Stein Solutions

01/12/2026

This is the second of two articles I posted today on facebook SteinSolutions. It is a reminder of the ongoing threat of China, Russia, North Korea, Iran, and others in the cyberwars reality we have lived in for at least 20 years. These countries are relentless. Let me define the word relentless just to be ultra clear: persistent, determined, and unwavering in their pursuit of a specific goal or agenda. Wars are now being fought with AI drones, misinformation campaigns, security breaches, malware, In my reply to this post I will link you to a speech given by the new head of M16 ()the British equivalent of our CIA).

The article describes a browser (Edge, Chrome, Firefox) hacking campaign researchers call "DarkSpectre", which is believed to be linked to China. For more than seven years, the group used malicious browser extensions (small add-ons you install in Chrome, Edge, or Firefox to add features and which I preach to avoid like the plague without “extreme vetting”) to spread malware (harmful software that can spy or steal). The report links three campaigns to the same actor: ShadyPanda (about 5.6 million users), "Zoom Stealer" (about 2.2 million), and GhostPoster (about 1.05 million), totaling more than 8.8 million users.

What made it hard to catch was patience and disguise. Some extensions looked normal for five years or more and only later turned bad. I call that “lurking” and it’s also known as a "time-bomb" in security parlance – and I am happy to explain this to you privately. Example: waiting three days after installation of an extension before contacting a command-and-control server (a computer criminals use to send instructions) to download the real harmful code.

The malware also ran only on roughly 10% of page loads and hid code inside image files (a technique known as steganography), so it blended in. The group could even change what the extension did by changing what their servers sent back, without publishing a new update.

Take a minute to review your installed extensions and remove anything you do not truly need or recognize. Keep your browser updated and be cautious with "new tab" or "dashboard" add-ons that ask for lots of access. Or contact me for training on how to avoid rogue extensions.

DarkSpectre infected 8.8M Chrome, Edge, and Firefox users via coordinated malware campaigns over seven years.

01/12/2026

Three cybersecurity employees who turned rogue and became part of a ransomware operation "targeting healthcare and collected at least $300 million in ransom payments from more than 1,000 victims until September 2023". In the end, thankfully, they got caught.

Two former employees of cybersecurity incident response companies Sygnia and DigitalMint have pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023.

12/29/2025

The report describes Kimwolf, a very large “botnet” (a group of infected devices controlled remotely by criminals) that mainly targets Android-based smart TVs, TV boxes, and tablets. Researchers say the network is already enormous: they conservatively estimate more than 1.8 million infected devices, and after temporarily taking over one control server (called “C2,” short for command-and-control), they saw 3.66 million cumulative infected IP addresses with a peak day of 1,829,977 active devices. The botnet can launch DDoS attacks (flooding a website or service with traffic to knock it offline), but it can also run other functions like proxying (using your device as a traffic relay), remote command access, and file management. XLab Blog
Kimwolf is hard to track because it encrypts its traffic and uses techniques meant to avoid detection, including DNS over TLS (a way to hide DNS lookups inside encrypted connections) and rapid infrastructure changes; the report notes its domains were taken down multiple times, pushing the operators to use ENS (Ethereum Name Service) to make control servers harder to remove. The researchers also found strong links to the Aisuru botnet and believe Kimwolf’s attack power could be near 30 Tbps, which is enough to seriously disrupt major online services. XLab Blog

Practical takeaway: [1] Avoid cheap, unknown-brand Android TV boxes and don’t install “extra” APK apps from random websites. [2] If you own a smart TV/TV box, keep firmware updated, use strong passwords, and consider unplugging or replacing devices that no longer get security updates. I personally attach a small Windows 11 laptop with an HDMI cable to the dumbed-down TV and feel like I have more security and a better understanding of what is going on. Total cost: $150 (a 14” Intel i5-10th gen laptop 256GB SSD, 16GB Ram, Windows 11 Pro. The laptop becomes a Windows desktop I understand and can manage. What’s in your wallet?

Kudos to Pierluigi Paganini for his SECURITY AFFAIRS MALWARE NEWSLETTER for pointing me to this interesting article. URL is URL is

Background On October 24, 2025, a trusted partner in the security community provided us with a brand-new botnet sample. The most distinctive feature of this sample was its C2 domain, 14emeliaterracewestroxburyma02132[.]su, which at the time ranked 2nd in the Cloudflare Domain Rankings. A week later,...

12/29/2025

Greetings Firefox users. I abandoned Firefox as my go to browser many years ago because of stability issues. I remain a fan of Mozilla however. I just don’t feel as though Firefox can keep up with all the security vulnerabilities Chrome and Edge close weekly (and even they have trouble keeping up IMO).

This article explains how a malware campaign called GhostPoster infected more than 50,000 Firefox users across 17 add-ons by hiding code inside a browser extension’s logo image. A browser extension is a small add-on that runs inside your web browser (like a VPN, translator, or ad blocker). In one example, “Free VPN Forever” (my adage applies: ‘if it’s free do some extreme vetting or run-to-the-hills and say NO!’) reads its own logo.png image file, searches the picture’s raw bytes for a marker (“===”), and then extracts and runs a hidden JavaScript code stored after the real image data. This hiding trick is called steganography in security lingo (hiding data inside a normal-looking file).

That hidden code was only a loader, meaning a small downloader whose job is to fetch the real malicious program from attacker-controlled websites. To avoid detection, it checked in only every 48 hours and usually did nothing, downloading the full payload only about 10% of the time. Once active, the malware could hijack shopping affiliate links (so criminals get the commission), add tracking to pages you visit, and remove browser safety protections (called “security headers”) that help stop clickjacking (tricking you into clicking something you did not intend).

Practical takeaway: Uninstall unfamiliar extensions, especially “free VPN” (but also recipes, weather, package tracking, driving directions, yada yada – it’s a long list and the goal is to make you forget what you once learned "there is no such thing as a free lunch" -- and trick you into installing something useful and of course "free" -- instead you need to hire a very smart professional to establish his or her vetting approach and not rubber stamp approval) -- and only install add-ons from publishers you recognize – and even that incurs a risk if their source code is infiltrated, which if very popular, *WILL BE INFILTRATED* sooner or later (that’s how cockroaches operate)!

If you suspect you installed one of these, remove it and run a full Microsoft Defender or antivirus scan and call me as there is a chance the malware will escape detection from all your efforts (BTW I’m not cheap and warning: I will point out all the issues your I/T and Security staff have and they will not like me. Kudos to Pierluigi Paganini for his SECURITY AFFAIRS MALWARE NEWSLETTER for pointing me to this interesting article.

This link will take you to a page that’s not on LinkedIn

12/21/2025

This Forbes warning describes a new Microsoft-account takeover trick called ConsentFix, which is a twist on the older “ClickFix” scam. Instead of sending you to a fake login page to steal your password, attackers lure you from Google search results or a compromised site to a convincing “Cloudflare verification/CAPTCHA” screen that asks for your work email. If you type an address they’re targeting, the page tells you to click Sign In, which opens a real Microsoft sign-in page in a new tab—so it looks safe and familiar.

After you successfully sign in, Microsoft redirects your browser to a special “localhost” link that includes an authorization code. The scam’s key step is that it then instructs you to copy and paste that link back into the original page. When you do, the criminals can capture that code and trade it for access tokens, effectively taking control of your Microsoft account without stealing your password and without defeating MFA/passkeys, because you authenticated normally on Microsoft’s own site. If you ever see instructions to “fix” an issue by copying/pasting a sign-in link or code into another website, treat it as an attack and close the page or as I like to say "RUN TO THE HILLS" (meaning run as far and fast away from this sophisticated trap -- if you call me and describe what is going on I will say "RUN TO THE HILLS" or "EVERY CRIMINAL OUT THERE IS LOOKING FOR YOU TO TRICK YOU SO WHY AREN'T YOU RUNNING OUT THE DOOR TO THE HILLS AS FAR AWAY AS POSSIBLE FROM THE COMPUTER WHERE YOU WILL GET YOURSELF IN TROUBLE" :-)

Summary: Know when to RUN TO THE HILLS!

If you see this message, your Microsoft account is under attack by hackers.

12/21/2025

I keep telling people "there is no such thing as a free lunch". That is, there are still people out there who will look for a tool they need and find a free version of it and install it and then.. it's all over. This is called "social engineering" namely tricking you into downloading something you desire and then infecting you for years...

The article warns that criminals are spreading harmful software by tricking people in two very common places: “cracked” (pirated) software downloads and YouTube videos that promise easy installs.

In the first scheme, someone searches for a free copy of a real program (the article mentions Microsoft Word), gets sent to a file-sharing link, and downloads a ZIP file that looks legitimate. Inside the zip file is a renamed Python program (“Setup.exe”) that quietly pulls down a stealthy loader called **Count Loader**, which then stays on the computer by creating a fake-looking scheduled task (with a Google-style name) that can run repeatedly for years.

Once CountLoader is in, it can download more malware—specifically an “information stealer” (the article names ACR Stealer) designed to grab sensitive data from the computer.

The article also describes a second campaign where compromised YouTube accounts (“YouTube Ghost Network”) share videos with fake installer links that drop another loader, GachiLoader; researchers flagged about 100 videos with roughly 220,000 views. GachiLoader may request administrator permission and then try to weaken Microsoft Defender before delivering password-stealing malware (including Rhadamanthys in at least one case).

How is your free lunch doing?

Researchers uncover malware campaigns using cracked software and compromised YouTube videos to deliver CountLoader, GachiLoader, and info stealers.

12/08/2025

This is interesting. Fortunately, this is very high-end spyware meant to target diplomats, politicians, lawyers, journalists, etc. I say fortunately because most of us are not among these. The spying uses "Intellexa’s Predator spyware" -- you can learn more about that sophistication from Google - https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-exploits-continue

https://www.ntd.com/apple-google-alert-users-to-global-spyware-hacking-campaigns_1112199.html

Commercial surveillance vendor Intellexa continues to thrive and exploit mobile zero-day vulnerabilities.

11/22/2025

https://www.malwarebytes.com/blog/news/2025/11/gmail-is-reading-your-emails-and-attachments-to-train-its-ai-unless-you-turn-it-off

A new Gmail update may allow Google to use your private messages and attachments for AI training. Here's how to turn it off.

09/15/2025

I have been teaching people to stay away from most extensions in the Edge/Chrome store (I no longer support Firefox). One of my heroes is Wladimir Palant and I posted on his web page a very informative article, IMO.

The body of the message is included here:
*************************************************************
If someone copies this the link back to this page is

https://palant.info/2025/01/13/chrome-web-store-is-a-mess/

First, if anyone reads this, know and understand that Vladimir is a tireless and dedicated professional genius who 100% understands the dangers of the Chrome Web Store. I am a bonafide DFIR engineer and malware hunter and my credentials are below. This is not a self-promotion. I am a senior citizen and exhausted from the tireless work of the only way to stop the bad guys: teach people, one person at a time, to “run to the hills” away from (most) extensions. I have taught over 1,100 people over the last 12 years.

No matter what Google tells you about their efforts to build in security or redesign how extensions must be architected and whatever guardrails they put in, the old adage applies: “the bad guys will always be a step or two ahead of the good guys”. I could make a very strong case for this but I could not evangelize and run the experiments that Vladmir does. However, he does precisely what I would do, given enough time. So kudos and gratitude to Vladmir.

Every warning Vladmir gives I have been giving people for years. Vladmir, as former developer of AdBlock, establishes my credibility but my clients already trust my judgement.

I have written simple PowerShell scripts that set the policy in the registry to never allow any extension to be added to Chrome, Edge or Firefox and a few customers gladly take this code. It’s doing well. If it was extremely widespread bad guys would code around it. That’s the beauty of teaching people one at a time, quietly. Each one is one less target the perps can go after. Making small chinks in the evil criminals armor is better than doing nothing.

I teach extreme vetting and done quickly. There are many red flags to look for and if any, even one, arise, “run to the hills” and give it up. A Fortune 1000 company who writes an extension will not have even one red flag. Anyone else’s extension has a higher chance of being infiltrated, lurking for years and then slipping a pushed update that Chrome misses (and what Vladmir has proven by watching those 1600 extensions daily until bam! one leaps at you and does it’s dirty deeds YEARS LATER. I call that “lurking”. I also use use static analysis tools by AnyRun and Hybrid Analysis. I cannot afford these $5K annual subscription and the free version is limited. But if it doesn’t kill you to use these tools, it will make you stronger. They run it in a sandbox for 60 seconds which is a long way off waiting 5 years for a new version to rear it’s ugly head. And each older version may morph itself in ways that no one has the time to study the JavaScript code to understand what it does.

But Anyrun and Hybrid will at least tell you if it sees any of the patterns from MITRE ATT&CK (see https://d3fend.mitre.org/ ). Some extensions have 100s of files and that exceeds what can be uploaded (even in a single zip file) but you can turn the entire set of code into a single runnable hta or .js file. Not exactly the same as running under the Google extension model but adequate for static MITRE analysis and a 60-second run.

For example, I recently checked out a C**r extension (name omitted but will disclose if you PM me). This code should have been doable in a few hundred lines of .js. But it was 11,000 lines. My PowerShell script produced two lines of non-obfuscated code (whew!) and a web site java script beautifier turned it into those 11,00 lines. It had many MITRE ATT&CK patterns in it. Hybrid said it was SUSPICIOUS at a score of 30/100.

I don’t have the time to ramp up on studying this code (I was an expert C++ and C # programmer for many years). But 11,000 lines and all those MITRE issues is a red flag to ….. “run to the hills”. I am not interested in why there may be a good reason for there to be 11,000 lines of code but I simply will not take the risk nor should you. There was only a simple web site for the tool and it had all my vetting red flags (not address, no phone, not “About Us”, no nothing). Except for the author (gmail) email to contact -- I researched that email and found nothing. I asked him/her a simple question about his/her country of origin and as you might expect, no answer (red flag #2) as come in. Final VERDICT: guilty.
I have thought long and hard, as have some of you and Vladmir, why Google seemingly doesn’t care. The answer is my own opinion: they put some extensions out there of their own to spy on criminals and terrorists and they want not-so-smart criminals to risk using these tools so that they can be caught. There are 100s of things the intelligence agencies will do to get intelligence and Google and Microsoft are going to cooperate in the interest of national security.

That makes ordinary people who add extensions and trust Google, intentional collateral damage.

But not my customers. :-) They have been taught to say “no” to every prompt and block all notifications in the browser. But it’s not easy, without even more work to do, to stop push technology updates both from the Edge/Chrome web stores or the Microsoft Store. There should be an option to prompt to update:

Extension Track-Package-and-give-you-weather :-) wants to update. Select 1 to 4
1. update now
2. do not update right now, check another time
3. review changes made for this version (developer must provide at least 100 words?)|
4. skip this update all together and return to browser
I would teach my clients if it is a not-so-well-known extension, select option 4.

Another suggestion would be for Google to upload to Hybrid Analysis and only permit it if the score is below a certain threshold. Google already has something like this behind the scenes as a super-powerful web app that does 1000x more than VirusTotal. Very cool! But it is ONLY SOLD TO corporations who should (and smart ones do) studying everything.

But small fry consultants like Vladmir or I even begging to able to upload perhaps one file a week is met with a NO. That is saying “we don’t care about how smart you are – don’t mess with our intelligence efforts – we only cater to corporations”.

That just further cements how important it is for Google to get malware in the form of extensions into the everyday non-corporate household. It breaks my heart. Laugh all you want, but there is a long history of the NSA/CIA working this way and an elite Google team can tell you all about it but never will! I draw these conclusions from abductive logic, the hallmark of a very smart person like Vladmir or myself, to understand the criminal mind and spy vs. spy. (Other examples: which VPN companies does CIA own – at least one in the past? Which node(s) do they run in the TOR network to get even scant and incomplete information? Why did Dropbox CEO state fact check that no one in the planet can see any of your cloud files stored on their servers and then admit they lied about it and would show files to certain subpoenas? Etc., etc.

Finally, I have now run into a new sad issue which is this: Norton 360 is very popular and is sold with popular Norton LifeLock. Gen Digital purchased Norton who purchased Avast some time ago and incorporated it into their product and it installs a Norton Secure browser which is really the AVG Secure browser which is really a Chromium based browser that Avast promoted when they purchased AVG. There are many reasons not to use this browser but all of my customers with Norton who rely on Chrome find the icon for the Secure Browser similar to Google Chrome. But the location of extensions is completely different from the well know Edge, Chrome, and Firefox add-ons locations. In fact, depending on whether the customer started/has the AVG, Avast or Norton version determines the path. And all those wonderful tools like Nirsofer’s browseraddsonsview now have to be called from the command line to check those locations and to do so is not documented clearly by Nirsofer but it can be figured out. Shame on Norton. They could atone by making a free tool similar to browseraddsonsview that dumps the addons to a CSV.

Don’t hold your breath.

Thanks and if anyone wants to volunteer to study C**r PM me at misterharrystein and the add the @ and gmail and .com. Identify yourself with a linkedin when you write.

Blessings,

Harry https://www.linkedin.com/in/harrystein https://www.facebook.com/steinsolutions

07/27/2025

This just goes to show you when it comes to greed and criminal behavior, people will go to lengths you can't even imagine until you read about it.

North Korea made millions from the scheme.

06/30/2025

Breaches occur all the time and it's a bad look for the CISO of the company who expects to be fired (a scapegoat is needed) and that CISO gets a better paying job -- not that he is unqualified but because that's how the carousel of CISOs work. It's understood you will be employed and receive bonuses until a breach, no matter whose fault it is and how unavoidable it was. Additionally, they are expected to reduce headcount because of AI -- a mistake but profits and the shareholders always trump over anything else. IMO. I learned this from a highly regard CISO at a conference where he described to the audience how this is normal and how his genius friends all accept that as normal. Thus I expect a change in Krispy Kreme CISO in the next few months. Thoughts?

Krispy Kreme is warning tens of thousands of Americans that they are now at risk of identity theft and fraud following a major cybersecurity incident.

06/30/2025

On this page I have recently slowed down posting my know-how that I feel does not get print in security blogs, linkedin, etc. My focus is elderly people (50s - 100s) getting scammed and needing to understand basics - I try to teach in a simple way that goes against the grain of what they (and many other younger readers) think, namely the myth that your PC, Mac, iPad, iPhone, Android phone is safe. Or about the scams very well documented on the AARP site.
Examples:
1. 95% of extensions you will install are now or in the next few years will be unsafe, not 1/10 of 1%.
2. Same for apps from the Microsoft Store.
3. Just say "NO" to everything. You won't miss out on anything and will be a lot safer - (Nancy Reagan).
4. Bad guys will always be one to two steps ahead of the good guys.
5. Your antivirus is not the weakest link on your computer. Why? Because 50% of all viruses out there today have not even been discovered yet by *ALL* (repeat *ALL*) antiviruses combined.
6. It is easy for the bad guys to write malware.
7. Companies don't care if they have a breach. They expect it. They understand it's not a matter of if, but when. Home consumers don't matter -- revenues come from selling software and services to profitable companies who take security seriously and don't overwork and underpay their security staff. When the breach happens, they report it and let you know the damage and next steps. But don't expect this from companies outside the Fortune 500 -- the lesser profitable companies and startups are usually security illiterate and sell to home users who download their apps that eventually gets breached/infiltrated and pushed out to you with the latest wonderful technology that silently pushed updates to users daily, weekly, etc. - almost impossible to stop a breached product/app. What must you do: self-educate, learn, learn, learn. "Assume the worst because it's even worse than that!"

Now here is a site that posts many recent articles that the editor thinks are relevant. How do I decide if this site is useful for me or you? I read/skim all the articles because I understand them. I ask myself "does this have relevance to the over-1000 humans I have helped in the last 12 years or what I learned when I managed 125 computers in a law firm and discovered over 150 new viruses in less than five years and got most of my gray hairs)." If the answer is yes, I will take note. If the entire page has 1/2 of it's articles with impactful relevance, I will share that with you. If there is only one article, I will share the one article with you.

As you read this, remember: the goal is to self-educate with ways a good mentor deems effective. Many companies or books offer training with the goal of profit in mind. I do this as a ministry to take my God-given skills and share with people who can't afford it (I still charge moderately because I just can't afford to do otherwise).

Now here is an exercise for you before you read the link articles below. Take this entire message and past it as a prompt to chatgpt or Gemini (I have no idea what it will say)...
***************
PROMPT: recently, a so-called security expert Harry Stein posted the following and on a scale of 1-10 where 1 he is an idiot and 10 he knows what he talking about, how would you rate him. No comments. Just a bottom-line rating. I will ask for comments afterwards.

Here is what he said:
[paste everything above the ******** line here]

I did this and my score was 9! I did not ask chatGPT to change my tone or grammar. I did not go back and read what I said. It's raw.

Thoughts?

Here is the shareable link and below is the blog site I am going to investigate this evening.

https://chatgpt.com/share/6862143c-1b4c-8004-941d-78c85e6f1495

https://dailyhodl.com/scams-hacks-breaches/

Shared via ChatGPT