Category: Threats

  • VECT 2.0 Ransomware Can Damage Files Its Own Decryptor Cannot Reliably Restore

    A new ransomware strain called VECT 2.0 is raising serious concerns among security professionals, and for a troubling reason — even if a victim pays the ransom, the attacker’s own decryptor may not fully restore their files. This is not a typical failure…

  • Fake Claude Code Installer Via Google Sites Delivers Credential-Stealing Malware

    Cybercriminals have found a new and clever way to exploit the growing popularity of AI developer tools. A recently identified campaign uses fake pages mimicking Claude Code and OpenAI Codex, hosted on trusted Google Sites infrastructure, to trick users into running commands that quietly steal…

  • WordPress Malware Abuses Steam Community Profiles for C2 Operations

    A newly discovered malware campaign targeting WordPress websites has raised serious concerns across the web security community. Attackers behind this campaign are using an unexpected method to communicate with infected sites, hiding command instructions inside Steam Community profile comments and turning a popular gaming platform into…

  • Threat Actor Uses Stolen Gemini API Keys to Automate Telegram Influence Campaign

    A single threat actor has been running a fake political persona on Telegram for five years, quietly building an audience of over 17,000 subscribers while using stolen AI credentials to power the entire operation. What looks like an American patriot channel is actually…

  • Nimbus Manticore APT Abuses Fake Recruitment Portal to Deliver Custom Malware

    A state-linked hacking group has been caught running a carefully crafted fake recruitment operation to push custom malware onto unsuspecting victims. The group, known as Nimbus Manticore and also tracked as UNC1549 and Smoke Sandstorm, has a long history of targeting professionals in the…

  • Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package

    A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist, the main package repository for PHP projects. The attack takes direct aim at software developers, disguising a dangerous payload as a routine configuration file. This kind…

  • Hackers Attacking Signal Users to Steal Backups in New Wave of Attacks

    A new wave of phishing attacks is targeting users of Signal, the encrypted messaging app trusted by journalists, activists, and privacy-conscious individuals worldwide. Hackers are impersonating Signal’s support team and tricking users into handing over their backup recovery keys, which can unlock entire…

  • Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges

    A newly analyzed ransomware strain called The Gentlemen is raising serious alarms across the cybersecurity community. Built in the Go programming language and obfuscated with a tool called Garble, it combines powerful per-file encryption with an aggressive ability to spread itself silently across…

  • Malicious RVTools Installer Abuses Sectigo Certificate to Bypass SmartScreen Warnings

    A trusted tool for VMware administrators has been weaponized. Attackers built a fake version of RVTools, a widely used utility for managing virtual infrastructure, and disguised it with a real digital certificate to slip past Windows security warnings without raising a flag. RVTools is a…

  • Silent Ransom Group Targets Law Firms With IT Support Impersonation Attacks

    A threat group known as the Silent Ransom Group is actively targeting US-based law firms using a bold and deceptive social engineering playbook. Rather than deploying ransomware in the traditional sense, this group goes straight for the data and then turns it into a…

  • SBI Warns Scammers Are Sending Fake Messages Claiming Your YONO App Will Be Deactivated

    A new wave of social engineering attacks is targeting millions of State Bank of India customers across the country. Fraudsters are sending fake messages warning users that their YONO banking app will be deactivated unless they update their Aadhaar number…

  • Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub

    A dangerous malware campaign known as Glassworm has been spreading through the tools that software developers trust most every day. By abusing popular platforms like npm, PyPI, OpenVSX, and GitHub, the attackers have turned routine development workflows into entry points for data theft, credential harvesting, and…

  • Attackers Abuse Open RDP Ports to Gain Initial Access Into Business Networks

    There is a decades-old misconfiguration sitting quietly inside countless business networks, and attackers are still making full use of it. Remote Desktop Protocol, or RDP, allows users to connect to and control a computer remotely over a network. When its default port, 3389,…

  • Phishing Services Use RCS and iMessage to Bypass Traditional SMS Security Filters

    A new wave of phishing operations is quietly changing the way cybercriminals steal financial data from everyday people. Rather than relying on traditional SMS messages that carriers can easily flag and block, threat actors are now using encrypted messaging channels like Rich Communication…

  • Payload Ransomware Uses ChaCha20 and Curve25519 ECDH to Encrypt Windows Files

    A dangerous new ransomware strain called Payload has been quietly building a global victim list since it first appeared in February 2026. The group launched its leak site with a high-profile target and has since expanded operations across Egypt, Mexico, Poland, and beyond. What…

  • MiniUpdate RAT Uses Azure-Hosted C2 Domains for Targeted Espionage Campaigns

    A new wave of targeted espionage attacks has put technology professionals across the United States, Israel, and the United Arab Emirates on high alert. The threat comes from an Iran-linked hacking group deploying two families of remote access trojans through cleverly disguised recruitment lures and…

  • Hackers Abuse Middle East Telecom Networks for Large-Scale Command-and-Control Operations

    Hackers are using telecom networks and hosting providers across the Middle East as a foundation for massive command-and-control operations, turning trusted infrastructure into a launchpad for cyberattacks. A newly released threat intelligence report reveals that more than 1,350 active command-and-control (C2) servers were identified across…

  • World Cup Phishing Campaign Nearly Triples With 203 Unique IP Addresses

    A large-scale phishing campaign targeting the 2026 FIFA World Cup has grown far beyond what security researchers originally thought. What began as a documented set of 79 fraudulent domains has ballooned into a network of at least 222 domains spread across 203 unique IP…

  • Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access

    Russian state-sponsored threat groups significantly stepped up their cyber operations in 2025, using a range of methods to break into targeted systems. From exploiting remote desktop tools and virtual private networks to manipulating trusted supply chains and deceiving employees through…

  • Hackers Use Hugging Face to Host Second-Stage Malware for npm Supply Chain Attack

    Hackers have found a new and alarming way to weaponize one of the most trusted platforms in the AI world. A threat actor linked to North Korea has embedded second-stage malware inside Hugging Face, the widely used AI and machine learning hub,…

  • BadIIS Malware Hijacks IIS Servers and Redirects Users to Illicit Sites

    A dangerous piece of malware known as BadIIS has been actively targeting Internet Information Services (IIS) web servers, quietly hijacking them and redirecting unsuspecting visitors to illegal gambling sites, adult content platforms, and other illicit destinations. The attacks have been going on for…

  • Hackers Compromise @antv Packages in Mini Shai-Hulud npm Attack Wave

    A sweeping supply chain attack has hit the npm ecosystem, compromising hundreds of widely used JavaScript packages tied to the @antv data visualization library. The attack, which unfolded in the early hours of May 19, 2026, injected malicious code into packages used by millions of…

  • Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data

    A threat actor known as Storm-2949 has launched a sophisticated, multi-layered cloud attack campaign targeting Microsoft Entra ID accounts to steal sensitive data from Microsoft 365 and Azure environments. The campaign was recently uncovered and has raised serious concerns about how modern…

  • Gunra Ransomware Expands RaaS Operations After Shifting From Conti-Based Locker

    Gunra ransomware has quickly grown from a new threat into a serious global problem, hitting dozens of organizations in less than a year. The group behind it is not just encrypting data, but also running a business-like operation that sells access, leaks stolen files, and…

  • Microsoft Details Kazuar Malware’s Modular Architecture and P2P Botnet Operations

    A nation-state malware known as Kazuar has resurfaced with a far more dangerous design than anyone expected. What once started as a relatively standard backdoor has now grown into a fully modular, peer-to-peer botnet specifically engineered for long-term, covert espionage against high-value government and diplomatic…

  • Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks

    A state-aligned hacking group known as FrostyNeighbor has resurfaced with a fresh wave of cyberattacks targeting government organizations in Ukraine, using a carefully designed infection chain that is harder than ever to detect. The group, active since at least 2016, has a long history of…

  • Langflow CVE-2026-33017 Exploited to Steal AWS Keys and Deploy NATS Worker

    Attackers are now abusing a fresh Langflow vulnerability to quietly steal cloud keys and turn victim systems into workers for a new NATS-based botnet. This campaign shows how a single exposed AI workflow tool can become the start of large-scale credential theft…

  • Packagist Urges Immediate Composer Update After GitHub Actions Token Leak

    Packagist is sounding the alarm for PHP developers everywhere. A flaw in Composer, the widely used PHP dependency manager, briefly caused GitHub authentication tokens to leak into publicly visible CI logs, raising urgent concerns about credential exposure across thousands of active software projects around the…

  • Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading

    Iran-linked hackers have been quietly breaking into networks around the world, and their latest campaign is more calculated than anything we have seen from them before. The group known as Seedworm, also tracked as MuddyWater, spent the first quarter of 2026 targeting at least…

  • New Exim BDAT GnuTLS Vulnerability Enables Code Execution Attacks

    A serious security flaw has been found in Exim, one of the most widely deployed mail transfer agents on the internet today. The vulnerability, tracked as EXIM-Security-2026-05-01.1, allows a remote attacker to corrupt server memory and potentially execute malicious code without needing any special privileges or…

  • Google Enhances Android Mobile Security with New AI-Powered Protections

    Android smartphones have become the go-to device for billions of people around the world. From banking and messaging to storing personal photos and sensitive documents, people rely on them for almost everything. That reliance has made mobile devices a prime target for scammers, cybercriminals, and threat…

  • Microsoft Releases Cumulative Update for Windows 11, Version 25H2 and 24H2

    Microsoft pushed out a significant cumulative update for Windows 11 on May 12, 2026, covering both version 25H2 and version 24H2. The update, identified as KB5089549, brings OS Builds 26200.8457 and 26100.8457 to users running these versions. It bundles the latest security fixes alongside…

  • Magecart Hackers Abuse Google Tag Manager to Inject Credit Card Skimmers

    Online shoppers have long been targets of digital theft, but a recent wave of attacks has raised the stakes in a troubling new way. Hackers tied to the notorious Magecart group are now hiding credit card skimmers inside Google Tag Manager (GTM) containers, turning…

  • TeamPCP Compromised Checkmarx Jenkins AST Plugin Following KICS Supply Chain Attack

    A supply chain attack that started with a relatively obscure open-source scanner has now reached one of the most widely used application security tools in the industry. In May 2026, a malicious version of the Checkmarx Jenkins AST plugin was quietly published to the…

  • TrickMo Android Banking Malware Targets Banking, Wallet, and Authenticator Apps

    A dangerous Android banking malware known as TrickMo has resurfaced with a powerful new variant, and this time it is more stealthy, more capable, and harder to stop than ever before. The threat is actively targeting users of banking apps, digital wallets, and authenticator applications…

  • Vidar Malware Targets Browser Credentials, Cookies, Crypto Wallets, and System Data

    A long-active information stealer is making headlines again, and this time it is targeting more than just passwords. Vidar malware, a credential-harvesting tool in circulation since late 2018, has been observed running through a sophisticated multi-stage attack chain designed to slip past modern security…

  • JDownloader Downloader Hacked to Infect Users With New Python RAT

    JDownloader, the popular open-source download manager trusted by millions of users worldwide, was at the center of a serious supply chain attack in early May 2026. Attackers quietly compromised the official jdownloader.org website and replaced legitimate installer download links with malicious files carrying a fully…

  • New PamDOORa Backdoor Attacking Linux Systems to Steal SSH Credentials

    A new backdoor called PamDOORa has emerged as a serious and growing threat to Linux systems, targeting one of the most trusted components of the operating system to silently steal SSH credentials. The malware was advertised for sale on a Russian-speaking cybercrime forum called Rehub,…

  • Hackers Used Claude AI to Attack Water and Drainage Utility Systems

    A new threat intelligence report has revealed that an unknown group of hackers used a commercial AI tool to target the systems of a municipal water and drainage utility in Monterrey, Mexico. The attack, which took place in January 2026, marks one of…

  • New ClickFix Attack Targets macOS Users With Fake Disk Cleanup and Utility Lures

    A new wave of cyberattacks is putting macOS users in the crosshairs, and this time the bait looks almost too familiar. Attackers are disguising their malware as helpful disk cleanup tools and system utilities, tricking people into running dangerous commands directly on…

  • Beware of Fake ‘Notepad++ for Mac’ Website That Could Harm Your Machine

    A fake website claiming to offer an official macOS version of the popular text editor Notepad++ has been making rounds online, raising serious cybersecurity concerns across the tech community. The site, operating under the domain notepad-plus-plus-mac.org, falsely presents itself as the official release…

  • pnpm 11 Turns On Minimum Release Age by Default to Reduce npm Supply Chain Risk

    The npm ecosystem has long been a target for supply chain attacks, where threat actors exploit the open nature of public package registries to push malicious code into developer environments. With pnpm 11, the package manager takes a direct step…

  • Threat Actors Use AI to Automate 0-Day Discovery and Exploitation at Machine Speed

    The way cyberattacks are launched has fundamentally changed. Threat actors are no longer spending months hunting for software flaws by hand. With artificial intelligence in their toolkit, they can now discover and exploit zero-day vulnerabilities in minutes, placing organizations across every sector…

  • Email Bombing and Fake IT Support Calls Fuel New Microsoft Teams Phishing Attacks

    A new wave of cyberattacks is targeting employees through a combination of inbox flooding and fake IT support contacts on Microsoft Teams, tricking users into handing over remote access to their own devices. These attacks have been growing steadily since the start…

  • EtherRAT Campaign Uses SEO Poisoning and GitHub Facades to Target Enterprise Admins

    A new and well-planned malware campaign has been actively targeting enterprise administrators, DevOps engineers, and security analysts by hijacking their everyday search habits. Rather than using mass phishing or broad spam waves, threat actors behind this operation have carefully crafted a delivery chain…

  • China-Aligned Attackers Use ShadowPad, IOX Proxy, and WMIC in Multi-Stage Espionage Campaign

    A China-aligned threat group has been carrying out a carefully planned espionage campaign against government agencies and critical infrastructure across Asia. The group, tracked under the temporary designation SHADOW-EARTH-053, has been active since at least December 2024, quietly targeting organizations in at least…

  • New Fake CAPTCHA Campaign Uses SMS Pumping Fraud to Run Up Victims’ Phone Bills

    A newly documented scam campaign is using fake CAPTCHA pages to silently trigger dozens of international SMS messages from victims’ mobile phones, leaving them with unexpected charges on their phone bills. What looks like a routine “prove you’re human” step online…

  • Claude-Generated Commit Adds PromptMink Malware to Crypto Trading Agent

    A new threat has quietly taken root in the software development world, using an AI coding assistant as an unknowing participant in a supply chain attack. A malicious npm package campaign called PromptMink surfaced after being introduced into an open-source autonomous crypto trading project through a…

  • Novel KarstoRAT RAT Enables Webcam Monitoring, Audio Recording, and Remote Payload Execution

    A newly identified remote access trojan called KarstoRAT has been found in sandbox analyses and malware repositories since early 2026. The malware gives attackers a broad set of remote-control capabilities over compromised Windows machines, including webcam capture, audio recording, keylogging, screenshot theft, and…

  • New Vect 2.0 RaaS Operation Targets Windows, Linux, and ESXi Systems

    A new ransomware group known as Vect 2.0 has entered the global cyberthreat landscape, operating as a full Ransomware-as-a-Service (RaaS) platform that targets Windows, Linux, and VMware ESXi systems. The group first appeared in December 2025 and rapidly scaled its activity through February 2026,…

  • New VECT 2.0 Ransomware Destroys Files Over 128 KB Across Windows, Linux, and ESXi

    A newly documented ransomware strain called VECT 2.0 has drawn serious attention from the cybersecurity community for a deeply damaging flaw in its design. Unlike typical ransomware that locks files and demands payment for decryption, VECT 2.0 permanently destroys any file…

  • New BlueNoroff Campaign Uses Fileless PowerShell and AI-Generated Zoom Lures

    A dangerous new cyber campaign from North Korea’s Lazarus Group is targeting cryptocurrency and Web3 professionals using fake Zoom meeting interfaces, fileless PowerShell scripts, and AI-generated deepfake content. The group behind this activity is BlueNoroff, a financially motivated subgroup known for stealing digital assets. This…

  • OilRig Hides C2 Configuration in Google Drive Image Using LSB Steganography

    A well-known Iranian state-sponsored hacking group called OilRig, also tracked as APT34 and Helix Kitten, has been found hiding its command-and-control (C2) server configuration inside a regular-looking image file stored on Google Drive. The threat group used a technique called LSB (Least Significant Bit)…

  • Vidar Malware Hides Second-Stage Payloads in JPEG and TXT Files to Evade Detection

    Vidar, one of the most active information-stealing malware families, has taken on a new shape in 2026. Researchers have found that its latest version now conceals second-stage payloads inside JPEG image files and TXT documents, making it much harder for security tools…

  • ‘fast16’ Malware With Sabotage Capabilities Attacks Ultra-Expensive Targets

    The fast16 malware is a recently exposed sabotage-capable threat designed to target extremely high-value environments and ultra-expensive systems with precision. It does not behave like common commodity malware that aims for broad infections, but instead focuses on select victims where disruption or long-term control can cause…

  • Hackers Use Fake CAPTCHA Pages to Trigger Costly International SMS Fraud

    Most internet users are familiar with CAPTCHA tests, simple challenges like selecting traffic lights or typing distorted letters to confirm they are human. But cybercriminals have found a way to weaponize this process. Hackers are now building fake CAPTCHA pages that trick users into…

  • Hackers Use Telegram Bots to Track 900+ Successful React2Shell Exploits

    A newly exposed server has revealed how a threat actor used automated tools, AI assistance, and Telegram bots to silently hack into more than 900 companies around the world. The operation, built around a tool called “Bissa scanner,” targeted internet-facing web applications at a massive…

  • Ransomware Hackers Develop Custom Exfiltration Tool to Steal Sensitive Data

    Ransomware attackers are no longer relying only on widely known tools to steal data. Affiliates linked to the Trigona ransomware group have taken a more calculated approach by building their own custom data exfiltration tool, one that gives them greater precision, speed, and control over…

  • 109 Fake GitHub Repositories Used to Deliver SmartLoader and StealC Malware

    A large-scale malware distribution campaign has been uncovered involving 109 fake GitHub repositories that were used to trick users into downloading two dangerous malware tools named SmartLoader and StealC. The campaign was carefully built around cloned versions of legitimate open-source projects, making it hard…

  • Malicious Google Ads Target Crypto Users With Wallet Drainers and Seed Phrase Theft

    Cybercriminals are now using Google’s own advertising platform to steal cryptocurrency from unsuspecting users. They place fake ads that look exactly like real links to popular crypto applications, and when users click on them, they land on websites designed to drain their…

  • Microsoft-Signed Binary Used to Sneak LOTUSLITE Into India-Focused Espionage Campaign

    A state-linked threat group has been caught running a quiet but carefully planned espionage operation against India’s banking sector, using a trusted Microsoft-signed file to slip malware past security defenses. The campaign delivers a new version of the LOTUSLITE backdoor through a technique known as…

  • SideWinder Uses Fake Chrome PDF Viewer and Zimbra Clone to Steal Government Webmail Credentials

    A well-known advanced persistent threat group called SideWinder has launched a highly targeted phishing campaign against South Asian government organizations, using a fake Chrome PDF viewer and a pixel-perfect clone of the Zimbra email login portal to steal employee credentials. The…

  • Hackers Use CVE-2024-3721 to Infect TBK DVRs With Nexcorium DDoS Malware

    A newly identified botnet campaign is actively exploiting a critical flaw in TBK digital video recorders to deploy a dangerous piece of malware known as Nexcorium, a Mirai-based threat built to launch large-scale distributed denial-of-service attacks. The vulnerability at the center of this campaign,…

  • Hackers Target TP-Link Routers With Mirai Malware in CVE-2023-33538 Exploitation Attempts

    A known security flaw in several end-of-life TP-Link Wi-Fi routers is being actively targeted by hackers trying to install Mirai-based botnet malware on vulnerable devices. The vulnerability, tracked as CVE-2023-33538, affects multiple TP-Link models that no longer receive vendor updates, leaving users with no…

  • Hackers Target Israeli Desalination Plants With ZionSiphon Sabotage Malware

    A newly discovered piece of malware called ZionSiphon has raised serious concerns about the security of critical water infrastructure in Israel. The malware was built with a clear focus: to infiltrate and potentially sabotage Israeli water treatment and desalination systems, the very facilities responsible for providing…

  • Hackers Target Trucking and Freight Firms to Steal Real-World Cargo Shipments

    A new wave of cyber attacks is hitting trucking carriers and freight brokers, and the goal is not just data theft. Criminals are breaking into logistics companies digitally to steal physical cargo shipments worth millions of dollars in the real world. Cargo theft is…

  • New Chrome Privacy Analysis Shows How Fingerprinting and Header Leaks Can Expose Users

    Google Chrome is the most widely used browser in the world, yet a sweeping new analysis reveals it offers users almost no protection against fingerprinting and data leaks that quietly expose their identity to websites and trackers. Published April 14, 2026, the…

  • Fake Adobe Reader Download Delivers ScreenConnect Through Stealthy In-Memory Loader

    A newly uncovered attack campaign is tricking users into installing remote access software on their systems by disguising malware as a legitimate Adobe Acrobat Reader download. The attack uses a sophisticated chain of techniques — including in-memory execution, process masquerading, and privilege escalation — to…

  • 1,250+ C2 Servers Mapped Across 165 Russian Hosting Providers

    Cybersecurity researchers have uncovered a large and organized network of malicious infrastructure quietly running inside Russia’s commercial hosting ecosystem. Over a three-month window from January 1 to April 1, 2026, more than 1,250 active command-and-control (C2) servers were detected across 165 Russian infrastructure providers, spanning…

  • FUNNULL-Linked Triad Nexus Resurfaces With 175+ Rotating CNAME Domains and Global Scam Portals

    A cybercriminal group tied to the FUNNULL Content Delivery Network has made a calculated return with a far more sophisticated and evasive infrastructure. Known as Triad Nexus, the group has rebuilt its global fraud operation following U.S. Treasury sanctions, deploying over 175…

  • New JanaWare Ransomware Targets Turkish Users Through Customized Adwind RAT

    A new ransomware family called JanaWare has begun targeting computer users in Turkey, relying on a customized version of the Adwind remote access trojan (RAT) to gain a foothold on victims’ systems. This campaign stands out because it combines a known cross‑platform RAT with fresh…

  • 25,000+ Endpoints Exposed by Dragon Boss Solutions Update Domain Supply Chain Attack

    What started as a routine adware alert quickly turned into something far more serious. On the morning of March 22, 2026, security alerts began firing across multiple managed environments, all linked to software signed by a company called Dragon Boss Solutions LLC. The…

  • Hackers Use Fake Proxifier Installer on GitHub to Spread ClipBanker Crypto-Stealing Malware

    A dangerous malware campaign has been silently targeting cryptocurrency users by hiding inside a fake version of Proxifier, a popular proxy software tool. Threat actors set up a GitHub repository designed to look like a legitimate Proxifier download, but the installer bundled inside…

  • Hackers Abuse GitHub and Jira Notifications to Deliver Phishing Through Trusted SaaS Channels

    Cybercriminals are now weaponizing the very tools that developers and IT teams trust the most. By abusing the automated notification features built into GitHub and Jira, threat actors are delivering convincing phishing emails that originate directly from those platforms’ own servers. What…

  • Critical WordPress Plugin Flaw Lets Attackers Bypass Authentication and Gain Admin Access

    A critical security flaw found in a widely used WordPress plugin is putting thousands of websites at serious risk worldwide. Tracked as CVE-2026-1492, this vulnerability affects the User Registration & Membership plugin for WordPress and lets attackers completely bypass the login process to…

  • Trojanized OpenVSX Extension Spreads GlassWorm Across VS Code, Cursor, and Windsurf

    A fake developer extension published on the OpenVSX marketplace is silently spreading a known malware strain called GlassWorm to every code editor installed on a developer’s machine. The malicious package disguises itself as a legitimate productivity tool and uses a compiled native binary to…

  • DesckVB RAT Uses Obfuscated JavaScript and Fileless .NET Loader to Evade Detection

    A new Remote Access Trojan known as DesckVB has been targeting systems in 2026, using obfuscated JavaScript and a fileless .NET loader to stay hidden from traditional security tools. The malware gives attackers full remote control over a victim’s machine, making it a…

  • New RoningLoader Campaign Uses DLL Side-Loading and Code Injection to Evade Detection

    A threat actor known as DragonBreath has launched a stealthy campaign using a multi-stage malware loader called RoningLoader. The malware targets Chinese-speaking users by disguising itself as trusted software such as Google Chrome and Microsoft Teams. Its core strength lies in a layered…

  • New Silver Fox Campaign Hides ValleyRAT Inside Fake Telegram Chinese Language Pack Installer

    A new malware campaign linked to the Silver Fox APT group has been discovered, using a fake Telegram Chinese language pack installer to secretly deliver ValleyRAT — a powerful remote access trojan — onto targeted machines. The malicious file, disguised as a…

  • Microsoft Warns Storm-1175 Exploits Web-Facing Assets 0-Day Flaws in Medusa Ransomware Attacks

    A new ransomware campaign is putting organizations on high alert. A financially motivated threat group known as Storm-1175 has been running fast-paced attacks targeting vulnerable, internet-facing systems — and deploying the Medusa ransomware as the final blow. What makes this group especially dangerous…

  • Hackers Use Fake TradingView Premium Posts on Reddit to Deliver Vidar and AMOS Stealers

    A threat actor has been running an active campaign on Reddit, using fake posts that promise free TradingView Premium access to deliver two malware families — Vidar on Windows and AMOS on macOS. The operation is still live, with new posts…

  • New ResokerRAT Uses Telegram Bot API to Control Infected Windows Systems

    A new Remote Access Trojan (RAT) called ResokerRAT has been found targeting Windows systems by abusing Telegram’s widely used Bot API to receive commands and send stolen data back to attackers. Unlike traditional malware that relies on custom command-and-control servers, this threat routes all…

  • 36 Malicious npm Strapi Packages Used to Deploy Redis RCE and Persistent C2 Malware

    A coordinated supply chain attack has been uncovered targeting developers who build applications on Strapi, a widely used open-source content management system. Thirty-six malicious npm packages disguised as legitimate Strapi plugins were published to the npm registry, carrying payloads designed to…

  • North Korea-Linked Hackers Compromise Axios npm Package in Major Supply Chain Attack

    A North Korea-linked threat group has successfully hijacked one of the most widely used JavaScript libraries on the internet, injecting malware into millions of potential development environments. On March 31, 2026, attackers gained access to the Axios Node Package Manager (npm) package using…

  • New WhatsApp Attack Chain Uses VBS Scripts, Cloud Downloads, and MSI Backdoors

    A new malware campaign is actively using WhatsApp to deliver harmful files directly to Windows users, exploiting the widespread trust placed in everyday messaging apps. The threat actors send malicious Visual Basic Script (VBS) files through WhatsApp messages, knowing that users rarely question…

  • Remcos RAT Infection Chain Hides Behind Obfuscated Scripts and Trusted Windows Binaries

    Cybercriminals are getting better at hiding their tracks, and a recently uncovered Remcos RAT campaign is proof of that. This attack does not rely on a single malicious file dropped onto a system. Instead, it uses a carefully built, multi-stage chain that starts…

  • Hackers Backdoor Telnyx Python SDK on PyPI to Steal Credentials Across Windows, macOS, and Linux

    A threat actor group known as TeamPCP has been caught backdooring the Telnyx Python SDK on PyPI — a popular cloud communications library with over 700,000 downloads in February alone. On March 27, 2026, two malicious versions of the package,…

  • New npm Supply Chain Attack Uses undicy-http to Deploy Screen-Streaming RAT and Browser Injector

    A malicious npm package named undicy-http has surfaced inside the Node.js developer ecosystem, quietly compromising machines of developers who mistakenly install it. The package impersonates undici, the official HTTP client library bundled with Node.js that handles millions of weekly downloads. Despite sharing a near-identical…

  • XLoader Malware Upgrades Obfuscation Tactics and Hides C2 Traffic Behind Decoy Servers

    A well-known information-stealing malware called XLoader has received significant upgrades in its latest versions, making it considerably harder to detect and analyze than before. Originally derived from a malware family known as FormBook, which first surfaced in 2016, XLoader was rebranded and relaunched…

  • New DeepLoad Malware Uses ClickFix and AI-Generated Evasion to Breach Enterprise Networks

    A newly discovered malware named DeepLoad is targeting enterprise environments, turning a single user action into persistent, credential-stealing access that survives reboots and outlasts standard cleanup efforts. What sets this campaign apart is how every stage of the attack was deliberately built to…

  • Hackers Deploy RoadK1ll Pivoting Malware to Turn Compromised Hosts Into Network Relays

    A new piece of malware called RoadK1ll has been found silently converting compromised machines into controllable network relay points. Unlike most malware that arrives loaded with commands and attack tools, RoadK1ll is deliberately lean, built around one goal: giving attackers a reliable and…

  • VoidLink Malware Framework Shows that AI-assisted Malware is Not Experimental Anymore

    For years, cybersecurity professionals debated whether AI could truly be weaponized to build dangerous malware at scale. That debate is now settled. VoidLink, a Linux-based malware framework discovered in early 2026, has crossed a threshold the security community long feared — AI-assisted malware has…

  • New Silver Fox Campaign Hits Japanese Businesses With Tax-Themed Phishing Lures

    Japan’s tax season has become a hunting ground for a well-organized threat actor known as Silver Fox. As Japanese companies enter their annual cycle of tax filing, salary reviews, and personnel changes, this group is taking full advantage of the moment — sending highly…

  • Fake Cloudflare CAPTCHA Pages Spread Infiniti Stealer Malware on macOS Systems

    A previously undocumented macOS malware is quietly tricking users through fake Cloudflare human verification pages. Called Infiniti Stealer, this threat uses a well-known social engineering trick called ClickFix to convince Mac users to run dangerous commands directly on their own machines,…

  • Fake npm Install Messages Hide RAT Malware in New Open Source Supply Chain Campaign

    A new and carefully crafted software supply chain campaign is targeting developers through the npm package registry, using fake installation messages to hide malicious activity. The campaign, which security researchers have named the “Ghost campaign,” began in early February 2026 and…

  • Fake VS Code Security Alerts on GitHub Used to Push Malware in Widespread Phishing Campaign

    A large-scale phishing campaign is targeting software developers on GitHub, using fake Visual Studio Code security alerts posted in GitHub Discussions to trick users into downloading malicious software. The attacks are designed to look like legitimate security advisories, warning developers…

  • China-Linked Hackers Breach Southeast Asian Military Systems in Long-Running Spy Campaign

    A sophisticated and long-running cyber espionage campaign, tracked as CL-STA-1087, has been quietly targeting military organizations across Southeast Asia since at least 2020. The operation, assessed with moderate confidence to be linked to a China-aligned threat actor, focuses on collecting strategic and operational intelligence rather…

  • Open Directory Malware Campaign Uses Obfuscated VBS, PNG Loaders and RAT Payloads

    A sophisticated multi-stage malware campaign has surfaced, deploying obfuscated Visual Basic Script (VBS) files, PNG-embedded loaders, and remote access trojans (RATs) to target systems without leaving a trace on disk. What began as a routine endpoint detection in early 2026 quickly revealed itself…

  • New Data Leak Site Uncovered Linked to Active Initial Access Broker on Underground Forums

    The underground cybercriminal world saw a notable development on March 22, 2026, when a new Tor-based leak site called “ALP-001” appeared on the dark web, openly marketing itself as a “Data Leaks / Access Market.” The emergence of this platform points…

  • New CanisterWorm Steals npm Tokens and Spreads Through Compromised Publisher Accounts

    A new wave of supply chain attacks is hitting the npm ecosystem through a self-propagating malware campaign known as CanisterWorm. The threat, linked to a group tracked as “TeamPCP,” compromises legitimate publisher namespaces and pushes poisoned package versions, effectively turning trusted developer tools into…