BLOG 2026 MAY

DATE  NAME  Info  CATEG.  WEB

16.5.26 Operating inside the lethal trifecta: Blast radius reduction in AI agent deployments Seven things security teams can start doing today to reduce risk AI blog SOPHOS
16.5.26 May’s Patch Tuesday hauls out 132 CVEs With advisories, this month’s count approaches 300 – though many are already in place OS Blog SOPHOS
16.5.26 Why AMOS matters: The macOS malware stealing data at scale Sophos X-Ops looks at the Atomic macOS Stealer and its capabilities Malware blog SOPHOS
16.5.26 When Malware Authors Study Algebra: The Group Theory Inside Bedep's DGA A closer look at how Bedep used foreign exchange data and advanced math to generate hard-to-predict domains, making its command-and-control infrastructure more difficult for defenders to block and disrupt Malware blog GENDIGITAL
16.5.26 Building a last-resort unpacker with AI Exploring how AI can assist in unpacking protected binaries, recovering payloads from unsupported packers, while reducing repetitive analysis AI blog GENDIGITAL
16.5.26 Chasing an Angry Spark A VM-obfuscated backdoor observed on a single machine in the UK, operated for one year, and vanished without a trace. Malware blog GENDIGITAL
16.5.26 Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service. APT blog SECURITY.COM
16.5.26 Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise Microsoft Incident Response investigated an attack operated through legitimate and trusted administrative mechanisms to blend seamlessly into routine operations and remain undetected, demonstrating that intrusions have increasingly avoided noisy exploits, obvious malware, or custom tooling, instead leveraging systems that organizations already trust within their environments. Security blog Microsoft blog
16.5.26 Kazuar: Anatomy of a nation-state botnet Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard, has been under constant development for years and continues to evolve in support of espionage-focused operations. BotNet blog Microsoft blog
16.5.26 Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft Our research examines the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign. Across both cases, the actor abused trusted CI/CD and release workflows to steal credentials at scale. Hacking blog Trend Micro
16.5.26 Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America TrendAI™ Research has identified two emerging threat campaigns—SHADOW-AETHER-040 and SHADOW-AETHER-064—that use agentic AI to drive intrusion operations against government and financial organizations in Latin America, marking these among the first cases we have observed of AI agents executing attacks from initial access to data exfiltration. AI blog Trend Micro
16.5.26 What Is the Instructure Canvas Breach? Impact, Risks, and What Institutions Should Do The Instructure Canvas breach affects universities, K–12 school districts, and teaching hospitals globally. This blog entry intends to provide context and practical guidance. Security blog Trend Micro
16.5.26 The Ransomware Chimera That Does Everything Malware typically falls into well-defined categories. Ransomware encrypts files and demands payment. Banking trojans steal credentials. Botnets await remote commands. However, some samples defy these conventional classifications by incorporating multiple threat vectors into a single executable. Ransom blog SonicWall
16.5.26 Adversary in the Middle Attacks - Abusing Trust via Weaponized PDFs The SonicWall Capture Labs threat research team has identified an active Adversary-in-the-Middle (AiTM) phishing campaign that leverages PDF documents as the initial delivery vector. This is a technique that bypasses multi-factor authentication entirely by stealing authenticated session cookies, not just credentials. Hacking blog SonicWall
16.5.26 Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files This article examines new obfuscation techniques the Gremlin stealer malware uses to conceal malicious payloads within embedded resources. We analyze a variant protected by a sophisticated commercial packing utility that employs instruction virtualization, transforming the original code into a custom, non-standard bytecode executed by a private virtual machine. Malware blog Palo Alto
16.5.26 Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools Active Directory Certificate Services (AD CS) is a foundational component of Windows enterprise infrastructure, responsible for managing public key infrastructure (PKI) and issuing certificates that enable authentication and encryption across networks. Hacking blog Palo Alto
16.5.26 The State of Ransomware – Q1 2026 Consolidation after peak fragmentation: The top 10 ransomware groups accounted for 71% of all Q1 2026 victims, a sharp reversal from the fragmentation seen in Q3 2025. The ransomware ecosystem is once again consolidating around fewer, more dominant operators. Ransom blog CHECKPOINT
16.5.26 Thus Spoke…The Gentlemen On May 4th, 2026, The Gentlemen RaaS administrator acknowledged on underground forums that an internal backend database (Rocket) had been leaked. This leak exposed 9 accounts, including zeta88 (aka hastalamuerte), who runs the infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the administrator of the program. Ransom blog CHECKPOINT
16.5.26 Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. Exploit blog CISCO TALOS
16.5.26 The time of much patching is coming In this week’s newsletter, Martin reflects on what the next iteration of AI tools means for vulnerability discovery and our ability to manage large-scale patch releases. Security blog CISCO TALOS
16.5.26 Breaking things to keep them safe with Philippe Laulheret Philippe shares his unique journey from French engineering school to the front lines of cybersecurity, explaining how his lifelong love for solving puzzles helps him uncover critical security flaws before they can be exploited. Cyber blog CISCO TALOS
16.5.26 State-sponsored actors, better known as the friends you don’t want Responding to a state-sponsored threat is nothing like responding to ransomware, and the differences can make or break the outcome. Learn why your IR plan might need revisiting, and the factors you should consider. Ransom blog CISCO TALOS
16.5.26 Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 16 that Microsoft marked as “critical”. Vulnerability blog CISCO TALOS
16.5.26 Unplug your way to better code Cybersecurity concepts — logs, packets, DNS exfiltration, and more — are usually intangible, and its practitioners are prone to mental fatigue. Amy takes a second to yell at you to go touch grass. Cyber blog CISCO TALOS
16.5.26 Why geopolitical turmoil is a gift for scammers, and how to stay safe Conflict is a boon for opportunistic fraudsters. Look out for their ploys. Cyber blog Eset
16.5.26 FrostyNeighbor: Fresh mischief and digital shenanigans ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the group’s continual cyberespionage operations APT blog Eset
16.5.26 Eyes wide open: How to mitigate the security and privacy risks of smart glasses Smart glasses allow anyone to track and record the world around them. That could put your data and the privacy of those nearby at risk. Security blog Eset
16.5.26 On the Effectiveness of Mutational Grammar Fuzzing Mutational grammar fuzzing is a fuzzing technique in which the fuzzer uses a predefined grammar that describes the structure of the samples. When a sample gets mutated, the mutations happen in such a way that any resulting samples still adhere to the grammar rules, so the structure of the samples is maintained by the mutation process. Vulnerability blog Project Zero
9.5.26 Pull the Plug: FIRESTARTER Survives Patches, Reboots, and Your Incident Response Plan You patched your Cisco ASA. You rebooted it. Your vulnerability scanner shows green. You closed the ticket. However, the backdoor is still there! Vulnerability blog Eclypsium
9.5.26 Zero Trust Target Level Compliance Device Pillar Challenges: Do The Hard Parts Now The Department of War’s Zero Trust Target Level deadline may be September 30, 2027, but for agencies responsible for device security, the practical deadline comes much sooner. Cyber blog Eclypsium
9.5.26 Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam’s Military Telecom & Philippine Healthcare Hacking blog Seqrite
9.5.26 Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector Ahead of Moscow Summit Hacking blog Seqrite
9.5.26 Cyble Recognized in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies — and What Cyble Feels It Means for the Next Era of Threat Intel A note from our CEO on the recognition, what we believe it signals about the category, and where we go from here. Cyber blog Cyble
9.5.26 Operation HumanitarianBait: An Infostealer Campaign in Disguise Cyble analyzes Operation HumanitarianBait, a stealthy espionage campaign using aid-themed lures to deploy a fileless Python infostealer. Hacking blog Cyble
9.5.26 Third-Party Breaches Without Breaches: How Attackers Use Trusted Access to Bypass US Enterprise Defenses A new supply chain attack exploits trusted access and browsers. Learn how attackers bypass defenses and how to prevent supply chain attack risks. Hacking blog Cyble
9.5.26 Cyble Named a Challenger in the 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence Recognized for Completeness of Vision and Ability to Execute Security blog Cyble
9.5.26 Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise Microsoft Defender Research observed a large-scale credential theft campaign that exemplifies this trend, using code of conduct-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker-controlled domains. Phishing blog Microsoft blog
9.5.26 Supporting the National Cyber Strategy: How TrendAI™ Helps A deeper look at the first three pillars and outlining how our capabilities directly support government agencies working to bring this strategy to life. AI blog Trend Micro
9.5.26 InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise Targeting multiple industries worldwide, the InstallFix campaign uses fake Claude AI installer pages to trick users into running malware that collects system information, disables security features, achieves persistence, and connects to attacker-controlled C&C servers for additional payloads. Malware blog Trend Micro
9.5.26 Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities TrendAI™ Research breaks down Quasar Linux (QLNX), a previously undocumented sophisticated Linux RAT with low detection rates. In this blog, we examine a full-featured Linux threat incorporating a rootkit, a PAM backdoor, credential harvesting, and more, revealing how this malware enables stealthy access, persistence, and potential supply-chain attacks. Malware blog Trend Micro
9.5.26 Mesop AI Sandbox Unauthenticated Remote Code Execution SonicWall Capture Labs threat research team became aware of the threat CVE-2026-33057, assessed its impact, and developed mitigation measures for this vulnerability. The flaw, also known as the Mesop AI Sandbox /exec-py Unauthenticated RCE, is a critical remote code execution vulnerability affecting Google-originated Mesop in PyPI versions up to and including 1.2.2. AI blog SonicWall
9.5.26 Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution On May 6, 2026, Palo Alto Networks released a security advisory for CVE-2026-0300, identifying a buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software. Vulnerable systems allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. Vulnerability blog Palo Alto
9.5.26 Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years On April 29, 2026, researchers publicly disclosed a highly reliable local privilege escalation (LPE) vulnerability tracked as CVE-2026-31431. This vulnerability is commonly referred to as Copy Fail. Discovered in about an hour through an AI-assisted process, this logic flaw allows an unprivileged local attacker to consistently escalate their access to root across virtually all major Linux distributions released since 2017. Vulnerability blog Palo Alto
9.5.26 Insights into the clustering and reuse of phone numbers in scam emails Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails. Spam blog CISCO TALOS
9.5.26 Unplug your way to better code Cybersecurity concepts — logs, packets, DNS exfiltration, and more — are usually intangible, and its practitioners are prone to mental fatigue. Amy takes a second to yell at you to go touch grass. Security blog CISCO TALOS
9.5.26 UAT-8302 and its box full of malware Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. APT blog CISCO TALOS
9.5.26 CloudZ RAT potentially steals OTP messages using Pheno plugin Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.” Malware blog CISCO TALOS
9.5.26 Fake call logs, real payments: How CallPhantom tricks Android users ESET researchers uncovered fraudulent apps on Google Play that claim to provide the call history “for any number” and had been downloaded more than seven million times before being taken down OS Blog Eset
9.5.26 Fixing the password problem is as easy as 123456 How come it’s still possible to ‘secure’ an online account with a six-digit string? Security blog Eset
9.5.26 A rigged game: ScarCruft compromises gaming platform in a supply-chain attack ESET researchers have investigated an ongoing attack by the ScarCruft APT group that targets the Yanbian region via backdoor-laced Windows and Android games APT blog Eset
2.5.26 CISA’s Advisory On Botnets: Why Banning SOHO Routers Won’t Fix Critical Infrastructure Cyber Risk CISA recently released a new cybersecurity advisory focused on defending against botnets built from compromised consumer and small-office/home-office (SOHO) routers. The advisory highlights how threat actors are actively exploiting vulnerable, internet-exposed devices to build large-scale proxy networks. Vulnerability blog Eclypsium
2.5.26 The Week in Vulnerabilities: GitHub Enterprise, Argo CD, Oracle Identity Manager, and Mozilla Security Flaws Cyble weekly vulnerability report shows 1,095 vulnerabilities, PoCs, KEV additions, and active attacks across enterprise, cloud, and open-source. Cyber blog Cyble
2.5.26 How Cyble Blaze AI Turns Billions of Threat Signals into Actionable Intelligence Cyble Blaze AI transforms fragmented threat data into real-time action using AI security analytics and automated cyber threat intelligence. AI blog Cyble
2.5.26 ANZ Organizations Are in the Ransomware Crosshairs — What the Dark Web Is Telling Us Ransomware in ANZ is evolving into a scalable cybercrime model, with dark web intelligence revealing targeted attacks, data theft, and rising risks. Ransom blog Cyble
2.5.26 Why U.S. Critical Infrastructure Is the Highest-Value Target in the Global Cyber War A critical infrastructure cyberattack is driving new risks as ransomware and nation-state threats target essential US systems in 2026. ICS blog Cyble
2.5.26 Email threat landscape: Q1 2026 trends and insights In early 2026, email threats increased with a rise in credential phishing, QR code phishing, and CAPTCHA-gated campaigns, highlighted by Microsoft’s disruption of the Tycoon2FA phishing platform which led to a 15% volume decrease and shifts in threat actor tactics. Spam blog Microsoft blog
2.5.26 Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia A China-aligned threat group is exploiting unpatched Microsoft Exchange vulnerabilities to conduct cyberespionage against government and critical infrastructure targets across Asia and beyond. APT blog Trend Micro
2.5.26 Kuse Web App Abused to Host Phishing Document Bad actors took advantage of the legitimate name and services of Kuse, a popular AI-based app designed for workplaces. The attackers exploited the users’ trust in Kuse to carry out a phishing attack. AI blog Trend Micro
2.5.26 The npm Threat Landscape: Attack Surface and Mitigations The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. Hacking blog Palo Alto
2.5.26 TGR-STA-1030: New Activity in Central and South America TGR-STA-1030 remains an active threat. Since February, we have observed widespread activity from this group across multiple countries. Most recently, their efforts appear to be heavily focused on regions within Central and South America. Hacking blog Palo Alto
2.5.26 The npm Threat Landscape: Attack Surface and Mitigations The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. Attack blog Palo Alto
2.5.26 VECT: Ransomware by design, Wiper by accident Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform variants (Windows, Linux, ESXi), discards three of four decryption nonces for every file above 131,072 bytes (128 KB). Ransom blog CHECKPOINT
2.5.26 Five defender priorities from the Talos Year in Review With attackers moving faster than ever, it’s easy to feel overwhelmed. This blog breaks down five practical priorities from the Cisco Talos 2025 Year in Review to help defenders focus and prioritize, amidst all the noise. Cyber blog CISCO TALOS
2.5.26 Great responsibility, without great power In this week’s newsletter, Hazel uses International Superhero Day as a springboard to explore why empathy — rather than just technical prowess — is the most essential, underrated superpower for navigating the human side of cybersecurity. Cyber blog CISCO TALOS
2.5.26 AI-powered honeypots: Turning the tables on malicious AI agents Just as AI brings time-saving advantages to our lives, it brings similar advantages to threat actors. We can take the advantage back. This blog shows how generative AI can be used to rapidly deploy adaptive honeypot systems. AI blog CISCO TALOS
2.5.26 It pays to be a forever student In this newsletter, Joe discusses why understanding other disciplines can often flow back into the macro and micro of cybersecurity, especially in a world of AI. AI blog CISCO TALOS
2.5.26 UAT-4356's Targeting of Cisco Firepower Devices Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices. Hacking blog CISCO TALOS
2.5.26 This month in security with Tony Anscombe – April 2026 edition Warnings about helpdesk impersonation scams and Iran-linked hackers targeting critical sectors in the US, plus the most damaging scams of 2025 - here's some of what made the headlines this month Cyber blog Eset