Threat Intel
177 articles
[CRITICAL] ModeloRAT Campaign Abuses Microsoft Teams for Enterprise Intrusion
Rapid7 dissects an April 2026 intrusion where a fake IT Support Teams message delivered ModeloRAT via Dropbox, leading to privilege escalation, credential theft, and lateral...
[CRITICAL] The Gentlemen RaaS Internal Leak Exposes Admin, Affiliates, Tactics
A leaked backend database from The Gentlemen RaaS operation reveals 9 accounts, admin TOX ID, initial access via Fortinet/Cisco edge flaws, and a 190,000 USD ransom payout.
[CRITICAL] TeamPCP Hijacks TanStack CI/CD, Poisons 170+ NPM/PyPI Packages
TeamPCP chained three GitHub Actions flaws to hijack TanStack's CI/CD, publishing 84 malicious artifacts across 42 packages.
[HIGH] 2026 World Cup Scam Economy Targets Fans With Fake Visas, Tickets
Malwarebytes documents a four-part scam economy around the 2026 World Cup: fake visas, counterfeit tickets, phishing sites, and worthless crypto tokens targeting fans ahead of the…
[HIGH] AI-Assisted Attacks Reshape Cyber Threat Landscape in 2026
Japan teen arrested for stealing 7M Kaikatsu Club records to buy Pokémon cards — one example of how AI tools are lowering the barrier for cybercrime in 2026, per The Hacker News…
[HIGH] Amazon SES Abused in Phishing to Evade Email Security Filters
Threat actors exploit Amazon SES to send phishing emails that bypass SPF, DKIM, and DMARC checks, with a 40% rise in abuse since Q4 2025.
[HIGH] Phishing Campaign Hijacks SimpleHelp, ScreenConnect RMM Tools at 80+
Securonix tracks VENOMOUS#HELPER phishing campaign using legitimate SimpleHelp and ScreenConnect RMM software for persistent remote access across 80+ organizations, mostly in the…
[HIGH] Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing
China-linked Silver Fox group targets Indian and Russian organizations with ABCDoor backdoor via tax-themed phishing emails in December 2025 campaign.
[HIGH] Telegram Mini Apps Fuel Crypto Scams, Android Malware Campaign
Researchers uncovered a fraud network abusing Telegram Mini Apps to impersonate brands, steal crypto wallets, and push Android malware like SpyNote and ERMAC.
[HIGH] China-Linked SHADOW-EARTH-053 Hits Asian Govts, NATO State
Trend Micro tracks SHADOW-EARTH-053 targeting government and defense sectors across Asia and one NATO-aligned European state. Campaign uses custom backdoors and spear-phishing.
[HIGH] Cordial Spider, Snarky Spider Use Vishing, SSO Abuse for SaaS
Two cybercrime groups — Cordial Spider and Snarky Spider — are conducting rapid SaaS extortion attacks using vishing and SSO abuse to steal data within hours, researchers warn.
[CRITICAL] North Korea Laundered 76% of All Stolen Crypto in 2026
North Korean hackers laundered 76% of all stolen cryptocurrency in 2026 — $2.3 billion — per Chainalysis.
[HIGH] Vietnamese Phishers Hijack 30K Facebook Accounts via Google AppSheet
Guardio tracks AccountDumpling campaign using Google AppSheet as phishing relay to steal 30,000 Facebook accounts, resold via illicit storefront.
[HIGH] AI Browser Extensions Steal Emails, Passwords via Prompt Injection
Unit 42 finds 30+ malicious AI browser extensions exfiltrating email content, credentials, and API keys via prompt injection and DOM scraping. Affects Chrome, Edge users.
[HIGH] APT29, Intellexa, NSO Share Identical Exploit Chains
Google TAG finds APT29 using exploit chains identical to those deployed by Intellexa and NSO Group, suggesting shared access to zero-day suppliers or exploit resale.
[HIGH] Bluekit Phishing Service Offers AI Assistant, 40 Templates
A new phishing-as-a-service platform called Bluekit provides over 40 templates targeting banks, social media, and email providers, plus an AI assistant for drafting lures.
[HIGH] CISA Details Interlock Ransomware TTPs, IOCs in Joint Advisory
CISA and FBI released a joint advisory on Interlock ransomware, detailing TTPs, IOCs, and a shift from double extortion to data-theft-only attacks targeting healthcare and…
[HIGH] Fake Roblox Enhancements Steal Hundreds of Thousands of Accounts
Malwarebytes reports hackers used fake Roblox game enhancements to steal login credentials from hundreds of thousands of players, reselling accounts for profit.
[HIGH] Google TAG: 97 Zero-Days Exploited in Wild During 2023
Google TAG reports 97 zero-days were exploited in the wild in 2023, up from 62 in 2022. Commercial surveillance vendors drove 80% of targeted exploits. Full report released.
[MEDIUM] Google TAG Details Q1 2025 Influence Operations Takedowns
Google TAG terminated 12 YouTube channels and multiple ad accounts linked to state-backed influence campaigns from Russia, China, Iran, and Israel in Q1 2025.
[HIGH] Google TAG Disrupted 10K DRAGONBRIDGE Influence Ops in Q1 2025
Google TAG disrupted over 10,000 DRAGONBRIDGE influence operations in Q1 2025 — the most prolific IO actor tracked — targeting elections, Ukraine war narratives, and US-China…
[HIGH] Google TAG Report Details Commercial Surveillance Vendor Industry
Google TAG's 2026 report maps 50+ commercial surveillance vendors selling spyware to governments — targeting journalists, activists, and lawyers.
[HIGH] Russian GRU Targets Western Logistics, Tech Firms in Ukraine Aid
CISA warns Russian GRU hackers target Western logistics and tech firms supporting Ukraine aid since 2022.
[MEDIUM] Fake CAPTCHA Scam Racks Up International SMS Charges
Malwarebytes reports scammers using fake CAPTCHA pages to trigger premium-rate international SMS charges, billing victims up to $15 per message via a Keitaro traffic distribution…
[HIGH] Handala Group Targets US Troops in Bahrain via WhatsApp Threats
Iran-aligned Handala group sent WhatsApp messages to US service members in Bahrain threatening drone and missile attacks, escalating psychological warfare against military…
[HIGH] BlueNoroff Fakes Zoom Calls to Lure Crypto Execs
BlueNoroff uses stolen video, AI avatars, and fake Zoom invites to turn crypto executives into attack lures.
[HIGH] Comburglar Intrusion: BHIS Details Stealthy C2 Persistence
Black Hills Information Security uncovers Comburglar intrusion technique enabling persistent C2 via compromised COM hijacking during a breach assessment engagement.
[HIGH] Pro-Russia Hacktivists Target US Critical Infrastructure
CISA warns pro-Russia hacktivists are conducting opportunistic attacks against US and global critical infrastructure, targeting OT and IT systems with known exploits.
[HIGH] Rival Ransomware Gangs 0APT, KryBit Leak Each Other's Data
0APT and KryBit ransomware groups leaked each other's infrastructure data after a feud, exposing C2 servers, panel credentials, and victim lists to defenders.
[HIGH] US Charges 19-Year-Old Scattered Spider Hacker Arrested in Finland
A 19-year-old US-Estonian dual citizen arrested in Finland faces federal charges as a prolific Scattered Spider member linked to ransomware attacks on MGM Resorts and Caesars.
[HIGH] Dort Identified as Kimwolf Botmaster Behind Record DDoS Attacks
KrebsOnSecurity traces Kimwolf botmaster 'Dort' to a real identity after the botnet launched DDoS, doxing, and email flood attacks against a security researcher who disclosed its…
[HIGH] Fake CAPTCHA IRSF Scam Drives SMS Fraud via Keitaro Campaigns
Infoblox uncovers IRSF scam using fake CAPTCHAs to trick users into sending premium SMS; 120+ Keitaro traffic distribution campaigns enable global crypto and SMS fraud.
[MEDIUM] Google: AI Prompt Injection Attacks Rising, Still Low-Sophistication
Google reports a rise in malicious AI prompt injection attacks, but most remain low-sophistication and harmless. Indirect injection attempts target LLM-integrated apps.
[HIGH] Mandiant: Fake Teams Help Desk Deploys Info-Stealing Malware
Mandiant details a social engineering campaign where attackers pose as Microsoft Teams help desk staff to trick victims into installing malware that steals credentials and session…
[CRITICAL] PhantomCore Exploits TrueConf Zero-Days in Russian Network Attacks
Pro-Ukrainian hacktivist group PhantomCore has been exploiting three TrueConf vulnerabilities since September 2025 to execute remote commands on Russian servers, Positive…
[HIGH] Silver Dragon APT Targets Southeast Asia, Europe in Espionage Campaign
Check Point Research tracks Silver Dragon, a Chinese-aligned APT group operationally linked to APT41, targeting government and telecom entities in Southeast Asia and Europe with…
[HIGH] UNC6692 Email Bombing Delivers Snow Malware for Persistent Access
UNC6692 bombards victims with thousands of emails, then poses as IT support to deploy Snowbelt, Snowglaze, and Snowbasin malware for persistent backdoor access. No CVEs involved.
[HIGH] Handala Hack: Iranian Group's Wipe-and-Leak Operations Detailed
Check Point Research details Handala Hack (Void Manticore), an Iranian threat actor behind destructive wiper attacks and hack-and-leak ops via the Homeland Justice persona since…
[HIGH] Iran Conflict Spills Over: Cyber Threats to Critical Infrastructure
ESET warns of increased Iranian cyber activity targeting energy, water, and transportation sectors globally as Middle East conflict escalates.
[HIGH] Iranian Handala Hack Breaches FBI Director Patel's Gmail
Iranian state-affiliated group Handala Hack breached FBI Director Patel's personal Gmail account, leaking personal photos and documents after the FBI seized the group's domains.
[HIGH] LAC Cybercrime Ecosystem Matures with RaaS, Crypto Fraud Surge
Recorded Future's Insikt Group maps a maturing Latin American cybercrime ecosystem: RaaS affiliates, crypto fraud rings, and targeted phishing against financial and government…
[HIGH] Quantum Geopolitics Reshapes Cyber Threat Landscape
Recorded Future's Insikt Group warns that quantum computing advances are driving a geopolitical shift, creating new cyber espionage and attack vectors as state actors race to…
[MEDIUM] Recorded Future: Malicious Infrastructure Evolves with AI-Driven
Insikt Group's 2025 Malicious Infrastructure Report tracks shifts in Cobalt Strike, Vidar infostealers, and AI-driven hosting tactics to inform defender strategies for 2026.
[MEDIUM] Recorded Future Maps Latin America's Maturing Cybercrime Ecosystem
Insikt Group report details how LAC cybercrime evolved in 2025: RaaS adoption, crypto fraud, and phishing-as-a-service expand across the region.
[HIGH] Silver Fox APT Spoofs Japanese Tax Emails in Targeted Campaign
ESET details Silver Fox APT targeting Japanese firms with tax-themed phishing emails delivering malware via weaponized Excel attachments during tax season.
[HIGH] TeamPCP Container Attack Chain Detailed by Elastic Security
Elastic Security Labs publishes a real-world walkthrough of TeamPCP's multi-stage container compromise, showing how runtime signals across each attack phase are detected by…
[CRITICAL] TeamPCP Partners with Vect Ransomware in Supply Chain Attacks
Unit 42 reports TeamPCP has partnered with Vect ransomware group to target security software vendors in multi-stage supply chain attacks, compromising trusted update mechanisms.
[HIGH] Chinese-Language Telegram Guarantee Markets Thrive Post-Huione
Recorded Future finds Chinese-language Telegram guarantee marketplaces proliferating after Huione Guarantee's 2025 shutdown, enabling fraud, money laundering, and cybercrime…
[HIGH] Germany Identifies REvil, GandCrab Ransomware Leader 'UNKN'
German authorities name 31-year-old Russian Daniil Maksimovich Shchukin as 'UNKN,' the operator behind REvil and GandCrab ransomware groups linked to 130+ extortion attacks.
[HIGH] Kaspersky: Financial Cyber Threats Surged 15% in 2025
Kaspersky reports a 15% year-over-year increase in financial cyber threats in 2025, with infostealers and phishing dominating. Android banking malware rose 20% in Latin America.
[MEDIUM] State Hackers Target Mining Sector Over Critical Minerals Supply
Recorded Future warns state-sponsored cyber operations increasingly target mining firms for critical minerals and rare earth elements, as China's refining dominance reshapes…
[HIGH] 26 Fake Crypto Wallet Apps on Apple App Store Steal Seed Phrases
Kaspersky found 26 malicious apps on the Apple App Store since fall 2025 that impersonate wallets like MetaMask and Coinbase to steal recovery phrases and private keys via…
[HIGH] BlackFile Extortion Group Targets Retail, Hospitality via Vishing
BlackFile extortion group has hit at least 12 retail and hospitality organizations since Feb 2026, using vishing to steal VPN credentials and exfiltrate data before demanding…
[HIGH] FIRESTARTER Backdoor Compromised Federal Cisco Firepower Device
CISA revealed FIRESTARTER backdoor compromised a federal Cisco Firepower device running ASA software in September 2025, surviving patching and enabling persistent remote access.
[HIGH] GopherWhisper APT Targets Mongolian Government in Espionage Campaign
ESET discovered China-aligned APT GopherWhisper targeting Mongolian government institutions with custom Go-based malware, leveraging legitimate services for C2.
[HIGH] Lazarus Hijacks macOS via ClickFix to Target Executives
Lazarus APT uses ClickFix social engineering to deliver macOS malware — fake browser update prompts trick executives into running AppleScript payloads that steal credentials and…
[HIGH] ShadowBrokers Leak Links to Pre-Stuxnet Sabotage Framework
SentinelLabs ties leaked ShadowBrokers files to 'Fast16,' a pre-Stuxnet malware targeting Iranian precision software. The framework predates Stuxnet and shares code similarities.
[HIGH] Tropic Trooper APT Hijacks Home Routers to Target Japanese Networks
Chinese state-sponsored Tropic Trooper is compromising home routers as proxy footholds to infiltrate Japanese organizations, shifting to novel TTPs and victim sectors.
[HIGH] Tropic Trooper Uses Trojanized SumatraPDF to Deploy AdaptixC2
Zscaler ThreatLabz links Tropic Trooper to a campaign using trojanized SumatraPDF to drop AdaptixC2 Beacon and abuse VS Code tunnels for remote access, targeting Chinese-speaking…
[HIGH] Unit 42 Tracks TGR-STA-1030 Activity in Central and South America
Palo Alto Unit 42 reports TGR-STA-1030 remains active in Central and South America, targeting government and energy sectors with custom malware and living-off-the-land techniques.
[CRITICAL] Bitwarden CLI npm Package Hijacked to Steal Developer Credentials
Attackers published a malicious @bitwarden/cli npm package that steals credentials and spreads to other projects.
[HIGH] China-Linked GopherWhisper Hits 12 Mongolian Gov Systems
ESET identified GopherWhisper, a China-aligned APT, breaching 12 Mongolian government systems with Go-based backdoors, injectors, and loaders since early 2026.
[HIGH] GopherWhisper APT Uses Go Tools, Legit Services in Gov Attacks
GopherWhisper, a new state-backed APT, targets government entities with a Go-based toolkit abusing Outlook, Slack, and Discord for C2.
[HIGH] UNC6692 Hijacks Microsoft Teams to Deploy SNOW Malware Suite
UNC6692 impersonates IT helpdesk staff via Microsoft Teams chats to trick victims into installing SNOW malware — a custom backdoor with credential theft and lateral movement…
[HIGH] AirSnitch Attacks Bypass WPA2/3 Encryption, Expose Enterprise Wi-Fi
Unit 42 reveals AirSnitch attacks bypass WPA2/3 encryption and client isolation, exposing enterprise Wi-Fi to packet injection and credential theft.
[MEDIUM] Caller-as-a-Service Fraud Operations Mimic Corporate Call Centers
Flare researchers detail 'Caller-as-a-Service' fraud, where criminal operations use hiring, training, and KPIs to manage scam callers targeting victims in North America and Europe.
[MEDIUM] Mastodon Mitigates Major DDoS Attack Following Bluesky Outage
The decentralized social network Mastodon mitigated a major DDoS attack on April 22, 2026, causing a multi-hour outage for users.
[HIGH] Microsoft-Signed Binary Hijacked to Deliver LOTUSLITE Backdoor in
State-linked threat actors used a Microsoft-signed binary for DLL sideloading to deploy the LOTUSLITE backdoor against India's banking sector, evading security controls with a…
[HIGH] Mustang Panda Deploys New LOTUSLITE Variant Targeting Indian Banks
Mustang Panda's new LOTUSLITE variant targets Indian banks and South Korean policy circles via a dynamic DNS C2 over HTTPS, enabling remote shell access and file theft.
[HIGH] North Korean Fake Job Scams Spread Malware via 'Contagious Interview'
North Korean operatives use a 'contagious interview' tactic, where a compromised developer's GitHub repo spreads RATs to other job seekers.
[HIGH] Phishing Reclaims Top Initial Access Vector in Q1 2026, Cisco Talos
Cisco Talos found phishing accounted for over a third of initial access engagements in Q1 2026, surpassing exploitation of public-facing apps for the first time since Q2 2025.
[HIGH] Ransomware Attackers Operate Like Businesses, ESET Research Reveals
ESET analysis of 100+ ransomware attacks shows threat actors run business operations with defined roles, KPIs, and supply chains, not just technical attacks.
[HIGH] British National Pleads Guilty to SIM Swapping, SMS Phishing for Crypto Theft
Tyler Robert Buchanan admitted to a U.S. conspiracy that stole over $1 million in cryptocurrency via SMS phishing, corporate network intrusions, and SIM swapping attacks targeting victims nationwide.
[CRITICAL] CISA Warns Axios npm Package Compromised in Supply Chain Attack
CISA alerts that the Axios npm package, with over 60 million weekly downloads, was compromised in a supply chain attack, injecting malicious code into downstream applications.
[INFORMATIONAL] Former Ransomware Negotiator Pleads Guilty to BlackCat Attacks
Angelo Martino, a 41-year-old former employee of cybersecurity firm DigitalMint, pleads guilty to conspiring in BlackCat ransomware attacks against U.S. companies while working as a negotiator.
[HIGH] France Titres Data Breach Exposes Citizen Information for Sale
France Titres, the French government agency for ID documents, confirms a data breach after a threat actor offers to sell stolen citizen information, including names, addresses, and passport numbers.
[HIGH] GitHub Issue Notifications Hijacked for Developer Phishing via OAuth Apps
Threat actors are using GitHub's trusted notification system to phish developers, pushing malicious OAuth apps that steal account data and hijack repositories. The campaign exploits the platform's own infrastructure to bypass traditional email security.
[HIGH] Healthcare Data Breaches in Illinois and Texas Expose 600,000 Patients
Southern Illinois Dermatology, Saint Anthony Hospital, and North Texas Behavioral Health Authority disclose breaches affecting over 600,000 patients, exposing names, SSNs, and medical data.
[HIGH] Identity-Based Attacks Dominate Breaches as Attackers Bypass Exploits
The Hacker News reports identity-based attacks, using stolen credentials and MFA bypass, are the dominant initial access vector in modern breaches, rendering sophisticated exploits unnecessary for initial entry.
[HIGH] SideWinder APT Deploys Fake Chrome PDF Viewer and Zimbra Clone to Steal
SideWinder APT targets South Asian government bodies with a phishing campaign using a fake Chrome PDF viewer and a cloned Zimbra login portal to steal webmail credentials, active since February 2026.
[HIGH] The Gentlemen Ransomware Botnet Infects 1,570+ Systems via SystemBC Proxy
Check Point Research uncovers a 1,570-victim botnet linked to The Gentlemen ransomware, using the SystemBC proxy malware to establish stealthy SOCKS5 tunnels for command and control.
[MEDIUM] Threat Actors Embed Malicious Payloads in .WAV Audio Files
SANS ISC reports threat actors are using .WAV audio files to deliver malware payloads, exploiting the format's ability to conceal malicious code within seemingly benign audio data.
[CRITICAL] Lazarus Group Steals $290 Million in KelpDAO Cross-Chain Bridge Attack
North Korea's Lazarus Group exploited a smart contract flaw to steal $290 million from the KelpDAO cross-chain bridge, marking one of the largest DeFi heists of 2026 and highlighting persistent risks in cross-chain infrastructure.
[HIGH] North Korean Operatives Use AI and Fake Identities to Infiltrate Companies via
North Korean operatives are using AI tools and forged documents to pass remote job interviews, according to Flare research. The tactic aims to place threat actors inside target companies for long-term espionage and network access.
[HIGH] Operation PhantomCLR Hijacks Intel Driver to Deploy Stealthy Malware
Operation PhantomCLR exploits a legitimate Intel driver to hijack the .NET CLR and deploy malware, bypassing security tools by using a trusted, signed binary without modifying its code.
[HIGH] Scattered Spider Member Pleads Guilty to SIM Swapping, Crypto Theft
Tyler Buchanan, a UK member of the Scattered Spider cybercrime group, pleaded guilty to charges of conspiracy to commit wire fraud and computer hacking, admitting to SIM-swapping attacks that stole over $800,000 in cryptocurrency from victims.
[HIGH] Seiko USA Website Defaced, Customer Data Stolen in Ransom Attack
Seiko USA's website was defaced by a hacker claiming theft of its Shopify customer database, including names, emails, and order details for 30,000 individuals, with a ransom demand to prevent public leak.
[HIGH] Threat Actors Impersonate IT Helpdesk via Microsoft Teams to Deploy Quick Assist
Threat actors are using Microsoft Teams to impersonate IT helpdesk staff, tricking employees into installing Microsoft's own Quick Assist tool to grant attackers full remote control of corporate systems.
[HIGH] UNC1069 Targets Crypto Professionals with Fake Zoom and Teams Meetings
North Korean threat actor UNC1069 lures Web3 professionals with fake Zoom and Microsoft Teams meetings to deploy malware that steals cryptocurrency, according to new research.
[HIGH] Vercel Breach Exposes Customer Credentials via Compromised AI Tool
Vercel confirms a breach exposing limited customer credentials after attackers compromised an employee's account via a third-party AI tool, Context.ai. The cloud platform is resetting passwords and API tokens for affected users.
[HIGH] Apple Account Change Alerts Hijacked for Phishing Scams
Threat actors are abusing Apple's legitimate notification system to send iPhone purchase phishing emails from Apple's own servers, bypassing spam filters and targeting millions of Apple ID users.
[CRITICAL] Interlock Ransomware Exploits Cisco FMC Zero-Day in Global Attacks
The Interlock ransomware group is actively exploiting a zero-day vulnerability in Cisco Firepower Management Center to breach networks. Recorded Future identified 31 high-impact flaws in March 2026, a 139% monthly increase.
[HIGH] Los Angeles Police Department Reports 7.7 TB Data Breach
The Los Angeles Police Department reports a breach of 7.7 terabytes and 337,000 files from a city attorney's digital storage system, exposing sensitive law enforcement data.
[HIGH] OpenClaw AI Agent Poses Autonomous Threat via Package Masquerade
Qualys ETM detected the OpenClaw AI agent disguised as a routine package on a Windows Server, correlating endpoint, exposure, and identity telemetry to reveal an active, autonomous threat.
[MEDIUM] Proofpoint Finds FIFA World Cup 2026 Partners Vulnerable to Email Spoofing
Proofpoint reports 36% of FIFA World Cup 2026 commercial partners fail to implement DMARC, exposing fans to spoofed email fraud. The analysis of 39 official partners found 14 lack basic email authentication.
[HIGH] Pushpaganda Scam Hijacks Google Discover with AI-Generated News
The Pushpaganda campaign used AI-generated news sites to poison Google Discover, pushing 10,000+ deceptive articles to trigger browser notifications that delivered scareware and ad fraud to millions of users.
[HIGH] TeamPCP Supply Chain Attack Fuels Payroll Fraud and Ransomware
TeamPCP threat actors compromised trusted software tools to steal credentials from over 100 organizations, enabling $1.5M in payroll fraud, logistics theft, and ransomware extortion.
[HIGH] Vercel Confirms Data Breach After Hackers Attempt to Sell Stolen Information
Vercel disclosed a security breach after threat actors attempted to sell stolen data, including customer account information and internal project details, on a hacking forum. The cloud platform is investigating the scope of the incident.
[MEDIUM] Business Impersonation Fraud Evolves with AI-Powered Shopping Scams
Recorded Future details how threat actors exploit corporate identity verification gaps, pivoting from cashing stolen checks to orchestrating AI-powered shopping scams that impersonate legitimate businesses to steal goods.
[HIGH] Fake Data Breach Notifications Deploy Malware, Steal Credentials
Threat actors are weaponizing data breach notifications, sending fake alerts that trick users into downloading malware or entering credentials on phishing sites, according to ESET research.
[HIGH] Tycoon 2FA Phishing Kit Disruption Fuels Surge in Copycat Attacks
The disruption of the Tycoon 2FA phishing-as-a-service platform has led to a surge in copycat attacks, as threat actors reuse its tools and techniques in other kits, increasing the overall volume of multi-factor authentication bypass attempts.
[HIGH] UAC-0247 Threat Actor Deploys Data-Stealing Malware Against Ukrainian Targets
The Ukrainian CERT-UA attributes a new campaign to threat actor UAC-0247, which uses phishing lures to deploy malware that steals data from Chromium browsers and WhatsApp on government and healthcare systems.
[CRITICAL] WordPress Supply Chain Attack Infects 30+ Plugins, Plants Malicious Backdoor
A malicious buyer used the Flippa marketplace to acquire a plugin developer, injecting a backdoor into over 30 WordPress plugins with hundreds of thousands of installations to deploy hidden SEO spam.
HIGHCybercriminals Hijack Logistics Systems to Steal High-Value Physical Cargo
Threat actors are compromising trucking and freight brokerage firms to manipulate shipments and steal physical cargo, moving beyond data theft to target high-value goods in transit.
HIGHDHL-Themed Phishing Campaign Delivers Remote Access Software
A new phishing campaign impersonates DHL to trick recipients into installing legitimate remote access software, which attackers then use as a foothold to deploy additional malware, including ransomware.
MEDIUMDraftKings Credential Seller Sentenced to Prison for Continued Fraud
Kamerin Stokes, a participant in the 2022 DraftKings credential stuffing attack, has been sentenced to time served and three years of supervised release for continuing to sell stolen accounts after pleading guilty.
HIGHEmail-Borne Worm Surge Targets Industrial Control Systems
A global wave of email-borne worms, driven by a single piece of malware, targeted industrial control systems (ICS) in Q4 2025, marking a significant shift in OT threats.
MEDIUMMan Sentenced to Prison for Selling Hacked DraftKings Accounts
Kamerin Stokes was sentenced to 30 months in prison for selling access to tens of thousands of compromised DraftKings accounts, causing over $600,000 in losses.
HIGHPayouts King Ransomware Emerges from BlackBasta's Shadow
The Payouts King ransomware group, linked to former BlackBasta affiliates, has conducted targeted attacks since April 2025, combining data theft with selective encryption to pressure victims.
HIGHPhishing Remains Primary Attack Vector as MSPs Struggle with Evolving Threats
Phishing continues to be the dominant initial attack vector for cybercrime, driving a surge in incidents that managed service providers (MSPs) and their clients are struggling to contain with traditional defenses.
HIGHSapphire Sleet Targets macOS Users with Fake Zoom SDK Update
North Korean threat actor Sapphire Sleet is distributing a new macOS malware via a fake Zoom SDK installer, stealing passwords, crypto wallets, and personal data through a multi-stage social engineering campaign.
HIGHMcGraw Hill Breach: ShinyHunters Leaks 13.5M User Records
ShinyHunters published data from 13.5 million McGraw Hill accounts — names, emails, institutional affiliations — stolen from a misconfigured Salesforce instance.
CRITICALTP-Link Router Flaw Exploited by Mirai Botnet Variant
Attackers are exploiting CVE-2023-33538, a command injection flaw in TP-Link Archer AX21 routers, to deploy a Mirai botnet variant. The campaign hijacks devices for DDoS attacks and credential theft.
HIGHTycoon 2FA Phishing Group Shifts to Device Code Attacks
The Tycoon 2FA phishing group has abandoned its namesake toolkit, adopting device code phishing to bypass multi-factor authentication and compromise Microsoft 365 and Gmail accounts.
MEDIUMUnderground Guides Teach Threat Actors to Vet Stolen Credit Card Shops
Threat intelligence firm Flare details how cybercriminal forums circulate guides teaching actors to systematically vet 'carding shops' selling stolen payment data, focusing on data freshness, shop reputation, and operational security.
HIGHW3LL Phishing Platform Disrupted in International Law Enforcement Operation
A coordinated law enforcement operation has disrupted the W3LL phishing-as-a-service platform, which was used to target over 800,000 corporate Microsoft 365 accounts globally.
HIGHATHR Vishing Platform Automates Voice Phishing with AI Agents
The ATHR cybercrime platform automates voice phishing (vishing) attacks using AI-generated voice agents to impersonate trusted entities and harvest credentials, lowering the barrier for large-scale social engineering campaigns.
HIGHBooking.com Breach Fuels Sophisticated Hotel Impersonation Scams
A data breach at Booking.com is providing threat actors with detailed guest reservation data, enabling highly convincing scams where attackers impersonate hotels to steal payment details and credentials.
HIGHClickFix Phishing Campaign Masquerades as Claude AI Installer
A phishing campaign uses fake Claude AI installer lures and 'ClickFix' social engineering to trick users into granting remote access, enabling credential theft and financial fraud.
HIGHIndustrial Control Systems Face Rising Malware, USB Threats in Q4 2025
Kaspersky data shows malware blocked on 33.3% of industrial control system computers in Q4 2025, with internet threats and removable media as top infection vectors. The share of systems facing USB-borne threats grew to 4.1%.
HIGHMcGraw-Hill Data Breach Exposes 13.5 Million Users via Salesforce
Education publisher McGraw-Hill confirms a data breach exposing 13.5 million users' personal data, linked to a misconfigured Salesforce environment. Over 100GB of stolen data has been publicly distributed online following an extortion attempt.
[MEDIUM] Pushpaganda Campaign Exploits Google Discover to Hijack Browser Notifications
A threat operation dubbed Pushpaganda is abusing Google Discover with AI-generated clickbait to trick users into enabling malicious browser notifications, which then deliver phishing and scam content.
[HIGH] Ransomware Attack Disrupts Automotive Data Giant Autovista Group
Autovista Group, a major European automotive data and analytics firm, confirms a ransomware attack disrupting operations. The company is investigating with external experts, but impact on customer data remains unclear.
[HIGH] Researchers Map Over 1,250 Active C2 Servers Across Russian Hosting Providers
A three-month investigation has identified more than 1,250 active command-and-control servers operating across 165 Russian hosting providers, forming a resilient infrastructure for malware and ransomware operations.
[HIGH] Rhysida Ransomware Group Breaches Tennessee Hospital, Exposes 337,000
Cookeville Regional Medical Center confirms a 2025 ransomware attack by the Rhysida group compromised the data of 337,000 individuals after the theft of 500GB of files.
[MEDIUM] Scammers Revive iCloud Storage Full Scam to Steal Payment Details
A phishing campaign impersonates Apple to pressure users with fake 'iCloud storage full' alerts, aiming to steal credit card information and Apple ID credentials.
[HIGH] Threat Actors Abuse Google Cloud Storage to Evade Filters, Deliver Remcos RAT
Cybercriminals are hosting phishing pages on Google Cloud Storage to bypass email security and reputation checks, delivering the Remcos remote access trojan in campaigns observed since early 2026.
[HIGH] Threat Actors Abuse Microsoft 365 Mailbox Rules for Silent Email Interception
Attackers are exploiting hidden mailbox rules in compromised Microsoft 365 accounts to intercept sensitive emails, redirect financial communications, and suppress security alerts without triggering user notifications.
[HIGH] UAC-0247 Threat Actor Targets Ukrainian Hospitals and Government with
The UAC-0247 threat actor is actively targeting Ukrainian municipal healthcare and government bodies, deploying malware to steal browser data, WhatsApp sessions, and credentials while moving laterally within networks.
[MEDIUM] Credit Resources Vault Scam Targets Financially Vulnerable with Deceptive Fees
A sophisticated email scam impersonating the 'Credit Resources Vault' uses urgency and official-looking documents to trick financially distressed individuals into paying recurring fees for worthless credit repair services.
[HIGH] Fake YouTube Copyright Notices Steal Google Credentials via Phishing
YouTube creators are targeted by a sophisticated phishing campaign using fake copyright infringement notices to steal Google account credentials, enabling channel takeover and broader account compromise.
[HIGH] Microsoft Edge WebView2 Runtime Abused for Proxy Execution and Defense Evasion
Offensive security researchers detail how the trusted Microsoft Edge WebView2 Runtime is being weaponized for proxy execution, allowing attackers to load malicious code under a legitimate, signed Microsoft process to evade detection.
[MEDIUM] Pushpaganda Campaign Uses AI-Generated Clickbait to Hijack Browser Notifications
A campaign dubbed Pushpaganda uses AI-generated clickbait to trick users into enabling malicious browser notifications, delivering a persistent stream of scams and fake alerts directly to the desktop.
[HIGH] Threat Actors Weaponize n8n Workflow Platform for Phishing and Payload Delivery
Attackers have been abusing the legitimate n8n workflow automation platform since October 2025 to send phishing emails and deliver malware, leveraging its trusted infrastructure to bypass email security filters.
[HIGH] WordPress Plugin Supply Chain Attack Deploys Backdoor After 8-Month Dormancy
A threat actor purchased a legitimate WordPress plugin business and hid a backdoor in updates for eight months before activating it, compromising thousands of sites in a sophisticated supply chain attack.
[HIGH] Attackers Shift from Phishing to Social Engineering for Okta Compromise
Threat actors are bypassing email security by using phone-based social engineering to target IT help desks and compromise Okta identity systems, enabling initial access to corporate networks.
[HIGH] CSA Warns of AI-Driven 'Mythos' Era Collapsing Vulnerability-to-Exploit Timelines
The Cloud Security Alliance warns that AI models like Mythos are dramatically accelerating cyberattacks, collapsing the time between vulnerability discovery and weaponized exploit to near zero.
[HIGH] EDR-Killer Ecosystem Expands, Leveraging BYOVD Attacks to Evade Detection
A growing ecosystem of threat actors is using Bring-Your-Own-Vulnerable-Driver attacks to disable security software, requiring enhanced kernel-level protections.
[HIGH] FBI Dismantles W3LL Phishing Kit, a $500 Service Behind $20M in Fraud
The FBI and Indonesian authorities dismantled the W3LL phishing-as-a-service platform, a $500 kit used to steal credentials and linked to over $20 million in attempted fraud.
[HIGH] FIFA 2026 Partners' Email Security Gaps Expose Public to Impersonation Fraud
Proofpoint research reveals 36% of FIFA World Cup 2026 official partners lack essential DMARC email authentication, exposing fans to high-risk domain impersonation and fraud.
[HIGH] Kraken Faces Extortion After Insider Breach Exposed Bug Bounty Flaw
Kraken's security team discovered an insider breach where a researcher exploited a zero-day flaw to steal $3 million in crypto, then demanded a bug bounty payment.
[MEDIUM] McGraw-Hill Data Breach Linked to Exploited Salesforce Misconfiguration
McGraw-Hill was breached via a misconfigured Salesforce instance; ShinyHunters claim 13.5M user records were exposed. The article covers the root cause, the scope of access, and what educators and SaaS admins should check now.
[HIGH] Triad Nexus Cybercrime Operation Evades Sanctions via Major Cloud Providers
The Triad Nexus cybercrime syndicate leverages major cloud and hosting providers to obscure its infrastructure, evade sanctions, and facilitate ransomware, data theft, and financial fraud.
[HIGH] AI Browser Extensions: The Unseen Threat Vector in Enterprise Networks
A new report from LayerX highlights the significant security risks posed by AI browser extensions, which are often overlooked in enterprise networks.
[HIGH] APT37 Targets Individuals via Facebook to Deploy RokRAT Malware
North Korea's APT37 group is conducting a social engineering campaign on Facebook, using fake profiles to build trust and deliver the RokRAT remote access trojan to targeted individuals.
[HIGH] APT41 Deploys Stealthy Backdoor to Harvest Cloud Credentials
China-linked threat actor APT41 is deploying a novel, low-detection backdoor against AWS, Google, Azure, and Alibaba Cloud to harvest credentials and establish persistence.
[HIGH] Backdoored Smart Slider 3 Pro Update Deployed via Compromised Plugin Servers
Unknown threat actors compromised the update infrastructure for the Smart Slider 3 Pro WordPress plugin, pushing a backdoored version (3.5.1.35) to users. The attack leverages a supply chain compromise to gain administrative access.
[MEDIUM] Basic-Fit Data Breach Exposes Member Data Across European Operations
Basic-Fit, Europe's largest budget fitness chain, confirmed a data breach impacting ~1 million members. Unauthorized access to membership systems exposed personal data across multiple countries.
[HIGH] Basic-Fit Data Breach Exposes 1 Million Member Records
Hackers breached European gym chain Basic-Fit, accessing personal data of approximately one million members, including names, birthdates, and email addresses.
[HIGH] Booking.com Confirms Data Breach Exposing Reservation and User Data
Booking.com confirms a data breach exposing sensitive reservation and user data, forcing PIN resets for affected customers.
[MEDIUM] Booking.com Confirms Data Breach via Social Engineering Attack
Booking.com confirms a data breach where attackers used social engineering to compromise employee accounts and access customer travel booking information. The company states the incident has been contained.
[HIGH] Canadian Payroll Phishing Campaign Exploits Office 365 Search Poisoning
A financially motivated group is hijacking Office 365 search results to steal employee paychecks via phishing and account takeover.
[HIGH] ChipSoft Ransomware Attack Disrupts Dutch Healthcare IT Services
Dutch healthcare IT provider ChipSoft was hit by a ransomware attack, forcing it to take patient and provider portals offline, disrupting critical medical administration across the Netherlands.
[CRITICAL] Critical PDF Zero-Day Exploited for Months, Infrastructure Espionage Revealed
A critical zero-day vulnerability in widely used PDF software has been actively exploited for months. Concurrently, state-sponsored actors have been targeting fiber optic infrastructure for espionage.
[HIGH] Fancy Bear APT Exploits Unpatched Flaws in Global Espionage Campaign
Russia's APT28 (Fancy Bear) is conducting a global cyber espionage campaign, exploiting unpatched vulnerabilities in routers and network devices to infiltrate government and defense targets.
[HIGH] GlassWorm Uses New Zig Dropper to Target Developer IDEs via Fake VS Code Extension
Researchers discovered GlassWorm’s latest Zig dropper hidden in a malicious VS Code extension, allowing silent infection of multiple IDEs on developer workstations.
[HIGH] International Operation Disrupts SIM Swap & BEC Schemes, Recovers $45M
A joint US, UK, and Canadian law enforcement operation disrupted multi-million dollar crypto theft schemes using SIM swapping and BEC, identifying over $45M in stolen assets and freezing $12M.
[HIGH] Iranian CyberAv3ngers Escalate Attacks on US Water, Industrial Infrastructure
The Iran-backed threat actor CyberAv3ngers, linked to the IRGC, has evolved from hacktivism to conducting disruptive cyber operations against US water utilities and programmable logic controllers (PLCs).
[HIGH] Iran-Linked Hackers Target ICS/SCADA Systems in Critical Infrastructure
The US government warns that Iran-linked actors are manipulating PLCs and SCADA systems to disrupt critical infrastructure.
[HIGH] LAPD Data Breach Exposes 7.7 TB of Sensitive Files via Third-Party System
A data breach at a digital storage system used by the L.A. City Attorney's Office exposed 7.7 TB and over 337,000 files, including sensitive LAPD records. The incident stemmed from a third-party vendor's misconfiguration.
[HIGH] North Korean Lazarus Group Compromises OpenAI via Axios Supply Chain Attack
North Korea's Lazarus Group compromised OpenAI's internal systems via a supply chain attack on the Axios client library, using a stolen macOS code-signing certificate to sign malware.
[HIGH] ShinyHunters Breaches Rockstar Games via Third-Party SaaS Platform
ShinyHunters breached Rockstar Games by exploiting the Anodot SaaS platform, accessing the company's Snowflake data environment and threatening to leak stolen data unless a ransom is paid.
[HIGH] SANS Stormcast: Exploits Target Ivanti, Fortinet, and VMware Flaws
The SANS Internet Storm Center reports active exploitation of vulnerabilities in Ivanti, Fortinet, and VMware products, alongside a new phishing campaign using malicious OneNote attachments.
[HIGH] Storm-2755 Targets Canadian Payroll Systems in Salary Theft Campaign
Financially motivated group Storm-2755 compromises employee payroll accounts to redirect salary payments in Canada.
[HIGH] Storm-2755 Hijacks Payroll via AiTM Attacks
Financially motivated group Storm-2755 targets Canadian employees using AiTM session hijacking to redirect salary payments.
[HIGH] Threat Actors Weaponize MSBuild LOLBin for Fileless Windows Attacks
Cybercriminals are abusing the legitimate Microsoft Build Engine (MSBuild.exe) to execute malicious .NET code directly in memory, evading traditional detection by avoiding file drops.
[HIGH] US Warns of Active PLC Targeting in OT Environments
Government agencies warn that programmable logic controllers remain a top target for cyber adversaries in industrial environments.
[HIGH] VENOM PhaaS Platform Targets C-Suite Credentials in Sophisticated Campaign
A new phishing-as-a-service platform dubbed VENOM is being used to steal Microsoft credentials from senior executives via sophisticated, multi-stage email campaigns.
[MEDIUM] XChat's Self-Destructing Messages: A Security Analysis of Musk's New Feature
Elon Musk's X platform launched XChat with self-destructing messages, a feature that introduces complex security and forensic implications for enterprise users and incident responders.
[HIGH] AI-Powered Threat Actor Breaches Mexican Government, Exposes Citizen Data
A sophisticated attacker leveraged AI tools like Claude and ChatGPT to breach nine Mexican government agencies, exfiltrating hundreds of millions of citizen records in a multi-month campaign.
[HIGH] Credential-Based Attacks Blur Line Between Breach and Normal Activity
Modern attackers are exploiting valid credentials and living-off-the-land techniques to make breaches indistinguishable from legitimate user activity, rendering traditional perimeter and anomaly detection ineffective.
[MEDIUM] Fake BTS World Tour Ticket Sites Target Fans in Multi-Country Scam
A widespread phishing campaign uses fraudulent BTS concert ticket websites to steal payment information from fans across at least nine countries.
[HIGH] Hims Data Breach Exposes Sensitive Medical and Prescription Data
A breach at telehealth provider Hims & Hers exposed highly sensitive patient health information, including details on prescriptions for weight loss, hair loss, and erectile dysfunction.
[MEDIUM] Oberon System 3 Native Port for Raspberry Pi Raises Supply Chain Security Concerns
A native port of the Oberon System 3 for Raspberry Pi 3, distributed via a pre-configured SD card image, presents a potential supply chain attack vector. The image's provenance and integrity cannot be fully verified, highlighting risks in third-party firmware distribution.
[HIGH] Ransomware Gangs Evolve EDR Evasion, Adopt New Driver-Based Killers
ESET Research reports ransomware operators are expanding their arsenal of EDR-killing tools, moving beyond exploiting vulnerable drivers to using legitimate but maliciously signed drivers for stealth.
[HIGH] Stryker Hit by Cyberattack, Windows Zero-Day Exploited, China Supercomputer Hacked
Medical device giant Stryker confirms a cyberattack, while a patched Windows zero-day is actively exploited and a Chinese supercomputer cluster is breached.
[HIGH] Thousands of US Industrial PLCs Exposed to Iranian State-Sponsored Threat Actors
Nearly 4,000 Rockwell Automation PLCs in the US are directly exposed online, creating a significant attack surface for Iranian state-sponsored hackers targeting critical infrastructure.