DATE | NAME | Info | CATEG. | WEB |
27.5.24 | 60 Malicious npm Packages Leak Network and Host Data in Active Malware Campaign | Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. | Malware blog | SOCKET DEV |
27.5.24 | Threat Spotlight: Hijacked Routers and Fake Searches Fueling Payroll Heist | ReliaQuest investigated a unique search engine optimization (SEO) poisoning attack targeting mobile devices, where attackers stole credentials via fake login pages to access the employee payroll portal and reroute paychecks. | Hacking blog | RELIAQUEST |
25.5.24 | “Anti-Ledger” malware: The battle for Ledger Live seed phrases | Hackers are increasingly exploiting the trust that crypto owners place in cold wallets, turning the very tools meant to secure assets into attack surfaces. The recent ByBit heist has shaken the crypto industry and is unlikely to be the last. However, more low-profile heists are already underway. | Malware blog | Moonlock-lab |
25.5.24 | A Sting on Bing: Bumblebee delivered through Bing SEO poisoning campaign | Bumblebee is a downloader malware which has become known for its sophistication and effectiveness. The malware was first discovered in 2022 and was believed to be a tool for ransomware groups due to the developer’s close ties with Conti. | Malware blog | Cyjax |
25.5.24 | Not content with attacking retailers, this aggressive group is fighting a turf war with other ransomware operators | | Ransom blog | Sophos |
25.5.24 | A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist | Another adversary picks up the email bombing / vishing Storm-1811 playbook, doing thorough reconnaissance to target specific employees with fake help desk call—this time, over the phone. | Spam blog | Sophos |
25.5.24 | Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool | Microsoft’s Digital Crimes Unit (DCU) and international partners are disrupting the leading tool used to indiscriminately steal sensitive personal and organizational information to facilitate cybercrime. | Malware blog | Microsoft blog |
25.5.24 | Hidden Threats of Dual-Function Malware Found in Chrome Extensions | An unknown actor has been continuously creating malicious Chrome Browser extensions since approximately February, 2024. | Malware blog | dti domain tools |
25.5.24 | FIN7: Silent Push unearths the largest group of FIN7 domains ever discovered | 4000+ IOFA domains and IPs found. Louvre, Meta, and Reuters targeted in massive global phishing and malware campaigns. | Phishing blog | Silent Push |
24.5.24 | Ransomware Roundup – VanHelsing | The VanHelsing ransomware was first identified in March 2025 and uses TOR sites for ransom negotiations and data leaks. | Ransom blog | FORTINET |
24.5.24 | Horabot Unleashed: A Stealthy Phishing Threat | FortiGuard Labs observed a phishing campaign "Horabot" resurfacing with a sophisticated multi-stage attack, blending phishing, credential theft, and propagation. | Phishing blog | FORTINET |
24.5.24 | WHILE TRUMP DISRUPTS THE WORLD ORDER, CHINA PREPARES FOR WAR OVER TAIWAN | With Donald Trump’s erratic style and his many isolationist tendencies, none of America’s allies can be 100% sure where they stand. Unlike Ukraine—which, despite America’s wavering | BigBrother blog | Cyfirma |
24.5.24 | GhostSpy Web-Based Android RAT: Advanced Persistent RAT with Stealthy Remote Control and Uninstall Resistance | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging threats and attacker tactics. In this report, we analyze a high-risk Android | Malware blog | Cyfirma |
24.5.24 | Operation Sindoor – Anatomy of a Digital Siege | Overview Seqrite Labs, India’s largest Malware Analysis lab, has identified multiple cyber events linked to Operation Sindoor, involving state-sponsored APT activity and coordinated hacktivist operations. Observed tactics included spear phishing, deployment of malicious scripts, website defacements, and unauthorized data.. | APT blog | Seqrite |
24.5.24 | Enhanced Threat Detection: Bootloaders, Bootkits, and Secure Boot | The attack surface Eclypsium set out to defend extends to areas in our systems that many security teams and monitoring tools are either overlooking or trusting someone else has secured for them. This pre-operating system attack surface includes components such as UEFI and bootloaders. | Malware blog | Eclypsium |
24.5.24 | A Brief History of DanaBot, Longtime Ecrime Juggernaut Disrupted by Operation Endgame | DanaBot is a cybercrime malware-as-a-service that Proofpoint researchers first identified and named in May 2018. At the time, banking trojans were the most popular email-based cybercriminal malware threat, and DanaBot became one of the favored payloads by TA547 before being adopted by other notable cybercrime threat actors. | Malware blog | PROOFPOINT |
24.5.24 | Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer | Over the past year, Microsoft Threat Intelligence observed the persistent growth and operational sophistication of Lumma Stealer, an info-stealing malware used by multiple financially motivated threat actors to target various industries. | Malware blog | Microsoft blog |
24.5.24 | Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan | Trend™ Research discusses the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain. | APT blog | Trend Micro |
24.5.24 | Trend Micro Puts a Spotlight on AI at Pwn2Own Berlin | At Trend Micro, we believe we can make the digital world safer by proactively discovering threats and vulnerabilities that others haven’t yet seen. That’s why, every year, we invest millions of dollars in the Trend Zero Day Initiative™ (ZDI)—the world’s largest vendor-agnostic bug bounty program. | Cyber blog | Trend Micro |
24.5.24 | Trend Secures AI Infrastructure with NVIDIA | Organizations worldwide are racing to implement agentic AI solutions to drive innovation and competitive advantage. However, this revolution introduces security challenges—particularly for organizations in highly regulated industries that require data sovereignty and strict compliance. | AI blog | Trend Micro |
24.5.24 | Using Agentic AI & Digital Twin for Cyber Resilience | Learn how Trend is combining agentic AI and digital twin to transform the way organizations protect themselves from cyber threats. | AI blog | Trend Micro |
24.5.24 | Fake CAPTCHA Attacks Deploy Infostealers and RATs in a Multistage Payload Chain | We have detected a new tactic involving fake CAPTCHA pages that trick users into executing harmful commands in Windows. This scheme uses disguised files sent via phishing and other malicious methods. | Malware blog | Trend Micro |
24.5.24 | Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan | In July 2024, we disclosed the TIDRONE campaign, in which threat actors targeted Taiwan’s military and satellite industries. During our investigation, we discovered that multiple compromised entities were using the same enterprise resource planning (ERP) software. | APT blog | Trend Micro |
24.5.24 | TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC Infostealers Instead | Trend Research has uncovered a novel social engineering campaign using TikTok’s vast user base to distribute information-stealing malware, specifically Vidar and StealC. Unlike the prevalent Fake CAPTCHA campaign — which relies on fake CAPTCHA pages and clipboard hijacking to trick users into running malicious scripts — this new campaign pivots to exploiting the popularity and viral nature of TikTok. | Social blog | Trend Micro |
24.5.24 | Critical SysAid XXE Vulnerabilities Expose Systems to Remote Exploitation (CVE-2025-2775–2777) | The SonicWall Capture Labs threat research team became aware of multiple critical XML External Entity (XXE) injection vulnerabilities in SysAid’s IT service management (ITSM) platform. SysAid is used by organizations to streamline and automate help desk operations, asset management and IT workflows, and is available as both a cloud-based and on-premises solution. | Vulnerability blog | SonicWall |
24.5.24 | DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt | In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. | Malware blog | Palo Alto |
24.5.24 | Threat Brief: CVE-2025-31324 (Updated May 23) | Update May 23, 2025: We have added further details and indicators of compromise (IoC) to this post, to provide defenders additional information to hunt with. This information can be found in the Appendix section. | Vulnerability blog | Palo Alto |
24.5.24 | Threat Group Assessment: Muddled Libra (Updated May 16, 2025) | We’ve added an additional section to this article that describes the evolution of Muddled Libra activity since the beginning of 2024. This group is a dynamic one, and as members cycle in and out of the group, its knowledge base and skill set naturally shift. Its toolbox has now expanded to include: | Malware blog | Palo Alto |
24.5.24 | Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation | Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content. | APT blog | Palo Alto |
24.5.24 | Lampion Is Back With ClickFix Lures | Unit 42 researchers recently uncovered a highly focused malicious campaign targeting dozens of Portuguese organizations, particularly in the government, finance and transportation sectors. This campaign was orchestrated by the threat actors behind Lampion malware, an infostealer that focuses on sensitive banking information. This malware family has been active since at least 2019. | Malware blog | Palo Alto |
24.5.24 | Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources | This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. Upon execution, these files kick off a multi-stage chain of extracting, deobfuscating, loading and executing secondary payloads (dynamic-link libraries), eventually detonating the final payload (executable). | Malware blog | Palo Alto |
24.5.24 | The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website | In early 2025, Check Point Research (cp<r>) started tracking a threat campaign that abuses the growing popularity of AI content generation platforms by impersonating Kling AI, a legitimate AI-powered image and video synthesis tool. Promoted through Facebook advertisements, the campaign directs users to a convincing spoof of Kling AI’s website, where visitors are invited to create AI-generated images or videos directly in the browser. | AI blog | Checkpoint |
24.5.24 | Scarcity signals: Are rare activities red flags? | Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones. | Cyber blog | CISCO TALOS |
24.5.24 | UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware | Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader. | Exploit blog | CISCO TALOS |
24.5.24 | Ghosted by a cybercriminal | Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure. | Cyber blog | CISCO TALOS |
24.5.24 | Duping Cloud Functions: An emerging serverless attack vector | Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure. | Exploit blog | CISCO TALOS |
24.5.24 | Xoxo to Prague | In this week’s newsletter, Thor inspects the LockBit leak, finding $10,000 “security tips,” ransom negotiations gone wrong and a rare glimpse into the human side of cybercrime. | Ransom blog | CISCO TALOS |
24.5.24 | Microsoft Patch Tuesday for May 2025 — Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for May of 2025 which includes 78 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”. Microsoft noted five vulnerabilities that have been observed to be exploited in the wild | OS Blog | CISCO TALOS |
24.5.24 | Defining a new methodology for modeling and tracking compartmentalized threats | How do you profile actors and defend your systems when multiple threat actors are working together? In Part 2, Cisco Talos proposes an extended Diamond Model to analyze complex relationships between attackers. | Security blog | CISCO TALOS |
24.5.24 | Danabot under the microscope | ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure | Malware blog | Eset |
24.5.24 | Danabot: Analyzing a fallen empire | | Malware blog | Eset |
24.5.24 | Lumma Stealer: Down for the count | The bustling cybercrime enterprise has been dealt a significant blow in a global operation that relied on the expertise of ESET and other technology companies | Malware blog | Eset |
24.5.24 | ESET takes part in global operation to disrupt Lumma Stealer | Our intense monitoring of tens of thousands of malicious samples helped this global disruption operation | Malware blog | Eset |
24.5.24 | The who, where, and how of APT attacks in Q4 2024–Q1 2025 | An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2024 and Q1 2025 | APT blog | Eset |
24.5.24 | ESET APT Activity Report Q4 2024–Q1 2025 | An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2024 and Q1 2025 | APT blog | Eset |
24.5.24 | Canary Exploit Tool for CVE-2025-30065 Apache Parquet Avro Vulnerability | Investigating a schema parsing concern in the parquet-avro module of Apache Parquet Java. | Vulnerability blog | F5 |
24.5.24 | Copyright Phishing Lures Leading to Rhadamanthys Stealer Now Targeting Europe | Analysis of new Rhadamanthys infostealer campaign in Europe and malware breakdown | Malware blog | Cybereason |
24.5.24 | Genesis Market - Malicious Browser Extension | In this Threat Alert, Cybereason identifies a malware infection exhibiting similarities to a previous Genesis Market campaign. | Malware blog | Cybereason |
24.5.24 | The Windows Registry Adventure #7: Attack surface analysis | In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this mechanism works internally – from the perspective of its clients (e.g., user-mode applications running on Windows), the regf format used to encode hives, and finally the kernel itself, which contains its canonical implementation. | OS Blog | Project Zero |
17.5.24 | Ransomware Roundup – VanHelsing | The VanHelsing ransomware was first identified in March 2025 and uses TOR sites for ransom negotiations and data leaks. | Ransom blog | FORTINET |
17.5.24 | Horabot Unleashed: A Stealthy Phishing Threat | FortiGuard Labs observed a phishing campaign "Horabot" resurfacing with a sophisticated multi-stage attack, blending phishing, credential theft, and propagation. | Phishing blog | FORTINET |
17.5.24 | APT GROUP123 | Group123 is a North Korean state-sponsored advanced persistent threat (APT) group active since at least 2012. | APT blog | Cyfirma |
17.5.24 | APT PROFILE: Transparent Tribe aka APT36 | APT36, also known as Transparent Tribe, is a Pakistan-based advanced persistent threat (APT) group active since at least 2013. | APT blog | Cyfirma |
17.5.24 | Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan | Trend™ Research discusses the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain. | APT blog | Trend Micro |
17.5.24 | Trend Micro Puts a Spotlight on AI at Pwn2Own Berlin | Get a sneak peek into how Trend Micro's Pwn2Own Berlin 2025 is breaking new ground, focusing on AI infrastructure and finding the bugs to proactively safeguard the future of computing. | AI blog | Trend Micro |
17.5.24 | Microsoft Security Bulletin Coverage for May 2025 | Microsoft’s May 2025 Patch Tuesday has 76 vulnerabilities, 28 of which are Remote Code Execution. The SonicWall Capture Labs' threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2025 and has produced coverage for 11 of the reported vulnerabilities. | OS Blog | SonicWall |
17.5.24 | LCRYX Ransomware Utilizes Weak Encryption, Demands $500 Bitcoin Payment | The SonicWall Capture Labs threat research team has recently been tracking LCRYX ransomware. LCRYX is a VBScript-based ransomware strain that first emerged in November 2024 and reappeared in February 2025 with enhanced capabilities. It specifically targets Windows systems, employing a combination of Caesar cipher and XOR encryption to lock files before demanding a $500 ransom in Bitcoin for decryption. While it made its resurgence in February, it is still being seen in the wild today. | Ransom blog | SonicWall |
17.5.24 | DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt | In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. | Malware blog | Palo Alto |
17.5.24 | Threat Brief: CVE-2025-31324 | On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting SAP NetWeaver's Visual Composer Framework, version 7.50. This threat brief shares a brief overview of the vulnerability and our analysis, and also includes details of what we’ve observed through our incident response services and telemetry. | Vulnerability blog | Palo Alto |
17.5.24 | Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources | This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. Upon execution, these files kick off a multi-stage chain of extracting, deobfuscating, loading and executing secondary payloads (dynamic-link libraries), eventually detonating the final payload (executable). | Malware blog | Palo Alto |
17.5.24 | Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation | Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content. | APT blog | Palo Alto |
17.5.24 | Redefining IABs: Impacts of compartmentalization on threat tracking and modeling | Threat actors are teaming up, splitting attacks into stages and making defense harder than ever. In Part 1, Cisco Talos examines their tactics and defines their motivations. | Cyber blog | CISCO TALOS |
17.5.24 | Defining a new methodology for modeling and tracking compartmentalized threats | How do you profile actors and defend your systems when multiple threat actors are working together? In Part 2, Cisco Talos proposes an extended Diamond Model to analyze complex relationships between attackers. | Hacking blog | CISCO TALOS |
17.5.24 | Spam campaign targeting Brazil abuses Remote Monitoring and Management tools | A new spam campaign is targeting Brazilian users with a clever twist — abusing the free trial period of trusted remote monitoring tools and the country’s electronic invoice system to spread malicious agents. | Spam blog | CISCO TALOS |
17.5.24 | Microsoft Patch Tuesday for May 2025 — Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for May of 2025 which includes 78 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”. Microsoft noted five vulnerabilities that have been observed to be exploited in the wild. CVE-2 | OS Blog | CISCO TALOS |
17.5.24 | Understanding the challenges of securing an NGO | Joe talks about how helping the helpers can put a fire in you and the importance of keeping nonprofits cybersecure. | Cyber blog | CISCO TALOS |
17.5.24 | Sednit abuses XSS flaws to hit gov't entities, defense companies | Operation RoundPress targets webmail software to steal secrets from email accounts belonging mainly to governmental organizations in Ukraine and defense contractors in the EU | Vulnerability blog | Eset |
17.5.24 | Operation RoundPress | | Cyber blog | Eset |
17.5.24 | How can we counter online disinformation? | Unlocked 403 cybersecurity podcast (S2E2) | Ever wondered why a lie can spread faster than the truth? Tune in for an insightful look at disinformation and how we can fight one of the most pressing challenges facing our digital world. | Cyber blog | Eset |
17.5.24 | Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages | Every second, highly-privileged MacOS system daemons accept and process hundreds of IPC messages. In some cases, these message handlers accept data from sandboxed or unprivileged processes. | OS Blog | Project Zero |
10.5.24 | Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware | FortiGuard Labs highlights a malware campaign's increasing sophistication of attack methodologies, leveraging the legitimate functionalities of remote administration tools for malicious purposes. | Attack blog | FORTINET |
10.5.24 | FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure | The FortiGuard Incident Response (FGIR) team recently investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group. | Incident blog | FORTINET |
10.5.24 | New Finance Scam Discovered Abusing Niche X/Twitter Advertising Loophole | Silent Push Threat Analysts have uncovered a new finance scam exploiting an X/Twitter advertising display URL feature to spoof “cnn[.]com” while directing visitors to a crypto scam website impersonating Apple’s brand. | Social blog | Silent Push |
10.5.24 | How To Defend Against Threats With A Cyber Early Warning System | Security teams are constantly on the lookout for hidden threat infrastructure that isn’t already widely known, and doesn’t appear on anyone’s radar. This usually involves analyzing a significant amount of alert data and hunting for emerging domains and IPs that are in the process of being setup, across linked malicious hosting clusters. | Cyber blog | Silent Push |
10.5.24 | India Experiences Surge in Hacktivist Group Activity Amid Military Tensions | 40+ hacktivist groups united in cyberattacks against India after a terror attack in the Indian state... | Hacking blog | Cyble |
10.5.24 | Ransomware Attacks April 2025: Qilin Emerges from Chaos | Global ransomware attacks in April 2025 declined to 450 from 564 in March – the lowest level since November... | Ransom blog | Cyble |
10.5.24 | PupkinStealer: A .NET-Based Info-Stealer | Executive Summary At CYFIRMA, we are committed to delivering timely insights into active cyber threats and the techniques used by malicious actors to target individuals and | Malware blog | Cyfirma |
10.5.24 | Tracking Ransomware: April 2025 | EXECUTIVE SUMMARY April 2025 witnessed a decline in ransomware incidents, with 470 reported victims worldwide. Qilin remained the dominant group, while newer actors like | Ransom blog | Cyfirma |
10.5.24 | EXPLAINER: THE ALGERIA / MOROCCO TENSIONS | EXECUTIVE SUMMARY Since Algeria severed diplomatic ties with Morocco in 2021, tensions between the two neighbors have largely remained confined to the diplomatic arena. However, | BigBrother blog | Cyfirma |
10.5.24 | Fortnightly Vulnerability Summary | Fortnightly Vulnerability Summary CHECK OUT THESE FAST FACTS ON FORTNIGHTLY OBSERVED VULNERABILITIES. Fortnight's Most Impacted Products: Linux, D-Link, Totolink. Fortnightly | Vulnerability blog | Cyfirma |
10.5.24 | Gunra Ransomware – A Brief Analysis | Executive Summary At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and | Ransom blog | Cyfirma |
10.5.24 | Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer | Introduction A security researcher from Seqrite Labs has uncovered a malicious campaign targeting U.S. citizens as Tax Day approaches on April 15. Seqrite Labs has identified multiple phishing attacks leveraging tax-related themes as a vector for social engineering, aiming... | Malware blog | Seqrite |
10.5.24 | What Is the Goal of an Insider Threat Program? | Insider risk is one of the biggest cybersecurity threats that businesses face today. Insiders include employees, contractors or business partners with legitimate access to a company’s network, systems or data. Some misuse their access intentionally, while others make mistakes or fall victim to cybercriminals. | Cyber blog | PROOFPOINT |
10.5.24 | CoGUI Phish Kit Targets Japan with Millions of Messages | Proofpoint has observed a notable increase in high-volume Japanese language campaigns targeting organizations in Japan to deliver a phishing kit that Proofpoint researchers refer to as CoGUI. Most of the observed campaigns abuse popular consumer or payment brands in phishing lures, including Amazon, PayPay, Rakuten, and others. | Phishing blog | PROOFPOINT |
10.5.24 | Email Attacks Drive Record Cybercrime Losses in 2024 | The FBI’s Internet Crime Complaint Center (IC3) has released its 2024 Internet Crime Report. And it has revealed a record-breaking surge in cybercrime losses across the United States. Last year, total losses reached $16.6 billion, which is a 33% increase from the previous year. | Cyber blog | PROOFPOINT |
10.5.24 | Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape | Microsoft uncovered a vulnerability in macOS that could allow specially crafted code to escape the App Sandbox and run unrestricted on the system. We shared our findings with Apple and a fix was released for this vulnerability, now identified as CVE-2025-31191. We encourage macOS users to apply security updates as soon as possible. | Vulnerability blog | Microsoft blog |
10.5.24 | Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal | During our monitoring of Agenda ransomware activities, we uncovered campaigns that made use of the SmokeLoader malware and a new loader we've named NETXLOADER. | Ransom blog | Trend Micro |
10.5.24 | Exploring PLeak: An Algorithmic Method for System Prompt Leakage | What is PLeak, and what are the risks associated with it? We explored this algorithmic technique and how it can be used to jailbreak LLMs, which could be leveraged by threat actors to manipulate systems and steal sensitive data. | AI blog | Trend Micro |
10.5.24 | NetSupport RAT Malware Spied in Ukraine | This week, the SonicWall Capture Labs threat research team analyzed a sample of NetSupport RAT malware. OSINT shows that this malware has been regularly seen in Ukraine and Poland as of mid- to late-2024. | Malware blog | Palo Alto |
10.5.24 | CraftCMS Vulnerability Exposes Systems to Pre-Auth RCE, Now Exploited in the Wild (CVE-2025-32432) | The SonicWall Capture Labs threat research team became aware of a pre-authentication vulnerability in CraftCMS's asset transform generation feature, assessed its impact and developed mitigation measures. | Vulnerability blog | Palo Alto |
10.5.24 | AI Agents Are Here. So Are the Threats. | Agentic applications are programs that leverage AI agents — software designed to autonomously collect data and take actions toward specific objectives — to drive their functionality. | AI blog | Palo Alto |
10.5.24 | Lampion Is Back With ClickFix Lures | Unit 42 researchers recently uncovered a highly focused malicious campaign targeting dozens of Portuguese organizations, particularly in the government, finance and transportation sectors. | Malware blog | Palo Alto |
10.5.24 | Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation | Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content. | APT blog | Palo Alto |
10.5.24 | Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources | This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. | Malware blog | Palo Alto |
10.5.24 | State-of-the-art phishing: MFA bypass | Threat actors are bypassing MFA with adversary-in-the-middle attacks via reverse proxies. Phishing-as-a-Service tools like Evilproxy make these threats harder to detect. | Phishing blog | CISCO TALOS |
10.5.24 | The IT help desk kindly requests you read this newsletter | How do attackers exploit authority bias to manipulate victims? Martin shares proactive strategies to protect yourself and others in this must-read edition of the Threat Source newsletter. | Exploit blog | CISCO TALOS |
10.5.24 | Spam campaign targeting Brazil abuses Remote Monitoring and Management tools | A new spam campaign is targeting Brazilian users with a clever twist — abusing the free trial period of trusted remote monitoring tools and the country’s electronic invoice system to spread malicious agents. | Spam blog | CISCO TALOS |
10.5.24 | Proactive threat hunting with Talos IR | Learn more about the framework Talos IR uses to conduct proactive threat hunts, and how we can help you stay one step ahead of emerging threats. | Cyber blog | CISCO TALOS |
10.5.24 | Catching a phish with many faces | Here’s a brief dive into the murky waters of shape-shifting attacks that leverage dedicated phishing kits to auto-generate customized login pages on the fly | Phishing blog | Eset |
10.5.24 | Beware of phone scams demanding money for ‘missed jury duty’ | | Phishing blog | Eset |
10.5.24 | Toll road scams are in overdrive: Here’s how to protect yourself | Have you received a text message about an unpaid road toll? Make sure you’re not the next victim of a smishing scam. | Phishing blog | Eset |
10.5.24 | The Bug Report - April 2025 Edition | Spring clean your security! Dive into April 2025’s top CVEs, live exploits, and patches. Stay ahead of attacks — read the full Bug Report now. | Cyber blog | Trellix |
10.5.24 | The Growing Threat of Vishing: How Cybercriminals Are Using Multimedia to Target You | A new vishing attack technique we need to be aware of: how cybercriminals are using multimedia to target you. | Cyber blog | Trellix |
6.5.24 | Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams | According to the Federal Trade Commission (FTC), consumers lost more money to investment scams than to any other kind of fraud in 2024. | Spam blog | Infoblox |
6.5.24 | The Risk of Default Configuration: How Out-of-the-Box Helm Charts Can Breach Your Cluster | Have you ever used pre-made deployment templates to quickly spin up applications in Kubernetes environments? While these “plug-and-play” options greatly simplify the setup process, they often prioritize ease of use over security. | Security blog | Microsoft blog |
3.5.24 | | This Google Threat Intelligence Group report presents an analysis of detected 2024 zero-day exploits. | Exploit blog | Google Threat Intelligence |
3.5.24 | Threat Actors Are Targeting US Tax Season with New Tactics of Stealerium Infostealer | A security researcher from Seqrite Labs has uncovered a malicious campaign targeting U.S. citizens as Tax Day approaches on April 15. Seqrite Labs has identified multiple phishing attacks leveraging tax-related themes as a vector for social engineering, aiming... | Phishing blog | Seqrite |
3.5.24 | Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government | Seqrite Labs APT team has discovered “Pahalgam Terror Attack” themed documents being used by the Pakistan-linked APT group Transparent Tribe (APT36) to target Indian Government and Defense personnel. The campaign involves both credential phishing and deployment of malicious payloads,... | APT blog | Seqrite |
3.5.24 | Security Brief: French BEC Threat Actor Targets Property Payments | Proofpoint identified and named a new financially motivated, business email compromise (BEC) threat actor conducting fraud, TA2900. This actor sends French language emails using rental payment themes to target people in France and occasionally in Canada. | Spam blog | PROOFPOINT |
3.5.24 | Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape | Microsoft uncovered a vulnerability in macOS that could allow specially crafted code to escape the App Sandbox and run unrestricted on the system. We shared our findings with Apple, and a fix was released for this vulnerability, now identified as CVE-2025-31191. We encourage macOS users to apply security updates as soon as possible. | Vulnerebility blog | Microsoft blog |
3.5.24 | Exploring PLeak: An Algorithmic Method for System Prompt Leakage | What is PLeak, and what are the risks associated with it? We explored this algorithmic technique and how it can be used to jailbreak LLMs, which could be leveraged by threat actors to manipulate systems and steal sensitive data. | AI blog | Trend Micro |
3.5.24 | Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan | This blog discusses the latest modifications observed in Earth Kasha’s TTPs from their latest campaign detected in March 2025 targeting Taiwan and Japan. | APT blog | Trend Micro |
3.5.24 | NVIDIA Riva Vulnerabilities Leave AI-Powered Speech and Translation Services at Risk | Trend Research uncovered misconfigurations in NVIDIA Riva deployments, with two vulnerabilities, CVE-2025-23242 and CVE-2025-23243, contributing to their exposure. These security flaws could lead to unauthorized access, resource abuse, and potential misuse or theft of AI-powered inference services, including speech recognition and text-to-speech processing. | AI blog | Trend Micro |
3.5.24 | Actively Exploited SAP NetWeaver Visual Composer Vulnerability Enables Remote Code Execution (CVE-2025-31324) | The SonicWall Capture Labs threat research team became aware of an arbitrary file upload vulnerability in the Metadata Uploader component of SAP NetWeaver Visual Composer, assessed its impact, and developed mitigation measures. SAP NetWeaver serves as a robust technology platform that functions as both an integration hub and application layer, enabling businesses to unify data, processes, and applications from various sources into a cohesive SAP ecosystem. | Vulnerebility blog | SonicWall |
3.5.24 | Exploring the State of AI in Cyber Security: Past, Present, and Future | Artificial intelligence is rapidly reshaping the cyber security landscape—but how exactly is it being used, and what risks does it introduce? At Check Point Research, we set out to evaluate the current AI security environment by examining real-world threats, analyzing how researchers and attackers are leveraging AI, and assessing how today’s security tools are evolving with these technologies. | AI blog | Checkpoint |
3.5.24 | RSAC 2025 wrap-up – Week in security with Tony Anscombe | From the power of collaborative defense to identity security and AI, catch up on the event's key themes and discussions | Cyber blog | Eset |
3.5.24 | This month in security with Tony Anscombe – April 2025 edition | From the near-demise of MITRE's CVE program to a report showing that AI outperforms elite red teamers in spearphishing, April 2025 was another whirlwind month in cybersecurity | Cyber blog | Eset |
3.5.24 | How safe and secure is your iPhone really? | Your iPhone isn't necessarily as invulnerable to security threats as you may think. Here are the key dangers to watch out for and how to harden your device against bad actors. | OS Blog | Eset |