Category: 3. Business

ISLAMABAD:

Pakistan’s oil and gas regulator has raised re-gasified liquefied natural gas (RLNG) prices by up to 0.59% for February 2026, citing a marginal increase in terminal charges.

The Oil and Gas Regulatory Authority (OGRA) announced its decision on Friday, increasing RLNG rates for both Sui Northern Gas Pipelines Ltd (SNGPL) and Sui Southern Gas Company Ltd (SSGCL). The changes reflect an increase of up to $0.0605 per million British thermal units (MMBtu) across transmission and distribution costs.

Under the new pricing, RLNG rates for SNGPL consumers were up by 0.53% from January levels, while SSGC consumers will face an increase of 0.59%, according to an OGRA notification.

For SNGPL, the distribution price edged up by $0.0602 per MMBtu to $11.3345 per MMBtu from $11.2743 in January. The SSGC distribution price increased by $0.0605 per MMBtu to $10.27 from $10.21 in January.

OGRA said the revised prices include terminal charges, transmission losses, port handling costs and margins for Pakistan State Oil (PSO), the state-run LNG importer. The weighted average sale prices were calculated on the basis of eight LNG cargoes imported by PSO under its two long-term supply agreements with Qatar. Of these, four cargoes were procured at a higher pricing slope, while the remaining four were acquired at a lower rate.

RLNG remains a critical component of Pakistan’s energy mix, particularly during periods of domestic gas shortages.

The government revises RLNG prices every month in line with global LNG rates, exchange rate movements and infrastructure-related costs.

Insider Brief

• An artificial intelligence system first identified a general formula for a class of gluon interactions long thought impossible at the simplest level of calculation, a result later rigorously proven by the researchers in a new preprint.
• The study shows that when the particles are arranged in a particular way, the interaction does not disappear and can be built step by step using a standard method in particle physics, turning what would normally be a sprawling set of diagrams into a compact mathematical expression.
• The AI-proposed formula was then tested against established consistency rules in quantum field theory, and the same approach is expected to extend to related calculations involving gravitons and other theoretical generalizations.

A long-dismissed class of particle interactions may exist after all — and human scientist say an artificial intelligence system served as a lab assistant to help them with the discovery. Or maybe rediscovery.

In a pre-print study posted to arXiv, the researchers report that a type of gluon interaction many physicists assumed could not occur at the simplest level of calculation can, under specific conditions, take on clean, compact mathematical forms. According to the study, the key closed-form expression was first conjectured by GPT-5.2 Pro before being formally proven and independently checked by humans.

The paper, published by researchers from Institute for Advanced Study, OpenAI, Vanderbilt University, Cambridge University and Harvard University, focuses on gluons, which are the particles that carry the strong nuclear force, which, as that sticky name suggests, binds quarks together inside protons and neutrons.

At the center of the work is a concept known as a scattering amplitude. In particle physics, a scattering amplitude is the mathematical object that encodes the probability that particles will collide and emerge in a particular configuration. These amplitudes are the bridge between abstract quantum field theory and real-world measurements. They are computed using Feynman diagrams, which depict every possible way particles can interact.

The problem is scale. As the number of particles increases, the number of diagrams grows faster than exponentially. What looks manageable at three or four particles becomes nearly intractable at six or seven. Yet physicists have repeatedly discovered that when all those diagrams are added together, the final answer often collapses into something surprisingly simple.

This tension — overwhelming intermediate complexity, unexpected final simplicity — has shaped modern theoretical physics for decades.

Vanishing? Maybe Not

The new study revisits a particular class of amplitudes involving gluons. Gluons, like photons, have a property called helicity, which can be thought of as the orientation of their spin relative to their direction of motion. At the risk of using an American football analogy so soon after the Super Bowl, helicity is like whether a football spirals clockwise or counterclockwise as it flies downfield.

For massless particles, helicity can take one of two values: positive or negative. In so-called “single-minus” configurations, one gluon has negative helicity while the remaining n−1 gluons have positive helicity.

Standard textbook arguments have long suggested that these amplitudes vanish — meaning the probability of that interaction is zero — at tree level, the baseline calculation that includes only the most direct interaction diagrams and leaves out the messier quantum loops that appear at higher orders.

According to the study, that conclusion rests on an assumption about the momenta — the directions and energies — of the particles. Those arguments hold when the momenta are generic, meaning they are not specially aligned.

The researchers show that when the momenta satisfy a particular alignment condition, known as the half-collinear regime, the reasoning breaks down. In this regime, certain spinor products — mathematical quantities used to represent particle momenta in a compact way — vanish in a coordinated fashion. The result is that the single-minus amplitude does not disappear.

Instead, it exists on a precisely defined slice of momentum space.

The researchers derive a recursion relation — a step-by-step construction rule based on the Berends-Giele method — that determines these amplitudes for any number of gluons. In other words, scientists can systematically build a complicated multi-particle interaction based on simpler ones.

When the team computed explicit examples for small numbers of gluons, the results were messy. Even at six particles, the expressions spanned dozens of terms, reflecting the superexponential growth of Feynman diagrams.

Enter AI.

According to the accompanying blog post from OpenAI, the human scientists first calculated the amplitudes for small values of n by hand, obtaining long expressions derived from Feynman diagrams. GPT-5.2 Pro was then used to simplify those expressions. From the simplified cases, the system identified a pattern and conjectured a general formula valid for all n.

An internal, scaffolded version of GPT-5.2 subsequently spent roughly 12 hours reasoning through the conjecture and produced a formal proof of its validity, according to the blog post. The researchers then verified the result analytically.

The formula was checked against the Berends-Giele recursion relation, ensuring that it reproduces the step-by-step construction of amplitudes. It was also tested against several standard consistency conditions in quantum field theory, including cyclic symmetry, reflection symmetry and Weinberg’s soft theorem — a rule that constrains how amplitudes behave when one particle’s energy becomes very small. According to the study, the result passed all of these checks.

In one special arrangement of the particles’ motion — known as region R1 — where a single negatively spinning gluon turns into many positively spinning ones, the math simplifies dramatically. What starts as a tangled web of interaction diagrams reduces to a short formula made of simple plus, minus, or zero values depending on how the particles are aligned.

According to the researchers, The simplification is dramatic. The direct Feynman-diagram expressions grow superexponentially in complexity as the number of particles increases. The AI-assisted formula replaces that growth with a structured product whose pattern holds for any number of gluons.

A Methodological Shift

The physics result itself occupies a narrow but conceptually important corner of Yang-Mills theory, the framework that describes gluons and underlies the Standard Model’s treatment of the strong force. Single-minus amplitudes were widely regarded as absent at tree level. Showing that they exist under well-defined conditions reopens questions about the internal structure of scattering amplitudes and the geometric principles that may organize them.

But the methodological aspect may draw even broader attention.

Here, the AI system did more than assist with algebraic manipulation. It inferred a general pattern from specific cases and proposed a closed-form formula. The human researchers then proved and validated that formula using established analytic methods.

In the blog post, the researchers write that this may serve as a template for AI-assisted theoretical research: conjecture generation by machine, verification by rigorous mathematics and cross-checking against known physical principles.

The study suggests that certain domains of theoretical physics — especially those involving hidden simplicity inside complex algebra — may be particularly well suited to this approach. Historically, recognizing such patterns required deep intuition built over years of experience. In this case, a large language model identified a structure that had not been written down in closed form.

Nima Arkani-Hamed, Professor of Physics, Institute for Advanced Study, said, in the post: “The physics of these highly degenerate scattering processes has been something I’ve been curious about since I first ran into them about fifteen years ago, so it is exciting to see the strikingly simple expressions in this paper. It happens frequently in this part of physics that expressions for some physical observables, calculated using textbook methods, look terribly complicated, but turn out to be very simple. This is important because often simple formulas send us on a journey towards uncovering and understanding deep new structures, opening up new worlds of ideas where, amongst other things, the simplicity seen in the starting point is made obvious.”

Arkani-Hamed added: “To me, finding a simple formula’ has always been fiddly, and also something that I have long felt might be automatable by computers. It looks like across a number of domains we are beginning to see this happen; the example in this paper seems especially well-suited to exploit the power of modern AI tools. I am looking forward to seeing this trend continue towards a general purpose ‘simple formula pattern recognition’ tool in the near future.”

Limits, Next Steps

The results apply to tree-level amplitudes and to specific kinematic regimes. Loop corrections, which incorporate quantum fluctuations, remain far more complicated. The half-collinear configuration is mathematically consistent but not generic in ordinary Minkowski spacetime; it corresponds to a special alignment of momenta or to complexified momentum configurations.

According to the study, the construction generalizes from gluons to gravitons — the hypothetical quantum carriers of gravity — and supersymmetric extensions are also possible. The researchers note that the structural role of these amplitudes within the broader theory remains to be understood and that even simpler formulations may exist.

In general, the study suggests how AI might be integrated into probing some of the problems that continue to vex science, particularly quantum mechanics.

Nathaniel Craig, Professor of Physics at the University of California, Santa Barbara, said in the post: “I am already thinking about this preprint’s implications for aspects of my group’s research program. This is clearly journal-level research advancing the frontiers of theoretical physics, and its novelty will inspire future developments and subsequent publications. This preprint felt like a glimpse into the future of AI-assisted science, with physicists working hand-in-hand with AI to generate and validate new insights. There is no question that dialogue between physicists and LLMs can generate fundamentally new knowledge. By coupling GPT‑5.2 with human domain experts, the paper provides a template for validating LLM-driven insights and satisfies what we expect from rigorous scientific inquiry.”

The research team included Alfredo Guevara, of the Institute for Advanced Study; Alexandru Lupsasca of Vanderbilt University and OpenAI; David Skinner of the University of Cambridge, Andrew Strominger of Harvard University and Kevin Weil, of OpenAI

The paper is highly technical and for a deeper dive, it’s recommended the reader review the paper on arXiv.

Also, please note that arXiv is a pre-print server, which allows researchers to receive quick feedback on their work. However, it is not — nor is this article, itself — official peer-review publications. Peer-review is an important step in the scientific process to verify results.

Executive Summary

This article explores the misuse of QR codes in today’s threat landscape, covering three areas of concern:

• QR codes using URL shorteners to disguise malicious destinations
• QR codes using in-app deep links to steal account credentials and take control of a victim’s apps
• QR codes attempting to bypass app store security by linking to direct downloads of malicious apps

With QR codes a notable presence in our everyday lives, some people instinctively scan them without hesitation. But QR codes are also a vector for attack. QR codes enable attackers to bypass organizational security by exploiting the weaker controls of personal mobile devices. By doing this, they can trick users into scanning codes and interacting with malicious destinations outside the corporate security perimeter.

Over the past several months, we have tracked campaigns that used QR codes for phishing (known as quishing) and scams. Our telemetry reveals an average of over 11,000 detections of malicious QR codes each day. Investigating these detections, we found that attackers are leveraging QR code shorteners, in-app deep links and direct downloads to bypass people’s awareness and security controls.

In addition to mass campaigns, we see attackers using QR codes for highly targeted messenger app phishing, such as targeting Ukrainian Signal users in the context of the Russia-Ukraine war. These findings necessitate further analysis of deep links and QR code data.

Palo Alto Networks customers are better protected from the threats described in this article through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Phishing QR Codes Not New, but a Growing Threat

QR codes are not a new technology, but their prevalence has increased with the push for contactless interactions, especially during the initial emergency phase of the coronavirus pandemic. QR codes allow companies to interact seamlessly with their customer base for payments, enabling customers to join rewards programs and sign up for apps or mailing services. People have grown used to QR codes in daily life, and often scan them without sufficient caution, increasing their susceptibility to attacks.

The popularity of QR codes has led to their use by attackers. In our offline web crawlers, we currently find an average of 75,000 detections of QR codes each day, with 15% of these pages containing QR codes leading to malicious links. This represents an average of over 11,000 detections of malicious QR code use each day.

Problem of Evasive QR Code Redirects

We looked beyond the recognized risks of QR codes. While straightforward QR code web-based attacks remain a threat, our focus shifted to understanding how attackers are leveraging the following trends to remain evasive to both victims and security controls:

These tactics represent an evolution in QR code-based attacks that security teams need to address.

Previous Unit 42 research has covered several key attack vectors for phishing QR codes hosted on documents, which are also relevant when hosted on websites. Attacks through these vectors can be effective for several reasons including:

• Lower user vigilance
• Security solutions having difficulty extracting URLs embedded in QR codes
• Complex redirection chains that obscure final destinations
• Weaker security controls on personal mobile devices
• Hosting on otherwise legitimate-looking pages

Building upon this threat model, in-app deep links allow the attacker to target specific apps and trigger specific behavior (Figure 1).

QR codes on websites need to be analyzed by security crawlers and other security solutions. To close this security gap, specific QR code detection techniques must be deployed to analyze the various data types stored in QR codes:

• Standard HTTPS URLs
• Deep links
• Non-URL content (e.g., JSON, plaintext)

Key Definitions

QR code shorteners are services that combine a URL shortener with a QR code generator to create a shorter, more scannable QR code that links to a long URL. These shorteners offer benefits such as reducing the size of the QR code, allowing attackers to change the destination URL later, and tracking scan data in a single dashboard.

In-app deep links are hyperlinks that direct visitors to a specific screen or content within a mobile app. In-app deep links can use both custom URL schemes (i.e., sms:+1234567890:Hello, tg[:]//login?token= ) or standard web URLs (i.e., hxxps[:]//wa[.]me/settings/linked_devices#) that the operating system redirects to the app.

Figure 2 shows an example that displays a phishing site impersonating a job match and training program website that hosts a payment in-app deep link. Deep links are often used to improve user experience by reducing the number of steps to access specific content from external sources like emails, social media, authentication tokens or ads.

The Stealth Factor: QR Code Shorteners

Attackers use QR code shorteners to mask malicious destinations. QR code shorteners convert a static image into a dynamic endpoint. Consequently, the attacker can change the redirect destination at will.

The attacker is also able to leverage the good reputation of QR code shortener services to evade detection of malicious activity. Even security-conscious people who check the URL preview before scanning cannot determine the final destination when presented with shortened links. This technique effectively prevents targets from being aware of potential threats until after the malicious payload has been delivered.

Our previous article has already talked about the risk of URL shorteners more broadly. However, the combination of a QR code and URL shortener is even more likely to bypass scrutiny.

Steady Increase in QR Code Shortener Traffic

We have seen QR code shortener traffic grow steadily over the past three years (Figure 3).

We see a steady increase of QR code shortener traffic in our telemetry. This includes a 55% increase from the first half of 2023 to the first half of 2024 and a 44% increase from the first half of 2024 to the first half of 2025. This data is based on the following popular QR code shortener services:

• qrcc[.]io
• qrco[.]de
• me-qr[.]com
• qr[.]io
• qrfy[.]com
• qrfy[.]io
• get-qr[.]com
• qr[.]ne, qrs[.]ly

Most Misused QR Code Shortener Services

Our telemetry reveals that qrco[.]de, me-qr[.]com and qrs[.]ly are the most used QR code shorteners. Compared to the top QR code shorteners mentioned in the Anti-Phishing Working Group (APWG) phishing trends report [PDF], qrs[.]ly is a notable new addition as the QR code shortener used in 7.3% of the malicious URLs observed.

Targeted Industries

Financial services was the most impacted industry when considering compromised QR code shorteners, accounting for 29% of this type of attack. This is followed by high tech (19%) and wholesale and retail (14%). Significantly, QR code shorteners for financial services make up only 4.8% of this type of traffic as a whole. This makes the high percentage of compromised QR code shorteners for financial services even more striking as shown in Figure 4

Example of a Phishing Attack Misusing a QR Code Shortener

The webpage shown in Figure 5 is a popular file-sharing platform containing a QR code that appears to imitate a school by including its logo. Upon analysis, we found that it is a QR code shortener that first redirects to a CAPTCHA page and then lands on a phishing page that impersonates Outlook hosted on cdnimg.jeayacrai[.]in[.]net. After a few days, the URL from this QR code no longer worked, illustrating how QR code shorteners are often ephemeral and can quickly cease redirecting to the original malicious endpoint.

In-App Deep Links Vulnerabilities: More Than Just Web Browsing

Modern mobile devices support a wide range of QR code actions beyond simple web browsing. The distribution of in-app deep links in QR codes is an understudied area despite its exploitability. In-app deep links account for about three percent of the QR codes in our telemetry. Attackers can either misuse app functionality (e.g., adding a trusted device, or sending a payment), or push malicious content to those apps (such as, adding malicious links to calendar invites).

Defenders face a challenge in detecting malicious in-app deep links embedded in QR codes because the activity generated by these links is often invisible to standard web crawlers. Effective detection necessitates a mobile sandbox environment with the specific app installed to properly observe and analyze this activity. Custom in-app deep links lack standardization across applications. This makes identifying malicious signals difficult to generalize, often requiring individualized investigation for each case.

Both iOS and Android devices can process QR codes with in-app deep links that have direct app integration. We categorize in-app deep links as those that apply to the following types of apps:

• Social media and communications
• App stores
• Payment
• System utilities (e.g., Wi-Fi, contacts, calendar, telephone, email, SMS, navigation)

The three most popular custom app URLs that we found were for Telegram, XHS Discover (RedNote) and Line, which respectively account for 44.7%, 1.8% and 0.8% of in-app deep links. As we discuss later, attackers commonly misuse Telegram and Line.

Attack Scenarios

In-app deep links enable additional cross-device interactions, creating new attack scenarios via QR codes.

Table 1 lists some examples of the attack chain scenarios possible through in-app deep links.

 

Attack Name	Deep Link Category	Description	Example (QR Code Content)
Financial fraud	Payment	Direct access to payment applications with pre-filled recipient information	bitcoin:attackers_address
Account Takeover	Social Media and Communications	Directs the victim to authenticate the attacker into the victim’s account	Attacker’s website hosts: tg[:]//login?token=xxxx
Embedding Malicious URLs	Communications, Other Apps	Attackers can embed malicious URLs in emails or text messages to be sent from the victim’s device, saved into a file, etc.	mailto[:]receive@mail[.]com?subject=Request%5D&body=Please%20visit%20this%20website%20www.malicious-url[.]com {info-here : www.malicious-url[.]com}
Calendar poisoning	System utilities	Malicious meeting links added to calendars that redirect victims to phishing sites when they attempt to join meetings,  Malicious files added to a calendar invite	BEGIN:VCALENDAR VERSION:2.0 BEGIN:VEVENT SUMMARY:Team Lunch & Planning Session DTSTART:20251205T120000 DTEND:20251205T130000 LOCATION: www.phishing-meeting-link-url[.]com DESCRIPTION:Discuss Q4 results and plan for Q1 goals. END:VEVENT END:VCALENDAR
Contact poisoning	System utilities	Embedding malicious URLs or fake contacts within contact information that activate when victims interact with saved contacts	BEGIN:VCARD N:First Name, Last Name TITLE:Dep. xxx TEL:+1 000-000-000 EMAIL:attack-email@xx[.]com URL:malicious-website[.]com END:VCARD
Rogue Wifi networks	System utilities	Automatically connecting victims to attacker-controlled networks	WIFI:T:WPA;S:attacker-network-name;P:password;H:false;

Table 1. Attack scenarios involving in-app deep links.

Many of these attack scenarios involve embedding malicious URLs into specific data entries stored in mobile apps. Figure 6 illustrates this for contact poisoning, where a malicious URL is embedded in a saved contact card.

Some of the scenarios described in Table 1 were not observed in our data collection, while others were. The ones not observed are plausible, but hypothetical scenarios. We will further discuss the scenarios observed in our data collection below.

Current Attack Trends and Examples

Financial Fraud In-App Deep Links

Financial in-app deep links represent a significant financial risk to potential victims. QR codes are commonly used in legitimate business transactions to facilitate payments, making it straightforward for attackers to misuse this trusted interaction through phishing schemes. We observed legitimate in-app deep links from popular payment apps such as:

• WeChat Pay
• Alipay
• Bitcoin
• Ethereum
• LitCoin
• Metamask
• Trust (wallet)

The familiarity and trust people have with payment-related QR codes create an ideal environment for social engineering attacks, where malicious QR codes can closely mimic legitimate payment requests. Phishing campaigns using pressure tactics can manipulate people into making quick payments.

Below, we share a few examples where an attacker attempts to trigger a financial transaction using a QR code. Figure 7 includes two examples. The first example is a phishing campaign claiming easy returns on investment, asking for an initial payment through a Bitcoin in-app deep link. The second example is a hacking for hire service advertising and providing easy payment with a WeChat payment in-app deep link.

Figure 8 illustrates another get-rich-quick phishing scheme that requests an initial payment through a popular cryptocurrency wallet via a QR code with an in-app deep link.

Messenger Account Takeover Through In-App Deep Links

Account takeovers through in-app deep links appear to be a significant phishing vector for messaging and social media sites. Telegram, in particular, was the most prominent application identified in our analysis that uses custom in-app deep links. We found over 35,000 QR codes that contain Telegram in-app deep links such as tg[:]//login or tg[:]//resolve and we observed multiple instances where attackers exploited these links to compromise accounts.

We saw three kinds of Telegram in-app deep links:

Login accounted for 97% of the Telegram in-app deep links observed. Login grants the QR code creator authorization to access your account.

Previous reporting of Telegram in-app deep link scams warns about these account takeover attacks. Roughly one out of every five host pages with a login Telegram in-app deep link is malicious, based on our conservative estimate.

Figure 9 includes two examples of such Telegram login scams. However, while Telegram is the most popular, attackers are also targeting other popular communication apps.

Figure 10 shows an example of a QR code containing an in-app deep link that requests authorization to a target’s Line account. This would allow attackers to send Line messages under the device and account owner’s name. Of note, Line has since deprecated this in-app deep link, and the link will now result in an error.

 

Figure 11 shows an example of a QR code containing an in-app deep link that requests authorization to access a target’s Signal account.

Figure 12 shows an example of a QR code containing an in-app deep link that requests authorization to access a target’s WhatsApp account.

In addition to mass phishing campaigns, there’s a clear trend toward more focused attacks aimed at stealing Signal credentials. For instance, the Google Threat Intelligence Group (GTIG) has documented increased efforts by Russia state-aligned actors to compromise Signal Messenger accounts. These attacks frequently misuse Signal’s feature to link devices with malicious QR codes.

Many of these campaigns have targeted Ukraine in the context of the Russia-Ukraine war. In July 2024, the CERT-UA reported on several threat groups, such as UAC-0185 (aka UNC4221), that have specifically targeted messenger accounts.

Our researchers continue to observe new malicious domains targeting Ukrainian Signal users, including snitch.open-group[.]site and similar variations. After linking a new session to Signal accounts, the attackers can exfiltrate message history and other account information. We have reported discovered information to our Ukrainian cybersecurity partners.

Figure 13 shows a QR code from a campaign targeting Ukraine-based Signal accounts.

Bypassing App Store Security: Direct App Downloads

QR codes are widely used for easy downloading of files and applications. Attackers can exploit this convenience to trick victims into downloading malicious content or installing harmful mobile applications.

Major app stores impose strict security and compliance guidelines to limit the distribution of harmful apps. However, attackers may circumvent these security measures by distributing links to unreviewed Android Package Kit (APK) files hosted on their own servers via QR codes.

Our investigation identified 59,000 detections of host pages distributing a total of 1,457 distinct APK files directly through QR codes, without going through any app store. Notable examples of these distributed APKs are listed below.

Gambling/Casino App Downloads

Gambling and casino games websites are distributing their apps through APK files in QR codes.

Figures 14-16 illustrate some examples of such host pages. They are all hosted by many different domains and request certain Android permissions that could be concerning to people.

Figure 14 shows an ad for a popular game that includes a QR code, which redirects the victim to another QR code to download a game app named yicai.apk from ​​f9999[.]app. This QR code is hosted on 10,022 unique URLs.

The app requests read and write permissions to the device’s external storage and camera. It also requests install packages permissions.

Figure 14 shows an ad for another game hosted on 9,161 unique URLs. The URL used in Figure 15 is hxxps[:]//pyreneesakbash[.]com/m-nagapoker/android.html. The file for the game is named NagaPocker.apk, and it requests write to external storage and internet permissions.

Figure 16 shows an app distributed through two different pages. Named app-u7cp-release.apk, the app requests:

• Access to coarse location
• Access to fine location
• Background location
• Read and write access to external storage
• Read phone state
• Camera permissions

Warnings from Trustwave about malicious APK files highlight that these types of gambling and betting apps expose victims to harmful activity, such as:

• Excessive advertising
• Theft of personal data
• Theft of funds
• Hidden fees
• Subscriptions

These apps provide financial incentives for engagement, prolonging the life of such scams. Allowing victims to download apps directly and bypassing official app stores enables attackers to circumvent app verification procedures.

Many campaigns hosting QR codes that pointed to a given APK file did so across numerous domains. The apps request suspicious Android permissions, most notably write external storage, camera and access fine location. These permissions could allow intentional data exfiltration, accidental data leakage and surveillance. The aggressive distribution across many different host pages, stealthy methods and excessive permissions suggest malicious intent.

Other Malicious App Downloads

Though gambling apps account for a large portion of the QR codes distributing APK files, QR codes also distribute other kinds of suspicious apps. Figure 17 illustrates two examples.

The first example is a phone optimization app named ludashi_home.apk. It requests the following permissions:

• Recording audio
• Reading battery status
• Reading phone state
• Accessing the camera
• Reading and writing to external storage
• Authenticating accounts
• Clearing the app cache
• Installing packages permissions

The second example is a social network app for educators named k12sns.apk. This app also requests several different types of permissions:

• Accessing the internet
• Reading logs
• Waking the lock
• Reading the phone state
• Writing to external storage

Several vendors detect these apps as suspicious or malicious, and they extract sensitive information from the device they are installed on. For example, the phone optimization app can take on certain behaviors like authenticating accounts and installing further packages, which attackers can misuse for malicious gains.

Conclusion

The attack scenarios and variety of examples we’ve discovered illustrate the extensive potential and existing prevalence of QR code misuse. The fundamental challenges of this type of misuse are user awareness and lack of visibility from current detection systems.

Most people scanning QR codes don’t anticipate the broad range of device functions that can be triggered from in-app deep links or unexpected endpoints from QR code shorteners. This expectation mismatch creates a significant security weak spot that attackers can actively exploit.

User education remains critical — people need to understand that QR codes can do much more than simply open webpages.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

Customers using Advanced URL Filtering and Prisma Browser (with Advanced Web Protection) are better protected against various QR code attacks. Our detectors analyze QR code landing pages and deep links.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
• UK: +44.20.3743.3660
• Europe and Middle East: +31.20.299.3130
• Asia: +65.6983.8730
• Japan: +81.50.1790.0200
• Australia: +61.2.4062.7950
• India: 000 800 050 45107
• South Korea: +82.080.467.8774

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Acknowledgements

The authors would like to thank Bradley Duncan and Billy Melicher for the thorough technical review of the article. We would also like to thank the editorial team including Samantha Stallings and Lysa Myers for the assistance with improving and publishing this article.

Indicators of Compromise

Examples of URLs for QR code shorteners:

• hxxps[:]//www.dropbox[.]com/scl/fi/7e8xqrcxgzftrk61omgn0/Presentation.pptx?rlkey=xgk24xllhh4qqv1li2ifd3e3s&st=xvtu5b7y&dl=0
• hxxps[:]//qrco[.]de/bgP6vx
• hxxps[:]//cdnimg.jeayacrai[.]in[.]net/qY42h5ei3SBo9ZmvO!/

Examples of URLs for financial scams:

• hxxp[:]//kccomputech[.]in/babukh1513273
• upi://pay?pa=Q573631163@ybl&pn=PhonePeMerchant&mc=0000&mode=02&purpose=00
• hxxps[:]//20.217.81[.]20
• bitcoin:12wXzmwak8LJ88e1ejupY3brfQi43xdDhb
• hxxps[:]//csdh.wangzhan[.]mobi
• wxp[:]//f2f04lGLqnDoxxeZnftA79yXXU-BeXrgkdYL
• solulu[.]vip
• metamask[:]//connect?channelId=d92099ec-28e3-4eed-97e8-3c40c656f555&v=2&comm=socket&pubkey=021f24e23edc0cbb73440dc2ac94b5a458371cc7c9ce8551b1b68db2196443c2ba&t=q&originatorInfo=eyJ1cmwiOiJodHRwOi8vc29sdWx1LnZpcCIsInRpdGxlIjoid2FnbWkiLCJpY29uIjoiaHR0cDovL3NvbHVsdS52aXAvbG9nby5wbmciLCJzY2hlbWUiOiIiLCJhcGlWZXJzaW9uIjoiMC4zMy4xIiwiZGFwcElkIjoic29sdWx1LnZpcCIsImFub25JZCI6Ijk1ZDcyY2M3LTYwYWYtNGI5Yi1hZTJiLTk4YmE4MDcxZmQwZiIsInBsYXRmb3JtIjoid2ViLWRlc2t0b3AiLCJzb3VyY2UiOiJ3YWdtaSJ9

Examples of URLs and domains for Telegram account takeover:

• hxxps[:]//fable.tele-tale[.]cn
• tg[:]//login?token=AQJgx85oZgPcBRoIg76p-8BBy4nB4Wpel-PvZ8Og7t_–A
• Olb228hoki[.]live
• radenspinrtp[.]cloud
• bostonsportsthenandnow[.]com
• slotolb228[.]com
• tg[:]//login?token=AQI-jOVkNxCqKYy-wB6VFz-nE-eo-l-tFtgZ3VPshaKJ0A

Examples of URLs and domains for Signal account takeover:

• hxxp[:]//www.sgnl-web[.]org-status.nl/
• hxxps[:]//signal-qr[.]org/chatZGtqZmpic2l1NDkzdWpka25zamRucDJ1MDllamtmOThyNGltdmZkZw==/ty62i
• signal.skyriver[.]ch

Examples of phishing domains targeting Ukrainian Signal users:

• snitch.open-group[.]site
• gui.snitch-dev[.]site
• gui.dev-snitch[.]site
• gui.snitch-dev[.]xyz
• gui.dev-snitch[.]xyz
• gui.snitch-dev[.]online
• gui.dev-snitch[.]online
• gui.dev-snitch[.]site
• gui.dev-snitch[.]cloud
• snitch-dev[.]space
• gui-snitch[.]online
• gui-grafit[.]online
• kropyva-group[.]online

Examples of URLs for Line account takeover:

• hxxps[:]//link.members-ms[.]jp/view/clickCount?cst_id=000000000003690&msg_id=0000000000000000000000833677&deli_date=20251029&redirect_uri=hxxps%3A%2F%2Fliff.line.me%2F2007686667-M9geAqrB%3Fid%3D5%3FROUTE_KBN%3D12&msg_type=1&sec_msg=BtBnJY9kxxWnP%2BQt3ycGtVVhajc%3D&sec_date=zVK0EnCA1F8siaD0nf4Nsq1VRlc%3D&sec_uri=P85jU5m9ynEk1wr9ltPW%2Fh%2BJrxE%3D&sec_type=XWWoEGkCR%2BDRAsxfdW4dQHnr%2FbI%3D
• line[:]//app/2007686667-M9geAqrB?liff.state=%3Fid%3D5%253FROUTE_KBN%253D12%26cst_id%3D000000000003690%26msg_id%3D0000000000000000000000833677%26deli_date%3D20251029&liff.referrer=hxxps%3A%2F%2Fbing[.]com%2F&liff.source=lp_qr

Examples of URLs and domains for WhatsApp account takeover:

• hxxps[:]//kzeva2010[.]sbs/MZApUU1aJ3LSYi86IrAZ
• hxxps[:]//wa[.]me/settings/linked_devices#2@vxFKwMU92ToQ60n6gPIw/SLkNcoYVu1XKW+/zMiBEuslO63jfBCCZX/f1mOrkxrAqkp4DaSzq5MX7CcvOJqrNDSJQRLKgXP7K2A=,tZrifOdd4aLBy9nrncQVsa0WqVcYmJnFSs8nEpt3URs=,DfpvHVSe6SmZWxAgVdYXsYz2FsD7DQ3NgmGybCNMHHY=,Ipp5goLgYXXn+7Swuw+pGX77EFECRemAHS5gfOJE7G4=,1
• ​hxxps[:]//xlq.wpybta[.]icu
• hxxps[:]//wa[.]me/settings/linked_devices#2@8zRSshgXZVfdYcvUvycaOQJlQBcjUDomiqdxC8uQEowH5TQLr/P+1QbxvrXPV4tKg23mqzQeMpPRp3ofr4mePrur/YN4ztk6fWY=,FaknzsibNU+yi9cvuQKDgI3eBh+KEY2TQHqilwZ+KRs=,Rpz7L5S/72o1Ust4Y6CZ3tC7gf6yQvJdd80IFbZzdiw=,eZyTFPAbZWlFUXjGbrvBCM4ApoYT50kFXQb+/cTMzPw=,1
• wswwc[.]icu
• awawc[.]icu
• ve1edm[.]cc
• ve2edm[.]cc
• weppf[.]icu

Examples of URLs hosing APK files for gambling game

• hxxps[:]//gricanjolt[.]com?r=aHR0cHM6Ly9mOTk5OS5hcHA=1
• hxxps[:]//pyreneesakbash[.]com/m-nagapoker/android[.]html
• hxxps[:]//resourcepro.tycheint[.]com/yicai[.]apk
• hxxps[:]//90999.fdjk34sddsf90999[.]cc/xincai[.]apk
• hxxps[:]//gld45a.cqxqlsz[.]com/fusion2023/android/app-u7cp-release[.]apk
• hxxps[:]//azojwdsj.xinchaoshan[.]com/fusion2023/android/app-u7cp-release[.]apk
• hxxp[:]//www.ludashi[.]com/cms/android/special/download[.]html hxxp[:]//t.k12[.]com[.]cn/k12sns[.]apk

Additional Resources

THOUSAND OAKS, Calif., Feb. 13, 2026 /PRNewswire/ — Amgen (NASDAQ:AMGN) will present at Citi’s 2026 Virtual Oncology Leadership Summit at 12:15 p.m. PT on Wednesday, Feb. 18, 2026. Jean-Charles Soria, senior vice president of oncology within global development at Amgen, will present at the conference. The webcast will be broadcast over the internet simultaneously and will be available to members of the news media, investors and the general public. 

The webcast, as with other selected presentations regarding developments in Amgen‘s business given by management at certain investor and medical conferences, can be found on Amgen‘s website, www.amgen.com, under Investors. Information regarding presentation times, webcast availability and webcast links are noted on Amgen‘s Investor Relations Events Calendar. The webcast will be archived and available for replay for at least 90 days after the event. 

About Amgen
Amgen discovers, develops, manufactures and delivers innovative medicines to fight some of the world’s toughest diseases. Harnessing the best of biology and technology, Amgen reaches millions of patients with its medicines. 

More than 45 years ago, Amgen helped establish the biotechnology industry at its U.S. headquarters in Thousand Oaks, California, and it remains at the cutting edge of innovation, using technology and human genetic data to push beyond what is known today. Amgen is advancing a broad and deep pipeline and portfolio of medicines to treat cancer, heart disease, inflammatory conditions, rare diseases and obesity and obesity-related conditions.

Amgen has been consistently recognized for innovation and workplace culture, including honors from Fast Company and Forbes. Amgen is one of the 30 companies that comprise the Dow Jones Industrial Average^®, and it is also part of the Nasdaq-100 Index^®, which includes the largest and most innovative non-financial companies listed on the Nasdaq Stock Market based on market capitalization.

For more information, visit Amgen.com and follow Amgen on X, LinkedIn, Instagram, YouTube, Facebook, TikTok and Threads. 

CONTACT: Amgen, Thousand Oaks  Elissa Snook, 609-251-1407 (media) Casey Capparelli, 805-447-1746 (investors)

 

View original content to download multimedia:https://www.prnewswire.com/news-releases/amgen-to-present-at-citis-2026-virtual-oncology-leadership-summit-302687989.html

SOURCE Amgen

​​​Macro update

​Wall Street selloff deepens on AI fears

United States (US) indices fell sharply, with the Dow Jones down 1.34%, the S&P 500 losing 1.57% and the Nasdaq 100 sliding 2.04% as investors accelerated their rotation out of technology and other risk-sensitive sectors.

​Cisco triggers a fresh tech rout

Cisco plunged 12.3% after missing on adjusted gross margin, its worst one-day drop since 2022, weighing on mega caps including Apple, NVIDIA, Broadcom and Amazon and reigniting concerns over the returns on heavy AI-driven spending.

​Transport and PC stocks hit by disruption worries

The Dow transports index slid 4% on fears around artificial intelligence (AI)-led automation, while HP and Dell fell after Lenovo warned of shipment pressure linked to memory-chip shortages.

​Defensive rotation and bond rally

Investors shifted into utilities, consumer staples and real estate, while US Treasury yields dropped sharply, with the 10-year yield down 7bp as strong demand at a 30-year auction supported bonds.

​Asia pulls back from record levels

MSCI’s Asia-Pacific index fell 1.1%, Japan’s Nikkei 225 dropped 1.3% and Hong Kong’s Hang Seng slid 2.1%, tracking Wall Street’s tech-led declines, while US futures edged lower ahead of the European open.

​Attention turns to US inflation data

Weekly jobless claims fell by less than expected and markets now await January consumer price index (CPI), with core prices forecast to rise 0.3% month-on-month (MoM) and annual core inflation seen easing to 2.5%, as traders price around 60bp of Federal Reserve (Fed) cuts this year.

​S&P 500 once again under pressure

​The recent S&P 500 rally ran out of steam marginally below its 7002 late January record high and rapidly slid back towards support at the early January 6824 low.

​A fall through this level seems to be on the cards now with the November to February support line and 20 January-to-early February lows at 6807 – 6780 being on the cards.

​Were this support zone to give way, the December trough at 6720 would be in sight.

​Resistance may now be spotted around the 29 January low at 6871.

• ​Short-term outlook: Bearish while below the late December peak at 6946.
• ​Medium-term outlook: Neutral with a bullish stance while above the 6721 mid-December low.

S&P 500 daily candlestick chart

Chambers Global 2026 has recognized Goodwin lawyers and practices for excellence in geographies around the world. Goodwin received 43 lawyer rankings and 38 practice rankings—both firm records—in this year’s edition of the guide.

Clients noted that the Goodwin team is “innovative, well informed, entrepreneurial and knowledgeable” and is an “excellent resource across legal areas, extremely responsive and extremely well connected to the market.” 

Chambers Global recognized the following Goodwin practices as leaders in the international market: 

Asia-Pacific Region

China

France

Germany

Global

India

Israel

United Kingdom

United States

Goodwin lawyers were also ranked as leading lawyers in their fields, including:

Belgium

China

• Daniel Dusek: Corporate/M&A: Hong Kong-based (International Firms) / Private Equity: Buyouts & Venture Capital Investment (International Firms)
• Yash Rana: Corporate/M&A (International Firms) / Private Equity: Buyouts & Venture Capital Investment (International Firms)
• Douglas Freeman: Private Equity: Buyouts & Venture Capital Investment (International Firms)
• Edwin Chan: Private Equity: Buyouts & Venture Capital Investment (International Firms)

France

Germany

India

Luxembourg

United Kingdom

United States