Lazarus Deploys Memory-Only RAT Against Crypto Firms, Stealing $577M
North Korea's Lazarus Group uses RemotePE, a fileless RAT that executes entirely in RAM, to target DeFi platforms. The group has stolen $577M in crypto this year alone.
Threat Intelligence Reporter
Covers nation-state threat actors, APT campaigns, and geopolitical cyber operations for ProbablyPwned. Alex spent five years as an intelligence analyst in the defense sector before moving to cybersecurity journalism, specializing in Russian, Chinese, Iranian, and North Korean cyber activity. His reporting focuses on adversary TTPs, campaign attribution, and the intersection of geopolitics and cyber conflict. Alex holds a GIAC Cyber Threat Intelligence (GCTI) certification and has contributed threat intelligence research to multiple ISAC communities.
New phishing-as-a-service platform bypasses MFA via OAuth device code flow. FBI PSA details how Kali365's AI-generated lures and $250/month pricing are enabling widespread credential theft.
China-linked Calypso group targets telecoms across Middle East and Asia Pacific with new Linux and Windows malware. Showboat provides SOCKS5 proxy access; JFMBackdoor enables full system control.
ESET exposes Webworm's EchoCreep and GraphWorm backdoors targeting European governments. The China-aligned APT uses Discord and OneDrive for C2, hitting Belgium, Italy, Poland, and Spain.
Verizon's 2026 Data Breach Investigations Report reveals vulnerability exploitation surpassed credential theft as the leading breach vector for the first time in 19 years. Only 26% of KEV flaws get patched.
Microsoft's Digital Crimes Unit seizes infrastructure behind Fox Tempest, a malware-signing service that helped Rhysida, Akira, and Qilin ransomware gangs disguise malicious code as legitimate software.
AI-enabled device code phishing campaigns hit hundreds of Microsoft 365 accounts daily since mid-March. Criminal toolkits proliferate as attacks bypass MFA at scale.
Internal database of #2 ransomware group leaked after 4VPS hosting breach exposes chat logs, affiliate rosters, and operational playbooks from 400+ attacks.
Microsoft exposes how Russia's FSB-linked Secret Blizzard transformed Kazuar from a monolithic backdoor into a three-module P2P botnet with advanced anti-detection capabilities.
Google's Threat Intelligence Group identifies a criminal group using an LLM-generated exploit to bypass 2FA in a web admin tool—marking the first confirmed AI-built zero-day in active use.
SOCRadar documents a persistent phishing operation that stole 2,000+ credentials from aviation, energy, and government sectors over four years using GitHub-hosted infrastructure.
China-nexus APT group UAT-8302 targets South American and European governments using NetDraft, CloudSorcerer, and VShell backdoors. Cisco Talos reveals connections to multiple Chinese threat clusters.
Iranian APT MuddyWater hijacked Microsoft Teams to harvest credentials via live screen-sharing, then dropped Chaos ransomware as a false flag to hide espionage. Rapid7 linked the campaign to 36 victims.
Unit 42 links CL-STA-1132 to Chinese state-sponsored actors exploiting CVE-2026-0300 for espionage. IOCs and attack timeline revealed after a month of active exploitation.
M-Trends 2026 reveals attackers now outpace patches, with AI accelerating exploitation and ransomware handoffs dropping to 22 seconds. Defenders are losing ground.
CTM360 exposes FEMITBOT, a large-scale fraud operation abusing Telegram Mini Apps to run crypto scams, impersonate brands like Apple and NVIDIA, and distribute Android malware.
SHADOW-EARTH-053, GLITTER CARP, and SEQUIN CARP target Asian governments, journalists, and activists across Pakistan, Thailand, Poland, and 5 other nations with ShadowPad.
New ConsentFix v3 attack automates Microsoft Azure OAuth credential theft using Pipedream webhooks and Cloudflare phishing pages. Pre-trusted apps bypass MFA entirely.
AiTM and token theft attacks hit 40,000 daily incidents in 2026. CISA warns OAuth tokens bypass MFA, enabling invisible lateral movement across SaaS apps.
US Coast Guard Cyber Command issued an alert warning that INC Ransom is actively targeting maritime and logistics networks with double-extortion ransomware.
A Vietnamese threat actor dubbed AccountDumpling compromised 30,000 Facebook Business accounts using Google AppSheet emails to bypass spam filters.
Russian military hackers deployed PRISMEX steganography malware against Ukraine and NATO logistics networks, exploiting zero-days CVE-2026-21509 and CVE-2026-21513 weeks before patches.
Peter Stokes, 19, was detained while boarding a flight to Japan. Federal prosecutors allege he participated in breaches that forced companies to pay millions in ransoms.
North Korean threat actors are befriending targets on Facebook, building trust over weeks, then delivering RokRAT malware through trojanized PDF readers. Military and government officials targeted.
Chinese national Xu Zewei faces nine federal counts after extradition from Italy for alleged role in Silk Typhoon attacks stealing COVID-19 vaccine research from U.S. universities and research institutions.
Pro-Ukrainian hacktivist group PhantomCore chains three TrueConf vulnerabilities including CVSS 9.8 command injection to infiltrate Russian government and private organizations since September 2025.
SentinelOne reveals fast16, a 2005 cyber sabotage framework targeting engineering software. The Lua-based malware corrupted high-precision calculations years before Stuxnet emerged.
New extortion group BlackFile impersonates IT helpdesks via phone calls to steal credentials and demand seven-figure ransoms. Targets include retail chains and hospitality companies.
Google Cloud uncovers UNC6692, a threat actor impersonating IT helpdesk staff on Microsoft Teams to deploy the modular SNOW malware suite targeting senior executives.
ESET uncovers GopherWhisper, a China-aligned APT using Go-based backdoors and legitimate cloud services like Discord, Slack, and Outlook to target Mongolian government systems.
Check Point researchers gained access to a SystemBC C2 server operated by The Gentlemen ransomware group, uncovering over 1,570 compromised corporate networks that haven't been publicly disclosed.
Google attributes the Axios npm supply chain attack to UNC1069, a North Korean threat actor. Malicious versions deployed WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
Russia-linked crypto exchange Grinex halts operations after $13 million theft, blaming 'Western special services.' Blockchain analysts find no evidence supporting the attribution.
CERT-UA warns of ongoing campaign hitting Ukrainian clinics and government agencies with AGINGFLY backdoor. Attackers steal browser credentials, WhatsApp data, and deploy cryptominers.
International law enforcement operation takes down 53 DDoS-for-hire domains and exposes 3 million criminal user accounts. 21 countries participate in coordinated crackdown.
Iranian APT MuddyWater adopts Russian TAG-150 malware-as-a-service platform to deploy ChainShell RAT against Israeli targets. C2 addresses resolved via Ethereum smart contracts evade takedowns.
Google researchers expose EtherHiding technique storing malware payloads in Ethereum and BNB smart contracts. First nation-state adoption of unkillable blockchain C2 infrastructure.
HUMAN Security exposes Pushpaganda campaign using AI content to poison Google Discover feeds, generating 240 million fraudulent ad requests through scareware and fake news.
Joint FBI-Indonesian operation dismantles W3LL phishing platform behind $20M in fraud attempts. Developer arrested after 25,000+ stolen accounts sold since 2019.
FBI IC3 2025 report reveals record $20.9 billion in cybercrime losses. Investment fraud tops $8.6B, cryptocurrency scams reach $11.4B, and ransomware losses surge 259%.
Google warns of UNC6783 threat actor using Okta and Zendesk phishing to breach BPO providers, stealing 13M Adobe support tickets and bug bounty data. FIDO2 keys recommended.
Microsoft tracks Storm-2755 'Payroll Pirate' using poisoned search results and AiTM phishing to hijack Canadian employee direct deposits. HR systems compromised.
US, UK, and Canadian law enforcement froze $12 million in stolen crypto and identified 20,000 victims of approval phishing scams in week-long crackdown.
FBI-led Operation Masquerade dismantled Russia's GRU-linked FrostArmada, which compromised 18,000+ routers to steal Microsoft 365 credentials via DNS hijacking.
Joint advisory AA26-097A details Iranian APT targeting Rockwell Allen-Bradley controllers across critical infrastructure. Attacks caused operational disruptions since March 2026.
Check Point tracks an Iran-nexus campaign targeting Microsoft 365 accounts across 300+ Israeli organizations and 25+ UAE entities. Attackers use Tor exit nodes and Israeli VPNs to evade detection.
Microsoft links China-based Storm-1175 to high-velocity Medusa ransomware attacks exploiting zero-day vulnerabilities. Healthcare, education, and finance sectors hit across Australia, UK, and US.
Unit 42 exposes Phantom Taurus, a Chinese APT targeting embassies and foreign ministries with fileless NET-STAR malware. The group resurfaces within hours after discovery.
FortiGuard Labs exposes DPRK campaign using LNK files and GitHub repositories for command-and-control against South Korean targets. 22 evasion techniques identified.
New research maps the infostealer lifecycle from infection to dark web sale. Microsoft Entra ID appears in 79% of 2.05 million credential logs analyzed in 2026.
Threat actor UAC-0255 sent 1 million phishing emails posing as CERT-UA to distribute the AGEWHEEZE remote access trojan targeting Ukrainian organizations.
Operation TrueChaos exploited CVE-2026-3502 in TrueConf video conferencing to deploy Havoc malware across Southeast Asian government networks.
China-linked APT embeds kernel-level backdoors in telecom infrastructure across Middle East and Asia. Rapid7 finds stealthy implants evading detection for years.
Bearlyfy has hit 70+ Russian companies since January 2025, now deploying custom GenieLocker ransomware. The group blends financial extortion with politically motivated sabotage.
EvilTokens phishing platform targets Microsoft 365 identities across US, Canada, Australia, New Zealand, and Germany. OAuth abuse bypasses MFA to steal access tokens.
Unit 42 uncovers phishing campaign distributing trojanized Israeli civil defense app. Malicious APK harvests location data, contacts, and messages from Android devices amid regional tensions.
FBI and CISA alert reveals Russian intelligence operatives have hijacked thousands of Signal and WhatsApp accounts belonging to US officials, military, and journalists through phishing attacks.
Pakistan-linked APT36 uses LLM coding tools to mass-produce malware variants in Nim, Zig, and Crystal, targeting Indian government and embassies.
The EU sanctioned Integrity Technology Group, Anxun Information Technology, and Emennet Pasargad for cyberattacks against member states including the Paris Olympics.
New JavaScript backdoor targets Ukrainian entities using Microsoft Edge's debugging features for stealth. S2 Grupo links campaign to Laundry Bear threat group.
North Korean threat group Konni weaponizes KakaoTalk messaging app after compromising victims via spear-phishing. EndRAT, RftRAT deployed in multi-stage campaign.
Camaro Dragon weaponized missile strike lure documents to deploy PlugX backdoor against Qatari targets, exploiting Operation Epic Fury tensions for access.
North Korean APT37's Ruby Jumper campaign uses RESTLEAF, THUMBSBD, and FOOTWINE malware to exfiltrate data from isolated systems via USB drives.
Contagious Interview campaign weaponizes fake job interviews to deploy OtterCookie and FlexibleFerret malware. Targets crypto and AI developers for credentials.
Microsoft exposes Storm-2561 campaign using SEO manipulation to distribute fake Cisco, Fortinet, and Ivanti VPN clients that steal enterprise credentials.
China-linked UAT-9244 deploys TernDoor backdoor and peer-to-peer implants against telecom infrastructure across South America, North America, and Europe.
Iranian APT group breaches US critical infrastructure using novel Dindoor malware built on Deno runtime. Symantec links campaign to MOIS.
FIN6's year-long HR phishing campaign delivers BlackSanta, a tool that kills EDR and antivirus software before dropping final malware payloads. Recruiters are the target.
Russian GRU-linked APT28 deploys BEARDSHELL and COVENANT implants for long-term surveillance of Ukrainian military personnel. ESET research reveals cloud storage abuse for C2.
APT41-linked threat group deploys GearDoor backdoor via Google Drive for covert command-and-control. Check Point tracks campaigns across Europe and Southeast Asia.
India-linked APT deploys BurrowShell backdoor and Rust-based RAT against Pakistan nuclear agencies, Bangladesh banks, and Sri Lankan government. 112 C2 domains identified.
Zscaler uncovers Dust Specter campaign targeting Iraqi government officials with novel SPLITDROP and GHOSTFORM malware. Evidence suggests AI-assisted development.
The FBI confirms a sophisticated cyberattack targeted its internal wiretap and FISA warrant management system. Investigation ongoing with CISA and NSA involvement.
Government-grade iPhone exploits targeting iOS 13-17.2.1 now wielded by Russian spies and Chinese criminals. Lockdown Mode stops it cold.
Active phishing campaign uses spoofed email chains to trick LastPass users into revealing master passwords. Attackers generate thousands of URL variants leading to fake SSO pages.
Unit 42 details how Iran's Electronic Operations Room coordinated RipperSec and 60+ hacktivist groups claiming 150+ incidents in 72 hours during Operation Epic Fury.
Security researchers tie Russia's APT28 to CVE-2026-21513 exploitation using malicious LNK files. The MSHTML zero-day was weaponized weeks before Microsoft's February patch.
China-linked UNC2814 breached 53 organizations across 42 countries using GRIDTIDE malware that abuses Google Sheets for C2. Google terminates attacker infrastructure.
China-aligned threat group deploys LuciDoor and MarsSnake backdoors against telecom providers in Kyrgyzstan and Tajikistan, expanding from prior Saudi operations.
North Korean APT37 deploys six new malware tools to breach air-gapped systems using USB drives and cloud C2. Zscaler reveals RESTLEAF, THUMBSBD, and FOOTWINE surveillance capabilities.
Scattered Lapsus$ Hunters offers $500-$1,000 to recruit women for IT help desk social engineering attacks. The supergroup combines LAPSUS$, Scattered Spider, and ShinyHunters tactics.
Anthropic alleges DeepSeek, Moonshot AI, and MiniMax used 24,000 fake accounts to extract Claude capabilities through 16 million distillation queries.
Iranian APT MuddyWater launches Operation Olalampo against MENA organizations, deploying four new malware families including GhostFetch and CHAR, a Rust backdoor controlled via Telegram.
New espionage campaign uses protest-themed lures and Chrome DLL side-loading to deploy RAT malware against Iranian diaspora, activists, and journalists.
Amazon threat intelligence exposes Russian-speaking actor using generative AI to breach 600+ FortiGate devices across 55 countries. Attack used ARXON tool with DeepSeek and Claude.
Attackers exploiting CVE-2026-1731 deploy cross-platform backdoors across finance, healthcare, and tech. Over 10,600 instances remain exposed.
Radware's 2026 threat report reveals network-layer DDoS attacks jumped 168% year-over-year. NoName057 claimed 4,693 attacks, setting a new hacktivist record.
Cisco AI Defense research finds OpenAI's safeguard models perform worse than standard versions under sustained attack. Multi-turn jailbreaks spike success rates up to 92%.
Chinese threat group UNC6201 exploited a critical hardcoded credential flaw (CVE-2026-22769) in Dell RecoverPoint for 18 months before disclosure. Patch now.
SANS ISC documents phishing campaign using fabricated incident reports to steal MetaMask wallet credentials. Attackers host phishing pages on AWS S3.
North Korea's Lazarus Group targets blockchain developers with fake recruitment campaign distributing RAT malware through 36 poisoned npm and PyPI packages.
Cisco Talos links previously unknown threat actor UAT-9921 to VoidLink malware campaigns targeting technology and financial services since September 2025.
Singapore confirms China-linked APT compromised M1, Singtel, StarHub, and SIMBA using zero-day exploits and rootkits. 11-month Operation Cyber Guardian response disclosed.
SANS researchers demonstrate how open-source AI tools extract actionable relationships from unstructured threat reports, mapping GRU and APT28 TTPs in interactive visualizations.
Google's threat intelligence reveals APT groups from China, Iran, North Korea, and Russia using Gemini for recon, malware development, and phishing. Two AI-powered malware families discovered.
Google Mandiant exposes UNC1069's use of AI-generated deepfake video, compromised executive accounts, and ClickFix attacks to deploy macOS malware against cryptocurrency firms.
Germany's BfV and BSI issued a joint advisory warning of state-sponsored phishing campaigns targeting politicians, military officials, and journalists through Signal's device linking feature.
SafeBreach tracks Infy APT deploying Tornado v51 malware with blockchain-based C2 after Iran's internet blackout, confirming state sponsorship ties.
Asia-based APT TGR-STA-1030 compromised 70+ government and critical infrastructure targets across 37 countries using eBPF rootkits and Cobalt Strike.
Seven-implant Linux toolkit intercepts traffic on compromised routers, delivering ShadowPad and hijacking Android updates. Active C2 infrastructure dates to 2019.
Russia's APT28 exploited CVE-2026-21509 to hit maritime and transport organizations across nine countries, with shipping firms making up 35% of targets.
SANS ISC handler Xavier Mertens documents phishing campaigns using malformed URL parameters to evade regex detection, URL normalization, and IOC extraction.
Operation Neusploit saw Russia's APT28 exploit CVE-2026-21509 against 60+ Ukrainian targets within 72 hours of Microsoft's disclosure, delivering MiniDoor and BEARDSHELL backdoors.
Violet Typhoon compromised the text editor's hosting provider to redirect updates to malicious servers targeting telecom and financial firms.
SANS ISC detects reconnaissance activity targeting locally hosted Claude API endpoints. Researchers warn of growing risk from misconfigured AI deployments.
Iranian APT group shifts tactics with RustyWater implant targeting diplomatic, financial, and telecom sectors across the Middle East via spear-phishing.
French researchers uncover SloppyMIO, an AI-assisted malware campaign using fabricated victim lists to target individuals documenting human rights abuses during Iranian protests.
Google Threat Intelligence Group disrupts one of the world's largest residential proxy networks, cutting off infrastructure used by nation-state actors from China, Russia, Iran, and North Korea.
Attackers exploit Google Presentations' publish mode to host phishing pages that bypass Google's own security warnings, targeting Vivaldi Webmail users.
Analysis reveals CyberAv3ngers and other 'hacktivist' groups targeting US infrastructure are actually IRGC-controlled operations masquerading as ideological actors.
Chinese APT adds clipboard monitoring, browser stealing, and enhanced plugins to its long-running backdoor. Government entities in Asia remain primary targets.
Modern ransomware gangs have weaponized fear, legal liability, and deadline pressure. Here's how extortion tactics have fundamentally changed.
Check Point uncovers Konni campaign using AI-generated PowerShell backdoors to target blockchain developers across Asia-Pacific. Marks shift from diplomatic espionage.
ESET researchers attribute December cyberattack on Polish energy infrastructure to Russian GRU hackers. Previously unknown wiper malware recovered.
Recorded Future tracks APT28 harvesting credentials from energy, defense, and government targets in the Balkans, Middle East, and Central Asia using free hosting infrastructure.
The European Commission's revised Cybersecurity Act expands ENISA's powers and creates a framework to restrict high-risk technology suppliers.
DragonForce and other actors are exploiting CVE-2024-57727 to compromise utility billing providers and their downstream customers.
APT42 campaign compromises government ministers, activists, and journalists through fake login pages and real-time surveillance capabilities.
German and Ukrainian authorities identify 35-year-old Russian national as Black Basta boss, raid homes of two affiliates in Ukraine.
Cisco Talos exposes China-nexus APT targeting critical infrastructure with CVE-2025-53690 exploitation, credential harvesting, and potential supply chain compromise.
Coordinated takedown seizes cybercrime service that enabled 191,000 account compromises. Operation marks Microsoft's 35th action against criminal infrastructure.
Void Blizzard deploys PLUGGYAPE backdoor through Signal and WhatsApp, impersonating charitable organizations to compromise Ukrainian defense forces.
GreyNoise honeypot data reveals coordinated reconnaissance of LLM infrastructure including OpenAI, Claude, and Ollama deployments over 11 days.
Global Cybersecurity Outlook 2026 finds executives prioritizing cyber-enabled fraud as top risk. Report warns of 'three-front war' against crime, AI misuse, and supply chain threats.
Huntress researchers discover 'MAESTRO' toolkit exploiting three VMware vulnerabilities. Attackers chained SonicWall VPN access with hypervisor escape to deploy persistent backdoors.
North Korean APT embeds malicious QR codes in spear-phishing emails to bypass corporate email security and compromise mobile devices.
Chinese state hackers accessed email accounts of House staffers working on China, foreign affairs, and defense. The intrusion was discovered in December.
The agency retired directives spanning SolarWinds to Microsoft Exchange in the largest bulk closure ever. KEV catalog now handles most vulnerability mandates.
Fancy Bear campaigns from February through September 2025 targeted energy, defense, and policy organizations using fake VPN and email login pages.
Qilin has hit 1,000+ victims. Everest targets critical infrastructure. Here's what security teams need to know about today's most active ransomware operations.
DPRK hackers stole $2B in cryptocurrency in 2025 alone. Understanding Lazarus Group's operations helps defend against state-sponsored financial theft.
Newly disclosed threat actor compromises telecom providers in South Asia and Southeastern Europe, establishing relay infrastructure for other Chinese APT groups.
North Korean APT-Q-1 now combines fraudulent cryptocurrency job postings with ClickFix social engineering to deploy GolangGhost backdoor and BeaverTail stealer.
Threat actors spoof organization domains by abusing complex mail routing and weak DMARC policies. Microsoft blocked 13 million malicious emails in October alone.
New Government Cyber Action Plan creates centralized security unit, dedicated cyber profession, and mandatory requirements for all departments. Legacy systems get top priority.
Microsoft and CrowdStrike warn of intensified Silk Typhoon operations targeting US government agencies and IT supply chains, with 150% increase in China-linked intrusions.
CACI wins task order to modernize classified and unclassified networks at all 14 U.S. Space Force bases, implementing zero trust architecture and cloud capabilities.
Two crew members detained after cargo vessel's anchor allegedly severed Finland-Estonia telecommunications cable in suspected hybrid warfare operation.
Attackers abuse Google Cloud Application Integration to send phishing emails that bypass SPF, DKIM, and DMARC, targeting 3,200 organizations globally.
Beyond CVSS scores, these vulnerabilities caused the most damage in 2025—from nation-state exploitation to mass ransomware campaigns and breaches affecting millions.
CloudSEK identifies Chinese threat group Silver Fox targeting Indian organizations with phishing emails disguised as income tax department communications.
Chinese APT uses stolen certificate to sign malicious driver that disables security tools. First documented case of TONESHELL delivered via kernel-mode loader.
Noname057(16) claims DDoS attack on La Poste that disrupted package tracking and banking services for millions during peak holiday delivery season.
Month-long operation across 19 African nations recovers $3 million, takes down 6,000 malicious links, and decrypts six ransomware variants.
SafeBreach uncovers new Prince of Persia campaign using updated Foudre and Tonnerre malware, now leveraging Telegram for command and control.
Joint advisory from CISA, NSA, and Canadian Cyber Centre details new Rust-based variants of Chinese government malware targeting IT and government sectors.
A Sygnia IR manager and DigitalMint negotiator admitted to deploying BlackCat ransomware while employed to help victims respond to such attacks.
From the largest cryptocurrency heist in history to nation-state espionage campaigns targeting critical infrastructure, 2025 redefined the cyber threat landscape.
Danish intelligence attributes Z-Pentest hacktivist attack on Køge water utility to Russian state, summons ambassador over 'hybrid war' operations.
ESET researchers discover sophisticated threat actor targeting Southeast Asian and Japanese governments using Windows Group Policy for lateral movement.
DPRK-affiliated threat actors dominated crypto theft in 2025, accounting for 76% of exchange compromises with cumulative theft now exceeding $6.75 billion.
Amazon's threat intelligence team exposes and disrupts Sandworm operations targeting Western critical infrastructure through misconfigured edge devices.
Sophisticated threat group escalates operations against European government entities using relay networks that route attacks through multiple victim organizations.
Joint advisory from CISA, FBI, NSA warns of pro-Russia hacktivist groups successfully compromising SCADA systems at US water, energy, and food facilities.