Fake installers for popular artificial intelligence (AI) tools like OpenAI ChatGPT and InVideo AI are being used as lures to propagate various threats, such as the CyberLock and Lucky_Gh0$t ransomware families, and a new malware dubbed Numero.
"CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim's system," Cisco Talos researcher Chetan

Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools

By integrating intelligent network policies, zero-trust principles, and AI-driven insights, enterprises can create a robust defense against the next generation of cyber threats.

A Defense-in-Depth Approach for the Modern Era

PALO ALTO, California, 29th May 2025, CyberNewsWire

**PALO ALTO, California, May 29th, 2025, CyberNewsWire**

Today, SquareX released new threat research on an advanced Browser-in-the-Middle (BitM) attack targeting Safari users. As highlighted by Mandiant, adversaries have been increasingly using BitM attacks to steal credentials and gain unauthorized access to enterprise SaaS apps. BitM attacks work by using a remote browser to trick victims into interacting with an attacker-controlled browser via a pop-up window in the victim’s browser. A common BitM attack involves displaying the legitimate login page of an enterprise SaaS app, deceiving victims into divulging credentials and other sensitive information thinking that they are conducting work on a regular browser window.

Despite this, one flaw that BitM attacks always had was the fact that the parent window would still display the malicious URL, making the attack less convincing to a security-aware user. However, as part of the Year of Browser Bugs (YOBB) project, SquareX’s research team highlights a major Safari-specific implementation flaw using the Fullscreen API. When combined with BitM, this vulnerability can be exploited to create an extremely convincing Fullscreen BitM attack, where the BitM window opens up in fullscreen mode such that no suspicious URLs from the parent window is seen. Safari users are especially vulnerable to this attack as there is no clear visual indicator of users entering fullscreen. We have disclosed this vulnerability to Safari and were regrettably informed that there is no plan to address the issue.

The current Fullscreen API specifies that “the user has to interact with the page or a UI element in order for this feature to work.” However, what the API does not specify is what kind of interaction is required to trigger fullscreen mode. Consequently, attackers can easily embed any button – such as a fake login button – in the pop-up that calls the Fullscreen API when clicked. This triggers a fullscreen BitM window that perfectly mimics a legitimate login page, including the URL displayed on the address bar.

> “The Fullscreen BitM attack highlights architectural and design flaws in browser APIs, specifically the Fullscreen API,” says the researchers at SquareX, “Users can unknowingly click on a fake button and trigger a fullscreen BitM window, especially in Safari where there is no notification when the user enters fullscreen mode. Users that typically rely on URLs to verify the legitimacy of a site will have zero visual cues that they are on an attacker-controlled site. With how advanced BitM is becoming, it is critical for enterprises to have browser-native security measures to stop attacks that can no longer be visually identified by even the most security aware individuals.”

While BitM attacks have primarily been used to steal credentials, session tokens and SaaS application data, the fullscreen variant has the potential to lead to even more damage by making the attack imperceptible for most ordinary enterprise users. For instance, the landing site may have a button that claims to link to a government resource and opens up to a fake government advisory page to spread misinformation and even gather sensitive company and personally identifiable information (PII). The victim can even subsequently open additional tabs in the attacker-controlled window, allowing adversaries to fully monitor the victim’s browsing activity.

Fullscreen BitM window displaying legitimate Figma login page and URL in the address bar (Disclaimer: Figma is used as an illustrative example)

**Are other browsers vulnerable to Fullscreen BitM attacks too?**

Unlike Safari, Firefox, Chrome, Edge and other Chromium-based browsers display a user message whenever the full-screen mode is toggled. However, this notification is extremely subtle and momentary in nature – most employees may not notice or register this as a suspicious sign. Additionally, the attacker can also use dark modes and colors to make the notification even less noticeable. By contrast, Safari does not have a messaging requirement – the only visual sign of entering fullscreen mode is a “swipe” animation. Thus, while the attack shows no clear visual cues in Safari browsers, other browsers are also exposed to the same Fullscreen API vulnerability that makes the Fullscreen BitM attack possible.

**Existing security solutions fail to detect Fullscreen BitM attacks**

Unfortunately, EDRs have zero visibility into the browser and are proven to be obsolete when it comes to detecting any BitM attack, much less its more advanced fullscreen variant. Additionally, orchestrating the attack with technologies such as remote browser and pixel pushing will also allow it to bypass SASE/SSE detection by eliminating any suspicious local traffic. As a result, without access to rich browser metrics, it is impossible for security tools to detect and mitigate Fullscreen BitM attacks. Thus, as phishing attacks become more sophisticated to exploit architectural limitations of browser APIs that are either unfixable or will take significant time to fix by browser providers, it is critical for enterprises to rethink their defense strategy to include advanced attacks like Fullscreen BitM in the browser.

To learn more about this security research, users can visit https://sqrx.com/fullscreen-bitm.

SquareX’s research team is also holding a webinar on June 5th, 10am PT/1pm ET to dive deeper into the full attack chain. To register, users can click here.

**About SquareX**

SquareX is a pioneering Browser Detection and Response (BDR) that empowers organizations to proactively detect, mitigate, and effectively threat-hunt client-side web attacks. SquareX provides critical protection against a wide range of browser security threats, including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI DLP, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser. Users can find out more on www.sqrx.com.

The Fullscreen BitM Attack disclosure is part of the Year of Browser Bugs project. Every month, SquareX’s research team releases a major web attack that focuses on architectural limitations of the browser and incumbent security solutions. Previously disclosed attacks include Browser Syncjacking, Polymorphic Extensions and Browser-Native Ransomware.

To learn more about SquareX’s BDR, users can contact SquareX at \[email protected\]. For press enquiries on this disclosure or the Year of Browser Bugs, users can email at \[email protected\]. 

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Fullscreen BitM Attack Discovered by SquareX Exploits Browser Fullscreen APIs to Steal Credentials in Safari

Authorities in Pakistan have arrested 21 individuals accused of operating "Heartsender," a once popular spam and malware dissemination service that operated for more than a decade. The main clientele for HeartSender were organized crime groups that tried to trick victim companies into making payments to a third party, and its alleged proprietors were publicly identified by KrebsOnSecurity in 2021 after they inadvertently infected their computers with malware.

Authorities in Pakistan have arrested 21 individuals accused of operating “**Heartsender**,” a once popular spam and malware dissemination service that operated for more than a decade. The main clientele for HeartSender were organized crime groups that tried to trick victim companies into making payments to a third party, and its alleged proprietors were publicly identified by KrebsOnSecurity in 2021 after they inadvertently infected their computers with malware.

Some of the core developers and sellers of Heartsender posing at a work outing in 2021. WeCodeSolutions boss Rameez Shahzad (in sunglasses) is in the center of this group photo, which was posted by employee Burhan Ul Haq, pictured just to the right of Shahzad.

A report from the Pakistani media outlet **Dawn** states that authorities there arrested 21 people alleged to have operated Heartsender, a spam delivery service whose homepage openly advertised phishing kits targeting users of various Internet companies, including Microsoft 365, Yahoo, AOL, Intuit, iCloud and ID.me. Pakistan’s **National Cyber Crime Investigation Agency** (NCCIA) reportedly conducted raids in Lahore’s Bahria Town and Multan on May 15 and 16.

The NCCIA told reporters the group’s tools were connected to more than $50m in losses in the United States alone, with European authorities investigating 63 additional cases.

“This wasn’t just a scam operation – it was essentially a cybercrime university that empowered fraudsters globally,” **NCCIA Director Abdul Ghaffar** said at a press briefing.

In January 2025, the FBI and the Dutch Police seized the technical infrastructure for the cybercrime service, which was marketed under the brands Heartsender, **Fudpage** and **Fudtools** (and many other “fud” variations). The “fud” bit stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

The FBI says transnational organized crime groups that purchased these services primarily used them to run business email compromise (BEC) schemes, wherein the cybercrime actors tricked victim companies into making payments to a third party.

Dawn reported that those arrested included **Rameez Shahzad**, the alleged ringleader of the Heartsender cybercrime business, which most recently operated under the Pakistani front company **WeCodeSolutions**. Mr. Shahzad was named and pictured in a 2021 KrebsOnSecurity story about a series of remarkable operational security mistakes that exposed their identities and Facebook pages showing employees posing for group photos and socializing at work-related outings.

Prior to folding their operations behind WeCodeSolutions, Shahzad and others arrested this month operated as a web hosting group calling itself **The Manipulaters**. KrebsOnSecurity first wrote about The Manipulaters in May 2015, mainly because their ads at the time were blanketing a number of popular cybercrime forums, and because they were fairly open and brazen about what they were doing — even who they were in real life.

Sometime in 2019, The Manipulaters failed to renew their core domain name — manipulaters\[.\]com — the same one tied to so many of the company’s business operations. That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Soon after, Scylla started receiving large amounts of email correspondence intended for the group’s owners.

In 2024, **DomainTools.com** found the web-hosted version of Heartsender leaked an extraordinary amount of user information to unauthenticated users, including customer credentials and email records from Heartsender employees. DomainTools says the malware infections on Manipulaters PCs exposed “vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy.”

Shahzad allegedly used the alias “**Saim Raza**,” an identity which has contacted KrebsOnSecurity multiple times over the past decade with demands to remove stories published about the group. The Saim Raza identity most recently contacted this author in November 2024, asserting they had quit the cybercrime industry and turned over a new leaf after a brush with the Pakistani police.

The arrested suspects include Rameez Shahzad, Muhammad Aslam (Rameez’s father), Atif Hussain, Muhammad Umar Irshad, Yasir Ali, Syed Saim Ali Shah, Muhammad Nowsherwan, Burhanul Haq, Adnan Munawar, Abdul Moiz, Hussnain Haider, Bilal Ahmad, Dilbar Hussain, Muhammad Adeel Akram, Awais Rasool, Usama Farooq, Usama Mehmood and Hamad Nawaz.

Pakistan Arrests 21 in ‘Heartsender’ Malware Service

Cybercriminals are using text-to-video-AI tools to lure victims to fake websites that deliver malware like infostealers and Trojans.

Cybercriminals are taking advantage of the public’s interest in Artificial Intelligence (AI) and delivering malware via text-to-video tools.

According to researchers at Mandiant, the criminals are setting up websites claiming to offer “AI video generator” services, and then using those fake tools to distribute information stealers, Trojans, and backdoors.

Links to the malicious websites were brought to the researchers’ attention by ads and links in comments on social media platforms. The researchers uncovered thousands of malicious ads on Facebook and LinkedIn—beginning in November 2024—that promote fake AI video generator tools such as “Luma AI,” “Canva Dream Lab,” and “Kling AI.”

To avoid detection, the group constantly rotates the domain used in the ads and creates new ads every day, while using both compromised and newly created accounts. The campaign operates through more than 30 websites that imitate popular legitimate AI tools.

Researchers identified the first payload as the Starkveil dropper (detected by Malwarebytes/ThreatDown) classified as Trojan.Crypt. The Trojan, written in Rust, requires users to run it twice to fully compromise their machines. After the first run, the malware displays an error window to trick victims into executing it again.

The dropper then deploys the XWorm (detected as Backdoor.XWorm) and Frostrift (detected as Trojan.Crypt) backdoors and the GRIMPULL downloader (also detected as Trojan.Crypt).

After it has fully compromised the system, this constellation of malware will harvest all kinds of data from the infected devices and send it to the cybercriminals using various methods of communication. For a full technical analysis of the malware, feel free to read the researchers’ report.

The researchers stated:

> “The temptation to try the latest AI tool can lead to anyone becoming a victim.”

So, it’s important to be aware of these campaigns and adopt ways to recognize and thwart them.

*   Be vigilant. Posts or ads with high numbers of views that promise free AI text-to-video tools are a red flag and should be examined carefully, especially if they prompt downloads of executable files, which could be disguised as videos.
*   Don’t trust unsolicited messages or ads promising unbelievable AI tools or free trials, especially if they pressure you to act quickly or provide personal information.
*   Run up-to-date and active protection to intercept these malware infections in the early stages, as well as detect and remove infostealer malware.
*   Use web protection in your browser that can recognize and block scams and malicious websites.
*   Don’t click on sponsored search results. Any other method to find a link to your coveted product is preferable over sponsored results, since criminals have demonstrated that it pays off to outbid the rightful owners.
*   Look out for ads with too-good-to-be-true offers, urgent deadlines, or unusual payment methods like cryptocurrency or wire transfers.
*   Scrutinize the provided URLs which might be constructed to look like the “real thing” but they might not be.
*   Only download AI software or tools from official, trusted sources or verified app stores.

For more actionable advice on how to spot scams, join our Facebook Live on June 3.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware 

ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users. Learn how attackers…

ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users. Learn how attackers exploit Pickle files and the growing threat to the software supply chain.

Cybersecurity experts from ReversingLabs (RL) have discovered a new trick used by cybercriminals to spread harmful software, this time by hiding it within artificial intelligence (AI) and machine learning (ML) models. 

Researchers discovered three dangerous packages on the Python Package Index (PyPI), a popular platform for Python developers to find and share code, which resembled a Python SDK for Aliyun AI Labs services and targeted users of Alibaba AI labs.

Alibaba AI labs is a significant investment and research initiative within Alibaba Group and a part of Alibaba Cloud’s AI and Data Intelligence services, or Alibaba DAMO Academy.

****New Software Threat Hides in AI Tools****

These malicious packages, named aliyun-ai-labs-snippets-sdk, ai-labs-snippets-sdk, and aliyun-ai-labs-sdk, had no real AI functionality, explained ReversingLabs reverse engineer Karlo Zanki in the research shared with Hackread.com.

“The ai-labs-snippets-sdk package accounted for the majority of downloads, due to it being available for download longer than the other two packages,” the blog post revealed.

A Package’s Readme Page (Source: ReversingLabs)

Instead, once installed, they secretly dropped an infostealer (malware designed to steal information). This harmful code was hidden inside a PyTorch model. For your information, PyTorch models are often used in ML and are essentially zipped Pickle files. Pickle is a common Python format for saving and loading data, but it can be risky because malicious code can be hidden inside. This particular infostealer collected basic details about the infected computer and its .gitconfig file, which often contains sensitive user information for developers.

The packages were available on PyPI starting May 19th for less than 24 hours but were downloaded about 1,600 times. RL researchers believe the attack might have started with phishing emails or other social engineering tactics to trick users into downloading the fake software. The fact that the malware looked for details from the popular Chinese app AliMeeting, and .gitconfig files suggests developers in China might be the main targets.

****Why ML Models are being Targeted?****

The rapid rise in the use of AI and ML in everyday software makes them a part of the software supply chain, creating new opportunities for attackers. ReversingLabs has been tracking this trend, previously warning about the dangers of the Pickle file format.

ReversingLabs product management director Dhaval Shah had noted earlier that Pickle files could be used to inject harmful code. This was proven true in February with the nullifAI campaign, where malicious ML models were found on Hugging Face, another platform for ML projects.

This latest discovery on PyPI shows that attackers are increasingly using ML models, specifically the Pickle format, to hide their malware. Security tools are only just beginning to catch up to this new threat, as ML models were traditionally seen as just data carriers, not places for executable code. This highlights the urgent need for better security measures for all types of files in software development.

Malware Hidden in AI Models on PyPI Targets Alibaba AI Labs Users

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods.

What makes this campaign particularly dangerous is its use of built-in Windows tools and trusted system processes to blend in with normal activity, making it much harder to catch through signatures alone.

Let’s walk through the full infection chain and see how you can safely detect these techniques in seconds with the help of the right analysis solutions.

****See the Full Attack Chain Unfold in Real Time****

To understand how this phishing campaign works end-to-end, let’s take a look at how it unfolds inside ANY.RUN’s interactive sandbox, where every step is visual, traceable, and recorded in real time.

View the full analysis session

Full attack chain of the new phishing danger inside ANY.RUN’s sandbox

From initial delivery to post-exploitation behaviour, the sandbox reveals the full picture, giving SOC teams the visibility they need to respond faster and helping businesses reduce the risk of silent, long-term compromise.

Full attack chain of the latest phishing threat inside ANY.RUN’s sandbox:

**Phishing Email → Malicious Archive → DBatLoader Execution → Obfuscated CMD Scripts → Remcos Injected into .exe**

Inside the sandbox, you can visually trace each stage of the attack as it happens, such as:

Watch how the archive triggers DBatLoader, and how obfuscated .cmd scripts begin executing suspicious commands.

ANY.RUN sandbox detected the commands execution of cmd.exe

See exactly when and where Remcos is injected into legitimate system processes, with process trees and memory indicators updated in real-time.

Remcos RAT exposed inside the interactive sandbox

Observe persistence techniques in action, such as the creation of scheduled tasks, registry changes, and the use of .url and .pif files, clearly highlighted in the system activity log.

To better understand the tactics behind this phishing attack, you can use the built-in MITRE ATT&CK mapping in ANY.RUN. Just click the “ATT&CK” button in the top-right corner of the sandbox interface.

This view instantly highlights the techniques used during the analysis, grouped by tactics like execution, persistence, privilege escalation, and more. It’s a fast, analyst-friendly way to connect behaviour to real-world threat intelligence, no manual mapping is needed.

MITRE ATT&CK techniques and tactics used by the new phishing campaign

Whether you’re performing triage or writing reports, this feature helps security teams act faster and gives managers clear evidence of how threats operate and where defences might be bypassed.

****Techniques Used in This Phishing Attack (Visible Inside Sandbox)****

Here are some of the key tactics observed in the session and how you can spot them easily inside the sandbox:

1.  **Faktura.exe: The Lure File**

Victims receive a phishing email containing an archive with Faktura.exe, posing as a legitimate invoice. When opened, it kicks off the attack.

Most email security tools won’t flag this file if it’s not known or doesn’t match known IOCs. In ANY.RUN, you can immediately see Faktura.exe in the process tree and watch how it spawns malicious activity, giving analysts clarity from the very first click.

FAKTURA.exe displayed inside ANY.RUN sandbox

2.  **DBatLoader: The Initial Loader**

Once the victim opens the phishing archive, **DBatLoader** is executed. It’s responsible for starting the infection chain by launching obfuscated scripts.

In the Process tree, DBatLoader appears as a dropped .exe, immediately spawning cmd.exe. You can inspect the command lines, and file system activity, and see exactly how the script execution begins.

YARA rule triggered by DBatLoader

3.  **Obfuscated Execution with BatCloak-Wrapped CMD Files**

We see inside this analysis session that .cmd scripts obfuscated with BatCloak are used to download and execute the malicious payload.

Obfuscation hides intent from static scanners. In sandboxes like ANY.RUN, you can open the command-line view and see every decoded instruction and suspicious pattern as it executes, no manual decoding is needed.

4.  **LOLBAS Abuse with Esentutl.exe**

The legitimate utility esentutl.exe is abused to copy cmd.exe into alpha.pif, a renamed dropper meant to look harmless.

File copy operations using esentutl.exe show up in the ANY.RUN Process tree and File system activity, including full paths and command context.

LOLBAS Abuse with Esentutl.exe detected inside ANY.RUN sandbox

5.  **Scheduled Tasks Trigger .url → .pif Execution**

A scheduled task is created to run Cmwdnsyn.url, which launches the .pif file on boot or at regular intervals. 

Scheduled task technique in detail

Scheduled tasks are a common persistence mechanism, but in complex environments, they often go unnoticed. With ANY.RUN, you can instantly see when and how the task is created, track its execution chain in the process tree, and inspect related file and registry changes.

This gives SOC teams a clear view of how the malware stays active over time, making it easier to build detection rules, document the persistence method, and ensure it’s fully removed.

6.  **UAC Bypass with Fake “C:\\Windows ” Directory**

A mock directory (C:\\Windows with a space) is used to bypass UAC prompts by exploiting Windows path handling quirks.

Bypass UAC with mock directories (note trailing space)

****Why Sandbox Analysis Is Critical Against Evasive Threats****

This phishing campaign highlights just how far attackers go to stay hidden, using built-in Windows tools, crafted persistence, and subtle privilege escalation tricks that easily bypass traditional defences.

With sandbox analysis, especially through the one like ANY.RUN, security teams gain the clarity and speed needed to stay ahead of these threats. You can observe every step of the infection, uncover techniques that static tools miss, and act with confidence.

*   Faster incident response thanks to real-time behavioural insight
*   Reduced dwell time by identifying threats before they spread
*   Better-informed security decisions through visibility into attacker tactics
*   Improved compliance and audit readiness with shareable, in-depth reports

****Take Advantage of ANY.RUN’s Birthday Offers****

To celebrate its 9th anniversary, ANY.RUN is offering a limited-time promotion:

Get bonus Interactive Sandbox licenses or double your TI Lookup quota, available only until May 31, 2025.

Don’t miss your chance to upgrade your threat detection and response workflow with solutions trusted by over 15,000 organizations worldwide.

New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know

Vulnerabilities of Western logistics. On May 21, Western intelligence agencies released joint advisory AA25-141A about attacks targeting infrastructure of Western logistics and tech companies. Alongside the usual Five Eyes, intelligence services from Germany, Czech Republic, Poland, Denmark, Estonia, France, and the Netherlands also contributed. The advisory blames Fancy Bear group, allegedly linked to Russian state […]

**Vulnerabilities of Western logistics.** On May 21, Western intelligence agencies released joint advisory AA25-141A about attacks targeting infrastructure of Western logistics and tech companies. Alongside the usual Five Eyes, intelligence services from Germany, Czech Republic, Poland, Denmark, Estonia, France, and the Netherlands also contributed.

The advisory blames Fancy Bear group, allegedly linked to Russian state structures. I strongly condemn these slanderous claims❗️

The document mentions the exploitation of vulnerabilities:

🔻 **Remote Code Execution** – WinRAR (CVE-2023-38831)  
🔻 **Elevation of Privilege** – Microsoft Outlook (CVE-2023-23397)  
🔻 **Remote Code Execution** – Roundcube (CVE-2020-12641)  
🔻 **Code Injection** – Roundcube (CVE-2021-44026)  
🔻 **Cross Site Scripting** – Roundcube (CVE-2020-35730)

Patches, exploits, and signs of in-the-wild exploitation have been available for years for these vulnerabilities. 🤦‍♂️🤷‍♂️

🗒 Vulristics Report

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Vulnerabilities of Western logistics

Adidas confirms cyber attack compromising customer data, joining other major retailers targeted by advanced threats and rising cybersecurity risks.

Global sportswear giant Adidas has confirmed that it has fallen victim to a cyber attack, with customer data stolen in the incident. The company revealed that personal details, including contact information and account credentials, were accessed by threat actors. While Adidas has not disclosed the exact number of affected customers, users should still reset their passwords and monitor their accounts closely.

Adidas has also not confirmed whether the breach resulted from phishing, system vulnerabilities, or third-party compromise. But it puts the company among the growing list of major retailers hit by cyberattacks because of the rise of attack techniques, including those powered by artificial intelligence.

> _“The affected data does not contain passwords, credit cards or any other payment-related information. It mainly consists of contact information relating to consumers who had contacted our customer service help desk in the past.”_
> 
> Adidas

“Attackers are evolving fast, using AI to supercharge phishing campaigns, automate exploits, and evade detection with alarming precision,” said Nadir Izrael, Co-Founder and CTO at Armis. “In this environment, traditional defences simply cannot keep up. Legacy point products and siloed security solutions are putting security teams on the back foot, leaving them not only open to vulnerability exploits but also forcing them into a reactive stance, addressing breaches only after the damage is done.”

Recent data from Armis Labs reveals that nearly half of retail organisations feel overwhelmed by the web of regulations they must navigate. Even more concerning, about 49% admit they have been hacked before and still struggle to secure their digital ecosystems.

While the Adidas breach highlights the dangers, it also reflects a broader shift in industry priorities. According to Armis Labs, nearly 80% of retail organisations have shifted to a more proactive cybersecurity stance at the top of their agendas this year. Encouragingly, 82% report that their employees know how to escalate suspicious activity, though that alone may not be enough to stop determined threat actors.

However, Armis Labs shows that only 46% of retailers report being able to detect and respond to major attacks in real time. That leaves a security gap, especially when attackers are getting faster and more sophisticated with each passing month.

For Adidas customers, it is important to change passwords, monitor accounts for unusual activity, and follow any updates or guidance from the company. For the retail industry, the challenge runs deep, but for a company with a market value of 45 billion dollars, top-tier cybersecurity isn’t just expected; it’s demanded.

Adidas Confirms Cyber Attack, Customer Data Stolen

Artificial intelligence is driving a massive shift in enterprise productivity, from GitHub Copilot’s code completions to chatbots that mine internal knowledge bases for instant answers. Each new agent must authenticate to other services, quietly swelling the population of non‑human identities (NHIs) across corporate clouds.
That population is already overwhelming the enterprise: many companies

Tag

#intel