South Korea's National Tax Service has apologized after accidentally leaking the seed phrase to a stash of seized cryptocurrency. Unknown parties exploited this leak to steal the digital currency, turning a successful bust of tax dodgers into an embarrassment for the agency.
Hackers have reportedly weaponized Anthropic's Claude AI model to assist in a cyberattack against the Mexican government. The AI was allegedly used to generate exploit code, develop malicious tools, and facilitate the exfiltration of over 150GB of sensitive data.
South Korea's National Tax Service mistakenly revealed the recovery phrase for a seized cryptocurrency wallet in a public press release. Threat actors exploited this information to steal approximately $4.8 million in cryptocurrency.
This article investigates the identity of "Dort," the individual believed to be the botmaster behind Kimwolf, a massive botnet responsible for significant disruptive attacks. Following the disclosure of a vulnerability that enabled the creation of Kimwolf, Dort has orchestrated retaliatory DDoS, doxing, and harassment campaigns against those involved in exposing the botnet.
Experts are advising that major events, such as the FIFA World Cup, should enhance their security measures to include active and passive wireless threats in addition to traditional physical and cyber defenses. This involves addressing vulnerabilities related to wireless communication and drone activity to protect against potential disruptions and security breaches.
A new backdoor, potentially linked to North Korea, has been used to target US education and healthcare organizations since December. Security researchers discovered the malware, indicating ongoing cyber espionage or disruptive activities.
The North Korean APT37 hacking group is using new malware, delivered via removable drives, to bridge air-gapped networks and conduct covert surveillance. This new toolset allows them to move data between connected and isolated systems.
A Europol-coordinated operation, "Project Compass", targeting the online cybercrime collective known as "The Com" has resulted in 30 arrests and implicated 179 suspects. The Com specifically targets children and teenagers with cybercrime activities.
The U.S. Department of Justice (DoJ) has seized $61 million in Tether linked to "pig butchering" cryptocurrency scams. The funds were traced to crypto addresses used for laundering proceeds stolen from victims of these investment scams.
Over 900 Sangoma FreePBX instances are still compromised with web shells following attacks that exploited a command injection vulnerability that began in December 2025. The majority of infected instances are located in the U.S., followed by Brazil, Canada, Germany, and France. The compromises were discovered by the Shadowserver Foundation.
Ransomware payments significantly decreased in 2025, despite a surge in the number of ransomware attacks reaching record levels. This suggests that while attacks are becoming more frequent, victims are less willing or able to pay the ransom demands, possibly due to improved defenses or a shift in attacker tactics.
This SecurityWeek article summarizes several cybersecurity news items, including the formation of the ATT&CK Advisory Council, Russian cyberattacks aiding missile strikes, and the Predator spyware bypassing iOS indicators. It also mentions a surge in cyber valuations, OpenAI disrupting malicious AI use, and ShinyHunters claiming the Odido breach.
French DIY e-tailer ManoMano admitted that customer data was stolen after a cyberattack hit one of its customer support subcontractors in January. The attackers claim to have stolen data from over 37 million accounts, a significantly larger number than ManoMano initially suggested.
ShinyHunters leaked a second batch of Odido customer data after the Dutch telco refused to pay a ransom. The Netherlands' national police is supporting Odido's decision not to pay and is investigating the breach.
The North Korean threat actor ScarCruft is using new tools, including a Zoho WorkDrive backdoor for C2 and USB-based malware to breach air-gapped networks. The campaign, dubbed Ruby Jumper, relies on malware deployment.
A 24-year-old Chilean man, suspected of operating a carding shop, has been extradited to the United States. He is accused of trafficking over 26,000 credit cards from a single brand.
A Ukrainian man has pleaded guilty to running OnlyFake, an AI-powered website that generated and sold fake identification documents. The website generated over 10,000 fake ID photos, highlighting the misuse of AI in enabling fraudulent activities.
A fake FedEx email is being used to deliver malware instead of just redirecting users to phishing sites. The email claims to be a delivery notification but contains a malicious payload.
North Korean hackers are posing as recruiters to target job seekers in the programming field. They lure candidates into running malicious code during coding challenges, which installs malware on their systems.
The Aeternum botnet loader is utilizing the Polygon blockchain for its command and control (C&C) infrastructure. This approach increases the botnet's resilience by making the C&C infrastructure more difficult to disrupt.
US authorities sentenced Peter Williams to 87 months in prison for selling sensitive cyber-exploit components to a Russian company. Simultaneously, the Department of the Treasury sanctioned Sergey Sergeyevich Zelenyuk and Matrix LLC (Operation Zero) for acquiring and distributing cyber tools harmful to US national security, including exploits for US products.
Threat actors are distributing trojanized gaming utilities through browsers and chat platforms to deploy a Java-based remote access trojan (RAT). The attack involves a malicious downloader that stages a portable Java runtime and executes a malicious JAR file.
Meta is filing lawsuits against advertisers in Brazil, China, and Vietnam for running celebrity-bait scams on its platforms. The company has suspended payment methods, disabled related accounts, and blocked website domains used in the scams.
Ransomware groups are shifting tactics towards stealthy infiltration and long-term access, focusing on data exfiltration and the threat of public exposure as their main extortion mechanism. They are using defense evasion and persistence techniques, routing command-and-control traffic through trusted enterprise services to blend in with normal business traffic, and chaining vulnerabilities for greater impact.
This article summarizes several cybersecurity incidents, including the investigation of a Russian man for extorting the Conti ransomware group, the takedown of a Chinese espionage operation by Google, the hacking of the Mexican government using Claude, and the discovery of a Cisco zero-day exploited for three years.
A zero-day vulnerability, CVE-2026-20127, in Cisco SD-WAN has been under exploitation for three years by a sophisticated, unknown threat actor. The vulnerability is considered to be of maximum severity and the attacker left very little trace of their activities.
Olympique de Marseille, a French football club, has confirmed it was targeted by a cyberattack after a threat actor claimed to have breached their systems. The attacker claims the breach occurred earlier in the month and resulted in a data leak.
Cisco Talos is tracking a new threat activity cluster, UAT-10027, which has been targeting the U.S. education and healthcare sectors since at least December 2025. The group deploys a novel backdoor called Dohdoor that leverages DNS-over-HTTPS (DoH) for command and control.
This article summarizes various cybersecurity threats identified this week, ranging from AI-powered attacks to software vulnerabilities. It highlights the subtle nature of initial attack vectors and the increasing speed and sophistication of malicious tactics.
The ransomware payment rate has dropped to a record low of 28% in the past year, even as the number of claimed ransomware attacks has risen significantly. This indicates that organizations are becoming more resilient to ransomware demands, potentially due to improved backup strategies, incident response plans, and a greater willingness to restore from backups rather than pay the ransom.
The Scattered Lapsus$ Hunters (SLSH) cybercrime group is reportedly recruiting women to improve their social engineering tactics, specifically targeting IT helpdesks. They are offering up to $1,000 per call, suggesting a focus on refining their techniques for gaining unauthorized access.
CrowdStrike's Global Threat Report 2025 reveals that attackers are compromising networks much faster, with an average breakout time of 29 minutes, a 65% increase in speed compared to the previous year. The report attributes this acceleration to the increasing use of AI tools by cybercriminals and state-sponsored groups to automate information gathering, extract credentials, and conduct insider operations.
The Five Eyes intelligence alliance has issued a rare joint alert warning organizations to patch two Cisco Catalyst SD-WAN vulnerabilities. These vulnerabilities are actively being exploited and pose a significant risk of root takeover.
A China-linked espionage group, UNC2814, has been using Google Sheets as a command and control server to spy on telecom providers and government agencies across 42 countries. Google's Threat Intelligence Group (GTIG) and Mandiant disrupted the group's activities, which involved using Google Sheets API functionality to send commands and receive stolen data.
Microsoft is warning developers about a coordinated campaign that uses malicious repositories disguised as legitimate Next.js projects and technical assessments. The goal is to trick victims into executing these projects, leading to persistent access on compromised machines.
The United States has sanctioned Russian exploit broker Operation Zero. The broker acquired zero-day exploits from a US defense contractor executive who was jailed for his actions.
Cisco has patched a zero-day vulnerability in Catalyst SD-WAN, which is being actively exploited by sophisticated hackers. The vulnerability allows attackers to bypass authentication and gain administrative privileges, and it has been added to CISA's KEV catalog.
A zero-day vulnerability, CVE-2026-20127, affecting Cisco Catalyst SD-WAN Controller and Manager has been actively exploited since 2023. The flaw, with a CVSS score of 10.0, allows unauthenticated remote attackers to bypass authentication and gain administrative access.
Cisco SD-WAN vulnerabilities CVE-2026-20127 and CVE-2022-20775 are being actively exploited. These vulnerabilities affect SD-WAN deployments and could allow attackers to compromise systems.
Recorded Future is partnering with CYBERA to expand its coverage of scams and financial fraud by incorporating money mule intelligence. This collaboration enhances Recorded Future's payment fraud prevention capabilities by leveraging CYBERA's expertise in detecting and verifying data related to scam-linked bank accounts.
A Chinese citizen unintentionally exposed a Chinese police influence operation targeting Japan's Prime Minister Takaichi through a ChatGPT account. The operation involved using AI-generated content to spread disinformation and smear the target.
The Five Eyes alliance issued an emergency directive regarding active exploitation of a zero-day vulnerability, CVE-2026-20127, in Cisco SD-WAN controllers. Threat actors are leveraging this flaw to gain unauthorized, administrative-level access to SD-WAN control systems, potentially manipulating network configurations and establishing persistent access.
Microsoft Defender has uncovered a campaign in which threat actors are backdooring developers' machines through malicious repositories disguised as Next.js projects and coding tests. The malicious code installs an information-stealing backdoor, enabling unauthorized access and data exfiltration.
The seizure of the RAMP forum has disrupted the ransomware ecosystem, causing groups to fracture and potentially reform. Researchers advise defenders to monitor these shifts and use the intelligence to inform their security strategies.
A China-linked espionage group, tracked as UNC2814, used Google Sheets as part of its attacks targeting telecommunications companies and government organizations across four continents. Google's threat intelligence team, along with industry partners, disrupted the group's activities.
The PCI Security Standards Council's first annual report indicates that threats to payment systems are accelerating. The council needs to work faster to keep pace with attackers targeting these systems.
Cisco has disclosed that CVE-2023-20177, a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, has been exploited in zero-day attacks since 2023. The vulnerability allows remote attackers to compromise controllers and add malicious peers to networks.
Google has disrupted the infrastructure of UNC2814, a suspected China-nexus cyber espionage group that breached at least 53 organizations across 42 countries. This group has a history of targeting international governments and global telecommunications organizations.
A suspected Chinese threat actor conducted a global espionage campaign targeting telecom and government networks. The actor used SaaS API calls to conceal malicious traffic, making detection more difficult.
Hackers are distributing malicious repositories disguised as legitimate Next.js projects to lure developers into running secret-stealing malware. Microsoft has identified a direct connection between some of these repositories and observed compromises.