Alex Kowalski

Scattered Lapsus$ Hunters offers $500-$1,000 to recruit women for IT help desk social engineering attacks. The supergroup combines LAPSUS$, Scattered Spider, and ShinyHunters tactics.

Anthropic alleges DeepSeek, Moonshot AI, and MiniMax used 24,000 fake accounts to extract Claude capabilities through 16 million distillation queries.

Iranian APT MuddyWater launches Operation Olalampo against MENA organizations, deploying four new malware families including GhostFetch and CHAR, a Rust backdoor controlled via Telegram.

New espionage campaign uses protest-themed lures and Chrome DLL side-loading to deploy RAT malware against Iranian diaspora, activists, and journalists.

Amazon threat intelligence exposes Russian-speaking actor using generative AI to breach 600+ FortiGate devices across 55 countries. Attack used ARXON tool with DeepSeek and Claude.

Attackers exploiting CVE-2026-1731 deploy cross-platform backdoors across finance, healthcare, and tech. Over 10,600 instances remain exposed.

Radware's 2026 threat report reveals network-layer DDoS attacks jumped 168% year-over-year. NoName057 claimed 4,693 attacks, setting a new hacktivist record.

Cisco AI Defense research finds OpenAI's safeguard models perform worse than standard versions under sustained attack. Multi-turn jailbreaks spike success rates up to 92%.

Chinese threat group UNC6201 exploited a critical hardcoded credential flaw (CVE-2026-22769) in Dell RecoverPoint for 18 months before disclosure. Patch now.

SANS ISC documents phishing campaign using fabricated incident reports to steal MetaMask wallet credentials. Attackers host phishing pages on AWS S3.

North Korea's Lazarus Group targets blockchain developers with fake recruitment campaign distributing RAT malware through 36 poisoned npm and PyPI packages.

Cisco Talos links previously unknown threat actor UAT-9921 to VoidLink malware campaigns targeting technology and financial services since September 2025.

Singapore confirms China-linked APT compromised M1, Singtel, StarHub, and SIMBA using zero-day exploits and rootkits. 11-month Operation Cyber Guardian response disclosed.

SANS researchers demonstrate how open-source AI tools extract actionable relationships from unstructured threat reports, mapping GRU and APT28 TTPs in interactive visualizations.

Google's threat intelligence reveals APT groups from China, Iran, North Korea, and Russia using Gemini for recon, malware development, and phishing. Two AI-powered malware families discovered.

Google Mandiant exposes UNC1069's use of AI-generated deepfake video, compromised executive accounts, and ClickFix attacks to deploy macOS malware against cryptocurrency firms.

Germany's BfV and BSI issued a joint advisory warning of state-sponsored phishing campaigns targeting politicians, military officials, and journalists through Signal's device linking feature.

SafeBreach tracks Infy APT deploying Tornado v51 malware with blockchain-based C2 after Iran's internet blackout, confirming state sponsorship ties.

Asia-based APT TGR-STA-1030 compromised 70+ government and critical infrastructure targets across 37 countries using eBPF rootkits and Cobalt Strike.

Seven-implant Linux toolkit intercepts traffic on compromised routers, delivering ShadowPad and hijacking Android updates. Active C2 infrastructure dates to 2019.

Russia's APT28 exploited CVE-2026-21509 to hit maritime and transport organizations across nine countries, with shipping firms making up 35% of targets.

SANS ISC handler Xavier Mertens documents phishing campaigns using malformed URL parameters to evade regex detection, URL normalization, and IOC extraction.

Operation Neusploit saw Russia's APT28 exploit CVE-2026-21509 against 60+ Ukrainian targets within 72 hours of Microsoft's disclosure, delivering MiniDoor and BEARDSHELL backdoors.

Violet Typhoon compromised the text editor's hosting provider to redirect updates to malicious servers targeting telecom and financial firms.

SANS ISC detects reconnaissance activity targeting locally hosted Claude API endpoints. Researchers warn of growing risk from misconfigured AI deployments.

Iranian APT group shifts tactics with RustyWater implant targeting diplomatic, financial, and telecom sectors across the Middle East via spear-phishing.

French researchers uncover SloppyMIO, an AI-assisted malware campaign using fabricated victim lists to target individuals documenting human rights abuses during Iranian protests.

Google Threat Intelligence Group disrupts one of the world's largest residential proxy networks, cutting off infrastructure used by nation-state actors from China, Russia, Iran, and North Korea.

Attackers exploit Google Presentations' publish mode to host phishing pages that bypass Google's own security warnings, targeting Vivaldi Webmail users.

Analysis reveals CyberAv3ngers and other 'hacktivist' groups targeting US infrastructure are actually IRGC-controlled operations masquerading as ideological actors.

Chinese APT adds clipboard monitoring, browser stealing, and enhanced plugins to its long-running backdoor. Government entities in Asia remain primary targets.

Modern ransomware gangs have weaponized fear, legal liability, and deadline pressure. Here's how extortion tactics have fundamentally changed.

Check Point uncovers Konni campaign using AI-generated PowerShell backdoors to target blockchain developers across Asia-Pacific. Marks shift from diplomatic espionage.

ESET researchers attribute December cyberattack on Polish energy infrastructure to Russian GRU hackers. Previously unknown wiper malware recovered.

Recorded Future tracks APT28 harvesting credentials from energy, defense, and government targets in the Balkans, Middle East, and Central Asia using free hosting infrastructure.

The European Commission's revised Cybersecurity Act expands ENISA's powers and creates a framework to restrict high-risk technology suppliers.

DragonForce and other actors exploiting CVE-2024-57727 to compromise utility billing providers and their downstream customers.

APT42 campaign compromises government ministers, activists, and journalists through fake login pages and real-time surveillance capabilities.

German and Ukrainian authorities identify 35-year-old Russian national as Black Basta boss, raid homes of two affiliates in Ukraine.

Cisco Talos exposes China-nexus APT targeting critical infrastructure with CVE-2025-53690 exploitation, credential harvesting, and potential supply chain compromise.

Coordinated takedown seizes cybercrime service that enabled 191,000 account compromises. Operation marks Microsoft's 35th action against criminal infrastructure.

Void Blizzard deploys PLUGGYAPE backdoor through Signal and WhatsApp, impersonating charitable organizations to compromise Ukrainian defense forces.

GreyNoise honeypot data reveals coordinated reconnaissance of LLM infrastructure including OpenAI, Claude, and Ollama deployments over 11 days.

Global Cybersecurity Outlook 2026 finds executives prioritizing cyber-enabled fraud as top risk. Report warns of 'three-front war' against crime, AI misuse, and supply chain threats.

Huntress researchers discover 'MAESTRO' toolkit exploiting three VMware vulnerabilities. Attackers chained SonicWall VPN access with hypervisor escape to deploy persistent backdoors.

North Korean APT embeds malicious QR codes in spear-phishing emails to bypass corporate email security and compromise mobile devices.

Chinese state hackers accessed email accounts of House staffers working on China, foreign affairs, and defense. The intrusion was discovered in December.

The agency retired directives spanning SolarWinds to Microsoft Exchange in the largest bulk closure ever. KEV catalog now handles most vulnerability mandates.

Fancy Bear campaigns from February through September 2025 targeted energy, defense, and policy organizations using fake VPN and email login pages.

Qilin has hit 1,000+ victims. Everest targets critical infrastructure. Here's what security teams need to know about today's most active ransomware operations.

DPRK hackers stole $2B in cryptocurrency in 2025 alone. Understanding Lazarus Group's operations helps defend against state-sponsored financial theft.

Newly disclosed threat actor compromises telecom providers in South Asia and Southeastern Europe, establishing relay infrastructure for other Chinese APT groups.

North Korean APT-Q-1 now combines fraudulent cryptocurrency job postings with ClickFix social engineering to deploy GolangGhost backdoor and BeaverTail stealer.

Threat actors spoof organization domains by abusing complex mail routing and weak DMARC policies. Microsoft blocked 13 million malicious emails in October alone.

New Government Cyber Action Plan creates centralized security unit, dedicated cyber profession, and mandatory requirements for all departments. Legacy systems get top priority.

Microsoft and CrowdStrike warn of intensified Silk Typhoon operations targeting US government agencies and IT supply chains, with 150% increase in China-linked intrusions.

CACI wins task order to modernize classified and unclassified networks at all 14 U.S. Space Force bases, implementing zero trust architecture and cloud capabilities.

Two crew members detained after cargo vessel's anchor allegedly severed Finland-Estonia telecommunications cable in suspected hybrid warfare operation.

Attackers abuse Google Cloud Application Integration to send phishing emails that bypass SPF, DKIM, and DMARC, targeting 3,200 organizations globally.

Beyond CVSS scores, these vulnerabilities caused the most damage in 2025—from nation-state exploitation to mass ransomware campaigns and breaches affecting millions.

CloudSEK identifies Chinese threat group Silver Fox targeting Indian organizations with phishing emails disguised as income tax department communications.

Chinese APT uses stolen certificate to sign malicious driver that disables security tools. First documented case of TONESHELL delivered via kernel-mode loader.

Noname057(16) claims DDoS attack on La Poste that disrupted package tracking and banking services for millions during peak holiday delivery season.

Month-long operation across 19 African nations recovers $3 million, takes down 6,000 malicious links, and decrypts six ransomware variants.

SafeBreach uncovers new Prince of Persia campaign using updated Foudre and Tonnerre malware, now leveraging Telegram for command and control.

Joint advisory from CISA, NSA, and Canadian Cyber Centre details new Rust-based variants of Chinese government malware targeting IT and government sectors.

A Sygnia IR manager and DigitalMint negotiator admitted to deploying BlackCat ransomware while employed to help victims respond to such attacks.

From the largest cryptocurrency heist in history to nation-state espionage campaigns targeting critical infrastructure, 2025 redefined the cyber threat landscape.

Danish intelligence attributes Z-Pentest hacktivist attack on Køge water utility to Russian state, summons ambassador over 'hybrid war' operations.

ESET researchers discover sophisticated threat actor targeting Southeast Asian and Japanese governments using Windows Group Policy for lateral movement.

DPRK-affiliated threat actors dominated crypto theft in 2025, accounting for 76% of exchange compromises with cumulative theft now exceeding $6.75 billion.

Amazon's threat intelligence team exposes and disrupts Sandworm operations targeting Western critical infrastructure through misconfigured edge devices.

Sophisticated threat group escalates operations against European government entities using relay networks that route attacks through multiple victim organizations.

Joint advisory from CISA, FBI, NSA warns of pro-Russia hacktivist groups successfully compromising SCADA systems at US water, energy, and food facilities.