China-Linked Hackers Hit University Mail Servers via Roundcube
Proofpoint tracks UNK_MassTraction exploiting Roundcube flaws to target US and Canadian university physics departments. VShell post-exploitation tool deployed for persistent access.
206 articles
Proofpoint tracks UNK_MassTraction exploiting Roundcube flaws to target US and Canadian university physics departments. VShell post-exploitation tool deployed for persistent access.
A misconfigured hacker server exposed 22 days of logs revealing a webshell access-brokerage operation that compromised over 25,000 WordPress sites using 27 weaponized CVEs.
Researchers demonstrate how malicious instructions hidden in PNG images can hijack AI coding assistants to exfiltrate credentials. Claude Code resisted the attack while Cursor and others complied.
INTERPOL's Operation First Light 2026 led to 5,811 arrests across 97 countries, seizing $293 million from social engineering fraud networks including BEC, romance scams, and crypto laundering operations.
Former analyst claims a Huntress threat hunter shared FBI communications with ransomware operator Devman, including agent names. CEO admits 'poor judgment' but denies illegality.
Angelo Martino leaked client insurance limits and negotiation strategies to the ransomware gang he was hired to negotiate against. Federal court sentences the double agent to nearly six years.
Datadog Security Labs exposes coordinated campaigns using aged 'ghost' accounts to enumerate organizations via GitHub API. Some attackers escalated from reconnaissance to cloning private repositories.
New data extortion group Helix uses vishing and device code phishing to steal SharePoint data from Medtronic, Nissan, and others. ReliaQuest links infrastructure to defunct BlackFile.
China-linked APT UAT-7810 expands LapDogs campaign with LongLeash, DogLeash, and JarLeash backdoors. Over 1,000 Ruckus and Asus routers compromised for espionage relay network.
Threat actor O-UNC-066 runs voice phishing campaign tricking Microsoft 365 users into enrolling attacker-controlled Entra passkeys. Real-time MFA bypass enables full account takeover.
Device code phishing attacks jumped 1,380% in early 2026. EvilTokens and 17 other PhaaS kits now offer turnkey identity theft that bypasses MFA and passkeys.
Researchers demonstrate TrojPix, an attack that turns invisible pixel changes into radio signals leaking data at 8.1 Mbps from air-gapped systems up to 208 meters away.
New threat group Armored Likho targets government agencies and power sectors in Russia, Brazil, and Kazakhstan using BusySnake Stealer—malware with AI-generated loader code and reverse SSH tunneling capabilities.
LLMjacking evolves as threat actors hijack exposed Ollama servers to power multi-stage VAPT frameworks that scan, exploit, and compromise targets automatically.
Sophos and FBI warn of new partnership combining supply chain credential theft with ransomware deployment. 500,000 credentials already stolen.
JADEPUFFER campaign shows AI agents autonomously exploiting vulnerabilities, moving laterally, and encrypting databases. Ransomware attacks up 42% as LLMs compress attack timelines to seconds.
SOCRadar links FortiBleed to INC and Lynx ransomware operations. 430,000 FortiGate firewalls targeted, 110 million credentials stolen, 12+ ransomware deployments confirmed.
Hackers breached the Homeland Security Information Network between May and June, compromising sensitive but unclassified data while the US hosts FIFA World Cup games.
Google and the FBI dismantled NetNut, a residential proxy network that compromised 2 million smart TVs and streaming boxes. 316 threat groups used it in a single week to mask attack origins.
19-year-old Peter Stokes extradited from Finland to face U.S. charges for alleged role in Scattered Spider operations including an $8 million jewelry retailer breach.
Attackers exploited deprecated OAuth ROPC flow to bypass MFA, compromising 78 accounts across 64 organizations. Attack originated from Hong Kong and China infrastructure.
Unit 42 finds attackers registering domains that LLMs hallucinate, then hosting phishing kits to intercept AI-directed traffic. Montana Empire kit caught 23 days after prediction.
Two UK teenagers plead guilty to the September 2024 TfL breach that exposed 10 million commuters and forced 28,000 employees to reset passwords in person.
Spur Intelligence finds over 2,000 smart TV apps embedding Bright Data proxy code—turning your living room TV into an exit node for web scraping traffic.
Russian intelligence groups UNC5792 and UNC4221 have evolved their Signal phishing campaign to harvest backup recovery keys, enabling access even after victims change phones.
Mozilla's 0DIN researchers demonstrate how innocent-looking repositories can chain three benign components to hijack AI coding assistants and establish reverse shells on developer machines.
Netcraft identifies 70 new Bluekit hostnames as the phishing-as-a-service platform adopts real-time session hijacking that defeats all forms of traditional MFA.
Attackers injected malicious JavaScript via a compromised vendor to drain $3 million in pUSD from Polymarket users. The prediction market giant pledges full refunds.
Mandiant's investigation finds Handala breached Cal Water's billing system but never reached operational technology. The Iran-linked group claimed they chose not to disrupt water access.
Scammers insert fake Norton, McAfee, and PayPal invoices into Shopify's Shop order-tracking app, then social engineer victims into installing remote access tools. Here's how it works.
Microsoft and Europol seize 66 domains and 296 servers supporting StealC and Amadey malware, recovering 25.6 million stolen credentials in coordinated takedown.
Symantec reveals ransomware group used Teams TURN relay infrastructure to mask command-and-control. First documented abuse of Teams relay for malware C2.
International law enforcement seizes 106 servers and 101 domains behind SocGholish malware framework, cleaning up 15,000 infected WordPress sites. Evil Corp connection confirmed.
UNC1151 phishing campaign steals 2FA codes using fake Google security alerts. CERT Polska reports new domains appearing daily as attackers target government officials and their families.
Ukrainian national Oleksii Lytvynenko admits to developing loader malware for the Conti ransomware gang after extradition from Ireland. Sentencing set for September 2026.
Google TAG exposes UNC6508 campaign that compromised US and Canadian medical, academic, and military research labs since September 2023 using custom INFINITERED malware.
A cyberattack disrupted services at four major Iranian banks on June 14, with hacktivist group Black Wolves claiming responsibility for targeting shared infrastructure.
Operation Ghost Hook takedown seizes 9,000 fake websites and $100K in crypto from Chinese phishing-as-a-service ring that weaponized Gemini AI to steal 3.8 million credit cards.
Handala threat group claims to have compromised California Water Service, publishing 5GB of customer data. Security experts assess the group reached billing systems and GPS servers but likely cannot disrupt water operations.
Chinese APT Velvet Ant compromised PAM and OpenSSH on a critical infrastructure network, remaining undetected from 2016 to 2026. Here's how they did it.
ReliaQuest uncovers OP-512 threat cluster targeting Windows IIS servers with three-part web shell framework. Each deployment is unique, self-reporting, and timestamps itself to evade forensics.
Mandiant tracks UNC3753 hitting dozens of law firms via vishing and physical intrusions. Data theft to extortion in under one hour. FBI issues flash alert.
Meta catches NSO Group targeting WhatsApp users in Jordan and Lebanon despite permanent injunction. Files contempt order after detecting one-click phishing attempts.
Unit 42 exposes Phantom Taurus, a China-aligned APT targeting governments and telecoms across Africa, the Middle East, and Asia with custom NET-STAR backdoors for IIS servers.
Threat actor PCPJack compromised 230 AWS, Azure, and Google Cloud servers to build a hidden email relay network. Hunt.io and SentinelOne researchers expose the operation.
Russian FSB-linked hackers weaponize CVE-2025-8088 to spread self-propagating malware across Ukrainian networks. Worm spreads via USB and network shares.
Group-IB exposes 4,300+ fraudulent domains impersonating FIFA ahead of World Cup 2026. Six parallel scams could steal billions—check ticket sources carefully.
New threat actor uses fake recruiter profiles to deploy AUDIOFIX and MINIRAT malware against cryptocurrency organizations. npm supply chain also compromised.