Site Map

New 'LucidRook' Malware Uses Lua and Rust in Targeted Attacks on Taiwan

Security researchers at Cisco Talos have discovered a new, sophisticated malware family named 'LucidRook' used in targeted spear-phishing campaigns. Attributed to a threat cluster known as UAT-10362, the attacks primarily target non-governmental organizations (NGOs) and universities in Taiwan. LucidRook is a complex stager delivered as a DLL that embeds a Lua interpreter and Rust-compiled libraries. It uses a dropper component, 'LucidPawn,' which performs an anti-analysis check to ensure it only runs on systems configured for the Traditional Chinese language. The malware downloads and executes Lua bytecode payloads from a C2 server, and is accompanied by a reconnaissance tool called 'LucidKnight' used for initial system profiling.

APT28 'FrostArmada' Campaign Hijacks SOHO Routers for Global DNS Espionage

The Russian-linked threat group APT28 (aka Forest Blizzard) has been identified as the actor behind 'FrostArmada,' a large-scale cyber espionage campaign compromising insecure Small Office/Home Office (SOHO) routers. According to Lumen's Black Lotus Labs and Microsoft, the campaign, active since at least May 2025, exploits vulnerable MikroTik and TP-Link routers. The attackers modify the devices' DNS settings to redirect traffic from victims—including government agencies and cloud service users—to attacker-controlled infrastructure. This allows for passive credential harvesting and data collection. At its peak, the campaign's infrastructure communicated with over 18,000 IPs across 120 countries before being disrupted by a law enforcement operation.

Singapore's CSA Issues Advisory on Securing Software Supply Chains

The Cyber Security Agency of Singapore (CSA) has published an advisory on the increasing threat of software supply chain attacks. The guidance warns that threat actors are targeting third-party software dependencies and automated development pipelines to compromise internal corporate systems. The CSA highlights that a single compromised tool can grant attackers deep access, leading to data theft and operational downtime. The advisory cites recent incidents like the hijacking of the popular 'Axios' npm package as examples of this growing threat. The CSA urges organizations to enforce strict governance over development environments, identify dependencies, and have incident response plans ready.

Southern Illinois Dermatology Breach Exposes Data of Over 150,000 Patients

Southern Illinois Dermatology has started notifying patients of a data breach that occurred in November 2025. An unauthorized party gained access to its network and exfiltrated files containing patient data, including names, Social Security numbers, and medical information. The 'Insomnia' threat group has claimed responsibility for the attack, alleging they stole data from over 150,000 patients. The group has since followed through on its threats by leaking the entire stolen dataset on its data leak site, amplifying the impact on affected individuals.

Samsung's April 2026 Patch Fixes 47 Vulnerabilities in Galaxy Devices

Samsung has released its April 2026 security patch, which addresses a total of 47 vulnerabilities affecting its Galaxy line of smartphones, tablets, and wearables. The update is a combination of patches from Google and Samsung itself. It includes 33 fixes from Google's Android Security Bulletin, 14 of which are rated critical. Additionally, Samsung has included 14 of its own Samsung Vulnerabilities and Exposures (SVEs), addressing high-severity flaws in both its software and underlying semiconductor firmware. Users are advised to install the update as soon as it becomes available for their device and region.

US Data Breach Costs Hit Record $10.2M, Fueled by AI and Supply Chain Attacks

A new report from insurance provider Chubb reveals that the average cost of a data breach in the United States has reached a record high of $10.2 million, more than double the global average. The 2026 Cyber Claims Report identifies three key drivers for this surge: the weaponization of Artificial Intelligence (AI) by cybercriminals, an increase in immediate litigation following breach announcements, and the cascading impact of software supply chain compromises. The report notes that hostile AI is being used for self-rewriting malware and deepfake-based social engineering, while supply chain issues are now seen as the top cyber challenge by 65% of large companies.

TeamPCP's Sophisticated Supply Chain Attack on Trivy and LiteLLM Hits 1,000+ SaaS Environments

A multi-stage supply chain attack by the threat group TeamPCP has caused a significant security crisis, beginning with the compromise of the popular open-source scanner Trivy and expanding to other developer tools, including Checkmarx KICS and LiteLLM. The attackers exploited a previously stolen GitHub token to poison official software releases and CI/CD pipelines, injecting credential-stealing malware. The campaign has already compromised over 1,000 SaaS environments, exfiltrating cloud credentials, SSH keys, and other secrets. The attack, tracked under CVE-2026-33634, highlights the systemic risk in modern software supply chains, with experts warning the full impact could affect up to 10,000 organizations.

Healthcare IT Firm CareCloud Probes Patient Data Access in EHR Breach

Healthcare technology provider CareCloud is investigating a security breach that gave an unauthorized third party access to one of its electronic health record (EHR) environments for eight hours on March 16, 2026. The company, which serves over 45,000 healthcare providers, has not yet confirmed if protected health information (PHI) was exfiltrated but has hired a leading cyber response team to assess the scope. The incident has been reported to the SEC, highlighting the potential for significant legal, regulatory, and reputational fallout if a large-scale patient data leak is confirmed.

Pro-Iranian Hacktivists "Handala" Claim Attack on US Medical Tech Firm Stryker

A pro-Iranian hacktivist group known as Handala has claimed responsibility for a cyberattack against Stryker, a prominent US-based medical technology company. This incident is part of a broader, politically motivated campaign by Iranian-linked threat actors targeting the US healthcare sector. Unlike financially motivated attacks, the primary goal of these operations appears to be disruption, intimidation, and causing chaos, reflecting the use of cyber operations as a tool in geopolitical conflicts. The attack on Stryker highlights the vulnerability of critical infrastructure sectors to state-aligned hacktivism.

Iranian APTs Target US Critical Infrastructure, Exploiting Internet-Exposed Rockwell PLCs

A coalition of U.S. federal agencies, including CISA, the FBI, and the NSA, has issued a joint advisory (AA26-097A) warning of ongoing disruptive attacks by Iranian-affiliated APT actors against U.S. critical infrastructure. The campaign specifically targets internet-connected operational technology (OT) devices, with a focus on Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs). These attacks have already caused operational disruptions in the Water and Wastewater Systems (WWS) and energy sectors. The threat actors, known by aliases such as Hydro Kitten and Storm-0784, are manipulating the PLCs to disrupt industrial processes. The advisory strongly urges organizations to disconnect OT devices from the public internet and apply hardening measures recommended by Rockwell Automation to prevent further compromises.

AI Model Discovers RCE Zero-Days in Vim and Emacs with Simple Prompts

A security researcher has demonstrated the power of AI in vulnerability discovery by using Anthropic's Claude Code model to find critical zero-day flaws in the source code of the popular Vim and GNU Emacs text editors. With a simple prompt—"Somebody told me there is an RCE 0-day when you open a file. Find it"—the AI model identified a remote code execution (RCE) vulnerability in Vim within minutes. This flaw, now patched and tracked as CVE-2026-34714 (CVSS 9.2), allowed command execution when opening a malicious file. The AI subsequently found a similar issue in GNU Emacs, which its maintainers have reportedly not yet addressed. The findings highlight the dual-use nature of advanced AI, capable of dramatically accelerating both defensive security research and malicious exploit development.

Hackers Actively Exploit Critical RCE Flaw in Ninja Forms WordPress Add-on

A critical remote code execution (RCE) vulnerability, CVE-2026-0740, in the 'File Uploads' add-on for the popular Ninja Forms WordPress plugin is being actively exploited in the wild. The flaw, rated 9.8 out of 10 for severity, allows an unauthenticated attacker to upload malicious files, such as PHP web shells, and achieve complete website takeover. The vulnerability stems from insufficient file type validation, enabling attackers to bypass security checks and place executable files in sensitive directories. The plugin developer has released a patch in version 3.3.27. Security firm Wordfence, which helped disclose the issue, reported blocking thousands of exploitation attempts, underscoring the urgent need for users to update immediately.

SparkCat Mobile Malware Returns, Stealing Crypto Phrases from Photos on iOS and Android

A new variant of the SparkCat mobile trojan has been discovered on both the Apple App Store and Google Play Store, disguised as legitimate applications like enterprise messengers. Security researchers at Kaspersky report that the malware, which primarily targets users in Asia, uses a novel technique to steal cryptocurrency. After gaining access to a user's photo gallery, SparkCat employs Optical Character Recognition (OCR) to scan all images, searching for text that matches the format of a cryptocurrency wallet recovery phrase. If a potential phrase is found, the image is exfiltrated to an attacker-controlled server, giving the threat actor complete control over the victim's crypto assets. The malware's ability to bypass the security vetting of both major app stores highlights a significant threat to mobile users.

Anthropic's Project Glasswing Uses New AI to Find Thousands of Critical Flaws

AI research company Anthropic has launched Project Glasswing, a major cybersecurity initiative that uses a new AI model, Claude Mythos, to proactively discover vulnerabilities in critical software. In partnership with a consortium of tech giants including Google, Microsoft, and Apple, the project aims to secure the digital ecosystem by finding and fixing flaws before they can be exploited. In early testing, Claude Mythos has already demonstrated remarkable capabilities, identifying thousands of high-severity vulnerabilities. Notable discoveries include a 16-year-old bug in the FFmpeg library, a remote crash vulnerability affecting major operating systems, and a privilege escalation chain in the Linux kernel. The project signals a new era of AI-driven defensive security, aiming to put powerful vulnerability discovery tools in the hands of defenders.

Fortinet Scrambles to Patch Actively Exploited FortiClient EMS Zero-Day (CVE-2026-35616)

Fortinet has released an emergency hotfix for a critical zero-day vulnerability, CVE-2026-35616, affecting its FortiClient Endpoint Management Server (EMS). The flaw, rated 9.1 on the CVSS scale, is an improper access control issue that allows an unauthenticated remote attacker to achieve remote code execution. Fortinet confirmed the vulnerability is being actively exploited in the wild, prompting the U.S. CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog and mandate a swift patching deadline for federal agencies.

Critical Cisco IMC Flaw (CVE-2026-20093) Allows Full Server Takeover

Cisco has patched a critical authentication bypass vulnerability, CVE-2026-20093, in its Integrated Management Controller (IMC) firmware. The flaw, rated 9.8 on the CVSS scale, allows an unauthenticated, remote attacker to reset any user's password, including the administrator's, by sending a single crafted HTTP request. A successful exploit grants complete hardware-level control over a wide range of Cisco UCS servers and appliances. Cisco has released patched firmware and advises customers to update immediately, as there are no workarounds.

Qilin Ransomware Attacks German Party Die Linke, Threatens Data Leak

The Russia-speaking Qilin ransomware group has claimed responsibility for a cyberattack against the German political party Die Linke. The attack, detected on March 26, prompted the party to shut down parts of its IT infrastructure. Qilin is now threatening to publish stolen internal documents and employee data on its dark web leak site. While the main membership database was not compromised, Die Linke has suggested the attack may be politically motivated and part of a broader hybrid warfare campaign, not just a random criminal act.

North Korean Hackers Abuse GitHub for C2 in Campaign Targeting South Korea

A sophisticated, multi-stage phishing campaign attributed to North Korean state-sponsored actors is targeting organizations in South Korea. The attackers use malicious Windows shortcut (LNK) files disguised as business documents to deliver a PowerShell-based payload. A key feature of the campaign is the abuse of GitHub as a command-and-control (C2) channel, allowing the malware to exfiltrate data and receive commands by communicating with attacker-controlled repositories. This tactic helps the malicious traffic blend in with legitimate web activity, evading detection. The campaign shows links to known North Korean groups like Kimsuky and Lazarus.

Critical RCE Chain in Progress ShareFile Allows Unauthenticated Takeover

Security researchers have publicly disclosed a critical vulnerability chain in the on-premise version of Progress ShareFile Storage Zones Controller. The chain combines an authentication bypass (CVE-2026-2699, CVSS 9.8) and a file upload flaw (CVE-2026-2701, CVSS 9.1), allowing an unauthenticated attacker to achieve remote code execution (RCE) and take over the server. Although Progress patched the flaws in March, the public disclosure of technical details increases the risk for the nearly 30,000 internet-exposed instances that remain unpatched.

Unpatched Windows Zero-Day 'BlueHammer' Exploit Leaked, Allows SYSTEM-Level Access

A security researcher has publicly released a proof-of-concept (PoC) exploit for an unpatched Windows zero-day vulnerability dubbed "BlueHammer." The leak, which occurred after a dispute with the Microsoft Security Response Center (MSRC), exposes a local privilege escalation (LPE) flaw. The exploit allows a local attacker with limited access to gain full SYSTEM-level permissions on a compromised machine, significantly increasing the risk for Windows users as the vulnerability remains unpatched.

Cybercriminals Exploit Tax Season with Over 100 Unique Phishing and Malware Campaigns

As tax season intensifies, a surge of over one hundred distinct cyber campaigns are exploiting the urgency of filing deadlines, according to a report from Proofpoint. Threat actors are using a variety of tax-themed lures, such as fake W-8BEN, W-2, and W-9 forms, to conduct credential phishing, Business Email Compromise (BEC), and malware distribution. A notable trend is the use of these phishing emails to trick victims into installing legitimate Remote Monitoring and Management (RMM) tools, which provides attackers with persistent access to compromised systems. Campaigns have been observed globally, with a newly identified actor, TA2730, focusing on targets in Asia.

Toy Giant Hasbro Hit by Cyberattack, Recovery to Take Weeks

The global toy and entertainment company Hasbro, Inc. has confirmed it was the victim of a cyberattack. The incident, detected on March 28, 2026, involved unauthorized access to its network and has caused significant operational disruption. The company immediately shut down affected systems and engaged external experts to investigate. In an SEC filing, Hasbro stated it was in its second week of limited operations and expects the recovery period to last several more weeks, suggesting a sophisticated intrusion with potential persistence. The specific nature of the attack, such as whether it involved ransomware or data theft, has not yet been disclosed.

F5 BIG-IP Flaw Escalated to Critical 9.8 RCE, Now Under Active Attack

F5 has urgently reclassified a vulnerability in its BIG-IP Access Policy Manager (APM), CVE-2025-53521, from a medium-severity Denial-of-Service (DoS) flaw to a critical 9.8 CVSS unauthenticated Remote Code Execution (RCE) vulnerability. Originally disclosed in October 2025, F5 updated its advisory on March 28, 2026, after discovering it could be exploited for full system compromise. The vulnerability is now under active attack in the wild, prompting CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog. Attackers can send crafted traffic to a virtual server with an APM policy to gain root access. F5 urges customers to apply the patches released in October 2025, which are confirmed to mitigate this severe RCE vector.

AI-Powered Attacks Now a Top Concern for 79% of IT Leaders, Armis Report Finds

According to the fourth annual 'State of Cyberwarfare Report' by Armis, 79% of global IT decision-makers now consider artificial intelligence a significant security threat. The report, which surveyed 1,900 IT leaders, highlights a new phase of cyber conflict where AI is being weaponized by attackers to automate reconnaissance, vulnerability discovery, and lateral movement. Experts warn that AI compresses the 'critical risk window' between vulnerability discovery and exploitation, outpacing the response capabilities of many security teams. In response, 49% of security leaders are making AI and automation their top investment priority for 2026 to keep pace with these accelerated threats.

Hong Kong Hospital Authority Apologizes for Data Leak Affecting 56,000 Patients

The Hong Kong Hospital Authority (HA) is investigating a major data breach that exposed the sensitive personal and medical information of over 56,000 patients from its Kowloon East hospital cluster. The data, including HKID numbers and surgical details, was discovered on a third-party platform. While an external cyberattack has been ruled out, the breach is suspected to be linked to 'inappropriate access' by a contractor. The police and Hong Kong's privacy commissioner have launched formal investigations into the incident.

Anthropic Accidentally Leaks 'Claude Code' AI Source Code in Packaging Error

AI research company Anthropic experienced a significant intellectual property leak after the full source code for its flagship 'Claude Code' AI tool was accidentally published. The leak was caused by a packaging error where a JavaScript source map file, included in a public npm package, contained the entire agent architecture. For over three hours, 512,000 lines of proprietary TypeScript code were publicly accessible and were cloned thousands of times. Anthropic has stated it was a human error, not a security breach, and that no customer data was exposed.

Hyderabad Police Warn of WhatsApp Impersonation Fraud Leading to Major Corporate Losses

Police in Hyderabad, India, have issued an alert about a sophisticated new fraud scheme targeting corporations. The multi-stage attack begins with a phishing email that installs remote access malware on an employee's computer. The criminals then wait for an active WhatsApp Web session, which they hijack to impersonate a senior executive (like the CEO or CFO). Posing as the executive, they instruct finance staff to make urgent, fraudulent financial transfers. The use of the legitimate WhatsApp account lends credibility to the requests, leading to significant financial losses for several companies.

Trend Micro Uncovers Coordinated Malware Campaigns Targeting Seven Indian Banks

Cybersecurity firm Trend Micro has identified a large-scale, coordinated phishing campaign targeting the customers of seven major banks in India. The attackers are using five distinct families of banking malware to steal credit card data and personal credentials. The primary attack vector is phishing messages containing malicious links that redirect victims to fake login pages and other fraudulent websites. The report highlights a significant and ongoing threat to India's banking sector, though the specific banks and malware families were not disclosed.

Novel AI 'Feedback Loop' Attack Triggers 4-Hour Market Freeze at Financial Hub

A major global financial hub experienced a four-hour market freeze due to a novel cyberattack that turned an AI-powered defense system against itself. Attackers generated millions of fake, low-grade security alerts, overwhelming the institution's AI-driven Security Orchestration, Automation, and Response (SOAR) platform. The defensive AI, misinterpreting the flood of alerts as a massive assault, initiated its ultimate containment protocol: quarantining the entire primary trading floor network. The incident exposes a critical vulnerability in fully automated defense systems.

CISA Mandates Decommission of Medical IoT Gateways Due to 'Vitals Vapor' Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-03, ordering the immediate decommissioning of specific legacy embedded IoT gateways used in medical facilities. The urgent action responds to a new zero-day exploit dubbed 'Vitals Vapor,' which poses a grave threat to patient safety. The exploit allows attackers to compromise patient monitoring systems, freeze the live data feed, and loop pre-recorded normal data to nursing stations, effectively hiding a patient's deteriorating condition or the effects of a cyberattack.

Australian Water Treatment Facilities Thwart Coordinated PLC Cyberattack

Multiple municipal water treatment facilities in Australia were the target of a coordinated cyberattack aimed at their chemical feed Programmable Logic Controllers (PLCs). The attackers attempted to breach the industrial control systems to override safety thresholds for chlorine distribution. A potential public health crisis was averted by the timely manual intervention of plant operators. The incident exposes significant vulnerabilities in internet-connected critical infrastructure and highlights the growing threat to operational technology (OT) in the water sector.

Cisco Patches Critical Unauthenticated RCE Flaw in Smart Software Manager

Cisco has released a security patch for a critical vulnerability, CVE-2026-20160, in its Smart Software Manager On-Prem (SSM On-Prem) product. The flaw, which has a CVSS score of 9.8, could allow an unauthenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system. The vulnerability is due to insufficient access control on a specific API. An attacker can exploit it by sending a crafted HTTP request. Cisco has released software updates and confirms there are no workarounds. The company's PSIRT is not aware of any malicious exploitation of this flaw, which was discovered during internal security testing.

Lapsus$ Claims Theft of 4TB of Data from AI Firm Mercor in LiteLLM Supply Chain Attack

AI recruiting firm Mercor has confirmed it was impacted by a recent supply chain attack targeting the open-source LiteLLM PyPI package. The incident occurred on March 27, when malicious versions `1.82.7` and `1.82.8` of LiteLLM were published for about 40 minutes. Following the incident, the notorious extortion group Lapsus$ claimed responsibility, listing Mercor on its data leak site and alleging the theft of over 4 terabytes of data. Mercor is currently investigating the breach with third-party forensic experts. The attack originated from a compromise of a dependency used in Mercor's CI/CD workflow, highlighting the cascading risks in the software supply chain.

Hims & Hers Faces Class Action Probe After Third-Party Vendor Breach

Telehealth company Hims & Hers, Inc. is under investigation for a data breach that originated from its third-party customer service provider, Zendesk. An unauthorized user gained access to the Zendesk platform between February 4 and February 7, 2026, exposing sensitive customer service tickets. These tickets contained personal information submitted by customers, including names and contact details. The national class action law firm Edelson Lechtzin LLP has launched an investigation into data privacy claims, highlighting the significant supply chain risks associated with third-party vendors.

EU Commission Hacked via Compromised Trivy Scanner in Major Supply Chain Attack

A significant data breach at the European Commission has been attributed to the hacking group TeamPCP, who leveraged a compromised version of the popular Trivy open-source vulnerability scanner. The supply chain attack allowed the threat actors to steal an AWS API key, gain management rights to the Commission's cloud environment, and exfiltrate 92 GB of compressed data, including sensitive email communications. The stolen data was later put up for sale on a dark web forum by the data broker ShinyHunters, underscoring a dangerous collaboration between cybercriminal groups.

Russian APTs Re-Exploiting Past Breaches for Renewed Attacks in Ukraine

Ukraine's computer emergency response team, CERT-UA, has issued a warning that Russian state-sponsored hacking groups like APT28 (Fancy Bear) and Void Blizzard are systematically revisiting networks they have previously compromised. This new tactic focuses on checking for persistent access, unpatched vulnerabilities, and still-valid credentials to launch follow-up operations. The attackers are also evolving their social engineering, using direct phone and video calls to build trust before sending malicious files, making their initial access attempts more effective.

Cyberattack Disrupts Emergency Communications in Massachusetts Towns

A cyberattack beginning April 2, 2026, has impacted the Patriot Regional Emergency Communications Center, which provides 911 dispatch services for several towns in northern Massachusetts. The attack has disrupted town and public safety computer systems, taking non-emergency and business phone lines offline. While critical 9-1-1 call systems remain operational, the incident has significantly hampered administrative and secondary communication channels. Federal law enforcement has been notified, and an investigation is underway to determine the scope of the attack.

Researchers Gain Access to Hacker Dashboard in React2Shell Campaign

Researchers at Cisco Talos gained access to the operational dashboard of a threat group, UAT-10608, that is actively exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications. A security lapse in the attackers' own infrastructure left a web application fronting their stolen data collection exposed. This allowed Talos to view a trove of stolen credentials, API keys, and access tokens harvested from hundreds of compromised servers, including credentials for AWS and GitHub. Talos is now notifying the affected victims.

Traffic Violation Scams Leverage QR Codes to Harvest Financial Data

A new wave of phishing scams is using QR codes embedded in fake traffic violation notices to trick victims into visiting malicious websites. This tactic bypasses user suspicion of malicious links in text messages and leverages the authority of government impersonation to create urgency. When scanned, the QR code directs the victim to a sophisticated phishing page designed to harvest personal and payment card details, contributing to the nearly $800 million in losses from government impersonation scams reported by the FBI in 2025.

Chinese Hackers Exploit TrueConf Zero-Day in 'Operation TrueChaos'

A suspected Chinese-nexus advanced persistent threat (APT) group is exploiting a zero-day vulnerability, CVE-2026-3502, in the TrueConf video conferencing application. The campaign, dubbed 'Operation TrueChaos' by Check Point, targets government entities in Southeast Asia. The attackers compromise on-premises TrueConf servers and hijack the software's update mechanism to deliver malicious updates to client machines. The final payload observed in these attacks is the Havoc open-source post-exploitation framework, giving the threat actors a persistent foothold inside the targeted government networks. TrueConf has patched the flaw in client version 8.5.3.

NightSpire Ransomware Claims Attack on French Org, Threatens to Leak Audit Data

The NightSpire ransomware group has claimed responsibility for a cyberattack against Association OCACIA, a French organization. On April 3, 2026, the group announced the breach on its leak site, threatening to publish sensitive internal documents if its ransom demands are not met. The allegedly exfiltrated data includes audit reports, non-compliance records, and corrective action plans, which could be highly damaging if released.

EU Commission Suffers Major Data Breach; TeamPCP Hackers Blamed for 92GB Data Heist

The European Union's cybersecurity agency, CERT-EU, has attributed a significant data breach at the European Commission to the hacking group TeamPCP. The attack involved the compromise of the Commission's Amazon Web Services (AWS) account, leading to the exfiltration of approximately 92 gigabytes of data, including emails and documents. The breach is believed to be linked to the use of a compromised version of the Trivy open-source vulnerability scanner, which provided the attackers with a secret Amazon API key. The incident has potentially exposed data from dozens of EU entities.

ShinyHunters Threatens to Leak Cisco Data, Claims Breach of Salesforce and AWS

The data extortion group ShinyHunters has issued a final ultimatum to networking giant Cisco, demanding contact by April 3, 2026, before it begins leaking a massive trove of allegedly stolen data. The group claims to have exfiltrated over three million Salesforce records, source code, and other internal files by compromising Cisco's Salesforce and AWS environments. The threat actor referenced 'UNC6040', linking the breach to a previously disclosed vishing campaign that targeted Cisco employees, suggesting social engineering was a key component of the attack.

REF1695 Campaign Spreads RATs and Cryptominers via Fake Software Installers

A long-running threat campaign, dubbed REF1695, has been active since November 2023, using counterfeit software installers to deliver a variety of malicious payloads. According to Elastic Security Labs, the operation uses ISO file lures to distribute malware including the PureMiner and PureRAT trojans, the CNB Bot implant, and various cryptominers like XMRig. The threat actor leverages GitHub as a content delivery network (CDN) to host its payloads, a tactic designed to evade detection by using a trusted platform.

Immigration Law Platform DocketWise Discloses Breach Affecting Over 116,000 People

DocketWise, a cloud-based case management platform for immigration lawyers, has reported a data breach that exposed the highly sensitive personal information of 116,666 individuals. The breach, discovered in October 2025, occurred when an unauthorized actor gained access to a third-party partner repository containing law firm records. The compromised data includes names, Social Security numbers, passport numbers, financial details, and medical information, posing a significant risk of identity theft and fraud.

T-Mobile Confirms Insider Data Breach, States Only One Customer Affected

T-Mobile USA has clarified that a recent data breach notification was the result of an isolated insider threat incident, not a large-scale attack. A vendor employee improperly accessed the account information of a single customer, exposing their name, address, account PIN, and Social Security Number. T-Mobile stated that no credentials were compromised in the incident and that it has reset the affected customer's PIN and notified law enforcement.

LinkedIn Accused of Secretly Scanning for 6,000+ Browser Extensions

A new report from the user association Fairlinked e.V. alleges that LinkedIn is secretly scanning visitors' browsers for the presence of over 6,000 installed browser extensions. The practice, dubbed "BrowserGate," reportedly involves injecting hidden JavaScript to fingerprint users. The report claims this data is linked to user profiles and used for competitive analysis against sales tool rivals. LinkedIn has refuted the claims, stating the scanning is a security measure to protect its platform and users from data scraping.

European Commission Confirms Data Breach After ShinyHunters Claims 350GB Theft

The European Commission (EC) has confirmed a cyberattack targeting its Europa.eu web portal, following a claim by the notorious hacking group ShinyHunters. The group alleges it breached one of the Commission's Amazon Web Services (AWS) accounts and exfiltrated over 350GB of sensitive data, including mail servers, databases, and confidential documents. ShinyHunters has reportedly leaked a 90GB archive as proof. While the EC acknowledged the intrusion and data theft, it sought to downplay the impact, stating that internal systems were not affected and the breach was limited to public-facing websites. This incident marks the second data breach for the EC in 2026, raising serious questions about the security posture of EU institutions.

Chinese APT Mustang Panda Renews Espionage Campaign Against European Governments

The Chinese state-sponsored threat group TA416, also known as Mustang Panda, has resumed its cyber-espionage operations against European government and diplomatic entities, including EU and NATO missions. According to Proofpoint, the group has been active since mid-2025, using evolving tactics to deliver its signature PlugX malware. Attack methods have included spoofed Cloudflare Turnstile pages, abuse of Microsoft Entra ID applications, and malicious archives containing a renamed MSBuild executable. The campaigns leverage phishing links distributed via compromised and newly created email accounts to deliver malware hosted on legitimate cloud services like Google Drive and Azure Blob Storage.

Microsoft Warns of Social Engineering Campaign Abusing WhatsApp for Windows

Microsoft has issued a warning about an ongoing social engineering campaign targeting users of the WhatsApp desktop application on Windows. Attackers send malicious Visual Basic Script (`.vbs`) files disguised as legitimate attachments. Once executed, the script uses 'living off the land' (LOTL) techniques, copying and renaming legitimate Windows tools to download and execute remote access software. The malware also attempts to bypass User Account Control (UAC) and establishes persistence through registry modifications, giving attackers full control over the victim's machine. This attack does not exploit a software vulnerability but relies entirely on tricking the user.

North Dakota Water Treatment Plant Hit by Ransomware, Reverts to Manual Operations

A water treatment facility in Minot, North Dakota, serving approximately 80,000 people, was hit by a ransomware attack in March 2026. The attack compromised the plant's Supervisory Control and Data Acquisition (SCADA) system, forcing operators to shut it down and revert to manual processes for about 16 hours. City officials confirmed the incident, emphasizing that the water supply remained safe throughout. A ransomware note was found, but no specific demand was made, and no ransom was paid. The plant is currently using a backup server while a new, more secure system is prepared. The incident highlights the growing cyber threats targeting U.S. critical infrastructure.

AI Now Leading Source of Friction for CISOs in Retail and Hospitality, Report Finds

A new CISO Benchmark Report from the Retail & Hospitality ISAC (RH-ISAC) and IANS reveals a significant shift in the threat landscape: Artificial Intelligence is now the top concern for security leaders in these sectors. 71% of surveyed CISOs identified AI as a primary source of friction, placing it ahead of traditional threats like ransomware and phishing. Key risks associated with AI include data leakage, insider misuse, and inadequate governance. While AI is also driving investment in security operations for improved threat detection, its rapid adoption is creating new and complex challenges for cybersecurity teams.

Iranian Hackers Launch Coordinated Password Spray Attacks on Middle East

The Iranian APT group Gray Sandstorm is suspected of conducting a large-scale password spray campaign against government and private sector organizations in Israel and the UAE. According to Check Point researchers, the cyberattacks, which began in early March 2026, targeted Microsoft 365 accounts and appear to be coordinated with physical military operations. The timing and targeting of municipalities responsible for damage response suggest the attacks were intended to support kinetic missile and drone strikes, likely for intelligence gathering and Bombing Damage Assessment (BDA). This campaign exemplifies the use of cyber operations in modern hybrid warfare.

Chinese-Nexus Actor Exploits TrueConf Zero-Day in "TrueChaos" Campaign

A zero-day vulnerability in the TrueConf video conferencing application, CVE-2026-3502, has been actively exploited in a targeted campaign named 'TrueChaos.' The campaign, attributed with moderate confidence to a Chinese-nexus threat actor, has targeted government entities in Southeast Asia. The CVSS 7.8 flaw exists in the update mechanism of the TrueConf Windows client, allowing an attacker who has compromised an on-premises TrueConf server to push malicious updates to all connected endpoints, thereby deploying malware like the Havoc C2 framework.

TeamPCP's Supply Chain Attack Cascade Hits LiteLLM, Stealing AI Credentials

The threat actor group 'TeamPCP' has executed a sophisticated, multi-stage supply chain attack, beginning with the compromise of the popular open-source vulnerability scanner Trivy. The attackers leveraged this access to poison downstream GitHub Actions, stealing credentials from CI/CD pipelines. They then pivoted to compromise other developer tools, including Checkmarx KICS, before publishing malicious versions of the widely-used LiteLLM AI gateway on PyPI. The trojanized LiteLLM packages were designed to steal sensitive AI API credentials, exfiltrating them to an attacker-controlled server. This cascading attack highlights the systemic risk in the open-source software supply chain, where a single point of failure can lead to widespread compromise across thousands of dependent projects.

Texas Hospital Data Breach Exposes Personal and Medical Info of 257,000 Patients

Nacogdoches Memorial Hospital (NMH) in Texas is notifying 257,073 patients of a data breach resulting from a cyberattack detected on January 31, 2026. An unauthorized party gained access to the hospital's network and may have exfiltrated a vast amount of sensitive patient data. The potentially compromised information includes names, Social Security numbers, dates of birth, medical record numbers, health plan details, and even full-face photographs. The hospital has begun mailing notification letters to affected individuals and is offering identity theft protection services. This incident adds to the growing list of healthcare organizations falling victim to cyberattacks, highlighting the sector's vulnerability.

Toy Giant Hasbro Investigating Cybersecurity Incident After Network Breach

Global toy and entertainment company Hasbro, Inc. has disclosed a cybersecurity incident in a Form 8-K filing with the SEC. The company detected unauthorized access to its network on March 28, 2026, and has since activated its incident response plan, which included proactively taking some systems offline for containment. Hasbro has engaged third-party cybersecurity experts to investigate the scope and impact of the breach. While the company's business continuity plans are active, it has warned that operational delays in taking orders and shipping products may occur for several weeks. Details about the nature of the attack or what data may have been compromised have not yet been released.

Two-Thirds of US State Legislators Have Had Data Leaked on Dark Web

A new investigation by privacy company Proton has revealed a startling lack of operational security among U.S. state legislators, with 67% having had their data exposed in past data breaches. The research found over 16,000 breach records linked to the officials' publicly listed email addresses, which were used to sign up for third-party services like LinkedIn, Adobe, and even dating sites that were later hacked. Alarmingly, 560 plaintext passwords were discovered among the leaked data, creating a direct path for attackers to compromise personal and potentially official accounts. The findings highlight a significant national security risk, as this exposed data could be used by foreign adversaries for espionage, blackmail, or targeted influence campaigns.

Microsoft to Include Security Copilot in M365 E5 Licenses at No Extra Cost

Microsoft has announced a significant change to its licensing model, bundling its AI-powered Security Copilot directly into Microsoft 365 E5 licenses at no additional cost. The phased rollout will begin on April 20, 2026, and is expected to complete by June 30, 2026. This move makes advanced AI-driven security operations accessible to a much wider range of enterprises. Security Copilot, which is embedded in Microsoft Defender, Entra, Intune, and Purview, helps security teams investigate threats and respond to incidents more efficiently. E5 customers will receive a monthly pool of Security Compute Units (SCUs) to power the tool, democratizing access to cutting-edge security AI.

Phishers Abuse No-Code Platform 'Bubble' to Bypass Email Security Filters

Security researchers at Kaspersky have identified a novel phishing technique that abuses the legitimate no-code development platform, Bubble.io. Attackers are creating malicious web applications on the platform that act as redirectors. Because these apps are hosted on Bubble's trusted domain (*.bubble.io), they are more likely to bypass email security filters that block links to known malicious sites. Phishing emails, often targeting Microsoft 365 users, contain a link to the Bubble-hosted app, which then forwards the victim to a credential harvesting page. This 'trust abuse' tactic makes it harder for both users and automated defenses to spot the attack, and is expected to be adopted by Phishing-as-a-Service (PhaaS) operators.

'DeepLoad' Malware Leverages AI-Generated Code and ClickFix Social Engineering to Steal Credentials

A new malware campaign dubbed 'DeepLoad' is using a potent combination of stealthy delivery and advanced obfuscation to steal credentials from enterprise environments. Researchers at ReliaQuest identified the malware, which is delivered using the 'ClickFix' social engineering technique that tricks users into running malicious commands. What sets DeepLoad apart is its use of what appears to be AI-generated code to create thousands of lines of meaningless variables and functions, effectively hiding its malicious PowerShell loader from static analysis tools and making detection extremely difficult.

UK Employee Data Breaches Hit Seven-Year High, Driven by Human Error in Hybrid Work

Reports of employee data breaches submitted to the UK's Information Commissioner's Office (ICO) have surged to a seven-year high, with 3,872 incidents recorded in 2025. An analysis by law firm Nockolds reveals that while cyber-related incidents fell, non-cyber incidents—primarily driven by human error—jumped by 15%. These errors, such as misaddressing emails or letters and losing paperwork, are being attributed to the complexities of hybrid work environments. The findings underscore the need for organizations to update their data protection policies and training to address the new risks posed by remote and flexible work.

Ransomware Attack on Spain's Port of Vigo Disrupts Cargo Operations, Forces Manual Processes

The Port of Vigo, a major fishing port in Spain, has been hit by a ransomware attack that disrupted its digital cargo management systems. The port authority detected the attack on Tuesday, immediately isolating affected servers to contain the threat. The incident, which involved a ransom demand, has forced some logistical operations to revert to manual, paper-based processes. While physical ship and cargo movements continue, the attack highlights the significant operational strain placed on critical infrastructure when digital systems are compromised.

Tax Season Phishing Frenzy: Scammers Use IRS and W-2 Lures to Spread Malware

Microsoft Threat Intelligence is warning of a significant increase in sophisticated phishing campaigns timed for the U.S. tax season. Attackers are impersonating the IRS and using lures related to tax forms like W-2 and 1099 to trick victims. These campaigns are used to distribute malware, including the remote access tool ScreenConnect, and various phishing-as-a-service kits like 'Energy365' and 'SneakyLog'. One notable campaign targeted over 10,000 organizations, while another used QR codes embedded in Word documents to bypass email security filters and lead victims to credential-harvesting sites.

GitHub Discussions Weaponized to Spread Malware via Fake VS Code Alerts

A large-scale, automated phishing campaign is abusing the GitHub Discussions feature to target developers. Attackers are spamming thousands of repositories with fake security alerts for Microsoft's Visual Studio Code, using fabricated CVEs to create a sense of urgency. The posts, often impersonating security researchers, trick users into downloading what they believe is a patched version of VS Code from external links. These downloads, however, deliver malware, turning a trusted developer platform into a potent malware distribution channel.

Swiss Critical Infrastructure Hit by 325 Cyberattacks in One Year

The Swiss Federal Office for Cybersecurity has revealed that it received 325 mandatory reports of cyberattacks against the nation's critical infrastructure in the past year, averaging nearly one incident per day. The report, which covers the first year of a new mandatory reporting law, shows the administrative sector was the most frequent target, followed by IT, telecommunications, and financial institutions. Hacking, DDoS attacks, and malware were among the most common attack vectors reported.

New Phishing-as-a-Service "EvilTokens" Abuses Microsoft's OAuth Device Code Flow

A new and sophisticated Phishing-as-a-Service (PhaaS) platform named EvilTokens is enabling widespread attacks against Microsoft 365 accounts. The service automates the process of stealing access tokens by abusing the legitimate OAuth 2.0 device code authentication flow. This technique allows attackers to bypass certain types of MFA and gain persistent access to a victim's cloud account, even if the user changes their password. The EvilTokens kit provides a turnkey solution for criminals, complete with phishing templates and a dashboard for managing stolen tokens, significantly lowering the bar for conducting advanced cloud-based attacks.

Middle East Conflict Amplifies Global Cyber Risks, Reshaping Threat Landscape

The ongoing conflict in the Middle East is significantly reshaping the global cyber threat landscape, according to a new report from the World Economic Forum. The conflict has fueled a surge in state-aligned and proxy hacking operations that target critical infrastructure, businesses, and government institutions far beyond the immediate geographic region. This new era of hybrid warfare, where cyber operations are a standard tool in geopolitical disputes, has forced 91% of large organizations to alter their cybersecurity strategies in response to the heightened volatility. The report highlights attacks on sectors like healthcare and energy, and the physical vulnerability of undersea communication cables.

European Commission Hit by Data Breach; Attacker Claims 350GB Exfiltrated from AWS Cloud

The European Commission has confirmed a data breach affecting its cloud infrastructure hosted on Amazon Web Services (AWS). The attack targeted the Europa.eu websites, and an attacker has claimed to have exfiltrated over 350 GB of data, allegedly including databases and employee records. The Commission has stated that its internal systems were not affected and that the attacker has not made any extortion demands. This incident follows a separate breach of the Commission's mobile device management system in January 2026 and highlights the persistent cyber threats facing major government entities. In response, the EU has pledged to strengthen the security of its critical services.

CISA Warns of "BridgeSiphon" Zero-Day Exposing Passwords in Hybrid Cloud Sync

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an emergency directive concerning "BridgeSiphon," a critical zero-day vulnerability impacting hybrid cloud environments. The flaw, found in a widely used data synchronization protocol, allows attackers to intercept and exfiltrate plaintext passwords as data moves between on-premise and cloud infrastructure. This poses a severe risk of credential theft, lateral movement, and widespread system compromise. The directive mandates immediate action from all federal agencies to audit their hybrid connections and apply mitigations while a permanent patch is developed.

AT&T Probes Massive Data Breach as 70 Million Customer Records Surface on Dark Web

Telecommunications giant AT&T has launched a full-scale investigation after a database containing the sensitive personal information of approximately 70 million current and former customers was leaked on a dark web forum. The dataset, which reportedly dates back to 2021, includes highly sensitive PII such as Social Security numbers, dates of birth, and home addresses. The breach places millions at significant risk of identity theft, financial fraud, and targeted phishing campaigns. AT&T is advising customers to monitor their accounts and has stated it will offer credit monitoring services.

Serbian Clinic's Patient Data Leaked by Ransomware Group After Refusing to Pay

In a severe violation of patient privacy, a Serbian gynecology clinic has had its entire patient database leaked on the dark web. The data dump occurred after the clinic refused to pay a ransom demand from a cybercriminal group that had encrypted its systems. The leaked information includes names, contact details, and extremely sensitive clinical notes, placing thousands of patients at risk of blackmail and public exposure. The incident underscores the ruthless tactics of modern ransomware gangs targeting the healthcare sector and the devastating real-world consequences of such attacks.

Major Data Leak at Malaysian Car Park Operator Imej Parking Exposes Government Data

Imej Parking Sdn Bhd, a major car park operator in Malaysia, has suffered a significant data breach after a large MySQL database was found exposed on the internet. The leak, attributed to a server misconfiguration, contains a wide array of sensitive information, including the company's internal records, customer data, and, most critically, data related to its government contracts. This third-party breach highlights the cascading risks within supply chains, as the exposure of a vendor's data has led to a potential compromise of government information. Malaysian authorities have been alerted and are assessing the full scope of the incident.

Global Cyber Incidents Surge: State-Sponsored Attacks, Financial Fraud, and AI-Powered Malware on the Rise

The global threat landscape is experiencing a significant escalation, with a notable surge in diverse and sophisticated cyberattacks over the past 24 hours. Key trends include state-sponsored actors, allegedly linked to China, targeting critical telecommunications infrastructure in nations like Canada, with the threat actor ShinyHunters implicated in a breach at Telus. Concurrently, attackers are evolving their TTPs, leveraging AI for more adaptive malware and increasingly targeting operational technology (OT) to threaten physical safety. This convergence of geopolitical espionage, high-tech criminal activity, and threats to critical infrastructure signals a new, more dangerous phase in cybersecurity.

Warning to Developers: Malicious Logic Bombs Found in Popular IDE Extensions

A significant software supply chain threat has emerged as security researchers have discovered malicious logic bombs hidden within several popular coding extensions for Integrated Development Environments (IDEs). The malicious code is designed to remain dormant until a specific future timestamp. Upon activation, the payload triggers and locks the host system, effectively rendering the developer's machine unusable. This attack vector targets developers directly through the trusted tools they use daily, raising serious concerns about the security of third-party extension marketplaces and the software development lifecycle itself.

New Android Trojan "AudioSignature Hijack" Eavesdrops on Conversations Using Vibration Sensors

Mobile security researchers have uncovered a highly sophisticated Android Trojan, dubbed "AudioSignature Hijack 2.0," that employs a novel technique to eavesdrop on conversations without requesting microphone permissions. The malware leverages the device's built-in vibration sensors (accelerometers) to detect microscopic vibrations caused by sound waves in the surrounding environment. A complex algorithm then processes this sensor data to reconstruct the audio, allowing attackers to spy on users' conversations covertly. This side-channel attack represents a significant threat to mobile privacy, as it bypasses a fundamental security control in the Android operating system.

Coordinated Cyber-Physical Attack on North American Battery Storage Facilities Causes Physical Damage

A highly sophisticated cyber-physical attack has targeted multiple lithium battery storage facilities across North America, resulting in significant physical damage to critical energy infrastructure. Attackers demonstrated a deep understanding of electrical engineering by gaining remote access to the facilities' Industrial Control Systems (ICS) and manipulating voltage settings. They carefully modulated the voltage to create harmonic resonance, a condition that caused substation transformers to overheat and fail catastrophically. This incident is a chilling real-world example of how digital intrusions can be leveraged to cause tangible, destructive effects, raising urgent concerns about the security of the modern power grid.

G20 Nations Sign Landmark Data Sovereignty Protocol to Govern Cross-Border Data Flows

In a significant move towards international cooperation on digital governance, the G20 nations have signed a new data sovereignty protocol. The non-binding agreement, finalized on March 28, 2026, aims to create a common framework for the secure and responsible transfer of data across borders. It seeks to balance the economic benefits of the free flow of data with the growing need for robust data protection, privacy, and national security. The protocol establishes key principles like data minimization and purpose limitation, representing a critical diplomatic step in harmonizing global data governance policies amidst escalating cyber threats.

Middle East Cyber Conflict Escalates Following Military Strikes on Iran

Coordinated military strikes against Iran on February 28, reportedly involving the U.S. and Israel, have ignited a significant escalation in cyber warfare across the Middle East. Security firms have issued heightened threat advisories, warning of disruptive attacks from state-aligned actors and hacktivists. Pro-Iran groups, such as 'Handala Hack,' have launched DDoS attacks, defacements, and data leak campaigns targeting government, aviation, and financial sectors in Israel and other regional nations. The conflict has also severely disrupted civil aviation, with hundreds of flights cancelled amid safety concerns.

Cloud Sweep Group's "Phase 30" Attack Embeds Ransomware in Cold Storage Backups, Defeating Recovery Efforts

The notorious threat actor group "Cloud Sweep" has launched "Phase 30," a sophisticated new attack campaign that targets cold storage backups. The group's novel technique involves embedding dormant malware into data archives during the backup process. When an organization attempts to restore from the compromised backup, the malware activates, re-encrypts the system, and sabotages the recovery effort, effectively creating a ransomware time bomb within the last line of defense.

Triple Threat: Canada's Top Telecoms Rogers, Telus, and Freedom Mobile Hit by Data Breaches

Canada's telecommunications sector is under fire after three of its largest carriers—Rogers, Telus, and Freedom Mobile—each reported significant data breaches. The incidents, which occurred within the same week, exposed customer information such as names, contact details, and account numbers. The breaches highlight systemic vulnerabilities, particularly related to third-party and subcontractor access. Rogers and its subsidiary Fido confirmed unauthorized access to customer data, while Telus was targeted by the 'ShinyHunters' hacking group, which claimed to have stolen nearly a petabyte of data. Freedom Mobile suffered its second breach in six months due to compromised subcontractor credentials, prompting all three companies to enhance their security protocols.

CRITICAL: Telegram Hit by 9.8-Rated Zero-Click RCE Flaw on Android & Linux

A critical zero-click remote code execution (RCE) vulnerability has been discovered in the Telegram messenger application, affecting both Android and Linux versions. The flaw, tracked as ZDI-CAN-30207, has been assigned a CVSS score of 9.8 out of 10, reflecting its extreme severity. An attacker can exploit this vulnerability by simply sending a specially crafted animated sticker to a victim. No user interaction is required; the malicious code executes as soon as the media is viewed. A successful exploit could grant the attacker full control over the user's account and correspondence. Reports suggest an exploit is already being sold in underground communities. Telegram has not yet released a patch.

INC Ransomware Leaks 500GB of Data from Namibia Airports Company on Dark Web

The Namibia Airports Company (NAC) has confirmed that approximately 500GB of sensitive data stolen during a ransomware attack has been published on the dark web. The attack, attributed to the INC Ransomware Group, was first detected on March 6, 2026. The threat actors employed double-extortion tactics, exfiltrating the data before encrypting systems and demanding a ransom. A preliminary assessment of the leaked data suggests it includes sensitive files such as airport permit records, financial documents, engineering plans, and internal reports. While airport operations were not affected, the NAC is investigating the full scope of the breach, which marks the second known attack in Namibia by the INC Ransomware Group.

Iran-Linked 'Handala Hack Team' Breaches Personal Gmail of FBI Director Kash Patel

The personal Gmail account of FBI Director Kash Patel has been compromised by an Iran-linked hacking group calling itself the 'Handala Hack Team.' The group claimed responsibility for the breach and subsequently leaked personal data, including photographs, emails, and documents from 2010 to 2019. The FBI has confirmed the breach of the director's personal account. In its claim, the Handala group stated the attack was a response to U.S. government actions and boasted about its ability to penetrate 'impenetrable' systems. The same group has also been linked to a separate leak of personal data belonging to Israeli government and military personnel, highlighting a pattern of targeting high-profile government officials.

Supreme Court to Decide FCC's Power to Fine Telcos for Customer Data Breaches

The U.S. Supreme Court is set to hear a pivotal case, FCC v. Verizon and AT&T v. FCC, concerning the Federal Communications Commission's (FCC) authority to penalize wireless carriers for failing to protect customer data. The case stems from fines the FCC issued in 2020 after an investigation found major carriers were selling access to customers' sensitive location data without reasonable safeguards. A coalition including two former FCC Chairs and several consumer advocacy groups has filed a brief in support of the FCC, arguing that stripping the agency of its enforcement power would leave consumers without a meaningful remedy for privacy violations. The carriers contend the FCC overstepped its authority, and the court's decision will have significant implications for consumer data privacy regulation in the U.S.

'ClickFix' Campaign Tricks macOS Users into Installing Infiniti Stealer via Fake CAPTCHA

A social engineering campaign dubbed 'ClickFix' is targeting macOS users with a sophisticated ruse to install the 'Infiniti Stealer' malware. The attack begins with a fake Cloudflare CAPTCHA page that, instead of presenting a puzzle, instructs the user to open their Terminal and run a malicious command to 'prove they are human.' This user-initiated execution triggers a multi-stage infection chain involving a Bash script and a Nuitka loader, which ultimately deploys the Python-based Infiniti Stealer. The malware is designed to harvest a wide array of sensitive data, including browser credentials, macOS Keychain contents, cryptocurrency wallets, and developer secrets, before exfiltrating the stolen information to the attacker's C2 server.

EU and Australia Issue New Cybersecurity Guidance as Regulatory Focus Sharpens

Governments are continuing to tighten cybersecurity regulations, with new guidance issued in the European Union and Australia on March 4, 2026. The European Commission launched a public consultation for its upcoming Cyber Resilience Act (CRA), aimed at helping manufacturers of connected devices prepare for new security obligations. Simultaneously, the Office of the Australian Information Commissioner (OAIC) released guidance clarifying the balance between privacy obligations and reporting requirements under Australia's Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act. These moves, along with legislative proposals being developed in Sweden and new internet code guidance in Nigeria, signal a growing global trend toward more stringent, government-mandated cybersecurity standards.

Police Physically Warn Firms of Critical Unpatched RCE Flaw in PTC Windchill

A critical remote code execution (RCE) vulnerability in PTC's Windchill and FlexPLM software, tracked as CVE-2026-4681 with a CVSS score of 10.0, has prompted an unprecedented response in Germany. Police officers were physically dispatched, some in the middle of the night, to warn companies of the imminent threat. The flaw, which allows unauthenticated remote code execution, has not yet been patched by PTC, though mitigation guidance is available. The U.S. CISA has since issued its own advisory, highlighting the global risk to manufacturing and aerospace sectors.

China-Linked 'Red Menshen' APT Creates 'Digital Sleeper Cells' in Telecoms with BPFDoor

A long-running espionage campaign attributed to a China-linked threat actor dubbed 'Red Menshen' has been uncovered targeting telecommunications providers across the Middle East and Asia. Active since at least 2021, the group utilizes a highly sophisticated and passive Linux backdoor known as BPFDoor. This implant operates at the kernel level and only activates upon receiving a specific 'magic packet,' allowing it to remain dormant and evade detection while creating 'digital sleeper cells' for persistent surveillance and high-level espionage.

CISA KEV Alert: Actively Exploited Flaws in Langflow AI Framework and Trivy Scanner

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The first, CVE-2026-33017, is a critical unauthenticated RCE in the popular AI framework Langflow, which was reportedly exploited within 20 hours of disclosure. The second, CVE-2026-33634, is a supply chain compromise in Aqua Security's Trivy vulnerability scanner where malicious code was embedded. Federal agencies are now required to patch these flaws on an accelerated timeline.

Ransomware Dip Masks Alarming Rise in Nation-State Attacks on Critical Infrastructure

The Waterfall Threat Report 2026 reveals a complex shift in the industrial cyberattack landscape. While publicly recorded cyber incidents against heavy industry with physical consequences fell by 25% in 2025, this masks a more dangerous trend: attacks by nation-states and hacktivists on critical infrastructure doubled during the same period. The report suggests the slowdown in ransomware, the primary cause of such incidents in recent years, is temporary and that these attacks are expected to rebound in 2026.

New 'Uragan' Ransomware Emerges, Using Double Extortion Against Windows Systems

Researchers at CYFIRMA have discovered a new strain of ransomware named 'Uragan' on underground forums. This file-encrypting malware targets Windows systems, appending a '.uragan' extension to encrypted files and dropping a ransom note named 'README.txt'. The operators employ double extortion tactics, threatening to leak sensitive data exfiltrated from the victim's network if the ransom is not paid. No decryption tool is currently available.

Ransomware Attack Cripples Indiana Sheriff's Office, Forcing Full System Rebuild

The Jackson County Sheriff's Office in Indiana has suffered a devastating ransomware attack that has completely disabled its entire computer network. The attack, believed to have originated from a malicious email, has corrupted all computers, Wi-Fi, and the department's report filing system. Officials have stated they will not pay the ransom and are in the process of wiping all machines, replacing hardware, and rebuilding their IT infrastructure from scratch. Deputies have resorted to manual processes and working from a neighboring police department's facility.

Sophisticated AiTM Phishing Campaign Targets TikTok for Business Accounts to Bypass MFA

A sophisticated phishing campaign is actively targeting TikTok for Business accounts using adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication. According to researchers at Push Security, the attack uses a multi-stage process involving Google Storage URLs and Cloudflare CAPTCHA challenges to evade detection and filter out bots. The AiTM phishing kit allows attackers to steal not only usernames and passwords but also session cookies and MFA codes in real-time, enabling complete account takeover for use in fraudulent advertising or malware distribution.

Russia's Pawn Storm (APT28) Targets Defense Supply Chain with New 'PRISMEX' Malware and Zero-Day

The prolific Russia-aligned threat group Pawn Storm (also known as APT28 or Fancy Bear) is conducting a new campaign targeting the defense supply chain of Ukraine and its allies. According to Trend Micro, the group is deploying a new modular malware collection called PRISMEX. This sophisticated toolkit uses advanced evasion techniques like steganography and COM hijacking. The campaign has actively exploited multiple vulnerabilities, including a confirmed zero-day in Microsoft Windows, CVE-2026-21513, underscoring the group's high level of capability and determination.

Protos Labs Challenges Threat Intel Market with Freemium Agentic AI Platform

Singapore-based Protos Labs has launched a freemium edition of its Protos AI platform at RSA Conference 2026, aiming to disrupt the traditional cyber threat intelligence (CTI) market. The platform utilizes specialized, coordinated AI agents to automate the entire CTI lifecycle, from planning and evidence collection to analysis and reporting. By offering a freemium tier, Protos Labs seeks to democratize access to advanced CTI capabilities for smaller organizations while allowing large enterprises to augment their existing security teams. The solution is designed to be vendor-agnostic, integrating with existing security stacks and supporting multiple LLMs, including those from Azure OpenAI, Anthropic, and Google Gemini.

Ontario Enforces New Cybersecurity and Data Transparency Regulations for Public Sector

The government of Ontario, Canada, has filed two new regulations, O. Reg. 51/26 and O. Reg. 52/26, which will come into force on July 1, 2026. These regulations impose significant new cybersecurity and data privacy obligations on public sector entities, including hospitals, universities, school boards, and children's aid societies. O. Reg. 51/26 mandates the establishment of a formal cybersecurity program, the designation of a senior leader responsible for cybersecurity, regular maturity assessments, and a 72-hour reporting deadline for critical incidents. O. Reg. 52/26 introduces new transparency requirements for school boards regarding the disclosure of student data to third-party software providers.

Darktrace Replaces Security Training with 'Adaptive Human Defense'

At RSA Conference 2026, AI cybersecurity firm Darktrace launched 'Adaptive Human Defense,' a new product that shifts away from traditional, scheduled security awareness training. Instead, the platform uses behavioral AI to monitor user actions in real-time and delivers personalized, contextual 'micro-coaching' sessions at the exact moment a risky behavior is detected, such as interacting with a suspicious email. The system creates a feedback loop with Darktrace's email security solution, using the coaching results to automatically tune security controls for each individual user, thereby creating a personalized defense that strengthens both human and technical layers simultaneously.

NetRise Launches 'Provenance' to Uncover Contributor Risk in Software Supply Chains

Software supply chain security firm NetRise has launched 'Provenance,' a new product announced at RSA Conference 2026 designed to identify risks associated with the individual contributors and organizations behind open-source components. Moving beyond traditional SBOMs and vulnerability scanning, Provenance provides intelligence on the people and entities writing the code that enterprises rely on. The tool helps organizations identify potentially malicious contributors, understand their 'blast radius' across the software ecosystem, and enforce policies based on contributor risk, such as geographic location, to meet compliance obligations like OFAC.

Co-op CEO Resigns as Cyber-Attack Fallout Leads to £126 Million Loss

Shirine Khoury-Haq, the chief executive of the UK's Co-op Group, is stepping down effective March 29, 2026. Her departure follows the company's announcement of a £126 million pre-tax loss for the year, a dramatic reversal from the previous year's profit. The company directly attributed a significant portion of this financial damage to a major cyber-attack in April 2025, which caused widespread disruption, including payment problems and product shortages. The incident reportedly had a direct impact of £285 million on revenues and contributed £107 million to the profit loss, serving as a stark case study on the severe, real-world business consequences of a major cyber incident.

Cisco Firewall Zero-Day Exploited by Interlock Ransomware for Over a Month Before Patch

A critical insecure deserialization vulnerability in Cisco's Secure Firewall Management Center (FMC), tracked as CVE-2026-20131, was exploited as a zero-day by the Interlock ransomware gang. Amazon's threat intelligence team discovered that exploitation began on January 26, 2026, a full 36 days before Cisco released a patch in early March. The flaw allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges on the management interface. Following the discovery of in-the-wild exploitation, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by March 22, 2026. Cisco strongly advises against exposing the FMC management interface to the internet.

FCC Issues Sweeping Ban on All Foreign-Produced Consumer Routers Citing National Security Risks

The U.S. Federal Communications Commission (FCC) has enacted a sweeping ban on the import and authorization of all new models of foreign-produced consumer-grade wireless routers. The devices have been added to the FCC's "Covered List" following a White House determination that they pose an unacceptable risk to U.S. national security. The move is aimed at preventing espionage and attacks on critical infrastructure by state-sponsored actors like Volt Typhoon. While not naming a specific country, the ban will significantly impact Chinese firms like TP-Link and any U.S. companies that manufacture their devices overseas. Existing inventory can still be sold, but no new models can be introduced to the U.S. market without FCC approval under a new, stricter regime.

Wealth Manager Hightower Holding Discloses Data Breach Affecting Over 131,000 Clients

Chicago-based wealth management firm Hightower Holding has disclosed a data breach that exposed the sensitive personal information of 131,483 clients. The breach occurred across two separate incidents in January 2026, where an unauthorized actor gained access to the company's network via compromised user accounts and exfiltrated files. The stolen data includes full names, Social Security numbers, and driver's license numbers. The company discovered the breach on March 12 and began notifying victims on March 23, a delay that has prompted investigations by multiple law firms for a potential class-action lawsuit.

CISA Adds Actively Exploited Langflow Code Injection Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a code injection vulnerability in Langflow, CVE-2026-33017, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms that the vulnerability is being actively exploited in the wild. Langflow is a user interface for the popular LangChain application development framework, making this a significant threat to organizations developing AI and LLM-based applications. In accordance with Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies are now required to remediate this vulnerability by a specified deadline.

NIST Releases New Quick-Start Guides to Boost Adoption of Cybersecurity Framework 2.0

The U.S. National Institute of Standards and Technology (NIST) has released two new quick-start guides to help organizations implement its Cybersecurity Framework (CSF) 2.0. The first guide, SP 1308, focuses on integrating cybersecurity with enterprise risk management (ERM) and workforce planning, bridging the gap between technical teams and executive leadership. The second, a draft guide (SP 1347), explains how to use CSF 2.0's "Informative References" to map security outcomes to other standards and practices. These resources aim to make the updated framework more accessible and operational for a wider range of organizations.

Nike Faces Class-Action Lawsuit Over January Data Breach

Nike Inc. is the target of a proposed class-action lawsuit filed in Oregon over a data breach the company discovered on a third-party portal in January 2026. The lawsuit alleges that the sportswear giant failed to implement adequate security measures to protect customer data and violated the law by waiting a month to begin notifying affected individuals. The complaint accuses Nike of breaching its duties under the FTC Act, contract law, and common law, seeking to represent a class of all individuals whose data was compromised in the incident.

Microsoft Teams Phishing Campaign Uses Quick Assist to Deploy 'A0Backdoor' Malware

A social engineering campaign is targeting enterprise users on Microsoft Teams to deploy a malware strain named 'A0Backdoor'. Reported on March 20, 2026, the attack begins with attackers contacting employees directly on Teams. They then trick the target into granting remote access to their machine using the legitimate Windows Quick Assist tool. Once access is established, the attackers manually deploy the A0Backdoor malware, which allows them to infiltrate the corporate network, escalate privileges, and maintain persistence. The campaign, which primarily targets the financial and healthcare sectors, highlights the growing abuse of trusted internal collaboration platforms as a vector for initial access and lateral movement.

SOCs Pivot to Autonomous Defense to Counter Machine-Speed AI Attacks

A February 24, 2026 analysis argues that the modern Security Operations Center (SOC) is at a tipping point, forced to pivot towards autonomous, AI-driven defense strategies. This shift is a direct response to the crisis of scale created by adversaries who are already using AI and automation to launch attacks at machine speed. With threat actors leveraging LLMs for flawless phishing and scripts to scan thousands of targets, manual human-led defense is no longer viable. The report frames autonomous security not as a replacement for human analysts, but as a necessary augmentation to handle high-volume tasks, reduce burnout, and free up experts for strategic threat hunting and response.

Analysts Warn of 'Cyber Spillover' as US-Iran Tensions Escalate, Threatening Global Orgs

An editorial analysis published on March 6, 2026, warns of the increasing risk of 'cyber spillover' from the escalating geopolitical conflict between the United States and Iran. Security experts note that Iranian state-sponsored actors and affiliated hacktivist groups have intensified disruptive campaigns, including DDoS attacks and phishing, against Western commercial, financial, and critical infrastructure targets. There is a growing concern that these targeted attacks could cause unforeseen collateral damage to organizations not directly involved in the conflict, prompting calls for a 'shields up' posture.

Citrix Scrambles to Patch Critical 'CitrixBleed'-like Flaw in NetScaler Products

Citrix has issued an urgent patch for CVE-2026-3055, a critical (CVSS 9.3) out-of-bounds read vulnerability in its NetScaler ADC and Gateway products. The flaw allows unauthenticated remote attackers to read sensitive memory contents, such as session tokens, from appliances configured as a SAML Identity Provider (IdP). Security researchers warn that the vulnerability is poised for imminent exploitation, drawing strong parallels to the widely exploited CitrixBleed flaw. While there is no evidence of active attacks yet, the public disclosure of patches makes reverse-engineering and exploit development highly likely. A second high-severity flaw, CVE-2026-4368, was also addressed.

Kaplan Data Breach Exposes SSNs and Driver's Licenses of Over 230,000 People

Kaplan North America, a major educational services provider, is notifying over 230,000 individuals that their highly sensitive personal information was stolen in a data breach. The incident, which occurred between October 30 and November 18, 2025, resulted in the exfiltration of names, Social Security numbers, and driver's license numbers. The breach has affected individuals in at least seven U.S. states, with the largest impact in Texas. Multiple law firms have already initiated investigations and class-action lawsuits against Kaplan in response to the disclosure.

QualDerm Healthcare Data Breach Exposes Personal and Medical Info of 3.1 Million Patients

QualDerm Partners, a healthcare management services organization, is notifying over 3.1 million individuals of a major data breach that occurred in December 2025. During a two-day period of unauthorized network access, attackers exfiltrated a vast amount of sensitive data, including patient names, addresses, dates of birth, medical record numbers, treatment details, diagnoses, health insurance information, and some government-issued IDs. The scale and sensitivity of the compromised data make this a critical incident, placing millions of patients at risk of fraud and identity theft.

Russian Initial Access Broker for Yanluowang Ransomware Jailed for 81 Months in US

Aleksei Volkov, a 26-year-old Russian citizen, has been sentenced to 81 months in U.S. federal prison for his role as a prolific initial access broker (IAB). Volkov admitted to hacking into U.S. companies and selling that unauthorized access to ransomware groups, including the notorious Yanluowang gang. His activities facilitated dozens of attacks that resulted in over $9 million in actual losses to victims. Volkov was arrested in Italy, extradited to the U.S., and pleaded guilty in November 2025. He has also been ordered to pay over $9.1 million in restitution.

Iran-Linked Pay2Key Ransomware Targeted US Healthcare Amidst Military Conflict

The Iranian-linked ransomware group Pay2Key targeted a U.S. healthcare organization in late February 2026, coinciding with military conflict between the U.S. and Iran. Incident responders noted that the attack used an evolved strain of the Pay2Key ransomware but, unusually, did not involve data exfiltration. This deviation from typical financially motivated attacks suggests a potential dual motive of disruption and espionage, consistent with Iranian state-sponsored operations. The attackers compromised an administrative account days before deploying the ransomware and attempted to wipe event logs to cover their tracks.

Cybercrime Automation: Attacker Handoff Time Plummets from 8 Hours to 22 Seconds

The 2025 Google M-Trends report from Mandiant reveals a stunning increase in the efficiency of cybercriminal operations. The time between an initial network compromise and the handoff to a secondary attacker, such as a ransomware group, has plummeted from eight hours in 2022 to just 22 seconds in 2025. This points to highly integrated and automated partnerships in the cybercrime ecosystem. The report also highlights a surge in voice-based phishing (vishing) as a top initial access vector, while noting that global median dwell time has risen to 14 days, skewed by long-running espionage campaigns.

Semiconductor Firm Trio-Tech's Singapore Unit Hit by Gunra Ransomware

Trio-Tech International, a U.S.-based semiconductor services firm, has confirmed its Singaporean subsidiary was hit by a ransomware attack on March 11. The Gunra ransomware operation has claimed responsibility. In an SEC filing, the company initially stated the incident was not material, but later revised its assessment after the attackers began leaking stolen data online. The subsidiary has now activated its incident response plan, is working with cyber insurance, and is notifying affected parties. The event highlights how a contained ransomware incident can quickly escalate to a data breach crisis.

Poland Reports 150% Surge in Cyberattacks, Cites Unprecedented Assault on Energy Grid

A Polish government official has revealed a dramatic 150% increase in cyberattacks against the country in 2025, totaling 270,000 incidents. The surge included a sophisticated and coordinated attack in December on Poland's energy system, which targeted a major heat and power plant and multiple renewable energy farms. Polish authorities believe the attack, described as a 'significant escalation' for a NATO member, originated from a single actor linked to Russian secret services. While the electricity supply was not disrupted, the incident has raised significant alarms about the vulnerability of critical infrastructure.

DDoS Attacks Surge 150% with Record-Breaking 12 Tbps Volumes, Gcore Reports

A new report from infrastructure provider Gcore reveals a 150% increase in Distributed Denial-of-Service (DDoS) attacks between Q4 2024 and Q4 2025. Attack volumes have also exploded, reaching a record 12 Terabits per second (Tbps). The report highlights a trend towards faster, cheaper, and more frequent attacks, with 75% of network-layer attacks lasting less than a minute. The technology, financial services, and gaming industries remain the primary targets, while a significant portion of attack traffic originates from Latin America, particularly Mexico and Brazil.

Network Gear Surpasses Endpoints as Top Cyber Risk, Forescout Warns

Forescout's 2026 'Riskiest Connected Devices' report reveals a major shift in enterprise risk, with network infrastructure like routers and switches now posing a greater threat than traditional endpoints. These core network devices, which average nearly 32 vulnerabilities each, are heavily targeted by attackers for lateral movement and persistence. The report highlights a diversifying attack surface, with 40% of the riskiest device types being new to the list this year, including OT, IoT, and IoMT devices. This signals a clear trend of attackers focusing on often-unmanaged, high-impact devices within the network.

URGENT: Oracle Patches Critical 9.8 CVSS Unauthenticated RCE Flaw

Oracle has released an emergency, out-of-band security update for a critical remote code execution (RCE) vulnerability, CVE-2026-21992. The flaw, which affects Oracle Identity Manager and Oracle Web Services Manager, carries a CVSS score of 9.8 and can be exploited by an unauthenticated attacker over HTTP. A successful exploit could lead to a complete system takeover, allowing attackers to exfiltrate sensitive identity data, deploy malware, and pivot within the corporate network. Due to the flaw's ease of exploitation and the critical role of the affected products in enterprise identity management, Oracle strongly urges customers to apply the patches immediately. The out-of-band release suggests a high risk of active exploitation.

CISA KEV Catalog Updated: Federal Agencies Must Patch Exploited Flaws in Apple, Laravel, Craft CMS

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The flaws include an out-of-bounds write issue in Apple visionOS (CVE-2026-28217), a remote code execution bug in the Laravel Framework (CVE-2024-4671), and a critical cross-site scripting (XSS) vulnerability in Craft CMS (CVE-2026-25487) that allows for admin account creation. The inclusion in the KEV catalog signifies that these vulnerabilities are being actively used in real-world attacks. U.S. federal agencies are now mandated to apply patches by April 12, 2026, and CISA strongly urges all organizations to prioritize remediation to defend against these active threats.

Navia Benefit Solutions Breach Exposes PII and PHI of 2.7 Million People

Navia Benefit Solutions, a third-party administrator of employee benefits, has disclosed a significant data breach impacting nearly 2.7 million individuals. The company revealed that an unauthorized party had access to its network for three weeks, from December 22, 2025, to January 15, 2026. The compromised data includes a vast amount of personally identifiable information (PII) and protected health information (PHI), such as names, Social Security numbers, dates of birth, and health plan details. While financial and claims data were not exposed, the breach affects current and former members of over 10,000 employers. Navia is providing 12 months of identity theft protection to affected individuals.

Over 7,500 Magento E-Commerce Sites Defaced in Ongoing Global Campaign

A widespread and ongoing defacement campaign has compromised over 7,500 websites running the Magento e-commerce platform since late February 2026. The attackers, using aliases like 'Typical Idiot Security', are exploiting a suspected file upload vulnerability to place simple text files on web servers, leading to site defacement. The campaign appears opportunistic, affecting a diverse range of victims from regional storefronts and subdomains of major brands like Toyota, Asus, and FedEx to government services and universities. While largely driven by notoriety-seeking actors, the campaign highlights a significant vulnerability in the Magento ecosystem that could be exploited for more malicious purposes, such as deploying web shells or credit card skimmers.

WorldLeaks Ransomware Claims Attack on City of Los Angeles, Leaks Police Data

The City of Los Angeles has been listed as a victim on the darknet leak site of the WorldLeaks ransomware group. The group, believed to be a rebrand of the Hunters International gang, claims to have stolen nearly 160 GB of data and has published pages from a police interview transcript as proof of the breach. This incident is a data extortion attack, where the group forgoes encryption and focuses solely on data theft and the threat of public release. The attack coincides with other cyber incidents in California, including a disruption at the Los Angeles Metro system and a ransomware attack that prompted a state of emergency in Foster City, highlighting a trend of cybercriminals targeting municipal services.

Warning: Critical 10.0 CVSS Quest KACE Flaw from 2025 Now Actively Exploited

A critical authentication bypass vulnerability in the Quest KACE Systems Management Appliance (SMA), CVE-2025-32975, is being actively exploited in attacks observed in March 2026. The flaw, which has a perfect CVSS score of 10.0 and was patched in May 2025, allows an unauthenticated attacker to gain full administrative control of an unpatched, internet-exposed appliance. Attackers are leveraging this access to deploy credential harvesting tools like Mimikatz, create rogue admin accounts for persistence, and move laterally to other critical systems like domain controllers and backup servers. The new wave of attacks highlights the danger of unpatched legacy vulnerabilities, and all organizations using KACE SMA are urged to verify they are patched and remove the appliance from public internet exposure.

Puerto Rico Water Authority Hit by Cyberattack, Exposing Customer and Employee Data

The Puerto Rico Aqueduct and Sewer Authority (PRASA) has confirmed it was the victim of a cyberattack that resulted in the exposure of customer and employee data. The utility, which is responsible for the territory's water supply, stated that critical water distribution and management systems were not affected. PRASA credited its network segmentation, which separates the operational technology (OT) systems from the business information technology (IT) network, for containing the impact and preventing a disruption to the water supply. Details on the nature of the attack, the volume of data breached, and the number of individuals affected have not yet been disclosed.

New 'Perseus' Malware with Espionage Features Used by Drug Cartels

Security researchers have identified a new malware strain named 'Perseus,' reportedly developed for and used by Drug Trafficking Organizations (DTOs) to conduct espionage against targets like journalists, officials, and rival groups. Perseus is a sophisticated information stealer with capabilities for keylogging, credential theft from browsers, and monitoring encrypted messaging apps. A key feature is its ability to take detailed notes on victim activity for exfiltration. The malware also includes a 'kill switch' that allows operators to remotely wipe all traces of it from a compromised system, a common feature in advanced espionage tools designed to evade forensic analysis. This highlights the growing technical sophistication of non-state criminal actors.

A Look Inside 'The Gentlemen': A Sophisticated RaaS Operation

Security researchers have published detailed profiles of 'The Gentlemen,' a Ransomware-as-a-Service (RaaS) operation that emerged in mid-2025 and has been targeting organizations across at least 17 countries. The group employs a double-extortion strategy, exfiltrating sensitive data before encrypting files on Windows, Linux, and ESXi systems. Their ransomware, written in Go, exhibits a degree of sophistication, requiring a password to execute to hinder analysis. The group's TTPs include using legitimate remote access tools like AnyDesk for persistence, abusing Group Policy Objects (GPOs) for mass deployment, disabling security products, and using WinSCP for data exfiltration. The reports serve as a timely warning about this active and evolving global threat.

G7 Responds with GNSS Resilience Act as GPS Spoofing Attacks Cripple Global Aviation and Threaten Power Grids

A wave of sophisticated GPS spoofing attacks is targeting civil aviation and critical infrastructure across the Middle East and Europe. Attackers are using "time skew sabotage" to disrupt aircraft automated landing systems and attempting "flow reversal" attacks on solar farms to destabilize power grids. In a swift response, G7 nations have introduced the GNSS Resilience Act, mandating inertial backup systems for transit. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued Emergency Directive 26-24 to address the escalating cyber-physical threats.

"Bband Siphon 16.0" Android Malware Steals Location Data Directly from Communication Chip, Works Even When Phone is Off

A novel Android malware named "Bband Siphon 16.0" has been discovered, representing a significant escalation in mobile threats. It targets the device's communication (baseband) chip directly, bypassing the OS to exfiltrate location data. Its most alarming feature is the ability to transmit data even when the device appears powered down, indicating a deep, persistent hardware-level compromise that is exceptionally difficult to detect and remove.

"Phantom Entry" Zero-Day Hits Building Management Systems; Gov Agencies Ordered to Take Smart Meters Offline

A critical zero-day vulnerability dubbed "Phantom Entry" has been discovered in building management systems (BMS), enabling unauthorized physical and logical access. The threat is considered so severe that a government directive has ordered all smart metering controllers in federal buildings to be taken offline immediately. Compounding the threat, a new backdoor called "Ghost Pointer" found in free remote work tools could be used to exploit this vulnerability, allowing attackers to manipulate systems remotely without user knowledge.

Massive Telehealth Breach Exposes 30 Million Patient Video Records, Sparking Deepfake Scam Fears

A leading international telehealth platform has suffered a catastrophic data breach, resulting in the theft of 30 million patient video consultation records. While the company remains unnamed, the scale of the breach is staggering, exposing highly sensitive and private medical interactions. Cybersecurity experts are issuing urgent warnings that this data is a goldmine for creating sophisticated deepfake scams, enabling attackers to commit fraud, extortion, and identity theft with unprecedented realism.

"LAR Blinding Attacks" Use Lasers to Deceive Autonomous Car Sensors, Creating Critical Collision Risks

A new cyber-physical attack method targeting autonomous vehicles, dubbed "LAR blinding," has been demonstrated. The attack uses coordinated lasers to jam and feed false signals into a self-driving car's sensors, such as LiDAR and cameras. This manipulation effectively blinds the vehicle, preventing it from identifying real-world obstacles and creating a severe risk of collision. The emergence of this physical-layer attack poses a critical safety challenge to the automotive industry.

New "Latent Poisoning" Attack Embeds Hidden Backdoors in AI Models, Triggered by Secret Prompts

Security researchers have discovered a sophisticated new AI attack method called "latent poisoning." This technique embeds hidden, triggerable vulnerabilities within an AI model's training data. The compromised model behaves normally until an attacker provides a specific, secret prompt (a "sleeper agent" trigger). When activated, the prompt causes the model to bypass its safety controls, potentially leading to data leakage, execution of unauthorized commands, or generation of malicious content. This stealthy attack vector poses a significant threat to the integrity and security of AI systems.

EU Proposes Mandatory Audits for AI Training Data to Combat Data Poisoning Attacks

The European Union is drafting landmark legislation aimed at securing the AI supply chain. The proposed rules would mandate that companies developing or deploying AI systems within the EU must have their training datasets audited and certified by independent security agencies. This move is a direct response to the growing threat of AI data poisoning attacks, such as the recently discovered "latent poisoning" technique, and aims to establish a new standard for AI safety and trustworthiness.

Cyber Attack Paralyzes Parking Payment System in Russian City, Highlighting Urban Infrastructure Vulnerabilities

A cyber attack has disrupted the municipal parking payment system in an unnamed Russian city, preventing citizens from paying for parking. Details regarding the type of attack, the threat actor responsible, and the duration of the outage have not yet been disclosed. The incident serves as a stark reminder of the vulnerability of smart city infrastructure and the potential for cyber attacks to cause significant disruption to daily public services.

Payload Ransomware Group Claims Attack on Royal Bahrain Hospital, Threatening Patient Data Leak

The Payload ransomware group has claimed responsibility for a cyber attack against the Royal Bahrain Hospital, listing the healthcare provider as a victim on its dark web leak site. This incident is a classic double-extortion attack, where the group has likely encrypted the hospital's systems and exfiltrated sensitive patient data. The hospital has not yet confirmed the breach, but the attack places immense pressure on the institution, threatening operational disruption and a major violation of patient privacy.

Crimestoppers Data Breach Exposes 8.3 Million Anonymous Crime Tip Records, Endangering Whistleblowers

The anonymous crime reporting service Crimestoppers has suffered a catastrophic data breach, with a threat actor claiming to have stolen and leaked 8.3 million records. This incident strikes at the heart of the service's mission, which is built on the promise of anonymity for tipsters. The exposure of this data could potentially identify and endanger individuals who have reported on criminal activity, creating a massive chilling effect on public cooperation with law enforcement.

Bit Refill Blames North Korea-Linked Hackers for Cyber Attack on Cryptocurrency Platform

The cryptocurrency gift card platform Bit Refill has publicly attributed a recent cyber attack to a hacker group linked with North Korea. While the company has not yet detailed the full impact of the attack, such as whether customer funds were stolen, the accusation points towards a sophisticated, state-sponsored operation. North Korean threat actors, like the infamous Lazarus Group, are well-known for targeting cryptocurrency services to generate revenue for the regime, suggesting the attack was likely financially motivated.

Trivy Open-Source Scanner Backdoored in Major Supply Chain Attack, Secrets at Risk

The widely-used open-source security scanner Trivy has been compromised in a sophisticated supply chain attack. Threat actors identified as TeamPCP injected a multi-stage infostealer into official Trivy binaries and GitHub Actions. The breach stemmed from an incomplete credential rotation following a previous compromise, allowing attackers to regain access and modify 75 of 76 `trivy-action` tags and publish a malicious Trivy version `0.69.4`. The malware was designed to steal a wide array of secrets, including cloud credentials, API tokens, and SSH keys from CI/CD environments. The incident has triggered urgent warnings for all users to rotate pipeline secrets, audit workflows, and verify the integrity of their scanner versions, as the malicious code was active for up to 12 hours.

Identity Protection Firm Aura Ironically Breached via Vishing, 900,000 Records Exposed

In a deeply ironic turn of events, identity theft protection company Aura has confirmed a data breach exposing the records of nearly 900,000 individuals. The incident began with a successful voice phishing (vishing) attack, where an employee was socially engineered over the phone into providing credentials. This gave attackers access to a legacy marketing database from an acquired company. The notorious ShinyHunters group claimed responsibility, stating they exfiltrated 12GB of data. The breach affects 35,000 direct Aura customers, whose names, emails, phone numbers, and addresses were exposed. The incident highlights the power of social engineering and the persistent risks of legacy systems from mergers and acquisitions.

Critical UNISOC Modem Flaw Allows Zero-Click RCE on Millions of Android Phones via Cellular Call

A critical, unpatched vulnerability has been discovered in the modem firmware of several UNISOC chipsets, affecting millions of budget and mid-range Android devices from major brands like Samsung and Motorola. The flaw, an uncontrolled recursion issue (CWE-674), allows a remote attacker to achieve arbitrary code execution simply by initiating a cellular video call and sending a specially crafted SDP message. This triggers a stack overflow in the modem's firmware, crashing it and enabling the execution of shellcode. The attack requires no user interaction beyond the device being reachable on the cellular network, posing a severe risk to users of affected devices, including the Realme C33, on which a full RCE was demonstrated.

Nordstrom Email System Hijacked to Blast Crypto Scams, Abusing Salesforce and Okta Integration

The official customer email system of retailer Nordstrom was compromised and used to send fraudulent cryptocurrency scam emails. Attackers leveraged Nordstrom's integration with Salesforce Marketing Cloud and Okta, sending emails from the trusted `nordstrom@eml.nordstrom.com` address. Disguised as a St. Patrick's Day promotion, the emails promised to double cryptocurrency deposits and successfully bypassed spam filters due to their legitimate origin. The campaign led to at least $5,600 in confirmed losses for victims. This incident follows a pattern of similar attacks on other companies, highlighting a trend of attackers targeting and abusing trusted third-party SaaS platforms to exploit brand trust and reach customers directly.

Disgruntled Affiliate Leaks 'The Gentlemen' Ransomware Gang's Playbook

The operational playbook of 'The Gentlemen,' a nascent Ransomware-as-a-Service (RaaS) operation, has been leaked by a disgruntled affiliate known as 'hastalamuerte'. The leak, stemming from a financial dispute, provides a rare, unfiltered look into the group's methods. It reveals that The Gentlemen, an offshoot of the Qilin ransomware group, employs dual-extortion tactics and targets Windows, Linux, and ESXi environments. A primary initial access vector is the exploitation of vulnerable Fortinet FortiGate VPNs. The leaked TTPs include using PowerShell and WMI for lateral movement, deploying anti-forensic tools, and using Bring Your Own Vulnerable Driver (BYOVD) exploits. The incident highlights growing instability and internal conflict within the cybercrime ecosystem.

Critical ConnectWise ScreenConnect Flaw (CVE-2026-3564) Allows Session Hijacking

ConnectWise has patched a critical cryptographic vulnerability in its ScreenConnect remote access software, tracked as CVE-2026-3564. The flaw, which affects all versions prior to 26.1, allows an unauthenticated attacker to extract unique ASP.NET machine keys from server configuration files. These keys can then be used to forge authentication tokens and hijack active remote access sessions. This is extremely dangerous as ScreenConnect is widely used by Managed Service Providers (MSPs) with high levels of privilege in client networks. While ConnectWise is not aware of active exploitation of this specific CVE, it has observed abuse of the underlying technique. All administrators are urged to update to ScreenConnect version 26.1 immediately.

International Law Enforcement Operation Dismantles Major IoT DDoS Botnets

A coordinated international law enforcement operation involving the U.S., Canada, and Germany has successfully disrupted the command-and-control (C2) infrastructure of several major IoT botnets. The operation, reported on March 20, 2026, targeted the Aisuru, Kimwolf, JackSkid, and Mossad botnets, which collectively had infected over 3 million IoT devices like routers and cameras. These botnets were rented out in a 'cybercrime-as-a-service' model to launch massive Distributed Denial-of-Service (DDoS) attacks, some reaching speeds of 30 Terabits per second. The operation involved seizing domains and servers, significantly degrading the criminals' ability to conduct attacks and offer their services.

Identity Service Providers CGI Group and Aura Hit by Data Breaches

Two separate data breaches have impacted companies in the identity services sector. IT consulting giant CGI Group, which manages Sweden's e-government platform, is investigating a breach after its data was found on the dark web. This raises concerns about the security of sensitive data for Swedish citizens who use the platform to access government services. In a separate incident, identity protection firm Aura confirmed a breach claimed by the ShinyHunters hacking collective. The attackers allegedly stole 12GB of files affecting 35,000 customers from a marketing tool used by a company Aura acquired in 2021. These incidents highlight the high value of PII and the persistent risk of third-party and supply-chain-related breaches.

Foster City Declares State of Emergency After Cyberattack Cripples Public Services

Foster City, California, has declared a state of emergency following a significant cybersecurity breach on March 19, 2026. The attack has caused a widespread shutdown of all non-emergency city services, impacting the public's ability to conduct business with the city. While police and fire departments remain operational, other municipal functions are temporarily paused. Officials have not disclosed the nature of the attack but have warned that public information may have been accessed. The city is working with external cybersecurity experts to restore systems and is encouraging residents who have done business with the city to change their passwords as a precaution.

Poland Thwarts Iran-Linked Cyberattack on National Nuclear Research Center

Polish officials announced on March 20, 2026, that they had successfully thwarted a cyberattack targeting the IT infrastructure of the country's National Center for Nuclear Research (NCBJ). While specific details about the attack's nature or methods were not disclosed, authorities have assessed that the malicious activity originated from Iran. The successful defense of a critical national research facility highlights the persistent threat of nation-state cyber espionage and attacks against sensitive scientific and infrastructure sectors. The incident comes amid a heightened state of alert in Western nations for such threats.

RSAC 2026 Preview: AI Risks and Quantum Computing Threat Dominate Agenda

As the cybersecurity industry gears up for RSA Conference 2026 in San Francisco, the agenda reveals a significant focus on two transformative technologies: agentic Artificial Intelligence (AI) and quantum computing. Key themes revolve around managing the new attack surfaces and identity challenges introduced by autonomous AI agents, and the urgent need for organizations to prepare for post-quantum cryptography (PQC). The industry conversation is shifting from theoretical discussions to practical implementation strategies, urging leaders to begin inventorying cryptographic assets and planning their migration to quantum-resistant algorithms now. The conference signals a move away from pure defense towards building long-term resilience in the face of these disruptive technologies.

LAPSUS$ Hacking Group Reemerges, Claims Breach of Pharma Giant AstraZeneca

The notorious LAPSUS$ hacking group appears to have resurfaced, claiming a significant data breach at the pharmaceutical giant AstraZeneca. In a departure from some of their previous high-profile attacks, the group is attempting to sell a 3GB archive of allegedly stolen data on illicit forums. LAPSUS$ has posted screenshots as proof, claiming the data includes Java source code, Terraform configurations for AWS and Azure, and private keys for GitHub and Jenkins pipelines. They are directing potential buyers to contact them via the Session messaging app. AstraZeneca has not yet commented on the claim, but the reemergence of this highly unpredictable and effective group is a major concern for large enterprises.

Interlock Ransomware Exploited Critical Cisco Firewall Zero-Day for 36 Days Before Patch

The Interlock ransomware group exploited a critical zero-day vulnerability, CVE-2026-20131, in Cisco's Secure Firewall Management Center (FMC) for 36 days before a patch was released. The flaw, rated 10.0 on the CVSS scale, allows for unauthenticated remote code execution with root privileges. Amazon Threat Intelligence discovered the exploitation began on January 26, 2026, well before Cisco's patch on March 4. CISA has since added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the severe risk to organizations using the affected firewall management software.

Fintech Firm Marquis Revises Breach Impact to 672,000; Akira Ransomware Suspected

Fintech provider Marquis has officially revised the number of individuals impacted by its August 2025 data breach to 672,075. The breach, which stemmed from an exploited vulnerability in a SonicWall firewall, exposed the personal and financial data of customers from over 700 financial institutions. Compromised data includes names, Social Security numbers, and financial account details. While not officially confirmed, the Akira ransomware group, known for exploiting SonicWall flaws, is suspected to be behind the attack, with some reports alleging a ransom was paid.

Dragonforce Ransomware Claims Attack on U.S. Hydraulics Firm Dynex/Rivett

The Dragonforce ransomware group has claimed responsibility for a cyberattack against Dynex/Rivett Inc., a U.S.-based manufacturer of hydraulic systems. In a post on March 18, 2026, the group announced the attack and threatened to publish a 'full leak' of stolen data if the company does not make contact to negotiate. This incident employs a typical double-extortion tactic, where data is both encrypted and stolen to maximize pressure on the victim to pay a ransom. The nature and volume of the exfiltrated data have not been specified.

Freedom Mobile Data Breach Exposes Customer PII via Compromised Subcontractor

Canadian telecom provider Freedom Mobile disclosed a data breach on March 18, 2026, that occurred in January. An unauthorized third party gained access to the company's customer account management platform for one week using the compromised credentials of a subcontractor. The breach exposed customer PII including names, addresses, dates of birth, and phone numbers. Freedom Mobile confirmed that more sensitive data like passwords and financial information was not affected, but the incident highlights the significant risks posed by supply chain security gaps.

Apple Silently Patches WebKit Flaw That Could Let Sites Steal Your Data

Apple released a silent, background security patch on March 18, 2026, to fix a cross-origin vulnerability in WebKit, its core web rendering engine. The flaw, CVE-2026-20643, could allow a malicious website to bypass the same-origin policy, a fundamental browser security feature. This would enable an attacker to access or steal data from other websites open in different tabs. The patch was delivered automatically to users on the latest versions of iOS and macOS. There is no evidence of active exploitation.

Data of 129,509 Vault Strategies Customers Leaked Online After Ransomware Attack

Data stolen from benefits administrator Vault Strategies during a December 2025 ransomware attack by the 'Incransom' group has now been made public. On March 18, 2026, a searchable database containing the extensive Personally Identifiable Information (PII) of 129,509 individuals was posted online. The exposed data includes full names, addresses, dates of birth, and Social Security numbers, placing victims at high risk of identity theft and prompting investigations into a potential class-action lawsuit.

CISA Warns of Critical Code Injection Flaw in Schneider Electric ICS Software

CISA issued an ICS advisory on March 19, 2026, for a critical code injection vulnerability, CVE-2026-2273, in Schneider Electric's EcoStruxure Automation Expert software. The flaw, with a CVSS score of 8.2, could allow an authenticated attacker to achieve arbitrary command execution by tricking a user into opening a malicious project file. This could lead to a compromise of the engineering workstation and pose a significant risk to industrial control systems. Schneider Electric has released a patched version.

Public Sector Unprepared for AI-Powered Attacks, Report Finds

A March 18, 2026 report by LevelBlue reveals that public-sector organizations are struggling to defend against a rising tide of cyberattacks, especially those enhanced by AI. The study found that nearly one-third of state, local, and education (SLED) entities suffered a breach in the last year. A concerning 44% lack full visibility into their supply chain, and only 28% feel prepared for AI-enabled threats, highlighting significant gaps in visibility, readiness, and workforce training across the public sector.

CISA Adds Actively Exploited Zimbra XSS Flaw to KEV Catalog

On March 18, 2026, CISA added a cross-site scripting (XSS) vulnerability in Synacor's Zimbra Collaboration Suite, CVE-2025-66376, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms the vulnerability is being actively exploited in the wild. The flaw could allow attackers to inject malicious scripts into the web client, potentially leading to session hijacking or data theft. U.S. federal agencies are now required to remediate the vulnerability promptly.

Interlock Ransomware Weaponized Cisco Firewall Zero-Day 36 Days Before Patch

The Interlock ransomware group exploited a critical, maximum-severity vulnerability (CVE-2026-20131) in Cisco's Secure Firewall Management Center (FMC) as a zero-day for 36 days before a patch was released. The flaw allows unauthenticated remote code execution with root privileges. Amazon's threat intelligence team discovered the exploitation and, in a major OPSEC failure by the attackers, also found a misconfigured server that exposed the group's entire operational toolkit, including custom RATs and reconnaissance scripts. The discovery highlights the advanced capabilities of ransomware groups and their focus on targeting edge network infrastructure.

Apple Unveils 'Background Security Improvements' to Patch WebKit SOP Bypass Flaw

Apple has introduced a novel update mechanism called 'Background Security Improvements' to deliver its first-ever out-of-band patch for a WebKit vulnerability. The flaw, tracked as CVE-2026-20643, is a cross-origin issue that could allow a malicious website to bypass the Same-Origin Policy (SOP), potentially enabling it to read sensitive data from other open websites. The new update method allows Apple to ship smaller, more agile security fixes for critical components like WebKit without requiring a full OS update, ensuring faster protection for users. The feature is enabled by default on iOS 26.1, iPadOS 26.1, macOS 26, and later, with patched versions identified by an '(a)' suffix.

High-Severity DoS Flaw in Parse Server (CVE-2026-32886) Allows Unauthenticated Remote Crash

A high-severity denial-of-service (DoS) vulnerability, CVE-2026-32886, has been found in Parse Server, a popular open-source backend framework. The flaw allows a remote, unauthenticated attacker to instantly crash a server process with a single, specially crafted API request. The vulnerability is caused by improper handling of the JavaScript prototype chain when the server resolves cloud function names. By sending a request with a function name containing properties like `__proto__`, an attacker can trigger a recursive loop that leads to a stack overflow, crashing the server. The issue affects Parse Server versions before 9.6.0-alpha.24 and 8.6.47, and users are urged to update immediately.

Micronaut Framework Flaw (CVE-2026-33012) Leads to DoS via Unbounded Cache

A high-severity denial-of-service (DoS) vulnerability, CVE-2026-33012, has been discovered in the Micronaut Framework, a popular Java-based application framework. The flaw, which has a CVSS score of 7.5, allows a remote attacker to cause an `OutOfMemoryError` and crash the application server. The vulnerability lies in the `DefaultHtmlErrorResponseBodyProvider` component, which uses an unbounded `ConcurrentHashMap` to cache error messages. An attacker can exploit this by repeatedly triggering exceptions with unique, attacker-controlled input, causing the cache to grow indefinitely until it consumes all available heap memory. The issue affects Micronaut versions 4.7.0 through 4.10.6 and is fixed in version 4.10.7.

Ransomware Surge: LockBit Leads as 28 New Victims Claimed in 24 Hours

Ransomware activity remains intense, with 28 new victims publicly claimed on data leak sites in the 24 hours leading up to March 17, 2026. The resilient LockBit ransomware group was the most prolific operator, claiming six new victims. The APT73 and Medusa gangs were also highly active, each adding four victims to their lists. The Professional Services sector and organizations within the United States continue to be the most frequent targets. Notable victims from this period include the Philippine Department of Public Works and Highways (targeted by APT73), Cape May County in the U.S. (attacked by Medusa), and the Florida East Coast Railway (claimed by PayoutsKing).

Novel Font-Rendering Trick Hides Malicious Commands from AI Assistants

Security researchers have developed a novel technique that uses font-rendering manipulations to hide malicious commands from AI assistants and security scanners while they remain invisible to human users. Disclosed on March 18, 2026, the method exploits how web browsers render different fonts to create text that is perceived differently by machines than by people. This allows for the creation of 'poisoned' web pages containing hidden instructions. When an AI assistant processes the content of such a page, it could inadvertently execute these commands, leading to potential data exfiltration or other unauthorized actions. The discovery highlights a new class of vulnerabilities in the gap between human and machine perception.

High-Severity Ubuntu Flaw (CVE-2026-3888) Allows Local Root Access

A high-severity local privilege escalation (LPE) vulnerability, CVE-2026-3888, has been discovered in default installations of multiple Ubuntu LTS versions. The flaw, found by the Qualys Threat Research Unit and rated 7.8 (High), allows an unprivileged local user to gain full root access. The vulnerability is a race condition stemming from an interaction between the privileged `snap-confine` utility and the `systemd-tmpfiles` service. An attacker can exploit a time window during the cleanup of a snap's temporary directory to create malicious symlinks, leading to a full system compromise. The flaw affects Ubuntu versions 16.04 through 24.04, and Canonical has released patches.

Poland Blocks Cyberattack on Nuclear Research Centre; Suspects Iran-Linked False Flag

Poland's National Centre for Nuclear Research (NCBJ) successfully detected and blocked a cyberattack targeting its internal IT infrastructure. Officials confirmed that no systems were compromised and the 'MARIA' research reactor remained safe. While preliminary analysis of the attack vectors points towards Iran, Polish authorities, including the Minister for Digital Affairs, have cautioned that this could be a 'false flag' operation designed to misdirect attribution, especially given the history of cyberattacks against Poland attributed to Russian-linked groups like APT44 (Sandworm).

EU Sanctions Chinese and Iranian Hack-for-Hire Firms for Cyberattacks

The European Union has imposed sanctions on three companies and two individuals from China and Iran for their involvement in cyberattacks against EU interests. The sanctioned entities include Iranian firm Emennet Pasargad, linked to the Charlie Hebdo data leak and election interference, and two Chinese companies: Anxun Information Technology (iSoon), a hack-for-hire group targeting critical infrastructure, and Integrity Technology Group, which supported operations linked to the state-backed APT group Flax Typhoon. The measures include asset freezes and travel bans.

Fortinet Patches Three Critical FortiGate Flaws Used in Active Attacks to Steal Credentials

Fortinet has released patches for three critical vulnerabilities in its FortiGate Next-Generation Firewalls (NGFWs), which were actively exploited by attackers between December 2025 and February 2026. Two of the flaws, CVE-2025-59718 and CVE-2025-59719 (CVSS 9.8), allowed remote authentication bypass via crafted SAML tokens. A third zero-day, CVE-2026-24858 (CVSS 9.8), was also abused. Attackers leveraged these flaws to gain administrative access, download the full device configuration, and steal service account credentials for lateral movement. CISA has added CVE-2025-59718 to its KEV catalog.

Atlassian Bulletin Details 21 High-Severity Flaws, Including Critical RCEs in Bamboo

Atlassian has published its March 2026 Security Bulletin, addressing numerous vulnerabilities across its product suite, 21 of which are rated high-severity. Among the most critical fixes is for a Remote Code Execution (RCE) vulnerability in Bamboo Data Center and Server (CVE-2026-21570, CVSS 8.6). Other significant flaws in Bamboo, stemming from an Apache Struts dependency, were also patched. The company urges customers to upgrade their instances to a fixed version to mitigate the risks posed by these vulnerabilities.

Google Finalizes Acquisition of Cloud Security Firm Wiz to Bolster Multicloud Security

Google has officially completed its acquisition of Wiz, a leading cloud-native security platform. This major strategic investment is aimed at enhancing Google Cloud's security offerings, particularly for customers operating in multicloud environments. Wiz will join the Google Cloud division but will continue to operate under its own brand, maintaining its commitment to securing customer environments across all major cloud providers, including AWS and Microsoft Azure. The move is expected to help organizations better secure their cloud and AI deployments.

Zapier Pledges Free AI Education for One Million People to Lower Skills Barrier

Workflow automation company Zapier has launched the "1 Million AIs" initiative, a public pledge to provide free AI education and training to one million people. The program aims to democratize AI skills, making them accessible to non-technical users and driving broader adoption of AI-powered automation. The initiative will include live workshops, bootcamps, and self-paced courses, with a public counter tracking progress towards the goal. The first virtual workshop is scheduled for April 7, 2026.

WEF Report: AI Supercharges Cyber Arms Race, Widens Global 'Cyber Equity' Gap

The World Economic Forum's (WEF) "Global Cybersecurity Outlook 2026" report warns of a deepening 'cyber equity' gap, where many organizations are falling below a 'security poverty line' and lack the resources to defend against modern threats. The report, based on data from 800 global leaders, also highlights the dual-edged role of AI, noting that while more organizations are assessing AI tools, 87% of leaders believe AI will significantly amplify cyber threats. The WEF calls for greater public-private collaboration to address these systemic risks to the global digital ecosystem.

Cisco Scrambles to Patch Critical SD-WAN Zero-Day Exploited for Months

Cisco has released emergency patches for a critical, CVSS 10.0 zero-day vulnerability, CVE-2026-20127, impacting its Catalyst SD-WAN products. The flaw, an authentication bypass, has been actively exploited by a threat actor tracked as UAT-8616 since at least 2023, allowing unauthenticated attackers to gain administrative privileges. The vulnerability has been added to CISA's KEV catalog, and federal agencies have been ordered to patch within two days. The exploit allows attackers to create rogue peer devices, manipulate network configurations, and has been observed chained with another flaw (CVE-2022-20775) to achieve root access.

Ransomware Splinters as Attacks Surge 59% in Asia-Pacific, S-RM Report Finds

S-RM's 2026 Cyber Incident Insights Report reveals a significant shift in the ransomware landscape, which is fragmenting into a more diverse and unpredictable ecosystem. Based on over 800 incidents in 2025, the report identified 67 distinct ransomware groups, an increase from the previous year. This diversification includes both sophisticated RaaS operations like Akira and Qilin and newer, less predictable actors. A key finding is the dramatic 59% year-over-year increase in ransomware attacks in the Asia-Pacific (APAC) region, driven by rapid digitization and immature security postures. The report also warns of emerging risks from the insecure adoption of AI agents with privileged access in enterprise environments.

UK Companies House Flaw Exposes Data of 5 Million Companies

The UK's official business registry, Companies House, has confirmed a significant security vulnerability in its WebFiling service that exposed the sensitive data of personnel from five million registered companies. The flaw, which was active from October 2025 until March 2026, allowed any logged-in user to view non-public information of other companies, including directors' residential addresses and full dates of birth, by manipulating their browser session. The service was taken offline for emergency maintenance and restored on March 16, 2026, after a patch was applied. Companies House has reported the incident to the ICO and NCSC and is urging all UK businesses to review their filing history for any unauthorized changes.

CISA KEV Alert: Actively Exploited Wing FTP Server Flaw Added to Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-47813, a medium-severity information disclosure vulnerability in Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) catalog. This indicates the flaw is being actively exploited in the wild. The vulnerability allows an unauthenticated attacker to reveal the full local installation path of the server by sending a crafted request. While not an RCE flaw itself, attackers are using this information for reconnaissance to facilitate more severe follow-on attacks. A patch has been available since May 2025 in version 7.4.4. CISA has mandated that federal agencies remediate the flaw by March 30, 2026.

Play Ransomware Claims Attack on U.S. Aviation Firm Executive Aviation

The Play ransomware group, also known as Playcrypt, has claimed responsibility for a cyberattack against Executive Aviation, a company in the U.S. aviation sector. On March 15, 2026, the group posted the company's name on its dark web leak site, threatening to publish a 'full leak' of stolen data unless a ransom is paid. This incident highlights the ongoing targeting of critical infrastructure sectors by sophisticated ransomware operators. The Play group is known for its double-extortion tactics and often gains initial access by exploiting vulnerabilities in public-facing VPN or RDP services. The attack serves as a warning to the aviation industry to bolster its defenses against such threats.

'The Gentlemen' Ransomware Hits Thai Financial Firm Chase Asia

A relatively new ransomware group calling itself 'The Gentlemen' has claimed responsibility for a cyberattack on Chase Asia, a major debt collection and loan management firm in Thailand. On March 16, 2026, the group threatened to publish the company's data if contact was not made. 'The Gentlemen' is believed to be a sophisticated Ransomware-as-a-Service (RaaS) operation that emerged from the Qilin ransomware ecosystem. The group is known to target Windows, Linux, and ESXi environments and has previously exploited Fortinet VPN vulnerabilities for initial access. This attack on a prominent financial firm highlights the expanding reach of organized cybercrime into the Asia-Pacific market.

Critical CVSS 9.9 SQL Injection Flaw (CVE-2026-32306) Hits OneUptime Platform

A critical SQL injection vulnerability, CVE-2026-32306, with a CVSS score of 9.9 has been disclosed in the OneUptime open-source observability platform. The flaw allows a low-privileged authenticated user to execute arbitrary SQL commands against the backend ClickHouse database. This could enable an attacker to read or modify data across all tenants in a shared environment and potentially achieve remote code execution (RCE). The vulnerability, which stems from improper sanitization of API parameters, has been patched in version 10.0.23. This is the fourth critical vulnerability to impact OneUptime in just six weeks, raising serious concerns about the platform's security posture and prompting recommendations for users of self-hosted instances to apply the patch immediately.

AppsFlyer Web SDK Hijacked in Supply-Chain Attack to Deploy Crypto-Stealing Malware

The widely used AppsFlyer Web SDK was compromised in a software supply-chain attack reported on March 14, 2026. For a brief period, the official SDK hosted on 'websdk.appsflyer.com' was replaced with a malicious version that delivered a crypto-stealing JavaScript payload. The malware was designed to intercept cryptocurrency wallet addresses entered by users on any of the thousands of websites integrating the SDK, replacing them with attacker-controlled addresses to divert funds. AppsFlyer confirmed that a domain registrar incident on March 10 led to the compromise. The company has since resolved the issue and stated that its mobile SDK and customer data were not affected. The event highlights the significant downstream risk of supply-chain attacks targeting popular third-party scripts.

Payload Ransomware Hits Royal Bahrain Hospital, Threatens to Leak 110 GB of Patient Data

The Payload ransomware group has claimed responsibility for a cyberattack on the Royal Bahrain Hospital (RBH), a major healthcare provider in the Gulf region. In a post on their dark web leak site dated March 15, 2026, the group alleged it had stolen 110 gigabytes of sensitive data and published images of compromised systems as proof. Payload is employing a double-extortion tactic, threatening to publish the stolen data if a ransom is not negotiated by their March 23 deadline. The attack on RBH, which serves patients from across the region, poses a significant threat to patient privacy and hospital operations, and is another stark example of the healthcare sector's continued targeting by financially motivated ransomware gangs.

HHS Launches Free Cybersecurity Toolkit to Help Healthcare Orgs Assess Risk

The U.S. Department of Health and Human Services' (HHS) Administration for Strategic Preparedness and Response (ASPR) has launched a new cybersecurity module for its free RISC 2.0 Toolkit. Announced on March 14, 2026, the web-based tool is designed to help healthcare organizations of all sizes assess their cybersecurity posture. The module guides users through a questionnaire about their security practices and scores their responses against two key standards: the NIST Cybersecurity Framework (CSF) 2.0 and the HHS Cybersecurity Performance Goals (CPGs). This enables facilities to identify security gaps, prioritize investments, and improve their overall resilience against cyber threats, as part of a broader federal effort to bolster the security of the healthcare sector.

CA/Browser Forum Mandate Cuts TLS Certificate Lifespan to 200 Days, Forcing Automation

Effective March 15, 2026, a major industry-wide policy change mandated by the CA/Browser Forum has reduced the maximum lifespan of all newly issued public TLS/SSL certificates from 398 days to just 200 days. This change, which affects all Certificate Authorities (CAs) and browsers, is designed to improve security by forcing more frequent re-validation of website identities and limiting the window for misuse of compromised certificates. The move is the first step in a phased plan that will see lifespans shrink to 100 days in 2027 and 47 days in 2029. This accelerated renewal cadence will make manual certificate management impractical, creating a strong imperative for organizations to adopt automated certificate lifecycle management (CLM) solutions to avoid outages and security risks.

Canadian Retail Giant Loblaw Investigates Data Breach Exposing Customer Info

Loblaw Companies Limited, Canada's largest food and pharmacy retailer, has announced it is investigating a data breach after detecting suspicious activity on its network. The company stated that an unauthorized third party accessed a non-critical segment of its network and exfiltrated basic customer information, including names, phone numbers, and email addresses. Loblaw has assured customers that more sensitive data such as passwords, financial information, and health data were not compromised. As a precaution, the company has logged all customers out of their accounts, requiring them to sign back in.

CISA Issues Binding Directive: Federal Agencies Must Remove Unsupported Edge Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive requiring all federal civilian agencies to remove unsupported, end-of-life (EoL) 'edge' devices from their networks. The move targets internet-facing hardware like routers, firewalls, and VPNs that no longer receive security updates, as these are frequently exploited by advanced threat actors. Agencies have three months to identify all such devices and must complete their removal and replacement within 18 months, reflecting a major push to reduce the government's attack surface.

Google and Partners Dismantle Chinese Espionage Campaign (UNC2814) Targeting Global Telecoms

Google's Threat Intelligence Group (GTIG), with partners including Mandiant, has disrupted a major cyber-espionage campaign attributed to UNC2814, a hacking group linked to the People's Republic of China. Active since at least 2017, the campaign compromised at least 53 telecommunication and government organizations in 42 countries across multiple continents. The group's goal was intelligence collection and monitoring communications. The takedown involved sinkholing attacker domains and blocking their use of Google Sheets for command-and-control (C2) communications. Google has notified the victims and released Indicators of Compromise (IOCs).

Starbucks Discloses Data Breach After Phishing Attack on Employee Portal

Starbucks has disclosed a data breach affecting 889 of its employees after attackers gained unauthorized access to their accounts on the company's 'Partner Central' portal. The breach was the result of a targeted phishing campaign where employees were tricked into entering their credentials on fraudulent websites impersonating the legitimate portal. The incident, discovered on February 6, 2026, led to the exposure of highly sensitive personal information, including names, Social Security numbers, dates of birth, and financial account details. Starbucks has notified law enforcement and is providing affected employees with 24 months of free credit monitoring and identity protection services.

ShinyHunters Claims Massive Data Theft from Telus Digital, Demands $65 Million

Canadian business process outsourcer Telus Digital is investigating a major security incident after the notorious 'ShinyHunters' hacking group claimed to have stolen nearly a petabyte of data. The attackers are demanding a $65 million ransom. The breach allegedly involves customer data, call records, and sensitive information from dozens of Telus Digital's corporate clients, which include banks and tech firms. ShinyHunters reportedly gained initial access using stolen Google Cloud Platform credentials from a previous third-party breach, highlighting a significant supply chain risk.

Police Scotland Fined £66,000 by UK Regulator for Egregious Data Protection Failures

The UK's Information Commissioner's Office (ICO) has fined Police Scotland £66,000 for severe data protection violations. The police force improperly extracted the entire contents of a crime victim's mobile phone, collecting excessive and irrelevant sensitive data. This unredacted data was then mistakenly shared with an unauthorized third party. The ICO cited a lack of adequate policies, technical controls, and staff guidance as root causes for the breach, which also involved a failure to report the incident within the mandatory 72-hour window.

"DarkSword" iOS Exploit Chain Actively Used by Spyware Vendors and State Actors

Google's Threat Analysis Group (TAG) has uncovered a sophisticated iOS exploit chain named 'DarkSword,' which is being actively used by multiple threat actors, including commercial spyware vendors and state-sponsored groups. The exploit leverages six vulnerabilities, including CVE-2026-20700 and CVE-2025-43529, to achieve full device compromise on iPhones running iOS 18.4 to 18.7. The attack can be delivered via drive-by downloads and deploys a potent data-stealing payload called 'Ghostblade,' which exfiltrates messages, contacts, location data, and information from secure messaging and crypto apps.

CISA Warns: Critical SharePoint RCE Flaw Now Actively Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in Microsoft SharePoint Server, CVE-2026-20963, to its Known Exploited Vulnerabilities (KEV) catalog, confirming it is under active attack. The flaw, rated 9.8 in severity, allows an unauthenticated attacker to execute arbitrary code with no user interaction. It affects multiple versions of SharePoint Server. CISA has ordered federal agencies to apply the patch, originally released in January 2026, by March 21, and strongly urges all organizations to prioritize patching immediately.

Microsoft Rushes Emergency Hotpatch for Critical RCE Flaws in Windows RRAS

Microsoft has issued an emergency, out-of-band hotpatch (KB5084597) on March 13, 2026, to address three critical remote code execution (RCE) vulnerabilities in the Windows Routing and Remote Access Service (RRAS). The flaws—CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111—affect Windows 11 and can be exploited by an attacker who tricks a user into connecting to a malicious remote server. A successful exploit could allow the attacker to execute arbitrary code on the victim's device. The hotpatch is being delivered via Windows Update and allows for a no-reboot installation on supported Enterprise devices, underscoring the severity of the vulnerabilities in this core networking component.

Chinese Spy Group Targets Southeast Asian Militaries with Custom 'AppleChris' & 'MemFun' Backdoors

A suspected China-based cyber espionage group, tracked as CL-STA-1087, is conducting a long-running intelligence-gathering campaign against military organizations in Southeast Asia. Active since at least 2020, the operation demonstrates high sophistication, using custom backdoors named 'AppleChris' and 'MemFun' along with a credential harvesting tool called 'Getpass.' The threat actors focus on exfiltrating specific, high-value intelligence related to military capabilities, organizational structures, and collaborations with Western forces. Researchers at Palo Alto Networks Unit 42 detected the intrusion after observing suspicious PowerShell commands used to establish reverse shells to a command-and-control server, indicating a patient and persistent adversary focused on strategic espionage rather than widespread disruption.

Malicious AI Browser Extensions Caught Stealing ChatGPT Prompts and Corporate Data

Security researchers have uncovered a widespread data harvesting campaign involving malicious Chromium browser extensions disguised as helpful AI assistants. These extensions, installed nearly 900,000 times from official browser stores, targeted over 20,000 enterprise environments. The malware's primary function was to steal browsing history and exfiltrate the full content of user interactions with Large Language Models (LLMs) like ChatGPT and DeepSeek. This allowed attackers to capture potentially sensitive corporate data, intellectual property, and source code that employees were inputting into AI services. The incident highlights the significant 'shadow IT' risk posed by ungoverned browser extensions and the use of public AI tools for business purposes.

'SocksEscort' Proxy Botnet Used for Millions in Fraud Dismantled by FBI & Europol

An international law enforcement action named 'Operation Lightning' has dismantled 'SocksEscort,' a massive residential proxy service that facilitated widespread cybercrime. The service operated by infecting hundreds of thousands of home and business routers worldwide with the 'AVRecon' botnet malware. This network of compromised devices was then sold to criminals, who used it to hide their activities while committing large-scale fraud, including ransomware, ad fraud, and identity theft, resulting in tens of millions of dollars in losses. The operation, led by the FBI and Europol, involved seizing 34 domains and 23 servers, and freezing $3.5 million in cryptocurrency, dealing a major blow to the cybercrime ecosystem.

China's CERT Warns 'OpenClaw' AI Model Can Be Abused to Delete Data, Expose Keys

China's national Computer Emergency Response Team (CERT) has issued a significant security warning about the 'OpenClaw' AI model. According to the alert reported on March 12, 2026, the model can be manipulated to perform dangerous and destructive actions, such as deleting user data, exposing sensitive information like secret keys, and loading malicious content onto a system. The perceived severity of these vulnerabilities has reportedly led authorities in Beijing to ban the use of the AI model. The warning highlights the growing concerns among national security bodies about the inherent risks and potential for misuse of powerful, publicly available large language models.

Zscaler Rushes Patch for Critical Privilege Escalation Flaw in Windows Client Connector

Zscaler has released a security update for a high-severity privilege escalation vulnerability, CVE-2024-5407, in its Client Connector for Windows. The flaw, with a CVSS score of 7.8, could allow a local attacker with standard user privileges to gain SYSTEM-level access by exploiting the application's repair functionality. This could enable full system compromise, data theft, or the deployment of malware like ransomware. Zscaler strongly urges all customers to update to the patched version 4.4.0.280 immediately to mitigate the risk. While not yet exploited in the wild, its public disclosure increases the likelihood of future attacks.

Black Basta Ransomware Gang Caught Exploiting Windows Zero-Day for SYSTEM-Level Access

The notorious Black Basta ransomware gang has been observed exploiting a now-patched zero-day vulnerability in the Microsoft Windows Error Reporting Service, tracked as CVE-2024-26169. This critical privilege escalation flaw allowed attackers to gain SYSTEM privileges, bypassing security measures to deploy their ransomware. The threat group Cardinal (Storm-1811), an initial access broker for Black Basta, was also linked to the attacks. Microsoft addressed the vulnerability in its March 2024 Patch Tuesday updates, highlighting the urgent need for organizations to apply security patches to defend against sophisticated ransomware operations.

VMware Patches Critical RCE Flaws in vCenter and ESXi; Admins Urged to Update Immediately

VMware has released urgent security updates to address three critical vulnerabilities in its vCenter Server and ESXi products. The flaws include two heap-overflow vulnerabilities (CVE-2024-22252, CVE-2024-22253) with CVSS scores of 9.3, and a privilege escalation vulnerability (CVE-2024-22255). The heap-overflow flaws could allow an attacker with access to a virtual machine to escape to the hypervisor and achieve remote code execution, leading to a complete compromise of the host. VMware states there are no workarounds and immediate patching is the only mitigation.

CISA Adds Actively Exploited SharePoint RCE Chain to KEV Catalog, Mandates Federal Patching

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two Microsoft SharePoint vulnerabilities, CVE-2023-29357 and CVE-2023-24955, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms the flaws are being actively used in attacks. When chained together, these vulnerabilities allow an unauthenticated attacker to achieve remote code execution (RCE) on affected SharePoint servers. CISA has mandated that all Federal Civilian Executive Branch agencies apply the necessary patches by a specified deadline, and all organizations are strongly urged to patch immediately.

New 'Migo' Golang Malware Blinds Linux Security Tools on Redis Servers

A new Golang-based malware named 'Migo' is targeting exposed Redis servers on Linux systems. The malware's primary objective is to disable endpoint security solutions, cloud agents, and other monitoring tools, effectively blinding security teams. After neutralizing defenses, Migo deploys a cryptocurrency miner to hijack the compromised system's resources. The use of Golang makes the malware highly portable and harder to detect. Security researchers note that Migo is under active development, indicating a persistent and evolving threat. Securing Redis instances is a critical mitigation.

Leaked LockBit 3.0 Builder Continues to Fuel Ransomware Ecosystem, Complicating Attribution

The LockBit 3.0 ransomware builder, which was leaked in September 2022, is still being widely used by a multitude of threat actors to launch their own custom ransomware attacks. This has led to a significant proliferation of smaller, disparate ransomware operations, making attack attribution and defense more challenging for organizations. The leak has effectively 'democratized' a sophisticated ransomware tool, lowering the barrier to entry for less-skilled cybercriminals and creating a long-lasting problem for the cybersecurity community. The attacks have impacted a wide range of industries globally.

Microsoft Unleashes Massive April 2024 Patch Tuesday, Fixing 149 Flaws Including Critical RCEs

Microsoft has released its April 2024 Patch Tuesday update, a substantial release addressing 149 vulnerabilities across its product portfolio. Of these, three are rated as critical: a remote code execution (RCE) flaw in Microsoft SQL Server (CVE-2024-21422), a Windows Secure Boot bypass (CVE-2024-29053), and an RCE in the Microsoft RPC runtime (CVE-2024-21323). The update also covers numerous important-rated flaws in Windows, Office, Azure, and Dynamics 365. Given the volume and criticality of the fixes, organizations are urged to prioritize deployment of these updates to protect against potential exploitation.

Stealthy 'Cuttlefish' Malware Hides on Routers to Steal Credentials from Network Traffic

A sophisticated and stealthy malware named 'Cuttlefish' has been found infecting enterprise-grade routers. The malware is designed to remain hidden while it actively monitors network traffic passing through the device. Its primary goal is to exfiltrate sensitive information, such as usernames, passwords, and other credentials, by intercepting traffic from various protocols. The infection vector is believed to be the exploitation of known vulnerabilities or weak credentials. The malware's persistence and data-stealing capabilities make it a significant threat to corporate security and privacy.

Panda Restaurant Group Discloses Data Breach Impacting Corporate Employee Information

Panda Restaurant Group, the parent company of the Panda Express fast-food chain, has disclosed a data breach that exposed the personal information of some of its current and former corporate employees. The breach occurred in March 2024 when unauthorized actors gained access to corporate systems and exfiltrated files. The compromised data includes names, Social Security numbers, and driver's license numbers. The company has stated that customer data was not affected and is offering credit monitoring services to the impacted individuals.

'FakeBat' Malware Loader Uses Malvertising to Distribute RedLine Stealer and Other Payloads

A new and evolving malware loader, dubbed 'FakeBat', is being distributed through widespread malvertising campaigns. These campaigns use malicious ads that impersonate legitimate download pages for popular business software like Slack, Zoom, and Notion. When a user clicks an ad, they are redirected to a site that downloads the FakeBat loader. FakeBat is then used to deliver a variety of secondary payloads, most notably information stealers like RedLine Stealer and remote access trojans (RATs). The campaign highlights the ongoing threat of malvertising as a primary infection vector.

US Offers $10 Million Bounty for Information on BlackCat (ALPHV) Ransomware Gang Leaders

The U.S. Department of State's Rewards for Justice program is offering a reward of up to $10 million for information that leads to the identification or location of key leaders of the BlackCat (also known as ALPHV) ransomware gang. This significant bounty is part of a broader U.S. government effort to disrupt the operations of this prolific and destructive cybercrime group, which is known for targeting critical infrastructure and healthcare organizations worldwide using a 'triple extortion' model.

Starbucks Discloses Data Breach Affecting 889 Employees via Phishing Attack

Starbucks has revealed a data breach impacting 889 of its employees, or "partners," after their accounts on the company's 'Partner Central' portal were compromised. The breach was the result of a successful phishing campaign where employees were tricked into entering their credentials on imposter websites. The unauthorized access occurred over three weeks, between January 19 and February 11, 2026. The company discovered the activity on February 6 and contained it five days later. The exposed data is highly sensitive, including employees' full names, Social Security numbers, and financial account and routing numbers. Starbucks has stated that no customer data was affected and is providing identity theft protection services to the impacted employees.

UK NCSC Warns of Heightened Indirect Cyber Threat from Iran Amid Geopolitical Tensions

The UK's National Cyber Security Centre (NCSC) has issued an advisory urging British organizations to enhance their cyber defenses due to an increased risk of indirect cyber threats linked to Iran. The warning comes amid escalating geopolitical tensions in the Middle East. While the direct threat to the UK has not significantly changed, the NCSC cautions that organizations with supply chains or operations in the region, as well as Critical National Infrastructure (CNI), could face collateral damage from politically motivated cyberattacks.

Ericsson Data Breach Exposes Personal Info of 15,000 Due to Third-Party Vendor Compromise

Telecommunications giant Ericsson has reported a data breach impacting approximately 15,000 individuals associated with its US operations. The incident was not a direct breach of Ericsson's systems but originated from a compromise at an unnamed third-party service provider. The breach occurred in April 2025, but the investigation only concluded in February 2026. An unauthorized party gained access to files containing sensitive personal information, including names, addresses, Social Security numbers, driver's license numbers, and financial data, highlighting the significant risks posed by supply chain security vulnerabilities.

APT28 Hits Ukrainian Military with Custom 'BeardShell' Malware in Two-Year Espionage Campaign

The Russian state-sponsored threat group APT28, also known as Fancy Bear, has been conducting a persistent cyberespionage campaign against the Ukrainian military for nearly two years. Research from ESET reveals the group, attributed to Russia's GRU, has been using a sophisticated toolkit of custom malware since at least April 2024. The campaign employs paired implants, including a backdoor named 'BeardShell' and a heavily modified version of the open-source C2 framework 'Covenant'. The operation also deployed the 'SlimAgent' keylogger, demonstrating the group's continued investment in developing advanced tools for strategic intelligence gathering.

State-Aligned Hackers from China, Iran, Belarus Escalate Espionage in Middle East

A new report from Proofpoint reveals a significant uptick in cyber-espionage campaigns targeting government and diplomatic entities in the Middle East. Threat actors with suspected alignments to China (UNK_InnerAmbush), Iran (TA402, TA453), Belarus (TA473), and Hamas are opportunistically using a regional conflict as lure content for strategic intelligence collection. These campaigns often use compromised government email accounts, such as one from Iraq's Ministry of Foreign Affairs, to send highly credible phishing emails, demonstrating a complex and multi-faceted cyber-threat landscape in the region.

First-Ever 'Wormable' Malware in npm History Detailed in Analysis of 2025 Supply Chain Attacks

A detailed analysis of major JavaScript supply chain attacks from late 2025 reveals a significant escalation in threat actor sophistication. The campaigns included the compromise of massively popular npm packages like 'Chalk' and 'Debug,' which collectively see two billion weekly downloads, with payloads designed to steal cryptocurrency. Another campaign featured the 'Shai-Hulud' worm, described as the first wormable malware in npm's history. This malware executed during the `npm install` process, stealing developer credentials like npm tokens, GitHub PATs, and AWS keys, and then publishing them to a public repository, highlighting a severe threat to the software development lifecycle.

Critical Nginx UI Flaw (CVE-2026-27944) Allows Unauthenticated Backup Theft and Decryption

A critical information disclosure vulnerability, CVE-2026-27944, has been discovered in Nginx UI, a popular web interface for managing Nginx servers. The flaw, which has a CVSS score of 9.8, allows a remote, unauthenticated attacker to download a full system backup. Compounding the issue, the API endpoint also discloses the encryption key in a response header, allowing for immediate decryption of the stolen backup. The backup can contain highly sensitive data, including user credentials, session tokens, and SSL private keys. Users are urged to update to the patched version, Nginx UI 2.3.3, immediately.

Russian State Hackers Target Signal & WhatsApp Accounts of High-Value Individuals

Dutch intelligence agencies AIVD and MIVD have issued a warning about a large-scale phishing campaign by Russian state-backed hackers aimed at compromising the Signal and WhatsApp accounts of high-value targets. The campaign targets government officials, military personnel, and journalists. The attacks do not exploit software vulnerabilities but rely on social engineering to trick victims into sharing SMS verification codes or scanning malicious QR codes to link an attacker's device. This allows the attackers to take over the account or silently monitor all communications.

ShinyHunters Linked to Voice Phishing Campaign Targeting Okta Admins to Steal SaaS Data

A 2026 cyberattack campaign is using voice phishing (vishing) and social engineering to compromise Okta administrator accounts, with TTPs consistent with the ShinyHunters threat group. According to Obsidian Security, attackers socially engineer IT help desks or users over the phone to gain initial access. Once in, they immediately enroll their own MFA device (often an emulated Android device with Okta FastPass) to establish persistence. With persistent access to the identity provider, the attackers then pivot to connected single sign-on (SSO) applications to perform high-volume data exfiltration, highlighting a coordinated attack across the identity and SaaS layers.

FBI Warns of Sophisticated Phishing Scam Impersonating City Officials to Steal Permit Fees

The FBI's Internet Crime Complaint Center (IC3) has issued a public service announcement about a sophisticated, nationwide phishing campaign. Scammers are impersonating city and county officials, using publicly available permit data to create highly convincing emails that trick individuals and businesses into paying fraudulent fees. The attackers request payment via non-standard methods like wire transfers, P2P apps, and cryptocurrency, creating a significant financial risk for those engaged in the permitting process.

Texas Healthcare Provider CommuniCare Discloses Data Breach Affecting Nearly 20,000 Patients

The San Antonio-based Barrio Comprehensive Family Health Care Center, operating as CommuniCare, has reported a data breach impacting 19,885 individuals. The breach stemmed from unauthorized access to an employee's email account, which was first detected in September 2025. A subsequent investigation confirmed that the compromised account contained a trove of patient data, including personally identifiable information (PII) and protected health information (PHI) such as medical diagnoses, treatments, and prescription details.

FDD Warns NIST of "Agentic AI" Security Risks, Highlighting Prompt Injection and Multi-Agent Dangers

The Foundation for Defense of Democracies (FDD) has submitted a formal public comment to the U.S. National Institute of Standards and Technology (NIST), warning that the federal government is unprepared for the unique security risks posed by agentic artificial intelligence. The submission, part of NIST's RFI for a new AI Agent Security Framework, highlighted novel threats like indirect prompt injection, data poisoning, and multi-agent interaction risk. The FDD urged NIST to update core security standards to address these emerging dangers, which could be exploited by nation-state adversaries.

Transport for London Confirms 2024 Breach by 'Scattered Spiders' Affected 10 Million People

Transport for London (TfL) has officially confirmed the massive scale of a cyberattack that occurred in August 2024. The breach, attributed to the notorious hacking group 'Scattered Spiders', affected approximately 10 million people. The attackers stole a database containing sensitive personal information, including names, email addresses, phone numbers, and home addresses. The financial impact of the incident is estimated to be around £39 million ($52 million USD), highlighting the severe consequences of the attack long after its initial discovery.

Critical Zero-Click RCE Flaw (CVE-2026-25253) Hits OpenClaw AI Agent Framework

A critical zero-click remote code execution (RCE) vulnerability, CVE-2026-25253, has been discovered in the widely-used OpenClaw AI Agent Framework. The flaw allows a remote attacker to gain complete control of a developer's machine with minimal to no user interaction, posing a severe security risk. This disclosure adds to a series of security crises for the open-source project, which was already dealing with hundreds of malicious 'skills' on its marketplace. The vulnerability has drawn advisories from international cybersecurity agencies, compounding the pressure on the project.

Paint Giant AkzoNobel Hit by Anubis Ransomware; 170GB of Client Data and Passports Leaked

Dutch paint and coatings multinational AkzoNobel has confirmed that one of its U.S. sites was hit by a ransomware attack. The Anubis ransomware group has claimed responsibility on its dark web leak site, stating it exfiltrated 170 GB of data, including over 170,000 files. The attackers leaked samples containing confidential client agreements, product specifications, and sensitive employee PII like passport scans, demonstrating a classic double-extortion tactic. AkzoNobel stated the incident was contained to the single site.

China-Linked Group UAT9244 Targets South American Telecoms with New Malware Suite

A newly identified China-linked threat actor, designated UAT9244, is targeting telecommunications providers in South America with a previously undocumented malware toolkit. The campaign appears focused on long-term espionage and intelligence collection within this critical infrastructure sector. Researchers have identified a suite of custom implants, including backdoors named TernDoor, PeerTime, and BruteEntry, which provide capabilities for remote command execution, persistence, and reconnaissance. The strategic targeting of telecom providers highlights an ongoing focus by nation-state actors on critical infrastructure for surveillance purposes.

Google Patches Actively Exploited Qualcomm Zero-Day in Massive Android Update

Google's March 2026 security update for Android addresses 129 vulnerabilities, including a high-severity zero-day flaw, CVE-2026-21385, in a Qualcomm display component. The vulnerability, a memory corruption issue affecting over 230 Qualcomm chipsets, is confirmed to be under limited, targeted exploitation. The patch is included in the '2026-03-05' security patch level, and users are urged to update their devices as soon as the patch is made available by their respective manufacturers to mitigate the risk of compromise.

Infutor Data Breach Exposes 676 Million Records, Including SSNs, via Misconfigured Database

Data solutions provider Infutor, now part of Verisk, has reportedly suffered a colossal data breach exposing over 676 million unique records. The leak is attributed to a misconfigured Elasticsearch database and is said to include highly sensitive personally identifiable information (PII) such as full names, physical addresses, dates of birth, and Social Security numbers. Given Infutor's role in providing consumer identity data for marketing and verification, the breach could have severe and far-reaching consequences, placing millions at risk of identity theft and financial fraud. Attorneys are now investigating a potential class-action lawsuit.

New Excel Flaw Allows Zero-Click Data Theft by Abusing Copilot AI

Microsoft has disclosed and patched CVE-2026-26144, a high-severity cross-site scripting (XSS) vulnerability in Microsoft Excel with a CVSS score of 7.5. The flaw is particularly dangerous due to a novel attack vector that allows for zero-click data theft by leveraging Microsoft's own Copilot AI features. An attacker can craft a malicious Excel file that, when opened, uses the Copilot agent to exfiltrate sensitive data from the user's machine without any further interaction. Microsoft has released patches as part of its March 2026 security updates and urges customers to apply them immediately.

Cyberattack on French Healthcare Vendor Exposes Medical Data of 15 Million People

The French health ministry has confirmed a massive cyberattack that compromised the administrative and medical data of over 15 million individuals. The breach was a supply chain attack originating from Cegedim Santé, a software company providing services to approximately 1,500 medical practices. While most victims had administrative data like names and addresses exposed, over 165,000 individuals had highly sensitive medical notes leaked, including details on HIV/AIDS status and sexual orientation. The incident underscores the immense risk of supply chain vulnerabilities within the healthcare sector.

LexisNexis Confirms Breach After Hacker 'FulcrumSec' Leaks Data of 400,000 Users, Including U.S. Gov Employees

Data analytics and legal research firm LexisNexis Legal & Professional has confirmed a significant data breach that occurred on February 24, 2026. The incident was initiated by a threat actor known as 'FulcrumSec' who exploited a critical vulnerability, CVE-2025-55182 (React2Shell), in an unpatched front-end application. The attackers then leveraged severe AWS cloud misconfigurations, including overly permissive IAM roles and hardcoded credentials, to escalate privileges and move laterally. On March 3, FulcrumSec publicly leaked 2GB of stolen data, which reportedly includes information on nearly 400,000 user profiles and over 21,000 enterprise accounts. The compromised data contains names, emails, and phone numbers, and notably affects over 100 U.S. government employees. LexisNexis stated the breach was contained and primarily impacted legacy data, with no exposure of sensitive legal research, financial information, or Social Security numbers.

Iranian-Aligned Groups Launch 'The Great Epic' Wiper Campaign Targeting Israel and Allies

In retaliation for recent military strikes, a coalition of Iranian-aligned threat groups, including 'Handala Hack,' has launched a disruptive cyber campaign dubbed 'The Great Epic.' The operation primarily uses destructive wiper malware to attack critical infrastructure and logistics in Israel and Jordan. Unlike financially motivated ransomware, the goal is pure disruption. Israel's National Cyber Directorate issued a warning on March 6, 2026, about active attacks aimed at deleting servers, while the Handala group leaked sensitive data allegedly belonging to Israeli military personnel.

Pentagon Blacklists Anthropic AI, Citing National Security Risk Over Usage Policy Dispute

In an unprecedented move, the U.S. Pentagon has designated artificial intelligence company Anthropic a 'supply chain risk,' effectively banning its technology, including the Claude AI model, from all federal agencies. The decision, announced March 2, 2026, and directed by President Donald Trump, stems from a fundamental disagreement over Anthropic's acceptable use policy (AUP). The Pentagon sought unrestricted use of the AI for 'all lawful purposes,' while Anthropic refused to lift prohibitions against its use in autonomous weapons and mass surveillance, leading to a contract breakdown and the sweeping directive.

Cisco SD-WAN Flaw (CVSS 10.0) Actively Exploited, CISA Issues Emergency Directive

A critical authentication bypass vulnerability, **[CVE-2026-20127](https://www.cisco.com/c/en/us/support/docs/cve/2026/cve-2026-20127.html)**, in **[Cisco](https://www.cisco.com)** Catalyst SD-WAN Controller software is being actively exploited in the wild. The flaw, which has a maximum CVSS score of 10.0, allows a remote, unauthenticated attacker to gain administrative privileges on affected devices, effectively handing them control over a core component of an enterprise network. The threat actor UAT-8616 has been observed exploiting this vulnerability. Due to the severe risk, **[CISA](https://www.cisa.gov)** has issued Emergency Directive 26-03, compelling federal agencies to patch immediately and inventory all affected systems.

Microsoft's March Patch Tuesday Fixes 84 Flaws, Including Two Publicly Known Zero-Days

Microsoft has released its March 2026 security updates, addressing a total of 84 vulnerabilities across its product portfolio, including Windows, Office, Azure, and SQL Server. The update includes patches for eight critical flaws, primarily involving remote code execution and elevation of privilege. While none of the vulnerabilities were actively exploited at the time of release, two were publicly disclosed, increasing the urgency for remediation. These include a critical elevation of privilege bug in SQL Server (CVE-2026-21262) and a denial-of-service flaw in .NET (CVE-2026-26127). The patches cover a wide range of products, with elevation of privilege flaws representing the largest category of fixes.

Navia Data Breach Exposes Personal and Health Data of Nearly 2.7 Million Individuals

Navia Benefit Solutions, a third-party benefits administrator, has disclosed a significant data breach that exposed the personal and health information of nearly 2.7 million people. The incident occurred between December 2025 and January 2026, during which attackers had unauthorized access to Navia's systems. The stolen data includes names, Social Security numbers, dates of birth, and sensitive health plan information related to HRAs, FSAs, and COBRA plans. The breach has impacted employees from over 10,000 companies, including union workers in Washington state. Navia is now facing multiple class-action lawsuits.

Industrial Cyber Threats Evolve from Spying to Physical Disruption, Dragos Warns

The Dragos 2026 OT/ICS Cybersecurity Year in Review report reveals a significant strategic shift by adversaries targeting industrial sectors. Attackers are moving beyond simple espionage and are now actively studying industrial processes with the intent to cause physical operational impact. The report identifies three new APT groups specializing in industrial attacks, including SYLVANITE, an initial access broker. While nation-state threats are growing in sophistication, the report also highlights that ransomware remains a primary threat, with 119 distinct groups targeting over 3,300 industrial organizations in 2025.

Stryker Hit by Destructive Attack as Hackers Weaponize Microsoft Intune for Mass Device Wipe

Medical technology leader Stryker was hit by a highly disruptive cyberattack where attackers used a compromised administrative account to issue remote wipe commands to thousands of corporate devices via Microsoft Intune. The attack, attributed to pro-Iranian hackers, was not technically sophisticated but leveraged legitimate IT administration functions for destructive purposes. The mass device wipe caused significant operational disruption, leading to delays in surgical cases due to inventory delivery issues. The incident serves as a stark warning that Mobile Device Management (MDM) platforms must be treated as critical, high-risk assets requiring stringent security controls.

Russian APT28 Exploits Zimbra XSS Flaw in Phishing Campaign Against Ukraine

A Russian-backed APT group, believed to be APT28 (Fancy Bear), is exploiting a high-severity cross-site scripting (XSS) vulnerability in Zimbra Collaboration (CVE-2025-66376). The campaign targets Ukrainian government entities, including the State Hydrology Agency, with sophisticated phishing emails. The attack uses a stored XSS flaw embedded directly in the email's HTML body, which executes upon opening in a vulnerable Zimbra webmail client. The malicious JavaScript payload is designed to steal credentials, 2FA data, and emails. CISA has added the vulnerability to its KEV catalog.

GitHub Phishing Campaign Lures Developers with Fake $5,000 OpenClaw Crypto Airdrop

A sophisticated phishing campaign is abusing GitHub to target developers with a fake crypto airdrop for a project named OpenClaw. Attackers create fake accounts, open issue threads, and tag legitimate developers, promising a $5,000 token allocation. The link leads to a convincing clone of the real OpenClaw website with a malicious 'Connect your wallet' button. This button executes a wallet-draining script that steals funds from connected crypto wallets like MetaMask and Trust Wallet. The campaign uses social engineering by targeting developers who have shown interest in the legitimate OpenClaw project.

Critical Cisco Firewall Flaw (CVSS 10.0) Exploited as Zero-Day by Ransomware Gang

Cisco has released an urgent security update for a critical vulnerability, CVE-2026-20131, in its Secure Firewall Management Center (FMC) software. The flaw carries the maximum CVSS score of 10.0 and allows an unauthenticated, remote attacker to execute arbitrary code with root privileges. The vulnerability was actively exploited as a zero-day by the Interlock ransomware group for more than a month before the patch was released, making immediate patching a top priority for all affected organizations.

ShinyHunters Exploits Salesforce Cloud Flaw, Steals Data from Hundreds of Orgs

The **[ShinyHunters](https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters)** cybercrime group is actively exploiting widespread customer misconfigurations in **[Salesforce](https://www.salesforce.com/)** Experience Cloud, leading to data exfiltration from hundreds of organizations. According to a Salesforce advisory on March 7, 2026, the attackers are not exploiting a platform vulnerability but are abusing overly permissive guest user access settings. Using a modified open-source tool, ShinyHunters scans for public sites and queries exposed APIs (`/s/sfsites/aura` and GraphQL) to steal CRM data. The campaign, which began in late 2025, has prompted a FINRA alert, warning that the stolen data is being used for targeted phishing and extortion.

Cognizant Subsidiary TriZetto Breach Exposes 3.4M Patients' Health Data

TriZetto Provider Solutions (TPS), a healthcare technology subsidiary of IT giant **[Cognizant](https://www.cognizant.com)**, has disclosed a data breach that exposed the protected health information (PHI) of 3,433,965 individuals. Unauthorized actors gained access to a system handling insurance eligibility verification and remained undetected for approximately one year, from November 2024 to October 2025. The compromised data includes highly sensitive information such as names, Social Security numbers, dates of birth, and health insurance details, placing millions of patients at significant risk of identity theft and financial fraud. The incident highlights severe security gaps in the healthcare supply chain.

Genesis Ransomware Hits Healthcare Firm, Claims 100GB Data Theft

The **Genesis** ransomware group has claimed responsibility for a cyberattack against Sierra Management Group, a California-based firm that provides management services to medical practices. In a dark web post on March 7, 2026, the group alleged it exfiltrated 100GB of highly sensitive data, including PII, healthcare records, and financial information. The attackers are using a double extortion tactic, threatening to leak the stolen data within days if their ransom demand is not met. This incident underscores the significant risk to the healthcare sector from supply chain attacks, as the compromised data belongs to patients of Sierra's clients.

Phishing Campaign Delivers Signed Malware via Fake Zoom/Teams Invites

A sophisticated phishing campaign is targeting corporate employees with fake Zoom and Microsoft Teams meeting invitations. The attack, identified by **[Microsoft](https://www.microsoft.com/security)**, uses social engineering to trick users into downloading a supposed client update. The malware installer is signed with a stolen Extended Validation (EV) digital certificate from 'TrustConnect Software PTY LTD', allowing it to bypass security checks and appear legitimate. Once executed, the malware uses PowerShell to deploy legitimate remote monitoring and management (RMM) tools like ScreenConnect and MeshAgent, giving attackers persistent access to the victim's network for future attacks, such as ransomware deployment.

New Russian Malware 'BadPaw' & 'MeowMeow' Target Ukraine; 'Starkiller' Phishing Tool Bypasses MFA

Two distinct but significant threats have emerged. First, a new Russian-led cyber campaign is targeting Ukrainian organizations with two previously unknown malware families, **BadPaw** and **MeowMeow**. The attack uses a phishing lure disguised as a border crossing document to deploy a backdoor. Second, a powerful new Phishing-as-a-Service (PhaaS) tool named **Starkiller** has been identified. Starkiller is designed to defeat multi-factor authentication (MFA) by using real-time request proxying and headless browsers to steal not just credentials, but the post-authentication session tokens needed to hijack active user sessions.

Hacker 'GhostCrawl' Claims Breach of Cybersecurity Firm Team4Security

On March 7, 2026, a threat actor using the alias 'GhostCrawl' posted a claim on the 'Breachforums' hacking forum, alleging they had breached the cybersecurity firm Team4Security. The actor demanded a ransom of $2,350, threatening to leak confidential files, company 'secrets', and security vulnerabilities if the payment was not made within 24 hours. The post is an extortion attempt, and the claims remain unverified. However, the incident highlights that cybersecurity firms themselves are high-value targets for attackers seeking to cause reputational damage or extort money.

Boggy Serpens (MuddyWater) APT Targets UAE Energy Firm in Sustained Espionage Campaign

Researchers from Palo Alto Networks' Unit 42 have detailed a long-running cyber-espionage campaign targeting a national marine and energy company in the United Arab Emirates. The campaign, attributed to the APT group Boggy Serpens (also known as MuddyWater), was active from August 2025 through February 11, 2026. The threat actor conducted four distinct attack waves, using hijacked email accounts from legitimate government and corporate entities for its spear-phishing operations. The campaign deployed a diverse arsenal of malware, including GhostBackDoor, Nuso (HTTP_VIP), UDPGangster, and LampoRAT, showcasing the group's maturing and persistent operational methodology aimed at long-term intelligence gathering.

CISA Adds VMware Aria RCE Flaw to 'Must-Patch' KEV List, Confirming Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-22719, a command injection vulnerability in Broadcom's VMware Aria Operations, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms the flaw is being actively used in attacks. The vulnerability, rated CVSS 8.1, allows an unauthenticated attacker to achieve remote code execution, though it is only exploitable during a specific window when a product migration is in progress. The incident highlights the significant risk posed by under-patched management and observability platforms.

Australia, NZ, and Tonga Issue Joint Advisory on INC Ransomware Targeting Healthcare

On March 6, 2026, cyber authorities from Australia (ACSC), New Zealand (NCSC-NZ), and Tonga (CERT Tonga) issued a joint advisory on the INC Ransom group. The Ransomware-as-a-Service (RaaS) operation is actively using affiliates to conduct double-extortion attacks, with a significant focus on the healthcare sector across the Pacific region. The advisory details the group's TTPs—including initial access via phishing and exploitation of public-facing services—and highlights a major incident that disrupted Tonga's national healthcare network in 2025.

Dutch Telecom Odido Hit by Massive Data Breach; 6.2 Million Customers Exposed

Odido, the largest mobile provider in the Netherlands, has suffered a colossal data breach exposing the personal information of 6.2 million customers. The company confirmed the incident on February 12, 2026, after detecting unauthorized access to a customer contact system over the previous weekend. The compromised data is extensive, including names, addresses, phone numbers, email addresses, dates of birth, and, in some cases, bank account (IBAN) and government ID numbers. The threat actor group ShinyHunters has claimed responsibility, allegedly after Odido refused to pay a ransom. The attack is believed to have been initiated through a sophisticated social engineering campaign targeting customer service employees. A criminal investigation has been launched by Dutch authorities.

CISA KEV Alert: Actively Exploited VMware Aria Flaw (CVE-2026-22719) Allows Remote Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity command injection vulnerability in VMware Aria Operations, CVE-2026-22719, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms the flaw is being actively exploited in the wild. The vulnerability, rated CVSS 8.1, allows an unauthenticated attacker to achieve remote code execution during a product migration process, potentially granting them broad access to an organization's virtual infrastructure.

CrowdStrike & Schwarz Digits to Offer Sovereign AI-Native Security on STACKIT Cloud

CrowdStrike has announced a strategic partnership with Schwarz Digits, the IT division of the group owning retail giants Lidl and Kaufland. The collaboration will deliver CrowdStrike's AI-native Falcon cybersecurity platform on STACKIT, the sovereign cloud developed by Schwarz Group. This initiative aims to provide a comprehensive security solution that meets stringent European data sovereignty and residency requirements, ensuring customer data remains within European legal jurisdictions.

Hennessy Advisors Discloses Year-Old Data Breach, Notifying 12,000 Individuals

California-based investment firm Hennessy Advisors, Inc. has begun notifying over 12,000 individuals of a data breach that occurred nearly a full year ago, on March 30, 2025. The notification, filed in early 2026, reveals that an external system breach led to the potential compromise of highly sensitive personal information, including names, driver's license numbers, and financial account details. The significant delay in notification raises concerns and increases the risk of fraud for affected clients.

Latin America Now Top Global Target, Facing Double the Cyberattacks of US, Report Finds

A new threat report from Check Point Research reveals a dramatic shift in the global cyber threat landscape, with Latin America emerging as the world's most heavily targeted region. Organizations in Latin America now face an average of 3,100 cyber threats per week, a figure that is more than double the rate seen in the United States. This surge is attributed to rapid digitalization across the region, often outpacing the implementation of mature cybersecurity defenses.

Cloudflare Report: Attackers Ditch Malware for Stolen Credentials, Shifting from 'Breaking In' to 'Logging In'

Cloudflare's 2026 Threat Report, released March 3, reveals a fundamental change in cyberattack methodology. Threat actors are increasingly abandoning traditional malware in favor of using stolen credentials to 'log in' to target networks. This identity-centric approach allows attackers to blend in with legitimate traffic, making detection significantly harder and rendering identity and access management a critical security battleground. The report highlights that this tactic is now the primary vector for high-impact ransomware attacks. Furthermore, attackers are leveraging AI and LLMs to accelerate exploit development and network mapping. Nation-state actors are also adapting, with Chinese groups like Salt Typhoon and Linen Typhoon focusing on stealthy persistence in critical infrastructure, and other groups abusing legitimate cloud services like Google Calendar and Microsoft Azure for command-and-control operations. The findings underscore the need for automated defenses and a security strategy centered on identity verification and zero trust principles.

International Law Enforcement Dismantles 'LeakBase' Hacker Forum in Coordinated Takedown

In a major blow to the cybercrime economy, an international law enforcement operation led by the U.S. Department of Justice has seized and dismantled the 'LeakBase' hacker forum. The coordinated action, which took place on March 3-4, 2026, involved agents in 14 countries and was supported by Europol. LeakBase was a prominent English-language marketplace on the open web with over 142,000 members, used for buying and selling vast quantities of stolen data, including credentials from corporate breaches, credit card numbers, and other personally identifiable information. As part of the takedown, authorities seized the forum's infrastructure and collected user data, including private messages and IP logs, for evidentiary purposes. This operation follows similar successful disruptions of criminal forums like RaidForums and BreachForums, signaling a continued commitment by global law enforcement to disrupt the infrastructure that underpins cybercrime.

Half of Private Equity-Backed Firms Have High Cyber Risk, New Report Finds

A new report from ACA Group, released March 3, 2026, reveals a concerning state of cybersecurity within companies backed by private equity. The study, which assessed over 300 portfolio companies across 18 industries, found that half are operating with an 'elevated' or 'high' level of cyber risk. The Health Services and Producer Manufacturing sectors were identified as having the highest average risk scores. The report pinpoints two consistent areas of major weakness across the board: Third-Party Risk Management and Penetration Testing. The findings suggest that many firms are failing to adequately manage the security of their supply chains and are not effectively identifying and remediating their own vulnerabilities. The report underscores the need for stronger governance and programmatic controls to mitigate the growing risk of these companies being used as entry points for attacks on larger enterprises.

Global Coalition Disrupts 'Tycoon 2FA' Phishing Platform Used to Bypass MFA on Microsoft 365 and Gmail

An international coalition of law enforcement and private technology companies has disrupted the 'Tycoon 2FA' Phishing-as-a-Service (PaaS) platform. Announced on March 4, 2026, the operation involved Europol, Microsoft, Proofpoint, Cloudflare, and SpyCloud, leading to the seizure of 330 of the platform's control panel domains. Tycoon 2FA, active since at least 2023 and sold via Telegram, enabled cybercriminals to conduct adversary-in-the-middle (AiTM) phishing attacks. The service used a transparent proxy to intercept user credentials and, crucially, session cookies for Microsoft 365 and Gmail accounts, allowing attackers to bypass multi-factor authentication (MFA) and hijack active sessions. The takedown highlights the industrialization of cybercrime and the growing threat of session hijacking as a primary method for gaining unauthorized access to corporate accounts.

Trend Micro Warns of Severe RCE Flaws in Apex One Security Software, Allowing Protection Bypass

Trend Micro issued a warning on March 3, 2026, about severe remote code execution (RCE) vulnerabilities in its Apex One enterprise endpoint security solution. These flaws are highly critical because they could allow an attacker to disable the very security layers designed to protect the system. By exploiting these vulnerabilities, an attacker could remotely execute code on a protected endpoint, effectively neutralizing the Apex One agent. This would leave the system blind and defenseless, allowing the attacker to deploy further malware, exfiltrate data, or move laterally across the network undetected. Given that a security product itself is the attack vector, Trend Micro is urging customers and Managed Service Providers (MSPs) to apply the necessary patches immediately to prevent their primary line of defense from being turned against them.

ShinyHunters Leaks 12.4 Million CarGurus Records After Failed Extortion

The extortion group ShinyHunters has leaked a massive 6.1GB database containing 12.4 million user records allegedly stolen from the automotive marketplace CarGurus. The data, which includes full names, emails, phone numbers, and highly sensitive auto finance pre-qualification details, was published on February 21, 2026, after an extortion attempt failed. The breach tracking service 'Have I Been Pwned' has integrated the data, noting that it introduced 3.7 million new email addresses to its database. The incident places millions of users at significant risk of targeted phishing, identity theft, and financial fraud.

ManoMano Breach: 38 Million Customers Exposed After Third-Party Customer Service Provider Hacked

European DIY e-commerce giant ManoMano has disclosed a significant data breach impacting approximately 38 million customers across France, Germany, Italy, Spain, and the UK. The incident, which occurred in January 2026, was not a direct breach of ManoMano's systems but a supply chain attack targeting a third-party customer service provider. A threat actor known as 'Indra' has claimed responsibility, stating they exfiltrated 43GB of data, including full names, email addresses, phone numbers, and customer service message histories. ManoMano has confirmed that financial data and account passwords were not compromised. The company has since disabled the subcontractor's access, notified data protection authorities like France's CNIL, and is warning affected customers about potential phishing attacks.

CISA Orders Federal Agencies to Patch Actively Exploited Cisco and Ivanti Flaws

On February 12, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The flaws affect Cisco Secure Firewall Management Center (FMC) software (CVE-2026-20131) and Ivanti Endpoint Manager (EPM) (CVE-2026-1603). CVE-2026-20131 is a critical deserialization flaw allowing remote code execution with root privileges on Cisco FMC. In response, CISA has issued a directive under BOD 22-01 requiring all Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities by a specified deadline to mitigate significant risk to their networks.

Wynn Resorts Confirms ShinyHunters Stole Data of 800,000 Employees, May Have Paid Ransom

Wynn Resorts confirmed on February 24, 2026, that it was the victim of a data breach by the ShinyHunters extortion group, resulting in the theft of sensitive data for approximately 800,000 employees. The stolen information includes Social Security numbers, names, and contact details. The initial intrusion reportedly occurred in September 2025 via a vulnerability in the company's Oracle PeopleSoft platform. ShinyHunters demanded a $1.5 million ransom and later removed Wynn from its leak site, strongly suggesting a payment was made. Wynn is now facing a class-action lawsuit and is offering identity protection services to affected employees.

APT37's 'Ruby Jumper' Malware Breaches Air-Gapped Networks via USB

The North Korean state-sponsored group APT37 (aka ScarCruft) is using a new malware suite called 'Ruby Jumper' to breach and exfiltrate data from highly secure, air-gapped networks. Active since at least December 2025, the campaign uses weaponized USB drives to bridge the air gap. The complex attack chain involves LNK files, PowerShell, and a backdoored Ruby interpreter to establish persistence and deploy surveillance tools, demonstrating a significant advancement in techniques for targeting isolated environments.

Bitrefill Breach: North Korea's Lazarus Group Suspected in Attack on Crypto Service

Bitcoin payment service Bitrefill has disclosed a data breach that occurred on March 1, 2026, after a single employee's laptop was compromised. The attack methods bear a strong resemblance to campaigns by the North Korean state-sponsored Lazarus Group. The breach exposed data from approximately 18,500 purchase records, including email addresses and IP metadata. Bitrefill has isolated the affected systems and is working with law enforcement.

Russia's APT28 Linked to Exploitation of MSHTML Zero-Day Before Patch

Security firm Akamai has found evidence suggesting that the Russian state-sponsored group APT28 (Fancy Bear) exploited a high-severity zero-day vulnerability, CVE-2026-21513, in Microsoft's MSHTML framework before it was patched in February 2026. The flaw, which allows attackers to bypass the Mark-of-the-Web (MotW) security feature, was reportedly exploited using malicious LNK files. The findings link the zero-day to infrastructure previously used in APT28 campaigns targeting Ukraine.

DragonForce Ransomware Hits Top Brazilian University, Threatens Data Leak

The DragonForce ransomware group has claimed responsibility for a cyberattack on Fundação Getulio Vargas (FGV), a prominent Brazilian university and research institution. In a post on March 2, 2026, the group threatened to publish a 'full leak' of sensitive data if the university does not enter into negotiations. The attack highlights the continued targeting of the education sector by ransomware gangs.

Qilin Ransomware Strikes Italian Logistics Firm, Threatening Supply Chain Disruption

The Qilin ransomware group has claimed an attack on Traffic Tech, a major logistics and freight company based in Italy. The claim was made on March 1, 2026, with the group threatening to leak sensitive operational data. This attack highlights the persistent and significant threat that ransomware poses to the global supply chain, where operational disruptions can have widespread cascading effects.

Vect Ransomware Claims Breach of Indian Manufacturer USHA, Accessing SAP Data

The Vect ransomware group has claimed a cyberattack on USHA International Limited, a major Indian manufacturer of consumer durables. In a post on March 1, 2026, the attackers alleged they have breached sensitive employee data and crucial databases, including SAP, CMS, and CMR systems. The group stated that negotiations with the company were in progress, setting a deadline of approximately 19 days before they threaten to leak the stolen data.

Iran-Linked 'Dust Specter' APT Uses AI-Generated Malware to Spy on Iraqi Officials

A suspected Iran-nexus threat actor, tracked by Zscaler ThreatLabz as 'Dust Specter,' was observed targeting Iraqi government officials in a cyberespionage campaign in January 2026. The campaign used previously undocumented malware, including a dropper called SPLITDROP, and leveraged a compromised Iraqi government website for command-and-control. Researchers noted with medium-to-high confidence that the malware's codebase shows signs of being developed with the assistance of generative AI, marking a potential evolution in APT tactics.

Samsung Settles with Texas Over Unauthorized Smart TV Data Collection

Samsung Electronics has settled with the State of Texas over allegations that it used Automated Content Recognition (ACR) technology in its Smart TVs to collect detailed user viewing data without obtaining proper, express consent. Announced on March 1, 2026, the settlement resolves claims of deceptive trade practices and requires Samsung to overhaul its privacy disclosures and implement more transparent 'opt-in' mechanisms for data tracking, highlighting growing regulatory scrutiny over consumer data privacy in IoT devices.

UH Cancer Center Pays Ransom After Breach Exposes Data of 1.24 Million People

The University of Hawaiʻi (UH) Cancer Center has disclosed a major data breach stemming from a ransomware attack in August 2025. The incident compromised the sensitive personal information of approximately 1.24 million people, including Social Security numbers and historical voter registration and driver's license data used for research. The affected data was stored on servers in the Epidemiology Division and did not impact patient care systems. Due to the extent of the encryption, UH confirmed it paid a ransom to the unidentified attackers to obtain a decryption tool and an affirmation that the exfiltrated data was destroyed.

Conduent Breach Explodes: Safepay Ransomware Hits 25 Million with Sensitive Data Theft

Business process outsourcing giant Conduent is notifying over 25 million people that their highly sensitive personal and medical data was compromised in a ransomware attack attributed to the Safepay gang. The breach exposed a trove of PII and PHI, including Social Security numbers and detailed health information, affecting customers of Conduent's numerous government and private sector clients like Blue Cross Blue Shield and Humana. The number of victims has swelled from initial estimates of 10 million, placing a massive population at high risk for identity theft and fraud. Victims are being offered credit monitoring and urged to freeze their credit.

Cloud Misconfiguration at Canadian Tire Exposes 38 Million Customer Accounts

Retail giant Canadian Tire has confirmed that a data breach discovered in October 2025 compromised the personal information of over 38 million customer accounts. The incident, which affected e-commerce databases for brands including Canadian Tire, SportChek, and Mark's, was caused by a misconfigured cloud environment. Exposed data includes names, addresses, emails, phone numbers, and, for a subset of users, dates of birth and partial credit card information. While the company states the encrypted passwords (PBKDF2 hashes) and partial card data are not directly usable for fraud, the scale of the breach poses a significant risk of phishing and identity-related scams.

Coupang Reports $26M Loss, Blames 34M-Customer Data Breach for Fallout

South Korean e-commerce giant Coupang has reported a net loss of $26 million for Q4 2025, a sharp reversal from a profit a year earlier. The company directly attributes the poor financial performance and a miss on revenue estimates to the fallout from a November 2025 data breach that compromised the personal information of 34 million customers. The incident led to a decline in active customers, increased churn in its membership program, and forced the company to pledge $1.2 billion in customer compensation, resulting in negative free cash flow. The disruption is expected to continue into early 2026.

Indian Chief Justice: Forensic Science is a 'Protective Shield' Against Digital Crime

Speaking at the National Forensic Sciences University, Chief Justice of India (CJI) Surya Kant described forensic science as an essential "protective shield" for the justice system in the face of complex digital crimes. He highlighted that threats like cyber intrusions, digital fraud, and transnational data crimes are challenging traditional investigation methods. The CJI stressed that the integrity of justice depends on verifiable, fact-based evidence provided by ethically-guided forensic analysis, warning that scientific analysis "cannot exist in a moral vacuum."

India Risks Trading 'Autonomy for Efficiency' with Foreign AI, Warns Ex-Diplomat

At the Asia Economic Dialogue, former Indian foreign secretary Nirupama Rao warned that India risks losing its national autonomy if it becomes overly dependent on foreign-developed artificial intelligence. She argued that relying on "borrowed algorithms" might increase efficiency at the cost of sovereignty. Rao identified AI, semiconductors, and cybersecurity as critical "sovereignty platforms" where India must build its own mastery to secure its national interests in a turbulent global environment and avoid vulnerabilities from concentrated supply chains.

Indian Banks Embrace AI to Combat 1.4 Million Annual Cyberattacks

Leaders in India's banking sector are turning to Artificial Intelligence (AI) as a strategic defense against a rising tide of cyber threats, estimated at 1.4 million attacks annually. Executives highlighted that AI is crucial for fraud detection, cost reduction, and superior risk management in underwriting. Global banks like Bank of America and JP Morgan Chase are cited as examples of successful AI implementation. The push for AI adoption coincides with a broader digital transformation in the sector, including a new government dashboard for real-time oversight and a focus on using vast data reserves for hyper-personalized customer services.

Statamic CMS Flaw (CVE-2026-28423) Enables Cloud Credential Theft via SSRF

A Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-28423, has been disclosed in the Statamic content management system. The flaw, which has a CVSS score of 6.8, exists in the Glide image manipulation feature. An unauthenticated attacker can exploit it to force the server to make HTTP requests to internal network services or, more critically, to cloud metadata endpoints. This could allow an attacker to steal sensitive cloud credentials (e.g., from an AWS EC2 instance), leading to a full compromise of the underlying cloud infrastructure. Users are advised to patch or reconfigure the feature to prevent abuse.

Patch Released for "ClawJacked" WebSocket Hijacking Flaw in OpenClaw AI Agent

A patch has been released for a high-severity vulnerability, dubbed "ClawJacked," in the OpenClaw AI agent. The flaw, fixed in version 2026.2.13, allowed a malicious website to hijack a locally running OpenClaw agent by abusing its WebSocket connection. An attacker could trick a developer into visiting a malicious site, which would then silently connect to and control the local agent. The vulnerability also exposed a risk of indirect prompt injection. The flaw was responsibly disclosed, and a fix was promptly issued.

Conduent Data Breach Impact Explodes to 25 Million Americans, Safepay Ransomware Blamed

The true scale of the data breach at government services contractor Conduent Business Services has been revealed, with new figures showing over 25 million individuals across the U.S. have been affected. The breach, which occurred between late 2024 and early 2025, involved the theft of highly sensitive personal and medical information. The Safepay ransomware group has claimed responsibility for the attack, stating they exfiltrated over 8 terabytes of data. The incident has impacted numerous state government services and healthcare providers, prompting an investigation by the Texas Attorney General.

‘Diesel Vortex’ Phishing Ring Steals Over 1,600 Credentials from US & European Logistics Firms

A financially motivated threat group dubbed 'Diesel Vortex' has been identified targeting the freight and logistics industry in the United States and Europe since September 2025. The campaign utilized a Phishing-as-a-Service (PaaS) model, complete with call centers and typosquatted domains mimicking platforms like DAT Truckstop and Penske Logistics. The actors employed a 'Dual-Domain Deception' technique to bypass browser warnings and used vishing and Telegram to capture MFA codes. An exposed .git repository led investigators to the group's infrastructure, revealing the theft of 1,649 unique credentials and evidence of financial fraud, including double-brokering and EFS check fraud. The group is believed to be Armenian-speaking with ties to Russian infrastructure.

Dutch Prison Agency Data Exposed for Five Months in Wider Government Hack

An investigation has revealed that hackers had prolonged access, for at least five months, to the systems of the Dutch prison agency (Dienst Justitiële Inrichtingen - DJI). The breach exposed sensitive staff data, including email addresses, phone numbers, and security certificates, raising fears of blackmail. The attackers also gained access to phones, tablets, and laptops. The incident is part of a wider attack that also affected other Dutch government bodies, including the privacy watchdog and the judiciary council. The Dutch National Cyber Security Centre (NCSC) is monitoring the situation as the investigation continues.

Accounting Firm Legacy Professionals LLP Reports Data Breach Affecting Over 215,000 People

The accounting and consulting firm Legacy Professionals LLP has reported a data breach to the Attorney General of Maine, indicating that the personal information of over 215,000 people has been compromised. The firm discovered suspicious activity on its internal computer network where 'sensitive identifiable information' was stored. The notification suggests that personal data of Maine residents was involved, triggering the reporting requirement. The full scope of the breach, the specific data types exposed, and the attack vector have not yet been publicly disclosed. The firm is in the process of notifying the affected individuals.

Hacker Reportedly Used 'Jailbroken' AI Chatbot Claude to Breach Mexican Government Agencies

A hacker has reportedly used Anthropic's AI chatbot, Claude, to facilitate a series of cyberattacks against Mexican government agencies, resulting in the theft of approximately 150 GB of data. The compromised information is said to include 195 million taxpayer and voter records, government employee credentials, and civil registry files. The targeted agencies include Mexico's tax authority and national electoral institute. The attacker allegedly had to 'jailbreak' the AI model, bypassing its safeguards, to get it to assist in writing the scripts needed to breach the government networks. The incident highlights the growing threat of advanced AI tools being abused for malicious cyber operations.

Microsoft and Dell Patch Actively Exploited Zero-Day Vulnerabilities

Two significant enterprise vulnerabilities have been disclosed. Microsoft patched a critical privilege escalation flaw (CVE-2026-26119, CVSS 8.8) in Windows Admin Center. More severely, Dell revealed a maximum-severity zero-day (CVE-2026-22769, CVSS 10.0) in its RecoverPoint for VMs product has been actively exploited by a suspected Chinese-linked group, UNC6201, since mid-2024. The Dell flaw involves hard-coded credentials, allowing root access and deployment of BRICKSTORM and GRIMBOLT malware.

NATO Certifies iPhones and iPads for "Restricted" Classified Data Handling

In a landmark decision, NATO has approved Apple's iPhones and iPads running iOS 26 and iPadOS 26 for handling classified data up to the "NATO Restricted" level. This makes them the first consumer mobile devices to achieve this certification without requiring any specialized hardware or software modifications. The approval, which applies to all NATO member nations, followed a rigorous security evaluation by Germany's Federal Office for Information Security (BSI), validating Apple's built-in security architecture.

Critical Flaws in Anthropic's Claude AI Tool Allowed Silent System Takeover

Check Point Research has disclosed three significant, now-patched vulnerabilities in Anthropic's AI coding assistant, Claude Code. The flaws could have allowed an attacker to achieve remote code execution (RCE), steal sensitive API keys, and take full control of a developer's environment. The attack was particularly dangerous as it could be triggered simply by having a developer clone and open a malicious code repository, highlighting new supply chain risks in AI-assisted development workflows.

"AirSnitch" Wi-Fi Attack Bypasses WPA3 Encryption to Intercept Traffic

Researchers have disclosed a novel Wi-Fi attack technique named "AirSnitch" that exploits architectural weaknesses in the Wi-Fi networking stack. The attack allows a threat actor already on the same network to bypass encryption, including on WPA3-protected networks, to intercept traffic, perform man-in-the-middle (MitM) attacks, and steal data. The flaw stems from a failure to cryptographically link identifiers across network layers, enabling an attacker to spoof a victim's identity and divert their traffic. The attack was demonstrated on popular routers from Netgear and Asus.

Discord Pauses Global Age Verification Rollout Until Late 2026 Amid Privacy Backlash

Discord has delayed the global implementation of its new age verification system until the second half of 2026. The decision follows widespread user criticism regarding privacy and data security, with many fearing mandatory ID uploads. Acknowledging it "missed the mark," Discord clarified that the system will primarily use on-platform signals and that most users won't need manual verification. The company also pledged more transparency, including publishing its list of verification vendors and prioritizing on-device processing to protect user data.

RansomHouse Claims Cyberattack on European Outlet Giant Neinver

The RansomHouse ransomware group has claimed responsibility for a cyberattack against Neinver, a major Spanish-based company that operates retail outlet centers across Europe. On February 27, 2026, the group added Neinver to its dark web leak site, threatening to release sensitive data if the company does not enter negotiations. Details about the attack vector and the scope of the data exfiltrated have not yet been disclosed. The incident highlights the ongoing trend of data extortion attacks against large enterprises.

INTERPOL's "Operation Red Card 2.0" Nabs 651 in African Cybercrime Sweep

An eight-week, INTERPOL-led crackdown on transnational online fraud across 16 African nations has concluded with significant results. Dubbed "Operation Red Card 2.0," the initiative led to the arrest of 651 individuals and the recovery of over $4.3 million in illicit funds. The operation targeted prevalent schemes such as high-yield investment scams, mobile money fraud, and fraudulent loan applications, which are estimated to have caused over $45 million in losses.

Chinese Hackers Used ChatGPT for Influence Operations, OpenAI Confirms

OpenAI has confirmed that threat actors linked to China have utilized its ChatGPT large language model to support cyberattack and influence operations. While not used for technical exploit development, the AI was leveraged to generate polished propaganda, craft convincing spear-phishing content, and create operational plans for social media manipulation. The activities included romance scams and fraudulent outreach to U.S. officials. OpenAI has banned the associated accounts and is enhancing its abuse detection mechanisms.

Marquis Sues SonicWall, Alleging Vendor's Breach Led to Ransomware Attack on 74 Banks

In a significant legal development for supply chain liability, financial services provider Marquis Software Solutions has filed a lawsuit against cybersecurity vendor SonicWall. Marquis alleges that a 2025 breach of SonicWall's MySonicWall cloud backup service exposed its firewall configuration data and unencrypted MFA scratch codes. This data, Marquis claims, was then used by threat actors to bypass its defenses and launch a devastating ransomware attack in August 2025 that disrupted services for 74 U.S. banks. The lawsuit accuses SonicWall of gross negligence.

Chinese APT UNC6201 Weaponizes Dell Zero-Day to Deploy GRIMBOLT Backdoor in VMware Environments

A sophisticated cyberespionage campaign attributed to a suspected Chinese state-sponsored actor, UNC6201, has been actively exploiting a critical zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines. The flaw, a hard-coded credential issue with a CVSS score of 10.0, allows unauthenticated remote attackers to gain root access. The campaign, ongoing since at least mid-2024, targets VMware infrastructure to deploy a suite of custom malware, including a new C#-based backdoor named GRIMBOLT. Researchers at Mandiant and Google observed the actor using the exploit for lateral movement and to establish persistent access, highlighting a significant threat to enterprise data recovery and virtualization environments. Dell has released patches and urges immediate updates.

US Treasury's OCC Remediates Critical BankNet Portal Vulnerability After Researcher Disclosure

The Office of the Comptroller of the Currency (OCC), a bureau within the U.S. Department of the Treasury, announced it has successfully remediated a cybersecurity vulnerability in its critical BankNet portal. The flaw was reported by a security researcher on February 25, 2026, under the agency's vulnerability disclosure policy. The OCC temporarily suspended access to the portal to conduct a forensic investigation, which found no evidence of data exfiltration or unauthorized access beyond that of the reporting researcher.

Threat Intelligence Supply Chain is Broken, Georgia Tech Researchers Warn

Researchers from Georgia Tech have revealed significant weaknesses in the global threat intelligence sharing ecosystem. Their study, presented on February 25, 2026, found that crucial information sharing between security vendors, antivirus companies, and sandbox services is slow and incomplete. The research showed that while most vendors analyze new malware, only 17% share the resulting intelligence. This creates dangerous delays and blind spots that can be exploited by adversaries and are exacerbated by geopolitical tensions, threatening to fracture the entire security community's defensive capabilities.

IBM X-Force: AI and RaaS Fuel 49% Surge in Ransomware Groups

The 2026 IBM X-Force Threat Intelligence Index, released on February 26, 2026, paints a concerning picture of the evolving threat landscape. The report reveals a 49% increase in ransomware groups compared to the previous year, a surge driven by the proliferation of AI and Ransomware-as-a-Service (RaaS) models that are lowering the barrier to entry for less skilled attackers. The report also highlights a significant rise in vulnerability exploitation, with 56% of tracked flaws requiring no authentication to exploit, and a nearly fourfold increase in supply chain attacks over the past five years.

Google Security Operations Unifies Access Control with Native IAM Integration

Google has enhanced its Security Operations platform by migrating its permission model to Google Cloud's native Identity and Access Management (IAM) framework. The update, announced on February 25, 2026, allows administrators to manage Role-Based Access Control (RBAC) for both the SIEM and SOAR components from a single, unified interface. This change enables more granular, consistent, and streamlined management of user permissions and automatically scopes data visibility in dashboards based on a user's assigned access labels.

Critical Unauthenticated RCE Flaw (CVE-2026-33017) in Langflow AI Platform Actively Exploited

A critical unauthenticated remote code execution (RCE) vulnerability, CVE-2026-33017, has been disclosed in the popular open-source AI framework, Langflow. The flaw allows an attacker to execute arbitrary Python code on a vulnerable server with a single HTTP request by sending a malicious flow definition to a public-facing API endpoint. The vulnerability, which exists in the way the server processes code with an `exec()` function, was reportedly weaponized and exploited by attackers within 20 hours of its public disclosure, highlighting the significant risk posed by insecure AI infrastructure.

Conduent Data Breach May Be Largest in U.S. History; Texas AG Investigates

The data breach at government contractor Conduent Business Services is escalating into what may be the largest in U.S. history, with estimates now exceeding 25 million victims nationwide. The Safepay ransomware group claimed to have stolen over 8 terabytes of data, including names, Social Security numbers, and medical histories. The breach, which occurred between late 2024 and early 2025, has triggered a formal investigation by the Texas Attorney General due to its massive impact on citizens, including 15.4 million in Texas alone. This incident serves as a stark reminder of the profound risks associated with third-party supply chain security.

CISA Orders Patching for Two Actively Exploited Cisco SD-WAN Flaws

On February 25, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities affecting Cisco Catalyst SD-WAN products to its Known Exploited Vulnerabilities (KEV) catalog, signaling they are under active attack. The flaws are CVE-2026-20127, a critical authentication bypass, and CVE-2022-20775, a path traversal vulnerability. Under Binding Operational Directive (BOD) 22-01, federal agencies are now mandated to apply the necessary patches by a specified deadline to protect their networks from these significant risks.

Google & Mandiant Dismantle Global Chinese Spy Network Using Novel "GRIDTIDE" Backdoor

On February 25, 2026, Google and Mandiant revealed they had disrupted a massive, multi-year cyber espionage campaign attributed to UNC2814, a suspected China-nexus threat actor. The operation compromised at least 53 organizations in 42 countries, primarily in the telecommunications and government sectors. The attackers utilized a novel C-based backdoor named GRIDTIDE, which cleverly abused the legitimate Google Sheets API for command and control, allowing its traffic to blend in with normal cloud activity. The joint disruption effort involved terminating the actor's cloud projects, disabling accounts, and taking down associated infrastructure, marking a significant blow to a prolific and distinct espionage group.

North Korea's Lazarus Group Adopts Medusa Ransomware, Targeting Healthcare

In a notable strategic shift, North Korea's state-sponsored Lazarus Group has been observed deploying Medusa ransomware in its financially motivated campaigns. Security researchers reported on February 24, 2026, that the prolific APT group used the ransomware-as-a-service (RaaS) offering in a successful attack in the Middle East and a failed attempt against a U.S. healthcare organization. This adoption of an off-the-shelf ransomware platform, rather than their custom tools, suggests Lazarus is industrializing its cybercrime efforts. The attacks leveraged a familiar toolkit, including the Comebacker backdoor and BLINDINGCAN RAT, indicating a blend of sophisticated espionage tradecraft with mainstream criminal tactics.

Medical Device Maker UFP Technologies Hit by Ransomware, Data Stolen and Destroyed

UFP Technologies, a U.S.-based manufacturer of medical devices, disclosed in a February 24 SEC filing that it suffered a ransomware attack on February 14, 2026. The company's CFO described it as a 'classic ransomware attack' where data was both stolen and destroyed. The incident caused significant disruption to IT systems, impacting billing, shipping, and other functions, leading to short-term shipment delays. While the company believes the threat actor has been removed and systems will be restored, an investigation is ongoing to determine the scope of the compromised data. No specific ransomware group has claimed responsibility.

CISA Warns of Actively Exploited RCE Flaw in Soliton FileZen Appliance

On February 24, 2026, CISA added a critical OS command injection vulnerability in the FileZen file transfer appliance to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, CVE-2026-25108, affects products from the Japanese firm Soliton Systems K.K. and is confirmed to be under active exploitation. Command injection flaws can allow for remote code execution, leading to full system compromise. CISA has mandated that federal agencies patch the vulnerability by the specified deadline and strongly urges all organizations using FileZen to do the same.

Predator Spyware Defeats iPhone Privacy Indicators for Covert Recording

Research published on February 24, 2026, has revealed a sophisticated and stealthy capability of the Predator spyware, sold by commercial surveillance vendor Intellexa. The spyware can secretly record audio and video on a compromised iPhone by programmatically disabling the green and orange dot indicators in the iOS status bar. This is achieved by hooking into a core system process called SpringBoard. By defeating this key, user-facing privacy feature, Predator can conduct surveillance that is completely invisible to the victim, undermining the security assurances provided by the operating system.

LockBit Attackers Exploit Apache ActiveMQ Flaw, Return After Eviction

A threat intelligence report from February 25, 2026, details a persistent LockBit ransomware attack where threat actors demonstrated significant determination. The attackers initially gained access by exploiting CVE-2023-46604, a known RCE vulnerability in Apache ActiveMQ. Although the victim organization detected and evicted the intruders, the attackers returned 18 days later, this time using credentials stolen during the initial breach to regain access via RDP. They then used tools like Metasploit and AnyDesk to move laterally and successfully deploy the LockBit ransomware, highlighting the critical need for comprehensive remediation, including credential resets, after a security incident.

Conduent Data Breach Victim Count Skyrockets to 25 Million, Triggering Texas AG Investigation

The fallout from the 2025 data breach at business services provider Conduent has dramatically worsened, with the number of affected individuals now estimated to be over 25 million, a significant jump from the 10.5 million initially reported. The breach involved the theft of over eight terabytes of highly sensitive data, including names, Social Security numbers, and medical information. The massive scale of the incident, which now includes over 15 million Texans, has prompted the Texas Attorney General to launch a formal investigation into what could be one of the largest healthcare-related data breaches in U.S. history.

No Crystal Ball: AI Denies Future Threat Report Request

An automated cybersecurity analysis system rejected a user request to generate a threat report for February 24, 2026. The system's refusal was based on its core programming, which prohibits the fabrication of information for future dates where no data exists. This event serves as a practical demonstration of AI safety guardrails, specifically the principle of avoiding hallucination and maintaining data integrity. The response underscores that the system's function is to analyze past and present events, not to speculate on future occurrences, thereby ensuring the reliability and trustworthiness of the intelligence provided.

Critical Confluence Zero-Day (CVE-2026-22515) Actively Exploited to Deploy LockBit Ransomware

Atlassian has issued an emergency patch for a critical remote code execution (RCE) zero-day, CVE-2026-22515 (CVSS 9.8), affecting Confluence Data Center and Server. The vulnerability is being actively exploited by threat actors, including a group named 'Cerberus', to gain initial access, deploy web shells, and ultimately deliver LockBit 3.0 ransomware. The flaw stems from an authentication bypass in the attachment upload process, allowing unauthenticated attackers to take full control of vulnerable instances.

CISA Warns of North Korean "SandViper" APT Espionage Campaign Targeting US Defense Sector

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and NSA, has issued a joint advisory detailing a sophisticated cyber-espionage campaign by "SandViper," a North Korean state-sponsored APT group. The campaign targets the U.S. Defense Industrial Base (DIB) to steal military and aerospace secrets. Attackers use spear-phishing and exploit CVE-2025-41890, deploying custom malware like the "DuneDrifter" backdoor and "SandHauler" exfiltration tool.

GlobalPay Supply Chain Attack Exposes 20 Million Credit Cards; ShinyHunters Claims Responsibility

GlobalPay, a major payment processor, has suffered a massive data breach exposing the credit card details and personal information of approximately 20 million individuals. The breach was the result of a supply chain attack, where a compromised third-party software update allowed attackers to access GlobalPay's network. The notorious cybercrime group ShinyHunters has claimed responsibility, demanding a $5 million ransom to prevent the data from being sold.

New "ChronoLeap" Infostealer Bypasses MFA Using System Time Manipulation

Security researchers at Zscaler have discovered "ChronoLeap," a new information-stealing malware with a novel technique to bypass multi-factor authentication (MFA). The malware uses a Browser-in-the-Browser (BitB) attack to steal credentials, then manipulates the victim's system clock to extend the validity window of the MFA token. Combined with session cookie theft, this allows attackers to gain full access to protected accounts. ChronoLeap is being offered as a Malware-as-a-Service (MaaS), indicating it could see widespread use.

Scattered Spider Launches Massive Tax-Season Phishing Campaign Impersonating IRS, HMRC, and CRA

A large-scale phishing campaign attributed to the cybercrime group "Scattered Spider" is targeting taxpayers in the United States, United Kingdom, and Canada. The attackers are using convincing emails and SMS messages that impersonate the IRS, HMRC, and CRA, luring victims with fake tax refund notifications. The goal is to steal a wide range of personal and financial information through high-quality, geo-targeted phishing portals.

Microsoft Issues Emergency Patch for Critical Exchange Privilege Escalation Flaw (CVE-2026-21445)

Microsoft has released an emergency, out-of-band security update for a critical privilege escalation vulnerability in Microsoft Exchange Server 2016 and 2019. The flaw, tracked as CVE-2026-21445 with a CVSS score of 9.1, could allow an attacker with a standard user's credentials to escalate their privileges to Domain Administrator, effectively compromising the entire Active Directory environment. Microsoft urges immediate patching.

Global Police Operation "Cyber-Surge" Dismantles "LabHost" Phishing-as-a-Service Empire

A massive international law enforcement operation, codenamed "Cyber-Surge," has successfully dismantled "LabHost," a notorious Phishing-as-a-Service (PhaaS) platform. Led by Europol and involving 19 countries, the operation resulted in 37 arrests and the seizure of the platform's infrastructure. LabHost provided subscription-based phishing kits to over 2,000 criminals, enabling at least 40,000 successful attacks worldwide by targeting banks, government services, and tech companies.

US Treasury Sanctions Crypto Mixers VortexCash and Cyclone for Laundering Ransomware Proceeds

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned two major cryptocurrency mixing services, VortexCash and Cyclone. The action was taken due to their extensive use by threat actors, including the North Korean Lazarus Group and the Conti and Ryuk ransomware gangs, to launder the proceeds of cybercrime. The sanctions make it illegal for U.S. persons to transact with these services, aiming to disrupt the financial infrastructure of ransomware operations.

"VoltSchemer" Attack Can Manipulate EV Charging and Destabilize Power Grids

Researchers have demonstrated a new attack method, "VoltSchemer," that exploits vulnerabilities in the Combined Charging System (CCS) standard for electric vehicles (EVs). By injecting malicious signals into the communication line between the vehicle and charger, an attacker can disrupt charging, overcharge batteries, and potentially create instability in local power grids. The attack can be carried out wirelessly from a nearby device.

Critical RCE Flaw in Ray AI Framework Actively Exploited After PoC Release

A critical remote code execution vulnerability, CVE-2023-48022 (CVSS score 9.8), in the open-source Ray AI/ML framework is under active threat following the public release of a proof-of-concept exploit. The flaw, stemming from a lack of authentication in the Ray Dashboard, allows unauthenticated attackers to execute arbitrary code and take full control of vulnerable Ray clusters. Security researchers report thousands of internet-exposed Ray instances are at immediate risk. The vulnerability affects Ray versions 2.6.3 and earlier, and users are urged to upgrade to version 2.7.0 or later immediately.

PayPal Discloses Data Breach After Software Bug Exposes User PII for Six Months

PayPal has disclosed a data breach resulting from a software bug in its PayPal Working Capital (PPWC) loan application. The flaw, which went undetected for nearly six months from July to December 2025, exposed the sensitive personal information of approximately 100 users. The compromised data includes names, addresses, dates of birth, and Social Security numbers. PayPal discovered the issue on December 12, 2025, and fixed it the next day. The company stated that a few customers experienced unauthorized transactions, which have since been refunded, and is offering two years of credit monitoring to those affected.

Kaplan Data Breach Exposed SSNs and Driver's Licenses of Over 200,000 Individuals

Educational services provider Kaplan North America has concluded its investigation into a 2025 cyberattack, confirming that files containing highly sensitive personal information were stolen. The breach, which occurred between October and November 2025, resulted in the exfiltration of names, Social Security numbers, and driver's license numbers. Regulatory filings show the breach impacted at least 173,676 residents in Texas, 26,612 in South Carolina, and 19,075 in Maine, with the total number likely being much higher. Kaplan is now notifying affected individuals and offering one year of identity protection services.

DHS Pressures Google, Meta, Reddit to Unmask Anonymous Critics of ICE

The Department of Homeland Security (DHS) has reportedly issued hundreds of administrative subpoenas to major tech companies, including Google, Meta, Reddit, and Discord, demanding the personal details of anonymous social media users. The targeted accounts are those that post critical commentary about Immigration and Customs Enforcement (ICE) or share publicly available information about the agency's operations. This move to unmask online critics using subpoenas that do not require a judge's approval has sparked significant concern among civil liberties advocates and resistance from the tech companies, raising questions about protected speech and privacy.

Fintech Firm Figure Technologies Breached by ShinyHunters; 1 Million Customer Records Leaked

Blockchain lending firm Figure Technology Solutions confirmed it suffered a major data breach after an employee's credentials were stolen in a social engineering attack. The notorious cybercrime group ShinyHunters has claimed responsibility, leaking 2.5GB of data allegedly belonging to nearly one million customers after the company refused to pay a ransom. The exposed data includes names, dates of birth, email addresses, and physical addresses, placing affected individuals at high risk for identity theft and further phishing attacks. Figure is now offering credit monitoring services to impacted users as legal investigations begin.

Convergence of Identity and Data Security Creates New Attack Vectors, Netwrix Warns

A new report from Netwrix warns that the next wave of cyber threats will arise from the convergence of identity and data security. As organizations increasingly rely on automated workflows to manage data access, attackers are shifting their focus from stealing individual credentials to exploiting misconfigured identity orchestration and automation. The report predicts that failures in identity automation will directly lead to data exposure. With the rise of agentic AI, which can autonomously perform actions, securing the identity of these non-human agents becomes paramount. Netwrix concludes that unified visibility across both identity management and data security is now essential to mitigate these emerging risks.

Semiconductor Giant Advantest Hit by Ransomware, Investigates Impact on Supply Chain

Advantest Corporation, a leading Japanese manufacturer of semiconductor testing equipment, has detected and is investigating a ransomware intrusion on its internal IT network. The company acted to isolate the affected systems to prevent the malware from spreading and has launched a full investigation to assess the scope and impact. As a critical supplier in the global semiconductor industry, this attack raises concerns about potential disruptions to the technology supply chain and the theft of valuable intellectual property. The ransomware group responsible has not yet been named.

AI's Role in Malware Evolves from Assistant to Embedded Threat Component

A February 17, 2026 analysis highlights a significant evolution in how threat actors are using Artificial Intelligence. The trend is shifting from using AI as a tool for development (e.g., writing phishing emails) to directly embedding AI models within malware itself. This new class of AI-integrated malware can dynamically alter its code, adapt its behavior to evade security tools, and make autonomous decisions about when to execute malicious actions. Attackers are using 'distillation attacks' to create their own unrestricted versions of commercial AI models, enabling this new phase of stealthy, persistent, and adaptive threats that challenge traditional, signature-based detection methods.

PromptSpy: First Android Malware to Weaponize Google's Gemini AI for Stealth and Persistence

Security researchers at ESET have uncovered 'PromptSpy,' a groundbreaking Android malware that integrates Google's Gemini AI to achieve persistence and evade removal. This marks the first known instance of malware weaponizing a large language model (LLM) in its core operational loop. PromptSpy sends UI data to Gemini, which returns instructions on how to navigate the device's interface to 'pin' the malicious app, preventing users from easily closing it. While its current goal is to deploy a VNC for remote access, PromptSpy's use of AI to dynamically adapt to different Android devices represents a significant and concerning evolution in mobile threat capabilities.

CISA KEV Catalog Updated with Actively Exploited BeyondTrust and SolarWinds RMM Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several critical vulnerabilities in Remote Monitoring and Management (RMM) tools from BeyondTrust and SolarWinds to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms that threat actors are actively exploiting these flaws in the wild, likely for initial access and ransomware deployment. CISA has mandated a three-day patching deadline for federal agencies. The vulnerabilities, including a CVSS 9.9 flaw in SolarWinds Web Help Desk (CVE-2026-1731), provide privileged access into networks, making them high-priority targets for attackers and defenders alike.

Ransomware Attack Cripples University of Mississippi Medical Center, Forcing Clinic Closures

The University of Mississippi Medical Center (UMMC) has been hit by a severe ransomware attack, causing widespread disruption to its IT systems and patient care. The attack disabled the electronic health records (EHR) system, forcing the medical center to cancel surgeries and appointments and revert to manual paper-based processes. Clinics across the state have been shut down as UMMC works to contain the threat and restore operations. This incident is a stark reminder of the devastating impact of ransomware on the healthcare sector, where IT outages can directly threaten patient safety.

Warlock Ransomware Hits SmarterTools by Exploiting Flaw in its Own Email Server Software

In an ironic turn, software company SmarterTools was breached by the Warlock ransomware group, who exploited a known vulnerability (CVE-2026-23760) in SmarterTools' own SmarterMail email server software. The attackers leveraged the authentication bypass flaw for initial access, then deployed ransomware and used a malicious installer for the Velociraptor DFIR tool to establish persistence. The incident, first detected in late January 2026, is a stark reminder that all organizations, including software vendors themselves, must practice diligent patch management for internet-facing systems.

Critical Flaw in Grandstream VoIP Phones (CVE-2026-21486) Allows Silent Eavesdropping

A significant vulnerability, CVE-2026-21486, has been disclosed in popular VoIP phones from Grandstream. The flaw could be exploited by remote attackers to gain access to internal device interfaces and, most critically, to silently eavesdrop on private phone conversations. This poses a serious privacy and security risk for businesses and individuals using the affected devices. Users are urged to seek out and apply firmware updates from Grandstream immediately to mitigate the threat of having their sensitive communications compromised.

Honeywell CCTV Cameras Have Critical Auth Bypass Flaw, Allowing Video Hijacking

A critical authentication bypass vulnerability has been reported in multiple Honeywell CCTV camera models. The flaw, disclosed on February 19, 2026, could allow a remote, unauthenticated attacker to hijack user accounts and gain complete access to the cameras. This would enable them to view live and recorded video feeds, manipulate camera settings, or disable surveillance entirely, posing a severe risk to physical security and privacy. Users of Honeywell CCTV systems are urged to monitor for an official advisory and patch from the manufacturer.

FCC Warns US Telecoms of Soaring Ransomware Threat, Mandates Stronger Defenses

The U.S. Federal Communications Commission (FCC) has issued a strong warning to the telecommunications sector, urging companies to urgently bolster their defenses against a dramatic surge in ransomware attacks. Citing a fourfold increase in such incidents since 2021, the agency's alert highlights the significant risks to national security and public safety. The FCC is recommending a series of best practices, including the adoption of zero-trust architecture, network segmentation, EDR, and enhanced employee training to mitigate the growing threat.

Adidas Investigates Third-Party Data Breach After Lapsus$ Claims 815k Record Theft

Sportswear giant Adidas is investigating a data breach at an independent third-party partner responsible for distributing its martial arts products. The investigation follows a claim made on a hacking forum by a threat actor using the alias 'LAPSUS-GROUP', who alleged the theft of 815,000 records from the Adidas partner extranet. The stolen data reportedly includes user PII and technical data. Adidas stated that its own core IT infrastructure and consumer data are not affected, but the incident highlights the significant risks posed by supply chain security vulnerabilities.

DEF CON Bans Three Prominent Tech Figures Over Links to Jeffrey Epstein

The DEF CON hacking conference has permanently banned three well-known figures from the technology and cybersecurity community: inventor Pablos Holman, cybersecurity executive Vincenzo Iozzo, and former MIT Media Lab director Joichi 'Joi' Ito. The decision follows the release of Department of Justice files and investigative reports detailing their connections and interactions with the late convicted sex offender Jeffrey Epstein. The move reflects an effort by the influential conference to uphold ethical standards and distance the community from the scandal, though it has been met with some criticism.

Asahi Confirms 115k Records Leaked in 2025 Ransomware Attack, Details New Security Measures

Japanese food and beverage giant Asahi Group Holdings has provided a final update on the ransomware attack that crippled its operations in September 2025. The company confirmed the incident resulted in the leak of 115,513 sets of personal data, including information belonging to corporate clients and its own employees. The attack had previously caused severe system glitches, forcing a suspension of production and shipments. In its announcement, Asahi detailed a series of new security enhancements being implemented to prevent future incidents.

Lumifi Inks Deal with Vizient to Strengthen Cybersecurity for US Healthcare Sector

Cybersecurity provider Lumifi has announced a new contract with Vizient, the largest provider-driven healthcare performance improvement company in the United States. The agreement will give Vizient's extensive network of member organizations, including hospitals and healthcare providers, enhanced access and pricing for Lumifi's full suite of security services. The partnership aims to help healthcare organizations combat rising cyber threats like ransomware and address compliance demands and staffing shortages by providing services like 24/7 MDR, SOC-as-a-Service, and incident response.

CISA Adds Four Actively Exploited Flaws in Chrome, Windows, Zimbra to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are being actively abused in the wild. The flaws affect a range of widely used products from Google (Chrome), Microsoft (Windows), Zimbra (Collaboration Suite), and ThreatSonar. By adding these to the KEV catalog, CISA has issued a binding operational directive requiring U.S. federal civilian agencies to apply patches by a specified deadline. All organizations are strongly urged to prioritize these vulnerabilities for immediate remediation.

Metasploit Module Released for Critical RCE Flaw in Grandstream VoIP Phones (CVE-2026-2329)

Researchers at Rapid7 have disclosed a critical, unauthenticated remote code execution (RCE) vulnerability, CVE-2026-2329, affecting Grandstream GXP1600 series VoIP phones. The flaw is a stack-based buffer overflow in the phone's web API, allowing a remote attacker to gain root privileges on devices with default configurations. To demonstrate the severity, Rapid7 has released a Metasploit exploit module and a post-exploitation module for credential theft. Grandstream has issued firmware version 1.0.7.81 to patch the vulnerability. Given the availability of a public exploit, users are urged to update their devices immediately or apply network-level mitigations.

French Government Database Breach Exposes 1.2 Million Bank Accounts via Stolen Credentials

The French Economy Ministry has confirmed a data breach affecting its FICOBA national bank account database. An unauthorized individual gained access to the system using credentials stolen from a government official, exposing the personal and banking information of 1.2 million account holders. The breach, which occurred in late January 2026, exposed names, addresses, bank account numbers, and tax IDs. However, the ministry clarified that the attacker could not view account balances or conduct transactions. The government has blocked the malicious access, filed a criminal complaint, and is in the process of notifying affected individuals.

Betterment Breach Escalates: ShinyHunters Leaks Detailed Financial and Personal Data of 1.4M Customers

The data breach at investment advisor Betterment LLC, first disclosed in January 2026, is now understood to be far more severe. The incident stemmed from a social engineering attack that gave an attacker access to a third-party communications platform. The ShinyHunters ransomware group has since claimed responsibility and published a massive trove of data allegedly belonging to 1.4 million customers after Betterment refused to pay a ransom. Analysis of the leak shows it contains not just contact information but highly sensitive details including employer information, job titles, retirement plan data, and internal company notes, creating a significant risk of sophisticated, targeted fraud for affected individuals.

Cybercrime Goes Corporate: Huntress Report Finds Attackers Industrializing Tactics for Scale and Profit

The Huntress 2026 Cyber Threat Report, released February 18, 2026, details a major shift in the cybercrime landscape towards an industrialized, business-like model. Analyzing data from millions of endpoints, the report finds that threat actors are prioritizing scalable, low-effort attacks that abuse trusted tools and identities over complex zero-days. This 'living off the land' approach maximizes profitability. The report highlights a significant 88% year-over-year increase in attacks targeting the manufacturing sector. It also warns of the growing use of AI in tradecraft, including deepfakes for impersonation and manipulation of AI chat tools to trick employees, lowering the barrier to entry for less skilled attackers.

Attackers Abuse Atlassian Jira Notifications in Large-Scale Phishing Campaign to Bypass Email Filters

A widespread and ongoing phishing campaign is abusing the legitimate notification features of Atlassian's Jira platform to deliver malicious links to government and corporate targets worldwide. By creating tasks or comments in Jira, attackers trigger legitimate notification emails sent from Atlassian's own servers. These emails, bearing valid digital signatures, bypass most email security filters and appear trustworthy to recipients. The 'low and slow' campaign aims to harvest credentials and deliver malware by luring users to click on links within the seemingly benign project updates. The tactic highlights a growing trend of threat actors abusing trusted SaaS platforms to conduct their attacks.

New 'Contagious Interview' and 'CrescentHarvest' Campaigns Target Crypto Wallets and Iranian Dissidents

Two distinct and sophisticated cyber threat campaigns were reported on February 18, 2026. The first, dubbed 'Contagious Interview,' is a financially motivated operation targeting MetaMask browser wallets. It uses injected malicious code to surgically alter transaction data in real-time, redirecting cryptocurrency to attacker-controlled wallets. The second campaign, 'CrescentHarvest,' is attributed to an Iranian threat actor and focuses on cyber-espionage against political dissidents and protestors. This campaign uses phishing to deploy surveillance malware designed to harvest sensitive communications. Both campaigns highlight a trend towards precision-targeted, stealthy attacks for financial gain and political suppression.

Malicious GitHub Fork of 'Triton' macOS App Used to Distribute Windows Malware

A malicious supply chain attack was identified on GitHub on February 17, 2026, targeting users through a deceptive fork of a legitimate open-source application. Attackers cloned 'Triton,' a macOS client for the omg.lol service, and created a malicious repository under the account name 'JaoAureliano.' The repository's README file lured users into downloading a trojanized ZIP file, `Software_3.1.zip`. While the original project is for macOS, the malicious payload was designed to infect Windows systems. This incident highlights the ongoing threat of software supply chain attacks that abuse the trust inherent in the open-source ecosystem.

UC Berkeley to Host Regional Summits to Strengthen Cyber Civil Defense

The UC Berkeley Center for Long-Term Cybersecurity (CLTC) announced on February 17, 2026, that it will host three regional Cyber Civil Defense Summits in 2026. The initiative aims to build collaboration between volunteer cyber defenders, government officials, researchers, and emergency responders to better protect under-resourced community organizations like schools and local critical infrastructure. The summits will be co-hosted with partner states, including New Jersey and Louisiana, and will build on the CLTC's previous work to create replicable models for community-based cyber defense and resilience.

Google Scrambles to Patch First Actively Exploited Chrome Zero-Day of 2026

Google has issued an urgent security update for its Chrome web browser to fix a high-severity zero-day vulnerability, CVE-2026-2441. The flaw, a use-after-free bug in the browser's CSS component, is confirmed to be actively exploited in the wild. Successful exploitation allows a remote attacker to execute arbitrary code simply by tricking a user into visiting a malicious webpage. All users are urged to update their browsers immediately.

Dell Zero-Day Exploited for Two Years by Chinese Spies to Steal Data

Dell has released an emergency patch for a critical, maximum-severity vulnerability (CVE-2026-22769) in its RecoverPoint for Virtual Machines appliance. The flaw, a case of hardcoded credentials, has been actively exploited by a suspected Chinese cyberespionage group (UNC6201) since mid-2024. Attackers leveraged the CVSS 10.0 vulnerability to gain root access, deploy webshells, and install multiple backdoors, including the novel GRIMBOLT malware. The long-term exploitation allowed the threat actor to maintain persistence and conduct lateral movement within victim networks.

‘Zero-Knowledge’ Password Managers Not So Secure, Study Finds

A new study by researchers at ETH Zurich has uncovered significant architectural weaknesses in popular cloud-based password managers, including Bitwarden, LastPass, and Dashlane. The research challenges the "zero-knowledge" encryption promises made by these vendors, demonstrating 27 distinct attack scenarios where a malicious or compromised server could access or alter passwords in a user's encrypted vault. The attacks exploit weaknesses in features like account recovery and data synchronization rather than breaking the underlying cryptography.

CISA KEV Alert: Patch Now for Exploited Flaws in SolarWinds, Microsoft, Notepad++, and Apple

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The flaws affect a wide range of popular products: SolarWinds Web Help Desk (CVE-2025-40536), Microsoft Configuration Manager (CVE-2024-43468), Notepad++ (CVE-2025-15556), and multiple Apple operating systems (CVE-2026-20700). Federal agencies are now under a binding directive to patch these vulnerabilities by their respective deadlines.

New ClickFix Attack Abuses DNS 'nslookup' for Stealthy Malware Delivery

Microsoft Threat Intelligence has uncovered a new variant of the 'ClickFix' social engineering attack that uses DNS queries as a covert channel for malware delivery. Victims are tricked into running an 'nslookup' command that queries an attacker-controlled DNS server. The malware payload, a PowerShell script, is embedded in the DNS response, allowing it to bypass some web-based security filters. The attack chain ultimately deploys the ModeloRAT remote access trojan.

Microsoft 365 Admin Center Outage in North America Investigated as Security Event

A significant service disruption on February 10, 2026, that prevented IT administrators across North America from accessing the Microsoft 365 admin center, is reportedly being investigated as a security event. The outage, which also affected the M365 mobile app, blocked administrators from performing critical user management and security tasks, raising concerns about the incident's root cause and whether it was the result of malicious activity.

New 'Keenadu' Android Backdoor Injects into Core Zygote Process, Links Major Botnets

Kaspersky researchers have discovered a highly sophisticated Android backdoor named "Keenadu." The malware is being distributed through two alarming vectors: pre-installed in device firmware via supply chain compromise, and through malicious apps on the Google Play Store. Keenadu's primary malicious action is to inject itself into the Android Zygote process, the parent of all applications, giving it pervasive access and control. The investigation also exposed operational links between Keenadu and the notorious Triada and BADBOX malware families.

Panasonic Launches World-First Cybersecurity Monitoring Trial for Grid-Scale Battery Storage Systems

Panasonic Holdings Corporation has announced the start of what it calls the world's first cybersecurity monitoring trial for grid-scale Battery Energy Storage Systems (BESS). This pioneering initiative aims to develop and validate a system for detecting intrusions and unauthorized commands within the BESS's internal operational technology (OT) network, moving beyond conventional perimeter defenses to secure critical energy infrastructure.

Fake 7-Zip Website Tricks Users, Turns PCs into Malicious Proxy Nodes

A malicious campaign is leveraging a lookalike domain, 7zip[.]com, to distribute a trojanized installer for the popular 7-Zip file archiving utility. The installer, signed with a now-revoked digital certificate, provides a functional version of 7-Zip to avoid suspicion, but also silently installs proxyware. This malware turns the victim's computer into a residential proxy node, allowing threat actors to route their traffic through the victim's IP address for nefarious activities.

New 'AI-in-the-Middle' Attack Turns Microsoft Copilot and Grok into C2 Channels

Security researchers have detailed a novel command-and-control (C2) technique dubbed "AI-in-the-Middle." This method allows malware on a compromised system to use legitimate, web-connected enterprise AI assistants, such as Microsoft Copilot, as a proxy to relay commands. The technique effectively hides malicious C2 traffic within the seemingly benign and trusted communications to AI platforms, posing a significant detection challenge for network security tools.

"Shadow Persistence" Rootkit Targets Cisco Edge Devices, Survives Factory Resets

A sophisticated espionage campaign is actively targeting critical infrastructure and government agencies by exploiting a new vulnerability in Cisco's IOS XE software. Attackers are using the flaw to install a powerful firmware rootkit, dubbed "Shadow Persistence," on network edge routers. This rootkit is exceptionally dangerous because it is installed directly into the device's firmware, allowing it to survive reboots and even factory resets, making it nearly impossible to remove through standard procedures.

BeyondTrust Patches Critical 9.9 CVSS RCE Zero-Day in Remote Access Tools

BeyondTrust has patched a critical zero-day vulnerability, CVE-2026-1731, affecting its self-hosted Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw is a pre-authentication remote code execution (RCE) vulnerability with a CVSS score of 9.9, indicating extreme severity. It allows an unauthenticated attacker to execute arbitrary OS commands on a vulnerable appliance by sending a specially crafted network request, requiring no user interaction. This could lead to a full server compromise. The vulnerability affects RS versions 25.3.1 and earlier, and PRA versions 24.3.4 and earlier. BeyondTrust has already secured its cloud instances, but is urging all on-premise customers to upgrade to the patched versions immediately. The flaw was discovered and responsibly disclosed by a security researcher.

Nation-State Hackers from China, Russia, and Iran Weaponize Google's Gemini AI for Attacks

A new report from Google's Threat Intelligence Group (GTIG) confirms that state-sponsored hacking groups from China, Iran, North Korea, and Russia are systematically using large language models (LLMs), including Google's own Gemini, to augment their cyber operations. These advanced persistent threat (APT) groups are leveraging AI for the entire attack lifecycle, from initial open-source intelligence gathering and target reconnaissance to crafting sophisticated phishing emails and developing malware. The report highlights a strategic shift where adversaries use AI to increase the speed, scale, and effectiveness of their campaigns, posing a new challenge for defenders.

CISA Issues Emergency Directive for 'IronBite' SCADA Zero-Day Under Active Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive for a critical zero-day vulnerability, CVE-2026-31501, dubbed 'IronBite'. This remote code execution (RCE) flaw in Avarium's OmniLogic SCADA platform scores a perfect 10.0 on the CVSS scale and is believed to be under active exploitation by state-sponsored actors targeting the energy sector. The vulnerability affects versions 4.x through 5.7.2 and can be triggered by a single network packet, requiring no authentication or user interaction. CISA has mandated immediate disconnection of affected systems from external networks for all federal agencies, highlighting the severe risk to critical infrastructure in North America and Europe.

ChronoLocker Ransomware Cripples AmeriCargo, Freezing US Supply Chains

The 'ChronoLocker' ransomware gang has launched a crippling attack against AmeriCargo, a major North American logistics firm, forcing a halt to its operations. The attack, which began on February 15, 2026, has encrypted critical systems managing port operations and freight tracking, leading to widespread supply chain disruptions across the United States. The threat actors claim to have exfiltrated 2 terabytes of sensitive data, including client contracts and financial information, and are demanding a $30 million ransom. This incident highlights the escalating trend of ransomware groups targeting critical infrastructure to maximize pressure and financial gain.

New APT 'Silent Geese' Deploys 'PoliGraph' Backdoor in Espionage Campaign Against NATO

A newly identified state-sponsored threat actor, named 'Silent Geese,' is conducting a highly targeted cyber-espionage campaign against diplomatic personnel in multiple NATO member states. According to research from SecuraIntel, the advanced persistent threat (APT) group uses convincing spear-phishing emails related to a fake security summit to lure victims. The emails contain a malicious PDF that exploits a vulnerability to install 'PoliGraph,' a novel and stealthy backdoor. This malware is designed for long-term intelligence gathering, capable of exfiltrating documents, capturing keystrokes, and recording audio, posing a significant threat to international security.

PaySphere FinTech App Breach Exposes Data and Transaction Histories of 4 Million Users

The popular FinTech payment app, PaySphere, has disclosed a major data breach affecting approximately 4 million users. The company announced that an unauthorized party gained access to a production database for over two weeks, from January 28 to February 12, 2026. The compromised data includes full names, email addresses, phone numbers, and detailed transaction histories. The breach was traced back to a compromised employee account that was phished, allowing attackers to bypass multi-factor authentication. While financial details like bank accounts were reportedly not accessed, the exposure of transaction data poses significant privacy and security risks to users.

CopperSteal Infostealer Evolves to Target AWS, Azure, and Google Cloud Credentials

A new variant of the 'CopperSteal' information-stealing malware has emerged with a dangerous new focus: enterprise cloud environments. According to analysis by ThreatFabric, the updated malware now includes specific modules designed to hunt for and exfiltrate credentials, access keys, and session cookies from AWS, Microsoft Azure, and Google Cloud. The malware is typically delivered through trojanized software masquerading as developer tools. This evolution marks a significant threat escalation, as stolen cloud credentials can be sold on underground forums and used to facilitate more severe attacks like ransomware deployment, corporate espionage, and data breaches.

Telehealth Provider HealthPath Exposes 700,000 Patient Medical Files in S3 Bucket Leak

Telehealth provider HealthPath has suffered a massive data exposure due to a misconfigured Amazon S3 bucket. A security researcher discovered the cloud storage bucket was left publicly accessible, exposing over 700,000 sensitive documents, including medical scans, test results, and patient identification forms. The data belongs to an estimated 150,000 patients and contained extensive personally identifiable information (PII) and protected health information (PHI). HealthPath attributed the exposure to 'human error' during a system update on January 20, 2026. The company now faces a major regulatory investigation under HIPAA for failing to secure patient data.

Patch Now: Critical RCE Flaw (CVE-2026-31845) in ZenithJS Framework Threatens Web Apps

The maintainers of ZenithJS, a popular JavaScript web framework, have released an emergency patch for a critical remote code execution (RCE) vulnerability, CVE-2026-31845. The flaw, rated 9.8 on the CVSS scale, exists in the framework's data serialization library and allows an unauthenticated attacker to execute arbitrary code on a server by sending a crafted HTTP request. The vulnerability is due to unsafe deserialization of user input. All applications built with ZenithJS versions 3.0.0 through 3.4.0 are affected. Given the framework's widespread use, developers are urged to upgrade to the patched version 3.4.1 immediately to prevent potential widespread exploitation.

Supply Chain Attack: Malicious 'PyUtils-Core' Library on PyPI Steals Developer Secrets

A software supply chain attack has compromised 'PyUtils-Core,' a popular Python library on the Python Package Index (PyPI) with millions of monthly downloads. The PyPI security team removed versions 1.8.7 and 1.8.8 after discovering they contained malicious code designed to steal developer secrets. The code, injected after the library maintainer's account was compromised, scans for and exfiltrates environment variables, including API keys, authentication tokens, and other secrets commonly found in developer environments and CI/CD pipelines. All users who downloaded the affected versions are urged to rotate their credentials immediately.

Social Media Giant ConnectSphere Hit with Landmark €800M GDPR Fine for Data Breaches

In a landmark ruling, European Union regulators have fined the social media platform ConnectSphere €800 million for significant and repeated violations of the General Data Protection Regulation (GDPR). The fine, issued by Ireland's Data Protection Commission (DPC), stems from a lengthy investigation into the company's data security practices between 2023 and 2025. The DPC found that ConnectSphere failed to implement appropriate technical measures to protect user data, citing inadequate access controls and weak password hashing, which directly contributed to multiple large-scale data breaches. ConnectSphere has been ordered to overhaul its security architecture and intends to appeal the decision.

'Crimson Wyvern' APT Steals Cancer Research Data in Global Espionage Campaign

A state-sponsored APT group tracked as 'Crimson Wyvern' is orchestrating a widespread cyber-espionage campaign against leading cancer research facilities and pharmaceutical companies. According to a new report from Mandiant, the attacks have targeted organizations in the U.S., U.K., and Japan with the goal of stealing valuable intellectual property, particularly data on novel drug therapies and clinical trials. The threat actors gain initial access by exploiting VPN vulnerabilities and then deploy a custom backdoor, 'SerpentShell,' to maintain long-term access and exfiltrate sensitive research data. The campaign poses a serious threat to public health innovation and commercial competitiveness.

NorthGrid Power Report Reveals IT-OT Segmentation Failure Led to Blackout Attack

NorthGrid Power, a major U.S. utility, has published a detailed post-incident report on the December 2025 cyberattack that resulted in localized power outages. The report attributes the attack to a sophisticated threat actor and provides a transparent look at the attack chain. The intrusion began with a spear-phishing email to an IT employee and escalated as attackers moved laterally from the corporate IT network to the sensitive operational technology (OT) network. This was possible due to a misconfigured firewall rule. Once in the OT network, the attackers used custom malware to manipulate circuit breakers, causing the outages. The report serves as a critical case study on the dangers of IT-OT convergence and segmentation failures.

Actively Exploited 'GhostTouch' Zero-Day in Androis Allows Silent Malware Installation

Google's Project Zero has disclosed a critical zero-day vulnerability, 'GhostTouch' (CVE-2026-31999), affecting billions of Androis devices. The flaw, present in Androis versions 14, 15, and the beta of 16, allows an attacker to silently install malicious applications on a victim's device without any user interaction. The attack is triggered simply by the user visiting a malicious webpage. Project Zero has confirmed the vulnerability is being actively exploited in the wild in targeted attacks, likely to install sophisticated spyware. While Google has released a patch, the fragmented Androis ecosystem means most users will remain vulnerable for weeks or months.

OpenClaw Founder Peter Steinberger Joins OpenAI Amidst Project's Security Turmoil

Peter Steinberger, the creator of the popular but embattled OpenClaw open-source AI framework, has announced he is joining OpenAI. The move, confirmed by OpenAI CEO Sam Altman, will see Steinberger focus on building the "next generation of personal agents." This decision comes during a turbulent period for OpenClaw, which is grappling with a critical RCE vulnerability and a marketplace flooded with malicious packages. Steinberger stated his goal is to build a safe, accessible AI agent for a broad audience, suggesting a pivot away from the complexities of maintaining a large open-source project.

Python 'cryptography' Library Flaw (CVE-2026-26007) Leaks Private Key Information

A significant vulnerability, CVE-2026-26007, has been disclosed in the widely-used Python 'cryptography' package. The flaw, which affects versions prior to 46.0.5, is due to improper input validation on public keys. An attacker can supply a specially crafted weak public key, causing cryptographic operations like ECDH to leak bits of the victim's private key. This also weakens signature forging defenses. Users are urged to update to the patched version immediately.

Critical 9.8 CVSS Unauthenticated Privilege Escalation Flaw Hits WordPress Plugin

A critical unauthenticated privilege escalation vulnerability, CVE-2025-14892, has been disclosed in the Prime Listing Manager WordPress plugin. The flaw, affecting versions up to and including 1.1, has been assigned a CVSS score of 9.8, reflecting its extreme severity. It allows any remote, unauthenticated attacker to elevate their privileges on an affected website, potentially leading to a full site compromise. Administrators are urged to deactivate the plugin immediately or apply WAF rules as no patch is currently available.

Google and Entrust Form Strategic Partnership for AI-Driven Identity Security

Global security provider Entrust and tech giant Google have announced a strategic collaboration to integrate their technologies for AI-driven identity verification. The partnership aims to develop advanced solutions to combat the growing threat of sophisticated, AI-powered fraud. By combining their expertise, the companies intend to strengthen security defenses while streamlining user and employee onboarding processes, reflecting a broader industry trend of using AI to bolster cybersecurity.

Google Attributes New 'CANFAIL' Malware Attacks in Ukraine to Russian State Actor

Google's Threat Intelligence group has attributed a new malware campaign targeting Ukrainian organizations to a suspected Russian nation-state actor. The report, published on February 15, 2026, details the use of a new malware framework dubbed 'CANFAIL'. This discovery, along with other novel malware like 'VoidLink', highlights the continuous development of custom tools for cyber warfare in the region. Security analysts stress the need for behavior-based detection methods to counter these rapidly evolving threats, particularly in high-value sectors like defense and energy.

Fedora Project Patches Vulnerabilities in Python-aiohttp Component for Fedora 43

The Fedora Project released an important security advisory on February 14, 2026, for its Fedora 43 distribution. The advisory, 2026-66cb8ecfc2, addresses vulnerabilities in the 'python-aiohttp' package, a key component for asynchronous HTTP clients and servers in Python. An updated version, 3.13.3-4.fc43, has been released to mitigate the unspecified security issues. Administrators of Fedora 43 systems are urged to apply the update promptly to protect their systems.

Firms Face 2026 Compliance Countdown for RBI and SAMA Cybersecurity Mandates

Cybersecurity firm Foresiet has published a strategic analysis for financial institutions navigating the upcoming 2026 compliance deadlines for external threat mandates from the Reserve Bank of India (RBI) and the Saudi Central Bank (SAMA). The guide addresses the specific regulatory frameworks and offers a roadmap for banks and financial firms in India and Saudi Arabia to enhance their security posture against external threats. This reflects a global trend of financial regulators imposing stricter cybersecurity rules to protect national financial sectors.

Blast Audit and SafePorter Formalize Researcher Relations with New VDPs

On February 15, 2026, cybersecurity firms Blast Audit and SafePorter each published new Vulnerability Disclosure Policies (VDPs). These policies provide a formal framework, including legal safe harbor, for security researchers to responsibly report vulnerabilities they discover in the companies' systems. Both policies outline the scope of testing, reporting procedures, and expected response times, reflecting a growing industry best practice for fostering positive relationships with the independent security research community.

Open-Source Malware Skyrockets by 75%, Sonatype's 2026 Report Warns

Sonatype's 2026 'State of the Software Supply Chain' report reveals an alarming 75% increase in malicious open-source packages, with over 1.233 million identified. The report connects this surge to the rapid adoption of AI and automation in software development, which has accelerated open-source consumption to 9.8 trillion downloads across major registries. This increased velocity expands the attack surface, making it easier for attackers to inject malware into the software supply chain. The report also notes that 86% of traffic from Maven Central, a key Java repository, now comes from automated cloud services, amplifying the risk of widespread compromise from a single malicious package.

Germany Prepares Legislation to Authorize Offensive Cyber Operations in Major Policy Shift

The German government is reportedly drafting legislation to formally authorize its intelligence agencies and military to conduct offensive cyber operations. This significant policy shift would move Germany from its traditionally defensive posture to one that includes 'hack-back' capabilities, aligning its cyber warfare doctrine more closely with allies like the United States and the UK. The proposed laws aim to counter hybrid threats and establish a zero-tolerance policy for attacks on the nation's critical infrastructure, signaling a more assertive stance in cyberspace.

'Crazy' Ransomware Gang Abuses Legitimate Employee Monitoring Software for Stealthy Persistence

The 'Crazy' ransomware gang has been observed using a new 'living off the land' tactic, abusing legitimate commercial software to maintain stealthy and persistent access to victim networks. Researchers report the group deployed 'Net Monitor for Employees Professional' and the 'SimpleHelp' remote support tool to blend their malicious activity with normal administrative traffic. This method allowed the attackers to remain undetected for extended periods while disabling security tools and preparing for the final ransomware deployment, highlighting a growing trend of abusing trusted applications to evade detection.

Google Details Coordinated Cyber Espionage Campaigns Against Global Defense Industrial Base

A comprehensive report from Google's Threat Intelligence Group (GTIG) details a multi-pronged assault on the global Defense Industrial Base (DIB) by state-sponsored actors from China, Iran, North Korea, and Russia. The campaigns use diverse tactics, including targeting battlefield technology in Ukraine, exploiting the hiring process with 'Operation Dream Job' style campaigns, and compromising edge devices for initial access. The report names specific APT groups like Russia's Sandworm (APT44), North Korea's Lazarus Group (UNC2970), and China's Volt Typhoon (UNC3236), and details their use of custom malware to evade EDR and steal sensitive data.

BridgePay Payment Gateway Hit by Ransomware, Causing Nationwide Outages

The U.S. payments platform BridgePay Network Solutions has confirmed it suffered a ransomware attack that initiated a "system-wide service disruption" on February 6, 2026. The attack has crippled the company's ability to process payments, causing significant downstream impact on its clients, which include retailers, restaurants, and municipal governments across the country. Many merchants have been forced to switch to cash-only operations. BridgePay has engaged cybersecurity experts and is collaborating with the FBI and the U.S. Secret Service. While the company stated that an initial forensic investigation shows no evidence that usable payment card data was compromised, it warned that the restoration process could be lengthy. The identity of the ransomware group responsible for the attack has not yet been disclosed.

Ransomware Attacks Skyrocket 58% in 2025, Setting New Records

Multiple cybersecurity reports released in January 2026 confirm that 2025 was the most active year for ransomware on record. A report from GuidePoint Security's GRIT team documented a staggering 58% year-over-year increase in publicly claimed ransomware victims. December 2025 alone saw 814 attacks, the highest monthly total ever recorded. Despite law enforcement takedowns of major players like LockBit, the ransomware ecosystem proved resilient. Affiliates quickly migrated to other operations, with the Qilin and Akira ransomware groups emerging as the dominant forces, collectively responsible for a significant portion of all attacks. The United States remained the primary target, and the manufacturing sector was the most heavily impacted industry.

Substack Discloses Data Breach Exposing User Contact Information

The newsletter platform Substack has announced it suffered a data breach after discovering on February 3, 2026, that an unauthorized party had gained access to a database containing user information. The exposed data includes names, email addresses, phone numbers, and Stripe IDs, though the company stated that financial data like credit card numbers and passwords were not compromised. The data exposure may date back to October 2025. With over 20 million active users, Substack is warning customers to be wary of suspicious emails and text messages, as a hacker has claimed to have stolen data from 700,000 users and posted it on the dark web.

Microsoft Scrambles to Fix Six Actively Exploited Zero-Days in February 2026 Patch Tuesday

Microsoft's February 2026 Patch Tuesday release is a critical one, addressing 58 vulnerabilities across its product ecosystem. Most alarmingly, the update includes patches for six zero-day vulnerabilities that were already being actively exploited by attackers in the wild. Three of these flaws were publicly disclosed before a fix was available, escalating the urgency for administrators to deploy these updates. The zero-days include severe security feature bypasses in Windows Shell (CVE-2026-21510) and the MSHTML engine (CVE-2026-21513), both rated with a CVSS of 8.8, which could allow for silent code execution. Additionally, three elevation of privilege (EoP) flaws in Desktop Window Manager (CVE-2026-21519) and Remote Desktop Services (CVE-2026-21533) grant attackers SYSTEM-level access. The sheer number of in-the-wild exploits makes this one of the most critical patch cycles in recent memory, requiring immediate action from all organizations to prevent compromise.

Dutch Telecom Odido Suffers Massive Data Breach; 6 Million Customers Potentially Exposed

Dutch telecommunications provider Odido announced a major data breach on February 11, 2026, after a third-party supplier's system was compromised. The incident may have exposed the personal information of as many as six million customers. The compromised data reportedly includes sensitive details such as names, addresses, phone numbers, and in some cases, bank account and passport numbers. While Odido's core network was not affected, the breach originated from a supplier managing a customer data environment, highlighting significant third-party risk. The company has launched a full investigation and is notifying affected individuals and regulatory authorities under GDPR, with significant fines and legal action expected.

CISA Warns Energy Sector of Destructive ICS/OT Attacks After Poland Grid Hit

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert to U.S. energy sector operators, urging them to bolster their defenses against destructive cyberattacks. The warning on February 12, 2026, follows a sophisticated attack in late 2025 that targeted energy facilities in Poland. In that incident, threat actors leveraged insecure internet-facing devices to gain initial access and deploy destructive malware that damaged remote terminal units (RTUs) and wiped data from human-machine interface (HMI) controls. CISA's advisory underscores the severe vulnerability of operational technology (OT) and industrial control systems (ICS) that form the backbone of critical infrastructure, calling for immediate action to prevent similar devastating attacks.

Google Scrambles to Patch Two Actively Exploited Chrome Zero-Days Under Active Attack

Google has released an emergency security update for its Chrome web browser to address two high-severity zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910, that are confirmed to be actively exploited in the wild. The first flaw is an out-of-bounds write in the Skia 2D graphics library, while the second is an inappropriate implementation in the V8 JavaScript engine, both of which could allow a remote attacker to execute arbitrary code. With a CVSS score of 8.8 each, these vulnerabilities pose a significant risk to users. Google urges immediate updates to Chrome version 146.0.7680.75/76 for Windows/macOS and 146.0.7680.75 for Linux. Users of other Chromium-based browsers are also advised to apply patches as they become available.

Nation-States Pre-positioning in Critical Infrastructure for Future Cyber Warfare

Geopolitical tensions are fueling a new and dangerous phase of nation-state cyber activity, with a strategic shift towards pre-positioning within critical infrastructure for future disruptive operations. According to recent intelligence reports, Advanced Persistent Threat (APT) groups, such as the Iran-linked APT33 and APT34, are moving beyond espionage and financially motivated attacks. Instead, they are embedding themselves silently within global energy, healthcare, and telecommunications systems. Experts warn this long-term stealth access is designed to enable future attacks that could cause communications outages and supply chain shocks, making nation-state cyber warfare an existential business risk for organizations worldwide.

Software Supply Chain Attacks on the Rise, Exploiting Trusted Vendor Relationships

Software supply chain attacks have emerged as a dominant and highly effective threat vector, with cybercriminals increasingly targeting third-party vendors, open-source libraries, and software update mechanisms to compromise thousands of organizations at once. By injecting malicious code into legitimate software, attackers bypass traditional perimeter defenses and exploit the inherent trust between an organization and its suppliers. The infamous SolarWinds attack, which distributed a backdoored update to government agencies and major corporations, exemplifies the massive scale and impact of this threat. As modern software development increasingly relies on third-party components, the attack surface has expanded dramatically, making supply chain security a critical priority for businesses globally.

White House Unveils New "Cyber Strategy for America" with Offensive Focus

The White House announced its new "Cyber Strategy for America" on February 12, 2026, signaling a significant evolution from its 2023 predecessor. The new strategy marks a decisive shift towards a more proactive and offensive posture, aiming to disrupt foreign adversaries and cybercriminal networks before they can launch attacks against U.S. interests. Key pillars of the strategy include leveraging the full suite of government cyber capabilities, working with the private sector to dismantle threat actor infrastructure, and a push to streamline cybersecurity regulations to reduce compliance burdens on businesses. The policy also emphasizes modernizing federal networks with zero-trust architecture and AI-powered defenses.

FBI: Ransomware Attacks on Healthcare and Critical Infrastructure are Surging

Ransomware attacks continue to plague U.S. critical infrastructure, with a recent FBI report indicating a significant surge in incidents. At least 14 of the 16 critical infrastructure sectors have reported attacks, with healthcare and manufacturing being the most frequent targets. The FBI warns that these attacks are not just financial crimes but pose a direct threat to public safety and national security. In the healthcare sector, ransomware-induced downtime can delay treatments and divert emergency services, with life-threatening consequences. The 2021 attack on Colonial Pipeline serves as a stark reminder of the cascading societal impact, highlighting why ransomware remains a top-tier national security threat.

CISA Issues Flurry of ICS Advisories for Energy and Water System Vulnerabilities

On February 12, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a significant batch of ten new Industrial Control Systems (ICS) advisories, detailing vulnerabilities in products used across multiple critical infrastructure sectors, particularly energy and water systems. The advisories cover a range of products from prominent vendors including Hitachi Energy, Schneider Electric, Mitsubishi Electric, and TP-Link. These alerts provide technical details on the flaws and recommended mitigations, urging asset owners to apply updates promptly to protect their ICS and SCADA environments from potential exploitation.

EU's Stricter NIS2 Cybersecurity Directive Now in Full Effect

The deadline for European Union member states to transpose the Network and Information Security 2 (NIS2) Directive into their national laws passed on February 12, 2026, ushering in a new, stricter era of cybersecurity regulation across the bloc. NIS2 significantly expands the scope of the original NIS directive, applying to a wider range of 'essential' and 'important' entities. It imposes more rigorous cybersecurity risk management measures, incident reporting obligations with tighter deadlines, and higher penalties for non-compliance. The directive aims to harmonize and elevate the overall level of cyber resilience for critical infrastructure sectors like energy, transport, healthcare, and digital services.

Cloud Breaches Skyrocket, Now Costing Firms an Average of $5.1 Million

Recent reports analyzing the 2025-2026 threat landscape reveal a significant and sustained increase in attacks against cloud infrastructure. Cloud-targeted attacks rose 21% year-over-year, with 81% of organizations experiencing at least one cloud security incident. The primary causes are not sophisticated exploits but fundamental security lapses: credential compromise was the top attack vector, followed closely by cloud misconfigurations and insecure APIs. The financial consequences are severe, with the average cost of a cloud data breach climbing to an estimated $5.1 million in 2026, highlighting an urgent need for improved cloud security posture management.

'SilentVoice' Phishing Campaign Weaponizes AI Deepfake Audio to Bypass MFA

A sophisticated social engineering campaign named 'SilentVoice' is successfully bypassing multi-factor authentication (MFA) by using AI-generated deepfake audio of corporate executives. According to researchers at Proofpoint, attackers clone an executive's voice from public audio samples and then use it in a vishing (voice phishing) call to a subordinate employee. The deepfake voice creates a sense of urgency, tricking the employee into entering their credentials on a fake site and then approving the subsequent MFA push notification sent to their device. This highly convincing technique circumvents the protection offered by many common MFA methods, leading to full account takeover. The campaign has already resulted in successful breaches and financial fraud, highlighting the emerging threat of AI-weaponized social engineering.

Automotive Cyber Risk Escalates to Enterprise-Wide Challenge, VicOne Report Warns

A new report from automotive cybersecurity firm VicOne, released on February 11, 2026, warns that cyber threats in the automotive industry have evolved from isolated technical issues into enterprise-wide risks. Titled "Crossroads: Automotive Cybersecurity in the Overlap Era," the report finds that cross-organizational cyber incidents tripled in 2025. This trend is driven by the centralization of software platforms and over-the-air (OTA) update infrastructures, which magnify the impact of a single security failure. The report also highlights the "Overlap Era," where legacy vehicle systems, software-defined vehicles, and AI create a complex, interconnected risk landscape. VicOne also points to a significant blind spot in vulnerability management, having discovered 174 zero-day vulnerabilities in connected vehicles and EV chargers that are not tracked in the public CVE system.

SitusAMC Nears Completion of Data Breach Investigation from November 2025 Incident

SitusAMC, a key technology and services provider for the real estate finance industry, announced on February 12, 2026, that it is finalizing its investigation into a data breach first detected in November 2025. The company stated that notifications to affected consumers will be sent out in the coming weeks. The breach, which did not involve ransomware, compromised corporate data and potentially the personal and financial information of its clients' customers, which include major financial institutions. The incident highlights the significant supply chain risk in the financial sector, as a breach at a single vendor can have cascading effects on numerous banks and their customers. SitusAMC has confirmed the threat actor has been removed from its systems.

Arizona Urology Practice Breach Exposes PHI of Over 73,000 Patients

Academic Urology & Urogynecology of Arizona (AUUA) has begun notifying 73,281 individuals that their personal and protected health information (PHI) was compromised in a data breach that occurred in May 2025. The notification letters, sent starting February 12, 2026, come after a lengthy investigation determined that an unauthorized party had accessed the network between May 18 and May 22, 2025. The exposed data is highly sensitive and includes names, Social Security numbers, financial account information, and detailed medical information such as diagnoses, treatments, and prescriptions. While AUUA has no evidence of fraud resulting from the incident, it is offering complimentary credit monitoring to affected individuals.

Turkish Retailer Civil Mağazacılık Breach Exposes Data of 4.5 Million

Civil Mağazacılık, a major Turkish retailer specializing in baby and children's products, has reported a significant data breach estimated to affect 4.5 million individuals. According to a notification filed with Turkey's Personal Data Protection Authority (KVKK), the breach began on February 12, 2026, but was not detected until February 28. Attackers gained access to a Windows Server hosting the company's CRM database using an administrator account and exfiltrated the contents. The compromised data includes sensitive personal information such as full names, Turkish ID numbers (T.C. kimlik no), phone numbers, and email addresses. The KVKK has launched an investigation into the incident.

Higher Education Software Provider Nuventive Achieves SOC 2 Type II Compliance

Nuventive, a software company that provides data and improvement platforms for the higher education sector, announced on February 11, 2026, that it has successfully completed its System and Organization Controls (SOC) 2 Type II compliance audit. This certification, validated by the independent auditing firm A-LIGN, affirms that Nuventive's security practices, policies, and infrastructure meet the stringent trust services criteria set by the American Institute of Certified Public Accountants (AICPA). The achievement demonstrates the company's commitment to data security and provides assurance to its higher education clients that their sensitive institutional and student data is being managed securely.

Europe's Largest University, La Sapienza, Crippled by Ransomware Attack

La Sapienza University in Rome, Europe's largest university, continues to reel from a major cyberattack that began in early February 2026. The attack forced a precautionary shutdown of most of its IT systems, causing widespread disruption for its 112,500 students and staff. As of February 11, many digital services, including the main website, remained offline. While the university has not officially confirmed the details, reports attribute the incident to a pro-Russian threat actor group named Femwar02, using a strain of Bablock/Rorschach ransomware. A ransom note was reportedly found, but the university has avoided engagement. The incident highlights the growing trend of ransomware attacks targeting the academic sector.

Sandworm Deploys New 'DynoWiper' Malware in Failed Attack on Polish Power Grid

The Russian state-sponsored hacking group Sandworm has been attributed with a major, albeit unsuccessful, cyberattack against Poland's power system in late December 2025. Poland's energy minister described it as the 'largest cyber attack' on their energy infrastructure in years. Cybersecurity firm ESET linked the attack to Sandworm and discovered the use of a previously undocumented destructive malware, which has been named 'DynoWiper'. This incident underscores Sandworm's continued focus on targeting critical infrastructure with new cyber weapons.

FCC Warns Telecoms of 4x Increase in Ransomware, Urges Better Security

The U.S. Federal Communications Commission (FCC) has issued a formal alert to the telecommunications industry regarding the escalating threat of ransomware. Citing data that shows a fourfold increase in attacks on the sector between 2022 and 2025, the FCC's Public Safety and Homeland Security Bureau is urging providers to adopt fundamental cybersecurity best practices. The warning emphasizes that vulnerable communications networks pose a significant risk to national security and public safety, and calls for actions like patching, MFA, and network segmentation.

CISA, NSA, and Canada Warn of New BRICKSTORM Malware Variant Used by Chinese Hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Canadian Centre for Cyber Security (Cyber Centre) have jointly released an updated Malware Analysis Report (MAR) for the BRICKSTORM backdoor. This new advisory, published February 11, 2026, details a new variant of the malware discovered during an incident response engagement. The investigation revealed that state-sponsored actors from the People's Republic of China (PRC) deployed BRICKSTORM on a VMware vCenter server to maintain long-term persistence within a victim network, having first gained access in April 2024. The agencies have released new YARA and Sigma rules to help organizations hunt for this threat and are urging government and critical infrastructure entities to immediately search their networks for signs of compromise.

Tax Season Phishing Frenzy: Microsoft Details Campaigns Abusing ScreenConnect and QR Codes

Microsoft has uncovered several large-scale, sophisticated phishing campaigns exploiting the U.S. tax season. In a report on February 10, 2026, the company detailed one massive campaign targeting over 29,000 users that aimed to install the legitimate remote access tool ScreenConnect for malicious use. This campaign broadly targeted organizations in financial services, technology, and retail. Another concurrent campaign used QR codes embedded in Word documents with 'W-2' themes to redirect victims to a credential harvesting site running the 'SneakyLog' phishing kit. A third attack wave leveraged lures impersonating CPAs to deliver the 'Energy365' Phishing-as-a-Service (PhaaS) kit. These multi-faceted campaigns demonstrate attackers' increasing sophistication in social engineering and their abuse of legitimate tools to bypass security.

Healthcare Provider's Ransomware Attack Traced to Compromised SonicWall Cloud Backups

Marquis Health Services, a major provider of skilled nursing care, has reported a disruptive ransomware attack that it attributes to a compromise of its SonicWall cloud backup systems. The incident, reported on February 10, 2026, allowed attackers to encrypt critical data, causing operational issues across its healthcare facilities. By targeting the backup system directly, the threat actors not only deployed ransomware but also aimed to sabotage the company's ability to recover, a tactic known as double extortion. This attack serves as a critical reminder of the security risks inherent in the third-party supply chain and the need to secure backup and recovery environments with the same rigor as primary production systems.

Undetected Go-Based Malware Emerge: GREENBLOOD Ransomware and Moonrise RAT

Security researchers have identified two new and dangerous malware families written in the Go programming language. The discoveries, reported on February 11, 2026, include a ransomware variant named GREENBLOOD and a remote access trojan (RAT) called Moonrise RAT. GREENBLOOD is designed for high-speed encryption and evidence removal, maximizing damage before detection. More alarmingly, the Moonrise RAT was found to be fully-featured, with extensive credential theft capabilities, and had zero detections on VirusTotal at the time of its analysis. The emergence of these potent Go-based threats highlights a trend of attackers using less common languages to develop malware that evades traditional signature-based antivirus and security tools, posing a significant challenge for defenders.

EU Greenlights Google's $32 Billion Acquisition of Cybersecurity Firm Wiz

The European Commission has granted unconditional antitrust approval for Google's proposed $32 billion acquisition of cybersecurity firm Wiz. The decision, announced on February 10, 2026, allows Google to move forward with its largest-ever deal, significantly bolstering its cloud security portfolio. EU regulators concluded that the acquisition would not harm competition in the cloud infrastructure market. They reasoned that Google remains a smaller player compared to Amazon and Microsoft, and customers will continue to have credible alternative security solutions and the ability to switch cloud providers. This approval from a major regulatory body signals a significant consolidation in the cybersecurity industry as cloud hyperscalers aim to deeply integrate security into their platforms.

Critical BeyondTrust Flaw Actively Exploited in Ransomware Attacks

A critical vulnerability in BeyondTrust's remote access solutions is being actively exploited by threat actors, with security firm Darktrace reporting anomalous activity linked to the flaw starting on February 10, 2026. Attackers are leveraging the vulnerability to gain unauthorized control of systems, which then serves as an entry point for follow-on attacks, including ransomware intrusions. Observed malicious activity includes compromised devices making suspicious outbound connections to Out-of-Band Application Security Testing (OAST) services, a technique used to validate successful exploitation. The active exploitation has prompted urgent calls for all BeyondTrust customers to apply patches immediately and hunt for signs of compromise within their networks.

Supply Chain Attacks Now a Dominant 'Ecosystem' of Crime, Warns Group-IB

A new report from cybersecurity firm Group-IB warns that supply chain attacks have evolved from being a specific attack type into a dominant 'ecosystem' of interconnected criminal activity. The 'High-Tech Crime Trends Report,' released on February 11, 2026, states that attackers are increasingly targeting upstream software vendors and managed service providers (MSPs) to compromise thousands of downstream victims in a single stroke. According to the report, 68% of major global incidents in the last year were linked to supply chain compromises. The firm's CEO highlights that phishing, ransomware, and data breaches are often just different stages of a larger campaign built on exploiting trusted third-party relationships, fueled by a booming dark web market for initial access credentials.

Hackers Expand Attacks on ICS/OT and Enterprise AI Systems

Research from Cyble, published January 20, 2026, reveals a dangerous convergence of threats, with adversaries increasingly targeting both industrial control systems (ICS/OT) and enterprise artificial intelligence (AI) systems. The report highlights that hacktivists and cybercriminals are exploiting internet-exposed Human-Machine Interfaces (HMI) and SCADA systems to disrupt critical infrastructure. Simultaneously, they are weaponizing AI workflows through techniques like prompt injection and data poisoning. This dual-front attack creates unprecedented challenges for defenders. The report also notes that ransomware remains the most disruptive threat, with RaaS affiliates collaborating and shifting towards extortion-only models, while the industrialized Phishing-as-a-Service (PhaaS) economy continues to fuel initial access campaigns.

CISA Adds Actively Exploited SolarWinds RCE Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2025-40551 with a CVSS score of 9.8, is a deserialization of untrusted data vulnerability. Its inclusion in the KEV catalog serves as a definitive warning that the vulnerability is being actively exploited in the wild. CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies must patch this flaw by February 6, 2026, and all organizations using the product are strongly urged to do the same.

Patch Now: Critical ScreenConnect Auth Bypass (CVSS 10.0) Under Active Attack

ConnectWise has disclosed and patched two critical vulnerabilities affecting its ScreenConnect remote access software, with one flaw, CVE-2026-1014, receiving a maximum CVSS score of 10.0. This authentication bypass vulnerability allows a remote, unauthenticated attacker to create a new administrator account on an exposed server. A second path traversal flaw, CVE-2026-1219 (CVSS 8.4), allows an authenticated attacker to upload arbitrary files. Security researchers and CISA have confirmed that threat actors are actively chaining these vulnerabilities in the wild to gain initial access, upload malicious payloads, and achieve remote code execution on vulnerable on-premise instances. The flaws impact ScreenConnect versions 23.9.7 and older. ConnectWise has released version 23.9.8 to address the issues, and CISA has added CVE-2026-1014 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for immediate patching.

New '0APT' Extortion Group Fakes Data Breach in Bluff Attack on Australian Hospital

A new extortion group calling itself '0APT' has targeted Australia's Epworth HealthCare, claiming to have stolen 920GB of sensitive patient and financial data. The group listed the hospital on its darknet leak site on February 4, 2026, threatening to publish the data if a ransom was not paid. However, Epworth HealthCare conducted a thorough investigation with external cybersecurity experts and found "no verified evidence of any impact to our systems or data." Cybersecurity researchers have corroborated this, assessing that 0APT is likely a "fake" ransomware operation. The group's modus operandi involves posting a high volume of victims without providing credible proof of a breach, instead using empty files or random data streams. This tactic relies on psychological pressure and the threat of reputational damage to extort payment, representing a shift from technical intrusion to pure intimidation.

KillSec Ransomware Group Claims Attack on Nigerian Tech Startup Getly

The ransomware group known as KillSec has claimed responsibility for a cyberattack on Getly, a Nigerian technology startup. On February 9, 2026, the group posted the claim on its platform, stating it had breached the company and exfiltrated sensitive data. KillSec has threatened to leak the stolen information if its unspecified ransom demands are not met. Getly, which operates the `getly.app` domain, has not yet publicly commented on the alleged breach, and the claims have not been independently verified. The incident highlights the global reach of ransomware gangs and the increasing risk they pose to startups and small businesses in emerging markets, not just large enterprises.

Australia Post Phishing Scam Harvests Credit Card and OTP Data

A widespread phishing campaign is actively targeting Australians by impersonating Australia Post. Cybersecurity firm MailGuard intercepted the scam on February 9, 2026, which uses emails with the subject line "Parcel Awaiting Instructions." The emails claim a delivery has failed due to an incomplete address and trick recipients into clicking a link to pay a small, fraudulent shipping fee of 1.99 AUD. The link leads to a sophisticated, multi-stage credential harvesting site designed to look like an official Australia Post portal. The site first captures the victim's full credit card details and phone number, and then, in a final crucial step, prompts for the one-time passcode (OTP) sent to their mobile. This allows the attackers to authorize fraudulent transactions immediately. The sender's email address is a clear giveaway, and users are advised to be vigilant.

AI Supply Chain Attack: Hundreds of Malicious 'Skills' on ClawHub Marketplace Steal Credentials

A significant software supply chain attack is targeting users of the OpenClaw AI assistant through its community marketplace, ClawHub. Security researchers have discovered hundreds of malicious 'skills'—add-ons that extend the AI's functionality—that have been published by threat actors. These skills masquerade as useful tools, such as wallet trackers or content summarizers, but their installation instructions trick users into downloading malware. The primary payloads include the Atomic Stealer infostealer for macOS and other backdoors and keyloggers for Windows. The attack leverages the trusted, open-source nature of the marketplace, which lacked a formal review process for submissions. In response to the discovery by KOI Security and SlowMist, the OpenClaw team has partnered with VirusTotal to automatically scan all skills uploaded to ClawHub to prevent further abuse.

'Bloody Wolf' APT Deploys NetSupport RAT in Espionage Campaign

Security researchers have uncovered an active spear-phishing campaign attributed to the threat actor 'Bloody Wolf' (also tracked as Stan Ghouls). The campaign targets organizations primarily in Uzbekistan and Russia, with a focus on manufacturing, finance, and IT sectors, though government and other entities have also been targeted. The attackers use phishing emails with password-protected ZIP archives containing a malicious LNK file. When executed, this file downloads and installs the legitimate remote administration tool, NetSupport RAT, which gives the attackers full control over the victim's system. The motives appear to be mixed, pointing towards both financially motivated cybercrime and state-aligned cyber espionage. This campaign marks a shift in tooling for the group, which previously used the STRRAT malware.

China-Linked UNC3886 Hits All Major Singapore Telcos in Coordinated Zero-Day Attack

Singaporean authorities have revealed that all four of the nation's major telecommunication providers were targeted in a sophisticated and coordinated cyber espionage campaign. The attack is attributed to UNC3886, a Chinese-linked advanced persistent threat (APT) group known for targeting critical infrastructure. The attackers exploited a zero-day vulnerability in the telcos' perimeter firewalls to gain initial access. Once inside, the group stole a limited amount of technical data and used advanced techniques to evade detection. While the attackers have not yet penetrated the core networks, officials noted their capability to deploy tools that could disrupt internet and telecommunications services. In response, Singapore has launched one of its largest-ever coordinated cyber defense operations, involving government agencies and the affected telcos working together to hunt for the intruders and harden national infrastructure.

CRITICAL: Ivanti Patches Two Actively Exploited RCE Zero-Days in EPMM

Ivanti has released urgent security patches for two critical remote code execution (RCE) vulnerabilities, CVE-2026-1281 and CVE-2026-1340, affecting its Endpoint Manager Mobile (EPMM) solution, formerly MobileIron Core. Both flaws are rated 9.8 out of 10 on the CVSS scale and are confirmed to be actively exploited in the wild as zero-days. An unauthenticated attacker can exploit these vulnerabilities to execute arbitrary code on an affected appliance, granting them access to sensitive mobile device management data. Given the active exploitation, administrators are urged to apply the temporary RPM script patches immediately while awaiting a permanent fix in the upcoming version 12.8.0.0.

Nationwide Outage: BridgePay Payment Gateway Confirms Ransomware Attack Crippled Production Systems

U.S. payment gateway provider BridgePay Network Solutions has confirmed a ransomware attack was the cause of a massive service outage that began on February 6, 2026. The attack took down numerous production systems, including the BridgePay Gateway API, virtual terminals, and hosted payment pages, disrupting credit and debit card processing for merchants across the United States in sectors like retail, hospitality, and government. Many businesses were forced to revert to cash-only operations. BridgePay has engaged the FBI and U.S. Secret Service. While the company states that an initial investigation suggests no usable payment card data was exposed due to encryption, a timeline for full service restoration has not been provided, and the process is expected to be lengthy.

EDR-Killer Malware Weaponizes Decade-Old EnCase Driver in BYOVD Attacks

Threat actors are using a new EDR-killing malware that leverages a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to disable endpoint security products. Researchers at Huntress discovered the malware during an intrusion that began with compromised SonicWall SSL VPN credentials. The attackers abuse `EnPortv.sys`, a legitimate but long-revoked kernel driver from Guidance Software's EnCase forensic toolkit. Despite its certificate being revoked in 2010, a gap in Windows' driver signature enforcement allows it to be loaded, granting the attackers kernel-level privileges. The malware uses these privileges to terminate 59 different processes associated with major EDR vendors like CrowdStrike, SentinelOne, and Microsoft, clearing the way for ransomware deployment.

U.S. Finalizes Ban on Chinese and Russian Tech in Connected Vehicles, Forcing Massive Supply Chain Overhaul

The United States has finalized new regulations from the Commerce Department that will ban hardware and software from China and Russia in connected vehicles sold in the U.S. The rules are designed to mitigate national security risks, preventing foreign adversaries from collecting sensitive data or manipulating vehicle functions. The ban will be phased in, starting with software for the 2027 model year and extending to hardware by 2029. The auto industry is facing what is being called 'one of the most consequential and complex auto regulations in decades,' forcing a massive and difficult overhaul of their deeply embedded global software and hardware supply chains.

European Commission Contains Cyberattack on its Mobile Device Management (MDM) System

The European Commission disclosed on February 5, 2026, that it had identified and contained a cyberattack against its central infrastructure for managing mobile devices. The attack, detected on January 30, was reportedly contained and the system cleaned within nine hours. The Commission stated that the incident may have resulted in unauthorized access to some staff names and mobile numbers, but there is no evidence that any mobile devices themselves were compromised. The incident comes shortly after the Commission proposed a new, comprehensive cybersecurity package (CSA2) to strengthen security across the EU.

Malicious VS Code Extension 'ClawdBot Agent' Deployed ScreenConnect RAT via Marketplace

A malicious extension named 'ClawdBot Agent' was discovered in the official Visual Studio Code Marketplace, impersonating a popular AI coding assistant to trick developers. The trojanized extension was fully functional, helping it evade suspicion while its malicious payload executed in the background upon VS Code launch. The attack chain fetched a remote configuration file that initiated the deployment of a weaponized version of the legitimate remote support tool, ConnectWise ScreenConnect, effectively turning it into a Remote Access Tool (RAT). This gave attackers full remote control over compromised developer machines. The extension was quickly removed by Microsoft, but the incident highlights the growing risk of supply chain attacks targeting developer ecosystems.

EU Proposes Revised Cybersecurity Act to Bolster Supply Chain Security & ENISA's Role

The European Commission has introduced a new cybersecurity package that includes a proposal for a revised Cybersecurity Act (CSA) and targeted amendments to the NIS2 Directive. The initiative aims to strengthen the EU's collective resilience against cyber threats by establishing a framework for ICT supply chain security, promoting 'cyber-secure by design' principles through certification, and enhancing the role of ENISA, the EU's cybersecurity agency. The amendments to NIS2 seek to clarify rules on jurisdiction and streamline ransomware incident data collection. Once adopted, member states will have one year to transpose the new provisions into national law.

CISA Adds Critical SmarterMail RCE Flaw to KEV Catalog Amid Active Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in SmarterTools' SmarterMail, CVE-2026-24423, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which allows for unauthenticated RCE, is being actively weaponized by ransomware operators. The vulnerability stems from a missing authentication check in an API endpoint, enabling attackers to execute arbitrary commands on vulnerable email servers. CISA has directed all federal agencies to apply patches by February 26, 2026, and strongly urges all organizations using the affected software to update immediately to mitigate the significant risk of compromise.

Transparent Tribe (APT36) Shifts Focus, Targeting Indian Startups with Crimson RAT

The Pakistan-aligned APT group Transparent Tribe (also known as APT36) has strategically shifted its targeting from Indian government and military entities to the country's growing startup sector. A new campaign, identified by researchers, uses the group's signature Crimson RAT malware delivered via malicious ISO files in phishing emails. The lures are themed around startups, with some attacks leveraging scraped personal information of real founders to appear more legitimate. The focus on startups in the cybersecurity and intelligence fields suggests the group aims to steal intellectual property and potentially use compromised companies as a supply chain vector to attack their government clients.

Ransomware Gangs Like LockBit and BlackCat Use Legitimate ISP Software for Anonymous Server Provisioning

Researchers at Sophos have discovered how bulletproof hosting (BPH) providers are abusing legitimate server management software from ISPsystem to anonymously provision virtual machines for cybercriminals. The software, VMmanager, leaves a default hostname fingerprint (`WIN-J9D866ESIJ2`) that allowed researchers to link thousands of malicious servers to BPH providers like Stark Industries Solutions and MasterRDP. This infrastructure is actively being used to support operations for top-tier ransomware groups, including LockBit, BlackCat (ALPHV), and Conti, highlighting a critical link between legitimate tools and the cybercrime underworld.

Aggressive Odyssey Stealer Malware Campaign Targets macOS Users Globally

A new and aggressive campaign featuring the Odyssey Stealer malware is actively targeting Apple macOS users across the globe. Initially focused on the US and Europe, the attack's reach expanded within 24 hours to South America, Africa, and Asia. Odyssey Stealer is an info-stealer designed to harvest browser credentials, crypto wallets, and system data. This latest variant uses builders to automatically generate unique, obfuscated samples, making it difficult for signature-based antivirus to detect. The malware spreads via social engineering, using fake or cracked software downloads and phishing lures to trick users into installing it.

Attackers Abuse Windows Screensaver (.scr) Files to Drop RMM Tools for Persistent Access

A novel attack technique has been observed where threat actors are abusing Windows screensaver (.scr) files as droppers for legitimate remote monitoring and management (RMM) tools. By tricking users into executing a malicious screensaver file, attackers can bypass security controls that might block direct RMM installation. Because .scr files are executables, they can be weaponized to install the RMM software, providing the attacker with persistent, stealthy remote access to the compromised machine for data theft, surveillance, or lateral movement. This method highlights the ongoing trend of attackers using living-off-the-land techniques.

Evolving Telegram Phishing Campaign Tricks Users into Approving Account Takeover

A sophisticated phishing campaign targeting Telegram users has re-emerged, using the platform's own features to hijack accounts. As reported by CYFIRMA, the attack tricks users with fake security alerts, directing them to a malicious site or bot that mimics an official Telegram service. The core of the attack is manipulating the user into approving a legitimate-looking authorization prompt for a 'new device' within their own Telegram app. Approving this prompt grants the attacker's device full session access, enabling them to take over the account, read private chats, and exfiltrate data. The campaign highlights the effectiveness of social engineering attacks that exploit user trust in a platform's native functions.

Ransomware Attacks on Education Sector Slowed in 2025, But U.S. Remains Top Target

A 2025 report from Comparitech indicates a slowdown in the growth of ransomware attacks against the global education sector. There were 251 attacks recorded worldwide, a slight 2% increase from the previous year. These incidents resulted in at least 3.96 million breached records. The United States was the most affected country with 130 attacks, though this marked a 9% decrease for the nation year-over-year. High-profile incidents included demands of $400,000 against school districts by the Medusa ransomware gang, highlighting the continued financial and operational strain these attacks place on educational institutions.

CISA: Critical SmarterMail RCE Flaw Actively Exploited in Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in SmarterTools' SmarterMail, CVE-2026-24423, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which has a CVSS score of 9.3, allows an unauthenticated attacker to take full control of a mail server by abusing an API method with a missing authentication check. CISA confirms the vulnerability is being actively used in ransomware campaigns and has mandated that federal agencies patch by February 26, 2026. All organizations using the affected email server software are strongly urged to update to build 9511 or later immediately.

CISA Issues Directive Forcing Removal of Unsupported Edge Devices from Federal Networks

In response to increasing exploitation by nation-state actors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 26-02. The directive mandates that all Federal Civilian Executive Branch (FCEB) agencies inventory and remove all unsupported network edge devices, such as firewalls and routers, within one year. Devices that are end-of-life (EOL) or end-of-support (EOS) no longer receive security updates and represent a significant risk. The order requires agencies to replace unsupported hardware and software, report their inventory to CISA, and establish a mature lifecycle management process to prevent future risks from technical debt.

Betterment Data Breach Exposes 1.4M Customers After Social Engineering Attack

Automated investment platform Betterment has disclosed a data breach affecting 1.4 million customers, originating from a sophisticated social engineering attack. Threat actors, claiming to be the 'ShinyHunters' group, used voice phishing (vishing) to manipulate employees and steal Okta single sign-on codes, gaining access to third-party marketing and support systems. The compromised data includes names, email addresses, phone numbers, and physical addresses. While core financial accounts were not compromised, the attackers used the stolen contact information to launch a fraudulent cryptocurrency scam targeting Betterment's customers. The incident highlights the growing threat of social engineering targeting employees to bypass technical security controls.

Financial Sector Cyberattacks Doubled in 2025, Fueled by Geopolitical Hacktivism

A new report from Check Point Software reveals a dramatic escalation in cyber threats targeting the global financial sector, with incidents more than doubling in 2025. The primary driver was a 105% increase in Distributed Denial-of-Service (DDoS) attacks, which were largely motivated by geopolitically-driven hacktivism rather than direct financial gain. Hacktivist campaigns aimed to disrupt banking portals and payment systems in countries involved in geopolitical conflicts, including Israel, the U.S., and Ukraine. The report also highlights a 73% jump in data breaches and the persistent threat of multi-extortion ransomware, indicating a complex and evolving threat landscape for financial institutions.

Critical RCE Flaw in n8n Automation Platform Allows Full Server Takeover

A critical sandbox escape vulnerability, CVE-2026-25049, has been discovered in the popular n8n workflow automation platform. The flaw, rated 9.4 on the CVSS scale, allows an authenticated user with permission to edit workflows to bypass security controls and execute arbitrary system commands on the host server. This could lead to a full server compromise, exposing sensitive credentials, API keys, and OAuth tokens stored in the environment. The vulnerability is a bypass for a previously patched RCE flaw, and administrators are urged to update to n8n versions 1.123.17 or 2.5.2 immediately to prevent potential hijacking of connected cloud services and AI pipelines.

New 'Milkyway' Ransomware Strain Surfaces with Aggressive Extortion Tactics

A new Windows-based ransomware strain named 'Milkyway' has been identified by researchers at CYFIRMA. Currently in a developing state, the malware encrypts files and appends a '.milkyway' extension. It employs aggressive extortion tactics via a full-screen ransom note, threatening not only to leak or sell stolen data but also to report victims to tax authorities and law enforcement if the ransom is not paid. The operators also threaten to contact the victim's clients and partners. Experts warn that Milkyway could evolve into a more sophisticated threat, potentially adopting a Ransomware-as-a-Service (RaaS) model, which would significantly broaden its impact.

Everest Ransomware Group Claims Attack on Japanese Manufacturer Hosokawa Micron

The Everest ransomware group has claimed responsibility for a cyberattack against Hosokawa Micron Corporation, a leading Japanese manufacturer of industrial processing technology. The group announced the breach on an underground forum, threatening to publish approximately 30 GB of exfiltrated confidential company data if their ransom demands are not met. This incident aligns with Everest's typical double-extortion strategy. The group is known for targeting organizations in manufacturing, finance, and IT across the U.S., Europe, and Asia, and also acts as an initial access broker, selling network access to other threat actors.

'Shadow Campaign' Hacks Governments in 37 Countries, China-Linked Group Suspected

Security researchers have uncovered a massive, long-running cyber-espionage operation dubbed 'Shadow Campaign.' The campaign is attributed to a suspected Chinese nation-state group, TGR-STA-1030, and has successfully compromised at least 70 government and critical infrastructure organizations in 37 countries. The group's reconnaissance activities have been even broader, targeting government infrastructure in 155 countries. Targets include high-value entities like national law enforcement, border control, finance ministries, and telecommunications companies. The operational footprint, including tools and timezone activity (GMT+8), strongly points towards a China-based actor.

Cisco and F5 Release Urgent Patches for High-Severity DoS and RCE Vulnerabilities

Networking giants Cisco and F5 have released a wave of security updates to address multiple high-severity vulnerabilities across their product lines. Cisco patched five flaws, including a remote DoS bug in TelePresence/RoomOS (CVE-2026-20119) and a root-level command execution flaw in Meeting Management software (CVE-2026-20098). Concurrently, F5 addressed five vulnerabilities in its BIG-IP and NGINX products, two of which are rated high-severity: a DoS flaw in BIG-IP (CVE-2026-22548) and a man-in-the-middle vulnerability in NGINX (CVE-2026-1642). Customers are strongly advised to apply the patches promptly to mitigate risks of service disruption and system compromise.

Chinese APT 'Amaranth-Dragon' Hits Southeast Asian Governments with WinRAR Exploit

A newly identified China-linked APT group, dubbed 'Amaranth-Dragon,' is conducting targeted cyber espionage campaigns against government and law enforcement agencies in Southeast Asia. The group, believed to be affiliated with the broader APT41 ecosystem, is exploiting a known WinRAR vulnerability (CVE-2025-8088) for initial access. Amaranth-Dragon demonstrates a high degree of stealth, using custom tools like 'Amaranth Loader' and a new 'TGAmaranth RAT' that leverages Telegram for command-and-control. The campaigns are tightly scoped, targeting countries like Cambodia, Thailand, and the Philippines, and appear to be motivated by geopolitical intelligence gathering.

Voicemail-Themed Phishing Campaign Deploys Legitimate RMM Tools for Backdoor Access

A widespread social engineering campaign is using convincing voicemail-themed lures to trick victims into installing legitimate remote monitoring and management (RMM) software. The attack begins with an email, often from a bank-themed subdomain, leading to a webpage that prompts the user to 'listen to your message.' Instead of playing a message, the page guides the user through a series of installation steps for a legitimate tool called 'Remotely RMM.' Once installed, the software enrolls the device into an attacker-controlled environment, providing them with persistent remote access for data theft and further malware deployment.

Microsoft Mandates TLS 1.2 for Azure Blob Storage, Sunsetting Older Versions

Microsoft has officially deprecated support for Transport Layer Security (TLS) versions 1.0 and 1.1 for its Azure Blob Storage service, effective February 3, 2026. TLS 1.2 is now the minimum required version for all new and existing blob storage accounts across all Azure clouds. This mandatory security enhancement aims to protect data in transit from known cryptographic vulnerabilities present in the older protocols. Customers with applications or clients still relying on TLS 1.0 or 1.1 must update them to ensure continued connectivity and avoid service disruptions.

Futile Ransom: Nitrogen Ransomware Contains Fatal Coding Error, Decryption Impossible

In a case of profound operational failure, security researchers have discovered a fatal coding error in the Nitrogen ransomware group's malware that targets VMware ESXi systems. The flaw, found in the encryption routine, causes the malware to use the wrong public key during the encryption process. As a result, the decryptor provided by the gang after a ransom is paid is mathematically incapable of reversing the encryption. This means that any victim who pays the ransom for their encrypted ESXi virtual machines has zero chance of recovering their data, reinforcing law enforcement advice to not pay ransoms.

UK Advances New Bill to Regulate Managed Service Providers (MSPs)

The United Kingdom government is advancing a new Cyber Security and Resilience Bill aimed at strengthening the nation's digital supply chain. A key provision of the bill is to bring Managed Service Providers (MSPs) under direct regulatory oversight for the first time. Citing the systemic risk demonstrated by attacks like the one on Synnovis that impacted the NHS, the legislation will impose security duties on MSPs similar to those already applied to essential services. The goal is to establish a higher baseline of security across the thousands of organizations that rely on MSPs for their IT and security operations.

SolarWinds Discloses Five Critical RCE & Auth Bypass Flaws in Web Help Desk

SolarWinds has disclosed a set of five critical vulnerabilities in its Web Help Desk (WHD) platform, a tool used by over 300,000 organizations. The flaws include two unauthenticated remote code execution (RCE) vulnerabilities and two authentication bypasses, each with a CVSS score of 9.8. This incident highlights a troubling pattern of recurring patch failures, as one of the new flaws, CVE-2025-40553, is the second bypass of an original deserialization vulnerability (CVE-2024-28986) first patched in 2024. Given the critical nature of the flaws, organizations with internet-facing WHD instances are at extreme risk and must patch immediately.

CISA Criticized for Silently Updating KEV Catalog with Ransomware Data

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is facing criticism for its practice of silently updating its Known Exploited Vulnerability (KEV) catalog. In 2025, the agency updated 59 entries to indicate that the flaws were being used in ransomware attacks, but it did not issue any notifications for these changes. Security experts argue that this lack of communication is a significant missed opportunity for defenders, who use the ransomware designation as a key factor in prioritizing patching.

Massive AT&T Customer Dataset with 148M SSNs Resurfaces in Criminal Circles

A massive and highly sensitive dataset allegedly containing the personal information of AT&T customers has resurfaced and is being circulated in criminal forums. The data trove reportedly includes approximately 176 million records, featuring over 133 million full names and addresses, and, most critically, up to 148 million full and partial Social Security numbers. The re-emergence of this consolidated data poses a severe and renewed risk of identity theft, phishing, and fraud for millions of individuals.

LinkedIn Phishing Campaign Targets Executives Using Legitimate Pen-Testing Tools

A new phishing campaign discovered by ReliaQuest is abusing LinkedIn's private messaging feature to target executives and IT professionals. The attackers use social engineering to trick victims into downloading and running a malicious archive file. The attack's novelty lies in its use of a legitimate, open-source Python script designed for penetration testing. This 'living off the land' technique makes the malicious activity difficult to distinguish from normal administrative tasks, significantly reducing the risk of detection by security software.

Fake LINE Messenger Installer Spreads ValleyRAT Malware

A malware campaign attributed to the Silver Fox APT group is distributing the ValleyRAT remote access trojan by disguising it as an installer for the popular LINE messaging app. The campaign, which primarily targets Chinese-speaking users, uses the trojanized software as a lure to infect systems. Once installed, ValleyRAT establishes persistence and focuses on stealing user credentials, leveraging advanced evasion techniques to remain undetected.

Critical Flaws in Django Framework Expose Sites to DoS and SQL Injection

The maintainers of the Django web framework have released important security updates to address critical vulnerabilities. The flaws could allow remote attackers to conduct Denial-of-Service (DoS) and potential SQL injection attacks against web applications built with the framework. Due to the severity of these issues, which could lead to service disruption and data compromise, administrators are strongly urged to patch their Django instances immediately.

Critical RCE Flaw in Ingress-NGINX Threatens Kubernetes Clusters

A critical vulnerability has been discovered in the widely used Ingress-NGINX controller for Kubernetes. The flaw could allow a remote attacker to achieve arbitrary code execution within the context of the ingress controller. A successful exploit could lead to a full compromise of the ingress, enabling traffic interception, data theft, and providing a powerful foothold for lateral movement into the underlying Kubernetes cluster environment. Users are urged to patch immediately.

Samsung's February 2026 Update Fixes 37 Flaws in Galaxy Devices

Samsung has released its February 2026 security update for its Galaxy smartphones, tablets, and foldable devices. The update addresses a total of 37 vulnerabilities. This includes 25 patches from Google for the core Android OS and 12 Samsung-specific patches (SVEs) for its One UI software. The Samsung-specific fixes address flaws rated as high and moderate severity, including an access control vulnerability in the 'Emergency Sharing' feature. Users are advised to install the update promptly.

Google Patches Multiple Vulnerabilities in February 2026 Pixel Update

Google has released its monthly security update for all supported Pixel devices as part of its February 2026 patch cycle. The update addresses numerous security vulnerabilities detailed in the Android and Pixel-specific security bulletins. Installing the update will bring all supported Pixel devices to the 2026-02-05 patch level, ensuring they are protected against the latest discovered threats. The update also includes various functional improvements.

UK Law Criminalizing AI-Generated Deepfake Intimate Images Takes Effect

A new law in the United Kingdom is set to come into force on February 6, 2026, making it a criminal offense to create or share AI-generated 'deepfake' intimate images of an adult without their consent. The law, part of the Data (Use and Access) Act 2025, amends the Sexual Offences Act 2003 to specifically address the malicious use of artificial intelligence to create harmful and abusive content. This legislative action is a direct response to the growing problem of non-consensual deepfake pornography.

Notepad++ Update Mechanism Hijacked in 6-Month Supply Chain Attack by Chinese APT

The maintainers of the widely-used Notepad++ text editor have disclosed a major supply chain attack that compromised their update infrastructure for six months in 2025. The attack, attributed to the Chinese espionage group Lotus Blossom (Billbug), involved hijacking update requests to selectively deliver a custom backdoor named 'Chrysalis' and other malware like Cobalt Strike to a targeted set of organizations. Victims were primarily located in Southeast Asia and included government and financial entities, highlighting a sophisticated, long-running espionage campaign.

Qilin Ransomware Claims Breach of Tulsa International Airport, Leaks Data

The Russian-affiliated Qilin ransomware group has claimed responsibility for a cyberattack against Tulsa International Airport. The group has listed the airport on its data leak site, alleging the theft of sensitive data including financial records and employee information. While airport operations reportedly remain unaffected, the incident highlights the ongoing trend of ransomware gangs targeting critical infrastructure. Qilin has been identified as a highly active group, responsible for a significant number of recent attacks.

Sophisticated Phishing Attack Uses PDF Lures and Cloud Services to Steal Dropbox Credentials

A new, multi-stage phishing campaign is using procurement-themed emails with benign-looking PDF attachments to bypass email security filters. The attack chain redirects victims through a legitimate cloud service, Vercel Blob, before presenting a convincing fake Dropbox login page. The goal is to harvest corporate credentials, which are then exfiltrated to an attacker-controlled Telegram bot. This layered approach is designed to appear legitimate and evade detection by both automated systems and wary users.

Canada Computers Discloses Data Breach Affecting Guest Checkout Customers

Canada Computers Inc., a major Canadian electronics retailer, has announced a data breach that exposed the personal and credit card information of customers. The incident affected individuals who used the 'guest' checkout feature on the company's website between December 29, 2025, and January 22, 2026. The company discovered the breach on January 22 and has since launched an investigation with law enforcement. Customers who were logged into member accounts are not believed to be affected.

Play Ransomware Hits US Instrument Manufacturer Deatak in Data Breach

The Play ransomware group has claimed another victim in the manufacturing sector, listing U.S.-based instrument maker Deatak on its data breach forum. The attackers allege they have compromised and exfiltrated a wide range of private and confidential data, including client documents, employee payroll details, and financial information. This attack underscores the persistent threat that ransomware poses to specialized manufacturing firms, which often possess valuable intellectual property and sensitive corporate data.

INC Ransomware Group Breaches Two U.S. Law Firms, Leaks Sensitive Client Data

The INC ransomware group is actively targeting the U.S. legal sector, claiming responsibility for attacks on at least two law firms: Hawk Law Group and Eisenberg Lowrance Lundell Lofgren. The group alleges it has stolen highly sensitive client information, including data related to civil and criminal litigation cases, government-issued IDs, and personal details. These attacks highlight the significant risk faced by law firms, which are high-value targets for cybercriminals due to the confidential nature of the data they hold.

Ransomware Attack Cripples City of New Britain, CT, Forcing Manual Operations

A ransomware attack has caused significant and ongoing disruption to the municipal network systems of New Britain, Connecticut. The attack, which began last week and was later confirmed as ransomware, has impacted the city's entire internet server. As a result, city departments have been forced to abandon digital systems and revert to manual 'pen and paper' operations. Federal authorities have been called in to assist with the investigation and response efforts.

Health-ISAC Report: AI-Enabled Attacks Named Top Threat to Healthcare Sector in 2026

The Health Information Sharing and Analysis Center (Health-ISAC) has released its 2026 Global Health Sector Threat Landscape report, identifying AI-enabled attacks as the number one projected concern for the year. Based on surveys of healthcare executives and security professionals, the report highlights a shift in focus towards emerging, sophisticated threats. Alongside AI, the report emphasizes the persistent dangers of major supply chain vulnerabilities and the continued high impact of ransomware. The findings, drawn from extensive data including over 1,200 targeted alerts in 2025, urge healthcare organizations to move towards a more proactive and resilient security posture.

Open VSX Marketplace Hit by Supply Chain Attack Spreading "GlassWorm" Malware

On January 30, 2026, the Open VSX Registry, a popular marketplace for Visual Studio Code extensions, fell victim to a supply chain attack. Threat actors compromised the account of a legitimate developer, 'oorzc', and published malicious updates to four of their popular extensions. These updates embedded the 'GlassWorm' malware loader. The compromised extensions had been downloaded over 22,000 times, exposing a large number of developers to the malware before the malicious versions were removed by the Open VSX security team.

Microsoft Patches Actively Exploited Office Zero-Day (CVE-2026-21509) Under Targeted Attack

Microsoft has released an emergency out-of-band security update for CVE-2026-21509, a high-severity security feature bypass vulnerability in Microsoft Office. The flaw, which has a CVSS score of 7.8, is being actively exploited in targeted attacks, allowing attackers to bypass Object Linking and Embedding (OLE) protections by tricking users into opening malicious documents. In response to the in-the-wild exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply the patch by February 16, 2026. The update applies to Office 2016, Office 2019, and Office LTSC, while Microsoft 365 Apps customers will receive a service-side update.

New "Pulsar RAT" Evades Detection with In-Memory Execution and LoTL Techniques

Security researchers have uncovered a new, stealthy Remote Access Trojan (RAT) targeting Windows systems, named 'Pulsar RAT'. This modular, .NET-based malware utilizes a multi-stage infection chain that heavily relies on in-memory execution and living-off-the-land techniques to evade detection. It features advanced anti-analysis capabilities, including anti-VM and anti-debugging checks. Once active, Pulsar RAT provides operators with live, interactive control for credential harvesting and data exfiltration, using legitimate services like Discord and Telegram for command-and-control.

Warning: Malicious ChatGPT Chrome Extensions Steal Session Tokens to Hijack Accounts

Researchers have identified 16 malicious Google Chrome extensions that masquerade as helpful tools for OpenAI's ChatGPT. Once installed, these extensions inject malicious scripts into the ChatGPT web application. The scripts are designed to monitor outbound requests, intercept sensitive data such as authorization details and session tokens, and exfiltrate them to an attacker-controlled server. This allows the attackers to hijack active user sessions, granting them full access to the victim's account and chat history.

AI Social Network "Moltbook" Breach Exposes 1.5M API Keys and 29k User Emails

A significant data breach at the AI-focused social network 'Moltbook' has exposed 1.5 million API keys, 29,000 user emails, and other sensitive data tables. The investigation, conducted by security firm Wiz, not only uncovered the data exposure but also revealed systemic security flaws, such as a lack of rate-limiting on agent registration. The breach also provided a skewed insight into the platform's user base, showing that its 1.5 million 'agents' were owned by only 17,000 human users. Moltbook has since deployed fixes to secure the exposed data.

New Iran-Linked 'RedKitten' Group Targets Human Rights NGOs with AI-Suspected Malware

A new cyber-espionage campaign by a Farsi-speaking threat actor dubbed 'RedKitten' is targeting human rights NGOs and activists documenting abuses in Iran. The campaign, observed by HarfangLab in January 2026, uses phishing emails with macro-laced Excel files as an initial vector. The malware is notable for its modularity and its use of legitimate public services like GitHub, Google Drive, and Telegram for C2 and payload delivery, a technique to evade detection. Researchers suspect the attackers may have used Large Language Models (LLMs) to assist in the development of their sophisticated tooling, marking a potential new trend in malware creation.

Fortinet Scrambles to Fix Actively Exploited SSO Auth Bypass (CVE-2026-24858) Hijacking Devices

Fortinet has disclosed and patched a critical authentication bypass vulnerability, CVE-2026-24858, in its FortiCloud Single Sign-On (SSO) feature. The flaw is being actively exploited, allowing attackers with a FortiCloud account to log into devices registered to other users, leading to unauthorized configuration changes and account creation. The vulnerability affects a wide range of products, including FortiOS, FortiManager, and FortiAnalyzer. Due to the active exploitation and severity, CISA has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, urging users to patch and hunt for signs of compromise immediately.

Microsoft Office Zero-Day Under Active Attack Bypasses Security Features

Microsoft has issued an emergency out-of-band patch for a high-severity zero-day vulnerability in Microsoft Office, CVE-2026-21509. The flaw, a security feature bypass with a CVSS score of 7.8, is being actively exploited in the wild through malicious documents. It allows attackers to circumvent Object Linking and Embedding (OLE) protections, leading to code execution if a user opens a specially crafted file. The vulnerability affects a wide range of Office products, including Office 2016 through LTSC 2024 and Microsoft 365 Apps. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating urgent patching for federal agencies and signaling a significant risk to all organizations.

AI to Overtake Human Error as Top Cause of Breaches, Experian Predicts

In its 13th Annual Data Breach Industry Forecast, Experian predicts a paradigm shift in cybersecurity for 2026, with autonomous AI agents potentially surpassing human error as the leading cause of data breaches. The report warns that threat actors are weaponizing AI to create sophisticated polymorphic malware, execute highly personalized attacks, and generate 'pristine synthetic identities' at scale from stolen data. This new wave of AI-driven threats, combined with the looming risk of quantum computing, is expected to fuel a massive spike in identity theft and fundamentally change the nature of cyberattacks.

Attacks on Industrial Environments Doubled in 2025, Report Warns

A new report from cybersecurity firm Cyble reveals a dramatic escalation in threats targeting industrial environments. According to its Annual Threat Landscape Report 2025, exploits against industrial technology (IT) and operational technology (OT) systems almost doubled last year. The report, published on January 15, 2026, documented nearly 6,000 ransomware attacks and identified numerous vulnerabilities in internet-exposed assets across critical infrastructure. Cyble predicts that in 2026, attackers will increasingly target exposed Human-Machine Interfaces (HMIs) and SCADA systems. This trend poses a significant risk to major global events, such as the 2026 Winter Olympics, where interconnected vendor systems create a rich target environment for disruption and extortion.

FBI Shuts Down RAMP, a Notorious Ransomware Recruitment and Trading Hub

In a significant blow to the ransomware ecosystem, the U.S. Federal Bureau of Investigation (FBI) has seized the RAMP (Russian Anonymous MarketPlace) forum. The Russian-language site, which operated on both the clear and dark web, was a central hub for ransomware-as-a-service (RaaS) operations. It served as a recruitment ground for affiliates for major gangs like ALPHV/BlackCat and Qilin, a marketplace for initial access brokers, and a trading post for stolen data. The takedown, conducted with the DOJ, disrupts a key piece of infrastructure that enabled numerous high-profile cyberattacks.

Supply Chain Attack: eScan Antivirus Update Server Compromised to Distribute Malware

Indian antivirus provider eScan, a product of MicroWorld Technologies, has suffered a supply chain attack. On January 20, 2026, a regional update server was compromised, causing it to push a malicious file named 'Reload.exe' to enterprise and consumer customers. According to security firm Morphisec, the malware disables the antivirus product by modifying the local HOSTS file to block future updates and then proceeds with a multi-stage infection to download additional payloads. While MicroWorld Technologies acknowledged the breach and isolated the server, it has disputed the 'supply chain attack' label. Affected users require a manual cleaning utility from eScan support for remediation.

'WhisperPair' Bluetooth Flaw Exposes Millions of Headphones and Speakers to Eavesdropping

A newly discovered vulnerability named 'WhisperPair' affects millions of Bluetooth audio devices from major brands, including Sony, JBL, and Logitech. The flaw allows a nearby attacker to bypass standard Bluetooth pairing security protocols. Successful exploitation could enable an attacker to eavesdrop on private audio streams or inject malicious audio commands into the connected device. This discovery highlights significant security and privacy risks in widely used consumer electronics and the persistent challenges of securing wireless communication protocols.

UStrive Mentoring Platform Exposes Data of 238,000 Users, Including Minors, via Leaky API

The non-profit mentoring platform UStrive has inadvertently exposed the sensitive personal data of over 238,000 users due to a misconfigured GraphQL API endpoint. A significant portion of the exposed user base includes minors, elevating the severity and privacy implications of the incident. The leaky API could have allowed unauthorized individuals to query and retrieve vast amounts of user data. This breach highlights the critical need for robust cybersecurity practices and secure API implementation, particularly for organizations in the non-profit sector that handle sensitive information, including that of children.

Automated Attacks Wipe Exposed MongoDB Databases, Demanding $500 Ransom

An automated data extortion campaign is actively targeting publicly exposed and misconfigured MongoDB databases. A threat actor is systematically wiping data from these unsecured servers and leaving a ransom note demanding approximately $500 in Bitcoin for its return. Research from Flare identified over 3,100 MongoDB instances accessible without authentication, with nearly half (1,400) already compromised by this attacker. This campaign highlights the persistent threat of automated scanning and exploitation of basic security misconfigurations, demonstrating that even with lower ransom demands, such attacks remain a profitable venture for criminals preying on low-hanging fruit.

Air Conditioning Giant Blue Star Discloses Data Breach Affecting Product Installation Data

Blue Star, a major Indian multinational specializing in air conditioning and commercial refrigeration, has announced it experienced a data security incident. The company reported unauthorized access to its product installation data. The breach was reported to its Compliance Officer on January 31, 2026. Blue Star has engaged external cybersecurity experts to investigate the incident's scope, perform a root cause analysis, and strengthen its security posture. Further details on the extent of the compromise and the responsible party have not yet been released as the investigation is ongoing.

Cybersecurity Risks Mount as Partial US Government Shutdown Begins

A partial U.S. government shutdown began at midnight on January 31, 2026, after funding for several federal agencies, including the Department of Homeland Security (DHS), lapsed. Security experts are warning that such shutdowns create a period of heightened cybersecurity risk for the nation. With reduced staffing and coordination at key agencies like CISA, the government's ability to detect, respond to, and share intelligence about threats is diminished. Threat actors, both criminal and nation-state, are known to exploit these periods of disruption to launch targeted phishing, credential harvesting, and ransomware campaigns against government agencies and adjacent sectors.

Cognizant Sued in Class-Action Lawsuits After TriZetto Data Breach

IT services giant Cognizant Technology Solutions is facing multiple class-action lawsuits in the U.S. following a significant data breach at its healthcare subsidiary, TriZetto Provider Solutions (TPS). The lawsuits, filed in New Jersey and Missouri, allege that Cognizant failed to adequately protect sensitive patient health and personal information processed by the TriZetto platform. Plaintiffs also claim the company unreasonably delayed notifying affected individuals, preventing them from taking timely steps to protect themselves from fraud and identity theft. The breach at TriZetto, a major processor of healthcare claims, has wide-ranging privacy implications for a large number of patients.

Novel Phishing Attack Abuses Vercel and Telegram to Deliver RATs

A novel phishing campaign, observed between November 2025 and January 2026, is abusing trusted `*.vercel.app` domains to bypass email security filters and deliver malware. The attack, detailed by Cloudflare, uses financial lures like fake invoices to trick victims into clicking. A unique feature is its Telegram-gated payload delivery, which requires interaction with a Telegram bot to receive the final payload. This technique effectively filters out automated sandboxes and security researchers, ensuring the malware is only delivered to genuine targets. The campaign's ultimate goal is to install GoTo Resolve, a legitimate remote access tool, which is then abused by attackers for persistent access and control.

New 'Sicarii Ransomware' RaaS Emerges, Targeting U.S. Manufacturing

A new ransomware-as-a-service (RaaS) operation named 'Sicarii Ransomware' has been discovered by researchers at CYFIRMA. Active since late 2025, the group is targeting the manufacturing sector in the United States. The malware encrypts victim files using AES-GCM and appends a '.sicarii' extension to them. In addition to encryption, the malware is capable of collecting system information and credentials from infected hosts, suggesting a double-extortion tactic may be part of their playbook. Tactical recommendations to defend against this threat include enhanced monitoring, maintaining offline backups, and strengthening network segmentation.

Industry Responds to Threats with New Tools for Supply Chain, AI, and Malware Analysis

In response to the evolving threat landscape, several cybersecurity firms have launched new products in January 2026. SpyCloud has released its Supply Chain Threat Protection solution to address identity threats within vendor ecosystems. Vectra AI has enhanced its platform to specifically counter attacks that leverage AI, focusing on the AI attack lifecycle. Additionally, Booz Allen Hamilton has made its Vellox Reverser tool generally available, aiming to accelerate malware reverse engineering and threat intelligence analysis for cyber defenders. These releases highlight key areas of focus for the industry: securing the supply chain, defending against AI-powered threats, and speeding up incident analysis.

Global Phishing Campaign Lures Victims with Fake Job Offers

A multi-lingual phishing campaign is targeting job seekers across the United States, United Kingdom, France, Italy, and Spain. According to research from Bitdefender, attackers are impersonating well-known employers and staffing companies, sending emails with fake job offers that promise easy work and fast interviews. The messages are tailored to the recipient's language and location. When a victim clicks a link in the email, they are taken to a credential harvesting webpage designed to steal personal data and login information. This campaign capitalizes on social engineering tactics that prey on individuals' career aspirations.

Apple Boosts Privacy in iOS 26.3 with 'Limit Precise Location' Feature

Apple has introduced a new privacy feature called 'limit precise location' in its iOS 26.3 update. This setting is designed to give users more control over their data by reducing the precision of location information shared with cellular networks. While carriers still receive location data for operational purposes, the feature prevents them from obtaining a user's exact, fine-grained location, making it more difficult to track their precise movements. This update is part of a broader industry trend toward providing users with more granular privacy controls and addressing concerns about location tracking by mobile carriers.

Critical 1-Click RCE Flaw in IDIS Cloud Manager Puts Users at Risk

A critical remote code execution (RCE) vulnerability, CVE-2025-12556, has been discovered in the IDIS Cloud Manager (ICM) viewer by researchers at Claroty's Team82. The flaw, which has a CVSS v4 score of 8.7, allows an attacker to execute arbitrary code on a user's machine by convincing them to click a specially crafted link. This '1-click RCE' vulnerability bypasses the browser sandbox, making it a potent weapon for spear-phishing campaigns. IDIS has released version 1.7.1 to address the issue and urges users to upgrade or uninstall the software immediately.

AI-Fueled Cyberattacks Surge by 70%, Check Point's 2026 Report Reveals

Check Point's 14th annual Cyber Security Report highlights a dramatic escalation in the global threat landscape, revealing a 70% increase in cyberattacks since 2023. The 2026 report, analyzing trends from 2025, found that organizations faced an average of 1,968 attacks per week. A primary driver of this surge is the weaponization of Artificial Intelligence (AI), which attackers are using to enhance social engineering, accelerate malware development, and automate reconnaissance. The report also notes a shift in ransomware tactics towards data-only extortion and an increase in attacks targeting network edge devices like VPNs and IoT.

Canada's Cyber Security Centre Warns of AI-Fueled Ransomware Evolution

The Canadian Centre for Cyber Security has issued a new 'Ransomware Threat Outlook,' warning that the ransomware threat to Canadian organizations is growing and evolving rapidly. The report highlights that criminals are increasingly leveraging artificial intelligence (AI) to make their attacks more sophisticated, easier to execute, and harder to detect. A key trend identified is the shift towards 'multi-extortion' tactics, where attackers steal data and threaten to leak it in addition to encrypting it. The report stresses that despite the advanced tactics, strong cyber hygiene remains a primary defense.

Clop Ransomware Group Claims Attack on Canadian Helicopter Company

The notorious Clop ransomware group has claimed responsibility for a cyberattack against CMHHELI.COM, a Canadian company. On January 29, 2026, the group added the company to its dark web leak site, threatening to publish stolen data if a ransom is not paid. This incident highlights the persistent and indiscriminate nature of major ransomware gangs, who continue to target organizations of all sizes. Security experts advise victims to initiate incident response, validate backups, and engage professionals before considering any communication with the attackers.

SoundCloud Breach Exposes Private Emails of 29.8 Million Users

A significant data breach at the music streaming service SoundCloud has resulted in the public release of a database containing the personal details of 29.8 million users. The data was leaked in January 2026 after the company reportedly refused to pay a ransom demand. The primary risk from this breach stems from the linking of users' private email addresses with their public profile metadata. This combination provides a rich source of data for attackers to launch targeted phishing, credential stuffing, and social engineering campaigns. The breach has been indexed by the notification service HaveIBeenPwned.

ShinyHunters Claims Breach of Crunchbase, Betterment via Okta Vishing Attacks

The notorious cyber extortion syndicate ShinyHunters has claimed responsibility for breaching business intelligence firm Crunchbase and financial advisory company Betterment. According to the threat actor, the initial access was gained by using sophisticated voice phishing (vishing) attacks to socially engineer employees and compromise their Okta single sign-on (SSO) credentials. This method allows attackers to bypass weaker forms of multi-factor authentication. Neither of the targeted companies has publicly confirmed the breach.

ShinyHunters Claims Breach of 10M Match Group Users from Hinge & OkCupid

The notorious cybercrime group ShinyHunters has claimed responsibility for a major data breach impacting Match Group, the parent company of popular dating apps like Hinge, OkCupid, and Match.com. The group posted on a dark web forum that it has stolen over 10 million user records, and released a 1.7GB sample as proof. The data allegedly includes sensitive user information such as names, phone numbers, IP addresses, and match logs, as well as internal corporate documents. ShinyHunters asserts the data was exfiltrated from a third-party analytics provider, AppsFlyer, highlighting a potential supply chain attack vector.

Critical RCE Flaws in n8n Workflow Platform Put Thousands of Instances at Risk

Two new high-severity vulnerabilities have been discovered in the n8n workflow automation platform, a tool that often holds credentials to critical corporate systems. The most severe flaw, CVE-2026-1470, is a critical eval injection vulnerability (CVSS 9.9) that allows an authenticated attacker to bypass the expression sandbox and achieve full remote code execution. A second flaw, CVE-2026-0863 (CVSS 8.5), allows for a similar sandbox escape in the Python execution environment. A compromise could provide an attacker with a 'skeleton key' to an organization's infrastructure. This news is compounded by data showing over 39,000 n8n instances remain unpatched for a previous critical flaw.

Malicious PyPI Packages `spellcheckerpy` & `spellcheckpy` Deliver RAT via Hidden Payload

A software supply chain attack has been uncovered on the Python Package Index (PyPI), involving two malicious packages named `spellcheckerpy` and `spellcheckpy`. Downloaded over 1,000 times, the packages contained a hidden, dormant payload. A later version update activated the malware, which was designed to fingerprint the compromised developer's system and deploy a Remote Access Trojan (RAT). The attack was cleverly concealed, with the malicious code base64-encoded and hidden inside a Basque language dictionary file. The C2 domain used has been linked to a hosting provider known to service nation-state actors, suggesting a potentially sophisticated adversary.

US Indicts 31 More in ATM Jackpotting Ring Linked to Tren de Aragua Gang

A U.S. federal grand jury has indicted an additional 31 individuals for their participation in a widespread 'ATM jackpotting' conspiracy, bringing the total number of defendants to 87. The sophisticated scheme involved using malware to force ATMs to dispense large sums of cash. Many of the newly charged individuals are Venezuelan and Colombian nationals, including several identified members of the transnational criminal gang Tren de Aragua (TdA) who are in the U.S. illegally. The case highlights the growing convergence of organized crime and specialized cybercrime tactics.

Nova Ransomware Group Claims Cyberattack on KPMG Netherlands, Sets 10-Day Deadline

The Nova ransomware group has claimed responsibility for a cyberattack against the Netherlands division of global professional services firm KPMG. The claim, which appeared on ransomware monitoring services on January 23, 2026, alleges that the group successfully breached KPMG's systems and exfiltrated sensitive data. In a classic double-extortion tactic, the Nova group has reportedly set a ten-day deadline for KPMG Netherlands to enter into ransom negotiations before they potentially leak the stolen data. KPMG has not yet publicly confirmed the attack.

'Stanley' MaaS Sells Malicious Chrome Extensions Guaranteed for Web Store Publication

A new Malware-as-a-Service (MaaS) platform named 'Stanley' has appeared on Russian-language cybercrime forums, specializing in the sale of malicious Google Chrome extensions. A key feature of the service is a guarantee that the malicious extensions will be successfully published to the official Chrome Web Store, lending them an air of legitimacy. The primary purpose of these extensions is to facilitate phishing and credential theft by spoofing legitimate websites. The emergence of 'as-a-service' models like Stanley significantly lowers the barrier to entry for less sophisticated cybercriminals to launch effective attacks.

Mustang Panda APT Deploys Signed Kernel-Mode Rootkit to Hide Backdoor

The Chinese-linked cyber-espionage group Mustang Panda has significantly upgraded its stealth capabilities by using a signed kernel-mode rootkit to deploy its TONESHELL backdoor. Observed by Kaspersky, the rootkit, named 'ProjectConfiguration.sys', is signed with a leaked digital certificate from a Chinese tech company. By operating at the kernel level as a minifilter driver, the rootkit can effectively hide its malicious processes, files, and registry keys from security software. This new technique allows the group to inject its TONESHELL backdoor directly into the memory of legitimate processes like 'svchost.exe', enhancing its persistence and evasion in attacks targeting government organizations in Southeast Asia.

Illinois DHS Exposes Data of 700,000 Residents in Massive Misconfiguration Breach

The Illinois Department of Human Services (IDHS) has disclosed a major data breach affecting approximately 705,000 state residents. The breach was caused by incorrect privacy settings on internal planning maps that were inadvertently made public on a mapping website for up to four years. The exposed data includes addresses, case numbers, and medical plan information for Medicaid recipients, and names, addresses, and case details for customers of the Division of Rehabilitation Services. The exposure, which constitutes a HIPAA violation, was discovered in September 2025 but only announced in January 2026. IDHS has since secured the data and implemented new policies to prevent a recurrence.

Fortinet Confirms Active Exploitation of FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls

Fortinet has confirmed that a critical Single Sign-On (SSO) authentication bypass vulnerability affecting FortiCloud is being actively exploited in the wild. The attacks, linked to CVE-2025-59718 and CVE-2025-59719, are reportedly successful even against fully patched FortiGate firewalls. Attackers are exploiting the flaw by sending specially crafted SAML messages to bypass authentication. Once inside, they are creating persistent administrative accounts, enabling VPN access, and exfiltrating firewall configurations. This allows for long-term persistence and deep network compromise. Customers are urged to review Fortinet's advisories and take immediate mitigation steps.

Microsoft Scrambles to Patch Actively Exploited Office Zero-Day, CISA Issues Urgent Directive

Microsoft has issued an emergency out-of-band security update for a high-severity zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509. The flaw, a security feature bypass with a CVSS score of 7.8, is being actively exploited in targeted attacks, allowing threat actors to bypass OLE mitigations via specially crafted Office files. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply the patch by February 16, 2026. The vulnerability affects multiple versions of Office, including Office 2016, 2019, LTSC 2021, and Microsoft 365 Apps for Enterprise.

Cyberattack Cripples Digital Services at Germany's Dresden State Art Collections

Germany's Dresden State Art Collections (SKD), one of Europe's most significant museum networks, has been hit by a cyberattack that caused widespread disruption to its digital infrastructure. The attack knocked out the SKD's online ticketing system, visitor services, museum shop website, and internal communications. On-site services were severely impacted, with ticket sales reverting to cash-only. While the operational disruption is significant, the SKD has stated that there is currently no evidence that any data, including sensitive collection or visitor data, was stolen during the incident. The attack highlights the increasing vulnerability of cultural institutions to cyber threats.

Widespread Phishing Campaign Abuses Microsoft Teams Guest Invites to Target 6,000+ Users

A large-scale phishing campaign is abusing Microsoft Teams' guest invitation feature to target thousands of users with fake billing notices. Researchers at Check Point have observed over 12,000 phishing emails sent to more than 6,100 users, primarily in the manufacturing, technology, and education sectors in the United States. Attackers create Teams groups with finance-related names and send guest invitations to targets. The invitation email, which comes from a legitimate Microsoft address, contains obfuscated text that appears to be a billing notification, lending it an air of authenticity and increasing the likelihood that a user will click the malicious link.

Everest Ransomware Leaks Data of 72 Million Under Armour Customers After Failed Talks

The Everest ransomware group has claimed a massive data breach against athletic apparel giant Under Armour. After negotiations allegedly failed, the group announced on its dark web leak site that it has published the full dataset, which it claims contains 191 million records, including 72.7 million unique email addresses. The compromised data reportedly includes sensitive customer information such as full names, phone numbers, physical locations, and purchase histories. This breach places a huge number of individuals at significant risk for targeted phishing campaigns, identity theft, and other fraudulent activities.

Zoom & GitLab Race to Patch Critical Flaws, Including a 9.9 CVSS RCE Bug

Both Zoom and GitLab have released critical security updates to address several high-severity vulnerabilities. The most severe flaw, CVE-2026-22844, is a remote code execution vulnerability in Zoom Node Multimedia Routers (MMRs) with a near-perfect CVSS score of 9.9. This flaw could allow an unauthenticated attacker with network access to compromise the devices. GitLab's updates address multiple vulnerabilities, including two high-severity flaws (CVE-2025-13927 and CVE-2025-13928) that could allow an unauthenticated user to cause denial-of-service conditions. Users of all affected products are urged to apply the patches immediately.

New 'Osiris' Ransomware Borrows TTPs from Medusa and Inc Gangs, Uses Signed Driver to Kill AV

A new ransomware strain named Osiris is demonstrating a high level of sophistication by combining tactics from established ransomware groups like Medusa and Inc. The attackers use Rclone for data exfiltration to Wasabi cloud storage and deploy a version of Mimikatz named `kaz.exe`, both TTPs linked to the Inc group. More significantly, Osiris uses a custom-developed and signed malicious driver, 'Abyssworker' (aka Poortry), in a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack to terminate security software. This driver and its loader, 'Stonestop,' have been previously associated with the Medusa ransomware gang. The use of these advanced, borrowed TTPs suggests Osiris is operated by experienced actors, possibly former affiliates of other groups.

Warning: Fully Patched FortiGate Firewalls Are Being Compromised via New SSO Bypass

Security analysts are warning of a new wave of attacks compromising even fully patched Fortinet FortiGate firewalls. The activity, observed since January 15, 2026, allows attackers to bypass SAML-based single sign-on (SSO) authentication to gain administrative access. The attacks result in unauthorized configuration changes, creation of persistent user accounts, and exfiltration of device configurations. Fortinet has reportedly identified a new, distinct attack path related to previously disclosed vulnerabilities (CVE-2025-59718, CVE-2025-59719), suggesting existing patches may not be fully effective.

New QuantumLeap Ransomware Demands $50M, Halts Global Shipments at NaviGistics

The global logistics firm NaviGistics has suffered a catastrophic cyberattack from a new ransomware strain dubbed 'QuantumLeap'. The attack, orchestrated by a group calling itself 'Entropy Collective', has encrypted critical systems and brought the company's worldwide shipping and freight operations to a standstill. The threat actors gained initial access via a compromised VPN account lacking multi-factor authentication, demonstrating a sophisticated lateral movement campaign before deploying the payload. The group is demanding a $50 million ransom and has threatened to leak over 2 terabytes of exfiltrated data, including sensitive customer and financial records. This incident highlights the extreme vulnerability of the global supply chain to targeted cyber-extortion and the devastating operational and financial impact of modern ransomware attacks.

Urgent Patch Required: Critical RCE Zero-Day (CVE-2026-12345) in NexusFlow API Gateway Under Active Attack

A critical pre-authentication remote code execution (RCE) zero-day vulnerability, CVE-2026-12345, is being actively exploited in the wild against the popular NexusFlow API Gateway. The flaw, which carries the maximum CVSS score of 10.0, allows unauthenticated attackers to gain complete control of vulnerable servers by sending a single, specially crafted HTTP request. Security firm Horizon Security Labs discovered the exploitation during a breach investigation. The vulnerability is wormable, creating a risk of rapid, widespread compromise. NexusFlow's parent company, Voltara, has released an emergency patch (version 3.8.1) and is urging all customers to update immediately. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by February 9, 2026.

Medusa Ransomware Exploits Cybersecurity Gaps, Escalating Attacks Across Africa

Ransomware attacks are a pervasive and highly damaging threat across the African continent, where a significant cybersecurity skills and resources gap creates a fertile ground for cybercriminals. Notorious ransomware groups, including Medusa, are increasingly targeting organizations in the region, leveraging double extortion tactics to maximize pressure on their victims. These attacks involve not only encrypting critical data but also stealing it and threatening public release if the ransom is not paid. Key sectors such as healthcare, finance, and critical infrastructure are prime targets. According to reports, a high percentage of African organizations hit by ransomware end up paying the ransom, perpetuating the cycle of attacks. The situation underscores an urgent need for increased investment in cybersecurity infrastructure, skills development, and awareness across the continent.

Nation-State Actor 'SteelHydra' (APT47) Deploys 'GeoShifter' ICS Malware to Spy on Geothermal Energy Firms

The nation-state threat actor 'SteelHydra' (also tracked as APT47) is behind a sophisticated cyber-espionage campaign targeting the geothermal energy sector. According to research from Mandiant, the campaign has impacted firms in the United States, Canada, and Iceland. The attackers are using a novel, custom-built malware framework called 'GeoShifter', which is specifically designed to operate in Industrial Control System (ICS) environments and interface with SCADA/PLC systems from vendors like Siemens and Schneider Electric. The initial infection vector is a spear-phishing campaign that deploys a backdoor named 'PipeDreamer'. The ultimate goal of the campaign appears to be the theft of intellectual property and operational data related to geothermal technology, which could be used for economic advantage or to plan future disruptive attacks.

NPM Package 'js-utility-kit' Hijacked in Supply Chain Attack to Steal Crypto Keys and Credentials

A significant software supply chain attack has compromised the popular NPM package 'js-utility-kit', which is downloaded over 5 million times per week. Security firm Snyk discovered that malicious versions (2.1.8, 2.1.9, and 2.2.1) were published after the maintainer's account was hijacked via a credential stuffing attack. The compromised packages contained a post-install script that downloaded and executed a sophisticated information stealer. The malware was designed to steal cryptocurrency private keys, browser extension data for crypto wallets, and sensitive credentials such as environment variables and cloud provider CLI configurations from developers' machines and CI/CD pipelines. The NPM security team has removed the malicious versions, but any project that installed them between January 24 and 26 is considered compromised and requires immediate auditing and credential rotation.

Fintech Startup VoltPay Leaks 5 Million Customer Records via Misconfigured Cloud Database

The financial technology startup VoltPay has confirmed a massive data breach affecting approximately 5 million users. The leak was caused by a misconfigured Elasticsearch database that was left publicly accessible on the internet without a password for over three months. A security researcher discovered and reported the exposure. The leaked data includes highly sensitive information: full names, email addresses, phone numbers, physical addresses, dates of birth, hashed passwords, and full transaction histories. The last four digits of credit card and bank account numbers were also exposed. This incident, attributed to 'human error during a server migration', places millions of users at significant risk of identity theft and targeted phishing attacks, and has reportedly triggered investigations by U.S. and European regulators.

International Operation 'Echidna' Dismantles 'Crimson Market' Dark Web Hub, 50+ Arrested

A coordinated international law enforcement action, codenamed 'Operation Echidna', has successfully dismantled 'Crimson Market', one of the largest dark web marketplaces for cybercrime tools and stolen data. The operation, involving the FBI, Europol, and the UK's NCA, resulted in the seizure of the market's server infrastructure and the arrest of over 50 individuals worldwide, including its alleged administrator. Crimson Market was a key hub for selling billions of stolen credentials, malware-as-a-service (including ransomware and info-stealers), and phishing kits. The 18-month investigation involved undercover operations to trace cryptocurrency transactions. The takedown represents a major disruption to the cybercrime economy, and data from the seized servers is expected to lead to further arrests.

Volt Typhoon Linked to Breach at U.S. Water Utility, Exfiltrating Operational Documents

The Chinese state-sponsored group Volt Typhoon has been attributed to a data breach at the Park County Water District in Colorado. According to a joint advisory from CISA, the FBI, and the NSA, the hackers exploited a known vulnerability in an internet-facing network appliance to gain initial access. Consistent with their known TTPs, Volt Typhoon then used 'living off the land' techniques, leveraging built-in network administration tools to blend in and evade detection. The attackers moved laterally within the IT network and exfiltrated sensitive operational documents, including engineering schematics and maintenance schedules. While officials stated that the operational technology (OT) network and water supply were not affected, the incident highlights the group's continued focus on reconnaissance against U.S. critical infrastructure.

Researchers Detail 'ChronoStealer', a New Modular Info-Stealing Malware-as-a-Service

Security researchers at Check Point have published a deep-dive analysis of 'ChronoStealer', a new and highly modular information-stealing malware sold on a subscription basis in underground forums. This Malware-as-a-Service (MaaS) model allows low-skilled criminals to rent the sophisticated tool and its infrastructure for as little as $200 per month. ChronoStealer's core function is to steal credentials from over 50 web browsers and other applications. Its capabilities can be expanded with add-on modules for stealing cryptocurrency wallets, logging keystrokes, and capturing session cookies. The malware uses the Telegram API for C2 communications to better blend in with legitimate traffic. The rise of such user-friendly, powerful MaaS platforms represents a significant force multiplier for the cybercrime ecosystem.

Massive 149 Million Credential Leak Exposes Gmail, Facebook, and Financial Service Users

A publicly accessible, unencrypted 96 GB database containing 149.4 million unique login credentials has been discovered by a security researcher. The data, believed to be compiled from various infostealer malware logs and past breaches, impacts an estimated 48 million Gmail accounts, alongside users of Facebook, financial services, government portals, and numerous other online platforms. The leak includes usernames, passwords, and the direct login URLs, posing a significant risk of account takeover and fraud for millions of individuals globally.

Nike Probes Data Breach Claim by 'WorldLeaks' Extortion Group

Global apparel giant Nike has launched an investigation into a potential data breach after being listed as a victim by the 'WorldLeaks' data extortion group. The group, which emerged in 2025 and focuses on data theft without deploying ransomware, threatened to publish stolen Nike data on January 24. Nike has confirmed it is assessing the situation. The type and volume of the allegedly stolen data have not been disclosed by the attackers.

Phishing Campaign Hits Russia with Amnesia RAT, Uses GitHub and Dropbox for Payload Delivery

A sophisticated, multi-stage phishing campaign is targeting users in Russia, delivering a combination of the Amnesia remote access trojan (RAT) and ransomware. The attack, analyzed by Fortinet FortiGuard Labs, is notable for its use of public cloud services like GitHub and Dropbox to host payloads and its use of a tool called 'defendnot' to disable Microsoft Defender antivirus. The campaign relies on social engineering and abuse of native Windows features rather than software exploits to achieve system compromise.

Everest Ransomware Group Leaks 343GB of Under Armour Customer Data

The Russia-linked Everest ransomware group has leaked 343 GB of data allegedly stolen from global sportswear brand Under Armour. The massive data dump, which occurred on January 24, 2026, followed a failed extortion attempt. The leaked data is reported to contain the personally identifiable information (PII) of millions of customers, highlighting the 'double extortion' tactic where data publication is the primary threat. Under Armour has not yet commented on the incident.

Trend Micro Details New RCE Flaw in MetaGPT (CVE-2026-0761)

Trend Micro has published details and a detection rule for a new high-severity remote code execution (RCE) vulnerability in Foundation Agents MetaGPT, tracked as CVE-2026-0761. The exploit, which occurs over HTTP, can be leveraged by an attacker for initial access into a network or for lateral movement. Trend Micro has released DDI RULE 5627 to detect exploitation attempts and advises organizations to update security products and scan for signs of compromise.

Microsoft Issues Emergency Out-of-Band Patches for Flawed January Updates

Microsoft has released several emergency out-of-band (OOB) updates on January 24, 2026, to address significant bugs introduced by its January 13 Patch Tuesday release. The faulty updates caused a range of issues, including Remote Desktop connection failures, application hangs when accessing cloud storage like OneDrive, and system restart failures. The new cumulative updates, including KB5078136 and KB5078238, are available for various Windows versions and are intended to restore stability and functionality for affected users.

Pwn2Own Automotive: Hackers Earn $1M+ Exposing 76 Zero-Days in Tesla and Other Vehicle Systems

At the Pwn2Own Automotive 2026 event, security researchers earned over $1 million by successfully demonstrating 76 unique zero-day exploits against a range of modern vehicle systems. A major focus was Tesla, where researchers chained multiple vulnerabilities to gain root access to an infotainment system, accounting for $516,500 of the total prize money. The competition also targeted EV chargers and other in-vehicle infotainment (IVI) systems, highlighting the expanding and critical attack surface of the connected automotive industry. Vendors have been given a 90-day disclosure deadline to patch the flaws.

LastPass Users Targeted in Phishing Campaign to Steal Master Passwords

Password manager service LastPass is warning its users of an active phishing campaign aimed at stealing their master passwords. Attackers are sending fraudulent emails that impersonate official LastPass maintenance alerts, creating a false sense of urgency to trick users into 'backing up' their password vaults. The links in these emails lead to a convincing but malicious clone of the LastPass login page designed to capture user credentials. LastPass has confirmed it is working to take down the attacker infrastructure and advises users to be vigilant.

DragonForce Ransomware Claims Attack on U.S. Bank, Threatens Data Leak

The DragonForce ransomware group has claimed responsibility for a cyberattack against Uinta Bank, a community bank based in Wyoming, USA. In a post on their data leak site on January 23, 2026, the threat actors announced the breach and threatened to publish a "full dump" of the bank's data if negotiations are not initiated. This double extortion tactic, which involves both data encryption and data exfiltration, puts significant pressure on the victim organization. The incident underscores the ongoing threat ransomware poses to the financial services sector, regardless of the institution's size.

CISA Mandates Patching for Four Actively Exploited Flaws in Zimbra, Vite, and More

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are under active attack. The flaws affect a diverse range of products, including Synacor Zimbra Collaboration Suite (CVE-2025-68645), the Vite frontend framework (CVE-2025-31125), Versa Concerto SD-WAN (CVE-2025-34026), and the 'eslint-config-prettier' NPM package (CVE-2025-54313). Due to evidence of ongoing exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply patches or mitigations by February 12, 2026. CISA strongly urges all organizations to prioritize remediation to defend against these immediate threats.

North Korean Hackers Lure Developers with Fake Job Interviews, Backdoor macOS via VS Code

State-sponsored threat actors from North Korea, including the Lazarus Group, are targeting software developers in a sophisticated campaign dubbed 'Contagious Interview.' According to Jamf Threat Labs, the attackers use fake job offers to entice developers, particularly in the crypto and fintech sectors, into cloning malicious repositories from GitHub and GitLab. The attack abuses a feature in Microsoft's Visual Studio Code (VS Code), where trusting a repository can automatically execute a hidden `tasks.json` file. This triggers a backdoor on macOS systems, establishing persistence, collecting system data, and opening a C2 channel for remote code execution.

PcComponentes Denies Data Breach, Blames Credential Stuffing for Account Takeovers

Spanish electronics retailer PcComponentes has denied claims of a massive data breach affecting 16 million customers, stating its internal systems were not compromised. The announcement came after a threat actor, 'daghetiaw,' attempted to sell a large customer database on a hacking forum. The company's investigation concluded the incident was a large-scale credential stuffing attack, where attackers used credentials stolen from other breaches to access user accounts. While denying the breach, PcComponentes confirmed that customer data such as names, addresses, and phone numbers were exposed for accounts with reused passwords. In response, the company has mandated two-factor authentication (2FA) for all users and invalidated all active sessions.

INC Ransomware OPSEC Fail: Reused Infrastructure Leads to Data Recovery for 12 U.S. Victims

A significant operational security (OPSEC) failure by the INC ransomware group has allowed cybersecurity firm Cyber Centaurs to recover stolen data for twelve U.S. organizations. The discovery was made after analyzing an attack involving the RainINC ransomware variant. Researchers found artifacts from the open-source backup tool, Restic, including hardcoded S3 access keys and passwords. By pivoting to this attacker-controlled infrastructure, Cyber Centaurs found that the gang had been reusing the same cloud storage repositories across multiple attacks, leaving the encrypted data of a dozen unrelated victims accessible. This rare win for defenders highlights how even sophisticated groups can make critical mistakes.

Anubis RaaS Ups the Ante with Destructive 'Wipe Mode' to Maximize Extortion

A new Ransomware-as-a-Service (RaaS) operation named Anubis is gaining attention for its destructive capabilities. Evolving from a prototype called 'Sphinx,' Anubis offers its affiliates a dual-execution model. In addition to standard encryption, the malware can be run with a `/WIPEMODE` parameter that irreversibly overwrites and destroys victim files, rendering them unrecoverable. This tactic fundamentally changes the extortion negotiation, as paying a ransom cannot restore the data. It indicates a strategy where attackers rely solely on the threat of leaking exfiltrated data for payment, using permanent data destruction as additional leverage. The group is targeting organizations opportunistically across the globe.

China-Linked APT 'UAT-8837' Targets North American Critical Infrastructure

A new report from Cisco Talos has identified a China-nexus Advanced Persistent Threat (APT) group, tracked as UAT-8837, actively targeting critical infrastructure organizations in North America since at least 2025. The group gains initial access by exploiting public-facing vulnerabilities, including a zero-day in SiteCore products (CVE-2025-53690), and using compromised credentials. Once inside, UAT-8837 employs a variety of open-source tools, such as the Earthworm utility for creating reverse tunnels, to conduct reconnaissance, exfiltrate data, and maintain persistence. Cisco Talos assesses with medium confidence that the group is linked to China, highlighting the ongoing threat of state-sponsored espionage against vital sectors.

New Zealand's 'Manage My Health' Portal Breached; Data of 120,000 Patients Held for Ransom

New Zealand's largest patient portal, Manage My Health, is responding to a significant data breach that occurred in late December 2025. An attacker using the alias 'Kazu' claims to have stolen over 400,000 files, including sensitive medical records like lab results and clinical notes, affecting up to 126,000 individuals. The attacker has demanded a $60,000 ransom. The breach originated from a vulnerability in the 'Health Documents' module of the application. Manage My Health has since closed the security gap and is working with New Zealand authorities, while the government has launched an urgent review of the incident.

Oracle's January 2026 Patch Update Fixes 337 Flaws, Including Critical Remote Exploits

Oracle has released its January 2026 Critical Patch Update (CPU), a massive security update containing 337 new patches for vulnerabilities across more than 30 product families. The update resolves approximately 230 unique CVEs, with the discrepancy due to shared components like third-party libraries affecting multiple products. Alarmingly, over 235 of the patched vulnerabilities can be exploited remotely without authentication, significantly increasing their risk. The update includes fixes for over two dozen critical-rated flaws, such as CVE-2025-66516, a 10.0 CVSS vulnerability in the Apache Tika library embedded in Oracle products. Oracle strongly urges customers to apply these patches without delay.

Cisco Scrambles to Patch Actively Exploited RCE Zero-Day in Comms Products

Cisco has issued an urgent warning and emergency patches for a critical remote code execution (RCE) vulnerability, CVE-2026-20045, affecting a wide range of its Unified Communications and Webex Calling products. This zero-day flaw is being actively exploited in the wild, allowing unauthenticated attackers to send crafted HTTP requests to the web management interface and execute arbitrary code, potentially leading to full root access on the underlying server. In response to the active threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by February 11, 2026. Cisco has confirmed there are no workarounds and is urging all customers to apply the updates immediately.

Exposed Security Training Apps Like OWASP Juice Shop Create Backdoors into Corporate Clouds

A new report reveals a dangerous trend where intentionally vulnerable security training applications, such as OWASP Juice Shop and DVWA, are being deployed on live, production cloud infrastructure and left exposed to the internet. Threat actors are actively scanning for and exploiting these misconfigured applications to compromise the cloud environments of numerous organizations, including Fortune 500 companies and security vendors. The exploits have been used to achieve remote code execution, deploy webshells, install cryptominers, and steal sensitive cloud credentials, turning these training tools into unmonitored backdoors.

'Skeleton Key' Attacks Bypass Defenses by Weaponizing Legitimate RMM Tools

A sophisticated attack campaign dubbed "Skeleton Key" is bypassing traditional, malware-focused security defenses by weaponizing legitimate remote monitoring and management (RMM) software. A report from KnowBe4 Threat Labs details how attackers first compromise user credentials and then abuse trusted IT tools to create persistent, stealthy backdoors inside enterprise networks. This 'living-off-the-land' (LotL) technique allows attackers to blend in with normal administrative activity, making their presence extremely difficult to detect and highlighting the need for security teams to shift focus from signature-based detection to behavioral analysis and identity security.

Spotlight on Supply Chain Risk: Reports Warn of Escalating SaaS-to-SaaS Attacks

The digital supply chain has become a primary focus of cyber risk, as highlighted by multiple events on January 22, 2026. A new report from security firm Black Kite warns that the retail and wholesale sectors are highly exposed to attacks that exploit interconnected IT systems and shared vendors. Concurrently, SaaS security leader Obsidian Security launched the industry's first end-to-end SaaS supply chain security solution to combat the growing threat of SaaS-to-SaaS attacks, where a compromise in one application (like Salesloft) can cascade to affect hundreds of integrated partner applications (like Drift). These developments underscore the urgent need for organizations to gain visibility and control over their sprawling, interconnected digital ecosystems.

osTicket Flaw Lets Attackers Read Server Files via Malicious PDF Export

A high-severity vulnerability, CVE-2026-22200, has been disclosed in osTicket, a popular open-source helpdesk system. The flaw allows an unauthenticated, anonymous attacker to read arbitrary files from the server by injecting a malicious PHP filter chain into a support ticket. When a privileged user exports the ticket to PDF, the vulnerability is triggered, embedding the contents of sensitive server files (like configuration files) into the generated PDF as a bitmap image. Researchers warn this flaw can be chained with other vulnerabilities for full remote code execution (RCE). Patches are available in versions 1.18.3 and 1.17.4.

Critical Flaw in Popular Node.js Library 'binary-parser' Allows Code Execution

The CERT Coordination Center (CERT/CC) has issued a warning about a critical vulnerability, CVE-2026-1245, in the popular 'binary-parser' npm library for Node.js. The flaw, which has a CVSS score of 6.5, allows for arbitrary JavaScript execution. The vulnerability exists because the library dynamically generates parser code from user-supplied input without proper sanitization, creating a code injection sink. This poses a significant software supply chain risk, as any application using the library to parse untrusted data could be compromised. Developers are urged to update to the patched version 2.3.0 immediately.

New Android Malware Uses AI to Mimic Human Behavior and Evade Detection

A new and sophisticated family of Android malware is leveraging artificial intelligence to commit ad fraud while evading detection. The malware uses TensorFlow, Google's open-source machine learning framework, to mimic human-like behavior, such as realistic clicks and swipes on hidden advertisements. This advanced technique allows it to bypass traditional ad fraud detection systems that rely on identifying the predictable, scripted patterns of bots. The malware can also stream video of its operations back to attackers, likely for model refinement, representing a significant evolution in mobile threat capabilities.

Critical GNU Inetutils Flaw Allows Root Access via Telnet Authentication Bypass

A critical authentication bypass vulnerability, CVE-2026-24061, has been disclosed in the telnet daemon (telnetd) of GNU Inetutils, a common package of networking utilities for many Unix-like operating systems. The flaw allows a remote attacker to bypass authentication and gain root access to the system simply by providing a specially crafted username. Successful exploitation, achieved by passing '-f root' as the USER environment variable, leads to a complete compromise of the machine. All versions of GNU Inetutils up to and including 2.7 are affected. Administrators are urged to disable the telnetd service immediately.

Everest Ransomware Claims 861GB Data Breach at McDonald's India

The Everest ransomware group has claimed a major cyberattack against McDonald's India, alleging the theft of 861 gigabytes of sensitive data. In a post on its dark web leak site on January 20, 2026, the group threatened to publicly release the information if a ransom is not paid. The compromised data reportedly includes a vast amount of personal information on customers and employees, as well as internal corporate documents. This incident, if confirmed, would be the latest in a series of data security issues for the fast-food giant's Indian operations, which suffered previous breaches. The Everest group, a Russian-speaking operation active since 2020, is known for its double-extortion tactics, and the potential leak of customer data poses a significant risk of identity theft and phishing campaigns.

Oracle Issues Critical Patch for CVSS 10.0 Auth Bypass in WebLogic Server

Oracle has released its January 2026 Critical Patch Update (CPU), a massive security release containing 337 fixes for vulnerabilities across its product portfolio. The most severe flaw addressed is CVE-2026-21962, a critical authentication bypass vulnerability in the Oracle WebLogic Server Proxy Plug-in with a CVSS score of 10.0. This vulnerability can be exploited remotely by a low-privileged attacker without user interaction, potentially allowing complete takeover of the affected component. The flaw impacts WebLogic Server Proxy Plug-in versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0. Oracle strongly urges customers to apply these cumulative patches immediately, highlighting the continued risk of exploitation of previously patched vulnerabilities due to slow enterprise adoption rates.

EU Moves to Ban High-Risk Tech Suppliers from 18 Critical Sectors

On January 20, 2026, the European Commission introduced a revised EU Cybersecurity Act (CSA 2) aimed at bolstering the bloc's supply chain security. The proposal establishes a framework to identify and exclude high-risk technology suppliers from 18 critical sectors, including energy and telecommunications. This move is widely interpreted as a measure to reduce dependency on Chinese technology providers. The act mandates the derisking of mobile networks by requiring operators to replace equipment from designated high-risk vendors within three years. It also aims to streamline the European Cybersecurity Certification Framework (ECCF) to make compliance faster and more accessible, particularly for SMEs, and strengthens the mandate of the EU's cybersecurity agency, ENISA.

RansomHub Hits Apple Supplier Luxshare, Claims Theft of R&D Data for Apple, Nvidia, and Tesla

The RansomHub ransomware group has claimed a significant data breach against Luxshare Precision Industry, a major Chinese electronics manufacturer and a critical partner for Apple, Nvidia, Tesla, and other tech giants. In a dark web post on January 21, 2026, the group alleged it had stolen and encrypted sensitive intellectual property, including 3D CAD models and engineering designs for products related to its high-profile clients. RansomHub threatened to leak the data, accusing Luxshare's IT department of attempting to hide the incident. Luxshare is a primary assembler for Apple's iPhone and Vision Pro. Independent analysis of sample data released by the attackers appears to confirm it contains confidential project details, validating the severity of this major supply chain breach.

Drones Emerge as Urgent Cyber Threat to Critical Infrastructure

A report published on January 21, 2026, by the University of Canberra and Cisco warns of the urgent and escalating cyber threat posed by drones to critical infrastructure. The study highlights that as drone technology becomes more advanced, accessible, and affordable, its potential for use in cyber warfare is growing significantly. Researchers found that drones can be used as platforms to launch sophisticated cyberattacks against targets like data centers and telecommunications networks, exploiting gaps in physical and cybersecurity defenses. The report stresses a significant disconnect between the current level of threat awareness among infrastructure operators and the real-world capabilities of modern drones, urging industries to integrate drone-related risks into their security and resilience programs.

NYDFS Enforces Stricter Cybersecurity Rules for Financial Firms

The New York Department of Financial Services (NYDFS) has now fully implemented the final amendments to its landmark Part 500 Cybersecurity Regulation. These changes impose significantly more prescriptive and stringent requirements on regulated financial and insurance entities. As of May 2025, firms are mandated to have automated vulnerability scanning, enhanced access controls, and robust logging and monitoring capabilities, including endpoint detection and response (EDR). The amendments also place a strong emphasis on proactive governance of third-party service providers, including cloud and AI vendors. With the rules now fully in effect in 2026, the NYDFS is expected to have lower tolerance for non-compliance and will likely intensify its cybersecurity examinations.

Ingram Micro Breach Exposes Data of 42,000 After Safepay Ransomware Attack

Global IT distributor Ingram Micro has officially notified 42,521 individuals that their personal and sensitive information, including Social Security numbers, was stolen during a ransomware attack in July 2025. The incident, attributed to the Safepay ransomware group, compromised employment and job applicant records. After Ingram Micro reportedly refused to pay the ransom, the threat actors published the stolen 3.5 terabytes of data on their dark web leak site.

CEOs Optimistic, CISOs Wary: Survey Reveals Deep Divide on AI's Cybersecurity Impact

A new survey by specialty insurer AXIS Capital, released on January 20, 2026, reveals a significant perception gap between CEOs and CISOs regarding the role of artificial intelligence in cybersecurity. While CEOs are largely optimistic about AI's productivity and security benefits, CISOs are more acutely aware of the new risks it introduces, including data leakage, model manipulation, and sophisticated AI-driven attacks. This disconnect could lead to misaligned security strategies and underinvestment in critical risk areas.

North Korean 'Konni' APT Weaponizes Google Ads to Deliver EndRAT Malware

The North Korean state-sponsored threat group Konni is conducting a sophisticated spear-phishing campaign dubbed "Operation Poseidon." The advanced persistent threat (APT) actor is weaponizing Google advertising URLs to make malicious links appear legitimate, thereby bypassing security filters and tricking users. The campaign's ultimate goal is to deliver the 'EndRAT' malware, a remote access trojan, onto victim systems.

Stealthy 'PDFSIDER' Backdoor Uses DLL Side-Loading to Bypass EDR and AV

Security researchers at Resecurity have uncovered a new stealthy backdoor, dubbed 'PDFSIDER,' that uses a DLL side-loading technique to evade EDR and antivirus solutions. The malware masquerades as a legitimate PDF application to load a malicious DLL, establishing an encrypted command-and-control channel for long-term, covert access. The backdoor is already being actively used by ransomware groups, including the notorious Qilin gang, for payload delivery.

South Korean Giant Kyowon Group Hit by Ransomware, 9.6 Million Accounts at Risk

The South Korean conglomerate Kyowon Group has confirmed it suffered a significant ransomware attack that disrupted operations and resulted in data exfiltration. The attack, detected on January 10, 2026, compromised approximately 600 of the company's 800 servers. South Korean authorities estimate that up to 9.6 million user accounts (representing 5.5 million unique individuals) may have been affected, as attackers reportedly exploited an open external port to gain initial access.

Fake Ad Blocker Crashes Chrome, Tricks Users into Installing 'ModeloRAT' Malware

A novel malware campaign dubbed "CrashFix" is using a malicious Google Chrome extension that impersonates the 'uBlock Origin Lite' ad blocker to intentionally crash victims' browsers. The attack, attributed to a group called 'KongTuke,' then uses social engineering, presenting a fake crash report that tricks users into running a PowerShell command to "fix" the issue. This command ultimately downloads and installs 'ModeloRAT,' a previously undocumented Python-based remote access trojan.

GTMaritime Launches 'GT Identify' to Tackle Maritime Cybersecurity and Compliance

Maritime technology firm GTMaritime has launched GT Identify, a new cybersecurity system designed to help ship operators comply with increasingly stringent regulations. Announced on January 20, 2026, the system provides fleet-wide hardware and software asset inventory, vulnerability reporting, and aligns with the NIST Cybersecurity Framework. The launch addresses the growing need for robust cyber risk management to meet IMO and IACS E26/E27 requirements.

Threat Landscape Converges as Attackers Target ICS and AI Systems

New research from Cyble highlights a dangerous convergence of threats, as both hacktivists and financially motivated cybercriminals are increasingly targeting Industrial Control Systems (ICS), Operational Technology (OT), and enterprise AI systems. The report, published January 20, 2026, notes that attackers are exploiting exposed HMI and SCADA systems while also leveraging AI to create polymorphic malware and more effective social engineering lures.

'DragonForce' Emerges as New Ransomware Cartel Built on LockBit and Conti DNA

A new Ransomware-as-a-Service (RaaS) operation named DragonForce has emerged, positioning itself as a "ransomware cartel." The group is reportedly building its operations on the leaked source code of the notorious LockBit 3.0 and Conti ransomware variants. Operating a RaaS platform called 'Ransombay,' DragonForce's strategy includes absorbing smaller rival operations, signaling a trend towards consolidation in the cybercrime ecosystem.

Weaponized Invites: Google Gemini Flaw Allows Calendar Data Theft via Prompt Injection

Security researchers from Miggo Security have uncovered a significant vulnerability in Google Gemini's integration with Google Calendar. The flaw allowed attackers to use an indirect prompt injection technique to exfiltrate summaries of private meetings. By sending a specially crafted calendar invitation containing a hidden malicious prompt, an attacker could trick the AI into executing unauthorized actions when the user made a legitimate query about their calendar. This attack bypassed Google's privacy controls without requiring the user to interact directly with the malicious payload, highlighting emerging security risks in applications integrated with large language models (LLMs).

Evelyn Stealer: New Malware Hits Developers Through Malicious VS Code Extensions

A new information-stealing malware, named Evelyn Stealer, is being distributed through malicious extensions on the Microsoft Visual Studio Code (VS Code) Marketplace. Researchers at Trend Micro and Koi Security report the campaign specifically targets software developers to steal credentials, cryptocurrency wallet data, and other sensitive information. Three malicious extensions—`BigBlack.bitcoin-black`, `BigBlack.codo-ai`, and `BigBlack.mrbigblacktheme`—have been identified as the distribution vectors. This supply chain attack highlights the significant risk posed by unvetted third-party tools in development environments, as compromising a single developer can provide a gateway into an entire organization's critical infrastructure.

Patch Now: Critical Flaw Exposes Thousands of TP-Link VIGI Cameras to Remote Hacking

TP-Link has issued urgent firmware updates for a critical vulnerability in its VIGI line of security cameras. The flaw could allow an unauthenticated remote attacker to gain unauthorized access to the devices, potentially viewing, modifying, or deleting surveillance footage. At the time of disclosure, researchers discovered over 2,500 VIGI cameras were exposed to the public internet and vulnerable to this attack. Owners are strongly advised to update their camera firmware immediately and ensure their devices are not directly accessible from the internet to mitigate the significant risk of compromise.

16.6 Million Records Exposed: Raaga and Pass'Sport Breaches Added to Have I Been Pwned

The Have I Been Pwned (HIBP) data breach notification service has been updated with over 16.6 million user records from two separate incidents. The first breach involves 10.2 million users of the Indian music streaming service Raaga, which occurred in December 2025 and exposed names, email addresses, and MD5-hashed passwords. The second breach affects 6.4 million users of the French government's Pass'Sport program, also from December 2025, exposing names, dates of birth, and email addresses. Users of these services are urged to check HIBP and change their passwords, especially for the Raaga breach, due to the high risk of credential stuffing attacks from the weakly hashed passwords.

ScarCruft APT: North Korean Hackers Evolve Tactics in 'Artemis' Campaign

The North Korean advanced persistent threat (APT) group ScarCruft, also known as APT37 or Reaper, has launched a new campaign dubbed 'Artemis'. Active since late 2025, the campaign targets entities likely in South Korea using malicious Hanword Word Processor (HWP) documents. Researchers report that ScarCruft has evolved its tactics, now employing steganography to hide malicious code within image files and leveraging legitimate cloud services, specifically Yandex Cloud, for its command and control (C2) infrastructure. This shift makes the group's activities harder to detect, as their C2 traffic blends in with legitimate cloud service activity.

Manhunt: Black Basta Ransomware Leader Added to EU's Most Wanted List After Raids

An international law enforcement operation has targeted the prolific Black Basta ransomware group, which is linked to over 600 attacks and millions in ransom payments. Police in Ukraine conducted raids against two suspected members of the syndicate. Concurrently, an international arrest warrant and an INTERPOL Red Notice have been issued for a Russian national believed to be the group's founder and leader. The individual has been placed on the EU's Most Wanted list, signaling a high-priority, coordinated effort to dismantle one of the world's most active ransomware operations.

Public Exploits Released for Critical SQLi and RCE Flaws in Business Software

Multiple critical and high-severity vulnerabilities have been disclosed in various business software products, with proof-of-concept (PoC) exploits made public, elevating the risk of immediate attack. A critical SQL injection flaw (CVE-2026-1179) affects Yonyou KSOA 9.0. A critical command injection vulnerability (CVE-2026-1192) was found in Tosei Online Store Management System 1.01. Additionally, a high-severity improper authorization bug (CVE-2026-1193) impacts MineAdmin. Since vendors reportedly did not respond before disclosure, users of these products are urged to apply immediate mitigations to prevent compromise.

Access Broker Pleads Guilty After Selling Access to 50 Companies to Undercover FBI Agent

A Jordanian national has pleaded guilty in a U.S. court for his role as an Initial Access Broker (IAB) in the cybercrime ecosystem. The man admitted to compromising and selling unauthorized access to the corporate networks of approximately 50 different enterprise organizations. The operation was uncovered when he unknowingly sold this access to an undercover U.S. federal agent. The case highlights the critical role IABs play in the cybercrime supply chain, providing the initial foothold for major threat actors like ransomware groups, and demonstrates the effectiveness of law enforcement sting operations in disrupting these criminal enterprises.

Warning: Malicious Chrome Extensions Hijack Workday, NetSuite Sessions to Bypass MFA

Security researchers have uncovered five malicious Google Chrome extensions that impersonate legitimate add-ons for popular enterprise SaaS applications like Workday and NetSuite. The extensions are designed to perform session hijacking by stealing active session cookies and tokens after a user logs in. This technique allows attackers to completely bypass security controls, including multi-factor authentication (MFA), and gain full, authenticated access to the user's account. The stolen sessions can be used to exfiltrate sensitive corporate data, such as financial records and employee PII, highlighting the significant threat posed by unvetted browser extensions in corporate environments.

Healthcare Data Breaches Double, Fueled by 'Shadow AI' and Vendor Risk

The healthcare industry is facing a cybersecurity crisis, with a new report indicating that the number of data breaches doubled in the past year. The surge is being driven by two key factors: the unmanaged use of generative AI tools by staff, termed 'shadow AI,' and persistent, unmitigated risks from third-party vendors. This dangerous trend is exemplified by the McLaren data breach, where a ransomware attack compromised the sensitive health information of over 743,000 patients. The report highlights a lack of confidence within the sector to handle these evolving threats, urging organizations to gain visibility into AI usage and implement far more stringent vendor risk management programs.

2025 in Review: Simple Errors, Not 0-Days, Caused Biggest Breaches

A year-end analysis of 2025's major data breaches reveals a recurring theme: fundamental security failures, not sophisticated zero-day exploits, were the primary cause. The report, published on December 26, 2025, highlights cloud security misconfigurations and third-party supply chain attacks as the dominant root causes. High-profile incidents at McDonald's (default password '123456'), TalentHook (public Azure Blob storage), Harrods, and TransUnion (both breached via third-party vendors) serve as stark examples of how neglecting basic security hygiene leads to massive data exposure.

RedVDS Takedown: Microsoft and Law Enforcement Disrupt $40M Cybercrime-as-a-Service Operation

In a major international operation, Microsoft's Digital Crimes Unit, alongside law enforcement from the U.S., U.K., and Germany, has disrupted the RedVDS cybercrime-as-a-service (CaaS) platform. The service, operated by a group tracked as Storm-2470, provided criminals with cheap, disposable RDP servers used to launch large-scale phishing, BEC, and fraud campaigns. The operation, which took down key domains like redvds[.]com, has been linked to over $40 million in fraud losses in the U.S. and impacted more than 191,000 organizations globally.

NSA Kickstarts Zero Trust Adoption with New Foundational Implementation Guides

The U.S. National Security Agency (NSA) has released the first two documents in its new Zero Trust Implementation Guidelines (ZIGs) series. The 'Primer' and 'Discovery Phase' guides are designed to provide federal agencies and other organizations with a foundational roadmap for adopting a Zero Trust security architecture. This initiative aligns with the Department of War's mandate for agencies to achieve specific Zero Trust targets and emphasizes the critical first step of gaining comprehensive visibility across all data, applications, assets, and services (DAAS).

Infoblox to Acquire Axur, Expanding into AI-Powered External Threat Disruption

Infoblox, a leader in DNS security and network services, has announced a definitive agreement to acquire Axur, a company specializing in AI-driven external threat detection and takedown. The acquisition will extend Infoblox's preemptive security offerings, enabling customers to combat threats like phishing, brand abuse, and credential theft that originate outside the corporate network. By integrating Axur's rapid takedown capabilities with its own DNS-level controls, Infoblox aims to significantly reduce the uptime of active cyberattacks.

ColorTokens Xshield Platform Gains FedRAMP Moderate Authorization, Boosting Federal Zero Trust Adoption

ColorTokens has achieved FedRAMP Moderate Authorization for its Xshield microsegmentation platform, a significant milestone that makes the solution readily available to U.S. federal agencies via the FedRAMP Marketplace. This authorization validates Xshield's security posture and enables government bodies to adopt the platform to accelerate their Zero Trust initiatives, particularly in preventing the lateral movement of cyberattacks across complex on-premise, cloud, and OT environments.

Asimily Boosts Cisco ISE Integration with Enhanced Microsegmentation for IoT/OT Devices

Asimily, a provider of cyber asset and exposure management, has launched enhanced microsegmentation capabilities, including new support for Security Group Access Control Lists (SGACL) in Cisco Identity Services Engine (ISE). This integration allows organizations to translate rich device context—such as risk, behavior, and classification—from the Asimily platform into dynamically enforced security policies in Cisco ISE. The goal is to automate the containment of threats across complex IT, IoT, and OT environments.

SpyCloud Unveils Supply Chain Threat Protection to Combat Third-Party Identity Risks

SpyCloud has launched its Supply Chain Threat Protection solution, a new platform designed to give organizations visibility into identity-related compromises within their vendor and supplier ecosystems. By leveraging a massive repository of recaptured data from breaches and malware infections, the solution provides actionable intelligence on compromised credentials and infected devices affecting third parties. This allows security teams to move beyond static questionnaires and proactively address active threats within their supply chain.

Noction IRP v4.3 Launches with Automated DDoS Detection and Routing-Native Mitigation

Noction has released version 4.3 of its Intelligent Routing Platform (IRP), introducing a major new feature called Automatic Anomaly Detection (AAD). This capability uses behavior-based traffic analysis to rapidly identify DDoS attacks and other network anomalies. Once an attack is detected, the platform can automatically trigger mitigation actions using routing-native mechanisms like BGP FlowSpec or Remote Triggered Blackholing (RTBH), enabling network operators to respond to threats in seconds without relying on external systems.

JumpCloud Unveils AI-Powered Tools to Govern Shadow AI and Manage Autonomous Agents

JumpCloud has introduced a suite of AI-powered capabilities for its identity and access management (IAM) platform, designed to help organizations manage the security risks of modern AI adoption. The new features focus on discovering and governing 'shadow AI'—the unsanctioned use of AI tools by employees—and applying Zero Trust principles to manage access for non-human autonomous agents. The goal is to provide IT and security teams with the visibility and control needed to turn a potential liability into a secure source of productivity.

Acronis Debuts S3-Compatible Archival Storage for MSPs with Predictable Pricing

Acronis has launched Acronis Archival Storage, a new long-term, S3-compatible cold storage solution aimed at Managed Service Providers (MSPs) and their SMB clients. Powered by Seagate's Lyve Cloud, the service is integrated into the Acronis Cyber Protect Cloud platform and features a predictable pricing model with no egress or API fees. This addresses a key need for compliant, cost-effective data retention for large volumes of infrequently accessed data, offering WORM immutability and high durability.

Armis Revamps Channel Strategy with Flexible, Tier-Free 'Select Partner Program'

Armis, a leader in cyber exposure management, has launched its new Armis Select Partner Program. The revamped global channel initiative moves away from traditional, rigid tiers in favor of a flexible, three-route model: selling, delivering services, and building solutions. This approach allows partners to engage with Armis in a way that best suits their business model, aiming to accelerate the adoption of the Armis Centrix platform and build a more collaborative partner ecosystem.

Darktrace Hires Terry Doyle as First Chief Information Officer to Scale Enterprise IT

AI cybersecurity leader Darktrace has appointed Terry Doyle as its first-ever Chief Information Officer (CIO). Doyle, a veteran technology executive with nearly 30 years of experience, will join the executive committee and be responsible for consolidating the company's enterprise IT and data functions. This strategic hire aims to build enterprise-scale systems and processes to support Darktrace's rapid global growth and enhance its operational discipline.

AWS Patches 'CodeBreach' Flaw, Averting Massive GitHub Supply Chain Attack

Amazon Web Services (AWS) has remediated a critical vulnerability in its AWS CodeBuild service, dubbed 'CodeBreach' by Wiz researchers. The flaw, which stemmed from a misconfigured webhook filter, could have allowed unauthenticated attackers to inject malicious code into the build processes of major open-source projects, including the AWS JavaScript SDK. An exploit could have granted attackers administrative control over key GitHub repositories, creating a catastrophic supply chain risk for the millions of applications and cloud environments that depend on these libraries. The vulnerability was discovered following a separate, failed attack attempt, highlighting the real-world threat. AWS has since patched the issue and implemented global hardening measures.

Hacker Group 'HawkSec' Claims Breach of 184 Million TotalEnergies Records

A hacking group calling itself 'HawkSec' has claimed a massive data breach against the French energy supermajor, TotalEnergies. In a post on a data leak forum, the group alleged the theft of a database containing nearly 184 million records, including sensitive customer information such as names, email addresses, phone numbers, and bank account details for French customers. To substantiate their claims, HawkSec posted sample data on social media. However, the full extent and legitimacy of the breach remain unverified. TotalEnergies has not yet confirmed the incident. The group's erratic behavior on forums has led some researchers to question their experience, though the potential impact if the claims are true is significant.

Critical Flaw in WordPress Plugin 'Modular DS' Actively Exploited for Admin Takeover

A critical, unauthenticated privilege escalation vulnerability in the 'Modular DS' WordPress plugin is being actively exploited in the wild. The flaw, tracked as CVE-2026-23550 with a CVSS score of 10.0, affects over 40,000 websites. It allows attackers to bypass authentication and gain full administrator privileges by sending a specially crafted HTTP request. Security firm Patchstack, which discovered the exploitation, observed attackers creating rogue admin accounts named 'PoC Admin'. The vulnerability lies in the plugin's custom routing and login logic, which can be tricked into logging an unauthenticated user into an existing administrator account. The vendor released a patch in version 2.5.2, and all users are urged to update immediately.

Palo Alto Networks Patches High-Severity DoS Flaw in PAN-OS Firewalls

Palo Alto Networks has issued security updates to address a high-severity denial-of-service (DoS) vulnerability, CVE-2026-0227, in its PAN-OS software. The flaw, which has a CVSS score of 7.7, allows an unauthenticated, remote attacker to crash firewalls that have a GlobalProtect gateway or portal enabled. A successful exploit forces the device into maintenance mode, disrupting all network traffic. While Palo Alto Networks is not aware of active exploitation, a proof-of-concept (PoC) exploit reportedly exists. The vulnerability affects multiple versions of PAN-OS, and customers are urged to apply the patches as soon as possible, as there are no workarounds.

GlassWorm Malware Pivots to Attack macOS Developers via Malicious VS Code Extensions

The GlassWorm malware campaign has evolved, now specifically targeting macOS developers through malicious extensions for Visual Studio Code and OpenVSX. This new wave of attacks, detailed in a security digest from Acronis, uses a self-propagating worm to deliver its payload. The malware embeds an encrypted payload within JavaScript files, uses a 15-minute execution delay to evade sandboxes, and establishes persistence using LaunchAgents. The primary goal of GlassWorm is to steal a wide range of developer-centric data, including credentials for GitHub and npm, browser data, and information from over 50 different cryptocurrency wallets, highlighting a significant supply chain threat.

Central Maine Healthcare Breach Exposes Data of Over 145,000 Patients and Employees

Central Maine Healthcare (CMH) has disclosed a major data breach affecting 145,381 patients and employees. The incident involved an unauthorized third party maintaining access to its network for over two months, from March to June 2025. The compromised data includes highly sensitive personal, medical, and financial information, such as Social Security numbers and treatment details. CMH is offering complimentary credit monitoring services to those affected and has stated it is enhancing its security monitoring to prevent future incidents.

Massive Unsecured Database Leaks Personal, Health, and Financial Data of 45 Million French Citizens

Security researchers have discovered a massive, unprotected database on a cloud server containing the sensitive records of approximately 45 million French citizens. The data, which has since been secured, appears to be an aggregation from at least five separate breaches, compiled by a data broker or cybercriminal. The exposed archive included voter registration data, healthcare records, IBANs, and CRM contact information, creating comprehensive and dangerous profiles on a significant portion of the French population.

VoidLink: New Modular Linux Malware Framework Discovered Targeting Cloud and Container Environments

Security researchers at Check Point have discovered 'VoidLink,' a highly sophisticated and modular Linux malware framework. Written in the modern Zig programming language, VoidLink is purpose-built for espionage in cloud and containerized environments. It can detect if it's running in AWS, GCP, Azure, Kubernetes, or Docker and adapt its behavior. With a plugin-based architecture inspired by Cobalt Strike, it features advanced rootkit capabilities, an in-memory plugin system, and tools for credential theft from cloud services and Git repositories. Though not yet seen in the wild, its advanced design poses a significant future threat.

Microsoft Copilot Flaw Allowed Data Theft via "Reprompt" Session Hijacking Attack

Researchers discovered a significant vulnerability in Microsoft's Copilot AI assistant that allowed for a "Reprompt" attack, enabling threat actors to bypass safety features, hijack user sessions, and exfiltrate data. The flaw, which has been patched in the January 2026 security update, abused URL parameters to inject hidden, follow-up prompts that executed within the victim's authenticated session. This allowed attackers to chain commands and steal information without the user's knowledge, highlighting the security risks of AI assistants processing untrusted input.

CISA Mandates Patch for Exploited Windows Zero-Day Used in Attack Chains

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a zero-day vulnerability in the Windows Desktop Window Manager (CVE-2026-20805) by February 3, 2026. The medium-severity information disclosure flaw is being actively exploited in the wild as a crucial component in multi-stage attack chains, allowing attackers to bypass Address Space Layout Randomization (ASLR) and enable more severe exploits like remote code execution. The flaw was addressed in Microsoft's January 2026 Patch Tuesday update.

Spanish Energy Giant Endesa Hit by Massive Data Breach, 20M Records Allegedly For Sale

Spain's largest electric utility, Endesa, has confirmed a data breach after detecting unauthorized access to a commercial platform. The company admitted that customer PII, contact details, and bank account IBANs were potentially exposed. The situation is amplified by a threat actor on a cybercrime forum who claims to have stolen a 1.05 TB database containing the data of over 20 million people, which is now up for sale. Endesa, which serves over 10 million customers, is urging vigilance against phishing and fraud.

Pax8 Data Leak Exposes Sensitive MSP and Customer Info via Accidental Email

Cloud commerce marketplace Pax8 has confirmed a data exposure incident caused by human error. On January 13, an employee mistakenly sent an email containing a CSV file with sensitive, non-PII business data for approximately 1,800 Managed Service Provider (MSP) partners. The email, sent to fewer than 40 UK-based partners, exposed valuable information such as customer names, Microsoft license counts, pricing, and contract renewal dates, creating a significant risk of targeted phishing and competitive poaching.

CISA Warns of Critical Flaws in Rockwell & YoSmart ICS Equipment

CISA has released several Industrial Control Systems (ICS) advisories, warning of significant vulnerabilities in widely deployed equipment from Rockwell Automation and YoSmart. A high-severity SQL injection flaw (CVE-2025-12807) in Rockwell's FactoryTalk platform could allow for database takeover, while another flaw (CVE-2025-9368) can cause a denial-of-service condition. Separately, multiple flaws in YoSmart smart home hubs could permit remote device control and data interception, posing risks to both manufacturing and communications sectors.

Russian GRU Hackers (APT28) Evolve Credential-Harvesting Tactics

The Russian GRU-linked threat group BlueDelta, also known as APT28 or Fancy Bear, has been observed refining its credential-harvesting operations. According to research from Recorded Future, campaigns between February and September 2025 targeted energy, defense, and policy organizations in Europe and Eurasia. The group uses tailored spear-phishing emails, multi-stage redirection, and abuses low-cost, disposable infrastructure like ngrok and other free hosting services to enhance stealth and complicate attribution.

Russian Hackers Target Ukrainian Military with "PluggyApe" Malware

A Russian-linked hacking group, Void Blizzard (also known as UAC-0190), has been targeting the Ukrainian Defense Forces with a new cyber-espionage campaign. According to CERT-UA, the attacks, which occurred between October and December 2025, use a novel malware strain called PluggyApe. The campaign employs sophisticated social engineering, with attackers making direct contact with targets on secure messaging apps like Signal and WhatsApp, using charity-themed lures to build trust and deliver the malware.

ConnectPOS Exposed Admin GitHub Token for Over Four Years, Creating Massive Supply Chain Risk

Point-of-sale vendor ConnectPOS exposed a GitHub Personal Access Token (PAT) with full administrative privileges in its public documentation for over four years, from September 2021 until its discovery in January 2026. The blunder, found by security firm Sansec, put the vendor's entire software supply chain at risk. An attacker could have used the token to inject malicious code, such as a payment card skimmer, into the POS software, which would then be distributed to its 12,000+ customers, including major brands like Asus and Indiana University.

Microsoft's January 2026 Patch Tuesday Fixes 114 Flaws, Including One Exploited Zero-Day

Microsoft has released its first Patch Tuesday of 2026, a substantial update that addresses 114 security vulnerabilities across a wide range of its products, including Windows, Office, Azure, and SharePoint. The release includes fixes for eight critical remote code execution (RCE) vulnerabilities and, most notably, one moderate-severity information disclosure zero-day (CVE-2026-20805) that is confirmed to be actively exploited in the wild. This makes it the third-largest January update on record, urging administrators to prioritize deployment.

Ransomware Evolves: Groups Recruit Insiders, Add DDoS as Profits Fall

The ransomware landscape is undergoing a significant evolution heading into 2026. Despite a 47% surge in publicly reported attacks in 2025, analysis from Recorded Future shows that overall profits for threat actors have declined. This financial pressure is forcing a tactical shift. Key trends to watch for include the bundling of DDoS services with ransomware to increase victim coercion, a more aggressive focus on recruiting corporate insiders to gain initial access, and a notable globalization of new ransomware groups emerging outside of the traditional Russian sphere of influence.

Urgent Patch: CISA Adds Actively Exploited Gogs RCE Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical path traversal vulnerability, CVE-2025-8110, in the Gogs self-hosted Git service to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, which allows for remote code execution (RCE) via symlink manipulation, is confirmed to be actively exploited in the wild. With a CVSS score of 8.7, it bypasses a previous patch for CVE-2024-55947. Federal agencies are mandated to remediate by February 2, 2026. The vulnerability affects an estimated 1,600 internet-exposed Gogs servers, posing a significant risk to organizations using the platform for source code management.

Poetic Justice: BreachForums Hacked, Database of 324,000 Cybercriminals Leaked

In a significant turn of events for the cybercrime community, the user database for the notorious hacking marketplace BreachForums was leaked online on January 9, 2026. The dump contains sensitive records for 323,986 users, including usernames, email addresses, IP addresses, private messages, and Argon2-hashed passwords. The breach, allegedly occurring in August 2025 and claimed by an individual named "James," represents a major operational security failure and provides a trove of intelligence for law enforcement agencies seeking to identify and prosecute threat actors like 'IntelBroker' and 'ShinyHunters' who were active on the forum.

Oregon DEQ Kept Data Breach of 4,800 People Secret for Nine Months

The Oregon Department of Environmental Quality (DEQ) confirmed on January 13, 2026, that a cyberattack in April 2025 exposed the personal data of approximately 4,800 people. The agency opted not to issue a broad public disclosure, citing that Oregon law did not require it, and instead began sending notification letters to affected individuals in late December 2025, over eight months after the incident. The initial attack, which the Rhysida ransomware gang later claimed, caused significant operational disruption. The delay in notification has drawn criticism and raises questions about the agency's transparency and incident response process.

French Immigration Agency Data Leaked via Third-Party Breach

France's Office for Immigration and Integration (OFII) has confirmed a data breach originating from a compromised third-party service provider. In early January 2026, a hacker claimed to be selling a database of up to 2.1 million records of foreign residents on BreachForums, posting samples that included names, contact details, and nationalities. OFII clarified that its own systems were not breached, but that the attack targeted a private training provider responsible for mandatory integration courses. The incident highlights the significant risks of supply chain attacks for government agencies and could lead to GDPR penalties for OFII as the data controller.

G7 Urges Financial Sector to Prepare for Quantum Computing Threat

The G7 Cyber Expert Group (CEG), co-chaired by the U.S. Department of the Treasury and the Bank of England, has issued a public statement and roadmap advising the global financial sector to begin a coordinated transition to quantum-resilient technology. The guidance warns that advanced quantum computers will eventually be able to break the public-key cryptography that secures the world's financial transactions. The roadmap encourages financial institutions to start assessing their quantum risks and developing formal plans for migrating to post-quantum cryptography (PQC) standards, such as those being developed by NIST, to counter 'harvest now, decrypt later' attacks.

Supply Chain Attack: Malicious npm Packages Steal Credentials from n8n Automation Platform

A novel supply chain attack discovered by Endor Labs is targeting users of the n8n workflow automation platform. Attackers are publishing malicious packages to the npm registry, disguised as legitimate 'community nodes' for popular services. When an unsuspecting user installs one of these nodes and enters their credentials (e.g., OAuth tokens, API keys), the malicious code exfiltrates the entire credential store from the n8n instance to an attacker-controlled server. This gives the attackers access to all services connected to the victim's n8n workflows, such as Salesforce and Stripe, creating a significant risk of widespread data breaches and financial fraud.

Cyber-Fraud Now Top Global Threat, Surpassing Ransomware, WEF Report Finds

The World Economic Forum's (WEF) 'Global Cybersecurity Outlook 2026' report, produced with Accenture, reveals a major shift in the threat landscape: cyber-enabled fraud and phishing have now surpassed ransomware as the top concern for global business leaders. The report highlights that fraud has reached 'record highs,' with 77% of leaders reporting an increase. It also identifies Artificial Intelligence as the most consequential force shaping cybersecurity in 2026, with 94% of leaders agreeing it will be the biggest factor. AI is seen as a double-edged sword, accelerating both offensive capabilities and defensive solutions, while growing concerns about data leaks from generative AI persist.

GoBruteforcer Botnet Exploits Weak Credentials on Linux Servers to Target Crypto Wallets

A modular Go-based botnet named GoBruteforcer is actively compromising internet-facing Linux servers by brute-forcing weak credentials for services like FTP, MySQL, and PostgreSQL. According to Check Point Research, the campaign's success is fueled by the widespread use of default or weak passwords, often found in AI-generated server deployment examples. Once compromised, servers are added to an IRC-controlled botnet and used to scan for more victims. The attackers have a clear financial motive, as they have been observed deploying tools on compromised hosts to scan for and drain TRON and Binance Smart Chain cryptocurrency wallets.

High-Severity Code Injection Flaw in Open WebUI (CVE-2025-64496) Allows RCE

A high-severity vulnerability, tracked as CVE-2025-64496, has been discovered in Open WebUI, a popular self-hosted interface for large language models (LLMs). The flaw, found by Cato Networks, allows a malicious AI server to inject arbitrary JavaScript code into a user's browser session. This can be exploited to steal authentication tokens and take over the user's account. If the compromised user has specific permissions enabled, the vulnerability can be escalated to achieve full remote code execution (RCE) on the host server. The issue affects Open WebUI versions 0.6.34 and older and was patched in version 0.6.35.

Iran's MuddyWater APT Unveils 'RustyWater' RAT in Middle East Espionage

The Iranian state-sponsored advanced persistent threat (APT) group MuddyWater, also known as Mango Sandstorm and TA450, has been observed deploying a new, custom-built Remote Access Trojan (RAT) named 'RustyWater'. According to research from CloudSEK, this new implant, written in the Rust programming language, is being used in a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities across the Middle East. The shift to a Rust-based tool marks a significant evolution in the group's capabilities, aimed at enhancing stealth and evading detection during long-term espionage operations.

Qilin Ransomware Hits French Infra Giant Bouygues, Claims 80GB Data Theft

The prolific Qilin ransomware group has listed French multinational infrastructure firm Bouygues Energies & Services as its latest victim on its dark web leak site. The group claims to have exfiltrated 80 GB of highly sensitive data, comprising 31,000 files. Most alarmingly, the threat actors allege the stolen data includes documents related to industrial control systems (ICS), such as SCADA interfaces and network plans for critical infrastructure projects like tunnels and tramways. This attack highlights the severe risk ransomware poses to physical safety and national security, extending beyond simple data encryption.

Apex Legends 'Remote Control' Hack Patched After Streamers Hijacked

Respawn Entertainment, the developer of the popular battle royale game Apex Legends, rapidly deployed a patch on January 10, 2026, to fix a significant security exploit. The vulnerability allowed a malicious actor to remotely take control of other players' characters during a live match, an incident that affected several high-profile streamers. The developer was quick to reassure the community that the exploit was not a Remote Code Execution (RCE) vulnerability, meaning attackers could not execute malicious code on victims' computers. The issue was resolved within a day of being publicly acknowledged.

Everest Ransomware Claims 900 GB Data Theft from Nissan

The Everest ransomware group has claimed a massive data breach against Japanese automotive giant Nissan Motor Co., Ltd. In a post on its dark web leak site on January 10, 2026, the group alleged it had stolen approximately 900 GB of sensitive corporate data. To back up its claim, Everest published screenshots showing internal directory structures and file names related to dealerships, finance, and audits. The group, which employs a double-extortion model, has given Nissan a five-day deadline to respond before it threatens to release the data publicly. Nissan has not yet officially confirmed the breach.

High-Severity Flaw in Mailpit Dev Tool Allows Email Interception

A high-severity vulnerability, tracked as CVE-2026-22689, has been discovered in Mailpit, a popular email testing tool for developers. The flaw is a Cross-Site WebSocket Hijacking (CSWSH) issue affecting all versions prior to 1.28.2. It allows a remote attacker to intercept sensitive data, including the full content of test emails, by tricking a developer running a vulnerable Mailpit instance into visiting a specially crafted malicious website. Users are strongly urged to upgrade to the patched version to mitigate the risk of data exposure.

French Bank Customers Hit by 'Quishing' Scam Using Fake Physical Cards

A highly deceptive phishing campaign, dubbed 'quishing,' is targeting bank customers in France using a blend of physical and digital tactics. Scammers are sending official-looking letters by postal mail that contain a high-quality counterfeit bank card. The letter instructs the recipient to 'activate' the new card by scanning an included QR code. This QR code directs the victim to a fraudulent website designed to mimic their bank's portal, where their banking credentials and personal information are harvested. This hybrid attack method is effective at bypassing traditional email security filters.

Texas Health System Breach Exposes Data of Over 34,000 Patients

Vida Y Salud Health Systems Inc., a nonprofit health center serving rural communities in South Texas, has reported a data breach that exposed the sensitive personal and medical information of 34,504 patients. The organization detected unauthorized access to its network in October 2025, where an attacker copied files containing names, Social Security numbers, driver's license numbers, and protected health information (PHI). Vida Y Salud is notifying affected individuals and offering complimentary credit monitoring services as law firms begin to investigate the incident.

Financial Sector Warned of Systemic Supply Chain Risk and 'Indirect Ransomware'

A new threat intelligence report for 2025-2026 reveals a perilous cyber landscape for the financial sector, dominated by systemic supply chain risks and evolving ransomware tactics. Citing data that 97% of U.S. banks were breached via third-party suppliers in 2024, the report underscores the critical vulnerability posed by partners. It also highlights the rise of 'indirect ransomware,' where attackers compromise a supplier to bypass a bank's defenses. Geopolitical threats also persist, with pro-Russian hacktivists targeting European banks and the North Korean Lazarus Group remaining a primary state-aligned threat.

YARA-X Update Helps Analysts Avoid Flawed Detection Rules

Version 1.11.0 of YARA-X, a popular tool for malware analysis, has been released with a key enhancement aimed at improving the accuracy of detection rules. The update introduces 'hash function warnings,' a feature that alerts security analysts when they make common errors in hash string comparisons, such as providing a SHA1 hash where a SHA256 hash is expected. This quality-of-life improvement helps prevent silent false negatives, where a flawed rule fails to detect malware without providing any error, thereby strengthening threat hunting and security operations.

Chinese State Hackers 'Salt Typhoon' Breach U.S. Congressional Committee Emails

The Chinese state-sponsored hacking group known as Salt Typhoon has reportedly compromised the email systems of staff members for several key U.S. House of Representatives committees. The cyberespionage campaign, detected in December 2025, targeted aides on influential panels including those overseeing China, foreign affairs, intelligence, and armed services. While lawmakers' personal accounts are not believed to have been accessed, the infiltration of staff networks raises significant national security concerns about the potential for long-term intelligence gathering from sensitive, unclassified communications. Salt Typhoon is a known actor with a history of targeting U.S. critical infrastructure.

Cisco Patches Medium-Severity Flaws in Snort 3 Engine That Could Lead to DoS and Data Leaks

Cisco has disclosed two medium-severity vulnerabilities, CVE-2026-20026 and CVE-2026-20027, in its widely used Snort 3 detection engine. The flaws exist in the processing of DCE/RPC traffic and can be triggered by a remote, unauthenticated attacker. CVE-2026-20026 (CVSS 5.8) is a use-after-free issue that could cause the engine to crash, leading to a denial-of-service. CVE-2026-20027 (CVSS 5.3) is an out-of-bounds read that could leak sensitive memory data. The vulnerabilities affect numerous Cisco products, including Secure Firewall, IOS XE with UTD, and Meraki MX appliances. Patches are available for some products, but others are pending.

Google Patches High-Severity Chrome Flaw That Could Allow Attackers to Bypass Security Policies

Google has issued a security update for its Chrome browser, patching a high-severity vulnerability tracked as CVE-2026-0628. The flaw, which affects Chrome on Windows, macOS, and Linux, is described as an "insufficient policy enforcement" issue within the WebView component. An attacker could exploit this by tricking a user into installing a malicious extension, which could then bypass security controls to execute unauthorized code on normally protected browser pages. This could lead to data theft or session hijacking. While there is no evidence of active exploitation, Google urges all users to update to the patched versions immediately.

Online Betting Giant BetVictor Discloses Major Data Breach, Customer Data Compromised

BetVictor, a major European online gambling company, has officially disclosed a significant data breach that compromised sensitive customer information. The security incident was first detected on January 8, 2026, during routine security audits and has caused unspecified operational disruptions. The company has not yet detailed the nature of the attack or the exact types of data accessed. An investigation is underway as BetVictor works to secure its systems and manage the fallout, which could include regulatory scrutiny and a loss of customer trust in the highly competitive online gaming market.

Data of 17.5 Million Instagram Users Leaked on Hacker Forum After Scraping Attack

The personal data of approximately 17.5 million Instagram users has been leaked on the BreachForums hacking forum. The data, posted by a user named 'Solonik,' was allegedly obtained via automated data scraping from public APIs. The leaked information includes full names, email addresses, phone numbers, and user IDs, exposing the affected individuals to a high risk of targeted phishing, identity theft, and SIM swapping attacks. Following the leak, users have reported a surge in fraudulent password reset attempts. As of January 10, 2026, Instagram's parent company, Meta, has not formally acknowledged the incident.

Critical OpenSSH Flaw Exposes Moxa Industrial Switches to Remote Code Execution

Industrial networking vendor Moxa has issued a security advisory for a critical vulnerability, CVE-2023-38408, affecting its EDS-G4000 and RKS-G4000 series industrial Ethernet switches. The flaw resides in the OpenSSH service integrated into the device firmware and could allow a remote attacker to execute arbitrary code. These switches are commonly used in critical infrastructure and industrial control systems (ICS), making the vulnerability particularly high-risk. The Canadian Centre for Cyber Security has echoed the warning, and both organizations are urging administrators to apply the provided firmware updates immediately to mitigate the threat.

HPE OneView Flaw Scores Perfect 10.0, Grants Attackers 'Keys to the Kingdom'

Hewlett Packard Enterprise (HPE) has disclosed CVE-2025-37164, a critical unauthenticated remote code execution vulnerability in its OneView infrastructure management software. The flaw, rated with a maximum CVSS score of 10.0, allows a remote attacker to gain complete control of the centralized management appliance without any credentials. Given OneView's extensive privileges over servers, storage, and firmware, a successful exploit could lead to a catastrophic compromise of an organization's entire infrastructure. CISA has added the vulnerability to its KEV catalog, mandating immediate patching for federal agencies.

FBI: North Korea's Kimsuky APT Using 'Quishing' to Bypass MFA

The U.S. Federal Bureau of Investigation (FBI) has issued a formal advisory warning that the North Korean state-sponsored threat group Kimsuky (also known as APT43) is actively using malicious QR codes in spear-phishing emails. This tactic, dubbed 'quishing,' is designed to bypass traditional email security by tricking users into scanning the code with a personal mobile device. The goal is to harvest credentials and session tokens from high-value targets in government, academic institutions, and think tanks, effectively bypassing multi-factor authentication (MFA) through session hijacking.

London Councils Hit by Major Cyberattack, Resident Data Exposed

A significant cyberattack targeting a shared IT system used by multiple London councils has resulted in a data breach exposing the sensitive personal information of thousands of residents. The incident, which affected Kensington and Chelsea Council among others, has caused widespread service disruptions and has triggered an investigation by the UK's National Cyber Security Centre (NCSC) and the Metropolitan Police. The attack highlights the systemic risks associated with interconnected IT platforms in the public sector, where a single point of failure can have cascading consequences.

Critical 9.8 CVSS RCE Flaw Hits Trend Micro Apex Central

Trend Micro has released patches for multiple vulnerabilities in its on-premise Apex Central security management console, including a critical remote code execution (RCE) flaw, CVE-2025-69258, with a CVSS score of 9.8. The vulnerability allows an unauthenticated remote attacker to load a malicious DLL and execute code with SYSTEM-level privileges. The flaw resides in the 'MsgReceiver.exe' component listening on TCP port 20001. Two other high-severity denial-of-service flaws were also fixed. Customers are urged to update to Build 7190 or later.

Qilin Ransomware Gang Claims Attack on Italian Manufacturer Cressi

The prolific Russia-linked Qilin ransomware gang has claimed responsibility for a cyberattack on Cressi, a major Italian manufacturer of diving and water sports equipment. The claim was posted on the group's darknet leak site. As of January 9, 2026, the gang has not leaked any stolen data or set a public ransom deadline, which is a common extortion tactic. Cressi has not yet commented on the allegation. The Qilin group is one of the most active ransomware operations, known for targeting manufacturing and healthcare sectors and for its high-profile attacks in 2025.

CISA Issues Six New Advisories for Hitachi and Mitsubishi ICS Flaws

On January 8, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released six new Industrial Control Systems (ICS) advisories. The alerts detail vulnerabilities discovered in products from Hitachi Energy and Mitsubishi Electric. These products, including the Hitachi Energy Asset Suite and Mitsubishi Electric's ICONICS Digital Solutions, are widely deployed across multiple critical infrastructure sectors, with a specific mention of the Energy sector. CISA is urging organizations using this equipment to review the advisories and remediate the flaws to prevent potential disruption of industrial processes.

Cisco Patches Zero-Day Information Disclosure Flaw in ISE Platform

Cisco has patched a high-severity zero-day vulnerability, CVE-2026-20029, in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The flaw could allow an authenticated, remote administrator to read arbitrary files from the underlying system. The vulnerability is due to improper parsing of XML in the web-based management interface. An attacker could exploit it by uploading a malicious file. Cisco has released software updates to address the issue and urges customers to apply them promptly to prevent sensitive data exposure.

Cyberattacks on Automotive and Logistics Supply Chains Skyrocket

A new report from Everstream Analytics reveals a dramatic escalation in cyberattacks targeting global supply chains. In 2025, the automotive manufacturing industry experienced a staggering 722% increase in cyber incidents compared to the previous year. The logistics industry was also heavily impacted, with attacks growing by 61%. The report identifies this surge in cyber warfare as a primary factor set to disrupt trade and logistics in 2026, alongside hybrid warfare, aging infrastructure, and the weaponization of trade regulations. This transforms supply chain risk from a cost issue to a major security challenge.

NZ Patient Portal Breach Exposes Health Records of 126,000

ManageMyHealth, New Zealand's largest online patient portal, has confirmed a significant data breach discovered on December 30, 2025. The cyberattack compromised the 'My Health Documents' module, exposing the sensitive medical records of between 108,000 and 126,000 users. A threat actor using the alias 'Kazu' has claimed responsibility, alleging the exfiltration of 108 gigabytes of data and issuing a ransom demand. Compromised information includes clinical notes, lab results, and hospital discharge summaries. ManageMyHealth has engaged cybersecurity specialists, notified authorities including the Office of the Privacy Commissioner, and obtained a High Court injunction to prevent the stolen data's distribution.

State-Sponsored "BRICKSTORM" Backdoor Targets VMware and Windows in Critical Infrastructure

CISA, the NSA, and the Canadian Centre for Cyber Security have released an updated report on BRICKSTORM, a sophisticated backdoor malware. The report links the malware to Chinese state-sponsored threat actors who are using it to compromise VMware vSphere and Windows environments, primarily within public sector and critical infrastructure organizations. BRICKSTORM is designed for long-term persistence, credential theft, and data exfiltration, posing a significant espionage threat to enterprise virtualization platforms.

Zero-Day in End-of-Life D-Link Routers Actively Exploited; No Patch Will Be Released

A critical zero-day command injection vulnerability, CVE-2026-0625, is being actively exploited in the wild, affecting multiple end-of-life (EOL) D-Link DSL router models. The flaw, rated 9.3 on the CVSS scale, allows unauthenticated remote attackers to execute arbitrary code by sending a malicious request to the 'dnscfg.cgi' endpoint. Exploitation has been observed since at least November 2025, with attackers using it for 'DNSChanger' style attacks. D-Link has confirmed the vulnerability but stated that since the affected products are discontinued, no security patches will be issued. Owners are strongly advised to immediately retire and replace the vulnerable devices to prevent compromise.

Black Cat Group Targets Notepad++ Users in Massive SEO Poisoning Campaign

The notorious Black Cat (ALPHV) cybercrime group is behind a large-scale SEO poisoning campaign that uses malicious advertisements and manipulated search results to distribute an information-stealing backdoor. The campaign targets users searching for popular software like Notepad++. Victims are lured to convincing fake download sites, which redirect them to a GitHub clone to download a trojanized installer. The malware uses DLL side-loading to execute its payload, which is capable of stealing browser credentials, cookies, and keystrokes. A report from CNCERT/CC and ThreatBook revealed the campaign was highly effective, compromising nearly 278,000 hosts in China in just two weeks.

Brightspeed Investigates Breach Claim by Crimson Collective Affecting 1M+ Customers

US fiber broadband provider Brightspeed is actively investigating a data breach claim made by the 'Crimson Collective' extortion group. The threat actors allege they have stolen a massive dataset containing the personally identifiable information (PII) of over one million customers, including names, addresses, phone numbers, and some payment data. The group, known for targeting AWS cloud environments, has threatened to leak the data if their demands are not met and has reportedly offered the dataset for sale. Brightspeed serves 20 states and has acknowledged the claim, stating it is working to determine its validity. The incident follows a pattern for Crimson Collective, which previously breached Red Hat.

CISA Warns of RCE Flaw in Hitachi Energy ICS Product

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Industrial Control Systems (ICS) advisory, ICSA-26-008-01, for a vulnerability in Hitachi Energy's Asset Suite. The flaw, CVE-2025-10492, could allow a remote attacker to achieve remote code execution (RCE). The vulnerability stems from an insecure third-party component, Jasper Report, used within the Asset Suite product, which is deployed in the energy sector. While there are no reports of active exploitation, CISA and Hitachi Energy are urging customers to apply mitigations and follow security best practices, such as ensuring control systems are not exposed to the internet.

TridentLocker Ransomware Strikes Claims Giant Sedgwick in Breach-then-Encrypt Attack

Global claims management leader Sedgwick has reportedly been targeted by the TridentLocker ransomware group. The attack follows the increasingly common 'breach-then-encrypt' model, where threat actors first exfiltrate sensitive data before deploying ransomware to encrypt systems. TridentLocker claims to have stolen data from systems supporting Sedgwick's government services operations, a move designed to maximize pressure for a ransom payment. This incident underscores the evolution of ransomware from a simple availability attack to a complex data breach and extortion scheme. For service providers like Sedgwick, which manage vast amounts of third-party regulated data, such an attack poses significant operational, financial, and reputational risks.

No MFA, No Problem: "Zestix" Actor Breaches 50 Firms Using Stolen Credentials

A threat actor identified as 'Zestix' (or 'Sentap') has successfully compromised approximately 50 global enterprises by simply logging into their corporate file-sharing portals with valid credentials. According to research from Hudson Rock, the attacks were not sophisticated zero-day exploits but a direct result of a fundamental security failure: the absence of multi-factor authentication (MFA). The actor acquired credentials harvested by infostealer malware like RedLine and Lumma from infected employee devices. They then used these credentials to access sensitive data stored on platforms such as Progress ShareFile, Nextcloud, and OwnCloud. High-profile victims include Iberia Airlines and Sekisui House, highlighting a 'global epidemic of cloud exposure' and the critical, non-negotiable need for MFA across all enterprise applications.

Ni8mare: Critical Unauthenticated RCE Flaw (CVSS 10.0) Hits n8n Automation Platform

A critical, unauthenticated remote code execution (RCE) vulnerability, codenamed 'Ni8mare' and tracked as CVE-2026-21858, has been disclosed in the popular n8n workflow automation platform. The flaw, which carries the maximum possible CVSS score of 10.0, allows a remote attacker to gain complete control over a vulnerable, self-hosted n8n instance without any credentials. Discovered by Cyera Research Labs, the vulnerability stems from a Content-Type confusion issue where a file-handling function can be improperly invoked. A successful exploit could lead to the theft of sensitive credentials stored in workflows, full server compromise, and lateral movement into connected corporate systems. All self-hosted n8n versions prior to 1.121.0 are affected, and administrators are urged to patch immediately as proof-of-concept details are now public.

Second CVSS 10.0 RCE Hits n8n, Allows Authenticated Takeover

A second maximum-severity vulnerability, CVE-2026-21877, has been disclosed in the n8n workflow automation platform, also rated CVSS 10.0. Unlike the recently revealed unauthenticated flaw, this vulnerability requires an attacker to be an authenticated user. A low-privileged user can exploit the flaw to achieve remote code execution (RCE), leading to a full takeover of the n8n instance. This could allow an attacker to steal credentials, disrupt workflows, and pivot into connected internal systems. The vulnerability affects both self-hosted and cloud versions of n8n. A patch was released in version 1.121.3 in November 2025, but organizations running older versions remain at high risk. This string of critical flaws puts immense pressure on n8n administrators to patch and secure their instances.

NIST Releases Draft Cybersecurity Framework Profile for AI

The U.S. National Institute of Standards and Technology (NIST) has released a preliminary draft of a Cybersecurity Framework (CSF) Profile for Artificial Intelligence. This new guidance, intended to be used with CSF 2.0 and the AI Risk Management Framework (AI RMF), aims to help organizations manage the unique cybersecurity risks associated with developing, deploying, and using AI. The draft profile is structured around three focus areas: 'Secure,' 'Defend/Thwart,' and 'Respond,' providing guidance on topics like AI agent identity, preventing arbitrary code execution by AI, and responding to AI-related security incidents. NIST is seeking public comment on the draft until January 30, 2026.

ownCloud Urges Users to Enable MFA as Credential Stuffing Attacks Surge

In a proactive security move, the developers of the ownCloud file-sharing platform have issued a warning to all users, strongly advising them to enable multi-factor authentication (MFA). The advisory, released on January 7, 2026, is a direct response to recent reports of the 'Zestix' threat actor successfully breaching dozens of organizations by using credentials stolen by infostealer malware on cloud portals without MFA. While ownCloud was not named as a victim in that specific campaign, it is a known target for such attacks. The company is emphasizing that strong passwords alone are insufficient and that MFA is an indispensable layer of defense against credential stuffing and password reuse attacks.

Qualcomm Issues January Security Bulletin Addressing Multiple Vulnerabilities

Qualcomm has published its January 2026 security bulletin, addressing multiple vulnerabilities of varying severities across a wide range of its products. The bulletin was highlighted by an advisory from the Canadian Centre for Cyber Security on January 7, 2026. Given the ubiquitous nature of Qualcomm chipsets in mobile phones, IoT devices, and automotive systems, these vulnerabilities could have a widespread impact. The specific CVEs and affected products are detailed in the bulletin itself. Users and administrators are urged to review the bulletin and apply necessary firmware or software updates from their device manufacturers as they become available to mitigate potential risks.

Lapsus$ Hacking Group Is Back with Evolved Extortion Tactics

The notorious Lapsus$ extortion group, known for its high-profile breaches of major tech companies, has reportedly resurfaced. According to a threat intelligence report from January 7, 2026, remnants of the group have reformed and evolved, integrating tactics from other cybercriminal operations. The new iteration of Lapsus$ is said to be shifting its focus towards more nuanced identity-based extortion schemes, moving beyond simple data theft. This evolution suggests a more complex and harder-to-detect threat, leveraging compromised identities for persistent and subtle attacks. Security teams are warned to be on high alert for sophisticated social engineering and extortion attempts targeting employee identities.

CISA Adds Two New Actively Exploited Vulnerabilities to KEV Catalog

On January 7, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The specific details of the flaws have not been disclosed, but their inclusion confirms they are under active exploitation by malicious actors. In accordance with Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are now required to identify and remediate these vulnerabilities by a specified deadline. CISA strongly urges all public and private sector organizations to review the KEV catalog and prioritize patching these vulnerabilities to defend against active threats.

Kimwolf Botnet Hijacks 2M Android Devices via Proxy Networks

The Kimwolf botnet has rapidly expanded to infect over 2 million devices worldwide, primarily targeting low-cost Android-based TV and streaming boxes. Active since at least mid-2025, the botnet operators monetize their network by launching large-scale DDoS attacks, surreptitiously installing applications, and selling residential proxy bandwidth. The botnet's growth is fueled by its exploitation of residential proxy networks to infect devices behind home routers, with some evidence suggesting devices are being sold pre-infected.

Russia-Aligned UAC-0184 Uses Viber to Target Ukrainian Military

The Russia-aligned threat group UAC-0184 (also tracked as Hive0156) has evolved its tactics to include the Viber messaging platform for malware distribution. The group is targeting Ukrainian military and government departments with malicious ZIP archives containing LNK files. When opened, these files deploy the Remcos Remote Administration Tool (RAT), enabling the attackers to conduct espionage. This new vector supplements their previous methods of using phishing emails and other messaging apps like Signal and Telegram.

New Privacy & Cybersecurity Laws Take Effect Across US States

January 1, 2026, marked the effective date for a significant wave of new state-level privacy and cybersecurity laws in the United States. Comprehensive privacy laws are now active in Indiana, Kentucky, and Rhode Island. Concurrently, new regulations under the California Consumer Privacy Act (CCPA) covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) have also come into force, increasing compliance obligations for businesses operating in these states.

EmEditor Website Hacked to Distribute Infostealer Malware

Emurasoft, the developer of the popular EmEditor text editor, has disclosed that its official website was compromised for a four-day period. During the breach, the main download button on the homepage was redirected to a malicious server hosting a trojanized installer. Users who downloaded and ran this fake installer were infected with an infostealer malware designed to harvest system credentials. The malware also installed a rogue browser extension capable of remote control and cryptocurrency swapping.

Korean Air Subsidiary Breach Exposes Data of 30,000 Employees

South Korean airline Korean Air has confirmed a significant data breach affecting approximately 30,000 current and former employees. The incident occurred not on the airline's network, but at a former subsidiary and key catering supplier, Korean Air Catering & Duty-Free (KC&D). Attackers infiltrated the supplier's systems and exfiltrated sensitive employee data, including full names and bank account numbers. This supply chain attack highlights the persistent risk posed by third-party vendors, as no customer data was impacted, and the breach was confined to employee information stored on the supplier's compromised network.

TridentLocker Ransomware Hits Sedgwick's Federal Contracting Arm

Claims administration giant Sedgwick confirmed on January 4, 2026, that its government-focused subsidiary, Sedgwick Government Solutions (SGS), was breached by the emerging TridentLocker ransomware group. The attackers employed a double-extortion strategy, exfiltrating 3.4 GB of data from an isolated file transfer system and threatening its public release. SGS is a major federal contractor for U.S. agencies like the Department of Homeland Security and CISA, making this a significant supply chain security incident.

Flaws in Airoha Bluetooth Chips Expose Headphones from Sony, Bose to Hijacking

A set of critical vulnerabilities has been disclosed in Bluetooth System-on-Chips (SoCs) from Airoha, a major supplier for popular headphone brands including Sony, Bose, and JBL. The flaws, tracked up to CVE-2025-20702, exist in an unauthenticated diagnostic protocol called RACE. An attacker within Bluetooth range can exploit these flaws to connect to a device without pairing, read or write to memory, access the microphone for eavesdropping, and steal Bluetooth link keys to impersonate the device. The vulnerabilities pose a significant privacy and security risk to millions of consumer electronics users.

Ransomware Goes Global, Targeting New Regions and Industries with Weaker Defenses

Ransomware is becoming a more globalized and unpredictable threat, according to the H2 2025 Global Threat Briefing from cyber analytics firm CyberCube. The report warns that ransomware groups are actively expanding into new geographic regions and industry sectors that have historically seen fewer attacks, often targeting those with less mature cyber defenses. The highly active LockBit ransomware-as-a-service (RaaS) group is a key driver of this trend. The findings suggest that traditional risk models based on geography or industry are becoming less reliable predictors of attack likelihood.

Taiwan Reports 2.6 Million Daily Cyberattacks from China in 2025

Taiwan's National Security Bureau (NSB) released a report on January 4, 2026, detailing a massive and sustained cyber offensive by Chinese state-backed actors throughout 2025. The island faced an average of 2.63 million cyberattacks daily, a 6% increase from 2024 and double the rate of 2023. The attacks are described as a core component of Beijing's hybrid warfare strategy, targeting nine critical sectors including energy, healthcare, and government agencies. The NSB identified prominent threat groups like BlackTech, Flax Typhoon, and APT41 behind the campaigns, which utilized vulnerability exploitation, DDoS attacks, and supply chain intrusions. The energy sector saw an alarming 1,000% increase in attacks, underscoring a strategic effort to probe and potentially disrupt Taiwan's essential services.

Petlibro Smart Feeder API Flaw Lets Anyone Control Devices, Access Cameras

A serious improper access control vulnerability, CVE-2025-3653, has been found in the backend API for Petlibro's smart pet feeders. The flaw allows a remote attacker to take full control of any Petlibro device simply by sending its serial number to the API, with no authentication required. A successful attacker can alter feeding schedules, dispense food on command, and, on camera-equipped models, view the live video feed. Disclosed by VulnCheck, the vulnerability affects Petlibro Smart Pet Feeder Platform versions up to 1.7.31 and highlights the persistent failure of some IoT manufacturers to implement basic security controls, creating significant privacy and safety risks for consumers.

Critical Flaw in GNU Wget2 Allows Arbitrary File Overwrites

A critical vulnerability, CVE-2025-69194, has been discovered in GNU Wget2, the modern replacement for the ubiquitous Wget file download utility. The flaw is an improper path validation issue (path traversal) that can be triggered by a malicious remote server. An attacker can trick a vulnerable Wget2 client into writing a downloaded file to an arbitrary location on the filesystem. This could be exploited to overwrite critical system files, user configuration files (like .bashrc), or place malicious scripts in sensitive locations, potentially leading to data loss, denial of service, or remote code execution.

A Look Inside the CVE Process: The Story of a Rejected ID

On January 3, 2026, the National Vulnerability Database (NVD) officially updated the status of CVE-2025-34775 to 'REJECTED'. This status indicates that while the identifier was reserved by a CVE Numbering Authority (CNA), it was ultimately not used for a public vulnerability disclosure. This can occur for several reasons, such as the finding being a duplicate of an existing CVE, the issue not meeting the criteria for a vulnerability, or the researcher withdrawing the submission. While rejected CVEs contain no technical details, their existence provides transparency into the administrative backend of the global vulnerability tracking system.

Critical RCE in Xspeeder SXZOS Allows Unauthenticated Root Access

A critical remote code execution (RCE) vulnerability, CVE-2025-54322, has been discovered in Xspeeder SXZOS networking appliances. The flaw allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges. The vulnerability exists in the '/vLogin' API endpoint, which improperly processes base64-encoded Python payloads, leading to complete device compromise. Administrators are urged to patch immediately due to the ease of exploitation and the severity of the flaw.

Clop Ransomware Hits Korean Air in Supply Chain Attack, Exploiting Oracle Zero-Day

Korean Air announced on December 29, 2025, that it suffered a data breach affecting the personal information of approximately 30,000 employees. The breach was the result of a supply chain attack targeting KC&D Service, a former subsidiary. The incident is believed to be the work of the prolific Clop ransomware group (also known as TA505 or FIN11), which exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite. This remote code execution flaw, with a CVSS score of 9.8, is part of a wider Clop campaign targeting the aviation industry's supply chain.

Handala Group Doxes Israeli Intel Agents in Psyops Campaign

The Iran-linked hacktivist group Handala has intensified its information warfare against Israel by publicly exposing the identities of 15 alleged Signal Intelligence (SIGINT) officers on January 3, 2026. This act of doxing is the latest in a series of campaigns designed to inflict psychological and reputational damage on Israeli intelligence and government officials. Investigations by cybersecurity firm KELA suggest Handala's primary attack vector is not sophisticated device hacking but rather the compromise of messaging applications like Telegram, likely through social engineering or session hijacking. The group, believed to be associated with Iran's Ministry of Intelligence and the 'Banished Kitten' cyber unit, frames these leaks as strategic blows, having previously targeted high-profile figures and released documents related to Israel's Iron Dome system and Unit 8200.

Tokyo FM Radio Hit by Massive Data Breach, 3 Million Records for Sale

A threat actor using the alias 'victim' has claimed responsibility for a major data breach against Tokyo FM Broadcasting Co., LTD., one of Japan's largest radio stations. On January 1, 2026, the attacker announced on a hacker forum that they had stolen a database containing over 3 million records. The compromised data allegedly includes a vast amount of personally identifiable information (PII) from listeners, such as names, addresses, and birth dates, as well as sensitive internal data like employee login credentials. The attacker stated they attempted to disclose the vulnerability to the company but received no response, prompting them to sell the data. If confirmed, this breach would represent a significant violation of Japan's Act on the Protection of Personal Information (APPI), exposing Tokyo FM to severe regulatory penalties and reputational damage.

KIOTI Tractor Discloses Wider Impact from 2024 Data Breach

Daedong-USA, Inc., parent company of the KIOTI® Tractor Division, issued a notice on January 2, 2026, expanding the scope of a data breach that originally occurred in October 2024. A prolonged investigation that concluded in late 2025 revealed that a wider range of highly sensitive personal information was stolen by an unauthorized party than first realized. The compromised data affects a number of current and former employees, their dependents, and some customers. The stolen information includes names, Social Security numbers, driver's licenses, passport numbers, financial account details, and private health information. The company has begun notifying the newly identified victims and has set up a call center to address concerns, emphasizing that this is an update to a past incident, not a new breach.

Resecurity Turns Tables on Hackers, Claims Breach Was a Honeypot

Cybersecurity firm Resecurity has publicly refuted claims of a major data breach made by a hacking group known as 'Scattered Lapsus$ Hunters' (SLH). On January 3, 2026, the group announced on Telegram that it had compromised Resecurity's systems, stealing internal data and client information. Resecurity swiftly responded, asserting that the attackers had not breached any production systems but were instead contained within a sophisticated honeypot environment. The firm stated that the screenshots posted by SLH as 'proof' were from this decoy system, which was filled with synthetic data. Resecurity claims the successful deception allowed them to gather valuable threat intelligence on the attackers' TTPs, effectively turning a potential attack into an intelligence-gathering operation.

Finland Arrests Two in Probe of Damaged Undersea Telecom Cable

Finnish authorities have arrested two crew members of the cargo ship 'Fitburg' in connection with significant damage to an undersea telecommunications cable in the Gulf of Finland. The incident, which occurred around New Year's Eve, disrupted a critical data link owned by Elisa that connects Finland and Estonia. Investigators reported the ship was observed dragging its anchor at the exact time and location of the cable break. The investigation is being treated as potential sabotage and interference with telecommunications, heightening concerns about hybrid threats to critical infrastructure in the strategically sensitive Baltic Sea region. The incident follows a pattern of disruptions to undersea infrastructure since the start of the war in Ukraine.

VVS Stealer Malware Uses PyArmor Obfuscation to Target Discord Users

A new information-stealing malware named VVS Stealer is being sold on Telegram and used to target Discord users. Written in Python, the stealer's key feature is its use of the legitimate tool PyArmor to heavily obfuscate its code, allowing it to bypass static analysis and signature-based antivirus detection. Once on a victim's system, VVS Stealer establishes persistence and proceeds to steal a wide range of data. It specifically targets Discord, using the Windows DPAPI to decrypt authentication tokens and malicious JavaScript injection to capture password changes in real-time. The malware also exfiltrates cookies, history, and saved passwords from nearly 20 different web browsers, sending the stolen data to an attacker-controlled Discord webhook.

Infostealers Fuel Vicious Cycle, Hijacking Victim Websites to Spread More Malware

A new report from Hudson Rock highlights a dangerous and self-perpetuating cybercrime trend where credentials stolen by infostealer malware are used to hijack legitimate business websites. Attackers gain administrative access to platforms like WordPress using the stolen logins, then inject malicious scripts to turn the trusted sites into malware distribution points. These compromised sites are then used in campaigns employing social engineering tactics like 'ClickFix,' which tricks visitors into executing malicious PowerShell commands. This creates a vicious feedback loop: infostealers harvest credentials, which are used to compromise websites, which then distribute more infostealers like Lumma and Vidar, amplifying the scale and effectiveness of their campaigns.

Over 10,000 Fortinet Firewalls Exposed to Critical 2FA Bypass Flaw

Security watchdog Shadowserver revealed on January 2, 2026, that over 10,000 Fortinet FortiGate firewalls remain unpatched and vulnerable to a critical, five-year-old 2FA bypass flaw, CVE-2020-12812. This vulnerability, rated 9.8 on the CVSS scale, allows an attacker with valid credentials to bypass FortiToken-based two-factor authentication by simply changing the case of the username during login. The flaw stems from a mismatch where FortiGate is case-sensitive, but the backend LDAP server is not. Despite patches being available since July 2020 and CISA adding it to its Known Exploited Vulnerabilities (KEV) catalog, thousands of devices, including over 1,300 in the US, remain exposed and are being actively exploited by threat actors.

Critical Auth Bypass Flaw (CVSS 9.8) in IBM API Connect

IBM has issued an urgent security advisory for a critical authentication bypass vulnerability, CVE-2025-13915, in its API Connect platform. The flaw carries a CVSS score of 9.8, reflecting its potential for severe impact. It could allow a remote, unauthenticated attacker to bypass security controls and gain unauthorized access to applications managed by the platform. The vulnerability affects specific versions of API Connect V10. IBM has released patches and strongly urges customers to apply them immediately. As a temporary mitigation, disabling the self-service sign-up feature on the Developer Portal is recommended. There is currently no evidence of active exploitation.

Apple Supply Chain on Alert After Cyberattack Hits Key Chinese Manufacturer

Apple's supply chain is on high alert following a cyberattack in mid-December 2025 against one of its major Chinese manufacturing partners. The breach has raised significant concerns about the potential exposure of sensitive intellectual property, including production-line data and proprietary trade secrets related to Apple products. While the unnamed supplier claims the issue is resolved, internal audits are ongoing to assess the extent of the data loss. The incident highlights the persistent risk to major technology firms from attacks targeting their less secure supply chain partners.

Year-End Report: Ransomware Industrializes into Cartels, Edge Devices Become Top Target

A year-end analysis of the 2025 threat landscape highlights two dominant and transformative trends for enterprises. First, Ransomware-as-a-Service (RaaS) has 'industrialized,' with threat groups operating like sophisticated cartels and employing 'Extortion 2.0' tactics that involve both data encryption and theft. Second, network edge devices such as VPNs, firewalls, and routers have become the primary target for state-sponsored actors seeking initial access. Experts recommend 'industrial defenses,' including immutable backups and aggressive patch management, and a strategic shift towards Secure Access Service Edge (SASE) architecture to counter these evolving threats.

Report: AI-Powered Social Engineering and Identity Attacks Dominated 2025

The 2025 Threat-Led Defense Report from Tidal Cyber reveals a significant shift in the threat landscape, where attackers are adapting faster than security defenses. Key trends from 2025 include the widespread adoption of AI to automate and scale highly convincing social engineering campaigns, and a strategic pivot towards identity-driven attacks. Adversaries are increasingly targeting SaaS platforms, cloud administration accounts, and single sign-on (SSO) services to gain broad access without deploying traditional malware. The report also notes that zero-day exploits are now being leveraged by a wider range of criminal and hybrid actors, not just elite state-sponsored groups.

Hackers Use Animated Lures and Fake Legal Warnings to Spread Malware

HP's latest Threat Insights Report reveals a significant evolution in social engineering tactics, with cybercriminals using highly convincing lures such as professional animations and fake legal warnings to trick users into downloading malware. The report highlights a campaign impersonating the Colombian Prosecutor's Office to deliver PureRAT. It also details the abuse of trusted platforms like Discord for hosting malicious payloads like the Phantom Stealer and notes the rising threat of session cookie hijacking.

European Space Agency Probes Breach; Hacker Claims 200GB of Data for Sale

The European Space Agency (ESA) is investigating a security incident after a threat actor, using the alias "888," claimed to have breached its systems and stolen 200GB of data. The agency confirmed the breach was limited to external servers used for unclassified collaborative engineering work and that its primary corporate network remains secure. The hacker is attempting to sell the stolen data, which reportedly includes source code, project documentation, and API keys, on a cybercrime forum, raising concerns about potential intelligence gathering and future supply chain attacks.

Petco Data Breach Exposes Customer SSNs and Financial Info Due to Misconfiguration

Pet product retailer Petco has disclosed a data breach caused by a software misconfiguration that left highly sensitive customer files accessible on the internet. The exposed data includes full names, Social Security numbers, driver's license numbers, and financial account details, including credit and debit card numbers. The company discovered the issue internally and has since corrected the misconfiguration. Filings with state attorneys general indicate at least 500 California residents are affected, with an unknown number of victims in other states.

Malicious Trust Wallet Chrome Extension Pushed via Leaked API Key, $7M Stolen

Trust Wallet confirmed on December 26, 2025, that a malicious version of its Chrome browser extension (v2.68) was published, leading to the theft of approximately $7 million in cryptocurrency from 2,596 wallet addresses. The attackers bypassed internal security checks by using a leaked Chrome Web Store API key to publish the compromised version directly. The malicious code was hidden within the application's analytics logic, using the PostHog library to exfiltrate user data to an attacker-controlled server. Over $4 million of the stolen funds have already been laundered through centralized exchanges. Trust Wallet has suspended the malicious domain and is processing reimbursements for affected users.

2025: The Year Cybersecurity 'Crossed the AI Rubicon'

According to analysis published on December 14, 2025, the year 2025 represents a fundamental and irreversible turning point for the cybersecurity industry. The widespread integration of Artificial Intelligence (AI) into both offensive and defensive strategies has permanently altered the threat landscape. Key trends include the rise of 'agentic AI' capable of autonomous attacks, adaptive threats that change tactics in real-time, and a surge in highly convincing, AI-generated phishing and deepfake content. While defenders are also adopting AI, the 'great acceleration' in threat complexity is forcing a complete rethink of security playbooks.

Maximum Severity RCE Flaw in SmarterMail Puts Mail Servers at Risk

A critical, unauthenticated arbitrary file upload vulnerability in SmarterMail, tracked as CVE-2025-52691, has been disclosed, earning the maximum possible CVSS score of 10.0. The flaw allows a remote attacker to upload malicious files, such as a web shell, to any location on an affected server without needing credentials. This can lead to remote code execution (RCE), enabling a complete takeover of the mail server. The vulnerability affects SmarterMail builds 9406 and earlier. Although a patch was released in October 2025 (Build 9413), the public disclosure was delayed until late December. The Cyber Security Agency of Singapore (CSA) has issued an alert, urging administrators to update immediately due to the high risk of exploitation, especially for internet-facing mail servers.

Insider Threat: Cybersecurity Pros Plead Guilty to ALPHV/BlackCat Ransomware Attacks

In a significant insider threat case, two American cybersecurity professionals, Ryan Goldberg and Kevin Martin, have pleaded guilty to conspiracy to commit extortion. The pair admitted to using their expert knowledge and access gained from their roles in incident response and ransomware negotiation to conduct ransomware attacks against U.S. companies using the ALPHV/BlackCat ransomware variant. Operating as affiliates for the Ransomware-as-a-Service (RaaS) group, they targeted organizations in the healthcare, engineering, and technology sectors, extorting $1.2 million in one case. The Department of Justice announced the pleas on December 30, 2025, highlighting the danger of trusted insiders turning to cybercrime. Both individuals face up to 20 years in prison.

Rainbow Six Siege Hacked: Attackers Flood Game with $13M in Currency, Disrupting Economy

Over the weekend of December 27-28, 2025, Ubisoft's popular online shooter, Rainbow Six Siege, was hit by a major security breach. Attackers infiltrated the game's backend systems, distributing approximately 2 billion 'R6 Credits'—the game's premium currency, valued at over $13 million—to every player. The hackers also took control of moderation systems, issuing random bans and unbans, causing widespread chaos. In response, Ubisoft was forced to take the game completely offline to perform a full data rollback. While unconfirmed, some hacker groups have claimed responsibility, alleging they used the recently disclosed 'MongoBleed' exploit to gain access and may have stolen over 900GB of development data.

Fallout from 2022 LastPass Breach Continues: Over $35M in Crypto Stolen

The 2022 data breach at password manager LastPass is continuing to enable widespread financial theft, with researchers tracing over $35 million in stolen cryptocurrency to the incident. A report by blockchain intelligence firm TRM Labs reveals that threat actors are systematically cracking the encrypted password vaults stolen in the breach, with thefts observed as recently as October 2025. By brute-forcing weak master passwords, attackers gain access to stored crypto private keys and seed phrases. The stolen funds are being laundered through a sophisticated network involving privacy mixers and high-risk Russian exchanges, pointing to an organized cybercriminal operation. This long-tail exploitation highlights the severe and prolonged risks associated with password manager breaches.

Hacker Leaks 2.3M WIRED Subscriber Records, Threatens 40M More from Condé Nast

A threat actor named 'Lovely' has leaked a database containing over 2.3 million records of WIRED magazine subscribers on a hacking forum. The leaked data includes email addresses, internal IDs, and in some cases, full names, phone numbers, and physical addresses. The hacker claims the leak is retaliation against WIRED's parent company, Condé Nast, for ignoring vulnerability disclosure reports for a month. 'Lovely' has threatened to release a much larger dataset of 40 million records from other Condé Nast brands like The New Yorker and Vogue. The data, which has been added to Have I Been Pwned, appears to have been exfiltrated by exploiting web application vulnerabilities such as IDOR or broken access control.

Cl0p Implicated in Oracle Zero-Day Attacks, Breaching UPenn and University of Phoenix

The University of Pennsylvania and the University of Phoenix have both reported data breaches resulting from the exploitation of zero-day vulnerabilities in their Oracle E-Business Suite servers. The attacks have compromised the personal information of at least 1,488 individuals at UPenn and a much larger, unspecified number of students, alumni, and staff at the University of Phoenix. Security researchers suspect the notorious Cl0p ransomware gang is behind the campaign, continuing their pattern of exploiting vulnerabilities in widely used enterprise software for large-scale data theft and extortion. Both institutions are currently notifying affected individuals.

Hyperjacking: Ransomware Attacks on Hypervisors Skyrocket by 700%

Security vendor Huntress reports a staggering 700% increase in ransomware attacks directly targeting virtualization hypervisors like VMware ESXi and Microsoft Hyper-V in the latter half of 2025. This marks a significant strategic shift by threat actors, with the Akira ransomware group being a primary driver. By compromising the hypervisor, attackers can bypass traditional endpoint security and encrypt dozens or hundreds of virtual machines simultaneously, causing catastrophic operational disruption. The typical attack vector involves exploiting weak or stolen credentials for internet-facing services, such as VPNs without MFA, to gain initial access before moving laterally to the virtualization infrastructure. This trend underscores the critical need for organizations to harden and secure their core virtualization platforms.

900,000+ Users Compromised: Malicious Chrome Extensions Steal ChatGPT & DeepSeek Conversations

A significant data theft campaign has been uncovered involving two malicious Google Chrome extensions that were installed by over 900,000 users. The extensions, which impersonated legitimate AI productivity tools, were designed to secretly capture and exfiltrate entire conversation histories from AI platforms like ChatGPT and DeepSeek. In addition to stealing potentially sensitive AI chat data, the malware also monitored all user browsing activity, sending the harvested information to an attacker-controlled command-and-control server at `deepaichats[.]com`. One of the extensions had even received a 'Featured' badge from Google, highlighting the challenge of policing browser extension marketplaces.

DevMan Ransomware Group Claims Attack on U.S. Financial Firm Sharinc Inc.

The DevMan ransomware group has claimed responsibility for a cyberattack against Sharinc Inc., a U.S.-based financial organization. The claim was made on December 28, 2025, on the group's data leak site. The attackers have threatened to publish sensitive financial and customer data if their extortion demands are not met. This incident underscores the persistent and targeted threat that ransomware gangs pose to the financial services industry, which remains a high-value target due to the sensitive nature of the data it handles.

Software Supply Chain Attacks Doubled in 2025, Report Finds

A year-end security analysis published on December 29, 2025, reveals that software supply chain attacks more than doubled globally in 2025, with associated losses projected to reach $60 billion. The report, from CleanStart, indicates that this has become a systemic risk, with over 70% of organizations experiencing a related security incident. Despite the surge, the report finds that enterprise readiness to combat these threats remains critically low, with most organizations unable to quickly identify compromised components within their software.

Microsoft and Adobe Release December Patches for Over 190 Vulnerabilities

In their final security updates for 2025, Microsoft and Adobe addressed a combined total of over 190 vulnerabilities on December 28. Microsoft's Patch Tuesday release fixed 56 flaws, including a critical zero-day privilege escalation vulnerability (CVE-2025-62221) in the Windows Cloud Files Mini Filter Driver that is being actively exploited. Adobe's release was even more extensive, remediating 139 CVEs across a range of products, including Adobe Reader and Experience Manager. Administrators are urged to apply these critical updates promptly to mitigate risks.

Critical XSS Flaw in WordPress Plugin 'Invelity SPS connect' Disclosed

A reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2025-68876, was disclosed on December 28, 2025, affecting the 'Invelity SPS connect' WordPress plugin. The flaw, which has a CVSS score of 7.1, can be exploited by unauthenticated attackers and impacts all versions up to and including 1.0.8. At the time of disclosure, no patch was available. An attacker could trick a user into clicking a malicious link to execute arbitrary JavaScript in their browser, potentially leading to session hijacking. Administrators are advised to disable the plugin immediately.

Qilin Ransomware Gang Adds Business Services Firm B Dynamic to Leak Site

The Qilin ransomware group, a prominent ransomware-as-a-service (RaaS) operation, has listed business services company 'B Dynamic' as its latest victim on its dark web data leak site. The December 1, 2025, posting indicates that the company has suffered a network compromise and data exfiltration. By publicizing the breach, the Qilin group is employing its standard double-extortion tactic to pressure the victim into paying a ransom to prevent the public release of stolen data. This incident highlights the persistent threat from established ransomware gangs.

Clop Ransomware Breaches Barts Health NHS Trust via Oracle Zero-Day

The Clop ransomware gang has claimed responsibility for a significant data breach at Barts Health NHS Trust, one of England's largest healthcare providers. The attack, which occurred in August 2025, leveraged a zero-day vulnerability in Oracle E-Business Suite. The threat actors exfiltrated files from an invoice database containing the names and addresses of patients and former staff. This data was later published on Clop's dark web leak site. While core clinical systems were reportedly unaffected, the compromised information poses a serious risk for follow-on social engineering and fraud attacks. The incident is part of a wider campaign by Clop targeting the now-patched Oracle vulnerability.

Everest Ransomware Claims Breach of Chrysler, Threatens to Leak Over 1TB of Data

The Everest ransomware group has claimed responsibility for a significant data breach at the American automaker Chrysler. In a post on its dark web leak site on December 25, 2025, the group alleged it exfiltrated over 1 terabyte (TB) of data, including a "full database" of company operations and over 100 GB of Salesforce data covering 2021 to 2025. Chrysler has not yet confirmed the breach, but the claim represents a serious threat of data exposure for the major automotive manufacturer, following a common double-extortion tactic.

Living Off the Cloud: Phishing Campaign Abuses Google Cloud Service to Bypass Security Filters

A widespread and sophisticated phishing campaign is abusing Google Cloud's own Application Integration service to send malicious emails that appear to come from a legitimate Google address ("noreply-application-integration@google.com"). This technique allows the emails to bypass standard security filters like SPF and DMARC. The campaign, which sent nearly 9,400 emails in two weeks, impersonates routine notifications to trick users into clicking links that lead to credential harvesting pages, demonstrating how attackers are increasingly weaponizing trusted cloud platforms.

Iran's "Prince of Persia" APT Returns with Upgraded Malware, Uses Telegram for C2

The Iranian state-sponsored threat group "Prince of Persia" has resurfaced with multiple active malware campaigns, according to a new report from SafeBreach. The APT group is deploying new variants of its signature "Tonnerre" and "Foudre" backdoors. In a significant tactical evolution, one new variant, Tonnerre v50, now uses Telegram for command and control (C2) communications, replacing older protocols. The campaigns, which feature multiple Domain Generation Algorithms (DGAs), appear to be targeting critical infrastructure, indicating a patient and re-tooled adversary.

"Aisuru" Botnet Shatters Records with 29.7 Tbps DDoS Attack

A powerful botnet-for-hire service named "Aisuru" has emerged as a major global threat, responsible for a new record-breaking Distributed Denial-of-Service (DDoS) attack peaking at 29.7 Terabits per second (Tbps). The botnet, which leverages millions of compromised Internet of Things (IoT) devices and routers, has been linked to over 1,300 attacks in just three months. The industrial scale of the Aisuru service poses a severe risk to internet stability, with attacks impacting the gaming, telecommunications, and financial services sectors.

Baker University Discloses Year-Old Breach Affecting Over 53,000 Individuals

Baker University in Kansas has begun notifying 53,624 individuals about a severe data breach that occurred in December 2024. Attackers maintained access to the university's network for over two weeks, from December 2 to December 19, 2024. The compromised data is highly sensitive, including names, Social Security numbers, student IDs, financial account information, and private health data. The university detected the breach following a network outage but is only now, a full year later, informing the victims.

Critical RCE Flaw in n8n Puts 103,000+ Workflow Automation Servers at Risk

A critical remote code execution (RCE) vulnerability, CVE-2025-68613, with a CVSS score of 9.9, has been disclosed in the n8n workflow automation platform. The flaw affects over 103,000 publicly exposed instances. It allows an authenticated attacker with low-level privileges (the ability to create or edit workflows) to execute arbitrary commands on the underlying server by exploiting an expression injection weakness. This can lead to a full server compromise, data exfiltration, and lateral movement into connected systems. Users are urged to upgrade to patched versions (1.120.4, 1.121.1, or 1.122.0) immediately.

LockBit 5.0 Ransomware Claims Attack on Greek Luxury Hotel Group EM Resorts

On December 26, 2025, the prolific LockBit 5.0 ransomware group claimed responsibility for a cyberattack against EM Resorts, a luxury hotel operator based in Crete, Greece. The group posted a notice on its dark web leak site, threatening to publish exfiltrated data unless a company representative makes contact. This incident follows LockBit's typical double-extortion model, where they both encrypt victim data and steal it for leverage. The full scope of the breach and the type of data stolen have not yet been disclosed, but the attack highlights the ongoing threat ransomware poses to the hospitality industry.

Typo in Windows Activation Script Leads to Cosmali Loader Malware Infection

A typosquatting campaign discovered on December 26, 2025, is targeting users of the popular Microsoft Activation Scripts (MAS) tool. Attackers registered the domain `get.activate[.]win`, a common misspelling of the legitimate domain. Users who mistype the command are redirected to the malicious site, which infects their systems with the Cosmali Loader malware. This loader, in turn, deploys additional payloads, including cryptominers and the XWorm Remote Access Trojan (RAT), giving attackers full control over the victim's machine. In a strange twist, some victims received a pop-up warning them of the infection, believed to be from a third party who hacked the malware's C2 panel.

Debian Patches High-Severity SQL Injection Flaw in PgBouncer

On December 27, 2025, the Debian project released a security update for a high-severity SQL injection vulnerability, CVE-2025-12819, in PgBouncer, a widely used connection pooler for PostgreSQL. The flaw, which has a CVSS score of 8.1, allows an unauthenticated remote attacker to execute arbitrary SQL commands. The vulnerability can be triggered by injecting a malicious 'search_path' parameter during the authentication process. The issue has been fixed in PgBouncer version 1.25.1 and backported to Debian 11 'bullseye' in version 1.15.0-1+deb11u2. Administrators are urged to upgrade their packages to mitigate the risk.

Evasive Panda APT Hijacks DNS to Deploy MgBot Backdoor in Multi-Country Espionage Campaign

A sophisticated, long-running cyber-espionage campaign by the China-linked threat actor 'Evasive Panda' (also known as Bronze Highland) has been detailed. Active between November 2022 and November 2024, the group targeted entities in Türkiye, China, and India. Instead of traditional phishing, the attackers used adversary-in-the-middle (AitM) attacks, specifically DNS poisoning, to hijack legitimate software update channels. This allowed them to deliver the modular MgBot backdoor, a potent espionage tool capable of file harvesting, keylogging, and credential theft, by injecting it into the legitimate 'svchost.exe' process.

Romanian Energy Giant Hit by 'Gentlemen' Ransomware in Holiday Attack

Romania's largest coal-based energy producer, Oltenia Energy Complex, was struck by the 'Gentlemen' ransomware group in a targeted attack on December 26, 2025. The incident disrupted key business applications, including ERP systems and corporate email, by encrypting files. While power generation and the national energy grid were not affected, the attack highlights the increasing trend of targeting critical infrastructure during holiday periods when staffing is reduced. The company has isolated affected systems and initiated an investigation with Romania's organized crime unit.

Critical Flaws Under Fire: 'React2Shell' (CVSS 10.0) and Windows Zero-Day Actively Exploited

A December 26 security report highlights a convergence of critical vulnerabilities being actively exploited in the wild. Among them is 'React2Shell' (CVE-2025-55182), a CVSS 10.0 remote code execution flaw in React Server Components used to deploy cryptominers. Additionally, a Windows zero-day (CVE-2025-62221) allowing local privilege escalation to SYSTEM is being used in targeted attacks. The report also warns of two high-severity authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiGate firewalls, creating a multi-front threat for organizations.

Christmas Day Barrage: Mass Exploit Campaign Hits Adobe ColdFusion Servers

A massive, coordinated exploitation campaign targeted Adobe ColdFusion servers, peaking on Christmas Day 2025. Security firm GreyNoise reported that a single threat actor, operating almost exclusively from Japan-based infrastructure, launched nearly 6,000 exploit attempts against more than ten different ColdFusion CVEs. The primary attack vector was JNDI/LDAP injection. This activity is believed to be part of a much larger initial access broker operation, where the same actor has been observed scanning for hundreds of different vulnerabilities across numerous technology stacks to compromise systems and sell access to other cybercriminals.

Critical Flaw in WHILL Wheelchairs Allows Remote Hijacking via Bluetooth

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for a critical vulnerability, CVE-2025-14346, in WHILL electric wheelchairs. The flaw, rated 9.8 on the CVSS scale, stems from a missing authentication mechanism over Bluetooth. It allows an attacker within Bluetooth range (approx. 30 feet) to pair with a device and gain complete control, including issuing movement commands and overriding speed limits. This poses a direct physical safety risk to users. The manufacturer, WHILL Inc., has deployed firmware and application mitigations.

HoneyMyte APT (Mustang Panda) Deploys New Kernel-Mode Rootkit to Hide Backdoor

The Chinese cyber-espionage group HoneyMyte (also known as Mustang Panda) has significantly upgraded its toolkit by incorporating a kernel-mode rootkit, according to research from December 26, 2025. The rootkit is used to protect and conceal a new variant of its exclusive ToneShell backdoor. The malicious driver, often signed with a stolen certificate, registers itself as a mini-filter to hide the malware's files, processes, and registry keys from security tools. This advanced technique, observed in attacks against government targets in Myanmar and Thailand, dramatically increases the malware's stealth and persistence.

CISA Warns of Code Execution Flaw in WatchGuard Fireware OS

On December 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert for a vulnerability in WatchGuard's Fireware OS. The flaw could potentially allow an attacker to execute arbitrary code on an affected network security appliance. Specific details such as the CVE identifier and affected versions were not included in the initial alert. CISA urges administrators of WatchGuard devices to review vendor advisories for technical details and apply recommended mitigations to protect their network perimeters.

SEC Busts $14M AI-Powered Crypto Scam That Used Deepfakes

The U.S. Securities and Exchange Commission (SEC) has charged seven entities for their involvement in a sophisticated cryptocurrency investment scam that defrauded retail investors of over $14 million. The scheme, which ran for a year, used social media ads featuring deepfake videos of financial professionals to lure victims into private messaging groups. Inside these groups, fraudsters posing as experts used AI-generated investment tips to build trust before directing victims to fraudulent trading platforms. When investors tried to withdraw funds, they were hit with advance fee demands, compounding their losses.

2025 in Review: Mega-Deals Like Google/Wiz and Palo Alto/CyberArk Reshape Cybersecurity

The cybersecurity industry witnessed a massive wave of consolidation in 2025, with total M&A deal value approaching the record $75 billion set in 2021. A year-end analysis highlights several multi-billion dollar mega-deals, including Google's $32 billion acquisition of Wiz, Palo Alto Networks' $25 billion purchase of CyberArk, and ServiceNow's $7.75 billion deal for Armis. This surge reflects a fundamental market shift away from point solutions and towards integrated, simplified, and automated security platforms capable of managing complex risks across cloud, AI, and identity.

NIST and MITRE Launch $20M AI Centers to Secure Critical Infrastructure

The U.S. National Institute of Standards and Technology (NIST) and the non-profit MITRE Corporation have announced a $20 million investment to establish two new national artificial intelligence (AI) research centers. The initiative aims to accelerate the adoption of AI to boost U.S. manufacturing competitiveness and to develop advanced methods for securing the nation's critical infrastructure from AI-driven cyberthreats. The centers will leverage MITRE's extensive experience in operating federal R&D centers and its public contributions like the ATT&CK framework.

Malicious Scripts Targeting ICS Surge in East Asia, Kaspersky Reports

A Q3 2025 threat report from Kaspersky's ICS CERT reveals a significant increase in cyber threats targeting Industrial Control Systems (ICS) in East Asia. The region jumped to third place globally for the percentage of ICS computers where malicious objects were blocked. The most alarming trend was a surge in malicious scripts and phishing pages, which became the top threat category, with attack rates 1.4 times higher than the global average. This spike is primarily attributed to attacks targeting the engineering and ICS integrator sector in Mainland China, where malware was found hidden in customized P2P client applications.

Fake Job Ad Scams Surge Across MENA Region, Experts Warn

Security researchers are warning of a rising tide of coordinated scam campaigns targeting job seekers across the Middle East and North Africa (MENA) region. These campaigns utilize fake online job advertisements posted on social media and job portals to deceive individuals. The goal is to trick victims into divulging sensitive personal information or making fraudulent payments for non-existent application fees or training materials. This trend aligns with a global increase in sophisticated digital fraud, where criminals exploit economic conditions and the need for employment.

AI Adoption Fuels 'Massive' Cloud Attack Surface Expansion, Palo Alto Networks Report Warns

Palo Alto Networks' 2025 'State of Cloud Security Report' reveals that the rapid adoption of AI is creating an unprecedented expansion of the cloud attack surface. The study, surveying 2,800 security leaders, found that 99% of organizations have had their AI systems attacked in the last year. The use of generative AI in coding is producing insecure code faster than security teams can remediate it, creating a significant risk gap. API attacks have surged by 41% year-over-year, and lenient identity and access management (IAM) remains a top vulnerability. The report calls for a unified, platform-based approach to cloud security to counter AI-weaponized threats.

CISA Adds Actively Exploited Fortinet SSO Flaw to KEV Catalog, Urges Immediate Patching

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Fortinet vulnerability, CVE-2025-59718, to its Known Exploited Vulnerabilities (KEV) catalog, indicating active attacks in the wild. The flaw, rated 9.1 CVSS, allows an unauthenticated attacker to bypass FortiCloud single sign-on (SSO) authentication on multiple products, including FortiOS and FortiProxy, by sending a crafted SAML message. Security firm Arctic Wolf observed attackers exploiting the flaw within days of its disclosure to export device configurations and harvest credentials. CISA has mandated that federal agencies patch by December 23, 2025, and strongly advises all organizations to apply updates or disable the feature immediately.

Anna's Archive Scrapes 300TB of Spotify Music Data in "Preservation" Effort

The hacktivist and digital preservation group Anna's Archive has announced it scraped and archived nearly 300 TB of data from the music streaming giant Spotify. The trove includes metadata for 256 million tracks and audio for 86 million songs, which the group plans to release via torrents. Spotify clarified this was not a system breach but a large-scale violation of its terms of service by third-party accounts created to systematically exfiltrate content. The company confirmed that no private user data like passwords or payment details were compromised and that the abusive accounts have been disabled.

DoJ Dismantles $28M Bank Fraud Ring, Seizes Phishing Database

The U.S. Department of Justice has seized the domain `web3adspanels.org` and its associated backend database, which were central to a massive bank account takeover fraud operation. The criminal scheme used phishing websites to impersonate financial institutions and harvest victim credentials, leading to attempted losses of approximately $28 million and actual losses of $14.6 million. The action follows an FBI warning about this type of fraud and was coordinated with law enforcement in Estonia and Georgia.

New MacSync Malware Dropper Bypasses macOS Gatekeeper with Apple Notarization

A new campaign is distributing the MacSync information-stealing malware using a dropper that successfully bypasses Apple's macOS Gatekeeper security feature. The malicious installer is packaged as a disk image for a fake messaging app, and crucially, has been both digitally signed and notarized by Apple. This abuse of Apple's own security vetting process allows the malware to appear as a trusted application, tricking users into running it and compromising their systems to exfiltrate sensitive information.

Kazakhstan Issues New National Cybersecurity Guidelines Amid Rising Public Awareness

On December 23, 2025, Kazakhstan's Ministry of Digital Development, Innovation and Aerospace Industry (MAIDD) published updated national recommendations for cybersecurity and personal data protection. This initiative aims to strengthen the country's digital defenses and comes as a recent study reveals that public awareness of cyber threats has surged to 86% in 2025, up from 62.9% in 2018. The new guidelines emphasize key practices like encryption and the use of antivirus software.

Major Blow to African Cybercrime: 574 Arrested, $3M Seized in International Takedown

A large-scale, coordinated international law enforcement operation has dismantled several major cybercrime networks operating across West and Central Africa. The crackdown resulted in the arrest of 574 individuals and the seizure of approximately $3 million. The operation targeted criminal syndicates involved in a range of illicit activities, including Business Email Compromise (BEC) scams, ransomware attacks, and other forms of online fraud. Arrests were made in Senegal, Ghana, Benin, and Cameroon.

Romanian Water Authority Crippled by Ransomware, 1,000 Systems Encrypted with BitLocker

On December 20, 2025, Romania's national water authority, Administrația Națională Apele Române, was targeted in a significant ransomware attack. The incident compromised approximately 1,000 IT systems across its headquarters and 10 of 11 regional offices. Attackers employed a "living off the land" technique, weaponizing the native Windows BitLocker tool to encrypt systems instead of deploying custom ransomware. While IT services such as email, web servers, and GIS applications were disrupted, the agency confirmed that its Operational Technology (OT) networks controlling physical water infrastructure were not impacted, preventing a disruption to public water services. The Romanian National Cyber Security Directorate (DNSC) is investigating the incident and has reiterated its policy of not negotiating with attackers.

Nissan Breach Exposes 21,000 Customers After Third-Party Red Hat Server Compromise

Nissan Motor Co. announced on December 22, 2025, a data breach affecting approximately 21,000 customers. The incident was a result of a supply chain attack, originating from the compromise of a Red Hat-managed GitLab server. This server was used by a third-party contractor developing a customer management system for a Nissan dealership. Red Hat detected the initial unauthorized access on September 26, 2025, and notified Nissan on October 3. The exposed data includes customer names, addresses, phone numbers, and partial email addresses. The extortion group ShinyHunters and a group called 'Crimson Collective' have been linked to the initial attack on Red Hat's infrastructure.

Anubis Ransomware Hits AllerVie Health, Exposing Patient SSNs and Driver's Licenses

AllerVie Health, a Texas-based healthcare provider, began notifying patients on December 22, 2025, of a ransomware attack that exposed highly sensitive personal information. The company detected the intrusion on November 2, 2025, with forensic analysis revealing unauthorized access occurred between October 24 and November 3. The exposed data includes patient names, Social Security numbers, and driver's license numbers. The attack has been linked to the Anubis ransomware group, which allegedly claimed to have stolen data from over 30,000 patients on its dark web leak site. AllerVie is offering complimentary credit monitoring services to affected individuals.

New WhatsApp Hijack Method Bypasses 2FA via SIM Swapping Attacks

On December 21, 2025, security researchers highlighted a growing attack method used to hijack WhatsApp accounts that bypasses traditional authentication measures. The technique relies on SIM swapping, where attackers use social engineering to convince a victim's mobile carrier to transfer their phone number to a SIM card controlled by the attacker. Once they control the number, they can install WhatsApp and receive the SMS verification code to take over the account, locking the legitimate user out. This method circumvents the need to crack passwords or bypass on-device security. The North Korea-linked threat group APT37 has reportedly been observed using this technique.

Data Breaches Trigger Securities Lawsuits Against Tech Companies

A report on December 21, 2025, revealed a growing legal trend where companies face securities class-action lawsuits following data breaches. Two unnamed technology companies are now facing such litigation from investors. The lawsuits allege that the companies made misleading statements or failed to disclose known cybersecurity weaknesses in their public filings, which artificially inflated their stock prices. When the data breaches were eventually announced, the subsequent drop in stock value caused financial harm to investors, who are now suing to recover their losses. This highlights the increasing pressure from regulators and shareholders for transparent and accurate cybersecurity risk disclosures.

CEO of Chinese Cybersecurity Firm Cnzxsoft Hit with Spending Ban Amid Debt Crisis

On December 22, 2025, veteran Chinese cybersecurity firm Cnzxsoft (Zhongxin Network Information Security Co., Ltd.) was placed on a Beijing court's list of "dishonest judgment debtors" due to a severe liquidity crisis. As a result, the company's founder and CEO, Zhou Xiandong, was issued a Restricted Consumption Order, which bars him from high-cost personal spending such as luxury travel. Cnzxsoft, a firm with major state-owned clients like CCTV and China Mobile, is facing profound financial distress, highlighting systemic cash flow problems within China's IT sector, where long payment cycles from government contracts are common.

Australian Fertility Clinic Genea Hit by 'Termite' Ransomware Gang

The 'Termite' ransomware gang has claimed responsibility for an attack on Australian fertility provider Genea. The group, which uses a variant of the leaked Babuk ransomware code, alleges it exfiltrated 700GB of highly sensitive patient data, including medical histories and diagnostic results. This double-extortion attack places victims at severe risk of fraud and personal extortion, highlighting the growing threat to the healthcare sector.

SonicWall Zero-Day Chained with Older Flaw for Full Device Takeover

A new zero-day vulnerability (CVE-2025-40602) in SonicWall SMA 100 and 1000 series appliances is being actively exploited in the wild. Threat actors are chaining this local privilege escalation flaw with a previously patched critical pre-authentication vulnerability (CVE-2025-23006) to achieve full, unauthenticated root access on the secure access devices. Administrators are urged to patch immediately.

Trump Administration Preparing New 6-Pillar National Cybersecurity Strategy

The Trump administration is reportedly preparing a new, concise national cybersecurity strategy for release in January 2026. According to reports, the five-page document is structured around six core pillars and may be accompanied by a new executive order to mandate its implementation across all U.S. federal agencies, aiming to address accelerating threats from nation-states and criminal groups.

Australian Health Audit Finds Clinicians Routinely Bypass Security Controls

An audit of the New South Wales (NSW) healthcare system in Australia has revealed that clinicians are routinely bypassing critical cybersecurity controls, such as password sharing and using personal devices, to save time in high-pressure environments. This widespread "normalisation of non-compliance" creates significant security gaps and increases the risk of cyberattacks in the already heavily targeted healthcare sector, highlighting a critical failure in security culture.

React2Shell Apocalypse: CVSS 10.0 Flaw Exploited by China, North Korea, and Botnets

A critical, unauthenticated remote code execution vulnerability (CVSS 10.0) in React Server Components, dubbed 'React2Shell' and tracked as CVE-2025-55182, is under widespread attack. The flaw allows attackers to take full control of vulnerable servers with a single crafted HTTP request. Within hours of disclosure, Chinese and North Korean state-sponsored groups, alongside criminal botnets, began mass exploitation campaigns. These attacks deploy a range of malware, including the new EtherRAT backdoor, Cobalt Strike, and infostealers. With over 165,000 vulnerable instances identified and half remaining unpatched, CISA has issued an emergency directive for federal agencies to mitigate the threat immediately, highlighting the extreme urgency for all affected organizations to apply patches.

University of Sydney Data Breach Exposes Info of 27,500 Staff and Students

The University of Sydney has announced a significant data breach affecting approximately 27,500 individuals after an unauthorized party gained access to an internal IT code library. The compromised repository contained historical data files with personal information of current and former staff, affiliates, students, and alumni, primarily from 2010-2019. Exposed data includes names, dates of birth, phone numbers, and home addresses. The university has secured the environment and is in the process of notifying all affected individuals while an investigation is ongoing.

Nefilim Ransomware Operator Pleads Guilty in U.S. Court

Artem Aleksandrovych Stryzhak, a Ukrainian national, has pleaded guilty in a U.S. federal court for his role in the Nefilim ransomware conspiracy. Stryzhak, 35, was a key operator for the ransomware group that targeted high-revenue companies in the U.S. and Europe between 2018 and 2021, causing millions in damages. The group was known for its double-extortion tactics, stealing data before encryption and threatening to leak it on their 'Corporate Leaks' site. Stryzhak faces up to 10 years in prison, while his co-conspirator, Volodymyr Tymoshchuk, remains at large with an $11 million bounty offered by the U.S. Department of State.

URGENT: Cisco Warns of Active Zero-Day Attacks on Email Security Appliances

Cisco has issued an urgent security advisory for an actively exploited zero-day vulnerability in its AsyncOS software, affecting Cisco Secure Email Gateway (formerly IronPort) and Secure Email and Web Manager appliances. Threat actors are leveraging the unpatched flaw to deploy persistent backdoors and tunneling tools, granting them long-term, stealthy access to enterprise email infrastructure. A patch is not yet available, and Cisco is strongly urging administrators to apply interim mitigations, restrict management access, and monitor logs for signs of compromise.

Warning: "GhostPairing" Attack Hijacks WhatsApp Accounts with Malicious QR Codes

A new social engineering campaign dubbed "GhostPairing" is exploiting WhatsApp's multi-device linking feature to hijack user accounts. India's CERT-In has issued a high-severity warning about the attack, which tricks victims into scanning a malicious QR code or entering a pairing code from a fraudulent website. This action links the attacker's device to the victim's account, granting them full access to messages, contacts, and media without needing a password or SIM swap. The attack bypasses traditional authentication, relying purely on deceiving the user into performing the linking action themselves.

MongoDB 'MongoBleed' Flaw Allows Unauthenticated Data Leaks, Actively Exploited

MongoDB has disclosed a high-severity vulnerability, CVE-2025-14847, nicknamed "MongoBleed." The flaw is an unauthenticated memory leak in the database server's zlib compression functionality. A remote, unauthenticated attacker can send a malformed message to a vulnerable server, causing it to leak contents of its memory. This exposed data can include sensitive information like plaintext passwords, API keys, and session tokens from other user sessions. The vulnerability affects multiple versions of MongoDB, and with a PoC exploit public and active exploitation confirmed, administrators are urged to upgrade immediately or disable zlib compression as a workaround.

.NET "SOAPwn" Flaw Allows Authentication Bypass and RCE in Enterprise Apps

A critical vulnerability nicknamed "SOAPwn" has been discovered in .NET applications utilizing SOAP-based web services. The flaw, reported on December 19, 2025, allows an unauthenticated attacker to send a specially crafted SOAP request to bypass security checks and achieve remote code execution. This poses a severe risk to many enterprise applications that rely on the legacy SOAP protocol for critical business functions. Microsoft has issued guidance and released patches, urging organizations to update their applications immediately and monitor for suspicious SOAP traffic.

China-Linked Hackers Exploit Critical Cisco Email Gateway Zero-Day

Cisco has revealed that a China-affiliated advanced persistent threat (APT) group, tracked as UAT-9686, is actively exploiting a critical zero-day vulnerability in its email security products. The flaw, CVE-2025-20393, is a remote code execution vulnerability with a maximum CVSS score of 10.0, affecting Cisco Secure Email Gateway and Secure Email and Web Manager appliances. The attackers have been exploiting the flaw since late November 2025 to gain root-level access and have deployed persistence mechanisms on compromised devices. Due to active exploitation by a nation-state actor, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies.

HPE Issues Urgent Patch for 10.0 CVSS RCE Flaw in OneView

Hewlett Packard Enterprise (HPE) has released an urgent security advisory for CVE-2025-37164, a critical vulnerability in its OneView infrastructure management software with a maximum CVSS score of 10.0. The flaw allows a remote, unauthenticated attacker to achieve complete remote code execution on affected systems. HPE OneView versions 5.20 through 10.20 are impacted. Given that OneView serves as a central control plane for enterprise server, storage, and firmware management, a compromise could give an attacker control over vast segments of IT infrastructure. HPE is urging customers to upgrade to the patched version 11.0 or apply an emergency hotfix immediately.

Actively Exploited RCE Flaw in WatchGuard Firewalls Puts Networks at Risk

WatchGuard has issued an urgent advisory for customers to patch CVE-2025-14733, a critical remote code execution vulnerability in its Fireware OS that is confirmed to be under active exploitation. The flaw, an out-of-bounds write issue in the IKEv2 process, has a CVSS score of 9.3 and can be exploited by an unauthenticated remote attacker. The vulnerability affects Firebox firewalls with specific IKEv2 VPN configurations enabled. Given that firewalls are prime targets for initial access, immediate application of the provided security updates is crucial to protect network perimeters from compromise.

Manufacturing Web Portals Are a Weak Link in Supply Chain Attacks

A new report reveals that cybercriminals are increasingly targeting manufacturers through their public-facing web portals, such as supplier and customer forms, to execute supply chain attacks. Attackers are using bots and SQL injection to compromise these forms, which often run on legacy systems with weak security. The goal is to steal sensitive data, including credentials and intellectual property, or to gain a foothold to attack more heavily regulated downstream customers in defense, healthcare, and finance. A survey found that 85% of manufacturing firms experienced a security incident related to web forms, and 42% confirmed a resulting data breach.

"GhostPoster" Malware Infects 50,000+ Firefox Users via Malicious Add-ons

A stealthy malware campaign named "GhostPoster" has infected over 50,000 Mozilla Firefox users by distributing 17 malicious browser extensions. The add-ons, which masqueraded as legitimate tools like VPNs and ad blockers, have been removed from the Firefox store. The malware employed a clever technique, hiding obfuscated JavaScript within the add-on's logo image file. This code would then contact command-and-control (C2) servers to download a final payload designed for hijacking affiliate links and committing ad fraud. The campaign used evasion techniques like randomized and delayed C2 callbacks to avoid detection.

"Scripted Sparrow" BEC Group Targets Finance Teams with Highly Structured Attacks

A disciplined and persistent Business Email Compromise (BEC) group, newly identified by Fortra as "Scripted Sparrow," has been systematically targeting corporate finance teams since at least June 2024. The group employs a structured and well-researched approach, sending highly credible phishing emails with fake invoices that impersonate professional services firms. To add legitimacy, the attackers often include forged prior email correspondence from a company executive authorizing the payment. The group utilizes a large network of US-based mule accounts for cashing out, indicating a well-organized and persistent financial threat.

"IRLeaks" Supply Chain Attack Hits Iranian Banks, Exposing Millions of Customer Records

A major supply chain attack dubbed "IRLeaks" has resulted in a significant data breach affecting several prominent Iranian banks and millions of their customers. Attackers first compromised a third-party IT vendor in October 2025, using it as a pivot point to infiltrate the banks' networks. Over the following month, they exfiltrated vast amounts of financial data and personally identifiable information (PII), including national IDs and bank account numbers, before the breach was discovered in late November. The incident highlights the critical risks associated with third-party vendor security and inadequate patch management.

Ransomware Evolves: "ClickFix" Social Engineering and Threat Actor Alliances on the Rise

A December 2025 threat report from NCC Group indicates that while ransomware attack volumes plateaued in November with 583 incidents, their sophistication markedly increased. Attackers are increasingly adopting the "ClickFix" (also known as ClearFake) social engineering technique, which tricks users into manually running malicious commands, bypassing many automated defenses. The report also highlights a trend of collaboration, with groups like DragonForce forming alliances with skilled affiliates from other networks. The Qilin ransomware group remained the most prolific actor, with the industrials sector and North America being the most targeted.

"Operation ForumTroll" APT Targets Russian Academics with Plagiarism Lure

The Advanced Persistent Threat (APT) group known as Operation ForumTroll has launched a new, highly targeted phishing campaign aimed at Russian political scientists and academics. Active since at least 2022, the group's latest attack uses meticulously crafted emails impersonating a major Russian scientific library, eLibrary.ru. The emails lure victims into downloading a supposed plagiarism report, which is a ZIP archive containing a malicious .LNK file. Executing the shortcut file triggers a PowerShell script that downloads and installs the Tuoni command-and-control (C2) framework, giving the attackers remote access for espionage purposes.

Google Investigates Malicious Code Found in Search Result Infrastructure

Google has launched an urgent investigation after cybersecurity analysts discovered anomalous, encrypted code snippets and obfuscated JavaScript embedded within its core search result payloads on December 17, 2025. The malicious code appears designed to exploit browser sandboxing vulnerabilities, which could potentially enable remote code execution or data theft on users' systems. While Google has not confirmed any user impact and states it is neutralizing the threat, the incident represents a highly sophisticated attack against critical global internet infrastructure, prompting the involvement of government agencies.

SANS Report: OT/ICS Cyber Incidents Rising, 40% Cause Downtime

A new report from the SANS Institute highlights a dangerous trend in the security of Operational Technology (OT) and Industrial Control Systems (ICS). The '2025 State of ICS/OT Security Report' found that over 21% of organizations experienced a cyber incident in their OT environment in the past year. Of those, 40.3% suffered operational downtime. Ransomware was a primary cause, responsible for 37.9% of incidents, with unauthorized external connections being the top initial access vector. The report also points to a significant 'resilience gap,' with recovery times often exceeding one month.

SoundCloud and Pornhub Confirm User Data Exposure in Separate Breaches, One Via Third-Party

Both SoundCloud and Pornhub have confirmed security incidents exposing user data. SoundCloud suffered a direct breach of an ancillary service dashboard, resulting in the exfiltration of email addresses and public profile information for up to 28 million users (20% of its user base). The company states passwords and financial data were not affected. Separately, Pornhub announced that historical analytics data of some Premium members was exposed due to a breach at its former third-party analytics vendor, Mixpanel. The notorious hacking group ShinyHunters has claimed the Mixpanel breach and is attempting to extort Pornhub, alleging they stole a massive database of user search and watch history.

French Interior Ministry Confirms Cyberattack Compromised Email Servers

The French Ministry of the Interior has confirmed its email servers were compromised in a cyberattack detected between December 11 and 12, 2025. Interior Minister Laurent Nuñez stated that attackers stole staff email passwords, allowing them to access an unknown number of document files. While the government is still assessing the scale, a hacker group named 'Indra' has claimed, without evidence, to have exfiltrated police files on 16.4 million citizens. In response, the ministry is rolling out two-factor authentication and resetting passwords. The attack on the high-value government target, which oversees national police and security, has raised speculation of nation-state involvement, with groups like APT28 being considered.

New 'ConsentFix' Phishing Attack Hijacks Microsoft Accounts, Bypassing MFA via Azure CLI Abuse

A novel and sophisticated phishing attack dubbed 'ConsentFix' allows attackers to hijack Microsoft accounts without stealing passwords or bypassing multi-factor authentication (MFA). Discovered by Push Security, the browser-native attack tricks users into completing a fake verification process that involves copying a URL containing a sensitive OAuth authorization code from their browser's address bar and pasting it into the attacker's phishing page. The attacker then uses this code to authenticate as the user via the legitimate and trusted Microsoft Azure Command-Line Interface (CLI). Because the Azure CLI is a first-party app, it bypasses many consent restrictions, granting the attacker full account access. The technique is active and circumvents even phishing-resistant authentication like passkeys.

New Zealand Launches Massive Public Alert, Warning 26,000 Citizens of Lumma Stealer Malware Infections

In a first-of-its-kind campaign, New Zealand's National Cyber Security Centre (NCSC) is emailing approximately 26,000 people to warn them of potential infection by the Lumma Stealer malware. The potent information-stealing software targets Windows devices to covertly harvest sensitive data, including passwords, browser credentials, banking details, and cryptocurrency wallets. Officials have confirmed that some of the stolen credentials were linked to government and banking systems, heightening the risk of fraud. The NCSC's mass notification directs affected individuals to a government website with instructions for malware removal and improving account security.

MITRE Extends D3FEND Cybersecurity Framework to Operational Technology (OT)

MITRE has officially extended its D3FEND cybersecurity framework to include Operational Technology (OT), providing a standardized knowledge base of defensive techniques for cyber-physical systems. Announced on December 16, 2025, the NSA-funded initiative aims to create a common language for securing critical infrastructure in sectors like energy, manufacturing, and defense. As OT systems become increasingly connected to IT networks, D3FEND for OT provides a structured ontology of countermeasures tailored to the unique components and risks of industrial environments, mapping defensive techniques to threats against controllers, sensors, and actuators.

'Operation MoneyMount-ISO' Phishing Campaign Deploys Phantom Stealer via Malicious ISOs

A financially motivated, Russian-language phishing campaign dubbed 'Operation MoneyMount-ISO' is actively targeting finance and accounting departments to deploy the Phantom information-stealing malware. According to researchers at Seqrite Labs, the attack uses emails with fake payment confirmations that contain a malicious ISO disk image file. This technique is designed to bypass email security controls. When the user opens the ISO, it mounts a virtual drive with a disguised executable. Running this file triggers a memory-resident infection chain that deploys Phantom Stealer, which then harvests browser credentials, crypto wallets, and other sensitive data for exfiltration.

Storm-0249 Evolves: Access Broker Now Deploys Ransomware with Advanced Stealth Tactics

The initial access broker (IAB) known as Storm-0249 is evolving its tactics, moving beyond simply selling network access to actively participating in malware deployment. According to ReliaQuest, the group now uses more sophisticated techniques, including DLL side-loading and fileless PowerShell execution, to facilitate ransomware attacks directly. Their methods involve social engineering victims into running malicious commands (`ClickFix`), which fetch and execute PowerShell scripts from spoofed domains. A key technique is dropping a trojanized version of a SentinelOne security agent DLL to run malware under the guise of a trusted process. This evolution signifies a dangerous trend where IABs are becoming more integrated into the ransomware deployment process, increasing their threat level.

CISA Orders Federal Agencies to Patch Actively Exploited Critical GeoServer XXE Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical XML External Entity (XXE) injection vulnerability in OSGeo GeoServer, CVE-2025-58360, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which has a CVSS score up to 9.8, allows an unauthenticated remote attacker to read arbitrary files, perform Server-Side Request Forgery (SSRF) attacks, or cause a denial-of-service. Due to evidence of active exploitation, CISA has mandated that all Federal Civilian Executive Branch agencies patch the vulnerability by January 1, 2026. All organizations using the popular open-source geospatial data server are strongly urged to apply the available updates immediately.

Active Attacks Exploit Critical Fortinet SSO Bypass Flaws to Gain Admin Access

Security firm Arctic Wolf has observed active exploitation of two critical authentication bypass vulnerabilities in Fortinet products, CVE-2025-59718 and CVE-2025-59719. Both flaws, rated 9.1 in severity, allow an unauthenticated attacker to bypass FortiCloud single sign-on (SSO) by forging a SAML message, granting them administrative access to affected devices. The attacks, observed since December 12, 2025, target the default 'admin' account. The vulnerability is present if the FortiCloud SSO feature is enabled, which can be activated automatically when registering a device. Patches are available, and administrators are urged to upgrade immediately or disable the vulnerable SSO feature.

FreePBX Patches Critical Auth Bypass and RCE Flaws; Update VoIP Platforms Immediately

The popular open-source VoIP platform FreePBX has been updated to fix several serious security vulnerabilities, including a critical authentication bypass (CVE-2025-66039) with a 9.3 CVSS score. This flaw, present in a non-default configuration, allows an attacker to bypass the admin login and potentially achieve remote code execution. Other patched high-severity issues include multiple authenticated SQL injection flaws (CVE-2025-61675) and an arbitrary file upload bug (CVE-2025-61678). These could be chained to upload a web shell and take full control of the server. Administrators are urged to update their FreePBX instances to the latest versions to mitigate these risks.

New 'PyStoreRAT' Malware Spreads Via Fake OSINT and AI Tools on GitHub

A new malware campaign is distributing an information-stealing Remote Access Trojan (RAT) called 'PyStoreRAT' through fake GitHub repositories. Threat actors create repositories for what appear to be legitimate OSINT, AI, or DeFi tools, artificially inflating their popularity with fake stars and forks. After gaining a user's trust, the attackers push a malicious update containing PyStoreRAT. The malware is designed to evade detection, establish persistence, and steal sensitive data, with a particular focus on cryptocurrency wallets. It can also download secondary payloads like the Rhadamanthys infostealer and propagates via USB drives, posing a significant threat to developers and security researchers.

700Credit Data Breach Exposes PII of 5.6 Million Individuals

The U.S. fintech company 700Credit, a major provider of credit reports and data services to the automotive industry, has disclosed a data breach affecting at least 5.6 million individuals. The incident, which occurred in October 2025, resulted in an unauthorized actor gaining access to and stealing a significant amount of personally identifiable information (PII). The compromised data includes names, addresses, dates of birth, and Social Security numbers. 700Credit serves approximately 18,000 auto dealerships, and the breach involved data collected between May and October 2025. The company is providing credit monitoring services to affected individuals, and authorities are urging victims to consider credit freezes to prevent identity theft and fraud.

New 'Gentlemen' Ransomware Group Deploys Advanced GPO and BYOVD Attacks

A new ransomware operation, identifying itself as the "Gentlemen" group, has been observed conducting double-extortion attacks against corporate networks. The group employs sophisticated techniques to achieve its objectives, including the manipulation of Group Policy Objects (GPOs) for wide-scale ransomware deployment across victim networks. Additionally, the threat actor leverages the 'Bring Your Own Vulnerable Driver' (BYOVD) technique to escalate privileges and disable or bypass endpoint security solutions. The emergence of the Gentlemen group highlights the continued evolution in ransomware tactics, combining data theft with advanced defense evasion and lateral movement strategies.

CVSS 10.0: Atlassian Patches Critical RCE Flaw in Apache Tika Dependency

Atlassian has issued security updates for a critical vulnerability, CVE-2025-66516, in the Apache Tika parser library, a third-party dependency used in many of its products. The flaw, which carries a perfect CVSS score of 10.0, is an XML External Entity (XXE) injection vulnerability. It can be exploited by uploading a specially crafted file, such as a PDF containing a malicious XFA, potentially leading to information disclosure, server-side request forgery (SSRF), or even remote code execution (RCE). The vulnerability affects a wide range of Atlassian's server and data center products, including Jira, Confluence, and Bamboo. Customers are urged to apply the patches immediately.

xHunt Espionage Group Returns, Targeting Kuwait with New PowerShell Backdoors

The cyber-espionage threat actor known as xHunt has resumed operations with a new campaign targeting organizations in Kuwait. Active since at least 2018, the group is focusing its latest attacks on the shipping, transportation, and government sectors. Researchers have observed xHunt infiltrating networks by targeting Microsoft Exchange and IIS web servers. Once inside, the group deploys a family of custom PowerShell-based backdoors, with tool names like 'Hisoka' and 'Netero' derived from the anime 'Hunter x Hunter'. The campaign's objective appears to be long-term intelligence collection and espionage, leveraging stealthy techniques to maintain persistence.

New '01flip' Ransomware, Written in Rust, Targets Critical Infrastructure in APAC

A new and stealthy cross-platform ransomware strain named "01flip" has been discovered targeting critical infrastructure organizations in the Asia-Pacific region. The malware is written in the Rust programming language, enabling it to be compiled for both Windows and Linux systems and enhancing its ability to evade detection. Attackers have been observed exploiting exposed services for initial access, then deploying the open-source Sliver command-and-control (C2) framework for reconnaissance and lateral movement before executing the 01flip ransomware. The campaign highlights a growing trend of threat actors using modern, memory-safe languages like Rust to develop more sophisticated and evasive malware.

LastPass Fined £1.2M by UK Regulator Over 2022 Security Failures

The UK's Information Commissioner's Office (ICO) has fined password manager provider LastPass £1.2 million (approximately $1.6 million) for significant security failures that led to a major data breach in 2022. The regulator found that LastPass failed to implement adequate technical and security measures to protect its users' data. The 2022 incident resulted in a threat actor gaining unauthorized access to a backup database, which contained the data of 1.6 million UK users, including encrypted password vaults. The fine highlights the serious regulatory consequences for security companies that do not meet their data protection obligations.

India Confirms GPS Spoofing Attacks Targeted Seven Major Airports

The Indian government has officially confirmed that a series of cyber incidents involving GPS spoofing have occurred at seven of the nation's major airports. The attacks, which targeted airports in Delhi, Mumbai, Kolkata, and Bengaluru among others, disrupted navigation data for aircraft utilizing GPS-based landing procedures. Despite the signal manipulation, government officials reported that no flights were canceled or diverted. The successful handling of the incidents was attributed to the implementation of contingency measures and robust safeguards by Air Traffic Control, which allowed for safe operations using alternative navigation aids. The events underscore the growing vulnerability of critical transportation infrastructure to cyberattacks.

Apple Rushes iOS 26.2 Update to Patch Two Actively Exploited Zero-Days

Apple has released an emergency security update, iOS 26.2 and iPadOS 26.2, to address 26 vulnerabilities. Among these are two critical zero-day flaws, CVE-2025-43529 and CVE-2025-14174, both residing in the WebKit browser engine. The company confirmed reports that these vulnerabilities have been actively exploited in sophisticated, targeted spyware campaigns, potentially allowing attackers to execute arbitrary code on unpatched devices. The update also patches a severe kernel vulnerability, CVE-2025-46285, that could grant an attacker root privileges. All iPhone and iPad users are urged to update their devices immediately.

CISA KEV Alert: Actively Exploited RCE Flaw in Sierra Wireless Routers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Sierra Wireless AirLink routers, CVE-2018-4063, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which has a CVSS score as high as 9.9, is an unrestricted file upload vulnerability that allows an authenticated attacker to achieve remote code execution (RCE). Due to evidence of active exploitation, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies patch the vulnerability by a specified deadline, highlighting the severe risk it poses to network infrastructure.

Germany Summons Russian Ambassador Over Suspected Air Traffic Control Cyberattack

In a significant diplomatic escalation, the German government has summoned the Russian Ambassador to Berlin following allegations of a cyberattack targeting the nation's air traffic control (ATC) systems. The incident, reported on December 13, 2025, has raised grave concerns about the security of Germany's critical national infrastructure and points towards a potential act of state-sponsored cyber-espionage or disruption. While technical details remain undisclosed, the move underscores the high stakes of cyber hostilities between Western nations and Russia.

KillSec Ransomware Hits U.S. Financial Firm Daba Finance in Data Extortion Attack

The ransomware group known as KillSec has claimed responsibility for a cyberattack against Daba Finance Inc., a financial services company in the United States. On December 14, 2025, the group listed the company on its data leak site, employing a double-extortion tactic by threatening to release sensitive stolen data if a ransom is not paid. This incident underscores the persistent threat that data extortion gangs pose to the financial sector, which remains a high-value target due to the sensitive customer and corporate information it handles.

WestJet Data Breach Exposes Info of 1.2 Million Passengers; Scattered Spider Suspected

Canadian airline WestJet has disclosed a significant data breach that occurred in June 2025, impacting approximately 1.2 million passengers. The compromised data includes sensitive personal information such as names, contact details, and travel documentation. While investigations are ongoing, some reports suggest the notorious Scattered Spider hacking group, known for its social engineering prowess, may be behind the attack. The breach poses a serious risk of identity theft and fraud for the affected customers.

"Catastrophic" Data Breach at Norwegian News Agency NTB Exposes Customer Data

NTB (Norsk Telegrambyrå), Norway's leading news and content provider, has disclosed what it calls a "catastrophic" data breach that occurred in early December 2025. The company announced on December 13 that attackers exploited vulnerabilities in its systems to gain unauthorized access to its customer database, exposing sensitive personal information, detailed customer profiles, and internal communications for thousands of users. NTB is now undertaking a major overhaul of its security infrastructure in response.

Eswatini Faces Cybersecurity Crisis as Government Fails to Act on Rising Threats

A report published on December 13, 2025, reveals a deepening cybersecurity crisis in the Kingdom of Eswatini. The nation is experiencing a significant increase in cyberattacks targeting citizens, businesses, and government bodies. This surge is compounded by a lack of effective government response, characterized by outdated laws, minimal funding for cybersecurity initiatives, a severe shortage of skilled personnel, and a failure to implement its own national cybersecurity strategy. As a result, the country's digital infrastructure remains highly vulnerable to escalating threats.

Stealthy NANOREMOTE Backdoor Abuses Google Drive API for C2 Communications

A new and fully-featured Windows backdoor, dubbed NANOREMOTE, has been discovered by Elastic Security Labs. Written in C++, the malware distinguishes itself by using the Google Drive API for all command-and-control (C2) communications, allowing it to blend in with legitimate cloud traffic and evade traditional network security. The malware, which shares characteristics with the FINALDRAFT implant, is capable of reconnaissance, file transfer, and command execution. This tactic poses a significant challenge for organizations, especially those using Google Workspace, as it makes detecting malicious activity within sanctioned cloud services difficult.

OpenAI Unveils Strategy to Manage 'High' Risk AI Cybersecurity Threats

OpenAI has announced its strategy for managing the significant cybersecurity risks posed by its increasingly powerful AI models. The company will now treat all future models as potentially 'High' risk under its Preparedness Framework, capable of automating vulnerability discovery and exploitation. Key components of the plan include forming a 'Frontier Risk Council' of external experts, creating a tiered, trusted access program for cyber defense tools, and collaborating with industry partners. The move reflects growing concerns over the potential weaponization of AI for malicious cyber operations.

CISA Updates Cybersecurity Performance Goals for Critical Infrastructure

On December 11, CISA released an updated version of its voluntary Cybersecurity Performance Goals (CPGs), designed to help critical infrastructure operators bolster their defenses. The new version aligns with the latest NIST standards and places a stronger emphasis on governance, accountability, and risk management. The CPGs provide a baseline of measurable cybersecurity actions that organizations, including those in the healthcare sector, can take to protect against common and impactful threats, promoting a more resilient and proactive security posture.

Makop Ransomware Evolves, Using GuLoader and New Exploits in Attacks on India

A new campaign by the Makop ransomware group is primarily targeting enterprises in India, with additional victims in Brazil and Germany. The attackers continue to use brute-force attacks against exposed RDP services for initial access. Once inside, they now use the GuLoader downloader to deliver secondary payloads like the AgentTesla and FormBook infostealers. For privilege escalation, the group is exploiting vulnerabilities like CVE-2025-7771 in the ThrottleStop driver to gain kernel-level access and disable security products before deploying the final ransomware payload.

Google Patches Eighth Chrome Zero-Day of 2025 Under Active Attack

Google has released an emergency, out-of-band security update for its Chrome browser, patching its eighth zero-day vulnerability of 2025. The high-severity flaw, tracked as issue 466192044, is confirmed to be actively exploited in the wild. To prevent further abuse, Google has withheld technical details but analysis suggests it may be a buffer overflow in the ANGLE graphics library. All 3.4 billion Chrome users are urged to update their browsers immediately to version 143.0.7499.109 or later.

Conduent Breach Exposes 10.5M Patients, Ranks as 8th Largest US Healthcare Breach

Business services giant Conduent has disclosed a massive data breach that exposed the personal and medical information of over 10.5 million people, making it the 8th largest healthcare data breach in U.S. history. The breach, which was active for months between October 2024 and January 2025, has already cost the company $25 million in response efforts. The compromised data includes names, Social Security numbers, and health information, leading to multiple class-action lawsuits against the company.

"Battering RAM": $50 Hardware Attack Cracks Intel and AMD Secure CPU Enclaves

At the Black Hat Europe 2025 conference, researchers from KU Leuven University demonstrated "Battering RAM," a novel hardware attack that completely undermines modern confidential computing technologies. Using a custom-built DDR4 interposer costing just $50, the attack can bypass the memory encryption of secure enclaves like Intel SGX and AMD SEV. This allows an attacker with physical access to read encrypted memory at runtime, extract secret keys, and defeat protections previously thought to be secure against physical threats.

TriZetto Discloses Year-Long Data Breach Exposing Patient PHI

TriZetto Provider Solutions, a healthcare revenue management company owned by Cognizant, has started notifying clients about a major data breach. An unauthorized party had access to patient data for nearly a full year, from November 2024 until the breach was detected on October 2, 2025. The attackers accessed historical reports containing sensitive Protected Health Information (PHI), including patient names, Social Security numbers, dates of birth, and health insurance details. The cybersecurity firm Mandiant was brought in to investigate the long-running intrusion.

NATO Sharpens Cyber Defenses in Massive "Cyber Coalition" War Game

NATO has successfully concluded its largest annual cyber defense exercise, "Cyber Coalition," in Tallinn, Estonia. The week-long event involved approximately 1,500 military and civilian personnel from 29 NATO members and seven partner nations. Participants collaborated to defend a fictional nation's critical infrastructure against a series of realistic, hybrid cyberattacks, enhancing their collective ability to respond to modern threats.

Critical Infrastructure at Risk Due to "Deficient" OT Cybersecurity Training

A new report from Australian cybersecurity firm Secolve has exposed significant deficiencies in operational technology (OT) cybersecurity training across critical infrastructure sectors. The survey of senior professionals in industries like energy, manufacturing, and water found that training is often generic, infrequent, or completely ignored. This lack of specialized training is creating a dangerously immature security culture and leaving vital industrial environments unprepared for cyberattacks.

Hamas-Linked APT "Ashen Lepus" Targets Middle East with New "AshTag" Malware

The Hamas-affiliated advanced persistent threat (APT) group known as Ashen Lepus (or WIRTE) is conducting an ongoing espionage campaign targeting governmental and diplomatic entities in the Middle East. Researchers have identified a new, modular .NET malware suite named AshTag being used in these attacks. The campaign marks a significant evolution in the group's sophistication, incorporating enhanced encryption, in-memory payload execution, and the use of legitimate-looking subdomains to evade detection.

"Operation DupeHike" Espionage Campaign Targets Russian Corporate HR Depts

A highly targeted cyber-espionage campaign, dubbed "Operation DupeHike," has been identified targeting employees in Russian corporations. Attributed to the threat actor cluster UNG0902, the campaign uses convincing social engineering lures, such as decoy documents about employee bonuses, to infiltrate networks. The primary targets are staff in HR, payroll, and administrative departments, with the goal of achieving persistent surveillance and exfiltrating sensitive corporate data.

Unpatched Zero-Day in Gogs Git Service Actively Exploited to Gain SSH Access

A critical, unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, is being actively exploited in the wild. Tracked as CVE-2025-8110 with a CVSS score of 8.7, the flaw is a bypass of a previously patched RCE and allows an attacker to overwrite arbitrary files, ultimately leading to SSH access on the server. Researchers at Wiz have identified over 700 compromised instances, with attackers deploying the Supershell C2 framework.

Fake Leonardo DiCaprio Movie Torrent Used as Bait to Spread Agent Tesla Trojan

Cybercriminals are luring victims with a fake torrent for a new Leonardo DiCaprio movie to distribute the Agent Tesla information-stealing trojan. Security researchers at Bitdefender analyzed the campaign, revealing a complex, multi-stage attack chain that uses a malicious .lnk shortcut, hidden batch commands in subtitle files, and multiple layers of PowerShell to execute the final payload. The malware runs only in memory and establishes persistence through a fake audio diagnostic task, making it highly evasive.

React2Shell: Critical 10.0 CVSS RCE Flaw in React and Next.js Under Active Exploitation

A critical, unauthenticated remote code execution (RCE) vulnerability, dubbed 'React2Shell' (CVE-2025-55182), has been disclosed in React Server Components, affecting popular frameworks like Next.js. With a maximum CVSS score of 10.0, the flaw allows attackers to compromise servers with a single crafted HTTP request, requiring no user interaction. The vulnerability stems from an unsafe deserialization process in the 'Flight' protocol. Following the public disclosure on December 3, 2025, multiple weaponized proofs-of-concept became available, and active exploitation attempts by threat actors, including China-nexus groups, were observed. CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies and urging all organizations to update affected components.

Data Disaster: 4.3 Billion Records Leaked from Unprotected MongoDB Instance

One of the largest lead-generation data leaks ever recorded has been discovered by researchers from Cybernews and Bob Diachenko. An unprotected MongoDB instance, left publicly accessible without a password, exposed a staggering 4.3 billion documents, totaling 16.14 terabytes of data. The dataset contains highly detailed and structured professional and corporate intelligence, with much of the information appearing to be scraped from LinkedIn. Exposed data includes names, email addresses, phone numbers, employment history, and LinkedIn profile details. While the database was secured two days after discovery, the unknown duration of its exposure creates a significant risk of this data being used for sophisticated phishing, social engineering, and identity theft campaigns on a massive scale.

OPSEC Fail: North Korean Spy 'Trevor Greer' Exposed by Own Infostealer Infection

In a major operational security (OPSEC) failure, a North Korean state-sponsored hacker was unmasked after accidentally infecting their own machine with commodity infostealer malware like LummaC2. The leaked logs, analyzed by Flashpoint and Hudson Rock, exposed the digital life of an operative using the persona 'Trevor Greer.' The data revealed fake identities, cryptocurrency ventures, and, most notably, a direct link to the $1.5 billion cryptocurrency heist from the exchange Bybit. The actor had registered a phishing domain, 'Bybit-assessment.com,' prior to the attack. This rare glimpse into an APT operator's personal machine highlights that even sophisticated actors make human errors, providing invaluable intelligence for defenders.

GrayBravo MaaS Fuels Cybercrime with CastleLoader Malware

The cybercrime ecosystem is becoming more industrialized with the rise of Malware-as-a-Service (MaaS) operations like 'GrayBravo.' According to Recorded Future's Insikt Group, GrayBravo is developing and distributing a sophisticated loader called CastleLoader to at least four separate threat clusters. These clusters then use the loader to deploy various payloads, including RedLine Stealer and NetSupport RAT. The campaigns show specialization, with one group targeting the logistics sector using phishing and social engineering, while another uses Booking.com lures to target the hospitality industry. GrayBravo's operation, which features rapid development and a large infrastructure, exemplifies how MaaS providers empower less-skilled actors to launch effective and widespread attacks.

DeadLock Ransomware Uses Vulnerable Baidu Driver to Blind EDRs

A new DeadLock ransomware campaign is leveraging a novel "Bring Your Own Vulnerable Driver" (BYOVD) loader to exploit a vulnerability (CVE-2024-51324) in a legitimate Baidu Antivirus driver, `BdApiUtil.sys`. This technique allows the threat actors to terminate any process, including endpoint detection and response (EDR) and antivirus solutions, from the kernel level. By blinding security tools, the attackers can deploy the ransomware unimpeded. The attack chain, analyzed by Cisco Talos, also involves PowerShell scripts to disable Windows Defender and delete volume shadow copies, severely hindering detection and recovery efforts.

Code-to-Cloud Attacks: Leaked GitHub Tokens Become Keys to the Kingdom

Security researchers at Wiz have detailed an emerging "code-to-cloud" attack vector where threat actors leverage compromised GitHub Personal Access Tokens (PATs) to pivot from code repositories directly into production cloud environments. By abusing the trust between GitHub and connected Cloud Service Providers (CSPs), attackers with even basic read permissions can discover secret names, then use write permissions to execute malicious GitHub Actions that exfiltrate CSP credentials. The attack is particularly stealthy as API calls to search for secret names are not logged by GitHub Enterprise, creating a major visibility gap for defenders.

New 'Broadside' Botnet Exploits DVRs to Target Maritime Logistics

A new, sophisticated variant of the Mirai botnet, dubbed "Broadside," is actively exploiting a command injection vulnerability (CVE-2024-3721) in TBK Digital Video Recorder (DVR) devices. According to research from Cydome, the campaign specifically targets the maritime logistics sector, where these DVRs are common. Broadside is more advanced than typical Mirai variants, using stealthier techniques and a custom C2 protocol. Crucially, its goals extend beyond DDoS to include credential harvesting and lateral movement, turning compromised DVRs into strategic footholds on vessel networks.

AI Threat Hunting Exposes 'GhostPenguin,' a Linux Backdoor Undetected for Months

Researchers at Trend Micro have discovered "GhostPenguin," a sophisticated, multi-threaded Linux backdoor written in C++. The malware remained completely undetected on VirusTotal for over four months after its initial submission. It was ultimately found using an AI-driven automated threat hunting pipeline designed to analyze zero-detection samples. GhostPenguin provides attackers with full remote shell access and file system control over an RC5-encrypted UDP channel, using port 53 to masquerade as DNS traffic, highlighting the growing need for AI in detecting emerging, stealthy threats.

Vishing Attackers Impersonate IT on Teams, Trick Users into Running Fileless Malware

A sophisticated vishing (voice phishing) campaign is abusing trusted enterprise tools to deploy stealthy malware. Attackers impersonate IT support staff on Microsoft Teams, convincing users to initiate a Windows Quick Assist session. Once they have remote access, the attackers direct the user to a malicious site to download a loader. This loader then fetches an encrypted payload and executes it directly in memory using .NET reflection, a fileless technique designed to evade traditional antivirus and endpoint detection solutions. The campaign highlights the increasing trend of blending social engineering with the abuse of legitimate software.

IBM Rolls Out Critical Patches for AIX, Cloud Pak, and Other Enterprise Software

IBM has released a wave of security updates addressing vulnerabilities in numerous enterprise products, prompting an advisory from the Canadian Centre for Cyber Security. The bulletins, published between December 1 and December 7, 2025, include critical patches for IBM AIX, VIOS, Aspera Shares, Business Automation Workflow, and Cloud Pak System, among others. Administrators are strongly urged to review the advisories and apply the necessary updates promptly to protect their infrastructure from potential exploitation.

Race for Secure Digital Identity Heats Up with New Platforms from IBM and Turing Space

The digital identity space is seeing rapid innovation as IBM launches "Verify Digital Credentials," a new platform for issuing and authenticating secure digital documents like licenses and academic records. Built on open standards, it aims to reduce breach risk by decentralizing data storage. Concurrently, decentralized identity provider Turing Space is partnering with the IOTA blockchain to enhance its own verification offering, aiming to lower costs for enterprise-scale deployment. These moves highlight an industry-wide push towards verifiable credentials as a foundational defense against the growing threat of AI-powered deepfakes and identity fraud.

Supply Chain Attack: Marquis Software Breach Hits 74 Banks, Akira Ransomware Suspected

Marquis Software Solutions, a U.S.-based financial software provider, has suffered a major data breach, compromising the sensitive information of over 400,000 customers across 74 client banks and credit unions. This significant supply chain attack is suspected to be the work of the Akira ransomware gang. According to investigators, the threat actors likely gained initial access by exploiting vulnerabilities in SonicWall firewall devices on Marquis's network. This incident highlights the cascading risk in the financial sector, where a compromise at a single software vendor can have widespread consequences for numerous downstream institutions and their customers.

White House Sets 2025 Deadline for Post-Quantum Crypto Readiness

The White House has issued a new Executive Order to accelerate the U.S. federal government's transition to post-quantum cryptography (PQC). The order sets a critical deadline of December 1, 2025, for several key initiatives. It directs CISA and the NSA to create and maintain a list of commercially available products that support PQC standards, guiding federal procurement. It also mandates the development of new requirements for federal agencies to support TLS 1.3, a necessary precursor for PQC integration. Additionally, NIST is tasked with updating its Secure Software Development Framework (SSDF) to include practices for developing quantum-resistant software.

WhatsApp Worm Spreads Astaroth Banking Trojan in New Brazilian Campaign

A new malware campaign, tracked as STAC3150, is targeting banking users in Brazil by using WhatsApp Web as a distribution vector for the Astaroth banking trojan. The attack begins with a social engineering lure sent via WhatsApp, which persuades the victim to download a malicious ZIP archive. The archive contains a VBS or HTA file that, when executed, initiates a multi-stage infection process to deploy the Astaroth trojan. Astaroth is a well-known information stealer designed to capture banking credentials and other sensitive data. This campaign highlights the increasing use of popular messaging platforms for malware delivery.

SharePoint Flaw Chain Exploited to Deploy Warlock Ransomware

A new attack campaign attributed to the threat actor Storm-2603 is exploiting a chain of Microsoft SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704) for initial access. Post-exploitation, the attackers deploy Velociraptor, a legitimate digital forensics and incident response (DFIR) tool, for reconnaissance and persistence. By abusing a trusted tool, the attackers blend in with normal administrative activity, evading detection. In several confirmed incidents, this attack chain culminates in the deployment of the Warlock ransomware. This 'living-off-the-land' technique highlights a sophisticated approach to facilitating ransomware attacks.

Supply Chain Breach at Vendor Marquis Exposes Data From Dozens of US Banks

A ransomware attack on Marquis Software Solutions, a marketing and data analytics vendor for the financial industry, has resulted in a significant supply chain data breach affecting dozens of U.S. banks and credit unions. Marquis began notifying its clients on November 26, 2025, about the incident, which was first detected in August. The breach exposed highly sensitive customer information, including names, Social Security numbers, taxpayer IDs, and financial account details, that the financial institutions had entrusted to the vendor. While the banks' internal systems were not compromised, the incident highlights the profound risks associated with third-party vendors. At least 42,000 individuals in Maine alone have been affected, and Marquis is offering credit monitoring services to impacted customers.

Malicious Go Packages Impersonating Google UUID Library Steal Data

A sophisticated and long-running supply chain attack targeting Go developers has been discovered, active since at least May 2021. The attack involves two malicious packages, `github.com/bpoorman/uuid` and `github.com/bpoorman/uid`, which impersonate a popular Google UUID library using a typosquatting technique. The counterfeit packages are fully functional to avoid suspicion but contain a hidden backdoor. A specific function, `Valid`, is weaponized to secretly encrypt and exfiltrate any data passed to it, such as user IDs or session tokens, to an external paste site. This stealthy method allows the attacker, 'bpoorman', to siphon sensitive information from compromised applications.

Mexico's Maguen Group Launches Global Cybersecurity Brand 'Fortem'

Maguen Group, a leading private security firm based in Mexico, has officially launched Fortem Cybersecurity, its new global cybersecurity brand, on December 7, 2025. The new entity is an evolution of the company's existing cybersecurity arm, MT Cyber, which it acquired in 2019. With Fortem, Maguen Group aims to 'democratize cybersecurity' by offering enterprise-level protection to companies of all sizes. The launch marks a strategic push for global expansion, leveraging its existing presence in Mexico, Ecuador, and Germany, with the United States targeted as the next major market.

Malicious Rust Package 'evm-units' Targets Web3 Developers

A malicious software package named 'evm-units' has been discovered and removed from Rust's official crates.io registry. The package, downloaded over 7,200 times, targeted Web3 developers by impersonating a legitimate utility for the Ethereum Virtual Machine (EVM). While appearing functional, the crate contained a stealthy, multi-stage loader designed to download and execute operating system-specific malware. The malware included code to specifically evade 360 Total Security, a popular antivirus in China, suggesting the threat actor's focus was on stealing cryptocurrency from developers, likely in the Asian market. A second package, 'uniswap-utils', was also removed for depending on the malicious crate.

Wireshark Vulnerabilities Create Denial-of-Service Risk for Security Teams

France's national cybersecurity agency, CERT-FR, has issued a security advisory for two critical vulnerabilities in Wireshark, the world's most popular network protocol analyzer. The flaws, identified as CVE-2025-13945 and CVE-2025-13946, can be exploited by a remote attacker to cause a denial-of-service (DoS) condition. This poses a significant risk to security operations, as an attacker could crash the tool during a live incident investigation, effectively blinding security analysts. Users are urged to update to the patched versions (4.4.12 and 4.6.2) to mitigate the risk.

Washington Post Breached by Clop Ransomware via Oracle Flaws

The Washington Post has officially confirmed it was a victim of a large-scale cyberattack orchestrated by the Clop ransomware group. The threat actors exploited vulnerabilities in Oracle's E-Business Suite, compromising over 100 organizations globally. The campaign involves data exfiltration followed by aggressive extortion tactics, with Clop publicly naming victims on its dark web leak site to pressure them into paying ransoms reportedly as high as $50 million. This incident underscores the significant risk posed by vulnerabilities in widely used enterprise software and the sophisticated, multi-faceted extortion methods employed by modern ransomware gangs.

CISA: Commercial Spyware Hijacking Signal & WhatsApp via Zero-Clicks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding active campaigns using commercial spyware to compromise the Signal and WhatsApp accounts of high-value targets. Attackers are employing sophisticated methods including social engineering, malicious QR codes for device linking, and zero-click exploits that require no user interaction. The campaigns are reportedly targeting current and former government officials, military personnel, and civil society organizations across the U.S., Europe, and the Middle East. CISA warns that initial access to messaging apps is often used as a beachhead to deploy further malware and achieve full device compromise.

Global Coalition Targets 'Bulletproof' Hosting Services Fueling Cybercrime

An international coalition of cybersecurity agencies, including the NSA, CISA, and the FBI, has launched a coordinated effort to combat 'bulletproof' hosting (BPH) providers. These services knowingly lease infrastructure to cybercriminals for activities like ransomware and phishing. A new joint advisory urges Internet Service Providers (ISPs) and network defenders to adopt strategies to identify, block, and report these malicious hosts. The guidance focuses on a nuanced approach, including creating high-confidence blocklists and improving 'know your customer' processes, to disrupt the foundational infrastructure of cybercrime.

Cloudflare Outage Hits 28% of Global Traffic After Faulty React2Shell Patch

Cloudflare, a leading internet infrastructure provider, experienced a 25-minute global outage on December 5, 2025, that impacted approximately 28% of its HTTP traffic and made numerous popular websites inaccessible. The company quickly confirmed the disruption was not a cyberattack but was self-inflicted, caused by a faulty emergency change to its Web Application Firewall (WAF). The problematic update was deployed to provide mitigation against the critical React2Shell (CVE-2025-55182) vulnerability. The incident highlights the inherent risks of rapid, large-scale deployments, even when intended to improve security, and raises questions about change management processes for critical infrastructure.

AI Infrastructure at Risk: MCP Servers Emerge as New Supply Chain Threat

A new security advisory warns that Model Context Protocol (MCP) servers represent a significant and growing supply chain risk for organizations building AI-powered applications. These servers act as highly privileged automation engines, often possessing trusted access to sensitive enterprise resources like code repositories, email systems, and internal APIs. The warning follows the analysis of a critical vulnerability at hosting service Smithery.ai, where a single path traversal flaw could have allowed an attacker to gain administrative control over 3,000 hosted MCP servers. This and other incidents demonstrate that MCP servers are high-value targets that can be exploited to compromise entire AI software supply chains.

Iran Bans Officials From Using All Internet-Connected Devices Over Espionage Fears

In a drastic measure to combat espionage, Iran's Cybersecurity Command has banned all government officials and their security staff from using any device connected to public communication networks. The directive, reported on December 5, 2025, includes smartphones, laptops, and smartwatches. The move is a direct response to fears of hacking and mobile tracking being used for targeted assassinations, referencing past attacks on nuclear scientists and recent pager and walkie-talkie attacks against Hezbollah. The policy highlights a security philosophy of complete network isolation for key personnel over reliance on defensive technology.

Massive Supply Chain Attack Hits 200+ Companies via Salesforce App; Hacker Group Claims Breach

A hacking collective known as Scattered Lapsus$ Hunters has claimed responsibility for a large-scale supply chain attack that compromised the Salesforce data of over 200 organizations. The attack did not exploit a vulnerability in Salesforce itself, but rather abused OAuth tokens from the Gainsight customer-success application. The attackers gained unauthorized access to customer data, prompting Salesforce to revoke all tokens for the app. The group has named high-profile victims like Atlassian, Docusign, and Verizon, highlighting the significant risks of SaaS-to-SaaS integrations.

New "Benzona" Ransomware Strain Discovered in the Wild

Security researchers at CYFIRMA have discovered a new ransomware strain named "Benzona." The malware encrypts files on Windows, macOS, and Linux systems, appending a ".benzona" extension and dropping a ransom note titled "RECOVERY_INFO.txt". Victims are instructed to use the TOR browser to access a chat portal for recovery negotiations. The threat actors behind Benzona are believed to use a variety of initial access vectors, including social engineering, botnets, and exploitation of software vulnerabilities.

Critical 7-Zip RCE Vulnerability Now Under Active Exploitation

A critical remote code execution (RCE) vulnerability in the popular 7-Zip file archiver, tracked as CVE-2025-11001, is now being actively exploited in the wild. The path traversal flaw, which affects versions prior to 25.0.0, can be triggered when a user extracts a specially crafted malicious archive. This allows an attacker to write files to arbitrary locations and execute code. NHS England has issued an advisory confirming active exploitation, urging all organizations to update their installations immediately.

CISA Exposes 'BRICKSTORM' Backdoor Used by Chinese State Actors to Infiltrate US Government

The US Cybersecurity and Infrastructure Security Agency (CISA), NSA, and Canadian Centre for Cyber Security have jointly exposed a sophisticated backdoor named 'BRICKSTORM'. According to the December 4, 2025 advisory, People's Republic of China (PRC) state-sponsored actors are using this malware to target government and IT sector organizations. BRICKSTORM is designed for stealth and long-term persistence in both VMware vSphere and Windows environments. It employs multi-layered encrypted communications, including DNS-over-HTTPS (DoH), to hide its C2 traffic. The advisory details an attack chain where actors used a web shell for initial access, moved laterally via RDP, and ultimately deployed BRICKSTORM on a VMware vCenter server to compromise domain controllers. Agencies are urged to hunt for this threat immediately.

Android Zero-Days Under Active Attack, CISA Adds to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity Android zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating they are under active attack. The vulnerabilities, CVE-2025-48633 (Information Disclosure) and CVE-2025-48572 (Elevation of Privilege), affect the core Android Framework on versions 13, 14, 15, and 16. Google's December 2025 security bulletin confirmed the flaws may be subject to 'limited, targeted exploitation,' a pattern often associated with sophisticated spyware campaigns. Federal agencies are now mandated to patch these vulnerabilities, and all Android users are urged to apply the latest security updates as soon as possible to protect against potential device compromise.

Ransomware Payments Exceed $2.1 Billion Since 2022, FinCEN Reports

A new Financial Trend Analysis from the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN), released December 4, 2025, reveals that financial institutions reported over $2.1 billion in ransomware-related payments between January 2022 and December 2024. The data, derived from Bank Secrecy Act (BSA) filings, shows a peak in 2023 with $1.1 billion in payments. The report identifies ALPHV/BlackCat, LockBit, and Akira as some of the most prevalent variants, with the manufacturing and financial services sectors being the most frequent victims. The analysis underscores the critical role of BSA reporting in tracking cybercrime trends and informing law enforcement actions.

Freedom Mobile Data Breach Exposes Customer PII via Compromised Subcontractor

Canadian telecommunications provider Freedom Mobile announced on December 3, 2025, that it suffered a data breach after an unauthorized party gained access to its systems on October 23, 2025. The attacker leveraged the compromised account of a third-party subcontractor to access a customer account management platform. Exposed data includes customer names, addresses, birth dates, phone numbers, and account numbers. Freedom Mobile stated that more sensitive data like payment card information and passwords were not affected. The company is notifying a 'limited number' of affected individuals and advising them to be vigilant against phishing attacks.

CISA KEV Alert: Actively Exploited ScadaBR Flaw Puts Industrial Control Systems at Risk

CISA has added CVE-2021-26828, a high-severity vulnerability in the OpenPLC ScadaBR industrial control system (ICS) software, to its Known Exploited Vulnerabilities (KEV) catalog as of December 3, 2025. The flaw, with a CVSS score of 8.7, is an unrestricted file upload vulnerability that allows an authenticated attacker to achieve remote code execution (RCE) by uploading a malicious JSP file. This poses a significant risk to operational technology (OT) environments where this open-source SCADA solution is deployed. Federal agencies are mandated to patch by December 24, 2025, and CISA urges all organizations in critical infrastructure sectors to prioritize remediation.

Under Armour Sued Over Data Breach Attributed to 'Everest' Cybercrime Group

Athletic apparel giant Under Armour is the target of a new class action lawsuit following a November 2025 data breach. The suit, reported on December 4, 2025, claims the company was negligent in protecting the personal information of consumers and employees. The breach was allegedly carried out by the 'Everest' cybercriminal group, which claims to have stolen and leaked hundreds of gigabytes of data. The lawsuit asserts that Under Armour failed to implement basic cybersecurity measures like encryption and did not provide timely notification to victims, who now face a heightened risk of identity theft and fraud.

Critical Zero-Days in PyTorch Scanner 'PickleScan' Create AI Supply Chain Risk

Security firm JFrog has disclosed three critical zero-day vulnerabilities in PickleScan, a popular open-source tool used to scan Python pickle files for malware, particularly within the PyTorch AI framework. The flaws, collectively rated with a CVSS score of 9.3, allow an attacker to craft a malicious AI model that bypasses PickleScan's security checks. When this seemingly safe model is loaded by a user, it can lead to arbitrary code execution. This discovery, announced on December 3, 2025, highlights a significant software supply chain risk for the AI/ML community, as attackers could distribute weaponized models that evade standard security scanning.

AWS Boosts Cloud Defense with New AI-Powered Security Tools at re:Invent 2025

At its re:Invent 2025 conference, Amazon Web Services (AWS) unveiled several major additions to its security portfolio, heavily infused with artificial intelligence. Key announcements on December 3, 2025, included the preview of AWS Security Agent, a context-aware tool for proactive application security testing throughout the development lifecycle. AWS also announced the general availability of its revamped AWS Security Hub for centralized cloud security posture management (CSPM) and new attack sequence findings in Amazon GuardDuty for better threat detection in EC2 and ECS environments. These updates aim to automate and enhance security operations for organizations in the cloud.

React2Shell: Critical 10.0 CVSS RCE Hits React & Next.js, Actively Exploited!

A critical unauthenticated remote code execution (RCE) vulnerability, dubbed 'React2Shell' and tracked as CVE-2025-55182, has been disclosed in React Server Components. With a maximum CVSS score of 10.0, the flaw affects popular frameworks like Next.js and allows attackers to take complete control of vulnerable servers. Security researchers have already observed active exploitation in the wild, with attackers attempting to harvest cloud credentials and deploy cryptocurrency miners. Major cloud providers have issued WAF rules as a temporary mitigation, but immediate patching is essential.

ValleyRAT Malware Targets Job Seekers Using Foxit PDF Reader Disguise

A new malware campaign is distributing the ValleyRAT remote access trojan by preying on job seekers. Attackers send emails with weaponized executables disguised as HR documents, using the Foxit PDF Reader icon as a lure. The attack leverages a legitimate, renamed Foxit executable to perform a DLL side-loading attack, which silently loads the malware while displaying a decoy document to the victim. Once active, ValleyRAT provides attackers with full control over the compromised system, enabling data theft and surveillance.

G7 Unveils New Framework for Coordinated Cyber Response in Financial Sector

The G7 Cyber Expert Group has published a new policy paper outlining non-binding principles for Collective Cyber Incident Response and Recovery (CCIRR) within the global financial sector. The framework, developed to foster greater cross-border cooperation, aims to improve information sharing, streamline crisis communication, and bolster the resilience of the international financial system against major cyber incidents. The principles are intended as a high-level guide rather than a set of regulatory requirements.

EU Cyber Resilience Act Deadlines Loom: Vulnerability Reporting Starts 2026

The European Union is advancing the implementation of its landmark Cyber Resilience Act (CRA), which establishes mandatory cybersecurity requirements for all hardware and software products sold in the EU. With the regulation now in force, key deadlines are approaching. Manufacturers must prepare for a critical milestone in September 2026, when obligations to report actively exploited vulnerabilities to authorities within 24 hours will begin. The act aims to enforce security-by-design and ensure products remain secure throughout their lifecycle.

Qilin Ransomware Gang Claims 7 of 11 New Victims in 24 Hours

The daily ransomware report for November 8, 2025, highlights a significant burst of activity from the Qilin ransomware group, which claimed responsibility for 7 of the 11 new victims announced in the past 24 hours. The DragonForce group was the second most active with three victims. The attacks primarily targeted the professional services and manufacturing sectors, with victims located in the United States, Canada, and the United Kingdom. This latest surge brings the total number of publicly claimed ransomware victims in 2025 to 6,364, underscoring the relentless and persistent threat that ransomware-as-a-service (RaaS) operations pose to organizations globally.

SmartTube App Compromised: Malicious Update Pushed via Stolen Keys

A significant supply chain attack has compromised the popular ad-free YouTube client for Android TV, SmartTube. An attacker stole the developer's signing keys and distributed a malicious update containing surveillance-style malware through official channels. The malware, hidden in versions 30.43 through 30.55, collected device information and sent it to a command-and-control server. In response, Google Play Protect began automatically disabling the app on user devices. The developer has since revoked the compromised keys and released a new, clean version, which requires all users to perform a manual reinstallation to ensure their security.

'Cryptomixer' Shut Down: Authorities Seize €25M in Bitcoin from Laundering Service

A coordinated international law enforcement action, codenamed "Operation Olympia," has successfully dismantled Cryptomixer.io, a major cryptocurrency mixing service. Led by Swiss and German authorities with significant support from Europol and Eurojust, the takedown resulted in the seizure of servers, 12 terabytes of data, and over €25 million in Bitcoin. The service, active since 2016, is believed to have laundered over €1.3 billion for a wide range of criminal groups, including ransomware gangs and the North Korean Lazarus Group, by obfuscating the trail of illicit funds.

Iran-Linked MuddyWater APT Targets Israel with New 'MuddyViper' Backdoor

The Iranian-affiliated APT group MuddyWater has been observed in a new cyberespionage campaign targeting critical infrastructure and other key sectors in Israel and Egypt. Active from late 2024 to early 2025, the campaign leverages a previously undocumented custom C/C++ backdoor named MuddyViper. The malware is delivered via a loader called Fooder, which in some cases was disguised as the classic Snake game to deceive victims. The group, also known as Mango Sandstorm, used the backdoor for espionage, credential theft, and remote command execution, and showed operational overlap with another Iranian group, Lyceum.

Lazarus APT's Remote IT Worker Infiltration Scheme Exposed in Real-Time

A joint investigation by security researchers has exposed the inner workings of a North Korean Lazarus Group scheme where operatives commit identity fraud to get hired as remote IT workers at Western firms. By luring the threat actors into a sophisticated honeypot environment, researchers from BCA LTD, NorthScan, and ANY.RUN were able to capture their tactics, techniques, and procedures (TTPs) in real-time. The scheme's goals are twofold: to gain persistent network access for espionage and to funnel salaries back to the Democratic People's Republic of Korea (DPRK) in violation of international sanctions.

India Backs Down on Mandatory Pre-Installed Government "Snooping App"

Following widespread criticism from privacy advocates and significant resistance from major tech companies, the Indian government has withdrawn a controversial directive that would have required smartphone makers like Apple and Samsung to pre-install a non-deletable, state-owned security app. The app, named "Sanchar Saathi," was labeled a potential "snooping app" by critics, who raised concerns that it could be used as a tool for mass surveillance, violating citizens' right to privacy. The swift reversal marks a notable event in the ongoing global debate over digital privacy and government authority.

AI Cybersecurity Firm Tenex Expands to EMEA with New Funding

AI-native cybersecurity firm Tenex announced its expansion into the Europe, Middle East, and Africa (EMEA) region on December 2, 2025. The strategic move is supported by a new Series A investment from the global investment firm DTCP. Tenex, which offers an AI-driven managed detection and response (MDR) service, has seen rapid growth since its founding in January 2025 and plans to establish an international headquarters in Europe in 2026 to capitalize on the region's demand and talent pool.

CrowdStrike Named AWS Global Security and Marketplace Partner of the Year

At the AWS re:Invent 2025 conference, cybersecurity leader CrowdStrike was named both the Amazon Web Services (AWS) 2025 Global Security Partner of the Year and the Global Marketplace Partner of the Year. This dual recognition follows a landmark achievement for CrowdStrike, which became the first cloud-native independent software vendor (ISV) to surpass $1 billion in sales through the AWS Marketplace within a single calendar year, underscoring the strength of its cloud security offerings and its partnership with AWS.

Coupang Breach Exposes 33.7 Million Users in South Korea

South Korean e-commerce leader Coupang has admitted to a significant data breach exposing the personal information of 33.7 million customers, impacting over half of South Korea's population. The breach, which began in June 2025 and was detected in mid-November, stemmed from authentication vulnerabilities and the potential misuse of an ex-employee's still-active authentication key. Exposed data includes names, emails, phone numbers, and addresses. Coupang has reset user passwords and is working with authorities, including the Korea Internet & Security Agency (KISA), on the investigation.

Urgent Android Update: Google Patches 107 Flaws, Two Zero-Days Under Active Attack

Google has issued its December 2025 Android security bulletin, patching a total of 107 vulnerabilities. The update is critical, as it addresses two high-severity zero-days, CVE-2025-48633 (Information Disclosure) and CVE-2025-48572 (Elevation of Privilege), which are under limited, targeted exploitation in the wild. The patch also fixes a critical remote denial-of-service (DoS) flaw, CVE-2025-48631, in the Android Framework. The update covers vulnerabilities in components from Qualcomm, Arm, MediaTek, and others, affecting Android versions 13 through 16. Users are urged to install the update as soon as it becomes available for their devices.

APTs Exploit WinRAR Zero-Day to Target Industrial Sector in Q3 2025

Kaspersky's Q3 2025 threat report for industrial organizations highlights extensive exploitation of a WinRAR zero-day vulnerability, CVE-2025-8088. The flaw was used by multiple threat actors, including the RomCom cybercrime group and the Paper Werewolf (GOFFEE) APT, to deploy backdoors like SnipBot and the Mythic agent against industrial targets. The report also details other significant cyber-espionage campaigns, such as PhantomCore's attacks on Russian critical infrastructure and Cavalry Werewolf's phishing operations against energy and manufacturing sectors, underscoring the persistent threat to industrial control systems (ICS).

FTC Slams EdTech Firm Illuminate Education Over Breach of 10M Students' Data

The U.S. Federal Trade Commission (FTC) has taken enforcement action against education technology provider Illuminate Education for a 2021 data breach that exposed the personal and health information of 10.1 million students. The FTC alleged the company failed to implement reasonable security measures, citing the attacker's use of credentials from an employee who had left 3.5 years prior. Under the settlement, Illuminate must implement a comprehensive security program, delete non-essential student data, and undergo third-party assessments, highlighting severe consequences for failing to protect children's data.

Warning: Public PoC Exploit Released for Critical Zero-Click Outlook RCE Flaw

A proof-of-concept (PoC) exploit has been publicly released for CVE-2024-21413, a critical zero-click remote code execution (RCE) vulnerability in Microsoft Outlook nicknamed 'MonikerLink'. The flaw allows an attacker to execute arbitrary code on a victim's machine simply by sending a malicious email, with no user interaction required. The release of the PoC dramatically increases the risk of widespread exploitation. All organizations using affected versions of Outlook are urged to apply the security patches released by Microsoft immediately to prevent compromise.

Mystery Breach: Major Tech Firm Exposes Millions of Users' Data

A major, but currently unnamed, technology company has reportedly suffered a massive data breach, exposing the personal data of millions of users worldwide. The breach was detected on November 24, 2025, after unusual activity was observed on the company's servers, stemming from an unspecified vulnerability. The company has reportedly shut down the compromised servers, notified authorities, and begun alerting users. This incident is being described as one of the largest in recent years, placing millions at risk of identity theft and phishing attacks.

US Probes Bitcoin Mining Giant Bitmain for National Security Threats

The U.S. Department of Homeland Security is reportedly conducting a probe, codenamed 'Operation Red Sunset,' into Chinese bitcoin mining hardware manufacturer Bitmain. According to reports from November 29, 2025, the investigation centers on fears that Bitmain's mining devices could contain hidden backdoors for espionage or capabilities to sabotage the U.S. electrical grid. The probe allegedly involves physically inspecting imported hardware at U.S. ports for kill switches or remote access features. Bitmain has denied the allegations, but the investigation highlights growing national security concerns surrounding foreign-made hardware in critical infrastructure sectors.

Yearn Finance Hit by $9M 'Infinite Mint' Exploit

On November 30, 2025, the DeFi protocol Yearn Finance was exploited for approximately $9 million. The attacker leveraged a flaw in a legacy yETH stableswap smart contract, using a deposit of just 16 wei (a fraction of a cent) to mint a massive 235 septillion yETH tokens. The vulnerability stemmed from the contract's failure to clear cached storage variables after liquidity was fully drained. By manipulating these phantom balances, the attacker triggered an 'infinite mint' condition, subsequently draining the pool's assets into a Balancer pool. Around $3 million was quickly laundered through the Tornado Cash mixer.

Amazon Data Center Blueprints Leaked in Breach of Steel Contractor

A significant data breach at Cooper Steel Fabricators, a major U.S. structural steel contractor, was reported on November 30, 2025. A threat actor is selling a 330 GB database, claiming it is a 'complete mirror' of the company's FTP server. The asking price is $28,500. The leaked data allegedly contains highly sensitive intellectual property, including detailed blueprints and structural models for an Amazon data center in Ohio and a sorting facility in Massachusetts. Blueprints for Walmart distribution centers are also included, highlighting the severe supply chain risks that can expose the critical infrastructure plans of major corporations.

Gaming Giant Netmarble Breached, 6.1 Million Users' Data Exposed

South Korean gaming company Netmarble confirmed on November 30, 2025, that it suffered a data breach on November 22, exposing the personal information of 6.11 million members of its PC game portal. The compromised data includes names, birthdates, and encrypted passwords. The leak also affected 66,000 PC cafe owners and 17,000 current and former employees. Netmarble came under fire for waiting nearly 72 hours to report the incident to the Korea Internet & Security Agency (KISA), raising concerns about its incident response transparency.

CodeRED Alert System Hit by Ransomware, Wall Street Scrambles After Vendor Hack

A weekend news roundup from November 29, 2025, covered several major cyber incidents. The nationwide CodeRED emergency alert system, provided by OnSolve, was hit by an INC Ransom attack, disrupting a critical public safety service. In finance, Wall Street banks were assessing the fallout from a breach at a third-party real estate data firm, exposing ongoing supply chain risks. Additionally, the pro-Ukrainian hacktivist group Ukrainian Cyber Alliance claimed responsibility for a destructive attack on Donbas Post, the Russian-run postal service in occupied Ukraine, reportedly wiping over a thousand systems.

Comcast Fined $1.5M by FCC for Vendor's Data Breach

Comcast has agreed to a $1.5 million settlement with the Federal Communications Commission (FCC) following a 2024 data breach at a former vendor. The breach occurred at Financial Business and Consumer Solutions (FBCS), a debt collection agency, and exposed the personal information of nearly 238,000 Comcast customers, including names, addresses, and Social Security numbers. FBCS filed for bankruptcy before disclosing the breach, leaving Comcast to face the regulatory fallout. As part of the settlement, Comcast will implement a stricter vendor security compliance plan, highlighting the growing regulatory expectation for companies to secure their entire supply chain.

Global Infrastructure Breach Alert Confirmed as False Alarm

Initial reports on November 30, 2025, of a major security breach impacting global infrastructure were officially confirmed to be a false alarm. The panic was triggered when automated monitoring tools misinterpreted routine, benign system tests as a sophisticated cyberattack, leading to a cascade of incorrect alerts. While no data was stolen and no systems were compromised, the incident has exposed potential weaknesses in cyber-alerting systems and their ability to differentiate between normal administrative actions and genuine threats. The event has prompted calls for improving alert validation processes to maintain public trust.

Asahi Confirms Qilin Ransomware Breach Exposed Data of Nearly 2 Million

Japanese beverage giant Asahi Group Holdings has confirmed a September 2025 ransomware attack by the Qilin group resulted in a massive data breach affecting 1.914 million individuals. The breach exposed the personal information of customers, employees, and business contacts, leading to significant operational disruptions, including production halts and product shortages. The attackers gained initial access through compromised network equipment and moved laterally to deploy ransomware across Asahi's domestic data centers. While no financial data was stolen, the exposed PII includes names, addresses, phone numbers, and dates of birth.

Qilin's "Korean Leaks" Hits 28 Financial Firms via MSP Supply Chain Attack

The Qilin ransomware group has executed a devastating supply-chain attack, dubbed "Korean Leaks," by breaching GJTec, a South Korean managed service provider (MSP). This single point of failure allowed the attackers to compromise at least 28 of the MSP's downstream financial services clients. The campaign, which ran in waves from September to October 2025, resulted in the exfiltration of over 2TB of data. Researchers from Bitdefender have noted potential links to the North Korean state-affiliated group Moonstone Sleet, suggesting a hybrid operation blending financial extortion with geopolitical motives.

TryHackMe Apologizes for All-Male Panel After Community Backlash

Cybersecurity training platform TryHackMe issued a public apology on November 28, 2025, after announcing an all-male list of 18 industry helpers for its popular "Advent of Cyber" event. The omission sparked significant backlash from the cybersecurity community regarding the lack of gender diversity and representation. The company acknowledged the mistake was unintentional, stating several female creators had been invited but were unavailable. TryHackMe is now actively working with community members to recruit and onboard women to the panel before the event's launch.

Pakistan-linked APT36 Targets Indian Government with New Linux Malware

The Pakistan-based threat group APT36, also known as Transparent Tribe, is conducting an active cyber-espionage campaign against Indian government entities. A CYFIRMA report published on November 29, 2025, details the group's use of a new Python-based malware compiled for Linux systems (ELF format). This development signifies an expansion of APT36's toolkit to target non-Windows environments within sensitive Indian government and strategic sector networks, continuing the group's long-standing focus on intelligence gathering against India.

North Korea's Cybercrime is Statecraft, Report Warns

A strategic intelligence report published by CYFIRMA on November 28, 2025, analyzes North Korea's increasing reliance on cybercrime as a core instrument of its statecraft. The report's release is timely, following Russia's 2024 veto that disbanded the UN Panel of Experts responsible for monitoring North Korean sanctions evasion. The analysis details how state-sponsored groups like the Lazarus Group conduct large-scale cyber operations, including cryptocurrency heists and ransomware attacks, to generate revenue that directly funds the nation's weapons programs and sustains the regime.

Under Armour Investigates Ransomware Attack, Data Theft Claims

Athletic apparel giant Under Armour is investigating a ransomware attack that has impacted its internal corporate systems. According to a report from November 28, 2025, an unidentified ransomware group has claimed responsibility and alleges it has exfiltrated a large volume of data, including personal records for "millions of individuals." Under Armour has acknowledged the unauthorized access and launched a forensic investigation to determine the scope of the breach and verify the attackers' claims. The incident has caused internal disruptions and poses a significant data privacy risk.

DoorDash Discloses Another Breach via Third-Party Vendor

Food delivery service DoorDash disclosed another data breach on November 27, 2025, resulting from a compromise at an unnamed third-party service provider. The incident, reported on November 28, exposed information belonging to both customers and delivery drivers. This breach marks the latest in a series of security incidents for DoorDash involving its supply chain, highlighting persistent vulnerabilities in its network of external vendors and raising concerns about the security of its platform.

Oracle Cloud Misconfiguration Exposes Customer Data

Oracle has reported a data breach stemming from misconfigured resources within its own Oracle Cloud Infrastructure (OCI). The incident, first noted on November 13 and analyzed in a report on November 28, 2025, allowed external, unauthorized access to a portion of its cloud environment where customer data was stored. While the full scope and specific customers affected have not been detailed, the breach highlights the significant security challenges of managing large-scale cloud environments, demonstrating that even major cloud providers are susceptible to internal configuration errors.

MaaS Provider TAG-150 Distributes Modular Loader and RAT

A Malware-as-a-Service (MaaS) provider, tracked as TAG-150, has been identified operating a campaign active since at least March 2025. According to a threat intelligence report from November 29, 2025, the group is distributing a modular loader that delivers a Remote Access Trojan (RAT). The operation is focused on information theft and leverages user interaction and living-off-the-land techniques to compromise systems. The campaign highlights the ongoing threat from the MaaS ecosystem, which provides cybercriminals with ready-made tools to conduct attacks.

French Football Federation Data Breach Exposes Player Info Via Single Compromised Account

The French Football Federation (FFF) announced a significant data breach on November 28, 2025, after an attacker gained access to a centralized administrative software platform using a single compromised user account. The breach exposed the personally identifiable information (PII) of a large number of its 2.3 million members, including names, contact details, and birth dates. The attackers did not exploit a software vulnerability but rather leveraged stolen credentials to gain administrative control. In response, the FFF disabled the account, forced a password reset for all users, and notified both the French data protection authority (CNIL) and the national cybersecurity agency (ANSSI). This incident highlights the critical risk posed by credential compromise and the trend of cyberattacks targeting sports organizations.

IT Professional Jailed for 7 Years in Australia for 'Evil Twin' Wi-Fi Attacks on Flights

An Australian IT professional, Michael Clapsis, has been sentenced to seven years and four months in prison for conducting sophisticated 'evil twin' Wi-Fi attacks. Using a Wi-Fi Pineapple device, he created rogue Wi-Fi hotspots at airports and on flights to trick travelers into entering their credentials into a phishing portal. Clapsis then used this access to infiltrate the online accounts of multiple women, stealing thousands of private images and videos. The Australian Federal Police (AFP) investigation began after airline staff reported a suspicious network. Clapsis also attempted to obstruct the investigation by deleting evidence and abusing his IT privileges at work to spy on meetings between his employer and the AFP.

Massive Scan of Public GitLab Repositories Uncovers Over 17,000 Live Secrets

A security engineer, Luke Marshall, conducted a large-scale scan of all 5.6 million public repositories on GitLab Cloud, uncovering 17,430 verified, live secrets. The exposed credentials include thousands of API keys and access tokens for over 2,800 unique domains, with Google Cloud Platform (GCP) keys being the most common. The scan, performed using the open-source tool TruffleHog, highlights the pervasive issue of developers hardcoding secrets in public code. Alarmingly, 406 valid GitLab access tokens were found within GitLab's own repositories. The research also uncovered 'zombie secrets' that have remained valid for over a decade, posing a long-term risk. Marshall's responsible disclosure efforts led to multiple bug bounty payouts.

Legacy Python Scripts Create Dormant Supply Chain Risk via Abandoned Domain

Security researchers at ReversingLabs have identified a long-dormant supply chain vulnerability within the Python ecosystem affecting packages that use the legacy 'zc.buildout' tool. Outdated bootstrap scripts (`bootstrap.py`) found in several PyPI packages contain hardcoded references to an abandoned domain, `python-distribute.org`. This domain, once used for a fork of the Setuptools project, is now for sale. An attacker could purchase the domain, host malicious code, and automatically compromise any developer or build system that runs one of these legacy scripts. This creates a direct vector for malware injection, exposing an unknown number of projects to a decade-old risk.

'Adversarial Poetry' Emerges as Universal Jailbreak for Major LLMs

A new research paper has unveiled a simple yet powerful technique, dubbed 'adversarial poetry,' that can consistently bypass the safety guardrails of major Large Language Models (LLMs). By reformulating harmful prompts into verse, researchers were able to achieve jailbreak success rates up to 18 times higher than with plain text. The technique proved effective as a 'universal single-turn jailbreak' across 25 different AI models, including both proprietary and open-source ones. It successfully generated content related to dangerous topics like CBRN threats and cyber-offenses, revealing a fundamental weakness in current AI alignment strategies that appear overly sensitive to a prompt's style rather than its semantic content.

Bloody Wolf APT Shifts Tactics, Using Legitimate RATs to Target Central Asian Governments

The cyber-espionage group 'Bloody Wolf' has expanded its campaign, now targeting government entities in Kyrgyzstan and Uzbekistan. According to research from Group-IB, the APT group has evolved its tactics, moving away from custom malware to a more streamlined, Java-based delivery method. The new attack chain tricks victims into installing the legitimate NetSupport Manager remote administration tool (RAT). By using a widely recognized commercial tool, Bloody Wolf aims to evade detection by blending its malicious activities with normal administrative network traffic, sustaining its long-term espionage and data exfiltration goals.

CISA Adds Actively Exploited OpenPLC XSS Flaw to KEV Catalog After Hacktivist Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, CVE-2021-26829, to its Known Exploited Vulnerabilities (KEV) catalog. The action, taken on November 28, 2025, follows confirmed reports of active exploitation by the pro-Russian hacktivist group TwoNet. The group was observed using the flaw to deface the HMI of an industrial control system honeypot. The medium-severity vulnerability allows an attacker with access to the system to inject malicious scripts. Federal agencies are now required to patch the flaw by December 19, 2025, to protect against this confirmed threat to ICS/OT environments.

Tomiris APT Refines Toolkit, Using Discord and Telegram for C2 in Diplomatic Attacks

The cyber-espionage group 'Tomiris' has upgraded its tactical arsenal in a new wave of attacks targeting diplomatic and government organizations in Russia and Commonwealth of Independent States (CIS) countries. According to a new report from Kaspersky, the APT group is now using public services like Discord and Telegram for command-and-control (C2) communications to better evade detection. The group uses tailored spear-phishing emails to deliver a variety of payloads, including reverse shells and custom backdoors, and deploys specialized 'FileGrabber' malware to steal documents, demonstrating a focus on long-term intelligence gathering.

Major Cyberattack Hits Three London Councils, Crippling Public Services

A major cyber incident was declared on November 26, 2025, after a coordinated attack struck the shared IT infrastructure of three London councils: the Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council (WCC), and the London Borough of Hammersmith and Fulham (LBHF). The attack disrupted essential services, including phone lines, for over half a million residents. The councils, which operate under a joint IT arrangement, were forced to activate emergency protocols to maintain critical functions. The UK's National Cyber Security Centre (NCSC) is assisting with the investigation. While the nature of the attack is unconfirmed, experts suspect it is a ransomware incident, potentially targeting a shared managed service provider (MSP), raising fears of a significant data breach involving sensitive citizen information.

New 'HashJack' Attack Injects Malicious Prompts into AI Browsers

On November 26, 2025, researchers disclosed a novel indirect prompt injection attack called 'HashJack' that targets AI-enabled web browsers. The technique works by embedding malicious instructions in the fragment portion of a URL (the text following a '#' symbol). Because URL fragments are processed client-side and are not sent to the server, they are invisible to most network security tools like firewalls and web gateways. However, AI assistants integrated into browsers often parse the full URL, including the fragment, to gain context. This allows an attacker to craft a seemingly benign link that, when visited, secretly instructs the user's AI assistant to perform malicious actions, creating a significant new attack surface.

Mitsubishi ICS Software Flaw Exposes Credentials in Plaintext

On November 27, 2025, Mitsubishi Electric issued a security advisory for CVE-2025-3784, an information disclosure vulnerability in its GX Works2 industrial control system (ICS) software. The flaw, which affects all versions of the software, involves the storage of credential information in plaintext within project files. An attacker with local access to a computer running the software could extract these credentials and use them to bypass authentication on project files, allowing them to view or modify critical industrial process information. The vulnerability has a CVSS score of 5.5. Mitsubishi is developing a patch and has provided interim mitigation guidance.

Critical 10.0 CVSS Flaw in Azure Bastion Allows Full Cloud Takeover

Microsoft has patched a critical authentication bypass vulnerability, CVE-2025-49752, in its Azure Bastion service. The flaw, which scores a perfect 10.0 on the CVSS scale, could allow a remote, unauthenticated attacker to gain administrative control over all virtual machines connected via a vulnerable Bastion host. The vulnerability is a capture-replay flaw, where an attacker can intercept and reuse authentication tokens. All Azure Bastion deployments created before the patch on November 20, 2025, are considered vulnerable, and customers are urged to ensure their instances are updated.

Asahi Breweries Crippled by Ransomware Attack, Shipments Plummet to 10% Ahead of Peak Holiday Season

Japan's largest brewer, Asahi Group Holdings Ltd., is facing severe operational paralysis more than a month after a devastating ransomware attack. The attack disabled the company's core order and shipment management system, forcing a regression to manual processes like phone calls and faxes. As a result, shipments are at only 10% of normal levels, a critical blow as the company enters its busiest sales month. The incident, which has also forced Asahi to postpone its Q3 earnings report, highlights the extreme vulnerability of complex supply chains and legacy IT systems to modern cyber threats.

CodeRED Emergency Alert System Crippled by 'Inc Ransom' Attack, Disrupting US Public Safety

The OnSolve CodeRED emergency alert system, a critical communication tool for hundreds of U.S. municipalities, has been taken offline following a ransomware attack claimed by the 'Inc Ransom' group. The attack, which began on November 1, 2025, resulted in the encryption of systems and the exfiltration of user data, including names, addresses, and contact information. After failed ransom negotiations, the vendor was forced to decommission the legacy platform, causing significant service disruptions for local governments in numerous states and leaving them unable to issue vital public safety notifications.

Geopolitical Shift: Russian and North Korean State Hackers Found Sharing Attack Infrastructure

In a rare and alarming discovery, security researchers have found evidence of operational collaboration between two of the world's most prolific state-sponsored hacking groups: Russia's Gamaredon (Pitty Tiger) and North Korea's Lazarus. The evidence centers on a shared command-and-control (C2) server IP address that was used by both groups within days of each other to deliver their respective malware payloads. This convergence of TTPs and infrastructure signals a potential new phase of cyber operations where geopolitical alliances between Moscow and Pyongyang are extending into direct, cooperative attacks, potentially amplifying the threat level for defenders globally.

Water Gamayun APT Exploits Novel 'MSC EvilTwin' Windows Flaw in Stealthy Attacks

The Russia-aligned APT group Water Gamayun is actively exploiting a novel vulnerability in the Windows Microsoft Management Console (MMC), tracked as CVE-2025-26633. The attack, analyzed by Zscaler and dubbed 'MSC EvilTwin,' uses a malicious .msc file to proxy code execution through the trusted mmc.exe binary, making it difficult to detect. The multi-stage campaign begins with a malicious download and uses embedded commands to execute hidden PowerShell payloads. This technique allows the attackers to install backdoors and information stealers while evading traditional security measures, showcasing the group's continued sophistication in developing stealthy intrusion methods.

CISA Warns of Critical Flaws in Industrial Control Systems, Including CVSS 10.0 Bug

On November 25, 2025, CISA issued seven new advisories for vulnerabilities in Industrial Control Systems (ICS) from multiple vendors, including Rockwell Automation, Opto 22, and Zenitel. The flaws affect equipment used globally in critical manufacturing and communications sectors. The most severe vulnerability, CVE-2025-64130, is a critical OS command injection flaw in Zenitel communications equipment with a CVSS score of 10.0, which could allow for remote code execution. Other advisories cover flaws leading to denial-of-service and information exposure, prompting CISA to urge immediate review and mitigation by asset owners.

NVIDIA AI Toolkit and WordPress Plugins Hit with High-Severity Flaws

On November 25, 2025, several new software vulnerabilities were disclosed, including a high-severity Server-Side Request Forgery (SSRF) flaw in NVIDIA's NeMo Agent Toolkit (CVE-2025-33203) used for AI development. This flaw could lead to information disclosure and denial of service. Concurrently, vulnerabilities were found in popular WordPress plugins. The 'Just Highlight' plugin is affected by a stored Cross-Site Scripting (XSS) bug (CVE-2025-13311), while the 'Locker Content' plugin has a sensitive information exposure flaw (CVE-2025-12525) that could allow unauthenticated attackers to bypass content restrictions.

Homeland Security Warns Gov't Shutdown and Lapsed Law Cripple U.S. Cyber Defenses

The U.S. House Committee on Homeland Security has issued a stark warning in its latest 'Cyber Threat Snapshot,' stating that the nation's ability to defend against cyber threats is being severely hampered. The report cites a dual crisis: a federal government shutdown that furloughs key cybersecurity personnel, and the lapse of the Cybersecurity Information Sharing Act of 2015. This creates 'dangerous blind spots' at a time of heightened threat activity from nation-state actors like China and Iran, and a surge in attacks against U.S. critical infrastructure.

Akira Ransomware Targets M&A Blind Spots, Breaching Firms via Inherited SonicWall Devices

The Akira ransomware group is exploiting security blind spots created during corporate mergers and acquisitions (M&A). According to research by ReliaQuest, Akira affiliates are gaining initial access to acquiring companies by compromising vulnerable SonicWall SSL VPN appliances inherited from smaller, acquired firms. Attackers leverage the fact that the acquiring organizations are often unaware of these unpatched, legacy devices on their new network. Once inside, they use zombie credentials and move laterally, with the time from lateral movement to ransomware deployment averaging less than one hour, highlighting a rapid and effective attack chain.

URGENT: CISA Orders 7-Day Patch for Actively Exploited FortiWeb Zero-Day

Fortinet has disclosed a critical OS command injection zero-day vulnerability, CVE-2025-58034, in its FortiWeb Web Application Firewall (WAF) that is being actively exploited in the wild. The flaw allows an authenticated attacker to execute arbitrary commands on the underlying system. In response to observed attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and issued an emergency directive mandating federal agencies apply patches within an accelerated seven-day window, by November 25, 2025. Researchers have detected approximately 2,000 attacks leveraging the flaw and warn it could potentially be chained with a recently disclosed authentication bypass vulnerability (CVE-2025-64446) to achieve unauthenticated remote code execution.

Massive NPM Supply Chain Attack Spreads Self-Replicating "Shai-Hulud" Worm

A significant, ongoing supply chain attack is targeting the NPM JavaScript ecosystem, where a self-replicating worm dubbed "Shai-Hulud" has infected over 400 software packages. The attack has a substantial impact on the cryptocurrency sector, compromising at least 10 widely used libraries crucial for the Ethereum Name Service (ENS), including 'content-hash' and 'address-encoder'. The malware functions as a general-purpose credential stealer, exfiltrating secrets like wallet keys from infected developer environments. The scale is vast, with researchers at Wiz observing over 25,000 affected repositories, highlighting a critical threat to developer infrastructure worldwide.

FCC Rolls Back ISP Cybersecurity Rules Despite China-Linked Hacking Threats

In a controversial decision, the U.S. Federal Communications Commission (FCC) has rescinded cybersecurity regulations for internet service providers (ISPs). These rules were implemented by the Biden Administration following the discovery that the Chinese state-sponsored hacking group Salt Typhoon had breached major U.S. carriers. The revoked rules mandated minimum security standards and compliance certifications. The FCC claimed the original ruling was based on a "flawed legal analysis," but the move has drawn sharp criticism, with Commissioner Anna M. Gomez stating it leaves the country "less secure" against increasing nation-state threats.

Akira Ransomware Gang Hits LG Energy Solution, Claims 1.7TB Data Theft

South Korean battery manufacturing giant LG Energy Solution has confirmed it was the victim of a ransomware attack at one of its overseas facilities. The notorious Akira ransomware gang has claimed responsibility for the breach, alleging on its dark web leak site that it stole 1.7 terabytes of data from the company's network. While LG Energy Solution reports that the affected systems have been restored and its headquarters was not impacted, the incident highlights the continued threat of double-extortion ransomware attacks against the manufacturing sector. The Akira gang has been highly active, often gaining initial access via compromised VPN credentials.

New "Autumn Dragon" Espionage Campaign Targets Southeast Asia

A newly identified cyber-espionage campaign named "Autumn Dragon" has been targeting government and media organizations across Southeast Asia since early 2025. The operation, attributed with medium confidence to a China-nexus Advanced Persistent Threat (APT) group, aims to gather intelligence related to the South China Sea. The attackers use spearphishing emails with malicious WinRAR archives that exploit the vulnerability CVE-2025-8088. Upon execution, a dropper script masquerading as a Windows Defender update retrieves and runs additional payloads to establish a foothold for intelligence gathering.

ShadowPad Backdoor Deployed via Critical WSUS Server Vulnerability

An active intrusion campaign is exploiting a critical remote code execution (RCE) vulnerability, CVE-2025-59287, in Microsoft's Windows Server Update Services (WSUS). Attackers, believed to be Chinese state-sponsored APTs, are leveraging the flaw to gain system-level access and deploy the sophisticated ShadowPad backdoor. The attack chain involves using PowerShell and legitimate system utilities like 'certutil' and 'curl' to download the malware, which is then executed using a DLL sideloading technique for stealth and persistence. The campaign highlights the rapid weaponization of newly disclosed vulnerabilities for espionage purposes.

Supply Chain Breaches Escalate Despite Maturing Defenses, Report Finds

A new 2025 report from cybersecurity firm BlueVoyant reveals a troubling trend: despite most organizations maturing their third-party risk management (TPRM) programs, the number of supply chain breaches is escalating. The study found that 97% of surveyed organizations experienced a supplier-related security incident in the past year, a significant jump from 81% in 2024. The report identifies ineffective tool integration and internal organizational silos as key barriers, with the manufacturing sector being particularly hard-hit, averaging 3.8 breaches per organization.

Ransomware Attacks Peak on Holidays and Weekends, Exploiting Low Staffing

A new global study by Semperis, the "2025 Holiday Ransomware Risk Report," confirms that threat actors strategically launch attacks during holidays and weekends to exploit reduced security staffing. The report found that 52% of organizations were targeted during these off-hour periods. Alarmingly, 78% of companies cut their Security Operation Center (SOC) staffing by 50% or more during these times. The study also revealed that 60% of attacks follow major corporate events like mergers or layoffs, when organizations are most distracted.

Italian IT Firm Almaviva Hit by Cyberattack, 2.3TB of Data Leaked

The prominent Italian IT services provider Almaviva has confirmed it was hit by a major cyberattack, resulting in the theft and leaking of nearly 2.3 terabytes of sensitive data. The breach has exposed information from several of Almaviva's clients, most notably Italy's national railway operator, Ferrovie dello Stato Italiane. The leaked files reportedly include highly sensitive data such as passenger passport details, employee records, financial documents, and defense-related contracts. The identity of the attackers has not yet been disclosed.

Harvard University Data Breach Exposes Donor Information After Phone Phishing Attack

Harvard University has disclosed a data breach affecting its Alumni Affairs and Development Office, discovered on November 18, 2025. The incident originated from a phone-based phishing (vishing) attack that gave an unauthorized party access to systems containing personal information and donation records of university affiliates and donors. While highly sensitive data like Social Security numbers were reportedly not compromised, the breach exposed names, contact details, and donation histories. This attack follows a similar pattern seen in recent incidents at Princeton University and the University of Pennsylvania, indicating a targeted campaign against the development departments of major educational institutions.

Logitech Confirms Breach: Clop Ransomware Exploits Oracle Zero-Day

Logitech has confirmed it suffered a data breach after the Clop ransomware gang exploited a zero-day vulnerability in Oracle's E-Business Suite (CVE-2025-61882). The consumer electronics giant stated that an unauthorized third party accessed and copied data related to employees, consumers, and suppliers. The incident is part of a wider campaign by Clop that has impacted numerous major organizations. Logitech asserts that sensitive personal data like credit card numbers was not exposed and business operations remain unaffected.

CISA KEV Alert: Actively Exploited Oracle RCE Flaw Allows Full System Takeover

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in Oracle Identity Manager, CVE-2025-61757, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, with a CVSS score of 9.8, allows an unauthenticated attacker to achieve RCE by chaining an authentication bypass with a code injection flaw in a Groovy script endpoint. Evidence of in-the-wild exploitation, including scans detected weeks before a patch was available, has prompted CISA to issue a patching deadline of December 12, 2025, for federal agencies.

Chinese APT24 Group Uses 'BadAudio' Malware in Years-Long Espionage Campaign Targeting Taiwan

The Chinese-nexus threat group APT24, also known as Pitty Tiger, is behind a nearly three-year cyberespionage campaign utilizing a new custom malware called 'BadAudio'. According to Google's Threat Intelligence Group, the campaign, active since November 2022, has targeted organizations primarily in Taiwan. The group has evolved its tactics from broad web compromises to sophisticated supply chain attacks and spear-phishing. BadAudio is a C++ downloader that uses DLL search-order hijacking and control flow flattening to evade detection before deploying second-stage payloads like Cobalt Strike.

Major Wall Street Banks Exposed After Breach at Mortgage Vendor SitusAMC

SitusAMC, a critical technology and services provider for the real estate finance industry, has disclosed a significant data breach discovered on November 12, 2025. The cyberattack compromised corporate information and, more critically, data belonging to its clients' customers, which could include sensitive personal information from mortgage applications. Major financial institutions, including JPMorgan Chase, Citigroup, and Morgan Stanley, have reportedly been notified of their potential exposure. The FBI is investigating the incident, which highlights the systemic risk posed by third-party vendors in the financial sector.

Grafana Enterprise Hit by Critical 10.0 CVSS Flaw Allowing Admin Impersonation

Grafana Labs has patched a critical vulnerability, CVE-2025-41115, in Grafana Enterprise that carries the maximum CVSS score of 10.0. The flaw resides in the SCIM provisioning feature and allows a malicious SCIM client to escalate privileges and impersonate any user, including the default administrator, by manipulating the 'externalId' attribute. The vulnerability affects Grafana Enterprise versions 12.0.0 through 12.2.1 and requires specific feature flags to be enabled. Grafana has released patches and confirmed its own cloud instances were not exploited.

CrowdStrike Fires Insider for Leaking Screenshots to 'Scattered Lapsus$ Hunters' Hacking Group

Cybersecurity giant CrowdStrike has confirmed it fired an employee last month for acting as a malicious insider. The employee leaked screenshots of internal systems, including an Okta dashboard, to the 'Scattered Lapsus$ Hunters' hacking group, who then posted them on Telegram. CrowdStrike stated that it detected and terminated the insider, that its corporate systems were not breached, and that no customer data was compromised. The hackers claimed to have offered the employee $25,000 for access, highlighting the persistent threat of malicious insiders even at top security firms.

ShinyHunters Hits Salesforce Again, Breaching Customers via Gainsight App

Salesforce has disclosed a significant data breach affecting its customers, stemming from a compromised connection with the Gainsight customer success application. The notorious cybercrime group ShinyHunters, also tracked as UNC6240, has claimed responsibility for the attack, stating they exploited OAuth tokens to gain unauthorized access to approximately 285 additional Salesforce instances. In response, Salesforce has revoked credentials and removed the Gainsight apps from its AppExchange. The incident highlights the growing risk of supply chain attacks targeting trusted third-party SaaS integrations to pivot into major enterprise environments.

SEC Abandons Landmark Lawsuit Against SolarWinds and its CISO

In a surprising move, the U.S. Securities and Exchange Commission (SEC) has voluntarily dismissed its civil enforcement action against SolarWinds and its CISO, Timothy G. Brown. The lawsuit, filed in October 2023, had accused the company and Brown of misleading investors about their cybersecurity posture before the 2020 SUNBURST supply chain attack. The dismissal is seen as a major victory for the cybersecurity community, which had feared the case would set a dangerous precedent for holding security executives personally liable for breaches and create a chilling effect on transparency.

WEL Companies Investigated for Data Breach Affecting 122,960 People

The law firm Schubert Jonckheer & Kolbe LLP is investigating transportation and logistics firm WEL Companies, Inc., following a data breach that compromised the sensitive personal information of 122,960 people. The breach, which exposed names, Social Security numbers, and driver's license numbers, was first detected in January 2025. However, the company only began notifying victims in November 2025, a delay of nearly ten months that could lead to legal action for violating data breach notification laws.

Patch Now: Microsoft Fixes Actively Exploited Windows Kernel Zero-Day

As part of its November 2025 Patch Tuesday release, Microsoft has addressed 63 security vulnerabilities, including a high-severity zero-day flaw in the Windows Kernel (CVE-2025-62215) that is confirmed to be under active exploitation. The vulnerability is a local privilege escalation (LPE) bug with a CVSS score of 7.0, allowing an attacker who has already gained initial access to a system to elevate their privileges to SYSTEM level. Such flaws are critical components in post-exploitation attack chains, enabling threat actors to take full control of a compromised machine. The update also fixes 16 remote code execution (RCE) vulnerabilities and numerous other flaws across the Microsoft product suite. Immediate patching is strongly recommended for all Windows users.

Sinobi Ransomware Strikes US Manufacturer and Indian Tech Firm

The 'sinobi' ransomware group has claimed responsibility for two recent cyberattacks targeting organizations in the United States and India. The victims are Croft, a U.S.-based window and door manufacturer, and CHANGEPOND, an enterprise software company headquartered in Chennai, India. Both breaches were discovered on November 19, 2025, occurring within minutes of each other. These incidents underscore the global reach and indiscriminate targeting of ransomware operators, affecting diverse sectors including manufacturing and technology. The attacks highlight the persistent threat posed by ransomware and the importance of robust cybersecurity defenses.

CISA and Partners Release Guide to Combat Bulletproof Hosting

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, NSA, and international partners, has published a comprehensive guide to help network defenders and Internet Service Providers (ISPs) combat the threat of bulletproof hosting (BPH) providers. These services knowingly lease infrastructure to cybercriminals for a wide range of malicious activities, including ransomware, phishing, and malware distribution. The guide, 'Bulletproof Defense,' provides actionable recommendations for filtering malicious traffic, enhancing network monitoring, and improving intelligence sharing to disrupt the criminal ecosystem that relies on BPH for anonymity and resilience.

CISA Issues 6 New ICS Advisories for Schneider Electric, Shelly, METZ CONNECT

On November 19, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released six new Industrial Control Systems (ICS) advisories, highlighting multiple vulnerabilities in products from Schneider Electric, Shelly, and METZ CONNECT. The alerts affect a range of operational technology (OT) products, including SCADA systems and power monitoring devices. Four of the advisories are for Schneider Electric products like EcoStruxure and PowerChute. CISA urges administrators in critical infrastructure and manufacturing sectors to review the advisories and apply the recommended mitigations to prevent potential exploitation.

CISA Releases "Be Air Aware" Guides to Combat Drone Threats

As part of Critical Infrastructure Security and Resilience Month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released three new guides under its "Be Air Aware™" campaign. These resources are designed to help critical infrastructure owners and operators understand, assess, and mitigate the growing security risks posed by Unmanned Aircraft Systems (UAS), or drones. The guides provide actionable information on detecting suspicious drone activity, implementing detection technologies, and safely handling downed aircraft, aiming to integrate aerial threat considerations into existing security plans.

New 'Nova Stealer' Malware Targets macOS Crypto Wallets

A new information-stealing malware, dubbed 'Nova Stealer,' has been discovered actively targeting Apple macOS users. The malware's primary goal is the exfiltration of sensitive data, with a specific focus on cryptocurrency wallets. Nova Stealer operates as a trojan, infecting systems by replacing legitimate, installed applications with malicious versions. When a user launches the compromised application, the malware activates in the background to search for and steal wallet files and other valuable information. This discovery underscores the increasing trend of threat actors developing malware for the macOS platform, challenging the perception of it being inherently more secure than Windows.

Inc Ransom Cripples PA Attorney General's Office, Exfiltrates 5.7 TB of Data

The Pennsylvania Office of the Attorney General (OAG) has confirmed it suffered a severe data breach orchestrated by the Inc Ransom ransomware group. The attackers exploited the 'CitrixBleed2' vulnerability (CVE-2025-5777) to gain initial access and subsequently exfiltrated 5.7 terabytes of highly sensitive data. The stolen information includes Social Security numbers, medical details, and confidential investigative files. The attack, which occurred in August 2025, caused a three-week operational disruption for the agency's 1,200 staff members. The OAG has refused to pay the ransom and is working with the FBI on the investigation.

US, UK, and Australia Sanction Russian Bulletproof Hosting Network Aiding Ransomware

In a coordinated action, the United States, United Kingdom, and Australia have sanctioned Media Land, LLC, a Russian bulletproof hosting provider, along with its network of related entities and key individuals. This infrastructure is accused of providing essential services to a wide range of global cybercriminals, including malware distributors, phishing operators, and ransomware groups like the notorious LockBit gang. The sanctions aim to disrupt the foundational services that enable cybercrime by targeting the providers who knowingly support malicious operations. The action highlights a strategic international effort to dismantle the cybercrime economy.

CISA Adds Actively Exploited Fortinet FortiWeb Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical OS command injection vulnerability in Fortinet's FortiWeb products, CVE-2025-58034, to its Known Exploited Vulnerabilities (KEV) catalog. Citing evidence of active exploitation, CISA has mandated a one-week remediation deadline for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22-01. The vulnerability allows attackers to execute arbitrary commands on affected devices. CISA strongly urges all organizations using FortiWeb to prioritize patching this flaw to mitigate the threat.

Chicago's St. Anthony Hospital Discloses Data Breach Affecting Over 6,600

St. Anthony Hospital in Chicago has reported a data breach that may have exposed the personal and medical information of more than 6,600 patients and staff members. The incident, which was discovered in February 2025, occurred when an unauthorized party gained access to several employee email accounts. An investigation revealed that the compromised accounts contained sensitive data, including names, Social Security numbers, medical record numbers, and medical histories. The hospital states there is no evidence the data has been misused but is in the process of notifying all affected individuals.

Supply Chain Attacks & AI-Powered Phishing Surge Across Asia-Pacific, Darktrace Warns

A new threat report from cybersecurity firm Darktrace highlights a dramatic increase in sophisticated cyber threats across the Asia-Pacific and Japan (APJ) region. The report, covering the 12 months to July 2025, details a surge in supply chain attacks, business email compromise, and cloud intrusions. State-sponsored groups from China (APT40, APT41) and North Korea (Lazarus/Bluenoroff) are reportedly leveraging generative AI to create more convincing phishing emails, particularly in non-English languages like Japanese. The report also notes the high cost of supply chain breaches and the use of advanced voice-phishing by groups like Scattered Spider.

China-Aligned APT 'PlushDaemon' Wields 'EdgeStepper' Implant for Network Hijacking

Security researchers have uncovered a new, sophisticated network implant named 'EdgeStepper' used by the China-aligned APT group PlushDaemon. The implant provides the attackers with adversary-in-the-middle (AitM) capabilities, allowing them to intercept and hijack legitimate software updates within a compromised network. EdgeStepper is deployed as part of a larger toolset that includes 'LittleDaemon' and 'DaemonicLogistics' to deliver a Windows implant called 'SlowStepper'. This framework enables the APT group to conduct espionage and deploy additional malware by masquerading as legitimate update traffic.

Togo and Mozambique Forge Cybersecurity Pact to Strengthen African Defenses

The nations of Togo and Mozambique have signed a Memorandum of Understanding (MoU) to formalize their cooperation on cybersecurity. The agreement, signed during the inaugural International Cybersecurity Week in Mozambique, establishes a framework for their national Computer Security Incident Response Teams (CSIRTs) to collaborate. The partnership will focus on sharing real-time threat intelligence, conducting joint capacity-building exercises, and coordinating operational responses to cyber incidents, aiming to bolster the digital resilience of both nations and the wider African continent.

Vendor Breach Exposes Patient Data at Innovative Physical Therapy

Innovative Physical Therapy has notified patients of a data breach that originated from a third-party vendor responsible for practice management. The breach occurred when two vendor employees fell victim to phishing emails, leading to the compromise of their email accounts. Between June 25 and June 26, 2025, an unauthorized party accessed these accounts, which contained the protected health information (PHI) and personally identifiable information (PII) of at least 2,023 patients. The exposed data includes names, Social Security numbers, medical information, and health insurance details.

Urgent Patch Required: Critical RCE Flaw in W3 Total Cache WordPress Plugin

A critical command injection vulnerability, CVE-2025-9501, with a CVSS score of 9.0, has been found in the W3 Total Cache WordPress plugin, which is active on over one million websites. The flaw allows unauthenticated attackers to achieve remote code execution (RCE) by simply submitting a malicious comment. This enables a complete site takeover. All versions prior to 2.8.13 are affected, and administrators are urged to update immediately.

Kenyan Government Websites Defaced in Coordinated Cyberattack

On November 17, 2025, a coordinated cyberattack targeted and temporarily disabled numerous Kenyan government websites. The Ministry of Interior and National Administration confirmed the breach, which impacted the websites of the State House and ministries of Health, Education, and Energy, among others. Reports indicate several of the compromised sites were defaced with white supremacist slogans and symbols. The Kenyan government has since restored services and vowed to bring the perpetrators to justice.

Merck Employee Data Breached in Third-Party Vendor Incident

Pharmaceutical giant Merck has confirmed a data breach impacting its current and former employees due to a cybersecurity incident at a third-party service provider, Graebel Companies. The breach, which occurred in September 2025, was disclosed on November 17. Exposed data includes sensitive PII such as names, Social Security numbers, and financial account information. Merck is offering 24 months of complimentary credit monitoring services to affected individuals.

WordPress Security Plugin Ironically Contains Critical File-Read Flaw

A critical vulnerability, CVE-2025-11705, has been discovered in the 'Anti-Malware Security and Brute-Force Firewall' WordPress plugin, which is active on over 100,000 sites. The flaw allows any authenticated user, including low-privilege subscribers, to read arbitrary files from the server. This can be exploited to access the sensitive wp-config.php file, leading to a full database compromise and site takeover. Users are urged to update the plugin immediately.

NSFOCUS Mitigates Massive 843 Gbps DDoS Attack on Critical Infrastructure

Security vendor NSFOCUS has detailed its successful effort to mitigate a massive multi-vector DDoS attack that targeted a critical infrastructure operator in October 2025. The attack peaked at an enormous 843.4 Gbps and 73.6 million packets per second, sustaining high volumes for over 30 minutes. The assault was dominated by a UDP flood, accounting for over 600 Gbps of the traffic. NSFOCUS's Cloud DDoS Protection Service successfully filtered over 99.9% of the malicious traffic, keeping the operator's services online.

Cl0p Gang Exploits Oracle Zero-Day to Breach Logitech, Washington Post, and More

The notorious Cl0p cyber extortion gang has orchestrated a massive data breach campaign by exploiting a zero-day vulnerability in Oracle's E-Business Suite (EBS), tracked as CVE-2025-61882. Swiss electronics giant Logitech has confirmed it was a victim, filing a data breach notification with the SEC. The campaign has also compromised other major organizations, including The Washington Post, Allianz UK, and GlobalLogic. Cl0p is known for exploiting vulnerabilities in widely-used enterprise software to simultaneously hit a large number of high-value targets, exfiltrating data for double extortion.

DoorDash Hit by Data Breach After Employee Targeted in Social Engineering Scam

Food delivery service DoorDash has confirmed a data breach after an employee was compromised by a social engineering scam, allowing an unauthorized third party to access internal systems. The breach exposed the names, physical addresses, phone numbers, and email addresses of an undisclosed number of customers in the United States, Canada, Australia, and New Zealand. The company has stated that financial information was not accessed. This incident highlights the persistent threat of attackers targeting the 'human element' to bypass technical security controls.

Iranian APT 'SpearSpecter' Targets Officials' Families in Sophisticated Espionage Campaign

The Iranian state-sponsored group APT42, also known by aliases like SpearSpecter, is conducting a highly sophisticated and ongoing espionage campaign targeting senior defense and government officials. According to the Israel National Digital Agency, the threat actors are using advanced social engineering tactics, including building trust over weeks and targeting victims' family members to apply psychological pressure. The campaign's technical core is 'TameCat,' a modular PowerShell-based backdoor that operates in-memory and uses legitimate services like Telegram and Discord for stealthy command-and-control.

Eurofiber Breach Exposes Thales, Orange, and French Government Data in Major Supply Chain Incident

European digital infrastructure provider Eurofiber has confirmed a major data breach in its French division, potentially exposing sensitive data from over 3,600 clients, including major corporations like Thales and Orange, and several French government ministries. A threat actor known as 'ByteToBreach' claims to have exploited vulnerabilities (CVE-2024-29889, CVE-2025-24799) in Eurofiber's GLPI IT asset management software via SQL injection. The stolen data, now for sale on the dark web, allegedly includes highly sensitive information such as SSH private keys, VPN configurations, and API keys, posing a severe supply chain risk.

Pro-Russian Hackers Target Denmark with DDoS Attacks Ahead of Elections

The pro-Russian hacktivist group NoName057(16) has claimed responsibility for a series of Distributed Denial-of-Service (DDoS) attacks that targeted Danish government websites, political parties, and defense-related entities. The attacks, which occurred just before Denmark's municipal and regional elections, were designed to cause disruption and informational noise. Targets included the Danish Ministry of Transport and the national citizen portal, Borger.dk. While the outages were brief, the incident aligns with a pattern of politically motivated cyber activity by the group against European nations supporting Ukraine.

Microsoft Patches Actively Exploited Windows Kernel Zero-Day in November Update

As part of its November 2025 Patch Tuesday release, Microsoft has addressed 63 security flaws, including a zero-day vulnerability in the Windows Kernel (CVE-2025-62215) that is being actively exploited. The flaw is an elevation of privilege vulnerability with a CVSS score of 7.0, allowing a local attacker to gain SYSTEM-level access. The vulnerability affects all supported versions of Windows and Windows Server. Due to its active exploitation in the wild, immediate patching is strongly recommended.

Critical RCE Flaws in AI Engines From Meta, NVIDIA, Microsoft Discovered

Security researchers have discovered critical remote code execution (RCE) vulnerabilities in widely used AI inference servers from major tech companies, including Meta, NVIDIA, and Microsoft, as well as open-source projects like vLLM. The vulnerabilities stem from the unsafe use of Python's 'pickle' module for data deserialization and exposed ZeroMQ (ZMQ) messaging endpoints. Exploitation could allow attackers to take full control of AI models and servers, posing a significant risk to enterprise AI infrastructure. Some flaws, termed 'Shadow Vulnerabilities,' remain unpatched in production environments.

RansomHouse Hits H&M and Adidas Supplier in Major Fashion Supply Chain Attack

The RansomHouse ransomware group has attacked Fulgar S.p.A., a major Italian textile manufacturer and a key supplier for global fashion brands like H&M and Adidas. The attack, confirmed on November 3, 2025, resulted in the exfiltration and leak of sensitive corporate data. This incident highlights the significant and growing risk of supply chain attacks in the fashion industry, where a compromise at a single supplier can have cascading impacts on major international retailers.

Pig Butchering Scams Evolve into Global Cybercrime Menace, FBI Warns

A new threat intelligence report, supported by warnings from the FBI, details the rapid evolution of "Pig Butchering" scams into one of the most economically damaging forms of global cybercrime. These sophisticated, long-con investment schemes leverage social engineering, emotional grooming, and fraudulent cryptocurrency trading platforms to defraud victims of massive sums. The scam involves building a relationship of trust over weeks or months before convincing the victim to invest in a fake, high-yield opportunity.

APT Caught Exploiting Cisco & Citrix Zero-Days in Sophisticated Attack

Amazon's threat intelligence team has discovered a sophisticated advanced persistent threat (APT) campaign that exploited two separate zero-day vulnerabilities in Cisco Identity Service Engine (CVE-2025-20337) and Citrix products (CVE-2025-5777) before they were publicly known. The attackers used the flaws to gain pre-authentication remote code execution and deployed custom, in-memory malware designed to evade detection. This discovery highlights a growing trend of targeting identity and access management systems at the network edge and underscores the capabilities of highly-resourced threat actors.

Ransomware Attacks Surge 50% in 2025; Qilin Group Takes the Lead

Cybersecurity researchers report a staggering 50% increase in ransomware attacks in 2025, with over 5,000 incidents claimed on dark web leak sites by late October. This surge occurs amidst a significant realignment in the ransomware ecosystem, with formerly dominant groups fading while new and resurgent actors like Qilin take their place. The Qilin group has been particularly prolific, leading in victim counts for most of the past six months. The United States remains the most targeted nation, and the industrial sector is the most heavily impacted industry. PowerShell has become the primary tool for attackers, used in nearly 78% of observed campaigns.

Checkout.com Rejects Ransom After ShinyHunters Breach, Donates to Research

The global payment processor Checkout.com has disclosed a data breach orchestrated by the ShinyHunters cybercrime group. The attackers exploited a legacy third-party cloud file storage system that was improperly decommissioned. After being contacted with a ransom demand, Checkout.com refused to pay. In a bold move, the company announced it will instead donate the equivalent ransom amount to cybersecurity research institutions, including Carnegie Mellon University and the University of Oxford. The breach did not impact the core payment platform or cardholder data.

Fortinet Patches Actively Exploited FortiWeb Zero-Day (CVE-2025-64446)

Fortinet has released a patch for a critical, actively exploited zero-day vulnerability in its FortiWeb web application firewall (WAF). The flaw, tracked as CVE-2025-64446, is a relative path traversal vulnerability that allows an unauthenticated remote attacker to execute arbitrary administrative commands by sending specially crafted HTTP/S requests. Due to evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies patch it immediately. The flaw affects a wide range of FortiWeb versions, making immediate patching a top priority for all customers.

150,000+ Malicious NPM Packages Flood Registry in Crypto Token Farming Scheme

Security researchers from Amazon have uncovered one of the largest package flooding incidents in the history of the npm open-source registry, involving over 150,000 malicious packages. In a novel twist, the campaign was not designed for traditional malicious activities like stealing credentials or deploying ransomware. Instead, the attackers aimed to conduct a large-scale token farming operation by exploiting the incentive system of tea.xyz, a decentralized protocol that rewards open-source developers with 'TEA tokens'. The self-replicating packages automatically generated and published new junk packages, each linked to the attackers' blockchain wallets, polluting the ecosystem and abusing the reward mechanism.

Critical 9.8 CVSS Auth Bypass Flaw in NVIDIA AIStore Disclosed

The Zero Day Initiative (ZDI) has publicly disclosed a critical authentication bypass vulnerability in NVIDIA's AIStore, an open-source object storage platform for AI applications. The flaw, tracked as CVE-2025-33186, carries a CVSS score of 9.8 and is caused by hard-coded credentials within the platform's authentication component. A remote, unauthenticated attacker could exploit this vulnerability to completely bypass authentication and gain unauthorized access to the system, compromising the confidentiality and integrity of AI models and data. A second, high-severity information disclosure flaw (CVE-2025-33185) was also disclosed.

CISA Warns Cisco ASA Devices Still Under Attack, Issues New Patch Guidance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued follow-up implementation guidance for its September Emergency Directive 25-03, which addresses two critical, actively exploited vulnerabilities in Cisco ASA and Firepower devices. The flaws, a remote code execution bug (CVE-2025-20333) and a privilege escalation bug (CVE-2025-20362), are still being targeted by threat actors, including the China-linked group Storm-1849 (ArcaneDoor). CISA warns that many organizations incorrectly applied patches, leaving them vulnerable. The new guidance provides corrective actions and recommends further mitigation for devices that were not updated properly.

Search Guard FLX Vulnerability (CVE-2025-12149) Allows DLS Bypass

A medium-severity information disclosure vulnerability, CVE-2025-12149, has been disclosed in floragunn's Search Guard FLX, a security plugin for Elasticsearch. The flaw, affecting versions up to 3.1.2, allows an attacker to bypass Document-Level Security (DLS) rules. This occurs specifically when a search is triggered from a Signals watch, an alerting component of the plugin. A low-privileged user who can create or trigger a watch could exploit this to access all documents in queried indices, exposing sensitive data that should be protected by DLS permissions.

AWS Outage in us-east-1 Knocks Major Global Services Offline

A significant infrastructure fault within Amazon Web Services' (AWS) us-east-1 region in North Virginia on October 20, 2025, triggered a global outage affecting numerous major online services. Platforms including Snapchat, Fortnite, Disney Plus, and various banking applications experienced widespread disruptions. The incident, caused by issues with core services like DynamoDB and EC2, highlights the critical dependency of the digital economy on a few major cloud providers and underscores the importance of robust architectural resilience.

Palo Alto Firewalls Vulnerable to Remote Reboot Attack via DoS Flaw

Palo Alto Networks has disclosed a medium-severity denial-of-service (DoS) vulnerability, CVE-2025-4619, affecting its PAN-OS software. The flaw enables an unauthenticated, remote attacker to reboot firewalls by sending specially crafted packets. Repeated exploitation can force the device into maintenance mode, disrupting network traffic and disabling security protections. The vulnerability impacts PA-Series and VM-Series firewalls with specific configurations. Patches are available and customers are urged to upgrade.

Suspected GRU 'Fancy Bear' Hacker Linked to 2016 Election Interference Arrested in Thailand

A Russian national believed to be Aleksey Lukashev, a high-level military intelligence officer in Russia's GRU, has been arrested in Phuket, Thailand. The arrest was part of a joint operation between Thai authorities and the U.S. FBI. Lukashev is one of 12 GRU officers indicted by the U.S. Department of Justice in 2018 for his alleged role in the APT28 (Fancy Bear) hacking operations that targeted Democratic Party organizations during the 2016 U.S. election. He now faces extradition to the United States.

Team Europe Wins Global Cybersecurity Challenge for Fourth Consecutive Year

For the fourth year in a row, Team Europe has won the International Cybersecurity Challenge (ICC), a prestigious global competition designed to showcase and develop young cybersecurity talent. The event, hosted in Tokyo, Japan, brought together teams from eight regions worldwide. Organized and supported by the EU Agency for Cybersecurity (ENISA), the victory highlights Europe's strong investment in nurturing the next generation of cybersecurity professionals. Team Asia and the US Cyber Team secured second and third place, respectively.

Anthropic Disrupts First AI-Orchestrated Cyber Espionage Campaign

AI safety and research company Anthropic has reported disrupting what it believes is the first large-scale cyber espionage campaign orchestrated by an AI with a high degree of autonomy. The company detected a threat actor, assessed to be a Chinese state-sponsored group, manipulating its 'Claude Code' AI tool. The AI was used to attempt infiltration of approximately 30 global organizations, including tech companies, financial institutions, and government agencies. The incident marks a significant evolution in the use of AI in offensive cyber operations.

New Tools From Legit Security and Cyware Tackle AI Code and Ops Risks

As AI adoption accelerates in software development and security, vendors are releasing new solutions to manage the inherent risks. Legit Security has launched 'VibeGuard,' a tool designed to secure AI-generated code within integrated development environments (IDEs). Simultaneously, Cyware has upgraded its 'Quarterback AI' platform to function as an 'AI Fabric' for security operations, aiming to boost threat intelligence and analyst productivity. These launches highlight the industry's focus on both securing AI's use and using AI for defense.

Patch Now: Microsoft Scrambles to Fix Actively Exploited Windows Kernel Zero-Day

Microsoft has released its November 2025 Patch Tuesday updates, addressing 63 vulnerabilities, including a critical zero-day in the Windows Kernel (CVE-2025-62215) that is being actively exploited in the wild. This privilege escalation flaw allows local attackers to gain full SYSTEM-level control of affected Windows and Windows Server systems. Due to its active exploitation, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies. The update also fixes four other critical flaws, including a severe remote code execution vulnerability (CVE-2025-60724) in the Microsoft Graphics Component.

GAME OVER: 'Operation Endgame' Dismantles Global Cybercrime Services

In a massive international crackdown dubbed 'Operation Endgame,' law enforcement agencies from 11 countries, coordinated by Europol, have dismantled the infrastructure of three major cybercrime-as-a-service platforms: the Rhadamanthys information stealer, the VenomRAT remote access trojan, and the Elysium botnet. The operation resulted in the seizure of over 1,025 servers, the takedown of 20 domains, and the arrest of the main suspect behind VenomRAT. The targeted malware was responsible for infecting hundreds of thousands of computers worldwide, stealing vast amounts of data, including millions in cryptocurrency.

Synnovis Confirms Patient Data Stolen in Qilin Ransomware Attack on London Hospitals

Pathology service provider Synnovis has officially confirmed that patient personal data, including names, NHS numbers, and dates of birth, was stolen during the June 2024 ransomware attack attributed to the Qilin gang. The attack caused widespread disruption to London hospitals, leading to the cancellation of over 1,100 procedures. After a lengthy forensic investigation, Synnovis acknowledged the data breach, which followed the attackers leaking approximately 400GB of data. Affected NHS trusts are now beginning the process of notifying individual patients whose information was compromised.

Retailers Unprepared for AI-Powered Cyberattack Tsunami, Report Warns

A new report from managed security provider LevelBlue reveals a troubling state of cybersecurity in the retail sector. The study found that 44% of retailers have experienced a significant increase in cyberattacks, with many feeling unprepared for the next wave of AI-powered threats. Despite 45% of executives expecting AI-driven attacks, only 25% believe their organization is ready to defend against them. The report also highlights major weaknesses in supply chain security, with nearly half of retailers admitting to having poor visibility into their suppliers' security practices, creating significant risk across the industry.

Dell Patches Critical 9.1 CVSS Flaw in Data Lakehouse Platform

Dell has released a security update to address a critical vulnerability (CVE-2025-46608) in its Data Lakehouse platform, which received a CVSS score of 9.1. The flaw is an improper access control issue that could be exploited by a remote, high-privileged attacker to gain further elevated rights and potentially compromise the entire system. Due to the severity and the potential for a complete confidentiality, integrity, and availability loss, Dell is urging all customers to upgrade to version 1.6.0.0 immediately.

CISA KEV Alert: WatchGuard and Triofox Flaws Now Under Active Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating they are under active attack. The additions include CVE-2025-9242, an out-of-bounds write flaw in WatchGuard Firebox appliances, and CVE-2025-12480, an improper access control vulnerability in Gladinet's Triofox product. The third is the recently disclosed Windows Kernel zero-day, CVE-2025-62215. Federal agencies are now mandated to patch these flaws by a specified deadline, and CISA strongly urges all organizations to prioritize remediation.

Stealthy Phishing Attack Uses HTML Smuggling & Telegram Bots to Steal Credentials

A sophisticated phishing campaign is targeting organizations across Central and Eastern Europe, using HTML smuggling to deliver credential harvesting forms. Researchers at Cyble discovered the attack, which uses malicious HTML file attachments to bypass email security filters. Once a victim enters their credentials into the fake login page, an embedded JavaScript code exfiltrates the data directly to the attackers' private Telegram channels via the Telegram Bot API. This technique makes the campaign highly evasive, as it avoids the use of traditional, blockable C2 infrastructure.

Microsoft Patches Actively Exploited Windows Kernel Zero-Day in November Patch Tuesday

Microsoft's November 2025 Patch Tuesday update addresses 63 vulnerabilities, including a critical Windows Kernel privilege escalation zero-day (CVE-2025-62215) that is being actively exploited in the wild. The flaw, which has a CVSS score of 7.0, allows a local attacker to gain SYSTEM-level privileges. The release also includes patches for four other critical vulnerabilities, notably a remote code execution flaw in the Microsoft Graphics Component (GDI+) with a CVSS score of 9.8 (CVE-2025-60724). Other significant fixes address high-severity issues in Windows Kerberos, Microsoft Office, and Visual Studio, requiring immediate attention from administrators to prevent potential system compromise and supply chain attacks.

Advanced Threat Actor Exploits Cisco and Citrix Zero-Days in Targeted Attacks on Network Infrastructure

Amazon's threat intelligence team has discovered an advanced threat actor actively exploiting two previously undisclosed zero-day vulnerabilities in Cisco Identity Service Engine (ISE) and Citrix NetScaler Application Delivery Controllers (ADC). The vulnerabilities, now tracked as CVE-2025-20337 (Cisco) and CVE-2025-5777 (Citrix), are being used to target critical identity and network access control infrastructure. The attackers are leveraging custom malware to gain initial access and establish persistence on these edge devices. Both Cisco and Citrix have been notified and are working on patches, which security teams are urged to apply immediately upon release.

UK Introduces Sweeping Cyber Security and Resilience Bill to Regulate MSPs and Mandate Stricter Breach Reporting

The UK government has introduced the Cyber Security and Resilience Bill to Parliament, a landmark piece of legislation set to replace the 2018 NIS Regulations. This new bill significantly expands the regulatory landscape by bringing Managed Service Providers (MSPs) into scope for the first time, a move impacting up to 1,100 firms. It also imposes stricter incident reporting rules, requiring an initial report within 24 hours and a full report within 72 hours. The legislation aims to bolster national security by strengthening supply chain resilience and aligning the UK with updated international standards like the EU's NIS2 Directive.

Clop Ransomware Gang Claims Attack on Dartmouth College, Threatens to Leak Data

The notorious Clop ransomware gang has claimed responsibility for a cyberattack against Dartmouth College, an Ivy League university in the U.S. On November 11, 2025, the group added the institution to its dark web leak site, threatening to publish exfiltrated data if the university does not enter negotiations. This incident highlights the increasing trend of ransomware attacks targeting the education sector, which holds vast amounts of sensitive personal data. Dartmouth College has not yet issued a public statement on the alleged breach, but the threat from Clop is considered highly credible due to the group's track record.

Iranian APT 'Ferocious Kitten' Continues to Target Dissidents With Custom MarkiRAT Surveillance Malware

The Iranian-aligned APT group 'Ferocious Kitten' continues its long-running cyber-espionage campaign against Iranian dissidents and activists, according to new research from Picus Security. Active since at least 2015, the group uses spear-phishing emails with malicious Office documents to deploy its custom remote access trojan (RAT), MarkiRAT. This malware is a sophisticated surveillance tool, featuring an advanced keylogger that activates only when password managers are not in use, clipboard hijacking, and data exfiltration over HTTP/S. The group also employs various defense evasion techniques, including the use of BITS and the RTLO trick to disguise malicious files.

Critical Triofox Zero-Day Actively Exploited for System-Level Access

A critical, unauthenticated remote code execution vulnerability (CVE-2025-12480) in Gladinet's Triofox file-sharing platform is being actively exploited by a threat group tracked as UNC6485. The attackers are bypassing authentication by spoofing HTTP Host headers to 'localhost', allowing them to create rogue administrator accounts. They then abuse a built-in antivirus feature to execute malicious code with SYSTEM-level privileges, leading to full system compromise. Post-exploitation activity includes the deployment of commercial remote access tools like Zoho UEMS and AnyDesk to maintain persistence. Gladinet has released a patch, and organizations are urged to update immediately.

KONNI APT Weaponizes Google's Find Hub for Destructive Attacks

The North Korea-linked threat group KONNI has been observed in a novel campaign targeting individuals in South Korea. The attackers use social engineering to deploy PC malware that steals Google account credentials. With these credentials, they access the victim's Google account and abuse the legitimate 'Find Hub' service (formerly Find My Device) to track the real-time location of the victim's Android phone and remotely trigger a factory reset, wiping all data. This campaign highlights the group's creativity in weaponizing legitimate services for destructive purposes.

Pentagon Overhauls Cyber Force Model to Boost USCYBERCOM Readiness

The U.S. Department of War (DoW) has announced a new cyber force generation model aimed at enhancing the operational effectiveness, specialization, and lethality of forces assigned to U.S. Cyber Command (USCYBERCOM). The revised plan is designed to create a more integrated and agile cyber force by streamlining the processes of recruiting, training, and retaining personnel across all military branches. This strategic shift seeks to address emerging cyber threats and deter aggression in the cyber domain more effectively.

Nikkei Slack Breach Exposes Data of 17,000 Users via Stolen Credentials

Japanese media giant Nikkei Inc., owner of the Financial Times, has disclosed a significant data breach affecting its internal Slack workspace. An attacker gained access using authentication credentials stolen from an employee's personal computer, which was infected with infostealer malware. The incident, which was detected in September 2025, exposed the names, email addresses, and chat histories of 17,368 employees and business partners. The breach highlights the persistent threat of infostealer malware and the security risks associated with credentials stored in web browsers.

Hyundai IT Affiliate Discloses Major Data Breach Exposing PII and SSNs

Hyundai AutoEver America, the IT services subsidiary of the Hyundai Group, has begun notifying customers of a major data breach that occurred between late February and early March 2025. The incident involved unauthorized access to the company's IT environment, exposing highly sensitive personally identifiable information (PII), including full names, driver's license numbers, and Social Security numbers. While the exact number of victims is unconfirmed, the company's software is used in up to 2.7 million vehicles in North America, indicating a potentially massive scale.

Cisco Firewalls Under Renewed Assault as New DoS Attack Variant Emerges

Cisco has issued an urgent security warning about a new denial-of-service (DoS) attack variant that is actively exploiting two previously patched vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in its Secure Firewall ASA and FTD software. The campaign, which began on November 5, 2025, causes unpatched devices to enter a continuous reload loop, rendering them inoperable. This follows months of active exploitation by advanced threat actors, including a compromise of at least one US government agency. Cisco strongly urges all customers to apply the available patches immediately, as no effective workarounds exist.

China's Cyber Arsenal Exposed: Knownsec Breach Leaks State Hacking Tools and Global Target Lists

A monumental data breach at Knownsec, a prominent Chinese cybersecurity firm with close government ties, has resulted in the exposure of over 12,000 classified documents. The leak, which occurred in early November 2025, provides an unprecedented view into China's offensive cyber capabilities, revealing a sophisticated arsenal of malware for multiple operating systems, custom hardware attack tools, and an extensive list of global espionage targets. The compromised data details large-scale data theft from countries including India, South Korea, and Taiwan, targeting critical infrastructure, government databases, and telecommunications networks, signaling a major intelligence failure for China's state-sponsored cyber operations.

Swedish IT Supplier Breach Exposes Personal Data of 1.5 Million Citizens

The 'Datacarry' ransomware group has claimed responsibility for a major cyberattack on Miljödata, a Swedish IT supplier for local governments, exposing the sensitive personal data of up to 1.5 million people. The attack, which occurred in August 2025, targeted the company's HR systems, leading to the theft of names, government IDs, and contact information. The 224MB data archive was subsequently published on the dark web. The breach has caused service disruptions for numerous Swedish municipalities and affected data from major companies like SAS and Volvo. The incident is now under a national privacy investigation for potential GDPR violations.

EU Governments Under Siege: ENISA Reports Massive Surge in DDoS and Data Attacks

A new threat landscape report from the EU Agency for Cybersecurity (ENISA) reveals that public administrations across the European Union are facing a dramatic increase in cyberattacks. DDoS attacks, largely driven by pro-Russia hacktivist groups like NoName057(16), account for 60% of all incidents, primarily targeting central governments. While disruptive, the report warns that data breaches (17.4%) and ransomware (10%) pose a more significant threat to the continuity of essential public services. ENISA also highlights ongoing espionage campaigns by Russian and Chinese state actors, and notes that the sector's immaturity under the new NIS2 Directive places it in a high-risk zone.

It's Official: DoD Begins Phased Rollout of CMMC Cybersecurity Program

The U.S. Department of Defense (DoD) has officially started the phased, three-year implementation of its Cybersecurity Maturity Model Certification (CMMC) program as of November 10, 2025. DoD contracting officers can now begin inserting CMMC requirements into new solicitations for the Defense Industrial Base (DIB). The first phase requires contractors handling Federal Contract Information (FCI) or some Controlled Unclassified Information (CUI) to perform self-assessments. More stringent third-party certification requirements for higher CMMC levels will be introduced in subsequent phases, with full implementation expected by late 2028, fundamentally changing the security landscape for all DoD contractors.

OWASP Top 10 for 2025 Released, Spotlighting Supply Chain and Design Flaws

The OWASP Foundation has released the 2025 release candidate for its influential Top 10 list of web application security risks. This update signals a major shift in focus, with the introduction of new categories like 'A03: Software Supply Chain Failures' and 'A10: Mishandling of Exceptional Conditions'. 'Broken Access Control' remains the top risk, but 'Security Misconfiguration' has climbed to the number two spot. The 2025 list emphasizes a move away from fixing individual bugs towards addressing systemic root causes like insecure design and dependency management, reflecting the modern threat landscape of complex, interconnected applications.

Akira Ransomware Hits US Manufacturer Koch & Co., Threatens to Leak 54GB of Data

The Akira ransomware group has added U.S. manufacturer Koch & Co., Inc. to its list of victims. In a November 7 post on its dark web leak site, the group claimed to have stolen 54 gigabytes of sensitive corporate data, including detailed financials, contracts, and HR files. Akira is threatening to publish the data if a ransom is not paid. This attack is characteristic of Akira's double-extortion tactics, targeting mid-sized organizations with data exfiltration followed by encryption. Koch & Co. has not yet issued a public statement on the incident.

OSCE Guide Urges Unified Cyber-Physical Defense for Critical Infrastructure

The Organization for Security and Cooperation in Europe (OSCE) has published a new technical guide advising governments and operators to adopt a unified approach to securing critical infrastructure. The guide emphasizes the growing convergence of physical and cybersecurity domains, warning that siloed security teams lack a holistic view of modern threats. It highlights how internet-connected Industrial Control Systems (ICS) have expanded the attack surface, making infrastructure vulnerable to remote cyberattacks. The document provides recommendations for integrating intrusion detection, access control, and insider threat management into a single, cohesive security framework.

Microsoft 'Whisper Leak' Attack Can Spy on Encrypted AI Chats

Microsoft researchers have discovered a novel side-channel attack method named 'Whisper Leak' that undermines the privacy of encrypted AI chatbot conversations. By analyzing the size and timing of encrypted data packets from streaming Large Language Models (LLMs), a passive network observer can accurately infer the topic of a conversation. The proof-of-concept attack achieved over 98% accuracy against models from OpenAI, Mistral, xAI, and DeepSeek. While major AI providers have already implemented mitigations following a responsible disclosure, the finding exposes a fundamental privacy risk in the architecture of streaming LLMs, particularly for users in sensitive sectors like law and healthcare.

Chinese-Made Electric Buses in Europe & Australia Pose Remote Shutdown Risk

Cybersecurity tests conducted in Norway on November 7, 2025, have uncovered a significant security risk in Chinese-manufactured Yutong electric buses, which are widely used across Europe and Australia. The 'Lion Cage' experiment demonstrated that the buses' connected systems could theoretically be accessed and disabled remotely by the manufacturer. The findings have triggered urgent security reviews by public transit authorities in multiple countries, highlighting the growing national security concerns surrounding internet-connected critical infrastructure and potential vulnerabilities in international supply chains.

Philippines Lawmakers Push for National Cybersecurity Fund

In the Philippines, Representatives Migz and Luigi Villafuerte have introduced a proposal to create a 'Cybersecurity Risk Management and Mitigation Fund' (CRMMF). This dedicated national fund would provide the government with the necessary resources to prevent and respond to cyberattacks against both public and private sector entities. The proposal comes after recent DDoS attack attempts on local banks and designates 30% of the fund for rapid restoration of critical information infrastructure, signaling a strong political push to enhance the nation's cyber resilience.

Critical Container Escape Flaws in runC Threaten Docker & Kubernetes

A security alert issued on November 9, 2025, warns of three new critical vulnerabilities in runC, the low-level container runtime used by Docker, Kubernetes, and other major container platforms. The flaws could allow a malicious actor to execute a 'container escape,' breaking out of the isolated container environment to gain unauthorized access to the underlying host operating system. A successful container escape is a worst-case scenario in cloud-native security, as it would allow an attacker to compromise all other containers on the host. Administrators of all containerized environments are urged to monitor for and apply patches immediately.

Pwn2Own Day 1: Hackers Net $522K for 34 Zero-Days in SOHO Devices

The first day of Trend Micro's Pwn2Own Ireland 2025 competition was a resounding success for security researchers, who earned a total of $522,500 for demonstrating 34 unique zero-day vulnerabilities. In a stunning display, every single one of the 17 scheduled attempts against popular SOHO devices—including printers, NAS devices, and smart home products from brands like QNAP, Synology, Canon, and HP—was successful. The highlight was a complex 'SOHO Smashup' that chained eight bugs to compromise a router and a NAS device.

Over 75% of Orgs Can't Keep Pace with AI-Powered Attacks, Survey Finds

A new survey from CrowdStrike reveals a stark reality: 76% of global organizations admit they cannot match the speed and sophistication of AI-powered cyberattacks. The 2025 State of Ransomware Survey highlights a dangerous 'confidence illusion,' where leaders believe they are prepared, yet 78% of their organizations were attacked in the past year. With adversaries using AI to accelerate attacks, 89% of security leaders now agree that AI-powered protection is essential to close the widening security gap and defend against modern threats.

Malicious VS Code Extension with Ransomware Capabilities Discovered on Official Marketplace

A malicious Visual Studio (VS) Code extension named "susvsex" was discovered on the official VS Code Extension Marketplace. The extension, which appears to have been created with AI assistance, contained overt ransomware capabilities. Upon activation, it was designed to archive a target directory, exfiltrate the ZIP file to a remote server, and then encrypt the original files. The extension also used a private GitHub repository as a command-and-control channel. Although its default target was a test folder, it could easily be modified to target sensitive user data. Microsoft has since removed the extension, which was published on November 5, 2025.

Data of Nearly 200,000 Supporters of Hungarian Party TISZA Leaked Online

The personal data of nearly 200,000 supporters of the Hungarian political party TISZA has been leaked and is being widely distributed online. The breach, which occurred in October 2025, originated from the party's "TISZA Világ" service. The compromised dataset, containing 198,500 records, has been added to the Have I Been Pwned service. Exposed information includes supporters' full names, email addresses, phone numbers, physical addresses, and usernames. This incident places affected individuals at significant risk of phishing, fraud, and other malicious targeting.

Bahrain Fosters Digital Talent with AI and Cybersecurity Partnership

Bahrain is strengthening its national digital capabilities through a new partnership between Beyon Cyber, a cybersecurity firm, and Bahrain Polytechnic. The two organizations signed a Memorandum of Understanding (MoU) to foster innovation in Artificial Intelligence and cybersecurity. The collaboration aims to develop advanced, AI-driven security solutions and cultivate a skilled local workforce. This strategic initiative is aligned with Bahrain's goal of becoming a regional leader in technology and equipping its next generation of professionals with the skills to tackle modern cybersecurity challenges.

Qilin Ransomware Strikes Again, Claiming Victims Across US, France, and Africa

The Qilin ransomware-as-a-service (RaaS) group has had a highly active month, listing numerous new victims on its data leak site. The group has claimed responsibility for attacks against a wide range of organizations in the U.S., France, and Africa. Victims include insurance providers, healthcare authorities, real estate firms, and French municipalities. This follows recent high-profile claims against two Texas electric cooperatives and Volkswagen Group Finance, demonstrating the group's broad targeting and operational capability, supported by resilient bulletproof hosting infrastructure.

Cl0p Gang Exploits Oracle EBS Zero-Day in Massive Data Theft Spree

The Cl0p ransomware syndicate, also known as Graceful Spider, is actively exploiting a critical zero-day vulnerability, CVE-2025-61882, in Oracle's E-Business Suite (EBS). The flaw, which has a CVSS score of 9.8, allows for unauthenticated remote code execution and has been used to steal data from numerous organizations since at least August 2025. The attackers exfiltrated data for weeks before sending extortion demands in late September. In response, Oracle released an emergency patch on October 4, 2025, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating a patch deadline for federal agencies.

SonicWall Breach Far Worse Than Feared: All Cloud Backup Users' Firewall Configs Stolen

**[SonicWall](https://www.sonicwall.com)** has issued a major update on a September data breach, revealing its impact is far more severe than initially disclosed. The company confirmed that an unauthorized party accessed and exfiltrated firewall configuration backups for **all** customers of its MySonicWall cloud backup service, a stark revision from the initial estimate of less than 5%. The stolen `.EXP` files contain complete firewall configurations, including security rules and encrypted credentials. While the credentials remain encrypted, security experts warn that possession of these files significantly lowers the bar for future targeted attacks. SonicWall, assisted by **[Mandiant](https://www.mandiant.com/)**, is urging all affected customers to reset passwords and follow detailed mitigation guidance.

AI-Powered Social Engineering to Become Top Cyber Threat, ISACA Warns

A new report from the global IT association ISACA reveals a major shift in the threat landscape, with IT professionals now believing AI-driven social engineering will be the most significant cyber threat by 2026. The survey of 3,000 professionals found that 63% ranked this emerging threat highest, surpassing ransomware. Critically, the report also highlights a widespread lack of preparedness, with only 13% of organizations feeling 'very prepared' to manage the risks of generative AI, signaling an urgent need for new defense strategies and training.

Massive 'I Paid Twice' Phishing Scheme Defrauds Booking.com Hotels and Guests

A sophisticated global phishing campaign named 'I Paid Twice' is targeting hotels on Booking.com and Expedia, compromising their administrative accounts to defraud guests. Since at least April 2025, attackers have been using social engineering and the PureRAT malware to gain access to hotel systems. Once in, they impersonate hotel staff to send fraudulent payment requests to travelers with upcoming reservations, tricking them into paying a second time via a malicious portal. Security firm Sekoia.io, which discovered the operation, reports that the campaign is highly active and has resulted in financial losses for an unknown number of victims.

Samsung Zero-Day Exploited in the Wild to Install 'LANDFALL' Android Spyware

A now-patched zero-day vulnerability, CVE-2025-21042, in Samsung Galaxy devices was actively exploited to install a commercial-grade Android spyware known as LANDFALL. Researchers from Palo Alto Networks' Unit 42 discovered that attackers sent malicious DNG image files via WhatsApp to targets in the Middle East. The flaw, an out-of-bounds write in an image processing library, allowed for remote code execution. This incident highlights the growing trend of exploiting mobile image parsing libraries to deliver spyware, echoing similar attacks against Apple devices.

State-Backed Hacking Escalates: Russia Targets Ukraine, China Eyes Latin America

A new report from ESET reveals a significant escalation in cyber operations by state-sponsored threat groups from Russia and China between April and September 2025. Russia-aligned groups, notably Sandworm, have accelerated destructive wiper malware attacks against Ukraine's critical infrastructure, including energy and logistics. Simultaneously, China-aligned actors like FamousSparrow have increased espionage activities targeting governmental entities in Latin America, potentially in response to shifting geopolitical dynamics. The report highlights a global landscape of heightened cyber conflict driven by national interests.

Patient Sabotage: Malicious NuGet Packages with Time-Delayed ICS Payloads Discovered

Security researchers have discovered nine malicious packages on the NuGet repository, downloaded over 9,400 times, containing hidden, time-delayed sabotage code. One package, 'Sharp7Extend,' was specifically designed to corrupt write operations in industrial control systems (ICS) by silently causing them to fail after a grace period. This could lead to physical damage or production failures. The code was set to trigger on specific dates, some as far in the future as 2028, demonstrating a patient and highly destructive approach to supply chain attacks.

Software Supply Chain Attacks Skyrocket to Record High, Driven by Ransomware Gangs

Software supply chain attacks reached an all-time high in October 2025, with 41 claimed incidents, according to a new report from Cyble. This figure is over 30% higher than the previous monthly record. Ransomware groups, particularly Qilin and Akira, are identified as the primary drivers of this trend, responsible for a majority of attacks in 2025. The information technology, finance, and energy sectors are the most heavily targeted, highlighting a strategic shift by attackers to compromise organizations through their trusted third-party suppliers.

Amazon Patches High-Severity Flaw in WorkSpaces Linux Client

Amazon Web Services (AWS) has patched a high-severity vulnerability, CVE-2025-12779, in its WorkSpaces client for Linux. The flaw, rated 8.8 CVSS, could allow a local attacker on a shared computer to extract another user's authentication token and gain unauthorized access to their virtual desktop session. The issue affects Linux client versions 2023.0 through 2024.8. AWS has released a patched version and recommends all users upgrade immediately to mitigate the risk.

CISA Adds Actively Exploited Control Web Panel RCE Flaw to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical command injection vulnerability in Control Web Panel (CWP), CVE-2025-48703, to its Known Exploited Vulnerabilities (KEV) catalog. The action confirms the flaw is being actively exploited in the wild. The vulnerability allows a remote, unauthenticated attacker to achieve remote code execution (RCE) on servers running the popular Linux web hosting panel. CISA has mandated that all Federal Civilian Executive Branch agencies patch the vulnerability by November 25, 2025, and strongly urges all other organizations to remediate it immediately.

U.S. Congressional Budget Office Breached by Suspected Foreign Actor

The U.S. Congressional Budget Office (CBO), the nonpartisan agency that provides economic analysis to Congress, confirmed on November 6, 2025, that it suffered a significant cybersecurity breach. The attack is suspected to be the work of a foreign government, raising concerns about espionage and the potential exposure of sensitive, pre-decisional information. Data at risk includes confidential communications between lawmakers and CBO analysts, as well as early drafts of legislative cost analyses. The CBO has taken steps to contain the incident and is investigating the full scope of the compromise.

Cisco Warns of New DoS Attacks Actively Exploiting Firewall Flaws

Cisco has issued an urgent warning about a new attack variant actively targeting its Secure Firewall products. Threat actors are chaining two previously disclosed vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to cause a denial-of-service (DoS) condition on unpatched Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) devices. These same flaws were exploited as zero-days in September 2025 and are listed in CISA's KEV catalog. Cisco strongly recommends that all customers immediately upgrade to patched software versions to prevent network outages and potential device compromise.

Critical SQL Injection Flaw in Django Framework Puts Web Apps at Risk

The Django project has released urgent security updates to patch a critical SQL injection vulnerability, CVE-2025-64459, rated 9.1 on the CVSS scale. The flaw affects Django versions 4.2, 5.1, 5.2, and the 6.0 beta. It allows an attacker to manipulate database queries by passing a specially crafted dictionary to certain ORM methods, potentially leading to unauthorized data access, modification, or authentication bypass. Due to the widespread use of Django and the low complexity of the attack, developers are strongly urged to upgrade to the patched versions (4.2.26, 5.1.14, 5.2.8) immediately.

Washington Post Confirms Breach in Cl0p's Oracle Supply Chain Attack

The Washington Post confirmed on November 6, 2025, that it was a victim of the widespread supply chain attack orchestrated by the Cl0p ransomware gang. The attack exploited a zero-day vulnerability in Oracle's E-Business Suite (EBS), a widely used enterprise software platform. This confirmation came after Cl0p added the newspaper to its dark web leak site, a classic extortion tactic. The incident highlights the significant risk of supply chain attacks, where a single vulnerability in a trusted third-party vendor's software can lead to the compromise of hundreds of high-profile organizations.

Zscaler: 239 Malicious Apps on Google Play Downloaded 42 Million Times

A new report from Zscaler's ThreatLabz, published November 5, 2025, reveals a dramatic 67% year-over-year increase in Android malware. Researchers identified 239 malicious applications that successfully bypassed Google Play Store security, amassing a collective 42 million downloads before being removed. These apps often masqueraded as legitimate productivity 'Tools' to trick users. The report also highlights a dangerous trend in attacks against critical infrastructure, with the energy sector seeing a 387% surge in IoT/OT attacks, and significant increases in transportation and healthcare as well.

Hackers Hijack Logistics Systems to Orchestrate Physical Cargo Heists

A new and growing form of hybrid crime is targeting the supply chain, where cybercriminals infiltrate freight and logistics companies to facilitate physical cargo theft. According to recent reports, threat actors compromise carrier systems, often using legitimate Remote Monitoring and Management (RMM) tools like ScreenConnect. Once inside, they manipulate digital 'load boards' to bid on and win real shipments. They then reroute the cargo to a location controlled by organized crime partners, leading to the theft of entire truckloads of goods. This trend highlights a critical vulnerability where the digital transformation of the logistics industry is being exploited to cause billions in real-world losses.

CISA Adds Actively Exploited Gladinet and CWP Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are under active attack. The flaws include an information disclosure bug in Gladinet CentreStack/Triofox (CVE-2025-11371) and an OS command injection vulnerability in CWP Control Web Panel (CVE-2025-48703). Under Binding Operational Directive (BOD) 22-01, federal agencies are mandated to patch these vulnerabilities by a specified deadline, and CISA strongly urges all organizations to prioritize remediation to defend against these active threats.

CISA Warns of Critical ICS Flaws in Fuji, Delta, and Radiometrics Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released five advisories detailing critical vulnerabilities in Industrial Control Systems (ICS) from Fuji Electric, Survision, Delta Electronics, Radiometrics, and IDIS. The flaws, which include buffer overflows and authentication bypasses with CVSS scores up to 10.0, could allow remote code execution and severe disruption of critical infrastructure in sectors like manufacturing, energy, and aviation. CISA is urging immediate review and mitigation, as successful exploitation could lead to loss of control over industrial processes and, in some cases, create hazardous physical conditions.

Swedish IT Firm Breach Exposes Data of 1.5 Million, Sparks GDPR Probe

The Swedish IT services firm Miljödata has suffered a severe data breach, exposing the personal and potentially sensitive information of over 1.5 million people. The incident, which occurred in late August, resulted in the stolen data being published on the darknet. In response, the Swedish Data Protection Authority (IMY) has launched a major investigation under the General Data Protection Regulation (GDPR), targeting both Miljödata and several of its public sector clients, including the City of Gothenburg and Region Västmanland.

Identity is the New Perimeter: Stolen Credentials and Over-Privileged Accounts Drive Cloud Breaches

A consensus is forming across the cybersecurity industry: identity is the new security perimeter in the cloud. New reports from ReliaQuest and Amazon Web Services (AWS) reveal that identity-based attacks are the leading driver of cloud security incidents. Key findings show that compromised credentials caused 20% of breaches, while a staggering 99% of cloud identities are 'over-privileged,' possessing excessive permissions. Experts are urging a strategic shift away from network-centric security and towards a 'zero standing privileges' model, where access is granted on a temporary, as-needed basis to mitigate this massive attack surface.

Hackers Claim Breach and Full Database Theft from Russian Nuclear Waste Facility 'Radon'

A threat actor has posted on a data leak forum claiming to have breached Radon, a Russian state-owned enterprise responsible for nuclear waste management and operated by the nuclear giant Rosatom. The attackers allege they have stolen the company's entire database, which reportedly includes sensitive test statistics, user IDs, and the personal information of employees. Security experts warn that if the claim is legitimate, the breach poses a severe risk, as the data could be used to forge safety documents, endanger physical safety, or launch sophisticated spear-phishing campaigns against Russia's critical nuclear infrastructure.

F5 Hacked by Nation-State Actor; BIG-IP Source Code Stolen