⏱️ ≈ 7-minute read

Editor’s Note: If you’re still treating credentials like a password-reset problem, this week is going to feel uncomfortable. Identity keeps showing up in breach reports, AI is helping adversaries move faster, and operational downtime is now a negotiating tactic. Meanwhile, we’re deploying AI agents at scale and hoping governance catches up later. Bold strategy.

One ask before you dive in: if this recap earns a forward or sparks a debate on your team, share it. If there’s something you think we should cover (or skip) next time, hit reply and tell us. Thanks for reading!

📬 This Week’s Clickables

  • 📌 Big News
    Nation-state actors experiment with Gemini for recon and phishing; identity dominates breach investigations

  • 🚨 Can’t Miss
    Fake CAPTCHA malware delivery; Notepad RCE via Markdown; energy cyber policy momentum; ransomware time-to-encryption collapses

  • 🤖 AI in Cyber
    Gemini-powered Android malware; AI collapses response windows; AI assistants abused as C2; threat groups scale with AI

  • 🧪 Strange Cyber Story
    Malware turns ATMs into cash-dispensing slot machines

🚨 Big News

🧭 State-Backed Hackers Using Gemini for Recon and Phishing

Intro: AI is not launching autonomous cyberattacks. It is making preparation faster and cheaper.

What Happened: Google threat intelligence reporting shows state-backed actors experimenting with Gemini to support reconnaissance, target research, and phishing lure development. The activity does not indicate self-directed AI attacks, but rather AI-assisted workflow acceleration in the early phases of operations.

Why It’s Important: The messy middle of cyber operations has traditionally required time and manual effort. AI compresses research cycles, improves language fluency in phishing campaigns, and reduces operational friction. That benefits well-resourced adversaries and lowers the barrier for less capable ones.

The Other Side: Defenders are leveraging AI too. Detection enrichment, automated triage, and behavior analytics are improving. The dynamic is not "AI wins." It is "AI amplifies whoever uses it well."

👉 Takeaway: AI is not replacing attackers. It is accelerating them.

TL;DR: Nation-states are using AI to move faster, not magically hack better.

Further Reading:
The Hacker News

Trust-First AI, Built Into Your Browser

Agentic workflows are everywhere. Real trust is still rare.

Norton Neo is the world’s first AI-native browser designed from the ground up for safety, speed, and clarity. It brings AI directly into how you browse, search, and work without forcing you to prompt, manage, or babysit it.

Key Features:

  • Privacy and security are built into its DNA.

  • Tabs organize themselves intelligently.

  • A personal memory adapts to how you work over time.

  • This is zero-prompt productivity: AI that anticipates what you need next, so you can stay focused on doing real work instead of managing tools.

If agentic AI is the trend, Neo is the browser that makes it trustworthy.

Try Norton Neo and experience the future of browsing.

🔐 Identity Weaknesses Present in Nearly 90% of Breaches

Intro: If you want a single “how did this happen,” identity keeps winning.

What Happened: Palo Alto Networks’ Unit 42 incident response data shows identity-related weaknesses appearing in nearly 90% of investigations. Stolen credentials, MFA configurations that are easy to bypass, token abuse, and cloud permission sprawl remain dominant entry points. In many cases, attackers did not exploit zero-days. They logged in with valid access.

Why It’s Important: Modern breaches are increasingly credential-first events. Once adversaries gain authenticated access, lateral movement and privilege escalation often follow quickly because governance and visibility lag behind infrastructure growth. Cloud IAM complexity is turning minor misconfigurations into material risk.

The Other Side: None of this requires exotic fixes. Phishing-resistant MFA, stronger conditional access, least privilege enforcement, and real-time authentication monitoring can eliminate a large portion of these incidents. The tooling exists. Discipline is the differentiator.

👉 Takeaway: Identity is the control plane. If it’s weak, everything behind it is negotiable.

TL;DR: Attackers do not need to break in when they can log in.

“There are only two types of companies: those that have been hacked and those that will be.” — Robert Mueller, former FBI Director

🔥 Can’t Miss

  • 🧠 Windows PCs Targeted by Fake CAPTCHA Scam Leading to StealC Malware
    Victims are redirected to convincing fake CAPTCHA pages that instruct them to copy and paste PowerShell commands to “verify” they are human. That single step stages an infection chain leading to StealC infostealer deployment. Social engineering has entered the guided self-compromise era.
    👉 Key takeaway: Humans remain the most scriptable part of the stack.

  • 📝 Microsoft Patches Notepad RCE Triggered by Malicious Markdown Links
    A vulnerability in Windows Notepad allowed specially crafted Markdown links to trigger remote code execution through protocol handling abuse. The issue reinforces a familiar lesson: default utilities inherit enterprise risk. Even small apps can become enterprise-wide exposure points.
    👉 Key takeaway: “It’s just Notepad” is not a security strategy.

  • 🏛️ Five Energy Sector Cyber Bills Advance in US House
    A slate of cybersecurity-focused bills aimed at strengthening energy infrastructure defenses has cleared a House panel. Proposals focus on resilience, reporting, and coordination. Whether mandates or guidance, regulatory momentum is building around critical infrastructure security.
    👉 Key takeaway: Critical infrastructure security is moving from best practice to political priority.

  • Time-to-Encryption Shrinks to Under 3 Hours in New Ransomware Cases
    Recent incident response reporting shows ransomware operators moving from initial access to encryption in less than three hours in some cases. Faster toolkits, better playbooks, and identity-based footholds are collapsing dwell time. Detection delays now carry immediate operational consequences.
    👉 Key takeaway: If you are not detecting lateral movement quickly, encryption may already be in progress.

Trusted by 125K+ IT pros

Modern IT decisions don’t come from a single headline—they come from understanding how everything connects.

IT Brew brings together the stories shaping the IT landscape, from cybersecurity and cloud to enterprise software and IT operations, so teams can see the full picture—not just isolated updates.

Less scrolling. Better context. Smarter decisions. And it’s completely free.

🤖 AI in Cyber

  • 🧠 PromptSpy Android Malware Abuses Gemini AI for Persistence
    Researchers have uncovered a new Android malware family that leverages Google’s Gemini generative AI during execution to help it persist on infected devices. It marks one of the first observed real-world cases where AI is integrated directly into malware logic rather than just used for content generation or reconnaissance.
    👉 Key takeaway: AI is no longer just a backend tool — attackers are embedding it into operational malware workflows.

  • From Exposure to Exploitation: How AI Collapses Your Response Window
    New analysis shows AI-driven automation is compressing the defender advantage, enabling attackers to scan, model, and move toward exploitation within hours. A growing percentage of vulnerabilities are now being exploited on or before public disclosure, shrinking traditional remediation timelines.
    👉 Key takeaway: The attack lifecycle is compressing — defenders need AI-accelerated visibility or risk being outpaced.

  • 🧑‍💻 Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies
    Security researchers demonstrated that AI assistants with browsing or URL-fetching capabilities can be repurposed as stealth command-and-control relays. By blending malicious traffic with legitimate AI service requests, attackers may evade traditional detection controls.
    👉 Key takeaway: Productivity AI can double as covert infrastructure if guardrails are weak.

  • 🔍 Threat Groups Use AI to Speed Up and Scale Cyberattacks
    Reporting shows threat actors are increasingly using AI to automate reconnaissance, vulnerability discovery, and exploitation attempts at scale. Instead of isolated campaigns, attackers can now orchestrate parallel operations across wide target sets.
    👉 Key takeaway: AI is removing manual bottlenecks and enabling scale-first cyber operations.

🧟‍♂️ Strange Cyber

🎰 Malware Turns ATMs Into Cash-Spitting Slot Machines

Intro: Jackpotting is back, and this time it is not a conference demo. It is a $20 million problem.

What Happened: The FBI has warned of a surge in ATM “jackpotting” attacks, where criminals install malware on machines to force them to dispense cash on demand. More than 700 incidents were reported in 2025, resulting in over $20 million in losses. Unlike card skimming, these attacks do not rely on stealing customer credentials. They compromise the machine itself.

Why It’s Important: This is cybercrime crossing fully into the physical world. When attackers can directly manipulate embedded systems to trigger financial loss, the blast radius moves beyond data theft into immediate operational damage. ATM fleets, often running legacy software and distributed across wide geographies, present a uniquely difficult defense challenge.

The Other Side: Financial institutions are not unaware of jackpotting, but inconsistent physical security controls, delayed patch cycles, and exposed maintenance ports continue to create openings. Hardening endpoints is not enough if physical access controls lag behind.

👉 Takeaway: When malware starts dispensing cash instead of stealing data, cyber risk becomes tangible and expensive.

TL;DR: Hackers are using malware to make ATMs spit out money. It is weird. It is real. It is costly.

Further Reading:
SecurityWeek

Enjoying Exzec Cyber? Forward this to one person who cares about staying ahead of attacks.

Hate everything you see or have other feedback? Reply to this email!