a Common Moorhen

BertvB posted a photo:


Close-up of a Common Moorhen (Gallinula chloropus) swimming gracefully through a calm, weed-covered pond.

Club Illusion

Thomas Hawk posted a photo:


Thunder Birdy

Thomas Hawk posted a photo:


My Baby Takes the Morning Train

Thomas Hawk posted a photo:


Rebranding

Thomas Hawk posted a photo:


So Much Left In Store

Thomas Hawk posted a photo:


The Register

Biting the hand that feeds IT — Enterprise Technology News and Analysis

Pink is the latest goon squad to use fake helpdesk calls to steal creds

UPDATED A new extortion brand called Pink – which may be a rebrand of BlackFile – uses voice phishing and fake help-desk calls to gain initial access to organizations’ IT environments, steal their sensitive data, and threaten to leak it unless the victims pay a ransom demand.

Palo Alto Networks' Unit 42 first spotted the gang, which it tracks as cluster CL-CRI-1147, and its data-leak site, which went live on May 31. “Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims,” the threat-intelligence biz said in a LinkedIn post.

Google Threat Intelligence is not so sure it's a new gang, however. "After retiring the BlackFile brand in May 2026, we assess the group launched the 'Redact' brand and has now potentially surfaced as 'Pink,'" Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, told us.

"This new operation exhibits hallmarks of UNC6671, including similar credential-harvesting infrastructure, data leak site (DLS), and recurring messaging that claims to 'improve the security' of victims who pay. Additionally, we attribute the Pink (CL-CRI-1147) domains recently published by Unit42 to UNC6671."

Regardless of whether it's brand new or just a new coat of paint, the tactics are very familiar. Pink is one of many goon squads to use these social-engineering tactics to steal employees’ credentials and bypass multi-factor authentication, using this access to burgle companies’ cloud storage and databases.

Chaotic crime crew Lapsus$, during its 2021 and 2022 extortion spree that hit Nvidia, Microsoft, and Okta, among others, popularized this style of phone-based intrusion before Scattered Spider picked up the mantle. Scattered Spider is perhaps best known for its 2023 Las Vegas casino digital heists, and reportedly bragged that all it took to break into MGM's networks was a 10-minute call with the help desk.

Over the last few years, ShinyHunters has used this same playbook to steal sensitive data from Ticketmaster, AT&T, and other Salesforce customers, and thousands of schools and universities that use Canvas’ digital learning platform. Despite multiple arrests across all three gangs, they keep coming back to victimize more organizations.

Most incident responders, including Google’s Mandiant and Unit 42, link many of these criminal collectives to The Com, a loosely knit group of primarily English speakers made up of several interconnected networks of hackers, SIM swappers, and extortionists, with some of its subgroups offering real-life violent crime for hire.

According to Unit 42, this latest cluster of extortion activity is also “likely a Com-affiliated actor.” And after investigating “multiple” of these extortion attacks over the past few months, on Monday, they spotted something that led them to Pink’s name-and-shame website.

“On June 1, 2026, an existing extortion negotiation that had never received a response, attributed to a likely Com-related cluster, received new communication from a threat actor via a free webmail account,” Unit 42 analysts Richard Emerson and Cuong Dinh said in a Wednesday threat-intel post.

“The actor provided a new qTox ID and a leak site associated with the Pink brand, but referenced exfiltrating almost identical information from the original extortion notice.”

Pink data thieves set a 72-hour deadline for the victim to respond before leaking the stolen goods.

After gaining access to the victim’s account, the criminals snoop around for valuable corporate and customer data from platforms like SharePoint and OneDrive. After exfiltrating the stolen files, Pink attackers use compromised victim accounts and internal Teams messages to extort the company.

“The actor reuses second-level domains to target multiple organizations, and the third-level domain typically thematically represents the target,” Emerson and Dinh wrote.

They also listed the following phishing domains as indicators of compromise:

passkeyadd[.]com
passkeydeploy[.]com
deploypasskey[.]com

Along with these three IP addresses:

185[.]178.208[.]153 (hosted phishing domains)
172[.]93.100[.]252 (accessed compromised accounts)
96[.]232.20[.]66 (residential proxy IP responsible for extortion email creation)

Plus, these user-agent strings were observed during data exfiltration:

Microsoft.Graph.Client/5.62.0
python-requests/2.28.1
python-requests/2.33.1

Network defenders can use these to assist in threat-hunting efforts. And be very wary of help desk calls, both from people claiming to be employees locked out of corporate accounts and from those purporting to be support staff rolling out a mandatory MFA update or other emergency. ®

The Guardian

Latest news, sport, business, comment, analysis and reviews from the Guardian, the world's leading liberal voice

Pam Bondi claims Todd Blanche was ‘in charge’ of ‘entire release’ of Epstein files

Blanche, whom Trump plans to nominate to replace ex-attorney general, served as Bondi’s deputy at DoJ

Former attorney general Pam Bondi told lawmakers that Todd Blanche, the man Donald Trump has lined up to replace her, was “in charge” of the US Department of Justice’s controversial handling of the Jeffrey Epstein case.

Appearing before the House oversight and reform committee, which is investigating the late financier and convicted sex offender, Bondi also said she was “not certain of the extent” that Trump knew about the crimes of Epstein and Ghislaine Maxwell, the longtime associate of Epstein who is serving a 20-year sentence for sex-trafficking crimes, before they became public.


Doski stunner earns Iraq draw against understrength Spain in World Cup warm-up

Spain will depart from Santiago de Compostela at 10am on Friday morning bound for Chattanooga, via Nashville, but seven of the eight men who made their debuts in the final preparation game before the World Cup will not be on board with them. Nor will the seleccion be flying west with a victory after they bid adios with a 1-1 draw against Iraq at Estadio Riazor. Which may not sound very good – and it really was not very good either, a 22-minute cameo from Mikel Merino about the best thing about it – but is no cause for alarm.

Luis de la Fuente’s side will still be among the favourites in the US, Canada and Mexico and rightly so; this was not really his side, at least not recognisably so.


404 Media

404 Media is an independent media company founded by technology journalists Jason Koebler, Emanuel Maiberg, Samantha Cole, and Joseph Cox.

Satya Nadella ‘Not Sure’ Who Said Microsoft Wanted to Make Addictive AI, Is Looking for Guy Who Did This


On Tuesday, we published an article about an internal Microsoft strategy document that explained the company wanted to “make people addicted” to its new AI assistant, Scout. Thursday, Microsoft CEO Satya Nadella told staff that he was “not sure what this document is or who is writing and leaking this nonsense,” according to a message obtained by The Information.

The document we reported on was not some random document. As we wrote at the time, the strategy document was written by Microsoft executives Omar Shahine, Jakob Werner, and some sort of AI writing tool. This information is in our original article and is readily available to Nadella. We wrote: “The document seen by 404 Media lists Shahine and another executive, Jakob Werner, as its authors. The document itself, however, notes that it was ‘co-created turn-by-turn with AI. Human verified every sentence.’” 

Shahine is the leader of Microsoft’s Scout project, as he has written numerous times on his own blog, on his LinkedIn, and on Microsoft’s own announcement of the software. In attempting to distance himself from his own company’s executives and strategy documents, Nadella has revealed that he either does not know how to read or does not know what is happening with some of the company’s highest-profile products. 

Phase one of the company’s launch plan for Scout, which was previously called ClawPilot internally, was to “make people addicted. Continue shipping the standalone ClawPilot experience. Pilot the UX, grow the user base, and build the skill and tool ecosystem that makes people depend on it daily. This is already happening organically.”

In Nadella’s message to staff reported by The Information Thursday, he wrote “this is absolutely a non goal! If anything we are doing the exact opposite. We want to make sure AI empowers and adds real value to human endeavor and broad economic growth! We should make sure that our teams are clear about this. Not sure what this document is or who is writing and leaking this nonsense! They may want to go work elsewhere…..” Nadella then linked to an aggregation of our article published by Futurism.

As mentioned, the document was written by Shahine. Shahine is not some random Microsoft employee, he is the person who imagined, pitched, and brought Scout to fruition, as he has tirelessly documented over and over and over again in many, many LinkedIn posts and on his personal blog. His job title is “Corporate Vice President of Microsoft Scout,” and he is the person who announced the product on Microsoft’s official blog. His biography on Microsoft’s website is “Omar Shahine is a Corporate Vice President at Microsoft where he leads Microsoft Scout.” Again, Shahine’s name is listed as the author at the top of the document we reported on.

Nadella’s message and a statement given to The Information by a Microsoft spokesperson are instructive in showing the ways that big tech deals with journalists who deign to write articles that the companies would rather not exist. A Microsoft spokesperson told The Information Scout is for “helping people accomplish tasks more effectively—not encouraging dependency. Our goal isn’t more screen time. It’s more time back.” Microsoft did not say this to us; Microsoft said nothing to us.

Before we published this article, as we do with almost every article that mentions any company, we reached out to Microsoft for comment. We specifically said that we were writing an article about the “make people addicted” language and asked for comment, context, and more information about that language. Microsoft did not answer our questions, ignored the fact that we asked about “addiction,” and simply sent us a link to its public announcement for Scout. The company then attacked our report internally and externally to another media outlet. 

If Nadella is Looking For the Guy Who Did This, maybe he should read the documents his own company produces, or ask the guy who made it.