
Iran Alleges US Cyberattacks; China Amplifies Claims
Iranian state media alleges that the United States exploited hidden backdoors or a botnet to disable networking equipment from vendors such as Cisco, Juniper, Fortinet and MikroTik during recent hostilities. The claim suggests the sabotage could be triggered by a satellite signal or a timed firmware flaw, occurring while Iran enforces a 50‑day internet blockade. Chinese state media amplified the story, framing the United States as a cyber aggressor and positioning China as a peaceful actor in cyberspace. The Register reported the allegations, but independent verification remains difficult due to Iran’s restricted internet environment.

Mastodon Hit by DDoS Attack, Disrupting Flagship Server
Mastodon’s flagship instance, mastodon.social, was hit by a distributed denial‑of‑service (DDoS) attack on Monday, April 21, 2026, causing intermittent outages for users. The platform confirmed the attack at 7 a.m. ET and deployed mitigation measures by 9:05 a.m., restoring access though some instability...

Making AI Actually Work in the Enterprise and More RSAC Conference 2026 Interviews - Aamir Lakhani, Camellia Chan, Ely Abramovitch,...
The episode explores why many enterprise AI initiatives stumble, emphasizing the need for security‑by‑design and clear governance. Fortinet’s 2026 Global Threat Landscape Report highlights a sharp rise in AI‑enabled cybercrime, prompting vendors like X‑PHY to deliver hardware‑enforced safeguards for AI...

ShinyHunters Alleges Kemper Corporation Hack, Exposes over 13M Records
Kemper Corporation disclosed that the ShinyHunters hacking group claimed to have exfiltrated more than 29 GB of data from its Salesforce environment, leaking over 13 million records. The stolen files span SharePoint corporate documents, Azure-stored employee PII, Salesforce employee data, and Stripe...

GitHub User Attachments Abused to Spread Novel Infostealer
Cyderes researchers uncovered a new malware campaign that abuses GitHub user‑attachment links to deliver ZIP archives containing a custom loader called Direct‑Sys and the CGrabber infostealer. The loader sideloads a Microsoft‑signed DLL, performs three anti‑sandbox checks, and uses direct syscalls...

Grinex Crypto Exchange Halts Operations After $13.7 Million Hack
Kyrgyzstan‑based crypto exchange Grinex suspended operations after a $13.7 million hack that primarily affected Russian users trading crypto‑ruble pairs. The theft was executed via TRON and Ethereum addresses and laundered through the SunSwap decentralized exchange. Grinex, which succeeded the U.S.–sanctioned Russian...

AI as the Defender: Reinventing Proactive Cybersecurity Through Intelligent Automation
Artificial intelligence is reshaping cybersecurity by acting as a force multiplier rather than replacing human analysts. Tenable and peers define "AI for security" as the use of machine learning to automate analysis, amplify detection and improve decision‑making, while "security for...

Google Cloud Storage Weaponized for Clandestine Remcos RAT Delivery
Threat actors are weaponizing Google Cloud Storage to host phishing pages that silently deliver the Remcos remote‑access trojan. Emails direct victims to fake Google Drive login screens on the legitimate storage.googleapis.com domain, harvesting credentials and deploying a JavaScript loader. The...

Extensive MuddyWater-Like Attack Campaign Against Middle Eastern Critical Infrastructure Detailed
A threat group mirroring Iran‑backed MuddyWater launched a large‑scale campaign against Middle Eastern critical‑infrastructure entities beginning in February. Exploiting five vulnerabilities—including SmarterMail (CVE‑2025‑52691) and Langflow (CVE‑2025‑34291)—the actors breached more than 12,000 internet‑exposed systems and used brute‑force attacks on Outlook Web...

Over 25K Systems Exposed by Adware App to Supply Chain Compromise
Dragon Boss Solutions’ adware platform inadvertently exposed more than 25,000 systems after an insecure software‑update channel was discovered. Threat actors could purchase a signed payload for about $10 and push malicious code with SYSTEM privileges. Huntress identified communications from 23,565 IP addresses,...

WBA Guidelines Target Rogue Access Points and Credential Theft
The Wireless Broadband Alliance (WBA) released a Wi‑Fi Security Guidelines framework to standardize protection across public, enterprise, IoT, and roaming networks. The document mandates mutual certificate‑based authentication, WPA3‑Enterprise with Protected Management Frames, and encrypted RADIUS traffic to thwart rogue access...

CIA to Deploy AI Coworkers in Analyst Workflows
The CIA is embedding artificial‑intelligence “coworkers” into its analytical workflows, beginning as drafting assistants and trend‑spotters and aiming to become autonomous mission partners within the next decade. Deputy Director Michael Ellis announced the agency’s first AI‑generated intelligence report and disclosed...

KnowBe4 Debuts Guardrails for Autonomous AI Agents
KnowBe4 has introduced Agent Risk Manager, a real‑time monitoring and governance layer designed to police autonomous AI agents operating across enterprise environments. The solution adds behavioral guardrails to block threats such as unauthorized data exposure, prompt‑injection jailbreaks, and runaway compute...

Execution Gap Plagues Enterprise Digital Resilience
A new global study by Economist Impact and Telstra International finds that only one in four enterprises successfully execute major disruption response plans. The gap is attributed more to fractured governance and weak ecosystem coordination than to technology shortfalls. About...

Nearly Half of March Ransomware Attacks Tied to Just 3 Groups
Check Point researchers reported 672 ransomware incidents in March 2026, with three groups responsible for nearly half of the attacks. Qilin alone accounted for 20% of incidents, Akira for 12%, and Dragonforce RaaS for 8%. The analysis highlighted attackers’ refined...

MuddyWater Pays for Russian CastleRAT Malware
Iranian state‑sponsored group MuddyWater has become a paying customer of a Russian malware‑as‑a‑service (MaaS) platform, using the CastleRAT tool in a new campaign called “ChainShell.” The operation leverages a misconfigured C2 server, an Ethereum‑based smart contract for address resolution, and...

We Catch up on the News, Including AI Vuln Hunting; Also More RSAC Interviews! - Mark Lambert, Samuel Hassine, John...
ArmorCode unveiled its AI Exposure Management (AIEM) solution on the Agentic AI Platform, giving enterprises real‑time visibility into AI usage, ownership, and risk across heterogeneous environments. The launch coincides with the release of the 2026 State of AI Risk Management...

US Treasury to Offer Free Cybersecurity Intelligence to Crypto Firms
The U.S. Treasury’s Office of Cybersecurity and Critical Infrastructure Protection announced a new initiative that will provide cryptocurrency firms with free access to the same cyber threat intelligence shared with traditional banks. Eligible digital‑asset companies and industry groups must meet...

Hacker Faux Pas Uncloaks North Korean IT Worker Scheme
A hacker unintentionally ran infostealer malware on their own system, exposing a North Korean IT‑worker scam. The breach leaked data from a state‑run payment server, including 390 accounts, chat logs and cryptocurrency transaction details. Independent analyst ZachXBT estimates the operation...

Report: US Accounts for Most PLCs Subjected to Iranian Targeting
A CyberScoop report finds that nearly 3,900 of the 5,219 internet‑exposed Rockwell Automation/Allen‑Bradley programmable logic controllers (PLCs) used in critical infrastructure are located in the United States, representing about 75% of the total. Roughly half of these vulnerable devices are linked...

Global Crypto Scam Disrupted, $12 Million Recovered in Operation Atlantic
Law enforcement agencies from the United States, United Kingdom and Canada dismantled a trans‑national cryptocurrency “pig‑butchering” scam in a week‑long effort dubbed Operation Atlantic. The operation froze $12 million and returned it to more than 3,000 victims, while identifying over 20,000...

Cybercriminals Use Emojis to Evade Detection, Flashpoint Warns
Flashpoint’s latest threat‑intelligence report reveals cybercriminals are swapping traditional fraud‑related keywords with emojis to slip past security filters. By mapping emojis to concepts such as credit cards, banks, credentials, and malware, threat actors make automated monitoring far less effective. The...

Hack-for-Hire Group Targets MENA Journalists and Officials
A hack‑for‑hire group has been uncovered running a multi‑year espionage campaign against journalists, activists and government officials across the Middle East and North Africa. The attackers used phishing to steal Apple ID credentials and access iCloud backups, while deploying Android spyware...

Feds Grade Themselves High Despite Legacy Gaps
A new EY survey shows 85% of federal agency leaders rate their cybersecurity posture as an “A” or “B,” even though only one in five have completed a full migration to modern, secure platforms. Roughly half of AI‑driven defense projects are still...

Malaysia Faces Structural Shift in Cyber Threats
Malaysia's cyber threat landscape is undergoing a structural shift as rapid digitization outpaces defenses. China‑linked APT groups such as APT41 and Mustang Panda are probing semiconductor and government networks, while financially motivated actors like Lazarus Group and FIN7 target banks...

Olympics Offer IR Lessons for Everyday Firms
The Milan‑Cortina Winter Olympics served as a live cyber‑stress test, exposing a 180% surge in DDoS attacks and coordinated phishing attempts. CISA officials highlighted that the same tactics used against the Games will soon target the FIFA World Cup, underscoring...

ComfyUI Instances Hijacked for Cryptomining and Proxy Botnet
A new campaign is hijacking publicly exposed ComfyUI instances—an open‑source UI for Stable Diffusion models—to run illicit cryptocurrency mining and proxy botnet operations. Threat actors scan cloud IP ranges with a custom Python tool, exploiting unauthenticated deployments to execute malicious...

Novel ResokerRAT Malware Exploits Telegram API to Target Windows Systems
A new remote access trojan named ResokerRAT is targeting Windows computers by leveraging the Telegram Bot API for command‑and‑control. The malware creates a mutex to guarantee only one instance runs, then uses ShellExecuteEx to relaunch with elevated privileges while terminating...

SparkCat Malware Returns on App Stores, Targeting Cryptocurrency Users
A new SparkCat variant has reappeared on both the Apple App Store and Google Play, masquerading as benign enterprise messenger and food‑delivery applications. The trojan employs optical character recognition to scan photo libraries for cryptocurrency wallet recovery phrases, exfiltrating any...

Americans' Passports Purportedly Stolen in Hacktivist Attack Against Dubai Airport
Nasir Security, a hacktivist group linked to Iran, claimed to have stolen a large data set from Dubai International Airport after a months‑long intrusion. The breach includes passport photos of American, Arab and Emirati travelers, as well as luggage and...

Report Sheds More Light on Phantom Stealer
A multi‑wave phishing campaign targeting European manufacturing, technology and logistics firms deployed the .NET‑based Phantom Stealer, bundled with a crypter and remote‑access tool. The attackers sent spoofed emails lacking DKIM signatures and failing SPF checks, attaching either a malicious executable...

Widespread Microsoft 365 Account Compromise Sought by Iran-Linked Hackers
Iran‑linked threat groups have compromised Microsoft 365 accounts across more than 300 Israeli organizations, 25 firms in the United Arab Emirates, and a limited set of targets in the United States, Saudi Arabia and Europe. The campaign began in early March with...

Joint Offering Combines CrowdStrike's Falcon with HCLTech's AI Force
CrowdStrike and HCLTech have deepened their alliance by launching a continuous threat exposure management service that merges CrowdStrike’s Falcon platform with HCLTech’s VERITY framework and AI Force. The solution delivers real‑time visibility, AI‑driven insights, and automated remediation across endpoints, cloud, identity,...

Resemble AI Unveils Deepfake Detection Tools Amid Synthetic Media Surge
Resemble AI released a deepfake threat report and two free detection tools—a Chrome extension that scans images, video and audio, and an X bot that lets users verify suspicious posts without leaving the platform. The company also added enterprise features...

Censys Gets $70M to Scale Internet Intelligence Platform
Censys announced a $70 million financing package, comprising a $40 million Series D equity round led by Morgan Stanley Expansion Capital and $30 million of debt. The funding lifts the company’s total venture capital to over $149 million. Censys provides a continuously refreshed global map...

Venom Stealer MaaS Handles Attacks From ClickFix to Crypto Theft
Venom Stealer, a new malware‑as‑a‑service, enables cybercriminals to launch ClickFix attacks that harvest credentials and cryptocurrency wallets. The service is priced at $250 per month or $1,800 for a lifetime license and includes four Windows and macOS phishing templates. Its...

US Bounty on Iranian Hackers Reissued
The U.S. State Department has reissued a $10 million bounty for information on Iranian threat groups Handala and Parsian Afzar Rayan Borna. The reward follows the FBI’s confirmation that Handala breached Director Kash Patel’s personal email and earlier disclosures of compromised...

SC Awards Winner: Best CTEM Solution - Reach Security - Garrett Hamilton - SCA26 #1
At RSAC 2026, Reach Security’s CEO Garrett Hamilton announced the company’s win of the SC Awards’ Best Continuous Threat Exposure Management (CTEM) Solution. The platform continuously identifies, prioritizes, and remediates real‑world risk by focusing on misconfigurations, configuration drift, and control‑level exposure...

Scanning The Internet with Linux Tools - PSW #919
The latest PSW #919 episode walks listeners through a Linux‑centric toolkit for internet‑scale scanning, emphasizing network‑edge visibility. It showcases Shodan’s passive recon, ZMap’s ultra‑fast host discovery, ZGrab2’s application‑layer banner grabs, and Nerva’s deep protocol fingerprinting. Sample results are processed with Claude Code,...

Beyond IOCs: A Framework for High-Impact Cyber Threat Intelligence - Samuel Hassine - RSAC26 #3
Samuel Hassine, CEO of Filigran, outlined a shift from reactive indicator‑of‑compromise (IOC) alerts to a business‑focused Continuous Threat Exposure Management (CTEM) framework. He emphasized unifying threat intelligence with adversarial attack simulation using platforms like OpenCTI to drive measurable risk reduction....

TeamPCP Supply Chain Attack Hits LiteLLM PyPI Package
Open‑source Python library LiteLLM was compromised by the TeamPCP threat group, which uploaded malicious versions to PyPI that have since been removed. The packages deployed a three‑stage intrusion: credential harvesting, a Kubernetes lateral‑movement toolkit, and a persistent systemd backdoor. Endor...

Trojanized ConnectWise ScreenConnect Installers Deployed in Tax-Themed Malvertising Campaign
Cybercriminals have been running a tax‑season malvertising campaign since January 2026, hijacking Google Ads to serve fake W‑2 and W‑9 download pages that redirect to malicious ConnectWise ScreenConnect installers. The trojanized installers launch a trial instance, inject a multi‑stage crypter...

Trends Revealed in Fortinet’s FortiGuard Labs 2026 Global Threat Landscape Report - Aamir Lakhani - RSAC26 #3
Fortinet’s FortiGuard Labs released its 2026 Global Threat Landscape Report, highlighting a sharp rise in AI‑enabled cybercrime. The report shows AI is accelerating attack techniques, from automated ransomware encryption to AI‑driven supply‑chain exploits. Aamir Lakhani, Fortinet’s Global Director of Threat Intelligence...

Agentic AI and the Future of Threat Intelligence Operations - Sachin Jade - RSAC26 #2
At RSA 2026, Cyware’s Chief Product Officer Sachin Jade unveiled the company’s Agentic Fabric, an AI‑driven platform that embeds specialized agents into threat‑intelligence, detection‑engineering, and response workflows. The discussion highlighted how raw threat data can be transformed into actionable insights through STIX/TAXII...

Internet-Exposed EoL Microsoft IIS Servers Remain Prevalent
More than 511,000 Microsoft Internet Information Services (IIS) servers that have reached end‑of‑life remain exposed on the public internet, according to the Shadowserver Foundation. Nearly half of these servers have outlived Microsoft’s Extended Security Updates window, leaving them unpatched and...

Attack Handoff Times Plummet, Exploits Remain Leading Attack Vector
The median time for attackers to hand off compromised networks fell dramatically to just 22 seconds in 2025, down from over eight hours in 2022, driven by tighter coordination and automation. Exploits continued to dominate initial infection, with CVE‑2025‑31324, CVE‑2025‑61882...

Iranian Cyberattacks Ahead of US, Israel Strikes Discovered
Iranian advanced persistent threat groups, notably MuddyWater, staged six CIDR blocks in September using an Estonian autonomous system, indicating pre‑operational cyber preparation six months before the February 28 U.S.–Israel missile strikes. The buildup was corroborated by Augur Security, which linked the...

New Speagle Malware Hijacks Cobra DocGuard for Data Theft
Security researchers have uncovered a new malware strain called Speagle that subverts the legitimate document security platform Cobra DocGuard to steal data. The malware disguises exfiltration as normal client‑server traffic and uses a compromised DocGuard server for command‑and‑control. It selectively infects...

AI Is Now the Decisive Factor in Cyber Conflict
AI has become a decisive factor in cyber conflict, especially across the Asia‑Pacific region. Deep‑fake and generative AI have driven social‑engineering incidents up 53% year‑over‑year and fraud claims up 233%. By 2025, AI‑driven threats are projected to affect 56% of...

Fake Interactive Zoom Call Leads to Malicious ScreenConnect Download
Security researchers discovered a novel phishing campaign that uses a fake, interactive Zoom call to trick users into downloading a malicious update. The lure relies on AI‑generated JavaScript to mimic a glitchy Zoom meeting, directing victims to a counterfeit Microsoft...