
Large AWS Crypto Mining Campaign Powered by Compromised IAM Credentials



An ongoing campaign has been detected targeting Amazon Web Services (AWS) customers whose Identity and Access Management (IAM) credentials have been hijacked in order to facilitate crypto mining.

According to a new report shared by the tech giant prior to publication, the activity was first detected on November 2, 2025 by Amazon's GuardDuty managed threat detection service and its automated security monitoring systems. It makes use of techniques that have never been seen before in order to impede incident response and continue unimpeded.

"Operating from an external hosting provider, the threat actor quickly enumerated resources and permissions before deploying crypto mining resources across ECS and EC2," Amazon stated in its announcement. "Within 10 minutes of the threat actor gaining initial access, crypto miners were operational."

The multi-stage attack chain begins with the unknown adversary using compromised IAM user credentials with administrative-like privileges to start a discovery phase. This phase probes the environment for EC2 service quotas and tests the credentials' permissions by invoking the RunInstances API with the "DryRun" flag set.

Enabling the "DryRun" flag is essential and deliberate: it lets the attackers confirm their IAM permissions without actually launching instances, which avoids incurring costs and reduces the forensic trail they leave behind. The end goal of this stage is to determine whether the targeted infrastructure is suitable for deploying the miner software.

In the next stage, the threat actor calls CreateServiceLinkedRole and CreateRole to create IAM roles for autoscaling groups and AWS Lambda, respectively. Once the roles are created, the "AWSLambdaBasicExecutionRole" policy is attached to the Lambda role.

Based on the activity observed so far, the threat actor is believed to have created dozens of ECS clusters across the environment, in some cases exceeding fifty ECS clusters in a single attack.

"They then called RegisterTaskDefinition with a malicious DockerHub image yenik65958/secret:user," Amazon stated. "With the same string used for the cluster creation, the actor then created a service, using the task definition to initiate crypto mining on ECS Fargate nodes."

The DockerHub image, which has since been taken down, was configured to execute a shell script as soon as it was deployed. The script would start crypto mining using the RandomVIREL mining algorithm. The threat actor has also been observed creating autoscaling groups configured to scale from 20 to 999 instances in an effort to take advantage of EC2 service quotas and maximize resource consumption.

The EC2 activity has targeted high-performance GPU and machine learning instances as well as compute, memory, and general-purpose instances.




What sets this campaign apart is its use of the ModifyInstanceAttribute action with the "disableApiTermination" parameter set to "True." This setting prevents an instance from being terminated through the Amazon EC2 console, command line interface, or API, which forces victims to re-enable API termination before they can delete the affected resources.

"Instance termination protection can impair incident response capabilities and disrupt automated remediation controls," Amazon stated in its announcement. "This technique demonstrates an understanding of common security response procedures and intent to maximize the duration of mining operations."

The security risk associated with ModifyInstanceAttribute has been highlighted before. In April 2024, security researcher Harsha Koushik presented a proof-of-concept (PoC) that outlined how the action may be exploited to take control of instances, exfiltrate instance role credentials, and even take control of the entire Amazon Web Services account.

The attacks also involve the creation of a Lambda function that can be invoked by any principal, and of an IAM user called "user-x1x2x3x4" to which the AWS managed policy "AmazonSESFullAccess" is attached. This gives the adversary full access to the Amazon Simple Email Service (SES), likely in order to carry out phishing attacks.
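The API calls named above can be correlated per principal in CloudTrail data. The following is an added example, not code from Amazon's report: it assumes CloudTrail-style records in which a dry-run RunInstances call carries the error code "Client.DryRunOperation" and request parameters use the field names shown, and the threshold, stage labels and sample records are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # the article: miners ran within 10 minutes of access
ASG_MAX_THRESHOLD = 500          # assumed tuning value; the campaign scaled to 999

def _truthy(value):
    # Assumed shapes: a bare bool/string or a {"value": ...} wrapper
    if isinstance(value, dict):
        value = value.get("value")
    return str(value).lower() == "true"

def classify(ev):
    """Map one CloudTrail-style record to a stage of the chain, or None."""
    name, rp = ev.get("eventName"), ev.get("requestParameters") or {}
    if name == "RunInstances" and ev.get("errorCode") == "Client.DryRunOperation":
        return "dryrun-probe"
    if name in ("CreateRole", "CreateServiceLinkedRole"):
        return "role-creation"
    if name == "RegisterTaskDefinition":
        return "task-definition"
    if name == "CreateAutoScalingGroup" and int(rp.get("maxSize", 0)) >= ASG_MAX_THRESHOLD:
        return "oversized-asg"
    if name == "ModifyInstanceAttribute" and _truthy(rp.get("disableApiTermination")):
        return "termination-protection"
    return None

def correlate(events, min_stages=3):
    """Alert on principals showing min_stages distinct stages inside WINDOW."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            hits[ev["userIdentity"]["arn"]].append((when, stage))
    alerts = {}
    for arn, seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            stages = {s for t, s in seq[i:] if t - start <= WINDOW}
            if len(stages) >= min_stages:
                alerts[arn] = sorted(stages)
                break
    return alerts

def _ev(when, arn, name, rp=None, err=None):
    return {"eventTime": when, "userIdentity": {"arn": arn}, "eventName": name,
            "requestParameters": rp or {}, "errorCode": err}

# Constructed sample records (not real logs); account id and user names are made up
A = "arn:aws:iam::111122223333:user/ci-deployer"
B = "arn:aws:iam::111122223333:user/ops-admin"
SAMPLE = [
    _ev("2025-01-01T10:00:05Z", A, "RunInstances", err="Client.DryRunOperation"),
    _ev("2025-01-01T10:02:10Z", A, "CreateRole"),
    _ev("2025-01-01T10:04:00Z", A, "RegisterTaskDefinition"),
    _ev("2025-01-01T10:06:30Z", A, "CreateAutoScalingGroup", {"minSize": 20, "maxSize": 999}),
    _ev("2025-01-01T10:08:00Z", A, "ModifyInstanceAttribute", {"disableApiTermination": {"value": True}}),
    _ev("2025-01-01T09:00:00Z", B, "CreateRole"),
    _ev("2025-01-01T14:00:00Z", B, "ModifyInstanceAttribute", {"disableApiTermination": {"value": True}}),
    _ev("2025-01-01T14:05:00Z", B, "CreateAutoScalingGroup", {"minSize": 1, "maxSize": 6}),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Termination protection and role creation are routine on their own, which is why the second principal in the sample raises no alert; the signal is several stages from one identity inside the short window.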

Amazon is urging AWS users to take the following precautions to protect themselves from the threat:

• Implement stringent controls for the management of identities and access.
• Use ephemeral credentials instead of long-term access keys.
• Require multi-factor authentication (MFA) for all users.
• Apply the principle of least privilege (PoLP) to IAM principals in order to restrict access.
• Add container security controls to scan for suspicious images.
• Watch for unusual CPU allocation requests in ECS task definitions.
• Use AWS CloudTrail to log events across all AWS services.
• Ensure AWS GuardDuty is enabled to permit automatic response procedures.

"The threat actor's scripted use of multiple compute services, in combination with emerging persistence techniques, represents a significant advancement in crypto mining attack methodologies," Amazon stated in its conclusion.

Google to Close Dark Web Monitoring Tool in February 2026



Google has announced that it will discontinue its dark web report tool in February 2026, less than two years after the feature was introduced to let users monitor whether their personal information turns up on the dark web.

To that end, scans for new dark web breaches will stop on January 15, 2026, and the feature will be discontinued as of February 16, 2026.

"While the report did offer general information, feedback showed that it did not provide helpful next steps," Google said in a support document. "We're making this change to instead focus on tools that give you more clear, actionable steps to protect your information online."

The tech giant has stated that it will remove all data associated with the dark web report once the tool is terminated in February. Customers can also delete their monitoring profile in advance by following these steps:

• Go to the dark web report.
• Under the heading "Results with your information," select "Edit monitoring profile."
• Select "Delete monitoring profile" from the drop-down menu at the bottom. Take out

Google released the dark web report in March 2023 to combat online identity fraud stemming from information stolen through data breaches and made available on the dark web. The report searched the dark web for personal information, including names, addresses, email addresses, phone numbers, and Social Security numbers, and alerted users whenever such information was discovered.

In July 2024, Google expanded the product beyond Google One users to all account holders.

Google is also encouraging users to improve the privacy and security of their accounts by creating a passkey for phishing-resistant multi-factor authentication (MFA) and by removing their personal information from Google Search results with the "Results about you" feature.

Malware GhostPoster In 17 Firefox Add-ons with 50,000+ Downloads



A new campaign known as GhostPoster has used the logo files of seventeen Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud.

According to Koi Security, which uncovered the campaign, the extensions have been downloaded more than 50,000 times in total. The add-ons are no longer available.

The add-ons were advertised as virtual private networks (VPNs), screenshot utilities, ad blockers, and unofficial copies of Google Translate. The oldest of them, Dark Mode, was released on October 25, 2024, and offered the ability to enable a dark look for all websites. A complete list of the browser add-ons can be found below:

Weather (weather-best-forecast) Screenshot of a Free Virtual Private Network
Expression of the Mouse (crxMouse)
"Cache" is a quick website loader.
A Free Downloader for MP3s
To use Google Translate, right-click on the Google Translate icon.
Dark Reader Dark Mode is a free download of the Google Global VPN, which is available forever.
Using Google Bing as a translator (Baidu) I-like-weather, also known as DeepL Weather
(google-translate-pro-extension) Google Translate Google Translate
Free videos that may be viewed on Libertv.
Best Ad Blocker, Ad Stop (Ad Stop)
Right-clicking on Google Translate displays the translation tool.

According to security researchers Lotan Sery and Noga Gouldman, "What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away the security protections contained within your browser, and opens a backdoor for remote code execution."

The attack chain starts when the logo file is fetched as one of the extensions listed above is loaded. The malicious code parses the file to locate a marker containing the "===" sign in order to extract JavaScript code: a loader that contacts an external server (such as "www.liveupdt[.]com" or "www.dealctr[.]com") to retrieve the primary payload. The loader waits forty-eight hours between attempts.
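A reviewer auditing an extension package can check its image assets for this kind of carrier. The following is an added example, not code from Koi Security's report: it assumes the logo is a PNG and that the hidden code sits in bytes following the image's final IEND chunk after the "===" marker; the sample images are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="   # marker string named in the article

def _chunk(ctype, data):
    # PNG chunk layout: length, type, data, CRC32 over type + data
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def png_end_offset(blob):
    """Walk the chunks and return the offset just past IEND, or None if malformed."""
    if not blob.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            return None              # truncated chunk
        pos = end
        if ctype == b"IEND":
            return pos
    return None

def inspect_logo(blob):
    """Report data carried after the image and whether it holds the marker."""
    end = png_end_offset(blob)
    if end is None:
        return {"valid_png": False, "trailing_bytes": 0,
                "marker_found": MARKER in blob, "after_marker": b""}
    # Only look past IEND: "===" can occur by chance inside compressed pixel data
    trailing = blob[end:]
    idx = trailing.find(MARKER)
    return {"valid_png": True, "trailing_bytes": len(trailing),
            "marker_found": idx != -1,
            "after_marker": trailing[idx + len(MARKER):] if idx != -1 else b""}

# Constructed 1x1 greyscale PNG, then the same file with constructed trailing data
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN = (PNG_SIG + _chunk(b"IHDR", IHDR)
         + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
PLACEHOLDER = b"/* constructed placeholder text, not loader code */"
TAMPERED = CLEAN + MARKER + PLACEHOLDER

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, inspect_logo(blob))
```

Any non-zero `trailing_bytes` on a packaged icon is worth a manual look, with or without the marker.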




To evade detection further, the loader is set up to fetch the payload only ten percent of the time. This randomness is a deliberate choice meant to circumvent efforts to monitor network traffic. The payload that is returned is a comprehensive, custom-encoded toolkit capable of monetizing browser activity without the victims' awareness through four different methods:

• Affiliate link hijacking: stealing affiliate links to e-commerce websites such as Taobao or JD.com, robbing legitimate affiliates of their earnings.
• Tracking injection: inserting Google Analytics tracking code into every web page the victim visits in order to covertly profile them.
• Security header stripping: removing security headers such as Content-Security-Policy and X-Frame-Options from HTTP responses, leaving users exposed to clickjacking and cross-site scripting.
• Hidden iframe injection: inserting invisible iframes into web pages in order to load URLs from attacker-controlled servers and enable click and ad fraud.
• CAPTCHA bypass: using a variety of techniques to circumvent CAPTCHA challenges and avoid bot detection protections.

"Why would malicious software desire to circumvent CAPTCHAs?" the researchers said, explaining that certain actions, such as the concealed iframe injections, cause bot detection to occur. "The malware needs to prove it's 'human' to keep operating."

In addition to the probability checks, the add-ons also use time-based delays that keep the malware from acting until more than six days after the add-on is installed. These layered evasion strategies make it more difficult to discover what is taking place behind the scenes.

It is important to note that not all of the extensions mentioned above employ the same steganographic attack chain. However, all of them display the same behavior and communicate with the same command-and-control (C2) infrastructure, which indicates that they are all the product of a single threat actor or group that has experimented with a variety of lures and methods.

This development comes just a few days after a popular VPN extension for Google Chrome and Microsoft Edge was discovered to be secretly capturing artificial intelligence conversations from ChatGPT, Claude, and Gemini and exfiltrating them to data brokers. Another Chrome add-on known as FreeVPN, released in August 2025, was observed collecting screenshots, system information, and users' locations.

"Free virtual private networks (VPNs) promise privacy, but nothing in life comes for free," Koi Security warned. "Again and again, they deliver surveillance instead."
