Malware Activity
How Hackers Are Using AI and Malware to Bypass Security
Recent reports warn that AI assistants like Microsoft Copilot and Grok, which can browse the internet and access URLs, are being exploited by hackers as hidden communication channels. Instead of connecting directly to malicious servers, cybercriminals use these trusted AI tools to send commands and steal data, making their activities harder to detect. Attackers create simple programs that leverage the AI’s browsing features to hide malicious traffic within normal web activity, bypassing traditional security defenses. At the same time, a dangerous Android malware called Keenadu has been discovered, capable of taking full control of infected devices by embedding itself deep into firmware, often during manufacturing or through malicious updates. Keenadu can steal sensitive information and monitor user activity, and it’s spread through fake apps and infected firmware, with some devices in countries like Russia, Japan, and Brazil affected. Experts recommend replacing infected devices or flashing trusted firmware, and Google is actively removing malicious apps from the Play Store. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: AI Platforms Can Be Abused for Stealthy Malware Communication
- TheHackerNews: Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies
- BleepingComputer: New Keenadu Backdoor Found in Android Firmware, Google Play Apps
- SecurityWeek: New Keenadu Android Malware Found on Thousands of Devices
Threat Actor Activity
State of Texas Files Lawsuit Against TP-Link, Claiming Router Hacking Risks and User Deception
In a new lawsuit filed against the networking company TP-Link Systems, the State of Texas alleges that the company allowed Chinese state-backed hackers to exploit firmware vulnerabilities in its routers while falsely marketing them as secure. The lawsuit, initiated by Texas Attorney General Ken Paxton, also claims TP-Link misled consumers by labeling products “Made in Vietnam” despite sourcing components from China. This is significant because Chinese laws could compel firms with Chinese supply-chain ties to cooperate with intelligence services. Paxton’s office highlights multiple security failures, including TP-Link devices being used in credential-theft botnets that Check Point Research linked to Chinese hackers in 2023. The lawsuit demands civil monetary penalties and injunctions requiring TP-Link to disclose its Chinese origins and stop collecting data without consent. TP-Link denies the allegations, asserting its independence from Chinese government control and stating that US user data is stored on Amazon Web Services servers. TP-Link emphasizes that its operations are based in the US, with its founder residing in California. Despite concerns from the US intelligence community, some experts believe the lawsuit’s impact may be limited, given the complex international implications.
Vulnerabilities
UNC6201 Exploits Dell RecoverPoint Zero-Day for Persistent VMware Espionage Using GRIMBOLT and Ghost NIC Techniques
Security researchers from Mandiant and Google Threat Intelligence Group (GTIG) have revealed that a suspected China-linked threat actor UNC6201 has conducted a long-running espionage campaign since mid-2024 exploiting a critical hardcoded-credential vulnerability (

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
