Fake Next.js Job Tests Deploy In-Memory Malware via VS Code
Microsoft uncovers developer-targeting campaign using fake coding assessments to deliver JavaScript backdoors through VS Code automation triggers and Vercel-hosted payloads.
Malware Reporter
Covers ransomware operations, infostealer campaigns, and malware-as-a-service ecosystems for ProbablyPwned. James spent six years as a malware analyst at a major endpoint security vendor before transitioning to journalism, where he brings hands-on reverse engineering experience to his reporting. He tracks the evolution of threat actor toolkits, evasion techniques, and the criminal economics behind ransomware-as-a-service. James holds a GIAC Reverse Engineering Malware (GREM) certification and is a regular contributor to malware analysis communities.
Huntress responds to ClickFix intrusion deploying Matanbuchus 3.0 and custom AstarionRAT. Attackers achieved lateral movement within 40 minutes.
Threat actors bypass ClawHub security by hiding Base64 payloads in fake troubleshooting comments. Atomic Stealer delivered to unsuspecting OpenClaw users.
Kaspersky exposes Arkanix Stealer, a Python and C++ infostealer likely built with LLM assistance. After two months of targeting crypto wallets and VPNs, the operation vanished.
Banking trojan disguised as IPTV streaming apps targets users in Portugal and Greece, enabling device takeover and credential theft through overlay attacks.
ESET discovers PromptSpy, the first Android malware weaponizing Google's Gemini AI to maintain persistence by analyzing UI and generating real-time tap instructions to stay pinned in recent apps.
Elastic Security Labs uncovers ClickFix campaign abusing compromised bincheck.io to deliver MIMICRAT, a custom C++ RAT with SOCKS5 tunneling and token impersonation capabilities.
SANS ISC analyzes DynoWiper's internals revealing Mersenne Twister seeding, 16-byte overwrite buffers, and directory exclusions. Technical breakdown of Sandworm's latest wiper.
Microsoft warns of ClickFix variant using nslookup commands to stage malware via DNS traffic. Delivers ModeloRAT through fileless attack chain.
Microsoft Defender Experts track expanding infostealer campaigns hitting macOS via ClickFix prompts, malicious DMG installers, and Python-based stealers. DigitStealer, MacSync, and AMOS lead the wave.
Cloud-native worm campaign by TeamPCP has compromised 60,000+ servers by exploiting Docker APIs, Kubernetes, and React2Shell. Flare researchers detail the industrialized operation.
Xavier Mertens discovers 846 images reusing the same Base64 steganography technique to deliver .NET malware via Equation Editor exploits. Here's how defenders can hunt for copycats.
Hudson Rock detects Vidar infostealer exfiltrating OpenClaw AI agent files for the first time. Stolen configs include gateway tokens and cryptographic keys.
CTM360 exposes 4,000+ malicious Google Groups delivering Lumma Stealer and Ninja Browser malware. Attackers pose as tech support in forums to bypass network detection.
Microsoft warns of ClickFix variant that deliberately crashes Chrome, then social-engineers victims into running PowerShell. Only domain-joined hosts targeted.
Researchers expose three Chrome extension campaigns stealing Meta Business Suite exports, VK accounts, and AI chatbot conversations from over 760,000 users.
New Linux botnet SSHStalker infected 7,000 cloud servers using brute-force SSH attacks and 2009-era kernel exploits. Uses IRC for command-and-control while apparently staging for future operations.
New ransomware family Reynolds embeds a vulnerable NsecSoft driver directly into its payload to disable CrowdStrike, Sophos, and other EDR tools before encryption begins.
Commercial mobile spyware on Telegram offers live surveillance, OTP interception, and crypto theft across Android 5-16 and iOS up to version 26.
BridgePay confirms ransomware attack crippled its payment processing platform, forcing merchants nationwide to cash-only. FBI and Secret Service are investigating.
Conpet, operator of 3,800km of Romanian oil pipelines, confirms cyberattack. Qilin claims 1TB of stolen data including financial records and passports.
Sophos finds 7,000+ servers with identical hostnames from ISPsystem VMmanager templates. LockBit, Qilin, and Conti all used the same bulletproof hosting VMs.
Rapid7 attributes the six-month Notepad++ supply chain compromise to Chinese APT Lotus Blossom, revealing a custom Chrysalis backdoor and three distinct infection chains.
Over 1,000 IPs exploit CVE-2025-55182 to inject malicious NGINX configs that redirect web traffic through attacker infrastructure, targeting Asian government and education sites.
Securonix uncovers multi-stage fileless campaign using IPFS-hosted VHD files and process injection into signed Windows binaries to deploy AsyncRAT.
SANS researcher uncovers multi-stage malware attack hiding XWorm payload inside a legitimate travel website image using steganography and obfuscated batch scripts.
Flare research finds enterprise identity compromise doubled in 2025, with Microsoft Entra ID appearing in 79% of logs. Session cookies enable MFA bypass at scale.
Russian-linked gang dumps executive emails, employee IDs, and banking communications in first airline sector attack of 2026.
Security researchers uncover ClawHavoc campaign distributing Atomic Stealer through fake cryptocurrency and productivity tools on ClawHub marketplace.
Security researchers expose an active campaign using layered evasion techniques to deliver Remcos RAT through MSBuild abuse and .NET Reactor-protected loaders.
Learn what ransomware is, how attacks work, the main types including double extortion, and practical steps to defend against this growing threat.
New campaign combines fake CAPTCHA pages with signed Microsoft scripts to bypass security tools and install Amatera infostealer on enterprise systems.
Two AI coding assistants on Microsoft's marketplace steal source code and credentials in real-time. Extensions use hidden iframes and analytics SDKs to profile developers.
New ransomware family employs BYOVD technique with POORTRY driver to disable endpoint protection. Evidence links operators to Inc ransomware campaigns.
The NexShield Chrome extension impersonated uBlock Origin's developer and used ClickFix techniques to deliver ModeloRAT malware to corporate networks.
Resecurity uncovers stealthy DLL-sideloading malware with APT-grade anti-VM tricks. Multiple ransomware groups now deploying it.
Budget Android TV boxes and tablets ship with backdoors from the factory, turning home networks into criminal infrastructure for ad fraud and proxy services.
Sophos exposes malvertising campaign that stayed dormant for 56 days before activating credential theft across 50+ fraudulent domains.
New Boto Cor-de-Rosa campaign uses Python-based worm module to auto-send malware through victims' WhatsApp contacts.
Cybercrime group uses fake software downloads and malicious Bing ads to deploy infostealer malware at scale across Chinese systems.
Multi-stage malware campaign uses text-based stagers and living-off-the-land binaries to deliver Remcos RAT to enterprise targets.
Five malicious extensions masquerading as HR tools steal authentication tokens, block security panels, and enable account takeover through cookie injection.
CyberArk exploited a vulnerability in the StealC infostealer's control panel to identify threat actors, steal session cookies, and track an operator who compromised 5,000 victims.
The initial access malware now delivers payloads through deliberately malformed archives that crash security tools while executing normally on Windows.
Check Point researchers expose a sophisticated cloud-native malware framework designed from the ground up to target AWS, Azure, GCP, and containerized environments.
A ransomware operation has compromised multiple US educational institutions using stolen VPN credentials. The education sector represents 80% of known victims.
A new ransomware group has compromised at least six healthcare organizations in Taiwan using BYOVD attacks to disable security software before encryption.
Two rogue browser extensions masquerading as AI tools exfiltrated complete conversation histories from ChatGPT and DeepSeek to attacker-controlled servers every 30 minutes.
A threat actor called RedTeam is selling a $1,500 credential-stuffing tool with built-in scanning, proxy rotation, and multi-protocol support aimed at enterprise VPN infrastructure.
The Russian-linked gang led all ransomware groups on January 6 with attacks spanning wine distributors, art logistics, and medical practices across three countries.
First macOS-focused wave of GlassWorm malware discovered on Open VSX marketplace, stealing cryptocurrency wallets, Keychain passwords, and developer credentials through trojanized extensions.
Hudson Rock research reveals 220 legitimate business websites hijacked for ClickFix malware attacks after admin credentials were stolen by infostealers.
Popular text editor's download page was hijacked for four days in December, serving trojanized installers that steal browser credentials and crypto wallets.
Nine-month-old botnet campaign pivots to exploit CVE-2025-55182 in Next.js, deploying cryptominers and Mirai variants across exposed instances.
The self-propagating VS Code extension worm now replaces Ledger Live and Trezor Suite with trojanized versions. Russian-speaking operators behind campaign.
A five-year investigation ends with extradition to South Korea. The 29-year-old allegedly infected 2.8 million Windows systems through trojanized software activation tools.
Chinese threat actor behind coordinated extension campaigns spanning seven years. Zoom Stealer component harvested corporate meeting credentials from 28 platforms.
New variant distributed as signed and notarized Swift app evades built-in security. Jamf Threat Labs traces evolution from ClickFix techniques to silent installer approach.
Supply chain attack disguised as working WhatsApp API library stole credentials, messages, and linked attacker devices to victim accounts. 56,000+ downloads since May.
Ransomware tracking data shows 63 total claims from 6 groups on December 26. LockBit's revival dominates holiday attack wave targeting reduced security staff.
Federal indictments target Tren de Aragua members who used Ploutus malware to steal over $40 million from U.S. ATMs since 2021.
Massive Android botnet targets set-top boxes and tablets, issued 1.7 billion attack commands in 3 days, briefly surpassing Google in DNS rankings.
Russian-developed infostealer now production-ready after December 16 release, targets browser credentials, crypto wallets, and messaging apps for $175/month.
New $150/month malware platform allows attackers to create weaponized versions of legitimate Android apps while maintaining full functionality.
Security researchers uncover sophisticated steganography attack concealing malicious JavaScript within PNG logo files of 17 Firefox browser extensions.