Archive for Bitdefender

Bitdefender Launches Powerful Email Security Solution for Businesses and MSPs

Posted in Commentary on April 15, 2026 by itnerd

Bitdefender today announced Bitdefender GravityZone Extended Email Security, unifying email and endpoint protection within a single platform. Built for organizations, managed service providers (MSPs) and their customers, it leverages an Integrated Cloud Email Security (ICES) approach to deliver continuous protection before and after delivery against modern email-borne threats including phishing, business email compromise (BEC), ransomware, impersonation, and insider-driven attacks.

“Email threats are growing more sophisticated and effective as total business email compromise-related payments crossed the $6 billion threshold in 2024”, according to Gartner®.¹ In a global survey of 1,200 IT and security professionals, 42% identified BEC as the greatest threat to their organization, while 66% reported an increase in these types of attacks.

Legacy email security solutions often focus on pre-delivery filtering, leaving gaps once threats reach user inboxes. Siloed email and endpoint security tools further create blind spots attackers exploit, increasing dwell time and delaying detection.

Bitdefender GravityZone Extended Email Security is a native email security solution that closes this gap by combining secure email gateway (SEG) filtering with API-based post-delivery protection. This dual-layer approach stops threats before delivery and continuously detects and remediates them after they reach inboxes, helping ensure complete protection across the email threat lifecycle. The solution builds on technology gained through Bitdefender’s acquisition of Mesh Security, further strengthening its email protection capabilities.

Fully integrated into Bitdefender GravityZone, the company’s unified security, risk analytics, and compliance platform, GravityZone Extended Email Security extends protection from endpoint to inbox. It integrates seamlessly into existing environments, enabling rapid deployment and time to value.

Key Benefits of GravityZone Extended Email Security include:

  • Unified email and endpoint protection – GravityZone Extended Email Security uses artificial intelligence (AI) and real-time threat intelligence to stop phishing, BEC, impersonation, ransomware, and other advanced threats. Emails are inspected before delivery and continuously monitored after delivery, enabling automated quarantine and remediation to reduce dwell time and limit user exposure.
  • Consolidates tools and reduces security team workload – The platform streamlines security management by unifying tools and automating detection and response across the email attack chain. Continuous monitoring and automated remediation reduce manual effort and improve response times.
  • Improves efficiency and scales security operations – Built for modern environments and service delivery models, GravityZone Extended Email Security enables efficient, scalable security for businesses and MSPs. Centralized management, continuous policy enforcement, and streamlined workflows support multi-tenant environments and simplify security across distributed infrastructures.
  • Fast, flexible deployment across any environment – Organizations and MSPs can deploy the solution as a SEG across Microsoft 365, hybrid, and diverse environments, with API-based and combined deployment models supported for Microsoft 365.

Availability

Bitdefender GravityZone Extended Email Security is available now as an add-on to GravityZone endpoint security deployments. For more information, visit here.

¹Gartner, How to Develop an Email Security Strategy, Max Taggett, Nikul Patel, August 20, 2025.

Gartner is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

Bitdefender Launches Complimentary Internal Attack Surface Assessment

Posted in Commentary on March 31, 2026 by itnerd

Bitdefender, a global cybersecurity leader, today announced the Bitdefender Attack Surface Assessment, a complimentary evaluation that helps organizations identify and reduce hidden internal cyber risk caused by unnecessary user access to applications, tools, and operating system utilities commonly exploited in modern attacks. The assessment gives organizations a clear, data-driven view of their internal attack surface and provides actionable guidance to help prioritize and remediate exposure.

Businesses face growing challenges defending against Living-Off-the-Land (LOTL), fileless, and other non-malware attack techniques, which leverage legitimate operating system tools and trusted applications to breach systems and evade detection while blending into normal activity.

Analysis of more than 700,000 real-world security incidents found that legitimate tools and LOTL techniques are involved in more than 84% of major attacks. Cybercriminals increasingly exploit widely available utilities such as PowerShell, WMIC, and others to gain access, escalate privileges and move laterally within environments undetected. As a result, organizations are being forced to shift toward a prevention-first security posture to proactively close attack paths before they can be exploited.

The Bitdefender Attack Surface Assessment addresses this critical security gap through a guided engagement that helps organizations uncover this largely invisible internal exposure, assess its impact on overall risk and identify practical steps for remediation. Organizations enroll and immediately begin assessing and monitoring their environment with no disruption to employees or daily operations.

The program is powered by Bitdefender GravityZone PHASR (Proactive Hardening and Attack Surface Reduction), a first-to-market endpoint security innovation that combines dynamic, behavior-based security hardening with real-time threat intelligence. It helps identify excessive user access and restrict or block unnecessary applications and tools without impacting business operations.

Key Benefits of the Attack Surface Assessment include:

  • Quantify internal risk at the user level – Gain precise visibility into attack surface exposure down to each user, including access to applications, tools and utilities, mapped against their baseline behavior and real-time threat intelligence.
  • Identify shadow IT and unauthorized tools – Uncover shadow IT and unauthorized tools, including unusual network activity, access to non-approved binaries, and unrecognized applications attempting to access company resources.
  • Reduce the attack surface using actionable insights – Receive actionable recommendations to focus mitigation and begin hardening the internal attack surface, with the option to apply controls manually or automatically with Bitdefender guidance. Organizations can reduce their attack surface by up to 95%, significantly lowering exposure to modern attack techniques.  

Availability

The Bitdefender Attack Surface Assessment is a complimentary, 45-day turnkey program that requires minimal effort and is available now for organizations with 250 or more employees. To learn more or enroll, visit here.

Bitdefender Research Shows 130% Increase in Attacks Targeting Gulf Countries

Posted in Commentary on March 25, 2026 by itnerd

Bitdefender has released new research revealing that phishing and malware campaigns targeting Gulf countries have surged by approximately 130% on average following the escalation of the war in Iran.

Researchers observed a sustained spike in malicious email activity beginning February 28, with campaigns quickly doubling and peaking at nearly four times pre-war levels.

Key findings:

  • Threat actors are delivering a mix of remote access trojans, spyware, and fileless attacks that execute in memory.
  • The attacks rely heavily on business-themed lures, including invoices, contracts, banking communications, and delivery notifications.
  • No confirmed state-sponsored attribution; however, phishing is often a precursor to more complex attacks, enabling initial access to targeted environments.

You can read the research here: https://www.bitdefender.com/en-gb/blog/hotforsecurity/gulf-countries-phishing-surge

Windsurf IDE Extension Drops Malware via Solana Blockchain Targeting Developers In The Process

Posted in Commentary on March 18, 2026 by itnerd

Bitdefender has released research warning of an active attack using a malicious extension for the Windsurf IDE (integrated development environment). The campaign intentionally targets software developers, who typically have privileged access, API keys, and other high-value credentials.

Disguised as a legitimate R programming language tool, the extension installs a multi-stage NodeJS credential stealer that retrieves encrypted payloads from the Solana blockchain, leveraging legitimate third-party infrastructure instead of traditional command-and-control (C2) servers to evade detection.

Cybercriminals are increasingly abusing trusted developer ecosystems and decentralized infrastructure to plant malware and establish persistence.

You can read the research here: https://www.bitdefender.com/en-us/blog/labs/windsurf-extension-malware-solana

New Research Reveals Cybercriminals Love Valentine’s Day: 41% of All Valentine’s Day Spam Observed Had Malicious Intent

Posted in Commentary on February 12, 2026 by itnerd

Bitdefender has released new findings showing that Valentine’s Day–themed spam has spiked in recent weeks, using the promise of love, discounts, and gifts from popular brands such as Dior, Sephora, and Walmart as lures.

41% of all Valentine’s Day spam observed had deceptive or malicious intent. Common tactics used to snare victims included phishing attempts, dating scams, fake giveaways, advance-fee schemes, and misleading surveys.

Findings include:

  • The U.S. was the most targeted destination at 55%, followed by Germany (13%), Ireland (8%), and the UK (6%).
  • The U.S. also ranked as the top source, responsible for over 43% of Valentine’s-related spam.
  • About 10% of scam-related messages used dating-themed lures, often relying on AI-generated profile images.

You can get more details here: https://www.bitdefender.com/en-us/blog/hotforsecurity/nearly-4-in-10-valentines-day-emails-are-scams-what-bitdefender-antispam-lab-is-seeing-in-2026

A threat actor named “RedCurl” has created ransomware to encrypt Hyper-V servers

Posted in Commentary on March 26, 2025 by itnerd

A threat actor named ‘RedCurl,’ known for stealthy corporate espionage operations since 2018, is now using a ransomware encryptor designed to target Hyper-V virtual machines. This is what Bitdefender had to say:

This research, conducted by Bitdefender Labs, presents the first documented analysis of a ransomware campaign attributed to the RedCurl group (also known as Earth Kapre or Red Wolf). RedCurl has historically maintained a low profile, relying heavily on Living-off-the-Land (LOTL) techniques for corporate cyber espionage and data exfiltration. This shift to ransomware marks a significant evolution in their tactics.

This new ransomware, which we have named QWCrypt based on a self-reference ‘qwc’ found within the executable, is previously undocumented and distinct from known ransomware families.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented:

“While targeting Microsoft Hyper-V servers is nothing new (example: https://cybercx.com/blog/akira-ransomware/), this indicates an increased focus on Hyper-V and virtualization platforms in general. It’s actually far easier to bring down an organization using an enterprise virtualization platform than one with hundreds of disparate, separately located on-premise servers. If I get on your VM host server, now, with one compromise, I can more easily control and manipulate the whole kingdom. I can more easily encrypt entire servers. I can more easily exfiltrate large amounts of sensitive data. I can more easily corrupt backup services. It’s not good. But the question you need to ask is how the bad guy got to your VM host servers in the first place? Was it social engineering? Was it unpatched software or firmware? Was it stolen logon credentials or bypassed phishable MFA? Because those are the most likely reasons and if you don’t figure those out your environment is not going to be safe no matter what else you do.”

Bitdefender Anomaly Detection Finds 60k Apps Secretly Installing Adware

Posted in Commentary on June 7, 2023 by itnerd

Using an anomaly detection feature that was added to its Mobile Security software, Bitdefender detected over 60,000 malicious Android apps disguised as legitimate applications that have been installing adware for the last 6 months.
 
The global campaign that predominantly targets US users is believed to have started in October 2022 and is being distributed as fake security software, game cracks, cheats, VPN software, Netflix, and utility apps on third-party sites, where malware inspection isn’t as strong.
 
When the app is installed and launched, it will display an error message stating that the “Application is unavailable in your region. Tap OK to uninstall,” but actually, the app is not uninstalled and instead sleeps for two hours before registering two ‘intents’ that cause the app to launch when the device is booted or unlocked. Bitdefender says the latter intent is disabled for the first 2 days, which helps evade detection.
 
The app then reaches out to the attackers’ servers and retrieves advertisement URLs to be displayed in the mobile browser or as a full-screen WebView ad.
 
“However, the threat actors involved can easily switch tactics to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information or ransomware,” warns Bitdefender.

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “The discovery of these malicious Android apps raises concerns about how easy it is to distribute malware and the fact that this campaign predominantly targets users in the United States is concerning, as it suggests that a large number of individuals may be at risk. This highlights the need for robust security measures, like app attestation to protect users from such threats. It also serves as a reminder for users to exercise caution when downloading and installing applications, particularly from unofficial sources.”


Dave Ratner, CEO, HYAS follows up with this:

   “The identification of beaconing behavior to adversary infrastructure via Protective DNS is not only for laptops and servers; the explosion of mobile-based malware highlights just how important it is to extend Protective DNS across all connected devices. Bad actors will continue to find innovative ways to trick users but having the visibility to see the anomalous communication reaching out to the adversary’s servers, and the ability to block it, provides a key layer of defense that is critical in today’s world.”

The fact that these Android apps are out there should send a chill down the spine of every Android user. Thus it means to me that Google as well as users of Android phones really need to have their heads on a swivel to make sure that this doesn’t become an extremely popular attack vector.

A FREE Decryption Tool For The REvil Ransomware Now Available

Posted in Commentary on September 17, 2021 by itnerd

If you got pwned by the REvil criminal group, I have good news for you. A free master decryptor for the REvil ransomware has been released, allowing all victims encrypted before the gang disappeared to recover their files for free:

The REvil master decryptor was created by cybersecurity firm Bitdefender in collaboration with a trusted law enforcement partner.

While Bitdefender could not share details about how they obtained the master decryption key or the law enforcement agency involved, they told BleepingComputer that it works for all REvil victims encrypted before July 13th.

“As per our blog post, we received the keys from a trusted law enforcement partner, and unfortunately, this is the only information we are at liberty to disclose right now,” Bitdefender’s Bogdan Botezatu, Director of Threat Research and Reporting, told BleepingComputer. “Once the investigation progresses and will come to an end, further details will be offered upon approval.”

REvil ransomware victims can download the master decryptor from Bitdefender (instructions) and decrypt entire computers at once or specify specific folders to decrypt.

Some of this does sound a bit sketchy, but it is still good news. You should have a look if you’ve been pwned by this criminal organization. Hopefully more tools like this get released as this will allow people to not pay the scumbags behind these ransomware attacks.

Review: Bitdefender Antivirus for Mac

Posted in Products on November 21, 2013 by itnerd

The days of not having some sort of anti-virus product on your Mac are over. There are not only Mac specific threats out there that are on the dangerous side, but there are cross platform threats as well. Not to mention that you don’t want to pass along PC specific viruses to your Windows loving friends. Thus you have to run something on your Mac to protect yourself and others. One such product that will keep you safe is Bitdefender Antivirus for Mac brought to you by Bitdefender. Now this is a product that has a fair amount going for it as you’ll see.

First, the install is pretty simple. A few clicks and the requisite entering of your password and you’re done. It doesn’t get any easier than that. Now once it’s installed, I suggest you do one other thing. You should also install an add on called TrafficLight which works with Safari and Firefox. TrafficLight intercepts, processes, and filters all Web traffic, blocking any malicious content. When you search for stuff using your favorite search engine, it lets you know what’s safe. It also lets you know what’s tracking you. For example, I went to the webpage of the Toronto Star and found that everybody from Google to Facebook is keeping an eye on my activities. Charming.

When it comes to the main anti-virus product, there are two ways to run it. It has a continuous scanner that is constantly looking for threats without you needing to do anything. Or you can do on demand scanning for either the full system, critical locations, or a specific location. The interface is easy to navigate and you should have no reason to crack open the digital manual included with the product. Another item I noted, when it updated successfully, it popped a notification in the Notification Center. That’s a nice touch as it ensures that you know that you are fully protected at all times.

Now for the key points. How well does it work and how much does it slow down your Mac? In terms of how it works, I tested it by going to places that were known to be infested with malware and other evil. Bitdefender For Mac came to my rescue each time. Not only that, when I tested it by copying a ZIP file with a copy of the EICAR test virus on it and attempting to open it, it very quickly stepped in to save me. And I do mean very quickly. It reacted instantly. That’s nice. As for the speed, I cannot find any evidence that it slowed my system down in any way that I can tell. That’s also nice.

So, what’s this protection going to cost you? It’s $49.95 CAD for three Macs or $10 less for a single Mac. Is it worth it? Yes. You need protection for your Mac. Bitdefender Antivirus is a great choice to keep you safe while using your Mac.

Have Some Fun On Valentines Day With The Relationship Scanner From BitDefender

Posted in Commentary on February 13, 2012 by itnerd

Here’s an app that is fun to use on Valentines Day. It’s called the Relationship Scanner. Here’s a quick overview of how it works:

  • One of the partners enters his/her name, email address and the “viruses” he found in the relationship.
  • After providing his partner’s details, the application contacts the better half asking for the “viruses” he/she discovered in the relationship.
  • Both partners are then asked to “disinfect” the relationship from the “viruses”.
  • They live happily ever after.

Now this is an app that is brought to you by anti-virus maker Bitdefender and clearly they want to use this to move some anti-virus apps (in fact, a free 90-day license of Bitdefender Total Security 2012 is up for grabs for anyone who uses the app). Despite that, I’m still posting this as I find this cute and clever. Give it a try and let us know what you think.