Storm-2755 Steals Canadian Paychecks via SEO Poisoning
Microsoft tracks Storm-2755 'Payroll Pirate' using poisoned search results and AiTM phishing to hijack Canadian employee direct deposits. HR systems compromised.
Threat Intelligence Reporter
Covers nation-state threat actors, APT campaigns, and geopolitical cyber operations for ProbablyPwned. Alex spent five years as an intelligence analyst in the defense sector before moving to cybersecurity journalism, specializing in Russian, Chinese, Iranian, and North Korean cyber activity. His reporting focuses on adversary TTPs, campaign attribution, and the intersection of geopolitics and cyber conflict. Alex holds a GIAC Cyber Threat Intelligence (GCTI) certification and has contributed threat intelligence research to multiple ISAC communities.
US, UK, and Canadian law enforcement froze $12 million in stolen crypto and identified 20,000 victims of approval phishing scams in week-long crackdown.
FBI-led Operation Masquerade dismantled Russia's GRU-linked FrostArmada, which compromised 18,000+ routers to steal Microsoft 365 credentials via DNS hijacking.
Joint advisory AA26-097A details Iranian APT targeting Rockwell Allen-Bradley controllers across critical infrastructure. Attacks caused operational disruptions since March 2026.
Check Point tracks an Iran-nexus campaign targeting Microsoft 365 accounts across 300+ Israeli organizations and 25+ UAE entities. Attackers use Tor exit nodes and Israeli VPNs to evade detection.
Microsoft links China-based Storm-1175 to high-velocity Medusa ransomware attacks exploiting zero-day vulnerabilities. Healthcare, education, and finance sectors hit across Australia, UK, and US.
Unit 42 exposes Phantom Taurus, a Chinese APT targeting embassies and foreign ministries with fileless NET-STAR malware. The group resurfaces within hours after discovery.
FortiGuard Labs exposes DPRK campaign using LNK files and GitHub repositories for command-and-control against South Korean targets. 22 evasion techniques identified.
New research maps the infostealer lifecycle from infection to dark web sale. Microsoft Entra ID appears in 79% of 2.05 million credential logs analyzed in 2026.
Threat actor UAC-0255 sent 1 million phishing emails posing as CERT-UA to distribute the AGEWHEEZE remote access trojan targeting Ukrainian organizations.
Operation TrueChaos exploited CVE-2026-3502 in TrueConf video conferencing to deploy Havoc malware across Southeast Asian government networks.
China-linked APT embeds kernel-level backdoors in telecom infrastructure across Middle East and Asia. Rapid7 finds stealthy implants evading detection for years.
Bearlyfy has hit 70+ Russian companies since January 2025, now deploying custom GenieLocker ransomware. The group blends financial extortion with politically motivated sabotage.
EvilTokens phishing platform targets Microsoft 365 identities across US, Canada, Australia, New Zealand, and Germany. OAuth abuse bypasses MFA to steal access tokens.
Unit 42 uncovers phishing campaign distributing trojanized Israeli civil defense app. Malicious APK harvests location data, contacts, and messages from Android devices amid regional tensions.
FBI and CISA alert reveals Russian intelligence operatives have hijacked thousands of Signal and WhatsApp accounts belonging to US officials, military, and journalists through phishing attacks.
Pakistan-linked APT36 uses LLM coding tools to mass-produce malware variants in Nim, Zig, and Crystal, targeting Indian government and embassies.
The EU sanctioned Integrity Technology Group, Anxun Information Technology, and Emennet Pasargad for cyberattacks against member states including the Paris Olympics.
New JavaScript backdoor targets Ukrainian entities using Microsoft Edge's debugging features for stealth. S2 Grupo links campaign to Laundry Bear threat group.
North Korean threat group Konni weaponizes KakaoTalk messaging app after compromising victims via spear-phishing. EndRAT, RftRAT deployed in multi-stage campaign.
Camaro Dragon weaponized missile strike lure documents to deploy PlugX backdoor against Qatari targets, exploiting Operation Epic Fury tensions for access.
North Korean APT37's Ruby Jumper campaign uses RESTLEAF, THUMBSBD, and FOOTWINE malware to exfiltrate data from isolated systems via USB drives.
Contagious Interview campaign weaponizes fake job interviews to deploy OtterCookie and FlexibleFerret malware. Targets crypto and AI developers for credentials.
Microsoft exposes Storm-2561 campaign using SEO manipulation to distribute fake Cisco, Fortinet, and Ivanti VPN clients that steal enterprise credentials.
China-linked UAT-9244 deploys TernDoor backdoor and peer-to-peer implants against telecom infrastructure across South America, North America, and Europe.
Iranian APT group breaches US critical infrastructure using novel Dindoor malware built on Deno runtime. Symantec links campaign to MOIS.
Year-long campaign delivers BlackSanta EDR killer through fake job applications. Malware disables endpoint security before deploying final payloads.
Russian GRU-linked APT28 deploys BEARDSHELL and COVENANT implants for long-term surveillance of Ukrainian military personnel. ESET research reveals cloud storage abuse for C2.
APT41-linked threat group deploys GearDoor backdoor via Google Drive for covert command-and-control. Check Point tracks campaigns across Europe and Southeast Asia.
India-linked APT deploys BurrowShell backdoor and Rust-based RAT against Pakistan nuclear agencies, Bangladesh banks, and Sri Lankan government. 112 C2 domains identified.
Zscaler uncovers Dust Specter campaign targeting Iraqi government officials with novel SPLITDROP and GHOSTFORM malware. Evidence suggests AI-assisted development.
The FBI confirms a sophisticated cyberattack targeted its internal wiretap and FISA warrant management system. Investigation ongoing with CISA and NSA involvement.
Government-grade iPhone exploits targeting iOS 13-17.2.1 now wielded by Russian spies and Chinese criminals. Lockdown Mode stops it cold.
Active phishing campaign uses spoofed email chains to trick LastPass users into revealing master passwords. Attackers generate thousands of URL variants leading to fake SSO pages.
Unit 42 threat brief details Iran's cyber response to Operation Epic Fury, with 60+ hacktivist groups claiming 150+ incidents in 72 hours despite severe connectivity loss.
Security researchers tie Russia's APT28 to CVE-2026-21513 exploitation using malicious LNK files. The MSHTML zero-day was weaponized weeks before Microsoft's February patch.
China-linked UNC2814 breached 53 organizations across 42 countries using GRIDTIDE malware that abuses Google Sheets for C2. Google terminates attacker infrastructure.
China-aligned threat group deploys LuciDoor and MarsSnake backdoors against telecom providers in Kyrgyzstan and Tajikistan, expanding from prior Saudi operations.
North Korean APT37 deploys six new malware tools to breach air-gapped systems using USB drives and cloud C2. Zscaler reveals RESTLEAF, THUMBSBD, and FOOTWINE surveillance capabilities.
Scattered Lapsus$ Hunters offers $500-$1,000 to recruit women for IT help desk social engineering attacks. The supergroup combines LAPSUS$, Scattered Spider, and ShinyHunters tactics.
Anthropic alleges DeepSeek, Moonshot AI, and MiniMax used 24,000 fake accounts to extract Claude capabilities through 16 million distillation queries.
Iranian APT MuddyWater launches Operation Olalampo against MENA organizations, deploying four new malware families including GhostFetch and CHAR, a Rust backdoor controlled via Telegram.
New espionage campaign uses protest-themed lures and Chrome DLL side-loading to deploy RAT malware against Iranian diaspora, activists, and journalists.
Amazon threat intelligence exposes Russian-speaking actor using generative AI to breach 600+ FortiGate devices across 55 countries. Attack used ARXON tool with DeepSeek and Claude.
Attackers exploiting CVE-2026-1731 deploy cross-platform backdoors across finance, healthcare, and tech. Over 10,600 instances remain exposed.
Radware's 2026 threat report reveals network-layer DDoS attacks jumped 168% year-over-year. NoName057 claimed 4,693 attacks, setting a new hacktivist record.
Cisco AI Defense research finds OpenAI's safeguard models perform worse than standard versions under sustained attack. Multi-turn jailbreaks spike success rates up to 92%.
Chinese threat group UNC6201 exploited a critical hardcoded credential flaw (CVE-2026-22769) in Dell RecoverPoint for 18 months before disclosure. Patch now.
SANS ISC documents phishing campaign using fabricated incident reports to steal MetaMask wallet credentials. Attackers host phishing pages on AWS S3.
North Korea's Lazarus Group targets blockchain developers with fake recruitment campaign distributing RAT malware through 36 poisoned npm and PyPI packages.
Cisco Talos links previously unknown threat actor UAT-9921 to VoidLink malware campaigns targeting technology and financial services since September 2025.
Singapore confirms China-linked APT compromised M1, Singtel, StarHub, and SIMBA using zero-day exploits and rootkits. 11-month Operation Cyber Guardian response disclosed.
SANS researchers demonstrate how open-source AI tools extract actionable relationships from unstructured threat reports, mapping GRU and APT28 TTPs in interactive visualizations.
Google's threat intelligence reveals APT groups from China, Iran, North Korea, and Russia using Gemini for recon, malware development, and phishing. Two AI-powered malware families discovered.
Google Mandiant exposes UNC1069's use of AI-generated deepfake video, compromised executive accounts, and ClickFix attacks to deploy macOS malware against cryptocurrency firms.
Germany's BfV and BSI issued a joint advisory warning of state-sponsored phishing campaigns targeting politicians, military officials, and journalists through Signal's device linking feature.
SafeBreach tracks Infy APT deploying Tornado v51 malware with blockchain-based C2 after Iran's internet blackout, confirming state sponsorship ties.
Asia-based APT TGR-STA-1030 compromised 70+ government and critical infrastructure targets across 37 countries using eBPF rootkits and Cobalt Strike.
Seven-implant Linux toolkit intercepts traffic on compromised routers, delivering ShadowPad and hijacking Android updates. Active C2 infrastructure dates to 2019.
Russia's APT28 exploited CVE-2026-21509 to hit maritime and transport organizations across nine countries, with shipping firms making up 35% of targets.
SANS ISC handler Xavier Mertens documents phishing campaigns using malformed URL parameters to evade regex detection, URL normalization, and IOC extraction.
Operation Neusploit saw Russia's APT28 exploit CVE-2026-21509 against 60+ Ukrainian targets within 72 hours of Microsoft's disclosure, delivering MiniDoor and BEARDSHELL backdoors.
Violet Typhoon compromised the text editor's hosting provider to redirect updates to malicious servers targeting telecom and financial firms.
SANS ISC detects reconnaissance activity targeting locally hosted Claude API endpoints. Researchers warn of growing risk from misconfigured AI deployments.
Iranian APT group shifts tactics with RustyWater implant targeting diplomatic, financial, and telecom sectors across the Middle East via spear-phishing.
French researchers uncover SloppyMIO, an AI-assisted malware campaign using fabricated victim lists to target individuals documenting human rights abuses during Iranian protests.
Google Threat Intelligence Group disrupts one of the world's largest residential proxy networks, cutting off infrastructure used by nation-state actors from China, Russia, Iran, and North Korea.
Attackers exploit Google Presentations' publish mode to host phishing pages that bypass Google's own security warnings, targeting Vivaldi Webmail users.
Analysis reveals CyberAv3ngers and other 'hacktivist' groups targeting US infrastructure are actually IRGC-controlled operations masquerading as ideological actors.
Chinese APT adds clipboard monitoring, browser stealing, and enhanced plugins to its long-running backdoor. Government entities in Asia remain primary targets.
Modern ransomware gangs have weaponized fear, legal liability, and deadline pressure. Here's how extortion tactics have fundamentally changed.
Check Point uncovers Konni campaign using AI-generated PowerShell backdoors to target blockchain developers across Asia-Pacific. Marks shift from diplomatic espionage.
ESET researchers attribute December cyberattack on Polish energy infrastructure to Russian GRU hackers. Previously unknown wiper malware recovered.
Recorded Future tracks APT28 harvesting credentials from energy, defense, and government targets in the Balkans, Middle East, and Central Asia using free hosting infrastructure.
The European Commission's revised Cybersecurity Act expands ENISA's powers and creates a framework to restrict high-risk technology suppliers.
DragonForce and other actors are exploiting CVE-2024-57727 to compromise utility billing providers and their downstream customers.
APT42 campaign compromises government ministers, activists, and journalists through fake login pages and real-time surveillance capabilities.
German and Ukrainian authorities identify 35-year-old Russian national as Black Basta boss, raid homes of two affiliates in Ukraine.
Cisco Talos exposes China-nexus APT targeting critical infrastructure with CVE-2025-53690 exploitation, credential harvesting, and potential supply chain compromise.
Coordinated takedown seizes cybercrime service that enabled 191,000 account compromises. Operation marks Microsoft's 35th action against criminal infrastructure.
Void Blizzard deploys PLUGGYAPE backdoor through Signal and WhatsApp, impersonating charitable organizations to compromise Ukrainian defense forces.
GreyNoise honeypot data reveals coordinated reconnaissance of LLM infrastructure including OpenAI, Claude, and Ollama deployments over 11 days.
Global Cybersecurity Outlook 2026 finds executives prioritizing cyber-enabled fraud as top risk. Report warns of 'three-front war' against crime, AI misuse, and supply chain threats.
Huntress researchers discover 'MAESTRO' toolkit exploiting three VMware vulnerabilities. Attackers chained SonicWall VPN access with hypervisor escape to deploy persistent backdoors.
North Korean APT embeds malicious QR codes in spear-phishing emails to bypass corporate email security and compromise mobile devices.
Chinese state hackers accessed email accounts of House staffers working on China, foreign affairs, and defense. The intrusion was discovered in December.
The agency retired directives spanning SolarWinds to Microsoft Exchange in the largest bulk closure ever. KEV catalog now handles most vulnerability mandates.
Fancy Bear campaigns from February through September 2025 targeted energy, defense, and policy organizations using fake VPN and email login pages.
Qilin has hit 1,000+ victims. Everest targets critical infrastructure. Here's what security teams need to know about today's most active ransomware operations.
DPRK hackers stole $2B in cryptocurrency in 2025 alone. Understanding Lazarus Group's operations helps defend against state-sponsored financial theft.
Newly disclosed threat actor compromises telecom providers in South Asia and Southeastern Europe, establishing relay infrastructure for other Chinese APT groups.
North Korean APT-Q-1 now combines fraudulent cryptocurrency job postings with ClickFix social engineering to deploy GolangGhost backdoor and BeaverTail stealer.
Threat actors spoof organization domains by abusing complex mail routing and weak DMARC policies. Microsoft blocked 13 million malicious emails in October alone.
New Government Cyber Action Plan creates centralized security unit, dedicated cyber profession, and mandatory requirements for all departments. Legacy systems get top priority.
Microsoft and CrowdStrike warn of intensified Silk Typhoon operations targeting US government agencies and IT supply chains, with 150% increase in China-linked intrusions.
CACI wins task order to modernize classified and unclassified networks at all 14 U.S. Space Force bases, implementing zero trust architecture and cloud capabilities.
Two crew members detained after cargo vessel's anchor allegedly severed Finland-Estonia telecommunications cable in suspected hybrid warfare operation.
Attackers abuse Google Cloud Application Integration to send phishing emails that bypass SPF, DKIM, and DMARC, targeting 3,200 organizations globally.
Beyond CVSS scores, these vulnerabilities caused the most damage in 2025—from nation-state exploitation to mass ransomware campaigns and breaches affecting millions.
CloudSEK identifies Chinese threat group Silver Fox targeting Indian organizations with phishing emails disguised as income tax department communications.
Chinese APT uses stolen certificate to sign malicious driver that disables security tools. First documented case of TONESHELL delivered via kernel-mode loader.
Noname057(16) claims DDoS attack on La Poste that disrupted package tracking and banking services for millions during peak holiday delivery season.
Month-long operation across 19 African nations recovers $3 million, takes down 6,000 malicious links, and decrypts six ransomware variants.
SafeBreach uncovers new Prince of Persia campaign using updated Foudre and Tonnerre malware, now leveraging Telegram for command and control.
Joint advisory from CISA, NSA, and Canadian Cyber Centre details new Rust-based variants of Chinese government malware targeting IT and government sectors.
A Sygnia IR manager and DigitalMint negotiator admitted to deploying BlackCat ransomware while employed to help victims respond to such attacks.
From the largest cryptocurrency heist in history to nation-state espionage campaigns targeting critical infrastructure, 2025 redefined the cyber threat landscape.
Danish intelligence attributes Z-Pentest hacktivist attack on Køge water utility to Russian state, summons ambassador over 'hybrid war' operations.
ESET researchers discover sophisticated threat actor targeting Southeast Asian and Japanese governments using Windows Group Policy for lateral movement.
DPRK-affiliated threat actors dominated crypto theft in 2025, accounting for 76% of exchange compromises with cumulative theft now exceeding $6.75 billion.
Amazon's threat intelligence team exposes and disrupts Sandworm operations targeting Western critical infrastructure through misconfigured edge devices.
Sophisticated threat group escalates operations against European government entities using relay networks that route attacks through multiple victim organizations.
Joint advisory from CISA, FBI, NSA warns of pro-Russia hacktivist groups successfully compromising SCADA systems at US water, energy, and food facilities.