AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud
Cybersecurity firm HUMAN uncovered a new ad‑fraud operation dubbed Pushpaganda that weaponizes AI‑generated news articles to infiltrate Google Discover. The scheme tricks Android and Chrome users into enabling push notifications that deliver scareware and financial scams, driving traffic to malicious domains. At its peak the campaign generated about 240 million bid requests across 113 domains in a single week and has spread from India to the U.S., Europe and Australia. Google has responded by rolling out a fix and tightening spam policies for Discover content.
108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users
Security researchers have uncovered a coordinated campaign involving 108 malicious Chrome extensions that share a common command‑and‑control server. The extensions, published under five publisher names, have collectively been installed about 20,000 times and harvest Google OAuth credentials, Telegram Web session...
Your MTTD Looks Great. Your Post-Alert Gap Doesn't
The security industry has narrowed mean‑time‑to‑detect (MTTD) but still suffers a lengthy post‑alert gap, where analysts spend 20‑40 minutes investigating alerts. Recent AI‑driven exploits, such as Anthropic’s Mythos model, demonstrate that attackers can move in seconds, making human‑speed investigations untenable....
Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data
Citizen Lab uncovered that law‑enforcement agencies worldwide are deploying Webloc, an advertising‑based geolocation platform originally built by Israeli firm Cobwebs Technologies and now sold by its successor Penlink. The system harvests identifiers, location coordinates and profile data from up to...
GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs
Researchers have uncovered a new GlassWorm variant that hides a Zig‑compiled native binary inside a counterfeit WakaTime VS Code extension. The binary acts as a dropper, locating every IDE that supports VS Code extensions and silently installing a malicious VSIX package. The...
Browser Extensions Are the New AI Consumption Channel That No One Is Talking About
LayerX’s new report reveals that AI-powered browser extensions are an overlooked yet high‑risk attack vector for enterprises. While 99% of corporate users run at least one extension, AI extensions are 60% more likely to contain vulnerabilities, have three times more...
ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories
ThreatsDay bulletin highlights a surge in the hybrid P2P botnet Phorpiex, a 13‑year‑old Apache ActiveMQ RCE chain, record cyber‑fraud losses, AI‑driven DDoS evolution, and multiple supply‑chain and malware incidents. Phorpiex now infects roughly 125,000 devices daily, using peer‑to‑peer communication to...
The Hidden Security Risks of Shadow AI in Enterprises
The article warns that shadow AI—unauthorized artificial‑intelligence tools adopted by employees—creates hidden security gaps in enterprises. A 2024 Salesforce survey shows 55% of workers use AI solutions outside IT approval, exposing data to external platforms. These tools can leak credentials,...
New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy
Researchers have identified a new Chaos malware variant that now targets misconfigured cloud deployments, such as a deliberately vulnerable Hadoop instance. The updated 64‑bit ELF binary drops a SOCKS proxy feature while removing its previous SSH‑based spreading mechanisms. The attack...
APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies
Russian state‑linked group APT28 has launched a spear‑phishing campaign that deploys a new malware suite called PRISMEX. The operation, active since September 2025, exploits freshly disclosed zero‑days CVE‑2026‑21509 and CVE‑2026‑21513 to infiltrate Ukrainian government agencies, logistics firms and NATO‑affiliated entities. PRISMEX...
N. Korean Hackers Spread 1,700 Malicious Packages Across Npm, PyPI, Go, Rust
North Korean‑linked threat group UNC1069, operating under the Contagious Interview campaign, has published more than 1,700 malicious packages across major open‑source ecosystems including npm, PyPI, Go, Rust and Packagist. The packages act as stealthy loaders that fetch second‑stage payloads with...
Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs
Iran‑affiliated cyber actors are targeting internet‑exposed programmable logic controllers (PLCs) across U.S. critical‑infrastructure sectors, including water, energy, and government facilities. The attackers use Dropbear SSH to gain remote access, manipulate HMI/SCADA displays, and disrupt device functionality, focusing on Rockwell Automation...
Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign
Security researchers have identified a campaign that scans cloud IP ranges for exposed ComfyUI instances—a popular Stable Diffusion UI—and hijacks them for cryptocurrency mining and proxy botnet operations. The Python‑based scanner exploits a misconfiguration in custom nodes to achieve unauthenticated...
The Hidden Cost of Recurring Credential Incidents
Recurring credential incidents impose hidden operational costs beyond headline breach expenses. IBM reports the average breach cost $4.4 million, yet everyday password resets represent up to 30 % of help‑desk tickets, each costing roughly $70. Weak policies and forced periodic changes drive...
Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations
Iranian‑linked threat actors launched a password‑spraying campaign against more than 300 Israeli Microsoft 365 organizations, exploiting common weak credentials. The operation, attributed to an APT group with ties to Tehran, was uncovered by security researchers who observed repeated login attempts...
