Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

During a recent investigation into AMOS InfoStealer, Kroll Threat Intelligence Team has discovered a troubling new delivery vector that leverages the growing trust users place in AI tools. In this case, attackers leveraged ChatGPT as the source of guidance, tricking victims into initiating the infection, presenting it as a legitimate solution to a common technical problem. Victims were tricked into believing they were running a harmless command to fix a sound issue on their Mac device.

This is the second in our Retail Resilience series. Check out the first article, Cyber Risk in UK Retail: A Golden Quarter Under Threat Threat actors have retail firmly in their sights. High profile breaches across giants, from Cartier, Co-op and Adidas to Marks & Spencer, underscore just how much is at stake. With sprawling customer data, complex supply chains and relentless digital transformation, the sector is a prime target for sophisticated threat groups.

Kroll Threat Intelligence is tracking a second wave of ‘Shai-Hulud’ NPM compromises, named as ‘Sha1-Hulud’ (based on the GitHub action name created as well as the public repository description it creates to publish credentials).

In today’s industrial environments, the single biggest barrier to securing operations is not technology, not budget, not even talent–it’s visibility. You cannot protect what you cannot see. In Operational Technology (OT), visibility has two dimensions: Without this combined view, organizations are left guessing where their crown jewels sit, how traffic flows across the environment and where vulnerabilities or attack paths may hide.

A cyberattack is one of the most devastating experiences a company can go through. Yet for Jaycee Roth and Justin Harvey, being there for organizations when the worst happens is business-as-usual. As part of the Digital Forensics and Incident Response (DFIR) team within Kroll’s Cyber and Data Resilience business, their guidance and support ensures companies can recover fully from the disruption caused by a security incident.

This article has been authored by Cynthia Yang and Sorabh Chopra. As cyber threats evolve, traditional credential management falls short. A mature identity and access management (IAM) framework is essential to secure digital identities and reduce risk.

Kroll has recently seen a widespread installation of an application called Calendaromatic, that Kroll Threat Intelligence (TI) is currently classifying as a potentially unwanted program (adware) but displays some functionality that gives it the potential to conduct more malicious behaviors.

As organizations adapt to hybrid work, cloud adoption, and expanding digital ecosystems, traditional perimeter-based security models are no longer enough. Zero Trust has emerged as a leading framework to help reduce risk, improve visibility, and strengthen resilience, but implementation remains a challenge for many. This whitepaper explores how organizations can adopt Zero Trust in a practical, phased approach, aligned to real business and risk priorities.

The eDiscovery landscape is undergoing a profound transformation, driven by the rapid evolution of artificial intelligence (AI). What was once a labor-intensive, manual process is now being revolutionized by technologies capable of analyzing vast volumes of data with speed, precision and insight. AI is not just a buzzword; it’s a catalyst for smarter, faster and more defensible legal workflows.

Starting in July 2025, Kroll has observed a new delivery method coming from the XWORM malware family. Previously known to leverage a self-contained executable in order to drop the final payload, XWORM now uses Ghost Crypt which is a service publicized on HackForums and used to exploit DLL side-loading vulnerabilities in known applications. The service includes support for a range of malware families, including LUMMASTEALER, BLUELOADER, RHADAMANTHYS, XWORM, DCRAT, PURELOADER, STEALC and others.