APT groups, nation-state activity, campaign tracking
A new cybercrime platform named ATHR has been discovered that leverages AI-powered voice agents to conduct fully automated vishing attacks. These attacks aim to harvest user credentials by combining AI and human operators for social engineering.
This week's cybersecurity news includes a Defender 0-day exploit, a brute-force attack targeting SonicWall, and a 17-year-old vulnerability in Microsoft Excel allowing remote code execution. The article highlights a mix of new threats, persistent old vulnerabilities, and supply chain issues affecting defenders.
The article highlights that in 2024, unmanaged non-human identities, such as compromised service accounts and forgotten API keys, were the primary cause of cloud breaches (68%), overshadowing phishing and weak passwords. It emphasizes the vast number of automated credentials (40-50 per employee) that often go unmonitored after projects end or employees depart.
Textbook publisher McGraw Hill has had 13.5 million records exposed and subsequently listed on a ransomware crew's leak site. The data leak is attributed to a misconfigured page hosted on Salesforce.
A new social engineering campaign is using the Obsidian note-taking app as an entry point to deploy a novel remote access trojan named PHANTOMPULSE. The attacks are specifically targeting individuals in the finance and cryptocurrency industries.
The extortion group ShinyHunters has leaked data from 13.5 million McGraw Hill user accounts. This breach occurred after the group gained access to the edtech giant's Salesforce environment.
A Taboola pixel, approved by a bank, secretly redirected logged-in banking users to a Temu tracking endpoint. This occurred without the bank's knowledge, user consent, or triggering any security alerts. The issue highlights a "First-Hop Bias" blind spot where initial approvals bypass deeper security scrutiny.
Two U.S. nationals have been sentenced to prison for facilitating North Korean IT workers to gain employment with over 100 U.S. companies by falsely posing as American residents. This operation allowed North Korea to circumvent sanctions and generate revenue through its IT sector. The individuals involved face significant prison sentences for their roles in this scheme.
CERT-UA has detailed a campaign by threat actor UAC-0247 that targeted Ukrainian government and healthcare institutions. The campaign used malware to steal sensitive data from Chromium-based browsers and WhatsApp, observed between March and April.
A six-year ransomware campaign has been discovered targeting Turkish homes and small to medium-sized businesses. This campaign has likely gone unnoticed for so long due to the under-reporting of smaller incidents compared to major enterprise breaches. Attackers leverage various tactics including phishing emails and exploit kits.
This article details the process of identifying and locating compromised DVRs in the wild, as performed by an ISC intern. It highlights the methods used to find these devices and the challenges associated with them.
A new malware family called 'AgingFly' has been detected targeting Ukrainian government entities and hospitals. This malware is designed to steal authentication data from Chromium-based browsers and WhatsApp, likely to facilitate further compromise or espionage.
Sweden's minister for civil defense has publicly attributed a cyberattack that occurred last year to a pro-Russian group. The attack specifically targeted a heating plant located in western Sweden, marking the first official acknowledgment of the incident.
CISA has issued a warning to U.S. government agencies regarding a Windows Task Host vulnerability that can be exploited for privilege escalation. Successful exploitation allows attackers to gain SYSTEM privileges on affected systems, posing a significant security risk.
A mother and her ten-year-old son were held captive for approximately 20 hours during a cryptocurrency extortion scheme targeting the father. The father was forced to pay hundreds of thousands of euros to secure their release. This incident is part of a concerning trend in France involving such sophisticated criminal operations.
The Mirax RAT is being offered as a service (MaaS) to a select group of affiliates, primarily Russian speakers. This malware can compromise Android devices, turning them into residential proxy nodes and posing a threat to users in Europe.
A 17-year-old critical vulnerability in Microsoft Excel has been added to CISA's list of actively exploited vulnerabilities. This flaw, despite its age, is now being leveraged by attackers.
Security researchers discovered that a cheap $10 domain name registration could have inadvertently given attackers access to a large number of endpoints, potentially including critical operational technology (OT) and government networks. The identified adware was also capable of disabling existing cybersecurity defenses to facilitate further malicious activity.
Researchers have identified malicious Large Language Model (LLM) proxy routers being used in the wild. These routers are designed to facilitate malicious activities by leveraging LLMs.
Starting March 10, 2026, DShield sensors began detecting probes targeting various AI models like Claude, OpenClaw, and Hugging Face. This activity has been consistently observed in the DShield database since its inception.
This article outlines four essential integration workflows for operationalizing threat intelligence within an organization's security infrastructure. It guides readers through stages of cyber maturity and provides practical steps to advance threat intelligence programs from reactive to autonomous operations.
TeamPCP has been observed conducting supply chain attacks by compromising legitimate software tools. Their objective is to steal credentials for various malicious activities, including payroll fraud, theft of logistics information, and ransomware operations.
Cryptocurrency exchange Kraken has been targeted by hackers who gained access through an insider breach. The attackers are now extorting Kraken by threatening to release videos of internal systems that contain client data.
Microsoft's April Patch Tuesday addresses a significant number of vulnerabilities, including one actively exploited SharePoint Server spoofing flaw and another disclosed by a researcher. A total of 163 bugs were patched across various Microsoft products.
A wargame exercise named "Capture the Narrative" simulated social media manipulation by having students create bots to influence a fictional election. This exercise aimed to educate participants on how influence operations can be carried out in real-world political contexts.
A new ad fraud scheme is using AI-generated content and SEO poisoning to spread scareware and financial scams via Google Discover. The campaign manipulates search results to push deceptive news stories, tricking users into enabling browser notifications that lead to malicious outcomes.
Rival ransomware gangs 0APT and Krybit are engaged in an internal conflict, with 0APT threatening to expose Krybit affiliates. This dispute highlights the lack of cohesion within the cybercrime ecosystem.
The Cloud Security Alliance (CSA) is urging CISOs to prepare for an accelerated threat landscape due to advancements in AI models like Mythos. These models are rapidly shortening the time between identifying vulnerabilities and exploiting them, leading to a new era of faster cyberattacks.
China-linked APT41 (Winnti) group is using a Linux-based backdoor to steal cloud credentials from major cloud providers like AWS, GCP, Azure, and Alibaba Cloud. The malware employs SMTP port 25 for covert command and control and uses typosquatted domains for exfiltration.
CISA has added two new vulnerabilities, CVE-2009-0238 and CVE-2026-32201, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of their active exploitation. These vulnerabilities represent significant risks and frequent attack vectors for cyber actors. Federal agencies are required to remediate these, and all organizations are strongly urged to prioritize them in their vulnerability management.
A cybercrime operation named Triad Nexus is successfully evading sanctions and takedowns by exploiting major service providers. This allows them to continue their illicit activities and distance themselves from international restrictions.
A study analyzing cybercrime forum conversations reveals how cybercriminals perceive and discuss the exploitation of AI. While expressing curiosity about AI's criminal applications, they also harbor doubts about its effectiveness and impact on their operations, with documented attempts to misuse legitimate AI tools and develop bespoke criminal models.
A new Android remote access trojan (RAT) named Mirax has been observed, particularly in Spanish-speaking regions. Mirax campaigns have reportedly reached over 220,000 accounts on Meta platforms by using advertisements to compromise devices and turn them into SOCKS5 proxies.
Hybrid attacks targeting critical infrastructure in Germany and deployed Bundeswehr troops abroad have significantly increased since 2022, according to Vizeadmiral Thomas Daum, Inspector of Cyber and Information Space of the German Armed Forces. These attacks, attributed to state-sponsored actors from Russia, China, Iran, and North Korea, include cyber intrusions, disinformation campaigns, and physical sabotage attempts, as observed during the NATO cyber defense exercise 'Locked Shields'.
CISA has added six known exploited vulnerabilities to its KEV catalog, including flaws in software from Fortinet, Microsoft, and Adobe. These additions indicate active exploitation in the wild, urging organizations to prioritize patching these vulnerabilities.
Rockstar Games has experienced a data breach stemming from a security incident at its analytics provider, Anodot. The ShinyHunters extortion gang has subsequently leaked the stolen data on their platform.
The FBI, in collaboration with Indonesian authorities, has dismantled the W3LL global phishing platform and arrested its alleged developer. This operation marks the first coordinated enforcement action between the US and Indonesia against a phishing kit developer, leading to the seizure of significant infrastructure.
An unknown threat actor impersonated a Linux Foundation official on Slack, using Google Sites to host a phishing lure that tricked open-source software developers into revealing their credentials and giving up control of their systems.
A malware strain named JanelaRAT, a derivative of BX RAT, has been actively targeting banks in Latin America, with a significant number of attacks recorded in Brazil in 2025. This malware is designed to steal financial and cryptocurrency data, capture user inputs like mouse movements and keystrokes, take screenshots, and collect system metadata.
The China-linked APT41 threat group has been observed deploying a new backdoor designed to evade detection, specifically targeting cloud environments like AWS, Google Cloud, Azure, and Alibaba Cloud. This backdoor aims to harvest cloud credentials, and the group is employing typosquatting techniques to mask its command and control (C2) communications.
The FBI and Indonesian police have dismantled a global phishing network using the W3LL toolkit. This operation targeted thousands of victims, attempting to defraud them of over $20 million. The alleged developer of the toolkit has also been apprehended.
Booking.com has reported that hackers gained access to user information. The company stated that the issue has since been contained, but did not specify the number of customers affected.
Attackers are increasingly scanning for and deploying webshells with more sophisticated defenses, such as EncystPHP. This specific webshell is noted to be popular among threat actors compromising vulnerable FreePBX systems. Defenders should be aware of these evolving tactics.
OpenAI has confirmed it was impacted by a supply chain hack linked to North Korea, involving the Axios platform. The breach may have resulted in the compromise of a macOS code signing certificate, raising concerns about the integrity of software distributed by OpenAI.
CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating they are actively being exploited by malicious actors. These vulnerabilities affect various software like Microsoft products, Adobe Acrobat, and Fortinet. The KEV Catalog helps organizations prioritize remediation efforts to mitigate risks.
An international law enforcement operation involving the US, UK, and Canada has successfully disrupted multimillion-dollar cryptocurrency theft schemes. The operation resulted in the identification of over $45 million in stolen cryptocurrency and the freezing of $12 million.
A Russian-speaking threat actor compromised CPUID, the provider of CPU-Z and HWMonitor utilities, to distribute malware. Download links were replaced to serve trojanized versions of these legitimate software tools, embedding a new malware called STX RAT.
The threat actor group ShinyHunters claims to have accessed data belonging to Rockstar Games, threatening to leak it unless a ransom is paid. They allege the breach occurred through a third-party tool used by Rockstar, which may have been compromised, potentially impacting Snowflake metrics.
North Korean APT group APT37 has been observed conducting a social engineering campaign using Facebook. Threat actors befriend targets on the platform to build trust and then use this relationship to deliver the RokRAT malware.
A critical pre-authentication remote code execution (RCE) vulnerability in Marimo is actively being exploited. Attackers are leveraging this flaw to steal credentials.
