Browser Extension Threats: What Security Teams Must Know
Malicious extensions have compromised over 15 million users in the past year. Here's how attackers exploit the extension ecosystem and what organizations can do.
Emily Park
Track the latest ransomware attacks, malware campaigns, and threat actor activity. Analysis of ransomware gangs, decryption tools, and defense strategies.
Emily Park
Ransomware attacks on healthcare surged 30% in 2025. Here's why medical organizations remain prime targets and what defenders can do about it.
Qilin has hit 1,000+ victims. Everest targets critical infrastructure. Here's what security teams need to know about today's most active ransomware operations.
From VS Code extensions to automation platforms, attackers are targeting the tools developers trust. Here's what security teams need to know.
Two rogue browser extensions masquerading as AI tools exfiltrated complete conversation histories from ChatGPT and DeepSeek to attacker-controlled servers every 30 minutes.
A threat actor called RedTeam is selling a $1,500 credential-stuffing tool with built-in scanning, proxy rotation, and multi-protocol support aimed at enterprise VPN infrastructure.
Russian ransomware group Clop claims responsibility for breach at Dartmouth College, posting stolen data on dark web and affecting more than 40,000 individuals including students, staff, and alumni.
Russian ransomware gang exploited CVE-2025-61882 to steal SSNs and financial data from the college. The same vulnerability hit Harvard, UPenn, and 100+ organizations.
The Russian-linked gang led all ransomware groups on January 6 with attacks spanning wine distributors, art logistics, and medical practices across three countries.
First macOS-focused wave of GlassWorm malware discovered on Open VSX marketplace, stealing cryptocurrency wallets, Keychain passwords, and developer credentials through trojanized extensions.
Aurora College in Canada's Northwest Territories cancels all classes January 5-9 after cyber attack over Christmas break takes down servers, email, and e-learning systems.
Hudson Rock research reveals 220 legitimate business websites hijacked for ClickFix malware attacks after admin credentials were stolen by infostealers.
New Year's Eve attack on Sedgwick Government Solutions compromises file transfer system serving DHS, CISA, and ICE. TridentLocker claims 3.4GB of stolen data.
Popular text editor's download page was hijacked for four days in December, serving trojanized installers that steal browser credentials and crypto wallets.
Nine-month-old botnet campaign pivots to exploit CVE-2025-55182 in Next.js, deploying cryptominers and Mirai variants across exposed instances.
After ASUS missed ransom deadline, Everest releases complete data trove including ROG source code, Qualcomm SDKs, and ArcSoft files on cybercrime forums.
ManageMyHealth confirms Kazu ransomware gang compromised Health Documents module, threatening to leak 108GB of medical records unless $60,000 ransom is paid.
Investigation reveals Qilin ransomware attack in May 2025 was far larger than initially reported. The gang has already leaked 850GB of stolen data.
The self-propagating VS Code extension worm now replaces Ledger Live and Trezor Suite with trojanized versions. Russian-speaking operators behind campaign.
A five-year investigation ends with extradition to South Korea. The 29-year-old allegedly infected 2.8 million Windows systems through trojanized software activation tools.
Chinese threat actor behind coordinated extension campaigns spanning seven years. Zoom Stealer component harvested corporate meeting credentials from 28 platforms.
Beyond CVSS scores, these vulnerabilities caused the most damage in 2025—from nation-state exploitation to mass ransomware campaigns and breaches affecting millions.
Oltenia Energy Complex shut down IT systems on December 26 after a ransomware attack encrypted critical documents and disrupted ERP, email, and web operations.
New variant distributed as signed and notarized Swift app evades built-in security. Jamf Threat Labs traces evolution from ClickFix techniques to silent installer approach.
Ransomware group says it exfiltrated over a terabyte of Chrysler customer data including Salesforce records and recall case narratives. Threatening to publish in days.
Supply chain attack disguised as working WhatsApp API library stole credentials, messages, and linked attacker devices to victim accounts. 56,000+ downloads since May.
Ransomware tracking data shows 63 total claims from 6 groups on December 26. LockBit's revival dominates holiday attack wave targeting reduced security staff.
David Stern, the sole employee running CISA's ransomware early warning initiative, resigned December 19 after being ordered to relocate. The program had sent 2,100+ alerts in 2024.
Month-long operation across 19 African nations recovers $3 million, takes down 6,000 malicious links, and decrypts six ransomware variants.
Akira ransomware gang exploited known SonicWall vulnerability to hit fintech vendor serving 700+ banks and credit unions. SSNs and card numbers stolen.
Oracle E-Business Suite zero-day exploitation adds another victim to Clop's CVE-2025-61882 campaign. SSNs and bank account numbers among exposed data.
Artem Stryzhak admits role in double-extortion ransomware attacks targeting large US and European companies from 2018 to 2021.
Federal indictments target Tren de Aragua members who used Ploutus malware to steal over $40 million from U.S. ATMs since 2021.
A Sygnia IR manager and DigitalMint negotiator admitted to deploying BlackCat ransomware while employed to help victims respond to such attacks.
Attackers weaponized Windows BitLocker to encrypt systems across Romanian Waters, impacting 10 of 11 river basin management organizations.
From the largest cryptocurrency heist in history to nation-state espionage campaigns targeting critical infrastructure, 2025 redefined the cyber threat landscape.
Massive Android botnet targets set-top boxes and tablets, issued 1.7 billion attack commands in 3 days, briefly surpassing Google in DNS rankings.
CVE-2025-55182 exploitation escalates as Weaxor ransomware operators use critical React Server Components flaw for initial access across 60+ organizations.
Russian-developed infostealer now production-ready after December 16 release, targets browser credentials, crypto wallets, and messaging apps for $175/month.
New $150/month malware platform allows attackers to create weaponized versions of legitimate Android apps while maintaining full functionality.
Security researchers uncover sophisticated steganography attack concealing malicious JavaScript within PNG logo files of 17 Firefox browser extensions.
Pickett USA breach exposes LiDAR scans, transmission line surveys, and substation layouts for Tampa Electric, Duke Energy Florida, and American Electric Power. Asking price: 6.5 BTC.
Threat actor '1011' posted alleged data from the semiconductor equipment giant to a Russian cybercrime forum. Security researchers are verifying the files.
System enhancement gone wrong allowed members to view other members' names, diagnoses, and medications. The insurer is offering affected individuals credit monitoring.
Ransomware remains one of the most damaging cyber threats facing organizations today. Our coverage tracks active ransomware gangs, new malware variants, attack campaigns, and the evolving tactics used by threat actors.
We analyze ransomware-as-a-service (RaaS) operations, infostealer malware, banking trojans, and nation-state malware campaigns. Each article includes indicators of compromise (IOCs), MITRE ATT&CK mappings, and practical defense recommendations.
New to ransomware? Read our comprehensive guide: What is Ransomware? For broader malware education, see What is Malware?