🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Attackers With Decompilers Strike Again (SmarterTools SmarterMail WT-2026-0001 Auth Bypass) - The content posted at the URL is controlled by **watchTowr Labs** . watchTowr Labs is described as the "epicentre of offensive security expertise at watchTowr" and focuses on research and innovation to power their Preemptive Exposure Management technology . The research published by watchTowr Labs is a demonstration of what powers the watchTowr Platform, which offers automated, continuous testing against real attacker behavior . 🔍 Show Kagi Synopsis
  A critical authentication bypass vulnerability, **WT-2026-0001**, has been discovered in **SmarterTools SmarterMail** that allows unauthorized users to reset administrator passwords.
  
  - **What Happened**: Attackers can exploit this vulnerability by accessing the `force-reset-password` endpoint anonymously. This allows them to reset an administrator's password without needing the old password or any form of authentication. The exploit appears to have been available shortly after the patch for version 9511 was released.
  
  - **Who is Affected**: **SmarterMail deployments** that have not been updated to version 9511 are vulnerable. Active exploitation has been noted.
  
  - **Security Implications**:
  - **Authentication Bypass**: The core issue is the ability to bypass authentication for password resets.
  - **Admin Takeover**: This bypass can lead to a full takeover of administrator accounts.
  - **Remote Code Execution (RCE)**: Once an attacker gains administrative access, they can potentially achieve RCE through methods like Volume Mounts, allowing them to run operating system commands.
  - **Username Enumeration**: The vulnerability may also facilitate username enumeration.
  - **Bypassed Password Brute Force Detector**: The exploit bypasses the password brute force detector.
  
  - **Technical Details**:
  - The vulnerability lies within the `ForceResetPassword` function.
  - The exploit involves manipulating inputs such as `IsSysAdmin`, `Username`, `OldPassword`, `NewPassword`, and `ConfirmPassword`.
  - The privileged path of the code bypasses authentication checks. It uses `AdministratorGetByUsername` to retrieve user information and then `AdministratorUpdate` to set a new password without verifying the `OldPassword`.
  - There are no authentication checks on the administrator reset path.
  - Debug information like `check1..` in logs might indicate exploitation attempts.
  
  - **What Defenders Should Know**:
  - **Patch Immediately**: Update SmarterMail to version 9511 or later.
  - **Audit Admin Accounts**: Review and audit all administrator accounts.
  - **Monitor Endpoints**: Monitor the `ForceResetPassword` endpoints for suspicious activity.
  - **Log Analysis**: Examine logs for debug information such as `check1..` which may indicate exploitation.
  - **Input Validation**: Ensure proper validation of all inputs, especially for password reset functions.
  - **Secure Password Resets**: Implement multi-factor authentication (MFA) or token verification for all password reset processes.
  - **Restrict Access**: Limit anonymous access to sensitive endpoints.
  - **Review Patch Notes**: Carefully review patch notes for security updates and upgrade guidance.
• Cisco Security Advisory: Cisco Unified Communications Products Remote Code Execution Vulnerability - "The Cisco PSIRT is aware of attempted exploitation of this vulnerability in the wild" - Cisco 🔍 Show Kagi Synopsis
  A critical **remote code execution (RCE)** vulnerability has been identified in **Cisco Unified Communications Products** 【1】.
  
  **What Happened:**
  The vulnerability stems from **improper validation of user-supplied input in HTTP requests**. This allows an unauthenticated, remote attacker to **execute arbitrary commands on the underlying operating system** of affected devices 【1】.
  
  **Who is Affected:**
  The following Cisco products are affected:
  - Cisco Unified Communications Manager (Unified CM)
  - Cisco Unified Communications Manager Session Management Edition (Unified CM SME)
  - Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P)
  - Cisco Unity Connection
  - Cisco Webex Calling Dedicated Instance 【1】
  
  **Security Implications:**
  The security implication is **critical** 【1】. A successful exploit could enable an attacker to **gain user-level access** and subsequently **elevate their privileges to root**, giving them complete control over the affected system 【1】. Exploitation of this vulnerability in the wild has been observed 【1】.
  
  **Technical Details:**
  The vulnerability is triggered by **improper validation of user-supplied input within HTTP requests** 【1】. This flaw allows attackers to send specially crafted requests that lead to the execution of arbitrary commands on the device's operating system 【1】.
  
  **What Defenders Should Know:**
  - **No workarounds are available** for this vulnerability 【1】.
  - **Cisco has released software updates** to address this issue and strongly recommends customers **upgrade to the fixed software releases** 【1】.
  - Defenders should consult the advisory for **specific fixed release information** for each affected product and instructions on migrating to fixed releases or applying specific patches 【1】.
  - Customers requiring assistance with upgrades or having questions should **contact the Cisco Technical Assistance Center (TAC)** 【1】.
• KONNI Adopts AI to Generate PowerShell Backdoors - **Check Point Research** is the organization that controls the content posted at the URL https://research.checkpoint.com/2026/konni-targets-developers-with-ai-malware/. Check Point Research is described as the intelligence and research arm of **Check Point Technologies** and provides leading cyber threat intelligence to **Check Point Software** customers and the broader intelligence community. 🔍 Show Kagi Synopsis
  A North Korean-aligned threat actor known as **KONNI** has been observed employing **AI-generated PowerShell backdoors** in a sophisticated phishing campaign. This campaign specifically targets **software developers and engineering teams**, with a particular focus on those involved in **blockchain and cryptocurrency projects**. The threat actor's aim appears to be gaining access to sensitive assets by compromising development environments.
  
  The security implications of this campaign are significant, as a successful compromise could lead to the theft of **critical infrastructure, API credentials, and cryptocurrency holdings**. The use of AI in malware creation by KONNI marks a notable advancement in their capabilities, potentially allowing for more sophisticated and harder-to-detect malicious code.
  
  **Technical details** of the infection chain reveal that it begins with a link hosted on Discord, leading to a ZIP archive. This archive contains a lure document and a Windows shortcut (LNK) file. The LNK file then executes a PowerShell loader, which extracts additional malicious components, including the AI-generated PowerShell backdoor. This backdoor exhibits advanced obfuscation and anti-analysis techniques. It also utilizes privilege escalation methods, such as a UAC bypass via `fodhelper`, to achieve persistence and communicate with Command and Control (C2) servers. The AI-generated nature of the backdoor is suggested by its well-structured code, clear documentation, and instructional comments, which are characteristic of outputs from Large Language Models (LLMs).
  
  **Defenders should be aware** of KONNI's expanding geographical reach, which now includes the APAC region (Japan, Australia, India) in addition to South Korea. They should also be vigilant for indicators of **AI-assisted malware development**, understand the multi-stage infection process, and be familiar with the specific functionalities of KONNI's backdoor, including its obfuscation and privilege escalation techniques. Monitoring for these evolving tactics is crucial for effective detection and mitigation of these threats. 【1】
• ShadowRelay: новый модульный бэкдор в госсекторе — ShadowRelay – a unique backdoor in the public sector - The content posted at the URL is controlled by **Solar Group** (also known as "Солар" in Russian). Solar Group is a cybersecurity company that operates under the brand "Solar" for the commercial sector and "Rostelecom - Information Security" for government entities. Rostelecom acquired Solar Security in May 2018. 🔍 Show Kagi Synopsis
  A new modular backdoor named **ShadowRelay** has been discovered, targeting organizations within the **public sector** 【1】. The initial compromise likely occurred in the **summer of 2024** through the exploitation of **ProxyShell vulnerabilities** on an Exchange server, which was then used to infect other systems in the spring of 2025 【1】.
  
  **Who is Affected:**
  The primary targets appear to be **organizations within the public sector** 【1】. The infection vector identified was a vulnerable **Exchange server**, which attackers exploited to gain access and subsequently spread to other infected systems 【1】.
  
  **Security Implications:**
  ShadowRelay is a sophisticated backdoor that allows attackers to **stealthily load various functional plugins**, indicating a high level of preparation and technical skill 【1][2]. Its ability to communicate with other implants, even those without direct internet access, creates a network of compromised machines that can be used for **long-term, stealthy presence and espionage** 【2][10]. This behavior is characteristic of **state-sponsored APT groups** 【12]. The modular nature of the backdoor allows attackers to hide their malicious functionality and avoid detection 【12].
  
  **Technical Details:**
  - **Modularity:** ShadowRelay is designed to load different plugins, each providing specific functionality. These plugins are expected to have `plugin_init`, `plugin_task`, and `plugin_deinit` functions 【8][12].
  - **Evasion Techniques:**
  - **Process Injection:** The client version can inject itself into a specified target process, and the main process terminates upon successful injection 【5].
  - **Packet Injection and Port Reuse:** It can use the WinDivert driver to reuse existing open ports for network communication, potentially bypassing firewalls 【5].
  - **Anti-Debugging and Self-Liquidation:** The backdoor attempts to detect debuggers and sandboxes, with a self-liquidation function to remove traces if checks fail 【3].
  - **Configuration:** The configuration is encrypted using a Caesar cipher with a shift of -1 and defines network parameters, C2 data, encryption methods, and operational modes such as 'antidebug', 'portreuse', and 'targetprocess' 【3][4].
  - **Packet Structure:** ShadowRelay uses a unique packet signature 'S&j0$' and a modified zlib for compression. The packet header includes fields like 'operation_code', 'crypted_msg_size', and 'total_size' 【6].
  - **Multithreading:** The backdoor utilizes a custom thread class and multiple threads that communicate via special contexts acting as queues 【7].
  - **Key Functions:**
  - `hello_connect`: Establishes server connections and parses packet headers 【8].
  - `send_message`: Sends data to the control server 【8].
  - `load_plugin`: Loads executable PE plugins into memory, supporting installation and uninstallation 【8].
  - `send_pc_info`: Collects and sends computer information, including checks for debuggers 【9].
  - **Indicators of Compromise (IOCs):** Specific file hashes (MD5, SHA1, SHA256) and IP addresses associated with the malware have been identified 【13].
  
  **What Defenders Should Know:**
  - **Vulnerable Exchange Servers:** Organizations should ensure their Exchange servers are patched against vulnerabilities like ProxyShell, as they remain a significant entry point for attackers 【2].
  - **Detection:** A simple Snort rule can be used to detect ShadowRelay network activity by identifying its packet signature 【11]. Monitoring for unusual network traffic and communication patterns between internal machines is crucial 【10].
  - **Sophistication:** Defenders should be aware of the advanced evasion techniques employed by ShadowRelay, including process injection and port reuse, which can make detection challenging 【5][12].
  - **Modular Nature:** The modular design means that new functionalities can be added via plugins, requiring continuous monitoring and analysis of network and system behavior 【8][12].
  - **Attacker Motives:** The observed behavior suggests a focus on long-term espionage, typical of APT groups, necessitating a robust and persistent threat hunting strategy 【12].
• ClearFake gets more evasive with new living off the land (LOTL) techniques - Expel 🔍 Show Kagi Synopsis
  The **ClearFake** malware campaign has evolved its tactics to become more evasive, employing "living off the land" (LOTL) techniques to bypass security measures.
  
  **What Happened:**
  ClearFake operates by compromising websites and injecting malicious JavaScript. This script presents users with fake CAPTCHA challenges that trick them into installing malware. Previously, ClearFake used `mshta.exe` to execute commands, but it has now shifted to a more sophisticated method involving `SyncAppvPublishingServer.vbs`. This legitimate Windows system file has a command injection flaw that allows attackers to run malicious PowerShell code in a hidden mode, making it difficult to detect. Additionally, the campaign now leverages a popular Content Delivery Network (CDN), `cdn.jsdelivr.net`, to host its malicious code, further complicating detection efforts that rely on blocking malicious domains and IP addresses. The PowerShell commands themselves are also obfuscated using aliases and regular expressions to evade signature-based detections. 【1】
  
  **Who is Affected:**
  **Website visitors** are the primary targets, as they are lured into downloading malware through fake CAPTCHA prompts on compromised websites. The use of a widely adopted CDN means that a large number of websites could potentially be affected, and consequently, their visitors. 【1】
  
  **Security Implications:**
  The adoption of LOTL techniques, particularly the abuse of `SyncAppvPublishingServer.vbs` and the use of CDNs, makes ClearFake highly evasive. 【1】
  - **Bypassing EDR:** By using a trusted Windows component (`SyncAppvPublishingServer.vbs`) and running PowerShell commands in hidden mode, the malware can evade detection by Endpoint Detection and Response (EDR) products that might flag direct abuse of PowerShell or `mshta.exe`. 【1】
  - **Evading URL Blocklists:** Utilizing legitimate CDNs like jsDelivr makes it difficult to block malicious activity based on domain or IP reputation, as these are widely used and trusted services. 【1】
  - **Fileless Execution:** The campaign can execute malware in memory without writing files to disk, which is a common evasion technique that bypasses traditional file-based antivirus solutions. 【1】
  
  **Technical Details:**
  - **Fake CAPTCHA (ClickFix):** The campaign uses fake CAPTCHA challenges as a social engineering lure. Users are prompted to press specific key combinations (e.g., Win + R, Ctrl + V, Enter) to supposedly verify they are not a bot. 【1】
  - **Proxy Execution via `SyncAppvPublishingServer.vbs`:** The core of the new technique involves exploiting a command injection flaw in `SyncAppvPublishingServer.vbs`. By appending a semicolon and PowerShell commands to a legitimate argument, attackers can execute arbitrary PowerShell code. This script launches PowerShell in hidden mode (`-WindowStyle Hidden`). 【1】
  - **Obfuscated PowerShell Commands:** The PowerShell commands used to download and execute the payload are designed to evade detection. They use aliases like `gal` (for `Get-Alias`) and `gcm` (for `Get-Command`) with regular expressions to indirectly invoke `Invoke-Expression` and `Invoke-RestMethod`, avoiding direct use of these commonly flagged commands. 【1】
  - **CDN for Payload Hosting:** Malicious scripts are hosted on `cdn.jsdelivr.net`, a legitimate CDN, making it difficult to block the source of the attack. 【1】
  
  **What Defenders Should Know:**
  - **Block Web3 Endpoints (if applicable):** If your organization does not interact with blockchain or Web3 technologies, consider blocking the specific RPC endpoints used by the campaign (e.g., `bsc-testnet.drpc.org`, `data-seed-prebsc-1-s1.bnbchain.org`). Be aware that attackers can change these endpoints. 【1】
  - **Restrict `SyncAppvPublishingServer.vbs`:** If not essential for your organization, blocking this script entirely is an option. Alternatively, restrict its usage by allowlisting specific command-line parameters and parent processes. Inspecting command-line arguments for semicolons could also be a partial mitigation. 【1】
  - **Limit PowerShell Usage:** Disabling PowerShell for non-system accounts is the most effective defense, though often impractical. Application allow-listing can help restrict which applications can launch PowerShell. 【1】
  - **Monitor for LOTL Techniques:** Be aware of the increasing use of LOTL techniques and ensure security tools are configured to detect suspicious behavior, even when executed by trusted system binaries. 【1】
  - **Understand CDN Abuse:** Recognize that legitimate services like CDNs can be abused for malware distribution, and traditional URL blocking may be less effective. 【1】
• Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts - Arctic Wolf 🔍 Show Kagi Synopsis
  A recent cybersecurity campaign involves unauthorized configuration changes on **Fortinet FortiGate devices** through compromised Single Sign-On (SSO) accounts. This activity, observed starting January 15, 2026, includes the creation of generic accounts for persistence, granting VPN access to these accounts, and exfiltrating firewall configurations. 【1】
  
  **Who is affected:**
  The campaign specifically targets **Fortinet FortiGate devices**. While the exact initial access vector is still under investigation, the activity shares similarities with a previous campaign in December 2025 that involved SSO login activity for administrator accounts on affected firewall devices. 【1】 Several Fortinet product lines were previously reported to be affected by related vulnerabilities, including **FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager**. 【1】
  
  **Security Implications:**
  The primary security implications include unauthorized access and control over network perimeters, potential data exfiltration of sensitive firewall configurations, and the establishment of persistent backdoors for future malicious activities. The creation of new accounts and granting VPN access can lead to further compromise of internal networks. 【1】
  
  **Technical Details:**
  Malicious SSO logins have been observed originating from specific hosting providers, often targeting the `[email protected]` account. 【1】 Following successful logins, attackers export configurations via the GUI to the same IP addresses. 【1】 This is followed by the creation of secondary accounts, such as `secadmin`, for persistence. 【1】 The speed at which these events occur suggests automated activity. 【1】 The campaign may be related to previously disclosed authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719), which allowed unauthenticated bypass of SSO login via crafted SAML messages when the FortiCloud SSO feature was enabled. 【1】
  
  **What defenders should know:**
  Defenders should **monitor for updates from Fortinet** and apply any new security patches promptly. 【1】 If malicious activity is observed, it is crucial to **reset firewall credentials** as exfiltrated configurations may contain hashed credentials susceptible to offline cracking. 【1】 It is recommended to **limit access to management interfaces** of network appliances to trusted internal users and consider disabling the FortiCloud SSO login feature as a temporary workaround if it is enabled. 【1】 Arctic Wolf has implemented detections for this campaign and will continue to alert customers to identified instances. 【1】
• Adventures in Primary Group Behavior, Reporting, and Exploitation - TrustedSec is the organization that controls the content posted at the provided URL. The company was founded by David Kennedy in 2012. 🔍 Show Kagi Synopsis
  This article details a cybersecurity vulnerability related to the `primaryGroupID` attribute in Active Directory (AD), which can be exploited for **privilege escalation and stealthy persistence** 【1】.
  
  **What Happened:**
  Attackers can manipulate the `primaryGroupID` attribute of a user account. This attribute defines a user's primary group, and by changing it, an attacker can effectively grant themselves membership in privileged groups, such as **Domain Admins** (with ID 512), without this membership being visible in standard group membership lists 【1】. This manipulation can be achieved using tools like mimikatz or by directly interacting with the AD database through methods like DCShadow 【1】. A side effect of changing the `primaryGroupID` is that it can also remove the user from their previous primary group 【1】.
  
  **Who is Affected:**
  Organizations using **Active Directory** are potentially affected by this vulnerability 【1】. Any user account whose `primaryGroupID` attribute is manipulated by an attacker can be used to gain elevated privileges 【1】.
  
  **Security Implications:**
  The primary security implication is the creation of **significant blind spots in security monitoring and reporting** 【1】. Standard AD tools and PowerShell cmdlets like `Get-ADGroupMember` and `Get-ADUser` may report group memberships inconsistently, as they might not always reflect membership derived from the `primaryGroupID` attribute 【1】. This allows attackers to maintain privileged access stealthily, bypassing detection mechanisms that rely on standard group membership checks 【1】. Furthermore, attackers can modify Discretionary Access Control Lists (DACLs) on user objects to hide the `primaryGroupID` attribute itself, making the privileged membership even more invisible 【1】.
  
  **Technical Details:**
  The `primaryGroupID` attribute in AD specifies a user's primary group. The default `primaryGroupID` for most users is 513, corresponding to the `Domain Users` group 【1】. Attackers can change this value to the ID of a privileged group, such as 512 for `Domain Admins` 【1】. This change is not always reflected in the `members` attribute of the target group, leading to reporting discrepancies 【1】. Attackers can also use techniques to obscure the `primaryGroupID` attribute from view 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware of the inconsistencies in how AD group memberships are reported and ensure their **monitoring and reporting tools are robust enough to detect `primaryGroupID`-based membership** 【1】. This involves:
  - **Scrutinizing all user objects** for non-standard `primaryGroupID` values (any value other than 513, unless there's a documented business reason) 【1】.
  - **Verifying that monitoring systems can detect these hidden privileges** 【1】.
  - **Resetting any non-standard `primaryGroupID` to the default `Domain Users` (513)** unless there is a specific, valid justification 【1】.
• Task Failed Successfully - Microsoft’s “Immediate” Retirement of MDT - SpecterOps 🔍 Show Kagi Synopsis
  Microsoft has retired the **Microsoft Deployment Toolkit (MDT)** service, ceasing all support and updates, including security patches, as of January 6, 2026. This decision was made after vulnerabilities were reported by TrustedSec and further investigated by SpecterOps.
  
  **What Happened:**
  SpecterOps researchers discovered vulnerabilities in MDT that could allow attackers to locate MDT servers, bypass security controls, and potentially extract privileged Active Directory credentials. Specifically, they found that the MDT monitoring service lacked authentication, enabling unauthenticated discovery and manipulation of computer objects. This could be exploited to trigger XML External Entity (XXE) vulnerabilities, leading to credential theft or information disclosure. Instead of patching these issues, Microsoft chose to retire the service. 【1】
  
  **Who is Affected:**
  Organizations that continue to use MDT are affected. This includes administrators who rely on MDT for operating system deployment and image hosting. While Microsoft has retired the service, some organizations may still be using it or may not be able to migrate immediately. 【1】
  
  **Security Implications:**
  The primary security implication is the **risk of credential compromise**. Attackers could exploit the vulnerabilities to gain access to privileged service accounts within Active Directory, which could then be used for further lateral movement and compromise of the network. The lack of ongoing security updates for MDT means that any newly discovered vulnerabilities will remain unpatched, posing a persistent risk. 【1】
  
  **Technical Details:**
  MDT relies on file shares for OS images and task sequences, often integrated with Windows Deployment Services (WDS) for network booting.
  - **Discovery:** MDT servers can be located by querying Active Directory for WDS `serviceConnectionPoint` objects or by unauthenticated discovery through the PXE boot process, which reveals files like `LiteTouchPE_x64.wim`. 【1】
  - **Vulnerabilities:**
  - The MDT monitoring service's "Event" and "Data" ports lack authentication, allowing unauthorized access to APIs like `PostEvent` and `GetSettings`. 【1】
  - The `GetSettings` method is vulnerable to XXE attacks due to the use of `System.Xml.XmlDocument` in .NET Framework versions prior to 4.5.2. This allows attackers to inject XXE payloads to coerce authentication from the MDT server's machine account or leak sensitive files like `CustomSettings.ini`. 【1】
  - **Exploitation:** Attackers can register a computer object via the "Event" API, update its settings with an XXE payload to trigger authentication coercion, or use DTD parsing to leak credentials from `CustomSettings.ini`. 【1】
  
  **What Defenders Should Know:**
  Defenders who are still using MDT should be aware of the following:
  - **No More Updates:** MDT will no longer receive any security updates or patches from Microsoft. 【1】
  - **Mitigation Strategies:** If migration is not immediately possible, administrators should implement defensive measures. This includes:
  - **Restrict Access:** Ensure that MDT deployment shares have strictly enforced access control lists (ACLs) and that only necessary service accounts have read permissions. 【1】
  - **Monitor Network Traffic:** Actively monitor network traffic for suspicious activity related to MDT and WDS services.
  - **Secure Configurations:** Review and secure the configurations of WDS and MDT, paying close attention to the monitoring service and its API endpoints.
  - **Migration is Key:** The most effective defense is to **migrate away from MDT** to a supported and secure operating system deployment solution. 【1】
• From Protest to Peril: Cellebrite Used Against Jordanian Civil Society - The Citizen Lab - The **Citizen Lab** controls the content posted at the URL. It is a research unit at the **Munk School of Global Affairs & Public Policy, University of Toronto**, founded by **Ronald Deibert**. 🔍 Show Kagi Synopsis
  The cybersecurity article details how **Jordanian authorities have been using Cellebrite's forensic extraction products to extract data from the phones of activists and civil society members without their consent** 【1】. This practice has been ongoing since at least 2020 and has been confirmed through forensic analysis of seized devices and court records 【1】.
  
  **Who is affected:**
  The individuals affected are primarily **activists, civil society members, journalists, and human rights defenders in Jordan**. The report specifically mentions cases involving political activists, a student organizer, a human rights defender, a youth activist, and a citizen journalist whose devices were seized and forensically examined 【1】.
  
  **Security implications:**
  The use of Cellebrite technology by Jordanian authorities raises **significant human rights concerns**, potentially violating international human rights law. It facilitates surveillance and repression of free expression, which can lead to the muzzling of advocacy, intimidation, and unlawful restrictions on freedom of expression 【1】. Cellebrite is implicated for not ensuring its technology is not misused by clients, despite acknowledging its potential for human rights violations 【1】.
  
  **Technical details:**
  The article identifies specific forensic artifacts linked to Cellebrite products, including **HostIDs and SystemBUIDs found in DLL files** such as "CellebriteMobileAgent/iPhoneLib.dll" and "CellebriteMobileAgent\CellewiseLib.dll" 【1】. Other indicators include the process name "mnm," a dispatch queue label "com.cellebrite.bruteforce" in iOS crash logs, and the Android package ID "com.client.appA" 【1】. The analysis covers devices in both Before First Unlock (BFU) and After First Unlock (AFU) states, and notes the use of Cellebrite's Physical Analyzer software (version 7.60.1.9) 【1】. Technical aspects also involve how devices are unlocked, including biometric methods or obtaining passcodes, and challenges posed by features like USB Restricted Mode or Stolen Device Protection 【1】.
  
  **What defenders should know:**
  Individuals whose devices are seized should **immediately change passwords for all accounts accessed via the device and check for unrecognized logins** 【1】. It is advised to avoid factory resetting the device before expert analysis, as this erases forensic traces 【1】. Seeking advice from forensic professionals or organizations like The Citizen Lab is recommended 【1】. To reduce the risk of forensic access, users should keep operating systems updated, use strong passcodes, enable Lockdown Mode (iOS) or Advanced Protection (Android), and power off devices before entering high-risk situations 【1】. Developers are encouraged to implement features like duress PINs, USB restricted modes, and remote account disabling to enhance user security 【1】.