BLOG 2026 JULY 2026 2025 2024 2023
AI blog APT blog Attack blog BigBrother blog BotNet blog Cyber blog Cryptocurrency blog Exploit blog Hacking blog ICS blog Incident blog IoT blog Malware blog OS Blog Phishing blog Ransom blog Safety blog Security blog Social blog Spam blog Vulnerebility blog
2026 January(89) February(123) March(106) April(119) May(126) June(97) July(49) August(0) September(0) October(0) November(0) December(0)
DATE |
NAME |
Info |
CATEG. |
WEB |
| 11.7.26 | Phishing in the Balkans: Fake Traffic Fines, Real Losses | This blog documents Group-IB’s research into an SMS phishing campaign targeting Serbian road users through the impersonation of Serbia's state road authority, and how it can be linked to both Darcula and Phoenix PhaaS platforms with victims across the globe. | Phishing blog | GROUP-IB |
| 11.7.26 | Connecting Scattered Spider: Defining A Cybercrime Collective Through Shared TTPs | This blog covers Group-IB’s overview of Scattered Spider, backed by Group-IB’s proprietary intelligence, providing additional information to what has already been reported publicly, with added clarification on 0ktapus and how it is related to Scattered Spider. | Hacking blog | GROUP-IB |
| 11.7.26 | RedHook Returns with a Dangerous Upgrade | Group-IB analysts examine this resurfaced Android Remote Access Trojan, demonstrating new, sophisticated and malicious functionalities including autonomous privilege abuse, expanded command-and-control capabilities, and a robust persistence stack. | Malware blog | GROUP-IB |
| 11.7.26 | Sophos named a 2026 Gartner® Peer Insights™ Customers’ Choice for Email Security | Sophos has been named a 2026 Gartner® Peer Insights™ Customers’ Choice in the 2026 Gartner® Peer Insights™ Voice of the Customer for Email Security. This marks Sophos’ entry into the report, as well as Sophos’ first ever Customers’ Choice distinction for Email Security. | Cyber blog | SOPHOS |
| 11.7.26 | When AI agents look like attackers: what behavioral telemetry tells us | An X-Ops analysis of how AI coding agents trigger endpoint detection rules designed for adversaries | AI blog | SOPHOS |
| 11.7.26 | "Exploit mitigation" stalled around 2008. The attacks didn't. | AI turns a patched bug into a working exploit in hours. Why endpoint exploit mitigation stalled in 2008, and what a default-on mitigation layer looks like now. | AI blog | SOPHOS |
| 11.7.26 | The "Golden SAML" technique, first described by CyberArk researchers in 2017, and further detailed by Mandiant researchers in 2021, remains one of the most effective methods for threat actors to forge identity assertions in the Microsoft ecosystem. | Hacking blog | GTI | |
| 11.7.26 | The Two BIOS Passwords Everyone Confuses | When someone tells me “we set the BIOS password on the fleet,” my first question is always “which one?” Because there are at least two firmware passwords on a modern machine, they do completely different things, and the failure I see most often is a team that sets one, assumes it covers the other, and leaves a gap they do not know they have. | Hacking blog | Eclypsium |
| 11.7.26 | Post-Mythos Cybersecurity: Can You Automate Infrastructure Assurance with AI? | Programs like Anthropic’s Mythos and OpenAI’s Daybreak are changing how organizations think about security architecture, internal engineering, staffing, and vendor commitments. OpenAI describes Daybreak as a defender-focused program for finding, validating, and fixing vulnerabilities before attackers can exploit them. | AI blog | Eclypsium |
| 11.7.26 | From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting Russian Aerospace Organizations | Table of Contents Introduction Infection Chain Technical Analysis Conclusion Seqrite Coverage Indicators of Compromise (IOCs) MITRE ATT&CK Mapping Introduction The Seqrite Threat Research Team identified a targeted spear-phishing campaign disguised as a legitimate business invoice. The phishing email impersonates a legitimate... | Phishing blog | Seqrite |
| 11.7.26 | Inside the Underground Economy: 5 Dark Web Trends Shaping the 2026 Threat Landscape | Cyble breaks down how dark web ecosystems are evolving in 2026 with ransomware, initial access brokers, AI-driven attacks, and underground threat activity. | Cyber blog | Cyble |
| 11.7.26 | Mid-Year Threat Trends: What H1 2026 Signals for the Rest of the Year | H1 2026 threat intelligence trends show rising ransomware, AI-driven attacks, and identity risks reshaping the global cyber risk outlook for 2026. | Cyber blog | Cyble |
| 11.7.26 | Glitch SPY: An Emerging Android RAT Distributed Through a Fake Polish Rental App | CRIL analyzes Glitch SPY, an Android RAT with 70+ commands, crypto-clipping, and a silent remote browser, giving attackers full device control. | Malware blog | Cyble |
| 11.7.26 | GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses | Third iteration of ransomware from Hyadina developers who first launched the Monster ransomware in 2022. | Ransom blog | SECURITY.COM |
| 11.7.26 | GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware | GigaWiper is a destructive backdoor that combines multiple wiping and ransomware-like capabilities into a single operational platform. | Malware blog | Microsoft blog |
| 11.7.26 | rclone Remote-Control API Unauthenticated Command Execution | rclone Remote-Control API Unauthenticated Command Execution (CVE-2026-41179) | Vulnerebility blog | SonicWall |
| 11.7.26 | Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation | In April 2026, Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and the XMRig cryptocurrency miner to consumer and small- and medium-sized business victims worldwide. | Malware blog | Palo Alto |
| 11.7.26 | Cavern Manticore: Exposing Iran-Linked Modular C2 Framework | Note: SysAid was not compromised, and no SysAid vulnerability was involved. The attacker had already gained access to the victim environment and abused a legitimate software-deployment feature to deploy malware onto another machine within it. | APT blog | CHECKPOINT |
| 11.7.26 | Winning 54% of the time | With Wimbledon's help, Hazel argues against the popular myth that "Attackers only need to be right once, but defenders need to be right 100% of the time." | Cyber blog | CISCO TALOS |
| 11.7.26 | UAT-7810 continues building ORB networks using new malware | Talos’ latest findings on UAT-7810 indicate that the threat actor continues to develop their custom-made malware. | Malware blog | CISCO TALOS |
| 11.7.26 | ESET Threat Report H1 2026 | A view of the H1 2026 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts. | Cyber blog | Eset |
| 9.7.26 | GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses | Third iteration of ransomware from Hyadina developers who first launched the Monster ransomware in 2022. | Ransom blog | SECURITY.COM |
| 9.7.26 | Friendly Fire: Hijacking Defensive Cyber AI Agents for Remote Code Execution | We are revealing a proof-of-concept exploit that enables remote code execution in Anthropic’s Claude Code CLI (with Claude Sonnet 4.6 & 5, Opus 4.8) and OpenAI’s Codex CLI (with GPT-5.5) when employed to defensively assess the security of an open-source or third-party library. | AI blog | AINOW |
| 9.7.26 | Fake Installers, Fake Reviews, Fake Services - Real Proxies, Real Victims | Residential proxies are one of the hottest topics in cybersecurity today. Turns out, they are often not in residences, and they facilitate a wide range of criminal activity. In the simplest terms, a little piece of software in a TV, digital picture frame, or your phone might enable a company to sell access to your device’s bandwidth to their own customers. | Hacking blog | INFOBLOX |
| 9.7.26 | Fake 7-Zip downloads are turning home PCs into proxy nodes | A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims’ machines into residential proxy nodes—and it has been hiding in plain sight for some time. | Hacking blog | MALWAREBYTES |
| 8.7.26 | When prompts become shells: RCE vulnerabilities in AI agent frameworks | AI agents have fundamentally changed the threat model of AI model-based applications. By equipping these models with plugins (also called tools), your agents no longer just generate text; they now read files, search connected databases, run scripts, and perform other tasks to actively operate on your network. | AI blog | Microsoft blog |
| 4.7.26 | GachiLoader adopts AI skill lure | AI skills are threat actors’ newest and most dangerous lures. | AI blog | THREATDOWN |
| 4.7.26 | A double-edged bleeding edge: Classifying AI threats | Sophos X-Ops presents a working taxonomy for attacks using, and targeting, AI | AI blog | SOPHOS |
| 4.7.26 | Vect and TeamPCP partner for ransomware campaigns | Credentials harvested through supply chain compromises enable large‑scale ransomware deployment | Ransom blog | SOPHOS |
| 4.7.26 | Today, in coordination with the FBI, Lumen, and others, Google took action against the NetNut residential proxy network, also known as Popa. This action builds on our disruption of the IPIDEA proxy network that took place in January 2026, and is a continuation of Google’s objective to dismantle malicious residential proxy networks. | Hacking blog | GTI | |
| 4.7.26 | Four years into Russia’s full-scale invasion of Ukraine, the pro-Russia influence ecosystem has evolved from a tool of war back into a global strategic asset. Since the mobilization of this ecosystem to support frontline objectives, we have witnessed the expedited development of new influence assets linked to multiple, expansive, covert information operations (IO) campaigns and a revitalization of pro-Russia hacktivism at an unprecedented scale. | APT blog | GTI | |
| 4.7.26 | Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment | Authors: Dixit Panchal & Soumen Burma Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Initial Mail: Email Attachment: Lure: Official GoI, Income Tax Document: Technical Analysis: Infrastructural Artefacts & Threat actor Attributions. Campaign Timeline. Conclusion:... | Cyber blog | Seqrite |
| 4.7.26 | Glitch SPY: An Emerging Android RAT Distributed Through a Fake Polish Rental App | CRIL analyzes Glitch SPY, an Android RAT with 70+ commands, crypto-clipping, and a silent remote browser, giving attackers full device control. | Malware blog | Cyble |
| 4.7.26 | The BYOVD Epidemic: How Attackers Are Weaponizing Trusted Windows Drivers to Kill Security | Bring Your Own Vulnerable Driver (BYOVD) has gone from a niche tactic to a standard part of the ransomware playbook and Windows' own kernel hardening does little to stop it. | Hacking blog | SECURITY.COM |
| 4.7.26 | Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud | In this blog entry, researchers from the TrendAI™ MDR team discuss how they mapped the full end-to-end operation of SHADOW-WATER-063’s Banana RAT banking malware by analyzing server-side artifacts and victim-side data. | Malware blog | Trend Micro |
| 4.7.26 | Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware | Void Dokkaebi, a North Korea-aligned intrusion set, has updated its information-stealing malware, InvisibleFerret, shifting its delivery format to evade script-based detections. | Malware blog | Trend Micro |
| 4.7.26 | TONResolver RAT Abuses TON Blockchain to Target Japan's Hotel Industry | In this blog entry, TrendAI™ Research examines a wave of phishing emails observed in May 2026 that targeted Japanese accommodation facilities using Booking.com, detailing the victims, attack techniques used, and characteristics of the malware involved. | Malware blog | Trend Micro |
| 4.7.26 | Android Arsink RAT Revisited Targeting User Credentials | The SonicWall Capture Labs threat research team identified an ongoing Android Remote Access Trojan (RAT) campaign that employs multiple techniques to harvest sensitive user information through phishing and data exfiltration activities by impersonating the actual app icons and using similar names. | Malware blog | SonicWall |
| 4.7.26 | Joomla Content Editor Remote Code Execution | The SonicWall Capture Labs threat research team became aware of a PHP code upload and execution vulnerability in Joomla products, assessed its impact, and developed mitigation measures. Joomla is a free, open-source Content Management System (CMS) used to build and manage websites and online applications. It serves as a powerful, flexible alternative to platforms like WordPress, offering extensive customization through thousands of extensions and templates. | Vulnerebility blog | SonicWall |
| 4.7.26 | Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector | Unit 42 researchers found that large language models (LLMs) consistently hallucinate web domains for legitimate brands. Adversaries are actively weaponizing this vector by registering these nonexistent domains to intercept traffic generated by AI systems. We call this phenomenon phantom squatting, and it poses a significant risk to the software supply chain. | AI blog | Palo Alto |
| 4.7.26 | Threat Brief: Mitigating Large-Scale Credential Attacks | Unit 42 is aware of a large-scale password spraying and credential theft campaign (“FortiBleed”) against Fortinet devices. We observed attempts targeting MSSQL devices as well, and have seen reports of Sophos devices also being targeted. While this activity is not targeting Palo Alto Networks devices, Unit 42 has observed suspicious login attempts in customer telemetry and we are providing this report out of an abundance of caution to ensure our customers have the latest intelligence and product recommendations to protect, detect and respond to attacks to their network. | Hacking blog | Palo Alto |
| 4.7.26 | CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure | Throughout 2025, we observed a cluster of activity targeting government entities and critical infrastructure in Southeast Asia. Specifically, the activity targeted state-owned enterprises in the energy and government sectors. | APT blog | Palo Alto |
| 4.7.26 | Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique | AI can turn high-level malicious ideas into concrete techniques, and can independently design and implement novel attack paths that have not yet appeared in real-world campaigns. | AI blog | CHECKPOINT |
| 4.7.26 | ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365 | Talos has identified "ARToken," a phishing-as-a-service platform that targets Microsoft 365. The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token persistence, email access, BEC operations, and SharePoint exfiltration. | Phishing blog | CISCO TALOS |
| 4.7.26 | Catan and Mouse | What do board games and cybersecurity have in common? Pattern recognition. Strategy. Adaptation. In this week’s Threat Source Bill explores why curiosity may be a defender’s most valuable skill. | Cyber blog | CISCO TALOS |
| 4.7.26 | Martin Lee: Running through the Arctic (and the threat landscape) | Ever wonder how someone goes from studying human viruses to leading cybersecurity teams? In this Humans of Talos, we’re joined by Martin Lee, EMEA Lead, to talk about his journey into the industry. | Cyber blog | CISCO TALOS |
| 4.7.26 | Cyber readiness for SMBs: Getting the basics right | AI is changing cybercrime, but SMB cyber readiness still largely depends on closing the familiar gaps | Cyber blog | Eset |
| 4.7.26 | This month in security with Tony Anscombe – June 2026 edition | Three-day patching deadlines, exposed fuel-tank systems, scams costing billions of dollars, and social media bans for children all gave Tony plenty to unpack in June 2026 | Cyber blog | Eset |
| 4.7.26 | Inside the inbox: Why cybercriminals want to break into your email account | Your inbox is an identity system all of its own: whoever owns it may own a lot more | Cyber blog | Eset |