Category: United States of America

  • MIL-OSI USA: Another Milestone for X-59

    Source: NASA

    NASA’s X-59 quiet supersonic research aircraft successfully completed a critical series of tests in which the airplane was put through its paces for cruising high above the California desert – all without ever leaving the ground. The goal of ground-based simulation testing was to make sure the hardware and software that will allow the X-59 to fly safely are properly working together and able to handle any unexpected problems.
    Learn more about this series of exercises, dubbed “aluminum bird” testing by engineers.
    Image credit: Lockheed Martin/Garry Tice

    MIL OSI USA News

  • MIL-OSI USA: How Big is Space? We Asked a NASA Expert: Episode: 61

    Source: NASA


    How big is space?
    Space is really big. Thinking about our solar system, let’s imagine you could get in a car and drive to Pluto at highway speeds. It would take you about 6,000 years to get there.
    When we start to think about other stars outside of our solar system, we need to think about another unit of distance. This is why astronomers use the unit light-years.
    Light travels at 186,000 miles per second. One light year is about 6 trillion miles. The closest star to our Sun is about four light years away.
    Our own Milky Way galaxy is about 100,000 light-years across.
    We know from deep field images of the universe that there are hundreds of billions, perhaps a trillion other galaxies.
    Using some of the deepest images yet from the James Webb Space Telescope, we’ve been able to see galaxies that emitted their light about 13 and a half billion years ago.
    Now, here’s a really important thing. Because the universe is expanding, those most distant galaxies are actually much further away than 13 and a half billion light years.
    I’m glossing over some math here, but we can estimate that the observable universe is about 92 billion light-years across. But we’re pretty sure that the universe is even bigger than what we can see.
    And here’s where things get really weird, we don’t actually know if the universe is finite or infinite.
    As much as we’ve learned about the universe, science has no reliable estimate of the actual size of the entire universe.
    [END VIDEO TRANSCRIPT]


  • MIL-OSI USA: Devil’s in Details in Selfie Taken by NASA’s Mars Perseverance Rover

    Source: NASA

    The rover took the image — its fifth since landing in February 2021 — between stops investigating the Martian surface.
    A Martian dust devil photobombed NASA’s Perseverance Mars rover as it took a selfie on May 10 to mark its 1,500th sol (Martian day) exploring the Red Planet. At the time, the six-wheeled rover was parked in an area nicknamed “Witch Hazel Hill,” an area on Jezero Crater’s rim that the rover has been exploring over the past five months.
    “The rover self-portrait at the Witch Hazel Hill area gives us a great view of the terrain and the rover hardware,” said Justin Maki, Perseverance imaging lead at NASA’s Jet Propulsion Laboratory in Southern California, which manages the mission. “The well-illuminated scene and relatively clear atmosphere allowed us to capture a dust devil located 3 miles to the north in Neretva Vallis.”
    The selfie also gives the engineering teams a chance to view and assess the state of the rover, its instruments, and the overall dust accumulation as Perseverance reached the 1,500-sol milestone. (A day on Mars is 24.6 hours, so 1,500 sols equals 1,541 Earth days.)

    The bright light illuminating the scene is courtesy of the high angle of the Sun at the time the images composing the selfie were taken, lighting up Perseverance’s deck and casting its shadow below and behind the chassis. Immediately in front of the rover is the “Bell Island” borehole, the latest sampling location in the Witch Hazel Hill area.
    How Perseverance Did It
    This newest selfie, Perseverance’s fifth since the mission began, was stitched together on Earth from a series of 59 images collected by the WATSON (Wide Angle Topographic Sensor for Operations and eNgineering) camera at the end of the robotic arm. It shows the rover’s remote sensing mast looking into the camera. To generate the version of the selfie with the mast looking at the borehole, WATSON took three additional images, concentrating on the reoriented mast.

    “To get that selfie look, each WATSON image has to have its own unique field of view,” said Megan Wu, a Perseverance imaging scientist from Malin Space Science Systems in San Diego. “That means we had to make 62 precision movements of the robotic arm. The whole process takes about an hour, but it’s worth it. Having the dust devil in the background makes it a classic. This is a great shot.”

    The dust covering the rover is visual evidence of the rover’s journey on Mars: By the time the image was captured, Perseverance had abraded and analyzed a total of 37 rocks and boulders with its science instruments, collected 26 rock cores (25 sealed and 1 left unsealed), and traveled more than 22 miles (36 kilometers).
    “After 1,500 sols, we may be a bit dusty, but our beauty is more than skin deep,” said Art Thompson, Perseverance project manager at JPL. “Our multi-mission radioisotope thermoelectric generator is giving us all the power we need. All our systems and subsystems are in the green and clicking along, and our amazing instruments continue to provide data that will feed scientific discoveries for years to come.”
    The rover is currently exploring along the western rim of Jezero Crater, at a location the science team calls “Krokodillen.”
    News Media Contacts
    DC Agle, Jet Propulsion Laboratory, Pasadena, Calif., 818-393-9011, agle@jpl.nasa.gov
    Karen Fox / Molly Wasser, NASA Headquarters, Washington, 202-358-1600, karen.c.fox@nasa.gov / molly.l.wasser@nasa.gov
    2025-073      


  • MIL-OSI USA: Discovery Alert: A Possible Perpendicular Planet

    Source: NASA

    A newly discovered planetary system, informally known as 2M1510, is among the strangest ever found. An apparent planet traces out an orbit that carries it far over the poles of two brown dwarfs. This pair of mysterious objects – too massive to be planets, not massive enough to be stars – also orbit each other. Yet a third brown dwarf orbits the other two at an extreme distance.

    In a typical arrangement, as in our solar system, families of planets orbit their parent stars in more-or-less a flat plane – the orbital plane – that matches the star’s equator. The rotation of the star, too, aligns with this plane. Everyone is “coplanar:” flat, placid, stately.
    Not so for possible planet 2M1510 b (considered a “candidate planet” pending further measurements). If confirmed, the planet would be in a “polar orbit” around the two central brown dwarfs – in other words, its orbital plane would be perpendicular to the plane in which the two brown dwarfs orbit each other. Take two flat disks, merge them together at an angle in the shape of an X, and you have the essence of this orbital configuration.
    “Circumbinary” planets, those orbiting two stars at once, are rare enough. A circumbinary orbiting at a 90-degree tilt was, until now, unheard of. But new measurements of this system, using the ESO (European Southern Observatory) Very Large Telescope in Chile, appear to reveal what scientists previously only imagined. 

    The method by which the study’s science team teased out the planet’s vertiginous existence is itself a bit of a wild ride. The candidate planet cannot be detected the way most exoplanets – planets around other stars – are found today: the “transit” method, a kind of mini-eclipse, a tiny dip in starlight when the planet crosses the face of its star.
    Instead they used the next most prolific method, “radial velocity” measurements. Orbiting planets cause their stars to rock back and forth ever so slightly, as the planets’ gravity pulls the stars one way and another; that pull causes subtle, but measurable, shifts in the star’s light spectrum. Add one more twist to the detection in this case: the push-me-pull-you effect of the planet on the two brown dwarfs’ orbit around each other. The path of the brown dwarf pair’s 21-day mutual orbit is being subtly altered in a way that can only be explained, the study’s authors conclude, by a polar-orbiting planet.

    Only 16 circumbinary planets – out of more than 5,800 confirmed exoplanets – have been found by scientists so far, most by the transit method. Twelve of those were found using NASA’s now-retired Kepler Space Telescope, the mission that takes the prize for the most transit detections (nearly 2,800). Scientists have observed a small number of debris disks and “protoplanetary” disks in polar orbits, and suspected that polar-orbiting planets might be out there as well. They seem at last to have turned one up.

    An international science team led by Thomas A. Baycroft, a Ph.D. student in astronomy and astrophysics at the University of Birmingham, U.K., published a paper describing their discovery in the journal “Science Advances” in April 2025. The planet was entered into NASA’s Exoplanet Archive on May 1, 2025. The system’s full name is 2MASS J15104786-281874 (2M1510 for short).


  • MIL-OSI USA: Russian GRU Targeting Western Logistics Entities and Technology Companies

    News In Brief – Source: US Computer Emergency Readiness Team

    Executive Summary

    This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

    This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

    The following authors and co-sealers are releasing this CSA:

    • United States National Security Agency (NSA)
    • United States Federal Bureau of Investigation (FBI)
    • United Kingdom National Cyber Security Centre (NCSC-UK)
    • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
    • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
    • Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
    • Czech Republic Military Intelligence (VZ)  Vojenské zpravodajství
    • Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
    • Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
    • Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
    • Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
    • United States Cybersecurity and Infrastructure Security Agency (CISA)
    • United States Department of Defense Cyber Crime Center (DC3)
    • United States Cyber Command (USCYBERCOM)
    • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
    • Canadian Centre for Cyber Security (CCCS)
    • Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
    • Estonian Foreign Intelligence Service (EFIS) Välisluureamet
    • Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
    • French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
    • Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst
       


    Introduction

    For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.
    In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.
    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

    Description of Targets

    The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations: 

    •  Defense Industry
    • Transportation and Transportation Hubs (ports, airports, etc.)
    • Maritime
    • Air Traffic Management
    • IT Services

    In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

    The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

    The countries with targeted entities include the following, as illustrated in Figure 1:

    • Bulgaria
    • Czech Republic
    • France
    • Germany
    • Greece
    • Italy
    • Moldova
    • Netherlands
    • Poland
    • Romania
    • Slovakia
    • Ukraine
    • United States
       
    Figure 1: Countries with Targeted Entities

    Initial Access TTPs

    Unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to):

    The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

    Credential Guessing/Brute Force

    Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573]. 

    Spearphishing

    GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient. 

    Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

    • Webhook[.]site
    • FrgeIO
    • InfinityFree
    • Dynu
    • Mocky
    • Pipedream
    • Mockbin[.]org

    The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

    CVE Usage

    Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

    Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE. 

    Post-Compromise TTPs

    After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

    The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the Python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as the one shown in Figure 2:

    C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

    Figure 2: Example Active Directory Domain Services command

    Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed Python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

    Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

    After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged Python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
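
    A detection sketch for two of the behaviours described above, the ntdsutil IFM snapshot shown in Figure 2 and event-log clearing with wevtutil, added here as an example and not taken from the advisory. The process-creation records, rule names and severity labels are constructed assumptions.

```python
import re

# ntdsutil "ifm ... create full <dir>" in the shape of Figure 2, matched
# case-insensitively and with or without the .exe suffix.
NTDS_IFM = re.compile(
    r'\bntdsutil(?:\.exe)?\b.*\bifm\b.*\bcreate\s+full\s+([^"\s]+)',
    re.IGNORECASE,
)
# Output directory shape from Figure 2: C:\temp\ plus three letters.
FIG2_PATH = re.compile(r'c:\\temp\\[a-z]{3}', re.IGNORECASE)
# wevtutil "cl" / "clear-log" followed by the name of the log being cleared.
WEVTUTIL_CLEAR = re.compile(
    r'\bwevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\s+"?([^"\s]+)',
    re.IGNORECASE,
)

# Constructed process-creation records: (host, user, command line).
SAMPLE_EVENTS = [
    ("DC01", "CORP\\svc-backup",
     r'C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm '
     r'"create full C:\temp\qzx" quit quit'),
    ("DC02", "CORP\\adm-lee",
     r'NTDSUTIL "activate instance ntds" IFM "create full D:\ifm\2025-05" quit quit'),
    ("WS114", "CORP\\jdoe", r'wevtutil.exe cl Security'),
    ("WS114", "CORP\\jdoe", r'wevtutil qe System /c:5 /f:text'),
    ("DC01", "CORP\\adm-lee", r'ntdsutil "activate instance ntds" files info quit quit'),
]


def triage(events):
    """Return one finding per suspicious command line, in input order."""
    findings = []
    for host, user, cmd in events:
        match = NTDS_IFM.search(cmd)
        if match:
            path = match.group(1)
            # An IFM snapshot can be legitimate DC provisioning, so only the
            # staging-path shape from Figure 2 is escalated automatically.
            severity = "high" if FIG2_PATH.fullmatch(path) else "review"
            findings.append({"host": host, "user": user, "rule": "ntds-ifm-dump",
                             "severity": severity, "detail": path})
        match = WEVTUTIL_CLEAR.search(cmd)
        if match:
            findings.append({"host": host, "user": user, "rule": "event-log-cleared",
                             "severity": "high", "detail": match.group(1)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

    Paths containing spaces are not captured by this sketch.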

    After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including: 

    • sender,
    • recipient,
    • train/plane/ship numbers,
    • point of departure,
    • destination,
    • container registration numbers,
    • travel route, and
    • cargo contents. 

    In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.

    Malware

    Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:

    • HEADLACE [7]
    • MASEPIE [8]

    While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise. 

    Persistence

    In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence. 

    Exfiltration

    GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure. 

    The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected. 

    Connections to Targeting of IP Cameras

    In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams. 

    The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 1
    Authorization: Basic
    User-Agent: WebClient
    Accept: application/sdp

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 2
    Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
    User-Agent: WebClient
    Accept: application/sdp

    Figure 3: Example RTSP request

    Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration. 
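
    One way to triage captured RTSP requests for the DESCRIBE activity described above, added here as an example and not taken from the advisory. The credential pairs, thresholds, addresses and sample requests are constructed assumptions; the sample requests follow the header layout of Figure 3.

```python
import base64
import binascii
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed placeholders standing in for a real default-credential list.
DEFAULT_CREDS = {"admin:admin", "admin:password"}


def parse_rtsp_request(raw):
    """Split a raw RTSP request into method, target host and headers."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("RTSP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    try:
        host = urlsplit(parts[1]).hostname or parts[1]
    except ValueError:
        host = parts[1]
    return {"method": parts[0].upper(), "host": host, "headers": headers}


def basic_credential(headers):
    """Decode an Authorization: Basic value; None when absent or empty."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<undecodable>"


def analyze(events, min_creds=3, min_targets=3):
    """Group DESCRIBE requests by source IP and label suspicious sources."""
    stats = defaultdict(lambda: {"targets": set(), "creds": defaultdict(set),
                                 "default": False})
    for src, raw in events:
        req = parse_rtsp_request(raw)
        if req is None or req["method"] != "DESCRIBE":
            continue
        entry = stats[src]
        entry["targets"].add(req["host"])
        cred = basic_credential(req["headers"])
        if cred is not None:
            entry["creds"][req["host"]].add(cred)
            entry["default"] = entry["default"] or cred in DEFAULT_CREDS
    findings = {}
    for src, entry in stats.items():
        reasons = []
        if len(entry["targets"]) >= min_targets:
            reasons.append("enumeration")
        if any(len(c) >= min_creds for c in entry["creds"].values()):
            reasons.append("credential-guessing")
        if entry["default"]:
            reasons.append("default-credentials")
        if reasons:
            findings[src] = reasons
    return findings


def sample_event(src, host, cred=None, cseq=1, method="DESCRIBE"):
    """Build one constructed (source IP, raw request) pair for the demo data."""
    lines = [f"{method} rtsp://{host}:554/ RTSP/1.0", f"CSeq: {cseq}"]
    if cred is not None:
        lines.append("Authorization: Basic " + base64.b64encode(cred.encode()).decode())
    lines += ["User-Agent: WebClient", "Accept: application/sdp", "", ""]
    return src, "\r\n".join(lines)


# Constructed sensor capture using documentation address ranges.
SAMPLE_EVENTS = [
    sample_event("198.51.100.7", "203.0.113.10", "admin:admin", 1),
    sample_event("198.51.100.7", "203.0.113.10", "admin:password", 2),
    sample_event("198.51.100.7", "203.0.113.10", "admin:letmein", 3),
    sample_event("198.51.100.99", "203.0.113.20"),
    sample_event("198.51.100.99", "203.0.113.21"),
    sample_event("198.51.100.99", "203.0.113.22"),
    sample_event("192.0.2.50", "203.0.113.10", "nvr:constructed-long-secret"),
    sample_event("192.0.2.50", "203.0.113.10", method="OPTIONS"),
    ("192.0.2.77", "GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

if __name__ == "__main__":
    for source, reasons in analyze(SAMPLE_EVENTS).items():
        print(source, reasons)
```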

    From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:

    Table 1: Geographic distribution of targeted IP cameras

    Country  | Percentage of Total Attempts
    Ukraine  | 81.0%
    Romania  | 9.9%
    Poland   | 4.0%
    Hungary  | 2.8%
    Slovakia | 1.7%
    Others   | 0.6%

    Mitigation Actions

    General Security Mitigations

    Architecture and Configuration

    • Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
      • Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
    • Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
    • Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
    • For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
    • Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
      • Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
    • Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
    • Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
      • Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
      • Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
      • Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
      • Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
    • Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
    • Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
    • Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
    • Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
    • Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.

    Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].


    Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
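
    The new-subdomain heuristic described above, sketched over resolver logs as an added example that is not part of the advisory. The log format, baseline cut-off and sample lines are constructed assumptions; webhook.site and mockbin.org are redirector services named on this page, and freehost.example is a placeholder.

```python
from datetime import datetime

# Watchlist entries in defanged "*.name[.]tld" form. The third entry is a
# constructed placeholder; load the real watchlist from your own blocklist.
WATCHLIST = ("*.webhook[.]site", "*.mockbin[.]org", "*.freehost[.]example")

# Assumption: queries before this instant form the known baseline.
BASELINE_END = datetime(2025, 5, 8)

# Constructed resolver log: "<ISO timestamp> <client IP> <query name>".
SAMPLE_LOG = """\
2025-05-01T08:00:03 10.0.4.21 docs.freehost.example
2025-05-03T11:30:10 10.0.4.35 docs.freehost.example.
2025-05-09T07:02:17 10.0.7.12 a1b2c3.webhook.site
2025-05-09T07:02:19 10.0.7.12 A1B2C3.Webhook.Site
2025-05-09T07:40:00 10.0.7.15 a1b2c3.webhook.site
2025-05-09T09:15:41 10.0.4.21 docs.freehost.example
2025-05-09T10:05:00 10.0.9.8 notwebhook.site
2025-05-09T10:06:00 10.0.9.8 login.portal.mockbin.org
2025-05-09T10:07:00 10.0.9.8 www.example.com
this line is malformed
"""


def normalize(name):
    """Lower-case, re-fang '[.]', drop a '*.' prefix and the trailing root dot."""
    name = name.strip().lower().replace("[.]", ".").rstrip(".")
    return name[2:] if name.startswith("*.") else name


SUFFIXES = tuple(normalize(entry) for entry in WATCHLIST)


def watched_parent(qname):
    """Return the watched suffix if qname is a strict subdomain of one."""
    name = normalize(qname)
    for suffix in SUFFIXES:
        # Compare on a label boundary so 'notwebhook.site' is not a hit.
        if name.endswith("." + suffix):
            return suffix
    return None


def parse_line(line):
    """Parse one log line into (time, client, name); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return when, parts[1], normalize(parts[2])


def find_new_subdomains(log_text, baseline_end=BASELINE_END):
    """Report watched-provider subdomains first queried after the baseline."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    watched = [(w, c, n, watched_parent(n)) for w, c, n in records]
    watched = [r for r in watched if r[3] is not None]
    # First pass: names already seen during the baseline window.
    baseline = {name for when, _, name, _ in watched if when < baseline_end}
    hits = {}
    # Second pass: aggregate every post-baseline query for unseen names.
    for when, client, name, provider in watched:
        if when < baseline_end or name in baseline:
            continue
        hit = hits.setdefault(name, {"name": name, "provider": provider,
                                     "first_seen": when, "clients": set(),
                                     "queries": 0})
        hit["first_seen"] = min(hit["first_seen"], when)
        hit["clients"].add(client)
        hit["queries"] += 1
    result = sorted(hits.values(), key=lambda h: h["first_seen"])
    for hit in result:
        hit["clients"] = sorted(hit["clients"])
    return result


if __name__ == "__main__":
    for hit in find_new_subdomains(SAMPLE_LOG):
        print(hit["first_seen"].isoformat(), hit["name"], hit["clients"])
```

    The client list on each hit gives the hosts to review first when a new subdomain turns out to be a phishing redirector.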

    Identity and Access Management

    Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques: 

    • Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
    • Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
    • Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
    • Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
      • For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
    • Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
    • Use account throttling or account lockout [D3-ANET]:
      • Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
      • Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
      • Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
      • If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
    • Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
    • Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
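
    The compromised-password check mentioned above works without disclosing the password because only the first five hex characters of its SHA-1 digest are sent, and the comparison against the returned suffixes happens locally. The following is an added example, not part of the advisory; it assumes the public Pwned Passwords range endpoint, and `RecordingRange` is a constructed offline stand-in so the logic can be run without network access.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_https(prefix):
    """Query the live range endpoint. Only the 5-character prefix is transmitted."""
    request = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        # Add-Padding asks the service to pad responses with zero-count
        # entries so the response size does not hint at the prefix.
        headers={"Add-Padding": "true", "User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("ascii")


def pwned_count(password, fetch_range=fetch_range_https):
    """Return how often the password appears in the breach corpus (0 if absent).

    The response is a list of "SUFFIX:COUNT" lines for every known hash that
    shares the prefix; the match is decided locally.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


class RecordingRange:
    """Constructed offline stand-in for the endpoint that records what it was sent."""

    def __init__(self, breached):
        self.requests = []
        self.by_prefix = {}
        for password, count in breached.items():
            prefix, suffix = split_hash(password)
            self.by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")

    def __call__(self, prefix):
        self.requests.append(prefix)
        padding = "0" * 35 + ":0"  # padding-style entry with a zero count
        return "\r\n".join(self.by_prefix.get(prefix, []) + [padding])


if __name__ == "__main__":
    service = RecordingRange({"password": 12345})  # constructed breach count
    for candidate in ("password", "correct horse battery staple 7!"):
        print(candidate, "->", pwned_count(candidate, service))
    print("values that left the host:", service.requests)
```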

    IP Camera Mitigations

    The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:

    • Ensure IP cameras are currently supported. Replace devices that are out of support.
    • Apply security patches and firmware updates to all IP cameras [D3-SU].
    • Disable remote access to the IP camera, if unnecessary [D3-ITF].
    • Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
    • If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
    • Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
    • Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
    • If supported, enable authenticated RTSP access only [D3-AA].
    • Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
    • Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
    • Configure, tune, and monitor logging—if available—on the IP camera.

    Indicators of Compromise (IOCs)

    Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.

    Utilities and scripts

    Legitimate utilities

    Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:

    • ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
    • wevtutil – A legitimate Windows executable used by threat actors to delete event logs
    • vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
    • ADexplorer – A legitimate Windows executable to view, edit, and back up Active Directory Certificate Services
    • OpenSSH – The Windows version of a legitimate open source SSH client
    • schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
    • whoami – A legitimate Windows executable used to retrieve the name of the current user
    • tasklist – A legitimate Windows executable used to retrieve the list of running processes
    • hostname – A legitimate Windows executable used to retrieve the device name
    • arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
    • systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
    • net – A legitimate Windows executable used to retrieve detailed user information
    • wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
    • cacls – A legitimate Windows executable used to modify permissions on files
    • icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
    • ssh – A legitimate Windows executable used to establish network shell connections
    • reg – A legitimate Windows executable used to add to or modify the system registry 

    Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

    Malicious scripts

    • Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
    • Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
    • ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
    • Hikvision backdoor string: “YWRtaW46MTEK”

    Suspicious command lines

    While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:

    • edge.exe "-headless-new -disable-gpu"
    • ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
    • ssh -Nf
    • schtasks /create /xml
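
    A hunting sketch for the four command lines above, run over process-creation events; this is an added example, not code from the advisory. The event layout `(host, command line)`, the rule names and the sample events are constructed, and the regular expressions are one interpretation of the listed patterns. Hosts that trip several distinct rules are ranked first, since each command line on its own may be legitimate.

```python
import re

# Executable names match with or without ".exe"; Windows arguments are
# treated case-insensitively.
EDGE_HEADLESS = re.compile(
    r"(?i)\b(?:ms)?edge(?:\.exe)?\b.*-headless[=-]new\b.*-disable-gpu\b")
NTDSUTIL_IFM = re.compile(
    r"(?i)\bntdsutil(?:\.exe)?\b.*activate instance ntds.*\bifm\b"
    r".*create full\s+c:\\temp\\[a-z]{3}\b")
SCHTASKS_XML = re.compile(r"(?i)\bschtasks(?:\.exe)?\b.*/create\b.*/xml\b")
# Captures everything after an ssh / ssh.exe image name (bare, pathed or quoted).
SSH_ARGS = re.compile(r'(?i)(?:^|[\\/\s"])ssh(?:\.exe)?"?\s+(.*)$')


def ssh_flag_letters(cmdline):
    """Return the single-letter ssh options used, or None if this is not ssh.

    ssh options are case-sensitive (-f is not -F), so the letters are
    collected as written; "-Nf", "-fN" and "-N -f" all yield {"N", "f"}.
    """
    match = SSH_ARGS.search(cmdline)
    if not match:
        return None
    letters = set()
    for token in match.group(1).split():
        if re.fullmatch(r"-[A-Za-z0-9]+", token):
            letters.update(token[1:])
    return letters


def classify(cmdline):
    """Return the names of all rules the command line matches."""
    hits = []
    if EDGE_HEADLESS.search(cmdline):
        hits.append("edge_headless")
    if NTDSUTIL_IFM.search(cmdline):
        hits.append("ntdsutil_ifm_temp")
    letters = ssh_flag_letters(cmdline)
    if letters is not None and {"N", "f"} <= letters:
        hits.append("ssh_Nf")
    if SCHTASKS_XML.search(cmdline):
        hits.append("schtasks_create_xml")
    return hits


def hunt(events):
    """Group hits by host, most distinct rules first, then by host name."""
    by_host = {}
    for host, cmdline in events:
        for rule in classify(cmdline):
            by_host.setdefault(host, []).append((rule, cmdline))
    report = [
        {"host": host, "rules": sorted({rule for rule, _ in hits}), "events": hits}
        for host, hits in by_host.items()
    ]
    report.sort(key=lambda row: (-len(row["rules"]), row["host"]))
    return report


# Constructed process-creation events: (host, command line).
SAMPLE_EVENTS = [
    ("ws-014", r'cmd.exe /c start "" msedge --headless=new --disable-gpu "https://collector.example/a"'),
    ("ws-014", r"schtasks /create /tn Sync /xml C:\ProgramData\sync.xml"),
    ("dc-01", r'ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\qzx" quit quit'),
    ("dc-02", r'ntdsutil.exe "activate instance ntds" ifm "create full D:\Backups\ifm" quit quit'),
    ("ws-020", r'"C:\ProgramData\ssh.exe" -N -f -p 443 svc@relay.example'),
    ("ws-021", r"ssh -F C:\Users\dev\.ssh\config build01.example"),
    ("ws-022", r"schtasks /query /fo LIST"),
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["host"], row["rules"])
```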

    Outlook CVE Exploitation IOCs

    Commonly Used Webmail Providers

    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz

    Malicious Archive Filenames Involving CVE-2023-38831

    • calc.war.zip
    • news_week_6.zip
    • Roadmap.zip
    • SEDE-PV-2023-10-09-1_EN.zip
    • war.zip
    • Zeyilname.zip

    Brute Forcing IP Addresses

    Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

    Detections

    Customized NTLM listener

    rule APT28_NTLM_LISTENER {
           meta:
                  description = "Detects NTLM listeners including APT28's custom one"
           strings:
                  $command_1 = "start-process powershell.exe -WindowStyle hidden"
                  $command_2 = "New-Object System.Net.HttpListener"
                  $command_3 = "Prefixes.Add('http://localhost:8080/')"
                  $command_4 = "-match 'Authorization'"
                  $command_5 = "GetValues('Authorization')"
                  $command_6 = "Request.RemoteEndPoint.Address.IPAddressToString"
                  $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
                  $command_8 = ".AllKeys"

                  $variable_1 = "$NTLMAuthentication" nocase
                  $variable_2 = "$NTLMType2" nocase
                  $variable_3 = "$listener" nocase
                  $variable_4 = "$hostip" nocase
                  $variable_5 = "$request" nocase
                  $variable_6 = "$ntlmt2" nocase
                  $variable_7 = "$NTLMType2Response" nocase
                  $variable_8 = "$buffer" nocase
           condition:
                  5 of ($command_*)
                  or
                  all of ($variable_*)
    }

    HEADLACE shortcut

    rule APT28_HEADLACE_SHORTCUT {
           meta:
                  description = "Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting."
           strings:
                  $type = "[InternetShortcut]" ascii nocase
                  $url  = "file://"
                  $edge = "msedge.exe"
                  $icon = "IconFile"
           condition:
                  all of them
    }

    HEADLACE credential dialog box phishing

    rule APT28_HEADLACE_CREDENTIALDIALOG {
           meta:
                  description = "Detects scripts used by APT28 to lure user into entering credentials"
           strings:
                  $command_1 = "while($true)"
                  $command_2 = "Get-Credential $(whoami)"
                  $command_3 = "Add-Content"
                  $command_4 = ".UserName"
                  $command_5 = ".GetNetworkCredential().Password"
                  $command_6 = "GetNetworkCredential().Password.Length -ne 0"
           condition:
                  5 of them
    }

    HEADLACE core script

    rule APT28_HEADLACE_CORE {
           meta:
                  description = "Detects HEADLACE core batch scripts"
           strings:
                  // Double quotes inside a YARA string must be escaped as \"
                  $chcp = "chcp 65001" ascii
                  $headless = "start \"\" msedge --headless=new --disable-gpu" ascii

                  $command_1 = "taskkill /im msedge.exe /f" ascii
                  $command_2 = "whoami>\"%programdata%" ascii
                  $command_3 = "timeout" ascii
                  $command_4 = "copy \"%programdata%" ascii
                  $non_generic_del_1 = "del /q /f \"%programdata%" ascii
                  $non_generic_del_3 = "del /q /f \"%userprofile%\\Downloads" ascii

                  $generic_del = "del /q /f" ascii
           condition:
                  (
                          $chcp
                          and
                          $headless
                  )
                  and
                  (
                          1 of ($non_generic_del_*)
                          or
                          ($generic_del)
                          or
                          3 of ($command_*)
                  )
    }

    MASEPIE

    rule APT28_MASEPIE {
           meta:
                  description = "Detects MASEPIE python script"
           strings:
                  $masepie_unique_1 = "os.popen('whoami').read()"
                  $masepie_unique_2 = "elif message == 'check'"
                  $masepie_unique_3 = "elif message == 'send_file':"
                  $masepie_unique_4 = "elif message == 'get_file'"
                  $masepie_unique_5 = "enc_mes('ok'"
                  $masepie_unique_6 = "Bad command!'.encode('ascii'"
                  $masepie_unique_7 = "{user}{SEPARATOR}{k}"
                  // The inner double quote is escaped so the string is valid YARA
                  $masepie_unique_8 = "raise Exception(\"Reconnect"
           condition:
                  3 of ($masepie_unique_*)
    }

    STEELHOOK

    rule APT28_STEELHOOK {
           meta:
                  description = "Detects APT28's STEELHOOK powershell script"
           strings:
                  // The path separators in $s_1 to $s_4 were missing from this copy of
                  // the rule. They are restored here as single backslashes (written \\
                  // in YARA), which is an assumption; compare with the published
                  // advisory before deploying.
                  $s_1 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State)"
                  $s_2 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data)"
                  $s_3 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Local State)"
                  $s_4 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Login Data)"
                  $s_5 = "os_crypt.encrypted_key"
                  $s_6 = "System.Security.Cryptography.DataProtectionScope"
                  $s_7 = "[system.security.cryptography.protectdata]::Unprotect"
                  $s_8 = "Invoke-RestMethod"
           condition:
                  all of them
    }

    PSEXEC

    rule GENERIC_PSEXEC {
           meta:
                  description = "Detects SysInternals PSEXEC executable"
           strings:
                  // Backslashes between path components were missing from this copy
                  // and are restored (written \\ in YARA); any leading separators of
                  // the original strings are not reconstructed.
                  $sysinternals_1 = "SYSINTERNALS SOFTWARE LICENCE TERMS"
                  $sysinternals_2 = "/accepteula"
                  $sysinternals_3 = "Software\\Sysinternals"
                  $network_1 = "%s\\IPC$"
                  $network_2 = "%s\\ADMIN$\\%s"
                  $network_3 = "Device\\LanmanRedirector\\%s\\ipc$"
                  $psexec_1 = "PSEXESVC"
                  $psexec_2 = "PSEXEC-{}-"
                  $psexec_3 = "Copying %s to %s..."
                  $psexec_4 = "gPSINFSVC"
           condition:
                  (
                          // "MZ" DOS header followed by a "PE" signature
                          ( uint16( 0x0 ) == 0x5a4d )
                          and
                          ( uint16( uint32( 0x3c )) == 0x4550 )
                  )
                  and
                          filesize < 1024KB
                  and
                  (
                          ( any of ($sysinternals_*) and any of ($psexec_*) )
                          or
                          ( 2 of ($network_*) and 2 of ($psexec_*))
                  )
    }

    The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G0007 and commonly used within the cybersecurity community: 

    • APT28 [14]
    • Fancy Bear [14]
    • Forest Blizzard [14]
    • Blue Delta [15]

    Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.

    Further Reference

    To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc. 

    For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule:
    https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar

    Works Cited

    [1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/  
    [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF   
    [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF 
    [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/  
    [5] ANSSI. Targeting and compromise of french entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/   
    [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/ 
    [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/ 
    [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894 
    [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF  
    [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF 
    [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html 
    [12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF  
    [13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF

    [14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian  
    [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf  
     

    Disclaimer of endorsement

    The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

    Purpose

    This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

    Contact

    United States organizations

    • National Security Agency (NSA)
    • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
      • U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
    • Department of Defense Cyber Crime Center (DC3)

    United Kingdom organizations

    Germany organizations

    Czech Republic organizations

    Poland organizations

    Australian organizations

    • Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

    Canadian organizations

    Estonia organizations

    French organizations

    • French organizations are encouraged to report suspicious activity or incidents related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18.

    See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.

    Table 2: Reconnaissance
    Tactic/Technique Title | ID | Use
    Reconnaissance | TA0043 | Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
    Gather Victim Identity Information: Email Addresses | T1589.002 | Conducted contact information reconnaissance to identify additional targets in key positions.
    Gather Victim Org Information | T1591 | Conducted reconnaissance of the cybersecurity department.
    Gather Victim Org Information: Identify Roles | T1591.004 | Conducted reconnaissance of individuals responsible for coordinating transport.
    Gather Victim Org Information: Business Relationships | T1591.002 | Conducted reconnaissance of other companies cooperating with the victim entity.
    Gather Victim Host Information | T1592 | Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.

    Table 3: Resource development
    Tactic/Technique Title | ID | Use
    Compromise Accounts: Email Accounts | T1586.002 | Sent phishing emails using compromised accounts.
    Compromise Accounts: Cloud Accounts | T1586.003 | Sent phishing emails using compromised accounts.

    Table 4: Initial Access
    Tactic/Technique Title | ID | Use
    Trusted Relationship | T1199 | Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
    Phishing | T1566 | Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
    Phishing: Spearphishing Attachment | T1566.001 | Sent emails with malicious attachments.
    Phishing: Spearphishing Link | T1566.002 | Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
    Phishing: Spearphishing Voice | T1566.004 | Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
    External Remote Services | T1133 | Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
    Exploit Public-Facing Application | T1190 | Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
    Content Injection | T1659 | Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.

    Table 5: Execution
    Tactic/Technique Title | ID | Use
    User Execution: Malicious Link | T1204.001 | Used malicious links to hosted shortcuts in spearphishing.
    User Execution: Malicious File | T1204.002 | Delivered malware executables via spearphishing.
    Scheduled Task/Job: Scheduled Task | T1053.005 | Used scheduled tasks to establish persistence.
    Command and Scripting Interpreter | T1059 | Delivered scripts in spearphishing. Executed arbitrary shell commands.
    Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell commands were often used to prepare data for exfiltration.
    Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Used BAT script in spearphishing.
    Command and Scripting Interpreter: Visual Basic | T1059.005 | Used VBScript in spearphishing.
    Command and Scripting Interpreter: Python | T1059.006 | Installed python on infected machines to enable the execution of Certipy.

    Table 6: Persistence
    Tactic/Technique Title | ID | Use
    Account Manipulation: Additional Email Delegate Permissions | T1098.002 | Used manipulation of mailbox permissions to establish sustained email collection.
    Modify Authentication Process: Multi-Factor Authentication | T1556.006 | Enrolled compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access.
    Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 | Used DLL search order hijacking to facilitate malware execution.
    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | Used run keys to establish persistence.
    Boot or Logon Autostart Execution: Shortcut Modification | T1547.009 | Placed malicious shortcuts in the startup folder to establish persistence.

    Table 7: Defense Evasion
    Tactic/Technique Title | ID | Use
    Indicator Removal: Clear Windows Event Logs | T1070.001 | Deleted event logs through the wevtutil utility.

    Table 8: Credential access 
    Tactic/Technique Title | ID | Use
    Brute Force |  | Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
    Brute Force: Password Guessing | T1110.001 | Used credential guessing to gain initial access to targeted entities.
    Brute Force: Password Spraying | T1110.003 | Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
    Multi-Factor Authentication Interception |  | Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
    Input Capture |  | Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
    Forced Authentication |  | Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
    OS Credential Dumping: NTDS | T1003.003 | Attempted to dump Active Directory NTDS.dit domain databases.
    Unsecured Credentials: Group Policy Preferences | T1552.006 | Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py.

    Table 9: Discovery
    Tactic/Technique Title | ID | Use
    Account Discovery: Domain Account | T1087.002 | Used a modified ldap-dump.py to enumerate the Windows environment.

    Table 10: Command and Control
    Tactic/Technique Title | ID | Use
    Hide Infrastructure | T1665 | Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
    Proxy: External Proxy | T1090.002 | Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.
    Proxy: Multi-hop Proxy | T1090.003 | Used Tor and commercial VPNs as part of their anonymization infrastructure.
    Encrypted Channel | T1573 | Connected to victim infrastructure using encrypted TLS.
    Multi-Stage Channels | T1104 | Used multi-stage redirectors for campaigns.

    Table 11: Defense evasion (mobile framework)
    Tactic/Technique Title | ID | Use
    Execution Guardrails |  | Used multi-stage redirectors to verify browser fingerprints in some campaigns.
    Execution Guardrails: Geofencing | T1627.001 | Used multi-stage redirectors to verify IP-geolocation in some campaigns.

    Table 12: Lateral movement
    Tactic/Technique Title | ID | Use
    Lateral Movement |  | Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
    Remote Services: Remote Desktop Protocol | T1021.001 | Moved laterally within the network using RDP.

    Table 13: Collection
    Tactic/Technique Title | ID | Use
    Email Collection |  | Retrieved sensitive data from email servers.
    Email Collection: Remote Email Collection | T1114.002 | Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers.
    Automated Collection |  | Used periodic EWS queries to collect new emails.
    Video Capture |  | Attempted to gain access to the cameras’ feeds.
    Archive Collected Data |  | Accessed files were archived in .zip files prior to exfiltration.
    Archive Collected Data: Archive via Utility | T1560.001 | Prepared zip archives for upload to the actors’ infrastructure.

    Table 14: Exfiltration
    Tactic/Technique Title | ID | Use
    Exfiltration Over Alternative Protocol |  | Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.
    Scheduled Transfer |  | Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.

    Appendix B: CVEs exploited

    Table 15: Exploited CVE information
    CVE | Vendor/Product | Details
    CVE-2023-38831 | RARLAB WinRAR | Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
    CVE-2023-23397 | Microsoft Outlook | External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.
    CVE-2021-44026 | Roundcube Webmail | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params.
    CVE-2020-35730 | Roundcube Webmail | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
    CVE-2020-12641 | Roundcube Webmail | Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.

    Appendix C: MITRE D3FEND Countermeasures

    Table 16: MITRE D3FEND countermeasures

    | Countermeasure Title | ID | Details |
    |---|---|---|
    | Network Isolation | | Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers. |
    | Access Mediation | | Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. |
    | Inbound Traffic Filtering | | Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement. |
    | Resource Access Pattern Analysis | | Use automated tools to audit access logs for security concerns and identify anomalous access requests. |
    | Outbound Traffic Filtering | | Block NTLM/SMB requests to external infrastructure. |
    | Platform Monitoring | | Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers. |
    | System File Analysis | | Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly. |
    | Application Hardening | | Enable optional security features in Windows to harden endpoints and mitigate initial access techniques. |
    | Application-based Process Isolation | | Enable attack surface reduction rules to prevent executable content from email. |
    | Executable Allowlisting | | Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%. |
    | Execution Isolation | | Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts. |
    | Application Configuration Hardening | | Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.). |
    | Process Spawn Analysis | | Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters. |
    | URL Reputation Analysis | | Use services that provide enhanced browsing services and safe link checking. |
    | Network Access Mediation | | Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible. |
    | DNS Denylisting | D3-DNSDL | Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors. |
    | Domain Name Reputation Analysis | | Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims. |
    | Multi-factor Authentication | | Use MFA with strong factors and require regular re-authentication, especially for management accounts. |
    | Job Function Access Pattern Analysis | D3-JFAPA | Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts. |
    | User Account Permissions | | Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected. |
    | Token-based Authentication | | Reduce reliance on passwords; instead, consider using services like single sign-on. |
    | Credential Hardening | | Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts. |
    | Authentication Event Thresholding | | Use account throttling or account lockout. Throttling progressively increases time delay between successive login attempts. If using account lockout, allow between 5 and 10 attempts before lockout. |
    | Strong Password Policy | | Use a service to check for compromised passwords before using them. |
    | Credential Rotation | | Change all default credentials. |
    | Encrypted Tunnels | | Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices. |
    | Software Update | | Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life. |
    | Agent Authentication | | Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only. |
    | User Behavior Analysis | | Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity. |
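
    The new-subdomain heuristic from the Domain Name Reputation Analysis row, combined with the watch on hosting and API mocking services from the DNS Denylisting row, as an added example that is not part of the advisory. The parent domains, log layout and addresses are constructed placeholders; substitute the services your organisation has chosen to watch.

```python
"""First-seen subdomain heuristic over DNS query logs (defensive triage)."""
from collections import defaultdict

# Hypothetical placeholder parents standing in for hosting / API mocking
# services; this section of the advisory names no specific services.
WATCHED_PARENTS = {"freehost.example", "apimock.example"}

# Constructed logs, one query per line: "<timestamp> <client-ip> <name>"
BASELINE_LOG = """\
2025-05-01T09:00:00Z 10.0.0.5 docs.freehost.example.
2025-05-01T09:05:00Z 10.0.0.8 www.example.org
2025-05-01T10:00:00Z 10.0.0.5 api.apimock.example
"""
TODAY_LOG = """\
2025-05-02T08:00:00Z 10.0.0.5 docs.freehost.example
2025-05-02T08:01:00Z 10.0.0.9 Login-Portal.FreeHost.example.
2025-05-02T08:03:00Z 10.0.0.12 login-portal.freehost.example
2025-05-02T08:04:00Z 10.0.0.9 x1.apimock.example
2025-05-02T08:05:00Z 10.0.0.7 notfreehost.example
2025-05-02T08:06:00Z 10.0.0.7 new.example.org
malformed line
"""


def normalise(name):
    """Lower-case and drop the trailing root dot so variants compare equal."""
    return name.strip().rstrip(".").lower()


def watched_parent(fqdn, parents):
    """Return the watched parent if fqdn is a strict subdomain of one.

    Matching is done on whole labels, so 'notfreehost.example' does not
    match 'freehost.example', and the parent itself is not a subdomain.
    """
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in parents:
            return candidate
    return None


def parse(log_text):
    """Yield (timestamp, client, normalised name); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[0], parts[1], normalise(parts[2])


def first_seen_subdomains(baseline_log, new_log, parents=WATCHED_PARENTS):
    """Map each never-before-seen watched subdomain to who requested it."""
    known = {name for _, _, name in parse(baseline_log)}
    hits = defaultdict(lambda: {"parent": None, "first_seen": None, "clients": set()})
    for ts, client, name in parse(new_log):
        parent = watched_parent(name, parents)
        if parent is None or name in known:
            continue
        entry = hits[name]
        entry["parent"] = parent
        # ISO 8601 UTC timestamps sort correctly as strings.
        entry["first_seen"] = min(ts, entry["first_seen"] or ts)
        entry["clients"].add(client)
    return {
        name: {
            "parent": e["parent"],
            "first_seen": e["first_seen"],
            "clients": sorted(e["clients"]),
        }
        for name, e in sorted(hits.items())
    }


if __name__ == "__main__":
    for name, info in first_seen_subdomains(BASELINE_LOG, TODAY_LOG).items():
        print(name, info)
```

    The client list per new subdomain is what lets an administrator scope which users received the same link.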

    MIL OSI USA News

  • MIL-OSI USA: Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies

    News In Brief – Source: US Computer Emergency Readiness Team

    Today, CISA, the National Security Agency, the Federal Bureau of Investigation, and other U.S. and international partners released a joint Cybersecurity Advisory, Russian GRU Targeting Western Logistics Entities and Technology Companies.  

    This advisory details a Russian state-sponsored cyber espionage-oriented campaign targeting technology companies and logistics entities, including those involved in the coordination, transport, and delivery of foreign assistance to Ukraine.

    Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, military unit 26165 cyber actors are using a mix of previously disclosed tactics, techniques, and procedures (TTPs) and are likely connected to these actors’ widescale targeting of IP cameras in Ukraine and bordering NATO nations.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise, and posture network defenses with a presumption of targeting. For more information on Russian state-sponsored threat actor activity, see CISA’s Russia Cyber Threat Overview and Advisories page.

    MIL OSI USA News

  • MIL-OSI USA: Action Taken on Legislation by Governor Phil Scott – May 21, 2025

    Source: US State of Vermont

    Montpelier, Vt. – Governor Phil Scott announced action on the following bills, passed by the General Assembly.

    On May 21, Governor Scott signed bills of the following titles:

    • H.398, An act relating to the Vermont Economic Development Authority
    • H.493, An act relating to making appropriations for the support of the government
    • S.44, An act relating to authorization to enter into certain immigration agreements
    • S.56, An act relating to creating an Office of New Americans

    When signing H.493, Governor Scott sent the following letter to the General Assembly:

    Dear Ms. Wrask:

    Today, I’m signing H.493, An act relating to making appropriations for the support of government.

    I appreciate that this budget makes important affordability investments – most notably the $77 million general fund transfer to the education fund to help stabilize property taxes this year, and $13.5 million in much needed, targeted tax relief for young families, lower income, working Vermonters and seniors on fixed incomes. 

    However, affordability must also be about getting state government and public education on a sustainable fiscal path; fixing systemic policy issues that make homebuilding, homeownership and rent far too expensive; and keeping and attracting the workers and employers we need for a strong economy. While I can support this budget, we have not yet done nearly enough to address these other areas. 

    Specifically, although this budget spends $30 million less in general fund base compared to the Senate version, it still spends $20 million more than my proposal. It also creates roughly 70 unique one-time appropriations. Neither would be sustainable under a more modest – and typical – revenue environment.

    Outside of the budget, we must complete the work to transform our education system, starting with H.454, An act relating to transforming Vermont’s education governance, quality and finance systems. I proposed the $77 million transfer in the budget as a bridge to a structurally transformed and fiscally efficient public education system in the near term.

    We need to follow through on reform.

    And I urge the Legislature to pass the housing legislation I proposed at the start of the session so the housing Vermonters so desperately need can be built. 

    While not perfect, H.493 makes critical investments in affordability, housing, education and public safety. But we must focus on the policy bills that fix what’s broken so the funding can have its intended impact.

    Sincerely,

    /s/

    Philip B. Scott

    Governor

    To view a complete list of action on bills passed during the 2025 legislative session, click here.

    ###

    MIL OSI USA News

  • MIL-OSI USA: Lt. Gov. Luke – VNR – Hawaiʻi Schools Win ‘Super Sleuth’ Award in Internet Speeds Mapping Effort

    Source: US State of Hawaii

    Lt. Gov. Luke – VNR – Hawaiʻi Schools Win ‘Super Sleuth’ Award in Internet Speeds Mapping Effort

    Posted on May 20, 2025 in Latest Department News, Newsroom

    STATE OF HAWAIʻI
    KA MOKU ʻĀINA O HAWAIʻI

     

    SYLVIA LUKE
    LIEUTENANT GOVERNOR
    KE KEʻENA O KA HOPE KIAʻĀINA

    FOR IMMEDIATE RELEASE

    May 20, 2025

    Hawaiʻi Schools Win ‘Super Sleuth’ Award in Internet Speeds Mapping Effort

    Connect Kākou’s Digital Detectives Initiative included 6,000 participants statewide

    Lt. Gov. Luke with Robert Louis Stevenson Middle School (left) and Kona Pacific Charter School (right).

     

    (Videos/Photos Courtesy: Connect Kākou)

    HONOLULU – Lieutenant Governor Sylvia Luke announced today that more than 6,000 Hawaiʻi residents, many of them students, participated in the Digital Detectives campaign to map internet speeds across the state. Part of the Connect Kākou initiative, Digital Detectives aimed to close the digital divide by identifying areas in need of urgent broadband infrastructure improvements.

    By taking a simple 30-second internet speed test last October, residents provided valuable data to help ensure federal funding is directed where it is most needed. Classes from Robert Louis Stevenson Middle School and Kona Pacific Charter School received the top Digital Detectives Super Sleuth Awards for student participation and classroom reporting. The classes received a visit from Lieutenant Governor Luke and a gift card for classroom supplies.

    “Thanks to the thousands of students and their teachers who participated in Digital Detectives, we now have a clearer picture of Hawaiʻi’s internet speeds and where improvements are most needed,” said Lieutenant Governor Luke. “Reliable internet is crucial for education, future careers, and so much more. We were thrilled to see so many students taking part in shaping a more connected future for our state.”

    “Digital Detectives encouraged our students to become active participants in expanding internet access for their communities,” said Ken Hiraki, executive director of the Public Schools Foundation. “By turning a simple classroom activity into meaningful data for our state, students had a front row seat to civic engagement and real-world impact.”

    Results from the internet speed tests have been aggregated to provide a more comprehensive view of connectivity across the state. Construction of fiber-optic internet lines in underserved areas is expected to begin as early as this year.

    Connect Kākou is a State of Hawai‘i initiative led by Lieutenant Governor Luke, in collaboration with the Hawai‘i Broadband and Digital Equity Office (HBDEO), the University of Hawai‘i, the Department of Hawaiian Home Lands (DHHL), and multiple state and county agencies. Connect Kākou is working to ensure people from all walks of life have reliable access to high-speed internet and the tools and knowledge to safely and confidently use the internet. Visit www.connectkakou.org to learn more.

    # # #

    Media Contact:

    Shari Nishijima

    Communications Director

    Office of the Lieutenant Governor

    Cell: (808) 978-0867

    Jordan Ozaki

    iQ 360 Inc.

    Cell: (808) 294-7712

    MIL OSI USA News

  • MIL-OSI USA: DBEDT NEWS RELEASE: HAWAI‘I APRIL UNEMPLOYMENT RATE REMAINS AT 2.9 PERCENT

    Source: US State of Hawaii

    DBEDT NEWS RELEASE: HAWAI‘I APRIL UNEMPLOYMENT RATE REMAINS AT 2.9 PERCENT

    Posted on May 20, 2025 in Latest Department News, Newsroom

     

     

    STATE OF HAWAIʻI

    KA MOKU ʻĀINA O HAWAIʻI

    JOSH GREEN, M.D.
    GOVERNOR

    KE KIAʻĀINA

    DEPARTMENT OF BUSINESS, ECONOMIC DEVELOPMENT AND TOURISM

    KA ʻOIHANA HOʻOMOHALA PĀʻOIHANA, ʻIMI WAIWAI A HOʻOMĀKAʻIKAʻI

     

    RESEARCH AND ECONOMIC ANALYSIS DIVISION

     

    JAMES KUNANE TOKIOKA

    DIRECTOR

    KA LUNA HOʻOKELE

     

    DR. EUGENE TIAN

    CHIEF STATE ECONOMIST

    HAWAI‘I APRIL UNEMPLOYMENT RATE REMAINS AT 2.9 PERCENT 

    Jobs Increased by 17,000 Year-Over-Year

    FOR IMMEDIATE RELEASE

    May 20, 2025

    HONOLULU — The Hawai‘i State Department of Business, Economic Development and Tourism (DBEDT) today announced that the seasonally adjusted unemployment rate for April was 2.9 percent, the same as in March. In April, 668,650 persons were employed and 19,650 were unemployed, for a total seasonally adjusted labor force of 688,300 statewide. Nationally, the seasonally adjusted unemployment rate was 4.2 percent in April, the same as in March.

    The unemployment rate figures for the state of Hawai‘i and the U.S. in this release are seasonally adjusted in accordance with U.S. Bureau of Labor Statistics (BLS) methodology. The not-seasonally adjusted rate for the state was 2.5 percent in April, compared to 2.4 percent in March.

    Industry Payroll Employment (Establishment Survey)

    In a separate measure of employment, total nonagricultural jobs increased by 1,500 month-over-month, from March 2025 to April 2025. Job gains were experienced in Leisure & Hospitality (+1,900); Private Education & Health Services (+1,100); Trade, Transportation & Utilities (+500); Professional & Business Services (+400); Construction (+300); and Information (+100). Within Leisure & Hospitality, the rise in employment primarily occurred in Food Services & Drinking Places. Within Private Education & Health Services, the bulk of job gains were spread out over the subsectors of Health Care & Social Assistance. Employment in Manufacturing remained unchanged. Job losses occurred in Financial Activities (-200); and Other Services (-200). Government employment went down by 2,400 jobs, primarily due to below average over-the-month change in staffing at both the Department of Education and the University of Hawai‘i system. Year-over-year, nonfarm jobs have gone up by 17,000, or 2.7 percent.

     

    Technical Notes:

    Labor Force Components

    The concepts and definitions used by the Local Area Unemployment Statistics (LAUS) program are the same as those used in the Current Population Survey for the national labor force data:

    • Civilian labor force. Included are all persons in the civilian noninstitutional population ages 16 and older classified as either employed or unemployed. (See the definitions below.)
    • Employed persons. These are all persons who, during the reference week (the week including the twelfth day of the month), (a) did any work as paid employees, worked in their own business or profession or on their own farm, or worked 15 hours or more as unpaid workers in an enterprise operated by a member of their family, or (b) were not working but who had jobs from which they were temporarily absent because of vacation, illness, bad weather, childcare problems, maternity or paternity leave, labor-management dispute, job training, or other family or personal reasons, whether or not they were paid for the time off or were seeking other jobs. Each employed person is counted only once, even if he or she holds more than one job.
    • Unemployed persons. Included are all persons who had no employment during the reference week, were available for work, except for temporary illness and had made specific efforts to find employment sometime during the four-week period ending with the reference week. Persons who were waiting to be recalled to a job from which they had been laid off need not have been looking for work to be classified as unemployed.
    • Unemployment rate. The unemployed percent of the civilian labor force [i.e., 100 times (unemployed/civilian labor force)].

    Seasonal Adjustment

    The seasonal fluctuations in the number of employed and unemployed persons reflect hiring and layoff patterns that accompany regular events such as the winter holiday season and the summer vacation season. These variations make it difficult to tell whether month-to-month changes in employment and unemployment are due to normal seasonal patterns or to changing economic conditions. Therefore, the BLS uses a statistical technique called seasonal adjustment to address these issues. This technique uses the history of the labor force data and the job count data to identify the seasonal movements and to calculate the size and direction of these movements. A seasonal adjustment factor is then developed and applied to the estimates to eliminate the effects of regular seasonal fluctuations on the data. Seasonally adjusted statistical series enable more meaningful data comparisons between months or with an annual average.

    Current Population (Household) Survey (CPS)

    A survey conducted for employment status in the week that includes the twelfth day of each month generates the unemployment rate statistics, which is a separate survey from the Establishment Survey that yields the industry job counts. The CPS survey contacts approximately 1,000 households in Hawai‘i to determine an individual’s current employment status. Employed persons consist of 1) all persons who did any work for pay or profit during the survey reference week, 2) all persons who did at least 15 hours of unpaid work in a family owned enterprise operated by someone in their household and 3) all persons who were temporarily absent from their regular jobs, whether they were paid or not. Persons considered unemployed are those that do not have a job, have actively looked for work in the prior four weeks and are available for work. Temporarily laid-off workers are counted as unemployed, whether or not they have engaged in a specific job-seeking activity. Persons not in the labor force are those who are not classified as employed or unemployed during the survey reference week.

    Benchmark Changes to Local Area Unemployment Statistics Data

    Statewide and sub-state data for 2019 to 2024 have revised inputs and data for 1990 to 2024 have been re-estimated to reflect revised population controls and model re-estimation.

    Change to Monthly Employment Estimates

    This release incorporates revised job count figures for the seasonally adjusted series. The revised data reflects historical corrections applied to unadjusted super sector or sector-level series dating back from 2018 through 2024. For years, analysts with the state of Hawai‘i Department of Labor and Industrial Relations Research and Statistics Office have developed monthly employment estimates for Hawai‘i and its metropolitan areas. These estimates were based on a monthly survey of Hawai‘i businesses and analysts’ knowledge about our local economies. Beginning with the production of preliminary estimates for March 2011, responsibility for the production of state and metropolitan area (MSA) estimates was transitioned from individual state agencies to the U.S. Bureau of Labor Statistics (BLS).

    For Hawai‘i, this means that the statewide, Honolulu and Kahului-Wailuku MSA estimates for both the seasonally adjusted and not-seasonally adjusted areas are produced by BLS. State agencies will continue to provide the BLS with information on local events that may affect the estimates, such as strikes or large layoffs/hiring at businesses not covered by the survey and to disseminate and analyze the Current Employment Statistics (CES) estimates for local data users. BLS feels this change is designed to improve the cost efficiency of the CES program and to reduce the potential bias in state and area estimates. A portion of the cost savings generated by this change is slated to be directed toward raising survey response rates in future years, which will decrease the level of statistical error in the CES estimates. Until then, state analysts feel this change could result in increased month-to-month variability for the industry employment numbers, particularly for Hawai‘i’s counties and islands. BLS can be reached at 202-691-6555 for any questions about these estimates.

    The not-seasonally adjusted job estimates for Hawai‘i County, Kaua‘i County, Maui, Moloka‘i and Lāna‘i are produced by the state of Hawai‘i Department of Business, Economic Development and Tourism.

    Labor Force Estimates for Small Areas

    Labor Force estimates for the islands within Maui County (Maui, Moloka‘i and Lāna‘i) are produced by the state of Hawai‘i Department of Business, Economic Development and Tourism.

    Seasonally Adjusted Labor Force and Unemployment Estimates for Honolulu and Maui County

    BLS publishes smoothed seasonally adjusted civilian labor force and unemployment estimates for all metropolitan areas, which includes the City and County of Honolulu and Maui County.

    BLS releases this data each month in the Metropolitan Area Employment and Unemployment news release. The schedule is available at http://www.bls.gov/news.release/metro.toc.htm.

    Alternative Measures of Labor Underutilization

     

    Alternative Measures of Labor Underutilization for States, Second Quarter of 2024 through First Quarter of 2025 Averages

    | Area / Measure | U-1 | U-2 | U-3 | U-4 | U-5 | U-6 |
    |---|---|---|---|---|---|---|
    | United States | 1.5 | 2.0 | 4.1 | 4.3 | 5.0 | 7.7 |
    | Hawai‘i | 0.7 | 1.2 | 3.0 | 3.1 | 3.9 | 6.2 |

     

    The six alternative labor underutilization state measures, based on the Current Population Survey (CPS) and compiled on a four-quarter moving-average basis, are defined as:

    U-1, persons unemployed 15 weeks or longer, as a percent of the civilian labor force;

    U-2, job losers and persons who completed temporary jobs, as a percent of the civilian labor force;

    U-3, total unemployed, as a percent of the civilian labor force (this is the definition used for the official unemployment rate);

    U-4, total unemployed plus discouraged workers, as a percent of the civilian labor force plus discouraged workers;

    U-5, total unemployed, plus discouraged workers, plus all other marginally attached workers*, as a percent of the civilian labor force plus all marginally attached workers; and

    U-6, total unemployed, plus all marginally attached workers, plus total employed part-time for economic reasons, as a percent of the civilian labor force plus all marginally attached workers.

    *Individuals who want and are available for work, and who have looked for a job sometime in the prior 12 months (or since the end of their last job if they had one within the past 12 months) but were not counted as unemployed because they had not searched for work in the four weeks preceding the survey, for such reasons as childcare or transportation problems, for example. Discouraged workers are a subset of the marginally attached.

    Please note that the state unemployment rates (U-3) that are shown are derived directly from the CPS. As a result, these U-3 measures may differ from the official state unemployment rates for the latest four-quarter period. The latter are estimates developed from statistical models that incorporate CPS estimates, as well as input data from other sources, such as state unemployment claims data.

    # # #

    Media contacts:

     

    Dr. Eugene Tian

    Chief State Economist

    Research and Economic Analysis Division

    Department of Business, Economic Development and Tourism, State of Hawai‘i

    Phone: 808-586-2470

    Email: [email protected]

    Laci Goshi

    Communications Officer

    Department of Business, Economic Development and Tourism, State of Hawai‘i

    Cell: 808-518-5480

    Email: [email protected]

    MIL OSI USA News

  • MIL-OSI USA: DLNR News Release – ADDITIONAL TEMPORARY CLOSURES AT DIAMOND HEAD STATE MONUMENT IN JUNE, May 20, 2025

    Source: US State of Hawaii

    DLNR News Release – ADDITIONAL TEMPORARY CLOSURES AT DIAMOND HEAD STATE MONUMENT IN JUNE, May 20, 2025

    Posted on May 20, 2025 in Latest Department News, Newsroom

    STATE OF HAWAIʻI

    KA MOKU ʻĀINA O HAWAIʻI

    JOSH GREEN, M.D.

    GOVERNOR

    KE KIAʻĀINA

    DEPARTMENT OF LAND AND NATURAL RESOURCES

    KA ‘OIHANA KUMUWAIWAI ‘ĀINA

     

    DAWN N.S. CHANG

    CHAIRPERSON

    KA LUNA HOʻOKELE

     

     

    ADDITIONAL TEMPORARY CLOSURES AT DIAMOND HEAD STATE MONUMENT IN JUNE

     

     

    FOR IMMEDIATE RELEASE

    May 20, 2025

     

    HONOLULU – More full-day closures are forthcoming to Diamond Head State Monument (DHSM) next month. The DLNR Division of State Parks (DSP) announces park closures for ongoing rockfall mitigation work from June 17-20 and 24-27 at the popular Oahu landmark.

    During these full closures, access to the park will be restricted and no visitors will be allowed entry. Employees will access the crater via the Kapahulu Tunnel between 6 a.m. and 6 p.m. A guard will be stationed at the entry gate leading to the tunnel for the duration of the closures.

    On Monday June 16 and 23, the park will maintain its current partial closure hours from 6 a.m. – 2 p.m. All other days in June will continue with the current schedule: weekdays with closure at 2 p.m. and weekends with closure at 6 p.m.

    DSP appreciates the patience of residents and visitors through this process to create a safer, more enjoyable experience at Diamond Head. The estimated project completion date is July 25, 2025.

     

    # # # 

     

    RESOURCES 

    (All images/video courtesy: DLNR) 

    HD Video – Diamond Head rockfall mitigation project (February 7, 2025):

    https://www.dropbox.com/scl/fi/gc90ta4n6a6lj5eic0o3j/Diamond-Head-Rockfall-Mitigation-Project-Feb-07-2025.mov?rlkey=u73490f2pgfgvdpb0xt7wg0mu&st=x0gbw8zh&dl=0

     

    Photographs – Diamond Head rockfall mitigation project (February 7, 2025): https://www.dropbox.com/scl/fo/6pdh73bw7fyp6q3q1w33i/ADD0r_r-DVm8ckwfu8y3epY?rlkey=wo20wtocef5w6cr05ozxrv1nz&st=tthorl4v&dl=0

     

    Diamond Head State Monument construction operating hours (full schedule):

    Diamond Head State Monument

     

     

    Media contact:

    Ryan Aguilar

    Communications Specialist

    Department of Land and Natural Resources, State of Hawai‘i

    Phone: 808-587-0396

    Email: [email protected]

    MIL OSI USA News

  • MIL-OSI USA: Senator Hassan Slams GOP’s $490 Billion Medicare Cut in Tax Bill

    US Senate News:

    Source: United States Senator for New Hampshire Maggie Hassan
    WASHINGTON – U.S. Senator Maggie Hassan (D-NH), Ranking Member of the Senate Finance Subcommittee on Health, responded to a new analysis from the non-partisan Congressional Budget Office finding that the plan put forward by President Trump and Congressional Republicans to give corporate special interests and billionaires a tax break increases the deficit by $2.3 trillion, which will trigger a $490 billion automatic cut to Medicare over the next 10 years.
    “Seniors pay into Medicare their entire life, based on the promise that it will provide them with health care when they retire. It is absolutely ridiculous that Republicans want to take hundreds of billions of dollars away from Medicare in order to provide more tax giveaways to corporate special interests and billionaires,” said Senator Hassan, Ranking Member of the Senate Finance Subcommittee on Health. “At a time when we should be working to make health care more affordable, Congressional Republicans instead continue to push ahead with this partisan tax giveaway paid for by exploding the deficit and cutting Medicare, Medicaid, and Affordable Care Act, which will only increase health care costs for millions of Americans across the country.” 
    The non-partisan Congressional Budget Office analysis finds that because the Congressional Republican plan increases the deficit by $2.3 trillion, it will trigger automatic cuts of $490 billion to Medicare. More than 60 million American seniors are enrolled in Medicare. An additional recent non-partisan analysis of the Republican tax plan finds that the legislation will also result in 13.7 million Americans losing their health insurance by 2034 because of proposed cuts to Medicaid and the Affordable Care Act.  

    MIL OSI USA News

  • MIL-OSI USA: Warner, Kaine & Bennet Secure DoD Fixes to Broken Military Moving System

    US Senate News:

    Source: United States Senator for Commonwealth of Virginia Mark R Warner
    WASHINGTON – U.S. Sens. Mark R. Warner (D-VA), Tim Kaine (D-VA), and Michael Bennet (D-CO) issued the statement below after the Department of Defense (DoD) announced immediate modifications to the military’s broken moving system, which handles servicemember relocations. These modifications follow close advocacy by the senators, who have pushed for months to address the delays, poor communication, and repeated issues under the Global Household Goods Contract.
    “Military members and their families sacrifice so much in service to our country, including every time they relocate and integrate into a new community. After pushing for months, we’re pleased to see the Department of Defense move to address ongoing challenges with the contract tasked with moving household goods for military members and families in the process of relocating.
    “As these policy changes are implemented, we will continue to work with the Department of Defense and TRANSCOM to ensure that servicemembers and military families who are already well into the relocation process are not left in the lurch. Additionally, as these shifts put more pressure on federal employees to adapt to this change, we will continue to push for adequate federal staffing levels and against Trump’s senseless hiring freeze, which continues to prevent critical positions from being filled across government.”
    In February, Sen. Warner requested a briefing from USTRANSCOM and sounded the alarm about missed household goods pickups, delivery issues, and communication difficulties with HomeSafe Alliance, the contractor responsible for the moves. Earlier this month, the lawmakers raised their concerns, reiterating the ongoing delays and confusion being faced by military families, and requesting additional information from TRANSCOM on its plan to address these issues.

    MIL OSI USA News

  • MIL-OSI Europe: Answer to a written question – Including Mexican drug cartels on the EU list of terrorist organisations – E-000631/2025(ASW)

    Source: European Parliament

    The Council has not discussed the possible inclusion of Mexican cartels on the list of persons, groups and entities covered by the measures in Article 2 and 3 of Common Position 2001/931/CFSP (‘CP 931’).

    The Council can, at any time, adopt a decision to add additional persons, groups, or entities to the above-mentioned list, or to remove persons, groups or entities from that list. The listing of a person, group or entity under CP 931 must satisfy the conditions laid down in Article 1(2) to 1(4) of that Common Position, which, inter alia, provides a definition of ‘terrorist act’ and ‘persons, groups and entities involved in terrorist acts’ for this purpose.

    As regards the question on coordination with the United States on drug-related matters, EU-US cooperation on combatting transnational organised crime and drug trafficking is a central focus of the longstanding EU-US Dialogue on Justice and Home Affairs held at ministerial and senior official level twice a year. The EU and the United States also regularly hold an EU-US Dialogue on Drugs in order to exchange information, strengthen bilateral cooperation and enhance coordination of actions undertaken globally to address drug-related issues. The discussions in these meetings focus on reducing drug supply by enhancing security, reducing drug demand through prevention, treatment and care services, and addressing drug-related harm, in line with the EU Drugs Strategy 2021-2025.

    Last updated: 21 May 2025

    MIL OSI Europe News

  • MIL-OSI: BAWAG Group: Moody’s affirms ratings and changes outlook from stable to positive

    Source: GlobeNewswire (MIL-OSI)

    VIENNA, Austria – May 21, 2025 – Today, Moody’s announced that it affirms the ratings of BAWAG P.S.K. and changed the outlook on the long-term deposit, senior unsecured, and long-term issuer ratings from stable to positive.

    The positive outlook is a reflection of our to-be integrated recent acquisitions which show a steady business performance and could result in a sustainably improved financial profile.

    The release of Moody’s is available on our website https://www.bawaggroup.com.

    David O’Leary, Chief Risk Officer of BAWAG Group, commented: “The change to a positive outlook is a testament to our strategy focused on sustainable growth, efficiency and maintaining a safe and secure balance sheet. While our strategy has been unchanged since 2012, with the recent acquisitions, our business profile with focus on DACH/NL region as well as Retail & SME had been enhanced. The improved outlook highlights the resilience and stability of our business, with increased profitability after our acquisitions.”

    About BAWAG Group
    BAWAG Group AG is a publicly listed holding company headquartered in Vienna, Austria, serving our over 4 million retail, small business, corporate, real estate and public sector customers across Austria, Germany, Switzerland, Netherlands, Ireland, the United Kingdom, and the United States. The Group operates under various brands and across multiple channels offering comprehensive savings, payment, lending, leasing, investment, building society, factoring and insurance products and services. Our goal is to deliver simple, transparent, and affordable financial products and services that our customers need.

    BAWAG Group’s Investor Relations website https://www.bawaggroup.com/ir contains further information, including financial and other information for investors.

    Forward-looking statement
    This release contains “forward-looking statements” regarding the financial condition, results of operations, business plans and future performance of BAWAG Group. Words such as “anticipates,” “believes,” “estimates,” “expects,” “forecasts,” “intends,” “plans,” “projects,” “may,” “will,” “should,” “would,” “could” and other similar expressions are intended to identify these forward-looking statements. These forward-looking statements reflect management’s expectations as of the date hereof and are subject to risks and uncertainties that may cause actual results to differ materially from those projected. These risks and uncertainties include, but are not limited to, economic conditions, the regulatory environment, loan concentrations, vendors, employees, technology, competition, and interest rates. Readers are cautioned not to place undue reliance on the forward-looking statements as actual results may differ materially from the results predicted. Neither BAWAG Group nor any of its affiliates, advisors or representatives shall have any liability whatsoever (in negligence or otherwise) for any loss howsoever arising from any use of this report or its content or otherwise arising in connection with this document. This report does not constitute an offer or invitation to purchase or subscribe for any securities and neither it nor any part of it shall form the basis of or be relied upon in connection with any contract or commitment whatsoever. This statement is included for the express purpose of invoking “safe harbor provisions”.

    Financial Community:
    Jutta Wimmer (Head of Investor Relations)
    Tel: +43 (0) 5 99 05-22474

    IR Hotline: +43 (0) 5 99 05-34444
    E-mail: investor.relations@bawaggroup.com

    Media:
    Manfred Rapolter (Head of Corporate Communications & Social Engagement)
    Tel: +43 (0) 5 99 05-31210
    E-mail: communications@bawaggroup.com

    This text can also be downloaded from our website: https://www.bawaggroup.com

    The MIL Network

  • MIL-OSI: Raj Judge Joins Zscaler’s Board of Directors and as EVP of Corporate Strategy & Ventures

    Source: GlobeNewswire (MIL-OSI)

    SAN JOSE, Calif., May 21, 2025 (GLOBE NEWSWIRE) — Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, is pleased to announce that Raj Judge has been appointed to the company’s Board of Directors and joined as Executive Vice President of Corporate Strategy and Ventures. In this role, Judge will lead the company’s growth strategy, business development, and venture investment initiatives to drive Zscaler to $5 billion in ARR and beyond.

    Judge brings over 25 years of experience in the tech legal and venture capital space, having previously served at Wilson Sonsini as Senior Partner and Co-Chair of the firm’s core practice, Emerging Companies and Venture Capital. Throughout his career, he has been instrumental in driving strategic growth, identifying emerging market opportunities, and creating solutions that have led to significant business growth for his clients.

    “Raj’s deep expertise in corporate strategy and investment, combined with his track record of success, makes him the ideal leader to drive Zscaler’s growth and innovation agenda,” said Jay Chaudhry, Chairman and CEO of Zscaler. “We are excited to welcome Raj to our leadership team and we look forward to the impact he will have on shaping the future of our company.”

    Judge will be responsible for key growth and investment opportunities as well as forging strategic initiatives. He will work closely with internal and external stakeholders to accelerate innovation and substantially broaden the company’s platform for Zscaler’s customers. The appointment of Judge to the Board further demonstrates the company’s dedication to advancing its corporate strategy and long-term vision.

    “I am excited to join Zscaler at such a pivotal time in its growth journey,” said Raj. “I look forward to bringing my experience and strategic skills to drive new initiatives and investments that will accelerate its continued success.”

    Forward-Looking Statements
    This press release contains forward-looking statements that are based on our management’s beliefs and assumptions and on information currently available to our management. These forward-looking statements include the potential impact of the executive appointment to Zscaler’s future strategic investments and our ability to grow and scale. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. A significant number of factors could cause actual results to differ materially from statements made in this press release. Additional risks and uncertainties are set forth in our most recent Annual Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on May 29, 2025, which is available on our website at ir.zscaler.com and on the SEC’s website at www.sec.gov. Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler will not necessarily update the information, even if new information becomes available in the future.

    About Zscaler
    Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SASE-based Zero Trust Exchange is the world’s largest in-line cloud security platform.

    Zscaler™, Zscaler Zero Trust Exchange™, Zscaler Internet Access™, and Zscaler Private Access™, ZIA™, and ZPA™ and Zscaler B2B™ are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners.

    Media Contact
    Pavel Radda
    press@zscaler.com

    Investor Relations Contact
    Ashwin Kesireddy
    ir@zscaler.com

    A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/96cf5114-9019-4fa0-abd7-c9d7346123a6

    The MIL Network

  • MIL-OSI: Synaptics Names Rahul Patel as President and Chief Executive Officer

    Source: GlobeNewswire (MIL-OSI)

    SAN JOSE, Calif., May 21, 2025 (GLOBE NEWSWIRE) — Synaptics® Incorporated (Nasdaq: SYNA) announced today that Rahul Patel has been appointed President and Chief Executive Officer, and a Director of the company. Patel succeeds Synaptics CFO Ken Rizvi, who has served as the company’s Interim CEO since February 2025. Rizvi will continue to serve as the company’s CFO.

    With more than 30 years of leadership experience in the semiconductor industry, Patel has a proven track record of driving growth and product innovation, particularly in the areas of high-performance Edge-AI wireless connectivity solutions for handsets, tablets, PCs, wearables such as smartwatches and earbuds, IoT applications, and networking and broadband solutions for enterprises and home markets.

    Prior to joining Synaptics, he spent a decade at Qualcomm, including most recently as SVP and Group General Manager of the Connectivity, Broadband, & Networking Group, where he was responsible for overseeing a multi-billion-dollar portfolio of wireless networking and connectivity business.

    Prior to Qualcomm, Patel spent 13 years in various senior leadership roles at Broadcom, including serving as Senior Vice President and General Manager, Wireless Connectivity Group, where he played a pivotal role in expanding Broadcom’s Wi-Fi®, Bluetooth®, and GPS leadership across all market segments.

    “On behalf of the Board of Directors, we are delighted to welcome Rahul as Synaptics’ next CEO. Rahul’s extensive semiconductor expertise and strong vision uniquely position him to accelerate our growth and innovation, steering us into our next chapter as we broaden our market reach,” said Nelson Chan, Chairman of Synaptics’ Board of Directors. “Rahul’s deep expertise with wireless connectivity, coupled with his proven track record of launching successful product lines and developing high-performing global teams, will be instrumental in advancing our technology roadmap and driving long-term growth. I’d like to sincerely thank Ken for his exceptional leadership as Interim CEO and for ensuring the seamless execution of our strategic initiatives during this transition period.”

    “I am truly honored and excited to join Synaptics, a leader in high-performance Processing, Connectivity, and Sensing solutions,” said Rahul Patel. “Synaptics’ culture of innovation, exceptional engineering talent, and diversified portfolio of solutions uniquely position the company to excel. I look forward to working with the talented team at Synaptics to execute on our growth roadmap and deliver next-generation technology that brings unparalleled value to our customers, partners, and investors.”

    About Synaptics Incorporated
    Synaptics (Nasdaq: SYNA) is driving innovation in AI at the Edge, bringing AI closer to end users and transforming how we engage with intelligent connected devices, whether at home, at work, or on the move. As a go-to partner for forward-thinking product innovators, Synaptics powers the future with its cutting-edge Synaptics Astra™ AI-Native embedded compute, Veros™ wireless connectivity, and multimodal sensing solutions. We’re making the digital experience smarter, faster, more intuitive, secure, and seamless. From touch, display, and biometrics to AI-driven wireless connectivity, video, vision, audio, speech, and security processing, Synaptics is the force behind the next generation of technology enhancing how we live, work, and play. Follow Synaptics on LinkedIn, X, and Facebook, or visit www.synaptics.com

    Synaptics and the Synaptics logo are trademarks of Synaptics in the United States and/or other countries. All other marks are the property of their respective owners.

    For further information, please contact:

    Investor Relations
    Munjal Shah  
    Synaptics  
    +1-408-518-7639
    munjal.shah@synaptics.com

    Media Contact  
    Neeta Shenoy 
    Synaptics 
    +1-408-425-2654
    neeta.shenoy@synaptics.com

    The MIL Network

  • MIL-OSI: Zoom Communications Reports Financial Results for the First Quarter of Fiscal Year 2026

    Source: GlobeNewswire (MIL-OSI)

    • First quarter total revenue of $1,174.7 million, up 2.9% year over year as reported and 3.4% in constant currency
    • First quarter Enterprise revenue of $704.7 million, up 5.9% year over year
    • First quarter GAAP operating margin of 20.6% and non-GAAP operating margin of 39.8%
    • First quarter GAAP EPS of $0.81, up 18.7% year over year, and non-GAAP EPS of $1.43, up 6.0% year over year
    • Number of customers contributing more than $100,000 in trailing 12 months revenue up 8.0% year over year
    • Repurchased approximately 5.6 million shares of common stock in Q1, up from 4.3 million shares in Q4

    SAN JOSE, Calif., May 21, 2025 (GLOBE NEWSWIRE) — Zoom Communications, Inc. (NASDAQ: ZM), today announced financial results for the first fiscal quarter ended April 30, 2025.

    “We delivered another solid quarter, exceeding guidance in both revenue and profitability — a testament to the strength of our platform and AI-first innovation,” said Eric S. Yuan, Zoom’s founder and CEO. “In an uncertain macro-economic environment, customers are turning to Zoom to drive efficiency, improve customer and employee experiences, and future-proof their businesses. We saw continued momentum in Zoom Customer Experience, Zoom Revenue Accelerator, and Workvivo as customers look to elevate CX, reinvigorate sales, and strengthen culture. In Q1, we launched multiple new products, maintained strong operational discipline, and accelerated our share repurchase activity, reinforcing our commitment to shareholder value.”

    First Quarter Fiscal Year 2026 Financial Highlights:

    • Revenue: Total revenue for the first quarter was $1,174.7 million, up 2.9% year over year. Adjusting for foreign currency impact, revenue in constant currency was $1,179.5 million, up 3.4% year over year. Enterprise revenue was $704.7 million, up 5.9% year over year, and Online revenue was $470.0 million, down 1.2% year over year.
    • Income from Operations and Operating Margin: GAAP income from operations for the first quarter was $241.6 million, compared to GAAP income from operations of $203.0 million in the first quarter of fiscal year 2025. Non-GAAP income from operations, which adjusts for stock-based compensation expense and related payroll taxes, and acquisition-related expenses, was $467.3 million for the first quarter, compared to non-GAAP income from operations of $456.6 million in the first quarter of fiscal year 2025. For the first quarter, GAAP operating margin was 20.6% and non-GAAP operating margin was 39.8%.
    • Net Income and Diluted Net Income Per Share: GAAP net income for the first quarter was $254.6 million, or $0.81 per share, compared to GAAP net income of $216.3 million, or $0.69 per share, in the first quarter of fiscal year 2025. Non-GAAP net income for the first quarter, which adjusts for stock-based compensation expense and related payroll taxes, gains/losses on strategic investments, net, acquisition-related expenses, and the tax effects on non-GAAP adjustments, was $448.3 million, or $1.43 per share. In the first quarter of fiscal year 2025, non-GAAP net income was $426.3 million, or $1.35 per share.
    • Cash and Marketable Securities: Total cash, cash equivalents, and marketable securities, excluding restricted cash, as of April 30, 2025 was $7.8 billion.
    • Cash Flow: Net cash provided by operating activities was $489.3 million for the first quarter, compared to $588.2 million in the first quarter of fiscal year 2025. Free cash flow, which is net cash provided by operating activities less purchases of property and equipment, was $463.4 million, compared to $569.7 million in the first quarter of fiscal year 2025.

    Customer Metrics: Drivers of total revenue included acquiring new customers. At the end of the first quarter of fiscal year 2026, Zoom had:

    • 4,192 customers contributing more than $100,000 in trailing 12 months revenue, up 8.0% from the same quarter last fiscal year.
    • A trailing 12-month net dollar expansion rate for Enterprise customers of 98%.
    • Online average monthly churn of 2.8% for the first quarter, down 40 bps from the same quarter last fiscal year.
    • The percentage of total Online MRR from Online customers with a continual term of service of at least 16 months was 74.2%, up 40 bps year over year.

    Financial Outlook: Zoom is providing the following guidance for its second quarter of fiscal year 2026 and its full fiscal year 2026.

    • Second Quarter Fiscal Year 2026: Total revenue is expected to be between $1.195 billion and $1.200 billion and revenue in constant currency is expected to be between $1.196 billion and $1.201 billion. Non-GAAP income from operations is expected to be between $460.0 million and $465.0 million. Non-GAAP diluted EPS is expected to be between $1.36 and $1.37 with approximately 310 million weighted average shares outstanding.
    • Full Fiscal Year 2026: Total revenue is expected to be between $4.800 billion and $4.810 billion and revenue in constant currency is expected to be between $4.808 billion and $4.818 billion. Full fiscal year non-GAAP income from operations is expected to be between $1.865 billion and $1.875 billion. Full fiscal year non-GAAP diluted EPS is expected to be between $5.56 and $5.59 with approximately 312 million weighted average shares outstanding. Full fiscal year free cash flow is expected to be between $1.680 billion and $1.720 billion.

    The EPS and share count figures do not include any impact from $1.2 billion of authorized share repurchase remaining as of April 30, 2025.

    Additional information on Zoom’s reported results, including a reconciliation of the non-GAAP results to their most comparable GAAP measures, is included in the financial tables below. A reconciliation of non-GAAP guidance measures to corresponding GAAP measures is not available on a forward-looking basis without unreasonable effort due to the uncertainty of expenses that may be incurred in the future, although it is important to note that these factors could be material to Zoom’s results computed in accordance with GAAP.

    A supplemental financial presentation and other information can be accessed through Zoom’s investor relations website at investors.zoom.us.

    Zoom Video Earnings Call

    Zoom will host a Zoom Video Webinar for investors on May 21, 2025 at 2:00 p.m. Pacific Time / 5:00 p.m. Eastern Time to discuss the company’s financial results, business highlights and financial outlook. Investors are invited to join the Zoom Video Webinar by visiting: https://investors.zoom.com/

    About Zoom

    Zoom’s mission is to provide the AI-first work platform for human connection. Zoom Workplace — the company’s AI-powered, open collaboration platform built for modern work — will streamline communications, increase employee engagement, optimize in-person time, improve productivity, and offer customer choice with third-party apps and integrations. Zoom Workplace, powered by Zoom AI Companion, will include collaboration solutions like meetings, team chat, phone, scheduler, whiteboard, spaces, Workvivo, and more. Together with Zoom Workplace, Zoom’s Business Services for sales, marketing, and customer care teams, including Zoom Contact Center, strengthen customer relationships throughout the customer lifecycle. Founded in 2011, Zoom is publicly traded (NASDAQ:ZM) and headquartered in San Jose, California. Get more information at zoom.com

    Forward-Looking Statements

    This press release contains express and implied “forward-looking statements” within the meaning of the Private Securities Litigation Reform Act of 1995, including statements regarding Zoom’s financial outlook for the second quarter of fiscal year 2026 and full fiscal year 2026, Zoom’s market position, opportunities, and growth strategy, product initiatives, including future product and feature releases and the potential of agentic AI, and go-to-market motions and the expected benefits resulting from the same, market trends, and Zoom’s stock repurchase program. In some cases, you can identify forward-looking statements by terms such as “anticipate,” “believe,” “estimate,” “expect,” “intend,” “may,” “might,” “plan,” “project,” “will,” “would,” “should,” “could,” “can,” “predict,” “potential,” “target,” “explore,” “continue,” or the negative of these terms, and similar expressions intended to identify forward-looking statements. By their nature, these statements are subject to numerous uncertainties and risks, including factors beyond our control, that could cause actual results, performance or achievement to differ materially and adversely from those anticipated or implied in the statements, including: declines in new customers, renewals or upgrades, or decline in demand for our platform, difficulties in evaluating our prospects and future results of operations given our limited operating history, competition from other providers of communications platforms, the effect of macroeconomic conditions on our business, including geopolitical tensions, tariffs and escalating trade tensions, interest rate fluctuations, inflationary pressures and market and foreign currency exchange rate volatility, lengthened sales cycles with large organizations, delays or outages in services from our co-located data centers, failures in internet infrastructure or interference with broadband access, compromised security measures, including ours and those of the third parties upon which we rely, and global security concerns and their potential impact on regional and global economies and supply chains. Additional risks and uncertainties that could cause actual outcomes and results to differ materially from those contemplated by the forward-looking statements are included under the caption “Risk Factors” and elsewhere in our most recent filings with the Securities and Exchange Commission (the “SEC”), including our annual report on Form 10-K for the fiscal year ended January 31, 2025. Forward-looking statements speak only as of the date the statements are made and are based on information available to Zoom at the time those statements are made and/or management’s good faith belief as of that time with respect to future events. Zoom assumes no obligation to update forward-looking statements to reflect events or circumstances after the date they were made, except as required by law.

    Non-GAAP Financial Measures

    Zoom has provided in this press release financial information that has not been prepared in accordance with generally accepted accounting principles in the United States (“GAAP”). Zoom uses these non-GAAP financial measures internally in analyzing its financial results and believes that use of these non-GAAP financial measures is useful to investors as an additional tool to evaluate ongoing operating results and trends and in comparing Zoom’s financial results with other companies in its industry, many of which present similar non-GAAP financial measures.

    Non-GAAP financial measures are not meant to be considered in isolation or as a substitute for comparable GAAP financial measures and should be read only in conjunction with Zoom’s condensed consolidated financial statements prepared in accordance with GAAP. A reconciliation of Zoom’s historical non-GAAP financial measures to the most directly comparable GAAP measures has been provided in the financial statement tables included in this press release, and investors are encouraged to review the reconciliation.

    Non-GAAP Income from Operations and Non-GAAP Operating Margin. Zoom defines non-GAAP income from operations as income from operations excluding stock-based compensation expense and related payroll taxes, and acquisition-related expenses. Zoom excludes stock-based compensation expense because it is non-cash in nature and excluding this expense provides meaningful supplemental information regarding Zoom’s operational performance and allows investors the ability to make more meaningful comparisons between Zoom’s operating results and those of other companies. Zoom excludes the amount of employer payroll taxes related to employee stock plans, which is a cash expense, in order for investors to see the full effect that excluding stock-based compensation expense had on Zoom’s operating results. In particular, this expense is dependent on the price of our common stock and other factors that are beyond our control and do not correlate to the operation of the business. Zoom views acquisition-related expenses when applicable, such as amortization of acquired intangible assets, transaction costs, and acquisition-related retention payments that are directly related to business combinations as events that are not necessarily reflective of operational performance during a period. In fact, Zoom believes the consideration of measures that exclude such expenses can assist in the comparison of operational performance in different periods that may or may not include such expenses and assist in the comparison with the results of other companies in the industry. Zoom defines non-GAAP operating margin as non-GAAP income from operations divided by GAAP revenue.

    Non-GAAP Net Income and Non-GAAP Net Income Per Share, Basic and Diluted. Zoom defines non-GAAP net income as GAAP net income adjusted to exclude stock-based compensation expense and related payroll taxes, acquisition-related expenses, gains/losses on strategic investments, net, and the tax effects of all non-GAAP adjustments. Zoom excludes these items because they are considered by management to be outside of Zoom’s core operating results. These adjustments are intended to provide investors and management with greater visibility to the underlying performance of Zoom’s business operations, facilitate comparison of its results with other periods, and may also facilitate comparison with the results of other companies in the industry. Zoom defines non-GAAP net income per share, basic and diluted, as non-GAAP net income divided by the number of shares outstanding, basic and diluted, calculated in accordance with GAAP.

    Free Cash Flow and Free Cash Flow Margin. Zoom defines free cash flow as GAAP net cash provided by operating activities less purchases of property and equipment. Zoom considers free cash flow to be a liquidity measure that provides useful information to management and investors regarding net cash provided by operating activities and cash used for investments in property and equipment required to maintain and grow the business. Zoom defines free cash flow margin as free cash flow divided by GAAP revenue.

    Revenue in Constant Currency. Zoom defines revenue in constant currency as GAAP revenue adjusted for revenue reported in currencies other than United States dollars as if they were converted into United States dollars using the average exchange rates from the comparative period rather than the actual exchange rates in effect during the respective periods. Zoom provides revenue in constant currency information as a framework for assessing how Zoom’s underlying businesses performed period to period, excluding the effects of foreign currency fluctuations.

    Customer Metrics

    Zoom defines a customer as a separate and distinct buying entity, which can be a single paid user or an organization of any size (including a distinct unit of an organization) that has multiple users. Zoom defines Enterprise customers as distinct business units that have been engaged by either our direct sales team, resellers, or strategic partners. All other customers that subscribe to our services directly through our website are referred to as Online customers.

    Zoom calculates net dollar expansion rate as of a period end by starting with the annual recurring revenue (“ARR”) from Enterprise customers as of 12 months prior (“Prior Period ARR”). Zoom defines ARR as the annualized revenue run rate of subscription agreements from all customers at a point in time. Zoom calculates ARR by taking the monthly recurring revenue (“MRR”) and multiplying it by 12. MRR is defined as the recurring revenue run-rate of subscription agreements from all Enterprise customers for the last month of the period, including revenue from monthly subscribers who have not provided any indication that they intend to cancel their subscriptions. Zoom then calculates the ARR from these Enterprise customers as of the current period end (“Current Period ARR”), which includes any upsells, contraction, and attrition. Zoom divides the Current Period ARR by the Prior Period ARR to arrive at the net dollar expansion rate. For the trailing 12 months calculation, Zoom takes an average of the net dollar expansion rate over the trailing 12 months.

    Zoom calculates online average monthly churn by starting with the Online customer MRR as of the beginning of the applicable quarter (“Entry MRR”). Zoom defines Entry MRR as the recurring revenue run-rate of subscription agreements from all Online customers except for subscriptions that Zoom recorded as churn in a previous quarter based on the customers’ earlier indication to us of their intention to cancel that subscription. Zoom then determines the MRR related to customers who canceled or downgraded their subscription or notified us of that intention during the applicable quarter (“Applicable Quarter MRR Churn”) and divides the Applicable Quarter MRR Churn by the applicable quarter Entry MRR to arrive at the MRR churn rate for Online Customers for the applicable quarter. Zoom then divides that amount by three to calculate the online average monthly churn.

    Public Relations

    Colleen Rodriguez
    Head of Global Public Relations
    press@zoom.us

    Investor Relations

    Charles Eveslage
    Head of Investor Relations
    investors@zoom.us

    Zoom Communications, Inc.
    Condensed Consolidated Balance Sheets
    (In thousands)
     
        As of
        April 30, 2025   January 31, 2025
    Assets   (unaudited)    
    Current assets:        
    Cash and cash equivalents   $ 1,228,847   $ 1,349,380  
    Marketable securities     6,563,976     6,442,329  
    Accounts receivable, net     477,242     495,228  
    Deferred contract acquisition costs, current     175,900     188,358  
    Prepaid expenses and other current assets     220,812     200,679  
    Total current assets     8,666,777     8,675,974  
    Deferred contract acquisition costs, noncurrent     114,513     123,464  
    Property and equipment, net     312,211     330,475  
    Operating lease right-of-use assets     53,217     55,900  
    Strategic investments     576,139     591,481  
    Goodwill     307,295     307,295  
    Deferred tax assets     769,189     749,759  
    Other assets, noncurrent     152,555     154,073  
    Total assets   $ 10,951,896   $ 10,988,421  
    Liabilities and stockholders’ equity        
    Current liabilities:        
    Accounts payable   $ 14,205   $ 8,345  
    Accrued expenses and other current liabilities     473,951     558,562  
    Deferred revenue, current     1,409,217     1,336,387  
    Total current liabilities     1,897,373     1,903,294  
    Deferred revenue, noncurrent     16,185     17,274  
    Operating lease liabilities, noncurrent     35,894     37,406  
    Other liabilities, noncurrent     100,076     95,363  
    Total liabilities     2,049,528     2,053,337  
             
    Stockholders’ equity:        
    Common stock     302     305  
    Additional paid-in capital     4,832,800     5,130,271  
    Accumulated other comprehensive (loss) income     15,145     4,990  
    Retained earnings     4,054,121     3,799,518  
    Total stockholders’ equity     8,902,368     8,935,084  
    Total liabilities and stockholders’ equity   $ 10,951,896   $ 10,988,421  
     
    Note: The amount of unbilled accounts receivable included within accounts receivable, net on the condensed consolidated balance sheets was $108.1 million and $118.5 million as of April 30, 2025 and January 31, 2025, respectively.
     
    Zoom Communications, Inc.
    Condensed Consolidated Statements of Operations
    (Unaudited, in thousands, except share and per share amounts)
     
        Three Months Ended April 30,
          2025       2024  
    Revenue   $ 1,174,715     $ 1,141,234  
    Cost of revenue     278,402       273,302  
    Gross profit     896,313       867,932  
    Operating expenses:        
    Research and development     205,416       205,558  
    Sales and marketing     346,970       348,008  
    General and administrative     102,335       111,344  
    Total operating expenses     654,721       664,910  
    Income from operations     241,592       203,022  
    (Losses) gains on strategic investments, net     (13,619 )     17,354  
    Other income, net     87,792       71,588  
    Income before provision for income taxes     315,765       291,964  
    Provision for income taxes     61,162       75,656  
    Net income     254,603       216,308  
             
    Net income per share:        
    Basic   $ 0.84     $ 0.70  
    Diluted   $ 0.81     $ 0.69  
    Weighted-average shares used in computing net income per share:        
    Basic     304,908,652       308,700,582  
    Diluted     312,783,861       315,360,678  
     
    Zoom Communications, Inc.
    Condensed Consolidated Statements of Cash Flows
    (Unaudited, in thousands)
     
        Three Months Ended April 30,
          2025       2024  
    Cash flows from operating activities:        
    Net income   $ 254,603     $ 216,308  
    Adjustments to reconcile net income to net cash provided by operating activities:        
    Stock-based compensation expense     201,569       229,425  
    Amortization of deferred contract acquisition costs     69,557       68,125  
    Depreciation and amortization     35,316       26,667  
    Deferred income taxes     (24,690 )     (7,952 )
    Losses (gains) on strategic investments, net     13,619       (17,354 )
    Provision for accounts receivable allowances     5,855       6,782  
    Unrealized foreign exchange (gains) losses     (7,626 )     7,237  
    Non-cash operating lease cost     6,108       5,368  
    Amortization of discount/premium on marketable securities     (12,845 )     (17,668 )
    Other     4,142       98  
    Changes in operating assets and liabilities:        
    Accounts receivable     12,485       12,260  
    Prepaid expenses and other assets     (12,293 )     35,839  
    Deferred contract acquisition costs     (48,148 )     (40,128 )
    Accounts payable     7,252       7,276  
    Accrued expenses and other liabilities     (80,383 )     (14,942 )
    Deferred revenue     72,141       77,964  
    Operating lease liabilities, net     (7,401 )     (7,114 )
    Net cash provided by operating activities     489,261       588,191  
    Cash flows from investing activities:        
    Purchases of marketable securities     (1,135,024 )     (867,911 )
    Maturities of marketable securities     1,033,279       776,941  
    Sales of marketable securities     2,525        
    Purchases of property and equipment     (25,910 )     (18,508 )
    Purchases of strategic investments           (3,000 )
    Proceeds from strategic investments           4,654  
    Net cash used in investing activities     (125,130 )     (107,824 )
    Cash flows from financing activities:        
    Proceeds from exercise of stock options     954       1,016  
    Proceeds from employee equity transactions to be remitted to employees and tax authorities, net     8,690       6,581  
    Cash paid for repurchases of common stock     (418,021 )     (150,048 )
    Taxes paid related to net share settlement of equity awards     (82,153 )      
    Net cash used in financing activities     (490,530 )     (142,451 )
    Effect of exchange rate changes on cash, cash equivalents, and restricted cash     11,854       (6,852 )
    Net (decrease) increase in cash, cash equivalents, and restricted cash     (114,545 )     331,064  
    Cash, cash equivalents, and restricted cash – beginning of period     1,361,417       1,565,380  
    Cash, cash equivalents, and restricted cash – end of period   $ 1,246,872     $ 1,896,444  
     
    Zoom Communications, Inc.
    Reconciliation of GAAP to Non-GAAP Measures
    (Unaudited, in thousands, except share and per share amounts)
     
        Three Months Ended April 30,
          2025       2024  
    GAAP income from operations   $ 241,592     $ 203,022  
    Add:        
    Stock-based compensation expense and related payroll taxes     216,730       242,874  
    Acquisition-related expenses     9,004       10,701  
    Non-GAAP income from operations   $ 467,326     $ 456,597  
    GAAP operating margin     20.6 %     17.8 %
    Non-GAAP operating margin     39.8 %     40.0 %
             
    GAAP net income   $ 254,603     $ 216,308  
    Add:        
    Stock-based compensation expense and related payroll taxes     216,730       242,874  
    Losses (gains) on strategic investments, net     13,619       (17,354 )
    Acquisition-related expenses     9,004       10,701  
    Tax effects on non-GAAP adjustments     (45,663 )     (26,211 )
    Non-GAAP net income   $ 448,293     $ 426,318  
             
    Net income per share – basic and diluted:        
    GAAP net income per share – basic   $ 0.84     $ 0.70  
    Non-GAAP net income per share – basic   $ 1.47     $ 1.38  
    GAAP net income per share – diluted   $ 0.81     $ 0.69  
    Non-GAAP net income per share – diluted   $ 1.43     $ 1.35  
             
    GAAP and non-GAAP weighted-average shares used to compute net income per share – basic     304,908,652       308,700,582  
    GAAP and non-GAAP weighted-average shares used to compute net income per share – diluted     312,783,861       315,360,678  
             
    Net cash provided by operating activities   $ 489,261     $ 588,191  
    Less: Purchases of property and equipment     (25,910 )     (18,508 )
    Free cash flow (non-GAAP)   $ 463,351     $ 569,683  
    Net cash used in investing activities   $ (125,130 )   $ (107,824 )
    Net cash (used in) provided by financing activities   $ (490,530 )   $ (142,451 )
    Operating cash flow margin (GAAP)     41.6 %     51.5 %
    Free cash flow margin (non-GAAP)     39.4 %     49.9 %
             
        Three Months Ended April 30,
          2025  
        Revenue   YoY Revenue Growth (%)
    GAAP revenue   $ 1,174,715       2.9 %
    Add: Constant currency impact     4,762       0.5 %
    Revenue in constant currency (non-GAAP)     1,179,477       3.4 %
     

    The MIL Network

  • MIL-OSI Video: Glad You Asked: Can I be buried in a VA cemetery?

    Source: United States of America – Federal Government Departments (video statements)

    In this episode, Deputy Secretary of Veterans Affairs, the Honorable Paul R. Lawrence, Ph.D., is exploring a question that matters to Veterans and their families: Who’s eligible to be buried in a VA national cemetery and how can you find out in advance?

    Apply today to see if you’re eligible for burial in a VA cemetery: https://www.va.gov/burials-memorials/pre-need-eligibility/

    https://www.youtube.com/watch?v=vhCwlxfkns8

    MIL OSI Video

  • MIL-OSI Video: ICE arrest of Darwin Ronaldo Rodriguez Lopez

    Source: United States of America – Federal Government Departments (video statements)

    We arrested Honduran criminal alien Darwin Ronaldo Rodriguez Lopez. He received a DUI conviction Feb. 25, 2024, and just six months later was arrested again for impaired driving.

    Don’t come to this country, break our laws multiple times, and expect to stay.

    In fact, thanks to the Trump administration, if you’re here illegally at all — expect an ICE arrest.

    https://www.youtube.com/watch?v=BWnlRjzPivk

    MIL OSI Video

  • MIL-OSI Video: ICE arrest of Jose Alfredo Palacios-Hernandez

    Source: United States of America – Federal Government Departments (video statements)

    We arrested Jose Alfredo Palacios-Hernandez — a criminal alien convicted of indecent assault — May 6.

    Criminal aliens are not welcome in the United States. If you’re here illegally, expect an ICE arrest.

    https://www.youtube.com/watch?v=4kP4HbWw-vg

    MIL OSI Video

  • MIL-OSI Video: 🎥Jaime Leiva-Mejia arrested by ICE

    Source: United States of America – Federal Government Departments (video statements)

    A U.S. immigration judge ordered Jaime Leiva-Mejia removed July 2, 2018.

    He chose to defy the order and stay in the United States.

    Don’t wait for an ICE arrest.

    Self-deport.

    Learn more: ICE.gov/self-deportation

    https://www.youtube.com/watch?v=nfpllubMBuE

    MIL OSI Video

  • MIL-OSI Video: Secretary Rubio testifies before the House Foreign Affairs Committee

    Source: United States of America – Department of State (video statements)

    Secretary of State Marco A. Rubio Opening Statement before the House Foreign Affairs Committee on the FY26 Department of State Budget Request on Capitol Hill, on May 21, 2025.

    Transcript: https://www.state.gov/secretary-of-state-marco-rubio-before-the-house-committee-on-foreign-affairs-on-the-fy26-department-of-state-budget-request/

    Under the leadership of the President and Secretary of State, the U.S. Department of State leads America’s foreign policy through diplomacy, advocacy, and assistance by advancing the interests of the American people, their safety and economic prosperity. On behalf of the American people we promote and demonstrate democratic values and advance a free, peaceful, and prosperous world.

    The Secretary of State, appointed by the President with the advice and consent of the Senate, is the President’s chief foreign affairs adviser. The Secretary carries out the President’s foreign policies through the State Department, which includes the Foreign Service, Civil Service and U.S. Agency for International Development.


    https://www.youtube.com/watch?v=d0DoAkPbF3g

    MIL OSI Video

  • MIL-OSI USA: Missouri Man Sentenced to Over Nine Years in Prison for Church Arson

    Source: US Justice – Antitrust Division


    A Missouri man was sentenced yesterday to 111 months in prison by U.S. District Judge Matthew T. Schelp for the Eastern District of Missouri for burning down a Cape Girardeau, Missouri house of worship in 2021. He was also ordered to pay $6,968,223.36 in restitution for damages incurred by the church.

    MIL OSI USA News

  • MIL-OSI USA: Graham-Blumenthal Hard-Hitting Russia Sanctions Bill Has Over 80 Cosponsors

    US Senate News:

    Source: United States Senator for South Carolina Lindsey Graham
    WASHINGTON – U.S. Senators Lindsey Graham (R-South Carolina) and Richard Blumenthal (D-Connecticut) today made this joint statement after their legislation to impose primary and secondary sanctions against Russia and actors supporting Russia’s aggression in Ukraine reached 81 cosponsors in the U.S. Senate.
    These sanctions would be imposed if Russia refuses to engage in good faith negotiations for a lasting peace with Ukraine or initiates another effort, including military invasion, that undermines the sovereignty of Ukraine after peace is negotiated. The legislation also imposes a 500 percent tariff on imported goods from countries that buy Russian oil, gas, uranium and other products.
    “As Secretary Rubio indicated yesterday to the Senate Appropriations Subcommittee on State and Foreign Operations, Russia has agreed to provide its term sheet for a ceasefire in the next few days. Its contents will speak volumes as to whether or not Russia is serious about peace. We suspect it will be more of the same.
    “If it is more of the same, Russia can expect decisive action from the United States Senate. To that end, we are beyond pleased that we now have 81 cosponsors for legislation to sanction Russia for its barbaric invasion of Ukraine. Our legislation will isolate Russia – putting it on a trade island by imposing stiff tariffs on other countries that support these atrocities. One of the main priorities of our legislation is to hold China accountable for propping up Putin’s war machine by buying cheap Russian oil from the shadow fleet. Without China’s economic support, Putin’s war machine would come to a grinding halt.
    “While we yearn for peace, it is increasingly clear to us – and a supermajority of the Senate – that Putin is playing games. The United States Senate stands ready to act if these games continue.”
    Background on the Sanctioning Russia Act of 2025 is available HERE.
    Bill text is available HERE.

    MIL OSI USA News

  • MIL-OSI Global: Worker-led programs are tackling gender-based violence in supply chains, but they’re at risk

    Source: The Conversation – Canada – By Genevieve LeBaron, Distinguished SFU Professor of Global Supply Chain Governance, Simon Fraser University

    Gender-based violence and harassment is a widespread issue in supply chains. Women workers in garment manufacturing, food production and hospitality are routinely subjected to unwanted touching and sexual advances and inappropriate comments, while promotion and advancement are often conditional on sex. In the most severe cases, this abuse escalates to sexual assault and rape.

    Despite decades of awareness and an International Labour Organization convention passed in 2019 and ratified by 49 countries, research indicates little progress has been made.

    A 2024 report from Statistics Canada, for instance, has found that 47 per cent of women have experienced some form of harassment or sexual assault in the workplace.

    Rates of gender-based violence and harassment are thought to be even higher in some countries and industries. In Bangladesh, a 2018 study found at least 60 per cent of garment workers had experienced it in the previous year. Another found 85 per cent of garment workers in Indonesia were concerned about sexual harassment at work.

    In the face of such a persistent global issue, women working in garment supply chains have pioneered a highly effective solution for tackling gender-based violence and harassment.

    Worker-led binding agreements

    Supported by labour unions and organizations like the Asia Floor Wage Alliance, Worker Rights Consortium and Global Labor Justice, women workers have led the development of legally binding agreements with brands and suppliers to eliminate gender-based violence and harassment.

    The latest of these is called the Central Java Agreement for Gender Justice. Signed in July 2024, it covers 6,250 workers producing clothing for brands like Nike and Fanatics, Inc. under licenses with universities affiliated with the Worker Rights Consortium.

    Worker Rights Consortium persuaded Fanatics, which is also licensed to produce apparel bearing the Nike logo, to enter into the agreement in response to complaints of gender-based violence and harassment at two garment factories in central Java, Indonesia, owned by the Korean-based firm Ontide.

    This agreement creates a union-led program to address the problem at two Indonesian factories; if factory management does not comply, it risks losing business with Nike and Fanatics.

    Building on success from India to Indonesia

    The 2024 Central Java Agreement builds on and incorporates key features of previous worker-led agreements to address the issue.

    In particular, it builds on the 2022 Dindigul Agreement to Eliminate Gender-Based Violence and Harassment in India and the 2019 Agreements to Eliminate Gender-Based Violence and Harassment in Lesotho.

    The Dindigul agreement was led by an independent, majority-Dalit trade union run by women. It established a set of legally binding agreements with major garment companies including H&M Group, Gap Inc., PVH and Eastman Exports Global Clothing Ltd.

    The Lesotho agreements involved brands such as Levi Strauss & Co., Nien Hsing Textile Co., unions, women’s rights advocates and labour organizations.

    While each agreement is unique, they all adhere to the principles of worker-driven social responsibility.

    Under this governance model, “worker organizations and unions, suppliers, and brand companies enter into enforceable and legally binding agreements” and “transnational corporations use their leverage and supply chain relationships to effect change amongst supplier worksites.”

    A new model of accountability

    These agreements include worker-led detection and remediation systems to address gender-based violence and harassment. For example, under the Lesotho agreement, workers can access a 24-hour hotline operated by a local women’s organization to lodge complaints or bring them directly to the unions involved in the agreement.

    The Dindigul agreement also provides multiple channels for workers to raise complaints of gender-based violence and harassment, including shop floor monitors selected by the local union (one for every 25 workers). It also offers multiple avenues for raising complaints, including to the union or to sexual harassment committees required under Indian law.

    Under the Central Java Agreement, workers can bring complaints to committees aimed at eliminating the problem, to shop floor monitors or their unions. Not only does each of the agreements permit workers to request independent investigations, they all provide a wide array of remedies in the case of any incidents and violations of freedom of association.

    What sets these agreements apart from most other initiatives to combat gender-based violence and harassment in supply chains is that they actually work. One study of the two-year impact of the Dindigul Agreement by Cornell University’s Global Labor Institute found that 76 per cent of grievances were resolved in two weeks.

    The report said the program “constituted a powerful monitoring mechanism, ensuring effective remediation and deterring violations” of both gender-based violence and harassment and freedom of association — briefly put, the right to voluntarily join or leave groups (like unions), and for those groups to pursue collective action.

    Now, a key question is whether and to what extent these successful programs will continue to thrive and grow under the current “America First” agenda of the U.S. government.

    Progress under threat

    Despite their success, these worker-led initiatives face mounting challenges.

    Labour organizations that support these agreements are under strain, with some potentially at high risk of collapsing. The U.S. Bureau of International Labor Affairs is cutting US$500 million in funding that supports labour enforcement efforts across 40 countries.

    At the same time, company rollbacks of diversity, equity and inclusion programs are constraining, if not eliminating, the political space in which labour groups negotiate such agreements.

    Tariffs and upheaval in global trade — especially efforts to redraw supply chains to evade costly tariffs — give brands cover to withdraw commitments to worker-led initiatives and change sourcing patterns to circumvent them.

    Within the United States, cuts and funding freezes — including to sexual assault prevention groups — are a worrying sign that support for preventing gender-based violence and harassment and helping its survivors is being undercut and failing.

    If labour stakeholders lose the resources to support such initiatives, the impacts on women and workplaces within supply chains across the world will be devastating. These programs show that when workers lead, real change is possible, but they need continued investment and political support to survive.

    Genevieve LeBaron receives funding from the Social Sciences and Humanities Research Council of Canada, Humanity United Foundation, and Ford Foundation.

    Judy Fudge does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

    ref. Worker-led programs are tackling gender-based violence in supply chains, but they’re at risk – https://theconversation.com/worker-led-programs-are-tackling-gender-based-violence-in-supply-chains-but-theyre-at-risk-255756

    MIL OSI – Global Reports

  • MIL-OSI Video: How Big is Space? We Asked a NASA Expert

    Source: United States of America – Federal Government Departments (video statements)

    How big is space? It’s one of the most mind-bending questions we can ask because the deeper we look, the more the universe keeps going. We’ve measured billions of light-years in every direction and still haven’t reached the edge.

    A NASA scientist explains what we know — and don’t know — about the size of the cosmos.

    Explore more about the universe: https://science.nasa.gov/exoplanets/what-is-the-universe/

    Download this video at: https://images.nasa.gov/details/How%20Big%20is%20Space

    Producers: Scott Bednar, Pedro Cota, Jessie Wilde
    Editor: Daniel Salazar

    Title: Sassy McBrass – Instrumental
    Composer: Per-Anders Nilsson
    Universal Production Music

    Credit: NASA

    https://www.youtube.com/watch?v=r0bbq-soSfI

    MIL OSI Video

  • MIL-OSI Video: FY 2024 AFGP Application Development Training Series – SAFER Hiring Activity

    Source: United States of America – Federal Government Departments (video statements)

    This FY24 SAFER Hiring Activity webinar includes a program overview, understanding the application process and tips for preparing to apply.

    https://www.youtube.com/watch?v=iVe1s9Msw40

    MIL OSI Video

  • MIL-OSI Europe: Written question – EU strategy on price transparency and access to medicines – E-001918/2025

    Source: European Parliament

    Question for written answer E-001918/2025
    to the Commission
    Rule 144
    Valentina Palmisano (The Left)

    Major pharmaceutical companies have recently announced investments of over USD 165 billion in the United States, thus shifting part of their production apparatus.

    The CEOs of Novartis and Sanofi have criticised EU policy, which they deem to be unattractive, citing regulatory uncertainty and price controls.

    The Commission has submitted proposals such as a European price list based on US prices, the elimination of spending caps and a European target for innovative medicines.

    Given the foregoing and the fact that equitable access to medicines and the sustainability of healthcare systems are fundamental rights, that World Health Organisation resolution WHA72.8 calls for price transparency but no such policy enforces it in Europe, and that the evaluation of medicines does not systematically include added therapeutic value, can the Commission say:

    • 1. What stance it takes on Big Pharma’s proposals and the associated risks for the sustainability of healthcare systems and equitable access to medicines?
    • 2. What measures it intends to take to increase price transparency in line with Resolution WHA72.8 and improve information exchange between Member States?
    • 3. Whether it intends to introduce the criterion of added therapeutic value in the assessment of medicines at European level, with a view to steering innovation towards real clinical benefits and avoiding incremental innovation?

    Submitted: 14.5.2025

    Last updated: 21 May 2025

    MIL OSI Europe News

  • MIL-OSI: U.S. Growth Strategy: Boralex Signs Contracts for Two New York Solar Projects Totaling 450 MW

    Source: GlobeNewswire (MIL-OSI)

    MONTREAL, May 21, 2025 (GLOBE NEWSWIRE) — Boralex Inc. (“Boralex” or the “Company”) (TSX: BLX) is pleased to announce it has entered into a Renewable Energy Standard Agreement with the New York State Energy Research and Development Authority (NYSERDA) to procure Tier-1 RECs from each of its Fort Covington Solar Project and Two Rivers Solar Project, totaling 450 MW. The signing of these contracts marks a significant milestone in Boralex’s contribution to renewable energy in New York and in the Company’s development in this promising market.

    These contracts were awarded as part of NYSERDA’s 2024 Renewable Energy Standard Competitive Solicitation for the purchase of New York Tier-1 Eligible Renewable Energy Certificates (RECs). Each REC represents the environmental attributes of one megawatt-hour of electricity generated from an eligible renewable source such as solar energy.

    The two solar facilities will be located in Franklin and St. Lawrence Counties in upstate New York, with permit applications currently under review by the state Office of Renewable Energy Siting and Electric Transmission:

    “New York is committed to building a clean energy economy, and Boralex is honored to meaningfully contribute toward achieving the State’s renewable energy targets,” said Patrick Decostre, President and Chief Executive Officer of Boralex. “We appreciate NYSERDA’s confidence in our projects. New York State is a strategic growth market for Boralex, and we are proud to support the State’s renewed commitment to advancing clean energy infrastructure.”

    “Our execution of these contracts for the Fort Covington and Two Rivers projects reflects Boralex’s strategic focus on growing our U.S. renewable energy platform,” added Hugues Girardin, Executive Vice President, General Manager North America, Boralex. “We are extremely proud of our teams, whose expertise and dedication continue to drive Boralex’s successful expansion across North America in response to the consistently strong demand for green electricity.”

    “Renewable energy projects like Fort Covington and Two Rivers are crucial to New York’s clean energy transition,” said NYSERDA President and CEO Doreen M. Harris. “Additionally, public-private partnerships like this will bring meaningful benefits to Franklin and St. Lawrence counties by spurring economic investments and delivering affordable and locally-sourced energy to residents of these communities.”

    “This is very exciting news for our town and the state as it looks to achieve its climate goals,” said Mark Peets, Supervisor of the Town of Brasher. “Throughout the development of this project, Boralex has done an excellent job communicating the benefits to our community. They’ve listened to our concerns and, more importantly, made meaningful project changes that have helped build trust and support. We look forward to the hundreds of construction jobs, and tens of millions of dollars in economic development these projects will provide.”

    “These developments are great news for our community and the surrounding area,” said Susan Bellor, Supervisor, Town of Massena. “I very much look forward to continuing to strengthen the relationship between Boralex and our town, and I’m excited about the long-term positive economic impact the project will have – not only for the participating landowners, but the broader community.”

    “Small towns like ours don’t often get opportunities like this,” said Pat Manchester, Supervisor of the Town of Fort Covington. “The Fort Covington Solar Project represents a major investment in our community and our future. We’re excited about the jobs, increased tax revenues, and the momentum it brings for sustainable economic growth. Boralex has been a transparent, responsive partner throughout this process, and we’re proud to host a project of this scale and significance.”

    Construction of both projects is expected to begin in 2026, and they are expected to be commissioned in 2028. They will bring substantial economic, social, and environmental benefits to New York State and to local communities. Once constructed, the projects will together provide enough energy to power approximately 105,000 homes, support approximately 300 to 400 construction jobs, and create long-term operational roles, further strengthening the local economy and advancing the State’s transition to clean energy.

    Caution Regarding Forward-Looking Statements  

    Some of the statements contained in this press release, including those regarding the start of construction of the projects and their commissioning, are forward-looking statements based on current expectations, within the meaning of securities legislation. Boralex would like to point out that, by their very nature, forward-looking statements involve risks and uncertainties such that its results or the measure it adopts could differ materially from those indicated by or underlying these statements, or could have an impact on the degree of realization of a particular forward-looking statement. Unless otherwise specified by the Company, the forward-looking statements do not take into account the possible impact on its activities, transactions, non-recurring items or other exceptional items announced or occurring after the statements are made. There can be no assurance as to the materialization of the results, performance, or achievements as expressed or implied by forward-looking statements. The reader is cautioned not to place undue reliance on such forward-looking statements. Unless required to do so under applicable securities legislation, Boralex management does not assume any obligation to update or revise forward-looking statements to reflect new information, future events or other changes. 

    About Boralex

    At Boralex, we have been providing affordable renewable energy accessible to everyone for over 30 years. As a leader in the Canadian market and France’s largest independent producer of onshore wind power, we also have facilities in the United States and development projects in the United Kingdom. Over the past five years, our installed capacity has increased by more than 50% to over 3.2 GW. We are developing a portfolio of projects in development and construction of more than 8 GW in wind, solar and storage projects, guided by our values and our corporate social responsibility (CSR) approach. Through profitable and sustainable growth, Boralex is actively participating in the fight against global warming. Thanks to our fearlessness, our discipline, our expertise and our diversity, we continue to be an industry leader. Boralex’s shares are listed on the Toronto Stock Exchange under the ticker symbol BLX.

    For more information, visit boralex.com or sedarplus.com. Follow us on Facebook, LinkedIn and Instagram.

    For more information

    MEDIA
    Camille Laventure
    Senior Advisor, Public Affairs and External Communications
    Boralex Inc.
    438 883-8580
    camille.laventure@boralex.com

    INVESTOR RELATIONS
    Stéphane Milot
    Vice President, Investor Relations and Financial Planning and Analysis
    Boralex Inc.
    514 213-1045
    stephane.milot@boralex.com

    MEDIA – NORTH AMERICA
    Zachary Hutchins
    Manager, Public Affairs and Communications
    Boralex Inc.
    518 727-6155
    zachary.hutchins@boralex.com

    Source: Boralex inc.        

    The MIL Network