Feed aggregator
WikiCity – Where every building is a Wikipedia article
Article URL: https://wikicity.app/
Comments URL: https://news.ycombinator.com/item?id=47353972
Points: 2
# Comments: 1
Harness Engineering
Article URL: https://openai.com/index/harness-engineering/
Comments URL: https://news.ycombinator.com/item?id=47353971
Points: 3
# Comments: 0
A Day in the Life of an Enshittificator [video]
Article URL: https://www.youtube.com/watch?v=T4Upf_B9RLQ
Comments URL: https://news.ycombinator.com/item?id=47353967
Points: 2
# Comments: 0
Show HN: Understudy – Teach a desktop agent by demonstrating a task once
I built Understudy because a lot of real work still spans native desktop apps, browser tabs, terminals, and chat tools. Most current agents live in only one of those surfaces.
Understudy is a local-first desktop agent runtime that can operate GUI apps, browsers, shell tools, files, and messaging in one session. The part I'm most interested in feedback on is teach-by-demonstration: you do a task once, the agent records screen video + semantic events, extracts the intent rather than coordinates, and turns it into a reusable skill.
Demo video: https://www.youtube.com/watch?v=3d5cRGnlb_0
In the demo I teach it: Google Image search -> download a photo -> remove background in Pixelmator Pro -> export -> send via Telegram. Then I ask it to do the same for Elon Musk. The replay isn't a brittle macro: the published skill stores intent steps, route options, and GUI hints only as a fallback. In this example it can also prefer faster routes when they are available instead of repeating every GUI step.
Current state: macOS only. Layers 1-2 are working today; Layers 3-4 are partial and still early.
npm install -g @understudy-ai/understudy
understudy wizard
GitHub: https://github.com/understudy-ai/understudy
Happy to answer questions about the architecture, teach-by-demonstration, or the limits of the current implementation.
Comments URL: https://news.ycombinator.com/item?id=47353957
Points: 2
# Comments: 0
Inboxscan – find every subscription hiding in your email (runs locally)
Article URL: https://github.com/LakshmiSravyaVedantham/inboxscan
Comments URL: https://news.ycombinator.com/item?id=47353953
Points: 1
# Comments: 1
Ask HN: In 2026, how do you share a list of URLs to the public (or friends)?
Like del.icio.us in the old days?
Ideally, this list of URLs grows. I add new URLs, and others who follow the list can see the updates.
Comments URL: https://news.ycombinator.com/item?id=47353908
Points: 1
# Comments: 1
Work_mem: It's a Trap
Article URL: https://mydbanotebook.org/posts/work_mem-its-a-trap/
Comments URL: https://news.ycombinator.com/item?id=47353892
Points: 1
# Comments: 0
Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft
- From search to stolen credentials: Storm-2561 attack chain
- Defending against credential theft campaigns
- Microsoft Defender detection and hunting guidance
- Indicators of compromise
In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign that uses fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning. The campaign redirects users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites to deploy digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials. Microsoft Threat Intelligence attributes this activity to the cybercriminal threat actor Storm-2561.
Active since May 2025, Storm-2561 is known for distributing malware through SEO poisoning and impersonating popular software vendors. The techniques they used in this campaign highlight how threat actors continue to exploit trusted platforms and software branding to avoid user suspicion and steal sensitive information. By targeting users who are actively searching for enterprise VPN software, attackers take advantage of both user urgency and implicit trust in search engine rankings. The malicious ZIP files that contain fake installer files are hosted on GitHub repositories, which have since been taken down. Additionally, the trojans are digitally signed by a legitimate certificate that has since been revoked.
In this blog, we share our in-depth analysis of the tactics, techniques, and procedures (TTPs) and indicators of compromise in this Storm-2561 campaign, highlighting the social engineering techniques that the threat actor used to improve perceived legitimacy, avoid suspicion, and evade detection. We also share protection and mitigation recommendations, as well as Microsoft Defender detection and hunting guidance.
From search to stolen credentials: Storm-2561 attack chain
In this campaign, users searching for legitimate VPN software are redirected from search results to spoofed websites that closely mimic trusted VPN products but instead deploy malware designed to harvest credentials and VPN data. When users click to download the software, they are redirected to a malicious GitHub repository (no longer available) that hosts the fake VPN client for direct download.
The GitHub repo hosts a ZIP file containing a Microsoft Windows Installer (MSI) file that mimics legitimate VPN software and side-loads malicious dynamic link library (DLL) files during installation. The fake VPN software enables credential collection and exfiltration while appearing to be a benign VPN client application.
This campaign exhibits characteristics consistent with financially motivated cybercrime operations employed by Storm-2561. The malicious components are digitally signed by “Taiyuan Lihua Near Information Technology Co., Ltd.”
Figure 1. Storm-2561 campaign attack chain
Initial access and execution
The initial access vector relies on abusing SEO to push malicious websites to the top of search results for queries such as “Pulse VPN download” or “Pulse Secure client.” Microsoft has also observed spoofing of various other VPN software brands, and has observed the GitHub link on the following two domains: vpn-fortinet[.]com and ivanti-vpn[.]org.
Once the user lands on the malicious website and clicks to download the software, the malware is delivered through a ZIP download hosted at hxxps[:]//github[.]com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip. At the time of this report, this repository is no longer active.
Figure 2. Screenshot from actor-controlled website vpn-fortinet[.]com masquerading as Fortinet
Figure 3. Code snippet from vpn-fortinet[.]com showing download of VPN-CLIENT.zip hosted on GitHub
When the user launches the malicious MSI, which masquerades as a legitimate Pulse Secure VPN installer embedded within the downloaded ZIP file, the MSI file installs Pulse.exe along with malicious DLL files to a directory structure that closely resembles a real Pulse Secure installation path: %CommonFiles%\Pulse Secure. This installation path blends in with legitimate VPN software to appear trustworthy and avoid raising user suspicion.
Alongside the primary application, the installer drops malicious DLLs, dwmapi.dll and inspector.dll, into the Pulse Secure directory. The dwmapi.dll file is an in-memory loader that drops and launches an embedded shellcode payload that loads and launches the inspector.dll file, a variant of the infostealer Hyrax. The Hyrax infostealer extracts URI and VPN sign-in credentials before exfiltrating them to attacker-controlled command-and-control (C2) infrastructure.
Code signing abuse
The MSI file and the malicious DLLs are signed with a valid digital certificate, which is now revoked, from Taiyuan Lihua Near Information Technology Co., Ltd. This abuse of code signing serves multiple purposes:
- Bypasses default Windows security warnings for unsigned code
- Might bypass application whitelisting policies that trust signed binaries
- Reduces security tool alerts focused on unsigned malware
- Provides false legitimacy to the installation process
Microsoft identified several other files signed with the same certificate. These files also masqueraded as VPN software and are included in the indicators of compromise section below.
Credential theft
The fake VPN client presents a graphical user interface that closely mimics the legitimate VPN client, prompting the user to enter their credentials. Rather than establishing a VPN connection, the application captures the credentials entered and exfiltrates them to attacker-controlled C2 infrastructure (194.76.226[.]93:8080). This approach relies on visual deception and immediate user interaction, allowing attackers to harvest credentials as soon as the target attempts to sign in. The credential theft operation follows this structured sequence:
- UI presentation: A fake VPN sign-in dialog is displayed to the user, closely resembling the legitimate Pulse Secure client.
- Error display: After credentials are submitted, a fake error message is shown to the user.
- Redirection: The user is instructed to download and install the legitimate Pulse Secure VPN client.
- Access to stored VPN data: The inspector.dll component accesses stored VPN configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat.
- Data exfiltration: Stolen credentials and VPN configuration data are transmitted to attacker-controlled infrastructure.
To maintain access, the MSI malware establishes persistence during installation through the Windows RunOnce registry key, adding the Pulse.exe malware to run when the device reboots.
Defense evasion
One of the most sophisticated aspects of this campaign is the post-credential theft redirection strategy. After successfully capturing user credentials, the malicious application conducts the following actions:
- Displays a convincing error message indicating installation failure
- Provides instructions to download the legitimate Pulse VPN client from official sources
- In certain instances, opens the user’s browser to the legitimate VPN website
If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end user. Users are likely to attribute the initial installation failure to technical issues, not malware.
Defending against credential theft campaigns
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable network protection in Microsoft Defender for Endpoint.
- Turn on web protection in Microsoft Defender for Endpoint.
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
- Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times.
- Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults secured with personal credentials. Organizations can turn off password syncing in browsers on managed devices using Group Policy.
- Turn on the following attack surface reduction rule to block or audit activity associated with this threat:
Microsoft Defender detection and hunting guidance
Microsoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Tactic: Execution
Observed activity: Payloads deployed on the device.
Microsoft Defender coverage:
Microsoft Defender Antivirus
– Trojan:Win32/Malgent
– TrojanSpy:Win64/Hyrax
Microsoft Defender for Endpoint (set to block mode)
– An active ‘Malagent’ malware was blocked
– An active ‘Hyrax’ credential theft malware was blocked
Microsoft Defender for Endpoint
– VPN launched from unusual location

Tactic: Defense evasion
Observed activity: The fake VPN software side-loads malicious DLL files during installation.
Microsoft Defender coverage:
Microsoft Defender for Endpoint
– An executable file loaded an unexpected DLL file

Tactic: Persistence
Observed activity: The Pulse.exe malware runs when the device reboots.
Microsoft Defender coverage:
Microsoft Defender for Endpoint
– Anomaly detected in ASEP registry

Microsoft Security Copilot
Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.
Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:
- Threat Intelligence Briefing agent
- Phishing Triage agent
- Threat Hunting agent
- Dynamic Threat Detection agent
Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.
Threat intelligence reports
Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
- Actor Profile: Storm-2561
- Activity Profile: Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR customers can run the following advanced hunting queries to find related activity in their networks:
Files signed by Taiyuan Lihua Near Information Technology Co., Ltd.
Look for files signed with Taiyuan Lihua Near Information Technology Co., Ltd. signer.
// SHA1 hashes of files carrying the revoked signer, then any process start with one of those hashes
let a = DeviceFileCertificateInfo
| where Signer == "Taiyuan Lihua Near Information Technology Co., Ltd."
| distinct SHA1;
DeviceProcessEvents
| where SHA1 in (a)
Identify suspicious DLLs in Pulse Secure folder
Identify launching of malicious DLL files in folders masquerading as Pulse Secure.
// Side-loaded DLLs loaded from a Pulse Secure lookalike tree under Program Files
DeviceImageLoadEvents
| where FolderPath contains "Pulse Secure" and FolderPath contains "Program Files"
    and (FolderPath contains "\\JUNS\\" or FolderPath contains "\\JAMUI\\")
| where FileName has_any ("inspector.dll", "dwmapi.dll")
Indicators of compromise
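The two hunting queries above express this detection logic in KQL. As an added example that is not part of the Microsoft post, the Python below applies the same logic (the signer join and the Pulse Secure side-load path check), plus a check for the C2 endpoint named above, to constructed sample telemetry; device names and SHA1 values are placeholders.

```python
"""Added example, not from the Microsoft post: the two hunting queries above as
plain Python, plus a check for the C2 endpoint the post names. The records below
are constructed sample telemetry shaped like the Defender tables the queries read;
device names and SHA1 values are placeholders, the indicators come from the post."""

SIGNER = "Taiyuan Lihua Near Information Technology Co., Ltd."
SIDELOAD_DLLS = {"inspector.dll", "dwmapi.dll"}
SIDELOAD_SUBDIRS = ("\\JUNS\\", "\\JAMUI\\")
C2_IP, C2_PORT = "194.76.226.93", 8080

CERT_INFO = [
    {"SHA1": "PLACEHOLDER-SHA1-A", "Signer": SIGNER},
    {"SHA1": "PLACEHOLDER-SHA1-B", "Signer": "Microsoft Windows"},
]
PROCESS_EVENTS = [
    {"DeviceName": "ws01", "FileName": "Pulse.exe", "SHA1": "PLACEHOLDER-SHA1-A"},
    {"DeviceName": "ws01", "FileName": "notepad.exe", "SHA1": "PLACEHOLDER-SHA1-B"},
]
IMAGE_LOADS = [
    # Lookalike Pulse Secure tree under %CommonFiles%, as described in the post.
    {"DeviceName": "ws01", "FileName": "inspector.dll",
     "FolderPath": "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\"},
    # dwmapi.dll loaded from its legitimate location: must not match.
    {"DeviceName": "ws01", "FileName": "dwmapi.dll",
     "FolderPath": "C:\\Windows\\System32\\"},
    {"DeviceName": "ws02", "FileName": "dwmapi.dll",
     "FolderPath": "C:\\Program Files\\Pulse Secure\\JUNS\\"},
]
NETWORK_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "Pulse.exe",
     "RemoteIP": "194.76.226.93", "RemotePort": 8080},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "msedge.exe",
     "RemoteIP": "203.0.113.10", "RemotePort": 443},
]

def signed_by_actor_cert(cert_info, process_events):
    """Query 1: process starts whose SHA1 was signed with the revoked certificate."""
    flagged = {r["SHA1"] for r in cert_info if r["Signer"] == SIGNER}
    return [e for e in process_events if e["SHA1"] in flagged]

def suspicious_pulse_dll_loads(image_loads):
    """Query 2: inspector.dll or dwmapi.dll loaded from a Pulse Secure lookalike folder.
    KQL 'contains' and 'has_any' are case-insensitive, so compare upper-cased."""
    hits = []
    for e in image_loads:
        folder = e["FolderPath"].upper()
        if ("PULSE SECURE" in folder and "PROGRAM FILES" in folder
                and any(s in folder for s in SIDELOAD_SUBDIRS)
                and e["FileName"].lower() in SIDELOAD_DLLS):
            hits.append(e)
    return hits

def c2_connections(network_events):
    """Outbound connections to the endpoint the post names as the credential sink."""
    return [e for e in network_events
            if e["RemoteIP"] == C2_IP and e["RemotePort"] == C2_PORT]

def triage(cert_info, process_events, image_loads, network_events):
    """Group every hit by device so an analyst sees which hosts need isolation."""
    findings = {}
    checks = (("signed_by_actor_cert", signed_by_actor_cert(cert_info, process_events)),
              ("dll_sideload", suspicious_pulse_dll_loads(image_loads)),
              ("c2_connection", c2_connections(network_events)))
    for label, hits in checks:
        for e in hits:
            findings.setdefault(e["DeviceName"], []).append(label)
    return findings
```

Running `triage(CERT_INFO, PROCESS_EVENTS, IMAGE_LOADS, NETWORK_EVENTS)` on the sample data flags ws01 on all three checks and ws02 on the side-load check only; the System32 copy of dwmapi.dll is correctly ignored.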
The post Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft appeared first on Microsoft Security Blog.
Show HN: Fixing Agent / LLM Context Decay in VS Code with Git Worktrees
In a previous post, I introduced VS Code Agent Kanban. The key idea in this extension is the formalisation of a plan, todo, implement flow that required the agent to converse in markdown files that I'd been using for a while - but manually managing the files (the reasoning and benefits of that flow are covered in the linked post). This post covers the evolution of that process to the use of Git Worktrees.
Comments URL: https://news.ycombinator.com/item?id=47353854
Points: 3
# Comments: 0
Design Tip: Enforcing Constraints Leads to Simpler, More Powerful Systems
Article URL: https://www.rodriguez.today/articles/emergent-event-driven-workflows
Comments URL: https://news.ycombinator.com/item?id=47353852
Points: 1
# Comments: 0
Show HN: I lost billable hours forgetting timers. I turned my calendar into a DB
Hi HN, I’m Adrien. I run a dev agency and work as a fractional CTO. I lost too many billable hours simply because I forgot to start or stop a timer. It’s a friction point that fails exactly when you're most focused on deep work.
I realized my calendar was already a perfect, 100% accurate log of my week. If a meeting or a task happened, it’s in my agenda. So I built Timescanner to turn those [Client] tags in my calendar into invoices.
Why I built it this way:
- Privacy by design: your calendar is the database. We don't store your events on our servers. It’s a Google Calendar / iCal parser that keeps your data where it belongs.
- Zero new habits: if you already use your calendar to manage your day, you’re already 100% done with time tracking.
- Simplicity over complexity: it's a straightforward parser. No "AI guessing", no complex backend. No additional cognitive load.
Happy to answer any questions about how to use your calendar to track your time (and be productive)!
Comments URL: https://news.ycombinator.com/item?id=47353840
Points: 1
# Comments: 2
Anthropic's Claude AI can respond with charts, diagrams, and other visuals now
Article URL: https://www.theverge.com/ai-artificial-intelligence/893625/anthropic-claude-ai-charts-diagrams
Comments URL: https://news.ycombinator.com/item?id=47353837
Points: 1
# Comments: 0
Show HN: Verge Browser a self-hosted isolated browser sandbox for AI agents
Built this because I wanted a better browser runtime for Openclaw, which can run on any server, not only on a Mac mini, emm. When it needs me to log in or perform some operations, I can simply use noVNC to operate, and then leave everything else to it.
Comments URL: https://news.ycombinator.com/item?id=47353827
Points: 1
# Comments: 0
How ‘Handala’ Became the Face of Iran’s Hacker Counterattacks
Beijing's Real Energy Agenda
Article URL: https://nypost.com/2026/03/11/opinion/dont-buy-green-china-hype-heres-beijings-real-energy-agenda/
Comments URL: https://news.ycombinator.com/item?id=47352919
Points: 1
# Comments: 0
Show HN: NatShell – Local-first natural language shell (no cloud, no API keys)
Article URL: https://github.com/Barent/natshell
Comments URL: https://news.ycombinator.com/item?id=47352860
Points: 1
# Comments: 1
Personal AI Agents Like OpenClaw Are a Security Nightmare
Article URL: https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare
Comments URL: https://news.ycombinator.com/item?id=47352859
Points: 2
# Comments: 0
Gitzy is now on TestFlight: A modern, native iOS Git client
Article URL: https://testflight.apple.com/join/SB16NCfr
Comments URL: https://news.ycombinator.com/item?id=47352834
Points: 1
# Comments: 1
Another DOGE staffer explaining how he flagged grants at NEH for "DEI"
Article URL: https://bsky.app/profile/404media.co/post/3mgupw4v3ak2j
Comments URL: https://news.ycombinator.com/item?id=47352819
Points: 8
# Comments: 0
