A federal jury on Tuesday decided that NSO Group must pay Meta-owned WhatsApp WhatsApp approximately $168 million in monetary damages, more than four months after a federal judge ruled that the Israeli company violated U.S. laws by exploiting WhatsApp servers to deploy Pegasus spyware, targeting over 1,400 individuals globally.
WhatsApp originally filed the lawsuit against NSO Group in 2019,

NSO Group Fined $168M for Targeting 1,400 WhatsApp Users With Pegasus Spyware

ASUS has disclosed a critical security flaw impacting routers with AiCloud enabled that could permit remote attackers to perform unauthorized execution of functions on susceptible devices.
The vulnerability, tracked as CVE-2025-2492, has a CVSS score of 9.2 out of a maximum of 10.0.

"An improper authentication control vulnerability exists in certain ASUS router firmware series,"

ASUS Confirms Critical Flaw in AiCloud Routers; Users Urged to Update Firmware

A new variant of the hello pervert emails claims that the target's system is infected with njRAT and spoofs the victims email address

In a new version of the old “Hello pervert”  emails, scammers are relying on classic email spoofing techniques to try and convince victims that they have lost control of their email account and computer systems.

Email spoofing basically comes down to sending emails with a false sender address, a method in use in various ways by scammers. Obviously, pretending to be someone else can have its advantages, especially if that someone else holds a position of power or trust with regards to the receiver.

But sending a message to the victim’s from their _own_ email address might convince the victim that they have lost access over their own account.

The text of the email roughly looks like this:

> “As you may have noticed, I sent you an email from your email account
> 
> This means I have full access to your account
> 
> I’ve been watching you for a few months
> 
> The thing is, you got infected with a njrat through an adult site you visited
> 
> If you don’t know about this, let me explain
> 
> The njrat gives me full access and control over your device.
> 
> This means I can see everything on your screen, turn on the camera and microphone, but you don’t know it
> 
> I also have access to all your contacts and all your correspondence.
> 
> On the left half of the screen, I made a video showing how you satisfied yourself, on the right half you see the video you watched.
> 
> With a click of a mouse I can send this video to all your emails and contacts on social networks
> 
> I can also see access to all your communications and messaging programs that you use.
> 
> If you want to avoid this,
> 
> Transfer the amount of 1200 USD to my bitcoin address (“write buy bitcoin or find for bitcoin exchange if you don’t know”)
> 
> My Bitcoin address (BTC wallet): 1FJg6nuRLLv4iQLNFPTpGwZfKjHJQnmwFs
> 
> After payment is received, I will delete the video and you will not hear from me again
> 
> I’m giving you 48 hours to pay
> 
> Do not forget that I will see you when you open the message, the counter will start
> 
> If I see you’ve shared this message with someone else, the video will be posted immediately”

If the victim decides to search for “njrat” they’ll find that it’s a remote access trojan (RAT) has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, upload/download files, view the victim’s desktop, and more.

Scary stuff, and it supports the claims the scammer makes.

But, as with all sextortion scams, this threat is an entirely empty one. There is more than likely no lurid video, no “njrat,” no list of contacts. Instead, there is just a threat which is meant to drive panic which is meant to drive payment.

When we checked, we were happy to see that the scammers’ Bitcoin wallet is empty, although they could have set up a separate one for each victim.

**How to recognize sextortion emails**

Once you know what’s going on it’s easy to recognize these emails. Remember that not all of the below characteristics have to be included in these emails, but all of them are red flags in their own right.

*   The emails often look as if they came from one of your own email addresses.
*   The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
*   In the email, the scammer claims to have used “Pegasus” or some Trojan to spy on you through your own computer.
*   The scammer says they know “your password” or compromised your account.
*   You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
*   The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.

**What to do when you receive an email like this**

First of all, even if it’s only to reassure yourself, scan your computer with an anti-malware solution that can detect and remove njRAT (if present).

Second, if your computer is clean, check if your email account has not been compromised. Change the password and enable 2FA if possible.

Don’t respond to the scammer, since that will confirm that the email address is in use and the mail is read. This could invoke more emails from scammers.

Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.

Do not open unsolicited attachments. Especially when the sender address is suspicious or even your own.

For your ease of mind, turn off your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.

 “I sent you an email from your email account,” sextortion scam claims 

The Israeli spyware maker, still on the US Commerce Department’s “blacklist,” has hired a new lobbying firm with direct ties to the Trump administration, a WIRED investigation has found.

Shortly after Donald Trump declared victory in November, NSO Group cofounder and majority owner Omri Lavie rushed to X to congratulate him, speaking of a “new chapter where the world goes back to common sense,” while accusing the outgoing Biden administration of being “weak.” In another tweet, he gushed in Hebrew that Republicans “won in every category: the presidency, Congress, Senate, and the popular vote.”

Lavie’s enthusiasm is understandable. His company—frequently associated with alleged human rights abuses, most recently in February when journalists in Serbia were targeted with its Pegasus spyware—had a significant stake in a Trump victory, with the hopes of regaining the ability to freely do business with US entities. In a comment to Amnesty International, NSO stated, in part, that its “commitment to maintain the highest standard of ethical conduct as well as confidentiality towards our customers is paramount and is consistent with industry norms and our legal obligations.”

The Israeli spyware vendor has been on the US Commerce Department’s “blacklist” for more than three years, meaning it cannot do business with US companies without specific government approval. NSO Group poured at least $1.8 million into an aggressive pre-election lobbying effort, focusing primarily on Republican senators and representatives, with some meetings occurring as often as eight times. Yet the company remains on the Entity List.

Now, with a new occupant in the White House, NSO Group appears to be shifting its political strategy.

The company seems to have either terminated or altered its engagement with several of its previous lobbying consultancies in Washington—some of which were closely aligned with the Democrats—and has started working with a key new lobbying partner: the Vogel Group.

Founded by Alex Vogel, who served as chief counsel to former Senate majority leader Bill Frist, the Vogel Group is providing NSO Group with “strategic advisory on cybersecurity policy matters,” according to lobbying disclosure documents filed on March 10.

The Vogel Group’s connection to the Trump administration includes areas of key interest to NSO Group. One of the Israeli spyware vendor’s new lobbyists, Jonathan Fahey, joined Vogel’s Washington, DC, office as a principal on January 29 and served in various roles during Trump's first term, including acting director and acting principal legal adviser at Immigration and Customs Enforcement, deputy assistant secretary at the Department of Homeland Security, and general counsel to the White House Office of National Drug Control Policy—all three relevant departments for a company selling surveillance technology.

Another Vogel Group staffer, Hayden Jewett, is listed in disclosure records as assigned to lobby on behalf of NSO group. Jewett served as a congressional staff liaison to President Trump’s 2016 inauguration, facilitating coordination between congressional offices and the inaugural committee.

Law firm Holtzman Vogel—of which Alex Vogel is a partner—was founded by his wife, Jill Holtzman Vogel, a former Virginia state senator, a former chief counsel of the Republican National Committee (RNC), and a current principal at the Vogel Group. The firm has reportedly worked for the National Republican Senatorial Committee and the National Republican Congressional Committee and received in 2024 over $9.3 million in reported payments, with significant political funding from Republican organizations.

Holtzman Vogel also represented former Metropolitan Police Department lieutenant Andrew Zabavsky, who was pardoned by Trump in January 2025 for his conviction for obstruction of justice related to the investigation into the death of 20-year-old Karon Hylton-Brown, a case that sparked protests ahead of the 2020 US election.

Bill McGinley, a principal at the Vogel Group and former assistant to the president and cabinet secretary during Trump’s first term, left the lobbying firm after Trump appointed him to White House counsel on November 12. He was then reassigned as counsel to the so-called Department of Government Efficiency (DOGE) on December 4, only to leave on January 23.

“Lobbyists and advisers who have passed through the revolving door, having worked in the previous Trump White House or for the campaign, as well as those who are big campaign donors have a unique ability to bend the ear of the new administration,” says Dan Auble, a senior researcher at the nonprofit OpenSecrets, which tracks US political spending. “That access is very valuable.”

NSO Group spokesperson Gil Lainer declined to comment on the scope of the contract with the Vogel Group when asked by WIRED. The Vogel Group did not respond to WIRED’s request for comment.

**Closing the Circle**

NSO Group’s recent lobbying efforts appear to have mainly focused on Republican lawmakers, more than executive branch power players, particularly as the Biden administration had been engaged in a crackdown on commercial spyware. The company previously worked with several lobbying contractors, with whom it appears to have either terminated or altered its registrations.

These include its registrations under Foreign Agents Registration Act (FARA) with Pillsbury Winthrop Shaw Pittman LLP and Chartwell Strategy Group, as well as registrations under the Lobbying Disclosure Act (LDA) with law firms Paul Hastings LLP and Steptoe LLP. Pillsbury previously engaged Chartwell Strategy Group to provide NSO Group with “strategic communications counsel.” Chartwell Strategy Group has now, for the first time, registered under the LDA as a lobbyist for NSO Group, while the only current active registration of NSO Group under FARA is with Paul Hastings LLP.

Lobbyists representing foreign commercial interests—if their work is not intended to benefit a foreign government or political party—can be exempt from FARA and instead register under the LDA, which has no requirement to report specific meetings and is, overall, far less transparent than FARA.

Much of the public knowledge about NSO Group’s lobbying efforts came from FARA filings. Since both the Vogel Group and Chartwell Strategy Group are now registered under the LDA, it will now be more difficult to monitor their lobbying efforts.

Examining NSO Group's past and present consultants reveals numerous individuals who, one way or another, have been associated with the Trump administration. These people are not all lobbyists, but they do have direct connections to Trump world. They include David Tamasi, managing director at Chartwell Strategy and DC chairman of Trump’s 2016 joint fundraising committee, who bundled more than $500,000 for Trump’s campaign and the RNC in 2020, and at least $15,000 in 2024. His firm, a key player in NSO Group’s lobbying, had been actively preparing clients for Trump’s return.

Other NSO-connected figures also have close Trump ties: Bryan Lanza, a partner at Mercury Public Affairs, which consulted for the company from 2020 to 2021, is a veteran Trump ally; Michael Flynn, Trump’s former national security adviser, was paid nearly $100,000 by NSO Group’s parent firms, according to the The Washington Post, and was recently appointed by Trump to a West Point advisory board; Jeff Miller, who raised millions for Trump, received $170,000 from an NSO-linked company and was spotted at Trump’s 2024 election night event at Mar-a-Lago; and Rod Rosenstein, Trump’s former deputy attorney general, represented NSO Group in a lawsuit and previously helped justify Trump’s firing of FBI director James Comey.

Pillsbury Winthrop Shaw Pittman LLP, Chartwell Strategy Group, Paul Hastings LLP, and Steptoe LLP did not reply to WIRED’s request for comment. Nor did Flynn, Miller, or Rosenstein. Tamasi did not respond in time for publication.

**What Counts as a Win**

As of early March—before Vogel Group’s registration as a lobbyist for NSO Group—there had been no indication that the Trump administration intended to remove the company from the Entity List, according to a source familiar with the administration’s moves regarding spyware, who asked not to be named in order to discuss confidential matters. However, recent comments by NSO Group’s Lavie soft-peddled the impact of the Entity List on the company’s ability to operate in the US.

“\[The Americans\], when they say ‘blacklist,’ it sounds much more dramatic to me than it actually is,” Lavie claimed during an interview in Hebrew on an Israeli podcast following Trump’s election. He added: “You can still do business in the United States; it is definitely not a barrier for us to sell in the US.”

“In practice, we are on the list of Commerce, and what this does for us from a regulatory perspective, it simply forces American companies—if we want to buy technology from them—to ask for permission to sell us the technology. That's all,” Lavie said.

​​Lobbying efforts can target different parts of the US government. By lobbying the executive branch (the president and agencies), lobbyists can influence how laws are enforced rather than what the laws say. In contrast, when lobbying Congress, the focus is on passing, blocking, or amending laws by influencing legislators.

For example, for a company to be removed from the Entity List, it must go through a lengthy administrative process that includes a review by an interagency committee composed of representatives from the departments of Commerce, State, and Defense, among others. Although Congress could theoretically influence this process, it is not directly involved.

During the presidential transition period, NSO Group mainly focused on Congress and reached out to at least 10 Republican senators, representatives, and their staff, before beginning its outreach with the incoming administration. On February 2, the company shared its annual transparency report with Trump’s new deputy national security adviser, Alex Wong.

The Vogel Group could play a key role in supporting NSO Group if it attempts to engage with the new executive branch, including the president’s executive office, the National Security Council, and the State, Justice, and Commerce Departments, among other relevant agencies. Such engagement might aim not only at addressing NSO Group’s placement on the Entity List, but also at challenging the spyware-related visa restrictions imposed by the previous administration. In addition, the firm could potentially assist in efforts to roll back Executive Order 14093, signed by President Joe Biden, which continues to restrict the US government’s use of commercial spyware.

Asked whether the Trump administration intends to uphold the EO, White House press secretary Karoline Leavitt declined to comment.

“Much is at stake if the US revokes Executive Order 14093, an order that sets standards on US acquisition of spyware, as access to the US market, and US purchasing power, are great tools in shaping the global scope and scale of the market for spyware,” says Jen Roberts, the Atlantic Council’s associate director of the Cyber Statecraft Initiative and coauthor of a recent major report on the commercial spyware industry. Roberts also highlighted the need to better regulate US outbound investment into such technologies.

**Watching for Signs**

During Trump's first term, the FBI secretly acquired the Pegasus spyware for limited testing in 2019 and seriously contemplated its operational deployment; while during the final months of the administration in 2020, the US initiated a deal that financed the purchase of the Israeli spyware for Colombian security forces, according to the Colombian ambassador to the US and reported by Drop Site News. (The deal was finalized in 2021, after Trump left office.) In an official statement, NSO Group confirmed its dealings with Colombia but denied claims that the software was purchased irregularly. The New York Times also reported that in 2018 the CIA had purchased Pegasus for the government of Djibouti to conduct counterterrorism operations, while the Secret Service held discussions with NSO Group the same year.

The access and influence NSO Group could attain through lobbying efforts by companies like the Vogel Group and Chartwell Strategy Group could lead to a more favorable political environment and, in turn, potentially increase business opportunities under a second Trump administration—something very hard for outsiders to measure, given the opaque nature of government procurement of surveillance technologies.

In the coming weeks and months, NSO Group’s interactions with US government officials, facilitated by its lobbying, will be critical in achieving such a favorable political environment. Caroline Glick, an adviser to Israeli prime minister Benjamin Netanyahu, has also been recently lobbying the Trump White House—among others—on the matter of “request\[ing\] to check for options for lifting sanctions on Israeli technology companies,” according to reports in the Israeli media.

Experts closely monitoring the commercial spyware industry are raising the alarm about the prospect of NSO Group regaining business under Trump—further exacerbated by new reports that the company has been simultaneously pushing its interests on the international stage through the so-called Pall Mall Process, a UK- and France-led initiative to regulate such technologies.

“NSO has become a toxic brand that is widely associated not just with human rights abuses but also with national security threats to US, UK, France, and other countries,” says Natalia Krapiva, senior tech-legal counsel at civil-liberties-focused nonprofit Access Now.

Lainer, the NSO Group spokesperson, tells WIRED that the company “complies with all laws and regulations and sells only to vetted intelligence and law enforcement agencies, which use these technologies daily to prevent crime and terror attacks.” Lainer adds that NSO “has initiated and implemented the industry’s leading compliance and human rights program, which protects against misuse by government entities and investigates all credible claims of misuse”

Ultimately, the current administration will have the final say on how the US regulates NSO Group.

Senator Ron Wyden of Oregon, who has actively worked to address concerns related to surveillance and spyware, tells WIRED that “the Biden Administration blacklisted NSO” because its tool was used to “maliciously targeting journalists, human rights workers, and even US government officials around the world on behalf of foreign dictators and making all Americans less safe.”

“If Donald Trump puts the NSO Group back in business,” Wyden adds, “he'll be directly responsible for opening up new threats to our national security and enabling atrocities by foreign dictators.”

Spyware Maker NSO Group Is Paving a Path Back Into Trump’s America

Citizen Lab's investigation reveals sophisticated spyware attacks exploiting WhatsApp vulnerabilities, implicating Paragon Solutions. Learn how their research exposed these threats and the implications for digital privacy.

Cybersecurity researchers at the Citizen Lab at the University of Toronto have exposed the use of sophisticated spyware named **Graphite**, developed by the Israeli firm Paragon Solutions, to target high-profile individuals through WhatsApp.

Their **investigation** reveals that a previously unknown zero-day vulnerability in WhatsApp’s software allowed the spyware to be installed on devices through a zero-click exploit, allowing adversaries to gain unauthorized access to targeted phones.

For your information **zero-click exploits** mean that a device can be compromised without the user clicking a link, opening a file, or performing any other action.

Attack flow explained (Source: The Citizen Lab)

****Graphite Spyware Servers Worldwide****

Paragon Solutions, established in 2019 by figures including former Israeli Prime Minister Ehud Barak, claims to differentiate itself by adhering to ethical standards, unlike other spyware vendors like the **NSO Group**.

However, Citizen Lab’s researchers mapped out servers attributed to Graphite, and identified suspected deployments against journalists, human rights activists, and government critics across multiple countries. This includes:

*   Italy
*   Israel
*   Canada
*   Cyprus
*   Denmark
*   Australia
*   Singapore

WhatsApp’s parent company, Meta, has confirmed that approximately 90 users in 24 countries were targeted. However, since the researchers are based in Canada; a significant aspect of the investigation focused on a Canadian client, the Ontario Provincial Police (OPP). The analysis uncovered links between Paragon and the OPP, revealing a systematic use of spyware capabilities among Ontario-based police services.

The Italian connection proved to be a focal point of the investigation. Forensic analysis of Android devices belonging to individuals notified by WhatsApp, including journalist Francesco Cancellato and Mediterranea Saving Humans founders Luca Casarini and Dr. Giuseppe Caccia, revealed clear indications of Graphite spyware.

Researchers identified a unique Android forensic artifact, BIGPRETZEL, which confirmed the presence of Paragon’s spyware on these devices. The Italian government initially **denied** any involvement but later **acknowledged** having contracts with Paragon.

Furthermore, the investigation extended to an iPhone belonging to David Yambio, a close associate of the confirmed Paragon targets. Apple threat notifications received by Yambio, coupled with forensic analysis, revealed an attempted infection with novel spyware, subsequently patched by Apple in iOS 18.

In response to Citizen Lab’s findings, Meta, along with Apple and Google, collaborated to address the security vulnerability. WhatsApp implemented a server-side fix, eliminating the need for users to update their apps. Apple also released a patch for its iOS operating system to protect iPhone users.

WhatsApp subsequently **notified** the targeted users. “If we believe that your device has come under threat, we may notify you about it directly via a WhatsApp chat,” the notification read.

****WhatsApp Attacks Persist Despite NSO Group Lawsuit Win****

Hackread.com earlier **reported** that the infamous Israeli spyware company, NSO Group, was held legally liable for compromising hundreds of WhatsApp accounts. Court found NSO Group responsible for breaching WhatsApp’s terms of service and exploiting a vulnerability to install its powerful Pegasus spyware on at least 1,400 devices, targeting journalists, human rights activists, political dissidents, and government officials.

Interestingly, CyberScoop **reported** in November 2024 that NSO Group continued to develop new malware based on WhatsApp exploits, even after Meta filed a lawsuit against them and that when WhatsApp disabled the Eden exploit, NSO Group created the Erised vector to target users until May 2020.

Now, the Citizen Lab’s findings indicate that Israeli spyware firms are continually focusing on exploiting WhatsApp vulnerabilities for spyware deployment and aggressively using them against journalists and activists.  

These cases show the never-ending struggle between technology companies and malicious actors seeking to compromise user privacy and the critical need for continuous caution, stricter security measures, and legal accountability within the spyware industry to protect digital privacy and **human rights**.

Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit

Experts are warning about the proliferating market for targeted spyware and espionage. Why should we be concerned?

Experts are again warning about the proliferating market for targeted spyware and espionage.

Before we dive into the world of targeted spyware, it’s worth looking at a few of the main players that are active in and against this industry.

**Paragon Solutions** is an Israeli company which sells high-end surveillance technology primarily to government clients, positioning its products as essential for combating crime and national security. The name of Paragon’s spyware is Graphite.

However, a lot of controversy arose when it faced allegations over the targeting of specific WhatsApp users, including journalists and civil society members, leading to a cease-and-desist notice from WhatsApp. Following these allegations, Paragon Solutions ended its contract with Italy after Italian citizens were found to have been targeted.

The **NSO group** creates the high-level spyware known as Pegasus, and has also been caught spying on WhatsApp users. The NSO Group justifies the use of Pegasus by saying it’s a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public.

On the opposite side of the fence, **CitizenLab** is an interdisciplinary laboratory based in Toronto, Canada. CitizenLab focuses on studying information controls that impact the openness and security of the internet and pose threats to human rights.

The work done by CitizenLab has led to greater understanding of the global digital surveillance landscape and its implications for human rights.

Often, we will see newly found vulnerabilities in iOS, WhatsApp and other software credited to CitizenLab or one of its associates. They often find these vulnerabilities by analyzing devices of individuals infected with high-level spyware.

In an interview with TheRecord, founder Ronald Deibert said CitizenLab routinely checks people’s phones for spyware. Over time, the researchers at CitizenLab have honed their forensic skills to the level that they can pinpoint the moment of infection for the device right down to the second.

In a recent article, CitizenLab explained in great detail how it cooperated with Meta on uncovering a WhatsApp zero-day vulnerability and how it traced it back to Paragon and the Italian government.

While most of us will, hopefully, never have to deal or worry about getting infected with high-level spyware, we may end up falling victim to the vulnerabilities that are used to infect targets.

Both Paragon and the NSO group have brought many zero-day vulnerabilities to light in browsers and other online applications by using them to compromise mobile devices.

Zero-day vulnerabilities are hard to come by and therefore expensive. But once they are used against victims, there is a good chance that at some point they will be discovered and patched.

But small-time criminals will pick them up and try to use them against people who haven’t had a chance or the time to update their device yet.

Which is why we, on this blog, and through Malwarebytes’ Trusted Advisor, always urge people to keep their devices up-to-date.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Targeted spyware and why it&#8217;s a concern to us 

A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP, and Synology to rope them into a botnet named PolarEdge since at least the end of 2023.
French cybersecurity company Sekoia said it observed the unknown threat actors leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and

PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices

Several government departments are investigating TP-Link routers over Chinese cyberattack fears, but the company denies links.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

TP-Link is one of the most popular router manufacturers in the US, but the company is facing a potential ban due to security concerns about its links to China. A December report from The Wall Street Journal revealed that the US Commerce, Defense, and Justice Departments are investigating TP-Link, though no evidence of deliberate wrongdoing has yet emerged.

“We are a US company,” Jeff Barney, president of TP-Link told WIRED, “We have no affiliation with TP-Link Tech, which focuses on mainland China, and we can prove our separateness.”

The investigation was sparked by a letter from John Moolenaar, a Republican for Michigan, and Raja Krishnamoorthi, a Democrat of Illinois. Both are on the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party. They outlined concerns that Chinese state-sponsored hackers may be able to compromise TP-Link’s routers more easily than other brands and thereby infiltrate US systems, and that TP-Link is subject to Chinese law, meaning it can be forced to hand over sensitive US information by Chinese intelligence officials.

Photograph: Simon Hill

TP-Link was founded in China in 1996 by two brothers, and TP-Link USA was established in 2008. It wasn’t until 2022 that the Chinese and US wings began to split. The process of moving the 170 subsidiaries and all the related ownership out of Hong Kong and into the United States was delayed by the pandemic, says Barney, but it was divested and restructured by 2024.

TP-Link now has headquarters in California and Singapore and manufactures in Vietnam. It researches, designs, develops, and manufactures everything except chipsets in-house, according to Barney. “Our entities in China are governed directly by us, our employees badged by us, secured by us, in our own facilities.” He also says TP-Link has shared documentation with investigators and that its factory in Vietnam was audited by US retail partners like Walmart, Best Buy, and Costco.

“Everybody has a Nexus in China,” Barney says. He claims that American rival Netgear uses Chinese ODMs (original device manufacturers) to build its products and that even Apple relies on manufacturing in China. Netgear says its routers are manufactured in Taiwan, Vietnam, and Thailand, not China.

**Competition Concerns**

The WSJ report suggests that TP-Link has a leading 64.9 percent share of the US router market, but TP-Link disputes this. The company claims its share hovered around 20 percent for the last few years, but jumped to a 36.5 percent unit share and a 30.7 percent dollar share in 2024. But even TP-Link’s lower estimate shows a company in the ascendancy. This dominance has been driven by aggressively low prices and a relatively early roll-out of Wi-Fi 7 routers, perceived by some as a concerted effort to flood the US market.

“Technology should not be exorbitant,” Barney says. “We're trying to democratize these products.”

However, the wide product range raises questions, with many wondering how TP-Link can profit from routers sold at such low prices compared to the competition. Former CNET reviewer Dong Ngo explores this point on the in-depth router review website, Dong Knows.

Concerns about the links between Chinese companies and its government are nothing new. The ban on Huawei’s networking equipment and US sanctions came after years of cybersecurity concerns and intellectual property lawsuits brought by US companies. The TikTok ban is not being enforced by President Donald Trump’s administration, but owner ByteDance is still under pressure to divest its US operations. These situations can be tricky for the average person to navigate because the lines between shoddy security, Chinese espionage, US protectionism, and the growing trade war are distinctly blurry and are not mutually exclusive.

It’s no secret that US competitor Netgear has been lobbying the US government on “cybersecurity and strategic competition with China.” Netgear has had a tough couple of years after adopting a premium pricing strategy that did not resonate with consumers. It has also been embroiled in litigation against TP-Link for patent infringement, resulting in TP-Link paying a $135 million settlement in September 2024.

**Are TP-Link Routers Secure?**

TP-Link has signed CISA’s “Secure by Design” pledge and is part of the Technical Exchange Group. It has a vulnerability disclosure program, where independent researchers and the security community can report potential issues to security@tp-link.com. It claims report response time was 8.4 days on average in 2023, with patches released in an average of 38.5 days. The company is also planning to launch a bug bounty program.

Barney claims TP-Link’s rate of vulnerabilities per product is significantly lower than many of its peers, including Netgear and Cisco, citing public data collected by Finite State, an independent US cybersecurity company, from CVE Details, VulDB, and CISA (Cybersecurity and Infrastructure Security Agency), but not everyone agrees.

“TP-Link does not have a great reputation for patching vulnerabilities or working with security researchers, which does raise alarm bells,” Pieter Arntz, malware intelligence researcher for Malwarebytes told WIRED via email.

Photograph: TP-Link; Data Source: U.S. Cybersecurity and Infrastructure Security Agency

TP-Link was criticized in a recent Microsoft report over a “password spraying” hack that mostly impacted its routers, and the report suggested Chinese “nation-state threat actor activity.” Barney says these were end-of-service products and that Asus and Netgear routers were also impacted.

Other incidents include a Check Point Research exposé of a malicious firmware implant for TP-Link routers, linked to a Chinese state-sponsored “advanced persistent threat” group dubbed “Camaro Dragon.” Cyfirma researchers also found TP-Link router vulnerabilities for sale on underground forums.

“It’s also a challenge because regardless of the home router vendor, there will always be vulnerabilities found,” Arntz says.

A part of the problem with older routers is that the onus is often on the user to download and install updates, and this is rarely automatic or as simple as clicking on “update,” which means many patches are never installed, creating vulnerable devices for any savvy cybercriminals or nation-states. Even months after TP-Link released patches for a vulnerability on its popular Archer AX21 router, hackers continue to scan for and exploit it on unpatched routers.

These security concerns are moot in the face of built-in backdoors. Backdoors can be pieces of code or even hardware added to the circuit board that enables remote parties to gain access and potentially control the device. There’s no evidence that TP-Link devices have backdoors, but, as Ngo points out, when you use an online account with your router, you are already giving the company access through the front door. Whether remote connectivity is justified by the need for automatic software updates, remote control access, or other features for users, it effectively gives the manufacturer access to your router.

**Should You Worry?**

Ultimately, the concern isn’t so much about the Chinese government or other malicious actors spying on your web browsing habits—though that is possible—it’s the idea they might employ your router as a part of a botnet to launch a cyberattack on a US government agency or major service provider.

The NSA has been concerned about Chinese hackers for some time now, and China's Salt Typhoon spies continue to infiltrate US internet service providers and telecommunications companies. Speaking on the _NatSec Tech_ podcast recently, former special assistant to the president and cybersecurity coordinator on the US National Security Council, Rob Joyce, likened TP-Link routers to a Trojan Horse and suggested China is pre-positioning for a potentially devastating attack on US infrastructure.

While some cybersecurity experts suggest a ban is imminent, Barney is confident that TP-Link routers won’t be banned. Investigations are ongoing. Even if the government doesn't find anything or decides against a ban, it won’t publicly clear TP-Link. It’s more likely the investigation will fade from the news.

Photograph: Simon Hill

For owners of a TP-Link router or anyone considering buying one, it all boils down to trust. We've tested and recommend several TP-Link routers and Deco mesh systems in our buying guides because they offer good value and great performance. But we continually update our guides and will monitor the situation before deciding whether we need to reconsider those recommendations.

There’s no easy fix because all the major router manufacturers have issues with vulnerabilities, and most of them require you to use an online account. You can go down the rabbit hole with router security, or seek out security-focused brands like Firewalla, but expect to pay more for your equipment in both time and money.

Even if you stick with what you have, there are steps you can take to be more secure online. We recommend using a VPN service and learning a little about router settings. Malwarebytes’ Arntz says the most secure router is the one on which you are comfortable changing the settings: credentials, firewall options, and especially installing updates.

Here’s his advice for home TP-Link router owners who are concerned:

*   First, update your login credentials. Ensure you have moved away from the default login credentials set by the router manufacturer (or internet provider). Make this password different from your Wi-Fi name and password. And remember, length equals strength when it comes to passwords.
*   Second, patch your device and set a reminder to check regularly for firmware updates.
*   Third, turn on the firewall and Wi-Fi encryption. You can find these settings by logging into your router from its app or website.
*   Finally, consider purchasing a new router from a different vendor with a less problematic history.

TP-Link also manufactures a wide range of smart home devices marketed under the Tapo brand, including everything from security cameras to water leak detectors. These are not part of the current investigation, which seems to be focused solely on routers. TP-Link says it has applied to the FCC’s Cyber Trust Mark program administered by UL Solutions, which ensures that internet-of-things devices are tested and labeled secure. Sadly, there is no such program for routers.

The US Is Considering a TP-Link Router Ban—Should You Worry?

The vulnerability could allow a threat actor to disable the security feature on a locked device and gain access to user data.

Source: Simon Dack via Alamy Stock Photo

NEWS BRIEF

Apple has released a security update for a vulnerability that the tech giant reports may have been exploited in an "extremely sophisticated attack."

Not only that, but these attacks targeted specific individuals, though Apple has not provided any further information.

The vulnerability, tracked as CVE-2025-24200, could allow for a physical attack to disable USB Restricted Mode on a locked device.

USB Restricted Mode is a feature that makes it more difficult for threat actors to unlock a user's phone. When active, a phone's lightning port will only allow charging after the device has been locked for more than an hour, meaning that if an unauthorized actor attempted to connect a locked iPhone to a device to access its data, they could only do so with the necessary credentials.

The security update to fix this vulnerability is available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch third generation and later, iPad Pro 11-inch first generation and later, iPad Air third generation and later, iPad seventh generation and later, and iPad mini fifth generation and later.

Users of any of these devices should install updates as soon as possible and can check if they're updated to the latest software version by going to their settings.

These kinds of vulnerabilities are usually deployed by commercial spyware vendors, such as Pegasus, to target particular individuals, so the average user shouldn't be concerned about being targeted while the details of the attack remain unpublished. However, if they are published, copycat cybercriminals will try to imitate this attack vector, hence the urgency in updating to the latest version.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Apple Releases Urgent Patch for USB Vulnerability

Apple has released an out-of-band security update for a vulnerability which it says may have been exploited in an "extremely sophisticated attack against specific targeted individuals.”

Apple has released an emergency security update for a vulnerability which it says may have been exploited in an “extremely sophisticated attack against specific targeted individuals.”

The update is available for:

*   iOS 18.3.1 and iPadOS 18.3.1 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
*   iPadOS 17.7.5 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to **Settings** (or **System Settings**) > **General** \> **Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

Update now

**Technical details**

The new-found zero-day vulnerability is tracked as CVE-2025-24200. When exploited, the vulnerability would allow an attacker to disable USB Restricted Mode on a locked device. The attack would require physical access to your device

The introduction of USB Restricted Mode feature came with iOS 11.4.1 in July 2018. The feature was designed to make it more difficult for attackers to unlock your iPhone. When USB Restricted Mode is active, your device’s Lightning port (where you plug in the charging cable) will only allow charging after the device has been locked for more than an hour. This means that if someone tries to connect your locked iPhone to a computer or other device to access its data, they won’t be able to do so unless they have your passcode.

To enhance data security, especially when traveling or in public places, it is recommended that you enable USB Restricted Mode in your device settings. If your iPhone, iPad or iPod Touch is running iOS 11.4.1 or later, USB Restricted Mode is automatically on by default, but if you want to check and enable USB Restricted Mode, this can be done by going to **Settings** > **Face ID & Passcode** or **Touch ID & Passcode** > **(USB) Accessories** and toggling off (grey) the **(USB) Accessories** option. Enabling this setting adds an extra layer of protection against unauthorized data access.

Accessories are safe now

Please note: toggling the option to green turns this feature off.

Vulnerabilities like these typically target specific individuals as deployed by commercial spyware vendors like Pegasus and Paragon. This means the average user does not need to fear attacks as long as the details are not published. But once they are, other cybercriminals will try to copy them.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#asus