malware – Tech | Business | Economy https://techeconomy.ng Thu, 19 Feb 2026 13:52:25 +0000

NITDA Warns of Actively Exploited Microsoft Office Zero-Day, Urges Immediate Updates
https://techeconomy.ng/nitda-warns-microsoft-office-zero-day-cve-2026-21509/
Thu, 19 Feb 2026 13:52:25 +0000

The National Information Technology Development Agency (NITDA) has warned of a serious zero-day vulnerability affecting Microsoft Office and urged users to update immediately.

In an advisory issued by the Computer Emergency Readiness and Response Team Nigeria, the agency said Microsoft released out-of-band security updates to fix the flaw, tracked as CVE-2026-21509.

The vulnerability carries a CVSS score of 7.8 and is already being exploited.

Microsoft confirmed the issue allows attackers to bypass security protections in Office by getting a user to open a specially crafted document. The attack requires user interaction. However, the Preview Pane is not considered an attack path.

According to the advisory, the flaw bypasses the Object Linking and Embedding (OLE) protections designed to shield users from vulnerable COM/OLE controls.

If exploited, it can allow malicious code to run, enable further compromise of a system, and increase the risk of malware delivery, data theft or lateral movement within an organisation.

Several versions of Microsoft Office are affected: Office 2016 (32-bit and 64-bit editions), Office 2019 (32-bit and 64-bit editions), Microsoft 365 Apps, and Office 2021 and later releases.

Microsoft noted: “Office 2021 and later versions are automatically protected through a service-side mitigation, but users must restart their Office applications for the protection to take effect.”

For Office 2016 and 2019, users should install the latest out-of-band security updates without delay. Those running Office 2021 and newer versions need to restart their applications to activate the service-side protection.

Where organisations cannot apply updates immediately, the advisory recommends implementing a registry-based mitigation and maintaining general security hygiene.

The agency also advised organisations to educate staff on the risks of opening unsolicited or unexpected Office documents. It further urged the use of endpoint protection and email filtering tools, while calling for close monitoring of systems for suspicious Microsoft Office-related activity.

Given that exploitation has already been confirmed, the agency said immediate action is necessary to reduce exposure.

Ex-Google Veterans Close $13M Seed Round to Fix Email Security with AegisAI
https://techeconomy.ng/ex-google-veterans-raise-13m-aegisai-email-security/
Wed, 10 Sep 2025 16:26:51 +0000

AegisAI, a cybersecurity startup built by two former Google security leaders, has raised $13 million in seed funding to tackle one of the oldest problems in enterprise technology: keeping malicious emails out of inboxes.

The company, founded by Cy Khormaee and Ryan Luo, both of whom previously worked on Google’s Safe Browsing and reCAPTCHA projects, uses autonomous AI agents to outsmart today’s phishing, malware, and business email compromise (BEC) attacks.

Unlike rule-based systems, which attackers usually bypass, AegisAI’s system learns in real-time and adapts to evolving threats.

Email is still the easiest entry point for attackers. Traditional filters struggle against AI-powered phishing campaigns, which are more convincing than ever. 

A 2024 study found that phishing emails written by large language models had a 54% click-through rate, compared to 12% for human-written messages. This gap reveals how much more effective AI-powered lures have become, and how ill-prepared most defences are.

Attackers no longer rely only on their own domains; they now exploit trusted services such as Salesforce, Zoom, and Google, making their content appear legitimate enough to bypass conventional filters. This has left enterprises exposed, with security teams overwhelmed by alerts and false positives.

AegisAI’s Pitch

Instead of static rules or user training manuals, AegisAI brings what it calls a network of AI agents that inspect and neutralise threats automatically. The company says customers are already seeing up to 90% fewer false positives compared to traditional solutions.

The platform integrates with Microsoft 365 and Google Workspace, with minimal setup required. Security teams can view real-time dashboards showing attempted intrusions, from AI-generated spear phishing to fuzzing attempts.

Co-founder and CEO Cy Khormaee explained the motivation: “We’ve spent almost a decade each protecting billions of users at Google, and we’ve seen firsthand how enterprise email defences are falling behind. We’re seeing the sophistication of AI-powered attacks increase rapidly while existing email security defences are standing still. This leaves security leaders without the tools they need to defend their organisations.”

Ryan Luo, co-founder and CTO, added, “We don’t believe in creating more alerts — we believe in creating better security outcomes. Our mission is to protect organisations without adding operational burden and to give security teams the reliable intelligence they need to focus on what matters most.”

Pilot customers say the results have been decisive. Bam Azizi, CEO of Mesh, stated, “As a former security founder, I’ve seen the cat-and-mouse game play out for decades—especially in email security, where attackers constantly evolve to trick employees. Aegis is the first solution that truly changes the game.

“They came into Mesh and stopped attackers in their tracks. Our dashboard shows everything from fuzzing attempts to AI-generated spear phishing and BEC, and Aegis catches them all—without my team wasting time managing rules.”

At Lokker, CEO Ian Cohen said the system immediately flagged threats aimed at critical teams: “We immediately saw threats to our accounting, engineering, and executive teams in the dashboard. Aegis enabled us to see and stop these threats without our team manually hunting them down.”

Backed by Accel and Foundation Capital

The $13 million seed round was co-led by Accel and Foundation Capital. The funds will drive product development, expand engineering talent, and accelerate go-to-market efforts.

According to Eric Wolford, Partner at Accel: “The AI era will inevitably drive disruption in email—the easiest attack vector. We were looking for a team that was AI-native—people who didn’t just whitewash with AI—people who had the DNA and career investments in the development of AI. Cy and Ryan were that right team. They are both AI-native and have spent an enormous amount of time in email security at Google.”

Following a stealth phase with fintech and tech companies, AegisAI is now moving into wider commercial deployment. Its founders argue that the industry doesn’t need more alerts or user training but tools that stop threats before they reach employees’ inboxes.

With both the scale of AI-driven attacks rising and traditional defences falling short, AegisAI is aiming to be a timely safeguard in one of cybersecurity’s biggest challenges.

Cybercriminals Exploit Facebook Ads to Spread New Malware Targeting Millions Worldwide
https://techeconomy.ng/cybercriminals-exploit-facebook-ads-to-spread-new-malware-targeting-millions-worldwide/
Fri, 01 Nov 2024 08:57:20 +0000

Cybersecurity researchers from Bitdefender Labs have uncovered a new malware campaign targeting Facebook users, with cybercriminals using Meta’s ads platform to spread a harmful program known as the SYS01 infostealer.

This campaign leverages advertisements from seemingly reputable brands, including Netflix, Office 365, and CapCut, to deceive users into downloading malware disguised as legitimate software.

The primary target of this campaign appears to be older male users, with the goal of seizing control of their Facebook accounts and harvesting personal data. 

According to Bitdefender, cybercriminals create convincing ads that mimic authentic services or popular applications, such as free, ad-free Netflix streaming and productivity tools, enticing users to click. 

Once a user interacts with these ads, they are redirected to MediaFire, a cloud storage platform where a malicious ZIP file awaits. The malware, embedded within this ZIP, uses Electron applications that visually replicate the advertised software but operate covertly to capture the user’s information.

One of the distinguishing features of the SYS01 malware is its adaptability. It is programmed to bypass many security detection systems, employing advanced techniques such as sandbox evasion and constant code updates from command and control servers. 

Bitdefender highlights that cybercriminals swiftly alter the malware’s code whenever cybersecurity companies detect and block a particular version, which allows the campaign to continue undetected on Meta’s platforms.

The malware compromises individual Facebook accounts and also targets business accounts. Hijacked accounts are repurposed by attackers to distribute further malicious ads, thereby expanding the campaign’s reach.

This strategic use of compromised accounts has enabled the campaign to extend globally, impacting users across continents, including Europe, North America, and Asia.

Initially discovered in September 2024, the SYS01 infostealer has reportedly affected millions of users. Bitdefender emphasises that the malware remains active and continuously evolves, with new ads appearing daily.

The firm advises users to exercise caution when encountering online advertisements that promise free or premium services, even from recognisable brands.

Facebook users are advised to avoid clicking on suspicious ads and to be wary of software downloads from unofficial sources.

Cybervergent Reveals 37% Surge in Africa’s Cyber Threats, Over 586,000 Detected in H1 2024
https://techeconomy.ng/cybervergent-reveals-37-surge-in-africas-cyber-threats-over-586000-detected-in-h1-2024/
Mon, 16 Sep 2024 07:29:05 +0000

In the first half of 2024, the Cybervergent Security Operations Center (SOC) identified 586,130 cyber threats, reflecting an increase in cyber-attacks across various sectors.

During an exclusive media roundtable hosted by the cybersecurity firm, which provided insights into the trends and developments impacting the cybersecurity sector in the first six months of the year 2024, Gbolabo Awelewa, chief solutions officer at Cybervergent, explained the importance of cybersecurity vigilance. 

“In the past, we did a lot of this work without making it public. As tech people, we worked with our customers and didn’t realize how much we could improve the ecosystem by sharing these insights,” Awelewa said, pointing to the need for greater transparency within the industry.

Cyber-attacks in Africa surged by 37%, with organizations facing an average of 2,960 attacks per week.

This surge, coupled with evolving threats, stressed the importance of SOCs in monitoring, detecting, and mitigating risks. 

The SOC was likened to a fitness trainer, providing personalized recommendations to strengthen organizational cybersecurity measures and ensuring that systems remain resilient in a dynamic threat landscape.

The H1 report also disclosed that 19,920 endpoints were actively protected, while 226,103 security events were resolved through automated processes. However, the SOC also faced challenges, including the identification of 13,305 false positives, which the platform meticulously filtered out.

Cyber Weaknesses and Challenges 

The report shed light on weaknesses that continue to affect organizations, particularly in sectors like financial services and healthcare. 

One major issue identified was the use of outdated legacy systems. “Many organizations, especially in financial services, are using legacy systems that are out of support. These systems often have vulnerabilities that can be exploited,” Awelewa said. 

He noted that efforts to put compensating controls around such systems often lead to further complications, especially when resources are limited.

Other challenges included human error, insufficient training, and a lack of awareness of the latest security standards, which left many organizations vulnerable to breaches. 

Awelewa further explained that fraud cases are often a result of intentional human actions, disguised as errors. “The biggest leaks in organizations today are due to human error — both intentional and unintentional,” he added.

Malware Trends and Threat Landscape 

The report detailed several emerging malware threats that organizations faced, including SocGholish, which uses social engineering to trick users into downloading malicious files, and Scattered Spider (UNC3944), which bypasses multi-factor authentication and infiltrates through cloud identities. 

The report also flagged the growing threat of Rilide Stealer, which targets Chromium-based browsers to steal email credentials and crypto assets, and of Vidar Infostealer, which compromises everything from crypto wallets to web browsers.

One of the most concerning pieces of malware identified was Vidar Infostealer, a particularly dangerous tool that targets Windows-based applications and crypto wallets. Awelewa described the malware as “capable of bypassing multiple security layers, leading to serious financial losses.”

He advised organizations to regularly update their software and educate employees on the latest phishing tactics to mitigate such risks.

Industry-Specific Challenges 

Cybervergent’s report also disclosed sector-specific cybersecurity challenges. For instance, the healthcare sector faces several difficulties in handling sensitive patient data within complex systems, while the education sector is constrained by limited budgets, preventing investments in advanced security measures. 

The manufacturing and retail sectors were noted for their struggle in balancing operational technology (OT) and IT security.

SOC as a Pillar of Resilience 

Cybervergent’s SOC played a very important role in defending against these evolving threats by continuously monitoring alerts, events, and threat indicators. 

A total of 116,580 detection analytics were applied, and SOC analysts meticulously examined 304,522 events, leading to the identification of 42,200 potentially malicious activities. This approach allowed the SOC to tailor cybersecurity measures to improve clients’ overall cyber health.

Awelewa likened the SOC’s role to that of a fitness coach, constantly guiding organizations to strengthen their security posture. “Our job is to spot threats early and help our customers respond quickly. It’s all about being proactive,” he reiterated, stressing the need for organizations to adopt assertive cybersecurity measures instead of reactive approaches.

Cybervergent — H2 Focus on Zero-Day Exploits and CaaS 

For the second half of 2024, Cybervergent looks to focus on combating zero-day exploits, strengthening cloud security, and addressing the rise of Cybercrime-as-a-Service (CaaS). 

Awelewa emphasized the need for organizations to fortify their defences, particularly against insider threats and sophisticated ransomware attacks.

He called on all organizations to prioritize cybersecurity, treating it not just as a compliance requirement but as an integral component of their operational strategy.

Remaining vigilant and investing in strong security tools will enable companies to build a more resilient defence even as the digital environment becomes more hostile.

“In cybersecurity, it’s not about if an attack will happen, but when. Preparedness is key,” Awelewa concluded.

Three Trends Set to Drive Cyber-attacks in 2024
https://techeconomy.ng/three-trends-set-to-drive-cyber-attacks-in-2024/
Tue, 19 Mar 2024 06:32:43 +0000
Writer: Scott Sayce, the Global Head of Cyber Insurance at Allianz Commercial

  • Ransomware attacks saw a sharp increase once again over the past year.
  • AI and the increase in mobile-connected devices provide further areas of vulnerability for cybercriminals to exploit.
  • Early detection can reduce the cost of breaches up to a thousandfold.

Following two years of high but stable loss activity, 2023 saw a worrying resurgence in ransomware and extortion losses, as the cyber threat landscape continues to evolve.

Hackers are increasingly targeting IT and physical supply chains, launching mass cyber-attacks, and finding new ways to extort money from businesses, large and small.

It’s little wonder that our customers and clients rank cyber risk as their top concern in the annual Allianz Risk Barometer survey.

Ransomware claims activity was up by more than 50% year-on-year in 2023. Meanwhile, so-called Ransomware-as-a-Service (RaaS) kits, where prices start from as little as US$40, have been a key driver in the rising frequency of attacks overall.

Gangs are also carrying out more attacks faster, with the average number of days taken to execute one falling from around 60 days in 2019 to four.

Most ransomware attacks now involve the theft of personal or sensitive commercial data, increasing the cost and complexity of incidents and bringing greater potential for reputational damage.

As a global insurer, Allianz Commercial’s analysis of large cyber losses (€1mn+) in recent years shows that the proportion of cases in which data is exfiltrated is increasing, doubling from 40% in 2019 to almost 80% in 2022, with activity in 2023 tracking even higher.

Protecting an organization against intrusion therefore is a cat-and-mouse game, in which cyber criminals have the advantage.

Threat actors are now exploring ways to use artificial intelligence (AI) to automate and accelerate cyber-attacks, creating more effective malware and phishing lures. Combined with the explosion in connected mobile devices and 5G-enabled Internet of Things (IoT), the avenues for cyber-attacks look only likely to increase in the future.

At Allianz, our global team of risk engineers regularly monitors the cyber landscape, assisting companies with mitigating emerging risks. Threats currently on our radar include:

1. The power of AI (to accelerate cyber-attacks)

Threat actors are already using AI-powered language models like ChatGPT to write code. Generative AI can help less proficient threat actors create new strains and variations of existing ransomware, potentially increasing the number of attacks they can execute. We expect an increased utilization of AI by malicious actors in the future, necessitating even stronger cybersecurity measures.

Voice simulation software has already become a powerful addition to the cyber criminal’s arsenal. In one case, the CEO of a British energy provider transferred around US$250,000 to a scammer after receiving a call from what they thought was the head of the unit’s parent company, asking them to wire money to a supplier. The voice was generated using AI. Deepfake video technology designed and sold for phishing frauds can also now be found online, for prices as low as US$20 per minute.

It is not all bad news though. We might see more AI-enabled incidents in the future, but investment in detection backed by AI should also help to catch more incidents earlier.

2. Mobile devices expose personal and corporate data

Lax security and the mixing of personal and corporate data on mobile devices, including smartphones, tablets, and laptops, is an attractive combination for cybercriminals. Allianz Commercial has seen a growing number of incidents caused by poor cyber security around mobile devices.

During the pandemic, many organizations enabled new ways of accessing their corporate network via private devices, without the need for multi-factor authentication (MFA). This also resulted in several successful cyber-attacks and large insurance claims.

Criminals are now targeting mobile devices with specific malware to gain remote access, steal login credentials, or deploy ransomware. Personal devices tend to have less stringent security measures. Utilizing public wi-fi on such devices can increase their vulnerability, including exposure to phishing attacks via social media.

The rollout of 5G technology is also an area of potential concern if not managed appropriately, given it will power even more connected devices, including sophisticated applications – from driverless cars to smart cities.

However, many IoT devices do not have a good record when it comes to cyber security, are easily discoverable, and will not have MFA mechanisms, which, together with the addition of AI, presents a serious cyber threat. Even today we see devices with default passwords that are available on the internet.

3. Cyber security skills shortage affects the cost and frequency of incidents

A growing shortage of professionals will increasingly complicate cybersecurity efforts. The current global cyber security workforce gap stands at more than four million people, with demand growing twice as fast as supply. Gartner predicts that a lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025.

In short, because technology is moving so fast, there are not enough experienced people to keep pace with the threats. It’s very hard to get good cyber security engineers, which means companies are more exposed to cyber events.

Without skilled personnel, it is more difficult to predict and prevent incidents, which could mean more losses in the future. The shortage of cyber security experts also impacts the cost of an incident.

Organizations with a high level of security skills shortage had a US$5.36mn average data breach cost, around 20% higher than the overall average, according to the IBM Cost of a Data Breach Report 2023.

Early detection is key to combating emerging cyber threats

Preventing a cyber-attack is becoming harder, and the stakes are higher. As a result, early detection and response capabilities and tools are becoming ever more important.

If you have an undetected loophole in your network, it is a potential Achilles heel. And if you do not have effective early detection tools it can lead to longer unplanned downtime, increased costs, and have a greater impact on customers, revenue, profitability, as well as your reputation.

The lion’s share of IT security budgets is currently spent on prevention with around 35% directed to detection and response.

However, if undetected, an intrusion can quickly escalate, and once data is encrypted and/or stolen, the costs snowball, reaching as much as 1,000 times higher than if the incident had been detected and contained early. That is the difference between a €20,000 loss and a €20mn one.

Looking forward, detection tools will be the next logical step for most companies to invest in. Ultimately, early detection and effective response capabilities will be key to mitigating the impact of cyber-attacks, as well as ensuring a sustainable cyber insurance market going forward.

NCC-CSIRT Flags ‘HiddenAds’ Malware that Jeopardizes Users’ Privacy
https://techeconomy.ng/ncc-csirt-flags-hiddenads-malware-that-jeopardizes-users-privacy/
Mon, 08 Aug 2022 20:35:12 +0000

The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has flagged a new malware, HiddenAds, which has infiltrated the Google Play Store and can impact device performance and jeopardize users’ privacy.

In its advisory of August 8, 2022, NCC-CSIRT classified the virus, first identified by the McAfee Mobile Research Team, as high in probability and damage potential.

The malware infiltrated the Google Play Store in the form of several device cleaners or optimization apps.

According to the summary provided by NCC-CSIRT “Upon installation, it can run malicious services without the user opening the app. It also spams the user with irrelevant advertisements. The apps have received downloads ranging from 100,000 to over a million.

“Some of the apps HiddenAds masquerades as are: Junk Cleaner, EasyCleaner, Power Doctor, Carpet Clean, Super Clean, Meteor Clean, Strong Clean, Windy Clean, Fingertip Cleaner, Keep Clean, Full Clean – Clean Cache, Quick Cleaner, and Cool Clean.

“When a user installs any of the aforementioned apps, whether the user has opened the app or not, a malicious service is immediately installed on the device. The app will then attempt to blend into the app tray by changing its icon to the Google Play icon that every Android user is familiar with. Its name will also change to ‘Google Play’ or ‘Setting’. The device will then be bombarded with ads in a variety of deceptive ways, severely impairing the user experience,” the advisory stated.

Anyone who installs one of the compromised apps will see their device performance suffer significantly; clicking on the ads may result in stealth downloads or installation of other malware; users may inadvertently subscribe to services and be billed on a monthly basis; and their privacy will be jeopardized.

NCC-CSIRT advised users to avoid downloading questionable apps or apps they are unsure about while those who have installed any of the identified malicious apps should immediately delete them.

It further disclosed that even where the malicious app’s icon and name have changed, it can be identified by the fact that it can be uninstalled, whereas the legitimate Google Play app cannot.

The advisory recommended the installation of anti-virus/anti-malware software with a proven track record for detecting and removing malware.

The Computer Security Incident Response Team (CSIRT) is the telecom sector’s cyber security incident centre set up by the NCC to focus on incidents in the telecom sector and their effect on telecom consumers and citizens at large. The CSIRT also works collaboratively with the Nigeria Computer Emergency Response Team (ngCERT), established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting and securing Nigerian cyberspace to forestall attacks, problems or related events.

MoonBounce: Third known firmware bootkit shows major advancement
https://techeconomy.ng/moonbounce-third-known-firmware-bootkit-shows-major-advancement/
Wed, 26 Jan 2022 13:35:51 +0000

Kaspersky’s researchers have uncovered the third case of a firmware bootkit in the wild. Dubbed MoonBounce, this malicious implant is hidden within a computer’s Unified Extensible Firmware Interface (UEFI) firmware, an essential part of the computer, in the SPI flash, a storage component external to the hard drive.

Such implants are notoriously difficult to remove and have limited visibility to security products.

Having first appeared in the wild in the northern spring of 2021, MoonBounce demonstrates a sophisticated attack flow, with evident advancement in comparison to formerly reported UEFI firmware bootkits.

The campaign has been attributed with considerable confidence to the well-known advanced persistent threat (APT) actor APT41.

UEFI firmware is a critical component in the vast majority of machines; its code is responsible for booting up the device and passing control to the software that loads the operating system.

This code rests in what’s called SPI flash, a non-volatile storage external to the hard disk. If this firmware contains malicious code, then this code will be launched before the operating system, making malware implanted by a firmware bootkit especially difficult to delete; it can’t be removed simply by reformatting a hard drive or reinstalling an OS.

What’s more, because the code is located outside of the hard drive, such bootkits’ activity goes virtually undetected by most security solutions unless they have a feature that specifically scans this part of the device.

MoonBounce is only the third reported UEFI bootkit found in the wild. It appeared in the northern spring of 2021 and was first discovered by Kaspersky researchers when looking at the activity of their Firmware Scanner, which has been included in Kaspersky products since the beginning of 2019 to specifically detect threats hiding in the ROM BIOS, including UEFI firmware images.

When compared to the two previously discovered bootkits, LoJax and MosaicRegressor, MoonBounce demonstrates significant advancement with a more complicated attack flow and greater technical sophistication.

The implant rests in the CORE_DXE component of the firmware, which is called upon early during the UEFI boot sequence.

Then, through a series of hooks that intercept certain functions, the implant’s components make their way into the operating system, where they reach out to a command and control server in order to retrieve further malicious payloads, which the researchers were unable to retrieve.

It’s worth noting that the infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint.

While investigating MoonBounce, Kaspersky researchers uncovered several malicious loaders and post-exploitation malware across several nodes of the same network.

This includes ScrambleCross or Sidewalk, an in-memory implant that can communicate with a C2 server to exchange information and execute additional plugins; Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and security secrets; a previously unknown Golang-based backdoor; and Microcin, malware that is typically used by the SixLittleMonkeys threat actor.

It could be that MoonBounce downloads these pieces of malware, or that a previous infection by one of them serves as a way of compromising the machine so that MoonBounce can gain a foothold in the network.

Another possible infection method for MoonBounce would be if the machine was compromised before it was supplied to the target company. In either case, it is assessed that the infection occurs through remote access to the targeted machine.

In addition, while LoJax and MosaicRegressor utilised additions of DXE drivers, MoonBounce modifies an existing firmware component for a more subtle and stealthier attack.

In the overall campaign against the network in question, it was evident that the attackers carried out a wide range of actions, such as archiving files and gathering network information.

Commands used by attackers throughout their activity suggest they were interested in lateral movement and exfiltration of data, and, given that a UEFI implant was used, it is likely the attackers were interested in conducting ongoing espionage activity.

Kaspersky has attributed MoonBounce with considerable confidence to APT41, which has been widely reported to be a Chinese-speaking threat actor that’s conducted cyberespionage and cybercrime campaigns around the world since at least 2012.

In addition, the existence of some of the aforementioned malware in the same network suggests a possible connection between APT41 and other Chinese-speaking threat actors.

So far, the firmware bootkit has only been found on a single machine for a holding company in the high-tech market; however, other affiliated malicious samples (e.g. ScrambleCross and its loaders) have been found on the networks of several other victims.

“While we can’t definitively connect the additional malware implants found during our investigation with MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one another to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin,” adds Denis Legezo, senior security researcher with GReAT.

“Perhaps more importantly, this latest UEFI bootkit shows some notable advancements when compared to MosaicRegressor, which we reported on back in 2020. In fact, transforming a previously benign core component in firmware to one that can facilitate malware deployment on the system is an innovation that was not seen in previous comparable firmware bootkits in the wild and makes the threat far stealthier. We predicted back in 2018 that UEFI threats would gain in popularity, and this trend does appear to be materialising. We would not be surprised to find additional bootkits in 2022. Fortunately, vendors have begun paying more attention to firmware attacks, and more firmware security technologies, such as BootGuard and Trusted Platform Modules, are gradually being adopted,” comments Mark Lechtik, senior security researcher with the Global Research and Analysis Team (GReAT) at Kaspersky.
