design principles and patterns Problem-Solving Capability: Skills to address complex development challenges Industry Recognition: Enhanced employability in Chennai’s growing tech market Certification Achievement: Industry-recognized credentials validating expertise Flexible Learning Options
The program accommodates diverse learner needs:
Weekend Learning Programs: For working professionals balancing career and education Weekday Intensive Courses: For focused, accelerated skill development Corporate Training Solutions: Customized programs for organizational teams Hybrid Learning Models: Combining online convenience with classroom interaction Part-Time Learning Options: Flexible schedules for various professional commitments Project-Focused Learning: Emphasis on practical implementation and portfolio development Conclusion: Building Your Development Career in Chennai
In Chennai’s expanding technology environment, specialized skills in Java and Spring Boot provide significant advantages for career progression and professional success. Pursuing comprehensive Java with Spring Boot training in Chennai represents a strategic investment that delivers measurable returns through enhanced capabilities, successful project implementation, and professional recognition.
The integration of expert instruction, practical curriculum, and hands-on project work creates a transformative learning experience that prepares developers for the evolving demands of Chennai’s technology sector. As organizations increasingly adopt modern frameworks and digital transformation accelerates across traditional industries, expertise in Spring Boot becomes increasingly valuable for individual advancement and organizational innovation.
Ready to enhance your backend development capabilities in Chennai’s growing tech market? Contact DevOpsSchool today to explore learning opportunities, Chennai batch schedules, or customized organizational training solutions.
Contact DevOpsSchool:
Email: [email protected] Phone & WhatsApp (India): +91 84094 92687 Phone & WhatsApp (USA): +1 (469) 756-6329 Website: DevOpsSchool Begin your journey toward backend development excellence. Explore comprehensive program details here: Java with Spring Boot training in Chennai
View the full article
- 0 comments
- 61 views
-
The Evolving Java Ecosystem: Spring Boot’s Transformative Role
Java maintains its prominence in enterprise software development, with Spring Boot revolutionizing how applications are constructed and deployed. This sophisticated framework simplifies production-grade application development by eliminating much of the configuration complexity traditionally associated with Spring projects. For Bangalore’s diverse technology community—spanning multinational corporations, innovative startups, and established IT companies—mastering Java with Spring Boot enables faster development cycles, streamlined deployment processes, and enhanced application performance. Engaging in focused Java with Spring Boot training in Bangalore provides the essential foundation for building modern, enterprise-ready applications.
Bridging Skills Development: Practical Learning Approaches
While online resources offer introductory knowledge, they often lack the structured approach necessary for mastering complex frameworks like Spring Boot in enterprise contexts. Professional Java with Spring Boot training in Bangalore addresses this educational need through:
Structured Learning Path: Systematic progression from Java fundamentals to advanced Spring Boot features Practical Development Workshops: Hands-on coding sessions building real-world applications Industry Best Practices: Proven methodologies for creating maintainable, scalable backend systems Expert-Led Instruction: Guidance from experienced developers with Bangalore-specific industry insights This comprehensive approach transforms theoretical understanding into practical expertise, ensuring immediate application in professional environments.
A Leading Platform for Technology Education
Selecting the right educational partner is crucial for effective skill development. DevOpsSchool has established itself as a premier destination for technology education, offering comprehensive programs across software development, DevOps, cloud technologies, and enterprise frameworks. The platform distinguishes itself through its commitment to practical, mentor-driven learning that directly translates into professional competency and career advancement.
The DevOpsSchool advantage includes:
Industry-Relevant Curriculum: Content continuously updated by practitioners to reflect current tools and market demands Flexible Learning Formats: Options including classroom sessions in Bangalore, live online instruction, and corporate training Certification Pathways: Structured preparation for credentials that validate skills and enhance professional credibility Hands-On Project Work: Real-world application development and problem-solving exercises Continuous Learning Support: Access to resources, code repositories, and expert guidance beyond course completion Engaging with DevOpsSchool represents an investment in education that emphasizes practical application and career-focused outcomes.
Comprehensive Curriculum: Java and Spring Boot Mastery
The intensive Java with Spring Boot training in Bangalore curriculum is designed to develop both foundational understanding and advanced implementation skills:
Core Learning Components:
Java Fundamentals Review: Modern Java features, object-oriented principles, and functional programming Spring Framework Essentials: Dependency Injection, Aspect-Oriented Programming, and Spring MVC Spring Boot Core Concepts: Auto-configuration, starter dependencies, and embedded servers REST API Development: Building robust, scalable RESTful web services Data Access and Management: Spring Data JPA, database integration, and transaction management Security Implementation: Spring Security, authentication, and authorization mechanisms Testing Strategies: Unit testing, integration testing, and test-driven development Deployment and DevOps Integration: Containerization with Docker, CI/CD pipeline integration Advanced Topics Covered:
Microservices Architecture: Building distributed systems with Spring Cloud Reactive Programming: Spring WebFlux and reactive data access Performance Optimization: Caching strategies, database optimization, and monitoring Cloud-Native Development: Deploying Spring Boot applications to cloud platforms Real-World Project: Capstone project implementing full-stack application development Learning from Industry Authority Rajesh Kumar
The program’s exceptional quality is anchored in mentorship from Rajesh Kumar, an internationally recognized expert with over two decades of pioneering experience across software development, DevOps, and enterprise architecture. While renowned for his expertise in DevOps, cloud technologies, and container orchestration, Rajesh brings comprehensive understanding of modern application development frameworks and architectural patterns.
Education under Rajesh Kumar’s guidance provides insights developed through extensive practical implementation across global projects. His instructional approach emphasizes architectural thinking and production-readiness, ensuring participants understand both coding practices and system design considerations. This methodology guarantees that the training maintains rigorous standards and delivers tangible professional value.
Why Bangalore Needs Spring Boot Expertise
Bangalore’s technology ecosystem presents unique opportunities that make Spring Boot skills particularly valuable:
Enterprise Software Hub: Home to numerous companies building large-scale enterprise applications Startup Innovation Center: Booming startup ecosystem requiring rapid application development Digital Transformation Initiatives: Organizations modernizing legacy systems and adopting microservices Global Delivery Centers: International companies developing solutions for global markets Talent Development Focus: Strong emphasis on continuous skill enhancement and professional growth Training Approach Comparison
Evaluation FactorProfessional Classroom TrainingOnline TutorialsSelf-Study ApproachLearning StructureSystematic, mentor-guided progressionFragmented, often incomplete coverageUnstructured, potentially overwhelmingPractical ExperienceHands-on labs with instructor supportLimited coding examples, no feedbackDependent on personal project ideasProblem ResolutionImmediate expert assistance during sessionsForum-based, delayed responsesSelf-research, time-consumingNetworking OpportunitiesDirect interaction with peers and industry professionalsIsolated learning experienceLimited professional connectionsProject GuidanceMentored capstone project developmentTheoretical project suggestionsNo expert review or feedbackCareer SupportIndustry insights and professional guidanceInformation only, no personalized adviceNo career development support Career Pathways with Java Spring Boot Skills
Mastering Spring Boot opens multiple career opportunities in Bangalore’s technology market:
Backend Developer: Specializing in server-side application development Full-Stack Engineer: Building complete applications with modern frameworks API Developer: Designing and implementing RESTful web services Microservices Architect: Designing distributed system architectures Technical Lead: Guiding development teams and architectural decisions Target Audience
This program is ideally suited for:
Java Developers seeking to modernize their skills with Spring Boot Software Engineers transitioning to backend development roles Full-Stack Developers enhancing their server-side capabilities Technical Graduates building enterprise-ready development skills IT Professionals moving into Java-based development roles Technical Managers understanding modern application development practices Program Delivery Methodology
The training employs a practical, hands-on approach:
70% Practical Coding: Extensive programming exercises and project work 20% Theoretical Concepts: Essential framework principles and architecture 10% Best Practices: Industry standards and production considerations Real-World Projects: Development of actual applications from concept to deployment Code Reviews: Expert feedback on implementation approaches and code quality Bangalore’s Tech Infrastructure Advantage
The city offers unique advantages for technology learners:
Industry Connections: Direct access to technology companies and professionals Learning Community: Vibrant developer communities and meetups Infrastructure Support: State-of-the-art training facilities and resources Career Opportunities: Immediate application of skills in local job market Continuous Learning: Access to workshops, conferences, and tech events Success Metrics
Participants typically achieve:
Production-Ready Skills: Ability to develop deployable applications Framework Mastery: Comprehensive understanding of Spring Boot ecosystem Architectural Understanding: Knowledge of system design and best practices Problem-Solving Ability: Skills to tackle complex development challenges Career Advancement: Enhanced job prospects and professional recognition Learning Flexibility Options
The program accommodates diverse learner needs:
Weekend Batches: For working professionals balancing career and education Weekday Intensive Programs: For focused, accelerated learning Corporate Training: Customized programs for organizational teams Hybrid Learning: Combining online and classroom experiences Project-Based Learning: Emphasis on practical implementation Conclusion: Building Your Development Future in Bangalore
In Bangalore’s competitive technology environment, specialized skills in Java and Spring Boot provide significant advantages for career advancement and professional influence. Pursuing comprehensive Java with Spring Boot training in Bangalore represents a strategic investment that delivers measurable returns through enhanced capabilities, successful project implementation, and professional recognition.
The combination of expert instruction, practical curriculum, and hands-on project work creates a transformative learning experience that prepares developers for the evolving demands of the software industry. As organizations increasingly adopt modern frameworks and cloud-native architectures, expertise in Spring Boot becomes increasingly valuable for individual advancement and organizational success.
Ready to advance your backend development capabilities? Contact DevOpsSchool today to explore learning opportunities, Bangalore batch schedules, or customized organizational solutions.
Contact DevOpsSchool:
Email: [email protected] Phone & WhatsApp (India): +91 84094 92687 Phone & WhatsApp (USA): +1 (469) 756-6329 Website: DevOpsSchool Begin your journey toward backend development mastery. Explore comprehensive program details here: Java with Spring Boot training in Bangalore
View the full article
- 0 comments
- 68 views
-
The Evolution of Technical Learning Environments
Technology education has experienced a profound shift, transitioning from certification-centric programs to immersive, application-focused learning journeys. As enterprises increasingly implement DevOps principles, cloud-native infrastructures, and automated workflows, the demand for authentic, hands-on training has intensified. The most impactful learning experiences transcend curriculum to include the expertise and teaching methodology of instructors. Direction from top DevOps & different tools trainers ensures professionals can implement solutions with confidence across diverse work environments.
Distinguishing Exceptional Training Professionals
Identifying effective training begins with recognizing what differentiates superior instructors from conventional educators. The most accomplished trainers typically demonstrate these essential qualities:
Real-World Industry Experience: Practical implementation knowledge derived from enterprise environments Current Technical Proficiency: Up-to-date familiarity with evolving tools, platforms, and methodologies Clear Communication Skills: Ability to translate complex concepts into comprehensible, applicable knowledge Validated Instructional Approaches: Structured methods that balance theoretical foundations with practical implementation Industry-Relevant Content: Curriculum anchored in contemporary challenges and proven solutions These attributes ensure learning outcomes translate into immediate workplace value, extending well beyond certification attainment.
A Premier Destination for Technology Education
Selecting the appropriate educational platform is fundamental to successful skill development. DevOpsSchool has positioned itself as a leading provider of technology education, offering comprehensive programs across DevOps, cloud computing, containerization, and automation. What distinguishes this platform is its dedication to practical, mentor-led learning that directly enhances professional capability and career trajectory.
The DevOpsSchool advantage encompasses:
Industry-Aligned Curriculum: Content continuously refreshed by practitioners to reflect current tools and market demands Flexible Learning Formats: Multiple options including live online sessions, in-person instruction, and customized corporate training Certification Preparation: Structured guidance for credentials that validate skills and enhance professional credibility Continuous Learning Community: Access to resources, forums, and networking extending beyond program completion Enterprise Solutions: Tailored programs designed to elevate organizational team capabilities Engaging with this educational platform represents an investment in practical, career-advancing learning.
Learning from Industry Authority Rajesh Kumar
The foundation of exceptional training programs lies in the quality of mentorship and instruction. Prominent programs frequently feature guidance from Rajesh Kumar, an internationally recognized expert with over two decades of pioneering work across DevOps, DevSecOps, Site Reliability Engineering (SRE), and Cloud-Native technologies. His expertise spans critical domains including Kubernetes, DataOps, AIOps, MLOps, and comprehensive cloud platforms.
Education under Rajesh Kumar’s guidance provides access to insights cultivated through extensive practical implementation across global initiatives. His instructional philosophy emphasizes strategic application, ensuring participants understand both technical execution and business implications. This methodology guarantees training maintains rigorous standards, aligns with industry requirements, and delivers measurable professional value.
Comprehensive Learning Pathways
Quality training platforms offer structured progression through essential skill development:
Core Technology Areas:
DevOps Fundamentals: Principles, practices, and cultural dimensions of DevOps transformation Cloud Platform Mastery: Comprehensive training across AWS, Azure, Google Cloud, and hybrid environments Containerization Expertise: Docker, Kubernetes, and container orchestration at operational scale Automation Frameworks: Infrastructure as Code, configuration management, and CI/CD pipeline implementation Security Integration: DevSecOps practices and security automation within development workflows Monitoring and Observability: Modern approaches to system monitoring, logging, and performance optimization Advanced Specializations:
Site Reliability Engineering (SRE): Implementing SRE principles and operational excellence DataOps and MLOps: Streamlining data pipelines and machine learning operations Cloud-Native Development: Building and deploying applications using cloud-native principles Infrastructure Automation: Advanced implementation with Terraform, Ansible, and Puppet Training Methodology Comparison
Assessment FactorExpert-Led Professional TrainingStandard Online CoursesSelf-Guided LearningInstructional QualityGuided by industry practitioners with extensive implementation experienceOften delivered by instructors with limited real-world exposureNo expert guidance or mentorshipCurriculum DepthComprehensive coverage from basics to advanced implementationTypically fragmented, focusing on specific tools without contextUnstructured, potentially overwhelmingPractical ApplicationExtensive hands-on laboratories based on real-world scenariosLimited examples and theoretical exercisesDependent on personal project availabilityLearning FlexibilityMultiple formats including live interactive sessionsPrimarily self-paced, pre-recorded contentCompletely self-directedProfessional SupportDirect access to mentors and professional networksForum-based, delayed responsesIsolated learning experienceCareer ImpactIndustry recognition and certification pathwaysKnowledge without formal credential alignmentNo professional validation The Contemporary Need for Quality Training
Modern professionals encounter several challenges that make quality training essential:
Rapid Technological Evolution: Tools and platforms evolve continuously, demanding ongoing education Industry Skill Deficiencies: Organizations experience difficulties finding talent with current, relevant expertise Career Advancement Requirements: Professionals must consistently upgrade skills to maintain competitiveness Implementation Complexities: Theoretical knowledge alone fails to guarantee successful deployment Certification Significance: Industry-recognized credentials increasingly influence hiring and promotion decisions Current Industry Requirements
Market trends indicate substantial demand for professionals skilled in:
Cloud Migration and Management: Steering organizations through cloud adoption and optimization Container Orchestration: Implementing and administering Kubernetes in production environments Infrastructure as Code: Automating infrastructure provisioning and management CI/CD Pipeline Development: Building and sustaining efficient delivery pipelines Security Automation: Integrating security throughout development and deployment processes Monitoring Solutions: Implementing comprehensive observability and monitoring systems Formulating Your Learning Strategy
Developing an effective professional development approach involves:
Assessment Phase:
Current Skills Analysis: Honest evaluation of existing knowledge and skill gaps Career Objectives Formulation: Clear articulation of professional goals and desired outcomes Industry Trends Examination: Understanding market requirements and emerging opportunities Learning Preference Identification: Recognizing preferred instructional methods and formats Selection Criteria:
Instructor Qualifications: Verifying trainer experience and industry recognition Curriculum Pertinence: Ensuring content corresponds with current industry practices Practical Components: Assessing hands-on opportunities and real-world scenarios Community and Support: Evaluating post-training resources and networking possibilities Outcome Validation: Understanding certification value and industry recognition Optimizing Learning Outcomes
Once quality training is identified, successful implementation involves:
Preparatory Foundation: Building fundamental knowledge before advanced training Active Participation: Engaging fully in interactive sessions and discussions Practical Implementation: Applying learned concepts in actual or simulated environments Community Engagement: Participating in professional networks and forums Continuous Development: Maintaining skill enhancement beyond initial training Organizational Advantages
Quality training delivers benefits beyond individual skill development:
Team Capability Enhancement: Upskilling entire teams for improved collaboration and productivity Process Optimization: Implementing efficient workflows and automation Innovation Facilitation: Empowering teams to adopt new technologies and approaches Risk Mitigation: Building expertise to manage complex implementations successfully Competitive Differentiation: Cultivating capabilities that distinguish organizations in the marketplace Measuring Training Efficacy
Quality training programs demonstrate value through:
Immediate Skill Utilization: Practical application of learned concepts in work environments Certification Accomplishment: Successful completion of industry-recognized credentials Career Progression: Promotion, role expansion, or new opportunities following training Organizational Contribution: Tangible improvements in processes, efficiency, or innovation Professional Recognition: Acknowledgment as subject matter experts within organizations Evolving Educational Approaches
The training landscape continues to evolve with these trends:
Personalized Learning Trajectories: Customized training based on individual objectives and skill levels Interactive Learning Platforms: Advanced platforms offering simulated environments and hands-on practice Community-Driven Education: Increased emphasis on peer learning and professional networks Continuous Skill Verification: Ongoing assessment and credentialing beyond initial certification Workflow Integration: Training that connects directly with professional tools and environments Conclusion: Constructing Your Professional Future
In today’s dynamic technology environment, quality education guided by experienced professionals represents a strategic career investment. The journey to expert training extends beyond certification to building practical expertise that delivers immediate value and long-term advancement.
The synthesis of expert mentorship, practical curriculum, and supportive learning environments creates transformative educational experiences that prepare professionals for evolving industry demands. As organizations increasingly prioritize efficient practices, automation, and innovation, expertise guided by experienced practitioners becomes increasingly valuable.
Prepared to advance your technical capabilities with expert guidance? Contact DevOpsSchool today to explore learning opportunities, program schedules, or customized organizational solutions.
Contact DevOpsSchool:
Email: [email protected] Phone & WhatsApp (India): +91 84094 92687 Phone & WhatsApp (USA): +1 (469) 756-6329 Website: DevOpsSchool
View the full article
- 0 comments
- 65 views
-
- 0 comments
- 61 views
-
- 0 comments
- 66 views
-
- 0 comments
- 67 views
-
- 0 comments
- 67 views
-
- 0 comments
- 73 views
-
This reversal from the company that practically wrote the playbook on distributed systems sent shockwaves through the cloud-native community. Amazon later removed the original blog post, but the internet never forgets, as you’ll see later.
I’ve been speaking up against unnecessary or premature use of microservices architecture for five, six years now. After Amazon Prime Video went back to a monolith, I came across several eminent architects who are also speaking against microservices as default.
And yet in most tech circles, microservices are still viewed as the only way to build modern software. They dominate conferences, blogs, and job listings. Teams adopt them not because their requirements justify it, but because it feels like the obvious (and résumé-boosting) choice. “Cloud-native” has become synonymous with “microservices-by-default”, as if other approaches are as obsolete as floppy disks.
Microservices do solve real problems, but at a massive scale. Most teams don’t actually operate at that scale.
With this article, I urge you to reflect on the question the industry has mostly stopped asking: Should microservices be the default choice for building at scale? We’ll look at reversal stories and insights from seasoned architects, and weigh the trade-offs and alternatives. After considering all of this, you can decide whether your problem really needs a constellation of microservices.
Microservices: The Agility-Complexity Trade-Off
On paper, microservices look impressive. Instead of one big monolith, you split your application into many small services. Each one can be written in any language, owned by a small team, and deployed on its own schedule. If you need more capacity, you can scale only the part that’s under load. The promise is elegant: independent deployability, autonomous teams, multi-language stacks, and elastic scaling.
But the catch is that every split creates a seam, and every seam is a potential failure point. Inside a monolith, function calls are instant and predictable. Across services, those same calls become network requests: slower, failure-prone, sometimes returning inconsistent data. With dozens (or hundreds) of services, you need version management, schema evolution, distributed transactions, tracing, centralized logging, and heavy-duty CI/CD pipelines just to keep things running.
This Gartner diagram captures the trade-off perfectly: microservices exchange the simplicity of one codebase for the complexity of many.
At a massive scale (think Netflix), that trade-off may be worth it. But when operational benefits don’t outweigh the costs, teams end up paying a steep price in debugging, coordination, and glue code just to hold their product together.
Microservices make sense in very specific scenarios where distinct business capabilities need independent scaling and deployment. For example, payment processing (security-critical, rarely updated) differs fundamentally from recommendation engine (memory-intensive, constantly A/B tested). These components have different scaling patterns, deployment cycles, and risk profiles, which justify separate services.
The success of microservices hinges on clear business domain boundaries that match your team structure, as Conway’s Law predicts. If your organization naturally splits into autonomous teams that own distinct capabilities, microservices might work. (So, most “one-and-a-half pizza” startups don’t qualify, do they?)
That’s why microservices work effectively for companies like Amazon and Uber—although not always.
In fact, most organizations lack the prerequisites: dedicated service ownership, mature CI/CD, robust monitoring, and crucially, scale that justifies the operational overhead. Startups that adapt microservices prematurely often regret their decision.
So ask yourself:
Are you using microservices to solve an independent scaling problem, or are you inviting more complexity than your solution needs?
The Great Microservices Reversal
Ironically, even though tech giants are the ones that are most likely to benefit from microservices, many of these very same companies are walking back their microservices architectures, and the results are eye-opening.
Amazon Prime Video: 90% Cost Reduction with a Monolith
In May 2023, Amazon engineers admitted the unthinkable: Prime Video had abandoned microservices for a monolith. Their Video Quality Analysis (VQA) team had built what looked like a textbook distributed system: AWS Step Functions and Lambda monitored thousands of video streams through independent, scalable components. On paper, it was serverless perfection.
In practice, it was a disaster. “We realized that distributed approach wasn’t bringing a lot of benefits in our specific use case,” said Marcin Kolny in the now-archived Prime Video Engineering blog. Their “infinitely scalable” system crumbled at just 5% of expected load due to orchestration overhead.
The fix was embarrassingly simple: collapse everything into a single process. It resulted in 90% lower costs and faster performance.
Twilio Segment: From 140 Services to One Fast Monolith
Back in 2018, Twilio Segment, a customer data platform, documented a similar reversal in their brutally honest post “Goodbye Microservices”.
Their system had sprawled into 140+ services, creating operational chaos. At one point, three full-time engineers spent most of their time firefighting instead of building. As they admitted, “Instead of enabling us to move faster, the small team found themselves mired in exploding complexity. Essential benefits of this architecture became burdens. As our velocity plummeted, our defect rate exploded.”
Their solution was radical but effective: collapse all 140+ services into a single monolith. The impact was immediate. Test suites that once took an hour now finished in milliseconds. Developer productivity soared: they shipped 46 improvements to shared libraries in a year, up from 32 in the microservices era.
Shopify: Sanity over Hype
Shopify runs one of the largest Ruby on Rails codebases in the world (2.8M+ lines). Instead of chasing microservices, they deliberately chose a modular monolith: a single codebase with clear component boundaries.
Shopify’s engineers concluded that “microservices would bring their own set of challenges”, so they chose modularity without the operational overhead.
All these examples beg the question:
If even the pioneers of microservices are retreating, why are we still treating it as gospel?
Expert Voices against Microservices Mania
Some of the most respected voices in software architecture—people behind many of the systems we all admire—are also cautioning against microservices and repeating mistakes they’ve seen play out at scale. (After all, cheerleaders don’t play the game; cloud DevRels rarely build at scale.)
Rails Creator: Simplicity over Sophistication
David Heinemeier Hansson (DHH), the creator of Ruby on Rails, has long advocated simplicity over architectural trends. His analysis of the Amazon Prime Video reversal puts it bluntly:
“The real-world results of all this theory are finally in, and it’s clear that in practice, microservices pose perhaps the biggest siren song for needlessly complicating your system.”
DHH’s image of a siren song is apt: microservices promise elegance but leave teams wrecked on the rocks of complexity.
Microservices: Mistake of The Decade?
Jason Warner, former CTO of GitHub, doesn’t mince words while commenting on microservices:
“I’m convinced that one of the biggest architectural mistakes of the past decade was going full microservice.”
Warner understands scale: GitHub runs at internet scale, and he’s led engineering at Heroku and Canonical. His critique cuts deeper because it’s lived experience, beyond theoretical advice:
“90% of all companies in the world could probably just be a monolith running against a primary db cluster with db backups, some caches and proxies and be done with it.”
GraphQL Co-Creator: “Don’t”
Then there’s Nick Schrock, co-creator of GraphQL. If anyone had a reason to cheer for distributed systems, it’d be him. Instead, he says:
“Microservices are such a fundamentally and catastrophically bad idea that there are going to be an entire cohort of multi-billion companies built that do nothing but contain the damage that they have wrought.”
He goes on to describe microservices as organizational gambles:
“[Y]ou end up with these services that you have to maintain forever that match the org structure and the product requirements from five years ago. Today, they don’t make a lot of sense.”
The person who literally built tools to fix distributed system pain says don’t distribute unless you must, maybe it’s time to listen.
Other Voices Questioning Microservice Maximalism
Other engineering leaders are also reconsidering microservice maximalism.
At Uber, Gergely Orosz admitted:
“We’re moving many of our microservices to macroservices (well-sized services). Exactly b/c testing and maintaining thousands of microservices is not only hard – it can cause more trouble long-term than it solves the short-term.”
Uber still runs microservices where they’re justified, but they’re choosing their battles.
Kelsey Hightower, known for his work with Kubernetes and Google Cloud, cut through the microservices hype with CS101:
“I’m willing to wager a monolith will outperform every microservice architecture. Just do the math on the network latency between each service and the amount of serialization and deserialization of each request.”
He subsequently deleted this tweet, but the network math still grades microservices.
When pioneers like these, including those who actually solved distributed systems at scale, start waving red flags, it’s worth taking note.
My question here is:
If GitHub’s CTO thinks 90% of companies don’t need microservices, are you sure yours is part of the 10%?
The Hidden Costs of Microservices
Microservices demand such caution because of these hidden costs that teams often underestimate.
Operational Costs
A monolith is simple: in-process function calls.
Microservices replace that with networks. Every request now travels across machines, through load balancers, service meshes, and authentication layers, creating more failure points and infrastructure needs. You suddenly need service discovery (how services find each other), distributed tracing (tracking requests across services), centralized logging (aggregating logs from multiple services), and monitoring systems that understand service topology.
Each of these is necessary, but together they’re complex and expensive. Duplicated data requires extra storage. Constant service-to-service calls rack up network egress fees. Cloud costs scale faster than the apps they host. Prime Video’s workflow spent more on orchestrating S3 data transfers between services than on actual processing.
Developer Productivity Drain
In microservices, the hard part isn’t writing code; it’s navigating distributed system interactions.
In “The macro problem with microservices“, Stack Overflow identifies a critical productivity drain: distributed state forces developers to write defensive code that constantly checks for partial failures.
In a monolith, a developer can follow a code path end-to-end within one repo. In microservices, one feature might span four or five repos with different dependencies and deploy cycles. Adding a single field triggers weeks of coordination: you need to update one service, then wait for consumers to adopt, version your APIs, manage rollouts, and so on. Different teams will also typically maintain different microservices using different tech stacks, so there’s a risk that they unintentionally break something as well. Breaking changes that a compiler would catch in a monolith now surface as runtime errors in production.
Testing and Deployment Complexity
Monolith integration and end-to-end tests are faster because they run locally, in memory. Distributed systems don’t allow that luxury: real confidence requires integration and end-to-end tests across numerous service boundaries. So these tests are slower, more brittle, and require staging environments that resemble production, all of which effectively double infrastructure costs and slow feedback loops.
Many teams discover this only after their test suite becomes a bottleneck. Deployment orchestration adds another layer. Rolling updates across interdependent services require careful sequencing to avoid breaking contracts. Version incompatibility disturbs frequently: Service A works with Service B v2.1 but breaks with v2.2.
Failed deployments leave systems partially updated and difficult to recover.
Data Management and Consistency
The most underestimated complexity of microservices lies in data consistency across service boundaries.
Monoliths benefit from ACID transactions: operations complete entirely or fail entirely. Microservices split that across services, forcing you to build distributed saga (multi-step workflows with rollback logic), live with eventual consistency (data only becomes correct after a delay), or write compensation logic (extra code to undo partial failures). What was once a single database transaction now spans network hops, retries, and partial failures. Debugging inconsistent orders or payments gets much harder when state is duplicated across services.
As research confirms, data duplication, correctness challenges, and transactional complexity are the top pain points in microservice systems.
The Compounding Effect
These complexities multiply. Operational overhead makes debugging harder, which slows testing, which makes deployments riskier, which creates more incidents. Microservices don’t just shift complexity from code to operations; they tax every part of your engineering process.
Unless your scale demands it, that tax often outweighs the benefits.
Think about it:
If every network hop adds complexity and cost, does your use case really justify the price?
Beyond Microservices: Smarter Architectural Alternatives
Before defaulting to microservices, it’s worth considering how simpler, well-structured architectures can deliver comparable scalability without the distributed complexity tax. Two noteworthy alternatives are modular monoliths and service-oriented architectures.
Modular Monoliths: Structure without Distribution
Unlike traditional monoliths that become tangled messes, modular monoliths enforce strict internal boundaries through clear module APIs and disciplined separation. Each module exposes well-defined interfaces, enabling teams to work independently while deploying a single, coherent system.
As Kent Beck explains in “Monolith -> Services: Theory & Practice”, modular monoliths manage coupling through organizational discipline rather than distributed networks. The key difference: modules still communicate via explicit contracts like microservices, but they use fast, reliable function calls instead of HTTP requests that are vulnerable to network latency and partial failures.
Why does it work?
Simpler operations: microservices-level organization with monolithic simplicity Stronger consistency: full ACID transactions Easier debugging: one traceable system, no hunting for bugs in the ELK haystack Better performance: function calls beat network hops
Here’s some real-world proof: Shopify’s 2.8 million-line codebase handles 30TB per minute with separate teams owning distinct modules, yet everything deploys together. Facebook runs similarly. (And principal architect Keith Adams jokes that if you want to be talked out of microservices, he’s your guy.)
With recent developments in frameworks like Spring Modulith, Django, Laravel, and Rails (as seen at scale with Shopify), modular monoliths are poised to gain wider traction in the years ahead.
Service-Oriented Architecture: The Middle Ground
Service-oriented architecture (SOA) sits between monoliths and microservices, favoring larger, domain-driven services instead of dozens or hundreds of tiny ones. These services often communicate via an enterprise service bus (ESB), which reduces orchestration overhead while preserving separation of concerns.
Instead of splitting authentication, user preferences, and notifications into separate microservices, SOA might combine them into a single “User Service”, simplifying coordination while preserving autonomy and targeted scaling. SOA provides enterprise-grade modularity without ultra-fine-grained distribution overhead.
Here’s why it works:
Right-sized boundaries: fewer, domain-aligned services instead of sprawl Targeted scalability: scale services tied to real business domains Pragmatic complexity: avoids ultra-fine-grained overhead while retaining modular reasoning
SOA has also been proven to work at scale. Norwegian Air Shuttle, Europe’s 9th-largest airline, used SOA to boost agility across complex flight operations. Credit Suisse’s SOA rollout powered millions of service calls per day back in the early 2000s.
Choosing Wisely: Fit over Hype
The problem you’re solving should justify your architecture.
I often use this analogy in consulting: You don’t need a sword to cut a lemon—a knife suffices. And as timeless wisdom reminds us, simplicity is the ultimate sophistication.
In all likelihood, you’re not Google (you don’t need Google-level fault tolerance), or Amazon (you don’t need massive write availability), or LinkedIn (you don’t handle billions of events a day). Most applications don’t operate at that scale, demanding fundamentally different solutions than ultra-distributed architectures.
For most systems, well-structured modular monoliths (for most common applications, including startups) or SOA (enterprises) deliver comparable scalability and resilience as microservices, without the distributed complexity tax. Alternatively, you may also consider well-sized services (macroservices, or what Gartner proposed as miniservices) instead of tons of microservices.
It’s worth asking:
If simpler architectures can deliver comparable scalability, why are you choosing the complexity of microservices?
Docker: Built for Any Architecture
Docker isn’t just for microservices—it works great across all kinds of architectures like monoliths, SOA, APIs, and event-driven systems. The real benefit is that Docker gives you consistent performance, easier deployment, and flexibility to scale up your apps no matter what architectural approach you’re using.
Docker packages applications cleanly, keeps environments consistent from laptop to production, simplifies dependency management, and isolates applications from the host system. A Dockerized monolith offers all these benefits, minus the orchestration overhead of microservices.
Microsoft’s guidance on containerizing monoliths clarifies that scaling containers is “far faster and easier than deploying additional VMs”, whether you run one service or fifty. Twilio Segment observed that containerized monoliths can “horizontally scale your environment easily by spinning up more containers and shutting them down when demand subsides.” For many applications, scaling the whole app is exactly what’s needed.
As for DevOps, a monolith in Docker is lighter to operate than a full-blown microservices setup. Logging aggregation becomes simpler when you’re collecting from identical containers rather than disparate services with different formats. Monitoring and debugging remain centralized, and troubleshooting avoids tracing requests across service boundaries.
So, it’s definitely worth considering:
Even without the complexity of microservices, Docker gives you the same advantages — clean deployments, easy scaling, and consistent environments. So why not keep it?
Wrapping Up
A few years ago, my then-8-year-old wanted a bicycle. He’d mostly ride around our apartment complex, maybe venture into the nearby lane. He didn’t need 21 gears, but those shiny shifters had him smitten—imagine riding faster by changing those gears! He absolutely wanted that mechanically complex beauty. (It’s hard to argue with a starry-eyed kid… or a founder :P).
Once he started riding the new bike, the gears slipped, the chain jammed, and the bicycle spent more time broken than on the road. Eventually, we had to dump it.
I wasn’t able to convince him back then that a simpler bicycle could’ve served him better, but maybe this article will convince a few grown-ups making architectural decisions.
We techies love indulging in complex systems. (Check: were you already thinking, What’s complex about bicycles with gears??) But the more moving parts you add, the more often they break. Complexity often creates more problems than it solves.
The point I’m making isn’t to dump microservices entirely—it’s to pick an architecture that fits your actual needs, not what the cloud giant is pushing (while quietly rolling back their own commit). Most likely, modular monoliths or well-designed SOA will serve your needs better and make your team more productive.
So here’s the million-dollar question:
Will you design for cloud-native hype or for your own business requirements?
Do you really need microservices?
View the full article
- 0 comments
- 155 views
-
- 0 comments
- 74 views
-
- 0 comments
- 72 views
-
- 0 comments
- 66 views
-
- 0 comments
- 64 views
-
- 0 comments
- 71 views
-
- 0 comments
- 72 views
-
- 0 comments
- 63 views
-
- 0 comments
- 73 views
-
Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters. Members of these gangs hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.
In May 2025, SLSH members launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The group later launched a data leak portal that threatened to publish the internal data of three dozen companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS.
The new extortion website tied to ShinyHunters, which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.
Last week, the SLSH Telegram channel featured an offer to recruit and reward “insiders,” employees at large companies who agree to share internal access to their employer’s network for a share of whatever ransom payment is ultimately paid by the victim company.
SLSH has solicited insider access previously, but their latest call for disgruntled employees started making the rounds on social media at the same time news broke that the cybersecurity firm Crowdstrike had fired an employee for allegedly sharing screenshots of internal systems with the hacker group (Crowdstrike said their systems were never compromised and that it has turned the matter over to law enforcement agencies).
The Telegram server for the Scattered LAPSUS$ Hunters has been attempting to recruit insiders at large companies.
Members of SLSH have traditionally used other ransomware gangs’ encryptors in attacks, including malware from ransomware affiliate programs like ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.
The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel. Previously, Rey was an administrator of the data leak website for Hellcat, a ransomware group that surfaced in late 2024 and was involved in attacks on companies including Schneider Electric, Telefonica, and Orange Romania.
A recent, slightly redacted screenshot of the Scattered LAPSUS$ Hunters Telegram channel description, showing Rey as one of three administrators.
Also in 2024, Rey would take over as administrator of the most recent incarnation of BreachForums, an English-language cybercrime forum whose domain names have been seized on multiple occasions by the FBI and/or by international authorities. In April 2025, Rey posted on Twitter/X about another FBI seizure of BreachForums.
On October 5, 2025, the FBI announced it had once again seized the domains associated with BreachForums, which it described as a major criminal marketplace used by ShinyHunters and others to traffic in stolen data and facilitate extortion.
“This takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors,” the FBI said.
Incredibly, Rey would make a series of critical operational security mistakes last year that provided multiple avenues to ascertain and confirm his real-life identity and location. Read on to learn how it all unraveled for Rey.
WHO IS REY?
According to the cyber intelligence firm Intel 471, Rey was an active user on various BreachForums reincarnations over the past two years, authoring more than 200 posts between February 2024 and July 2025. Intel 471 says Rey previously used the handle “Hikki-Chan” on BreachForums, where their first post shared data allegedly stolen from the U.S. Centers for Disease Control and Prevention (CDC).
In that February 2024 post about the CDC, Hikki-Chan says they could be reached at the Telegram username @wristmug. In May 2024, @wristmug posted in a Telegram group chat called “Pantifan” a copy of an extortion email they said they received that included their email address and password.
The message that @wristmug cut and pasted appears to have been part of an automated email scam that claims it was sent by a hacker who has compromised your computer and used your webcam to record a video of you while you were watching porn. These missives threaten to release the video to all your contacts unless you pay a Bitcoin ransom, and they typically reference a real password the recipient has used previously.
“Noooooo,” the @wristmug account wrote in mock horror after posting a screenshot of the scam message. “I must be done guys.”
A message posted to Telegram by Rey/@wristmug.
In posting their screenshot, @wristmug redacted the username portion of the email address referenced in the body of the scam message. However, they did not redact their previously-used password, and they left the domain portion of their email address (@proton.me) visible in the screenshot.
O5TDEV
Searching on @wristmug’s rather unique 15-character password in the breach tracking service Spycloud finds it is known to have been used by just one email address: [email protected]. According to Spycloud, those credentials were exposed at least twice in early 2024 when this user’s device was infected with an infostealer trojan that siphoned all of its stored usernames, passwords and authentication cookies (a finding that was initially revealed in March 2025 by the cyber intelligence firm KELA).
Intel 471 shows the email address [email protected] belonged to a BreachForums member who went by the username o5tdev. Searching on this nickname in Google brings up at least two website defacement archives showing that a user named o5tdev was previously involved in defacing sites with pro-Palestinian messages. The screenshot below, for example, shows that 05tdev was part of a group called Cyb3r Drag0nz Team.
Rey/o5tdev’s defacement pages. Image: archive.org.
A 2023 report from SentinelOne described Cyb3r Drag0nz Team as a hacktivist group with a history of launching DDoS attacks and cyber defacements as well as engaging in data leak activity.
“Cyb3r Drag0nz Team claims to have leaked data on over a million of Israeli citizens spread across multiple leaks,” SentinelOne reported. “To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.”
The cyber intelligence firm Flashpoint finds the Telegram user @05tdev was active in 2023 and early 2024, posting in Arabic on anti-Israel channels like “Ghost of Palestine” [full disclosure: Flashpoint is currently an advertiser on this blog].
‘I’M A GINTY’
Flashpoint shows that Rey’s Telegram account (ID7047194296) was particularly active in a cybercrime-focused channel called Jacuzzi, where this user shared several personal details, including that their father was an airline pilot. Rey claimed in 2024 to be 15 years old, and to have family connections to Ireland.
Specifically, Rey mentioned in several Telegram chats that he had Irish heritage, even posting a graphic that shows the prevalence of the surname “Ginty.”
Rey, on Telegram claiming to have association to the surname “Ginty.” Image: Flashpoint.
Spycloud indexed hundreds of credentials stolen from [email protected], and those details indicate that Rey’s computer is a shared Microsoft Windows device located in Amman, Jordan. The credential data stolen from Rey in early 2024 show there are multiple users of the infected PC, but that all shared the same last name of Khader and an address in Amman, Jordan.
The “autofill” data lifted from Rey’s family PC contains an entry for a 46-year-old Zaid Khader that says his mother’s maiden name was Ginty. The infostealer data also shows Zaid Khader frequently accessed internal websites for employees of Royal Jordanian Airlines.
MEET SAIF
The infostealer data makes clear that Rey’s full name is Saif Al-Din Khader. Having no luck contacting Saif directly, KrebsOnSecurity sent an email to his father Zaid. The message invited the father to respond via email, phone or Signal, explaining that his son appeared to be deeply enmeshed in a serious cybercrime conspiracy.
Less than two hours later, I received a Signal message from Saif, who said his dad suspected the email was a scam and had forwarded it to him.
“I saw your email, unfortunately I don’t think my dad would respond to this because they think its some ‘scam email,'” said Saif, who told me he turns 16 years old next month. “So I decided to talk to you directly.”
Saif explained that he’d already heard from European law enforcement officials, and had been trying to extricate himself from SLSH. When asked why then he was involved in releasing SLSH’s new ShinySp1d3r ransomware-as-a-service offering, Saif said he couldn’t just suddenly quit the group.
“Well I cant just dip like that, I’m trying to clean up everything I’m associated with and move on,” he said.
The former Hellcat ransomware site. Image: Kelacyber.com
He also shared that ShinySp1d3r is just a rehash of Hellcat ransomware, except modified with AI tools. “I gave the source code of Hellcat ransomware out basically.”
Saif claims he reached out on his own recently to the Telegram account for Operation Endgame, the codename for an ongoing law enforcement operation targeting cybercrime services, vendors and their customers.
“I’m already cooperating with law enforcement,” Saif said. “In fact, I have been talking to them since at least June. I have told them nearly everything. I haven’t really done anything like breaching into a corp or extortion related since September.”
Saif suggested that a story about him right now could endanger any further cooperation he may be able to provide. He also said he wasn’t sure if the U.S. or European authorities had been in contact with the Jordanian government about his involvement with the hacking group.
“A story would bring so much unwanted heat and would make things very difficult if I’m going to cooperate,” Saif said. “I’m unsure whats going to happen they said they’re in contact with multiple countries regarding my request but its been like an entire week and I got no updates from them.”
Saif shared a screenshot that indicated he’d contacted Europol authorities late last month. But he couldn’t name any law enforcement officials he said were responding to his inquiries, and KrebsOnSecurity was unable to verify his claims.
“I don’t really care I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say,” Saif said.
View the full article
- 0 comments
- 80 views
-
We always default to upstream patching when possible because it protects everyone who depends on these libraries – not just Docker users. Upstream patches require effort. You have to submit a PR and get it approved by the project. That can mean back and forth with maintainers. Security teams are under intense time pressures. But when we fix expr-eval for LangChain.js, we’re protecting not just Kibana users but every application that depends on that library. That’s over one million weekly downloads that become more secure.
Another Nested Dependency, Another Ticking Time Bomb
CVE-2025-12735 originated in expr-eval, a JavaScript expression parser and evaluator library. The vulnerability allowed attackers to inject crafted variables into evaluate(), enabling untrusted code paths to execute logic the application never intended. Three layers deep into the dependency chain, there was a critical RCE vulnerability in unmaintained code. In practice, this gave attackers a pathway to execute malicious behavior within affected applications. The library hadn’t been updated in years. LangChain.js depends on expr-eval, which means any application or service built with LangChain.js inherits the vulnerability. This includes AI assistants, workflow tools, and LLM-powered applications widely deployed across the industry. Kibana was affected by the same dependency chain.
This matters because LangChain.js has become a foundational component in modern application development. The library provides a framework for building applications powered by large language models, and it has been downloaded millions of times from npm. As of November 18, 2025, the npm package langchain (which includes LangChain.js) receives approximately 1,018,076 weekly downloads. Organizations use LangChain.js to build chatbots, document analysis systems, customer service platforms, and AI-powered search tools. When a vulnerability exists in LangChain.js or its dependencies, it potentially affects thousands of production applications across the technology industry.
This is exactly the attack surface that sophisticated adversaries target. The 2024 XZ Utils backdoor attempt demonstrated how attackers focus on dependencies precisely because they affect so many downstream projects. Old vulnerabilities remain a persistent challenge because organizations focus on direct dependencies while nested dependencies slip through the cracks.
Why We Must Fix at the Source, Fast
Many security and hardened image vendors scan for CVEs, flag them, and patch their own images. The vulnerability remains in the upstream project. The next build cycle reintroduces it. The problem persists for every other user of that dependency chain. This approach treats symptoms instead of causes. You patch your copy of Kibana. The next developer who builds from upstream gets the vulnerable version. Other container image providers may still ship the vulnerable dependency until their next update cycle. When the next CVE gets assigned to expr-eval, the cycle repeats.
Docker takes a different approach. When the Docker Security team identified CVE-2025-12735 in Kibana, we traced it back through the dependency chain to expr-eval. Rather than applying a surface-level patch, we replaced the unmaintained library with math-expression-evaluator, an actively maintained alternative that did not have the vulnerability. Then we contributed that fix upstream to LangChain.js: Pull Request #9391.
This approach delivers three outcomes:
Docker Hardened Images users got immediate protection. The updated Kibana image shipped without the vulnerable dependency. There was no waiting for upstream maintainers and no emergency patching required.
The entire LangChain.js ecosystem will benefit. Once the PR merged, every project using LangChain.js inherits the fix automatically. Web applications, data processing pipelines, AI tools, and analytics platforms all get safer because the fix lives where it belongs.
Future builds are secure by default. Docker doesn’t have to maintain downstream patches or worry about the vulnerability reappearing in the next release cycle. The fix lives in the upstream project where it belongs.
Docker Hardened Images responded faster than other vendors. We identified the root cause, selected a maintained replacement, verified it worked correctly, and contributed the fix back to the upstream project. This is possible because Docker’s security architecture is designed for a high-speed workflow without sacrificing thoroughness or attention to detail. (We are also, as a team, strongly committed to contributing back to open source!) Continuous dependency analysis through Docker Scout identifies issues the moment they’re disclosed. Deep supply chain visibility shows not just what packages are in an image but the entire dependency chain. Direct upstream engagement means we can contribute fixes rather than wait for maintainers to respond to bug reports.
What This Means for Your Organization
If you’re running Kibana in production, CVE-2025-12735 posed a critical risk. Organizations using Docker Hardened Images received immediate protection with secure, minimal, production-ready container images built from source and backed by a fast SLA that ensures rapid remediation.. The updated image shipped with expr-eval replaced by a maintained alternative. No emergency patching was required and there was no downtime. Organizations using other container distributions may still be exposed. Check your Kibana images for the vulnerable expr-eval dependency. If you’re running upstream Kibana, monitor for the LangChain.js update that incorporates Docker’s fix.
But the implications extend beyond this single CVE. The nested dependency problem affects every modern application. Your development teams probably don’t know what libraries are three or four levels deep in your dependency trees. Your security scanners might not catch them. Your vendors might not fix them upstream.
Helping Open Source Projects Helps Us All
The container ecosystem depends on thousands of open source projects. Most are maintained by small teams, often volunteers, who juggle security alongside feature development, bug fixes, and user support. When vulnerabilities emerge, maintainers may lack resources for immediate response.
Commercial vendors who benefit from open source have a responsibility to contribute back. When Docker Security fixes vulnerabilities upstream, open source maintainers get security support at no cost. The entire community benefits from hardened dependencies. Docker builds trust with the projects that power modern infrastructure. Future vulnerabilities become easier to address as relationships deepen. Together, we are more secure.
Docker is not the only company to push patches upstream, but it is a core part of our DNA. We don’t just protect our own customers but strengthen the entire ecosystem. Fixes go upstream so everyone benefits. The focus is on eliminating vulnerabilities at their source rather than playing endless rounds of patch-and-scan.
Modern supply chain attacks move faster than traditional security response times. Docker Hardened Images and Docker Scout are designed to match that speed while strengthening the entire ecosystem through upstream contributions. When vulnerabilities emerge, our customers get immediate protection. When our fixes go upstream, everyone gets safer.
Learn more about how Docker Hardened Images deliver security that protects your organization and strengthens the ecosystem.
View the full article
- 0 comments
- 116 views
-
- 0 comments
- 62 views
-
- 0 comments
- 65 views
-
- 0 comments
- 72 views
-
- 0 comments
- 73 views
-
- 0 comments
- 68 views
-
- 0 comments
- 68 views
-
As organizations move toward more intelligent and adaptive security operations, the question becomes unavoidable: How do you know your SOC is truly ready for AI?
The answer lies in treating AI readiness as something quantifiable; not philosophical.
View the full article
- 0 comments
- 65 views
-
A More Effective Way to Run Local Coding Agents Safely.
We’re working on an approach that lets you run coding agents in purpose-built, isolated local environments. Local sandboxes from Docker that wrap agents in containers that mirror your local workspace and enforce strict boundaries across all the coding agents you use. The idea is to give agents the access they need while maintaining isolation from your local system.
Today’s experimental release runs agents as containers inside Docker Desktop’s VM, but we will be switching to running them inside of dedicated microVMs for more defense in depth and to improve the experience of agents executing Docker containers securely.
What’s Available Now (Experimental Preview).
This is an experimental preview. Commands may change and you shouldn’t rely on this for production workflows yet.
Here’s what you get today:
Container-based isolation: Agents can run code, install packages, and modify files within a bind mounted workspace directory. Filesystem isolation: Process containment, resource limits, and filesystem scoping, protecting your local system. Broad agent support: Native support for Claude Code and Gemini CLI, with more coding agents support coming soon. Why We Are Taking this Approach.
We don’t think operating system-level approaches have the right long-term shape:
They sandbox only the agent process itself, not the full environment the agent needs. This means the agent constantly needs to access the host system for basic tasks (installing packages, running code, managing dependencies), leading to constant permission prompts that interrupt workflows. They aren’t consistent across platforms. Container-based isolation is designed for exactly the kind of dynamic, iterative workflows that coding agents need. You get flexibility without brittleness.
Although this structure is meant to be general-purpose, we’re starting for specific, pre-configured coding agents. Rather than trying to be a solution for all kinds of agents out of the box, this approach lets us solve real developer problems and deliver a great experience. We’ll support other use cases in the future, but for now, coding agents are where we can make the biggest impact.
Here’s How You Can Try It.
Today’s experimental preview works natively with Claude Code and Gemini CLI. We’re building for other agents developers use.
With Docker Desktop 4.50 and later installed, run: docker sandbox run <agent>
This creates a new isolated environment with your current working directory bind mounted.
What’s Next.
Better support and UX for running multiple agents in parallel Granular network access controls Granular token and secret management for multi-agent workflows Centralized policy management and auditability MicroVM-based isolation architecture Support for additional coding agents Try It and Share Your Feedback.
We’re building this alongside developers. As you experiment with Docker Sandboxes, we want to hear about your use cases and what matters most to your workflow.
Send your feedback to: [email protected]
We believe sandboxing should be how every coding agent runs, everywhere. This is an early step, and we need your input to get there. We’re building toward a future where there’s no compromise: where you can let your agents run free while protecting everything that matters.
View the full article
- 0 comments
- 73 views
-
- 0 comments
- 73 views
-
At the foundation are Docker Hardened Images, which are ultra-minimal, continuously patched containers that cut the attack surface by up to 95% and achieve near-zero CVEs. These images, combined with Docker Scout’s real-time vulnerability analysis, allow teams to prevent, detect, and resolve issues early, keeping innovation and security in sync. The result: 92% of enterprises report fewer application vulnerabilities, and 60% see reductions of 25% or more.
Docker also secures agentic AI development through the MCP Catalog, Toolkit, and Gateway. These tools provide a trusted, containerized way to run Model Context Protocol (MCP) servers that power AI agents, ensuring communication happens in a secure, auditable, and isolated environment. According to theCUBE Research, 87% of organizations reduced AI setup time by over 25%, and 95% improved AI testing and validation, demonstrating that Docker makes AI development both faster and safer.
With built-in Zero Trust principles, role-based access controls, and compliance support for SOC 2, ISO 27001, and FedRAMP, Docker simplifies adherence to enterprise-grade standards without slowing developers down. The payoff is clear: 69% of enterprises report ROI above 101%, driven in part by fewer security incidents, faster delivery, and improved productivity. In short, Docker’s modern approach to DevSecOps enables enterprises to build, ship, and scale software that’s not only fast, but fundamentally secure.
Docker’s impact on software supply chain security
Docker has evolved into a complete development platform that helps enterprises build, secure, and deploy modern and agentic AI applications with trusted DevSecOps and containerization practices. From Docker Hardened Images, which are secure, minimal, and production-ready container images with near-zero CVEs, to Docker Scout’s real-time vulnerability insights and the MCP Toolkit for trusted AI agents, teams gain a unified foundation for software supply chain security.
Every part of the Docker ecosystem is designed to blend in with existing developer workflows while making security affordable, transparent, and universal. Whether you want to explore the breadth of the Docker Hardened Images catalog, analyze your own image data with Docker Scout, or test secure AI integration through the MCP Gateway, it is easy to see how Docker embeds security by default, not as an afterthought.
Review additional resources
Read more in our latest blog about ROI of working with Docker theCUBE Research Report and eBook – economic validation of Docker Explore Docker Hardened Images and start a 30-day free trial View Hardened Images and Helm Charts on Docker Hub Explore Docker Scout
View the full article
- 0 comments
- 64 views
-
- 0 comments
- 69 views
-
- 0 comments
- 67 views
-
- 0 comments
- 67 views
-
- 0 comments
- 70 views
-
This variant executed during npm’s preinstall phase, harvesting developer credentials, GitHub tokens, and cloud provider secrets before packages even finished installing. Stolen credentials appeared in public GitHub repositories labeled “Sha1-Hulud: The Second Coming,” creating a secondary attack vector as threat actors recycled tokens to publish additional malicious packages. Researchers tracked approximately 1,000 new compromised repositories appearing every 30 minutes at the attack’s peak.
For teams using npm packages in their containerized applications, this attack represented exposure not just to credential theft initially but also to systematic supply chain compromise that could persist across rebuild cycles and burrow deep into supply chains.
Docker’s real-time response architecture
According to Google Mandiant’s 2023 vulnerability analysis, the average time-to-exploit for vulnerabilities has collapsed from 63 days in 2018-19 to just five days. With Shai Hulud-type attacks on the rise, the likely compression of the vulnerability window will move from days to hours.
Within hours of security researchers publishing indicators of compromise, Docker Security created DSA-2025-1124, a Docker Security Advisory that encoded detection rules for the Shai Hulud 2.0 malware signatures. This advisory immediately entered Docker Scout’s continuous monitoring pipeline, where it followed the same automated workflow that handles CVE ingestion.
Here’s how the protection deployed:
Automatic threat intelligence ingestion: Docker Scout continuously ingests security intelligence from multiple published sources. Scout’s ingestion pipeline identified the malicious package indicators and malware signatures from these sources and propagated them within seconds.
Instant supply chain analysis: Docker Scout cross-referenced the threat intelligence against SBOMs from all Docker Hardened Images and customer images under Scout protection. This analysis identified which images, if any, contained dependencies from the compromised package ecosystem, enabling immediate risk assessment across the entire Docker registry.
Automated detection distribution: The DSA containing Shai Hulud 2.0 detection rules propagated through Scout’s monitoring infrastructure automatically. Every Docker Scout-protected environment gained the ability to flag malicious packages based on the latest threat intelligence, without requiring manual policy updates or signature downloads.
Continuous verification: As Docker Security performed immediate scans of all Docker GitHub Enterprise repositories (which returned no findings), the same SBOM-based verification confirmed that Docker Hardened Images contained no compromised packages.
From threat disclosure to deployed protection, the response cycle completed in hours. Organizations using Docker Scout received alerts identifying any exposure to the compromised packages while the attack was still unfolding, allowing them to mount a timely response and protect their infrastructure.
Why Docker’s approach creates verifiable protection
Docker’s response to Shai Hulud 2.0 demonstrates why security architecture must assume attacks will move faster than human response times.
Real-time protection: Traditional vulnerability management treats each threat as a discrete event requiring investigation, triage, and manual remediation. Docker Scout’s architecture treats threat intelligence as streaming data, continuously updating detection capabilities the moment new indicators become available.
Unified telemetry eliminates blind spots: The integration between Scout’s monitoring, DHI’s build pipeline, and Docker’s supply chain tracking provides complete visibility into what’s running and where it came from. When the Shai Hulud malware attempted to compromise the npm ecosystem, Docker’s architecture could immediately answer: “Do we have exposure?”
Cryptographic verification enables trust under fire: Every Docker Hardened Image ships with complete SBOMs, cryptographic signatures, and verifiable build provenance. During an active supply chain attack, this transparency becomes operational capability. Security teams can prove to auditors, incident responders, and leadership exactly what’s running in production, which versions are deployed, and whether any compromised packages made it through the supply chain.
Speed that matches attack velocity: Self-propagating malware spreads through automated exploitation. This means you have to move fast. Docker’s remediation pipeline doesn’t wait for security teams to file tickets or schedule maintenance windows. When threats emerge, the pipeline automatically initiates detection updates, verifies image integrity, and flags exposure based on factual SBOM data.
The five pillars prove themselves under pressure
Docker’s security architecture rests on five pillars that proved themselves under pressure: minimal attack surface, complete SBOMs, verifiable provenance, exploitability context, and cryptographic verification. During Shai Hulud 2.0, these worked together as implemented controls that functioned automatically, enabling teams to verify exposure immediately through SBOMs, prove integrity through cryptographic signatures, and focus response on actually weaponized packages. Even if your organization does not use Docker Hardened Images, by using Docker Scout you get the same detection speed via Scout-generated SBOMs, which are optimized for transparency and speed.
Supply chain security at container speed
We believe that increasingly, modern supply chain attacks targeting the package infrastructure will be designed to outrun traditional security response times. The only viable response is security architecture and response mechanism that can match this speed.
If your security team is still chasing alerts from last month’s supply chain attack, or if you’re uncertain whether your container images contain compromised dependencies, Docker offers a different approach.
Learn more about how Docker Scout and Hardened Images deliver continuous, verifiable protection, or contact our team to discuss how real-time security architecture applies to your specific environment.
View the full article
- 0 comments
- 69 views
-
Superbox media streaming boxes for sale on Walmart.com.
Superbox bills itself as an affordable way for households to stream all of the television and movie content they could possibly want, without the hassle of monthly subscription fees — for a one-time payment of nearly $400.
“Tired of confusing cable bills and hidden fees?,” Superbox’s website asks in a recent blog post titled, “Cheap Cable TV for Low Income: Watch TV, No Monthly Bills.”
“Real cheap cable TV for low income solutions does exist,” the blog continues. “This guide breaks down the best alternatives to stop overpaying, from free over-the-air options to one-time purchase devices that eliminate monthly bills.”
Superbox claims that watching a stream of movies, TV shows, and sporting events won’t violate U.S. copyright law.
“SuperBox is just like any other Android TV box on the market, we can not control what software customers will use,” the company’s website maintains. “And you won’t encounter a law issue unless uploading, downloading, or broadcasting content to a large group.”
A blog post from the Superbox website.
There is nothing illegal about the sale or use of the Superbox itself, which can be used strictly as a way to stream content at providers where users already have a paid subscription. But that is not why people are shelling out $400 for these machines. The only way to watch those 2,200+ channels for free with a Superbox is to install several apps made for the device that enable them to stream this content.
Superbox’s homepage includes a prominent message stating the company does “not sell access to or preinstall any apps that bypass paywalls or provide access to unauthorized content.” The company explains that they merely provide the hardware, while customers choose which apps to install.
“We only sell the hardware device,” the notice states. “Customers must use official apps and licensed services; unauthorized use may violate copyright law.”
Superbox is technically correct here, except for maybe the part about how customers must use official apps and licensed services: Before the Superbox can stream those thousands of channels, users must configure the device to update itself, and the first step involves ripping out Google’s official Play store and replacing it with something called the “App Store” or “Blue TV Store.”
Superbox does this because the device does not use the official Google-certified Android TV system, and its apps will not load otherwise. Only after the Google Play store has been supplanted by this unofficial App Store do the various movie and video streaming apps that are built specifically for the Superbox appear available for download (again, outside of Google’s app ecosystem).
Experts say while these Android streaming boxes generally do what they advertise — enabling buyers to stream video content that would normally require a paid subscription — the apps that enable the streaming also ensnare the user’s Internet connection in a distributed residential proxy network that uses the devices to relay traffic from others.
Ashley is a senior solutions engineer at Censys, a cyber intelligence company that indexes Internet-connected devices, services and hosts. Ashley requested that only her first name be used in this story.
In a recent video interview, Ashley showed off several Superbox models that Censys was studying in the malware lab — including one purchased off the shelf at BestBuy.
“I’m sure a lot of people are thinking, ‘Hey, how bad could it be if it’s for sale at the big box stores?'” she said. “But the more I looked, things got weirder and weirder.”
Ashley said she found the Superbox devices immediately contacted a server at the Chinese instant messaging service Tencent QQ, as well as a residential proxy service called Grass IO.
GET GRASSED
Also known as getgrass[.]io, Grass says it is “a decentralized network that allows users to earn rewards by sharing their unused Internet bandwidth with AI labs and other companies.”
“Buyers seek unused internet bandwidth to access a more diverse range of IP addresses, which enables them to see certain websites from a retail perspective,” the Grass website explains. “By utilizing your unused internet bandwidth, they can conduct market research, or perform tasks like web scraping to train AI.”
Reached via Twitter/X, Grass founder Andrej Radonjic told KrebsOnSecurity he’d never heard of a Superbox, and that Grass has no affiliation with the device maker.
“It looks like these boxes are distributing an unethical proxy network which people are using to try to take advantage of Grass,” Radonjic said. “The point of grass is to be an opt-in network. You download the grass app to monetize your unused bandwidth. There are tons of sketchy SDKs out there that hijack people’s bandwidth to help webscraping companies.”
Radonjic said Grass has implemented “a robust system to identify network abusers,” and that if it discovers anyone trying to misuse or circumvent its terms of service, the company takes steps to stop it and prevent those users from earning points or rewards.
Superbox’s parent company, Super Media Technology Company Ltd., lists its street address as a UPS store in Fountain Valley, Calif. The company did not respond to multiple inquiries.
According to this teardown by behindmlm.com, a blog that covers multi-level marketing (MLM) schemes, Grass’s compensation plan is built around “grass points,” which are earned through the use of the Grass app and through app usage by recruited affiliates. Affiliates can earn 5,000 grass points for clocking 100 hours usage of Grass’s app, but they must progress through ten affiliate tiers or ranks before they can redeem their grass points (presumably for some type of cryptocurrency). The 10th or “Titan” tier requires affiliates to accumulate a whopping 50 million grass points, or recruit at least 221 more affiliates.
Radonjic said Grass’s system has changed in recent months, and confirmed the company has a referral program where users can earn Grass Uptime Points by contributing their own bandwidth and/or by inviting other users to participate.
“Users are not required to participate in the referral program to earn Grass Uptime Points or to receive Grass Tokens,” Radonjic said. “Grass is in the process of phasing out the referral program and has introduced an updated Grass Points model.”
A review of the Terms and Conditions page for getgrass[.]io at the Wayback Machine shows Grass’s parent company has changed names at least five times in the course of its two-year existence. Searching the Wayback Machine on getgrass[.]io shows that in June 2023 Grass was owned by a company called Wynd Network. By March 2024, the owner was listed as Lower Tribeca Corp. in the Bahamas. By August 2024, Grass was controlled by a Half Space Labs Limited, and in November 2024 the company was owned by Grass OpCo (BVI) Ltd. Currently, the Grass website says its parent is just Grass OpCo Ltd (no BVI in the name).
Radonjic acknowledged that Grass has undergone “a handful of corporate clean-ups over the last couple of years,” but described them as administrative changes that had no operational impact. “These reflect normal early-stage restructuring as the project moved from initial development…into the current structure under the Grass Foundation,” he said.
UNBOXING
Censys’s Ashley said the phone home to China’s Tencent QQ instant messaging service was the first red flag with the Superbox devices she examined. She also discovered the streaming boxes included powerful network analysis and remote access tools, such as Tcpdump and Netcat.
“This thing DNS hijacked my router, did ARP poisoning to the point where things fall off the network so they can assume that IP, and attempted to bypass controls,” she said. “I have root on all of them now, and they actually have a folder called ‘secondstage.’ These devices also have Netcat and Tcpdump on them, and yet they are supposed to be streaming devices.”
A quick online search shows various Superbox models and many similar Android streaming devices for sale at a wide range of top retail destinations, including Amazon, BestBuy, Newegg, and Walmart. Newegg.com, for example, currently lists more than three dozen Superbox models. In all cases, the products are sold by third-party merchants on these platforms, but in many instances the fulfillment comes from the e-commerce platform itself.
“Newegg is pretty bad now with these devices,” Ashley said. “Ebay is the funniest, because they have Superbox in Spanish — the SuperCaja — which is very popular.”
Superbox devices for sale via Newegg.com.
Ashley said Amazon recently cracked down on Android streaming devices branded as Superbox, but that those listings can still be found under the more generic title “modem and router combo” (which may be slightly closer to the truth about the device’s behavior).
Superbox doesn’t advertise its products in the conventional sense. Rather, it seems to rely on lesser-known influencers on places like Youtube and TikTok to promote the devices. Meanwhile, Ashley said, Superbox pays those influencers 50 percent of the value of each device they sell.
“It’s weird to me because influencer marketing usually caps compensation at 15 percent, and it means they don’t care about the money,” she said. “This is about building their network.”
A TikTok influencer casually mentions and promotes Superbox while chatting with her followers over a glass of wine.
BADBOX
As plentiful as the Superbox is on e-commerce sites, it is just one brand in an ocean of no-name Android-based TV boxes available to consumers. While these devices generally do provide buyers with “free” streaming content, they also tend to include factory-installed malware or require the installation of third-party apps that engage the user’s Internet address in advertising fraud.
In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million Android streaming devices that engaged in advertising fraud. Google said the BADBOX 2.0 botnet, in addition to compromising multiple types of devices prior to purchase, can also infect devices by requiring the download of malicious apps from unofficial marketplaces.
Some of the unofficial Android devices flagged by Google as part of the Badbox 2.0 botnet are still widely for sale at major e-commerce vendors. Image: Google.
Several of the Android streaming devices flagged in Google’s lawsuit are still for sale on top U.S. retail sites. For example, searching for the “X88Pro 10” and the “T95” Android streaming boxes finds both continue to be peddled by Amazon sellers.
Google’s lawsuit came on the heels of a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned that cyber criminals were gaining unauthorized access to home networks by either configuring the products with malicious software prior to the user’s purchase, or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process.
“Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity,” the FBI said.
The FBI said BADBOX 2.0 was discovered after the original BADBOX campaign was disrupted in 2024. The original BADBOX was identified in 2023, and primarily consisted of Android operating system devices that were compromised with backdoor malware prior to purchase.
Riley Kilmer is founder of Spur, a company that tracks residential proxy networks. Kilmer said Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that is now the world’s largest residential proxy network.
Kilmer and others say IPidea is merely a rebrand of 911S5 Proxy, a China-based proxy provider sanctioned last year by the U.S. Department of the Treasury for operating a botnet that helped criminals steal billions of dollars from financial institutions, credit card issuers, and federal lending programs (the U.S. Department of Justice also arrested the alleged owner of 911S5).
How are most IPidea customers using the proxy service? According to the proxy detection service Synthient, six of the top ten destinations for IPidea proxies involved traffic that has been linked to either ad fraud or credential stuffing (account takeover attempts).
Kilmer said companies like Grass are probably being truthful when they say that some of their customers are companies performing web scraping to train artificial intelligence efforts, because a great deal of content scraping which ultimately benefits AI companies is now leveraging these proxy networks to further obfuscate their aggressive data-slurping activity. By routing this unwelcome traffic through residential IP addresses, Kilmer said, content scraping firms can make it far trickier to filter out.
“Web crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be collected,” Kilmer told KrebsOnSecurity. “Everybody wanted to monetize their own data pots, and how they monetize that is different across the board.”
SOME FRIENDLY ADVICE
Products like Superbox are drawing increased interest from consumers as more popular network television shows and sportscasts migrate to subscription streaming services, and as people begin to realize they’re spending as much or more on streaming services than they previously paid for cable or satellite TV.
These streaming devices from no-name technology vendors are another example of the maxim, “If something is free, you are the product,” meaning the company is making money by selling access to and/or information about its users and their data.
Superbox owners might counter, “Free? I paid $400 for that device!” But remember: Just because you paid a lot for something doesn’t mean you are done paying for it, or that somehow you are the only one who might be worse off from the transaction.
It may be that many Superbox customers don’t care if someone uses their Internet connection to tunnel traffic for ad fraud and account takeovers; for them, it beats paying for multiple streaming services each month. My guess, however, is that quite a few people who buy (or are gifted) these products have little understanding of the bargain they’re making when they plug them into an Internet router.
Superbox performs some serious linguistic gymnastics to claim its products don’t violate copyright laws, and that its customers alone are responsible for understanding and observing any local laws on the matter. However, buyer beware: If you’re a resident of the United States, you should know that using these devices for unauthorized streaming violates the Digital Millennium Copyright Act (DMCA), and can incur legal action, fines, and potential warnings and/or suspension of service by your Internet service provider.
According to the FBI, there are several signs to look for that may indicate a streaming device you own is malicious, including:
-The presence of suspicious marketplaces where apps are downloaded.
-Requiring Google Play Protect settings to be disabled.
-Generic TV streaming devices advertised as unlocked or capable of accessing free content.
-IoT devices advertised from unrecognizable brands.
-Android devices that are not Play Protect certified.
-Unexplained or suspicious Internet traffic.
This explainer from the Electronic Frontier Foundation delves a bit deeper into each of the potential symptoms listed above.
View the full article
- 0 comments
- 71 views
-
- 0 comments
- 61 views
-
- 0 comments
- 64 views
-
- 0 comments
- 661 views
-
- 0 comments
- 65 views
-
- 0 comments
- 66 views
-
- 0 comments
- 69 views
-
- 0 comments
- 66 views
-
- 0 comments
- 71 views
-
Want to try it out? Download Rovo Dev CLI here.
Unleash agentic AI in your terminal
Rovo Dev in the CLI is crafted for developers who thrive in the terminal environment. It transforms into an intelligent AI partner that understands, codes, and integrates seamlessly with your existing tools.
It addresses key challenges faced by software engineers through:
Code understanding and navigation: Gain insights into your codebase, generate documentation, and receive code explanations without leaving your terminal. Development acceleration: Speed up your development cycle with AI-assisted code completion, intelligent refactoring suggestions, automated testing, and interactive debugging. Atlassian ecosystem: Seamlessly work with Jira issues, update Confluence documentation, and manage your development tasks directly from the terminal – no more context switching between tools. Security and administration: Implement robust permission controls and protocols while efficiently tracking resource utilization and managing user access through role-based permissions. Maintain comprehensive usage monitoring and cost management. Extensibility and customization: Configure tool permissions, optimize your workflow, and extend functionality by connecting your MCP server to match your team’s specific needs. Raising the bar – Scoring #1 on SWE-bench
Rovo Dev CLI achieves the highest score on the SWE-bench full benchmark leaderboard, reaching 41.98% resolve rate across 2,294 tasks in the full dataset, surpassing all other submissions. Maintained by researchers at Princeton and Stanford, SWE-bench is the leading benchmark for evaluating AI agents on real-world issue resolution, testing their ability to make context-aware code edits across open-source projects.
This officially published score positions Atlassian at #1 on the leaderboard, demonstrating our leadership in practical AI applications for software development and underscoring Rovo Dev’s advanced capabilities in real-world code understanding and automated problem solving. See the full leaderboard here.
How teams are using Rovo Dev CLI
Teams using Rovo Dev CLI have quickly made it part of their daily workflow. Engineers rely on it to stay focused by offloading routine tasks like code navigation, feature implementation, and documentation generation. The agent helps developers understand new codebases, implement features with web-integrated research via MCP servers, and assist in complex code migrations, all without leaving the terminal environment.
By eliminating the need to switch between different tools and interfaces, Rovo Dev helps development teams stay in their flow state while working on what matters most.
Let’s explore how Rovo Dev brings intelligent assistance to your terminal through real-world development scenarios:
Explore and understand your codebase
Understanding your codebase is the first step to productive development. Watch as Rovo Dev analyzes entire repositories in seconds, answering natural language questions about code structure and technical implementations to help developers quickly navigate complex projects.
Connect to Jira, Confluence, and Bitbucket
See how you can connect MCP servers to Rovo Dev. In this example, we connect with Jira, Confluence, and Bitbucket to complete a work item end-to-end. From retrieving web data to updating the codebase, all in the terminal, with zero manual coding. And, if you’re using Jira with GitHub, we’ve got you covered, too.
Adaptive memory system
Rovo Dev’s intelligence grows with your project through its memory system. Watch how it uses memory files to retain project knowledge and adapt its behavior – you can even customize its personality to match your team’s style!
Code migration assistance
Finally, witness how Rovo Dev helps to tackle larger challenges like codebase migrations. Through structured analysis and step-by-step execution, it helps manage complex transitions while keeping developers in control of the process.
These demonstrations showcase just a few ways Rovo Dev can enhance your development workflow. Whether you’re exploring new codebases, implementing features, or managing large-scale changes, Rovo Dev serves as your intelligent partner in the terminal.
Join the future of development
Rovo Dev is your context-aware AI teammate for the entire software development lifecycle. Powered by Atlassian’s Teamwork Graph, Rovo Dev understands your company, your projects, and your goals, and connects the dots across Jira, Confluence, Bitbucket, Compass, and more.
Rovo Dev in the CLI is the first enterprise-ready agent experience available in your terminal, designed to enhance productivity and streamline your software development process.
We invite you to download Rovo Dev in the CLI and learn more about additional Rovo Dev capabilities. Your feedback will be invaluable in helping us refine and enhance this powerful tool. Welcome to the era of intelligent development on the command line!
Get started with Rovo Dev CLI The post Rovo Dev agent, now available in the CLI appeared first on Work Life by Atlassian.
View the full article
- 0 comments
- 69 views
-
Here’s our takeaways from the event about software supply chain security trends:
Software supply chain attacks reach unprecedented scale leveraging open source packages
An analysis of recent software supply chain attacks by JFrog’s CTO Asaf Karas shed light on how malicious actors leverage AI and software supply chains on their exploits. Recent attacks combine existing techniques, like phishing, in combination with AI prompts that recursively write and execute code in order to compromise hundreds of thousands of systems running popular open source packages. A few examples include Shai Hulud, Red Donkey, and the recent NPM package phishing attack. So far, despite these attacks’ scale, damages have been limited due to the still rudimentary nature of these exploits. Expect more software supply chain attacks as well as more sophistication in the coming year.
New Roles of Governance as a Security Layer
The best way to avoid software supply chain attacks is to not have malicious code entering software supply chains in the first place. That’s where governance comes into play. Taking control of gate points during the software development lifecycle, for example during dependency scanning, build pipelines, and deployments is not enough. It is necessary to block malicious or risky code before it enters the software supply chain. Not only that, but also tools need increased interoperability to detect all potential attack vectors.
Addressing MCP Challenges in AI Development
MCP’s ability to leverage both deterministic and non-deterministic outcomes by connecting an LLM client to many different servers seems to be the main reasons companies are betting on the technology to build applications that deliver value to customers. Moreover, because each server can run independently from one another, it becomes possible to add governance layers on MCP servers, reducing risks of hallucination or unexpected results. Overall, we agree with JFrog’s assessment and look forward to opportunities where Docker and JFrog MCP technologies can work together for a safer and smoother enterprise AI developer experience.
Building on Strong Open Source Foundations Is Core in the AI Era
The fireside chat between Gal Marder, JFrog’s Chief Strategy Officer, and Michael Donovan, Docker’s VP of Product, explored how organizations can protect themselves from risks in unverified open source dependencies. They emphasized the importance of starting with strong foundations: using hardened images, maintaining them throughout their lifecycle, including those that have reached end of life, and ensuring visibility and governance across every stage. Strong third-party integrations are essential to manage this complexity effectively and extend security and trust from development to delivery.
Conclusion: Build strong foundations, keep it consistent, stay ahead
Software development is changing fast as AI becomes part of everyone’s workflow, developers and attackers alike. The best way to stay ahead is to build protection early by starting with strong foundations and keep it consistent across every stage with governance, visibility, and strong partnerships. Only then can teams innovate with confidence and speed as the landscape evolves. Exciting times!
Learn more
Subscribe to the Docker Navigator Newsletter Explore the MCP Catalog: Discover containerized, security-hardened MCP servers Explore the DHI Catalog: Discover secure, minimal, production-ready container images Docker Partner Programs: Discover trusted partners, tools, and integrations New to Docker? Create an account Have questions? The Docker community is here to help View the full article
- 0 comments
- 64 views
-
CVE-2025-58181 affects SSH servers parsing GSSAPI authentication requests. The vulnerability allows attackers to trigger unbounded memory consumption by exploiting the server’s failure to validate the number of mechanisms specified in authentication requests. CVE-2025-47914 impacts SSH Agent servers that fail to validate message sizes when processing identity requests, potentially causing system panics when malformed messages arrive. (These two vulnerabilities came just days after CVE-2025-47913, a high-severity vulnerability affecting the same Golang component that Docker also quickly patched)
For teams running Go applications with SSH functionality in their containers, leaving these vulnerabilities unpatched creates exposure to denial-of-service attacks and potential system instability.
How Docker achieves lightning fast vulnerability response
When these CVEs hit the Golang project’s security feed, Docker Hardened Images customers had patched versions available in less than 24 hours. This rapid response stems from Docker Scout’s continuous monitoring architecture and DHI’s automated remediation pipeline.
Here’s how it works:
Continuous CVE ingestion: Unlike vulnerability scanning that runs on batch schedules, Docker Scout continuously ingests CVE information from upstream sources including GitHub security advisories, the National Vulnerability Database, and project-specific feeds. The moment CVE data becomes available, Scout begins analysis.
Instant impact assessment: Within seconds of CVE ingestion, Scout identifies which Docker Hardened Images are affected based in Scout’s comprehensive SBOM database. This immediate notification allows the remediation process to start without delay.
Automated patching workflow: Depending on the vulnerability and package, Docker either patches automatically or triggers a manual review process for complex changes. For these Golang SSH vulnerabilities, the team initiated builds immediately after upstream patches became available.
Cascading builds: Once the patched Golang package builds successfully, the system automatically triggers rebuilds of all dependent packages and images. Every Docker Hardened Image containing the affected golang.org/x/crypto/ssh package gets rebuilt with the security fix.
The entire process, from CVE disclosure to patched images available to customers, was completed in under 24 hours. Customers using Docker Scout received immediate notifications about the vulnerabilities and the availability of patched versions.
Why Docker’s Security Response Is Different
One of Docker’s key differentiators is its continuous, real-time monitoring, rather than periodic batch scanning. Traditional vulnerability management relies on daily or weekly scans, leaving containers exposed to known vulnerabilities for hours or even days.
With Docker Scout’s real-time CVE ingestion, detection starts the moment a vulnerability is published, enabling remediation within seconds and minimizing exposure.
This foundation powers Docker Hardened Images (DHI), where packages and dependencies are continuously tracked and automatically updated when issues arise. For example, when vulnerabilities were found in the golang.org/x/crypto library, all affected images were rebuilt and released within a day. Customers simply pull the latest tags to stay secure, no manual patching, emergency maintenance, or impact triage required.
But continuous monitoring is just the foundation. What truly sets Docker apart is how that real-time intelligence flows into an automated, transparent, and trusted remediation pipeline, built on over a decade of experience securing and maintaining the Docker Official Images program.These are the same images trusted and used by millions of developers and organizations worldwide, forming the foundation of countless production environments. That long-standing operational experience in continuously maintaining, rebuilding, and distributing secure images at global scale gives Docker a proven track record in delivering reliability, consistency, and trust few others can match.
Beyond automation, Docker’s AI guardrails add yet another layer of protection. Purpose-built for the Hardened Images pipeline, these AI systems continuously analyze upstream code changes, flag risky patterns, and prevent flawed dependencies from entering the supply chain. Unlike standard coding assistants, Docker’s AI guardrails are informed by manual, project-specific reviews, blending human expertise with adaptive intelligence. When the system detects a high-confidence issue such as an inverted error check, ignored failure, or resource mismanagement, it halts the release until a Docker engineer verifies and applies the fix. This human-in-the-loop model ensures vulnerabilities are caught long before they can reach customers, turning AI into a force multiplier for safety, not a replacement for human judgment.
Another critical differentiator is complete transparency. Consider what happens when a security scanner still flags a vulnerability even after you’ve pulled a patched image. With DHI, every image includes a comprehensive and accurate Software Bill of Materials (SBOM) that provides definitive visibility into what’s actually inside your container. When a scanner reports a supposedly remediated image as vulnerable, teams can verify the exact package versions and patch status directly from the SBOM instead of relying on scanner heuristics.
This transparency also extends to how Docker Scout handles CVE data. Docker relies entirely on independent, third-party sources for vulnerability decisions and prioritization, including the National Vulnerability Database (NVD), GitHub Security Advisories, and upstream project maintainers. This approach is essential because traditional scanners often depend on pattern matching and heuristics that can produce false positives. They may miss vendor-specific patches, overlook backported fixes, or flag vulnerabilities that have already been remediated due to database lag. In some cases, even vendor-recommended scanners fail to detect unpatched vulnerabilities, creating a false sense of security.
Without an accurate SBOM and objective CVE data, teams waste valuable time chasing phantom vulnerabilities or debating false positives with compliance auditors. Docker’s approach eliminates that uncertainty. Because the SBOM is generated directly from the build process, not inferred after the fact, it provides definitive evidence of what’s inside each image and why certain CVEs do or don’t apply. This transforms vulnerability management from guesswork and debate into objective, verifiable security assurance, backed by transparent, third-party data.
CVEs don’t have to disrupt your week
Managing vulnerabilities consumes significant engineering time. When critical CVEs drop, teams rush to assess impact, test patches, and coordinate deployments. Docker Hardened Images eliminate this overhead by continuously updating base images with complete transparency into their contents with rapid turnarounds to reduce your exposure window.
If you’re tired of vulnerability whack-a-mole disrupting your team’s roadmap, Docker Hardened Images offers a better path forward. Learn more about how Docker Scout and Hardened Images can reduce your vulnerability management burden, or contact our team to discuss your specific security requirements.
View the full article
- 0 comments
- 70 views
-
As AI and automation reshape modern cyber defense, SOC maturity assessments have become the critical lens through which organizations evaluate their operational effectiveness.
Understanding where your SOC stands on the AI maturity model isn’t about passing a test. It’s about knowing whether your technology, processes, and people are capable of supporting and scaling AI-driven operations.
View the full article
- 0 comments
- 64 views
-
Mozilla Monitor. Image Mozilla Monitor Plus video on Youtube.
In a statement published Tuesday, Mozilla said it will soon discontinue Monitor Plus, which offered data broker site scans and automated personal data removal from Onerep.
“We will continue to offer our free Monitor data breach service, which is integrated into Firefox’s credential manager, and we are focused on integrating more of our privacy and security experiences in Firefox, including our VPN, for free,” the advisory reads.
Mozilla said current Monitor Plus subscribers will retain full access through the wind-down period, which ends on Dec. 17, 2025. After that, those subscribers will automatically receive a prorated refund for the unused portion of their subscription.
“We explored several options to keep Monitor Plus going, but our high standards for vendors, and the realities of the data broker ecosystem made it challenging to consistently deliver the level of value and reliability we expect for our users,” Mozilla statement reads.
On March 14, 2024, KrebsOnSecurity published an investigation showing that Onerep’s Belarusian CEO and founder Dimitiri Shelest launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Shelest released a lengthy statement wherein he acknowledged maintaining an ownership stake in Nuwber, a data broker he founded in 2015 — around the same time he launched Onerep.
View the full article
- 0 comments
- 92 views
-
At around 6:30 EST/11:30 UTC on Nov. 18, Cloudflare’s status page acknowledged the company was experiencing “an internal service degradation.” After several hours of Cloudflare services coming back up and failing again, many websites behind Cloudflare found they could not migrate away from using the company’s services because the Cloudflare portal was unreachable and/or because they also were getting their domain name system (DNS) services from Cloudflare.
However, some customers did manage to pivot their domains away from Cloudflare during the outage. And many of those organizations probably need to take a closer look at their web application firewall (WAF) logs during that time, said Aaron Turner, a faculty member at IANS Research.
Turner said Cloudflare’s WAF does a good job filtering out malicious traffic that matches any one of the top ten types of application-layer attacks, including credential stuffing, cross-site scripting, SQL injection, bot attacks and API abuse. But he said this outage might be a good opportunity for Cloudflare customers to better understand how their own app and website defenses may be failing without Cloudflare’s help.
“Your developers could have been lazy in the past for SQL injection because Cloudflare stopped that stuff at the edge,” Turner said. “Maybe you didn’t have the best security QA [quality assurance] for certain things because Cloudflare was the control layer to compensate for that.”
Turner said one company he’s working with saw a huge increase in log volume and they are still trying to figure out what was “legit malicious” versus just noise.
“It looks like there was about an eight hour window when several high-profile sites decided to bypass Cloudflare for the sake of availability,” Turner said. “Many companies have essentially relied on Cloudflare for the OWASP Top Ten [web application vulnerabilities] and a whole range of bot blocking. How much badness could have happened in that window? Any organization that made that decision needs to look closely at any exposed infrastructure to see if they have someone persisting after they’ve switched back to Cloudflare protections.”
Turner said some cybercrime groups likely noticed when an online merchant they normally stalk stopped using Cloudflare’s services during the outage.
“Let’s say you were an attacker, trying to grind your way into a target, but you felt that Cloudflare was in the way in the past,” he said. “Then you see through DNS changes that the target has eliminated Cloudflare from their web stack due to the outage. You’re now going to launch a whole bunch of new attacks because the protective layer is no longer in place.”
Nicole Scott, senior product marketing manager at the McLean, Va. based Replica Cyber, called yesterday’s outage “a free tabletop exercise, whether you meant to run one or not.”
“That few-hour window was a live stress test of how your organization routes around its own control plane and shadow IT blossoms under the sunlamp of time pressure,” Scott said in a post on LinkedIn. “Yes, look at the traffic that hit you while protections were weakened. But also look hard at the behavior inside your org.”
Scott said organizations seeking security insights from the Cloudflare outage should ask themselves:
1. What was turned off or bypassed (WAF, bot protections, geo blocks), and for how long?
2. What emergency DNS or routing changes were made, and who approved them?
3. Did people shift work to personal devices, home Wi-Fi, or unsanctioned Software-as-a-Service providers to get around the outage?
4. Did anyone stand up new services, tunnels, or vendor accounts “just for now”?
5. Is there a plan to unwind those changes, or are they now permanent workarounds?
6. For the next incident, what’s the intentional fallback plan, instead of decentralized improvisation?
In a postmortem published Tuesday evening, Cloudflare said the disruption was not caused, directly or indirectly, by a cyberattack or malicious activity of any kind.
“Instead, it was triggered by a change to one of our database systems’ permissions which caused the database to output multiple entries into a ‘feature file’ used by our Bot Management system,” Cloudflare CEO Matthew Prince wrote. “That feature file, in turn, doubled in size. The larger-than-expected feature file was then propagated to all the machines that make up our network.”
Cloudflare estimates that roughly 20 percent of websites use its services, and with much of the modern web relying heavily on a handful of other cloud providers including AWS and Azure, even a brief outage at one of these platforms can create a single point of failure for many organizations.
Martin Greenfield, CEO at the IT consultancy Quod Orbis, said Tuesday’s outage was another reminder that many organizations may be putting too many of their eggs in one basket.
“There are several practical and overdue fixes,” Greenfield advised. “Split your estate. Spread WAF and DDoS protection across multiple zones. Use multi-vendor DNS. Segment applications so a single provider outage doesn’t cascade. And continuously monitor controls to detect single-vendor dependency.”
View the full article
- 0 comments
- 70 views
-
View the full article
- 0 comments
- 62 views
-
View the full article
- 0 comments
- 114 views
-
Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent. The zero-day threat concerns a memory corruption bug deep in the Windows innards called CVE-2025-62215. Despite the flaw’s zero-day status, Microsoft has assigned it an “important” rating rather than critical, because exploiting it requires an attacker to already have access to the target’s device.
“These types of vulnerabilities are often exploited as part of a more complex attack chain,” said Johannes Ullrich, dean of research for the SANS Technology Institute. “However, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.”
Ben McCarthy, lead cybersecurity engineer at Immersive, called attention to CVE-2025-60274, a critical weakness in a core Windows graphic component (GDI+) that is used by a massive number of applications, including Microsoft Office, web servers processing images, and countless third-party applications.
“The patch for this should be an organization’s highest priority,” McCarthy said. “While Microsoft assesses this as ‘Exploitation Less Likely,’ a 9.8-rated flaw in a ubiquitous library like GDI+ is a critical risk.”
Microsoft patched a critical bug in Office — CVE-2025-62199 — that can lead to remote code execution on a Windows system. Alex Vovk, CEO and co-founder of Action1, said this Office flaw is a high priority because it is low complexity, needs no privileges, and can be exploited just by viewing a booby-trapped message in the Preview Pane.
Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month. As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft account.
Judging from the comments on last month’s Patch Tuesday post, that registration worked for a lot of Windows 10 users, but some readers reported the option for an extra year of updates was never offered. Nick Carroll, cyber incident response manager at Nightwing, notes that Microsoft has recently released an out-of-band update to address issues when trying to enroll in the Windows 10 Consumer Extended Security Update program.
“If you plan to participate in the program, make sure you update and install KB5071959 to address the enrollment issues,” Carroll said. “After that is installed, users should be able to install other updates such as today’s KB5068781 which is the latest update to Windows 10.”
Chris Goettl at Ivanti notes that in addition to Microsoft updates today, third-party updates from Adobe and Mozilla have already been released. Also, an update for Google Chrome is expected soon, which means Edge will also be in need of its own update.
The SANS Internet Storm Center has a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on any updates gone awry.
As always, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.
[Author’s note: This post was intended to appear on the homepage on Tuesday, Nov. 11. I’m still not sure how it happened, but somehow this story failed to publish that day. My apologies for the oversight.]
View the full article
- 0 comments
- 71 views
-
Data Residency and Processing Reference
Updated "Data Residency and Processing Reference" document to add Ireland to TAM Locations, removed observe from processing and storage heading, and removed timescale from sub-processors section due to Calypso AI acquisition. View the full article
- 0 comments
- 67 views
-
Changelogs
Added SaaS release changelogs for November 16, 2025 release.
WAAP Updates
Added new Enable API Discovery on BIG-IP Virtual Server guide.
Customer Edge Updates
Added new Deploy Secure Mesh Site v2 on Baremetal (ClickOps) guide to explain how to create a CE Site on a baremetal server.
Added new Events Reference guide, which lists new event notifications for CE deployments.
Updated the following guides for the launch instance options:
Deploy Secure Mesh Site v2 in AWS (ClickOps) Deploy Secure Mesh Site v2 in Azure (ClickOps) Deploy Secure Mesh Site v2 in GCP (ClickOps) Load Balancer Updates
Added new Create UDP Load Balancer guide to explain how to create a UDP load balancer.
Bot Defense Updates
Added new Configure the Bot Defense Infrastructure guide to explain how to add and configure the infrastructure that hosts your Bot Defense system.
Added new Configure Bot Defense on an HTTP Load Balancer guide.
Added new Bot Detection Rules Overview page to explain how to deploy and manage bot detection rules.
Updated the View Bot Defense Dashboards and Reports guide with information about the new Forensics Panel in the Traffic Analyzer, new filtering capabilities in all Bot Defense reports, and minor updates to the information displayed in each report.
CDN Updates
Updated the Observe and Optimize a CDN Distribution guide with information about monitoring cacheable content for a content delivery network (CDN). Miscellaneous Updates
Updated the Alerts Reference guide.
View the full article
- 0 comments
- 64 views
-
In a lawsuit filed in the Southern District of New York on November 12, Google sued to unmask and disrupt 25 “John Doe” defendants allegedly linked to the sale of Lighthouse, a sophisticated phishing kit that makes it simple for even novices to steal payment card data from mobile users. Google said Lighthouse has harmed more than a million victims across 120 countries.
A component of the Chinese phishing kit Lighthouse made to target customers of The Toll Roads, which refers to several state routes through Orange County, Calif.
Lighthouse is one of several prolific phishing-as-a-service operations known as the “Smishing Triad,” and collectively they are responsible for sending millions of text messages that spoof the U.S. Postal Service to supposedly collect some outstanding delivery fee, or that pretend to be a local toll road operator warning of a delinquent toll fee. More recently, Lighthouse has been used to spoof e-commerce websites, financial institutions and brokerage firms.
Regardless of the text message lure used or brand used, the basic scam remains the same: After the visitor enters their payment information, the phishing site will automatically attempt to enroll the card as a mobile wallet from Apple or Google. The phishing site then tells the visitor that their bank is going to verify the transaction by sending a one-time code that needs to be entered into the payment page before the transaction can be completed.
If the recipient provides that one-time code, the scammers can link the victim’s card data to a mobile wallet on a device that they control. Researchers say the fraudsters usually load several stolen wallets onto each mobile device, and wait 7-10 days after that enrollment before selling the phones or using them for fraud.
Google called the scale of the Lighthouse phishing attacks “staggering.” A May 2025 report from Silent Push found the domains used by the Smishing Triad are rotated frequently, with approximately 25,000 phishing domains active during any 8-day period.
Google’s lawsuit alleges the purveyors of Lighthouse violated the company’s trademarks by including Google’s logos on countless phishing websites. The complaint says Lighthouse offers over 600 templates for phishing websites of more than 400 entities, and that Google’s logos were featured on at least a quarter of those templates.
Google is also pursuing Lighthouse under the Racketeer Influenced and Corrupt Organizations (RICO) Act, saying the Lighthouse phishing enterprise encompasses several connected threat actor groups that work together to design and implement complex criminal schemes targeting the general public.
According to Google, those threat actor teams include a “developer group” that supplies the phishing software and templates; a “data broker group” that provides a list of targets; a “spammer group” that provides the tools to send fraudulent text messages in volume; a “theft group,” in charge of monetizing the phished information; and an “administrative group,” which runs their Telegram support channels and discussion groups designed to facilitate collaboration and recruit new members.
“While different members of the Enterprise may play different roles in the Schemes, they all collaborate to execute phishing attacks that rely on the Lighthouse software,” Google’s complaint alleges. “None of the Enterprise’s Schemes can generate revenue without collaboration and cooperation among the members of the Enterprise. All of the threat actor groups are connected to one another through historical and current business ties, including through their use of Lighthouse and the online community supporting its use, which exists on both YouTube and Telegram channels.”
Silent Push’s May report observed that the Smishing Triad boasts it has “300+ front desk staff worldwide” involved in Lighthouse, staff that is mainly used to support various aspects of the group’s fraud and cash-out schemes.
An image shared by an SMS phishing group shows a panel of mobile phones responsible for mass-sending phishing messages. These panels require a live operator because the one-time codes being shared by phishing victims must be used quickly as they generally expire within a few minutes.
Google alleges that in addition to blasting out text messages spoofing known brands, Lighthouse makes it easy for customers to mass-create fake e-commerce websites that are advertised using Google Ads accounts (and paid for with stolen credit cards). These phony merchants collect payment card information at checkout, and then prompt the customer to expect and share a one-time code sent from their financial institution.
Once again, that one-time code is being sent by the bank because the fake e-commerce site has just attempted to enroll the victim’s payment card data in a mobile wallet. By the time a victim understands they will likely never receive the item they just purchased from the fake e-commerce shop, the scammers have already run through hundreds of dollars in fraudulent charges, often at high-end electronics stores or jewelers.
Ford Merrill works in security research at SecAlliance, a CSIS Security Group company, and he’s been tracking Chinese SMS phishing groups for several years. Merrill said many Lighthouse customers are now using the phishing kit to erect fake e-commerce websites that are advertised on Google and Meta platforms.
“You find this shop by searching for a particular product online or whatever, and you think you’re getting a good deal,” Merrill said. “But of course you never receive the product, and they will phish that one-time code at checkout.”
Merrill said some of the phishing templates include payment buttons for services like PayPal, and that victims who choose to pay through PayPal can also see their PayPal accounts hijacked.
A fake e-commerce site from the Smishing Triad spoofing PayPal on a mobile device.
“The main advantage of the fake e-commerce site is that it doesn’t require them to send out message lures,” Merrill said, noting that the fake vendor sites have more staying power than traditional phishing sites because it takes far longer for them to be flagged for fraud.
Merrill said Google’s legal action may temporarily disrupt the Lighthouse operators, and could make it easier for U.S. federal authorities to bring criminal charges against the group. But he said the Chinese mobile phishing market is so lucrative right now that it’s difficult to imagine a popular phishing service voluntarily turning out the lights.
Merrill said Google’s lawsuit also can help lay the groundwork for future disruptive actions against Lighthouse and other phishing-as-a-service entities that are operating almost entirely on Chinese networks. According to Silent Push, a majority of the phishing sites created with these kits are sitting at two Chinese hosting companies: Tencent (AS132203) and Alibaba (AS45102).
“Once Google has a default judgment against the Lighthouse guys in court, theoretically they could use that to go to Alibaba and Tencent and say, ‘These guys have been found guilty, here are their domains and IP addresses, we want you to shut these down or we’ll include you in the case.'”
If Google can bring that kind of legal pressure consistently over time, Merrill said, they might succeed in increasing costs for the phishers and more frequently disrupting their operations.
“If you take all of these Chinese phishing kit developers, I have to believe it’s tens of thousands of Chinese-speaking people involved,” he said. “The Lighthouse guys will probably burn down their Telegram channels and disappear for a while. They might call it something else or redevelop their service entirely. But I don’t believe for a minute they’re going to close up shop and leave forever.”
View the full article
- 0 comments
- 100 views
-
AI readiness goes beyond adopting automation or integrating machine learning; it’s about creating the technical and organizational foundation that allows AI to perform safely, reliably, and at scale.
Many teams say they’re “AI-ready” when they deploy a new SOAR playbook or connect a threat intel API.
In reality, AI readiness means your entire security operation - from log ingestion to human workflows is truly designed to support, trust, and learn from AI decisions.
View the full article
- 0 comments
- 59 views
-
Network Firewall Updates
Updated the F5 Distributed Cloud Services IP Address and Domain Reference for Firewall or Proxy Settings reference guide to include new IP addresses for Regional Edge (RE) allowlisting. View the full article
- 0 comments
- 72 views
-
A TP-Link WiFi 6 AX1800 Smart WiFi Router (Archer AX20).
The Washington Post recently reported that more than a half-dozen federal departments and agencies were backing a proposed ban on future sales of TP-Link devices in the United States. The story said U.S. Department of Commerce officials concluded TP-Link Systems products pose a risk because the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government.
TP-Link Systems denies that, saying that it fully split from the Chinese TP-Link Technologies over the past three years, and that its critics have vastly overstated the company’s market share (TP-Link puts it at around 30 percent). TP-Link says it has headquarters in California, with a branch in Singapore, and that it manufactures in Vietnam. The company says it researches, designs, develops and manufactures everything except its chipsets in-house.
TP-Link Systems told The Post it has sole ownership of some engineering, design and manufacturing capabilities in China that were once part of China-based TP-Link Technologies, and that it operates them without Chinese government supervision.
“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. “TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond.”
Cost is a big reason TP-Link devices are so prevalent in the consumer and small business market: As this February 2025 story from Wired observed regarding the proposed ban, TP-Link has long had a reputation for flooding the market with devices that are considerably cheaper than comparable models from other vendors. That price point (and consistently excellent performance ratings) has made TP-Link a favorite among Internet service providers (ISPs) that provide routers to their customers.
In August 2024, the chairman and the ranking member of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party called for an investigation into TP-Link devices, which they said were found on U.S. military bases and for sale at exchanges that sell them to members of the military and their families.
“TP-Link’s unusual degree of vulnerabilities and required compliance with PRC law are in and of themselves disconcerting,” the House lawmakers warned in a letter (PDF) to the director of the Commerce Department. “When combined with the PRC government’s common use of SOHO [small office/home office] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming.”
The letter cited a May 2023 blog post by Check Point Research about a Chinese state-sponsored hacking group dubbed “Camaro Dragon” that used a malicious firmware implant for some TP-Link routers to carry out a sequence of targeted cyberattacks against European foreign affairs entities. Check Point said while it only found the malicious firmware on TP-Link devices, “the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk.”
In a report published in October 2024, Microsoft said it was tracking a network of compromised TP-Link small office and home office routers that has been abused by multiple distinct Chinese state-sponsored hacking groups since 2021. Microsoft found the hacker groups were leveraging the compromised TP-Link systems to conduct “password spraying” attacks against Microsoft accounts. Password spraying involves rapidly attempting to access a large number of accounts (usernames/email addresses) with a relatively small number of commonly used passwords.
TP-Link rightly points out that most of its competitors likewise source components from China. The company also correctly notes that advanced persistent threat (APT) groups from China and other nations have leveraged vulnerabilities in products from their competitors, such as Cisco and Netgear.
But that may be cold comfort for TP-Link customers who are now wondering if it’s smart to continue using these products, or whether it makes sense to buy more costly networking gear that might only be marginally less vulnerable to compromise.
Almost without exception, the hardware and software that ships with most consumer-grade routers includes a number of default settings that need to be changed before the devices can be safely connected to the Internet. For example, bring a new router online without changing the default username and password and chances are it will only take a few minutes before it is probed and possibly compromised by some type of Internet-of-Things botnet. Also, it is incredibly common for the firmware in a brand new router to be dangerously out of date by the time it is purchased and unboxed.
Until quite recently, the idea that router manufacturers should make it easier for their customers to use these products safely was something of an anathema to this industry. Consumers were largely left to figure that out on their own, with predictably disastrous results.
But over the past few years, many manufacturers of popular consumer routers have begun forcing users to perform basic hygiene — such as changing the default password and updating the internal firmware — before the devices can be used as a router. For example, most brands of “mesh” wireless routers — like Amazon’s Eero, Netgear’s Orbi series, or Asus’s ZenWifi — require online registration that automates these critical steps going forward (or at least through their stated support lifecycle).
For better or worse, less expensive, traditional consumer routers like those from Belkin and Linksys also now automate this setup by heavily steering customers toward installing a mobile app to complete the installation (this often comes as a shock to people more accustomed to manually configuring a router). Still, these products tend to put the onus on users to check for and install available updates periodically. Also, they’re often powered by underwhelming or else bloated firmware, and a dearth of configurable options.
Of course, not everyone wants to fiddle with mobile apps or is comfortable with registering their router so that it can be managed or monitored remotely in the cloud. For those hands-on folks — and for power users seeking more advanced router features like VPNs, ad blockers and network monitoring — the best advice is to check if your router’s stock firmware can be replaced with open-source alternatives, such as OpenWrt or DD-WRT.
These open-source firmware options are compatible with a wide range of devices, and they generally offer more features and configurability. Open-source firmware can even help extend the life of routers years after the vendor stops supporting the underlying hardware, but it still requires users to manually check for and install any available updates.
Happily, TP-Link users spooked by the proposed ban may have an alternative to outright junking these devices, as many TP-Link routers also support open-source firmware options like OpenWRT. While this approach may not eliminate any potential hardware-specific security flaws, it could serve as an effective hedge against more common vendor-specific vulnerabilities, such as undocumented user accounts, hard-coded credentials, and weaknesses that allow attackers to bypass authentication.
Regardless of the brand, if your router is more than four or five years old it may be worth upgrading for performance reasons alone — particularly if your home or office is primarily accessing the Internet through WiFi.
NB: The Post’s story notes that a substantial portion of TP-Link routers and those of its competitors are purchased or leased through ISPs. In these cases, the devices are typically managed and updated remotely by your ISP, and equipped with custom profiles responsible for authenticating your device to the ISP’s network. If this describes your setup, please do not attempt to modify or replace these devices without first consulting with your Internet provider.
View the full article
- 0 comments
- 76 views
-
Website: https://www.bharattechawards.com/
Bharat Tech Summit Awards 2025
8 November 2025 | Venue: Hotel Taj Ambassador, New Delhi
Organized by: Global Tech Policy Confederation (GTPC)
In collaboration with: Confederation of All India Traders (CAIT)
The Bharat Tech Summit & Awards 2025 stands as India’s most influential convergence of technology, policy, and leadership — an annual celebration that unites innovators, visionaries, and policymakers to shape Bharat’s $20-Trillion Digital Vision 2045.
Under the theme “Celebrating Visionaries • Igniting Innovation • Empowering Transformation,” this landmark event amplifies Bharat’s technological sovereignty, highlighting advances across Cybersecurity, AI, Cloud, IoT, Semiconductors, and Digital Infrastructure.
As Bharat accelerates its digital transformation, cyber resilience emerges as the backbone of national progress.
Sessions led by cybersecurity leaders from Tata Communications, Honda, Palo Alto Networks, PwC, and EY explore:
• Building Zero-Trust and resilient digital frameworks
• AI-driven cyber defense and intelligence
• Securing digital infrastructure for a $20-trillion economy
• Cyber education and upskilling for national readiness
The Bharat Tech Summit & Awards 2025 is not merely an event — it’s a movement towards a secure, scalable, and sustainable digital Bharat.
By fostering collaboration between government, industry, startups, and academia, the summit redefines India’s role in the global technology landscape.
Join us to celebrate Bharat’s technological evolution — where innovation meets integrity, and leadership inspires transformation.
Learn more at: https://www.bharattechawards.com/
The post Bharat Tech Summit Awards 2025 appeared first on CISO MAG | Cyber Security Magazine.
View the full article
- 0 comments
- 74 views
-
True AI maturity isn’t about the number of machine learning models you’ve deployed or how many alerts your SOAR can auto-close. It’s about how deeply AI is embedded into the SOC workflow, from data ingestion and enrichment to automated response and analyst decision support.
In other words, it’s not “Do you have AI?” — it’s “How well does your AI operate within your SOC?”
View the full article
- 0 comments
- 66 views
-
Accelerate time to value: Launch apps in weeks not months with Forge, and build powerful AI-powered agents and automations in Studio for any team, industry or workflow. Monetize faster: Reach 300,000+ customers—including 80% of the Fortune 500—and tap into $6B+ in Marketplace lifetime sales with built-in billing, analytics, and go-to-market support. Grow recurring revenue: Flexible pricing and ongoing service models help you scale your business. Build with trust: Rely on Atlassian’s enterprise-grade security, compliance, and governance—trusted by the world’s leading enterprises. Join the Atlassian Ecosystem, your launchpad for innovation, growth, and lasting impact.
The world of software is moving fast and AI is redefining what’s possible for teams everywhere. For Atlassian partners, this moment presents a once-in-a-generation opportunity to build smarter, more connected, and more valuable solutions for customers.
The Atlassian platform empowers partners to accelerate time to value, unlock new recurring revenue streams, and scale confidently, all on a foundation of enterprise-grade trust and governance. With Atlassian developer platform, you can go from idea to monetized solution in weeks, not months, and reach 300,000+ global customers through the Atlassian Marketplace.
Here’s how you can seize this next wave of opportunity:
Build and launch powerful products faster
Build faster on Atlassian’s platform—focus on your IP, not plumbing.
Forge gives you developer-grade infrastructure to rapidly build, launch and scale enterprise-ready apps—faster than ever before. With pre-built frameworks, APIs, and enterprise-ready tools, Forge accelerates your path from idea to production, embedding intelligence and automation directly into Jira, Confluence, and more.
Once your foundation is set, Rovo Studio empowers anyone to quickly build, customize, and deploy intelligent solutions across the Atlassian Ecosystem. Describe your solution in natural language, and Rovo Studio turns it into powerful agents and automations in minutes—moving you from idea to impact at unprecedented speed.
Result: ship innovative, AI-powered solutions faster and with less risk.
As partner and part of the Atlassian Ecosystem, we empower you to deliver solutions that meet the rigorous demands of global enterprises. By building on Atlassian’s secure, transparent, and compliant platform—the same trusted infrastructure that powers Jira, Confluence, and Bitbucket—you inherit enterprise-grade reliability, transparency & trust by default.
Enterprise-grade trust: Leverage Atlassian’s permission-aware platform, data residency compliant storage, and strict egress controls to raise the bar for customer trust. Performance and scalability: Deliver apps and solutions on infrastructure designed for millions of daily users, ensuring consistent reliability as you grow. Security by default: Rely on the same robust controls that safeguard Atlassian Cloud customers, giving enterprise clients peace of mind. Atlassian’s robust infrastructure and commitment to compliance enable you to unlock new opportunities, drive innovation, and deliver exceptional value to some of the world’s most trusted organizations.
By building on Atlassian and monetizing your solution through the Atlassian Marketplace, you can confidently assure enterprise customers that what you offer is built on a foundation they can depend on—enabling productivity, growth, and peace of mind.
Monetize through the Atlassian Marketplace
With a thriving ecosystem of millions of monthly active users and 6,000+ apps, the Atlassian Marketplace is a proven engine for partner growth, driving over $6B in lifetime sales and giving you access to 300,000+ customers worldwide.
Now, you can go beyond app listings to deliver ongoing, intelligent services that create recurring value and recurring revenue.
Flexible monetization: Reach a broader audience by offering both standard and advanced editions, empowering you to customize pricing and packaging for every customer segment. Simplified go-to-market: Access co-marketing opportunities, enablement programs, and Marketplace promotions to help scale your reach. Shared growth: Tap into Atlassian’s sales and partner success motions to bring your solution to joint customers. With flexible pricing options and building for new, advanced solutions that keep you at the forefront of innovation, your app becomes more than an add-on. It becomes a core part of how customers get work done across Atlassian products, accelerating teams into the future.
How to get started
Ready to build the next generation of intelligent solutions on Atlassian’s platform? Here’s how to start:
Define your value. Identify the problem you solve for Atlassian customers and how it fits within the ecosystem. Leverage the platform foundation. Use Atlassian’s APIs, app frameworks, and AI capabilities to build quickly and securely. Launch and monetize. Publish your app on the Atlassian Marketplace, tap into our partner programs, and scale through joint go-to-market opportunities. But don’t just take it from us.
Opus Guard, an Atlassian Marketplace Partner, leveraged Atlassian’s Forge platform and Rovo to build an AI-assisted Content Retention Manager for Confluence, enabling automated, secure, and scalable content classification and data governance. Using Forge, they developed a Rovo Agent module that integrates with Rovo Chat, allowing users to analyze, classify, and manage Confluence content directly within Atlassian Cloud, while ensuring data never leaves the secure environment. Rovo’s LLM-powered agents and actions, implemented as Forge functions, provide expert-level content analysis and recommendations, streamlining compliance and retention workflows for users.
This case demonstrates how partnering with and building on Atlassian empowers developers to rapidly deliver innovative, enterprise-grade solutions that seamlessly integrate with Atlassian’s trusted cloud ecosystem, unlocking new value for customers and partners alike.
The moment is now
The convergence of AI, automation, and collaboration is transforming how teams work, and as an Atlassian partner, you’ll be at the center of it all.
By building on the Atlassian platform, you gain the power to innovate faster, build with confidence, and grow your business alongside us. Whether you’re an established Marketplace leader or just starting your journey, this is your moment to shape the future of teamwork.
Build with speed. Build with trust. Build with Atlassian.
To get started, create your partner profile today.
The post Partner with Atlassian and unlock your next wave of growth appeared first on Work Life by Atlassian.
View the full article
- 0 comments
- 78 views
-
The #1 and #3 positions in this chart are Aisuru botnet controllers with their full domain names redacted. Source: radar.cloudflare.com.
Aisuru is a rapidly growing botnet comprising hundreds of thousands of hacked Internet of Things (IoT) devices, such as poorly secured Internet routers and security cameras. The botnet has increased in size and firepower significantly since its debut in 2024, demonstrating the ability to launch record distributed denial-of-service (DDoS) attacks nearing 30 terabits of data per second.
Until recently, Aisuru’s malicious code instructed all infected systems to use DNS servers from Google — specifically, the servers at 8.8.8.8. But in early October, Aisuru switched to invoking Cloudflare’s main DNS server — 1.1.1.1 — and over the past week domains used by Aisuru to control infected systems started populating Cloudflare’s top domain rankings.
As screenshots of Aisuru domains claiming two of the Top 10 positions ping-ponged across social media, many feared this was yet another sign that an already untamable botnet was running completely amok. One Aisuru botnet domain that sat prominently for days at #1 on the list was someone’s street address in Massachusetts followed by “.com”. Other Aisuru domains mimicked those belonging to major cloud providers.
Cloudflare tried to address these security, brand confusion and privacy concerns by partially redacting the malicious domains, and adding a warning at the top of its rankings:
“Note that the top 100 domains and trending domains lists include domains with organic activity as well as domains with emerging malicious behavior.”
Cloudflare CEO Matthew Prince told KrebsOnSecurity the company’s domain ranking system is fairly simplistic, and that it merely measures the volume of DNS queries to 1.1.1.1.
“The attacker is just generating a ton of requests, maybe to influence the ranking but also to attack our DNS service,” Prince said, adding that Cloudflare has heard reports of other large public DNS services seeing similar uptick in attacks. “We’re fixing the ranking to make it smarter. And, in the meantime, redacting any sites we classify as malware.”
Renee Burton, vice president of threat intel at the DNS security firm Infoblox, said many people erroneously assumed that the skewed Cloudflare domain rankings meant there were more bot-infected devices than there were regular devices querying sites like Google and Apple and Microsoft.
“Cloudflare’s documentation is clear — they know that when it comes to ranking domains you have to make choices on how to normalize things,” Burton wrote on LinkedIn. “There are many aspects that are simply out of your control. Why is it hard? Because reasons. TTL values, caching, prefetching, architecture, load balancing. Things that have shared control between the domain owner and everything in between.”
Alex Greenland is CEO of the anti-phishing and security firm Epi. Greenland said he understands the technical reason why Aisuru botnet domains are showing up in Cloudflare’s rankings (those rankings are based on DNS query volume, not actual web visits). But he said they’re still not meant to be there.
“It’s a failure on Cloudflare’s part, and reveals a compromise of the trust and integrity of their rankings,” he said.
Greenland said Cloudflare planned for its Domain Rankings to list the most popular domains as used by human users, and it was never meant to be a raw calculation of query frequency or traffic volume going through their 1.1.1.1 DNS resolver.
“They spelled out how their popularity algorithm is designed to reflect real human use and exclude automated traffic (they said they’re good at this),” Greenland wrote on LinkedIn. “So something has evidently gone wrong internally. We should have two rankings: one representing trust and real human use, and another derived from raw DNS volume.”
Why might it be a good idea to wholly separate malicious domains from the list? Greenland notes that Cloudflare Domain Rankings see widespread use for trust and safety determination, by browsers, DNS resolvers, safe browsing APIs and things like TRANCO.
“TRANCO is a respected open source list of the top million domains, and Cloudflare Radar is one of their five data providers,” he continued. “So there can be serious knock-on effects when a malicious domain features in Cloudflare’s top 10/100/1000/million. To many people and systems, the top 10 and 100 are naively considered safe and trusted, even though algorithmically-defined top-N lists will always be somewhat crude.”
Over this past week, Cloudflare started redacting portions of the malicious Aisuru domains from its Top Domains list, leaving only their domain suffix visible. Sometime in the past 24 hours, Cloudflare appears to have begun hiding the malicious Aisuru domains entirely from the web version of that list. However, downloading a spreadsheet of the current Top 200 domains from Cloudflare Radar shows an Aisuru domain still at the very top.
According to Cloudflare’s website, the majority of DNS queries to the top Aisuru domains — nearly 52 percent — originated from the United States. This tracks with my reporting from early October, which found Aisuru was drawing most of its firepower from IoT devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon.
Experts tracking Aisuru say the botnet relies on well more than a hundred control servers, and that for the moment at least most of those domains are registered in the .su top-level domain (TLD). Dot-su is the TLD assigned to the former Soviet Union (.su’s Wikipedia page says the TLD was created just 15 months before the fall of the Berlin wall).
A Cloudflare blog post from October 27 found that .su had the highest “DNS magnitude” of any TLD, referring to a metric estimating the popularity of a TLD based on the number of unique networks querying Cloudflare’s 1.1.1.1 resolver. The report concluded that the top .su hostnames were associated with a popular online world-building game, and that more than half of the queries for that TLD came from the United States, Brazil and Germany [it’s worth noting that servers for the world-building game Minecraft were some of Aisuru’s most frequent targets].
A simple and crude way to detect Aisuru bot activity on a network may be to set an alert on any systems attempting to contact domains ending in .su. This TLD is frequently abused for cybercrime and by cybercrime forums and services, and blocking access to it entirely is unlikely to raise any legitimate complaints.
View the full article
- 0 comments
- 66 views
-
View the full article
- 0 comments
- 50 views
-
Sources close to the investigation say Yuriy Igorevich Rybtsov, a 41-year-old from the Russia-controlled city of Donetsk, Ukraine, was previously referenced in U.S. federal charging documents only by his online handle “MrICQ.” According to a 13-year-old indictment (PDF) filed by prosecutors in Nebraska, MrICQ was a developer for a cybercrime group known as “Jabber Zeus.”
Image: lockedup dot wtf.
The Jabber Zeus name is derived from the malware they used — a custom version of the ZeuS banking trojan — that stole banking login credentials and would send the group a Jabber instant message each time a new victim entered a one-time passcode at a financial institution website. The gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called “man-in-the-browser” attacks, malware that can silently intercept any data that victims submit in a web-based form.
Once inside a victim company’s accounts, the Jabber Zeus crew would modify the firm’s payroll to add dozens of “money mules,” people recruited through elaborate work-at-home schemes to handle bank transfers. The mules in turn would forward any stolen payroll deposits — minus their commissions — via wire transfers to other mules in Ukraine and the United Kingdom.
The 2012 indictment targeting the Jabber Zeus crew named MrICQ as “John Doe #3,” and said this person handled incoming notifications of newly compromised victims. The Department of Justice (DOJ) said MrICQ also helped the group launder the proceeds of their heists through electronic currency exchange services.
Two sources familiar with the Jabber Zeus investigation said Rybtsov was arrested in Italy, although the exact date and circumstances of his arrest remain unclear. A summary of recent decisions (PDF) published by the Italian Supreme Court states that in April 2025, Rybtsov lost a final appeal to avoid extradition to the United States.
According to the mugshot website lockedup[.]wtf, Rybtsov arrived in Nebraska on October 9, and was being held under an arrest warrant from the U.S. Federal Bureau of Investigation (FBI).
The data breach tracking service Constella Intelligence found breached records from the business profiling site bvdinfo[.]com showing that a 41-year-old Yuriy Igorevich Rybtsov worked in a building at 59 Barnaulska St. in Donetsk. Further searching on this address in Constella finds the same apartment building was shared by a business registered to Vyacheslav “Tank” Penchukov, the leader of the Jabber Zeus crew in Ukraine.
Vyacheslav “Tank” Penchukov, seen here performing as “DJ Slava Rich” in Ukraine, in an undated photo from social media.
Penchukov was arrested in 2022 while traveling to meet his wife in Switzerland. Last year, a federal court in Nebraska sentenced Penchukov to 18 years in prison and ordered him to pay more than $73 million in restitution.
Lawrence Baldwin is founder of myNetWatchman, a threat intelligence company based in Georgia that began tracking and disrupting the Jabber Zeus gang in 2009. myNetWatchman had secretly gained access to the Jabber chat server used by the Ukrainian hackers, allowing Baldwin to eavesdrop on the daily conversations between MrICQ and other Jabber Zeus members.
Baldwin shared those real-time chat records with multiple state and federal law enforcement agencies, and with this reporter. Between 2010 and 2013, I spent several hours each day alerting small businesses across the country that their payroll accounts were about to be drained by these cybercriminals.
Those notifications, and Baldwin’s tireless efforts, saved countless would-be victims a great deal of money. In most cases, however, we were already too late. Nevertheless, the pilfered Jabber Zeus group chats provided the basis for dozens of stories published here about small businesses fighting their banks in court over six- and seven-figure financial losses.
Baldwin said the Jabber Zeus crew was far ahead of its peers in several respects. For starters, their intercepted chats showed they worked to create a highly customized botnet directly with the author of the original Zeus Trojan — Evgeniy Mikhailovich Bogachev, a Russian man who has long been on the FBI’s “Most Wanted” list. The feds have a standing $3 million reward for information leading to Bogachev’s arrest.
Evgeniy M. Bogachev, in undated photos.
The core innovation of Jabber Zeus was an alert that MrICQ would receive each time a new victim entered a one-time password code into a phishing page mimicking their financial institution. The gang’s internal name for this component was “Leprechaun,” (the video below from myNetWatchman shows it in action). Jabber Zeus would actually re-write the HTML code as displayed in the victim’s browser, allowing them to intercept any passcodes sent by the victim’s bank for multi-factor authentication.
“These guys had compromised such a large number of victims that they were getting buried in a tsunami of stolen banking credentials,” Baldwin told KrebsOnSecurity. “But the whole point of Leprechaun was to isolate the highest-value credentials — the commercial bank accounts with two-factor authentication turned on. They knew these were far juicier targets because they clearly had a lot more money to protect.”
Baldwin said the Jabber Zeus trojan also included a custom “backconnect” component that allowed the hackers to relay their bank account takeovers through the victim’s own infected PC.
“The Jabber Zeus crew were literally connecting to the victim’s bank account from the victim’s IP address, or from the remote control function and by fully emulating the device,” he said. “That trojan was like a hot knife through butter of what everyone thought was state-of-the-art secure online banking at the time.”
Although the Jabber Zeus crew was in direct contact with the Zeus author, the chats intercepted by myNetWatchman show Bogachev frequently ignored the group’s pleas for help. The government says the real leader of the Jabber Zeus crew was Maksim Yakubets, a 38-year Ukrainian man with Russian citizenship who went by the hacker handle “Aqua.”
Alleged Evil Corp leader Maksim “Aqua” Yakubets. Image: FBI
The Jabber chats intercepted by Baldwin show that Aqua interacted almost daily with MrICQ, Tank and other members of the hacking team, often facilitating the group’s money mule and cashout activities remotely from Russia.
The government says Yakubets/Aqua would later emerge as the leader of an elite cybercrime ring of at least 17 hackers that referred to themselves internally as “Evil Corp.” Members of Evil Corp developed and used the Dridex (a.k.a. Bugat) trojan, which helped them siphon more than $100 million from hundreds of victim companies in the United States and Europe.
This 2019 story about the government’s $5 million bounty for information leading to Yakubets’s arrest includes excerpts of conversations between Aqua, Tank, Bogachev and other Jabber Zeus crew members discussing stories I’d written about their victims. Both Baldwin and I were interviewed at length for a new weekly six-part podcast by the BBC that delves deep into the history of Evil Corp. Episode One focuses on the evolution of Zeus, while the second episode centers on an investigation into the group by former FBI agent Jim Craig.
Image: https://www.bbc.co.uk/programmes/w3ct89y8
View the full article
- 0 comments
- 98 views
-
CQ Blue was built to solve that. It’s our AI-driven strategy designed to make SOCs more efficient, accurate, and agile — without losing the human expertise that defines great security.
At the center of CQ Blue is the SOC Triage Agent, an intelligent layer of automation that works alongside analysts to triage alerts, reduce fatigue, and improve detection outcomes. Across its four pillars — Efficiency, Accuracy, Speed, and Empowerment — it redefines what modern managed security looks like.
View the full article
- 0 comments
- 60 views
-
In this Threat Analysis report, Cybereason Security Services investigates the flow of a Tangerine Turkey campaign observed in Cybereason EDR. Tangerine Turkey is a threat actor identified as a visual basic script (VBS) worm used to facilitate cryptomining activity.
View the full article
- 0 comments
- 61 views
-
First identified in August 2024, Aisuru has spread to at least 700,000 IoT systems, such as poorly secured Internet routers and security cameras. Aisuru’s overlords have used their massive botnet to clobber targets with headline-grabbing DDoS attacks, flooding targeted hosts with blasts of junk requests from all infected systems simultaneously.
In June, Aisuru hit KrebsOnSecurity.com with a DDoS clocking at 6.3 terabits per second — the biggest attack that Google had ever mitigated at the time. In the weeks and months that followed, Aisuru’s operators demonstrated DDoS capabilities of nearly 30 terabits of data per second — well beyond the attack mitigation capabilities of most Internet destinations.
These digital sieges have been particularly disruptive this year for U.S.-based Internet service providers (ISPs), in part because Aisuru recently succeeded in taking over a large number of IoT devices in the United States. And when Aisuru launches attacks, the volume of outgoing traffic from infected systems on these ISPs is often so high that it can disrupt or degrade Internet service for adjacent (non-botted) customers of the ISPs.
“Multiple broadband access network operators have experienced significant operational impact due to outbound DDoS attacks in excess of 1.5Tb/sec launched from Aisuru botnet nodes residing on end-customer premises,” wrote Roland Dobbins, principal engineer at Netscout, in a recent executive summary on Aisuru. “Outbound/crossbound attack traffic exceeding 1Tb/sec from compromised customer premise equipment (CPE) devices has caused significant disruption to wireline and wireless broadband access networks. High-throughput attacks have caused chassis-based router line card failures.”
The incessant attacks from Aisuru have caught the attention of federal authorities in the United States and Europe (many of Aisuru’s victims are customers of ISPs and hosting providers based in Europe). Quite recently, some of the world’s largest ISPs have started informally sharing block lists identifying the rapidly shifting locations of the servers that the attackers use to control the activities of the botnet.
Experts say the Aisuru botmasters recently updated their malware so that compromised devices can more easily be rented to so-called “residential proxy” providers. These proxy services allow paying customers to route their Internet communications through someone else’s device, providing anonymity and the ability to appear as a regular Internet user in almost any major city worldwide.
From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. Proxy services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence. But they are massively abused for hiding cybercrime activity (think advertising fraud, credential stuffing) because they can make it difficult to trace malicious traffic to its original source.
And as we’ll see in a moment, this entire shadowy industry appears to be shifting its focus toward enabling aggressive content scraping activity that continuously feeds raw data into large language models (LLMs) built to support various AI projects.
‘INSANE’ GROWTH
Riley Kilmer is co-founder of spur.us, a service that tracks proxy networks. Kilmer said all of the top proxy services have grown substantially over the past six months.
“I just checked, and in the last 90 days we’ve seen 250 million unique residential proxy IPs,” Kilmer said. “That is insane. That is so high of a number, it’s unheard of. These proxies are absolutely everywhere now.”
Today, Spur says it is tracking an unprecedented spike in available proxies across all providers, including;
LUMINATI_PROXY 11,856,421
NETNUT_PROXY 10,982,458
ABCPROXY_PROXY 9,294,419
OXYLABS_PROXY 6,754,790
IPIDEA_PROXY 3,209,313
EARNFM_PROXY 2,659,913
NODEMAVEN_PROXY 2,627,851
INFATICA_PROXY 2,335,194
IPROYAL_PROXY 2,032,027
YILU_PROXY 1,549,155
Reached for comment about the apparent rapid growth in their proxy network, Oxylabs (#4 on Spur’s list) said while their proxy pool did grow recently, it did so at nowhere near the rate cited by Spur.
“We don’t systematically track other providers’ figures, and we’re not aware of any instances of 10× or 100× growth, especially when it comes to a few bigger companies that are legitimate businesses,” the company said in a written statement.
Bright Data was formerly known as Luminati Networks, the name that is currently at the top of Spur’s list of the biggest residential proxy networks. Bright Data likewise told KrebsOnSecurity that Spur’s current estimates of its proxy network are dramatically overstated and inaccurate.
“We did not actively initiate nor do we see any 10x or 100x expansion of our network, which leads me to believe that someone might be presenting these IPs as Bright Data’s in some way,” said Rony Shalit, Bright Data’s chief compliance and ethics officer. “In many cases in the past, due to us being the leading data collection proxy provider, IPs were falsely tagged as being part of our network, or while being used by other proxy providers for malicious activity.”
“Our network is only sourced from verified IP providers and a robust opt-in only residential peers, which we work hard and in complete transparency to obtain,” Shalit continued. “Every DC, ISP or SDK partner is reviewed and approved, and every residential peer must actively opt in to be part of our network.”
HK NETWORK
Even Spur acknowledges that Luminati and Oxylabs are unlike most other proxy services on their top proxy providers list, in that these providers actually adhere to “know-your-customer” policies, such as requiring video calls with all customers, and strictly blocking customers from reselling access.
Benjamin Brundage is founder of Synthient, a startup that helps companies detect proxy networks. Brundage said if there is increasing confusion around which proxy networks are the most worrisome, it’s because nearly all of these lesser-known proxy services have evolved into highly incestuous bandwidth resellers. What’s more, he said, some proxy providers do not appreciate being tracked and have been known to take aggressive steps to confuse systems that scan the Internet for residential proxy nodes.
Brundage said most proxy services today have created their own software development kit or SDK that other app developers can bundle with their code to earn revenue. These SDKs quietly modify the user’s device so that some portion of their bandwidth can be used to forward traffic from proxy service customers.
“Proxy providers have pools of constantly churning IP addresses,” he said. “These IP addresses are sourced through various means, such as bandwidth-sharing apps, botnets, Android SDKs, and more. These providers will often either directly approach resellers or offer a reseller program that allows users to resell bandwidth through their platform.”
Many SDK providers say they require full consent before allowing their software to be installed on end-user devices. Still, those opt-in agreements and consent checkboxes may be little more than a formality for cybercriminals like the Aisuru botmasters, who can earn a commission each time one of their infected devices is forced to install some SDK that enables one or more of these proxy services.
Depending on its structure, a single provider may operate hundreds of different proxy pools at a time — all maintained through other means, Brundage said.
“Often, you’ll see resellers maintaining their own proxy pool in addition to an upstream provider,” he said. “It allows them to market a proxy pool to high-value clients and offer an unlimited bandwidth plan for cheap reduce their own costs.”
Some proxy providers appear to be directly in league with botmasters. Brundage identified one proxy seller that was aggressively advertising cheap and plentiful bandwidth to content scraping companies. After scanning that provider’s pool of available proxies, Brundage said he found a one-to-one match with IP addresses he’d previously mapped to the Aisuru botnet.
Brundage says that by almost any measurement, the world’s largest residential proxy service is IPidea, a China-based proxy network. IPidea is #5 on Spur’s Top 10, and Brundage said its brands include ABCProxy (#3), Roxlabs, LunaProxy, PIA S5 Proxy, PyProxy, 922Proxy, 360Proxy, IP2World, and Cherry Proxy. Spur’s Kilmer said they also track Yilu Proxy (#10) as IPidea.
Brundage said all of these providers operate under a corporate umbrella known on the cybercrime forums as “HK Network.”
“The way it works is there’s this whole reseller ecosystem, where IPidea will be incredibly aggressive and approach all these proxy providers with the offer, ‘Hey, if you guys buy bandwidth from us, we’ll give you these amazing reseller prices,'” Brundage explained. “But they’re also very aggressive in recruiting resellers for their apps.”
A graphic depicting the relationship between proxy providers that Synthient found are white labeling IPidea proxies. Image: Synthient.com.
Those apps include a range of low-cost and “free” virtual private networking (VPN) services that indeed allow users to enjoy a free VPN, but which also turn the user’s device into a traffic relay that can be rented to cybercriminals, or else parceled out to countless other proxy networks.
“They have all this bandwidth to offload,” Brundage said of IPidea and its sister networks. “And they can do it through their own platforms, or they go get resellers to do it for them by advertising on sketchy hacker forums to reach more people.”
One of IPidea’s core brands is 922S5Proxy, which is a not-so-subtle nod to the 911S5Proxy service that was hugely popular between 2015 and 2022. In July 2022, KrebsOnSecurity published a deep dive into 911S5Proxy’s origins and apparent owners in China. Less than a week later, 911S5Proxy announced it was closing down after the company’s servers were massively hacked.
That 2022 story named Yunhe Wang from Beijing as the apparent owner and/or manager of the 911S5 proxy service. In May 2024, the U.S. Department of Justice arrested Mr Wang, alleging that his network was used to steal billions of dollars from financial institutions, credit card issuers, and federal lending programs. At the same time, the U.S. Treasury Department announced sanctions against Wang and two other Chinese nationals for operating 911S5Proxy.
The website for 922Proxy.
DATA SCRAPING FOR AI
In recent months, multiple experts who track botnet and proxy activity have shared that a great deal of content scraping which ultimately benefits AI companies is now leveraging these proxy networks to further obfuscate their aggressive data-slurping activity. That’s because by routing it through residential IP addresses, content scraping firms can make their traffic far trickier to filter out.
“It’s really difficult to block, because there’s a risk of blocking real people,” Spur’s Kilmer said of the LLM scraping activity that is fed through individual residential IP addresses, which are often shared by multiple customers at once.
Kilmer says the AI industry has brought a veneer of legitimacy to residential proxy business, which has heretofore mostly been associated with sketchy affiliate money making programs, automated abuse, and unwanted Internet traffic.
“Web crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be collected,” Kilmer said. “Everybody wanted to monetize their own data pots, and how they monetize that is different across the board.”
Kilmer said many LLM-related scrapers rely on residential proxies in cases where the content provider has restricted access to their platform in some way, such as forcing interaction through an app, or keeping all content behind a login page with multi-factor authentication.
“Where the cost of data is out of reach — there is some exclusivity or reason they can’t access the data — they’ll turn to residential proxies so they look like a real person accessing that data,” Kilmer said of the content scraping efforts.
Aggressive AI crawlers increasingly are overloading community-maintained infrastructure, causing what amounts to persistent DDoS attacks on vital public resources. A report earlier this year from LibreNews found some open-source projects now see as much as 97 percent of their traffic originating from AI company bots, dramatically increasing bandwidth costs, service instability, and burdening already stretched-thin maintainers.
Cloudflare is now experimenting with tools that will allow content creators to charge a fee to AI crawlers to scrape their websites. The company’s “pay-per-crawl” feature is currently in a private beta, and it lets publishers set their own prices that bots must pay before scraping content.
On October 22, the social media and news network Reddit sued Oxylabs (PDF) and several other proxy providers, alleging that their systems enabled the mass-scraping of Reddit user content even though Reddit had taken steps to block such activity.
“Recognizing that Reddit denies scrapers like them access to its site, Defendants scrape the data from Google’s search results instead,” the lawsuit alleges. “They do so by masking their identities, hiding their locations, and disguising their web scrapers as regular people (among other techniques) to circumvent or bypass the security restrictions meant to stop them.”
Denas Grybauskas, chief governance and strategy officer at Oxylabs, said the company was shocked and disappointed by the lawsuit.
“Reddit has made no attempt to speak with us directly or communicate any potential concerns,” Grybauskas said in a written statement. “Oxylabs has always been and will continue to be a pioneer and an industry leader in public data collection, and it will not hesitate to defend itself against these allegations. Oxylabs’ position is that no company should claim ownership of public data that does not belong to them. It is possible that it is just an attempt to sell the same public data at an inflated price.”
As big and powerful as Aisuru may be, it is hardly the only botnet that is contributing to the overall broad availability of residential proxies. For example, on June 5 the FBI’s Internet Crime Complaint Center warned that an IoT malware threat dubbed BADBOX 2.0 had compromised millions of smart-TV boxes, digital projectors, vehicle infotainment units, picture frames, and other IoT devices.
In July, Google filed a lawsuit in New York federal court against the Badbox botnet’s alleged perpetrators. Google said the Badbox 2.0 botnet “compromised more than 10 million uncertified devices running Android’s open-source software, which lacks Google’s security protections. Cybercriminals infected these devices with pre-installed malware and exploited them to conduct large-scale ad fraud and other digital crimes.”
A FAMILIAR DOMAIN NAME
Brundage said the Aisuru botmasters have their own SDK, and for some reason part of its code tells many newly-infected systems to query the domain name fuckbriankrebs[.]com. This may be little more than an elaborate “screw you” to this site’s author: One of the botnet’s alleged partners goes by the handle “Forky,” and was identified in June by KrebsOnSecurity as a young man from Sao Paulo, Brazil.
Brundage noted that only systems infected with Aisuru’s Android SDK will be forced to resolve the domain. Initially, there was some discussion about whether the domain might have some utility as a “kill switch” capable of disrupting the botnet’s operations, although Brundage and others interviewed for this story say that is unlikely.
A tiny sample of the traffic after a DNS server was enabled on the newly registered domain fuckbriankrebs dot com. Each unique IP address requested its own unique subdomain. Image: Seralys.
For one thing, they said, if the domain was somehow critical to the operation of the botnet, why was it still unregistered and actively for-sale? Why indeed, we asked. Happily, the domain name was deftly snatched up last week by Philippe Caturegli, “chief hacking officer” for the security intelligence company Seralys.
Caturegli enabled a passive DNS server on that domain and within a few hours received more than 700,000 requests for unique subdomains on fuckbriankrebs[.]com.
But even with that visibility into Aisuru, it is difficult to use this domain check-in feature to measure its true size, Brundage said. After all, he said, the systems that are phoning home to the domain are only a small portion of the overall botnet.
“The bots are hardcoded to just spam lookups on the subdomains,” he said. “So anytime an infection occurs or it runs in the background, it will do one of those DNS queries.”
Caturegli briefly configured all subdomains on fuckbriankrebs dot com to display this ASCII art image to visiting systems today.
The domain fuckbriankrebs[.]com has a storied history. On its initial launch in 2009, it was used to spread malicious software by the Cutwail spam botnet. In 2011, the domain was involved in a notable DDoS against this website from a botnet powered by Russkill (a.k.a. “Dirt Jumper”).
Domaintools.com finds that in 2015, fuckbriankrebs[.]com was registered to an email address attributed to David “Abdilo” Crees, a 27-year-old Australian man sentenced in May 2025 to time served for cybercrime convictions related to the Lizard Squad hacking group.
Update, Nov. 1, 2025, 10:25 a.m. ET: An earlier version of this story erroneously cited Spur’s proxy numbers from earlier this year; Spur said those numbers conflated residential proxies — which are rotating and attached to real end-user devices — with “ISP proxies” located at AT&T. ISP proxies, Spur said, involve tricking an ISP into routing a large number of IP addresses that are resold as far more static datacenter proxies.
View the full article
- 0 comments
- 165 views
-
|
|
|