The Hacker News

Security incidents, policy, threats impacting gov/defense.

N. Korean Hackers Spread 1,700 Malicious Packages Across Npm, PyPI, Go, Rust
News, Apr 8, 2026

North Korean‑linked threat group UNC1069, operating under the Contagious Interview campaign, has published more than 1,700 malicious packages across major open‑source ecosystems including npm, PyPI, Go, Rust and Packagist. The packages act as stealthy loaders that fetch second‑stage payloads with...

By The Hacker News

Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs
News, Apr 8, 2026

Iran‑affiliated cyber actors are targeting internet‑exposed programmable logic controllers (PLCs) across U.S. critical‑infrastructure sectors, including water, energy, and government facilities. The attackers use Dropbear SSH to gain remote access, manipulate HMI/SCADA displays, and disrupt device functionality, focusing on Rockwell Automation...

By The Hacker News

Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign
News, Apr 7, 2026

Security researchers have identified a campaign that scans cloud IP ranges for exposed ComfyUI instances—a popular Stable Diffusion UI—and hijacks them for cryptocurrency mining and proxy botnet operations. The Python‑based scanner exploits a misconfiguration in custom nodes to achieve unauthenticated...

By The Hacker News

The Hidden Cost of Recurring Credential Incidents
News, Apr 7, 2026

Recurring credential incidents impose hidden operational costs beyond headline breach expenses. IBM reports the average breach cost $4.4 million, yet everyday password resets represent up to 30% of help‑desk tickets, each costing roughly $70. Weak policies and forced periodic changes drive...

By The Hacker News

Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations
News, Apr 6, 2026

Iranian‑linked threat actors launched a password‑spraying campaign against more than 300 Israeli Microsoft 365 organizations, exploiting common weak credentials. The operation, attributed to an APT group with ties to Tehran, was uncovered by security researchers who observed repeated login attempts...

By The Hacker News

Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools
News, Apr 6, 2026

Cisco Talos and Trend Micro report that Qilin and Warlock ransomware groups are employing a bring‑your‑own‑vulnerable‑driver (BYOVD) strategy to neutralize endpoint detection and response (EDR) solutions. Qilin’s malware drops a malicious msimg32.dll that side‑loads two drivers—rwdrv.sys and hlpdrv.sys—to terminate more than...

By The Hacker News

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers
News, Apr 3, 2026

Microsoft’s Defender Security Research team has uncovered a new web‑shell tradecraft that leverages HTTP cookies as a covert control channel for PHP loaders on Linux servers. The shells remain dormant until a specific cookie value is presented, then execute malicious...

By The Hacker News

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture
News, Apr 3, 2026

Third‑party risk has become the largest security gap for many organizations, accounting for 30% of data‑breach incidents and an average remediation cost of $4.91 million. The modern perimeter now extends across SaaS applications, vendor APIs, and subcontractors, prompting regulators such as...

By The Hacker News

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials
News, Apr 2, 2026

Hackers are exploiting the critical CVE‑2025‑55182 flaw in Next.js to gain remote code execution and compromise at least 766 hosts across several cloud providers. The UAT‑10608 threat cluster deploys a multi‑phase dropper that harvests SSH keys, cloud IAM tokens, API...

By The Hacker News

Block the Prompt, Not the Work: The End of "Doctor No"
News, Apr 1, 2026

Enterprise security teams are abandoning blunt URL blocks in favor of session‑level governance. Legacy endpoint agents and SSL inspection create performance penalties that push users toward shadow AI tools and unmanaged extensions. The resulting "workaround economy" leaves critical data flowing...

By The Hacker News

Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures
News, Apr 1, 2026

Brazilian cyber‑crime group Augmented Marauder, also known as Water Saci, is running a multi‑vector phishing campaign against Spanish‑speaking organizations in Latin America and Europe. The campaign delivers the Casbaneiro banking trojan and the Horabot spreader via password‑protected PDF attachments that are...

By The Hacker News

TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks
News, Mar 31, 2026

A high‑severity zero‑day (CVE‑2026‑3502) in TrueConf’s video‑conferencing client was exploited in the wild, allowing attackers to replace legitimate updates with malicious code. The flaw, rated 7.8 CVSS, enables arbitrary code execution via DLL side‑loading and was used in the TrueChaos...

By The Hacker News

DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials
News, Mar 30, 2026

Researchers at ReliaQuest uncovered DeepLoad, a new malware loader delivered through a ClickFix social‑engineering lure that tricks users into running obfuscated PowerShell commands. The loader employs AI‑generated code obfuscation, APC injection, and dynamic C# compilation to avoid static and behavioral...

By The Hacker News

⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More
News, Mar 30, 2026

The week’s cyber‑threat landscape was dominated by a critical Citrix NetScaler flaw (CVE‑2026‑3055) that is now being actively exploited, a confirmed breach of FBI Director Kash Patel’s personal email with a $10 million bounty offered, and the emergence of Red Menshen’s BPFDoor...

By The Hacker News

3 SOC Process Fixes That Unlock Tier 1 Productivity
News, Mar 30, 2026

The article outlines three SOC process fixes that boost Tier 1 productivity: a unified cross‑platform investigation workflow, a behavior‑first triage model powered by automation and interactivity, and standardized escalation with response‑ready evidence. Leveraging ANY.RUN’s sandbox, analysts can analyze Windows, macOS, Linux...

By The Hacker News

Iran-Linked Hackers Breach FBI Director’s Personal Email, Hit Stryker With Wiper Attack
News, Mar 28, 2026

Iran‑linked threat actors operating under the Handala Hack persona breached the personal email of FBI Director Kash Patel, leaking historical messages from 2010 and 2019. The same group claimed a destructive wiper attack on medical‑device giant Stryker, wiping thousands of...

By The Hacker News

We Are At War
News, Mar 27, 2026

The article warns that rising geopolitical tensions are now mirrored in a surge of state‑sponsored cyber operations targeting Europe’s critical infrastructure, from energy and telecom to defense networks. Hacktivist groups, once fringe protestors, have evolved into actors capable of cyber‑physical...

By The Hacker News

[Webinar] Stop Guessing. Learn to Validate Your Defenses Against Real Attacks
News, Mar 26, 2026

The upcoming cybersecurity webinar teaches organizations how to move beyond guesswork by validating defenses against real‑world attack paths, including those targeting autonomous AI agents. It emphasizes CTI‑driven, automated testing that integrates with existing pipelines, delivering continuous, accurate posture assessments. Attendees...

By The Hacker News

Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website
News, Mar 26, 2026

Security researchers uncovered a zero‑click XSS flaw in Anthropic’s Claude Chrome extension that let any website inject prompts into the AI assistant without user interaction. The vulnerability, dubbed ShadowPrompt, combined an overly permissive *.claude.ai origin allow‑list with an XSS bug...

By The Hacker News

Masters of Imitation: How Hackers and Art Forgers Perfect the Art of Deception
News, Mar 26, 2026

The article draws a parallel between 1960s art forger Elmyr de Hory and today’s cyber‑attackers, showing how both rely on convincing imitation to slip past experts. It highlights that 81% of modern attacks are malware‑free, using legitimate tools and AI‑generated identities...

By The Hacker News

The Hidden Cost of Cybersecurity Specialization: Losing Foundational Skills
News, Mar 24, 2026

Cybersecurity teams are increasingly specialized, but this focus erodes the foundational understanding needed to see the full risk picture. The loss of context leads to misaligned tool choices, fragmented risk communication, and slower incident response. Bryan Simon argues that without...

By The Hacker News

Ghost Campaign Uses 7 Npm Packages to Steal Crypto Wallets and Credentials
News, Mar 24, 2026

Security researchers have identified a new "Ghost" campaign that distributes seven malicious npm packages under the author name mikilanjillo. The packages masquerade as popular React utilities and AI trading tools, prompting developers to enter their sudo password during a fabricated...

By The Hacker News

⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
News, Mar 23, 2026

The open‑source Trivy vulnerability scanner was backdoored, injecting credential‑stealing malware that spread a self‑propagating worm through thousands of CI/CD pipelines. A coordinated DOJ operation dismantled four Mirai‑derived IoT botnets, removing control of more than three million compromised devices. Critical flaws...

By The Hacker News

We Found Eight Attack Vectors Inside AWS Bedrock. Here's What Attackers Can Do with Them
News, Mar 23, 2026

XM Cyber identified eight distinct attack vectors within Amazon Bedrock, the AI service that links foundation models to enterprise data. The vectors span log manipulation, knowledge‑base credential theft, agent hijacking, flow injection, guardrail degradation, and prompt poisoning, each triggered by over‑privileged...

By The Hacker News

Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware
News, Mar 23, 2026

Microsoft’s threat intel team warned that a tax‑season phishing campaign compromised 29,000 users in 10,000 organizations, primarily in the United States. The attacks impersonated the IRS and used QR‑code, CPA, and cryptocurrency lures to deliver malicious links and attachments. Many...

By The Hacker News

CISA Flags Apple, Craft CMS, Laravel Bugs in KEV, Orders Patching by April 3, 2026
News, Mar 21, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five high‑severity flaws affecting Apple WebKit, Apple kernel components, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog, mandating remediation by April 3, 2026. The vulnerabilities carry CVSS scores from...

By The Hacker News

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets
News, Mar 20, 2026

Trivy, a widely used open‑source vulnerability scanner, suffered a second supply‑chain breach when attackers force‑pushed 75 of 76 tags in the official aquasecurity/trivy‑action repository to deliver a malicious payload. The code runs inside GitHub Actions runners, harvesting environment variables, cloud...

By The Hacker News

The Importance of Behavioral Analytics in AI-Enabled Cyber Attacks
News, Mar 20, 2026

Artificial intelligence is empowering cybercriminals to craft hyper‑personalized phishing, automate credential abuse, and generate adaptive malware that mimics legitimate user behavior. Traditional rule‑based and signature‑based defenses struggle because AI‑driven attacks operate within normal activity thresholds and continuously evolve their code....

By The Hacker News

Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE
News, Mar 18, 2026

A critical vulnerability (CVE‑2026‑32746) in GNU InetUtils telnetd allows unauthenticated remote attackers to achieve root‑level code execution via a buffer overflow in the SLC sub‑option handler. The flaw affects all telnetd versions up to 2.7 and carries a CVSS score...

By The Hacker News

Why Security Validation Is Becoming Agentic
News, Mar 16, 2026

Traditional security validation relies on disconnected tools like BAS platforms, periodic penetration tests, and vulnerability scanners, creating blind spots as attackers chain identity, cloud, and vulnerability exploits. This fragmentation forces manual data stitching, delaying insight and remediation. Emerging agentic exposure...

By The Hacker News

DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging for Stealth Espionage
News, Mar 16, 2026

The DRILLAPP backdoor, discovered by security researchers, is actively targeting Ukrainian entities, including government agencies and critical infrastructure. It exploits Microsoft Edge's remote debugging interface to execute malicious JavaScript, achieving fileless persistence while evading traditional antivirus solutions. The malware establishes...

By The Hacker News

OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration
News, Mar 14, 2026

China’s CNCERT has warned that OpenClaw, an open‑source autonomous AI agent, suffers from weak default security configurations that can be exploited for prompt‑injection attacks. Researchers demonstrated that indirect prompt injection via link previews can exfiltrate confidential data without user interaction....

By The Hacker News

Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware
News, Mar 13, 2026

Unit 42 has identified a China‑backed espionage campaign, designated CL‑STA‑1087, that has been infiltrating Southeast Asian military organizations since at least 2020. The operation deploys two custom backdoors, AppleChris and MemFun, alongside a credential‑harvesting tool called Getpass, using techniques such...

By The Hacker News

Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries
News, Mar 13, 2026

International law‑enforcement agencies dismantled the SocksEscort proxy botnet, which compromised roughly 369,000 residential routers in 163 countries. The operation, dubbed Operation Lightning, seized 34 domains, 23 servers and froze $3.5 million in cryptocurrency. SocksEscort sold proxy access to criminals, enabling fraud...

By The Hacker News

Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays
News, Mar 12, 2026

Brazilian security firm ZenoX has uncovered VENON, a Rust‑based banking trojan that targets 33 banks and digital‑asset platforms. The malware uses DLL side‑loading, shortcut hijacking, and nine evasion techniques before delivering credential‑stealing overlays. Distribution relies on a PowerShell‑driven ZIP chain,...

By The Hacker News

Attackers Don't Just Send Phishing Emails. They Weaponize Your SOC's Workload
News, Mar 12, 2026

Attackers are weaponizing phishing campaigns to overload Security Operations Center (SOC) analysts, turning the investigation process into an informational denial‑of‑service (IDoS) attack. By flooding the SOC with thousands of low‑sophistication emails, they force analysts to triage quickly, allowing a few...

By The Hacker News

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials
News, Mar 10, 2026

Threat actors are exploiting FortiGate next‑generation firewalls to gain initial access and harvest service‑account credentials. Researchers identified abuse of recent CVEs (CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) and misconfigurations to extract configuration files containing LDAP and AD service accounts, targeting healthcare, government and...

By The Hacker News

New "LeakyLooker" Flaws in Google Looker Studio Could Enable Cross-Tenant SQL Queries
News, Mar 10, 2026

Researchers at Tenable disclosed nine cross‑tenant vulnerabilities in Google Looker Studio, dubbed “LeakyLooker,” that could let attackers execute arbitrary SQL queries against BigQuery, Spanner, PostgreSQL, MySQL and other GCP data sources. The flaws, ranging from zero‑click SQL injection to data‑source...

By The Hacker News

Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT
News, Mar 6, 2026

Researchers have uncovered a multi‑stage malware campaign dubbed VOID#GEIST that uses obfuscated batch scripts, an embedded Python runtime, and Early Bird APC injection to deliver encrypted RAT payloads—XWorm, AsyncRAT and Xeno RAT. The chain is launched from a phishing email, displays...

By The Hacker News

The MSP Guide to Using AI-Powered Risk Management to Scale Cybersecurity
News, Mar 6, 2026

The guide explains how managed service providers (MSPs) can leverage AI‑powered risk management to transform fragmented cybersecurity services into a scalable, revenue‑generating model. It outlines the shift from isolated, compliance‑only offerings to a risk‑first approach that delivers continuous protection and...

By The Hacker News

Where Multi-Factor Authentication Stops and Credential Abuse Starts
News, Mar 5, 2026

Multi‑factor authentication (MFA) is effective for cloud and federated apps, but many Windows authentication paths—interactive logons, RDP, NTLM, Kerberos tickets, and service accounts—remain outside its protection. Attackers exploit these gaps using stolen passwords, pass‑the‑hash, or forged tickets, gaining lateral movement...

By The Hacker News

New RFP Template for AI Usage Control and AI Governance
News, Mar 4, 2026

Enterprises are finally allocating budgets for AI security, but many lack clear requirements. A new RFP template reframes AI protection as an interaction‑level problem rather than an app‑cataloging exercise, enabling tool‑agnostic control. It exposes the blind spots of legacy CASB/SSE...

By The Hacker News

Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux
News, Mar 4, 2026

Cybersecurity researchers discovered three malicious Laravel packages on Packagist—nhattuanbl/lara-helper, simple-queue, and lara-swagger—that install a cross‑platform remote access trojan (RAT) on Windows, macOS, and Linux. The RAT connects to a C2 server at helper.leuleu.net, gathers system data, and executes commands via...

By The Hacker News

Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations
News, Mar 3, 2026

Threat actors masquerading as IT support used a spam‑email and phone‑call campaign to deliver the Havoc command‑and‑control framework across five organizations. By tricking users into remote‑access sessions, they sideloaded malicious DLLs that deployed Havoc Demon payloads and legitimate RMM tools...

By The Hacker News

Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets
News, Mar 3, 2026

Microsoft warned that threat actors are exploiting OAuth redirect functionality to deliver malware to government and public‑sector targets. The attackers create malicious applications with rogue redirect URLs, send phishing emails containing crafted OAuth links, and use an invalid scope to...

By The Hacker News

⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More
News, Mar 2, 2026

This week’s cyber‑threat landscape featured a critical Cisco SD‑WAN zero‑day (CVE‑2026‑20127) being actively exploited, highlighting the risk to network infrastructure. Anthropic accused three Chinese AI firms of large‑scale model‑distillation attacks, echoing similar concerns raised by OpenAI. Google disrupted the UNC2814...

By The Hacker News

How to Protect Your SaaS From Bot Attacks with SafeLine WAF
News, Mar 2, 2026

SaaS companies are increasingly targeted by sophisticated bots that inflate sign‑ups, scrape APIs, and overload infrastructure. SafeLine, a self‑hosted web application firewall, inspects every HTTP request using a semantic analysis engine that detects malicious intent with 99.45% accuracy. By deploying...

By The Hacker News

ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks
News, Feb 27, 2026

North Korean APT ScarCruft launched the Ruby Jumper campaign, employing a chain of malware that includes RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE and BLUELIGHT. The first‑stage payload uses a malicious LNK file to execute PowerShell, which carves and runs additional components....

By The Hacker News

Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms
News, Feb 27, 2026

Threat actors are distributing trojanized gaming utilities through browsers and chat platforms to install a Java‑based remote‑access trojan (RAT). The downloader stages a portable Java runtime, executes a malicious JAR via PowerShell and cmstp.exe, then deletes itself and configures Microsoft...

By The Hacker News