Category: Threats
- Copyright-Themed Lures Deliver Multi-Stage PureLog Stealer in New Credential Theft Campaign
  A new malware campaign is targeting organizations across healthcare, government, education, and hospitality sectors using cleverly disguised copyright violation notices to deliver PureLog Stealer, a powerful information-stealing malware. The campaign, first analyzed in March 2026, tricks victims into executing a malicious file that looks…
- SILENTCONNECT Uses VBScript, PowerShell and PEB Masquerading to Deploy ScreenConnect
  SILENTCONNECT is a newly discovered multi-stage malware loader that has been silently targeting Windows machines since at least March 2025. It uses VBScript, in-memory PowerShell execution, and PEB masquerading to install the ConnectWise ScreenConnect remote monitoring and management tool on victim systems. Once deployed, ScreenConnect…
- Russian APT Exploits Zimbra XSS to Target Ukrainian Government in ‘Operation GhostMail’
  A Russian state-linked threat actor has launched a targeted cyberattack against a Ukrainian government agency, exploiting a cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite to steal credentials and sensitive email data. Dubbed “Operation GhostMail,” the campaign stands out for its complete absence…
- WaterPlum Deploys New ‘StoatWaffle’ Malware in VSCode-Based Supply Chain Campaign
  A North Korea-linked hacking group known as WaterPlum has introduced a dangerous new malware called StoatWaffle, deploying it through compromised Visual Studio Code (VSCode) repositories disguised as legitimate blockchain development projects to silently infiltrate developer machines. WaterPlum has been running a campaign known as “Contagious…
- New SnappyClient Implant Combines Remote Access, Data Theft and Advanced Evasion
  A dangerous new malware implant called SnappyClient has quietly emerged as a serious threat to Windows users, combining remote access, data theft, and sophisticated evasion techniques in one compact C++ package. First spotted in December 2025, this command-and-control (C2) framework implant can log keystrokes,…
- Boggy Serpens Targets Diplomats and Critical Infrastructure in Multi-Wave Espionage Campaign
  A well-resourced Iranian nation-state group known as Boggy Serpens — also tracked as MuddyWater — has sharply escalated its cyberespionage operations, running sustained and targeted campaigns against diplomatic missions, energy companies, maritime operators, and financial institutions. Attributed to Iran’s Ministry of Intelligence and Security…
- Attackers Abuse Court Documents, GitHub Payloads to Infect Judicial Targets With COVERT RAT
  A new wave of targeted attacks is quietly hitting Argentina’s judicial system, using fake court documents to lure legal professionals into installing a dangerous piece of malware. The campaign, formally called Operation Covert Access, deploys a Rust-built Remote Access Trojan known as…
- Malicious npm Packages Deliver PylangGhost RAT in New Software Supply Chain Campaign
  A remote access trojan known as PylangGhost has appeared on the npm registry for the first time, concealed inside two malicious JavaScript packages. The malware, first publicly disclosed by Cisco Talos in June 2025 and attributed to the North Korean state-sponsored threat group…
- Phishers Abuse LiveChat Support Tools to Steal Sensitive Data in New SaaS-Based Attack Tactic
  A newly identified phishing campaign is turning legitimate customer service software into a weapon for stealing sensitive user data. Attackers have been found abusing LiveChat, a widely used Software-as-a-Service (SaaS) platform that businesses rely on for real-time customer support, to carry…
- Signed Malware Masquerading as Teams, Zoom Apps Drops RMM Backdoors
  A newly uncovered phishing campaign is actively targeting enterprise users by disguising malware as widely used workplace applications, including Microsoft Teams, Zoom, and Adobe Acrobat Reader. What makes this threat stand out is that the malicious files carry legitimate-looking digital signatures, making them harder for…
- Chinese APT Campaign Targets Qatar With PlugX Lures Tied to Middle East Conflict
  A Chinese-linked advanced persistent threat group known as Camaro Dragon launched a targeted cyberespionage campaign against entities in Qatar just one day after the outbreak of new hostilities in the Middle East on March 1, 2026. The group used war-themed lure documents…
- Microsoft Warns Fake AI Browser Extensions Compromised Chat Histories Across 20,000+ Enterprise Tenants
  A wave of counterfeit AI-powered browser extensions has silently breached over 20,000 enterprise environments, compromising the chat histories of employees who routinely used AI tools for work. These malicious Chromium-based extensions disguised themselves as legitimate AI assistant tools and accumulated close to…
- New ClickFix Attack Leverages Windows Terminal for Payload Execution
  Cybersecurity researchers have uncovered a new wave of ClickFix attacks that now exploit Windows Terminal to deliver malicious payloads directly onto victim machines. Unlike earlier iterations of this social engineering technique, which relied on the Windows Run dialog, this latest campaign leads users into opening a…
- RMM Tools Essential for IT Operations but Increasingly Weaponized by Attackers
  Remote Monitoring and Management (RMM) tools are the backbone of modern IT operations. Security professionals rely on them daily to patch systems, troubleshoot issues, and manage entire networks from anywhere. These tools deliver speed, control, and convenience — qualities every IT team values. But…
- Indirect Prompt Injection Allows Adversaries to Manipulate AI Agents with Content
  Artificial intelligence tools are now a core part of everyday workflows — from browsers that summarize web pages to automated agents that help users make decisions online. As these tools become more capable, attackers are learning how to turn them against…
- Threat Actors Using Fake Claude Code Download to Deploy Infostealer
  Cybercriminals have found a new way to target developers and IT professionals by setting up fake download pages that impersonate Claude Code, a legitimate AI coding assistant. These deceptive pages trick users into downloading what appears to be an official installation package, but instead silently…
- Hackers Mimic LastPass Support Email to Steal Vault Passwords
  A new and carefully crafted phishing campaign is currently targeting LastPass users, with attackers sending fake support emails designed to steal vault master passwords. The campaign, which began on or around March 1, 2026, relies on social engineering tactics to trick users into believing their accounts…
- Malicious Packages Disguised as Laravel Utilities Deploy PHP RAT and Enable Remote Access
  A supply chain attack targeting the PHP developer community has surfaced through Packagist, the official package repository for PHP and Laravel projects. Threat actor nhattuanbl published several packages that disguised a fully functional remote access trojan (RAT) inside what looked like standard Laravel utility…
- SloppyLemming Espionage Campaign Uses BurrowShell Backdoor and Rust RAT to Hit Pakistan and Bangladesh Targets
  A suspected India-aligned threat group known as SloppyLemming has been conducting a sustained espionage campaign against government agencies, defense organizations, nuclear oversight bodies, and critical infrastructure operators in Pakistan and Bangladesh. Active since 2021 and also tracked as Outrider Tiger…
- Hackerbot-Claw Bot Attacks Microsoft and DataDog via GitHub Actions CI/CD Misconfiguration
  Between February 21 and February 28, 2026, an autonomous bot named hackerbot-claw launched a week-long attack campaign against major open source repositories. It targeted GitHub Actions CI/CD pipelines belonging to Microsoft, DataDog, the Cloud Native Computing Foundation, and several other widely used projects. Over…
- Threat Actors Exploit OpenVSX Aqua Trivy with Malicious AI Prompts to Hijack Local Coding Tools
  A supply chain attack targeting developers surfaced on March 2, 2026, when unauthorized code was found inside two versions of the Aqua Trivy VS Code extension on the OpenVSX registry. The compromised versions — 1.8.12 and 1.8.13 — were uploaded…
- Pixel Perfect Extension Abuse Enables Covert Script Injection and Security Header Removal
  A browser extension that once earned a Featured badge from Google quietly turned into a remote code execution tool after its ownership changed hands, exposing thousands of users to covert script injection and full browser security header stripping. The campaign, centered on a…
- Researchers Uncover Aeternum C2 Infrastructure with Advanced Persistence and Network Evasion Features
  For years, taking down a botnet meant finding its command-and-control (C2) server, seizing the domain, and watching the network go dark. Law enforcement used this method to dismantle major operations like Emotet, TrickBot, and QakBot. A newly discovered botnet loader called Aeternum C2…
- Vshell Gains Traction Among Threat Actors as an Alternative to Cobalt Strike
  A Go-based command-and-control (C2) framework originally marketed within Chinese-speaking offensive security communities has been quietly expanding its reach, drawing growing attention from threat actors seeking flexible and cost-effective alternatives to expensive commercial tools. Known as Vshell, the tool has evolved well beyond its…
- New Dohdoor Malware Attacking Schools and Health Care Sectors in U.S. via Multi-Stage Attack Chain
  A newly discovered malware campaign has been quietly targeting educational institutions and healthcare organizations across the United States since at least December 2025. The threat, tracked under the actor designation “UAT-10027,” deploys a previously unknown backdoor called “Dohdoor,” which uses…
- Microsoft Defender Uncovers Trojanized Gaming Utility Campaign Targeting Users with RATs and Remote Data Theft
  Cybercriminals have found a new way to get past users’ defenses — by hiding malware inside gaming tools that look completely normal. Microsoft’s security team has uncovered an active campaign where attackers are distributing trojanized versions of popular gaming utilities…
- North Korean APT37 Hackers Leverage Novel Malware to Infect Air-Gapped Systems
  North Korea-linked threat group APT37 has launched a sophisticated new campaign using a fresh set of custom malware tools specifically designed to reach computers that are not connected to the internet — a type of system long considered among the most secure in the…
- Google Disrupts Chinese Hackers’ Infrastructure Which Breached 53 Telecom and Government Entities
  A suspected Chinese state-linked hacking group has been caught running one of the most far-reaching cyber espionage operations ever uncovered — silently breaching telecom providers and government bodies across four continents for nearly a decade. Google has now stepped in to dismantle that…
- Microsoft Warns of Hackers Attacking Developers with Malicious Next.js Repositories
  A coordinated attack campaign is actively targeting software developers through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. The attackers rely on job-themed lures, presenting fake recruitment challenges that convince developers to clone and run poisoned code on their own machines. Once…
- Threat Actors Exploit Apache ActiveMQ Server Vulnerability to Gain RDP Access and Deploy LockBit Ransomware
  A critical vulnerability in Apache ActiveMQ has been actively exploited by threat actors, leading to a full LockBit ransomware deployment across an enterprise network. Attackers leveraged CVE-2023-46604, a remote code execution flaw in the ActiveMQ messaging broker, to break into…
- Hackers Leverage DeepSeek and Claude to Attack FortiGate Devices Worldwide
  In early February 2026, a significant cybersecurity threat emerged involving the sophisticated use of Large Language Models (LLMs) in active intrusion campaigns. A misconfigured server exposed a detailed software pipeline where threat actors integrated DeepSeek and Claude into their attack workflows. This discovery highlights a…
- DPRK-Linked Operators Sustain Aggressive Crypto Targeting 12 Months After Bybit Breach
  February 21, 2026, marks one year since North Korea (DPRK)-linked operators stole approximately $1.46 billion in cryptoassets from Dubai-based exchange Bybit — the largest confirmed crypto theft in history. Rather than slowing down after that breach, the group has only become more active,…
- Silver Fox APT Uses DLL Sideloading and BYOVD Techniques in Sophisticated Malware Attacks
  The cybersecurity community recently witnessed the emergence of targeted malware campaigns linked to the Silver Fox threat group. This operation focuses heavily on Asia, targeting local organizations with carefully localized lures. By disguising attacks as routine business communications, actors successfully distributed the…
- Grandstream VoIP Phones Vulnerability Allows Attackers to Gain Root Privileges
  VoIP desk phones are trusted devices, but many are managed like office furniture. A newly disclosed flaw in Grandstream phones shows how a simple network-facing bug can turn a handset into an entry point for eavesdropping and wider access. In a typical attack, the goal…
- CharlieKirk Grabber Stealer Attacking Windows Systems to Exfiltrate Login Credentials
  A new Python-based infostealer called CharlieKirk Grabber has been identified targeting Windows systems, with a focused goal of stealing stored login credentials, browser cookies, and session data. The malware is built to work as a “smash-and-grab” threat — it launches quickly, collects whatever sensitive data…
- Hackers Actively Exploiting Critical BeyondTrust Vulnerability to Deploy VShell and SparkRAT
  A critical vulnerability in BeyondTrust’s remote support software is being actively exploited by hackers to deliver dangerous backdoors on compromised systems. The flaw, tracked as CVE-2026-1731, carries a CVSS score of 9.9 and lets attackers run system commands with no login required. BeyondTrust released…
- Advanced Crypto Mining Malware Spreads Through External Drives and Air-Gapped Systems
  A sophisticated cryptocurrency mining campaign has emerged, targeting systems through external storage devices with the ability to compromise even air-gapped environments. The malware operates as a multi-stage infection that prioritizes mining Monero cryptocurrency while establishing persistent mechanisms to resist removal. Unlike typical cryptojacking operations,…
- MCP Servers Can Be Exploited to Execute Arbitrary Code and Exfiltrate Sensitive Data
  The Model Context Protocol (MCP) emerged as a breakthrough standard in November 2024, designed by Anthropic to seamlessly connect AI assistants with external systems and data sources. This innovation allows Large Language Models (LLMs) to interact with tools and repositories, significantly enhancing…
- New ‘Foxveil’ Malware Loader Leverages Cloudflare, Netlify, and Discord to Evade Detection
  A new malware loader called “Foxveil” has been discovered actively targeting systems through legitimate cloud platforms, raising concerns about how threat actors are weaponizing trusted services to bypass security measures. The malware has been operational since August 2025 and has since evolved significantly.…
- Noodlophile Malware Creators Evolve Tactics with Fake Job Postings and Phishing Lures
  The Noodlophile information stealer, originally uncovered in May 2025, has significantly evolved its attack strategies to bypass security measures. Initially, this malware hid behind deceptive advertisements for fake AI video generation platforms on social media, tricking users into downloading malicious ZIP files. These…
- Chrome Extensions Infected 500K Users to Hijack VKontakte Accounts
  Over half a million VKontakte users have fallen victim to a sophisticated malware campaign that silently hijacks accounts through seemingly harmless Chrome extensions. The malicious extensions, disguised as VK customization tools, automatically subscribe users to attacker-controlled groups, reset account settings every 30 days, and manipulate security…
- New ClickFix Attack Wave Targeting Windows Systems to Deploy StealC Stealer
  A sophisticated social engineering campaign is targeting Windows users through fake CAPTCHA verification pages to deliver the StealC information stealer malware. The attack begins when victims visit compromised websites that display fraudulent Cloudflare security checks, tricking them into executing malicious PowerShell commands. The compromised…
- Over 1,800 Windows Servers Compromised by BADIIS Malware in Large-Scale SEO Poisoning Campaign
  A sophisticated cyber campaign has compromised over 1,800 Windows servers globally, using a potent malware strain known as BADIIS. This operation targets Internet Information Services (IIS) environments, transforming legitimate infrastructure into a massive network for SEO poisoning. By hijacking these servers, threat…
- Fake CAPTCHA Attacks Emerge as Key Entry Point for LummaStealer Malware Campaigns
  LummaStealer, a notorious information-stealing malware, has made a significant comeback following a major law enforcement disruption in 2025. This resurgence is characterized by a shift in distribution tactics, moving away from traditional exploit kits towards aggressive social engineering campaigns. Cybercriminals are now leveraging…
- Bloody Wolf Hackers Attacking Organizations to Deploy NetSupport RAT and Gain Remote Access
  Stan Ghouls, a cybercriminal group also known as Bloody Wolf, has launched a sophisticated wave of targeted attacks against organizations across Russia and Uzbekistan. Active since at least 2023, the group focuses heavily on the manufacturing, finance, and IT sectors. While they…
- Chinese Hackers Attacking Singapore’s Telecommunications Sector to Compromise Edge Devices
  Singapore’s telecommunications sector has recently been the target of a highly sophisticated cyber espionage campaign orchestrated by the Advanced Persistent Threat (APT) group known as UNC3886. The details of this extensive intrusion were formally disclosed following Operation CYBER GUARDIAN, a major multi-agency response led by…
- Vortex Werewolf Attacking Organizations to Gain Tor-Enabled Remote Access Over the RDP, SMB, SFTP, and SSH Protocols
  A new cyber espionage cluster has recently emerged, focusing its aggressive targeting on Russian government and defense organizations. Active since at least December 2025, the group, designated as Vortex Werewolf, employs a combination of social engineering and legitimate…
- New Telegram Phishing Attack Abuses Authentication Workflows to Obtain Full Authorized User Sessions
  A sophisticated Telegram phishing campaign has re-emerged, marking a significant evolution in how threat actors compromise user accounts. Unlike traditional credential harvesting, this operation does not rely on cloning login pages to steal passwords but instead manipulates the platform’s legitimate authentication infrastructure.…
- Transparent Tribe Hacker Group Attacking India’s Startup Ecosystem
  The threat landscape for India’s technology sector has taken an unexpected turn. A Pakistan-based hacking group called Transparent Tribe has shifted its focus from traditional government targets to the country’s vibrant startup ecosystem, particularly companies working in cybersecurity and intelligence domains. The group, also tracked as APT36,…
- Bulletproof Hosting Providers Leverage Legitimate ISPsystem to Supply Servers for Cybercriminals
  In the constantly shifting landscape of online threats, cybercriminals have found a new way to strengthen their attacks by hiding behind legitimate technology. Late in 2025, a series of ransomware incidents revealed that attackers were using virtual machines provisioned through ISPsystem, a popular platform…
- Hackers Leveraging Windows Screensaver to Deploy RMM Tools and Gain Remote Access to Systems
  Cybersecurity threats are constantly evolving, and a recent campaign highlights a deceptive new tactic where attackers leverage Windows screensaver (.scr) files to compromise systems. This method allows threat actors to deploy legitimate Remote Monitoring and Management (RMM) tools, granting them persistent…
- Spam Campaign Distributes Fake PDFs, Installing Remote Monitoring Tools for Persistent Access
  Security teams have discovered an active spam campaign that uses fake PDF documents to trick users into installing remote monitoring and management (RMM) software. The campaign targets organizations by sending emails containing PDF attachments that appear to be invoices, receipts, or important documents.…
- APT28 Hackers Exploiting Microsoft Office Vulnerability to Compromise Government Agencies
  Russian state-sponsored actors known as APT28 have initiated a sophisticated cyber espionage campaign targeting high-value government and military entities across Europe. The primary targets include maritime and transport organizations in nations such as Poland, Ukraine, and Turkey. The attackers are actively exploiting a critical vulnerability…
- New DesckVB RAT with Multi-stage Infection Chain and Plugin-Based Architecture
  A sophisticated new threat has surfaced in the wild, identified as the DesckVB RAT version 2.9. This modular Remote Access Trojan, built on the .NET framework, has been observed in active malware campaigns throughout early 2026. Unlike simple backdoors, this threat demonstrates a high level…
- New 3-Step Malvertising Chain Abusing Facebook Paid Ads to Push Tech Support Scam Kit
  A sophisticated new cyber threat has emerged within the digital advertising ecosystem, specifically targeting users through the vast reach of Facebook’s paid advertising platform. Malicious actors are increasingly weaponizing social media ads to bypass traditional security filters and deliver harmful…
- Attackers Using DNS TXT Records in ClickFix Script to Execute PowerShell Commands
  The cybersecurity landscape has darkened with the sophisticated evolution of the KongTuke campaign. Active since mid-2025, this threat actor group has continuously refined its techniques to bypass conventional enterprise security filters. Their primary weapon remains the “ClickFix” strategy, a social engineering vector that…
- GlassWorm Infiltrated VSX Extensions with More than 22,000 Downloads to Attack Developers
  GlassWorm has emerged as a serious threat to developers using the Open VSX Registry, where popular VSX extensions were silently turned into delivery vehicles for malware. Threat actors compromised a trusted publisher account and pushed poisoned updates that looked like routine releases but…
- Infostealer Campaigns Expand to macOS as Attackers Abuse Python and Trusted Platforms
  Infostealer campaigns that once focused mainly on Windows are now expanding aggressively to macOS, using Python and trusted platforms to reach new victims. Recent attacks show a clear shift: threat actors are abusing online ads, fake apps, and familiar tools to quietly steal…
- Beware of Fake Dropbox Phishing Attack That Harvests Login Credentials
  Cybercriminals are launching a dangerous phishing campaign that tricks users into giving away their login credentials by impersonating Dropbox. This attack uses a multi-stage approach to bypass email security checks and content scanners. The threat actors exploit trusted cloud platforms and harmless-looking PDF files to…
- Malicious App on Google Play With 50K+ Downloads Deploys Anatsa Banking Malware
  A dangerous banking malware called Anatsa has been discovered spreading through the Google Play Store, reaching more than fifty thousand downloads before detection. The malicious application was cleverly hidden as a document reader, making it appear harmless to unsuspecting users searching for…
- DynoWiper Data-Wiping Malware Attacking Energy Companies to Destroy Data
  A dangerous new data-wiping malware known as DynoWiper has emerged, targeting energy companies in Poland with destructive attacks designed to permanently erase critical data. The malware surfaced in December 2025 when security researchers detected its deployment at a Polish energy firm. Unlike typical ransomware that encrypts…
- Google Uncovered Significant Expansion in ShinyHunters Threat Activity with New Tactics
  The ShinyHunters threat group has expanded its extortion operations with sophisticated attack methods targeting cloud-based systems across multiple organizations. These cybercriminals use voice phishing and fake credential harvesting websites to steal login information from employees. Once they gain access, they extract sensitive data from…
- UAT-8099 Targets Vulnerable IIS Servers Using Web Shells, PowerShell, and Region-Customized BadIIS
  A new wave of targeted attacks has emerged against Internet Information Services (IIS) servers across Asia, with threat actors deploying sophisticated malware designed to compromise vulnerable systems. The campaign, active from late 2025 through early 2026, focuses primarily on victims in Thailand and…
- 175,000 Exposed Ollama Hosts Enable Code Execution and External System Access
  A significant security discovery reveals that approximately 175,000 Ollama servers remain publicly accessible across the internet, creating a serious risk for widespread code execution and unauthorized access to external systems. Ollama, an open-source framework designed to run artificial intelligence models locally, has become unexpectedly…
- TAMECAT PowerShell-Based Backdoor Exfiltrates Login Credentials from Microsoft Edge and Chrome
  A sophisticated PowerShell-based malware named TAMECAT has emerged as a critical threat to enterprise security, targeting login credentials stored in Microsoft Edge and Chrome browsers. This malware operates as part of espionage campaigns conducted by APT42, an Iranian state-sponsored cyber-espionage group that has been…
- Education-Themed Malicious Domains Linked to Bulletproof Hosting Infrastructure Exposed
  Security researchers have uncovered a sophisticated traffic distribution network leveraging deceptive education-themed domains to deliver malware and phishing attacks. The operation, tracked under infrastructure indicators pointing to TOXICSNAKE, uses legitimate-looking university and educational institution branding to deceive users into visiting malicious websites. This tactic exploits the…
-
Hackers Weaponized Open VSX Extension with Sophisticated Malware After Reaching 5060+ Downloads
A dangerous malware campaign has infiltrated the Open VSX extension marketplace, compromising over 5,000 developer workstations through a fake Angular Language Service extension. The malicious package disguised itself as legitimate development tooling, bundling authentic Angular and TypeScript components alongside encrypted malware code that…
-
Microsoft Exchange Online to Deprecate SMTP AUTH Basic Authentication for Tenants
Microsoft is preparing a major security shift for cloud email customers as Exchange Online moves toward deprecating SMTP AUTH Basic Authentication for all tenants. The change targets one of the oldest and weakest ways to sign in to email systems, where usernames and passwords…
-
Attackers Targeting Canadian Citizens by Exploiting Their Reliance on Digital Services
Attackers are increasingly targeting Canadian citizens by abusing their heavy dependence on online government and commercial services. From paying traffic fines and renewing licenses to tracking parcels and booking flights, people now expect these tasks to be quick and digital. Threat actors are taking…
-
Chinese National Jailed to 46 Months for Laundering Millions of Dollars Stolen from American Investors
A Chinese national named Jingliang Su has been sentenced to 46 months in prison for his involvement in a major cryptocurrency fraud scheme targeting American investors. On January 27, 2026, federal courts ordered Su to serve his sentence and pay…
-
Fake CAPTCHA Attack Leverages Microsoft Application Virtualization (App-V) to Deploy Malware
A newly discovered campaign demonstrates a sophisticated approach to delivering information-stealing malware through a combination of social engineering and legitimate Windows components. The attack begins with a deceptive CAPTCHA prompt that tricks users into executing commands manually through the Windows Run dialog, presenting the…
-
HoneyMyte Hacker Group Updates CoolClient Malware to Deploy Browser Login Data Stealer
The HoneyMyte threat group, also known as Mustang Panda or Bronze President, continues to pose a significant risk to government organizations across Asia and Europe. Recent security research has revealed that this advanced hacker collective is actively upgrading its digital arsenal with enhanced…
-
Caminho Loader-as-a-Service Using Steganography to Conceal .NET Payloads within Image Files
Caminho Loader is a new Loader-as-a-Service threat that blends steganography, fileless execution, and cloud abuse to quietly deliver malware across several regions. First seen in March 2025 and believed to originate from Brazil, this service hides .NET payloads inside harmless-looking image files hosted on…
-
APT Hackers Attacking Indian Government Using GOGITTER Tool and GITSHELLPAD Malware
Advanced persistent threat actors operating from Pakistan have launched coordinated attacks against Indian government organizations using newly discovered tools and malware designed to bypass security defenses. The campaign, identified as Gopher Strike, emerged in September 2025 and represents a significant escalation in targeted cyber…
-
China-Aligned APTs Use PeckBirdy C&C Framework in Multi-Vector Attacks, Exploiting Stolen Certificates
Since 2023, a dangerous malware framework called PeckBirdy has emerged as a primary weapon used by Chinese-aligned hacking groups. This JavaScript-based tool serves as a command-and-control platform designed to work across multiple system environments, giving attackers remarkable flexibility in how they deploy their…
-
New Phishing Attack Leverages Vercel Hosting Platform to Deliver a Remote Access Tool
A sophisticated phishing campaign active between November 2025 and January 2026 has been exploiting Vercel’s legitimate hosting platform to distribute remote access tools to unsuspecting victims. The attack chain combines social engineering with trusted domain exploitation, making it particularly effective at bypassing…
-
Sandworm APT Group Targeting Poland’s Power Grid with DynoWiper Malware
Late December 2025 brought alarming news to Poland as its energy infrastructure became the target of what security experts describe as the country’s largest cyberattack in years. The Russian-aligned Sandworm group, known for orchestrating some of the most damaging attacks on critical infrastructure, emerged as…
-
20,000 WordPress Sites Affected by Backdoor Vulnerability Allowing Malicious Admin User Creation
A critical backdoor vulnerability has been discovered in the LA-Studio Element Kit for Elementor, a popular WordPress plugin used by more than 20,000 active sites. This security flaw allows attackers to create administrator accounts without any authentication, putting thousands of websites at risk…
-
North Korean Hackers Adopted AI to Generate Malware Attacking Developers and Engineering Teams
North Korea-aligned hackers have launched a new campaign that turns artificial intelligence into a weapon against software teams. Using AI-written PowerShell code, the group known as KONNI is delivering a stealthy backdoor that blends real project content with malicious scripts. This operation…
-
New Osiris Ransomware Using Wide Range of Living off the Land and Dual-use Tools in Attacks
A newly discovered ransomware family called Osiris launched attacks against a major food service company in Southeast Asia during November 2025. Security researchers have identified this threat as a completely new malware variant with no connection to an older…
-
New ClearFake Campaign Leveraging Proxy Execution to Run PowerShell Commands via Trusted Windows Feature
ClearFake has entered a new and more dangerous phase, turning a familiar fake CAPTCHA scam into a highly evasive malware delivery chain. Across hundreds of hacked websites, visitors now see what looks like a routine verification challenge, but behind the scenes…
-
Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware
A large-scale campaign is turning a trusted Windows security driver into a weapon that shuts down protection tools before ransomware and remote access malware are dropped. The attacks abuse truesight.sys, a kernel driver from Adlice Software’s RogueKiller antivirus, and use more than 2,500 validly…
-
New AI Malware Era Begins as Advanced VoidLink Malware Emerges as the First Fully AI-Driven Threat Framework
The cybersecurity landscape has entered a dangerous new chapter with the discovery of VoidLink, the first documented advanced malware framework built almost entirely by artificial intelligence. Unlike earlier attempts where inexperienced hackers used AI to create basic malicious…
-
Attackers Leverage LinkedIn to Deliver Remote Access Trojan Targeting Corporate Environments
A sophisticated phishing campaign is actively exploiting LinkedIn’s trusted social media platform to distribute a dangerous remote access trojan to corporate employees. Attackers are leveraging the professional credibility of LinkedIn to craft convincing messages that appear legitimate, making employees more likely to download and…
-
Attackers Abuse Discord to Deliver Clipboard Hijacker That Steals Wallet Addresses on Paste
A new clipboard hijacker is quietly draining cryptocurrency from gamers and streamers by abusing trust inside Discord communities. The campaign centers on a malicious Windows program shared as a supposed streaming or security tool. Once installed, it silently watches the user’s clipboard,…
-
Python-based Malware SolyxImmortal Leverages Discord to Silently Harvest Sensitive Data
SolyxImmortal represents a notable advancement in information-stealing malware targeting Windows systems. This Python-based threat combines multiple data theft capabilities into a single, persistent implant designed for long-term surveillance rather than destructive activity. The malware operates silently in the background, collecting credentials, documents, keystrokes, and screenshots…
-
Threat Actors Leverage Google Ads to Weaponize PDF Editor with TamperedChef
A malvertising campaign identified in September 2025 has brought a significant threat to Windows users worldwide. Attackers created fake PDF editing applications and promoted them through Google Ads to distribute a dangerous information-stealing malware called TamperedChef. The malware targets users searching for appliance manuals…
-
CrashFix – Hackers Using Malicious Extensions to Display Fake Browser Warnings
Cybersecurity researchers have discovered a sophisticated malware campaign using an unusual but effective tactic: deliberately crashing users’ browsers. The threat, named CrashFix, operates through a malicious Chrome extension disguised as the legitimate ad blocker NexShield. When users search for privacy tools online, malicious advertisements…
-
17 New Malicious Chrome GhostPoster Extensions with 840,000+ Installs Steal User Data
Cybercriminals have distributed 17 malicious browser extensions across the Chrome, Firefox, and Edge platforms, collectively downloaded over 840,000 times and compromising user security for years. The GhostPoster campaign, which emerged as early as 2020, used deceptive extension names like “Google Translate in Right Click,”…
-
Hackers Abusing Legitimate Cloud and CDN Platforms to Host Phishing Kits
Threat actors are increasingly using trusted cloud and content delivery network platforms to host phishing kits, creating major detection challenges for security teams. Unlike traditional phishing campaigns that rely on newly registered suspicious domains, these attacks use legitimate infrastructure from providers like Google, Microsoft…
-
Promptware Kill Chain – Five-Step Kill Chain Model for Analyzing Cyberthreats
Large language models have become deeply integrated into everyday business operations, from customer service chatbots to autonomous agents managing calendars, executing code, and handling financial transactions. This rapid expansion has created a critical security blind spot. Researchers have identified that attacks targeting these systems…
-
Chinese Threat Actors Hosted 18,000 Active C2 Servers Across 48 Hosting Providers
Threat actors linked to Chinese hosting infrastructure have established a massive network of over 18,000 active command-and-control servers across 48 different hosting providers in recent months. This widespread abuse highlights a serious issue in how malicious infrastructure can hide within trusted networks and…
-
Stealthy CastleLoader Malware Attacking US Government Agencies and Critical Infrastructure
A sophisticated malware loader known as CastleLoader has emerged as a critical threat to US government agencies and critical infrastructure organizations. First identified in early 2025, this stealthy malware has been used as the initial access point in coordinated attacks targeting multiple sectors including federal…
-
Researchers Break Down DragonForce Ransomware Along with a Decryptor for ESXi and Windows Systems
DragonForce is the latest ransomware brand to move from noisy forum posts to full RaaS operations, targeting both Windows and VMware ESXi environments. First seen in December 2023 on BreachForums, the group advertises stolen data and uses a dark web blog to pressure…
-
New Magecart Attack Steals Customers’ Credit Cards from Website Checkout Pages
A sophisticated web-skimming campaign targeting online shoppers has emerged with renewed intensity in 2026, compromising e-commerce websites and extracting sensitive payment information during checkout processes. The attack, identified as part of the broader Magecart family of threats, represents an evolving challenge to online retail…
-
Hackers Leverage Browser-in-the-browser Tactic to Trick Facebook Users and Steal Logins
Facebook users are increasingly becoming targets of a sophisticated phishing technique that bypasses conventional security measures. With over three billion active users on the platform, Facebook represents an attractive target for attackers seeking to compromise accounts and harvest personal credentials. The primary objective of…
-
AsyncRAT Leveraging Cloudflare’s Free-Tier Services to Mask Malicious Activities and Evade Detection
A recent AsyncRAT campaign is using Cloudflare’s free-tier services and TryCloudflare tunnels to hide remote access activity inside normal-looking cloud traffic. In these attacks, threat actors send phishing emails that link to a Dropbox-hosted ZIP archive named to look like an…
-
ValleyRAT_S2 Attacking Organizations to Deploy Stealthy Malware and Extract Financial Details
A new wave of attacks is using the ValleyRAT_S2 malware to quietly break into organizations, stay hidden for long periods, and steal sensitive financial information. ValleyRAT_S2 is the second-stage payload of the ValleyRAT family and is written in C++. Once inside a network, it…
-
Beware of Weaponized Employee Performance Reports that Deploy Guloader Malware
Cybersecurity threats continue to evolve, with attackers using more creative social engineering techniques to target organizations. A recent threat has emerged involving the Guloader malware, which is being disguised as employee performance reports to trick users into downloading and executing malicious files. This sophisticated attack…
-
Everest Hacking Group Allegedly Claims Breach of Nissan Motors
The Everest hacking group has allegedly claimed a major breach of Nissan Motor Co., Ltd., raising fresh concerns about data security at large automotive manufacturers. According to early reports, the cybercrime group says it exfiltrated around 900 GB of sensitive data from the Japanese carmaker, a volume…