The Hacker News

Security incidents, policy, threats impacting gov/defense.

ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
News | Apr 16, 2026

The ThreatsDay bulletin highlights a wave of cyber incidents, from a North Korean‑linked breach at Zerion that stole $100 K from internal hot wallets to a newly disclosed Microsoft Defender privilege‑escalation zero‑day called RedSun. Legacy flaws remain dangerous, with CISA adding...

By The Hacker News
Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu
News | Apr 16, 2026

Reflectiz discovered that a Taboola tracking pixel approved in a bank’s CSP silently redirected logged‑in users to a Temu endpoint via a 302 response. The redirect included an Access‑Control‑Allow‑Credentials header, causing browsers to send authentication cookies to Temu and link...

By The Hacker News
Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks
News | Apr 16, 2026

Researchers at Elastic Security Labs identified a novel social‑engineering campaign that abuses Obsidian’s community plugins to deliver the previously unknown PHANTOMPULSE remote‑access trojan. Threat actors pose as venture‑capital contacts on LinkedIn and Telegram, coaxing finance and cryptocurrency professionals to enable...

By The Hacker News
Actively Exploited Nginx-Ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover
News | Apr 15, 2026

A critical authentication‑bypass flaw (CVE‑2026‑33032, CVSS 9.8) in the open‑source nginx‑ui management console is being actively exploited, allowing attackers to seize full control of Nginx services. The vulnerability stems from two MCP endpoints that default to an empty IP whitelist, effectively...

By The Hacker News
April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More
News | Apr 15, 2026

April’s Patch Tuesday delivered a wave of critical fixes across major vendors, highlighted by a CVSS 9.9 SQL‑injection flaw in SAP Business Planning and Consolidation that lets low‑privileged users execute arbitrary database commands. Adobe Acrobat Reader faced a remote‑code‑execution vulnerability (CVSS 8.6)...

By The Hacker News
AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud
News | Apr 14, 2026

Cybersecurity firm HUMAN uncovered a new ad‑fraud operation dubbed Pushpaganda that weaponizes AI‑generated news articles to infiltrate Google Discover. The scheme tricks Android and Chrome users into enabling push notifications that deliver scareware and financial scams, driving traffic to malicious...

By The Hacker News
108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users
News | Apr 14, 2026

Security researchers have uncovered a coordinated campaign involving 108 malicious Chrome extensions that share a common command‑and‑control server. The extensions, published under five publisher names, have collectively been installed about 20,000 times and harvest Google OAuth credentials, Telegram Web session...

By The Hacker News
Your MTTD Looks Great. Your Post-Alert Gap Doesn't
News | Apr 13, 2026

The security industry has narrowed mean‑time‑to‑detect (MTTD) but still suffers a lengthy post‑alert gap, where analysts spend 20‑40 minutes investigating alerts. Recent AI‑driven exploits, such as Anthropic’s Mythos model, demonstrate that attackers can move in seconds, making human‑speed investigations untenable....

By The Hacker News
Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data
News | Apr 11, 2026

Citizen Lab uncovered that law‑enforcement agencies worldwide are deploying Webloc, an advertising‑based geolocation platform originally built by Israeli firm Cobwebs Technologies and now sold by its successor Penlink. The system harvests identifiers, location coordinates and profile data from up to...

By The Hacker News
GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs
News | Apr 10, 2026

Researchers have uncovered a new GlassWorm variant that hides a Zig‑compiled native binary inside a counterfeit WakaTime VS Code extension. The binary acts as a dropper, locating every IDE that supports VS Code extensions and silently installing a malicious VSIX package. The...

By The Hacker News
Browser Extensions Are the New AI Consumption Channel That No One Is Talking About
News | Apr 10, 2026

LayerX’s new report reveals that AI-powered browser extensions are an overlooked yet high‑risk attack vector for enterprises. While 99% of corporate users run at least one extension, AI extensions are 60% more likely to contain vulnerabilities, have three times more...

By The Hacker News
ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories
News | Apr 9, 2026

The ThreatsDay bulletin highlights a surge in the hybrid P2P botnet Phorpiex, a 13‑year‑old Apache ActiveMQ RCE chain, record cyber‑fraud losses, AI‑driven DDoS evolution, and multiple supply‑chain and malware incidents. Phorpiex now infects roughly 125,000 devices daily, using peer‑to‑peer communication to...

By The Hacker News
The Hidden Security Risks of Shadow AI in Enterprises
News | Apr 9, 2026

The article warns that shadow AI—unauthorized artificial‑intelligence tools adopted by employees—creates hidden security gaps in enterprises. A 2024 Salesforce survey shows 55% of workers use AI solutions outside IT approval, exposing data to external platforms. These tools can leak credentials,...

By The Hacker News
New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy
News | Apr 8, 2026

Researchers have identified a new Chaos malware variant that now targets misconfigured cloud deployments, such as a deliberately vulnerable Hadoop instance. The updated 64‑bit ELF binary adds a SOCKS proxy feature while removing its previous SSH‑based spreading mechanisms. The attack...

By The Hacker News