Threat Intel

Group-IB exposes 4,300+ fraudulent domains impersonating FIFA ahead of World Cup 2026. Six parallel scams could steal billions—check ticket sources carefully.

New threat actor uses fake recruiter profiles to deploy AUDIOFIX and MINIRAT malware against cryptocurrency organizations. npm supply chain also compromised.

Operation XENOFISCAL delivers customized XenoRAT to Afghanistan's Ministry of Finance and 34 provincial revenue directorates. The Pakistan-linked APT used Pashto-language lures and bulletproof European hosting.

Russian-linked GREYVIBE threat actor deploys AI-generated malware including PhantomRelay and LegionRelay against Ukrainian military and government targets. WithSecure analysis reveals the group's OPSEC failures.

Silent Ransom Group escalates from vishing to physical infiltration. FBI FLASH alert warns 38+ law firms already breached, with operatives plugging USB drives into office computers.

North Korea's Lazarus Group uses RemotePE, a fileless RAT that executes entirely in RAM, to target DeFi platforms. The group has stolen $577M in crypto this year alone.

New phishing-as-a-service platform bypasses MFA via OAuth device code flow. FBI PSA details how Kali365's AI-generated lures and $250/month pricing are enabling widespread credential theft.

China-linked Calypso group targets telecoms across Middle East and Asia Pacific with new Linux and Windows malware. Showboat provides SOCKS5 proxy access; JFMBackdoor enables full system control.

ESET exposes Webworm's EchoCreep and GraphWorm backdoors targeting European governments. The China-aligned APT uses Discord and OneDrive for C2, hitting Belgium, Italy, Poland, and Spain.

Verizon's 2026 Data Breach Investigations Report reveals vulnerability exploitation surpassed credential theft as the leading breach vector for the first time in 19 years. Only 26% of KEV flaws get patched.

Microsoft's Digital Crimes Unit seizes infrastructure behind Fox Tempest, a malware-signing service that helped Rhysida, Akira, and Qilin ransomware gangs disguise malicious code as legitimate software.

AI-enabled device code phishing campaigns hit hundreds of Microsoft 365 accounts daily since mid-March. Criminal toolkits proliferate as attacks bypass MFA at scale.

Internal database of #2 ransomware group leaked after 4VPS hosting breach exposes chat logs, affiliate rosters, and operational playbooks from 400+ attacks.

Microsoft exposes how Russia's FSB-linked Secret Blizzard transformed Kazuar from a monolithic backdoor into a three-module P2P botnet with advanced anti-detection capabilities.

Google's Threat Intelligence Group identifies a criminal group using an LLM-generated exploit to bypass 2FA in a web admin tool—marking the first confirmed AI-built zero-day in active use.

SOCRadar documents a persistent phishing operation that stole 2,000+ credentials from aviation, energy, and government sectors over four years using GitHub-hosted infrastructure.

China-nexus APT group UAT-8302 targets South American and European governments using NetDraft, CloudSorcerer, and VShell backdoors. Cisco Talos reveals connections to multiple Chinese threat clusters.

Iranian APT MuddyWater hijacked Microsoft Teams to harvest credentials via live screen-sharing, then dropped Chaos ransomware as a false flag to hide espionage. Rapid7 linked the campaign to 36 victims.

Unit 42 links CL-STA-1132 to Chinese state-sponsored actors exploiting CVE-2026-0300 for espionage. IOCs and attack timeline revealed after a month of active exploitation.

M-Trends 2026 reveals attackers now outpace patches, with AI accelerating exploitation and ransomware handoffs dropping to 22 seconds. Defenders are losing ground.

CTM360 exposes FEMITBOT, a large-scale fraud operation abusing Telegram Mini Apps to run crypto scams, impersonate brands like Apple and NVIDIA, and distribute Android malware.

SHADOW-EARTH-053, GLITTER CARP, and SEQUIN CARP target Asian governments, journalists, and activists across Pakistan, Thailand, Poland, and 5 other nations with ShadowPad.

New ConsentFix v3 attack automates Microsoft Azure OAuth credential theft using Pipedream webhooks and Cloudflare phishing pages. Pre-trusted apps bypass MFA entirely.

AiTM and token theft attacks hit 40,000 daily incidents in 2026. CISA warns OAuth tokens bypass MFA, enabling invisible lateral movement across SaaS apps.

US Coast Guard Cyber Command issued an alert warning that INC Ransom is actively targeting maritime and logistics networks with double-extortion ransomware.

A Vietnamese threat actor dubbed AccountDumpling compromised 30,000 Facebook Business accounts using Google AppSheet emails to bypass spam filters.

Russian military hackers deployed PRISMEX steganography malware against Ukraine and NATO logistics networks, exploiting zero-days CVE-2026-21509 and CVE-2026-21513 weeks before patches.

Peter Stokes, 19, was detained while boarding a flight to Japan. Federal prosecutors allege he participated in breaches that forced companies to pay millions in ransoms.

North Korean threat actors are befriending targets on Facebook, building trust over weeks, then delivering RokRAT malware through trojanized PDF readers. Military and government officials targeted.

Chinese national Xu Zewei faces nine federal counts after extradition from Italy for alleged role in Silk Typhoon attacks stealing COVID-19 vaccine research from U.S. universities and research institutions.

Pro-Ukrainian hacktivist group PhantomCore chains three TrueConf vulnerabilities including CVSS 9.8 command injection to infiltrate Russian government and private organizations since September 2025.

SentinelOne reveals fast16, a 2005 cyber sabotage framework targeting engineering software. The Lua-based malware corrupted high-precision calculations years before Stuxnet emerged.

New extortion group BlackFile impersonates IT helpdesks via phone calls to steal credentials and demand seven-figure ransoms. Targets include retail chains and hospitality companies.

Google Cloud uncovers UNC6692, a threat actor impersonating IT helpdesk staff on Microsoft Teams to deploy the modular SNOW malware suite targeting senior executives.

ESET uncovers GopherWhisper, a China-aligned APT using Go-based backdoors and legitimate cloud services like Discord, Slack, and Outlook to target Mongolian government systems.

Check Point researchers gained access to a SystemBC C2 server operated by The Gentlemen ransomware group, uncovering over 1,570 compromised corporate networks that haven't been publicly disclosed.

Google attributes the Axios npm supply chain attack to UNC1069, a North Korean threat actor. Malicious versions deployed WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.

Russia-linked crypto exchange Grinex halts operations after $13 million theft, blaming 'Western special services.' Blockchain analysts find no evidence supporting the attribution.

CERT-UA warns of ongoing campaign hitting Ukrainian clinics and government agencies with AGINGFLY backdoor. Attackers steal browser credentials, WhatsApp data, and deploy cryptominers.

International law enforcement operation takes down 53 DDoS-for-hire domains and exposes 3 million criminal user accounts. 21 countries participate in coordinated crackdown.

Iranian APT MuddyWater adopts Russian TAG-150 malware-as-a-service platform to deploy ChainShell RAT against Israeli targets. C2 addresses resolved via Ethereum smart contracts evade takedowns.

Google researchers expose EtherHiding technique storing malware payloads in Ethereum and BNB smart contracts. First nation-state adoption of unkillable blockchain C2 infrastructure.

HUMAN Security exposes Pushpaganda campaign using AI content to poison Google Discover feeds, generating 240 million fraudulent ad requests through scareware and fake news.

Joint FBI-Indonesian operation dismantles W3LL phishing platform behind $20M in fraud attempts. Developer arrested after 25,000+ stolen accounts sold since 2019.

FBI IC3 2025 report reveals record $20.9 billion in cybercrime losses. Investment fraud tops $8.6B, cryptocurrency scams reach $11.4B, and ransomware losses surge 259%.