At 49, Branden Spikes isn’t just one of the oldest technologists who has been involved in Elon Musk’s Department of Government Efficiency (DOGE). As the current director of information technology at X/Twitter and an early hire at PayPal, Zip2, Tesla and SpaceX, Spikes is also among Musk’s most loyal employees. Here’s a closer look at this trusted Musk lieutenant, whose Russian ex-wife was once married to Elon’s cousin.

The profile of Branden Spikes on X.

When President Trump took office again in January, he put the world’s richest man — Elon Musk — in charge of the U.S. Digital Service, and renamed the organization as DOGE. The group is reportedly staffed by at least 50 technologists, many of whom have ties to Musk’s companies.

DOGE has been enabling the president’s ongoing mass layoffs and firings of federal workers, largely by seizing control over computer systems and government data for a multitude of federal agencies, including the Social Security Administration, the Department of Homeland Security, the Office of Personnel Management, and the Treasury Department.

It is difficult to find another person connected to DOGE who has stronger ties to Musk than Branden Spikes. A native of California, Spikes initially teamed up with Musk in 1997 as a lead systems engineer for the software company Zip2, the first major venture for Musk. In 1999, Spikes was hired as director of IT at PayPal, and in 2002 he became just the fourth person hired at SpaceX.

In 2012, Spikes launched Spikes Security, a software product that sought to create a compartmentalized or “sandboxed” web browser that could insulate the user from malware attacks. A review of spikes.com in the Wayback Machine shows that as far back as 1998, Musk could be seen joining Spikes for team matches in the online games Quake and Quake II. In 2016, Spikes Security was merged with another security suite called Aurionpro, with the combined company renamed Cyberinc.

A snapshot of spikes.com from 1998 shows Elon Musk’s profile in Spike’s clan for the games Quake and Quake II.

Spikes’s LinkedIn profile says he was appointed head of IT at X in February 2025. And although his name shows up on none of the lists of DOGE employees circulated by various media outlets, multiple sources told KrebsOnSecurity that Spikes was working with DOGE and operates within Musk’s inner circle of trust.

In a conversation with KrebsOnSecurity, Spikes said he is dedicated to his country and to saving it from what he sees as certain ruin.

“Myself, I was raised by a southern conservative family in California and I strongly believe in America and her future,” Spikes said. “This is why I volunteered for two months in DC recently to help DOGE save us from certain bankruptcy.”

Spikes told KrebsOnSecurity that he recently decided to head back home and focus on his job as director of IT at X.

“I loved it, but ultimately I did not want to leave my hometown and family back in California,” Spikes said of his tenure at DOGE. “After a couple of months it became clear that to continue helping I would need to move to DC and commit a lot more time, so I politely bowed out.”

Prior to founding Spikes Security, Branden Spikes was married to a native Russian woman named Natalia whom he’d met at a destination wedding in South America in 2003.

Branden and Natalia’s names are both on the registration records for the domain name orangetearoom[.]com. This domain, which DomainTools.com says was originally registered by Branden in 2009, is the home of a tax-exempt charity in Los Angeles called the California Russian Association.

Here is a photo from a 2011 event organized by the California Russian Association, showing Branden and Natalia at one of its “White Nights” charity fundraisers:

Branden and Natalia Spikes, on left, in 2011. The man on the far right is Ivan Y. Podvalov, a board member of the Kremlin-aligned Congress of Russian Americans (CRA). The man in the center is Feodor Yakimoff, director of operations at the Transib Global Sourcing Group, and chairman of the Russian Imperial Charity Balls, which works in concert with the Russian Heritage Foundation.

In 2011, the Spikes couple got divorced, and Natalia changed her last name to Haldeman. That is not her maiden name, which appears to be “Libina.” Rather, Natalia acquired the surname Haldeman in 1998, when she married Elon Musk’s cousin.

Reeve Haldeman is the son of Scott Haldeman, who is the brother of Elon Musk’s mother, Maye Musk. Divorce records show Reeve and Natalia officially terminated their marriage in 2007. Reeve Haldeman did not respond to a request for comment.

A review of other domain names connected to Natalia Haldeman’s email address show she has registered more than a dozen domains over the years that are tied to the California Russian Association, and an apparently related entity called the Russian Heritage Foundation, Inc.:

russianamericans.org
russianamericanstoday.com
russianamericanstoday.org
russiancalifornia.org
russianheritagefoundation.com
russianheritagefoundation.org
russianwhitenights.com
russianwhitenights.org
theforafoundation.org
thegoldentearoom.com
therussianheritagefoundation.org
tsarinahome.com

Ms. Haldeman did not respond to requests for comment. Her name and contact information appears in the registration records for these domains dating back to 2010, and a document published by ProPublica show that by 2016 Natalia Haldeman was appointed CEO of the California Russian Foundation.

The domain name that bears both Branden’s and Natalia’s names — orangeteamroom.com — features photos of Ms. Haldeman at fundraising events for the Russian foundation through 2014. Additional photos of her and many of the same people can be seen through 2023 at another domain she registered in 2010 — russianheritagefoundation.com.

A photo from Natalia Haldeman’s Facebook page shows her mother (left) pictured with Maye Musk, Elon Musk’s mother, in 2022.

The photo of Branden and Natalia above is from one such event in 2011 (tied to russianwhitenights.org, another Haldeman domain). The person on the right in that image — Ivan Y. Podvalov — appears in many fundraising event photos published by the foundation over the past decade. Podvalov is a board member of the Congress of Russian Americans (CRA), a nonprofit group that is known for vehemently opposing U.S. financial and legal sanctions against Russia.

Writing for The Insider in 2022, journalist Diana Fishman described how the CRA has engaged in outright political lobbying, noting that the organization in June 2014 sent a letter to President Obama and the secretary of the United Nations, calling for an end to the “large-scale US intervention in Ukraine and the campaign to isolate Russia.”

“The US military contingents must be withdrawn immediately from the Eastern European region, and NATO’s enlargement efforts and provocative actions against Russia must cease,” the message read.

The Insider said the CRA director sent another two letters, this time to President Donald Trump, in 2017 and 2018.

“One was a request not to sign a law expanding sanctions against Russia,” Fishman wrote. “The other regretted the expulsion of 60 Russian diplomats from the United States and urged not to jump to conclusions on Moscow’s involvement in the poisoning of Sergei Skripal.”

The nonprofit tracking website CauseIQ.com reports that The Russian Heritage Foundation, Inc. is now known as Constellation of Humanity.

The Russian Heritage Foundation and the California Russian Association both promote the interests of the Russian Orthodox Church. This page indexed by Archive.org from russiancalifornia.org shows The California Russian Foundation organized a community effort to establish an Orthodox church in Orange County, Calif.

A press release from the Russian Orthodox Church Outside of Russia (ROCOR) shows that in 2021 the Russian Heritage Foundation donated money to organize a conference for the Russian Orthodox Church in Serbia.

A review of the “Partners” listed on the Spikes’ jointly registered domain — orangetearoom.com — shows the organization worked with a marketing company called Russian American Media. Reporting by KrebsOnSecurity last year showed that Russian American Media also partners with the problematic people-search service Radaris, which was formed by two native Russian brothers in Massachusetts who have built a fleet of consumer data brokers and Russian affiliate programs.

When asked about his ex-wife’s history, Spikes said she has a good heart and bears no ill-will toward anyone.

“I attended several of Natalia’s social events over the years we were together and can assure you that she’s got the best intentions with those,” Spikes told KrebsOnSecurity. “There’s no funny business going on. It is just a way for those friendly immigrants to find resources amongst each other to help get settled in and chase the American dream. I mean, they’re not unlike the immigrants from other countries who come to America and try to find each other and help each other find others who speak the language and share in the building of their businesses here in America.”

Spikes said his own family roots go back deeply into American history, sharing that his 6th great grandfather was Alexander Hamilton on his mom’s side, and Jessie James on his dad’s side.

“My family roots are about as American as you can get,” he said. “I’ve also been entrusted with building and safeguarding Elon’s companies since 1999 and have a keen eye (as you do) for bad actors, so have enough perspective to tell you that Natalia has no bad blood and that she loves America.”

Of course, this perspective comes from someone who has the utmost regard for the interests of the “special government employee” Mr. Musk, who has been bragging about tossing entire federal agencies into the “wood chipper,” and who recently wielded an actual chainsaw on stage while referring to it as the “chainsaw for bureaucracy.”

“Elon’s intentions are good and you can trust him,” Spikes assured.

A special note of thanks for research assistance goes to Jacqueline Sweet, an independent investigative journalist whose work has been published in The Guardian, Rolling Stone, POLITICO and The Intercept.

New module content (3)

Get NAA Credentials

Metasploit Wrap-Up 03/06/2025

Authors: skelsec, smashery, and xpn
Type: Auxiliary
Pull request: #19712 contributed by smashery
Path: admin/sccm/get_naa_credentials

Description: Adds an auxiliary module which performs the retrieval of Network Access Account (NAA) credentials from an System Center Configuration Manager (SCCM) server. Given a computer name and password (which can typically be created by a standard AD domain user), a misconfigured SCCM server will give NAA credentials when requested.

SonicWall HTTP Login Scanner

Author: msutovsky-r7
Type: Auxiliary
Pull request: #19935 contributed by msutovsky-r7
Path: scanner/sonicwall/login_scanner

Description: This adds a module to brute-force the login credentials for SonicWall NSv HTTP Login.

D-Tale RCE

Authors: Takahiro Yokoyama and taiphung217
Type: Exploit
Pull request: #19899 contributed by Takahiro-Yoko
Path: linux/http/dtale_rce_cve_2025_0655
AttackerKB reference: CVE-2025-0655

Description: This module exploits a bypass (CVE-2025-0655) for an older vulnerability (CVE-2024-3408), leading to remote code execution (RCE) in D-Tale, a visualizer for pandas data structures.

Enhancements and features (7)

  • #19639 from zeroSteiner - Adds support for check method in relay modules and updates the two relay modules present in Metasploit Framework. In the case of smb_relay, this checks if the target has SMB signing disabled. In the case of ESC8, it checks that the target URI responds with a 401 and offers NTLM as an authentication mechanism.
  • #19682 from h00die - Adds additional tests for Linux post functionality along with additional comments for better understanding; adds new library for work with Linux packages.
  • #19879 from zeroSteiner - This updates the existing MsDtypSecurityDescriptor class to include a #to_sddl_text method. This allows an initialized object to be displayed using the Security Descriptor Definition Language defined by Microsoft.
    • #19917 from zeroSteiner - This adds crypto primitives for AES key derivation (NIST SP 800 108) and AES key unwrapping (NIST SP 800 38f) replacing RubySMB's implementation which does not support all of the parameters.
    • #19918 from msutovsky-r7 - Extracts a reusable Rex::Proto::Http::AuthDigest library for use within modules.
    • #19927 from bcoles - This improves the support of several Linux distros on the library function get_sysinfo in Msf::Post:Linux::System.
    • #19933 from zeroSteiner - Updates the auxiliary/scanner/ldap/ldap_login module with a new CreateSession option which controls the opening of an interactive LDAP session. This functionality was previously behind a feature flag, but is now enabled by default.
    • #19946 from zeroSteiner - Adds a warning to help users that are performing relay attacks. It notes that the attack won't work when relaying SMB to SMB on the same host if the MS08-068 patch has been applied.

Bugs fixed (5)

  • #19745 from smashery - This adds an escape_args method to all command shells that finds the appropriate OS escaping routines for an SSH server.
  • #19902 from zeroSteiner - This fixes the byte to int and vice versa conversion in MsAdts.
  • #19919 from jheysel-r7 - This fixes an issue in the gather/ldap_esc_vulnerable_cert_finder that would come up when checking templates for ESC13 that had missing issuance policy OIDs.
  • #19922 from cgranleese-r7 - Fixes a crash when searching by target, i.e search targets:python.
  • #19925 from zeroSteiner - Fixes a bug that caused a module's validation logic to not always be executed.

Documentation added (2)

  • #19895 from cgranleese-r7 - Updates multiple out of date reference links within modules.
  • #19920 from jheysel-r7 - This adds documentation for creating AD CS certificate templates that are vulnerable to ESC4, ESC13, and ESC15 for testing purposes.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

The National Health Service (NHS) has long been plagued by cybersecurity controversies, with one of the most notable incidents being the 2017 WannaCry ransomware attack that crippled its IT infrastructure.

Fast forward to 2020, as the COVID-19 pandemic swept across the globe, the NHS rapidly transitioned its IT operations from desktops to laptops to accommodate a growing remote workforce or the much discussed work from home culture.

However, this shift, intended to protect staff while ensuring operational continuity, hasn’t been without its challenges—especially as the organization grapples with a new set of concerns surrounding data privacy, security, and technology upgrades.

In particular, the NHS is now caught in a dilemma regarding the transition to Windows 11. Microsoft has announced that, starting in October 2025, it will no longer send security updates to devices running Windows 10, leaving these systems vulnerable to cyberattacks. While the solution might seem straightforward—upgrade to Windows 11—the reality is far more complicated for the NHS.

Many of the laptops used within the organization, purchased under a five-year contract with Microsoft, lack the necessary hardware to support Windows 11. This presents a significant challenge, as the only options available are to either extend the warranty on Windows 10 devices or replace them with new equipment—both of which would require additional funding, a concern given the already strained NHS IT budget.

Adding to the urgency of the situation is the ongoing issue of legacy IT systems, which have long been a headache for the NHS. A 2022 report from the British Medical Association highlighted that over 13.5 million hours of doctors’ time are lost each year due to malfunctioning or outdated technology.

As the NHS looks toward the end of this year, it faces a critical juncture. On one hand, it must secure its systems against increasing cybersecurity threats, and on the other, it must address the technological shortcomings that hinder its operations. Balancing these priorities will require swift action and significant investment if the NHS is to protect its staff, patients, and vital services in the years ahead.

The post NHS Faces Cybersecurity Challenges Amid Windows 11 Upgrade Dilemma appeared first on Cybersecurity Insiders.

Palo Alto, Singapore, March 6th, 2025, CyberNewsWire

With recent attack disclosures like Browser Syncjacking and extension infostealers, browser extensions have become a primary security concern at many organizations. SquareX’s research team discovers a new class of malicious extensions that can impersonate any extension installed on the victim’s browser, including password managers and crypto wallets. These malicious extensions can morph themselves to have the exact same user interface, icons and text as the legitimate extension, making it an extremely convincing case for victims to enter their credentials and other sensitive information. This attack impacts most major browsers, including Chrome and Edge.

Polymorphic extensions work by exploiting the fact that most users interact with extensions via the pinned in the browser toolbar. The attack begins with the user installing the malicious extension, which disguises itself, for example, as an unassuming AI tool. To make the attack even more convincing, the extension performs the AI functionality as advertised and remains benign for a predetermined period of time. 

However, while all this is happening, the malicious extension starts figuring out what other extensions are installed in the victim’s browser. Once identified, the polymorphic extension completely changes its own appearance to look like the target, including the icon shown on the pinned toolbar. It can even disable the target extension temporarily, removing it from the pinned bar. Given that most users use these icons as a visual confirmation to inform which extension they are interacting with, changing the icon itself is likely sufficient to convince the average user that they are clicking on the legitimate extension. Even if the victim navigates to the extension dashboard, there is no obvious way to correlate the tools displayed there to the pinned icons. To avoid suspicion, the malicious extension can even temporarily disable the target extension such that they are the only ones with the target’s icon on the pinned tab. 

Critically, the polymorphic extension can impersonate any browser extension. For example, it can mimic popular password managers to trick victims into entering their master password. This password can then be used by the attacker to log on to the real password manager and access all credentials stored in the password vault. Similarly, the polymorphic extension can also mimic popular crypto wallets, allowing them to use the stolen credentials to authorize transactions to send cryptocurrency to the attacker. Other potential targets include developer tools and banking extensions that may provide the attacker unauthorized access to apps where sensitive data or financial assets are stored.

Furthermore, the attack only requires medium-risk permissions based on Chrome Store’s classification. Ironically, many of these permissions are used by password managers themselves, as well as other popular tools like ad blockers and page stylers, making it especially difficult for Chrome Store and security teams to identify malicious intent just by looking at the extension’s code.

The founder of SquareX, Vivek Ramachandran cautions that “Browser extensions present a major risk to enterprises and users today. Unfortunately, most organizations have no way of auditing their current extension footprint and to check whether they are malicious. This further underscores the need for a browser native security solution like Browser Detection and Response, similar to what an EDR is to the operating system.”

These polymorphic extensions exploit existing features within Chrome to conduct the attack. As such, there is no software bug involved, and it cannot be patched. SquareX has written to Chrome for responsible disclosure, recommending banning or implementation of user alerts for any extension icon changes or abrupt changes in HTML, as these techniques can easily be leveraged by attackers to impersonate other extensions in a polymorphic attack. For enterprises, static extension analysis and permissions-based policies are no longer sufficient – it is critical to have a browser-native security tool that can dynamically analyze extension behaviour at runtime, including polymorphic tendencies of malicious extensions. 

For more information about polymorphic extensions, additional findings from this research are available at https://sqrx.com/polymorphic-extensions.

About SquareX

SquareX helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real time, including defending against malicious extensions. In addition to the polymorphic attack, SquareX was also the first to discover and disclose multiple extension-based attacks, including Browser Syncjacking, the Chrome Store consent phishing attack leading to Cyberhaven’s breach and numerous other MV3-compliant malicious extensions revealed at DEF CON 32.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions. 

Contact

Head of PR
Junice Liew
SquareX
junice@sqrx.com

The post SquareX Unveils Polymorphic Extensions that Morph Infostealers into Any Browser Extension – Password Managers, Wallets at Risk appeared first on Cybersecurity Insiders.

Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution. "Prototype pollution in Kibana leads to
Uncategorized
The financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers and ransomware, while also working on a new product called EncryptRAT. "EncryptHub has been observed targeting users of popular applications, by distributing trojanized versions," Outpost24 KrakenLabs said in a new report shared with The
Uncategorized
The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024. In the first two months of 2025 alone, the group has claimed over 40 attacks, according to data from the Symantec Threat Hunter Team said in a report shared with The Hacker News. The
Uncategorized