<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>Bulwark Black — Cyber Threat Intelligence</title><description>Bulwark Black is a veteran-owned (SDVOSB) cyber threat intelligence and custom software studio. Daily CTI on threat actors, malware, and IOCs, plus custom web and iOS apps, AI setup, and small-business IT and cybersecurity, delivered remotely across the United States.</description><link>https://bulwarkblack.com/</link><item><title>Ghost Phishing Shows Why Email Security Must Follow the Browser</title><link>https://bulwarkblack.com/ghost-phishing-browser-decryption-microsoft-365-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/ghost-phishing-browser-decryption-microsoft-365-defense/</guid><description>Ghost phishing hides the real lure until the browser renders it. Here is what SMBs and government contractors should do to defend Microsoft 365 identities.</description><pubDate>Thu, 09 Jul 2026 20:03:04 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Pakistani Police Intrusions Show Why Public-Sector Data Systems Are Strategic Targets</title><link>https://bulwarkblack.com/pakistani-law-enforcement-espionage-public-sector-data-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/pakistani-law-enforcement-espionage-public-sector-data-defense/</guid><description>SentinelLabs reporting on rival espionage activity against Pakistani law enforcement is a reminder that public-sector portals, case systems, and citizen-data apps are strategic intelligence targets — even when they are not classified systems.</description><pubDate>Thu, 09 Jul 2026 15:04:16 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Bad Epoll Shows Linux Kernel LPEs Belong in the Patch Priority Queue</title><link>https://bulwarkblack.com/bad-epoll-linux-kernel-cve-2026-46242-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/bad-epoll-linux-kernel-cve-2026-46242-defense/</guid><description>Bad Epoll CVE-2026-46242 is a Linux kernel epoll race-condition LPE. Here is why SMBs and government contractors should prioritize kernel patching, developer endpoint hardening, and post-compromise controls.</description><pubDate>Thu, 09 Jul 2026 01:03:56 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Fake Payment SDKs Show Why Dependency Risk Is Credential Risk</title><link>https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/fake-payment-sdk-npm-pypi-secret-theft-defense/</guid><description>Socket uncovered malicious npm and PyPI packages impersonating Paysafe, Skrill, and Neteller SDKs. Here is what SMBs and government contractors should do now to protect CI secrets, developer machines, and payment integrations.</description><pubDate>Wed, 08 Jul 2026 20:08:55 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue</title><link>https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/ubiquiti-unifi-critical-flaws-network-control-plane-defense/</guid><description>Ubiquiti patched critical UniFi Connect, Talk, Access, Protect, and UniFi OS flaws. Here is what SMBs and government contractors should patch, restrict, and review now.</description><pubDate>Wed, 08 Jul 2026 15:05:03 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls</title><link>https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/vidar-xmrig-malvertising-file-size-code-signing-defense/</guid><description>Unit 42 reported a Vidar stealer and XMRig campaign using malvertising, fake cracked-software lures, misleading certificate metadata, oversized binaries, and commodity loader infrastructure. Here is what SMBs and government contractors should take away.</description><pubDate>Wed, 08 Jul 2026 01:04:27 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>ADFS Signing Keys Show Why Federation Servers Are Tier-Zero Identity Infrastructure</title><link>https://bulwarkblack.com/adfs-machine-dpapi-golden-saml-federation-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/adfs-machine-dpapi-golden-saml-federation-defense/</guid><description>Mandiant shows how ADFS certificate drift and Machine DPAPI can expose active signing keys. Here is what SMBs and government contractors should do now.</description><pubDate>Tue, 07 Jul 2026 20:07:20 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure</title><link>https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/uat-7810-orb-relay-network-edge-device-defense/</guid><description>Cisco Talos reports UAT-7810 is expanding ORB relay infrastructure using compromised edge and embedded devices. Here is what SMBs and government contractors should do now.</description><pubDate>Tue, 07 Jul 2026 15:05:20 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>FortiBleed Shows Firewall Credentials Are Ransomware Fuel</title><link>https://bulwarkblack.com/fortibleed-fortigate-credentials-ransomware-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/fortibleed-fortigate-credentials-ransomware-defense/</guid><description>SOCRadar linked the FortiBleed FortiGate credential-harvesting campaign to INC and Lynx ransomware operations. Here is what SMBs and government contractors should do next.</description><pubDate>Fri, 03 Jul 2026 01:06:41 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>NetNut and Popa Takedown Shows Residential Proxies Are Now Attack Infrastructure</title><link>https://bulwarkblack.com/netnut-popa-residential-proxy-botnet-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/netnut-popa-residential-proxy-botnet-defense/</guid><description>The FBI and industry partners disrupted NetNut and the Popa botnet. Here is why residential proxy abuse matters for SMBs, government contractors, and defenders.</description><pubDate>Thu, 02 Jul 2026 20:24:31 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Vect and TeamPCP Show Supply-Chain Credentials Are Ransomware Fuel</title><link>https://bulwarkblack.com/vect-teampcp-supply-chain-ransomware-credential-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/vect-teampcp-supply-chain-ransomware-credential-defense/</guid><description>Sophos CTU reports that Vect and TeamPCP have linked ransomware deployment with supply-chain credential theft. Here is what SMBs and government contractors should harden now.</description><pubDate>Thu, 02 Jul 2026 15:06:34 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes</title><link>https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/ousaban-banking-trojan-iberian-phishing-defense/</guid><description>Ousaban’s Spain and Portugal campaign shows how banking trojans use geofencing, phishing PDFs, steganography, and daily-changing C2 to evade sandbox-heavy defenses.</description><pubDate>Thu, 02 Jul 2026 01:06:16 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>NUT upsmon Command Injection Shows UPS Monitoring Belongs in the Patch Queue</title><link>https://bulwarkblack.com/nut-upsmon-cve-2026-54161-command-injection-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/nut-upsmon-cve-2026-54161-command-injection-defense/</guid><description>CVE-2026-54161 in Network UPS Tools upsmon shows why UPS monitoring, notification scripts, and power-infrastructure control paths need patching, segmentation, and process monitoring.</description><pubDate>Wed, 01 Jul 2026 20:14:35 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane</title><link>https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/artoken-eviltokens-microsoft-365-bec-token-defense/</guid><description>Cisco Talos uncovered ARToken, an EvilTokens-linked phishing-as-a-service panel built around Microsoft 365 token theft, device-code phishing, mailbox access, SharePoint operations, and BEC automation. The practical lesson: treat identity tokens, inbox rules, and cloud collaborati</description><pubDate>Wed, 01 Jul 2026 15:04:19 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>CitrixBleed Keeps Returning: NetScaler SAML IdP Memory Leaks Need Edge-Control Discipline</title><link>https://bulwarkblack.com/citrixbleed-netscaler-cve-2026-8451-saml-idp-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/citrixbleed-netscaler-cve-2026-8451-saml-idp-defense/</guid><description>Citrix patched CVE-2026-8451, a NetScaler SAML IdP memory overread in the CitrixBleed family. Here is what SMBs and government contractors should do now.</description><pubDate>Wed, 01 Jul 2026 01:03:37 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>SimpleHelp Exploitation Shows RMM Is a Credential Control Plane</title><link>https://bulwarkblack.com/simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/simplehelp-cve-2026-48558-taskweaver-djinn-stealer-defense/</guid><description>Active exploitation of SimpleHelp CVE-2026-48558 shows why RMM platforms must be treated as privileged credential control planes, not routine support tools.</description><pubDate>Tue, 30 Jun 2026 20:03:54 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Leaky iOS AI Apps Show Mobile AI Needs Real API Gateways</title><link>https://bulwarkblack.com/ios-ai-app-api-key-leak-api-gateway-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/ios-ai-app-api-key-leak-api-gateway-defense/</guid><description>A study of iOS AI chatbot apps found widespread exposure of API keys, open AI proxy access, and replayable tokens. The fix is not another client-side secret workaround; it is real backend authentication, scoped tokens, monitoring, and key isolation.</description><pubDate>Tue, 30 Jun 2026 15:06:44 GMT</pubDate><category>AI (General)</category></item><item><title>Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access</title><link>https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/</link><guid isPermaLink="true">https://bulwarkblack.com/bing-seo-poisoning-bumblebee-adaptix-akira-ransomware/</guid><description>A DFIR Report case study shows how a fake ManageEngine OpManager download led from BumbleBee and AdaptixC2 to Akira ransomware. The defensive lesson: admin software downloads need control, verification, and monitoring.</description><pubDate>Tue, 30 Jun 2026 01:08:58 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Water Systems Are Becoming Nation-State Pressure Points</title><link>https://bulwarkblack.com/water-systems-nation-state-ot-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/water-systems-nation-state-ot-defense/</guid><description>Nation-state targeting of water systems shows why exposed OT, weak credentials, remote access, and poor IT/OT segmentation remain practical business risks—not just utility-sector problems.</description><pubDate>Mon, 29 Jun 2026 20:05:08 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Fluentd Vulnerabilities Show Logging Pipelines Need Production-Grade Segmentation</title><link>https://bulwarkblack.com/fluentd-vulnerabilities-log-pipeline-segmentation-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/fluentd-vulnerabilities-log-pipeline-segmentation-defense/</guid><description>Multiple Fluentd vulnerabilities show why log collectors need segmentation, least privilege, and hostile-input assumptions—not just patching.</description><pubDate>Mon, 29 Jun 2026 15:05:17 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Shai Hulud Shows CI/CD Identity Is Production Cloud Identity</title><link>https://bulwarkblack.com/shai-hulud-cicd-cloud-identity-redshift-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/shai-hulud-cicd-cloud-identity-redshift-defense/</guid><description>Fortinet’s Shai Hulud case study shows how poisoned CI/CD dependencies can become cloud identity compromise, IAM escalation, and Redshift data theft. Here is what SMBs and government contractors should harden now.</description><pubDate>Mon, 29 Jun 2026 01:03:44 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Clean Repos Can Still Burn Developer Machines When AI Agents Trust Runtime Setup</title><link>https://bulwarkblack.com/ai-coding-agent-clean-repo-runtime-payload-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/ai-coding-agent-clean-repo-runtime-payload-defense/</guid><description>A clean-looking repository can still become dangerous when an AI coding agent follows setup instructions and executes runtime-fetched configuration. Here is how teams should defend developer workflows.</description><pubDate>Sat, 27 Jun 2026 15:10:35 GMT</pubDate><category>AI (General)</category></item><item><title>Splunk Enterprise RCE Shows SIEM Servers Are Tier-Zero Infrastructure</title><link>https://bulwarkblack.com/splunk-enterprise-cve-2026-20253-siem-tier-zero-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/splunk-enterprise-cve-2026-20253-siem-tier-zero-defense/</guid><description>CVE-2026-20253 shows why Splunk and other SIEM platforms need tier-zero hardening: patch quickly, restrict management access, review service accounts, and hunt for suspicious file writes.</description><pubDate>Sat, 27 Jun 2026 01:05:27 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>NAIC Breach Shows Why PeopleSoft Internet Exposure Needs Immediate Review</title><link>https://bulwarkblack.com/naic-peoplesoft-zero-day-cve-2026-35273/</link><guid isPermaLink="true">https://bulwarkblack.com/naic-peoplesoft-zero-day-cve-2026-35273/</guid><description>NAIC’s PeopleSoft-linked breach is a practical warning for SMBs and government contractors: patch CVE-2026-35273, restrict administrative endpoints, and hunt for attacker staging before extortion begins.</description><pubDate>Fri, 26 Jun 2026 20:09:30 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths</title><link>https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/hospitality-photo-zip-nodejs-implant-defense/</guid><description>Microsoft’s hospitality photo-ZIP campaign shows why front desk, booking, and customer intake workflows need executable-content controls, redirect-chain inspection, and endpoint hunting for unusual Node.js persistence.</description><pubDate>Fri, 26 Jun 2026 15:09:18 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells</title><link>https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/cl-sta-1062-tinyrct-critical-infrastructure-web-shell-defense/</guid><description>Unit 42’s CL-STA-1062 report shows why defenders should focus on exposed web apps, web shells, tunneling tools, scheduled-task persistence, and egress visibility — not just the TinyRCT malware name.</description><pubDate>Fri, 26 Jun 2026 01:12:24 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility</title><link>https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/</link><guid isPermaLink="true">https://bulwarkblack.com/turla-stockstay-backdoor-egress-visibility/</guid><description>GTIG’s STOCKSTAY research shows how Turla blends modular .NET malware, WebSocket C2, and diplomatic targeting. Here are the defensive lessons for SMBs and government contractors.</description><pubDate>Thu, 25 Jun 2026 20:08:35 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>StrikeShark Shows Loader Malware Is an Edge-Exposure Problem</title><link>https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/strikeshark-sharkloader-cobalt-strike-defense/</guid><description>Kaspersky’s StrikeShark research shows how opportunistic exploitation of exposed servers can become a multi-stage SharkLoader and Cobalt Strike intrusion. Here is what SMBs and government contractors should review now.</description><pubDate>Thu, 25 Jun 2026 15:09:47 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>MuddyWater’s Chaos Masquerade Shows Ransomware Response Needs Attribution Discipline</title><link>https://bulwarkblack.com/muddywater-chaos-false-flag-ransomware-attribution/</link><guid isPermaLink="true">https://bulwarkblack.com/muddywater-chaos-false-flag-ransomware-attribution/</guid><description>Iran-linked MuddyWater activity shows why ransomware response needs to examine identity compromise, remote access, and adversary objectives instead of trusting the ransom note at face value.</description><pubDate>Thu, 25 Jun 2026 01:04:28 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>SocGholish Takedown Shows Website Trust Is Malware Infrastructure</title><link>https://bulwarkblack.com/socgholish-operation-endgame-website-trust-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/socgholish-operation-endgame-website-trust-defense/</guid><description>Operation Endgame disrupted SocGholish infrastructure, but the defensive lesson is bigger: compromised trusted websites are malware delivery infrastructure.</description><pubDate>Sun, 21 Jun 2026 01:05:10 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets</title><link>https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/operation-escaneo-latin-america-edge-device-defense/</guid><description>Operation Escaneo shows how financially motivated actors are turning exposed edge devices, tunnels, and privileged service accounts into full intrusion chains across Latin American government and critical infrastructure targets.</description><pubDate>Sat, 20 Jun 2026 20:07:49 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Mastra npm Compromise Shows AI Frameworks Are Supply-Chain Targets</title><link>https://bulwarkblack.com/mastra-npm-sapphire-sleet-ai-supply-chain-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/mastra-npm-sapphire-sleet-ai-supply-chain-defense/</guid><description>Microsoft linked the Mastra AI npm package compromise to North Korean actor Sapphire Sleet. Here is what SMBs and government contractors should do about AI framework supply-chain risk.</description><pubDate>Sat, 20 Jun 2026 15:20:41 GMT</pubDate><category>AI (General)</category></item><item><title>Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring</title><link>https://bulwarkblack.com/showboat-linux-malware-telecom-persistence-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/showboat-linux-malware-telecom-persistence-defense/</guid><description>Showboat is a China-linked Linux post-exploitation framework aimed at telecom providers. The lesson for defenders: treat Linux server persistence, dynamic linker abuse, and low-noise C2 as first-class monitoring priorities.</description><pubDate>Sat, 20 Jun 2026 01:03:42 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>AutoJack Shows AI Browsing Agents Need Localhost Boundaries</title><link>https://bulwarkblack.com/autojack-ai-agent-localhost-rce-boundaries/</link><guid isPermaLink="true">https://bulwarkblack.com/autojack-ai-agent-localhost-rce-boundaries/</guid><description>Microsoft’s AutoJack research shows how a malicious webpage can abuse an AI browsing agent’s access to localhost services. The defensive lesson: treat agent control planes, MCP servers, and local tool runners like privileged admin surfaces.</description><pubDate>Fri, 19 Jun 2026 20:11:44 GMT</pubDate><category>AI (General)</category></item><item><title>Apache APISIX Auth Bypass Cluster Shows API Gateways Need Plugin-Level Review</title><link>https://bulwarkblack.com/apache-apisix-auth-bypass-plugin-review/</link><guid isPermaLink="true">https://bulwarkblack.com/apache-apisix-auth-bypass-plugin-review/</guid><description>Apache disclosed a cluster of APISIX authentication and identity plugin CVEs. The defensive priority is patching, plugin inventory, and validating what backend services trust from the gateway.</description><pubDate>Fri, 19 Jun 2026 15:12:40 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>FortiBleed Shows Firewall Patching Is Not Compromise Recovery</title><link>https://bulwarkblack.com/fortibleed-firewall-patching-compromise-recovery/</link><guid isPermaLink="true">https://bulwarkblack.com/fortibleed-firewall-patching-compromise-recovery/</guid><description>FortiBleed is a reminder that edge firewall patching is necessary, but it does not prove a previously exposed appliance is clean. Defenders need compromise review, credential rotation, and rebuild plans for perimeter devices.</description><pubDate>Fri, 19 Jun 2026 01:04:18 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Vendor-Signed UEFI Apps Show Secure Boot Still Depends on Revocation Hygiene</title><link>https://bulwarkblack.com/uefi-secure-boot-bypass-dbx-revocation-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/uefi-secure-boot-bypass-dbx-revocation-defense/</guid><description>CERT/CC warns that multiple vendor-signed UEFI applications can be abused to bypass Secure Boot before the operating system and EDR controls ever load. For SMBs and government contractors, the fix is not just firmware patching; it is verifying DBX revocation coverage across manag</description><pubDate>Thu, 18 Jun 2026 20:03:18 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk</title><link>https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/</link><guid isPermaLink="true">https://bulwarkblack.com/smartapesg-okendo-widget-supply-chain-risk/</guid><description>Zscaler ThreatLabz reported that SmartApeSG injected malicious JavaScript into the Okendo Reviews widget, creating downstream exposure across e-commerce sites. Here is what SMBs and government contractors should do about third-party browser code risk.</description><pubDate>Thu, 18 Jun 2026 15:04:18 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity</title><link>https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/tor-crypto-clipper-usb-worm-backdoor-defense/</guid><description>Microsoft research on a Tor-routed crypto clipper shows why defenders should connect USB shortcut execution, script interpreters, localhost proxy activity, and clipboard theft into one investigation path.</description><pubDate>Thu, 18 Jun 2026 01:04:13 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Outsider Enterprise Shows AI-Powered Phishing Is Now Industrial Infrastructure</title><link>https://bulwarkblack.com/outsider-enterprise-ai-phishing-smishing-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/outsider-enterprise-ai-phishing-smishing-defense/</guid><description>The Outsider Enterprise takedown shows AI-powered phishing is now industrial infrastructure. SMBs and government contractors should prioritize phishing-resistant MFA, identity recovery controls, and rapid session revocation.</description><pubDate>Sun, 14 Jun 2026 15:04:21 GMT</pubDate><category>AI (General)</category></item><item><title>Handala’s Cal Water Claim Shows OT Defense Starts With Segmentation</title><link>https://bulwarkblack.com/handala-cal-water-ot-segmentation-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/handala-cal-water-ot-segmentation-defense/</guid><description>Handala’s California Water Service claim is a reminder that critical-infrastructure defense starts with proving separation between billing systems, telemetry platforms, and operational technology.</description><pubDate>Sun, 14 Jun 2026 01:05:54 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>FortiPortal CVE-2026-49938 Shows Network Configuration Data Is a High-Value Target</title><link>https://bulwarkblack.com/fortiportal-cve-2026-49938-network-config-data-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/fortiportal-cve-2026-49938-network-config-data-defense/</guid><description>Fortinet CVE-2026-49938 is a medium-severity FortiPortal API access-control issue, but sensitive network configuration exposure can still give attackers a valuable map of the environment.</description><pubDate>Sat, 13 Jun 2026 20:07:37 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Velvet Ant Shows Authentication Infrastructure Is Critical Infrastructure</title><link>https://bulwarkblack.com/velvet-ant-operation-highland-authentication-stack-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/velvet-ant-operation-highland-authentication-stack-defense/</guid><description>Velvet Ant’s Operation Highland shows why PAM, OpenSSH, jump hosts, and proxy paths deserve the same defensive priority as identity providers and domain controllers.</description><pubDate>Sat, 13 Jun 2026 15:04:04 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries</title><link>https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/shai-hulud-ai-scanner-evasion-package-supply-chain-defense/</guid><description>Zscaler ThreatLabz says the Shai-Hulud campaign has expanded across package ecosystems and introduced prompt-injection tactics aimed at automated AI security triage. The defense lesson is simple: treat package content as hostile input, even when an LLM is doing the review.</description><pubDate>Sat, 13 Jun 2026 01:08:24 GMT</pubDate><category>AI (General)</category></item><item><title>Maine Breach Portal Hoax Shows Disclosure Systems Need Verification Controls</title><link>https://bulwarkblack.com/maine-breach-portal-hoax-disclosure-verification-controls/</link><guid isPermaLink="true">https://bulwarkblack.com/maine-breach-portal-hoax-disclosure-verification-controls/</guid><description>Maine took its public breach notification database offline after fake disclosures were published. The lesson for SMBs and government contractors: public trust workflows need verification, moderation, and correction controls.</description><pubDate>Fri, 12 Jun 2026 20:04:46 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Portainer CVE-2026-33590 Shows Container Admin Tools Need Least Privilege Defaults</title><link>https://bulwarkblack.com/portainer-cve-2026-33590-container-host-takeover-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/portainer-cve-2026-33590-container-host-takeover-defense/</guid><description>intWave disclosed CVE-2026-33590 in Portainer, where insecure default Docker security settings could let regular users escalate toward host takeover. Here is what SMBs and government contractors should lock down.</description><pubDate>Fri, 12 Jun 2026 15:06:48 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>MaXSS and Spyder Show AI Browser Extensions Are an Endpoint Risk</title><link>https://bulwarkblack.com/maxss-spyder-ai-browser-extensions-endpoint-risk/</link><guid isPermaLink="true">https://bulwarkblack.com/maxss-spyder-ai-browser-extensions-endpoint-risk/</guid><description>Rebora disclosed MaXSS and Spyder, two critical flaws in AI browser-extension side panels. The lesson for SMBs and government contractors: browser extensions are endpoint software with identity-session reach and need governance.</description><pubDate>Fri, 12 Jun 2026 01:04:57 GMT</pubDate><category>AI (General)</category></item><item><title>ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface</title><link>https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/</link><guid isPermaLink="true">https://bulwarkblack.com/shinyhunters-peoplesoft-cve-2026-35273-erp-admin-endpoints/</guid><description>GTIG and Mandiant report active ShinyHunters exploitation of Oracle PeopleSoft CVE-2026-35273. Here is what defenders should lock down, hunt, and segment now.</description><pubDate>Thu, 11 Jun 2026 20:05:37 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>LangGraph Checkpointer Bugs Show AI Agent Memory Is Backend Attack Surface</title><link>https://bulwarkblack.com/langgraph-checkpointer-sqli-rce-ai-agent-memory-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/langgraph-checkpointer-sqli-rce-ai-agent-memory-defense/</guid><description>Check Point Research disclosed LangGraph checkpointer flaws that could turn user-controlled state-history filters into SQL injection, unsafe deserialization, and remote code execution. The lesson for SMBs and government contractors: AI agent memory is application infrastructure, </description><pubDate>Thu, 11 Jun 2026 15:11:42 GMT</pubDate><category>AI (General)</category></item><item><title>IMA Diligence Breach Shows Legacy Servers Are Still Third-Party Risk</title><link>https://bulwarkblack.com/ima-diligence-genesis-ransomware-legacy-server-risk/</link><guid isPermaLink="true">https://bulwarkblack.com/ima-diligence-genesis-ransomware-legacy-server-risk/</guid><description>A reported IMA Diligence breach affecting more than 525,000 people shows why legacy third-party servers need ownership, monitoring, decommissioning, and data-risk review.</description><pubDate>Thu, 11 Jun 2026 01:04:12 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>C0XMO Shows IoT Botnets Are Still an Edge Exposure Problem</title><link>https://bulwarkblack.com/c0xmo-dd-wrt-iot-botnet-edge-exposure-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/c0xmo-dd-wrt-iot-botnet-edge-exposure-defense/</guid><description>Fortinet researchers detailed C0XMO, a Gafgyt variant spreading through DD-WRT and other exposed devices. Here is what SMBs and government contractors should lock down before compromised routers become DDoS infrastructure.</description><pubDate>Sun, 07 Jun 2026 15:08:38 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>SolarWinds Serv-U Exploitation Shows File Transfer Availability Is Security</title><link>https://bulwarkblack.com/solarwinds-servu-cve-2026-28318-file-transfer-availability/</link><guid isPermaLink="true">https://bulwarkblack.com/solarwinds-servu-cve-2026-28318-file-transfer-availability/</guid><description>CISA added actively exploited SolarWinds Serv-U CVE-2026-28318 to KEV. Here is what SMBs and government contractors should do about file-transfer availability risk.</description><pubDate>Sun, 07 Jun 2026 01:04:04 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Pink Extortion Shows Microsoft 365 Defense Starts With Vishing Controls</title><link>https://bulwarkblack.com/pink-extortion-m365-vishing-cloud-data-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/pink-extortion-m365-vishing-cloud-data-defense/</guid><description>Unit 42 is tracking Pink / CL-CRI-1147, a Com-affiliated extortion brand using vishing, credential theft, and Microsoft 365 data exfiltration. Here is what SMBs and government contractors should lock down now.</description><pubDate>Sat, 06 Jun 2026 20:05:25 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>ChatGPT Lockdown Mode Shows Prompt Injection Defense Is About Egress Control</title><link>https://bulwarkblack.com/chatgpt-lockdown-mode-prompt-injection-egress-control/</link><guid isPermaLink="true">https://bulwarkblack.com/chatgpt-lockdown-mode-prompt-injection-egress-control/</guid><description>OpenAI’s ChatGPT Lockdown Mode is a useful reminder that prompt-injection defense is not just about model behavior. It is about limiting outbound paths, connector permissions, and tool access around sensitive work.</description><pubDate>Sat, 06 Jun 2026 15:04:49 GMT</pubDate><category>AI (General)</category></item><item><title>PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching</title><link>https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/</link><guid isPermaLink="true">https://bulwarkblack.com/pan-os-globalprotect-cve-2026-0257-vpn-log-review/</guid><description>Unit 42 reports active exploitation attempts against PAN-OS GlobalProtect CVE-2026-0257. Defenders should patch, but also review VPN sessions, authentication override cookie behavior, and edge-device telemetry for signs of unauthorized access.</description><pubDate>Sat, 06 Jun 2026 01:04:43 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms</title><link>https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/</link><guid isPermaLink="true">https://bulwarkblack.com/unc3753-vishing-rmm-physical-intrusions-law-firms/</guid><description>Mandiant reports that UNC3753, also known as Luna Moth / Silent Ransom Group, is targeting U.S. law firms and professional services with vishing, RMM abuse, rapid data theft, and suspected physical office intrusions. Here is what SMBs and government contractors should lock down n</description><pubDate>Fri, 05 Jun 2026 20:06:19 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review</title><link>https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/</guid><description>Cisco says CVE-2026-20245 has been exploited against Catalyst SD-WAN Manager. Defenders should preserve evidence, review controller logs, validate edge-device configuration, and restrict management-plane access.</description><pubDate>Fri, 05 Jun 2026 15:07:55 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Agentic AI Failure Modes Show Why AI Tools Need Supply-Chain Controls</title><link>https://bulwarkblack.com/agentic-ai-failure-modes-supply-chain-controls/</link><guid isPermaLink="true">https://bulwarkblack.com/agentic-ai-failure-modes-supply-chain-controls/</guid><description>Microsoft’s updated agentic AI failure-mode taxonomy turns AI agents into a practical security architecture problem: plugins, prompts, memory, browser use, and human approvals all need controls.</description><pubDate>Fri, 05 Jun 2026 01:05:21 GMT</pubDate><category>AI (General)</category></item><item><title>Error 524 Smishing Shows Why Fraud Infrastructure Needs CTI</title><link>https://bulwarkblack.com/error-524-smishing-fraud-infrastructure-cti-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/error-524-smishing-fraud-infrastructure-cti-defense/</guid><description>Group-IB documented a global smishing operation using fake error pages, geofencing, and encrypted WebSocket exfiltration. Here is what SMBs and government contractors should take from it.</description><pubDate>Thu, 04 Jun 2026 20:04:19 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Fuel Tank Gauge Attacks Show Why Small OT Still Needs Internet Exposure Control</title><link>https://bulwarkblack.com/automatic-tank-gauge-cyberattacks-ot-exposure-control/</link><guid isPermaLink="true">https://bulwarkblack.com/automatic-tank-gauge-cyberattacks-ot-exposure-control/</guid><description>Federal agencies warn that attackers are compromising internet-exposed automatic tank gauge systems. The lesson for SMBs, fuel operators, farms, logistics firms, and gov contractors is simple: small OT is still operational infrastructure.</description><pubDate>Thu, 04 Jun 2026 15:04:29 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Stock Exchange Mailbox Espionage Shows Executive Email Is Strategic Infrastructure</title><link>https://bulwarkblack.com/stock-exchange-mailbox-espionage-executive-email-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/stock-exchange-mailbox-espionage-executive-email-defense/</guid><description>A five-month espionage campaign against a stock exchange executive mailbox shows why senior email accounts need privileged-asset controls, cloud exfiltration monitoring, and scheduled-task hunting.</description><pubDate>Thu, 04 Jun 2026 01:05:22 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure</title><link>https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/ta4922-global-hr-tax-phishing-rmm-defense/</guid><description>Proofpoint’s TA4922 reporting shows how localized HR, payroll, tax, and invoice lures can become full initial-access infrastructure through DLL sideloading, loaders, RATs, RMM tools, and browser credential theft.</description><pubDate>Wed, 03 Jun 2026 20:05:18 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Red Hat’s Miasma npm Compromise Shows Trusted Publishing Is Not a Control Boundary</title><link>https://bulwarkblack.com/red-hat-miasma-npm-supply-chain-trusted-publishing-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/red-hat-miasma-npm-supply-chain-trusted-publishing-defense/</guid><description>A Red Hat Cloud Services npm compromise shows why signed releases and trusted publishing must be paired with install-time controls, CI/CD isolation, and fast credential rotation.</description><pubDate>Wed, 03 Jun 2026 15:04:14 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>AI-Assisted Ransomware Tooling Shows EDR Evasion Is Now an Iteration Problem</title><link>https://bulwarkblack.com/ai-assisted-ransomware-edr-evasion-iteration-problem/</link><guid isPermaLink="true">https://bulwarkblack.com/ai-assisted-ransomware-edr-evasion-iteration-problem/</guid><description>Sophos observed ransomware-linked operators using AI-assisted development workflows to accelerate EDR evasion testing and Active Directory discovery. The defensive lesson: validate controls, harden identity, and monitor behavior before attackers iterate around your tooling.</description><pubDate>Wed, 03 Jun 2026 01:05:01 GMT</pubDate><category>AI (General)</category></item><item><title>FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware</title><link>https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/flutterbridge-macos-malvertising-fluttershell-backdoor-defense/</guid><description>Unit 42’s FlutterBridge research shows macOS malvertising evolving from adware into FlutterShell backdoor delivery. Here is what SMBs and government contractors should tighten first.</description><pubDate>Tue, 02 Jun 2026 20:04:00 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Mustang Panda’s Fake Browser Updater Shows Why LNK Files Still Matter</title><link>https://bulwarkblack.com/mustang-panda-plugx-fake-browser-updater-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/mustang-panda-plugx-fake-browser-updater-defense/</guid><description>Mustang Panda’s fake browser updater chain shows why defenders still need to hunt LNK-to-PowerShell execution, DLL sideloading, user-context persistence, and suspicious HTTPS beaconing.</description><pubDate>Tue, 02 Jun 2026 15:04:24 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System</title><link>https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/</link><guid isPermaLink="true">https://bulwarkblack.com/forticlient-ems-ekz-infostealer-delivery/</guid><description>Attackers are abusing CVE-2026-35616 in FortiClient EMS to push a credential stealer through trusted endpoint management workflows. Here is what defenders should check first.</description><pubDate>Tue, 02 Jun 2026 01:05:30 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Meta AI Support Bot Abuse Shows Account Recovery Is Part of the Identity Perimeter</title><link>https://bulwarkblack.com/meta-ai-support-bot-account-recovery-risk/</link><guid isPermaLink="true">https://bulwarkblack.com/meta-ai-support-bot-account-recovery-risk/</guid><description>Attackers reportedly abused Meta’s AI support assistant during Instagram account recovery. The lesson for SMBs and contractors: recovery workflows are identity infrastructure and need MFA, monitoring, and guardrails.</description><pubDate>Mon, 01 Jun 2026 20:06:35 GMT</pubDate><category>AI (General)</category></item><item><title>SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise</title><link>https://bulwarkblack.com/solyximmortal-python-infostealer-business-risk/</link><guid isPermaLink="true">https://bulwarkblack.com/solyximmortal-python-infostealer-business-risk/</guid><description>SolyxImmortal combines persistence, browser credential theft, document collection, screenshots, keylogging, and webhook exfiltration. Here is what SMB and government-contractor defenders should do about it.</description><pubDate>Mon, 01 Jun 2026 15:07:46 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting</title><link>https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/showboat-jfmbackdoor-telecom-intrusion-defense/</guid><description>Lumen and PwC reporting on Showboat, Red Lamassu, and JFMBackdoor shows how China-linked telecom intrusions combine Linux footholds, proxying, and Windows backdoors. Here is what SMBs and government contractors should harden now.</description><pubDate>Mon, 01 Jun 2026 01:06:17 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>WP Maps Pro Exploitation Shows Why Plugin Support Features Need Security Review</title><link>https://bulwarkblack.com/wp-maps-pro-admin-account-vulnerability-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/wp-maps-pro-admin-account-vulnerability-defense/</guid><description>Attackers are exploiting CVE-2026-8732 in WP Maps Pro to create rogue WordPress administrator accounts. Here is what SMBs and contractors should patch, audit, and verify.</description><pubDate>Sun, 31 May 2026 20:05:51 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>SideCopy’s XenoRAT Campaign Shows Why Localized Lures Beat Generic Phishing Defenses</title><link>https://bulwarkblack.com/sidecopy-xenorat-localized-phishing-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/sidecopy-xenorat-localized-phishing-defense/</guid><description>SideCopy/APT36 targeted Afghanistan finance officials with Pashto-language lures and XenoRAT. Here is what SMBs and government contractors should take from the campaign.</description><pubDate>Sun, 31 May 2026 15:13:08 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Dependency Confusion Campaign Shows Reconnaissance Is the First Supply-Chain Payload</title><link>https://bulwarkblack.com/npm-dependency-confusion-recon-supply-chain-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/npm-dependency-confusion-recon-supply-chain-defense/</guid><description>Microsoft found 33 malicious npm packages abusing dependency confusion to profile developer and build environments. The defender lesson: treat package installation as code execution and lock down internal namespace hygiene before attackers do reconnaissance at scale.</description><pubDate>Sun, 31 May 2026 01:03:55 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>MediaInfoLib Parser Bugs Show File Metadata Is an Execution Boundary</title><link>https://bulwarkblack.com/mediainfolib-parser-bugs-file-metadata-execution-boundary/</link><guid isPermaLink="true">https://bulwarkblack.com/mediainfolib-parser-bugs-file-metadata-execution-boundary/</guid><description>Cisco Talos disclosed four patched MediaInfoLib heap-based buffer overflow vulnerabilities. The bigger lesson: automated media metadata parsing belongs inside a sandboxed, monitored execution boundary.</description><pubDate>Wed, 27 May 2026 15:04:06 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access</title><link>https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/poisoned-search-ai-screenconnect-cryptojacking-defense/</guid><description>Microsoft reported a cryptojacking campaign that uses poisoned search results, AI-surfaced software recommendations, fake utility downloads, and abused ScreenConnect access. Here is what SMBs and government contractors should defend first.</description><pubDate>Wed, 27 May 2026 01:10:44 GMT</pubDate><category>AI (General)</category></item><item><title>LiteSpeed cPanel KEV Shows Shared Hosting Is Privilege Escalation Terrain</title><link>https://bulwarkblack.com/litespeed-cpanel-kev-shared-hosting-privilege-escalation/</link><guid isPermaLink="true">https://bulwarkblack.com/litespeed-cpanel-kev-shared-hosting-privilege-escalation/</guid><description>CISA added CVE-2026-48172 to KEV after active exploitation of a LiteSpeed cPanel user-end plugin flaw that can let compromised hosting accounts execute scripts as root.</description><pubDate>Tue, 26 May 2026 20:08:08 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield</title><link>https://bulwarkblack.com/megalodon-github-actions-cicd-secret-theft-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/megalodon-github-actions-cicd-secret-theft-defense/</guid><description>The Megalodon GitHub campaign shows why CI/CD pipelines must be treated like production infrastructure: malicious workflow commits can harvest cloud credentials, OIDC tokens, SSH keys, and package secrets at scale.</description><pubDate>Tue, 26 May 2026 15:12:22 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Chinese-Language PhaaS Shows MFA Bypass Is Becoming Real-Time Fraud</title><link>https://bulwarkblack.com/chinese-phaas-real-time-otp-wallet-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/chinese-phaas-real-time-otp-wallet-defense/</guid><description>Google’s reporting on Chinese-language phishing-as-a-service shows why MFA bypass, real-time OTP interception, and digital wallet fraud require phishing-resistant authentication and session monitoring.</description><pubDate>Mon, 25 May 2026 20:05:03 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>KnowledgeDeliver RCE Shows Shared Machine Keys Are Shared Blast Radius</title><link>https://bulwarkblack.com/knowledgedeliver-viewstate-shared-machine-key-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/knowledgedeliver-viewstate-shared-machine-key-defense/</guid><description>Mandiant’s KnowledgeDeliver CVE-2026-5426 report shows how shared ASP.NET machine keys can turn ViewState into unauthenticated RCE and user-facing malware delivery.</description><pubDate>Mon, 25 May 2026 15:04:31 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Laravel-Lang Compromise Shows Dependency Tags Can Be Weaponized</title><link>https://bulwarkblack.com/laravel-lang-composer-supply-chain-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/laravel-lang-composer-supply-chain-defense/</guid><description>A Laravel-Lang package compromise shows why trusted dependency tags, Composer autoload behavior, and runtime secrets need security monitoring—not just engineering review.</description><pubDate>Mon, 25 May 2026 01:10:09 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven</title><link>https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/clop-south-staffs-water-soc-coverage-defense/</guid><description>The South Staffordshire Water breach shows why outsourced SOC coverage, legacy server risk, and vulnerability management must be proven—not assumed—for SMBs, utilities, and government contractors.</description><pubDate>Sun, 24 May 2026 20:06:55 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>ROADtools Abuse Shows Cloud Identity Is the New Attack Surface</title><link>https://bulwarkblack.com/roadtools-cloud-identity-entra-id-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/roadtools-cloud-identity-entra-id-defense/</guid><description>Unit 42’s ROADtools research shows why Microsoft Entra ID token abuse, rogue device registration, and Graph API enumeration need to be treated as core incident-response signals for SMBs and government contractors.</description><pubDate>Sun, 24 May 2026 15:12:59 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Drupal CVE-2026-9082 Shows Web Asset Inventory Is Emergency Response</title><link>https://bulwarkblack.com/drupal-cve-2026-9082-web-asset-inventory-response/</link><guid isPermaLink="true">https://bulwarkblack.com/drupal-cve-2026-9082-web-asset-inventory-response/</guid><description>Drupal CVE-2026-9082 is already being scanned and exploited in the wild. The lesson for SMBs and government contractors: know where your Drupal sites are, verify PostgreSQL exposure, patch fast, and review logs before probing turns into compromise.</description><pubDate>Sun, 24 May 2026 01:07:26 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk</title><link>https://bulwarkblack.com/void-dokkaebi-invisibleferret-developer-endpoint-risk/</link><guid isPermaLink="true">https://bulwarkblack.com/void-dokkaebi-invisibleferret-developer-endpoint-risk/</guid><description>Trend Micro reports North Korea-aligned Void Dokkaebi has moved InvisibleFerret into Cython-compiled Python extension modules. For SMBs and government contractors, the real risk is developer endpoint access to CI/CD, cloud, and production secrets.</description><pubDate>Sat, 23 May 2026 15:08:48 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Nimbus Manticore Shows Iranian APTs Are Moving Faster With AI-Assisted Tooling</title><link>https://bulwarkblack.com/nimbus-manticore-minifast-iran-apt-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/nimbus-manticore-minifast-iran-apt-defense/</guid><description>Check Point Research reports that IRGC-affiliated Nimbus Manticore resurfaced with fake Zoom and SQL Developer lures, SEO poisoning, AppDomain hijacking, and a new MiniFast backdoor. Here is what SMBs and government contractors should tighten first.</description><pubDate>Sat, 23 May 2026 01:04:27 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths</title><link>https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/</link><guid isPermaLink="true">https://bulwarkblack.com/f5-confluence-edge-identity-attack-path/</guid><description>Microsoft analyzed an intrusion where an F5 BIG-IP edge appliance led to Linux access, Confluence compromise, credential theft, and identity relay attempts. Here is what SMBs and government contractors should tighten first.</description><pubDate>Fri, 22 May 2026 20:04:38 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface</title><link>https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/</link><guid isPermaLink="true">https://bulwarkblack.com/screening-serpens-recruiting-espionage-attack-surface/</guid><description>Iran-nexus Screening Serpens used recruitment and meeting lures, new RAT variants, and .NET AppDomainManager hijacking. Here is what SMBs and government contractors should tighten now.</description><pubDate>Fri, 22 May 2026 15:06:52 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Kimwolf Arrest Shows DDoS Risk Starts on Forgotten IoT</title><link>https://bulwarkblack.com/kimwolf-arrest-iot-ddos-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/kimwolf-arrest-iot-ddos-defense/</guid><description>The alleged Kimwolf botmaster arrest is a useful reminder for SMBs and government contractors: DDoS resilience starts with asset visibility, upstream protection, and hardening forgotten IoT and edge devices.</description><pubDate>Fri, 22 May 2026 01:04:33 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default</title><link>https://bulwarkblack.com/tamperedchef-signed-productivity-apps-malware-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/tamperedchef-signed-productivity-apps-malware-defense/</guid><description>TamperedChef-style malware hides inside convincing signed productivity apps. Here is what SMBs and government contractors should do about it.</description><pubDate>Thu, 21 May 2026 20:05:34 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Patriot Bait Shows AI-Enabled Fraud Can Turn Trust Into Attack Surface</title><link>https://bulwarkblack.com/patriot-bait-ai-enabled-fraud-trust-attack-surface/</link><guid isPermaLink="true">https://bulwarkblack.com/patriot-bait-ai-enabled-fraud-trust-attack-surface/</guid><description>Trend Micro’s Patriot Bait research shows how one operator used AI assistance, social trust, WordPress credential attacks, and crypto fraud infrastructure to scale a low-cost cybercrime operation.</description><pubDate>Thu, 21 May 2026 15:04:56 GMT</pubDate><category>AI (General)</category></item><item><title>Mini Shai-Hulud Shows CI/CD Secrets Are the Real npm Supply-Chain Prize</title><link>https://bulwarkblack.com/mini-shai-hulud-antv-npm-cicd-secrets-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/mini-shai-hulud-antv-npm-cicd-secrets-defense/</guid><description>Mini Shai-Hulud’s @antv npm compromise shows why dependency malware should be treated as a CI/CD credential-theft threat, not just a package hygiene problem.</description><pubDate>Thu, 21 May 2026 01:04:15 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>ExifTool CVE-2026-3102 Shows Image Metadata Belongs in the Threat Model</title><link>https://bulwarkblack.com/exiftool-cve-2026-3102-image-metadata-threat-model/</link><guid isPermaLink="true">https://bulwarkblack.com/exiftool-cve-2026-3102-image-metadata-threat-model/</guid><description>CVE-2026-3102 in ExifTool shows why image metadata processing should be patched, isolated, and monitored like any other untrusted file-ingest path.</description><pubDate>Wed, 20 May 2026 20:05:07 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure</title><link>https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/p2pinfect-kubernetes-redis-botnet-defense/</guid><description>Fortinet observed P2Pinfect infections inside GKE clusters where exposed Redis instances became long-lived botnet footholds. For SMBs and government contractors, the lesson is clear: cloud misconfiguration, runtime visibility, and egress monitoring matter as much as patching.</description><pubDate>Wed, 20 May 2026 15:09:53 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Verizon DBIR 2026 Shows Vulnerability Exploitation Is Now the Breach Priority</title><link>https://bulwarkblack.com/verizon-dbir-2026-vulnerability-exploitation-priority/</link><guid isPermaLink="true">https://bulwarkblack.com/verizon-dbir-2026-vulnerability-exploitation-priority/</guid><description>Verizon’s 2026 DBIR shows vulnerability exploitation overtaking credential abuse as the top breach access vector. Here is what SMBs and government contractors should fix first.</description><pubDate>Wed, 20 May 2026 01:03:57 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Fox Tempest Shows Code Signing Trust Can Be Weaponized</title><link>https://bulwarkblack.com/fox-tempest-code-signing-trust-weaponized/</link><guid isPermaLink="true">https://bulwarkblack.com/fox-tempest-code-signing-trust-weaponized/</guid><description>Microsoft disrupted Fox Tempest, a malware-signing-as-a-service operation that helped ransomware crews make malicious binaries look trusted. Here is what SMBs and government contractors should review now.</description><pubDate>Tue, 19 May 2026 20:10:42 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>CISA GovCloud Leak Shows Secret Scanning Cannot Be Optional</title><link>https://bulwarkblack.com/cisa-govcloud-github-secrets-leak/</link><guid isPermaLink="true">https://bulwarkblack.com/cisa-govcloud-github-secrets-leak/</guid><description>A reported CISA contractor GitHub leak shows why secret scanning, token rotation, and CI/CD hardening need to be enforced controls, not optional developer hygiene.</description><pubDate>Tue, 19 May 2026 15:07:06 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Storm-2949 Shows Cloud Breaches Start With Identity, Not Malware</title><link>https://bulwarkblack.com/storm-2949-cloud-identity-breach-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/storm-2949-cloud-identity-breach-defense/</guid><description>Microsoft’s Storm-2949 case study is a clean warning for SMBs and government contractors: once cloud identity and control-plane access are compromised, attackers can steal data without deploying traditional malware.</description><pubDate>Tue, 19 May 2026 01:03:14 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>AI Agent Governance Is Becoming a Security Control, Not a Nice-to-Have</title><link>https://bulwarkblack.com/ai-agent-governance-security-control/</link><guid isPermaLink="true">https://bulwarkblack.com/ai-agent-governance-security-control/</guid><description>AI agents now operate with real credentials inside business systems. Here is how SMBs and government contractors should govern identity, authority, action, and evidence before agentic workflows become unmanaged risk.</description><pubDate>Mon, 18 May 2026 15:39:13 GMT</pubDate><category>AI (General)</category></item><item><title>SGLang RCE Flaws Show AI Inference Servers Need Real Network Isolation</title><link>https://bulwarkblack.com/sglang-rce-ai-inference-network-isolation/</link><guid isPermaLink="true">https://bulwarkblack.com/sglang-rce-ai-inference-network-isolation/</guid><description>CERT/CC disclosed three SGLang vulnerabilities affecting AI inference deployments, including remote code execution and path traversal risks. Here is what SMBs and government contractors should do now.</description><pubDate>Mon, 18 May 2026 15:36:57 GMT</pubDate><category>AI (General)</category></item><item><title>Grafana GitHub Token Breach Shows Why Source Code Access Needs Guardrails</title><link>https://bulwarkblack.com/grafana-github-token-breach-source-code-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/grafana-github-token-breach-source-code-defense/</guid><description>Grafana disclosed unauthorized GitHub access tied to a leaked token and codebase download. Here is what SMBs and government contractors should tighten around source-code access, CI/CD tokens, and extortion readiness.</description><pubDate>Sun, 17 May 2026 20:08:51 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>AI Literacy Needs Fundamentals: Teaching Technology in the Real World</title><link>https://bulwarkblack.com/ai-literacy-needs-fundamentals-teaching-technology-real-world/</link><guid isPermaLink="true">https://bulwarkblack.com/ai-literacy-needs-fundamentals-teaching-technology-real-world/</guid><description>Albert LaScola reflects on teaching database systems, governance, risk management, and AI literacy through a fundamentals-first approach shaped by Navy operations, security work, Bulwark Black, and Rural Tech and Support.</description><pubDate>Sun, 17 May 2026 17:25:56 GMT</pubDate><category>AI (General)</category></item><item><title>node-ipc Backdoor Shows Why CI Secrets Need Supply Chain Controls</title><link>https://bulwarkblack.com/node-ipc-npm-supply-chain-ci-secrets-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/node-ipc-npm-supply-chain-ci-secrets-defense/</guid><description>Malicious node-ipc npm releases turned a package update into a credential-exposure event. Here is what SMBs and government contractors should check first.</description><pubDate>Sun, 17 May 2026 15:43:37 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Exchange OWA Zero-Day Shows Why Email Servers Need Emergency Mitigation</title><link>https://bulwarkblack.com/exchange-owa-zero-day-cisa-kev-mitigation/</link><guid isPermaLink="true">https://bulwarkblack.com/exchange-owa-zero-day-cisa-kev-mitigation/</guid><description>CISA added Microsoft Exchange Server CVE-2026-42897 to KEV after evidence of active exploitation. For SMBs and government contractors, the lesson is simple: internet-facing email infrastructure needs emergency mitigation playbooks before the patch lands.</description><pubDate>Sun, 17 May 2026 01:04:06 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Device Code Phishing Turns Legitimate Login Flows Into Token Theft</title><link>https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/device-code-phishing-oauth-token-theft-defense/</guid><description>Device code phishing is scaling because it abuses legitimate OAuth flows instead of simply stealing passwords. Here is what SMBs and government contractors should review now.</description><pubDate>Sat, 16 May 2026 20:08:18 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Recent Linux Kernel Exploits Make Attack Surface Reduction a Practical Priority</title><link>https://bulwarkblack.com/linux-kernel-ipsec-attack-surface-reduction/</link><guid isPermaLink="true">https://bulwarkblack.com/linux-kernel-ipsec-attack-surface-reduction/</guid><description>Recent Linux kernel exploit discussions show why SMBs and government contractors should reduce unused modules and services, not just wait for patches.</description><pubDate>Sat, 16 May 2026 15:06:44 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight</title><link>https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/pawsrunner-steganography-purelogs-infostealer-defense/</guid><description>FortiGuard Labs reports PureLogs is being delivered through PawsRunner steganography. Here is what SMBs and government contractors should watch for defensively.</description><pubDate>Sat, 16 May 2026 01:03:47 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough</title><link>https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/blackfile-vishing-extortion-identity-defense/</guid><description>GTIG reports UNC6671 / BlackFile is using vishing, AiTM phishing, and SaaS data theft to extort organizations. Here is what SMBs and government contractors should harden now.</description><pubDate>Fri, 15 May 2026 20:06:06 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets</title><link>https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/</link><guid isPermaLink="true">https://bulwarkblack.com/gremlin-stealer-browser-session-resource-obfuscation/</guid><description>Unit 42 reports Gremlin Stealer has evolved with resource-file obfuscation, session hijacking, Discord token theft, and crypto clipboard fraud. Here is what SMBs and government contractors should do defensively.</description><pubDate>Fri, 15 May 2026 15:07:52 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review</title><link>https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/</link><guid isPermaLink="true">https://bulwarkblack.com/cisco-sdwan-active-exploitation-edge-controller-review/</guid><description>Cisco Talos reports active exploitation of Catalyst SD-WAN authentication bypass and related vulnerabilities. Here is what SMBs and government contractors should prioritize now.</description><pubDate>Fri, 15 May 2026 01:04:46 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Kazuar Shows Russian Espionage Malware Is Engineering for Resilience</title><link>https://bulwarkblack.com/kazuar-p2p-botnet-russian-espionage-defense/</link><guid isPermaLink="true">https://bulwarkblack.com/kazuar-p2p-botnet-russian-espionage-defense/</guid><description>Microsoft reports that Kazuar, attributed to Russian state actor Secret Blizzard, has evolved into a modular P2P botnet. Here is what SMBs and government contractors should take from it defensively.</description><pubDate>Thu, 14 May 2026 20:04:19 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Exposed AI Apps Turn Misconfiguration Into RCE Risk</title><link>https://bulwarkblack.com/exposed-ai-apps-misconfiguration-rce-risk/</link><guid isPermaLink="true">https://bulwarkblack.com/exposed-ai-apps-misconfiguration-rce-risk/</guid><description>Microsoft warns that publicly exposed AI apps, MCP servers, and Kubernetes-hosted agent tooling can turn weak defaults into practical paths for RCE, credential theft, and data exposure.</description><pubDate>Thu, 14 May 2026 15:14:25 GMT</pubDate><category>AI (General)</category></item><item><title>May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs</title><link>https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/</link><guid isPermaLink="true">https://bulwarkblack.com/may-2026-patch-tuesday-smb-prioritization/</guid><description>Microsoft’s May 2026 Patch Tuesday shipped 132 CVEs. Here is how SMBs and government contractors should prioritize identity, server, and Office risks first.</description><pubDate>Thu, 14 May 2026 01:04:43 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem</title><link>https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/</link><guid isPermaLink="true">https://bulwarkblack.com/gentlemen-raas-leak-edge-device-ransomware-risk/</guid><description>Check Point’s look inside The Gentlemen ransomware operation is a useful reminder for SMBs and government contractors: exposed edge appliances, weak identity controls, and unmanaged remote access paths still drive real ransomware risk.</description><pubDate>Wed, 13 May 2026 20:08:11 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification</title><link>https://bulwarkblack.com/jdownloader-site-compromise-trusted-download-verification/</link><guid isPermaLink="true">https://bulwarkblack.com/jdownloader-site-compromise-trusted-download-verification/</guid><description>Attackers swapped selected JDownloader website download links with malicious installers. Here is what SMB and government-contractor defenders should do about trusted-download risk.</description><pubDate>Sat, 09 May 2026 20:06:43 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Fake OpenAI Hugging Face Repo Shows AI Supply Chain Risk Is Already Here</title><link>https://bulwarkblack.com/fake-openai-hugging-face-infostealer-ai-supply-chain-risk/</link><guid isPermaLink="true">https://bulwarkblack.com/fake-openai-hugging-face-infostealer-ai-supply-chain-risk/</guid><description>A fake OpenAI Privacy Filter repository on Hugging Face delivered Windows infostealer malware. Here is what SMB and gov-contractor defenders should take from it.</description><pubDate>Sat, 09 May 2026 15:09:27 GMT</pubDate><category>AI (General)</category></item><item><title>MCP Server Command Injection Shows Why AI Tools Need Real Isolation</title><link>https://bulwarkblack.com/mcp-server-command-injection-ai-tool-isolation/</link><guid isPermaLink="true">https://bulwarkblack.com/mcp-server-command-injection-ai-tool-isolation/</guid><description>A critical GitHub advisory for @profullstack/mcp-server shows how unsafe AI tool endpoints can turn domain lookup functionality into unauthenticated remote code execution.</description><pubDate>Sat, 09 May 2026 01:06:51 GMT</pubDate><category>AI (General)</category></item><item><title>Dirty Frag Turns Linux Footholds Into Root: What Defenders Should Do Now</title><link>https://bulwarkblack.com/dirty-frag-linux-privilege-escalation-defender-guide/</link><guid isPermaLink="true">https://bulwarkblack.com/dirty-frag-linux-privilege-escalation-defender-guide/</guid><description>Microsoft is tracking active Dirty Frag Linux privilege escalation activity. Here is what SMB and gov-contractor defenders should prioritize now.</description><pubDate>Fri, 08 May 2026 20:06:13 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Prompt Injection Just Became an RCE Problem for AI Agents</title><link>https://bulwarkblack.com/prompt-injection-rce-ai-agent-frameworks/</link><guid isPermaLink="true">https://bulwarkblack.com/prompt-injection-rce-ai-agent-frameworks/</guid><description>Microsoft disclosed Semantic Kernel vulnerabilities showing how prompt injection can cross into code execution when AI agents are connected to unsafe tools. Here is what defenders should review now.</description><pubDate>Fri, 08 May 2026 15:10:01 GMT</pubDate><category>AI (General)</category></item><item><title>NASA Put a Geospatial AI Foundation Model in Orbit — That Should Make You Think</title><link>https://bulwarkblack.com/nasa-prithvi-geospatial-ai-orbit/</link><guid isPermaLink="true">https://bulwarkblack.com/nasa-prithvi-geospatial-ai-orbit/</guid><description>NASA and IBM’s open-source Prithvi geospatial AI model has now been demonstrated in orbit. The milestone points toward a future where satellites analyze data before sending it home — and where security has to follow AI into operational environments.</description><pubDate>Fri, 08 May 2026 05:35:44 GMT</pubDate><category>Makes you Think</category></item><item><title>PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review</title><link>https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/</link><guid isPermaLink="true">https://bulwarkblack.com/pan-os-captive-portal-zero-day-edge-device-review/</guid><description>Unit 42 reports limited exploitation of CVE-2026-0300, a PAN-OS Captive Portal zero-day. Here is what SMB and government-contractor defenders should check now.</description><pubDate>Fri, 08 May 2026 01:06:24 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>PCPJack Shows Cloud Malware Is Moving From Cryptomining to Credential Theft</title><link>https://bulwarkblack.com/pcpjack-cloud-worm-credential-theft/</link><guid isPermaLink="true">https://bulwarkblack.com/pcpjack-cloud-worm-credential-theft/</guid><description>SentinelLabs reported PCPJack, a cloud-focused worm that evicts TeamPCP artifacts, steals credentials from exposed infrastructure, and spreads across cloud systems.</description><pubDate>Thu, 07 May 2026 18:38:54 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Hormuz Crisis Investment Report</title><link>https://bulwarkblack.com/2174-2/</link><guid isPermaLink="true">https://bulwarkblack.com/2174-2/</guid><description>2026 Hormuz Crisis — Investment Strategy Report BRENT CRUDE $101.91 ▲3.47% WTI CRUDE $98.50 ▲3.12% GOLD $4,750 ▼0.72% XLE +25% YTD XOP +30% YTD BWET +411% Q1 2026 S&amp;P 500 -4.4% YTD 10-YR YIELD 4.46% HORMUZ STATUS BLOCKADE ACTIVE IEA: LARGEST SUPPLY DISRUPTION IN HISTORY BRENT CRU</description><pubDate>Mon, 27 Apr 2026 18:34:26 GMT</pubDate><category>Business</category></item><item><title>Critical Cisco IMC Authentication Bypass Enables Unauthenticated Admin Access</title><link>https://bulwarkblack.com/critical-cisco-imc-authentication-bypass-enables-unauthenticated-admin-access/</link><guid isPermaLink="true">https://bulwarkblack.com/critical-cisco-imc-authentication-bypass-enables-unauthenticated-admin-access/</guid><description>Cisco has released urgent security patches addressing multiple critical and high-severity vulnerabilities, including a maximum-severity authentication bypass in the Integrated Management Controller (IMC) that allows unauthenticated attackers to gain administrative access to affec</description><pubDate>Sat, 04 Apr 2026 20:09:21 GMT</pubDate><category>Threat Intelligence</category></item><item><title>Critical Cisco IMC Authentication Bypass Grants Remote Attackers Admin Privileges</title><link>https://bulwarkblack.com/critical-cisco-imc-authentication-bypass-grants-remote-attackers-admin-privileges/</link><guid isPermaLink="true">https://bulwarkblack.com/critical-cisco-imc-authentication-bypass-grants-remote-attackers-admin-privileges/</guid><description>Cisco has released emergency security updates to patch a critical authentication bypass vulnerability in its Integrated Management Controller (IMC), a critical component embedded on the motherboard of Cisco UCS C-Series and E-Series servers that provides out-of-band management ca</description><pubDate>Sat, 04 Apr 2026 15:09:34 GMT</pubDate><category>General CTI</category></item><item><title>CrystalX RAT: New Malware-as-a-Service Combines Spyware, Stealer, and Prankware Capabilities</title><link>https://bulwarkblack.com/crystalx-rat-new-malware-as-a-service-combines-spyware-stealer-and-prankware-capabilities/</link><guid isPermaLink="true">https://bulwarkblack.com/crystalx-rat-new-malware-as-a-service-combines-spyware-stealer-and-prankware-capabilities/</guid><description>Kaspersky researchers have uncovered CrystalX RAT, a sophisticated new malware-as-a-service (MaaS) platform that combines remote access trojan capabilities with data theft, keylogging, and uniquely disturbing prankware features designed to psychologically torment victims. From We</description><pubDate>Sat, 04 Apr 2026 01:05:41 GMT</pubDate><category>Malware</category></item><item><title>CL-STA-1087: Chinese APT Targets Southeast Asian Militaries with AppleChris and MemFun Backdoors</title><link>https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/</link><guid isPermaLink="true">https://bulwarkblack.com/cl-sta-1087-chinese-apt-targets-southeast-asian-militaries-with-applechris-and-memfun-backdoors/</guid><description>Unit 42 researchers have uncovered a sophisticated Chinese espionage campaign, designated CL-STA-1087, that has been systematically targeting military organizations across Southeast Asia since at least 2020. The state-sponsored operation demonstrates exceptional operational patie</description><pubDate>Fri, 03 Apr 2026 20:06:25 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>UAT-10608: NEXUS Listener Framework Compromises 766 Next.js Hosts in 24-Hour Credential Harvesting Blitz</title><link>https://bulwarkblack.com/uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz/</link><guid isPermaLink="true">https://bulwarkblack.com/uat-10608-nexus-listener-framework-compromises-766-next-js-hosts-in-24-hour-credential-harvesting-blitz/</guid><description>Cisco Talos has disclosed a large-scale automated credential harvesting campaign carried out by a threat cluster they are tracking as “UAT-10608.” The systematic exploitation campaign leverages a custom framework called “NEXUS Listener” to target Next.js applications vulnerable t</description><pubDate>Fri, 03 Apr 2026 15:05:56 GMT</pubDate><category>General CTI</category></item><item><title>DPRK Threat Actors Leverage GitHub as Command and Control Infrastructure in Multi-Stage LNK Attacks</title><link>https://bulwarkblack.com/dprk-threat-actors-leverage-github-as-command-and-control-infrastructure-in-multi-stage-lnk-attacks/</link><guid isPermaLink="true">https://bulwarkblack.com/dprk-threat-actors-leverage-github-as-command-and-control-infrastructure-in-multi-stage-lnk-attacks/</guid><description>North Korean state-sponsored threat actors have been observed targeting South Korean organizations with a sophisticated multi-stage attack chain that abuses GitHub as command and control (C2) infrastructure. Fortinet FortiGuard Labs published research on April 2, 2026 detailing t</description><pubDate>Thu, 02 Apr 2026 20:06:07 GMT</pubDate><category>North Korean Cyber Threat Intelligence</category></item><item><title>LiteLLM Supply Chain Attack: TeamPCP Deploys Multi-Stage Credential Stealer to 95M Monthly Downloads</title><link>https://bulwarkblack.com/litellm-supply-chain-attack-teampcp-deploys-multi-stage-credential-stealer-to-95m-monthly-downloads/</link><guid isPermaLink="true">https://bulwarkblack.com/litellm-supply-chain-attack-teampcp-deploys-multi-stage-credential-stealer-to-95m-monthly-downloads/</guid><description>A sophisticated supply chain attack has compromised LiteLLM, the widely-used Python library for interfacing with large language models, delivering multi-stage credential-stealing malware to systems downloading over 95 million packages per month. The attack, attributed to TeamPCP—</description><pubDate>Thu, 02 Apr 2026 01:04:53 GMT</pubDate><category>AI (General)</category></item><item><title>Operation TrueChaos: Chinese APT Exploits TrueConf Zero-Day CVE-2026-3502 to Target Southeast Asian Governments</title><link>https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/</link><guid isPermaLink="true">https://bulwarkblack.com/operation-truechaos-chinese-apt-exploits-trueconf-zero-day-cve-2026-3502-to-target-southeast-asian-governments/</guid><description>A critical zero-day vulnerability in the TrueConf video conferencing platform is being actively exploited in a sophisticated espionage campaign targeting government entities across Southeast Asia. Check Point Research has uncovered Operation TrueChaos, a targeted attack campaign </description><pubDate>Wed, 01 Apr 2026 15:02:52 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Axios npm Supply Chain Attack Deploys Cross-Platform RAT to 83 Million Weekly Users</title><link>https://bulwarkblack.com/axios-npm-supply-chain-attack-deploys-cross-platform-rat-to-83-million-weekly-users/</link><guid isPermaLink="true">https://bulwarkblack.com/axios-npm-supply-chain-attack-deploys-cross-platform-rat-to-83-million-weekly-users/</guid><description>On March 31, 2026, the cybersecurity landscape was shaken by a significant supply chain attack targeting Axios, one of the most widely used HTTP client libraries in the JavaScript ecosystem with over 83 million weekly downloads. Attackers compromised a maintainer account to injec</description><pubDate>Wed, 01 Apr 2026 01:02:39 GMT</pubDate><category>Malware</category></item><item><title>DeepLoad Malware: AI-Generated Evasion Meets ClickFix Delivery in Enterprise Credential Theft Campaign</title><link>https://bulwarkblack.com/deepload-malware-ai-generated-evasion-meets-clickfix-delivery-in-enterprise-credential-theft-campaign/</link><guid isPermaLink="true">https://bulwarkblack.com/deepload-malware-ai-generated-evasion-meets-clickfix-delivery-in-enterprise-credential-theft-campaign/</guid><description>A sophisticated new malware campaign dubbed “DeepLoad” has emerged targeting enterprise environments, combining ClickFix social engineering delivery with AI-generated obfuscation techniques that defeat traditional security controls. ReliaQuest researchers discovered the threat af</description><pubDate>Tue, 31 Mar 2026 15:03:25 GMT</pubDate><category>AI (General)</category></item><item><title>ShinyHunters Breaches European Commission: 350GB of Sensitive Data Exfiltrated from AWS Cloud</title><link>https://bulwarkblack.com/shinyhunters-breaches-european-commission-350gb-of-sensitive-data-exfiltrated-from-aws-cloud/</link><guid isPermaLink="true">https://bulwarkblack.com/shinyhunters-breaches-european-commission-350gb-of-sensitive-data-exfiltrated-from-aws-cloud/</guid><description>The European Commission has confirmed a significant data breach after its Europa.eu web platform was compromised in a cyberattack claimed by the notorious ShinyHunters extortion gang. The attackers allegedly exfiltrated over 350GB of sensitive data from the Commission’s Amazon We</description><pubDate>Tue, 31 Mar 2026 01:02:59 GMT</pubDate><category>General CTI</category></item><item><title>CVE-2026-3055: Critical Citrix NetScaler Memory Flaw Actively Exploited in the Wild</title><link>https://bulwarkblack.com/cve-2026-3055-critical-citrix-netscaler-memory-flaw-actively-exploited-in-the-wild/</link><guid isPermaLink="true">https://bulwarkblack.com/cve-2026-3055-critical-citrix-netscaler-memory-flaw-actively-exploited-in-the-wild/</guid><description>Threat actors are actively exploiting CVE-2026-3055, a critical severity memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances. Security researchers at watchTowr have confirmed in-the-wild exploitation began at least March 27, 2026, with attackers</description><pubDate>Mon, 30 Mar 2026 20:02:32 GMT</pubDate><category>Threat Intelligence</category></item><item><title>FBI Alert: Iranian MOIS Hackers Weaponize Telegram as C2 Channel to Target Dissidents Worldwide</title><link>https://bulwarkblack.com/fbi-alert-iranian-mois-hackers-weaponize-telegram-as-c2-channel-to-target-dissidents-worldwide/</link><guid isPermaLink="true">https://bulwarkblack.com/fbi-alert-iranian-mois-hackers-weaponize-telegram-as-c2-channel-to-target-dissidents-worldwide/</guid><description>The FBI has issued a critical alert warning that Iranian government hackers are weaponizing Telegram as a command and control (C2) channel to steal data from dissidents, opposition groups, and journalists who oppose the regime around the world. According to the FBI alert publishe</description><pubDate>Mon, 30 Mar 2026 15:01:44 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>FBI Confirms Handala Hackers Breached Director Patel’s Personal Email Account</title><link>https://bulwarkblack.com/fbi-confirms-handala-hackers-breached-director-patels-personal-email-account/</link><guid isPermaLink="true">https://bulwarkblack.com/fbi-confirms-handala-hackers-breached-director-patels-personal-email-account/</guid><description>Iran-linked hackers have successfully breached the personal email account of FBI Director Kash Patel, publishing photos, documents, and email correspondence in a significant escalation of cyber operations targeting senior U.S. government officials. The Handala Hack Team, a hackti</description><pubDate>Mon, 30 Mar 2026 01:03:51 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>Infinity Stealer: New macOS Infostealer Combines ClickFix Social Engineering with Nuitka Compilation</title><link>https://bulwarkblack.com/infinity-stealer-new-macos-infostealer-combines-clickfix-social-engineering-with-nuitka-compilation/</link><guid isPermaLink="true">https://bulwarkblack.com/infinity-stealer-new-macos-infostealer-combines-clickfix-social-engineering-with-nuitka-compilation/</guid><description>A sophisticated new info-stealing malware named Infinity Stealer is targeting macOS systems using an innovative attack chain that combines ClickFix social engineering with Python payloads compiled using the open-source Nuitka compiler. Attack Overview According to Malwarebytes re</description><pubDate>Sun, 29 Mar 2026 20:01:29 GMT</pubDate><category>Malware</category></item><item><title>Infinity Stealer: New macOS Infostealer Uses ClickFix and Nuitka Compilation to Evade Detection</title><link>https://bulwarkblack.com/infinity-stealer-new-macos-infostealer-uses-clickfix-and-nuitka-compilation-to-evade-detection/</link><guid isPermaLink="true">https://bulwarkblack.com/infinity-stealer-new-macos-infostealer-uses-clickfix-and-nuitka-compilation-to-evade-detection/</guid><description>A sophisticated new information-stealing malware named Infinity Stealer has emerged targeting macOS systems, combining the increasingly popular ClickFix social engineering technique with advanced evasion capabilities through Nuitka compilation. According to Malwarebytes research,</description><pubDate>Sun, 29 Mar 2026 15:02:30 GMT</pubDate><category>Malware</category></item><item><title>Iranian Handala Hackers Breach FBI Director Kash Patel’s Personal Email, Leak Photos and Documents</title><link>https://bulwarkblack.com/iranian-handala-hackers-breach-fbi-director-kash-patels-personal-email-leak-photos-and-documents/</link><guid isPermaLink="true">https://bulwarkblack.com/iranian-handala-hackers-breach-fbi-director-kash-patels-personal-email-leak-photos-and-documents/</guid><description>Iran-linked hacking group Handala Hack Team has successfully breached the personal email account of FBI Director Kash Patel, publishing photographs and documents stolen from his inbox, according to The Guardian and confirmed by the FBI. Attack Details The breach was announced by </description><pubDate>Sun, 29 Mar 2026 01:03:00 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>ShinyHunters Claims 350GB Data Theft from European Commission’s AWS Cloud Infrastructure</title><link>https://bulwarkblack.com/shinyhunters-claims-350gb-data-theft-from-european-commissions-aws-cloud-infrastructure/</link><guid isPermaLink="true">https://bulwarkblack.com/shinyhunters-claims-350gb-data-theft-from-european-commissions-aws-cloud-infrastructure/</guid><description>The European Commission, the executive branch of the European Union, has confirmed a significant cyberattack after the notorious ShinyHunters extortion group claimed responsibility for breaching its Amazon Web Services cloud infrastructure and stealing over 350GB of sensitive dat</description><pubDate>Sat, 28 Mar 2026 20:04:01 GMT</pubDate><category>Threat Intelligence</category></item><item><title>Infinity Stealer: New macOS Malware Uses ClickFix Lures and Nuitka-Compiled Python Payload</title><link>https://bulwarkblack.com/infinity-stealer-new-macos-malware-uses-clickfix-lures-and-nuitka-compiled-python-payload/</link><guid isPermaLink="true">https://bulwarkblack.com/infinity-stealer-new-macos-malware-uses-clickfix-lures-and-nuitka-compiled-python-payload/</guid><description>Security researchers at Malwarebytes have uncovered a new macOS infostealer called Infinity Stealer that combines the ClickFix social engineering technique with a Python payload compiled using the open-source Nuitka compiler — a first for documented macOS malware campaigns. Why N</description><pubDate>Sat, 28 Mar 2026 15:05:33 GMT</pubDate><category>Threat Intelligence</category></item><item><title>FBI Alert: Iranian MOIS Hackers Weaponize Telegram for Global Espionage Against Dissidents</title><link>https://bulwarkblack.com/fbi-alert-iranian-mois-hackers-weaponize-telegram-for-global-espionage-against-dissidents/</link><guid isPermaLink="true">https://bulwarkblack.com/fbi-alert-iranian-mois-hackers-weaponize-telegram-for-global-espionage-against-dissidents/</guid><description>The FBI has issued a public alert warning that Iranian government hackers affiliated with the Ministry of Intelligence and Security (MOIS) are actively weaponizing Telegram as a command-and-control (C2) platform to conduct espionage operations against dissidents, opposition group</description><pubDate>Sat, 28 Mar 2026 01:02:39 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>Iranian Handala Hackers Breach FBI Director Kash Patel’s Personal Email Account</title><link>https://bulwarkblack.com/iranian-handala-hackers-breach-fbi-director-kash-patels-personal-email-account/</link><guid isPermaLink="true">https://bulwarkblack.com/iranian-handala-hackers-breach-fbi-director-kash-patels-personal-email-account/</guid><description>In a significant escalation of Iranian cyber operations against U.S. government officials, the Iran-linked hacktivist group Handala has successfully compromised the personal email account of FBI Director Kash Patel. The breach, confirmed by the FBI on March 27, 2026, resulted in </description><pubDate>Fri, 27 Mar 2026 20:03:40 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>Pro-Ukraine Bearlyfy Group Deploys Custom GenieLocker Ransomware Against 70+ Russian Companies</title><link>https://bulwarkblack.com/pro-ukraine-bearlyfy-group-deploys-custom-genielocker-ransomware-against-70-russian-companies/</link><guid isPermaLink="true">https://bulwarkblack.com/pro-ukraine-bearlyfy-group-deploys-custom-genielocker-ransomware-against-70-russian-companies/</guid><description>A pro-Ukrainian hacking group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since January 2025, with recent operations deploying a proprietary Windows ransomware strain called GenieLocker, according to research from Russian security</description><pubDate>Fri, 27 Mar 2026 15:07:03 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Chinese APT Red Menshen Plants Stealthy BPFdoor Backdoors in Global Telecom Networks</title><link>https://bulwarkblack.com/chinese-apt-red-menshen-plants-stealthy-bpfdoor-backdoors-in-global-telecom-networks/</link><guid isPermaLink="true">https://bulwarkblack.com/chinese-apt-red-menshen-plants-stealthy-bpfdoor-backdoors-in-global-telecom-networks/</guid><description>A months-long investigation by Rapid7 Labs has exposed a sophisticated state-sponsored espionage campaign by the China-nexus threat actor Red Menshen, which has embedded some of the most covert digital sleeper cells ever documented inside global telecommunications infrastructure.</description><pubDate>Fri, 27 Mar 2026 01:03:11 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Red Menshen Plants BPFdoor Backdoors in Global Telecom Networks for Long-Term Espionage</title><link>https://bulwarkblack.com/red-menshen-plants-bpfdoor-backdoors-in-global-telecom-networks-for-long-term-espionage/</link><guid isPermaLink="true">https://bulwarkblack.com/red-menshen-plants-bpfdoor-backdoors-in-global-telecom-networks-for-long-term-espionage/</guid><description>A comprehensive investigation by Rapid7 Labs has exposed a sophisticated, state-sponsored espionage campaign by the China-nexus threat actor Red Menshen, revealing one of the most covert digital sleeper cell operations ever documented within global telecommunications infrastructu</description><pubDate>Thu, 26 Mar 2026 20:01:34 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Pawn Storm Deploys PRISMEX Malware Suite Against Ukrainian Defense Supply Chain and NATO Allies</title><link>https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/</link><guid isPermaLink="true">https://bulwarkblack.com/pawn-storm-deploys-prismex-malware-suite-against-ukrainian-defense-supply-chain-and-nato-allies/</guid><description>Russia-aligned APT group Pawn Storm (APT28/Fancy Bear) has launched an aggressive campaign deploying a sophisticated new malware suite dubbed PRISMEX against Ukrainian defense infrastructure and NATO logistics partners across Central and Eastern Europe. Campaign Overview The camp</description><pubDate>Thu, 26 Mar 2026 15:02:31 GMT</pubDate><category>Research Papers</category></item><item><title>Identity Security Becomes Critical Attack Vector as Organizations Battle Fragmented Access Controls</title><link>https://bulwarkblack.com/identity-security-becomes-critical-attack-vector-as-organizations-battle-fragmented-access-controls/</link><guid isPermaLink="true">https://bulwarkblack.com/identity-security-becomes-critical-attack-vector-as-organizations-battle-fragmented-access-controls/</guid><description>Identity attacks have evolved beyond simply compromising individual accounts—modern threat actors now focus on what those identities can access across an organization’s sprawling digital ecosystem. As enterprises manage an explosive growth in human, non-human, and agentic identit</description><pubDate>Thu, 26 Mar 2026 01:06:42 GMT</pubDate><category>Business</category></item><item><title>Oracle Issues Rare Out-of-Band Patch for Critical CVE-2026-21992 RCE in Identity Manager</title><link>https://bulwarkblack.com/oracle-issues-rare-out-of-band-patch-for-critical-cve-2026-21992-rce-in-identity-manager/</link><guid isPermaLink="true">https://bulwarkblack.com/oracle-issues-rare-out-of-band-patch-for-critical-cve-2026-21992-rce-in-identity-manager/</guid><description>Oracle has released an emergency out-of-band security patch for a critical unauthenticated remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. Tracked as CVE-2026-21992 with a CVSS v3.1 score of 9.8, this flaw allows attackers to</description><pubDate>Wed, 25 Mar 2026 20:04:43 GMT</pubDate><category>General CTI</category></item><item><title>CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran</title><link>https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/</link><guid isPermaLink="true">https://bulwarkblack.com/canisterworm-wiper-weaponizes-trivy-supply-chain-to-target-iran/</guid><description>A cybercrime group is attempting to leverage the ongoing US-Iran conflict by deploying a destructive wiper malware that specifically targets systems configured for Iranian users, according to new research from Krebs on Security and Aikido. TeamPCP Launches Iran-Targeting Wiper Th</description><pubDate>Tue, 24 Mar 2026 20:03:06 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>TeamPCP Deploys CanisterWorm Wiper to Target Iranian Systems</title><link>https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/</link><guid isPermaLink="true">https://bulwarkblack.com/teampcp-deploys-canisterworm-wiper-to-target-iranian-systems/</guid><description>The cybercrime group TeamPCP has added a destructive wiper component to their cloud-native attack infrastructure, specifically targeting systems in Iran based on timezone and language settings. From Data Theft to Destruction Security researcher Charlie Eriksen at Aikido discovere</description><pubDate>Tue, 24 Mar 2026 15:03:54 GMT</pubDate><category>Threat Intelligence</category></item><item><title>Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems</title><link>https://bulwarkblack.com/hackers-exploit-cve-2025-32975-cvss-10-0-to-hijack-unpatched-quest-kace-sma-systems/</link><guid isPermaLink="true">https://bulwarkblack.com/hackers-exploit-cve-2025-32975-cvss-10-0-to-hijack-unpatched-quest-kace-sma-systems/</guid><description>Threat actors are actively exploiting a maximum-severity security flaw in Quest KACE Systems Management Appliance (SMA), according to Arctic Wolf research. The vulnerability, tracked as CVE-2025-32975 with a CVSS score of 10.0, allows attackers to completely bypass authentication</description><pubDate>Tue, 24 Mar 2026 01:01:36 GMT</pubDate><category>Threat Intelligence</category></item><item><title>TeamPCP Spreads Trivy Supply Chain Attack to Docker Hub and Kubernetes with Devastating Wiper Payload</title><link>https://bulwarkblack.com/teampcp-spreads-trivy-supply-chain-attack-to-docker-hub-and-kubernetes-with-devastating-wiper-payload/</link><guid isPermaLink="true">https://bulwarkblack.com/teampcp-spreads-trivy-supply-chain-attack-to-docker-hub-and-kubernetes-with-devastating-wiper-payload/</guid><description>The cybersecurity community is reeling from an escalating supply chain attack targeting Trivy, Aqua Security’s popular open-source vulnerability scanner with over 33,800 GitHub stars. The threat actor known as TeamPCP has expanded their campaign from compromised GitHub Actions to</description><pubDate>Mon, 23 Mar 2026 20:02:17 GMT</pubDate><category>General CTI</category></item><item><title>FBI Flash Alert: Iranian Handala Hackers Weaponize Telegram for Malware C2 Operations</title><link>https://bulwarkblack.com/fbi-flash-alert-iranian-handala-hackers-weaponize-telegram-for-malware-c2-operations/</link><guid isPermaLink="true">https://bulwarkblack.com/fbi-flash-alert-iranian-handala-hackers-weaponize-telegram-for-malware-c2-operations/</guid><description>The FBI has issued a flash alert warning network defenders that Iranian hackers linked to the Ministry of Intelligence and Security (MOIS) are actively using Telegram as command-and-control (C2) infrastructure in malware attacks targeting journalists, dissidents, and opposition g</description><pubDate>Mon, 23 Mar 2026 15:05:03 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>Unit 42 Warns: AI Agents Could Enable Gift Card Theft and Returns Fraud at Scale</title><link>https://bulwarkblack.com/unit-42-warns-ai-agents-could-enable-gift-card-theft-and-returns-fraud-at-scale/</link><guid isPermaLink="true">https://bulwarkblack.com/unit-42-warns-ai-agents-could-enable-gift-card-theft-and-returns-fraud-at-scale/</guid><description>Palo Alto Networks’ Unit 42 has published new research examining how the rise of “agentic commerce” – AI agents that autonomously browse, shop, and transact on behalf of users – could be exploited by cybercriminals to conduct retail fraud at unprecedented scale. Read the full res</description><pubDate>Mon, 23 Mar 2026 01:04:32 GMT</pubDate><category>AI (General)</category></item><item><title>CVE-2026-33017: Critical Langflow AI Framework Vulnerability Exploited Within 20 Hours of Disclosure</title><link>https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-framework-vulnerability-exploited-within-20-hours-of-disclosure/</link><guid isPermaLink="true">https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-framework-vulnerability-exploited-within-20-hours-of-disclosure/</guid><description>A critical vulnerability in Langflow, the popular open-source visual framework for building AI agents and RAG pipelines, was weaponized by threat actors within just 20 hours of public disclosure—before any proof-of-concept code was publicly available. The Vulnerability Tracked as</description><pubDate>Sun, 22 Mar 2026 20:02:16 GMT</pubDate><category>AI (General)</category></item><item><title>DoJ Disrupts Four Massive IoT Botnets Behind Record-Breaking 31.4 Tbps DDoS Attacks</title><link>https://bulwarkblack.com/doj-disrupts-four-massive-iot-botnets-behind-record-breaking-31-4-tbps-ddos-attacks/</link><guid isPermaLink="true">https://bulwarkblack.com/doj-disrupts-four-massive-iot-botnets-behind-record-breaking-31-4-tbps-ddos-attacks/</guid><description>The U.S. Department of Justice announced a major law enforcement operation to disrupt four IoT botnets — AISURU, Kimwolf, JackSkid, and Mossad — responsible for record-breaking distributed denial-of-service (DDoS) attacks reaching 31.4 terabits per second. The court-authorized ta</description><pubDate>Sun, 22 Mar 2026 15:04:46 GMT</pubDate><category>General CTI</category></item><item><title>Interlock Ransomware Exploited Cisco Firewall Zero-Day Weeks Before Public Disclosure</title><link>https://bulwarkblack.com/interlock-ransomware-exploited-cisco-firewall-zero-day-weeks-before-public-disclosure/</link><guid isPermaLink="true">https://bulwarkblack.com/interlock-ransomware-exploited-cisco-firewall-zero-day-weeks-before-public-disclosure/</guid><description>Amazon’s security team has revealed that the Interlock ransomware gang exploited a critical Cisco firewall vulnerability as a zero-day for five weeks before it was publicly disclosed, giving attackers a significant head start against defenders. Zero-Day Exploitation Timeline Acco</description><pubDate>Sun, 22 Mar 2026 01:02:21 GMT</pubDate><category>Malware</category></item><item><title>DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover</title><link>https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/</link><guid isPermaLink="true">https://bulwarkblack.com/darksword-ios-exploit-kit-russian-hackers-weaponize-six-vulnerabilities-for-full-iphone-takeover/</guid><description>Google Threat Intelligence Group (GTIG), iVerify, and Lookout have jointly uncovered DarkSword, a sophisticated iOS exploit kit that enables complete device compromise with minimal user interaction. The kit, operational since at least November 2025, has been deployed by suspected</description><pubDate>Sat, 21 Mar 2026 20:03:54 GMT</pubDate><category>Malware</category></item><item><title>CVE-2026-33017: Critical Langflow AI Platform Flaw Exploited Within 20 Hours of Disclosure</title><link>https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-platform-flaw-exploited-within-20-hours-of-disclosure/</link><guid isPermaLink="true">https://bulwarkblack.com/cve-2026-33017-critical-langflow-ai-platform-flaw-exploited-within-20-hours-of-disclosure/</guid><description>A critical vulnerability in Langflow, a popular open-source AI workflow automation platform, has been actively exploited in the wild within just 20 hours of public disclosure—before any proof-of-concept code was even available. The Vulnerability Tracked as CVE-2026-33017 with a C</description><pubDate>Sat, 21 Mar 2026 15:03:42 GMT</pubDate><category>General CTI</category></item><item><title>Critical Langflow AI Platform Flaw CVE-2026-33017 Exploited Within 20 Hours of Disclosure</title><link>https://bulwarkblack.com/critical-langflow-ai-platform-flaw-cve-2026-33017-exploited-within-20-hours-of-disclosure/</link><guid isPermaLink="true">https://bulwarkblack.com/critical-langflow-ai-platform-flaw-cve-2026-33017-exploited-within-20-hours-of-disclosure/</guid><description>A critical vulnerability in Langflow, the popular open-source AI workflow platform, has been actively exploited within just 20 hours of its public disclosure—before any proof-of-concept code was even available. The rapid weaponization highlights the shrinking window defenders hav</description><pubDate>Sat, 21 Mar 2026 01:04:06 GMT</pubDate><category>AI (General)</category></item><item><title>CVE-2026-3564: Critical ScreenConnect Flaw Enables Session Hijacking Through ASP.NET Machine Key Abuse</title><link>https://bulwarkblack.com/cve-2026-3564-critical-screenconnect-flaw-enables-session-hijacking-through-asp-net-machine-key-abuse/</link><guid isPermaLink="true">https://bulwarkblack.com/cve-2026-3564-critical-screenconnect-flaw-enables-session-hijacking-through-asp-net-machine-key-abuse/</guid><description>ConnectWise has released an emergency patch for a critical vulnerability (CVE-2026-3564) in its ScreenConnect remote access platform that could allow unauthenticated attackers to hijack legitimate sessions by forging authentication credentials using extracted ASP.NET machine keys</description><pubDate>Fri, 20 Mar 2026 20:02:25 GMT</pubDate><category>General CTI</category></item><item><title>Interlock Ransomware Exploited Cisco FMC Zero-Day for Six Weeks Before Patch: Amazon Reveals Full Attack Chain</title><link>https://bulwarkblack.com/interlock-ransomware-exploited-cisco-fmc-zero-day-for-six-weeks-before-patch-amazon-reveals-full-attack-chain/</link><guid isPermaLink="true">https://bulwarkblack.com/interlock-ransomware-exploited-cisco-fmc-zero-day-for-six-weeks-before-patch-amazon-reveals-full-attack-chain/</guid><description>Amazon Threat Intelligence has revealed that the Interlock ransomware group exploited CVE-2026-20131—a critical CVSS 10.0 vulnerability in Cisco Secure Firewall Management Center—as a zero-day since January 26, 2026, more than five weeks before Cisco publicly disclosed the flaw o</description><pubDate>Fri, 20 Mar 2026 15:02:54 GMT</pubDate><category>General CTI</category></item><item><title>9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors</title><link>https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/</link><guid isPermaLink="true">https://bulwarkblack.com/9-critical-ip-kvm-flaws-enable-unauthenticated-root-access-across-four-vendors/</guid><description>Low-cost IP KVM devices—designed to provide remote keyboard, video, and mouse access to physical systems—are introducing catastrophic security risks into enterprise environments. New research from Eclypsium reveals nine vulnerabilities affecting products from GL-iNet, Angeet/Yees</description><pubDate>Fri, 20 Mar 2026 01:03:12 GMT</pubDate><category>General CTI</category></item><item><title>54 EDR Killers Exploit 34 Vulnerable Signed Drivers to Disable Security Before Ransomware Deployment</title><link>https://bulwarkblack.com/54-edr-killers-exploit-34-vulnerable-signed-drivers-to-disable-security-before-ransomware-deployment/</link><guid isPermaLink="true">https://bulwarkblack.com/54-edr-killers-exploit-34-vulnerable-signed-drivers-to-disable-security-before-ransomware-deployment/</guid><description>A comprehensive analysis by ESET has uncovered a thriving ecosystem of endpoint detection and response (EDR) killer tools, revealing that 54 of these specialized programs abuse 34 vulnerable signed drivers to neutralize security software before ransomware attacks. The BYOVD Threa</description><pubDate>Thu, 19 Mar 2026 20:02:34 GMT</pubDate><category>General CTI</category></item><item><title>LeakNet Ransomware Scales Operations with ClickFix Lures and Stealthy Deno-Based Fileless Loader</title><link>https://bulwarkblack.com/leaknet-ransomware-scales-operations-with-clickfix-lures-and-stealthy-deno-based-fileless-loader/</link><guid isPermaLink="true">https://bulwarkblack.com/leaknet-ransomware-scales-operations-with-clickfix-lures-and-stealthy-deno-based-fileless-loader/</guid><description>The LeakNet ransomware group is rapidly scaling its operations with two dangerous innovations: a social engineering technique called ClickFix and a previously unreported fileless loader built on the legitimate Deno JavaScript runtime. According to ReliaQuest research, LeakNet has</description><pubDate>Thu, 19 Mar 2026 15:02:41 GMT</pubDate><category>Malware</category></item><item><title>Rapid7 2026 Global Threat Landscape Report: Exploited Vulnerabilities Surge 105% as Attack Timelines Collapse</title><link>https://bulwarkblack.com/rapid7-2026-global-threat-landscape-report-exploited-vulnerabilities-surge-105-as-attack-timelines-collapse/</link><guid isPermaLink="true">https://bulwarkblack.com/rapid7-2026-global-threat-landscape-report-exploited-vulnerabilities-surge-105-as-attack-timelines-collapse/</guid><description>Rapid7 has released its 2026 Global Threat Landscape Report, revealing a dramatic acceleration in cyber attack patterns that leaves organizations with shrinking windows to respond to emerging threats. The research demonstrates that the predictive lead time defenders once relied u</description><pubDate>Thu, 19 Mar 2026 01:03:01 GMT</pubDate><category>General CTI</category></item><item><title>CISA Adds Wing FTP Server Information Disclosure Flaw to KEV Catalog Amid Active Exploitation</title><link>https://bulwarkblack.com/cisa-adds-wing-ftp-server-information-disclosure-flaw-to-kev-catalog-amid-active-exploitation/</link><guid isPermaLink="true">https://bulwarkblack.com/cisa-adds-wing-ftp-server-information-disclosure-flaw-to-kev-catalog-amid-active-exploitation/</guid><description>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a medium-severity vulnerability in Wing FTP Server to its Known Exploited Vulnerabilities (KEV) catalog on March 16, 2026, confirming that attackers are actively exploiting the flaw in real-world attacks. </description><pubDate>Wed, 18 Mar 2026 20:03:10 GMT</pubDate><category>General CTI</category></item><item><title>Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization</title><link>https://bulwarkblack.com/iranian-cyber-threat-evolution-from-mbr-wipers-to-identity-weaponization/</link><guid isPermaLink="true">https://bulwarkblack.com/iranian-cyber-threat-evolution-from-mbr-wipers-to-identity-weaponization/</guid><description>A comprehensive analysis by Unit 42 reveals a fundamental shift in Iranian cyber operations: state-aligned threat actors are abandoning custom malware in favor of weaponizing enterprise administrative tools to achieve unprecedented scale and stealth. The Strategic Shift During re</description><pubDate>Wed, 18 Mar 2026 01:04:49 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers</title><link>https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/</link><guid isPermaLink="true">https://bulwarkblack.com/glassworm-supply-chain-campaign-hijacks-72-open-vsx-extensions-to-target-developers/</guid><description>Threat actors are abusing Visual Studio Code extension dependencies in the Open VSX registry to distribute the GlassWorm malware loader through 72 malicious extensions targeting developers.</description><pubDate>Tue, 17 Mar 2026 20:03:14 GMT</pubDate><category>Malware</category></item><item><title>GlassWorm ForceMemo Campaign: Stolen GitHub Tokens Used to Inject Malware Into Hundreds of Python Repositories</title><link>https://bulwarkblack.com/glassworm-forcememo-campaign-stolen-github-tokens-used-to-inject-malware-into-hundreds-of-python-repositories/</link><guid isPermaLink="true">https://bulwarkblack.com/glassworm-forcememo-campaign-stolen-github-tokens-used-to-inject-malware-into-hundreds-of-python-repositories/</guid><description>A sophisticated supply chain attack dubbed ForceMemo is leveraging stolen GitHub tokens to inject malware into hundreds of Python repositories, marking a dangerous escalation in the ongoing GlassWorm campaign targeting software developers. The Attack Chain According to StepSecuri</description><pubDate>Tue, 17 Mar 2026 01:02:21 GMT</pubDate><category>Malware</category></item><item><title>Iranian Threat Actors Target Hikvision and Dahua IP Cameras for Kinetic Strike Coordination</title><link>https://bulwarkblack.com/iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination/</link><guid isPermaLink="true">https://bulwarkblack.com/iranian-threat-actors-target-hikvision-and-dahua-ip-cameras-for-kinetic-strike-coordination/</guid><description>As Iran-Israel-US military operations escalate in the Middle East, Check Point Research and Tenable have identified a significant surge in Iranian threat actors targeting IP cameras manufactured by Hikvision and Dahua. The activity, which began spiking on February 28, 2026, coinc</description><pubDate>Mon, 16 Mar 2026 20:02:50 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched</title><link>https://bulwarkblack.com/critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched/</link><guid isPermaLink="true">https://bulwarkblack.com/critical-veeam-backup-vulnerabilities-draw-ransomware-group-attention-seven-cvss-9-9-flaws-patched/</guid><description>Veeam has released emergency patches for seven severe vulnerabilities in its flagship Backup &amp; Replication platform, several scoring CVSS 9.9 — the highest possible criticality rating. The flaws enable remote code execution (RCE), privilege escalation, and credential theft by aut</description><pubDate>Mon, 16 Mar 2026 15:02:56 GMT</pubDate><category>General CTI</category></item><item><title>The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks</title><link>https://bulwarkblack.com/the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks/</link><guid isPermaLink="true">https://bulwarkblack.com/the-promptware-kill-chain-a-new-framework-for-understanding-ai-malware-attacks/</guid><description>A groundbreaking research paper by Bruce Schneier and collaborators introduces the concept of “promptware”—a distinct class of malware targeting large language models (LLMs). Moving beyond the myopic focus on prompt injection, the researchers propose a structured seven-step kill </description><pubDate>Mon, 16 Mar 2026 01:02:15 GMT</pubDate><category>AI (General)</category></item><item><title>Operation Lightning: Global Takedown of SocksEscort Botnet That Enslaved 369,000 Routers in 163 Countries</title><link>https://bulwarkblack.com/operation-lightning-global-takedown-of-socksescort-botnet-that-enslaved-369000-routers-in-163-countries/</link><guid isPermaLink="true">https://bulwarkblack.com/operation-lightning-global-takedown-of-socksescort-botnet-that-enslaved-369000-routers-in-163-countries/</guid><description>A coordinated international law enforcement operation has dismantled SocksEscort, a criminal proxy service that infected hundreds of thousands of residential routers worldwide to enable large-scale fraud, ransomware distribution, and other cybercrimes. The Scope of the Threat Acc</description><pubDate>Sun, 15 Mar 2026 20:02:26 GMT</pubDate><category>General CTI</category></item><item><title>Google Patches Two Chrome Zero-Days Under Active Exploitation: CVE-2026-3909 and CVE-2026-3910</title><link>https://bulwarkblack.com/google-patches-two-chrome-zero-days-under-active-exploitation-cve-2026-3909-and-cve-2026-3910/</link><guid isPermaLink="true">https://bulwarkblack.com/google-patches-two-chrome-zero-days-under-active-exploitation-cve-2026-3909-and-cve-2026-3910/</guid><description>Google has released emergency security updates to patch two high-severity Chrome vulnerabilities being actively exploited in zero-day attacks, affecting an estimated 3.5 billion users worldwide. “Google is aware that exploits for both CVE-2026-3909 &amp; CVE-2026-3910 exist in the wi</description><pubDate>Sun, 15 Mar 2026 15:01:59 GMT</pubDate><category>General CTI</category></item><item><title>Operation Synergia III: Global Crackdown Takes Down 45,000 Malicious IPs and Arrests 94 Cybercriminals</title><link>https://bulwarkblack.com/operation-synergia-iii-global-crackdown-takes-down-45000-malicious-ips-and-arrests-94-cybercriminals/</link><guid isPermaLink="true">https://bulwarkblack.com/operation-synergia-iii-global-crackdown-takes-down-45000-malicious-ips-and-arrests-94-cybercriminals/</guid><description>In one of the most significant international cybercrime operations to date, INTERPOL has announced the successful conclusion of Operation Synergia III—a coordinated global effort that dismantled critical infrastructure supporting phishing, malware, and ransomware campaigns worldw</description><pubDate>Sun, 15 Mar 2026 01:01:59 GMT</pubDate><category>General CTI</category></item><item><title>ShinyHunters Claims 1 Petabyte Data Theft From Telus Digital in Multi-Month BPO Breach</title><link>https://bulwarkblack.com/shinyhunters-claims-1-petabyte-data-theft-from-telus-digital-in-multi-month-bpo-breach/</link><guid isPermaLink="true">https://bulwarkblack.com/shinyhunters-claims-1-petabyte-data-theft-from-telus-digital-in-multi-month-bpo-breach/</guid><description>Business process outsourcing (BPO) giant Telus Digital has confirmed a major cybersecurity incident after the notorious ShinyHunters extortion group claimed to have stolen nearly one petabyte of data from the company and its customers. The breach, which involved unauthorized acce</description><pubDate>Sat, 14 Mar 2026 20:02:10 GMT</pubDate><category>General CTI</category></item><item><title>Google Patches Two Chrome Zero-Days Actively Exploited in the Wild, CISA Adds to KEV Catalog</title><link>https://bulwarkblack.com/google-patches-two-chrome-zero-days-actively-exploited-in-the-wild-cisa-adds-to-kev-catalog/</link><guid isPermaLink="true">https://bulwarkblack.com/google-patches-two-chrome-zero-days-actively-exploited-in-the-wild-cisa-adds-to-kev-catalog/</guid><description>Google has released emergency security updates to address two high-severity vulnerabilities in Chrome that are being actively exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both flaws to its Known Exploited Vulnerabilities (KEV) </description><pubDate>Sat, 14 Mar 2026 15:03:09 GMT</pubDate><category>General CTI</category></item><item><title>Pro-Iranian Hackers Expand Targeting of US Critical Infrastructure as Cyber Chaos Escalates</title><link>https://bulwarkblack.com/pro-iranian-hackers-expand-targeting-of-us-critical-infrastructure-as-cyber-chaos-escalates/</link><guid isPermaLink="true">https://bulwarkblack.com/pro-iranian-hackers-expand-targeting-of-us-critical-infrastructure-as-cyber-chaos-escalates/</guid><description>Pro-Iranian hackers are expanding their operations beyond the Middle East and increasingly targeting critical infrastructure in the United States, according to cybersecurity experts and recent incidents. The attacks represent a significant escalation in Iran’s cyber warfare capab</description><pubDate>Sat, 14 Mar 2026 01:04:19 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>Google Patches Two Actively Exploited Chrome Zero-Days: CVE-2026-3909 and CVE-2026-3910</title><link>https://bulwarkblack.com/google-patches-two-actively-exploited-chrome-zero-days-cve-2026-3909-and-cve-2026-3910/</link><guid isPermaLink="true">https://bulwarkblack.com/google-patches-two-actively-exploited-chrome-zero-days-cve-2026-3909-and-cve-2026-3910/</guid><description>Google has released emergency security updates to fix two high-severity vulnerabilities in Chrome that are being actively exploited in the wild. These are the second and third Chrome zero-days patched in 2026, highlighting the continued targeting of browser vulnerabilities by thr</description><pubDate>Fri, 13 Mar 2026 20:02:10 GMT</pubDate><category>Business</category></item><item><title>Storm-2561 Weaponizes SEO Poisoning to Deploy Trojanized VPN Clients and Steal Enterprise Credentials</title><link>https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/</link><guid isPermaLink="true">https://bulwarkblack.com/storm-2561-weaponizes-seo-poisoning-to-deploy-trojanized-vpn-clients-and-steal-enterprise-credentials/</guid><description>Microsoft Defender Experts have uncovered a sophisticated credential theft campaign orchestrated by the financially motivated threat actor Storm-2561. The campaign exploits search engine optimization (SEO) poisoning to redirect enterprise users searching for legitimate VPN softwa</description><pubDate>Fri, 13 Mar 2026 15:03:49 GMT</pubDate><category>Threat Intelligence</category></item><item><title>Infostealer Infection Unmasks DPRK Operative Behind Polyfill.io Supply Chain Attack and US Crypto Exchange Infiltration</title><link>https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/</link><guid isPermaLink="true">https://bulwarkblack.com/infostealer-infection-unmasks-dprk-operative-behind-polyfill-io-supply-chain-attack-and-us-crypto-exchange-infiltration/</guid><description>In a stunning example of operational security failure, a North Korean cyber operative was unmasked after infecting their own machine with a LummaC2 infostealer—revealing definitive evidence linking them to both the catastrophic Polyfill.io supply chain attack and deep infiltratio</description><pubDate>Thu, 12 Mar 2026 15:06:48 GMT</pubDate><category>North Korean Cyber Threat Intelligence</category></item><item><title>KadNap Botnet Hijacks 14,000+ ASUS Routers Using Novel Kademlia DHT Protocol for Stealth C2</title><link>https://bulwarkblack.com/kadnap-botnet-hijacks-14000-asus-routers-using-novel-kademlia-dht-protocol-for-stealth-c2/</link><guid isPermaLink="true">https://bulwarkblack.com/kadnap-botnet-hijacks-14000-asus-routers-using-novel-kademlia-dht-protocol-for-stealth-c2/</guid><description>A newly discovered botnet called KadNap is turning ASUS routers and edge networking devices into covert proxies for cybercriminal operations. Since August 2025, the malware has infected over 14,000 devices across the globe, with researchers from Black Lotus Labs (Lumen Technologi</description><pubDate>Thu, 12 Mar 2026 01:03:24 GMT</pubDate><category>Malware</category></item><item><title>Iranian Handala Hacktivists Deploy Wiper Malware Against Medical Device Giant Stryker</title><link>https://bulwarkblack.com/iranian-handala-hacktivists-deploy-wiper-malware-against-medical-device-giant-stryker/</link><guid isPermaLink="true">https://bulwarkblack.com/iranian-handala-hacktivists-deploy-wiper-malware-against-medical-device-giant-stryker/</guid><description>Iran-linked hacktivist group Handala has claimed responsibility for a devastating wiper malware attack against Stryker Corporation, a Fortune 500 medical technology company with over 53,000 employees and $22.6 billion in annual sales. Attack Scale and Impact According to Handala’</description><pubDate>Wed, 11 Mar 2026 20:04:02 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>FortiGate Devices Exploited as Network Entry Points for Service Account Credential Theft</title><link>https://bulwarkblack.com/fortigate-devices-exploited-as-network-entry-points-for-service-account-credential-theft/</link><guid isPermaLink="true">https://bulwarkblack.com/fortigate-devices-exploited-as-network-entry-points-for-service-account-credential-theft/</guid><description>Cybersecurity researchers have uncovered a sophisticated campaign where threat actors are weaponizing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks. The activity, documented by SentinelOne, targets healthcare, government, and manag</description><pubDate>Wed, 11 Mar 2026 15:03:04 GMT</pubDate><category>General CTI</category></item><item><title>Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates</title><link>https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/</link><guid isPermaLink="true">https://bulwarkblack.com/iranian-mois-cyber-actors-embrace-criminal-ecosystem-from-rhadamanthys-to-ransomware-affiliates/</guid><description>A new Check Point Research report reveals that Iranian Ministry of Intelligence and Security (MOIS)-linked threat actors are increasingly engaging with the cybercrime ecosystem, moving beyond mere imitation to directly leveraging criminal tools, services, and affiliate-style rela</description><pubDate>Wed, 11 Mar 2026 01:03:08 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>BlackSanta EDR Killer Campaign Targets HR Departments Through Weaponized Resume Files</title><link>https://bulwarkblack.com/blacksanta-edr-killer-campaign-targets-hr-departments-through-weaponized-resume-files/</link><guid isPermaLink="true">https://bulwarkblack.com/blacksanta-edr-killer-campaign-targets-hr-departments-through-weaponized-resume-files/</guid><description>A year-long malware campaign targets HR departments through weaponized resume files, deploying the previously undocumented BlackSanta EDR killer that disables endpoint security tools at the kernel level.</description><pubDate>Tue, 10 Mar 2026 20:03:51 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Seedworm APT Deploys Dindoor and Fakeset Backdoors Inside US Critical Infrastructure Networks</title><link>https://bulwarkblack.com/seedworm-apt-deploys-dindoor-and-fakeset-backdoors-inside-us-critical-infrastructure-networks/</link><guid isPermaLink="true">https://bulwarkblack.com/seedworm-apt-deploys-dindoor-and-fakeset-backdoors-inside-us-critical-infrastructure-networks/</guid><description>Iran’s Seedworm APT group (also known as MuddyWater) has established persistent access inside the networks of multiple US organizations since early February 2026, deploying two previously unknown malware implants as geopolitical tensions between the US and Iran escalate. New Back</description><pubDate>Tue, 10 Mar 2026 15:04:00 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>60+ Pro-Iranian Hacktivist Groups Activate AI-Enabled ICS Attacks Following US-Israel Strikes</title><link>https://bulwarkblack.com/60-pro-iranian-hacktivist-groups-activate-ai-enabled-ics-attacks-following-us-israel-strikes/</link><guid isPermaLink="true">https://bulwarkblack.com/60-pro-iranian-hacktivist-groups-activate-ai-enabled-ics-attacks-following-us-israel-strikes/</guid><description>In the largest single-event activation of Iranian-aligned cyber actors ever documented, more than 60 pro-Iranian hacktivist groups became active on Telegram within hours of the February 28 US-Israel military strikes on Iran. Armed with AI tools and targeting over 40,000 internet-</description><pubDate>Tue, 10 Mar 2026 01:03:06 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>Iranian Cyber Threats Intensify: APT Groups and Hacktivists Target U.S. and Allied Infrastructure</title><link>https://bulwarkblack.com/iranian-cyber-threats-intensify-apt-groups-and-hacktivists-target-u-s-and-allied-infrastructure/</link><guid isPermaLink="true">https://bulwarkblack.com/iranian-cyber-threats-intensify-apt-groups-and-hacktivists-target-u-s-and-allied-infrastructure/</guid><description>Executive Summary As hostilities between Iran and the U.S./Israeli-led coalition escalate, threat intelligence indicates Iranian-aligned cyber actors pose an elevated near-term risk to organizations across North America and allied nations. These actors have a well-documented hist</description><pubDate>Mon, 09 Mar 2026 20:04:18 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>Seedworm APT Targets US Banks and Airports with New Dindoor and Fakeset Backdoors</title><link>https://bulwarkblack.com/seedworm-apt-targets-us-banks-and-airports-with-new-dindoor-and-fakeset-backdoors/</link><guid isPermaLink="true">https://bulwarkblack.com/seedworm-apt-targets-us-banks-and-airports-with-new-dindoor-and-fakeset-backdoors/</guid><description>Iranian state-sponsored hackers have maintained persistent access inside multiple US critical infrastructure networks since early February 2026, establishing footholds that security researchers warn could enable devastating attacks amid escalating geopolitical tensions in the Mid</description><pubDate>Mon, 09 Mar 2026 15:03:33 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign</title><link>https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/</link><guid isPermaLink="true">https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-fake-github-repositories-in-massive-malware-campaign/</guid><description>Trend Micro researchers have uncovered a large-scale malware distribution campaign using over 100 GitHub repositories to spread BoryptGrab, an information stealer that targets browser credentials, cryptocurrency wallets, and sensitive files while deploying reverse SSH backdoors f</description><pubDate>Mon, 09 Mar 2026 01:03:51 GMT</pubDate><category>Malware</category></item><item><title>BoryptGrab Stealer Spreads Through 100+ Malicious GitHub Repositories</title><link>https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-malicious-github-repositories/</link><guid isPermaLink="true">https://bulwarkblack.com/boryptgrab-stealer-spreads-through-100-malicious-github-repositories/</guid><description>A massive malware distribution campaign has been discovered leveraging more than 100 GitHub repositories to spread the BoryptGrab information stealer. According to Trend Micro research, the campaign targets Windows users through deceptive downloads masquerading as legitimate soft</description><pubDate>Sun, 08 Mar 2026 20:03:35 GMT</pubDate><category>Malware</category></item><item><title>Russian APT Deploys Cat-Themed BadPaw and MeowMeow Malware to Target Ukraine</title><link>https://bulwarkblack.com/russian-apt-deploys-cat-themed-badpaw-and-meowmeow-malware-to-target-ukraine/</link><guid isPermaLink="true">https://bulwarkblack.com/russian-apt-deploys-cat-themed-badpaw-and-meowmeow-malware-to-target-ukraine/</guid><description>Security researchers from ClearSky have uncovered a sophisticated Russian cyber campaign targeting Ukrainian organizations using two previously unknown malware strains with distinctly playful names: BadPaw and MeowMeow. Despite their whimsical naming, these tools represent a seri</description><pubDate>Sun, 08 Mar 2026 15:04:29 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Velvet Tempest Ransomware Group Deploys CastleRAT via ClickFix Attacks Linked to Termite Operations</title><link>https://bulwarkblack.com/velvet-tempest-ransomware-group-deploys-castlerat-via-clickfix-attacks-linked-to-termite-operations/</link><guid isPermaLink="true">https://bulwarkblack.com/velvet-tempest-ransomware-group-deploys-castlerat-via-clickfix-attacks-linked-to-termite-operations/</guid><description>Five-Year Ransomware Affiliate Uses Malvertising and Legitimate Windows Tools in Sophisticated Intrusion Security researchers at MalBeacon have exposed a 12-day intrusion campaign by Velvet Tempest (also tracked as DEV-0504), a prolific ransomware affiliate group now deploying th</description><pubDate>Sun, 08 Mar 2026 02:05:29 GMT</pubDate><category>Projects</category></item><item><title>APT36 Vibeware Campaign: Pakistan’s Transparent Tribe Weaponizes AI to Mass-Produce Malware Targeting India</title><link>https://bulwarkblack.com/apt36-vibeware-campaign-pakistans-transparent-tribe-weaponizes-ai-to-mass-produce-malware-targeting-india/</link><guid isPermaLink="true">https://bulwarkblack.com/apt36-vibeware-campaign-pakistans-transparent-tribe-weaponizes-ai-to-mass-produce-malware-targeting-india/</guid><description>Pakistan-aligned threat actor Transparent Tribe (APT36) has embraced AI-assisted malware development to flood Indian government networks with disposable, polyglot implants—a technique security researchers are calling “vibeware” or Distributed Denial of Detection (DDoD). AI-Powere</description><pubDate>Sat, 07 Mar 2026 21:06:54 GMT</pubDate><category>Global Cyber Threat Intelligence</category></item><item><title>SAP NetWeaver Critical Zero-Day (CVE-2025-31324) Under Active Exploitation by Initial Access Brokers</title><link>https://bulwarkblack.com/sap-netweaver-critical-zero-day-cve-2025-31324-under-active-exploitation-by-initial-access-brokers/</link><guid isPermaLink="true">https://bulwarkblack.com/sap-netweaver-critical-zero-day-cve-2025-31324-under-active-exploitation-by-initial-access-brokers/</guid><description>SAP customers are being urged to immediately patch a critical zero-day vulnerability in the Visual Composer component of SAP NetWeaver application server that threat actors are actively exploiting to deploy web shell backdoors. The Vulnerability Tracked as CVE-2025-31324, this un</description><pubDate>Sat, 07 Mar 2026 16:02:17 GMT</pubDate><category>General CTI</category></item><item><title>VOID#GEIST: Multi-Stage Malware Campaign Uses Python Loaders and APC Injection to Deploy XWorm, AsyncRAT, and Xeno RAT</title><link>https://bulwarkblack.com/voidgeist-multi-stage-malware-campaign-uses-python-loaders-and-apc-injection-to-deploy-xworm-asyncrat-and-xeno-rat/</link><guid isPermaLink="true">https://bulwarkblack.com/voidgeist-multi-stage-malware-campaign-uses-python-loaders-and-apc-injection-to-deploy-xworm-asyncrat-and-xeno-rat/</guid><description>Security researchers at Securonix have uncovered a sophisticated multi-stage malware campaign dubbed VOID#GEIST that delivers three separate remote access trojans (RATs) through an elaborate infection chain designed to evade detection. A Modular Attack Framework Unlike traditiona</description><pubDate>Sat, 07 Mar 2026 02:03:33 GMT</pubDate><category>Malware</category></item><item><title>Google Disrupts Chinese APT UNC2814’s GRIDTIDE Backdoor Campaign Targeting 42 Countries</title><link>https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/</link><guid isPermaLink="true">https://bulwarkblack.com/google-disrupts-chinese-apt-unc2814s-gridtide-backdoor-campaign-targeting-42-countries/</guid><description>Google Threat Intelligence Group (GTIG) has disrupted a massive global cyber espionage campaign targeting telecommunications and government organizations across 42 countries. The threat actor, tracked as UNC2814, is a suspected People’s Republic of China (PRC)-nexus cyber espiona</description><pubDate>Fri, 06 Mar 2026 21:04:07 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Pakistan’s APT36 Floods Indian Government Networks With AI-Generated ‘Vibeware’ Malware</title><link>https://bulwarkblack.com/pakistans-apt36-floods-indian-government-networks-with-ai-generated-vibeware-malware/</link><guid isPermaLink="true">https://bulwarkblack.com/pakistans-apt36-floods-indian-government-networks-with-ai-generated-vibeware-malware/</guid><description>A Pakistan-linked threat group is overwhelming Indian government networks with a new breed of disposable, AI-generated malware in a campaign that marks a concerning shift in the digital conflict between the two nations. According to research from Bitdefender, the threat actor APT</description><pubDate>Fri, 06 Mar 2026 16:02:33 GMT</pubDate><category>Global Cyber Threat Intelligence</category></item><item><title>Google and Mandiant Disrupt GRIDTIDE: Chinese APT Espionage Campaign Compromises 53 Victims in 42 Countries</title><link>https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/</link><guid isPermaLink="true">https://bulwarkblack.com/google-and-mandiant-disrupt-gridtide-chinese-apt-espionage-campaign-compromises-53-victims-in-42-countries/</guid><description>Google Threat Intelligence Group (GTIG) and Mandiant have executed a coordinated takedown of one of the most expansive cyber espionage campaigns in recent memory. The operation targeted UNC2814, a suspected People’s Republic of China (PRC)-nexus threat actor that has operated glo</description><pubDate>Fri, 06 Mar 2026 02:03:44 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Coruna iOS Exploit Kit: Nation-State Spyware Tools Now Targeting Crypto Wallet Users</title><link>https://bulwarkblack.com/coruna-ios-exploit-kit-nation-state-spyware-tools-now-targeting-crypto-wallet-users/</link><guid isPermaLink="true">https://bulwarkblack.com/coruna-ios-exploit-kit-nation-state-spyware-tools-now-targeting-crypto-wallet-users/</guid><description>A powerful iOS exploit kit named “Coruna” has transitioned from elite surveillance operations to financially motivated cryptocurrency theft, signaling a dangerous shift in the mobile threat landscape. From Spyware Vendor to Cybercriminal Hands Google Threat Intelligence Group (GT</description><pubDate>Thu, 05 Mar 2026 21:03:49 GMT</pubDate><category>General CTI</category></item><item><title>UAT-9244: China-Nexus APT Deploys Three New Malware Implants Against South American Telecom Providers</title><link>https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/</link><guid isPermaLink="true">https://bulwarkblack.com/uat-9244-china-nexus-apt-deploys-three-new-malware-implants-against-south-american-telecom-providers/</guid><description>Cisco Talos has disclosed a new threat activity cluster, UAT-9244, assessed with high confidence to be a China-nexus advanced persistent threat (APT) actor closely associated with FamousSparrow and Tropic Trooper. Since 2024, the group has targeted critical telecommunications inf</description><pubDate>Thu, 05 Mar 2026 16:02:33 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Global Coalition Dismantles Tycoon 2FA Phishing Platform: 87 Million Emails, 330 Domains Seized</title><link>https://bulwarkblack.com/global-coalition-dismantles-tycoon-2fa-phishing-platform-87-million-emails-330-domains-seized/</link><guid isPermaLink="true">https://bulwarkblack.com/global-coalition-dismantles-tycoon-2fa-phishing-platform-87-million-emails-330-domains-seized/</guid><description>Microsoft, Europol, and a coalition of cybersecurity partners have dismantled Tycoon 2FA, one of the most prolific phishing-as-a-service (PhaaS) platforms ever documented, seizing 330 domains used for credential theft and multi-factor authentication bypass. The coordinated takedo</description><pubDate>Thu, 05 Mar 2026 02:03:33 GMT</pubDate><category>General CTI</category></item><item><title>Cisco Patches Two Max Severity Secure FMC Flaws Enabling Root Access</title><link>https://bulwarkblack.com/cisco-patches-two-max-severity-secure-fmc-flaws-enabling-root-access/</link><guid isPermaLink="true">https://bulwarkblack.com/cisco-patches-two-max-severity-secure-fmc-flaws-enabling-root-access/</guid><description>Cisco has released critical security updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software that could allow unauthenticated remote attackers to gain complete root access to affected systems. Critical Vulnerabilities Overvi</description><pubDate>Wed, 04 Mar 2026 21:03:05 GMT</pubDate><category>General CTI</category></item><item><title>Open-Source CyberStrikeAI Tool Weaponized in AI-Driven FortiGate Attacks Across 55 Countries</title><link>https://bulwarkblack.com/open-source-cyberstrikeai-tool-weaponized-in-ai-driven-fortigate-attacks-across-55-countries/</link><guid isPermaLink="true">https://bulwarkblack.com/open-source-cyberstrikeai-tool-weaponized-in-ai-driven-fortigate-attacks-across-55-countries/</guid><description>Team Cymru has revealed that threat actors behind the recent AI-assisted campaign targeting Fortinet FortiGate appliances leveraged an open-source, AI-native security testing platform called CyberStrikeAI to execute mass automated attacks, compromising over 600 devices across 55 </description><pubDate>Wed, 04 Mar 2026 16:03:59 GMT</pubDate><category>Threat Intelligence</category></item><item><title>Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613</title><link>https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/</link><guid isPermaLink="true">https://bulwarkblack.com/zerobot-malware-targets-n8n-automation-platform-first-active-exploitation-of-cve-2025-68613/</guid><description>Akamai SIRT discovers Zerobot botnet actively exploiting CVE-2025-68613 in n8n workflow automation platform, marking a shift from traditional IoT targeting to enterprise infrastructure.</description><pubDate>Wed, 04 Mar 2026 02:04:39 GMT</pubDate><category>Malware</category></item><item><title>Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2</title><link>https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/</link><guid isPermaLink="true">https://bulwarkblack.com/silver-dragon-apt-targets-southeast-asia-and-europe-using-geardoor-backdoor-with-google-drive-c2/</guid><description>Check Point Research has unveiled a sophisticated Chinese APT campaign dubbed Silver Dragon that has been actively targeting government entities and organizations across Southeast Asia and Europe since mid-2024. The threat actor operates within the umbrella of Chinese-nexus APT41</description><pubDate>Tue, 03 Mar 2026 21:03:12 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>APT28 Exploited CVE-2026-21513 MSHTML Zero-Day as Attack Vector Before February Patch Tuesday</title><link>https://bulwarkblack.com/apt28-exploited-cve-2026-21513-mshtml-zero-day-as-attack-vector-before-february-patch-tuesday/</link><guid isPermaLink="true">https://bulwarkblack.com/apt28-exploited-cve-2026-21513-mshtml-zero-day-as-attack-vector-before-february-patch-tuesday/</guid><description>Russia’s state-sponsored threat actor APT28 (also known as Fancy Bear) has been linked to active exploitation of CVE-2026-21513, a high-severity MSHTML zero-day vulnerability, before Microsoft released its patch in February 2026. This finding comes from new research published by </description><pubDate>Tue, 03 Mar 2026 16:03:32 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Malicious Go Crypto Module Steals Passwords and Deploys Rekoobe Backdoor</title><link>https://bulwarkblack.com/malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor/</link><guid isPermaLink="true">https://bulwarkblack.com/malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor/</guid><description>A sophisticated supply chain attack has been uncovered targeting Go developers through a malicious module that impersonates the legitimate golang.org/x/crypto library. The attack demonstrates how threat actors are increasingly exploiting namespace confusion to compromise develope</description><pubDate>Tue, 03 Mar 2026 02:03:31 GMT</pubDate><category>Malware</category></item><item><title>Fake Google Security Check Transforms Browser Into Surveillance Toolkit via PWA Installation</title><link>https://bulwarkblack.com/fake-google-security-check-transforms-browser-into-surveillance-toolkit-via-pwa-installation/</link><guid isPermaLink="true">https://bulwarkblack.com/fake-google-security-check-transforms-browser-into-surveillance-toolkit-via-pwa-installation/</guid><description>A sophisticated phishing campaign has been discovered that transforms web browsers into comprehensive surveillance platforms by masquerading as a Google Account security page. According to Malwarebytes researchers, this attack represents one of the most fully-featured browser-bas</description><pubDate>Mon, 02 Mar 2026 21:04:42 GMT</pubDate><category>General CTI</category></item><item><title>Russian Cyberattacks Shift to Intelligence Gathering for Missile Strike Guidance on Ukraine Power Grid</title><link>https://bulwarkblack.com/russian-cyberattacks-shift-to-intelligence-gathering-for-missile-strike-guidance-on-ukraine-power-grid/</link><guid isPermaLink="true">https://bulwarkblack.com/russian-cyberattacks-shift-to-intelligence-gathering-for-missile-strike-guidance-on-ukraine-power-grid/</guid><description>Russian cyberattacks targeting Ukraine’s energy infrastructure have shifted focus from immediate disruption to intelligence gathering for guiding missile strikes, Ukrainian cybersecurity officials revealed at the Kyiv International Cyber Resilience Forum. Strategic Shift in Attac</description><pubDate>Mon, 02 Mar 2026 02:03:27 GMT</pubDate><category>Operational Technology (OT)</category></item><item><title>Hackers Weaponize Claude Code AI to Steal 150GB from Mexican Government in Month-Long Campaign</title><link>https://bulwarkblack.com/hackers-weaponize-claude-code-ai-to-steal-150gb-from-mexican-government-in-month-long-campaign/</link><guid isPermaLink="true">https://bulwarkblack.com/hackers-weaponize-claude-code-ai-to-steal-150gb-from-mexican-government-in-month-long-campaign/</guid><description>In a disturbing escalation of AI-enabled cyber operations, hackers have weaponized Anthropic’s Claude Code AI assistant to develop exploits, create custom attack tools, and systematically exfiltrate more than 150GB of data from Mexican government systems, according to Israeli cyb</description><pubDate>Sun, 01 Mar 2026 16:03:56 GMT</pubDate><category>General CTI</category></item><item><title>Google Disrupts UNC2814 GRIDTIDE Campaign: Chinese APT Breaches 53 Organizations Across 42 Countries</title><link>https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/</link><guid isPermaLink="true">https://bulwarkblack.com/google-disrupts-unc2814-gridtide-campaign-chinese-apt-breaches-53-organizations-across-42-countries/</guid><description>Google has disclosed details of a massive disruption operation against UNC2814, a suspected China-nexus cyber espionage group that breached at least 53 organizations across 42 countries. The campaign, tracked as GRIDTIDE, represents one of the most far-reaching espionage operatio</description><pubDate>Sun, 01 Mar 2026 02:03:39 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>OpenAI Confirms ChatGPT Exploited by Chinese and Russian Threat Actors for Cyberattacks</title><link>https://bulwarkblack.com/openai-confirms-chatgpt-exploited-by-chinese-and-russian-threat-actors-for-cyberattacks/</link><guid isPermaLink="true">https://bulwarkblack.com/openai-confirms-chatgpt-exploited-by-chinese-and-russian-threat-actors-for-cyberattacks/</guid><description>OpenAI has confirmed that Chinese and Russian state-affiliated threat actors have been exploiting ChatGPT to support malicious cyber and influence operations, marking one of the first documented cases of adversaries weaponizing generative AI for tactical offensive cyber activitie</description><pubDate>Sat, 28 Feb 2026 21:04:02 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Operation Roar of the Lion: Israel Executes Largest Cyberattack in History Against Iran</title><link>https://bulwarkblack.com/operation-roar-of-the-lion-israel-executes-largest-cyberattack-in-history-against-iran/</link><guid isPermaLink="true">https://bulwarkblack.com/operation-roar-of-the-lion-israel-executes-largest-cyberattack-in-history-against-iran/</guid><description>In an unprecedented display of cyber warfare capability, Israel has executed what is being described as the largest cyberattack in history, plunging Iran into near-total digital darkness during a coordinated military operation on Saturday, February 28, 2026. Near-Total Internet B</description><pubDate>Sat, 28 Feb 2026 16:01:55 GMT</pubDate><category>General CTI</category></item><item><title>Steaelite RAT Bundles Ransomware and Data Theft in Single Web Panel for Double Extortion Attacks</title><link>https://bulwarkblack.com/steaelite-rat-bundles-ransomware-and-data-theft-in-single-web-panel-for-double-extortion-attacks/</link><guid isPermaLink="true">https://bulwarkblack.com/steaelite-rat-bundles-ransomware-and-data-theft-in-single-web-panel-for-double-extortion-attacks/</guid><description>A dangerous new remote access trojan called Steaelite RAT has emerged on cybercrime forums, offering attackers a unified platform for executing double extortion attacks with unprecedented efficiency. Unlike traditional attack chains that require separate tools for data theft and </description><pubDate>Sat, 28 Feb 2026 02:03:05 GMT</pubDate><category>Threat Intelligence</category></item><item><title>APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks</title><link>https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/</link><guid isPermaLink="true">https://bulwarkblack.com/apt37-ruby-jumper-campaign-north-korean-hackers-deploy-malware-arsenal-to-bridge-air-gapped-networks/</guid><description>Zscaler ThreatLabz has uncovered a sophisticated campaign by North Korean threat group APT37, introducing five new malware tools designed specifically to infiltrate and exfiltrate data from air-gapped systems through weaponized USB drives. Campaign Overview In December 2025, secu</description><pubDate>Fri, 27 Feb 2026 21:03:11 GMT</pubDate><category>North Korean Cyber Threat Intelligence</category></item><item><title>UAC-0050 Targets European Financial Institution in Strategic Phishing Campaign</title><link>https://bulwarkblack.com/uac-0050-targets-european-financial-institution-in-strategic-phishing-campaign/</link><guid isPermaLink="true">https://bulwarkblack.com/uac-0050-targets-european-financial-institution-in-strategic-phishing-campaign/</guid><description>Russia-aligned threat actor UAC-0050 has expanded operations beyond Ukraine, targeting a European financial institution involved in reconstruction efforts with a sophisticated multi-stage spear-phishing attack. Campaign Overview Security researchers at BlueVoyant have uncovered a</description><pubDate>Fri, 27 Feb 2026 16:03:13 GMT</pubDate><category>Threat Intelligence</category></item><item><title>Chinese APT Campaign Delivers PlugX RAT via G DATA Antivirus DLL Side-Loading</title><link>https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/</link><guid isPermaLink="true">https://bulwarkblack.com/chinese-apt-campaign-delivers-plugx-rat-via-g-data-antivirus-dll-side-loading/</guid><description>A sophisticated Chinese-aligned threat campaign has been observed delivering the PlugX Remote Access Trojan (RAT) through a clever abuse of legitimate G DATA antivirus components, according to new research from LAB52. The Attack Chain The infection begins with a spear-phishing em</description><pubDate>Fri, 27 Feb 2026 02:05:17 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks</title><link>https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/</link><guid isPermaLink="true">https://bulwarkblack.com/apt37-deploys-ruby-jumper-campaign-to-breach-air-gapped-networks/</guid><description>North Korean threat actor APT37 (Reaper) has expanded its arsenal with sophisticated new malware designed to compromise air-gapped networks — systems physically isolated from the internet that organizations use to protect their most sensitive data. Researchers at Zscaler ThreatLa</description><pubDate>Thu, 26 Feb 2026 21:01:38 GMT</pubDate><category>North Korean Cyber Threat Intelligence</category></item><item><title>DarkCloud Infostealer Emerges as Major Enterprise Threat: $30 Malware Delivers Scalable Credential Theft</title><link>https://bulwarkblack.com/darkcloud-infostealer-emerges-as-major-enterprise-threat-30-malware-delivers-scalable-credential-theft/</link><guid isPermaLink="true">https://bulwarkblack.com/darkcloud-infostealer-emerges-as-major-enterprise-threat-30-malware-delivers-scalable-credential-theft/</guid><description>The cybersecurity threat landscape is facing a growing challenge as infostealers continue to dominate the initial access ecosystem in 2026. Among the latest threats drawing serious attention is DarkCloud, a commercially available credential-harvesting malware that proves even low</description><pubDate>Thu, 26 Feb 2026 16:02:42 GMT</pubDate><category>Malware</category></item><item><title>Diesel Vortex: Russian Cybercrime Group Steals 1,600+ Credentials From Global Logistics Sector</title><link>https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/</link><guid isPermaLink="true">https://bulwarkblack.com/diesel-vortex-russian-cybercrime-group-steals-1600-credentials-from-global-logistics-sector/</guid><description>A Russian-linked cybercrime group dubbed Diesel Vortex has been systematically targeting the global freight and logistics industry, stealing over 1,600 unique login credentials from users of major logistics platforms in a sophisticated phishing campaign that ran from September 20</description><pubDate>Thu, 26 Feb 2026 02:04:05 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Cisco Talos Exposes Three-Year Campaign: UAT-8616 Exploits SD-WAN Zero-Day for Critical Infrastructure Access</title><link>https://bulwarkblack.com/cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access/</link><guid isPermaLink="true">https://bulwarkblack.com/cisco-talos-exposes-three-year-campaign-uat-8616-exploits-sd-wan-zero-day-for-critical-infrastructure-access/</guid><description>Cisco Talos has disclosed the active exploitation of CVE-2026-20127, a critical zero-day vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart), by a highly sophisticated threat actor tracked as UAT-8616. The campaign, which dates back at least three years, targets c</description><pubDate>Wed, 25 Feb 2026 21:03:36 GMT</pubDate><category>General CTI</category></item><item><title>North Korean Lazarus Group Adopts Medusa Ransomware in Global Extortion Campaign</title><link>https://bulwarkblack.com/north-korean-lazarus-group-adopts-medusa-ransomware-in-global-extortion-campaign/</link><guid isPermaLink="true">https://bulwarkblack.com/north-korean-lazarus-group-adopts-medusa-ransomware-in-global-extortion-campaign/</guid><description>North Korean cyber operations are crossing a significant threshold into commercial ransomware markets, demonstrating an intensified focus on direct financial gains. Recent intelligence from Symantec and Carbon Black Threat Hunter Team reveals the notorious state-backed Lazarus Gr</description><pubDate>Wed, 25 Feb 2026 16:04:45 GMT</pubDate><category>North Korean Cyber Threat Intelligence</category></item><item><title>APT31’s Multi-Year Cyber Espionage Campaign Against Czech Ministry of Foreign Affairs</title><link>https://bulwarkblack.com/apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs/</link><guid isPermaLink="true">https://bulwarkblack.com/apt31s-multi-year-cyber-espionage-campaign-against-czech-ministry-of-foreign-affairs/</guid><description>The Czech Republic has publicly attributed a sophisticated multi-year cyber intrusion to Chinese state-sponsored group APT31 (also known as Zirconium or Judgment Panda), marking one of the most significant national attribution cases in European cyber defense history. The Campaign</description><pubDate>Wed, 25 Feb 2026 02:02:30 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>APT28 Deploys Operation MacroMaze: Webhook-Based Macro Malware Targets European Entities</title><link>https://bulwarkblack.com/apt28-deploys-operation-macromaze-webhook-based-macro-malware-targets-european-entities/</link><guid isPermaLink="true">https://bulwarkblack.com/apt28-deploys-operation-macromaze-webhook-based-macro-malware-targets-european-entities/</guid><description>Russia-linked APT28 (also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has launched a sophisticated espionage campaign targeting entities across Western and Central Europe. The operation, codenamed Operation MacroMaze by S2 Grupo’s LAB52 threat</description><pubDate>Tue, 24 Feb 2026 21:05:38 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Chinese APT UnsolicitedBooker Deploys LuciDoor and MarsSnake Backdoors Against Central Asian Telecoms</title><link>https://bulwarkblack.com/chinese-apt-unsolicitedbooker-deploys-lucidoor-and-marssnake-backdoors-against-central-asian-telecoms/</link><guid isPermaLink="true">https://bulwarkblack.com/chinese-apt-unsolicitedbooker-deploys-lucidoor-and-marssnake-backdoors-against-central-asian-telecoms/</guid><description>A China-aligned threat actor known as UnsolicitedBooker has expanded its targeting to telecommunications companies in Kyrgyzstan and Tajikistan, deploying two sophisticated backdoors—LuciDoor and MarsSnake—in a series of espionage campaigns documented by Positive Technologies res</description><pubDate>Tue, 24 Feb 2026 16:03:09 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>AI-Augmented Attack: Russian-Speaking Cybercriminals Compromise 600+ FortiGate Firewalls</title><link>https://bulwarkblack.com/ai-augmented-attack-russian-speaking-cybercriminals-compromise-600-fortigate-firewalls/</link><guid isPermaLink="true">https://bulwarkblack.com/ai-augmented-attack-russian-speaking-cybercriminals-compromise-600-fortigate-firewalls/</guid><description>A Russian-speaking cybercrime group has compromised more than 600 internet-exposed FortiGate firewalls across 55 countries in just over a month, leveraging off-the-shelf generative AI tools to automate and scale their operations, according to a new incident report from AWS. Attac</description><pubDate>Tue, 24 Feb 2026 02:02:45 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>APT28 Targets European Entities with Operation MacroMaze Webhook Malware Campaign</title><link>https://bulwarkblack.com/apt28-targets-european-entities-with-operation-macromaze-webhook-malware-campaign/</link><guid isPermaLink="true">https://bulwarkblack.com/apt28-targets-european-entities-with-operation-macromaze-webhook-malware-campaign/</guid><description>Russia’s notorious state-sponsored threat actor APT28 (also known as Fancy Bear) has been attributed to a sophisticated new campaign targeting organizations across Western and Central Europe. According to S2 Grupo’s LAB52 threat intelligence team, the campaign—codenamed Operation</description><pubDate>Mon, 23 Feb 2026 21:01:39 GMT</pubDate><category>General CTI</category></item><item><title>Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors</title><link>https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/</link><guid isPermaLink="true">https://bulwarkblack.com/unit-42-exposes-active-exploitation-of-beyondtrust-cve-2026-1731-with-vshell-and-sparkrat-backdoors/</guid><description>Palo Alto Networks’ Unit 42 has uncovered an active exploitation campaign targeting BeyondTrust Remote Support and Privileged Remote Access appliances through CVE-2026-1731, a critical pre-authentication remote code execution vulnerability with a CVSS score of 9.9. The attacks ha</description><pubDate>Mon, 23 Feb 2026 16:03:10 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Chinese APT Exploited Dell RecoverPoint Zero-Day for 18 Months Before Discovery</title><link>https://bulwarkblack.com/chinese-apt-exploited-dell-recoverpoint-zero-day-for-18-months-before-discovery/</link><guid isPermaLink="true">https://bulwarkblack.com/chinese-apt-exploited-dell-recoverpoint-zero-day-for-18-months-before-discovery/</guid><description>A suspected China-linked cyberespionage group has been covertly exploiting a critical zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines (CVE-2026-22769) since at least mid-2024, according to new research from Google’s Threat Intelligence Group (GTIG) and Mandiant</description><pubDate>Mon, 23 Feb 2026 02:03:18 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Remcos RAT Evolves with Real-Time Webcam Streaming and Live Keylogging Capabilities</title><link>https://bulwarkblack.com/remcos-rat-evolves-with-real-time-webcam-streaming-and-live-keylogging-capabilities/</link><guid isPermaLink="true">https://bulwarkblack.com/remcos-rat-evolves-with-real-time-webcam-streaming-and-live-keylogging-capabilities/</guid><description>A newly observed variant of Remcos RAT has introduced significant upgrades to its surveillance arsenal, marking a dangerous evolution in how this remote access trojan operates on compromised Windows systems. From Storage to Streaming According to Infosecurity Magazine, the update</description><pubDate>Sun, 22 Feb 2026 21:03:16 GMT</pubDate><category>Malware</category></item><item><title>CVE-2026-20841: Windows Notepad RCE Vulnerability Weaponized with Public PoC Exploit</title><link>https://bulwarkblack.com/cve-2026-20841-windows-notepad-rce-vulnerability-weaponized-with-public-poc-exploit/</link><guid isPermaLink="true">https://bulwarkblack.com/cve-2026-20841-windows-notepad-rce-vulnerability-weaponized-with-public-poc-exploit/</guid><description>A high-severity remote code execution (RCE) vulnerability in Microsoft’s modern Windows Notepad application has been patched as part of the February 2026 Patch Tuesday release—but security researchers have already published a working proof-of-concept exploit on GitHub, raising co</description><pubDate>Sun, 22 Feb 2026 16:01:18 GMT</pubDate><category>Threat Intelligence</category></item><item><title>SANDWORMMODE: Self-Replicating npm Worm Steals Dev Secrets and Targets AI Coding Tools</title><link>https://bulwarkblack.com/sandwormmode-self-replicating-npm-worm-steals-dev-secrets-and-targets-ai-coding-tools/</link><guid isPermaLink="true">https://bulwarkblack.com/sandwormmode-self-replicating-npm-worm-steals-dev-secrets-and-targets-ai-coding-tools/</guid><description>A sophisticated supply chain worm dubbed SANDWORMMODE is actively targeting the npm ecosystem, compromising at least 19 malicious packages designed to steal developer credentials and CI/CD secrets while automatically spreading across repositories and workflows. Researchers at Soc</description><pubDate>Sat, 21 Feb 2026 21:01:37 GMT</pubDate><category>Malware</category></item><item><title>Starkiller: New Commercial-Grade Phishing Kit Bypasses MFA with Live Site Proxying</title><link>https://bulwarkblack.com/starkiller-new-commercial-grade-phishing-kit-bypasses-mfa-with-live-site-proxying/</link><guid isPermaLink="true">https://bulwarkblack.com/starkiller-new-commercial-grade-phishing-kit-bypasses-mfa-with-live-site-proxying/</guid><description>A newly uncovered phishing kit allows cybercriminals to steal credentials with a sophisticated toolkit that spoofs live login pages and bypasses multi-factor authentication (MFA) protections, cybersecurity analysts at Abnormal Security have warned. Dubbed Starkiller, the phishing</description><pubDate>Sat, 21 Feb 2026 16:30:20 GMT</pubDate><category>Threat Intelligence</category></item><item><title>IDMerit Exposes One Billion Personal Records in Massive KYC Database Leak</title><link>https://bulwarkblack.com/idmerit-exposes-one-billion-personal-records-in-massive-kyc-database-leak/</link><guid isPermaLink="true">https://bulwarkblack.com/idmerit-exposes-one-billion-personal-records-in-massive-kyc-database-leak/</guid><description>Digital identity verification provider IDMerit inadvertently exposed more than one billion personal records across 26 countries after leaving a database unsecured and accessible on the public internet, according to research by Cybernews. Scale of the Exposure The exposed MongoDB </description><pubDate>Sat, 21 Feb 2026 16:03:49 GMT</pubDate><category>General CTI</category></item><item><title>Facebook Malvertising Campaign Uses Fake Windows 11 Pages to Deploy Credential-Stealing Malware</title><link>https://bulwarkblack.com/facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware/</link><guid isPermaLink="true">https://bulwarkblack.com/facebook-malvertising-campaign-uses-fake-windows-11-pages-to-deploy-credential-stealing-malware/</guid><description>Attackers are running a sophisticated malvertising campaign that leverages paid Facebook ads to distribute credential-stealing malware disguised as official Windows 11 updates. The campaign uses convincing fake Microsoft download pages and includes multiple technical countermeasu</description><pubDate>Sat, 21 Feb 2026 02:03:27 GMT</pubDate><category>Malware</category></item><item><title>AI-Fueled Supply Chain Attacks Surge in Asia-Pacific: Group-IB Report Exposes Self-Reinforcing Cybercrime Ecosystem</title><link>https://bulwarkblack.com/ai-fueled-supply-chain-attacks-surge-in-asia-pacific-group-ib-report-exposes-self-reinforcing-cybercrime-ecosystem/</link><guid isPermaLink="true">https://bulwarkblack.com/ai-fueled-supply-chain-attacks-surge-in-asia-pacific-group-ib-report-exposes-self-reinforcing-cybercrime-ecosystem/</guid><description>Supply chain cyber attacks are reshaping the threat landscape across Asia-Pacific, as criminals and state-aligned groups increasingly use trusted vendors, software components, and service providers as entry points into broader networks, according to Group-IB’s High-Tech Crime Tre</description><pubDate>Fri, 20 Feb 2026 21:04:20 GMT</pubDate><category>General CTI</category></item><item><title>287 Chrome Extensions Caught Exfiltrating Browsing History from 37.4 Million Users</title><link>https://bulwarkblack.com/287-chrome-extensions-caught-exfiltrating-browsing-history-from-37-4-million-users/</link><guid isPermaLink="true">https://bulwarkblack.com/287-chrome-extensions-caught-exfiltrating-browsing-history-from-37-4-million-users/</guid><description>A massive data exfiltration operation involving 287 Chrome extensions that secretly steal browsing history from approximately 37.4 million users worldwide has been uncovered by security researcher Q Continuum (alias qcontinuum1). The discovery represents roughly one percent of th</description><pubDate>Fri, 20 Feb 2026 16:04:41 GMT</pubDate><category>General CTI</category></item><item><title>Kimwolf Botnet Swamps I2P Anonymity Network in Massive Sybil Attack</title><link>https://bulwarkblack.com/kimwolf-botnet-swamps-i2p-anonymity-network-in-massive-sybil-attack/</link><guid isPermaLink="true">https://bulwarkblack.com/kimwolf-botnet-swamps-i2p-anonymity-network-in-massive-sybil-attack/</guid><description>The massive Kimwolf IoT botnet has caused significant disruptions to The Invisible Internet Project (I2P), a decentralized privacy network, after botnet operators accidentally overwhelmed the system while attempting to use it for command-and-control evasion. The Attack According </description><pubDate>Fri, 20 Feb 2026 02:04:30 GMT</pubDate><category>Malware</category></item><item><title>Russian Threat Actor Deploys CANFAIL Malware Against Ukrainian Organizations</title><link>https://bulwarkblack.com/russian-threat-actor-deploys-canfail-malware-against-ukrainian-organizations/</link><guid isPermaLink="true">https://bulwarkblack.com/russian-threat-actor-deploys-canfail-malware-against-ukrainian-organizations/</guid><description>Google Threat Intelligence Group (GTIG) has uncovered a new threat actor possibly affiliated with Russian intelligence services that has been systematically targeting Ukrainian organizations with a sophisticated malware strain known as CANFAIL. Target Profile The threat group has</description><pubDate>Thu, 19 Feb 2026 21:02:43 GMT</pubDate><category>Malware</category></item><item><title>ClawHavoc Supply Chain Attack Poisons OpenClaw ClawHub With 1,184 Malicious AI Agent Skills</title><link>https://bulwarkblack.com/clawhavoc-supply-chain-attack-poisons-openclaw-clawhub-with-1184-malicious-ai-agent-skills/</link><guid isPermaLink="true">https://bulwarkblack.com/clawhavoc-supply-chain-attack-poisons-openclaw-clawhub-with-1184-malicious-ai-agent-skills/</guid><description>A massive supply chain attack dubbed ClawHavoc has compromised ClawHub, the official skill marketplace for OpenClaw, an open-source AI agent platform formerly known as ClawdBot and Moltbot. Researchers have uncovered at least 1,184 malicious “Skills”—plugin-style packages that ex</description><pubDate>Thu, 19 Feb 2026 16:05:12 GMT</pubDate><category>Malware</category></item><item><title>Adidas Investigates Third-Party Data Breach as Lapsus$ Claims 815,000 Records Stolen</title><link>https://bulwarkblack.com/adidas-investigates-third-party-data-breach-as-lapsus-claims-815000-records-stolen/</link><guid isPermaLink="true">https://bulwarkblack.com/adidas-investigates-third-party-data-breach-as-lapsus-claims-815000-records-stolen/</guid><description>Adidas has confirmed it is actively investigating a data breach at one of its independent licensing partners after threat actors claiming to be the Lapsus$ Group posted allegedly stolen data on BreachForums. The incident highlights the ongoing risks posed by third-party vendor re</description><pubDate>Thu, 19 Feb 2026 02:04:06 GMT</pubDate><category>Threat Intelligence</category></item><item><title>Check Point Reveals AI Assistants Can Be Weaponized as Stealthy C2 Proxies for Malware</title><link>https://bulwarkblack.com/check-point-reveals-ai-assistants-can-be-weaponized-as-stealthy-c2-proxies-for-malware/</link><guid isPermaLink="true">https://bulwarkblack.com/check-point-reveals-ai-assistants-can-be-weaponized-as-stealthy-c2-proxies-for-malware/</guid><description>Security researchers at Check Point have uncovered a concerning new attack vector: threat actors can abuse AI assistants like Microsoft Copilot and xAI’s Grok to create covert command-and-control (C2) communication channels that evade traditional security tools. The proof-of-conc</description><pubDate>Wed, 18 Feb 2026 21:04:36 GMT</pubDate><category>General CTI</category></item><item><title>Threat Actors Abuse Atlassian Jira Cloud to Bypass Email Security and Target Government Entities</title><link>https://bulwarkblack.com/threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities/</link><guid isPermaLink="true">https://bulwarkblack.com/threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities/</guid><description>Trend Micro researchers have uncovered a sophisticated spam campaign that weaponizes Atlassian Jira Cloud’s trusted infrastructure to bypass traditional email security controls and target government and corporate entities worldwide. The campaign, active from late December 2025 th</description><pubDate>Wed, 18 Feb 2026 16:04:31 GMT</pubDate><category>Threat Intelligence</category></item><item><title>2026 Unit 42 Global Incident Response Report: Attacks Now 4x Faster with AI-Accelerated Intrusions</title><link>https://bulwarkblack.com/2026-unit-42-global-incident-response-report-attacks-now-4x-faster-with-ai-accelerated-intrusions/</link><guid isPermaLink="true">https://bulwarkblack.com/2026-unit-42-global-incident-response-report-attacks-now-4x-faster-with-ai-accelerated-intrusions/</guid><description>Palo Alto Networks’ Unit 42 has released their 2026 Global Incident Response Report, analyzing over 750 major cyber incidents across 50+ countries. The findings paint a stark picture of an evolving threat landscape where attacks are faster, broader, and harder to contain than eve</description><pubDate>Wed, 18 Feb 2026 02:03:32 GMT</pubDate><category>General CTI</category></item><item><title>LockBit 5.0 Ransomware Emerges: Cross-Platform Threat Targeting Windows, Linux, and ESXi Systems</title><link>https://bulwarkblack.com/lockbit-5-0-ransomware-emerges-cross-platform-threat-targeting-windows-linux-and-esxi-systems/</link><guid isPermaLink="true">https://bulwarkblack.com/lockbit-5-0-ransomware-emerges-cross-platform-threat-targeting-windows-linux-and-esxi-systems/</guid><description>The Acronis Threat Research Unit (TRU) has identified a significantly enhanced version of the notorious LockBit ransomware, designated LockBit 5.0, actively being deployed in campaigns against enterprise environments. The latest variant introduces expanded cross-platform capabili</description><pubDate>Tue, 17 Feb 2026 21:03:56 GMT</pubDate><category>Threat Intelligence</category></item><item><title>ManoMano Data Breach Exposes 37.8 Million Customer Records via Zendesk Third-Party Compromise</title><link>https://bulwarkblack.com/manomano-data-breach-exposes-37-8-million-customer-records-via-zendesk-third-party-compromise/</link><guid isPermaLink="true">https://bulwarkblack.com/manomano-data-breach-exposes-37-8-million-customer-records-via-zendesk-third-party-compromise/</guid><description>European home improvement marketplace ManoMano has confirmed a massive data breach affecting 37.8 million customer accounts after hackers compromised a third-party customer service provider. The breach, which surfaced on cybercriminal forum BreachForums, represents one of the lar</description><pubDate>Tue, 17 Feb 2026 16:04:45 GMT</pubDate><category>General CTI</category></item><item><title>NexShield Fake Ad Blocker Uses CrashFix Attack to Deliver ModeloRAT Malware</title><link>https://bulwarkblack.com/nexshield-fake-ad-blocker-uses-crashfix-attack-to-deliver-modelorat-malware/</link><guid isPermaLink="true">https://bulwarkblack.com/nexshield-fake-ad-blocker-uses-crashfix-attack-to-deliver-modelorat-malware/</guid><description>Security researchers at Huntress have uncovered a sophisticated new malware campaign that weaponizes browser stability against users. The attack, dubbed CrashFix, represents an evolution of the notorious ClickFix social engineering technique—but with a dangerous twist: instead of</description><pubDate>Tue, 17 Feb 2026 02:03:31 GMT</pubDate><category>Malware</category></item><item><title>CVE-2026-20700: Apple Patches First Zero-Day of 2026 After Extremely Sophisticated Targeted Attacks</title><link>https://bulwarkblack.com/cve-2026-20700-apple-patches-first-zero-day-of-2026-after-extremely-sophisticated-targeted-attacks/</link><guid isPermaLink="true">https://bulwarkblack.com/cve-2026-20700-apple-patches-first-zero-day-of-2026-after-extremely-sophisticated-targeted-attacks/</guid><description>Apple has released emergency security updates to patch a zero-day vulnerability that was actively exploited in what the company describes as “extremely sophisticated” attacks targeting specific individuals. Technical Details The vulnerability, tracked as CVE-2026-20700, is an arb</description><pubDate>Mon, 16 Feb 2026 21:04:09 GMT</pubDate><category>Threat Intelligence</category></item><item><title>CVE-2026-2441: Google Patches First Actively Exploited Chrome Zero-Day of 2026</title><link>https://bulwarkblack.com/cve-2026-2441-google-patches-first-actively-exploited-chrome-zero-day-of-2026/</link><guid isPermaLink="true">https://bulwarkblack.com/cve-2026-2441-google-patches-first-actively-exploited-chrome-zero-day-of-2026/</guid><description>Google has released an emergency security update for Chrome to address CVE-2026-2441, a high-severity use-after-free vulnerability that is already being exploited in the wild. This marks the first actively exploited zero-day in Chrome that Google has patched in 2026, underscoring</description><pubDate>Mon, 16 Feb 2026 16:03:17 GMT</pubDate><category>Threat Intelligence</category></item><item><title>Physical Mail Phishing Targets Trezor and Ledger Users: Attackers Use QR Codes to Steal Recovery Phrases</title><link>https://bulwarkblack.com/physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases/</link><guid isPermaLink="true">https://bulwarkblack.com/physical-mail-phishing-targets-trezor-and-ledger-users-attackers-use-qr-codes-to-steal-recovery-phrases/</guid><description>A new phishing campaign is targeting cryptocurrency hardware wallet users through an unusual vector: physical mail. Threat actors are sending fake letters impersonating Trezor and Ledger security teams, attempting to trick users into surrendering their wallet recovery phrases. Th</description><pubDate>Mon, 16 Feb 2026 02:02:54 GMT</pubDate><category>Social Engineering</category></item><item><title>OysterLoader: Sophisticated Multi-Stage Malware Loader Linked to Rhysida Ransomware Campaigns</title><link>https://bulwarkblack.com/oysterloader-sophisticated-multi-stage-malware-loader-linked-to-rhysida-ransomware-campaigns/</link><guid isPermaLink="true">https://bulwarkblack.com/oysterloader-sophisticated-multi-stage-malware-loader-linked-to-rhysida-ransomware-campaigns/</guid><description>A highly sophisticated malware loader known as OysterLoader has emerged as a significant cybersecurity threat, employing advanced multi-layer obfuscation techniques to evade detection while delivering dangerous payloads including Rhysida ransomware and the widespread Vidar infost</description><pubDate>Sun, 15 Feb 2026 21:02:59 GMT</pubDate><category>Malware</category></item><item><title>Microsoft Exposes DNS-Based ClickFix Attack: Nslookup Commands Used for Stealth Malware Staging</title><link>https://bulwarkblack.com/microsoft-exposes-dns-based-clickfix-attack-nslookup-commands-used-for-stealth-malware-staging/</link><guid isPermaLink="true">https://bulwarkblack.com/microsoft-exposes-dns-based-clickfix-attack-nslookup-commands-used-for-stealth-malware-staging/</guid><description>Microsoft has disclosed a sophisticated new variant of the ClickFix social engineering attack that weaponizes the Windows nslookup command to stage malware through DNS queries, enabling attackers to bypass traditional web-based detection mechanisms. Attack Methodology This DNS-ba</description><pubDate>Sun, 15 Feb 2026 16:04:54 GMT</pubDate><category>General CTI</category></item><item><title>CVE-2026-21510: Windows Shell Zero-Day Exploited in the Wild to Bypass SmartScreen Protections</title><link>https://bulwarkblack.com/cve-2026-21510-windows-shell-zero-day-exploited-in-the-wild-to-bypass-smartscreen-protections/</link><guid isPermaLink="true">https://bulwarkblack.com/cve-2026-21510-windows-shell-zero-day-exploited-in-the-wild-to-bypass-smartscreen-protections/</guid><description>Microsoft’s February 2026 Patch Tuesday revealed a critical zero-day vulnerability affecting Windows Shell that attackers are actively exploiting to bypass security protections. CVE-2026-21510 carries a CVSS score of 8.8 and allows threat actors to circumvent Windows SmartScreen </description><pubDate>Sun, 15 Feb 2026 02:02:46 GMT</pubDate><category>General CTI</category></item><item><title>CVE-2026-1731: Critical BeyondTrust Remote Support Vulnerability Under Active Exploitation</title><link>https://bulwarkblack.com/cve-2026-1731-critical-beyondtrust-remote-support-vulnerability-under-active-exploitation/</link><guid isPermaLink="true">https://bulwarkblack.com/cve-2026-1731-critical-beyondtrust-remote-support-vulnerability-under-active-exploitation/</guid><description>A critical pre-authentication command injection vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) is now being actively exploited in the wild, with threat actors targeting self-hosted deployments including legacy Bomgar appliances. Vulnerability </description><pubDate>Sat, 14 Feb 2026 21:05:43 GMT</pubDate><category>General CTI</category></item><item><title>DockerDash: Critical AI Assistant Flaw Enabled Code Execution via Malicious Image Metadata</title><link>https://bulwarkblack.com/dockerdash-critical-ai-assistant-flaw-enabled-code-execution-via-malicious-image-metadata/</link><guid isPermaLink="true">https://bulwarkblack.com/dockerdash-critical-ai-assistant-flaw-enabled-code-execution-via-malicious-image-metadata/</guid><description>Cybersecurity researchers at Noma Labs have disclosed details of a critical vulnerability in Ask Gordon, Docker’s AI assistant integrated into Docker Desktop and the Docker CLI. The flaw, codenamed DockerDash, could have been exploited to execute arbitrary code and exfiltrate sen</description><pubDate>Sat, 14 Feb 2026 16:02:57 GMT</pubDate><category>Threat Intelligence</category></item><item><title>Critical Unstructured.io Vulnerability CVE-2025-64712 Threatens AI Pipelines at Amazon, Google, and Fortune 1000 Enterprises</title><link>https://bulwarkblack.com/critical-unstructured-io-vulnerability-cve-2025-64712-threatens-ai-pipelines-at-amazon-google-and-fortune-1000-enterprises/</link><guid isPermaLink="true">https://bulwarkblack.com/critical-unstructured-io-vulnerability-cve-2025-64712-threatens-ai-pipelines-at-amazon-google-and-fortune-1000-enterprises/</guid><description>A critical vulnerability (CVE-2025-64712) discovered in Unstructured.io, a widely deployed ETL library for AI data processing, exposes Amazon, Google, Bank of America, and 87% of Fortune 1000 companies to remote code execution attacks. The Vulnerability: CVSS 9.8 Path Traversal L</description><pubDate>Sat, 14 Feb 2026 02:03:25 GMT</pubDate><category>General CTI</category></item><item><title>XWorm RAT Campaign Exploits 7-Year-Old Office Vulnerability with Fileless Techniques</title><link>https://bulwarkblack.com/xworm-rat-campaign-exploits-7-year-old-office-vulnerability-with-fileless-techniques/</link><guid isPermaLink="true">https://bulwarkblack.com/xworm-rat-campaign-exploits-7-year-old-office-vulnerability-with-fileless-techniques/</guid><description>Fortinet researchers have uncovered a new phishing campaign delivering the XWorm remote access trojan (RAT) by chaining a years-old Microsoft Office vulnerability with fileless execution techniques to evade detection. The Attack Chain The campaign uses business-themed phishing em</description><pubDate>Fri, 13 Feb 2026 21:02:51 GMT</pubDate><category>General CTI</category></item><item><title>Google Blocks Massive Model Extraction Campaign Targeting Gemini AI with 100,000+ Malicious Prompts</title><link>https://bulwarkblack.com/google-blocks-massive-model-extraction-campaign-targeting-gemini-ai-with-100000-malicious-prompts/</link><guid isPermaLink="true">https://bulwarkblack.com/google-blocks-massive-model-extraction-campaign-targeting-gemini-ai-with-100000-malicious-prompts/</guid><description>Google has revealed it detected and blocked a sophisticated campaign involving more than 100,000 prompts designed to extract the proprietary reasoning capabilities of its Gemini AI model, according to the Google Threat Intelligence Group’s latest quarterly threat report. The Grow</description><pubDate>Fri, 13 Feb 2026 16:03:33 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Metro4Shell: Critical React Native CLI Vulnerability Actively Exploited to Deploy Malware</title><link>https://bulwarkblack.com/metro4shell-critical-react-native-cli-vulnerability-actively-exploited-to-deploy-malware/</link><guid isPermaLink="true">https://bulwarkblack.com/metro4shell-critical-react-native-cli-vulnerability-actively-exploited-to-deploy-malware/</guid><description>Threat actors are actively exploiting a critical remote code execution vulnerability in the popular @react-native-community/cli npm package, impacting countless mobile application developers worldwide. The Vulnerability: CVE-2025-11953 Dubbed Metro4Shell, this critical vulnerabil</description><pubDate>Fri, 13 Feb 2026 02:05:28 GMT</pubDate><category>General CTI</category></item><item><title>AiFrame Campaign: 30 Fake AI Chrome Extensions with 300K Users Steal Credentials, Gmail Content</title><link>https://bulwarkblack.com/aiframe-campaign-30-fake-ai-chrome-extensions-with-300k-users-steal-credentials-gmail-content/</link><guid isPermaLink="true">https://bulwarkblack.com/aiframe-campaign-30-fake-ai-chrome-extensions-with-300k-users-steal-credentials-gmail-content/</guid><description>Researchers at browser security platform LayerX have uncovered a coordinated malware campaign dubbed “AiFrame” involving 30 malicious Chrome extensions installed by more than 300,000 users. The extensions masquerade as AI assistants while secretly stealing credentials, email cont</description><pubDate>Thu, 12 Feb 2026 21:03:21 GMT</pubDate><category>Malware</category></item><item><title>Phorpiex Botnet Resurfaces: Phishing Campaign Delivers Offline-Capable Global Group Ransomware</title><link>https://bulwarkblack.com/phorpiex-botnet-resurfaces-phishing-campaign-delivers-offline-capable-global-group-ransomware/</link><guid isPermaLink="true">https://bulwarkblack.com/phorpiex-botnet-resurfaces-phishing-campaign-delivers-offline-capable-global-group-ransomware/</guid><description>A new phishing campaign leveraging the infamous Phorpiex botnet has been observed distributing Global Group ransomware through weaponized Windows shortcut (.LNK) files, according to a new advisory from Forcepoint X-Labs. The Attack Chain The campaign uses phishing emails with the</description><pubDate>Thu, 12 Feb 2026 16:03:17 GMT</pubDate><category>Malware</category></item><item><title>Cybercriminals Weaponize ChatGPT and Grok to Distribute AMOS Stealer on macOS</title><link>https://bulwarkblack.com/cybercriminals-weaponize-chatgpt-and-grok-to-distribute-amos-stealer-on-macos/</link><guid isPermaLink="true">https://bulwarkblack.com/cybercriminals-weaponize-chatgpt-and-grok-to-distribute-amos-stealer-on-macos/</guid><description>A sophisticated attack campaign is exploiting user trust in artificial intelligence platforms to distribute the Atomic macOS Stealer (AMOS), representing a dangerous evolution in social engineering tactics that combines legitimate AI chatbot services with paid Google advertising.</description><pubDate>Thu, 12 Feb 2026 02:04:53 GMT</pubDate><category>Malware</category></item><item><title>XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection</title><link>https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/</link><guid isPermaLink="true">https://bulwarkblack.com/xworm-rat-campaign-exploits-cve-2018-0802-in-multi-language-phishing-attacks-using-fileless-injection/</guid><description>FortiGuard Labs has uncovered a sophisticated phishing campaign delivering XWorm version 7.2, a multi-functional Remote Access Trojan (RAT) that provides attackers with full remote control of compromised Windows systems. Campaign Overview The campaign utilizes multiple phishing e</description><pubDate>Wed, 11 Feb 2026 21:02:35 GMT</pubDate><category>Malware</category></item><item><title>Google Warns of Sustained Russia and China Cyberattacks Targeting Defense Industrial Base</title><link>https://bulwarkblack.com/google-warns-of-sustained-russia-and-china-cyberattacks-targeting-defense-industrial-base/</link><guid isPermaLink="true">https://bulwarkblack.com/google-warns-of-sustained-russia-and-china-cyberattacks-targeting-defense-industrial-base/</guid><description>Google Threat Intelligence Group (GTIG) has published a comprehensive report revealing persistent cyber operations targeting the defense industrial base (DIB) from Russia and China-linked threat actors. The findings detail how state-sponsored hackers are exploiting everything fro</description><pubDate>Wed, 11 Feb 2026 16:03:52 GMT</pubDate><category>General CTI</category></item><item><title>WormGPT Database Breach Exposes 19,000 Cybercriminal Users and Billing Data</title><link>https://bulwarkblack.com/wormgpt-database-breach-exposes-19000-cybercriminal-users-and-billing-data/</link><guid isPermaLink="true">https://bulwarkblack.com/wormgpt-database-breach-exposes-19000-cybercriminal-users-and-billing-data/</guid><description>A threat actor has leaked the complete WormGPT database, exposing over 19,000 users of the notorious cybercrime AI platform along with their email addresses, billing data, and subscription information.</description><pubDate>Wed, 11 Feb 2026 02:02:56 GMT</pubDate><category>Threat Intelligence</category></item><item><title>Chinese APT UNC3886 Breaches Singapore’s Four Largest Telcos in Coordinated Espionage Campaign</title><link>https://bulwarkblack.com/chinese-apt-unc3886-breaches-singapores-four-largest-telcos-in-coordinated-espionage-campaign/</link><guid isPermaLink="true">https://bulwarkblack.com/chinese-apt-unc3886-breaches-singapores-four-largest-telcos-in-coordinated-espionage-campaign/</guid><description>Singapore’s government has officially confirmed that a sophisticated Chinese cyber-espionage group breached all four of the nation’s largest telecommunications providers in a coordinated campaign that exploited zero-day vulnerabilities and deployed advanced persistence mechanisms</description><pubDate>Tue, 10 Feb 2026 21:02:21 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives</title><link>https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/</link><guid isPermaLink="true">https://bulwarkblack.com/bluenoroffs-ghostcall-and-ghosthire-campaigns-use-stolen-victim-videos-to-compromise-crypto-executives/</guid><description>North Korean threat actor BlueNoroff (also known as Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444) has launched two sophisticated campaigns—GhostCall and GhostHire—targeting cryptocurrency executives, blockchain developers, and venture capital professionals</description><pubDate>Tue, 10 Feb 2026 16:02:30 GMT</pubDate><category>North Korean Cyber Threat Intelligence</category></item><item><title>APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor</title><link>https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/</link><guid isPermaLink="true">https://bulwarkblack.com/apt28-exploits-cve-2026-21509-in-operation-neusploit-stealing-emails-with-minidoor-backdoor/</guid><description>Russia’s infamous APT28 (Fancy Bear/Forest Blizzard) threat group has weaponized a recently patched Microsoft Office vulnerability in just three days, launching a sophisticated espionage campaign dubbed Operation Neusploit targeting government and diplomatic entities across Centr</description><pubDate>Tue, 10 Feb 2026 02:02:37 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals</title><link>https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/</link><guid isPermaLink="true">https://bulwarkblack.com/fake-7-zip-downloads-convert-home-pcs-into-residential-proxy-nodes-for-cybercriminals/</guid><description>A sophisticated brand impersonation campaign is weaponizing the popular 7-Zip file archiver to silently transform infected Windows computers into residential proxy nodes—monetizing victims’ IP addresses for fraud, scraping, and anonymity laundering operations. The Lookalike Domai</description><pubDate>Mon, 09 Feb 2026 21:02:27 GMT</pubDate><category>Malware</category></item><item><title>North Korean Hackers Deploy AI-Generated Deepfakes and Seven Malware Families in Targeted Cryptocurrency Attacks</title><link>https://bulwarkblack.com/north-korean-hackers-deploy-ai-generated-deepfakes-and-seven-malware-families-in-targeted-cryptocurrency-attacks/</link><guid isPermaLink="true">https://bulwarkblack.com/north-korean-hackers-deploy-ai-generated-deepfakes-and-seven-malware-families-in-targeted-cryptocurrency-attacks/</guid><description>North Korean threat actor UNC1069 has launched a sophisticated campaign targeting the cryptocurrency and decentralized finance (DeFi) sectors, deploying AI-generated deepfake videos and seven unique malware families to steal credentials and financial data, according to new resear</description><pubDate>Mon, 09 Feb 2026 16:01:51 GMT</pubDate><category>North Korean Cyber Threat Intelligence</category></item><item><title>TGR-STA-1030 Espionage Campaign Compromises 70 Organizations Across 37 Nations Using ShadowGuard Linux Rootkit</title><link>https://bulwarkblack.com/tgr-sta-1030-espionage-campaign-compromises-70-organizations-across-37-nations-using-shadowguard-linux-rootkit/</link><guid isPermaLink="true">https://bulwarkblack.com/tgr-sta-1030-espionage-campaign-compromises-70-organizations-across-37-nations-using-shadowguard-linux-rootkit/</guid><description>A massive, state-aligned cyber espionage campaign has quietly infiltrated government networks across 37 countries, targeting ministries of finance, law enforcement, and critical infrastructure. In a new report, Unit 42 exposes the operations of TGR-STA-1030 (also tracked as UNC66</description><pubDate>Mon, 09 Feb 2026 02:02:32 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>BridgePay Ransomware Attack Forces Nationwide Cash-Only Payment Disruption</title><link>https://bulwarkblack.com/bridgepay-ransomware-attack-forces-nationwide-cash-only-payment-disruption/</link><guid isPermaLink="true">https://bulwarkblack.com/bridgepay-ransomware-attack-forces-nationwide-cash-only-payment-disruption/</guid><description>A major ransomware attack on BridgePay Network Solutions has caused a nationwide payment processing outage, forcing merchants across the United States to switch to cash-only operations and disrupting card transactions for municipalities and businesses alike. Ransomware Confirmed </description><pubDate>Sun, 08 Feb 2026 21:02:34 GMT</pubDate><category>General CTI</category></item><item><title>Qilin Ransomware Hits Romania’s National Oil Pipeline Operator Conpet, Claims Nearly 1 TB Data Theft</title><link>https://bulwarkblack.com/qilin-ransomware-hits-romanias-national-oil-pipeline-operator-conpet-claims-nearly-1-tb-data-theft/</link><guid isPermaLink="true">https://bulwarkblack.com/qilin-ransomware-hits-romanias-national-oil-pipeline-operator-conpet-claims-nearly-1-tb-data-theft/</guid><description>Romania’s national oil pipeline operator Conpet has confirmed a cyberattack disrupted parts of its technology infrastructure and knocked its website offline earlier this week. The company operates approximately 3,800 kilometers (2,360 miles) of pipelines supplying domestic and im</description><pubDate>Sun, 08 Feb 2026 16:02:36 GMT</pubDate><category>Operational Technology (OT)</category></item><item><title>Flickr Data Breach Exposes User Information Through Third-Party Email Vendor Vulnerability</title><link>https://bulwarkblack.com/flickr-data-breach-exposes-user-information-through-third-party-email-vendor-vulnerability/</link><guid isPermaLink="true">https://bulwarkblack.com/flickr-data-breach-exposes-user-information-through-third-party-email-vendor-vulnerability/</guid><description>Photo and video sharing service Flickr has disclosed a data security incident where user personal information was potentially exposed through a vulnerability at a third-party email service provider. The San Francisco-based platform confirmed on February 5, 2026, that the breach m</description><pubDate>Sun, 08 Feb 2026 02:03:02 GMT</pubDate><category>General CTI</category></item><item><title>SafePay Ransomware Attack on Conduent Exposes Data of 25.9 Million Americans</title><link>https://bulwarkblack.com/safepay-ransomware-attack-on-conduent-exposes-data-of-25-9-million-americans/</link><guid isPermaLink="true">https://bulwarkblack.com/safepay-ransomware-attack-on-conduent-exposes-data-of-25-9-million-americans/</guid><description>A January 2025 ransomware attack on government technology giant Conduent has exploded into one of the largest data breaches in recent history, with confirmed victims now numbering at least 25.9 million Americans across multiple states. The breach, attributed to the SafePay ransom</description><pubDate>Sat, 07 Feb 2026 21:01:54 GMT</pubDate><category>Threat Intelligence</category></item><item><title>APT-Q-27 (GoldenEyeDog) Deploys Fileless Malware in Stealthy Corporate Network Attacks</title><link>https://bulwarkblack.com/apt-q-27-goldeneyedog-deploys-fileless-malware-in-stealthy-corporate-network-attacks/</link><guid isPermaLink="true">https://bulwarkblack.com/apt-q-27-goldeneyedog-deploys-fileless-malware-in-stealthy-corporate-network-attacks/</guid><description>A new investigation from CyStack’s security team reveals how the threat group APT-Q-27, also known as GoldenEyeDog, is bypassing modern security defenses through an elaborate multi-stage attack chain that operates almost entirely in memory. The Attack Chain: From Support Ticket t</description><pubDate>Sat, 07 Feb 2026 16:03:37 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Betterment Data Breach Exposes 1.4 Million Customers Following Sophisticated Social Engineering Attack</title><link>https://bulwarkblack.com/betterment-data-breach-exposes-1-4-million-customers-following-sophisticated-social-engineering-attack/</link><guid isPermaLink="true">https://bulwarkblack.com/betterment-data-breach-exposes-1-4-million-customers-following-sophisticated-social-engineering-attack/</guid><description>Automated investment platform Betterment has disclosed a significant data breach affecting approximately 1.4 million customers, following a sophisticated social engineering campaign that targeted company employees in January 2026. Attack Overview According to Betterment’s officia</description><pubDate>Sat, 07 Feb 2026 02:03:03 GMT</pubDate><category>Social Engineering</category></item><item><title>Iranian APT Infy Resurfaces with New Tornado Malware After Internet Blackout</title><link>https://bulwarkblack.com/iranian-apt-infy-resurfaces-with-new-tornado-malware-after-internet-blackout/</link><guid isPermaLink="true">https://bulwarkblack.com/iranian-apt-infy-resurfaces-with-new-tornado-malware-after-internet-blackout/</guid><description>The elusive Iranian threat group known as Infy (also tracked as Prince of Persia) has evolved its tactics and deployed new command-and-control infrastructure, resuming operations precisely when Iran’s government-imposed internet blackout ended in late January 2026. Operational Ti</description><pubDate>Fri, 06 Feb 2026 21:02:39 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>Ransomware Gangs Abuse ISPsystem VMmanager to Hide Malicious Infrastructure at Scale</title><link>https://bulwarkblack.com/ransomware-gangs-abuse-ispsystem-vmmanager-to-hide-malicious-infrastructure-at-scale/</link><guid isPermaLink="true">https://bulwarkblack.com/ransomware-gangs-abuse-ispsystem-vmmanager-to-hide-malicious-infrastructure-at-scale/</guid><description>Ransomware operators are increasingly exploiting legitimate virtual infrastructure management platforms to host and deliver malicious payloads at scale, effectively hiding their command-and-control infrastructure among thousands of innocuous systems. The Discovery Researchers at </description><pubDate>Fri, 06 Feb 2026 16:03:47 GMT</pubDate><category>General CTI</category></item><item><title>Silver Fox APT Unleashes ValleyRAT with Rare PoolParty Process Injection Technique</title><link>https://bulwarkblack.com/silver-fox-apt-unleashes-valleyrat-with-rare-poolparty-process-injection-technique/</link><guid isPermaLink="true">https://bulwarkblack.com/silver-fox-apt-unleashes-valleyrat-with-rare-poolparty-process-injection-technique/</guid><description>A sophisticated malware campaign targeting Chinese-speaking users has revealed a significant evolution in the Silver Fox APT group’s capabilities. According to new research from Cybereason Security Services, the threat actors are deploying fake software installers to deliver Vall</description><pubDate>Fri, 06 Feb 2026 02:02:14 GMT</pubDate><category>Malware</category></item><item><title>SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide</title><link>https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/</link><guid isPermaLink="true">https://bulwarkblack.com/systembc-botnet-survives-law-enforcement-takedown-infects-over-10000-devices-worldwide/</guid><description>The SystemBC malware loader has demonstrated remarkable resilience, continuing to operate despite targeted efforts during Europol’s Operation Endgame in May 2024. Cybersecurity firm Silent Push has identified more than 10,000 unique infected IP addresses across a massive botnet i</description><pubDate>Thu, 05 Feb 2026 21:02:12 GMT</pubDate><category>Malware</category></item><item><title>Strategic Intelligence and the Cognitive Threshold: A Multidimensional Analysis of AI Model Efficacy in 2026</title><link>https://bulwarkblack.com/strategic-intelligence-and-the-cognitive-threshold-a-multidimensional-analysis-of-ai-model-efficacy-in-2026/</link><guid isPermaLink="true">https://bulwarkblack.com/strategic-intelligence-and-the-cognitive-threshold-a-multidimensional-analysis-of-ai-model-efficacy-in-2026/</guid><description>A comprehensive analysis of frontier AI models for strategic intelligence work in 2026, comparing GPT-5.2, Claude Opus 4.5, Gemini 3 Pro, and Grok 4.1 across reasoning benchmarks, research capabilities, geopolitical analysis, and financial intelligence applications.</description><pubDate>Thu, 05 Feb 2026 19:20:13 GMT</pubDate><category>Threat Intelligence</category></item><item><title>DKnife: Cisco Talos Exposes China-Nexus Gateway-Monitoring AitM Framework Active Since 2019</title><link>https://bulwarkblack.com/dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019/</link><guid isPermaLink="true">https://bulwarkblack.com/dknife-cisco-talos-exposes-china-nexus-gateway-monitoring-aitm-framework-active-since-2019/</guid><description>Cisco Talos researchers have disclosed a sophisticated adversary-in-the-middle (AitM) framework dubbed “DKnife” that enables China-nexus threat actors to intercept, manipulate, and weaponize network traffic at the gateway level. The framework has been operational since at least 2</description><pubDate>Thu, 05 Feb 2026 16:03:06 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>CISA Confirms VMware ESXi Flaw CVE-2025-22225 Now Exploited in Active Ransomware Campaigns</title><link>https://bulwarkblack.com/cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns/</link><guid isPermaLink="true">https://bulwarkblack.com/cisa-confirms-vmware-esxi-flaw-cve-2025-22225-now-exploited-in-active-ransomware-campaigns/</guid><description>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to confirm that CVE-2025-22225, a high-severity VMware ESXi sandbox escape vulnerability, is now being actively exploited in ransomware attacks. The Vuln</description><pubDate>Thu, 05 Feb 2026 05:12:51 GMT</pubDate><category>Business</category></item><item><title>EnCase Forensic Driver Weaponized: BYOVD Attack Targets 59 EDR Tools Through SonicWall VPN Breach</title><link>https://bulwarkblack.com/encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach/</link><guid isPermaLink="true">https://bulwarkblack.com/encase-forensic-driver-weaponized-byovd-attack-targets-59-edr-tools-through-sonicwall-vpn-breach/</guid><description>Security researchers at Huntress have documented a sophisticated intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to deploy a custom EDR killer that abuses a legitimate forensic driver from Guidance Software’s EnCase to terminate security processes</description><pubDate>Thu, 05 Feb 2026 02:02:23 GMT</pubDate><category>General CTI</category></item><item><title>PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions</title><link>https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/</link><guid isPermaLink="true">https://bulwarkblack.com/pdfsider-the-stealthy-backdoor-targeting-fortune-100-financial-institutions/</guid><description>A newly identified Windows malware strain called PDFSider has emerged as a dangerous tool in the arsenals of multiple ransomware operators, with at least one confirmed attack targeting a Fortune 100 finance company. Security researchers at Resecurity uncovered the malware during </description><pubDate>Wed, 04 Feb 2026 21:01:57 GMT</pubDate><category>Malware</category></item><item><title>ShinyHunters Claims Massive Ivy League Breach: 2.2 Million Records from Harvard and UPenn</title><link>https://bulwarkblack.com/shinyhunters-claims-massive-ivy-league-breach-2-2-million-records-from-harvard-and-upenn/</link><guid isPermaLink="true">https://bulwarkblack.com/shinyhunters-claims-massive-ivy-league-breach-2-2-million-records-from-harvard-and-upenn/</guid><description>The notorious threat actor group ShinyHunters has claimed responsibility for a significant data breach targeting two of America’s most prestigious academic institutions: Harvard University and the University of Pennsylvania. What’s Being Claimed On February 4, 2026, ShinyHunters </description><pubDate>Wed, 04 Feb 2026 16:15:55 GMT</pubDate><category>Threat Intelligence</category></item><item><title>AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions</title><link>https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/</link><guid isPermaLink="true">https://bulwarkblack.com/ai-powered-attack-achieves-aws-admin-access-in-under-10-minutes-a-new-era-of-automated-intrusions/</guid><description>In a stark demonstration of how artificial intelligence is transforming the cybersecurity threat landscape, the Sysdig Threat Research Team (TRT) has documented a sophisticated cloud intrusion where attackers achieved full administrative control of an AWS environment in less than</description><pubDate>Wed, 04 Feb 2026 16:02:58 GMT</pubDate><category>General CTI</category></item><item><title>ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory</title><link>https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/</link><guid isPermaLink="true">https://bulwarkblack.com/shadowhs-fileless-linux-post-exploitation-framework-runs-entirely-in-memory/</guid><description>Cyble Research &amp; Intelligence Labs (CRIL) has uncovered a sophisticated Linux intrusion framework dubbed ShadowHS — a stealthy, fileless post-exploitation tool that executes entirely from memory, leaving virtually no traces on disk. This discovery highlights the growing sophistic</description><pubDate>Wed, 04 Feb 2026 02:01:50 GMT</pubDate><category>Malware</category></item><item><title>Vibe Coding Gone Wrong: Moltbook AI Social Network Exposes 4.75 Million Records in Massive Database Breach</title><link>https://bulwarkblack.com/vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach/</link><guid isPermaLink="true">https://bulwarkblack.com/vibe-coding-gone-wrong-moltbook-ai-social-network-exposes-4-75-million-records-in-massive-database-breach/</guid><description>Google-owned Wiz discovers 4.75 million exposed records in AI social network Moltbook, including 1.5M API tokens and plaintext OpenAI keys—all because Row Level Security was never enabled on the “vibe-coded” platform.</description><pubDate>Tue, 03 Feb 2026 16:02:13 GMT</pubDate><category>General CTI</category></item><item><title>Chinese APT Lotus Blossom Hijacks Notepad++ Update Mechanism to Deploy Chrysalis Backdoor</title><link>https://bulwarkblack.com/chinese-apt-lotus-blossom-hijacks-notepad-update-mechanism-to-deploy-chrysalis-backdoor/</link><guid isPermaLink="true">https://bulwarkblack.com/chinese-apt-lotus-blossom-hijacks-notepad-update-mechanism-to-deploy-chrysalis-backdoor/</guid><description>Chinese state-sponsored threat actors hijacked Notepad++ update infrastructure for nearly six months, deploying a sophisticated custom backdoor called Chrysalis to selectively targeted victims.</description><pubDate>Tue, 03 Feb 2026 02:01:35 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Russian Legion Hacker Alliance Launches OpDenmark Campaign Against Danish Critical Infrastructure</title><link>https://bulwarkblack.com/russian-legion-hacker-alliance-launches-opdenmark-campaign-against-danish-critical-infrastructure/</link><guid isPermaLink="true">https://bulwarkblack.com/russian-legion-hacker-alliance-launches-opdenmark-campaign-against-danish-critical-infrastructure/</guid><description>A newly formed Russian hacktivist alliance called Russian Legion has launched OpDenmark, a coordinated cyberattack campaign against Danish critical infrastructure in retaliation for the country’s 1.5 billion DKK military aid package to Ukraine.</description><pubDate>Mon, 02 Feb 2026 21:01:36 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>BreachForums Breach Exposes 324,000 Cybercriminal Identities in Unprecedented Dark Web Leak</title><link>https://bulwarkblack.com/breachforums-breach-exposes-324000-cybercriminal-identities-dark-web-leak/</link><guid isPermaLink="true">https://bulwarkblack.com/breachforums-breach-exposes-324000-cybercriminal-identities-dark-web-leak/</guid><description>The tables have turned: BreachForums, one of the largest dark web marketplaces for stolen data, has been breached. A disgruntled insider leaked the real identities of nearly 324,000 cybercriminals, including email addresses, IP addresses, and connections to notorious groups like </description><pubDate>Mon, 02 Feb 2026 16:02:18 GMT</pubDate><category>General CTI</category></item><item><title>SonicWall Cloud Breach Enables Ransomware Attack on 74 US Banks and Credit Unions</title><link>https://bulwarkblack.com/sonicwall-cloud-breach-enables-ransomware-attack-on-74-us-banks-and-credit-unions/</link><guid isPermaLink="true">https://bulwarkblack.com/sonicwall-cloud-breach-enables-ransomware-attack-on-74-us-banks-and-credit-unions/</guid><description>State-sponsored hackers exploited SonicWall’s MySonicWall cloud breach to launch a ransomware attack affecting 74 US banks and credit unions, compromising data of over 400,000 individuals. The attack demonstrates how third-party security breaches can cascade into devastating down</description><pubDate>Mon, 02 Feb 2026 02:01:47 GMT</pubDate><category>General CTI</category></item><item><title>Nike Investigates 1.4 TB Data Leak After World Leaks Ransomware Gang Posts Stolen Files</title><link>https://bulwarkblack.com/nike-investigates-1-4-tb-data-leak-after-world-leaks-ransomware-gang-posts-stolen-files/</link><guid isPermaLink="true">https://bulwarkblack.com/nike-investigates-1-4-tb-data-leak-after-world-leaks-ransomware-gang-posts-stolen-files/</guid><description>Nike confirms it is investigating a potential breach after the World Leaks ransomware gang claimed to have stolen 1.4 TB of corporate data. The group, a rebrand of Hunters International, has targeted major organizations including the U.S. Marshals Service and Tata Technologies.</description><pubDate>Sun, 01 Feb 2026 21:02:10 GMT</pubDate><category>General CTI</category></item><item><title>Russian Hackers Launch Coordinated Cyberattacks on Poland’s Renewable Energy Infrastructure</title><link>https://bulwarkblack.com/russian-hackers-launch-coordinated-cyberattacks-on-polands-renewable-energy-infrastructure/</link><guid isPermaLink="true">https://bulwarkblack.com/russian-hackers-launch-coordinated-cyberattacks-on-polands-renewable-energy-infrastructure/</guid><description>Russian state-sponsored threat actors launched coordinated cyberattacks against Poland’s energy sector on December 29, 2025, targeting over 30 wind and solar farms, a manufacturing company, and a major combined heat and power (CHP) plant that serves nearly 500,000 people, accordi</description><pubDate>Sun, 01 Feb 2026 16:02:50 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations</title><link>https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/</link><guid isPermaLink="true">https://bulwarkblack.com/iconics-suite-scada-vulnerability-enables-denial-of-service-through-privileged-file-operations/</guid><description>CVE-2025-0921 in Iconics Suite SCADA allows attackers to exploit privileged file operations to corrupt critical system binaries and crash Windows systems through symbolic link attacks.</description><pubDate>Sun, 01 Feb 2026 02:05:19 GMT</pubDate><category>Operational Technology (OT)</category></item><item><title>Global Energy Systems Exposed: Widespread Cybersecurity Gaps Found in Power Grid OT Networks</title><link>https://bulwarkblack.com/global-energy-systems-exposed-widespread-cybersecurity-gaps-found-in-power-grid-ot-networks/</link><guid isPermaLink="true">https://bulwarkblack.com/global-energy-systems-exposed-widespread-cybersecurity-gaps-found-in-power-grid-ot-networks/</guid><description>A global study by OMICRON reveals critical cybersecurity weaknesses in power grid OT networks, including unpatched devices, weak segmentation, and asset blind spots that leave critical infrastructure vulnerable to attack.</description><pubDate>Sat, 31 Jan 2026 21:04:54 GMT</pubDate><category>Operational Technology (OT)</category></item><item><title>WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw</title><link>https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/</link><guid isPermaLink="true">https://bulwarkblack.com/winrar-cve-2025-8088-russia-china-and-cybercriminals-unite-to-exploit-path-traversal-flaw/</guid><description>Google Threat Intelligence reveals widespread exploitation of CVE-2025-8088 by Russian APT groups, Chinese actors, and cybercriminals. The WinRAR path traversal flaw enables payload delivery via the Windows Startup folder, with active campaigns targeting Ukraine, LATAM, and finan</description><pubDate>Sat, 31 Jan 2026 18:32:04 GMT</pubDate><category>General CTI</category></item><item><title>North Korean Konni APT Deploys AI-Generated Malware to Target Blockchain Developers</title><link>https://bulwarkblack.com/north-korean-konni-apt-deploys-ai-generated-malware-to-target-blockchain-developers/</link><guid isPermaLink="true">https://bulwarkblack.com/north-korean-konni-apt-deploys-ai-generated-malware-to-target-blockchain-developers/</guid><description>The North Korean threat group Konni has launched a new campaign using AI-generated PowerShell malware to target blockchain developers across the APAC region, marking a significant shift toward technical targets and cryptocurrency infrastructure.</description><pubDate>Sat, 31 Jan 2026 08:48:55 GMT</pubDate><category>North Korean Cyber Threat Intelligence</category></item><item><title>Microsoft to Disable 30-Year-Old NTLM Authentication Protocol by Default</title><link>https://bulwarkblack.com/microsoft-to-disable-30-year-old-ntlm-authentication-protocol-by-default/</link><guid isPermaLink="true">https://bulwarkblack.com/microsoft-to-disable-30-year-old-ntlm-authentication-protocol-by-default/</guid><description>Microsoft announces NTLM will be disabled by default in upcoming Windows releases, marking the end of the 30-year-old authentication protocol that has been a persistent security vulnerability.</description><pubDate>Sat, 31 Jan 2026 02:05:00 GMT</pubDate><category>General CTI</category></item><item><title>CVE-2026-24061: 11-Year-Old GNU Telnetd Vulnerability Grants Instant Root Access</title><link>https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/</link><guid isPermaLink="true">https://bulwarkblack.com/cve-2026-24061-11-year-old-gnu-telnetd-vulnerability-grants-instant-root-access/</guid><description>CVE-2026-24061 is a critical 11-year-old vulnerability in GNU InetUtils telnetd that allows unauthenticated attackers to gain instant root shell access. With a CVSS score of 9.8 and active exploitation confirmed, this flaw affects over 200,000 devices running Telnet servers globa</description><pubDate>Sat, 31 Jan 2026 01:50:32 GMT</pubDate><category>Operational Technology (OT)</category></item><item><title>Ivanti Patches Two Critical EPMM Zero-Day Vulnerabilities Under Active Exploitation</title><link>https://bulwarkblack.com/ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation/</link><guid isPermaLink="true">https://bulwarkblack.com/ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation/</guid><description>Two critical CVSS 9.8 vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281, CVE-2026-1340) are under active exploitation, allowing unauthenticated remote code execution. CISA has added them to the KEV catalog with a February 1 federal deadline.</description><pubDate>Sat, 31 Jan 2026 01:43:37 GMT</pubDate><category>General CTI</category></item><item><title>Ivanti EPMM Zero-Days Actively Exploited: Pre-Auth RCE via Bash Arithmetic Expansion</title><link>https://bulwarkblack.com/ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion/</link><guid isPermaLink="true">https://bulwarkblack.com/ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion/</guid><description>Two actively exploited pre-auth RCE vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile allow attackers to execute arbitrary commands via Bash arithmetic expansion. CISA has added these to the KEV catalog.</description><pubDate>Sat, 31 Jan 2026 01:42:13 GMT</pubDate><category>General CTI</category></item><item><title>Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT</title><link>https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/</link><guid isPermaLink="true">https://bulwarkblack.com/android-malware-campaign-abuses-hugging-face-ai-platform-to-distribute-rat/</guid><description>Threat actors are abusing the Hugging Face AI platform to host Android malware, using server-side polymorphism to generate thousands of RAT variants every 15 minutes.</description><pubDate>Fri, 30 Jan 2026 21:04:13 GMT</pubDate><category>Malware</category></item><item><title>SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score</title><link>https://bulwarkblack.com/smartermail-fixes-critical-unauthenticated-rce-flaw-with-cvss-9-3-score/</link><guid isPermaLink="true">https://bulwarkblack.com/smartermail-fixes-critical-unauthenticated-rce-flaw-with-cvss-9-3-score/</guid><description>SmarterTools patches critical CVE-2026-24423 (CVSS 9.3) unauthenticated RCE vulnerability in SmarterMail email server. Two other flaws including one under active exploitation also addressed. Update immediately.</description><pubDate>Fri, 30 Jan 2026 16:05:31 GMT</pubDate><category>General CTI</category></item><item><title>Aisuru Botnet Shatters Records with 31.4 Tbps DDoS Attack</title><link>https://bulwarkblack.com/aisuru-botnet-shatters-records-with-31-4-tbps-ddos-attack/</link><guid isPermaLink="true">https://bulwarkblack.com/aisuru-botnet-shatters-records-with-31-4-tbps-ddos-attack/</guid><description>The Aisuru/Kimwolf botnet launched the largest DDoS attack ever publicly disclosed, peaking at 31.4 Tbps and 200 million requests per second in Cloudflare’s ‘Night Before Christmas’ campaign.</description><pubDate>Fri, 30 Jan 2026 08:51:36 GMT</pubDate><category>Business</category></item><item><title>Match Group Data Breach Exposes User Information from Tinder, Hinge, and OkCupid</title><link>https://bulwarkblack.com/match-group-data-breach-exposes-user-information-from-tinder-hinge-and-okcupid/</link><guid isPermaLink="true">https://bulwarkblack.com/match-group-data-breach-exposes-user-information-from-tinder-hinge-and-okcupid/</guid><description>Match Group confirms cybersecurity incident after ShinyHunters voice phishing campaign compromises SSO account, exposing data from popular dating apps including Tinder, Hinge, OkCupid, and Match.com.</description><pubDate>Fri, 30 Jan 2026 08:41:50 GMT</pubDate><category>Business</category></item><item><title>SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass</title><link>https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/</link><guid isPermaLink="true">https://bulwarkblack.com/solarwinds-fixes-six-critical-web-help-desk-vulnerabilities-including-rce-and-auth-bypass/</guid><description>SolarWinds patches six severe vulnerabilities in Web Help Desk, including four critical flaws (CVSS 9.8) enabling unauthenticated remote code execution and authentication bypass. Organizations should update to WHD 2026.1 immediately.</description><pubDate>Thu, 29 Jan 2026 16:05:46 GMT</pubDate><category>General CTI</category></item><item><title>16 Malicious Chrome Extensions Steal ChatGPT Session Tokens</title><link>https://bulwarkblack.com/16-malicious-chrome-extensions-steal-chatgpt-session-tokens/</link><guid isPermaLink="true">https://bulwarkblack.com/16-malicious-chrome-extensions-steal-chatgpt-session-tokens/</guid><description>Security researchers discovered 16 malicious browser extensions claiming to enhance ChatGPT that actually steal session tokens, giving attackers full access to accounts and conversation history.</description><pubDate>Thu, 29 Jan 2026 02:48:27 GMT</pubDate><category>Business</category></item><item><title>Google Disrupts World’s Largest Residential Proxy Botnet</title><link>https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/</link><guid isPermaLink="true">https://bulwarkblack.com/google-disrupts-worlds-largest-residential-proxy-botnet/</guid><description>Google Threat Intelligence Group disrupts IPIDEA, the world’s largest residential proxy network, used by 550+ threat groups including nation-state actors from China, Russia, Iran, and North Korea.</description><pubDate>Thu, 29 Jan 2026 02:48:01 GMT</pubDate><category>Business</category></item><item><title>SoundCloud Data Breach Exposes 29.8 Million User Accounts</title><link>https://bulwarkblack.com/soundcloud-data-breach-exposes-29-8-million-user-accounts/</link><guid isPermaLink="true">https://bulwarkblack.com/soundcloud-data-breach-exposes-29-8-million-user-accounts/</guid><description>Music streaming platform SoundCloud confirmed a data breach affecting 29.8 million user accounts. The December 2025 incident exposed emails and profile data, creating risks for phishing and credential stuffing attacks.</description><pubDate>Wed, 28 Jan 2026 19:02:42 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready</title><link>https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/</link><guid isPermaLink="true">https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/</guid><description>Fortinet confirms CVE-2026-24858, a critical FortiCloud SSO authentication bypass zero-day actively exploited in the wild. The company has blocked FortiCloud SSO from vulnerable devices while patches are being developed.</description><pubDate>Wed, 28 Jan 2026 02:14:09 GMT</pubDate><category>General CTI</category></item><item><title>Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT</title><link>https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/</link><guid isPermaLink="true">https://bulwarkblack.com/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/</guid><description>A malicious VS Code extension impersonating the popular Clawdbot AI assistant has been caught deploying ScreenConnect RAT on Windows machines. The trojanized extension worked as a functional AI coding tool while silently installing remote access software.</description><pubDate>Tue, 27 Jan 2026 23:41:51 GMT</pubDate><category>Malware</category></item><item><title>Chinese APT Groups Leverage PeckBirdy JavaScript C2 Framework Since 2023</title><link>https://bulwarkblack.com/chinese-apt-groups-leverage-peckbirdy-javascript-c2-framework-since-2023/</link><guid isPermaLink="true">https://bulwarkblack.com/chinese-apt-groups-leverage-peckbirdy-javascript-c2-framework-since-2023/</guid><description>Trend Micro researchers have discovered PeckBirdy, a flexible JScript-based C2 framework used by China-linked APT actors to target gambling industries and Asian government entities since 2023.</description><pubDate>Tue, 27 Jan 2026 23:07:51 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Poland Thwarts Russian Sandworm Wiper Attack on Power Plants</title><link>https://bulwarkblack.com/poland-thwarts-russian-sandworm-wiper-attack-on-power-plants/</link><guid isPermaLink="true">https://bulwarkblack.com/poland-thwarts-russian-sandworm-wiper-attack-on-power-plants/</guid><description>Russian APT group Sandworm attempted to deploy destructive DynoWiper malware against Polish power plants in late December 2025. The attack was thwarted, but highlights ongoing threats to critical infrastructure from state-sponsored actors.</description><pubDate>Tue, 27 Jan 2026 22:51:35 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Critical Microsoft Office Vulnerabilities Exploited in Latest Cyber Threat Campaign</title><link>https://bulwarkblack.com/critical-microsoft-office-vulnerabilities-exploited-in-latest-cyber-threat-campaign/</link><guid isPermaLink="true">https://bulwarkblack.com/critical-microsoft-office-vulnerabilities-exploited-in-latest-cyber-threat-campaign/</guid><description>Security researchers have identified sophisticated attack vectors leveraging Microsoft Office documents to bypass security measures and deliver malicious payloads. Learn about the latest threats and defensive strategies.</description><pubDate>Tue, 27 Jan 2026 22:28:45 GMT</pubDate><category>General CTI</category></item><item><title>Poland Thwarts Russian Wiper Malware Attack on Power Plants</title><link>https://bulwarkblack.com/poland-thwarts-russian-wiper-malware-attack-on-power-plants/</link><guid isPermaLink="true">https://bulwarkblack.com/poland-thwarts-russian-wiper-malware-attack-on-power-plants/</guid><description>Source: Hackread | Author: Deeba Ahmed Poland has narrowly avoided a massive energy crisis following what officials are calling the largest cyberattack on the country in years. Between 29 and 30 December 2025, hackers attempted to break into the nation’s energy infrastructure, sp</description><pubDate>Tue, 27 Jan 2026 21:51:08 GMT</pubDate><category>Malware</category></item><item><title>Complete Guide: Setting Up FreePBX with VPS, Docker, and VPN (CGNAT Bypass Solution)</title><link>https://bulwarkblack.com/complete-guide-setting-up-freepbx-with-vps-docker-and-vpn-cgnat-bypass-solution/</link><guid isPermaLink="true">https://bulwarkblack.com/complete-guide-setting-up-freepbx-with-vps-docker-and-vpn-cgnat-bypass-solution/</guid><description>Complete FreePBX Setup Guide – Docker, VPN, and Twilio Integration Requirements / Setup Digital Ocean or whatever cloud provider you choose Docker (FreePBX) Nginx Setup OVPN Configuration IP Tables Setup YeaLink Phone configuration, the (YeaLinkT45w) was used in this tutorial Twi</description><pubDate>Fri, 18 Jul 2025 05:00:42 GMT</pubDate><category>Becoming Self Sufficient</category></item><item><title>Understanding Cryptocurrency: A Modern Metaphor Guide and Further Thoughts</title><link>https://bulwarkblack.com/understanding-cryptocurrency-a-modern-metaphor-guide-and-further-thoughts/</link><guid isPermaLink="true">https://bulwarkblack.com/understanding-cryptocurrency-a-modern-metaphor-guide-and-further-thoughts/</guid><description>Cryptocurrency: Digital Money with a New Tune Think of cryptocurrency like email is to regular mail. Instead of sending paper envelopes through the post office, you now send messages instantly across the globe. Similarly, with crypto, you’re sending value (money) instantly throug</description><pubDate>Fri, 16 May 2025 19:19:18 GMT</pubDate><category>Becoming Self Sufficient</category></item><item><title>I Got In Without A Badge Easy!? Social Engineering Strategies.</title><link>https://bulwarkblack.com/i-got-in-without-a-badge-easy-social-engineering-strategies/</link><guid isPermaLink="true">https://bulwarkblack.com/i-got-in-without-a-badge-easy-social-engineering-strategies/</guid><description>People assume social engineering is all charm and quick thinking. But real operators know the truth:Preparation is the payload.Execution is just the final click. This is how I walked into a secured corporate building twice without a badge, without clearance, and without triggerin</description><pubDate>Sun, 23 Mar 2025 19:20:05 GMT</pubDate><category>Red Teaming</category></item><item><title>The Game Is Life… But What If That’s Not Just Fiction?</title><link>https://bulwarkblack.com/the-game-is-life-but-what-if-thats-not-just-fiction/</link><guid isPermaLink="true">https://bulwarkblack.com/the-game-is-life-but-what-if-thats-not-just-fiction/</guid><description>I recently read a book that didn’t just entertain me, it challenged everything I thought I understood about reality. It’s called The Game is Life by Terry Schott. The premise is simple… and wild: humans live in a highly advanced society where children enter a full-immersion simul</description><pubDate>Sat, 22 Mar 2025 18:26:07 GMT</pubDate><category>Makes you Think</category></item><item><title>The AI Edge: Outthinking the Chaos</title><link>https://bulwarkblack.com/the-ai-edge-outthinking-the-chaos/</link><guid isPermaLink="true">https://bulwarkblack.com/the-ai-edge-outthinking-the-chaos/</guid><description>The privacy and security landscape has fundamentally changed. It’s not just about firewalls and VPNs anymore, it’s about where you live, how you power your life, and how resilient your systems are when the grid, the internet, or the institutions behind them fail. The concept of “</description><pubDate>Fri, 21 Mar 2025 18:28:57 GMT</pubDate><category>Becoming Self Sufficient</category></item><item><title>How to Avoid the Coming Trap: Digital IDs, Social Credit Scores, and Government-Controlled Crypto</title><link>https://bulwarkblack.com/how-to-avoid-the-coming-trap-digital-ids-social-credit-scores-and-government-controlled-crypto/</link><guid isPermaLink="true">https://bulwarkblack.com/how-to-avoid-the-coming-trap-digital-ids-social-credit-scores-and-government-controlled-crypto/</guid><description>Conspiracy? Blockchain and cryptocurrency were originally designed to free individuals from centralized financial control, but as governments shift toward embracing crypto, a hidden agenda is emerging. With digital IDs, social credit scores, and Central Bank Digital Currencies (C</description><pubDate>Thu, 20 Mar 2025 18:30:35 GMT</pubDate><category>Digital Assets</category></item><item><title>THIS WEEK IN SECURITY: LOOP DOS, FLIPPER RESPONDS, AND MORE!</title><link>https://bulwarkblack.com/this-week-in-security-loop-dos-flipper-responds-and-more/</link><guid isPermaLink="true">https://bulwarkblack.com/this-week-in-security-loop-dos-flipper-responds-and-more/</guid><description>by: Jonathan Bennett Here’s a fun thought experiment. UDP packets can be sent with an arbitrary source IP and port, so you can send a packet to one server, and could aim the response at another server. What happens if that response triggers another response? What if you could cra</description><pubDate>Fri, 22 Mar 2024 21:09:43 GMT</pubDate><category>General CTI</category></item><item><title>SHODAN Dorks</title><link>https://bulwarkblack.com/shodan-dorks/</link><guid isPermaLink="true">https://bulwarkblack.com/shodan-dorks/</guid><description>READ ARTICLE By: ZION3R Shodan Dorks Basic Shodan Filters city: Find devices in a particular city. city:”Bangalore” country: Find devices in a particular country. country:”IN” geo: Find devices by giving geographical coordinates. geo:”56.913055,118.250862″ Location country:us cou</description><pubDate>Fri, 22 Mar 2024 21:01:17 GMT</pubDate><category>Offensive Devices / Tactics</category></item><item><title>How to communicate a cyber breach to minimize reputational damage</title><link>https://bulwarkblack.com/how-to-communicate-a-cyber-breach-to-minimize-reputational-damage/</link><guid isPermaLink="true">https://bulwarkblack.com/how-to-communicate-a-cyber-breach-to-minimize-reputational-damage/</guid><description>READ ARTICLE Sarah Woodhouse, Director of AMBITIOUS, explains how businesses must communicate a cyber breach in order to remain trustworthy and minimise damage. A cyber breach occurs roughly once every 39 seconds. With businesses as targets for their data, it’s not a case of if b</description><pubDate>Fri, 22 Mar 2024 20:48:14 GMT</pubDate><category>Business</category></item><item><title>New Go loader pushes Rhadamanthys stealer</title><link>https://bulwarkblack.com/new-go-loader-pushes-rhadamanthys-stealer/</link><guid isPermaLink="true">https://bulwarkblack.com/new-go-loader-pushes-rhadamanthys-stealer/</guid><description>READ ARTICLE Posted: March 22, 2024 by Jérôme Segura Malware loaders (also known as droppers or downloaders) are a popular commodity in the criminal underground. Their primary function is to successfully compromise a machine and deploy one or multiple additional payloads. A good </description><pubDate>Fri, 22 Mar 2024 20:30:27 GMT</pubDate><category>Malware</category></item><item><title>The Updated APT Playbook: Tales from the Kimsuky threat actor group</title><link>https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/</link><guid isPermaLink="true">https://bulwarkblack.com/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/</guid><description>READ ARTICLE Last updated at Thu, 21 Mar 2024 13:20:04 GMT Co-authors are Christiaan Beek and Raj Samani Within Rapid7 Labs we continually track and monitor threat groups. This is one of our key areas of focus as we work to ensure that our ability to protect customers remains con</description><pubDate>Fri, 22 Mar 2024 20:17:35 GMT</pubDate><category>North Korean Cyber Threat Intelligence</category></item><item><title>Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention</title><link>https://bulwarkblack.com/curious-serpens-falsefont-backdoor-technical-analysis-detection-and-prevention/</link><guid isPermaLink="true">https://bulwarkblack.com/curious-serpens-falsefont-backdoor-technical-analysis-detection-and-prevention/</guid><description>By Tom Fakterman, Daniel Frank and Jerome Tujague READ ARTICLE Executive Summary This article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated threat actor that Unit 42 tracks as Curious Serpens. Curious Serpens (aka Peach Sands</description><pubDate>Fri, 22 Mar 2024 19:16:53 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws</title><link>https://bulwarkblack.com/china-linked-group-breaches-networks-via-connectwise-f5-software-flaws/</link><guid isPermaLink="true">https://bulwarkblack.com/china-linked-group-breaches-networks-via-connectwise-f5-software-flaws/</guid><description>READ ARTICLE A China-linked threat cluster leveraged security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts as part of an “aggressive” campaign. Google-owned Mandiant is tr</description><pubDate>Fri, 22 Mar 2024 19:03:36 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>“Pig butchering” is an evolution of a social engineering tactic we’ve seen for years</title><link>https://bulwarkblack.com/pig-butchering-is-an-evolution-of-a-social-engineering-tactic-weve-seen-for-years/</link><guid isPermaLink="true">https://bulwarkblack.com/pig-butchering-is-an-evolution-of-a-social-engineering-tactic-weve-seen-for-years/</guid><description>By Jonathan Munshaw READ ARTICLE Whether you want to call them “catfishing,” “pig butchering” or just good ‘old-fashioned “social engineering,” romance scams have been around forever. I was first introduced to them through the MTV show “Catfish,” but recently they seem to be maki</description><pubDate>Fri, 22 Mar 2024 18:51:06 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>New AcidPour Wiper Targeting Linux Devices Spotted in Ukraine</title><link>https://bulwarkblack.com/new-acidpour-wiper-targeting-linux-devices-spotted-in-ukraine/</link><guid isPermaLink="true">https://bulwarkblack.com/new-acidpour-wiper-targeting-linux-devices-spotted-in-ukraine/</guid><description>READ ARTICLE By: Kevin Poireault Reporter, Infosecurity Magazine A new variant of the wiper malware AcidRain, known as AcidPour, has been discovered by SentinelOne’s threat intelligence team, SentinelLabs. AcidRain is destructive wiper malware attributed to Russian military intel</description><pubDate>Fri, 22 Mar 2024 17:29:08 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Fancy Bear: Espionage group expands global phishing campaign</title><link>https://bulwarkblack.com/fancy-bear-espionage-group-expands-global-phishing-campaign/</link><guid isPermaLink="true">https://bulwarkblack.com/fancy-bear-espionage-group-expands-global-phishing-campaign/</guid><description>Source Russia-linked threat actor Fancy Bear is conducting a wave of phishing campaigns impersonating entities across Europe, Americas, and Asia, focusing on Ukraine-related targets. IBM X-Force has identified an ongoing phishing campaign conducted by ITG05, a Russia state-sponso</description><pubDate>Fri, 22 Mar 2024 17:20:22 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>TBHM Live Training with Jhaddix</title><link>https://bulwarkblack.com/tbhm-live-training-with-jhaddix/</link><guid isPermaLink="true">https://bulwarkblack.com/tbhm-live-training-with-jhaddix/</guid><description>Attending The Bug Hunters Methodology Live training by Jason Haddix was a great experience. I think my goal with writing this post is really to paint a picture of my overall personal experience being new to Bug Bounty Hunting, coming from the Blue Teaming side of things, and to j</description><pubDate>Thu, 21 Mar 2024 17:51:05 GMT</pubDate><category>Bug Bounty</category></item><item><title>Detecting and Responding to Security Incidents and Why its Difficult.</title><link>https://bulwarkblack.com/detecting-and-responding-to-security-incidents-and-why-its-difficult/</link><guid isPermaLink="true">https://bulwarkblack.com/detecting-and-responding-to-security-incidents-and-why-its-difficult/</guid><description>Quick Picture of Attacker Vs Defender With the relentless advancement of technology and continuous improvements in security measures, there remains a significant challenge in detecting and responding to security incidents. This difficulty arises partly due to the diverse tactics </description><pubDate>Mon, 19 Feb 2024 07:29:46 GMT</pubDate><category>Cyber Security Blog</category></item><item><title>Tool of First Resort: Israel-Hamas War in Cyber</title><link>https://bulwarkblack.com/tool-of-first-resort-israel-hamas-war-in-cyber/</link><guid isPermaLink="true">https://bulwarkblack.com/tool-of-first-resort-israel-hamas-war-in-cyber/</guid><description>Feb 14, 2024 | 4 min read | Sandra Joyce | Shane Huntley READ ARTICLE Cybersecurity plays a critical role in geopolitics — particularly during times of conflict. While offensive cyber operations have become nearly universal, the tactics, timing and objectives of threat actors can</description><pubDate>Wed, 14 Feb 2024 05:56:20 GMT</pubDate><category>Detection</category></item><item><title>Endpoints vs Routes: What every API hacker needs to know</title><link>https://bulwarkblack.com/endpoints-vs-routes-what-every-api-hacker-needs-to-know/</link><guid isPermaLink="true">https://bulwarkblack.com/endpoints-vs-routes-what-every-api-hacker-needs-to-know/</guid><description>READ ARTICLE DANA EPP’S BLOG API Hacking Fundamentals February 13, 2024 I recently had an interesting conversation on Twitter/X that got me thinking about API endpoints vs routes. It all started with this tweet: The conversation progressed into whether this was one vulnerability </description><pubDate>Wed, 14 Feb 2024 05:46:28 GMT</pubDate><category>Bug Bounty</category></item><item><title>Bypassing EDRs With EDR-Preloading</title><link>https://bulwarkblack.com/bypassing-edrs-with-edr-preloading/</link><guid isPermaLink="true">https://bulwarkblack.com/bypassing-edrs-with-edr-preloading/</guid><description>READ ARTICLE Marcus Hutchins Previously, I wrote an article detailing how system calls can be utilized to bypass user mode EDR hooks. Now, I want to introduce an alternative technique, “EDR-Preloading”, which involves running malicious code before the EDR’s DLL is loaded into the</description><pubDate>Tue, 13 Feb 2024 15:17:22 GMT</pubDate><category>Red Teaming</category></item><item><title>Detecting API endpoints and source code with JS Miner</title><link>https://bulwarkblack.com/detecting-api-endpoints-and-source-code-with-js-miner/</link><guid isPermaLink="true">https://bulwarkblack.com/detecting-api-endpoints-and-source-code-with-js-miner/</guid><description>Read Article DANA EPP’S BLOG Security (de)engineering for fun and profit Let’s be honest. Most APIs are naked without some sort of web app frontend calling it. These days, those apps are usually written in some sort of framework based on Javascript. With a bit of work, we can do </description><pubDate>Wed, 07 Feb 2024 04:43:28 GMT</pubDate><category>Bug Bounty</category></item><item><title>Book.HackTricks</title><link>https://bulwarkblack.com/book-hacktricks/</link><guid isPermaLink="true">https://bulwarkblack.com/book-hacktricks/</guid><description>To the Book! Disclaimer This book, ‘HackTricks,’ is intended for educational and informational purposes only. The content within this book is provided on an ‘as is’ basis, and the authors and publishers make no representations or warranties of any kind, express or implied, about </description><pubDate>Sat, 03 Feb 2024 18:47:10 GMT</pubDate><category>Bug Bounty</category></item><item><title>Virtual Host Enumeration for Uncovering Hidden Subdomains</title><link>https://bulwarkblack.com/virtual-host-enumeration-for-uncovering-hidden-subdomains/</link><guid isPermaLink="true">https://bulwarkblack.com/virtual-host-enumeration-for-uncovering-hidden-subdomains/</guid><description>Read Article Nairuz Abulhul – Nov 28, 2023 | Published in R3d Buck3T | 8 min read When performing external penetration testing or bug bounty hunting, we explore the targeted system from various angles to collect as much information as possible to identify potential attack vectors</description><pubDate>Fri, 26 Jan 2024 23:11:52 GMT</pubDate><category>Bug Bounty</category></item><item><title>Demystifying Generative AI 🤖 A Security Researcher’s Notes</title><link>https://bulwarkblack.com/demystifying-generative-ai-f09fa496-a-security-researchers-notes/</link><guid isPermaLink="true">https://bulwarkblack.com/demystifying-generative-ai-f09fa496-a-security-researchers-notes/</guid><description>Roberto Rodriguez – Nov 4, 2023 • 22 min read Read Article As a security researcher, stepping into the world of Generative Artificial Intelligence (GenAI) was like entering unfamiliar territory. While I was excited by the potential it held for revolutionizing security, I soon rea</description><pubDate>Fri, 26 Jan 2024 17:26:09 GMT</pubDate><category>AI (General)</category></item><item><title>Threat Modeling LLM Applications</title><link>https://bulwarkblack.com/threat-modeling-llm-applications/</link><guid isPermaLink="true">https://bulwarkblack.com/threat-modeling-llm-applications/</guid><description>Posted by Gavin Klondike on 06 June 2023 Read Article Before we get started: Hi! My name is GTKlondike, and these are my opinions as a cybersecurity consultant. While experts from the AI Village provided input, I will always welcome open discussion so that we can come to a better</description><pubDate>Fri, 26 Jan 2024 17:04:10 GMT</pubDate><category>AI (General)</category></item><item><title>Active Directory Penetration Testing Orange Cyber-defense mind maps</title><link>https://bulwarkblack.com/active-directory-penetration-testing-orange-cyber-defense-mind-maps/</link><guid isPermaLink="true">https://bulwarkblack.com/active-directory-penetration-testing-orange-cyber-defense-mind-maps/</guid><description>Get Mind Map!</description><pubDate>Fri, 26 Jan 2024 16:45:59 GMT</pubDate><category>Offensive Devices / Tactics</category></item><item><title>SQLmap Cheat Sheet</title><link>https://bulwarkblack.com/sqlmap-cheat-sheet/</link><guid isPermaLink="true">https://bulwarkblack.com/sqlmap-cheat-sheet/</guid><description>Link to Sheet</description><pubDate>Fri, 26 Jan 2024 16:36:02 GMT</pubDate><category>Bug Bounty</category></item><item><title>Announcing cvemap from ProjectDiscovery</title><link>https://bulwarkblack.com/announcing-cvemap-from-projectdiscovery/</link><guid isPermaLink="true">https://bulwarkblack.com/announcing-cvemap-from-projectdiscovery/</guid><description>Read Article Project Discovery Tool ManagerGitHub pdtm is a simple and easy-to-use golang based tool for managing open source projects from ProjectDiscovery. Security professionals are constantly on guard against cyber threats, especially given the rising number and sophisticatio</description><pubDate>Fri, 26 Jan 2024 16:30:25 GMT</pubDate><category>Bug Bounty</category></item><item><title>How to protect Evilginx using Cloudflare and HTML Obfuscation</title><link>https://bulwarkblack.com/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation/</link><guid isPermaLink="true">https://bulwarkblack.com/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation/</guid><description>Read Article Using a combination of Cloudflare and HTML Obfuscation, it is possible to protect your Evilginx server from being flagged as deceptive and so increase your chances of success on Red Team and Social Engineering engagements. Anyone who has tried to run a Social Enginee</description><pubDate>Fri, 26 Jan 2024 16:14:36 GMT</pubDate><category>Offensive Devices / Tactics</category></item><item><title>How to Leverage Internal Proxies for Lateral Movement, Firewall Evasion, and Trust Exploitation</title><link>https://bulwarkblack.com/how-to-leverage-internal-proxies-for-lateral-movement-firewall-evasion-and-trust-exploitation/</link><guid isPermaLink="true">https://bulwarkblack.com/how-to-leverage-internal-proxies-for-lateral-movement-firewall-evasion-and-trust-exploitation/</guid><pubDate>Sat, 13 Jan 2024 05:50:43 GMT</pubDate><category>Business</category></item><item><title>THE BUG HUNTERS METHODOLOGY LIVE</title><link>https://bulwarkblack.com/the-bug-hunters-methodology-live/</link><guid isPermaLink="true">https://bulwarkblack.com/the-bug-hunters-methodology-live/</guid><description>https://tbhmlive.com/ Jason Haddix TBHM Live – Course Info I am thrilled to introduce you to The Bug Hunter’s Methodology LIVE, my masterclass designed for aspiring and seasoned offensive security professionals, including web application security testers, red teamers, and bug bou</description><pubDate>Fri, 12 Jan 2024 18:55:28 GMT</pubDate><category>Training</category></item><item><title>PWNAGOTCHI: DEEP REINFORCEMENT LEARNING FOR WIFI PWNING!</title><link>https://bulwarkblack.com/pwnagotchi-deep-reinforcement-learning-for-wifi-pwning/</link><guid isPermaLink="true">https://bulwarkblack.com/pwnagotchi-deep-reinforcement-learning-for-wifi-pwning/</guid><description>Project Site Pwnagotchi is an A2C-based “AI” powered by bettercap and running on a Raspberry Pi Zero W that learns from its surrounding WiFi environment in order to maximize the crackable WPA key material it captures (either through passive sniffing or by performing deauthenticat</description><pubDate>Thu, 11 Jan 2024 18:35:02 GMT</pubDate><category>Offensive Devices / Tactics</category></item><item><title>Automating C2 Infrastructure with Terraform, Nebula, Caddy and Cobalt Strike</title><link>https://bulwarkblack.com/automating-c2-infrastructure-with-terraform-nebula-caddy-and-cobalt-strike/</link><guid isPermaLink="true">https://bulwarkblack.com/automating-c2-infrastructure-with-terraform-nebula-caddy-and-cobalt-strike/</guid><description>Read Article The ability to quickly build out a C2 infrastructure within a few minutes, including all the set up and tear down logic included would be a great asset for any offensive security group or operator. In this post, I will show exactly how to build a fully automated func</description><pubDate>Thu, 11 Jan 2024 18:30:02 GMT</pubDate><category>Business</category></item><item><title>FAKING BLUETOOTH LE WITH AN NRF24L01+ MODULE</title><link>https://bulwarkblack.com/faking-bluetooth-le-with-an-nrf24l01-module/</link><guid isPermaLink="true">https://bulwarkblack.com/faking-bluetooth-le-with-an-nrf24l01-module/</guid><pubDate>Thu, 11 Jan 2024 18:19:55 GMT</pubDate><category>Offensive Devices / Tactics</category></item><item><title>SCADA systems: How secure are the systems running our infrastructure?⎥Malav Vyas (Security Researcher at Palo Alto Networks)</title><link>https://bulwarkblack.com/scada-systems-how-secure-are-the-systems-running-our-infrastructuree28ea5malav-vyas-security-researcher-at-palo-alto-networks/</link><guid isPermaLink="true">https://bulwarkblack.com/scada-systems-how-secure-are-the-systems-running-our-infrastructuree28ea5malav-vyas-security-researcher-at-palo-alto-networks/</guid><pubDate>Thu, 11 Jan 2024 18:04:50 GMT</pubDate><category>Operational Technology (OT)</category></item><item><title>Review: Engineering-grade OT security: A manager’s guide</title><link>https://bulwarkblack.com/review-engineering-grade-ot-security-a-managers-guide/</link><guid isPermaLink="true">https://bulwarkblack.com/review-engineering-grade-ot-security-a-managers-guide/</guid><pubDate>Thu, 11 Jan 2024 18:00:08 GMT</pubDate><category>Business</category></item><item><title>DreamBus Unleashes Metabase Mayhem With New Exploit Module</title><link>https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/</link><guid isPermaLink="true">https://bulwarkblack.com/dreambus-unleashes-metabase-mayhem-with-new-exploit-module/</guid><description>Read Article Key Takeaways</description><pubDate>Thu, 11 Jan 2024 17:46:01 GMT</pubDate><category>Malware</category></item><item><title>Detection 101: Top Detections for Email Phishing and BEC</title><link>https://bulwarkblack.com/detection-101-top-detections-for-email-phishing-and-bec/</link><guid isPermaLink="true">https://bulwarkblack.com/detection-101-top-detections-for-email-phishing-and-bec/</guid><description>Read Article Phishing Detections: Starting the DIR Process Email phishing and BEC attacks both rely on email communication, so an email security tool is integral to protecting your environment. However, while an email security tool plays a central role in detecting phishing attem</description><pubDate>Thu, 11 Jan 2024 17:16:22 GMT</pubDate><category>Detection</category></item><item><title>Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns</title><link>https://bulwarkblack.com/hundreds-of-thousands-of-dollars-worth-of-solana-cryptocurrency-assets-stolen-in-recent-clinksink-drainer-campaigns/</link><guid isPermaLink="true">https://bulwarkblack.com/hundreds-of-thousands-of-dollars-worth-of-solana-cryptocurrency-assets-stolen-in-recent-clinksink-drainer-campaigns/</guid><description>Read Article On January 3, 2024, Mandiant’s X social media account was taken over and subsequently used to distribute links to a cryptocurrency drainer phishing page. Working with X, we were able to regain control of the account and, based on our investigation over the following </description><pubDate>Thu, 11 Jan 2024 17:06:58 GMT</pubDate><category>Malware</category></item><item><title>Flash Report: LockBit Ends 2023 with Record Number of Attacks</title><link>https://bulwarkblack.com/flash-report-lockbit-ends-2023-with-record-number-of-attacks/</link><guid isPermaLink="true">https://bulwarkblack.com/flash-report-lockbit-ends-2023-with-record-number-of-attacks/</guid><description>Read Article Key Findings</description><pubDate>Thu, 11 Jan 2024 16:47:31 GMT</pubDate><category>General CTI</category></item><item><title>Backdoor.Win32 Carbanak (Anunak) / Named Pipe Null DACL</title><link>https://bulwarkblack.com/backdoor-win32-carbanak-anunak-named-pipe-null-dacl/</link><guid isPermaLink="true">https://bulwarkblack.com/backdoor-win32-carbanak-anunak-named-pipe-null-dacl/</guid><description>Read Article Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/b8e1e5b832e5947f41fd6ae6ef6d09a1.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32 Carbanak (Anunak) Vulnerability: Named Pi</description><pubDate>Thu, 11 Jan 2024 16:22:58 GMT</pubDate><category>Global Cyber Threat Intelligence</category></item><item><title>Which type of malware resides only in RAM? Explaining fileless malware</title><link>https://bulwarkblack.com/which-type-of-malware-resides-only-in-ram-explaining-fileless-malware/</link><guid isPermaLink="true">https://bulwarkblack.com/which-type-of-malware-resides-only-in-ram-explaining-fileless-malware/</guid><description>Read Article Explaining malware which resides only in RAM Unlike traditional malware, which typically involves downloading and running an executable file, fileless malware operates in the system’s memory (RAM) and often exploits legitimate tools (like PowerShell, WMI, or Windows </description><pubDate>Thu, 11 Jan 2024 16:01:14 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Hacked in China</title><link>https://bulwarkblack.com/hacked-in-china/</link><guid isPermaLink="true">https://bulwarkblack.com/hacked-in-china/</guid><description>Read Article foreign government’s response to a U.S. strategy document rarely earns front page coverage, but in the case of the Chinese Communist Party’s (CCP) recent reaction to the U.S. government’s new cyber strategy, we should all be paying attention. Tensions continue to esc</description><pubDate>Tue, 09 Jan 2024 23:18:24 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Financially motivated threat actors misusing App Installer</title><link>https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/</link><guid isPermaLink="true">https://bulwarkblack.com/financially-motivated-threat-actors-misusing-app-installer/</guid><description>Read Article Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware. In </description><pubDate>Tue, 09 Jan 2024 19:14:14 GMT</pubDate><category>General CTI</category></item><item><title>Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors</title><link>https://bulwarkblack.com/opening-a-can-of-whoop-ads-detecting-and-disrupting-a-malvertising-campaign-distributing-backdoors/</link><guid isPermaLink="true">https://bulwarkblack.com/opening-a-can-of-whoop-ads-detecting-and-disrupting-a-malvertising-campaign-distributing-backdoors/</guid><description>Read Article Earlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign presented to users in sponsored search engine results and social media posts, consistent with activity reported in From DarkGate to</description><pubDate>Tue, 09 Jan 2024 18:53:58 GMT</pubDate><category>Global Cyber Threat Intelligence</category></item><item><title>Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the GlobeTurkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe</title><link>https://bulwarkblack.com/turkish-hackers-exploiting-poorly-secured-ms-sql-servers-across-the-globeturkish-hackers-exploiting-poorly-secured-ms-sql-servers-across-the-globe/</link><guid isPermaLink="true">https://bulwarkblack.com/turkish-hackers-exploiting-poorly-secured-ms-sql-servers-across-the-globeturkish-hackers-exploiting-poorly-secured-ms-sql-servers-across-the-globe/</guid><description>Read Article Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access. “The analyzed threat campaign appears to end in one of two wa</description><pubDate>Tue, 09 Jan 2024 17:36:16 GMT</pubDate><category>General CTI</category></item><item><title>The Underground Economist: Volume 4, Issue 1</title><link>https://bulwarkblack.com/the-underground-economist-volume-4-issue-1/</link><guid isPermaLink="true">https://bulwarkblack.com/the-underground-economist-volume-4-issue-1/</guid><description>https://www.zerofox.com/blog/the-underground-economist-volume-4-issue-1/ On December 27, 2023, threat actor “APTlord” announced on the dark web forum RAMP that they were selling source code and other information owned by marinetraffic[.]com, which was allegedly obtained by the th</description><pubDate>Tue, 09 Jan 2024 17:26:50 GMT</pubDate><category>Business</category></item><item><title>Custom GPTs: A Case of Malware Analysis and IoC Analyzing</title><link>https://bulwarkblack.com/custom-gpts-a-case-of-malware-analysis-and-ioc-analyzing/</link><guid isPermaLink="true">https://bulwarkblack.com/custom-gpts-a-case-of-malware-analysis-and-ioc-analyzing/</guid><description>Read Article On November 6, 2023, CustomGPTs, a new feature that OpenAI stated on its blog, became available. We can already say that the emergence of Custom Generative Pre-trained Transformers (GPTs) could mark a significant shift in the dynamics of both digital defense and offe</description><pubDate>Tue, 09 Jan 2024 17:12:15 GMT</pubDate><category>AI (General)</category></item><item><title>Analysis of OT cyberattacks and malwares</title><link>https://bulwarkblack.com/analysis-of-ot-cyberattacks-and-malwares/</link><guid isPermaLink="true">https://bulwarkblack.com/analysis-of-ot-cyberattacks-and-malwares/</guid><pubDate>Tue, 09 Jan 2024 16:12:04 GMT</pubDate><category>Operational Technology (OT)</category></item><item><title>Hardware Implants as an Initial Access Vector</title><link>https://bulwarkblack.com/hardware-implants-as-an-initial-access-vector/</link><guid isPermaLink="true">https://bulwarkblack.com/hardware-implants-as-an-initial-access-vector/</guid><description>Read Article On every red team engagement, one of the first steps is to gain access to the target environment. Generally, red teams will leverage social engineering techniques to get their customer to run a payload sent through email or other digital means. Unfortunately for us, </description><pubDate>Mon, 08 Jan 2024 18:50:15 GMT</pubDate><category>Offensive Devices / Tactics</category></item><item><title>Red Pandas Unleashed: How Webhooks, Bad USB, and WiFi Collide in Cyberspace</title><link>https://bulwarkblack.com/red-pandas-unleashed-how-webhooks-bad-usb-and-wifi-collide-in-cyberspace/</link><guid isPermaLink="true">https://bulwarkblack.com/red-pandas-unleashed-how-webhooks-bad-usb-and-wifi-collide-in-cyberspace/</guid><description>Read Article The Power of Automation for Pentesting Automation has become a game-changer in the world of penetration testing. With the ever-increasing complexity of networks and systems, manually tracking and responding to security events is no longer viable. This is where webhoo</description><pubDate>Mon, 08 Jan 2024 17:46:54 GMT</pubDate><category>Business</category></item><item><title>Deceptive Cracked Software Spreads Lumma Variant on YouTube</title><link>https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/</link><guid isPermaLink="true">https://bulwarkblack.com/deceptive-cracked-software-spreads-lumma-variant-on-youtube/</guid><description>Read Article Initial Infection Vector The hacker initially breaches a YouTuber’s account and uploads videos masquerading as sharing cracked software. Figure 3 shows the video descriptions in which a malicious URL is embedded, enticing users to download a ZIP file that harbors mal</description><pubDate>Mon, 08 Jan 2024 17:30:14 GMT</pubDate><category>Malware</category></item><item><title>NoName on Rampage! Claims DDoS Attacks on Ukrainian Government Sites</title><link>https://bulwarkblack.com/noname-on-rampage-claims-ddos-attacks-on-ukrainian-government-sites/</link><guid isPermaLink="true">https://bulwarkblack.com/noname-on-rampage-claims-ddos-attacks-on-ukrainian-government-sites/</guid><description>Read Article NoName ransomware group has allegedly targeted multiple Ukrainian government websites. The latest victims of the alleged NoName ransomware attack on Ukraine include Accordbank, Zaporizhzhya Titanium-Magnesium Plant, State Tax Service, Central Interregional Tax Admini</description><pubDate>Mon, 08 Jan 2024 17:19:33 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Alert: Carbanak Malware Strikes Again With Updated Tactics</title><link>https://bulwarkblack.com/alert-carbanak-malware-strikes-again-with-updated-tactics/</link><guid isPermaLink="true">https://bulwarkblack.com/alert-carbanak-malware-strikes-again-with-updated-tactics/</guid><pubDate>Mon, 08 Jan 2024 17:11:40 GMT</pubDate><category>Malware</category></item><item><title>From Akamai to F5 to NTLM… with love.</title><link>https://bulwarkblack.com/from-akamai-to-f5-to-ntlm-with-love/</link><guid isPermaLink="true">https://bulwarkblack.com/from-akamai-to-f5-to-ntlm-with-love/</guid><description>Read Article Discovery Note: This paper will be covering 1 smuggle gadget out of about 10 that I use in my testing, however this paper will show how this gadget, originally found by @albinowax, can be modified to pin one provider against another in a brutal fashion as you will re</description><pubDate>Mon, 08 Jan 2024 16:05:46 GMT</pubDate><category>Bug Bounty</category></item><item><title>AsyncRAT loader: Obfuscation, DGAs, decoys and Govno</title><link>https://bulwarkblack.com/asyncrat-loader-obfuscation-dgas-decoys-and-govno/</link><guid isPermaLink="true">https://bulwarkblack.com/asyncrat-loader-obfuscation-dgas-decoys-and-govno/</guid><description>Read Article Executive summary AT&amp;T Alien Labs has identified a campaign to deliver AsyncRAT onto unsuspecting victim systems. During at least 11 months, this threat actor has been working on delivering the RAT through an initial JavaScript file, embedded in a phishing page. Afte</description><pubDate>Sun, 07 Jan 2024 21:06:01 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Chapter 84: In-depth analysis and technical analysis of LockBit, the top encryption ransomware organization (Part 1)</title><link>https://bulwarkblack.com/chapter-84-in-depth-analysis-and-technical-analysis-of-lockbit-the-top-encryption-ransomware-organization-part-1/</link><guid isPermaLink="true">https://bulwarkblack.com/chapter-84-in-depth-analysis-and-technical-analysis-of-lockbit-the-top-encryption-ransomware-organization-part-1/</guid><description>Read Article Excerpt LockBit operators and affiliates will find ways to obtain the victim’s initial access rights and use them to deliver encrypted ransomware. The attack methods can be roughly divided into the following methods: 1. Extensive vulnerability scanning . Using Nday v</description><pubDate>Sun, 07 Jan 2024 20:41:31 GMT</pubDate><category>Malware</category></item><item><title>JavaScript Malware: 50,000+ Bank Users at Risk Worldwide</title><link>https://bulwarkblack.com/javascript-malware-50000-bank-users-at-risk-worldwide/</link><guid isPermaLink="true">https://bulwarkblack.com/javascript-malware-50000-bank-users-at-risk-worldwide/</guid><description>IOC: jscdnpack[.]com</description><pubDate>Sun, 07 Jan 2024 20:21:03 GMT</pubDate><category>Malware</category></item><item><title>OAuth endpoint “MultiLogin” identified as root for Google Chrome’s widely adopted session jacking exploit.</title><link>https://bulwarkblack.com/oauth-endpoint-multilogin-identified-as-root-for-google-chromes-widely-adopted-session-jacking-exploit/</link><guid isPermaLink="true">https://bulwarkblack.com/oauth-endpoint-multilogin-identified-as-root-for-google-chromes-widely-adopted-session-jacking-exploit/</guid><description>https://www.csoonline.com/article/1285861/highly-exploited-chromium-bug-traced-to-a-google-oauth-endpoint.html An undocumented Google OAuth endpoint has been identified to be the root of the notorious info stealing exploit that is being widely implemented by various threat actors</description><pubDate>Sun, 07 Jan 2024 20:11:44 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukraine Telecoms Giant</title><link>https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/</link><guid isPermaLink="true">https://bulwarkblack.com/prior-to-cyber-attack-russian-attackers-spent-months-inside-the-ukraine-telecoms-giant/</guid><description>https://www.cysecurity.news/2024/01/prior-to-cyber-attack-russian-attackers.html Kyivstar experienced a large-scale malfunction in December 2023, resulting in the outage of mobile communications and the internet for about 24 million users for several days. How? Russian hackers br</description><pubDate>Sun, 07 Jan 2024 20:02:23 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item><item><title>Hackers Modifying Registry Keys to Establish Persistence via Scheduled Tasks</title><link>https://bulwarkblack.com/hackers-modifying-registry-keys-to-establish-persistence-via-scheduled-tasks/</link><guid isPermaLink="true">https://bulwarkblack.com/hackers-modifying-registry-keys-to-establish-persistence-via-scheduled-tasks/</guid><pubDate>Sat, 06 Jan 2024 02:05:48 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer</title><link>https://bulwarkblack.com/tackling-anti-analysis-techniques-of-guloader-and-redline-stealer/</link><guid isPermaLink="true">https://bulwarkblack.com/tackling-anti-analysis-techniques-of-guloader-and-redline-stealer/</guid><description>https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/</description><pubDate>Fri, 05 Jan 2024 22:35:43 GMT</pubDate><category>Malware</category></item><item><title>Hackers target Apache RocketMQ servers vulnerable to RCE attacks</title><link>https://bulwarkblack.com/hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks/</link><guid isPermaLink="true">https://bulwarkblack.com/hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks/</guid><description>https://www.bleepingcomputer.com/news/security/hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks/</description><pubDate>Fri, 05 Jan 2024 22:24:59 GMT</pubDate><category>Malware</category></item><item><title>North Korea Debuts ‘SpectralBlur’ Malware Amid macOS Onslaught</title><link>https://bulwarkblack.com/north-korea-debuts-spectralblur-malware-amid-macos-onslaught/</link><guid isPermaLink="true">https://bulwarkblack.com/north-korea-debuts-spectralblur-malware-amid-macos-onslaught/</guid><description>https://www.darkreading.com/threat-intelligence/north-korea-debuts-spectralblur-malware-amid-macos-onslaught</description><pubDate>Fri, 05 Jan 2024 22:02:32 GMT</pubDate><category>North Korean Cyber Threat Intelligence</category></item><item><title>Iran’s APT33 targets US defense contractors with novel malware</title><link>https://bulwarkblack.com/irans-apt33-targets-us-defense-contractors-with-novel-malware/</link><guid isPermaLink="true">https://bulwarkblack.com/irans-apt33-targets-us-defense-contractors-with-novel-malware/</guid><description>https://www.scmagazine.com/news/iranian-threat-group-apt33-targets-us-defense-contractors-with-novel-malware</description><pubDate>Fri, 05 Jan 2024 21:56:48 GMT</pubDate><category>Iranian Cyber Threat Intelligence</category></item><item><title>100 Days of YARA – 2023</title><link>https://bulwarkblack.com/100-days-of-yara-2023/</link><guid isPermaLink="true">https://bulwarkblack.com/100-days-of-yara-2023/</guid><description>https://bitsofbinary.github.io/yara/2023/01/01/100daysofyara.html</description><pubDate>Fri, 05 Jan 2024 20:48:52 GMT</pubDate><category>Global Cyber Threat Intelligence</category></item><item><title>Hide and Seek in Windows’ Closet: Unmasking the WinSxS Hijacking Hideout</title><link>https://bulwarkblack.com/hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout/</link><guid isPermaLink="true">https://bulwarkblack.com/hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout/</guid><description>https://www.securityjoes.com/post/hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout</description><pubDate>Fri, 05 Jan 2024 20:35:07 GMT</pubDate><category>Chinese Cyber Threat Intelligence</category></item><item><title>Russia-linked APT Sandworm was inside Ukraine telecoms giant Kyivstar for months</title><link>https://bulwarkblack.com/russia-linked-apt-sandworm-was-inside-ukraine-telecoms-giant-kyivstar-for-months/</link><guid isPermaLink="true">https://bulwarkblack.com/russia-linked-apt-sandworm-was-inside-ukraine-telecoms-giant-kyivstar-for-months/</guid><pubDate>Fri, 05 Jan 2024 19:59:22 GMT</pubDate><category>Russian Cyber Threat Intelligence</category></item></channel></rss>