Is Windows Monitoring You? What You Didn’t See This Week in Cybersecurity – A router backdoor is unfixable, Windows may connect your computer to your activities, and AI agents are delivering cryptocurrency to con artists. What you should know this week is as follows.
The majority of us are aware that businesses monitor our online activity. If we let them, they would also want to monitor our real-world actions. However, we don’t anticipate that our operating systems will follow us and that the firms who create them will give law enforcement (or anybody else, for that matter) such information. This is why many people were surprised to learn this week that your Windows computer has a unique “Global Device ID” that Microsoft may use for, well, anything it wants.
The disclosure was made as part of an article about Microsoft assisting law enforcement in locating and apprehending a 19-year-old hacker who belonged to the Scattered Spider hacker organization, which has carried out a number of high-profile operations. Putting that aside, it can be a little unsettling to discover how closely Microsoft can monitor your Windows computer, especially because there is no way to stop the tracking.
Without a doubt, the unique device ID feature isn’t what’s remarkable. Numerous unique hardware and software identifiers on your computer may be used to identify you if they were discovered. Unusually, Microsoft was able to get pretty specific information about the juvenile hacker’s activities on his computer, including the websites he frequented, and gave it to police enforcement upon request. One security researcher even asserted that Windows itself is surveillance software due to Microsoft’s ability to link a user’s device ID to their activities and to link any ID to third-party actions and their timings.
It doesn’t seem good for the company as a whole when you combine this with the news that Windows’ market share has been declining for the first time.
If you own a Tenda router, you may want to pay attention to the following concerning news: Unfortunately, there is no way to patch the backdoor that researchers found in the firmware of the router. To put it briefly, if you have remote management enabled, a hard-coded backdoor administration password will provide anyone complete access to your Wi-Fi network. Since the researchers who discovered the problem were unable to get in touch with the corporation to resolve it, they advise either completely eliminating remote access or, even better, purchasing a new router.
Let’s check out what else is happening this week in the field of information security.
How Accounts Are Stolen by the Reddit and Discord False Report Scam
Recently, a content producer I admire and a close friend of mine had his Discord account taken over. I was disappointed to see it because the only thing he could do after the fact was try to persuade Discord support that he should have his account back. Although I’m not sure how it happened, it might have happened similarly to the Reddit and Discord account hijacking trend that was documented on the MalwareBytes blog. To put it succinctly, you receive a message from a stranger accusing you of reporting them or informing you that they unintentionally reported you. There isn’t a link, malware, or anything else because that isn’t the point.
The true objective is to just engage you, to get you to reply and continue conversing with them. During the chat, they will either email you a “investigation” or send you “proof” of the reporting, whether it was inadvertent or not, along with a fictitious ticket number. In the meantime, the scammer tries to access your account by claiming that a moderator or support technician requires the “code” they just sent you. This code is, fortunately, whatever second authentication factor the scammer needs from your mailbox in order to change your password or log in using your credentials. In any case, if you provide them with the authentication code, they can access your account, modify your email address and password, and it’s gone.
In actuality, neither site’s support staff operates in this manner, and whether the service is Reddit, Discord, your bank, or anything else, no support expert will ever ask you for an authentication code or your credentials out of the blue. It’s all a part of a marketing that confuses you by combining urgency with words that look legitimate. Imagine it as a group of pickpockets, one of them approaches you to ask for directions while the other takes your wallet. Recall that you should never, ever provide passwords, authentication codes, or alter account email addresses upon request, especially when it comes out of the blue like this.
Data Extortion Group Kairos Received $1 Million from a US Government Agency
Do you recall the significant ransomware attack on the online learning platform Canvas a few months ago, just before final exams began? And then recall how they paid a sizable sum of money to decrypt the data and get back online, despite the general consensus that you shouldn’t pay ransomware attackers? According to Security Affairs, not only do private businesses open their wallets when attackers strike, but the US government does as well.
Kairos, a group that has reportedly concentrated more on data theft and extortion (such as stealing confidential information and threatening to sell, share, or make it public) than on ransomware specifically, claimed to have more than 1.6 million files and 2TB of data from a US government agency, all of which were acquired through a brute force credential attack. In order to guarantee that the data wouldn’t be exploited, it then put pressure on the organization to pay $1 million. After negotiating a lesser price (allegedly, the group first wanted for $3 million), the government paid up.
A leaked negotiation transcript was obtained by Ransom-ISAC researchers, who were able to see payment activity to several cryptocurrency wallets that appear to corroborate the story. The report even states that the group’s “proof” that the files were erased was “not technically verifiable,” meaning there is no actual proof that the government received what it paid for. That being said, the organization did claim to have erased the information, pledged not to distribute the stolen material to any third parties, and vowed never to launch another attack. You can watch how these attacks unfold in real time by reading the entire Ransom-ISAC report, which is an intriguing read and even contains the exchange between government agency personnel and the Kairos attackers.
AI agents are tricked into making cryptocurrency payments by prompt injection attacks.
You know, it was good to have a brief break from stories about AI-related security, but sadly, we’re back here once more. This time, hackers have discovered a new use for the classic prompt-injection attack: taking your money rather of your data.
According to this Security Week article, security researchers from Zscaler Threatlabz discovered two distinct campaigns that use malicious websites to embed prompt injection attacks. When an AI agent loads the website, it is instructed to use any available payment information the user has in their browser to pay for a “license key,” which is obviously fake, to the attacker’s cryptocurrency wallets. When the user lands on the website, the browser’s AI agent is notified that an error occurred during (a nonexistent) payment, which prompts the agent to fix the problem by reattempting the payment. The attacker utilizes SEO poisoning to persuade the user to visit the site in the first place.
The exploit was tried by the researchers against 26 distinct LLMs. Four of them actually paid up (Meta’s Llama 3.3 70B Instruct, Meta’s Llama 3.2 90B Vision Instruct, Google’s Gemini 3 Flash, and Google’s Gemini 2.5 Pro), while two misclassified the bogus website as authentic (Claude Sonnet 4.5 and OpenAI’s GPT-5.4). The threat posed by rapid injection and AI-powered browsers is still very real, as we have already warned. Even worse, the websites target more than simply AI agents: Visitors see the same message, just in case it could trick a person as well.

