This blog post provides an in-depth technical analysis of the malicious dynamic-link library (DLL) "msimg32.dll", which Cisco Talos observed being deployed in Qilin ransomware attacks. This DLL represents the initial stage of a sophisticated, multi-stage infection chain designed
A new and dangerous ransomware campaign has surfaced across South America, targeting Windows users with a carefully crafted strain that closely imitates the well-known Akira ransomware. While the two may appear nearly identical on the surface, this new threat is built on an entir
Security researchers have warned of another step change in the velocity of ransomware, after spotting the Akira group complete all stages of an attack within an hour. Halcyon said in a new report that Akira usually achieves initial access by exploiting vulnerabilities in internet
Fraud operations have expanded beyond traditional hacking techniques to include methods that exploit legitimate services and real-world infrastructure. By combining publicly available data, weak identity verification processes, and operational gaps, threat actors are building sca
The cost of high-performance GPUs, typically $8,000 or more, means they are frequently shared among dozens of users in cloud environments. Two new attacks demonstrate how a malicious user can gain full root control of a host machine by performing novel Rowhammer attacks on high-p
Nearly 80 percent of British manufacturers say they've been hit by a cyber incident in the past year, as new research suggests disruption on the factory floor is no longer an exception but business as usual. According to security outfit ESET, 78 percent of UK manufacturers admit
Today, much malware is described as "fileless" because it tries to keep its footprint on the infected filesystem to a bare minimum. But it still needs to write something somewhere, if only for persistence, and the registry is a common alternative storage location. However, some s
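A triage script for the registry-as-storage technique described above, added here as an illustration; it is not code from the original diary or from any malware sample. It parses a constructed .reg export (the key path and value names are invented) and flags values that look like stored payloads rather than configuration: raw blobs that start with an MZ header, base64 strings that decode to one, oversized values, and high-entropy data. The 4096-byte size threshold and the 7.0 bits-per-byte entropy cut-off are assumptions to tune per environment.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample data (not from any real infection): a small PE-style stub and a
# high-entropy blob standing in for a packed or encrypted second stage.
MZ_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + bytes(48)
PACKED = bytes(range(256)) * 2


def hexlist(data):
    return ",".join(f"{b:02x}" for b in data)


# Minimal .reg export in the layout "reg export" produces; key and value names are invented.
SAMPLE_REG = f'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\ExampleApp]
"Theme"="dark"
"Counter"=hex:01,00,00,00
"Blob"=hex:{hexlist(MZ_STUB[:24])},\\
  {hexlist(MZ_STUB[24:])}
"Stage"="{base64.b64encode(MZ_STUB).decode()}"
"Cache"=hex:{hexlist(PACKED)}
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: keys, string, dword and hex values,
    including hex continuation lines that end in a backslash. Returns (key, name, kind, bytes)."""
    entries, key, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        while raw.endswith("\\") and i < len(lines):  # hex data continued on next line
            raw = raw[:-1] + lines[i].strip()
            i += 1
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            entries.append((key, name, "REG_SZ", raw[1:-1].encode()))
        elif raw.startswith("dword:"):
            entries.append((key, name, "REG_DWORD", bytes.fromhex(raw[6:].zfill(8))))
        else:
            hm = HEX_RE.match(raw)
            if hm:
                kind = "REG_BINARY" if hm.group(1) is None else f"REG_TYPE_{hm.group(1)}"
                data = bytes(int(b, 16) for b in hm.group(2).split(",") if b)
                entries.append((key, name, kind, data))
    return entries


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_base64(text):
    return (len(text) >= 32 and len(text) % 4 == 0
            and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text) is not None)


def find_suspicious_values(entries, size_threshold=4096):
    """Flag values that look like stored payloads rather than configuration."""
    findings = []
    for key, name, kind, data in entries:
        reasons, payload = [], data
        if kind == "REG_SZ":
            text = data.decode("utf-8", errors="replace")
            if looks_like_base64(text):
                try:
                    payload = base64.b64decode(text, validate=True)
                    reasons.append("base64-encoded string")
                except ValueError:
                    pass
        if payload[:2] == b"MZ":
            reasons.append("starts with MZ (PE header)")
        if len(payload) >= size_threshold:
            reasons.append(f"large value ({len(payload)} bytes)")
        if len(payload) >= 64 and shannon_entropy(payload) > 7.0:
            reasons.append("high entropy")
        if reasons:
            findings.append({"key": key, "name": name, "kind": kind, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_values(parse_reg_export(SAMPLE_REG)):
        print(f"{f['key']}\\{f['name']} [{f['kind']}]: {', '.join(f['reasons'])}")
```

On a live host, export the hives of interest with reg export and feed the file in. The heuristics are deliberately loose: plenty of legitimate software stores serialized settings or cached binaries in the registry, so treat the output as a worklist for manual review rather than a verdict.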
Active since September 2025, Yurei is a double extortion ransomware campaign. The operators run their own Tor data leak site with a low number of victims listed at the time of writing. It is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go
A multi-pronged phishing campaign is targeting Spanish-speaking users in organizations across Latin America and Europe to deliver Windows banking trojans like Casbaneiro (aka Metamorfo) via another malware called Horabot. The activity has been attributed to a Brazilian cybercrime
A hijacked maintainer account was used to publish poisoned axios releases including 1.14.1 and 0.30.4. axios is the most popular JavaScript HTTP client library with over 100 million weekly downloads. On March 30, 2026, StepSecurity identified two malicious versions of the widely
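A lockfile check for the two axios versions named above, added here as an example written for this page; it is not StepSecurity's or the axios project's code. It walks an npm package-lock.json (v1 nested tree or v2/v3 flat map) for installed copies of a compromised version, and separately reports root dependency ranges that a fresh install could still resolve to one. The lockfile is constructed, the package names other than axios are invented, and the semver matcher deliberately covers only exact, caret and tilde specs.

```python
import json

# Versions named in the report above. This dict is the input you maintain yourself,
# not an authoritative feed.
COMPROMISED = {"axios": {"1.14.1", "0.30.4"}}

# Constructed package-lock.json (lockfile v3) for a hypothetical project.
SAMPLE_LOCK = json.loads('''{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0",
         "dependencies": {"axios": "^1.14.0", "example-sdk": "2.3.0"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/example-sdk": {"version": "2.3.0"},
    "node_modules/example-sdk/node_modules/axios": {"version": "1.13.0"},
    "node_modules/example-util": {"version": "0.30.2"}
  }
}''')


def package_name_from_path(path):
    """Lockfile v2/v3 keys look like node_modules/a/node_modules/@scope/b."""
    idx = path.rfind("node_modules/")
    return path[idx + len("node_modules/"):] if idx != -1 else path


def walk_lockfile(lock):
    """Yield (name, version, location) for every installed package in an npm lockfile."""
    packages = lock.get("packages")
    if packages:  # lockfile v2/v3: flat map keyed by install path
        for path, meta in packages.items():
            if path:  # "" is the root project itself
                yield package_name_from_path(path), meta.get("version"), path
        return

    def walk_v1(deps, prefix):  # lockfile v1: nested "dependencies" tree
        for name, meta in (deps or {}).items():
            loc = f"{prefix}node_modules/{name}"
            yield name, meta.get("version"), loc
            yield from walk_v1(meta.get("dependencies"), loc + "/")

    yield from walk_v1(lock.get("dependencies"), "")


def find_installed_compromised(lock, compromised=COMPROMISED):
    """Packages pinned in the lockfile at a version on the compromised list, nested copies included."""
    return [{"name": n, "version": v, "location": loc}
            for n, v, loc in walk_lockfile(lock) if v in compromised.get(n, ())]


def _v(s):
    return tuple(int(p) for p in s.split("."))


def range_allows(spec, version):
    """Minimal semver check for exact, '^' and '~' specs (no prerelease or '>=' handling)."""
    op, base = (spec[0], spec[1:]) if spec[:1] in ("^", "~") else ("", spec)
    b, v = _v(base), _v(version)
    if op == "":
        return v == b
    if v < b:
        return False
    if op == "~":
        return v[:2] == b[:2]
    if b[0] > 0:          # ^1.2.3 accepts any 1.x.y >= 1.2.3
        return v[0] == b[0]
    if b[1] > 0:          # ^0.2.3 accepts any 0.2.y >= 0.2.3
        return v[:2] == b[:2]
    return v == b         # ^0.0.3 accepts exactly 0.0.3


def find_ranges_at_risk(lock, compromised=COMPROMISED):
    """Root dependency ranges that a fresh resolution could satisfy with a compromised
    version, even if the lockfile currently pins something else."""
    declared = lock.get("packages", {}).get("", {}).get("dependencies", {})
    out = []
    for name, spec in declared.items():
        bad = sorted(ver for ver in compromised.get(name, ()) if range_allows(spec, ver))
        if bad:
            out.append({"name": name, "spec": spec, "would_accept": bad})
    return out


if __name__ == "__main__":
    for hit in find_installed_compromised(SAMPLE_LOCK):
        print("INSTALLED compromised:", hit)
    for risk in find_ranges_at_risk(SAMPLE_LOCK):
        print("RANGE at risk:", risk)
```

Point it at a real project with json.load(open("package-lock.json")). A clean lockfile is only half the check: if package.json declares a range such as ^1.14.0, any machine that resolves dependencies without honouring the lockfile (npm install rather than npm ci, or a fresh project) can still pull the poisoned release, which is what find_ranges_at_risk reports.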
In a cyber incident, most organizations fear data loss through exfiltration more than plain data encryption, because a good backup policy covers the latter. Once exfiltration has happened, it means a total loss of control over the stolen data, with all the consequences that brings (PII, CC
The GIGABYTE Control Center is vulnerable to an arbitrary file-write flaw that could allow a remote, unauthenticated attacker to access files on vulnerable hosts. The hardware maker says that successful exploitation could potentially lead to code execution on the underlying syste
Successful exploitation of this vulnerability could allow an attacker with access to the MAVLink interface to execute arbitrary shell commands without cryptographic authentication. The following versions of PX4 Autopilot are affected: Autopilot v1.16.0_SITL_latest_stable (CVE-202
Successful exploitation of this vulnerability could allow attackers with network access to alter operational settings, obtain sensitive signal data, or disrupt device availability. The affected Critical Infrastructure Sectors include Communications, Defense Industrial Base, Emerg
US authorities are getting more aggressive about detentions and seizures, and no single law governs phone inspections, making devices configured for biometric unlocking highly vulnerable. Legal experts agreed that legal rights in this area were murky at best, and ZDNET's recommen
A newly identified malicious implant named RoadK1ll is enabling threat actors to quietly move from a compromised host to other systems on the network. The malware is a Node.js implant that communicates over a custom WebSocket protocol to sustain ongoing attacker access and enable
This TSUBAME Report Overflow series discusses monitoring trends observed by overseas TSUBAME sensors, as well as other activities that are not included in the Internet Threat Monitoring Quarterly Reports. This article covers the monitoring results from July to September 2025.
A 15-year-old flaw in strongSwan's EAP-TTLS plugin could let hackers knock VPNs offline. Research from Bishop Fox reveals how a simple math error leads to massive memory corruption and service collapse. For over a decade and a half, a quiet but serious security flaw has been sitt
Security researchers are warning that applications using AI frameworks without proper safeguards can expose sensitive information in basic, yet critical, non-AI ways. According to a recent Cyera analysis, widely used AI orchestration tools, LangChain and LangGraph, are vulnerable
Sansec is tracking a mass exploitation wave of the PolyShell vulnerability that hit hundreds of online stores within a single hour today. The attacks are ongoing: new victims appear every minute. Sansec Shield has been blocking PolyShell attacks since March 16th. After gaining ac
A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server.
An authenticated attacker could use it to access sensitive files, such as wp-config.php, which i
When people hear the word “cyberattack,” many imagine the most extreme scenario: everything was working, and suddenly the website goes down, payments stop, files become inaccessible, and a ransom demand appears on the screen. In practice, however, most incidents develop different
The European Commission has allegedly been breached by ShinyHunters, with reported data dumps including content from mail servers and internal communications systems.
The cybercrime group added the Commission to its Tor data leak site, claiming the theft of more than 350 GB of data.
Proofpoint has disclosed details of a targeted email campaign in which threat actors with ties to Russia are leveraging the recently disclosed DarkSword exploit kit to target iOS devices.
The activity has been attributed with high confidence to the Russian state-sponsored threat
macOS users are targeted in a fresh ClickFix campaign that uses a Cloudflare-themed verification page to deliver a Python-based information stealer, Malwarebytes reports.
The attack starts with a fake CAPTCHA page that serves a legitimate-looking Cloudflare human verification pag
TeamPCP has again expanded its supply chain attacks on open-source repositories by targeting Telnyx, according to security researchers.
The cyber threat group recently rose to notoriety by uploading malicious packages to Python Package Index (PyPI), the official online reposito
Cyberattackers, equipped with AI, are mastering the art of imitating the familiar, posing as trusted users and masking their activity within legitimate processes and ordinary network traffic. Mimicry is the new normal, with 81% of attacks now malware-free. Agentic AI is helping a
Prolific Russia-aligned Advanced Persistent Threat (APT) group Pawn Storm, also known as APT28, Fancy Bear, UAC-0001 and Forest Blizzard, has deployed PRISMEX, a new collection of interconnected malware components. This operation targets the defense supply chain of Ukraine and it
A months-long investigation by Rapid7 Labs has uncovered evidence of an advanced China-nexus threat actor, Red Menshen, placing some of the stealthiest digital sleeper cells the team has ever seen in telecommunications networks. The goal of these campaigns is to carry out high-le
A large-scale Magecart operation remained active for over 24 months, using an infrastructure of more than 100 domains. While the direct victims are e-commerce websites, the real pressure falls on banks and payment systems. As ANY.RUN's analysis shows, threat actors applied multi-
Spyware is one of the biggest threats to your mobile security and can severely impact your phone's performance if you are unlucky enough to become infected. It is a type of malware that typically lands on your iPhone or Android phone through malicious mobile apps or through phish
Cisco Talos' Vulnerability Discovery & Research team recently disclosed one vulnerability in Hikvision, 10 in TP-Link and 19 in Canva. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco's third-party
In September 2025, Anthropic disclosed that a state-sponsored threat actor used an AI coding agent to execute an autonomous cyber espionage campaign against 30 global targets. The AI handled 80-90% of tactical operations on its own, performing reconnaissance, writing exploit code
On Wednesday, Russian police arrested the alleged administrator of the cybercrime forum LeakBase, according to the state-owned news agency TASS. LeakBase was, as the U.S. Department of Justice put it, "one of the world's largest online forums for cybercriminals" for sharing hacki
Kamasers is a sophisticated DDoS botnet that supports both application-layer and transport-layer attacks, including HTTP, TLS, UDP, TCP, and GraphQL-based flooding. The malware can also act as a loader, downloading and executing additional payloads, which raises the risk of furth
In early March, we traveled to Baku, the capital of Azerbaijan, and had the opportunity to visit five organizations, including CSIRTs and facilities involved in cyber security workforce development. In Azerbaijan, CSIRTs have been established across various sectors, including gov
The U.S. FCC announced a ban on importing new foreign-made consumer routers, citing unacceptable cyber and national security risks. The decision, backed by Executive Branch assessments, means such devices can no longer be sold or marketed in the U.S. unless they receive special a
In Northern California wine country the weekend before RSAC, roughly 80 top cybersecurity CEOs, chief information security officers and former government officials convene at the intimate Cyber Council gathering to game out the next two to three years for the industry. For the fi
Last week, the GreyNoise Observation Grid (GOG) observed something unusual: 242,666 new scanning IPs geolocating to Hong Kong appeared in seven days, nearly half of all new scanning IPs observed by GreyNoise that week. And 99.7% of them never completed a single TCP connection.
Attacks leveraging the 'PolyShell' vulnerability in version 2 of Magento Open Source and Adobe Commerce installations are underway, targeting more than half of all vulnerable stores. According to eCommerce security company Sansec, hackers started exploiting the critical PolyShell
SHARP routers allow access to some web APIs without performing authentication. This has been identified as missing authentication for critical function (CWE-306). The vulnerability is tracked under CVE-2026-32326, with a CVSS v4
As special guest Jim Browning noted, "If there are people willing to attack you, your systems, and your business, the best way to defend yourself is to understand how they do this, who they are, and how they're working. If you understand all of that, you're far better able to pro
Since early 2023, Nisos has provided our clients with critical insights and conducted OSINT (Open-Source Intelligence) pre-employment and insider risk investigations to mitigate the threat of North Korean (DPRK) IT worker employment schemes. In June 2025, we used a combination of
The TeamPCP hacking group is targeting Kubernetes clusters with a malicious script that wipes all machines when it detects systems configured for Iran. The threat actor is responsible for the recent supply-chain attack on the Trivy vulnerability scanner, and also an NPM-based cam