RedHook Android RAT Weaponizes Wireless ADB for Shell Access
Group-IB reveals RedHook banking trojan now exploits Android's Wireless Debugging to gain shell privileges without rooting. Active in Southeast Asia with 53 remote commands.
Breaking cybersecurity news covering data breaches, vulnerability disclosures, threat actor campaigns, and security incidents worldwide.
Group-IB reveals RedHook banking trojan now exploits Android's Wireless Debugging to gain shell privileges without rooting. Active in Southeast Asia with 53 remote commands.
A misconfigured hacker server exposed 22 days of logs revealing a webshell access-brokerage operation that compromised over 25,000 WordPress sites using 27 weaponized CVEs.
Zimbra urges immediate patching for a stored XSS flaw in Classic Web Client that executes malicious code when users open crafted emails. Google TAG reported the vulnerability.
Researchers demonstrate how malicious instructions hidden in PNG images can hijack AI coding assistants to exfiltrate credentials. Claude Code resisted the attack while Cursor and others complied.
Progress Software tells ShareFile customers to immediately shut down Storage Zone Controllers due to a credible security threat. The company disabled affected accounts while investigating.
Attackers hijacked the jscrambler npm package to deploy a cross-platform Rust infostealer that harvests credentials from AI coding assistants, cloud platforms, and crypto wallets.
Binarly uncovers six vulnerabilities in U-Boot's FIT signature verification present since 2013, affecting millions of BMCs, routers, and IoT devices. Patches exist but downstream adoption lags.
China-based threat actor Lurking Lizard operates 230+ lookalike domains serving trojanized 7-Zip installers and the WireVPN app to recruit victims into a residential proxy botnet without consent.
Insurance provider AssuranceAmerica disclosed a data breach affecting 6.9 million customers—the largest known exposure of driver's license numbers in 2026. Attackers compromised employee credentials.
INTERPOL's Operation First Light 2026 led to 5,811 arrests across 97 countries, seizing $293 million from social engineering fraud networks including BEC, romance scams, and crypto laundering operations.
Palo Alto Networks addresses 13 PAN-OS vulnerabilities including CVE-2026-0288 (CVSS 9.2) buffer overflow and CVE-2026-0257 auth bypass under active exploitation by unknown threat actors.
Former analyst claims a Huntress threat hunter shared FBI communications with ransomware operator Devman, including agent names. CEO admits 'poor judgment' but denies illegality.
Angelo Martino leaked client insurance limits and negotiation strategies to the ransomware gang he was hired to negotiate against. Federal court sentences the double agent to nearly six years.
Datadog Security Labs exposes coordinated campaigns using aged 'ghost' accounts to enumerate organizations via GitHub API. Some attackers escalated from reconnaissance to cloning private repositories.
Wiz researchers discover six major AI coding assistants vulnerable to symlink attacks. Malicious repos can trick Claude Code, Cursor, and Amazon Q into writing files outside designated workspaces.
Unit 42 uncovers Node.js-based RAT using Ethereum smart contracts for C2. Attackers impersonate IT staff on Teams calls to install remote access tools before deploying EtherRAT.
Symantec exposes GodDamn ransomware's BYOVD attack using Microsoft-signed PoisonX kernel driver to blind EDR tools. Here's how Hyadina's latest variant works and what defenders should watch for.
New data extortion group Helix uses vishing and device code phishing to steal SharePoint data from Medtronic, Nissan, and others. ReliaQuest links infrastructure to defunct BlackFile.
Januscape vulnerability CVE-2026-53359 allows guest VM root users to corrupt host kernel memory and escape to host. First KVM exploit affecting both Intel and AMD architectures simultaneously.
Critical Gitea Docker vulnerability allows full admin access via single X-WEBAUTH-USER header injection. 6,200 exposed instances at risk as attackers begin active scanning.
17 malicious packages masquerading as payment processor SDKs exfiltrate API keys, AWS credentials, and GitHub tokens from developer environments. Packages flagged within 6 minutes of upload.
Technical analysis reveals Everest ransomware wakes sleeping machines via ARP cache parsing before encryption. ConfuserEx obfuscation and deceptive crypto declarations complicate response.
China-linked APT UAT-7810 expands LapDogs campaign with LongLeash, DogLeash, and JarLeash backdoors. Over 1,000 Ruckus and Asus routers compromised for espionage relay network.
Threat actor O-UNC-066 runs voice phishing campaign tricking Microsoft 365 users into enrolling attacker-controlled Entra passkeys. Real-time MFA bypass enables full account takeover.
CISA adds four actively exploited vulnerabilities to KEV catalog including two max-severity Joomla plugin flaws and Adobe ColdFusion CVE-2026-48282. Federal deadline is July 10.
Device code phishing attacks jumped 1,380% in early 2026. EvilTokens and 17 other PhaaS kits now offer turnkey identity theft that bypasses MFA and passkeys.
Threat actor '888' offers 35GB of Accenture data for sale including source code, RSA keys, SSH keys, and Azure tokens. Third major breach for the IT giant.
Malicious Python PoC repositories on GitHub deliver ChocoPoC RAT to security researchers. The trojan steals credentials and provides remote access via Mapbox dead drops.
CVE-2026-40138 and CVE-2026-40139 (CVSS 9.2) enable pre-auth bypass in BeyondTrust Remote Support and PRA. Flaws found using Claude AI during internal audit.
Ubiquiti warns of CVE-2026-50746 (CVSS 10.0) and six other critical vulnerabilities affecting UniFi OS devices. 100,000 instances exposed online require immediate patching.
CERT/CC warns of CVE-2026-11405, an undocumented authentication backdoor in Tenda router firmware. The vendor remains unreachable with no fix in sight.
CVE-2026-10134 enables unauthenticated RCE in Langflow OSS through public flows. Attackers can run arbitrary Python on servers via the build endpoint.
JetBrains fixes CVSS 9.8 account takeover bug in Hub and multiple RCE vulnerabilities across IntelliJ, GoLand, and other IDEs. Update immediately.
Kaspersky uncovers Umbrij, a .NET tool used by APT group ToddyCat to steal Gmail OAuth tokens through browser remote debugging—no credentials needed.
Researchers demonstrate TrojPix, an attack that turns invisible pixel changes into radio signals leaking data at 8.1 Mbps from air-gapped systems up to 208 meters away.
CVE-2026-20191 in Cisco Catalyst Center allows unauthenticated attackers to read arbitrary files through path traversal. Affects version 3.1+ across hardware appliances and cloud deployments.
New threat group Armored Likho targets government agencies and power sectors in Russia, Brazil, and Kazakhstan using BusySnake Stealer—malware with AI-generated loader code and reverse SSH tunneling capabilities.
Opera becomes the first browser to ship native protection against ClickFix attacks with Paste Protect, blocking malicious clipboard content before users can execute it in terminals or command prompts.
Critical authentication bypass in Oracle Payments (CVE-2026-46817) is being actively exploited. Over 900 vulnerable instances exposed online, with attackers achieving system takeover via unauthenticated HTTP requests.
Google releases Chrome 151 fixing 382 vulnerabilities including 15 critical use-after-free and type confusion bugs enabling remote code execution across Windows, macOS, and Linux.
Flipper Devices shifts to community-driven firmware development with new contribution rules, mandatory testing, and GitHub-based voting while focusing on Flipper One and new products.
Group-IB tracks Y2K Operators distributing upgraded Millennium RAT through game cheats and cracked software. Telegram serves as C2 channel.
LLMjacking evolves as threat actors hijack exposed Ollama servers to power multi-stage VAPT frameworks that scan, exploit, and compromise targets automatically.
Sophos and FBI warn of new partnership combining supply chain credential theft with ransomware deployment. 500,000 credentials already stolen.
CVE-2026-8451 and five other NetScaler vulnerabilities disclosed this week, with attackers already targeting SAML-configured appliances. Patch now.
JADEPUFFER campaign shows AI agents autonomously exploiting vulnerabilities, moving laterally, and encrypting databases. Ransomware attacks up 42% as LLMs compress attack timelines to seconds.
Pacemaker maker Medtronic notifies 3.8 million patients after April breach exposed SSNs and health information. ShinyHunters claims responsibility for the attack.
New infostealer campaign abuses EdgeUpdate and GoogleUpdater binaries through DLL sideloading to target Mexican businesses. Invoice-themed lures deliver credential theft malware.
Showing 48 of 1016 articles
ProbablyPwned delivers breaking hacking news and cybersecurity coverage for security professionals. Our team monitors global threat landscapes to bring you timely reporting on data breaches, vulnerability disclosures, and threat actor campaigns.
We cover the full spectrum of cyber threats including ransomware attacks, nation-state hacking operations, critical infrastructure incidents, and enterprise security breaches. Each story includes technical analysis, impact assessment, and actionable guidance.
Subscribe to our newsletter or follow our RSS feed to stay ahead of emerging threats. For in-depth security guidance, explore our Security Guides.
Track major data breaches and security incidents affecting organizations worldwide.
Latest ransomware attacks, malware analysis, and threat actor tracking.
Learn about ransomware, malware, phishing, and essential security practices.