Random in Security 2026XX

Random in Security is a summary of the cybersecurity news.

Interesting Reads
Chrome Extensions Stealing Your AI Chats
Two malicious Chrome extensions with over 900,000 combined users were caught exfiltrating ChatGPT and DeepSeek conversations every 30 minutes. The extensions impersonated a legitimate multi-AI chat tool called AITOPIA, deceptively requesting consent for “anonymous analytics” while actually stealing complete chat content. This represents an escalating threat pattern dubbed “Prompt Poaching”—where both malicious and legitimate extensions intercept sensitive AI conversations for corporate espionage and data harvesting. Ox Security’s analysis and a video breakdown have more details.

Satellite Hacking via RF Attack Chaining
Black Hills InfoSec demonstrates how attackers can hijack satellites through RF attack chaining—combining spoofing and jamming techniques to take over both uplinks and downlinks. Using a Python script to spoof ground station identity, attackers redirect satellite telemetry to their machines, then flood the legitimate station with noise packets to prevent command transmission. Nothing says “space-age security” quite like locking out authorized operators with a laptop and some SDR equipment.

Ghost Tapped: NFC Relay Fraud Goes Mobile
Group-IB’s research reveals Chinese cybercriminals using NFC-enabled Android malware to relay tap-to-pay transactions remotely. The “Ghost Tap” malware uses a two-component architecture: a reader app on the victim’s device collects and encrypts payment data, then relays it through internet-connected servers to a tapper app that transmits the data to real POS terminals—making the transaction appear as if the attacker’s phone were the victim’s physical bank card. Vendors like TX-NFC (21,000+ Telegram subscribers) sell subscriptions from $45/day to $1,050 for three months, with at least $355,000 in documented fraudulent transactions between November 2024 and August 2025. Arrests have already been made in the US, Singapore, Czech Republic, and Malaysia.

The Knownsec Leak: China’s Cyber-Espionage Exposed
The November 2025 leak from Chinese contractor Knownsec continues to yield insights into state-aligned cyber-espionage operations. DomainTools’ analysis reveals an integrated offensive platform combining ZoomEye (scanning 40,000+ fingerprints), TargetDB (mapping 378 million IPs across critical infrastructure), and toolkits like GhostX (browser exploitation), Un-Mail (webmail takeover), and Passive Radar (internal network reconstruction). Resecurity’s deep dive exposes over 12,000 internal documents including RATs and surveillance data targeting 20+ countries—positioning Knownsec as a core node in China’s contractor-driven cyber state with systematic targeting of Taiwan, Japan, South Korea, and the US.

China’s Guardian of Secrets
NetAskari obtained an August 2019 confidentiality management system (保密管理系统) deployed by Chinese security agencies to prevent classified document leaks from government workstations. The software uses FileContentMonitor.exe to scan documents for confidentiality markers (密), template-based classification matching official document patterns, and granular policy enforcement to restrict printing, USB copying, and network sharing. It communicates with C2 servers via XMPP/TLS and includes remote capabilities for file deletion, upload/download, and screenshot collection—functioning as internal compliance surveillance rather than traditional endpoint protection. Because nothing says “trust your employees” like a government RAT on every workstation.

A Post-American, Enshittification-Resistant Internet
In his 39C3 talk, Cory Doctorow argues that US trade policies criminalizing reverse-engineering and device modification prevented global technologists from combating internet monopolization. He contends that Trump’s trade disruptions now present an opportunity to “seize the means of computation” and liberate users from corporate control through hacking, modding, and adversarial interoperability. The thesis: enshittification isn’t inevitable—it’s a policy choice made by named individuals that can be reversed.

Tools
  • bytedance/Dolphin - Document image parsing via heterogeneous anchor prompting (ACL 2025)