Risky Bulletin: New fingerprinting technique can track Tor users

Written by

Catalin Cimpanu

News Editor

This newsletter is brought to you by runZero, the Total Attack Surface & Exposure Management platform. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.

Firefox and Tor Browser users are advised to install the latest security patches to address a bug that can allow threat actors to track them across the internet.

The bug works in normal browsing mode, in private browsing windows, and, in the case of Tor, across different Tor sessions.

The issue, found by the team at FingerprintJS, resides in IndexedDB, a Firefox API that allows websites to store data inside a user's browser for future visits.

The bug allows a threat actor to create an IndexedDB database on the user's browser—when they visit a malicious website or see a malicious ad.

The bug itself is that IndexedDB will return the contents of that database in the same order every time, which creates a universal fingerprint ideal for tracking.

The operator of a website or a network of sites would be able to distinguish between users and track them by querying for the IndexedDB content and matching the "DB order" to a known fingerprint.

This was patched in Firefox 150, Firefox ESR 140.10, and Tor Browser 15.0.10, released last week, and is tracked as CVE-2026-6770.

FingerprintJS says the bug impacts both Firefox and the Tor Browser because the issue is in the Firefox core engine, Gecko, and how IndexedDB was implemented.

Mozilla did not share how the issue was patched but researchers argued that IndexedDB should not be exposing its internal storage ordering, or it should be returning content based on a preset order.

The bug is quite bad but went largely unnoticed because everyone was too hyped last week about an AI company's LLM allegedly finding 271 vulnerabilities in Firefox that aren't even in the patch notes and might not even be that important.

Risky Business Podcasts

The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat, Adam, and James at the helm!

Breaches, hacks, and security incidents

OneIndia hacked: An Afghani hacktivist group has breached Indian media group OneIndia to broadcast a political message over its digital streaming platforms. The hack took place last week and was claimed by a group named the True Muslim Afghans. The message attacked the Indian government for its close ties with the current Taliban regime in Afghanistan. OneIndia has more than 30 million subscribers. [Pakistan Today]

Two DeFi hacks: The Giddy and Purrlend DeFi platforms have been hacked and lost $1.3 million and $1.5 million, respectively. The two incidents are the 11th and 12th hack recorded this month. Crypto platforms lost more than $606 million over the past 18 days alone. [Yahoo Finance]

Hasbro delays financial results: American toy maker Hasbro has delayed publishing its first quarter financial results. The company is still restoring systems after a March cyberattack. Hasbro says the incident caused delays to shipping and invoicing, but also to the process of compiling all its financial results. [CybersecurityDive]

Itron cyberattack: American utility provider Itron has disclosed a security breach of its internal corporate systems. The incident was discovered on April 13 and has already been resolved. The company says its cyber insurance will cover most of the costs. [Minichart]

Favelle Favco ransomware attack: Heavy crane maker Favelle Favco has been hit by the SafePay ransomware group and its data leaked online last week. [InsuranceBusinessMag]

Harrison County cyber incident: Harrison County, one of West Virginia's largest counties, has disclosed a cybersecurity incident, likely a ransomware attack. [DysruptionHub]

PDVSA was likely Lotus Wiper: Both Kim Zetter and Oleg Shakirov have interesting pieces about how the ransomware attack on Petróleos de Venezuela, or PDVSA, might have actually been Lotus Wiper. It probably was, and it probably was CyberCom.

Canada Life breach: Hackers have stolen customer data from Canadian life insurance provider Canada Life. The company traced the incident to a compromised employee account. Canada Life says it contained the incident and is now investigating what data was stolen.

Carnival data leaked: Hackers have leaked the personal data of 7.5 million customers of cruise ship operator Carnival. The data was stolen in a hack this year by the ShinyHunters hacking collective. Other major companies hit by the group in the same campaign also include fashion retailer Zara, store chain 7-Eleven, online course portal Udemy, and medical device maker Medtronic.

General tech and privacy

GitHub outage reverts merges: Microsoft has fixed a GitHub outage that caused the platform to revert merged code. More than 2,000 pull requests were affected on Thursday over a three-hour window. Developers who updated code on April 23 are advised to check if their desired code was merged correctly.

Russia's external traffic grows: Despite sustained efforts to censor the internet, the share of external, foreign traffic coming into Russia has increased by a fifth. [Forbes]

Microsoft Entra passkeys on Windows: Support for Microsoft Entra passkeys on Windows will be generally available by the end of the month.

Copilot can now be removed: Microsoft has added a new group policy that will let system administrators remove Copilot from a company's network.

Windows 11 gets ways to avoid forced restarts: Microsoft will add new features to Windows 11 to prevent forced updates and restarts. The new features will let users delay updates as long as they want instead of a maximum five weeks and the ability to separate driver updates from OS updates. Users will also get new user interface elements to restart or shut down their PC without applying the update and forcing the user into a new OS version that may break app compatibility. The new features are identical to old Windows 10 controls and are currently rolling out to Windows 11 Insiders for testing.

Government, politics, and policy

Türkiye passes social media ban for kids: The Turkish Parliament has passed a law to ban children under 15 from social media platforms. The law mandates that social media networks verify the age of new users and add parental control options for children over 15. Companies that don't comply will be fined and could also face bandwidth limitations. Officials fast-tracked the law after a 14-your-old shot nine students and a teacher earlier this month. [Associated Press]

Nigeria launches IPv6 plan: The Nigerian government has launched a three-year plan to upgrade its internet connectivity and transition to the IPv6 protocol. [TechCabal]

New Cambodian anti-scam agencies: The Cambodian government has created four regional working groups to help police track down and dismantle scam operations in the country.[FreshNews] [h/t CyberScamMonitor]

US accuses China of stealing its AI: The Trump administration has accused China of stealing US artificial ​intelligence technologies on an industrial scale. In a memo to agency heads, the White House says China used distillation attacks against US AI labs. Chinese companies are allegedly using proxy accounts and jailbreaking techniques to expose and copy how US AI models work. [BBC // White House memo, PDF]

US router ban also covers hotspots: The FCC's ban on foreign-made routers also applies to portable hotspot devices. The FCC banned the sale of foreign-made routers in the US at the end of last month. In a FAQ page published last week, the FCC said the ban will not apply to enterprise-grade routers but only to routers meant for regular consumers. So far, Eero and Netgear have secured FCC exemptions to sell their products in the US. [PCMag]

Sponsor section

In this Risky Business sponsor interview, Casey Ellis chats to RunZero’s founder and CEO HD Moore about RunZero’s new release: 4.9. It drops this week and doubles down on OT scanning. Animated world and network maps add another layer to visualisation and for those that have been asking: yes, there’s a dark mode.

Arrests, cybercrime, and threat intel

SMS blaster group arrested in Canada: Canadian authorities have charged three suspects in connection to an SMS blaster operation. The tree drove around the Toronto area with a fake mobile tower in their car, sending SMS spam to nearby smartphones. The scheme had been going since at least November of last year. Two suspects were arrested last month and a third turned themselves in last week. Authorities said this was the first SMS blaster case recorded in Canada.

ATM bombers detained: Dutch authorities have arrested nine suspects who used explosives to steam money from ATMs. The group has been operating since mid-2023 in the Netherlands, Germany, and Switzerland. Cybercrime groups stole an estimated €19 million last year using explosives and other physical attacks against ATMs.

Modbus campaign: Security researchers have tracked a large-scale campaign that sought to fingerprint Modbus-based industrial PLC devices. The campaign hit its spike last year, between September and November. According to Cato Networks, some activity suggests the attackers likely manipulated or disrupted devices.

Intellexa's secret partner: Israeli spyware maker Intellexa acquired vulnerabilities in Google products from a US company in 2020. Greek journalists described the unnamed company as working exclusively with Western government bodies and with offices near the GCHQ in the UK. The company allegedly provided Intellexa with Android and iOS infection chains using a revenue sharing scheme. The secret deal came to light last week after the broker who arranged it sued Intellexa in a Greek court. [Antenna.gr] [h/t Jurre van Bergen]

Intellexa's Helios platform: And speaking of Intellexa, the company is now promoting its newer hacking platform named Helios, as a newer version of Predator. [In.gr] [h/t Vas Panagiotopoulos]

Prompt injections seen in the wild: Google is seeing prompt injection attacks in the wild. The observed attacks usually fell into five categories—pranks, attempts to control AI summaries, SEO ranking manipulation, attempts to deter AI crawlers, and malicious cases. The malicious attacks either sought to steal data and passwords, or sought to destroy the machine of users employing AI agents. Google joins security firm Forcepoint in seeing a surge of AI prompt injection attacks in the wild.

The Filipino freeloader: An individual from the Philippines has abused almost 1,000 accounts on 11 AI services to gain access to free computing resources. The entire scheme was controlled through GitHub and automated scripts that replaced accounts and API keys within seconds of being banned. According to AI platform MuleRun, which uncovered the scheme, the individual was causing up to $10,000 in monthly losses.

GlassWorm campaign hits VSCode extensions again: Socket Security has spotted a new wave of the GlassWorm self-replicating worm, this one hitting 73 VSCode extensions.

WC26 phishing infrastructure is up: Phishing infrastructure targeting FIFA World Cup 2026 fans is being stood up at record pace as the tournament is getting closer. Some of the sites target FIFA accounts, some seek card details, while others are plain out merchandise fraud. [Flare]

Fibergrid profile: A well-known bulletproof hosting provider named Fibergrid is currently hosting more than 16,700 fake and scammy online shops.

Malware technical reports

The Fast16 mystery resolved: SentinelOne has discovered a previously unknown malware family that was likely used in cyber sabotage almost two decades ago. The Fast16 malware targets high-precision calculation software used for advanced physics, cryptographic, and nuclear research workloads. The malware targets a PC's memory to alter the software's computational results. Clues of the malware's existence have been available since the Shadow Brokers leak in 2017. [SentinelOne]

Urelas is still alive: A malware strain used for cheating at poker is still active 14 years later, with a new sample being spotted this month. The Urelas malware infects Windows systems, locates card game clients, takes screenshots of an active game, and uploads it to a web server. The malware was first seen in 2012 and only targets Korean poker and badugi gaming clients.

New Morpheus spyware: A new Android spyware is being used in the wild. According to Osservatorio Nessuno, the new Morpheus spyware appears to be the work of IPS, a known Italian vendor of surveillance tools. Evidence suggests the malware is being distributed via elaborate social‑engineering campaigns. Researchers describe Morpheus as a low‑cost alternative to more expensive surveillance and hacking tools. [TechCrunch ]

Kali365 PhaaS: Arctic Wolf has spotted the Kali365 phishing service used in device code phishing campaigns.

BlackFile ransomware: A threat actor tracked as CL-CRI-1116, believed to have originated from The Com community, is launching attacks with the new BlackFile ransomware.

agenteV2: ANY.RUN looks at phishing campaigns spreading the agenteV2 backdoor in Brazil.

Needle CaaS: While investigating the Phorpiex botnet, Breakglass researchers have found a new Crimeware-as-a-Service platform named Needle that provides customers with access to "browser and desktop wallet spoofers covering 8+ blockchains, a stealer, form grabber, clipper, builder system, launcher framework, and Telegram-integrated C2."

PhantomStealer: Breakglass looks at PhantomStealer, a new infostealer spotted last month and already used in the wild.

StealC: Oliver Zehentleitner has published a report on a malvertising campaign leading to malicious GitHub repos that spread the StealC infostealer.

Vidar infostealer: Intrinsec and Point Wild look at Vidar activity this year, the new king of the infostealer market.

"The analysis of this Vidar variant highlights a key reality of the 2026 threat landscape: information stealers have evolved into stealthy, multi-stage frameworks built for scale and efficiency. While much focus is placed on initial access, the real impact lies in post-exploitation, where data theft and exfiltration are carried out with precision."

Sponsor section

In this product demo Patrick Gray hosts Ali Cheikh while he shows off how you can use runZero to scan for and manage vulnerabilities in your environment.

APTs, cyber-espionage, and info-ops

APT36's DeskRAT: Breakglass looks at APT36 (Transparent Tribe) campaigns targeting Indian military operations with the DeskRAT.

Spamouflage targets Tibet elections: Chinese info-op group Spamouflage has spent the past months targeting the Tibetan Parliament-in-Exile elections that took place over the weekend. The influence operation consisted of 90 Facebook profiles and 13 Instagram profiles. It was also active on Tumblr and Twitter. The campaign's main theme was that leaders were all corrupt and power-hungry.

Tropic Trooper: Zscaler has spotted the Tropic Trooper (Earth Centaur, Pirate Panda, KeyBoy) APT launching attacks against Chinese-speaking users individuals in Taiwan, as well as targets in South Korea and Japan.

TGR-STA-1030 (aka UNC6619) goes after LATAM: An espionage group tracked as TGR-STA-1030 (aka UNC6619) that targeted European government and critical infrastructure organizations last year has been seen active again, this time targeting Central and South America. Palo Alto Networks, which has been tracking the group, says the same TTPs apply.

Vulnerabilities, security research, and bug bounty

PhantomRPC vulnerability: A newly disclosed vulnerability can allow threat actors to gain SYSTEM access on Windows PCs. The PhantomRPC technique allows attackers to impersonate the privileges of different RPC servers exposed by system services. Kaspersky reported the issue to Microsoft last September but Microsoft did not release a patch nor a CVE.

Ladybird RCE: Infosec AI research outfit Calif has used AI to find a remote code execution bug in Ladybird, a web browser that launched in 2024 on a completely new codebase, without forks from other major browsers.

Breeze Cache exploitation: Hackers are exploiting a vulnerability in the Breeze Cache plugin to take over websites. Attacks began last week. The plugin is currently installed on more than 400,000 websites.

ActiveMQ Jolokia exploitation: Threat actors are exploiting Apache ActiveMQ, a popular Java middleware server. The attacks are exploiting two bugs (CVE-2026-34197 and CVE-2024-32114) in the Jolokia component. The bugs, when combined, allow threat actors to bypass authentication and run malicious code on the underlying server.

APT 28 zero-day: Akamai has published a write-up covering two Windows Shell vulnerabilities, tracked as CVE-2026-21510 and CVE-2026-32202. The first one was a zero-day exploited by Russian group APT28. It was patched in February. The latter was patched this month and is a variation of the first, stemming from an incomplete patch. Microsoft the second one was exploited. It is unclear if this was exploited on purpose or if the initial APT28 attacks accidentally worked against the second one after the patch was rolled out.

KEV update: CISA has updated its KEV database with eight new vulnerabilities that are being exploited in the wild.

• CVE-2024-7399 Samsung MagicINFO 9 Server Path Traversal Vulnerability
• CVE-2024-57726 SimpleHelp Missing Authorization Vulnerability
• CVE-2024-57728 SimpleHelp Path Traversal Vulnerability
• CVE-2025-29635 D-Link DIR-823X Command Injection Vulnerability

Atlassian security updates: Atlassian released 38 security updates last week, part of the company's April Patch Tuesday. Six of them are RCEs.

Other security updates: Citrix, ConnectWise, GitLab, TP-Link.

Infosec industry

Threat/trend reports: EAST, Proxyware, and Security Scanner have recently published reports and summaries covering various threats and infosec industry trends.

New tool—Pike: Security firm Synacktiv has released Pike, an experimental LLM agent that generates and analyzes Linux program execution traces.

New tool—Trailmark: Security firm Trail of Bits has open-sourced Trailmark, a library that parses source code into a queryable call graph of functions, classes, call relationships, and semantic metadata.

New tool—Rogue Binary: Security researcher Matt Kirkland has open-sourced Rogue Binary, an MCP for binary analysis and malware triage using AI agents.

New tool—Snoop: Security researcher Adir Shitrit has published Snoop, a modern syscall tracer built on eBPF.

BSidesSLC 2025 videos: Talks from the BSides Salt Lake City 2026 security conference, which took place earlier this month, are now available on YouTube. 

[un]prompted videos: Talks from the [un]prompted 2026 security conference, which took place last month, are available on YouTube.

Risky Business podcasts

In this episode, Anthropic’s Nicholas Carlini joins Patrick Gray and James Wilson to talk about advancements in AI-driven vulnerability research and exploit development.