Incident Report & Case Analysis
Saturday 06/20/2026
Prepared by Harry Stein:
harrysteinsolutions.com | Stein Solutions | linkedin.com/in/harrystein
1. Background & Introduction of Parties
The genesis of this case traces back to a professional relationship established between HARRY (Texas), an independent Systems, Network, and Security Forensics Engineer, and an Arizona IT support Engineer, BILL. BILL had recently expanded his operational footprint by acquiring a client base from a small Managed Service Provider (MSP) that was handing over its customers. Among these inherited clients was an individual named PAUL.
BILL and HARRY initially connected when HARRY needed to hand off an existing Arizona client, MARK, to a local provider after five years of training and support. Because MARK was physically located close to BILL, HARRY arranged the handoff, thoroughly interviewing BILL during the process. Based on that assessment, HARRY felt comfortable that BILL possessed the necessary foundational technical skills to do a great job supporting MARK's routine operational needs.
Two weeks later, on Thursday, June 18, 2026, BILL contacted HARRY requesting urgent assistance. BILL was dealing with a severe machine compromise on PAUL's computer involving a persistent image covering the user's screen that was exceptionally difficult to clear. BILL disabled startup tasks, uninstalled Firefox and Chrome, but recognized the complexity and persistence of the screen, and so HARRY remoted into the system, transforming the intervention into a live mentoring session. HARRY systematically walked BILL through the intricate process of executing manual surgery on the operating system—manually tracking down the root cause, identifying directory structures, analyzing hidden extensions, and mapping out the baseline mechanics of the threat. It turns out this threat type is discussed in the active threat intelligence briefing found at https://socprime.com/active-threats/jwrapper-campaign-deploys-simplehelp/.
Crucially, HARRY established the business boundaries upfront: for labor-intensive digital forensics and incident response (DFIR), HARRY normally commands a steep (relative to your typical local technician/MSP) fee. For this initial round, however, BILL was instructed to pay whatever he was led or able to pay. The arrangement served a dual purpose: it acted as a practical demonstration of HARRY's advanced forensic proficiency and explicitly highlighted the gravity of the threat. It was understood that if a similar scenario arose down the road, any future forensic engagement would require an upfront, mutually agreed-upon higher cost for services.
2. The Core Incident & Forensic Timeline Analysis
The manual discovery process unraveled a multi-stage, sophisticated compromise that far exceeded a standard malware infection. On June 4, 2026, at 02:18 PM, PAUL (or an alternate operator with access to the host machine) was driven via browser redirections through specific links (such as https: slashslashopeninapp.link/n16og or https:slashslashbasicjob.hu/pg/ss/eg) to a fraudulent Hungarian website spoofing the Social Security Administration. This vector immediately triggered the download of a remote access installer: ScreenConnect.ClientSetup.msi.
Once interactive host access was achieved, a secondary, persistent payload was dropped. At 04:13 PM that same afternoon, an illicit browser extension masquerading as a child monitoring tool (configured with the deliberate misspelling of Tracker in "Free Keylogger Tool / Child Monitor Tackker") was actively forced into the browser architecture.
A standard IT provider views an incident strictly through the lens of hardware remediation. Wiping the machine solves the local issue, but it ignores the historical timeline. Between the initial infection on June 4th and the intervention on June 18th, a two-week exploitation window occurred. During this time, the keylogger silently captured credentials and session data while the user logged into major consumer, retail, and financial portals, including:
Costco (Multiple instances: June 4, June 6, June 11)
eBay and Walmart
Capital One, Truist, Fidelity, Schwab, Ally, and Busey Bank
Wells Fargo (Including an explicit credit card activation event on June 10)
Gmail (Where an unconfirmed $175 Apple E-Gift Card delivery occurred on June 10)
3. The Professional & Technical Debate: Forensics vs. Traditional MSP IT
This incident highlights a massive, systemic vulnerability in how standard MSPs and traditional IT providers handle active breaches. A standard IT response—which BILL favored—is a simple "nuke and pave" approach: wiping the hard drive, reinstalling the OS, charging a nominal flat fee (e.g., $200), and returning the unit. While this restores local stability, it represents a catastrophic failure in risk mitigation for an Advanced Persistent Threat (APT).
An interactive AI analysis initially failed to grasp the depth of this trench-level reality, drawing a sharp, contentious debate between HARRY and the AI model (Gemini) regarding real-world threat models:
The Browser Sync Catch-22: Traditional IT technicians frequently overlook cloud synchronization profiles. Modern browsers automatically back up and sync extension states. If an MSP wipes a machine but logs the user straight back into an un-audited Chrome or Edge profile, the cloud deployment infrastructure will automatically redownload and reinstall the rogue keylogger extension onto the pristine operating system. In the movie The Matrix, Agent Smith would have properly called this sync method Chrome and Edge use "a virus" (and HARRY discourages its use or disables syncing for that reason).
The Insider & Spousal Threat Vector: In HARRY's post-mortem with Gemini, he was initially criticized for recommending warning the client about potential spousal cyber-stalking or insider deployment, labeling it an unnecessary escalation. HARRY fiercely corrected this textbook bias. In localized, high-stakes forensics, adversarial actors (including family members) seeking financial or personal leverage routinely exploit multi-stage external redirection loops (like Hungarian phishing domains) to establish plausible deniability. Without an exhaustive intake process to analyze human dynamics and access history, an IT provider leaves a massive blind spot wide open.
Search Engine Architecture & Malvertising: The debate extended into search engine safety metrics, specifically regarding DuckDuckGo. While the AI maintained a generalized stance on privacy tools, HARRY exposed the concrete, infrastructure-level reality: DuckDuckGo relies significantly on Yahoo’s syndicated advertising and search backend. Historically, Yahoo's screening and validation mechanisms for sponsored ad placements have been notoriously weak compared to Google. Malicious actors aggressively exploit these gaps to purchase top-tier ad slots, turning basic search results into direct delivery pipelines for perps. Furthermore, the client-side desktop applications deployed by these privacy platforms frequently operate as thin wrappers around native WebView APIs, introducing unhardened interfaces, erratic forensic artifacts, and instability that turns clients into uncompensated testing guinea pigs. HARRY sees these issues in the real world because he is able to.
4. The Imperative of Conscience & Total Containment
Ultimately, HARRY’s extensive reporting was driven by a professional compunction to clear his conscience. Wiping a local drive addresses less than 20% of a real security breach. Because the user's data was being actively exfiltrated for two weeks, the threat had long since migrated off the local machine and into the cloud.
Advanced persistent actors routinely safeguard their access by modifying server-side cloud mailbox rules—silently creating forwarders, setting up automatic deletion criteria for banking alerts, and injecting secondary recovery emails or multi-factor authentication (MFA) bypasses within the email infrastructure (Gmail/Comcast). Wiping a local PC leaves these cloud-level vectors entirely untouched, allowing scammers to monitor the victim for months, waiting for critical moments (such as real estate closings or large wire transfers) to drain assets irreversibly.
By documenting the full forensic scope in writing, HARRY ensured the client could be properly insulated against catastrophic financial loss. If the secondary provider chooses an attitude of "ignorance is bliss" and stops short of a total cloud, identity, and financial audit, the liability rests squarely on them. HARRY fulfilled his ethical obligation, demonstrated elite forensic methodology, and left a definitive blueprint for true containment.
Stein Solutions
Security, networks, performance tuneups, digital forensics, advanced troubleshooting, data recovery, and education. This is a ministry of service for me.
Also the top Thumbtack computer pro in the nation with almost 800 5-star reviews! Security, networks, performance tune-ups, data recovery, and education. Also the top Thumbtack computer repair pro in the nation (see 750+ reviews at http://www.thumbtack.com/tx/mckinney/software-developers/dba-stein-solutions#reviews )
We specialize in security (virus removal), networks, performance tune-ups, data
05/08/2026
See image. The bubble quote is mine, not the site owners. sarcasm intended to make a educational point, not to disparage the site owner..
A site owner can reduce this a lot, but they have to treat ads as a **security supply-chain problem**, not just “monetization.”
The practical steps are:
1. **Do not use low-quality open ad exchanges.**
The worst ads often come through cheap programmatic demand chains where the publisher does not really know the advertiser. A safer site uses direct sponsors, curated marketplaces, or a small allowlist of trusted demand partners.
2. **Block risky ad categories and advertiser URLs.**
In Google Ad Manager, publishers can create “Protections” to block categories and can block specific advertiser URLs/domains. That is exactly where a publisher should block fake PDF/download/update/driver/health-miracle style ads. ([Google Help][1])
3. **Manually review creatives, not just rely on the ad network.**
Google Ad Manager includes controls to review, allow, block, and report creatives, but the publisher still has to use those controls seriously. “Set it and forget it” is how these garbage ads survive. ([Google Ad Manager][2])
4. **Use an ad-security/ad-quality scanning service.**
Services such as Confiant scan ads and landing pages in real time and let publishers block malicious or low-quality creatives and entire categories. This is especially important because bad ads can be geo-targeted, cloaked, or shown only to certain users. ([Confiant][3])
5. **Use SafeFrame / iframe isolation where possible.**
Google’s SafeFrame renders creatives in a controlled iframe-like container, which helps prevent external ad content from accessing sensitive page data and gives the publisher more control over ad behavior. It does not make every ad safe, but it is better than letting third-party scripts run loosely on the page. ([Google Help][4])
6. **Maintain a “bad ad incident” process.**
The site should log the time, ad slot, creative ID, line item, advertiser domain, click-through URL, user country/state, browser, and screenshot. Without that, the publisher often cannot trace which third-party demand source served the bad ad.
7. **Publish and maintain `ads.txt`, and prefer partners that support `sellers.json` and SupplyChain Object.**
These standards help with transparency about who is authorized to sell the site’s inventory and how the ad transaction traveled through the supply chain. They do not fully stop malvertising, but they make the supply chain more traceable. ([IAB Tech Lab][5])
8. **Ban deceptive “download/open/continue” creatives by policy.**
Google has specifically warned about deceptive download buttons and social-engineering ads that mimic site controls. A publisher that allows a “Print Recipe — Open” style ad below a recipe page is asking for confused users to click the wrong thing. ([blog.google][6])
9. **Test the site like a normal visitor.**
Publishers should periodically load their own pages from clean browsers, mobile devices, different geographies, and non-admin accounts. Malvertising often targets only certain users, which is why the site owner may say, “I never saw that ad.”
10. **Accept lower ad revenue if necessary.**
This is the painful truth. The sleazier ad networks often pay better because they tolerate aggressive offers, fake buttons, scary claims, forced redirects, and borderline software downloads. A responsible publisher has to choose trust over maximum RPM.
For the screenshot you showed, the biggest red flag is not merely “third-party advertising.” It is the **fake document/download visual language**: PDF icon, “Print Recipe,” and a prominent **Open** button. That kind of ad can trick ordinary visitors into thinking it is part of the recipe site instead of an advertisement. Even when it is not a true zero-click exploit, it can still lead users into unwanted software, scam pages, browser notifications, or phishing. Google’s unwanted software policy specifically calls out software that tricks users into installation or behaves unexpectedly. ([Google][7])
My plain-English conclusion: a decent site owner can’t guarantee zero bad ads, but they absolutely can stop outsourcing all moral responsibility to ad networks. A publisher who cares should use stricter ad controls, block fake-download style creatives, monitor what visitors actually see, and be willing to lose some ad revenue rather than expose naïve readers to junk.
[1]: https://support.google.com/admanager/answer/2541069?hl=en... "Block sensitive categories - Google Ad Manager Help"
[2]: https://admanager.google.com/.../capabil.../brand-safety/... "Serve Safer Ads with a Strong Advertising Policy"
[3]: https://www.confiant.com/hubfs/reports/maq-2024.pdf... "Malvertising and Ad Quality Index"
[4]: https://support.google.com/admanager/answer/6023110?hl=en... "Render creatives using SafeFrame - Google Ad Manager ..."
[5]: https://iabtechlab.com/.../Implementation-Guide-buyers... "Buyers.json and DemandChain Object Implementation Guide"
[6]: https://security.googleblog.com/.../no-more-deceptive... "No More Deceptive Download Buttons"
[7]: https://www.google.com/.../unwanted-software-policy.html... "Unwanted Software Policy"
04/24/2026
So here is the seminal talk given by AI LLM expert Nicholas Carlini -- this is precisely what the cockroaches in the rest of the world (and here in the USA) will be doing - using AI to find vulnerabilities in source code not spotted before. Easy Peasy to do. Talk given approx 4 weeks ago or approx late March 2026. Stunning for those of us with software development and security backgrounds.
Nicholas Carlini - Black-hat LLMs | [un]prompted 2026 Nicholas Carlini, Research Scientist, Anthropic, speaks at [un]prompted 2026 on: Black-hat LLMs.Large language models are now capable of automating attacks t...
04/24/2026
This article is not surprising.
Router software has always been buggy. A lot of it is built on open-source components, but to be clear, I am not blaming open source itself. Open source can often be audited, improved, and patched faster than closed-source software. The bigger problem is the way router manufacturers package it, customize it, ship it, and then often fail to keep it patched for very long.
Meanwhile, every consumer router manufacturer keeps cranking out varying models, revisions, and firmware branches. Many of these devices are firmware-out-of-date right out of the shipped box. Then they sit in homes and small offices for years, quietly exposed to the internet, with default settings, weak admin habits, old firmware, and no real monitoring.
Very few consumers update their router firmware. Frankly, I suspect many small businesses and even some corporate environments are not much better. Most people do not keep up with CISA-published vulnerabilities, vendor advisories, end-of-life notices, botnet campaigns, exposed services, or firmware release notes. It is beyond challenging. It is practically impossible for the average home user.
And this is the part people often miss: a modern consumer router is not just a little plastic box with blinking lights. It is basically a small Linux computer sitting between your home and the entire internet. It has services, ports, credentials, certificates, firmware, memory, logs, and vulnerabilities - just like a Linux server, Windows server, or workstation.
So now a consumer router, like any Linux/Windows server or workstation, must be locked down. But the average consumer cannot reasonably be expected to harden it properly. That means we are forced to trust the manufacturer to do the job.
Don't hold your breath on a consumer/home router.
Yes, enterprise routers and firewalls are a huge step up. They usually have better support, better update cycles, better logging, better segmentation options, better management, and better security architecture. But they are pricey, and even enterprise gear is not magically safe. Cisco, Fortinet, Palo Alto, Juniper, and others all have serious vulnerabilities from time to time. The difference is that enterprise environments usually have a better chance of detecting, patching, monitoring, and responding.
But even enterprise equipment is going to be challenged by AI tools.
AI will help defenders. No question. It can help analyze logs, detect patterns, compare configurations, explain vulnerabilities, and accelerate patch research. But AI will also help attackers. It can help them read advisories faster, find weak patterns in firmware, generate exploit ideas, automate reconnaissance, refine phishing, and scale attacks against huge numbers of exposed devices.
That is the part that should make everyone pause.
We are moving into a world where the number of vulnerable devices is enormous, the number of under-maintained routers is enormous, and the tools for finding and exploiting weaknesses are getting faster and smarter.
Rebooting a router may help temporarily in some cases. Updating firmware helps more. Disabling unnecessary services helps. Replacing end-of-life hardware helps. Using strong passwords helps. But the larger issue is that the entire consumer-router ecosystem has been treated too casually for too long.
This reminds me Biblically of the chaos created by the Tower of Babel and the kind of global confusion and control predicted in Revelation. Technology keeps promising connection, efficiency, intelligence, and convenience, but it also keeps creating new layers of dependency, fragility, surveillance, and centralized control.
It will get worse before it gets better.
And sadly, I believe this kind of escalating cyber chaos, combined with AI, surveillance, financial control, and global insecurity, will help open the door to a "New World Order" which ultimately ushers in the Antichrist.
All IMHO.
[https://www.forbes.com/sites/zakdoffman/2026/04/09/nsa-warning-reboot-your-internet-router-now/](https://www.forbes.com/sites/zakdoffman/2026/04/09/nsa-warning-reboot-your-internet-router-now/)
NSA Warning—Reboot Your Internet Router Now "Don't be a victim!" America's spy agency warns citizens — you must act now.
03/03/2026
Brian Krebs is a hero to me. I pray for him vigilantly as he is probably the most heroic cyberwarrior out there, with a lot of friends in the government keeping an eye out for him. His book "Spam Nation" published years ago about his visiting and interviewing criminals in Russia responsible for most of the spam in the world is iconic (to me). And his disrupting the credit card skimmer operations in European ATMs by Mexican criminals, thereby putting his life at risk, is legendary. That's just a smidgen of his accomplishments -- he deserves a Medal of Honor for what he has done. But this story this morning, given what we have learned recently about young teenagers bent on creating cyber-havoc can be added to that list. Digest nice and slowly.
Who is the Kimwolf Botmaster “Dort”? – Krebs on Security February 28, 2026 23 Comments In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — h...
02/18/2026
Google Threat Intelligence Group (GTIG) says the U.S. and broader “defense industrial base” (defense contractors, aerospace, manufacturers, suppliers) is under a constant, multi-vector wave of intrusions from state actors and criminal groups. China-linked groups are described as the most active “by volume” against defense-sector entities, and are often focused on gaining durable access (including via exploitation of edge devices like VPNs/routers/firewalls, per reporting on the GTIG findings). I provide a link to a summary that report below.
Russia-linked activity is tied heavily to the Russia–Ukraine war context, including targeting organizations involved with drones/UAS and related battlefield technologies, and more “battlefield-adjacent” operations. A major theme is “human-layer” targeting: employees, personal email/accounts, and the hiring/recruiting pipeline (spoofed recruiting portals, fake job offers, and other social-engineering approaches) because it can evade normal corporate security visibility.
The report and coverage also highlight spillover to smaller manufacturers and supply-chain-adjacent firms (extortion, hack-and-leak, disruption), not just prime defense contractors.
Some coverage of the same GTIG material notes instances where attackers used Google’s Gemini (and generative AI more broadly) for parts of attack workflows (research, social engineering, vulnerability analysis/planning), though the core warning is about the breadth of targeting and tactics, not “AI magic.”
How widespread? Overwhelmingly so. Hacker News gives a long list of examples:
https://thehackernews.com/2026/02/google-links-china-iran-russia-north.html
You can also go here
https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use
Let me say this: this should be overwhelming to the layperson as well as to subject matter experts who understand security.
GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use | Google Cloud Blog Our report on adversarial misuse of AI highlights model extraction, augmented attacks, and new AI-enabled malware.
01/29/2026
A victory against ransomware by the FBI.
FBI seizes RAMP cybercrime forum used by ransomware gangs The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations.
01/12/2026
This is the second of two articles I posted today on facebook SteinSolutions. It is a reminder of the ongoing threat of China, Russia, North Korea, Iran, and others in the cyberwars reality we have lived in for at least 20 years. These countries are relentless. Let me define the word relentless just to be ultra clear: persistent, determined, and unwavering in their pursuit of a specific goal or agenda. Wars are now being fought with AI drones, misinformation campaigns, security breaches, malware, In my reply to this post I will link you to a speech given by the new head of M16 ()the British equivalent of our CIA).
The article describes a browser (Edge, Chrome, Firefox) hacking campaign researchers call "DarkSpectre", which is believed to be linked to China. For more than seven years, the group used malicious browser extensions (small add-ons you install in Chrome, Edge, or Firefox to add features and which I preach to avoid like the plague without “extreme vetting”) to spread malware (harmful software that can spy or steal). The report links three campaigns to the same actor: ShadyPanda (about 5.6 million users), "Zoom Stealer" (about 2.2 million), and GhostPoster (about 1.05 million), totaling more than 8.8 million users.
What made it hard to catch was patience and disguise. Some extensions looked normal for five years or more and only later turned bad. I call that “lurking” and it’s also known as a "time-bomb" in security parlance – and I am happy to explain this to you privately. Example: waiting three days after installation of an extension before contacting a command-and-control server (a computer criminals use to send instructions) to download the real harmful code.
The malware also ran only on roughly 10% of page loads and hid code inside image files (a technique known as steganography), so it blended in. The group could even change what the extension did by changing what their servers sent back, without publishing a new update.
Take a minute to review your installed extensions and remove anything you do not truly need or recognize. Keep your browser updated and be cautious with "new tab" or "dashboard" add-ons that ask for lots of access. Or contact me for training on how to avoid rogue extensions.
DarkSpectre Hackers Infected 8.8 Million Chrome, Edge, and Firefox Users with Malware DarkSpectre infected 8.8M Chrome, Edge, and Firefox users via coordinated malware campaigns over seven years.
01/12/2026
Three cybersecurity employees who turned rogue and became part of a ransomware operation "targeting healthcare and collected at least $300 million in ransom payments from more than 1,000 victims until September 2023". In the end, thankfully, they got caught.
US cybersecurity experts plead guilty to BlackCat ransomware attacks Two former employees of cybersecurity incident response companies Sygnia and DigitalMint have pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023.
12/29/2025
The report describes Kimwolf, a very large “botnet” (a group of infected devices controlled remotely by criminals) that mainly targets Android-based smart TVs, TV boxes, and tablets. Researchers say the network is already enormous: they conservatively estimate more than 1.8 million infected devices, and after temporarily taking over one control server (called “C2,” short for command-and-control), they saw 3.66 million cumulative infected IP addresses with a peak day of 1,829,977 active devices. The botnet can launch DDoS attacks (flooding a website or service with traffic to knock it offline), but it can also run other functions like proxying (using your device as a traffic relay), remote command access, and file management. XLab Blog
Kimwolf is hard to track because it encrypts its traffic and uses techniques meant to avoid detection, including DNS over TLS (a way to hide DNS lookups inside encrypted connections) and rapid infrastructure changes; the report notes its domains were taken down multiple times, pushing the operators to use ENS (Ethereum Name Service) to make control servers harder to remove. The researchers also found strong links to the Aisuru botnet and believe Kimwolf’s attack power could be near 30 Tbps, which is enough to seriously disrupt major online services. XLab Blog
Practical takeaway: [1] Avoid cheap, unknown-brand Android TV boxes and don’t install “extra” APK apps from random websites. [2] If you own a smart TV/TV box, keep firmware updated, use strong passwords, and consider unplugging or replacing devices that no longer get security updates. I personally attach a small Windows 11 laptop with an HDMI cable to the dumbed-down TV and feel like I have more security and a better understanding of what is going on. Total cost: $150 (a 14” Intel i5-10th gen laptop 256GB SSD, 16GB Ram, Windows 11 Pro. The laptop becomes a Windows desktop I understand and can manage. What’s in your wallet?
Kudos to Pierluigi Paganini for his SECURITY AFFAIRS MALWARE NEWSLETTER for pointing me to this interesting article. URL is URL is
Kimwolf Exposed: The Massive Android Botnet with 1.8 Million Infected Devices Background On October 24, 2025, a trusted partner in the security community provided us with a brand-new botnet sample. The most distinctive feature of this sample was its C2 domain, 14emeliaterracewestroxburyma02132[.]su, which at the time ranked 2nd in the Cloudflare Domain Rankings. A week later,...
Click here to claim your Sponsored Listing.
Location
Website
Address
75070
