Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

A new phishing campaign is targeting users across **Latin America**, and at the center of it is Grandoreiro, a banking trojan known for stealing sensitive financial data. With geofencing and stealthy evasion tactics, this malware is proving difficult to catch with standard defenses.

Let’s take a closer look at the campaign, how the attack unfolds, and what makes it so effective.

****Grandoreiro Attack Overview****

Between February 19 and March 14, researchers noticed a surge in phishing activity tied to Grandoreiro, and signs show the campaign is still ongoing.

A spike of Grandoreiro was detected

Grandoreiro has been around for years, constantly evolving to stay ahead of detection. It’s designed to steal banking credentials, monitor user activity, and grant remote access to attackers.

One of the standout techniques in this campaign is geofencing. Before running, the malware checks the victim’s IP address to determine their location. If the user isn’t in a targeted Latin American country, the malware simply stops executing. This makes the campaign more focused, reduces unnecessary exposure, and helps it slip past global security monitoring.

****Grandoreiro Attack Chain****

Grandoreiro is known for slipping past traditional security tools, making it tough to detect using automated solutions alone. However, with the help of interactive sandboxes, it’s possible to observe the malware’s full behavior in real time.

Here’s a complete look at the execution chain inside a secure sandbox: 

**View sandbox analysis session**

The full execution chain of Grandoreiro is displayed inside ANY.RUN sandbox

Understanding the who, when, and how behind this campaign will help security teams proactively strengthen their defenses. Real-time threat analysis platforms not only uncover these details but also make them immediately actionable.

****Initial Access: Phishing Email****

The infection begins with a phishing page that lures the victim into clicking a link or downloading a fake PDF document. Instead of a PDF, the file is actually a compressed archive (.ZIP or .RAR) containing the Grandoreiro loader.

Phishing link with a fake PDF document displayed inside ANY.RUN sandbox

**Execution & Geofencing**

Once the file is extracted and opened, the malware sends a request to ip-apicom to determine the user’s geolocation.

If the IP address falls outside the targeted LATAM countries, the malware halts execution, but if it matches a targeted region, the attack proceeds.

Suricata rule triggered inside ANY.RUN sandbox

**DNS Evasion: Google DNS**

Grandoreiro avoids local DNS queries by sending a request to dns.google. It provides the domain name of its command-and-control (C2) server, which Google resolves to an IP address.

This step helps it bypass DNS-based blocking mechanisms and improves its chances of successful communication.

Traditional solutions often miss these evasion tricks, but ANY.RUN captures them in real time, helping teams build effective detection logic that actually reflects how modern malware behaves.

**Connection to C2**

After resolving the C2 domain, the malware sends a GET request to the retrieved IP address to establish a connection. This opens the door for the attacker to deliver additional payloads, steal credentials, or take remote control of the infected machine.

**Grandoreiro in Action: Tactics & Techniques**

Establishing a connection to the C2 server is just the beginning. Once communication is successful, Grandoreiro kicks off a series of actions designed to stay hidden, gather data, and prepare for further exploitation.

In this specific attack, ANY.RUN’s sandbox reveals a wide range of techniques triggered across multiple MITRE ATT&CK categories. You can see all of them mapped in the ATT&CK tab of the analysis session:

MITRE ATT&CK tactics and techniques used by adversaries

****Detection & Response Tips****

Detecting Grandoreiro isn’t easy; it blends in well and uses clever tricks. But here’s how you can stay one step ahead:

*   **Watch for phishing lures** posing as PDF downloads (often .ZIP or .RAR archives).

*   **Monitor external DNS requests**, especially to dns.google, right after execution.

*   **Flag geolocation lookups** to services like ip-apicom; it’s a key part of Grandoreiro’s filtering tactic.

*   **Use behavior-based analysis** to catch post-execution tactics like file deletion, credential access, or system discovery.

****Catch the Attack Before It Spreads****

The Grandoreiro campaign shows how modern threats evolve and why visibility into behavior matters more than ever.

With ANY.RUN sandbox, security teams can interact with malware in real time, uncover hidden tactics, and respond with confidence. From phishing to post-exploitation, everything is mapped, visualized, and ready for action.

Grandoreiro Strikes Again: Geofenced Phishing Attacks Target LATAM

Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild. Eleven of those flaws earned Microsoft's most-dire "critical" rating, meaning malware or malcontents could exploit them with little to no interaction from Windows users.

**Microsoft** today released updates to plug at least 121 security holes in its **Windows** operating systems and software, including one vulnerability that is already being exploited in the wild. Eleven of those flaws earned Microsoft’s most-dire “critical” rating, meaning malware or malcontents could exploit them with little to no interaction from Windows users.

The zero-day flaw already seeing exploitation is CVE-2025-29824, a local elevation of privilege bug in the Windows **Common Log File System** (CLFS) driver.  Microsoft rates it as “important,” but as **Chris Goettl** from **Ivanti** points out, risk-based prioritization warrants treating it as critical.

This CLFS component of Windows is no stranger to Patch Tuesday: According to Tenable’s **Satnam Narang**, since 2022 Microsoft has patched 32 CLFS vulnerabilities — averaging 10 per year — with six of them exploited in the wild. The last CLFS zero-day was patched in December 2024.

Narang notes that while flaws allowing attackers to install arbitrary code are consistently top overall Patch Tuesday features, the data is reversed for zero-day exploitation.

“For the past two years, elevation of privilege flaws have led the pack and, so far in 2025, account for over half of all zero-days exploited,” Narang wrote.

Rapid7’s **Adam Barnett** warns that any Windows defenders responsible for an LDAP server — which means almost any organization with a non-trivial Microsoft footprint — should add patching for the critical flaw CVE-2025-26663 to their to-do list.

“With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker,” Barnett said. “Anyone wondering if today is a re-run of December 2024 Patch Tuesday can take some small solace in the fact that the worst of the trio of LDAP critical RCEs published at the end of last year was likely easier to exploit than today’s example, since today’s CVE-2025-26663 requires that an attacker win a race condition. Despite that, Microsoft still expects that exploitation is more likely.”

Among the critical updates Microsoft patched this month are remote code execution flaws in **Windows Remote Desktop** services (RDP), including CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482; only the latter two are rated “critical,” and Microsoft marked both of them as “Exploitation More Likely.”

Perhaps the most widespread vulnerabilities fixed this month were in web browsers. **Google Chrome** updated to fix 13 flaws this week, and **Mozilla Firefox** fixed eight bugs, with possibly more updates coming later this week for **Microsoft** **Edge**.

As it tends to do on Patch Tuesdays, **Adobe** has released 12 updates resolving 54 security holes across a range of products, including **ColdFusion**, **Adobe Commerce**, **Experience Manager Forms**, **After Effects**, **Media Encoder**, **Bridge**, **Premiere Pro**, **Photoshop**, **Animate**, **AEM Screens**, and **FrameMaker**.

**Apple** users may need to patch as well. On March 31, Apple released a huge security update (more than three gigabytes in size) to fix issues in a range of their products, including at least one zero-day flaw.

And in case you missed it, on March 31, 2025 **Apple** released a rather large batch of security updates for a wide range of their products, from **macOS** to the **iOS** operating systems on **iPhones** and **iPads**.

Earlier today, Microsoft included a note saying **Windows 10** security updates weren’t available but would be released as soon as possible. It appears from browsing askwoody.com that this snafu has since been rectified. Either way, if you run into complications applying any of these updates please leave a note about it in the comments below, because the chances are good that someone else had the same problem.

As ever, please consider backing up your data and or devices prior to updating, which makes it far less complicated to undo a software update gone awry. For more granular details on today’s Patch Tuesday, check out the SANS Internet Storm Center’s roundup. Microsoft’s update guide for April 2025 is here.

For more details on Patch Tuesday, check out the write-ups from Action1 and Automox.

Patch Tuesday, April 2025 Edition

Beware of deceptive Google Ads targeting QuickBooks and always confirm the website URL before logging in, as fake sites can bypass even 2FA.

The pressure of the looming tax filing deadline (April 15th in the US) can make anyone rush online tasks. Cybercriminals are acutely aware of this increased activity and are exploiting trusted platforms like Google to target Intuit QuickBooks users.

By purchasing prominent Google Ads, they are creating highly convincing fake login pages designed to pilfer sensitive information, including usernames, passwords, and even one-time passcodes (OTPs) – the keys to someone’s financial data needed for tax compliance.

Understanding this deceptive tactic is the first step in protecting yourself from falling victim.

**Brand impersonation: from Google ad to phishing page**

Accounting and tax preparation software has traditionally been a common lure for scammers, particularly those related to online support operating out of large call centres in India and surrounding areas.

Late last year, we documented a fraudulent QuickBooks installer that was laced with malware and generated a fake pop up to trick users into calling for assistance.

This time, the attack is even more dangerous as it goes after victims’ login credentials for QuickBooks. It starts from a Google search, showing an ad that impersonates Intuit’s branding for “QuickBooks Online”.

This leads to a fraudulent website that is essentially a lookalike.

Domain Name: QUICCKBOORKS-ACCCOUNTING .COM  
Registrar URL: https://www.hostinger.com  
Creation Date: 2025-04-07T01:44:46Z

Unbeknownst to victims, the sign-in page is actually a phishing portal that will steal account credentials in real-time and leak them to the criminals behind this scheme.

**  
One-time passcode workaround**

Passwords alone offer a limited level of security because they can be easily guessed, stolen through phishing, or compromised in data breaches. It is highly recommended to enhance account protection by enabling a second form of authentication like one-time passcodes sent to your device or utilizing a 2FA app for an extra layer of verification.

Phishing kits have evolved to become increasingly sophisticated, with some now capable of circumventing one-time passcodes and 2FA. These kits often employ “man-in-the-middle” or “adversary-in-the-middle” (AiTM) techniques.

When a victim enters their credentials and the one-time passcode on a fake login page created by the phishing kit, this information is intercepted in real-time and relayed to the attacker. The attacker can then use these stolen credentials and the valid one-time passcode to log in to the victim’s account before the passcode expires.

**Conclusion**

Cybercriminals often intensify their efforts to target accounting software like QuickBooks during or around tax season, hoping to capitalize on the increased volume of financial transactions and the time-sensitive nature of tax preparations.

Deceptive Google ads can be designed to closely resemble legitimate QuickBooks search results, leading unsuspecting users to fake login pages that harvest their credentials, financial data, or even install malware.

OTP and 2FA still significantly increase security against a vast majority of attacks, especially automated attempts and less sophisticated phishing, making them essential layers of protection when used on authentic platforms.

However, even with the added security of one-time passcodes and 2FA, these measures are rendered ineffective if the initial login occurs through a malicious website reached via a deceptive ad.

Therefore, it is critical to access your QuickBooks account and conduct all sensitive activities directly through the official Intuit QuickBooks website or application, carefully verifying the URL.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

**Malicious QuickBooks domains**

quicckboocks-accounting\[.\]com  
quicckbooks-accounting\[.\]com  
quicckrbooks-acccounting\[.\]com  
quicfkbooks-accounting\[.\]com  
quichkbooks-accounting\[.\]com  
quicjkbooks-accounting\[.\]com  
quickboorks-acccounting\[.\]com  
quickboorks-accountings\[.\]com  
quicnkbooks-accounting\[.\]com  
quicrkbookrs-accounting\[.\]com  
quicrkbooks-acccounting\[.\]com  
quicrkbooks-accountting\[.\]com  
quicrkboorks-accounnting\[.\]com  
quicrkboorks-accounting\[.\]com  
quicrkbrooks-online\[.\]com  
quicrkrbooks-accounting\[.\]com  
quictkbooks-accounting\[.\]com  
quicvkbooks-accounting\[.\]com  
quicxkbooks-accounting\[.\]com  
quirckbooks-accounting\[.\]com

 Tax deadline threat: QuickBooks phishing scam exploits Google Ads 

Cwmbran in Wales holds the Guinness World Record for the most roundabouts—at least according to Google AI Overviews. Except that's not actually true...

Cwmbran in Wales, a town with a population of just under 50,000, holds the Guinness World Record for the most roundabouts—at least according to Google AI Overviews.

Except that’s not actually true…

Ben Black has been publishing lighthearted fake stories on April Fools’ Day for his community news site Cwmbran Life since 2018. The April Fools include the erection of a Hollywood-style sign on a mountain, and the creation of a nudist cold-water swimming club at a lake.   

In 2020, Black published a fake story saying Cwmbran had been recognized by Guinness World Records for having the highest number of roundabouts per square kilometer.  

He fabricated a random number of roundabouts, added a quote from a fictitious resident, and clearly stated that the “news” was an April Fool’s Day joke several hours later. 

So it came as quite a surprise when Black discovered that Google AI Overviews picked up this story as real news recently.  

The thing about April Fools’ Day is that it is treated very differently to every other day online. Normal news outlets publish deliberately fake news stories and we, as people with knowledge of April Fools Day, can use that to assess if something is true. Google AI obviously didn’t get that memo.

As Black said:

> _“It’s not a dangerous story, but it shows how fake news can easily spread even if it’s from a trusted news source.”_ 

Google AI Overviews has been under scrutiny since testing last year after generating false information, including advising people on the minimum required pebbles to eat in a day or using gasoline to cook spaghetti faster.

Black decided not to publish an April Fools’ prank this year due to his busy schedule and his recent experience with Google, which has made him hesitant about future pranks. 

We feel similar about online pranks coming from us, a cybersecurity company that you can trust, so we opted out of April Fools’ Day this year too.

 Google AI taken for a ride by April Fools’ Day joke 

Google has issued patches for 62 vulnerabilities in Android, including two actively exploited zero-days.

Google has patched 62 vulnerabilities in Android, including two actively exploited zero-days in its April 2025 Android Security Bulletin.

When we say “zero-day” we mean an exploitable software vulnerability for which there was no patch at the time of the vulnerability being exploited or published. The term reflects the amount of time that a vulnerable organization has to protect against the threat by patching—zero days.

The April updates are available for Android 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-04-05 or later then you can consider the issues as fixed. The difference with patch level 2025-04-01 is that the higher level provides all the fixes from the first batch and security patches for closed-source third-party and kernel subcomponents, which may not necessarily apply to all Android devices.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**Technical details**

The zero-days are both located in the kernel:

CVE-2024-53150: an out-of-bounds flaw in the USB sub-component of the Linux Kernel that could result in information disclosure. Local attackers can exploit this flaw to access sensitive information on vulnerable devices without user interaction.

The out of bounds vulnerability was caused by the USB-audio driver code which failed to check the length of each descriptor before passing it on.  There are currently no details on how CVE-2024-53150 has been exploited in real-world attacks, by whom, and who may have been targeted in those attacks.

CVE-2024-53197: a privilege escalation flaw in the USB audio sub-component of the Linux Kernel. Again, no user interaction is required.

This vulnerability is the missing link to CVE-2024-50302 and CVE-2024-53104 which put together were reportedly exploited in Serbia by law enforcement using Cellebrite forensic tools to unlock a student activist’s device and attempt spyware installation.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Google fixes two actively exploited zero-day vulnerabilities in Android 

Google has shipped patches for 62 vulnerabilities, two of which it said have been exploited in the wild.
The two high-severity vulnerabilities are listed below -

CVE-2024-53150 (CVSS score: 7.8) - An out-of-bounds flaw in the USB sub-component of Kernel that could result in information disclosure
CVE-2024-53197 (CVSS score: 7.8) - A privilege escalation flaw in the USB sub-component of Kernel

Google Releases Android Update to Patch Two Actively Exploited Vulnerabilities

Hazel highlights the key findings within Cisco Talos’ 2024 Year in Review (now available for download) and details our active tracking of an ongoing campaign targeting users in Ukraine with malicious LNK files.

Thursday, April 3, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter. 

They say art is subjective, but have you ever seen a well-formatted bar chart? Van Gogh had _Starry Night_, but Talos’ 2024 Year in Review (available now!) has color-coded data with perfect labels. True beauty. 

If you haven’t yet had a chance to fully digest this gorgeous report (massive shout-out to our creative team), here are some links. Clicking on them may not change your life, but what if it does? Only one way to find out: 

Our Year in Review landing page houses all our Year in Review content, from videos to podcasts and topic summaries. There's more content coming out every week this month. Oh, you can also download the report itself here, which is useful. 

Here’s a two-minute animated overview. Watch those bad boy bar charts come to life. 

The TTP: Year in Review Special (Part 1) is inspired by The Last of Us in more ways than you might think. We have a two-part video interview with the report’s authors, featuring me calling cybercriminals “cheeky f\*\*\*\*\*s." Part 2 is coming out tomorrow, April 4th. 

This Beers with Talos B team episode genuinely caused someone to direct message me, citing their spouse’s concerns about their laughter levels when listening (“Are you okay?”). 

A couple of the report’s top findings: 

*   Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70 percent of Cisco Talos Incident Response cases. 
*   Operators endeavored to disable targets’ security solutions in most of the Talos IR cases we observed, almost always succeeding. 
*   Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors.

**The one big thing **

Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader. The file names use Russian words related to the movement of troops in Ukraine as a lure. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

**Why do I care? **

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion. 

**So now what? **

Ways our customers can detect and block this threat are listed in this dedicated blog post.

**Top security headlines of the week**

**Gootloader Malware Resurfaces in Google Ads for Legal Docs**: Attackers target law professionals by hiding the infostealer in ads delivered via Google-based malvertising. (Dark Reading) 

**UK threatens £100K-a-day fines under new cyber bill:** The tech secretary revealed the landmark legislation's full details for first time. (The Register) 

**Hacker linked to Oracle Cloud intrusion threatens to sell stolen data**: The alleged breach was linked to a critical vulnerability (Cybersecurity Dive) 

**WordPress attackers hide malware in overlooked plugins directory**: The Must-Use plugins (mu-plugins) directory is used to store essential plugins that are necessary for a site to run properly. (SC Magazine)

**Can’t get enough Talos? **

I mean, bless you if that’s the case, because the Year in Review links in the opening section are probably enough to keep you going. But if you’re still thirsty for more, here’s what the press have been making of the Year in Review findings: 

*   **CNET:** Phishing Emails Aren't as Obvious Anymore. Here's How to Spot Them
*   **The Register**: Ransomware crews add 'EDR killers' to their arsenal - and some aren't even malware
*   **SiliconANGLE**: Cisco Talos report finds identity-based attacks drove majority of cyber incidents in 2024
*   **CyberScoop:** Identity lapses ensnared organizations at scale in 2024

**Upcoming events where you can find Talos**

*   RSA (April 28 – May 1) San Francisco, CA  
*   PIVOTcon (May 7 – 9) Malaga, Spain  
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** **9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376  Typical Filename: c0dwjdi6a.dll   VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991

**SHA 256:** **5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1**   
MD5: 3e10a74a7613d1cae4b9749d7ec93515    
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1   
Typical Filename: IMG001.exe    
Claimed Product: N/A    
Detection Name: Win.Dropper.Coinminer::1201 

**SHA256:** **47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**  
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe     
Claimed Product: N/A     
Detection Name: Coinminer:MBT.26mw.in14.Talos

One mighty fine-looking report

Phishers are putting QR codes as images in attachments because it helps them bypass email filters.

Recently we’ve been seeing quite a few phishing campaigns using QR codes in email attachments.

The lure and the targets are varied, but the use of a QR code to get someone to visit the phishing site is fast becoming a preferred method for cybercriminals.

There are several reasons why cybercriminals might want to use QR codes:

*   The QR code is likely to be scanned with a phone, which are often less well protected against malicious websites or even completely unprotected.
*   Phones are also likely personal devices which provide attackers with a direct path to sensitive personal accounts. For example, banking apps will be often be installed on the same device.
*   QR codes are impossible for humans to identify as malicious at first glance.
*   Links in emails are usually analyzed by email filters, whereas QR codes can be embedded as an image which many email filters will ignore.
*   The use of QR codes in other applications like banking apps, may invoke a certain level of trust.

Combined with other known phishing techniques, QR codes provide criminals with a potent tool for collecting usernames and passwords, distributing malware, and other malicious activities.

Since any QR code scanner should show you the URL before following the link, the phishers often combine the use of QR codes with that of URL shorteners to further hide the real destination.

The attackers can even embed the QR codes in professionally designed documents mimicking HR portals, payroll updates, tax reviews, or e-signature services (e.g. DocuSign, Adobe), which increases the perceived legitimacy of the phish. Here’s one example we’ve seen:

> “To conveniently access and navigate the contents of the updated Employee Handbook, please scan the QR code provided below. This will direct you to the digital version of the handbook for easy reference and exploration.
> 
> {QR code}
> 
> Should you have any questions, Please do not hesitate to contact the HR department.”

The employee handbook example above comes from a four-page document showing a handbook which has been allegedly changed, and ends with specific instructions to open the QR code with the camera app of the smartphone:

> “Step-by-step guide
> 
> 1\. Open your camera app:
> 
> Launch the camera app on your smartphone
> 
> 2\. Point at the QR code:
> 
> Align your camera lens with the QR code, ensuring it is fully visible within the frame.
> 
> 3\. Wait for recognition:
> 
> Your phone will automatically detect the QR code and display a notification or link on the screen.
> 
> 4\. Access the content:
> 
> Tap on the notification or link to open the information associated with the QR code.”

The QR code in this example took anyone that followed the link to a website that redirected based on the email address. Personal email addresses would see generic advertising, but corporate email addresses would be prompted to log in with their Microsoft account.

So, this one was clearly looking to compromise a corporate account, but you can easily imagine how a phisher with another goal in mind could use a list of email addresses obtained in a breach, and with such a list run a targeted campaign.

Malwarebytes customers were protected against this phishing site.

Android warning (in Dutch)

**What can you do to avoid QR code phishing?******Keep your device up to date****

Many users have no idea whether their devices are still receiving updates. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app.

You’ll get notifications when updates are available for you, but you can also check for them yourself. For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

**Scan a QR code with the same security mindset as clicking a link**

If you scan a QR code, make sure to use an app that shows you the full URL and asks you first before it visits the URL encoded in the QR code. If you do not trust the URL, don’t allow your device to open the link, and look for another way to get the information or download you want.

Modern Android devices (version 8 and above) have a native QR code scanning capability built into the camera app. Some QR code scanner apps may have a feature that automatically executes actions like opening a website or downloading a file. Disable features like these.

**Use anti-malware protection on your devices**

Your mobile devices are in need of protection just as much as your computer. Malwarebytes protects devices with Malwarebytes for Android and Malwarebytes for iOS.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 QR codes sent in attachments are the new favorite for phishers 

The first-of-its-kind solution integrates with company codebases, enabling AI agents to work in-context and generate production-grade, front-end code in minutes.

AutonomyAI, a company focused on enhancing front-end software development for businesses, has announced its launch from stealth with $4 million in pre-seed funding, with participation from Inbound Capital, Gilad Shany of IoN Partners and Vikram Makhiija, Senior Director at Google Cloud Security, among others.

Research firm IDC predicts that by 2028, the market for AI-supporting technology investments will reach $749 billion, with 67% of the $227 billion projected spend for 2025 going towards business integrations such as AI agents. This figure surpasses cloud and digital service provider investments for the first time. Speaking at Davos 2025, Salesforce CEO Marc Benioff proclaimed that the deployment of an Agentic AI suite has allowed him to better redistribute resources in the company. His remarks echo the growing sentiment regarding the use of AI to increase efficiency at organizational levels. 

AutonomyAI’s proprietary Agentic Context Engine (ACE) comprehends organizational frameworks, powering a suite of autonomous AI agents for companies to integrate into their front-end development workflows to yield consistent, production-ready results. The ACE-powered agents understand the nuances of a company’s codebase and organizational standard, enabling them to execute tasks with the precision and stability expected from a senior developer in minutes, such as fetching key external information like UI designs, and utilizing components from the codebase without needing a developer to specify, supervise, refactor, or test the code. 

“Until now, AI solutions for code development operated in silos, lacking context about the organization and its goals, helping individual developers complete their tasks rather than perform the tasks for them in accordance with the company’s sprint cycles,” said Adir Ben-Yehuda, CEO. “We inform our agents of the business’s needs, enabling them to simply ‘run with it’. This is pragmatic AI – the future of AI-driven development.”

AutonomyAI believes that plugging in AI agents to organizational contexts is the key to unlocking the true efficiency of AI, significantly accelerating innovation without any sacrifice to quality.

“Autonomy AI is the first AI coding solution that truly comprehends and adapts to the unique context of a business, empowering engineers to dramatically increase their efficiency while allowing organizations to put more resources into business logic and high-impact projects,” said Arik Faingold, Chairman and co-founder of AutonomyAI. Gilad Shany, investor and Managing Partner at ION Crossover, added, “AutonomyAI’s leadership team’s vision represents a fundamental shift in how organizations use AI, which will soon become the new standard.” 

AutonomyAI developed its solution on the backs of co-founder and CTO Tammuz Dubnov and an engineering team that includes four former CTOs, who saw the potential impact of AI agents on the velocity of R&D. The company’s funded emergence from stealth, its engineering team’s deep expertise, and its innovative ACE-powered AI agents position AutonomyAI to lead the emerging market for AI-powered development.

****About AutonomyAI****

Co-founded by Arik Faingold (Co-founder of Pentera and Comm-IT) and Tammuz Dubnov (CTO), and led by Adir Ben-Yehuda (CEO), AutonomyAI’s mission is to transform the way software companies develop front-end code with its Agentic Context Engine (ACE) and suite of AI agents that plug into organizational frameworks and generate ‘production-grade’ code in minutes, enabling organizations to redistribute their resources more efficiency towards more strategic and innovative projects.

AutonomyAI Emerges from Stealth with $4M Pre-Seed Funding to Transform Front-End Development with Autonomous AI Agents

Cybersecurity researchers have disclosed details of a new vulnerability impacting Google's Quick Share data transfer utility for Windows that could be exploited to achieve a denial-of-service (DoS) or send arbitrary files to a target's device without their approval.
The flaw, tracked as CVE-2024-10668 (CVSS score: 5.9), is a bypass for two of the 10 shortcomings that were originally disclosed by

Tag

#google