Skip to content
Latest
Ghost Phishing Shows Why Email Security Must Follow the BrowserPakistani Police Intrusions Show Why Public-Sector Data Systems Are Strategic TargetsBad Epoll Shows Linux Kernel LPEs Belong in the Patch Priority QueueFake Payment SDKs Show Why Dependency Risk Is Credential RiskCritical UniFi Flaws Put Network Control Planes Back in the Patch QueueVidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak ControlsADFS Signing Keys Show Why Federation Servers Are Tier-Zero Identity InfrastructureUAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay InfrastructureFortiBleed Shows Firewall Credentials Are Ransomware FuelNetNut and Popa Takedown Shows Residential Proxies Are Now Attack InfrastructureVect and TeamPCP Show Supply-Chain Credentials Are Ransomware FuelOusaban Shows Banking Trojans Are Learning to Hide From SandboxesNUT upsmon Command Injection Shows UPS Monitoring Belongs in the Patch QueueARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane

Category Archive

Malware

103 reports · All intelligence

Malware family breakdowns and reversing notes, mapped to the behavior defenders can actually detect and block.

Cyber Security Blog
Fake Payment SDKs Show Why Dependency Risk Is Credential Risk
Cyber Security Blog·

Fake Payment SDKs Show Why Dependency Risk Is Credential Risk

Socket uncovered malicious npm and PyPI packages impersonating Paysafe, Skrill, and Neteller SDKs. Here is what SMBs and government contractors should do now to protect CI secrets, developer machines, and payment integrations.

Cyber Security Blog
Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls
Cyber Security Blog·

Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls

Unit 42 reported a Vidar stealer and XMRig campaign using malvertising, fake cracked-software lures, misleading certificate metadata, oversized binaries, and commodity loader infrastructure. Here is what SMBs and government contractors should take away.

Chinese Cyber Threat Intelligence
UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure
Chinese Cyber Threat Intelligence·

UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure

Cisco Talos reports UAT-7810 is expanding ORB relay infrastructure using compromised edge and embedded devices. Here is what SMBs and government contractors should do now.

Cyber Security Blog
FortiBleed Shows Firewall Credentials Are Ransomware Fuel
Cyber Security Blog·

FortiBleed Shows Firewall Credentials Are Ransomware Fuel

SOCRadar linked the FortiBleed FortiGate credential-harvesting campaign to INC and Lynx ransomware operations. Here is what SMBs and government contractors should do next.

Cyber Security Blog
NetNut and Popa Takedown Shows Residential Proxies Are Now Attack Infrastructure
Cyber Security Blog·

NetNut and Popa Takedown Shows Residential Proxies Are Now Attack Infrastructure

The FBI and industry partners disrupted NetNut and the Popa botnet. Here is why residential proxy abuse matters for SMBs, government contractors, and defenders.

Cyber Security Blog
Vect and TeamPCP Show Supply-Chain Credentials Are Ransomware Fuel
Cyber Security Blog·

Vect and TeamPCP Show Supply-Chain Credentials Are Ransomware Fuel

Sophos CTU reports that Vect and TeamPCP have linked ransomware deployment with supply-chain credential theft. Here is what SMBs and government contractors should harden now.

Cyber Security Blog
Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes
Cyber Security Blog·

Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes

Ousaban’s Spain and Portugal campaign shows how banking trojans use geofencing, phishing PDFs, steganography, and daily-changing C2 to evade sandbox-heavy defenses.

Cyber Security Blog
SimpleHelp Exploitation Shows RMM Is a Credential Control Plane
Cyber Security Blog·

SimpleHelp Exploitation Shows RMM Is a Credential Control Plane

Active exploitation of SimpleHelp CVE-2026-48558 shows why RMM platforms must be treated as privileged credential control planes, not routine support tools.

Cyber Security Blog
Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access
Cyber Security Blog·

Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access

A DFIR Report case study shows how a fake ManageEngine OpManager download led from BumbleBee and AdaptixC2 to Akira ransomware. The defensive lesson: admin software downloads need control, verification, and monitoring.

Cyber Security Blog
Shai Hulud Shows CI/CD Identity Is Production Cloud Identity
Cyber Security Blog·

Shai Hulud Shows CI/CD Identity Is Production Cloud Identity

Fortinet’s Shai Hulud case study shows how poisoned CI/CD dependencies can become cloud identity compromise, IAM escalation, and Redshift data theft. Here is what SMBs and government contractors should harden now.

Cyber Security Blog
Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths
Cyber Security Blog·

Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths

Microsoft’s hospitality photo-ZIP campaign shows why front desk, booking, and customer intake workflows need executable-content controls, redirect-chain inspection, and endpoint hunting for unusual Node.js persistence.

Cyber Security Blog
StrikeShark Shows Loader Malware Is an Edge-Exposure Problem
Cyber Security Blog·

StrikeShark Shows Loader Malware Is an Edge-Exposure Problem

Kaspersky’s StrikeShark research shows how opportunistic exploitation of exposed servers can become a multi-stage SharkLoader and Cobalt Strike intrusion. Here is what SMBs and government contractors should review now.

Cyber Security Blog
MuddyWater’s Chaos Masquerade Shows Ransomware Response Needs Attribution Discipline
Cyber Security Blog·

MuddyWater’s Chaos Masquerade Shows Ransomware Response Needs Attribution Discipline

Iran-linked MuddyWater activity shows why ransomware response needs to examine identity compromise, remote access, and adversary objectives instead of trusting the ransom note at face value.

Cyber Security Blog
SocGholish Takedown Shows Website Trust Is Malware Infrastructure
Cyber Security Blog·

SocGholish Takedown Shows Website Trust Is Malware Infrastructure

Operation Endgame disrupted SocGholish infrastructure, but the defensive lesson is bigger: compromised trusted websites are malware delivery infrastructure.

AI (General)
Mastra npm Compromise Shows AI Frameworks Are Supply-Chain Targets
AI (General)·

Mastra npm Compromise Shows AI Frameworks Are Supply-Chain Targets

Microsoft linked the Mastra AI npm package compromise to North Korean actor Sapphire Sleet. Here is what SMBs and government contractors should do about AI framework supply-chain risk.

Chinese Cyber Threat Intelligence
Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring
Chinese Cyber Threat Intelligence·

Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring

Showboat is a China-linked Linux post-exploitation framework aimed at telecom providers. The lesson for defenders: treat Linux server persistence, dynamic linker abuse, and low-noise C2 as first-class monitoring priorities.

Cyber Security Blog
SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk
Cyber Security Blog·

SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk

Zscaler ThreatLabz reported that SmartApeSG injected malicious JavaScript into the Okendo Reviews widget, creating downstream exposure across e-commerce sites. Here is what SMBs and government contractors should do about third-party browser code risk.

Cyber Security Blog
Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity
Cyber Security Blog·

Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity

Microsoft research on a Tor-routed crypto clipper shows why defenders should connect USB shortcut execution, script interpreters, localhost proxy activity, and clipboard theft into one investigation path.

AI (General)
Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries
AI (General)·

Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries

Zscaler ThreatLabz says the Shai-Hulud campaign has expanded across package ecosystems and introduced prompt-injection tactics aimed at automated AI security triage. The defense lesson is simple: treat package content as hostile input, even when an LLM is doing the review.

Cyber Security Blog
IMA Diligence Breach Shows Legacy Servers Are Still Third-Party Risk
Cyber Security Blog·

IMA Diligence Breach Shows Legacy Servers Are Still Third-Party Risk

A reported IMA Diligence breach affecting more than 525,000 people shows why legacy third-party servers need ownership, monitoring, decommissioning, and data-risk review.

Cyber Security Blog
C0XMO Shows IoT Botnets Are Still an Edge Exposure Problem
Cyber Security Blog·

C0XMO Shows IoT Botnets Are Still an Edge Exposure Problem

Fortinet researchers detailed C0XMO, a Gafgyt variant spreading through DD-WRT and other exposed devices. Here is what SMBs and government contractors should lock down before compromised routers become DDoS infrastructure.

Chinese Cyber Threat Intelligence
TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure
Chinese Cyber Threat Intelligence·

TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure

Proofpoint’s TA4922 reporting shows how localized HR, payroll, tax, and invoice lures can become full initial-access infrastructure through DLL sideloading, loaders, RATs, RMM tools, and browser credential theft.

Cyber Security Blog
Red Hat’s Miasma npm Compromise Shows Trusted Publishing Is Not a Control Boundary
Cyber Security Blog·

Red Hat’s Miasma npm Compromise Shows Trusted Publishing Is Not a Control Boundary

A Red Hat Cloud Services npm compromise shows why signed releases and trusted publishing must be paired with install-time controls, CI/CD isolation, and fast credential rotation.

AI (General)
AI-Assisted Ransomware Tooling Shows EDR Evasion Is Now an Iteration Problem
AI (General)·

AI-Assisted Ransomware Tooling Shows EDR Evasion Is Now an Iteration Problem

Sophos observed ransomware-linked operators using AI-assisted development workflows to accelerate EDR evasion testing and Active Directory discovery. The defensive lesson: validate controls, harden identity, and monitor behavior before attackers iterate around your tooling.

Cyber Security Blog
FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware
Cyber Security Blog·

FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware

Unit 42’s FlutterBridge research shows macOS malvertising evolving from adware into FlutterShell backdoor delivery. Here is what SMBs and government contractors should tighten first.

Chinese Cyber Threat Intelligence
Mustang Panda’s Fake Browser Updater Shows Why LNK Files Still Matter
Chinese Cyber Threat Intelligence·

Mustang Panda’s Fake Browser Updater Shows Why LNK Files Still Matter

Mustang Panda’s fake browser updater chain shows why defenders still need to hunt LNK-to-PowerShell execution, DLL sideloading, user-context persistence, and suspicious HTTPS beaconing.

Cyber Security Blog
FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System
Cyber Security Blog·

FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System

Attackers are abusing CVE-2026-35616 in FortiClient EMS to push a credential stealer through trusted endpoint management workflows. Here is what defenders should check first.

Cyber Security Blog
SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise
Cyber Security Blog·

SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise

SolyxImmortal combines persistence, browser credential theft, document collection, screenshots, keylogging, and webhook exfiltration. Here is what SMB and government-contractor defenders should do about it.

Chinese Cyber Threat Intelligence
Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting
Chinese Cyber Threat Intelligence·

Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting

Lumen and PwC reporting on Showboat, Red Lamassu, and JFMBackdoor shows how China-linked telecom intrusions combine Linux footholds, proxying, and Windows backdoors. Here is what SMBs and government contractors should harden now.

Cyber Security Blog
SideCopy’s XenoRAT Campaign Shows Why Localized Lures Beat Generic Phishing Defenses
Cyber Security Blog·

SideCopy’s XenoRAT Campaign Shows Why Localized Lures Beat Generic Phishing Defenses

SideCopy/APT36 targeted Afghanistan finance officials with Pashto-language lures and XenoRAT. Here is what SMBs and government contractors should take from the campaign.

Cyber Security Blog
Dependency Confusion Campaign Shows Reconnaissance Is the First Supply-Chain Payload
Cyber Security Blog·

Dependency Confusion Campaign Shows Reconnaissance Is the First Supply-Chain Payload

Microsoft found 33 malicious npm packages abusing dependency confusion to profile developer and build environments. The defender lesson: treat package installation as code execution and lock down internal namespace hygiene before attackers do reconnaissance at scale.

AI (General)
Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access
AI (General)·

Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access

Microsoft reported a cryptojacking campaign that uses poisoned search results, AI-surfaced software recommendations, fake utility downloads, and abused ScreenConnect access. Here is what SMBs and government contractors should defend first.

Cyber Security Blog
Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield
Cyber Security Blog·

Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield

The Megalodon GitHub campaign shows why CI/CD pipelines must be treated like production infrastructure: malicious workflow commits can harvest cloud credentials, OIDC tokens, SSH keys, and package secrets at scale.

Cyber Security Blog
Laravel-Lang Compromise Shows Dependency Tags Can Be Weaponized
Cyber Security Blog·

Laravel-Lang Compromise Shows Dependency Tags Can Be Weaponized

A Laravel-Lang package compromise shows why trusted dependency tags, Composer autoload behavior, and runtime secrets need security monitoring—not just engineering review.

Cyber Security Blog
Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven
Cyber Security Blog·

Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven

The South Staffordshire Water breach shows why outsourced SOC coverage, legacy server risk, and vulnerability management must be proven—not assumed—for SMBs, utilities, and government contractors.

Cyber Security Blog
Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk
Cyber Security Blog·

Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk

Trend Micro reports North Korea-aligned Void Dokkaebi has moved InvisibleFerret into Cython-compiled Python extension modules. For SMBs and government contractors, the real risk is developer endpoint access to CI/CD, cloud, and production secrets.

Cyber Security Blog
Nimbus Manticore Shows Iranian APTs Are Moving Faster With AI-Assisted Tooling
Cyber Security Blog·

Nimbus Manticore Shows Iranian APTs Are Moving Faster With AI-Assisted Tooling

Check Point Research reports that IRGC-affiliated Nimbus Manticore resurfaced with fake Zoom and SQL Developer lures, SEO poisoning, AppDomain hijacking, and a new MiniFast backdoor. Here is what SMBs and government contractors should tighten first.

Cyber Security Blog
Kimwolf Arrest Shows DDoS Risk Starts on Forgotten IoT
Cyber Security Blog·

Kimwolf Arrest Shows DDoS Risk Starts on Forgotten IoT

The alleged Kimwolf botmaster arrest is a useful reminder for SMBs and government contractors: DDoS resilience starts with asset visibility, upstream protection, and hardening forgotten IoT and edge devices.

Cyber Security Blog
TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default
Cyber Security Blog·

TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default

TamperedChef-style malware hides inside convincing signed productivity apps. Here is what SMBs and government contractors should do about it.

Cyber Security Blog
Mini Shai-Hulud Shows CI/CD Secrets Are the Real npm Supply-Chain Prize
Cyber Security Blog·

Mini Shai-Hulud Shows CI/CD Secrets Are the Real npm Supply-Chain Prize

Mini Shai-Hulud’s @antv npm compromise shows why dependency malware should be treated as a CI/CD credential-theft threat, not just a package hygiene problem.

Cyber Security Blog
P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure
Cyber Security Blog·

P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure

Fortinet observed P2Pinfect infections inside GKE clusters where exposed Redis instances became long-lived botnet footholds. For SMBs and government contractors, the lesson is clear: cloud misconfiguration, runtime visibility, and egress monitoring matter as much as patching.

Cyber Security Blog
Fox Tempest Shows Code Signing Trust Can Be Weaponized
Cyber Security Blog·

Fox Tempest Shows Code Signing Trust Can Be Weaponized

Microsoft disrupted Fox Tempest, a malware-signing-as-a-service operation that helped ransomware crews make malicious binaries look trusted. Here is what SMBs and government contractors should review now.

Cyber Security Blog
node-ipc Backdoor Shows Why CI Secrets Need Supply Chain Controls
Cyber Security Blog·

node-ipc Backdoor Shows Why CI Secrets Need Supply Chain Controls

Malicious node-ipc npm releases turned a package update into a credential-exposure event. Here is what SMBs and government contractors should check first.

Cyber Security Blog
PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight
Cyber Security Blog·

PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight

FortiGuard Labs reports PureLogs is being delivered through PawsRunner steganography. Here is what SMBs and government contractors should watch for defensively.

Cyber Security Blog
Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets
Cyber Security Blog·

Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets

Unit 42 reports Gremlin Stealer has evolved with resource-file obfuscation, session hijacking, Discord token theft, and crypto clipboard fraud. Here is what SMBs and government contractors should do defensively.

Cyber Security Blog
Kazuar Shows Russian Espionage Malware Is Engineering for Resilience
Cyber Security Blog·

Kazuar Shows Russian Espionage Malware Is Engineering for Resilience

Microsoft reports that Kazuar, attributed to Russian state actor Secret Blizzard, has evolved into a modular P2P botnet. Here is what SMBs and government contractors should take from it defensively.

Cyber Security Blog
The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem
Cyber Security Blog·

The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem

Check Point’s look inside The Gentlemen ransomware operation is a useful reminder for SMBs and government contractors: exposed edge appliances, weak identity controls, and unmanaged remote access paths still drive real ransomware risk.

Cyber Security Blog
JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification
Cyber Security Blog·

JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification

Attackers swapped selected JDownloader website download links with malicious installers. Here is what SMB and government-contractor defenders should do about trusted-download risk.

AI (General)
Fake OpenAI Hugging Face Repo Shows AI Supply Chain Risk Is Already Here
AI (General)·

Fake OpenAI Hugging Face Repo Shows AI Supply Chain Risk Is Already Here

A fake OpenAI Privacy Filter repository on Hugging Face delivered Windows infostealer malware. Here is what SMB and gov-contractor defenders should take from it.

Cyber Security Blog
PCPJack Shows Cloud Malware Is Moving From Cryptomining to Credential Theft
Cyber Security Blog·

PCPJack Shows Cloud Malware Is Moving From Cryptomining to Credential Theft

SentinelLabs reported PCPJack, a cloud-focused worm that evicts TeamPCP artifacts, steals credentials from exposed infrastructure, and spreads across cloud systems.

Malware
CrystalX RAT: New Malware-as-a-Service Combines Spyware, Stealer, and Prankware Capabilities
Malware·

CrystalX RAT: New Malware-as-a-Service Combines Spyware, Stealer, and Prankware Capabilities

Kaspersky researchers have uncovered CrystalX RAT, a sophisticated new malware-as-a-service (MaaS) platform that combines remote access trojan capabilities with data theft, keylogging, and uniquely disturbing prankware features designed to psychologically torment victims. From We

AI (General)
LiteLLM Supply Chain Attack: TeamPCP Deploys Multi-Stage Credential Stealer to 95M Monthly Downloads
AI (General)·

LiteLLM Supply Chain Attack: TeamPCP Deploys Multi-Stage Credential Stealer to 95M Monthly Downloads

A sophisticated supply chain attack has compromised LiteLLM, the widely-used Python library for interfacing with large language models, delivering multi-stage credential-stealing malware to systems downloading over 95 million packages per month. The attack, attributed to TeamPCP—

Malware
Axios npm Supply Chain Attack Deploys Cross-Platform RAT to 83 Million Weekly Users
Malware·

Axios npm Supply Chain Attack Deploys Cross-Platform RAT to 83 Million Weekly Users

On March 31, 2026, the cybersecurity landscape was shaken by a significant supply chain attack targeting Axios, one of the most widely used HTTP client libraries in the JavaScript ecosystem with over 83 million weekly downloads. Attackers compromised a maintainer account to injec

AI (General)
DeepLoad Malware: AI-Generated Evasion Meets ClickFix Delivery in Enterprise Credential Theft Campaign
AI (General)·

DeepLoad Malware: AI-Generated Evasion Meets ClickFix Delivery in Enterprise Credential Theft Campaign

A sophisticated new malware campaign dubbed “DeepLoad” has emerged targeting enterprise environments, combining ClickFix social engineering delivery with AI-generated obfuscation techniques that defeat traditional security controls. ReliaQuest researchers discovered the threat af

Malware
Infinity Stealer: New macOS Infostealer Combines ClickFix Social Engineering with Nuitka Compilation
Malware·

Infinity Stealer: New macOS Infostealer Combines ClickFix Social Engineering with Nuitka Compilation

A sophisticated new info-stealing malware named Infinity Stealer is targeting macOS systems using an innovative attack chain that combines ClickFix social engineering with Python payloads compiled using the open-source Nuitka compiler. Attack Overview According to Malwarebytes re

Malware
Infinity Stealer: New macOS Infostealer Uses ClickFix and Nuitka Compilation to Evade Detection
Malware·

Infinity Stealer: New macOS Infostealer Uses ClickFix and Nuitka Compilation to Evade Detection

A sophisticated new information-stealing malware named Infinity Stealer has emerged targeting macOS systems, combining the increasingly popular ClickFix social engineering technique with advanced evasion capabilities through Nuitka compilation. According to Malwarebytes research,

Iranian Cyber Threat Intelligence
FBI Alert: Iranian MOIS Hackers Weaponize Telegram for Global Espionage Against Dissidents
Iranian Cyber Threat Intelligence·

FBI Alert: Iranian MOIS Hackers Weaponize Telegram for Global Espionage Against Dissidents

The FBI has issued a public alert warning that Iranian government hackers affiliated with the Ministry of Intelligence and Security (MOIS) are actively weaponizing Telegram as a command-and-control (C2) platform to conduct espionage operations against dissidents, opposition group

Malware
Interlock Ransomware Exploited Cisco Firewall Zero-Day Weeks Before Public Disclosure
Malware·

Interlock Ransomware Exploited Cisco Firewall Zero-Day Weeks Before Public Disclosure

Amazon’s security team has revealed that the Interlock ransomware gang exploited a critical Cisco firewall vulnerability as a zero-day for five weeks before it was publicly disclosed, giving attackers a significant head start against defenders. Zero-Day Exploitation Timeline Acco

Malware
DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover
Malware·

DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover

Google Threat Intelligence Group (GTIG), iVerify, and Lookout have jointly uncovered DarkSword, a sophisticated iOS exploit kit that enables complete device compromise with minimal user interaction. The kit, operational since at least November 2025, has been deployed by suspected

Malware
LeakNet Ransomware Scales Operations with ClickFix Lures and Stealthy Deno-Based Fileless Loader
Malware·

LeakNet Ransomware Scales Operations with ClickFix Lures and Stealthy Deno-Based Fileless Loader

The LeakNet ransomware group is rapidly scaling its operations with two dangerous innovations: a social engineering technique called ClickFix and a previously unreported fileless loader built on the legitimate Deno JavaScript runtime. According to ReliaQuest research, LeakNet has

Malware
GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers
Malware·

GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers

Threat actors are abusing Visual Studio Code extension dependencies in the Open VSX registry to distribute the GlassWorm malware loader through 72 malicious extensions targeting developers.

Malware
GlassWorm ForceMemo Campaign: Stolen GitHub Tokens Used to Inject Malware Into Hundreds of Python Repositories
Malware·

GlassWorm ForceMemo Campaign: Stolen GitHub Tokens Used to Inject Malware Into Hundreds of Python Repositories

A sophisticated supply chain attack dubbed ForceMemo is leveraging stolen GitHub tokens to inject malware into hundreds of Python repositories, marking a dangerous escalation in the ongoing GlassWorm campaign targeting software developers. The Attack Chain According to StepSecuri

Malware
KadNap Botnet Hijacks 14,000+ ASUS Routers Using Novel Kademlia DHT Protocol for Stealth C2
Malware·

KadNap Botnet Hijacks 14,000+ ASUS Routers Using Novel Kademlia DHT Protocol for Stealth C2

A newly discovered botnet called KadNap is turning ASUS routers and edge networking devices into covert proxies for cybercriminal operations. Since August 2025, the malware has infected over 14,000 devices across the globe, with researchers from Black Lotus Labs (Lumen Technologi

Malware
BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign
Malware·

BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign

Trend Micro researchers have uncovered a large-scale malware distribution campaign using over 100 GitHub repositories to spread BoryptGrab, an information stealer that targets browser credentials, cryptocurrency wallets, and sensitive files while deploying reverse SSH backdoors f

Malware
BoryptGrab Stealer Spreads Through 100+ Malicious GitHub Repositories
Malware·

BoryptGrab Stealer Spreads Through 100+ Malicious GitHub Repositories

A massive malware distribution campaign has been discovered leveraging more than 100 GitHub repositories to spread the BoryptGrab information stealer. According to Trend Micro research, the campaign targets Windows users through deceptive downloads masquerading as legitimate soft

Global Cyber Threat Intelligence
APT36 Vibeware Campaign: Pakistan’s Transparent Tribe Weaponizes AI to Mass-Produce Malware Targeting India
Global Cyber Threat Intelligence·

APT36 Vibeware Campaign: Pakistan’s Transparent Tribe Weaponizes AI to Mass-Produce Malware Targeting India

Pakistan-aligned threat actor Transparent Tribe (APT36) has embraced AI-assisted malware development to flood Indian government networks with disposable, polyglot implants—a technique security researchers are calling “vibeware” or Distributed Denial of Detection (DDoD). AI-Powere

Malware
VOID#GEIST: Multi-Stage Malware Campaign Uses Python Loaders and APC Injection to Deploy XWorm, AsyncRAT, and Xeno RAT
Malware·

VOID#GEIST: Multi-Stage Malware Campaign Uses Python Loaders and APC Injection to Deploy XWorm, AsyncRAT, and Xeno RAT

Security researchers at Securonix have uncovered a sophisticated multi-stage malware campaign dubbed VOID#GEIST that delivers three separate remote access trojans (RATs) through an elaborate infection chain designed to evade detection. A Modular Attack Framework Unlike traditiona

Malware
Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613
Malware·

Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613

Akamai SIRT discovers Zerobot botnet actively exploiting CVE-2025-68613 in n8n workflow automation platform, marking a shift from traditional IoT targeting to enterprise infrastructure.

Malware
Malicious Go Crypto Module Steals Passwords and Deploys Rekoobe Backdoor
Malware·

Malicious Go Crypto Module Steals Passwords and Deploys Rekoobe Backdoor

A sophisticated supply chain attack has been uncovered targeting Go developers through a malicious module that impersonates the legitimate golang.org/x/crypto library. The attack demonstrates how threat actors are increasingly exploiting namespace confusion to compromise develope

General CTI
Fake Google Security Check Transforms Browser Into Surveillance Toolkit via PWA Installation
General CTI·

Fake Google Security Check Transforms Browser Into Surveillance Toolkit via PWA Installation

A sophisticated phishing campaign has been discovered that transforms web browsers into comprehensive surveillance platforms by masquerading as a Google Account security page. According to Malwarebytes researchers, this attack represents one of the most fully-featured browser-bas

Malware
DarkCloud Infostealer Emerges as Major Enterprise Threat: $30 Malware Delivers Scalable Credential Theft
Malware·

DarkCloud Infostealer Emerges as Major Enterprise Threat: $30 Malware Delivers Scalable Credential Theft

The cybersecurity threat landscape is facing a growing challenge as infostealers continue to dominate the initial access ecosystem in 2026. Among the latest threats drawing serious attention is DarkCloud, a commercially available credential-harvesting malware that proves even low

General CTI
APT28 Targets European Entities with Operation MacroMaze Webhook Malware Campaign
General CTI·

APT28 Targets European Entities with Operation MacroMaze Webhook Malware Campaign

Russia’s notorious state-sponsored threat actor APT28 (also known as Fancy Bear) has been attributed to a sophisticated new campaign targeting organizations across Western and Central Europe. According to S2 Grupo’s LAB52 threat intelligence team, the campaign—codenamed Operation

Malware
Remcos RAT Evolves with Real-Time Webcam Streaming and Live Keylogging Capabilities
Malware·

Remcos RAT Evolves with Real-Time Webcam Streaming and Live Keylogging Capabilities

A newly observed variant of Remcos RAT has introduced significant upgrades to its surveillance arsenal, marking a dangerous evolution in how this remote access trojan operates on compromised Windows systems. From Storage to Streaming According to Infosecurity Magazine, the update

Malware
SANDWORMMODE: Self-Replicating npm Worm Steals Dev Secrets and Targets AI Coding Tools
Malware·

SANDWORMMODE: Self-Replicating npm Worm Steals Dev Secrets and Targets AI Coding Tools

A sophisticated supply chain worm dubbed SANDWORMMODE is actively targeting the npm ecosystem, compromising at least 19 malicious packages designed to steal developer credentials and CI/CD secrets while automatically spreading across repositories and workflows. Researchers at Soc

Malware
Facebook Malvertising Campaign Uses Fake Windows 11 Pages to Deploy Credential-Stealing Malware
Malware·

Facebook Malvertising Campaign Uses Fake Windows 11 Pages to Deploy Credential-Stealing Malware

Attackers are running a sophisticated malvertising campaign that leverages paid Facebook ads to distribute credential-stealing malware disguised as official Windows 11 updates. The campaign uses convincing fake Microsoft download pages and includes multiple technical countermeasu

Malware
Kimwolf Botnet Swamps I2P Anonymity Network in Massive Sybil Attack
Malware·

Kimwolf Botnet Swamps I2P Anonymity Network in Massive Sybil Attack

The massive Kimwolf IoT botnet has caused significant disruptions to The Invisible Internet Project (I2P), a decentralized privacy network, after botnet operators accidentally overwhelmed the system while attempting to use it for command-and-control evasion. The Attack According

Malware
Russian Threat Actor Deploys CANFAIL Malware Against Ukrainian Organizations
Malware·

Russian Threat Actor Deploys CANFAIL Malware Against Ukrainian Organizations

Google Threat Intelligence Group (GTIG) has uncovered a new threat actor possibly affiliated with Russian intelligence services that has been systematically targeting Ukrainian organizations with a sophisticated malware strain known as CANFAIL. Target Profile The threat group has

Malware
ClawHavoc Supply Chain Attack Poisons OpenClaw ClawHub With 1,184 Malicious AI Agent Skills
Malware·

ClawHavoc Supply Chain Attack Poisons OpenClaw ClawHub With 1,184 Malicious AI Agent Skills

A massive supply chain attack dubbed ClawHavoc has compromised ClawHub, the official skill marketplace for OpenClaw, an open-source AI agent platform formerly known as ClawdBot and Moltbot. Researchers have uncovered at least 1,184 malicious “Skills”—plugin-style packages that ex

Malware
NexShield Fake Ad Blocker Uses CrashFix Attack to Deliver ModeloRAT Malware
Malware·

NexShield Fake Ad Blocker Uses CrashFix Attack to Deliver ModeloRAT Malware

Security researchers at Huntress have uncovered a sophisticated new malware campaign that weaponizes browser stability against users. The attack, dubbed CrashFix, represents an evolution of the notorious ClickFix social engineering technique—but with a dangerous twist: instead of

Malware
OysterLoader: Sophisticated Multi-Stage Malware Loader Linked to Rhysida Ransomware Campaigns
Malware·

OysterLoader: Sophisticated Multi-Stage Malware Loader Linked to Rhysida Ransomware Campaigns

A highly sophisticated malware loader known as OysterLoader has emerged as a significant cybersecurity threat, employing advanced multi-layer obfuscation techniques to evade detection while delivering dangerous payloads including Rhysida ransomware and the widespread Vidar infost

Malware
AiFrame Campaign: 30 Fake AI Chrome Extensions with 300K Users Steal Credentials, Gmail Content
Malware·

AiFrame Campaign: 30 Fake AI Chrome Extensions with 300K Users Steal Credentials, Gmail Content

Researchers at browser security platform LayerX have uncovered a coordinated malware campaign dubbed “AiFrame” involving 30 malicious Chrome extensions installed by more than 300,000 users. The extensions masquerade as AI assistants while secretly stealing credentials, email cont

Malware
Phorpiex Botnet Resurfaces: Phishing Campaign Delivers Offline-Capable Global Group Ransomware
Malware·

Phorpiex Botnet Resurfaces: Phishing Campaign Delivers Offline-Capable Global Group Ransomware

A new phishing campaign leveraging the infamous Phorpiex botnet has been observed distributing Global Group ransomware through weaponized Windows shortcut (.LNK) files, according to a new advisory from Forcepoint X-Labs. The Attack Chain The campaign uses phishing emails with the

Malware
Cybercriminals Weaponize ChatGPT and Grok to Distribute AMOS Stealer on macOS
Malware·

Cybercriminals Weaponize ChatGPT and Grok to Distribute AMOS Stealer on macOS

A sophisticated attack campaign is exploiting user trust in artificial intelligence platforms to distribute the Atomic macOS Stealer (AMOS), representing a dangerous evolution in social engineering tactics that combines legitimate AI chatbot services with paid Google advertising.

Malware
XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection
Malware·

XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection

FortiGuard Labs has uncovered a sophisticated phishing campaign delivering XWorm version 7.2, a multi-functional Remote Access Trojan (RAT) that provides attackers with full remote control of compromised Windows systems. Campaign Overview The campaign utilizes multiple phishing e

Malware
Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals
Malware·

Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals

A sophisticated brand impersonation campaign is weaponizing the popular 7-Zip file archiver to silently transform infected Windows computers into residential proxy nodes—monetizing victims’ IP addresses for fraud, scraping, and anonymity laundering operations. The Lookalike Domai

Malware
Silver Fox APT Unleashes ValleyRAT with Rare PoolParty Process Injection Technique
Malware·

Silver Fox APT Unleashes ValleyRAT with Rare PoolParty Process Injection Technique

A sophisticated malware campaign targeting Chinese-speaking users has revealed a significant evolution in the Silver Fox APT group’s capabilities. According to new research from Cybereason Security Services, the threat actors are deploying fake software installers to deliver Vall

Malware
SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide
Malware·

SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide

The SystemBC malware loader has demonstrated remarkable resilience, continuing to operate despite targeted efforts during Europol’s Operation Endgame in May 2024. Cybersecurity firm Silent Push has identified more than 10,000 unique infected IP addresses across a massive botnet i

Malware
PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions
Malware·

PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions

A newly identified Windows malware strain called PDFSider has emerged as a dangerous tool in the arsenals of multiple ransomware operators, with at least one confirmed attack targeting a Fortune 100 finance company. Security researchers at Resecurity uncovered the malware during

Malware
ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory
Malware·

ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory

Cyble Research & Intelligence Labs (CRIL) has uncovered a sophisticated Linux intrusion framework dubbed ShadowHS — a stealthy, fileless post-exploitation tool that executes entirely from memory, leaving virtually no traces on disk. This discovery highlights the growing sophistic

Malware
Malware·

Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT

Threat actors are abusing the Hugging Face AI platform to host Android malware, using server-side polymorphism to generate thousands of RAT variants every 15 minutes.

Malware
Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT
Malware·

Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT

A malicious VS Code extension impersonating the popular Clawdbot AI assistant has been caught deploying ScreenConnect RAT on Windows machines. The trojanized extension worked as a functional AI coding tool while silently installing remote access software.

Malware
Poland Thwarts Russian Wiper Malware Attack on Power Plants
Malware·

Poland Thwarts Russian Wiper Malware Attack on Power Plants

Source: Hackread | Author: Deeba Ahmed Poland has narrowly avoided a massive energy crisis following what officials are calling the largest cyberattack on the country in years. Between 29 and 30 December 2025, hackers attempted to break into the nation’s energy infrastructure, sp

Malware
New Go loader pushes Rhadamanthys stealer
Malware·

New Go loader pushes Rhadamanthys stealer

READ ARTICLE Posted: March 22, 2024 by Jérôme Segura Malware loaders (also known as droppers or downloaders) are a popular commodity in the criminal underground. Their primary function is to successfully compromise a machine and deploy one or multiple additional payloads. A good

Malware
DreamBus Unleashes Metabase Mayhem With New Exploit Module
Malware·

DreamBus Unleashes Metabase Mayhem With New Exploit Module

Read Article Key Takeaways

Malware
Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns
Malware·

Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns

Read Article On January 3, 2024, Mandiant’s X social media account was taken over and subsequently used to distribute links to a cryptocurrency drainer phishing page. Working with X, we were able to regain control of the account and, based on our investigation over the following

AI (General)
Custom GPTs: A Case of Malware Analysis and IoC Analyzing
AI (General)·

Custom GPTs: A Case of Malware Analysis and IoC Analyzing

Read Article On November 6, 2023, CustomGPTs, a new feature that OpenAI stated on its blog, became available. We can already say that the emergence of Custom Generative Pre-trained Transformers (GPTs) could mark a significant shift in the dynamics of both digital defense and offe

Malware
Deceptive Cracked Software Spreads Lumma Variant on YouTube
Malware·

Deceptive Cracked Software Spreads Lumma Variant on YouTube

Read Article Initial Infection Vector The hacker initially breaches a YouTuber’s account and uploads videos masquerading as sharing cracked software. Figure 3 shows the video descriptions in which a malicious URL is embedded, enticing users to download a ZIP file that harbors mal

Malware
Alert: Carbanak Malware Strikes Again With Updated Tactics
Malware·

Alert: Carbanak Malware Strikes Again With Updated Tactics

Chinese Cyber Threat Intelligence
AsyncRAT loader: Obfuscation, DGAs, decoys and Govno
Chinese Cyber Threat Intelligence·

AsyncRAT loader: Obfuscation, DGAs, decoys and Govno

Read Article Executive summary AT&T Alien Labs has identified a campaign to deliver AsyncRAT onto unsuspecting victim systems. During at least 11 months, this threat actor has been working on delivering the RAT through an initial JavaScript file, embedded in a phishing page. Afte

Malware
Chapter 84: In-depth analysis and technical analysis of LockBit, the top encryption ransomware organization (Part 1)
Malware·

Chapter 84: In-depth analysis and technical analysis of LockBit, the top encryption ransomware organization (Part 1)

Read Article Excerpt LockBit operators and affiliates will find ways to obtain the victim’s initial access rights and use them to deliver encrypted ransomware. The attack methods can be roughly divided into the following methods: 1. Extensive vulnerability scanning . Using Nday v

Malware
JavaScript Malware: 50,000+ Bank Users at Risk Worldwide
Malware·

JavaScript Malware: 50,000+ Bank Users at Risk Worldwide

IOC: jscdnpack[.]com

Malware
Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer
Malware·

Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer

https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/

Malware
Hackers target Apache RocketMQ servers vulnerable to RCE attacks
Malware·

Hackers target Apache RocketMQ servers vulnerable to RCE attacks

https://www.bleepingcomputer.com/news/security/hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks/