A supply chain attack has compromised 32 Red Hat npm packages, with attackers publishing 96 malicious package versions. These versions contained a credential-stealing worm, reportedly similar to Mini Shai-Hulud.
A spear-phishing campaign, attributed to the Pakistan-aligned SideCopy group, has targeted Afghanistan's Ministry of Finance. The attackers used a ZIP archive containing a malicious LNK file with a Pashto-language filename to deliver the Xeno RAT, an open-source remote access trojan.
A new wave of phishing emails is using SVG files as attachments to deliver malicious content. Threat actors are leveraging the SVG format to embed harmful code, bypassing traditional email filters by presenting the content as an image without any URLs in the email body.
Hackers are using compromised websites to distribute malware through "ClickFix" and "FakeUpdate" techniques. A threat actor named DriveSurge is behind these large-scale campaigns, which target thousands of sites to deliver malicious payloads.
A new malware strain dubbed Shai-Hulud is targeting versions of Red Hat's build of the Node.js package manager (npm). The malicious code was found embedded in a legitimate-looking package that had been downloaded approximately 80,000 times per week.
A supply-chain attack compromised over 30 npm packages within Red Hat's '@redhat-cloud-services' namespace. The attackers distributed a new variant of the Shai-Hulud malware, named "Miasma," designed to steal developer credentials.
A supply chain attack has compromised dozens of Red Hat packages via its official NPM channel. Attackers injected malicious code into these packages, which were then distributed to users through the official Red Hat registry.
Malicious actors have registered over 5,000 new domains in an effort to impersonate election-related entities and conduct phishing attacks. These domains are designed to mimic legitimate election websites and organizations, aiming to trick voters into revealing personal information. This tactic highlights the shift from direct election system attacks to social engineering methods.
A vulnerability in the WP Maps Pro WordPress plugin, identified as CVE-2026-8732, is being exploited by unauthenticated attackers. This flaw allows attackers to create administrative accounts on vulnerable WordPress sites.
Dashlane password manager is investigating reports of users being locked out of their accounts due to brute-force attacks. These attacks appear to originate from unknown locations and devices, with attackers making repeated login attempts. Dashlane is working to address the issue and has stated that no user data has been compromised.
Dutch police have successfully dismantled a massive botnet consisting of 17 million infected devices. This botnet was allegedly used to operate a residential proxy network and facilitate various cybercriminal activities.
A new supply chain attack campaign, codenamed Miasma, has compromised Red Hat npm packages to steal credentials and secrets. The attack uses install-time execution tactics to harvest credentials, target CI/CD systems, and exfiltrate data with a self-propagating worm.
A sophisticated WordPress malware campaign has been discovered that uses Steam Community profile comments to hide its command-and-control (C2) infrastructure. Attackers are exploiting WordPress sites to inject malicious code, which then communicates with C2 servers disguised within user comments on Steam profiles, making detection more challenging.
The Centre for Cybersecurity Belgium has issued a warning that threat actors are actively exploiting a critical Windows Netlogon Remote Code Execution (RCE) vulnerability in ongoing attacks. This vulnerability was recently patched, highlighting the ongoing threat posed by unaddressed security flaws.
Operation Dragon Weave, a new cyber espionage campaign aligned with China, is targeting officials and citizens in the Czech Republic and Taiwan. The campaign uses spear-phishing emails with ZIP attachments to deliver the AdaptixC2 agent to sectors including government, research, academic, technology, and financial services.
A supply chain attack has been discovered targeting developers using OpenAI Codex. The malicious package, codexui-android, disguised as a legitimate remote web UI for Codex, was downloaded over 29,000 times weekly from npm.
Threat actors are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin to create unauthorized administrator accounts. This plugin, used by over 15,000 sites, allows for custom map embedding.
An unidentified Remote Access Trojan (RAT) is distributing the NetSupport RAT malware. This is a concerning development, as it indicates a potentially coordinated effort to spread malicious remote access tools.
A critical vulnerability in the WP Maps Pro plugin for WordPress is being actively exploited by hackers. The flaw allows unauthenticated attackers to create new administrator accounts on vulnerable websites. This could lead to full site compromise and malicious activity.
Dutch authorities have successfully dismantled a large botnet comprising at least 17 million infected devices, including computers, tablets, smartphones, and IoT devices. The operation, conducted by the Dutch Politie and the National Cyber Security Center (NCSC), involved taking down over 200 servers used to control the bot network.
A lone attacker has published 14 malicious npm packages designed to mimic popular OpenSearch and Elasticsearch libraries. These packages were discovered and subsequently removed by Microsoft's security team.
A massive botnet, reportedly linked to a Russia-based residential proxy network and comprising over 17 million devices, has been dismantled. The operation involved authorities taking down the infrastructure used to control these compromised devices.
Threat actors are exploiting ChatGPT's share link functionality to host fake outage pages. These pages are designed to trick users into downloading malware disguised as the legitimate ChatGPT desktop application.
Several cybersecurity incidents have been reported, including a data breach affecting Trump Mobile customers, a phishing campaign targeting the 2026 FIFA World Cup, and CISA's response to recent supply chain attacks.
The DDoS-as-a-Service market has evolved significantly, moving from basic tools to sophisticated platforms that offer tiered pricing, customer support, and reseller programs. This evolution makes DDoS attacks more accessible and potentially more damaging.
Dutch authorities have disrupted a massive malware botnet comprising 17 million infected devices. The operation involved seizing over 200 servers used to control the botnet, effectively taking it offline.
Dutch police have dismantled a massive botnet by taking control of 17 million infected devices. This operation involved identifying and seizing approximately 200 servers used to control the botnet, which were traced to the Netherlands. The hosting provider subsequently disconnected these servers, effectively disrupting the botnet's operations.
A malicious NuGet package named 'Sicoob.Sdk' has been found to steal banking credentials, specifically client IDs and PFX certificates, from users in Brazil. This package, disguised as a legitimate software development kit for Sicoob, a major financial cooperative, contains functions to exfiltrate this sensitive information.
The Gentlemen ransomware is evolving with a self-propagating Go-based encryptor that can spread laterally across networks. This sophisticated malware identifies and deploys itself to additional systems using harvested credentials and legitimate administrative tools, leading to broader business disruptions.
Dutch police, with international assistance, have successfully dismantled a massive botnet comprising 17 million devices. The operation targeted the infrastructure used to control these compromised devices, disrupting a significant criminal network.
A new Android remote access trojan (RAT) called BTMOB is being offered to cybercriminals. It features a builder interface that allows attackers to create custom phishing payloads, making it easier to target specific users and organizations. This advanced customization aims to increase the effectiveness of phishing campaigns.
A disgruntled developer allegedly injected malicious code into a popular Java testing library, jqwik. The hidden code was designed to instruct AI coding assistants to delete application output, potentially disrupting development processes.
The FBI has issued a warning about fraudulent websites impersonating FIFA to scam individuals ahead of the 2026 World Cup. These fake sites aim to steal personal and financial information, sell counterfeit tickets and hospitality packages, and perpetrate other World Cup-related fraud.
The recent Canvas attack, which targeted unpatched VPNs by exploiting known vulnerabilities, highlights the persistent risks associated with legacy systems and the need for robust patch management. Attackers used these known vulnerabilities to gain initial access, demonstrating that even well-publicized flaws can be leveraged for significant impact.
Hackers are exploiting a critical vulnerability in FortiClient EMS to deploy a new infostealer malware known as EKZ. The vulnerability, an authentication bypass flaw, allows attackers to gain unauthorized access and push the malware to vulnerable systems.
Threat actors are actively exploiting a critical, patched vulnerability in FortiClient Endpoint Management Server (EMS) to distribute credential-stealing malware. The campaign leverages trusted endpoint management infrastructure to deliver payloads disguised as legitimate Fortinet software across managed endpoints.
This article from ThreatsDay Bulletin covers a range of cybersecurity topics including security issues with Claude plugins, privilege escalation in Azure, a multi-factor authentication bypass for Kali365, and FIFA-related scams. It also highlights ongoing, low-effort attacks using various malware and exposed infrastructure.
A new Android malware named BTMOB has been identified that can perform a full device takeover. It is distributed through phishing lures and is capable of financial theft, data exfiltration, and providing remote access to attackers.
Fortinet has released patches for a critical vulnerability in FortiClient EMS, which was actively exploited in the wild as a zero-day. The company urged users to apply the fixes immediately following the discovery of these attacks.
A major malware operation known as GlassWorm, which targeted developers by poisoning software repositories, has been disrupted by a coordinated effort led by CrowdStrike. Despite this takedown, the broader problem of securing the open-source ecosystem and distinguishing real threats from automated noise remains a significant challenge for defenders.
A new advanced remote access Trojan (RAT) known as BTMOB RAT is spreading across Brazil and Latin America. It is being delivered through a malware-as-a-service (MaaS) model and features a no-code interface for malware development.
A new, previously unknown threat actor, dubbed JINX-0164, is targeting cryptocurrency firms with a sophisticated campaign. This campaign utilizes recruitment-themed social engineering tactics and custom macOS malware to gain access and steal digital assets, focusing on CI/CD infrastructure.
Threat actors are conducting a cryptojacking campaign that leverages SEO poisoning to spread GPU mining malware. This campaign also manipulates AI chatbot recommendations to trick users into downloading malicious software. The attackers are specifically targeting systems with high-performance GPUs.
This article explains how to reconstruct the Akira ransomware attack chain by correlating perimeter firewall logs with Windows event logs. It focuses on identifying the initial access, domain administration, and pre-encryption activities that are crucial for defenders to understand.
The FBI has issued a warning regarding the Silent Ransom Group, an extortion gang that is specifically targeting law firms. This group employs social engineering tactics to gain access to sensitive data stored on law firm servers and databases.
The FBI is warning law firms about a new extortion tactic where cybercriminals pose as IT support personnel to gain physical access to offices. These individuals then often plug in malicious thumb drives to compromise systems and initiate ransomware attacks.
Two distinct malware campaigns, Grandoreiro and BTMOB, are targeting Windows and Android users in Latin America and Europe. WatchGuard and ESET research indicates these campaigns are specifically aimed at companies in Spain, Portugal, and Mexico, and mobile users in Brazil.
A malicious npm package named 'mouse5212-super-formatter' has been discovered that steals files from the Claude AI user directory. The package is designed to upload sensitive files from the '/mnt/user-data' directory, which is used by Anthropic's AI tool for handling uploads and outputs.
Researchers have disrupted the Glassworm botnet, which was used in software supply-chain attacks targeting developers. The takedown was achieved by dismantling its command-and-control infrastructure, which utilized Solana blockchain transactions and the BitTorrent DHT network for resilience.
The FBI has issued a warning regarding the Silent Ransom Group (SRG) extortion gang, which is now conducting in-person data theft attacks against law firms in the United States. These attacks involve physical intrusion and data exfiltration, posing a new threat vector for organizations.