Xiaomi has just announced the global launch of its flagship Xiaomi 17 series, but how does the premium 17 Ultra compare to its iPhone competitor?
Although we haven’t specifically reviewed the iPhone 17 Pro Max, we have reviewed the similarly specced iPhone 17 Pro, so we’ll draw on our experience there where applicable. However, you can see the differences between the two in our iPhone 17 Pro vs iPhone 17 Pro Max guide.
Otherwise, we’ve compared the specs of the Xiaomi 17 Ultra and iPhone 17 Pro Max and noted their key differences here. We’d also recommend that you take a look at our Android vs iOS guide which explains the fundamentals of the two operating systems, while our best smartphone list reveals our current favourites for 2026.
The iPhone 17 Pro Max is currently Apple’s most expensive handset, with a starting price of £1199/$1199 for the 256GB model. The smartphone also comes in a choice of three colours: Silver, Deep Blue and Cosmic Orange.
Qualcomm Snapdragon 8 Elite Gen 5 vs Apple A19 Pro
One of the biggest differences between the Xiaomi 17 Ultra and iPhone 17 Pro Max is with their respective processors. While the Xiaomi 17 Ultra runs on Qualcomm’s top-end Snapdragon 8 Elite Gen 5, which powers many of the best Android phones, the iPhone 17 Pro Max runs on Apple’s own A19 Pro chip instead.
We should disclaim that, although we have tried Snapdragon 8 Elite Gen 5 and A19 Pro, we haven’t yet tested the chips within the Xiaomi 17 Ultra or iPhone 17 Pro Max. Even so, we’ve seen high benchmark scores alongside seriously impressive everyday use when testing other phones running Snapdragon 8 Elite Gen 5. With this in mind, we expect the Xiaomi 17 Ultra to offer a similar performance.
As expected from a Pro Apple chip, A19 Pro is also seriously powerful. While reviewing the iPhone 17 Pro, which uses the same chip, we found the phone stayed cool during even intensive tasks like gaming, and achieved impressively high benchmark scores too. As with the Xiaomi 17 Ultra, we expect the iPhone 17 Pro Max to offer similar performance.
Xiaomi 17 Ultra features a 200MP telephoto lens
When it comes to photography ability, both the Xiaomi 17 Ultra and iPhone 17 Pro Max promise to excel. The Xiaomi 17 Ultra is fitted with a trio of rear lenses, including a 50MP main, 50MP ultrawide and mighty 200MP telephoto. In comparison, although the iPhone 17 Pro Max is also made up of a main, ultrawide and telephoto lens, all three are 48MP Fusion instead.
This is also the case with the iPhone 17 Pro, which we hailed as being one of the best camera phones. We especially praised the 8x telephoto lens, hailing it as offering the best zoom camera ever on an iPhone. This is especially noteworthy as the Xiaomi 17 Ultra boasts a mammoth 200MP telephoto which promises up to 17.2x optical zoom. Of course, we’ll have to wait until we review the Xiaomi 17 Ultra to see how it fares.
What also impressed us with the iPhone 17 Pro was the abundance of features that enhance images, such as Photographic Styles and Dual Camera mode too.
Both have 6.9-inch displays
Not only are the Xiaomi 17 Ultra and iPhone 17 Pro Max equipped with 6.9-inch displays, but so is the Samsung Galaxy S26 Ultra. It’s safe to say that if you prefer a larger phone, then you’re certainly not short of options.
Unsurprisingly, both the Xiaomi 17 Ultra and iPhone 17 Pro Max are equipped with plenty of premium screen technologies. With the Xiaomi 17 Ultra, you’ll benefit from a HyperRGB panel which Xiaomi explains “leverages independent red, green, and blue subpixels for 2K-level clarity”, an LTPO-enabled 1-120Hz refresh rate and Xiaomi Shield Glass 3.0 for up to 30% more drop resistance than the Xiaomi 15 Ultra.
The iPhone 17 Pro Max’s Super Retina XDR display also sports ProMotion technology (Apple’s term for an LTPO 1-120Hz refresh rate) and retains the Dynamic Island of its predecessors. Other than being bigger, its specs are the same as the iPhone 17 Pro, which we hailed as having one of the best screens around.
Xiaomi 17 Ultra promises faster charging
Annoyingly, one area where Apple seems to let itself down is with charging speeds. While the Xiaomi 17 Ultra boasts 90W HyperCharge wired and 50W HyperCharge wireless support, the iPhone 17 Pro Max supports 40W wired and 30W wireless.
Having said that, although it’s undoubtedly a shame that the iPhone series hasn’t quite matched the levels of its Android competitors, it’s still worth noting that generally battery life is solid and should comfortably see you through a full day.
HyperOS 3 vs iOS 26
Arguably the most influential difference between the Xiaomi 17 Ultra and iPhone 17 Pro Max is with their operating systems. The iPhone 17 Pro Max runs on iOS, specifically iOS 26 which saw the introduction of Liquid Glass, and remains one of the easiest to use interfaces in a smartphone.
In comparison, while Xiaomi’s HyperOS is an Android skin, it undoubtedly draws inspiration from iOS. With that in mind, if you want a raw Android experience then you’re better off elsewhere.
Although HyperOS is fairly intuitive and easy to run, it doesn’t offer the polished experience that an iPhone does. The main reason for this comes from the sheer amount of bloatware, which includes a second app store, AliExpress, Mi Store and many many more.
Otherwise, Xiaomi has sprinkled a decent amount of AI features across HyperOS with the inclusion of Circle to Search, Gemini access and useful photo editing tools that work well. It’s just enough to be useful, but not so much that it should be the sole reason you opt for a Xiaomi handset.
This brings us to Apple’s own AI kit, Apple Intelligence, which is found in the iPhone 17 Pro Max. Unfortunately, Apple Intelligence still feels like something of an afterthought and although some features such as Writing Assist and Clean Up for photos are useful, we still don’t think this should be the reason you opt for an iPhone.
For a deeper dive into the different operating systems, do make sure you visit our Android vs iOS guide, as our Mobile Editor has explained everything you need to know about the two.
Early Verdict
The Xiaomi 17 Ultra looks like a seriously promising Android smartphone, thanks to its mighty 200MP telephoto lens, powerful Qualcomm chip and speedy charging. With this in mind, if you’re leaning more towards an Android then the Xiaomi 17 Ultra seems like a great option.
However, the iPhone 17 Pro Max is a seriously high-specced phone. Considering we gave the iPhone 17 Pro a 4.5-star rating and a spot on our best smartphone list, the larger iPhone 17 Pro Max is a brilliant option for those in Apple’s ecosystem or anyone looking for a change.
When security teams talk about attack surface, the conversation usually starts in familiar places. Servers, identity systems, VPN access, cloud workloads, maybe browsers. Those are visible. They show up in diagrams and asset inventories.
What gets less attention are the everyday tools people use to actually get work done.
PDF readers. Compression utilities. Remote access clients. Word processors. Spreadsheet tools. Email clients. Browsers. Screen sharing software. Update managers. The background software that quietly powers normal business activity.
Most organizations do not spend much time debating whether to deploy these. They are simply part of operating in a digital economy. Contracts arrive as PDFs. Finance works in spreadsheets. HR reviews resumes. IT supports users remotely. Executives live in email and browsers. These tools become part of the environment almost by default.
At Action1, where visibility into third-party software exposure across endpoints is a daily focus, these background tools consistently emerge as a defining part of the real-world attack surface.
That commonness is what makes them attractive targets from a threat actor’s perspective.
The value of being ordinary
From the outside, modern enterprises look different. Networks vary. Architectures change. Security stacks evolve. But, inside most environments, the same classes of applications appear again and again, and more often than not, the same software titles dominate the majority of installations.
It is difficult to function in modern business without an email client, document processing software, a browser, and tools for packaging, previewing, and sharing files. Using similar products is less about preference and more about compatibility.
Business depends on exchanging information in formats everyone else can use. Without those standards, we go back to the days of file-format wars, “I cannot open that, we use something else,” and lost time just trying to make data usable. That friction is why the industry standardized, and why the same major names still dominate.
Attackers pay attention to that.
Rather than predicting every custom application an organization might run, they look for overlap. If a vulnerability appears in a widely used PDF engine, spreadsheet parser, email preview component, or remote access utility, the chances it connects with something real are high. The exploit is aimed less at unique architecture and more at familiarity.
Most successful exploitation does not rely on exotic techniques. It relies on muscle memory. Users open PDFs, Word files, spreadsheets, and links all day long. Attackers are betting those actions feel routine enough that nobody hesitates.
That familiarity shapes how campaigns are built, and it should influence how defense strategies are planned.
Many attacks historically looked like guesswork. An attacker might send a crafted email for Outlook, hoping the recipient uses Outlook. Or attach a weaponized spreadsheet, hoping Excel is present. Or send a malicious PDF, hoping the reader is vulnerable.
There is uncertainty in that approach. The exploit launches before the attacker truly knows what exists on the other end. This increases the chance that the attack is detected before it takes effect, and it risks spending valuable exploit code on a failed attempt, after which it may be captured, profiled, and scanned for from then on.
What changes with common utilities is the probability curve.
Email clients, browsers, word processors, spreadsheets, PDF readers, and archive tools appear in most business environments because the work itself requires them. An attacker does not need perfect information to expect something compatible nearby.
Instead of treating exploitation as a one-off guess, attackers think in likelihood. They invest effort where overlap is largest. The more widespread the tool, the more attractive it becomes as an entry point.
That is why vulnerabilities in these utilities move quickly through exploit ecosystems. Once something works in a familiar toolchain, it scales. If one user relies on Outlook, Word, and Adobe, there is a good chance coworkers and business relations do as well for interoperability reasons.
Figure 1: Automated detection and remediation of critical vulnerabilities in third-party applications.
The standard business footprint in practice
These tools also travel together.
If an email clearly originated from Outlook, it already hints at part of the environment. Email workflows connect to document workflows. If Outlook is present, Word and Excel are often nearby.
Each utility reinforces the presence of others.
For attackers, that enables paths rather than isolated exploits. An issue in an email client connects to attachment handling, preview engines, document renderers, shared libraries, and integrations that tend to coexist on the same system.
Instead of targeting a single application, the attack surface starts to resemble the business footprint itself, the collection of tools people rely on every day.
When vulnerabilities appear in that footprint, they attract more attention because they fit naturally into how people already work.
Quiet signals and small leaks
Another part of the story is information people do not realize they share.
Documents often contain metadata. PDFs reference the engine that produced them. Spreadsheets carry formatting behavior tied to specific suites. Email headers expose client details. Browser traffic advertises user agents. File structures reveal habits and versions.
A single attachment, email, or shared document can quietly describe parts of the software stack behind it.
In isolation it does not look sensitive. Often it is not even visible. Over time it builds a picture of what tools are common, what standards they follow, and how files are processed.
The picture includes what created a file, which version, and how recently. When details of old software show up in current workflows, the software processing those files is old. And old software often means years of exploit potential bottled up in one package. That is often what turns speculation into precision.
Those breadcrumbs help attackers shape payloads that align with what exists on the other side, increasing effectiveness while reducing noisy experimentation.
Why third-party software drifts
Most enterprises put real effort into operating system patching. Update pipelines are understood. Browsers update often. Mobile devices follow management policies. Systems start with baselines and are monitored.
Third-party utilities live differently.
Vendors ship different installers. Some auto-update. Some rely on users. Some get disabled by packaging systems. Some stay frozen because workflows depend on a version.
Over time, multiple builds of the same tool spread across endpoints. Some become stale. Some live for years with known vulnerabilities simply because they fell off the radar.
In Action1’s analysis of enterprise environments, it is common to find multiple versions of the same third-party application coexisting, some lagging years behind current security fixes. This fragmentation quietly accumulates exploit potential without triggering obvious alerts.
From a security view, that drift matters because attackers do not need new exploits. They benefit from whatever version still exists somewhere in the footprint. A five-year-old PDF reader quietly carries five years of cumulative exploit potential.
What feels like small technical debt widens the opportunity window for major exploitation.
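The drift described in this section can be measured from an ordinary software inventory export. The following is an added example, not Action1's tooling or code from the article: the hostnames, product names and versions are constructed, and it assumes the newest version seen anywhere in the fleet is a usable stand-in for "current" (a real baseline would come from vendor release data).

```python
import csv
import io
import re
from collections import defaultdict

# Constructed inventory export: one row per (endpoint, installed application).
# All hostnames, product names and version numbers are made up for illustration.
SAMPLE_INVENTORY = """\
endpoint,application,version
fin-lt-01,ExamplePDF Reader,24.2.0
fin-lt-02,ExamplePDF Reader,24.2.0
hr-ws-07,ExamplePDF Reader,19.10.3
ops-ws-03,ExamplePDF Reader,22.1
fin-lt-01,ExampleZip,23.01
hr-ws-07,ExampleZip,23.01
it-ws-01,ExampleRemote Client,10.1.0
it-ws-02,ExampleRemote Client,9.5.2
"""


def parse_version(text):
    """Turn '19.10.3' into (19, 10, 3) so versions compare numerically.

    Plain string comparison would rank '9.5.2' above '10.1.0'.
    Trailing zero components are dropped so '24.2' and '24.2.0' are equal.
    """
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def drift_report(inventory_csv):
    """Return applications installed in more than one version, worst first.

    Each entry lists the endpoints that lag the newest version seen in the
    fleet, together with how many major versions behind they are.
    """
    installs = defaultdict(lambda: defaultdict(list))  # app -> version -> hosts
    label = {}  # (app, version tuple) -> version string as reported
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        app = row["application"].strip()
        ver = parse_version(row["version"])
        installs[app][ver].append(row["endpoint"].strip())
        label.setdefault((app, ver), row["version"].strip())

    report = []
    for app, versions in installs.items():
        if len(versions) < 2:
            continue  # a single version everywhere is not drift
        newest = max(versions)
        stale = []
        for ver in sorted(versions):  # oldest builds first
            if ver == newest:
                continue
            for host in sorted(versions[ver]):
                stale.append((host, label[(app, ver)], newest[0] - ver[0]))
        report.append({
            "application": app,
            "newest": label[(app, newest)],
            "distinct_versions": len(versions),
            "stale": stale,
        })
    # Applications with the most lagging endpoints come first.
    report.sort(key=lambda entry: (-len(entry["stale"]), entry["application"]))
    return report


if __name__ == "__main__":
    for entry in drift_report(SAMPLE_INVENTORY):
        print(f'{entry["application"]}: {entry["distinct_versions"]} versions, '
              f'newest seen {entry["newest"]}')
        for host, version, major_lag in entry["stale"]:
            print(f"  {host}: {version} ({major_lag} major version(s) behind)")
```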
Trust and everyday behavior
There is also a human side to these tools.
Email, documents, browsers, and archives feel like infrastructure. People trust them like desks and keyboards. Opening a PDF does not feel like running code. Previewing an email does not feel like execution. Extracting a file feels routine.
By the time behavior looks unusual, the initial interaction already happened in a place people rarely question. These actions occur thousands of times a day, which makes tracing a compromise back to a document, email, or user extremely difficult.
Figure 2: Secure, scalable patch management across Windows, macOS, and third-party apps, with compliance reporting and 200 forever-free endpoints.
Looking at the footprint, not just the platform
For leadership teams, the value here is perspective, not fear.
Security strategies often start with the platform layer, operating systems, networks, identity, cloud infrastructure. Those matter, but they do not tell the full story of how work actually happens.
Work happens in email clients, spreadsheets, PDFs, browsers, archive tools, and remote sessions. That is where files open, previews render, links get clicked, and data moves between people.
That makes them predictable.
That is why third-party patching often carries more risk weight than expected. The operating system may be tightly managed, while the tools on top quietly define real exposure.
Looking at the footprint is less about assuming weakness and more about understanding where everyday work intersects with real security concerns.
A quieter way to think about patching
Third-party patching often feels operational rather than strategic. Yet these utilities sit at the intersection of people, files, and execution.
They are ordinary, and that is exactly why they matter.
Not because every organization looks the same, but because they look similar enough that attackers design around that similarity.
When teams examine environments, the focus is usually infrastructure. There is also value in asking what the standard business suite looks like across endpoints, how it evolves, and how consistently it stays current.
Which tools are actually needed? Which are simply part of a default deploy? Which stay installed even when unused? Which stop getting updated because nobody notices them?
This is why, in practice, teams working with platforms like Action1 consistently see third-party patching deliver a greater reduction in real-world risk than many more visible security controls. Exploitation rarely hinges on a single overlooked vulnerability. It is enabled by years of accumulated drift across third-party applications that quietly fall out of date while remaining embedded in everyday workflows.
Those conditions exist long before an exploit is written or deployed. They shape the practical attack surface by defining which software actually executes, which files get opened, and which actions feel routine enough to avoid scrutiny.
Third-party software is not adjacent to the platform — it is part of how the platform operates, and it is often where exposure concentrates when everything else appears well-managed.
Action1 is a founder-led company, brought to you by the original minds behind Netwrix. At the time of this writing, it is one of the fastest-growing private software companies in the US because organizations are recognizing that OS and third-party patching can no longer be treated as a secondary task.
Addressing modern risk requires continuous visibility into third-party software and the ability to remediate vulnerable applications across endpoints quickly and consistently. When teams evaluate modern patch management solutions, Action1 increasingly represents the option designed around that reality.
One of the problems with being a graffiti artist is that you have to carry around a different spray can for each color you intend to use. [Sandesh Manik] decided to solve this problem by building a rig that can produce a wider range of colors by mixing the paint from several cans at once. Check it out in the video below.
The project is called Spectrum. It uses four off-the-shelf spray paint cans—colored red, blue, yellow, and white—and mixes them to create a wider range of colors. All four cans are hooked up to a single output nozzle via a nest of tubing and a four-to-one tube manifold. Key to controlling the flow of paint is a custom device which [Sandesh] calls the “rotary pinch valve,” with one fitted to the feed line coming from each spray can. These valves use a motor-driven lever to pinch a plastic tube shut, allowing them to control the paint flow. This design keeps the mechanism and paint completely separate, which was important to stop paint from fouling the valves in short order. It also prevents backflow, which keeps the paint going towards the outlet and prevents ugly messes. By quickly actuating the valve, the paint flow from each can is modulated to mix various colors as desired.
The mixing valves are under the command of an Arduino Nano. The microcontroller reads a series of knobs to select the amount of each component color to mix, and displays relevant information on a screen. Then, when a pushbutton is pressed, the valves are actuated to spit out the right amount of each paint from the atomizer nozzle. [Sandesh] went so far as to include an advanced “gradient” mode, where a force-sensitive button allows the device to transition smoothly from one color to another depending on how hard the button is pushed.
It’s a neat concept which we’d love to see explored further, perhaps with a more traditional selection of CMYK paints rather than the more unusual red, yellow, blue, and white. We’ve also seen some fun spray paint projects before, like this neat wall-mount plotter. Video after the break.
The Bugatti W16 Mistral ‘La Perle Rare’, the last of a vanishing breed, marks the end of an era defined by raw mechanical power and an obsessive quest for perfection. There are only 99 of these Mistrals in total, and each starts at over €5 million. ‘La Perle Rare’, on the other hand, is a handmade one-off that will cost a little more than $8-9 million.
It all began at the 2023 Pebble Beach Concours d’Elegance, when a client commissioned Bugatti to produce something absolutely special. Over time, the client and Jascha Straub, the guy in charge of Bugatti’s bespoke business, came up with proposals ranging from a silver tint to numerous shades of white before settling on something that seemed to capture the essence of light. The project began in August 2023, and we can safely assume that the designers in Berlin and engineers in Molsheim worked long hours on it.
The exterior of ‘La Perle Rare’ is a true show-stopper, with a two-tone color scheme that separates the vehicle into two distinct areas. The top area is a warm color tinged with gold and iridescence, as well as a sprinkle of metallic particles that sparkle beautifully. The second part is a sophisticated, warm white color. Getting the separating lines between the colors just right required a lot of precision. Even the wheels received special treatment, resulting in stunning diamond-cut rims painted in the interior color of the vehicle, which is an understatement given that the wheels are coated in a custom paint combination that matches the exact colors of gold and white. The end result is a car that shines like a rare gem while maintaining the original Mistral design.
Rembrandt Bugatti’s famed Dancing Elephant sculpture is featured in a few of the car’s more subtle details, like the gear selector, body panels behind the front wheels, and even the headrests. To add a personal touch, the name ‘La Perle Rare’ is stitched in the center tunnel, stamped on the engine cover, and painted on the active rear wing. These little details return the automobile to Bugatti’s artistic roots.
Inside ‘La Perle Rare,’ the cabin takes on an entirely new level of brightness, a luminous continuation of the outer motif that is difficult to describe. Every visible piece of carbon fibre has been coated white to give it a jewel-like appearance. Door panels feature alternating white and warm gold lines that look lovely on their sculpted, concave surfaces. The ambient lighting has just the right amount of warmth to it, highlighting the interplay between light and material. The steering wheel, center console clocks, and door handles are all machined and polished aluminum, with each meant to catch reflections in a particularly stunning way.
The power comes from the same quad-turbocharged 8.0-litre W16 engine found in all Mistrals. It’s not small in any way: with 1,579 horsepower and 1,600 Nm of torque, it can go from 0 to 62 in 2.4 seconds, 0 to 124 in 5.6 seconds, and 0 to 186 in 12.1 seconds, with all of that power sent to all four wheels via a seven-speed dual clutch transmission. Top speed? The record for the fastest open-top production car, 282 mph, is already in the books thanks to this car, but for obvious reasons you won’t be able to reach that sort of speed on the road; expect closer to 236 mph if you want to play it safe. [Source]
In the time it takes you to read this sentence, the Large Hadron Collider (LHC) will have smashed billions of particles together. In all likelihood, it will have found exactly what it found yesterday: more evidence to support the Standard Model of particle physics.
For the engineers who built this 27-kilometer-long ring, this consistency is a triumph. But for theoretical physicists, it has been rather frustrating. As Matthew Hutson reports in “AI Hunts for the Next Big Thing in Physics,” the field is currently gripped by a quiet crisis. In an email discussing his reporting, Hutson explains that the Standard Model, which describes the known elementary particles and forces, is not a complete picture. “So theorists have proposed new ideas, and experimentalists have built giant facilities to test them, but despite the gobs of data, there have been no big breakthroughs,” Hutson says. “There are key components of reality we’re completely missing.”
That’s why researchers are turning artificial intelligence loose on particle physics. They aren’t simply asking AI to comb through accelerator data to confirm existing theories, Hutson explains. They’re asking AI to point the way toward theories that they’ve never imagined. “Instead of looking to support theories that humans have generated,” he says, “unsupervised AI can highlight anything out of the ordinary, expanding our reach into unknown unknowns.” By asking AI to flag anomalies in the data, researchers hope to find their way to “new physics” that extends the Standard Model.
On the surface, this article might sound like another “AI for X” story. As IEEE Spectrum’s AI editor, I get a steady stream of pitches for such stories: AI for drug discovery, AI for farming, AI for wildlife tracking. Often what that really means is faster data processing or automation around the edges. Useful, sure, but incremental.
What struck me in Hutson’s reporting is that this effort feels different. Instead of analyzing experimental data after the fact, the AI essentially becomes part of the instrument, scanning for subtle patterns and deciding in real time what’s interesting. At the LHC, detectors record 40 million collisions per second. There’s simply no way to preserve all that data, so engineers have always had to build filters to decide which events get saved for analysis and which are discarded; nearly everything is thrown away.
Now those split-second decisions are increasingly handed to machine learning systems running on field-programmable gate arrays (FPGAs) connected to the detectors. The code must run on the chip’s limited logic and memory, and compressing a neural network into that hardware isn’t easy. Hutson describes one theorist pleading with an engineer, “Which of my algorithms fits on your bloody FPGA?”
This moment is part of a much older pattern. As Hutson writes in the article, new instruments have opened doors to the unexpected throughout the history of science. Galileo’s telescope revealed moons circling Jupiter. Early microscopes exposed entire worlds of “animalcules” swimming around. These better tools didn’t just answer existing questions; they made it possible to ask new ones.
If there’s a crisis in particle physics, in other words, it may not just be about missing particles. It’s about how to look beyond the limits of the human imagination. Hutson’s story suggests that AI might not solve the mysteries of the universe outright, but it could change how we search for answers.
For a late-1990s engineer with good soldering skills, many a free pint of beer could be earned by installing modchips on the game consoles of the day. Modchips were usually a small microcontroller connected with a few wires to selected pins on the chips or pads on the board that masked or overrode the copy protection and region locking. This scene was brought back for us by a recent [Modern vintage gamer] video looking at the history of console hardware mods, and it’s worth a watch (see the video, below).
The story starts in 1996 with the original PlayStation, largely the source of those free pints for a nascent Hackaday scribe back in the day. Along the way, as he expands the story, we find other memories, for example, the LPC bus-based hijacks of the first XBox console, and the huge modding scenes on both that machine and Sony’s PS2. The conclusion is that this community left its mark on today’s consoles even though the easy hardware hacks may be a thing of the past on the latest hardware, and as past Hackaday articles can attest, jailbreaking older consoles still has a way to go.
In the early days, our recollection is that the PlayStation modchips were driven by the region locking rather than piracy, for the simple reason that Sony used 80-minute ISOs which wouldn’t fit on the then-available consumer 74-minute CD-R. We also remember them being used by people who couldn’t afford a blue debugging PlayStation, or the rare black developer model.
Consumers can expect a long wait for the next version of the iPad Pro, but the 2027 refresh will get vapor chamber cooling, not a major revamp in design.
While Apple is set to make a number of product announcements within days, the iPad Pro won’t be among them. Instead, you’re going to be waiting until early 2027 for the next iteration.
Writing in Bloomberg’s “Power On” newsletter on Sunday, Mark Gurman answers a query about the next iPad Pro and when it will launch. In his response, he tempers expectations of an imminent update, providing a more realistic outlook for the tablet line.
Rumor Score: 🤔 Possible
Samsung and the State of Texas have reached a settlement agreement over the alleged unlawful collection of content-viewing information through its smart TVs.
As part of the agreement, the TV manufacturer will revise its privacy disclosures to clearly explain its data collection and processing practices to consumers.
Last December, Texas Attorney General Ken Paxton filed a lawsuit against several TV manufacturers, including Samsung, alleging that they use Automated Content Recognition (ACR) technology to collect and process viewing data without first obtaining consumers’ express, informed consent.
In January, Texas obtained a short-lived temporary restraining order (TRO) against Samsung to stop the unlawful collection of consumer data in the state, confirming a violation of the Texas Deceptive Trade Practices Act (DTPA).
Although the order was vacated on the following day, the lawsuit remained active.
The allegations against Samsung were that it uses ACR technology to capture screenshots of consumers’ TVs to determine what they’re watching. The South Korean tech giant would use this information for targeted advertising.
In support of the TRO, the Court found that there was “good cause to believe” that Samsung automatically enrolled customers in this system using “dark patterns” that included “over 200 clicks spread across four or more menus for a consumer to read the privacy statements and disclosures.”
In a statement to BleepingComputer, Samsung stated that, while it does not agree that its Viewing Information Services (VIS) system violated any regulations, it has agreed to “make enhancements to further strengthen our privacy disclosures.”
“While we maintain our original television privacy policy and notices followed existing Texas state regulations, as a trusted brand, Samsung is proud to be at the forefront of protecting consumer privacy and security,” stated a spokesperson of Samsung Electronics America.
“The settlement affirms what Samsung has said since this lawsuit was filed – Samsung TVs do not spy on consumers. In fact, Samsung allows you to control your privacy – and change your privacy settings at any time.”
“As part of the agreement, Samsung must halt any collection or processing of ACR viewing data without obtaining Texas consumers’ express consent,” announced Texas AG Ken Paxton.
“Additionally, it compels Samsung to promptly update its smart TVs and implement disclosures and consent screens that are clear and conspicuous to ensure that Texans can make an informed decision regarding whether their data is collected and how it’s used.”
Paxton commended Samsung for agreeing to implement consumer safeguards, while he underlined that others haven’t moved with a similar fervor as of yet.
Smart TV manufacturers, including Sony, LG, Hisense, and TCL Technologies, have not made any changes in response to the lawsuits yet.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices.
The update focuses on the implant’s undetected latency on the appliances and its “sophisticated network-level evasion and authentication techniques” that enable covert communication with the attacker.
CISA originally documented the malware on March 28 last year, saying that it can survive reboots, create webshells for stealing credentials, create accounts, reset passwords, and escalate privileges.
According to researchers at incident response company Mandiant, the critical CVE-2025-0282 vulnerability has been exploited as a zero-day since mid-December 2024 by a threat actor linked to China, tracked internally as UNC5221.
Network-level evasion
CISA’s updated bulletin provides additional technical information on RESURGE, a malicious 32-bit Linux Shared Object file named libdsupgrade.so that was extracted from a compromised device.
The implant is described as a passive command-and-control (C2) implant with rootkit, bootkit, backdoor, dropper, proxying, and tunneling capabilities.
Instead of beaconing to the C2, it waits indefinitely for a particular inbound TLS connection, evading network monitoring, CISA says in the updated document.
When loaded under the ‘web’ process, it hooks the ‘accept()’ function to inspect incoming TLS packets before they reach the web server, looking for specific connection attempts from a remote attacker that are identified using the CRC32 TLS fingerprint hashing scheme.
If the fingerprint does not match, traffic is directed to the legitimate Ivanti server. CISA further details RESURGE’s authentication mechanism, saying that the threat actor also uses a fake Ivanti certificate to ensure that they are interacting with the implant and not the Ivanti web server.
The agency highlights that the certificate is used solely for authentication and verification purposes, as it is not used to encrypt communication. Furthermore, the fake certificate also helps the actor evade detection by impersonating the legitimate server.
Because the forged certificate is sent unencrypted over the internet, CISA says that defenders could use it as a network signature to detect an active compromise.
After fingerprint validation and authentication with the malware, the threat actor establishes secure remote access to the implant using a Mutual TLS session encrypted with the Elliptic Curve protocol.
“Static analysis indicates the RESURGE implant will request the remote actors’ EC key to utilize for encryption, and will also verify it with a hard-coded EC Certificate Authority (CA) key,” CISA says.
By mimicking legitimate TLS/SSH traffic, the implant achieves stealth and persistence, the American cybersecurity agency says.
Another file analyzed is a variant of the SpawnSloth malware using the name liblogblock.so and contained by the RESURGE implant. Its main purpose is log tampering to hide malicious activity on compromised devices.
A third file that CISA analyzed is dsmain, a kernel extraction script that embeds the open-source script ‘extract_vmlinux.sh’ and the BusyBox collection of Unix/Linux utilities.
It allows RESURGE to decrypt, modify, and re-encrypt coreboot firmware images and manipulate filesystem contents for boot-level persistence.
“CISA’s updated analysis shows that RESURGE can remain latent on systems until a remote actor attempts to connect to the compromised device,” the agency notes. Because of this, the malicious implant “may be dormant and undetected on Ivanti Connect Secure devices and remains an active threat.”
CISA suggests that system administrators use the updated indicators of compromise (IoCs) to discover dormant RESURGE infections and remove them from Ivanti devices.
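CISA’s point above, that the forged certificate crosses the network unencrypted and can serve as a signature, can be checked against captured traffic by fingerprinting every certificate seen in the plaintext part of a handshake. The sketch below is an added example, not code from CISA or the article; it assumes the certificate travels in a standard TLS 1.2-style Certificate handshake message, and the function names, `DEMO_FORGED_CERT` and the IoC set are constructed placeholders to be replaced with fingerprints from the bulletin.

```python
import hashlib
import struct

# Constructed stand-in for a certificate blob; real fingerprints must come
# from the IoCs in CISA's bulletin (none are reproduced here).
DEMO_FORGED_CERT = b"constructed-forged-cert-bytes"
IOC_CERT_SHA256 = {hashlib.sha256(DEMO_FORGED_CERT).hexdigest()}

def handshake_payload(stream: bytes) -> bytes:
    """Join payloads of plaintext handshake records (content type 22)."""
    out, i = b"", 0
    while i + 5 <= len(stream):
        rtype, _version, rlen = struct.unpack("!BHH", stream[i:i + 5])
        if rtype != 22:      # ChangeCipherSpec or later: no more plaintext
            break
        out += stream[i + 5:i + 5 + rlen]
        i += 5 + rlen
    return out

def certificates(stream: bytes) -> list:
    """Certificate blobs carried in Certificate (type 11) handshake messages."""
    data, certs, i = handshake_payload(stream), [], 0
    while i + 4 <= len(data):
        mtype, mlen = data[i], int.from_bytes(data[i + 1:i + 4], "big")
        body = data[i + 4:i + 4 + mlen]
        i += 4 + mlen
        if mtype != 11:
            continue
        j = 3                               # skip 3-byte certificate_list length
        while j + 3 <= len(body):
            clen = int.from_bytes(body[j:j + 3], "big")
            cert = body[j + 3:j + 3 + clen]
            if clen and len(cert) == clen:  # drop truncated entries
                certs.append(cert)
            j += 3 + clen
    return certs

def ioc_hits(stream: bytes) -> list:
    """SHA-256 fingerprints of observed certificates found in the IoC set."""
    digests = [hashlib.sha256(c).hexdigest() for c in certificates(stream)]
    return [d for d in digests if d in IOC_CERT_SHA256]

def demo_stream(ders, split_at=None) -> bytes:
    """Build a constructed server flight: ServerHello stub + Certificate."""
    lst = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    body = len(lst).to_bytes(3, "big") + lst
    msgs = b"\x02\x00\x00\x02\x03\x03" + b"\x0b" + len(body).to_bytes(3, "big") + body
    parts = [msgs] if split_at is None else [msgs[:split_at], msgs[split_at:]]
    return b"".join(struct.pack("!BHH", 22, 0x0303, len(p)) + p for p in parts)
```

Feed `ioc_hits()` the reassembled server-to-client bytes of each session; in TLS 1.3 the Certificate message is encrypted, so this check only applies where the certificate is visible in the clear.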
Anthropic’s chatbot Claude seems to have benefited from the attention around the company’s fraught negotiations with the Pentagon.
As first reported by CNBC, Claude has been rising to the top of the free app rankings in Apple’s US App Store. On Saturday evening, it overtook OpenAI’s ChatGPT to claim the number one spot, a position that it still held on Sunday morning.
According to data from SensorTower, Claude was just outside the top 100 at the end of January, and has spent most of February somewhere in the top 20. It’s climbed rapidly in the past few days, from sixth on Wednesday, then fourth on Thursday, then first on Saturday.
A company spokesperson said that daily signups have broken the all-time record every day this week, free users have increased more than 60% since January, and paid subscribers have more than doubled this year.
After Anthropic attempted to negotiate for safeguards preventing the Department of Defense from using its AI models for mass domestic surveillance or fully autonomous weapons, President Donald Trump directed federal agencies to stop using all Anthropic products and Secretary of Defense Pete Hegseth said he’s designating the company a supply-chain threat.
This post was first published on February 28, 2026. It has been updated to reflect Anthropic reaching No. 1, and to include growth numbers from the company.
In the not-so-distant past, cars weren’t as commonplace as they are today. Naturally, this also means that the now-essential elements of widespread car travel, like highways and mechanics, weren’t around yet. The gas station, which is a building on just about every corner in the modern era, was no exception. Way back in the late 1800s, early drivers had to pay a visit to their local pharmacy to purchase cans of fuel. One had to pour the fuel from the cans into their vehicle to get it running.
The most famous instance of filling up a vehicle using pharmacy supplies was in 1888, when Bertha Benz, the wife of automobile pioneer Carl Benz, drove from Mannheim to Pforzheim, Germany, in the Benz Patent-Motorwagen, the first car ever invented. Early on in her trip, she made her first benzene refueling stop at the Stadt-Apotheke pharmacy in Wiesloch, giving it the historical distinction of being the world’s first filling station. So began the trend of pharmacies providing drivers with their much-needed vehicle fuel.
Of course, in the more than a century since Bertha’s historic trip, car refueling has changed. In fact, it didn’t take long after her landmark drive for the first thing we recognize as a gas station to be established, making pharmacy refueling nothing more than a historical footnote.
It didn’t take long for true gas stations to appear
In the years following Bertha Benz’s drive, cars became more and more popular. Thus, a better way to fuel up was needed, and in the United States, the answer came in the year 1905. That year saw the establishment of the world’s first designated filling station, which opened for business in St. Louis, Missouri, and allowed folks to drive up and purchase fuel without having to get it by the canister. At the same time, it has also been claimed by Standard Oil that the real first gas station was opened two years later in 1907. This station pumped gasoline directly into cars from a massive tank.
These systems worked well enough, but there was still some evolution to be done to get us to the gas stations we know today. Less than a decade later, in 1913, Gulf Refining Company opened the doors to its first drive-up gas station. Located in Pittsburgh, Pennsylvania, on the corner of Baum Boulevard and St. Clair Street, this station also offered free air, water, crankcase service, and tire and tube installation. This extensive service is just one of the many reasons why the gas stations of yesteryear are considered better than those in operation today.
Over the past century-plus, gas stations have come a long way. Even with their flaws, and the comparatively high price of modern gas, the current setup is far and away an improvement on the old pharmacies that early drivers had to work with.