GBHackers On Security

Security news site covering daily hacking news and cyberattack updates.

Sophisticated Malware Lurks In Open VSX Extension With 5,066 Downloads
News | Jan 30, 2026

Annex Security uncovered a malicious VS Code extension in the Open VSX registry that pretended to be the Angular Language Service, amassing 5,066 downloads before activating sophisticated malware. The extension decrypts a payload with AES‑256‑CBC, contacts a Solana blockchain address for command‑and‑control,...

By GBHackers On Security
Attackers Weaponize Microsoft 365 Outlook Add-Ins to Quietly Exfiltrate Email Data
News | Jan 30, 2026

Researchers have uncovered a stealthy data‑theft method called “Exfil Out&Look” that abuses Microsoft 365 Outlook Web add‑ins to siphon email content. The technique leverages minimal‑permission manifests that execute on the OnMessageSend event, silently fetching email bodies and forwarding them via a fetch()...

By GBHackers On Security
Open Directory Exposure Leaks BYOB Framework Across Windows, Linux, and macOS
News | Jan 29, 2026

The Hunt.io team uncovered an openly accessible directory on IP 38.255.43.60 that hosts the complete BYOB (Build Your Own Botnet) framework, a sophisticated post‑exploitation tool targeting Windows, Linux and macOS. The infrastructure includes five C2 nodes across the United States, Singapore...

By GBHackers On Security
BlackIce Introduced as Container-Based Red Teaming Toolkit for AI Security Testing
News | Jan 29, 2026

Databricks unveiled BlackIce, an open‑source Docker‑based toolkit that bundles 14 leading AI security utilities into a single, reproducible environment. By containerizing both static command‑line tools and dynamic Python‑driven frameworks, BlackIce removes the setup friction and dependency clashes that have long...

By GBHackers On Security
Fake “Mac Cleaner” Campaign Uses Google Ads to Redirect Users to Malware
News | Jan 29, 2026

Cybercriminals are leveraging Google Search Ads to distribute macOS malware by directing users searching for “mac cleaner” to counterfeit Apple‑styled landing pages. The ads, hosted on compromised Google Ads accounts, redirect to Google Apps Script pages that decode Base64 payloads...

By GBHackers On Security
Python-Based PyRAT Emerges as Cross-Platform Threat With Advanced Remote Access Capabilities
News | Jan 29, 2026

A new Python‑based Remote Access Trojan, dubbed PyRAT, has been identified as a cross‑platform threat capable of compromising both Windows and Linux systems. The malware leverages Python’s portability, compiling into ELF and PE binaries, and employs lightweight persistence mechanisms—XDG autostart...

By GBHackers On Security
Matanbuchus Malware Evolves to Bypass AV Defenses by Swapping Core Components
News | Jan 29, 2026

Matanbuchus, a C++‑based downloader sold as Malware‑as‑a‑Service since 2020, has evolved into a modular backdoor platform with its latest 3.0 release featuring heavy obfuscation, ChaCha20‑encrypted strings, and Protobuf‑encoded C2 traffic. The malware leverages DLL sideloading through a malicious HRUpdate.exe MSI...

By GBHackers On Security
Cal.com Broken Access Controls Lead to Account Takeover and Data Exposure
News | Jan 28, 2026

Cal.com, an open‑source scheduling platform, patched critical broken‑access‑control vulnerabilities that allowed attackers to hijack accounts and expose booking data. The flaws included an authentication bypass in the organization signup flow that let attackers take over any user by using an...

By GBHackers On Security
E-Skimming Attacks Surge with Evolving Tactics and Ongoing Recovery Challenges
News | Jan 28, 2026

Source Defense’s year‑long study of 550 e‑commerce sites shows e‑skimming remains a chronic problem, with 18% of sites still infected after twelve months. Over half of the persistent infections (57%) have evolved into new script variants, indicating attackers adapt once...

By GBHackers On Security
Critical IDIS IP Camera Vulnerability Allows Full Computer Compromise with One-Click Exploit
News | Jan 28, 2026

IDIS Cloud Manager’s Windows viewer contains a critical flaw (CVE‑2025‑12556) that lets attackers trigger remote code execution with a single click. The vulnerability stems from CWGService.exe accepting unsanitized command‑line arguments via a local WebSocket, which are passed to the Chromium...

By GBHackers On Security
Cybercriminals Exploit Canadians’ Dependence on Digital Services in Widespread Attacks
News | Jan 28, 2026

Cybercriminals are running a large‑scale phishing campaign against Canadians that impersonates government agencies, Air Canada and Canada Post, using the PayTool phishing‑as‑a‑service platform. The operation distributes SMS alerts and malicious ads that direct victims to spoofed portals hosted on shared IP...

By GBHackers On Security
Chinese National Sentenced to 46 Months for Laundering Millions Stolen From U.S. Investors
News | Jan 28, 2026

A Chinese national, Jingliang Su, received a 46‑month federal prison sentence for laundering roughly $36.9 million stolen from U.S. investors in a cryptocurrency fraud scheme run from Cambodia. The court ordered him to pay nearly $27 million in restitution and highlighted a...

By GBHackers On Security
Attackers Hijack GitHub Desktop Repo to Spread Malware via Official Installer
News | Jan 27, 2026

Threat actors exploited a design flaw in GitHub’s fork architecture to distribute malware masquerading as the official GitHub Desktop installer. By forking the repository and altering the README download link, they created malicious commits that appear under the official namespace,...

By GBHackers On Security
G_Wagon NPM Package Exploits Users to Steal Browser Credentials with Obfuscated Payload
News | Jan 27, 2026

Security researchers identified a malicious npm package, ansi-universal-ui, that houses the G_Wagon infostealer. The package pretends to be a UI component library but delivers a Python‑based payload that extracts browser passwords, cryptocurrency wallets, cloud credentials, and messaging tokens. Over ten...

By GBHackers On Security
ShinyHunters Group Targets Over 100 Enterprises, Including Canva, Atlassian, and Epic Games
News | Jan 27, 2026

A newly identified threat supergroup called SLSH, formed by Scattered Spider, LAPSUS$ and ShinyHunters, is targeting more than 100 high‑profile enterprises through sophisticated human‑led vishing attacks on Single Sign‑On platforms, especially Okta. The attackers use a live phishing panel to...

By GBHackers On Security
Hackers Exploit SEO Poisoning to Target Users Seeking Legitimate Tools
News | Jan 27, 2026

Hackers are leveraging SEO poisoning to push malicious ZIP archives that contain BAT scripts masquerading as legitimate tools. The fraudulent pages rank highly in search results, directing users to fake repositories where the scripts contact command‑and‑control servers and download remote...

By GBHackers On Security
Lazarus Hackers Target European Drone Manufacturers in Active Campaign
News | Jan 26, 2026

North Korean state‑sponsored Lazarus group launched a new Operation DreamJob campaign targeting European defense firms that build uncrewed aerial vehicles. The attackers used fake job offers to distribute trojanized PDFs that install the ScoringMathTea RAT and BinMergeLoader loader. The malware leverages...

By GBHackers On Security
NetSupport Manager 0-Day Vulnerabilities Enable Remote Code Execution
News | Jan 26, 2026

Security researchers uncovered two critical 0‑day flaws—CVE‑2025‑34164 and CVE‑2025‑34165—in NetSupport Manager versions up to 14.10.4.0. The bugs reside in an undocumented broadcast feature and can be chained to achieve unauthenticated remote code execution by corrupting heap memory and reading stack...

By GBHackers On Security
New Phishing Attack Exploits Vercel to Host and Deliver Remote Access Malware
News | Jan 26, 2026

A sophisticated phishing campaign has been leveraging Vercel's *.vercel.app subdomains since November 2025 to deliver remote‑access malware. The attackers disguise malicious pages as invoice portals or document viewers, then conditionally serve a signed GoTo Resolve installer after fingerprinting the victim’s browser....

By GBHackers On Security
TrustAsia Pulls 143 Certificates Following Critical LiteSSL ACME Vulnerability
News | Jan 23, 2026

TrustAsia revoked 143 SSL/TLS certificates after uncovering a critical vulnerability in its LiteSSL ACME service. The flaw allowed domain‑validation data to be reused across different ACME accounts, enabling unauthorized issuance of wildcard certificates. The issue stemmed from a logic error...

By GBHackers On Security
NVIDIA CUDA Toolkit Flaw Allows Command Injection, Arbitrary Code Execution
News | Jan 22, 2026

NVIDIA released a patch on January 20, 2026 for four critical vulnerabilities in its CUDA Toolkit, affecting Nsight Systems and Nsight Visual Studio tools. The flaws enable local command injection and arbitrary code execution through inadequate input validation and insecure DLL loading,...

By GBHackers On Security
BIND 9 Flaw Lets Attackers Crash Servers With Malicious DNS Records
News | Jan 22, 2026

A critical vulnerability identified as CVE‑2025‑13878 affects BIND 9 DNS servers, allowing remote attackers to crash the named process using malformed BRID or HHIT records. The flaw impacts several stable branches (9.18.40 through 9.18.43, 9.20.13 through 9.20.17, and 9.21.12 through 9.21.16) and carries a CVSS v3.1 score of 7.5,...

By GBHackers On Security
PNB MetLife Phishing Attack: Multi-Stage Scheme Steals Data, Triggers UPI Payments
News | Jan 22, 2026

A sophisticated multi‑stage phishing campaign is targeting PNB MetLife insurance customers through mobile‑optimized fake payment‑gateway pages hosted on free EdgeOne Pages. The first stage harvests personal details and forces fraudulent UPI payments using dynamically generated QR codes and clipboard manipulation. A...

By GBHackers On Security
JA3 Fingerprinting Tool Exposes Attackers’ Infrastructure
News | Jan 22, 2026

JA3 fingerprinting, once considered outdated, is re‑emerging as a potent tool for tracking malicious infrastructure. By MD5‑hashing the TLS version, cipher suites, extension types, supported groups and EC point formats advertised in a ClientHello, JA3 produces an identifier for the client’s TLS stack that stays stable across malware variants built on the same stack. Recent threat‑intel investigations linked specific JA3 hashes to Remcos RAT,...

By GBHackers On Security
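
As an added example for the summary above (written for this page, not code from the article or from any published JA3 implementation), the block below computes a JA3 string and its MD5 from a ClientHello. The ClientHello bytes are constructed inline: the builder helper, the cipher and extension lists, and the server_name example.com are assumptions for the demonstration, not values from the article. The sample is built once with GREASE values and once without, to show why JA3 strips them.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomized per connection by browsers such as
# Chrome; JA3 drops them so the fingerprint stays stable across connections.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16s(buf):
    """Split a byte string into big-endian 16-bit integers."""
    return [struct.unpack("!H", buf[i:i + 2])[0] for i in range(0, len(buf), 2)]


def parse_client_hello(record):
    """Parse a TLS record carrying a ClientHello into the five JA3 fields.

    Returns (version, cipher_suites, extension_types, supported_groups,
    ec_point_formats); version is an int, the rest are ints in wire order.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                              # legacy_version, 32-byte random
    pos += 1 + body[pos]                      # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = _u16s(body[pos:pos + cs_len])
    pos += cs_len
    pos += 1 + body[pos]                      # compression methods

    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == 0x000A:               # supported_groups: u16 len + u16 list
                groups = _u16s(data[2:2 + struct.unpack("!H", data[:2])[0]])
            elif etype == 0x000B:             # ec_point_formats: u8 len + u8 list
                formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, formats


def _drop_grease(values):
    return [v for v in values if v not in GREASE]


def ja3(record):
    """Return (ja3_string, ja3_md5) for a ClientHello record."""
    version, ciphers, exts, groups, formats = parse_client_hello(record)
    fields = [
        str(version),
        "-".join(map(str, _drop_grease(ciphers))),
        "-".join(map(str, _drop_grease(exts))),
        "-".join(map(str, _drop_grease(groups))),
        "-".join(map(str, formats)),
    ]
    ja3_str = ",".join(fields)
    return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()


def build_client_hello(version, ciphers, extensions):
    """Build a minimal TLS record carrying a ClientHello (constructed input, not a capture)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # random, empty session id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"    # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sample_client_hello(with_grease):
    """Constructed sample: a TLS 1.3-capable hello, with or without GREASE values."""
    ciphers = [0x1301, 0x1302, 0xC02B]          # AES128-GCM, AES256-GCM, ECDHE-ECDSA-AES128-GCM
    groups = [0x001D, 0x0017]                   # x25519, secp256r1
    if with_grease:
        ciphers.insert(0, 0x1A1A)
        groups.insert(0, 0x2A2A)
    group_data = b"".join(struct.pack("!H", g) for g in groups)
    exts = [
        (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),   # server_name (assumed host)
        (0x000A, struct.pack("!H", len(group_data)) + group_data),
        (0x000B, b"\x01\x00"),                          # ec_point_formats: uncompressed
        (0x0017, b""),                                  # extended_master_secret
        (0x002B, b"\x02\x03\x04"),                      # supported_versions: TLS 1.3
    ]
    if with_grease:
        exts.insert(0, (0x3A3A, b"\x00"))               # GREASE extension type
    return build_client_hello(0x0303, ciphers, exts)


if __name__ == "__main__":
    for grease in (True, False):
        ja3_str, ja3_md5 = ja3(sample_client_hello(grease))
        print(f"grease={grease}: {ja3_md5} {ja3_str}")
```

Both runs print the same hash, which is the reason GREASE is stripped. Reordering the cipher list changes the hash, so what JA3 really identifies is a TLS library plus its configuration: every sample built on the same stack (a particular Go crypto/tls release, a Python requests build) shares the fingerprint, which is why a hash should be pivoted on together with destination and timing rather than treated as a malware signature on its own.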
New ClickFix Campaign Exploits Fake Verification Pages to Hijack Facebook Sessions
News | Jan 22, 2026

A new ClickFix campaign is hijacking Facebook accounts by luring users into fake verification and appeal pages that instruct them to extract live session tokens (c_user and xs) from their browsers. The operation spans 115 phishing pages hosted on abuse‑friendly...

By GBHackers On Security
Malicious PyPI Package Impersonates Sympy-Dev, Targeting Millions of Users
News | Jan 22, 2026

A malicious PyPI package named sympy-dev impersonates the popular SymPy library, using typosquatting to lure developers into installing it. Four versions (1.2.3 through 1.2.6) were released on Jan 17, 2026 and amassed over 1,000 downloads within the first day. The package embeds a memory‑only...

By GBHackers On Security
ClearFake Malware Exploits Proxy Execution to Run Malicious PowerShell Commands via Trusted Windows Feature
News | Jan 22, 2026

ClearFake, a JavaScript‑based malware distribution framework, has upgraded its evasion tactics by abusing the legitimate Windows script SyncAppvPublishingServer.vbs to execute hidden PowerShell commands via proxy execution. The campaign retrieves multi‑stage payloads from smart contracts on the BNB Smart Chain testnet,...

By GBHackers On Security
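
The proxy-execution step the summary describes leaves a recognisable trace in process-creation telemetry. The block below is an added example (not code from the article or from any vendor's detection content) that runs two rules over constructed, Sysmon-style process-creation lines: a script host (wscript.exe or cscript.exe) running SyncAppvPublishingServer.vbs with a `;` after the script name, which is how the caller appends its own PowerShell, and a PowerShell process whose parent is a script host, which is the child the script actually creates. The line format, field names, PIDs and command lines are constructed for this demonstration.

```python
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
LOLSCRIPT = "syncappvpublishingserver.vbs"

# Constructed, Sysmon-style process-creation events (not real telemetry).
# Fields: Pid|Image|ParentImage|CommandLine; CommandLine is last so it may contain '|'.
SAMPLE_EVENTS = r"""
4120|C:\Windows\System32\wscript.exe|C:\Windows\System32\svchost.exe|wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs
4312|C:\Windows\System32\wscript.exe|C:\Windows\explorer.exe|wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;Start-Process calc.exe"
4330|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\wscript.exe|powershell.exe -NonInteractive -WindowStyle Hidden -Command Start-Process calc.exe
4400|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe -NoProfile -Command Get-Process
""".strip().splitlines()


def parse_event(line):
    """Parse one constructed 'Pid|Image|ParentImage|CommandLine' line into a dict."""
    pid, image, parent, cmdline = line.split("|", 3)
    return {"Pid": int(pid), "Image": image, "ParentImage": parent, "CommandLine": cmdline}


def _basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_syncappv_proxy_execution(ev):
    """Script host running SyncAppvPublishingServer.vbs with a ';' after the script.

    The script passes its first argument into a PowerShell command string, so
    a ';' after the script name lets the caller append arbitrary PowerShell.
    A run with nothing appended after the script name is not flagged.
    """
    if _basename(ev["Image"]) not in SCRIPT_HOSTS:
        return False
    cmd = ev["CommandLine"].lower()
    if LOLSCRIPT not in cmd:
        return False
    return ";" in cmd.split(LOLSCRIPT, 1)[1]


def is_powershell_from_script_host(ev):
    """PowerShell spawned by wscript/cscript: the child the .vbs creates."""
    return (_basename(ev["Image"]) in POWERSHELL
            and _basename(ev["ParentImage"]) in SCRIPT_HOSTS)


RULES = {
    "syncappv_proxy_execution": is_syncappv_proxy_execution,
    "powershell_from_script_host": is_powershell_from_script_host,
}


def detect(lines):
    """Run every rule over the lines; return (rule_name, pid) for each match."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append((name, ev["Pid"]))
    return alerts


if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The first rule is specific and rarely fires on its own; the second is the broader net and will be noisy where VBScript automation is still used, so in practice it is tuned by parent command line or combined with the first rule on the same host within a short window.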
ErrTraffic Exploits Visual Page Breaks to Fuel ClickFix Attacks, Rebranding Exploits as “GlitchFix”
News | Jan 21, 2026

ErrTraffic is a traffic‑distribution system that powers ClickFix social‑engineering attacks by deliberately corrupting website visuals—a technique dubbed “GlitchFix.” When a victim visits a compromised page, the script distorts text, CSS and cursor movement before presenting a fake update prompt that...

By GBHackers On Security
Magecart Hack Injects JavaScript to Steal Online Payment Data
News | Jan 21, 2026

Security researchers have uncovered a new Magecart‑style campaign that injects obfuscated JavaScript from cc-analytics.com/app.js into e‑commerce checkout pages. The script captures credit‑card numbers and billing details, then exfiltrates them to attacker‑controlled servers at pstatics.com via XMLHttpRequest POSTs. Infrastructure analysis reveals...

By GBHackers On Security
Threat Actors Exploit LinkedIn for RAT Delivery in Enterprise Networks
News | Jan 21, 2026

A new phishing campaign is using LinkedIn private messages to deliver remote access trojans to enterprise networks. Attackers send self‑extracting WinRAR archives that contain a legitimate PDF reader, a malicious DLL, and a portable Python interpreter. The DLL is loaded...

By GBHackers On Security
Apache Airflow Flaws Expose Sensitive Workflow Data to Potential Attackers
News | Jan 20, 2026

Apache Airflow released version 3.1.6 to fix two credential‑exposure flaws (CVE‑2025‑68675 and CVE‑2025‑68438). The first flaw logged proxy URLs with embedded usernames and passwords, while the second allowed unmasked API keys and tokens in the Rendered Templates UI. Both issues affect...

By GBHackers On Security
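
Both flaws are the same class of mistake: a secret reaches a log line or a UI because nothing scrubbed it on the way out. As an added example (not Airflow's own masking code and not taken from the advisory), the block below shows the two checks an application should make before emitting such data: mask the password in a proxy URL before it is logged, and mask rendered values by key name before they are displayed. The key-name pattern, the mask string, the logging filter and the sample values are assumptions for the demonstration.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# Key names whose values must never reach a log or a rendered-template view (assumed list).
SENSITIVE_KEY = re.compile(r"(api[_-]?key|token|secret|password|passwd|credential)", re.I)

# Matches "scheme://user:password@" so credentials are masked even inside free text.
URL_USERINFO = re.compile(r"\b([a-z][a-z0-9+.-]*://[^\s/@:]+:)[^\s/@]+@", re.I)

MASK = "***"


def redact_url(url):
    """Return url with the password in its userinfo replaced by MASK.

    The username is kept so the log still says which proxy account was used;
    IPv6 literals get their brackets restored because urlsplit strips them.
    """
    parts = urlsplit(url)
    if not parts.password:
        return url
    host = parts.hostname or ""
    if ":" in host:
        host = f"[{host}]"
    netloc = f"{parts.username}:{MASK}@{host}"
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scrub(text):
    """Mask URL credentials anywhere in a free-text message."""
    return URL_USERINFO.sub(rf"\1{MASK}@", text)


def mask_rendered(value, key=None):
    """Recursively mask a rendered-template value before it is displayed.

    A value is replaced entirely when its key looks sensitive; string values
    are additionally scrubbed of URL credentials wherever they appear.
    """
    if key is not None and SENSITIVE_KEY.search(key):
        return MASK
    if isinstance(value, dict):
        return {k: mask_rendered(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_rendered(v) for v in value)
    if isinstance(value, str):
        return scrub(value)
    return value


class CredentialFilter(logging.Filter):
    """Logging filter that scrubs URL credentials from every record it sees."""

    def filter(self, record):
        record.msg = scrub(record.getMessage())   # format first, then scrub the result
        record.args = None
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("proxy-demo")
    log.addFilter(CredentialFilter())
    log.info("connecting through %s", "http://alice:s3cret@proxy.example:3128")  # constructed URL
    print(mask_rendered({"api_key": "abc", "http_proxy": "http://u:p@h:1", "conf": {"token": "t", "retries": 3}}))
```

The structured redactor is the one to call where the URL is known to be a URL; the regex filter is the backstop for the message that some other code path formats itself. Masking by key name is only as good as the list, so values that look like tokens but live under an innocuous key still need the regex pass.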
OPNsense 25.7.11 Enhances Network Visibility With Host Discovery Feature
News | Jan 20, 2026

OPNsense 25.7.11 introduces a native host discovery service that automatically resolves and stores MAC addresses for IPv4 and IPv6 hosts. The feature feeds live data to MAC‑based firewall aliases and captive‑portal client tracking, improving policy accuracy and device visibility. IPv6...

By GBHackers On Security
TP-Link Router Flaw Enables Authentication Bypass Through Password Recovery Mechanism
News | Jan 20, 2026

TP‑Link disclosed a high‑severity authentication bypass (CVE‑2026‑0629) affecting its VIGI security‑camera line. The flaw exploits the password‑recovery feature, allowing any LAN‑connected attacker to reset admin credentials without verification. With a CVSS v4.0 score of 8.7, the vulnerability grants full control over...

By GBHackers On Security
Discord Exploited to Spread Clipboard Hijacker Stealing Cryptocurrency Funds
News | Jan 20, 2026

Security firm CloudSEK’s STRIKE team uncovered a new cryptocurrency‑theft campaign that leverages Discord communities to distribute a clipboard‑hijacking trojan dubbed Pro.exe. The malware, attributed to the RedLineCyber group, monitors Windows clipboard for wallet addresses and silently replaces them with attacker‑controlled...

By GBHackers On Security
Cloudflare Zero-Day Flaw Allows Attackers to Bypass Security and Access Any Host
News | Jan 20, 2026

A critical zero‑day in Cloudflare’s Web Application Firewall allowed attackers to bypass all WAF rules by targeting the ACME certificate‑validation path. Researchers from FearsOff demonstrated that arbitrary requests to /.well-known/acme-challenge/ could reach origin servers, exposing sensitive endpoints in Spring Boot,...

By GBHackers On Security
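
The defensive counterpart to a bypass like this: whatever a WAF does with the ACME path, the origin should treat /.well-known/acme-challenge/ as an allowlist of token-shaped static files, never as a prefix that routes into the application. The block below is an added example (not Cloudflare's or FearsOff's code, and not a reproduction of the bypass) of an origin-side guard that canonicalizes the request path the way an application router would before deciding whether it is a challenge request. The token pattern, the double-decoding, the treatment of `;` path parameters and the sample paths are assumptions for the demonstration.

```python
import posixpath
import re
from urllib.parse import unquote

ACME_PREFIX = "/.well-known/acme-challenge/"
# http-01 tokens are base64url: exactly one path segment of these characters (length bound assumed).
TOKEN = re.compile(r"[A-Za-z0-9_-]{1,128}")


def canonical_path(raw):
    """Canonicalize a request path as an application router would see it.

    Strips query and fragment, percent-decodes twice (to catch double
    encoding), treats backslashes as slashes, drops ';' path parameters
    (servlet containers do), and collapses '.' and '..' segments.
    """
    path = raw.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    canon = posixpath.normpath(path)
    if path.endswith("/") and not canon.endswith("/"):
        canon += "/"
    return canon


def classify(raw):
    """'challenge' for a clean single-token request under the ACME prefix,
    'reject' for anything else under it, 'not_acme' when it resolves elsewhere."""
    canon = canonical_path(raw)
    if not canon.startswith(ACME_PREFIX):
        return "not_acme"
    token = canon[len(ACME_PREFIX):]
    return "challenge" if TOKEN.fullmatch(token) else "reject"


def challenge_response(raw, tokens):
    """(status, body) for the challenge handler; `tokens` maps token -> key authorization.

    Everything that is not a known, well-formed token gets 404 from this
    handler and is never forwarded to the application's own routes.
    """
    if classify(raw) != "challenge":
        return 404, ""
    token = canonical_path(raw)[len(ACME_PREFIX):]
    return (200, tokens[token]) if token in tokens else (404, "")


if __name__ == "__main__":
    # Constructed sample paths; the token value is made up.
    known = {"A" * 43: "A" * 43 + ".keyauth"}
    for p in ["/.well-known/acme-challenge/" + "A" * 43,
              "/.well-known/acme-challenge/../actuator/env",
              "/.well-known/acme-challenge/%252e%252e/actuator/env",
              "/.well-known/acme-challenge/tok;/../actuator/env"]:
        print(classify(p), challenge_response(p, known)[0], p)
```

The point of the example is the order of operations: the prefix is matched only after the path has been reduced to what the router will actually use, so a string that begins with the challenge prefix but resolves somewhere else is never treated as a challenge, and a WAF exemption keyed on the raw prefix cannot be turned into a route to the rest of the application.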
Visual Studio Code Abused in Sophisticated Multistage Malware Attacks
News | Jan 19, 2026

A new campaign dubbed Evelyn Stealer leverages compromised Visual Studio Code extensions, such as the Bitcoin Black theme and Codo AI assistant, to deliver a multi‑stage malware chain. The first‑stage payload uses DLL hijacking of the Lightshot utility to execute PowerShell scripts that...

By GBHackers On Security
Cybercriminals Impersonate Malwarebytes to Steal User Credentials
News | Jan 19, 2026

A short‑lived campaign from January 11 to 15, 2026 masqueraded as Malwarebytes installers to deliver infostealers. Attackers distributed ZIP archives named like “malwarebytes‑windows‑github‑io‑X.X.X.zip” that contain a legitimate EXE loader, a malicious CoreMessaging.dll, and a benign‑looking TXT pivot file. The DLL is sideloaded, granting code...

By GBHackers On Security
Attackers Rerouted Employee Pay Without Breaching IT Systems
News | Jan 19, 2026

An attacker bypassed technical defenses by socially engineering help‑desk staff to reset passwords and re‑enroll MFA, gaining legitimate access to payroll accounts. Using the compromised credentials, the fraudster altered direct‑deposit details and diverted salaries from three employees without triggering alerts....

By GBHackers On Security
PDFSIDER Malware Actively Exploited to Evade Antivirus and EDR Defenses
News | Jan 19, 2026

Researchers have uncovered PDFSIDER, a backdoor malware that exploits DLL side‑loading in the legitimate PDF24 Creator application to evade endpoint detection and response tools. The malicious payload is delivered via spear‑phishing ZIP archives, signed with valid certificates, and replaces the...

By GBHackers On Security
Argus: Python-Based Recon Toolkit Aims to Boost Security Intelligence
News | Jan 19, 2026

Argus v2.0, a Python‑based reconnaissance toolkit, launches with 135 specialized modules unified under a professional command‑line interface. The overhaul adds multi‑threaded execution, over 25 CLI commands, and four deployment options—including pip, Docker, script, and direct Python. It integrates major threat‑intelligence...

By GBHackers On Security
Researchers Hijack Hacker Domain Using Name Server Delegation
News | Jan 19, 2026

Infoblox researchers exploited a DNS misconfiguration called lame nameserver delegation to seize control of abandoned hacker domains. Within hours they intercepted over 57 million push‑notification logs from roughly 120 misconfigured domains, capturing traffic at 30 MB per second. The data exposed a...

By GBHackers On Security
Threat Actors Abuse Browser Extensions to Deliver Fake Warning Messages
News | Jan 19, 2026

Huntress researchers uncovered a malicious Chrome extension, NexShield, that masquerades as the legitimate uBlock Origin Lite ad blocker. The extension installs a delayed denial‑of‑service loop, then displays a fake crash warning that tricks users into running a PowerShell command which...

By GBHackers On Security
How Security Teams Use IP Location and DNS History In Cybercrime Investigation
News | Jan 18, 2026

Security teams start cybercrime investigations with a single alert—often a suspicious IP or login—and quickly need context beyond raw logs. By enriching that alert with IP location data and DNS history, analysts can identify geographic anomalies, hosting providers, and past...

By GBHackers On Security
Critical XSS Vulnerabilities in Meta Conversion API Enable Zero-Click Account Takeover
News | Jan 17, 2026

Security researchers identified two critical cross‑site scripting flaws in Meta’s Conversions API Gateway that enable zero‑click Facebook account takeover. The client‑side XSS stems from improper postMessage origin validation, while a stored XSS arises from unsafe string concatenation in the backend...

By GBHackers On Security
Best Security Awareness Training Platforms For 2026
News | Jan 17, 2026

The 2026 roundup identifies the ten leading security awareness training platforms, highlighting AI‑driven phishing simulations, micro‑learning, gamification, and comprehensive compliance reporting. Solutions such as KnowBe4, Proofpoint, and Cofense demonstrate measurable risk reductions, with industry benchmarks showing up to an 80%...

By GBHackers On Security
Promptware Kill Chain – Five-Step Kill Chain Model For Analyzing Cyberthreats
News | Jan 15, 2026

The Promptware Kill Chain introduces a five‑step framework that treats malicious prompts and poisoned content as a distinct class of AI malware. It maps the lifecycle of attacks on large language model applications from initial access through privilege escalation, persistence,...

By GBHackers On Security
GoLogin vs MultiLogin vs VMLogin – What’s the Anti-Detect Browsers Difference?
News | Jan 15, 2026

Anti-detect browsers let users conceal fingerprints and manage multiple online identities. The article compares three leading solutions—GoLogin, MultiLogin, and VMLogin—detailing their core features, user bases, and pricing models. GoLogin distinguishes itself with cloud‑based profile storage, multilingual support, and a seven‑day...

By GBHackers On Security
Spring CLI Vulnerability Allows Attackers to Execute Commands on User Systems
News | Jan 14, 2026

A command‑injection flaw (CVE‑2026‑22718) has been discovered in the Spring CLI VS Code extension, affecting all versions up to 0.9.0. The vulnerability allows an attacker with local access to execute arbitrary commands, earning a medium severity rating and a CVSS score...

By GBHackers On Security
Multiple Elastic Vulnerabilities Could Lead to File Theft and DoS
News | Jan 14, 2026

Elastic has issued patches for four Kibana vulnerabilities spanning versions 7.x through 9.2.3. The most severe, CVE‑2026‑0532, combines SSRF and file disclosure, allowing authenticated attackers to exfiltrate credentials. Three medium‑severity flaws can cause denial‑of‑service through resource exhaustion in...

By GBHackers On Security