RedHook Android RAT Weaponizes Wireless ADB for Shell Access
Group-IB reveals RedHook banking trojan now exploits Android's Wireless Debugging to gain shell privileges without rooting. Active in Southeast Asia with 53 remote commands.
Track the latest ransomware attacks, malware campaigns, and threat actor activity. Analysis of ransomware gangs, decryption tools, and defense strategies.
Group-IB reveals RedHook banking trojan now exploits Android's Wireless Debugging to gain shell privileges without rooting. Active in Southeast Asia with 53 remote commands.
Attackers hijacked the jscrambler npm package to deploy a cross-platform Rust infostealer that harvests credentials from AI coding assistants, cloud platforms, and crypto wallets.
China-based threat actor Lurking Lizard operates 230+ lookalike domains serving trojanized 7-Zip installers and the WireVPN app to recruit victims into a residential proxy botnet without consent.
Former analyst claims a Huntress threat hunter shared FBI communications with ransomware operator Devman, including agent names. CEO admits 'poor judgment' but denies illegality.
Angelo Martino leaked client insurance limits and negotiation strategies to the ransomware gang he was hired to negotiate against. Federal court sentences the double agent to nearly six years.
Unit 42 uncovers Node.js-based RAT using Ethereum smart contracts for C2. Attackers impersonate IT staff on Teams calls to install remote access tools before deploying EtherRAT.
Symantec exposes GodDamn ransomware's BYOVD attack using Microsoft-signed PoisonX kernel driver to blind EDR tools. Here's how Hyadina's latest variant works and what defenders should watch for.
17 malicious packages masquerading as payment processor SDKs exfiltrate API keys, AWS credentials, and GitHub tokens from developer environments. Packages flagged within 6 minutes of upload.
Technical analysis reveals Everest ransomware wakes sleeping machines via ARP cache parsing before encryption. ConfuserEx obfuscation and deceptive crypto declarations complicate response.
Malicious Python PoC repositories on GitHub deliver ChocoPoC RAT to security researchers. The trojan steals credentials and provides remote access via Mapbox dead drops.
Kaspersky uncovers Umbrij, a .NET tool used by APT group ToddyCat to steal Gmail OAuth tokens through browser remote debugging—no credentials needed.
New threat group Armored Likho targets government agencies and power sectors in Russia, Brazil, and Kazakhstan using BusySnake Stealer—malware with AI-generated loader code and reverse SSH tunneling capabilities.
Group-IB tracks Y2K Operators distributing upgraded Millennium RAT through game cheats and cracked software. Telegram serves as C2 channel.
Sophos and FBI warn of new partnership combining supply chain credential theft with ransomware deployment. 500,000 credentials already stolen.
JADEPUFFER campaign shows AI agents autonomously exploiting vulnerabilities, moving laterally, and encrypting databases. Ransomware attacks up 42% as LLMs compress attack timelines to seconds.
New infostealer campaign abuses EdgeUpdate and GoogleUpdater binaries through DLL sideloading to target Mexican businesses. Invoice-themed lures deliver credential theft malware.
SOCRadar links FortiBleed to INC and Lynx ransomware operations. 430,000 FortiGate firewalls targeted, 110 million credentials stolen, 12+ ransomware deployments confirmed.
New modular malware framework Avalon combines credential theft, lateral movement, and CrownX ransomware in one package. AI-assisted development suspected.
CISA confirms ransomware groups are exploiting CVE-2026-33825, a Microsoft Defender privilege escalation flaw leaked in April. Patch urgently if you haven't already.
Malwarebytes documents a new loader that abuses a legitimate driver to terminate EDR processes, then uses process hollowing to inject the StealC infostealer through fake Google and Cloudflare verification pages.
Jamf Threat Labs uncovers a macOS infostealer that impersonates the Maccy clipboard manager, validates credentials through PAM, then harvests browser data, crypto wallets, and iCloud Keychain.
Check Point Research reveals InfernoGrabber, an AI-generated ransomware that encrypts files through Chrome's File System Access API without installing malware or exploiting any vulnerability.
The Blackfield ransomware gang claims a breach at Nidec Corporation, demanding $2 million to prevent data leakage. This marks Nidec's second ransomware incident in two years.
BabaDeda, Lorem Ipsum, and Potemkin loaders emerge from ClickFix social engineering attacks, deploying infostealers and linking to Rhysida ransomware operations.
18 compromised packages hide execution in VS Code folder-open tasks, fetch encrypted payloads from blockchain transactions, and deploy Python infostealers.
Two UK teenagers plead guilty to the September 2024 TfL breach that exposed 10 million commuters and forced 28,000 employees to reset passwords in person.
Microsoft Threat Intelligence tracks active campaign deploying TonRAT malware against hospitality sector in Europe and Asia via fake guest complaint emails.
SentinelOne discovers Gaslight, a Rust-based macOS backdoor embedding 38 fake system messages designed to crash or confuse AI-powered malware analysis tools.
A malicious Edge extension abuses Chrome's Native Messaging protocol to deploy a Python backdoor with full system access, linked to Payouts King ransomware operations.
Symantec links the stealthy Mistic backdoor to KongTuke, an initial access broker supplying corporate network access to major ransomware gangs.
Microsoft and Europol seize 66 domains and 296 servers supporting StealC and Amadey malware, recovering 25.6 million stolen credentials in coordinated takedown.
CVE-2026-50751 allows unauthenticated VPN access via IKEv1 certificate validation flaw. CISA gave federal agencies three days to patch after linking attacks to ransomware affiliate.
Three malicious packages impersonating PostCSS tools deploy a multi-stage Windows RAT. The payload steals saved passwords by bypassing Chrome's app-bound encryption.
Attackers hijacked orphaned AUR packages to push malicious npm payloads. The rootkit hides processes at kernel level while the stealer exfiltrates developer credentials.
Unit 42 uncovers ClickFix campaign using hdiutil -nobrowse to silently mount disk images on macOS. Victims never see the DMG—just Atomic Stealer harvesting credentials.
Kaspersky uncovers a multi-country malware campaign using WhatsApp to distribute VBScript files that install ManageEngine remote access tools. Malaysia accounts for 80% of victims.
A previously undocumented botnet exploits 13-year-old D-Link flaws to build a distributed proxy network. South Korea and China account for 80% of infections.
Prinz Eugen ransomware prioritizes recently modified files for encryption, maximizing business disruption. Learn how this Go-based threat works and who's at risk.
Symantec reveals ransomware group used Teams TURN relay infrastructure to mask command-and-control. First documented abuse of Teams relay for malware C2.
ESET unmasks GentleKiller, an 8-variant EDR killer framework targeting 400+ security processes. The gang ships updates to affiliates like a software vendor.
Microsoft warns of CryptoBandits campaign spreading clipboard-hijacking malware through USB drives. The worm uses Tor C2, steals seed phrases, and replaces wallet addresses mid-transaction.
International law enforcement seizes 106 servers and 101 domains behind SocGholish malware framework, cleaning up 15,000 infected WordPress sites. Evil Corp connection confirmed.
Malicious JetBrains IDE plugins disguised as AI coding assistants exfiltrated OpenAI and DeepSeek API keys from developers. All 15 plugins have been removed and publisher accounts terminated.
144 packages in the Mastra AI framework compromised via hijacked maintainer account. The malicious easy-day-js dependency deploys a crypto-stealing RAT affecting 1.1M weekly downloads.
Kaspersky uncovers malware campaign using Wallpaper Engine's Steam Workshop to distribute DarkKomet, Lumma, and Vidar. China-focused attacks stole Steam accounts and deployed cryptominers.
Ukrainian national Oleksii Lytvynenko admits to developing loader malware for the Conti ransomware gang after extradition from Ireland. Sentencing set for September 2026.
North Korean hackers impersonate Microsoft Account security notifications to deliver NarwhalRAT, a Python-based RAT with keylogging, screen capture, and cloud-based C2.
China-linked FishMonger APT expands its Linux-only SprySOCKS backdoor to Windows with WIN_DRV and WIN_PLUS variants featuring kernel drivers and Print Spooler abuse.
Insurance provider AssuranceAmerica disclosed a data breach affecting 6.9 million customers—the largest known exposure of driver's license numbers in 2026. Attackers compromised employee credentials.
Threat actor '888' offers 35GB of Accenture data for sale including source code, RSA keys, SSH keys, and Azure tokens. Third major breach for the IT giant.
Pacemaker maker Medtronic notifies 3.8 million patients after April breach exposed SSNs and health information. ShinyHunters claims responsibility for the attack.
Ransomware remains one of the most damaging cyber threats facing organizations today. Our coverage tracks active ransomware gangs, new malware variants, attack campaigns, and the evolving tactics used by threat actors.
We analyze ransomware-as-a-service (RaaS) operations, infostealer malware, banking trojans, and nation-state malware campaigns. Each article includes indicators of compromise (IOCs), MITRE ATT&CK mappings, and practical defense recommendations.
New to ransomware? Read our comprehensive guide: What is Ransomware? For broader malware education, see What is Malware?
Browse all cybersecurity news including breaches, vulnerabilities, and threat intel.
Complete guide to understanding ransomware attacks and how to prevent them.
APT tracking, nation-state campaigns, and threat actor analysis.