AI blog APT blog Attack blog BigBrother blog BotNet blog Cyber blog Cryptocurrency blog Exploit blog Hacking blog ICS blog Incident blog IoT blog Malware blog OS Blog Phishing blog Ransom blog Safety blog Security blog Social blog Spam blog Vulnerebility blog
2026 January(89) February(123) March(106) April(119) May(126) June(97) July(49) August(0) September(0) October(0) November(0) December(0)
DATE |
NAME |
Info |
CATEG. |
WEB |
| 11.7.26 | Phishing in the Balkans: Fake Traffic Fines, Real Losses | This blog documents Group-IB’s research into an SMS phishing campaign targeting Serbian road users through the impersonation of Serbia's state road authority, and how it can be linked to both Darcula and Phoenix PhaaS platforms with victims across the globe. | Phishing blog | GROUP-IB |
| 11.7.26 | Connecting Scattered Spider: Defining A Cybercrime Collective Through Shared TTPs | This blog covers Group-IB’s overview of Scattered Spider, backed by Group-IB’s proprietary intelligence, providing additional information to what has already been reported publicly, with added clarification on 0ktapus and how it is related to Scattered Spider. | Hacking blog | GROUP-IB |
| 11.7.26 | RedHook Returns with a Dangerous Upgrade | Group-IB analysts examine this resurfaced Android Remote Access Trojan, demonstrating new, sophisticated and malicious functionalities including autonomous privilege abuse, expanded command-and-control capabilities, and a robust persistence stack. | Malware blog | GROUP-IB |
| 11.7.26 | Sophos named a 2026 Gartner® Peer Insights™ Customers’ Choice for Email Security | Sophos has been named a 2026 Gartner® Peer Insights™ Customers’ Choice in the 2026 Gartner® Peer Insights™ Voice of the Customer for Email Security. This marks Sophos’ entry into the report, as well as Sophos’ first ever Customers’ Choice distinction for Email Security. | Cyber blog | SOPHOS |
| 11.7.26 | When AI agents look like attackers: what behavioral telemetry tells us | An X-Ops analysis of how AI coding agents trigger endpoint detection rules designed for adversaries | AI blog | SOPHOS |
| 11.7.26 | "Exploit mitigation" stalled around 2008. The attacks didn't. | AI turns a patched bug into a working exploit in hours. Why endpoint exploit mitigation stalled in 2008, and what a default-on mitigation layer looks like now. | AI blog | SOPHOS |
| 11.7.26 | The "Golden SAML" technique, first described by CyberArk researchers in 2017, and further detailed by Mandiant researchers in 2021, remains one of the most effective methods for threat actors to forge identity assertions in the Microsoft ecosystem. | Hacking blog | GTI | |
| 11.7.26 | The Two BIOS Passwords Everyone Confuses | When someone tells me “we set the BIOS password on the fleet,” my first question is always “which one?” Because there are at least two firmware passwords on a modern machine, they do completely different things, and the failure I see most often is a team that sets one, assumes it covers the other, and leaves a gap they do not know they have. | Hacking blog | Eclypsium |
| 11.7.26 | Post-Mythos Cybersecurity: Can You Automate Infrastructure Assurance with AI? | Programs like Anthropic’s Mythos and OpenAI’s Daybreak are changing how organizations think about security architecture, internal engineering, staffing, and vendor commitments. OpenAI describes Daybreak as a defender-focused program for finding, validating, and fixing vulnerabilities before attackers can exploit them. | AI blog | Eclypsium |
| 11.7.26 | From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting Russian Aerospace Organizations | Table of Contents Introduction Infection Chain Technical Analysis Conclusion Seqrite Coverage Indicators of Compromise (IOCs) MITRE ATT&CK Mapping Introduction The Seqrite Threat Research Team identified a targeted spear-phishing campaign disguised as a legitimate business invoice. The phishing email impersonates a legitimate... | Phishing blog | Seqrite |
| 11.7.26 | Inside the Underground Economy: 5 Dark Web Trends Shaping the 2026 Threat Landscape | Cyble breaks down how dark web ecosystems are evolving in 2026 with ransomware, initial access brokers, AI-driven attacks, and underground threat activity. | Cyber blog | Cyble |
| 11.7.26 | Mid-Year Threat Trends: What H1 2026 Signals for the Rest of the Year | H1 2026 threat intelligence trends show rising ransomware, AI-driven attacks, and identity risks reshaping the global cyber risk outlook for 2026. | Cyber blog | Cyble |
| 11.7.26 | Glitch SPY: An Emerging Android RAT Distributed Through a Fake Polish Rental App | CRIL analyzes Glitch SPY, an Android RAT with 70+ commands, crypto-clipping, and a silent remote browser, giving attackers full device control. | Malware blog | Cyble |
| 11.7.26 | GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses | Third iteration of ransomware from Hyadina developers who first launched the Monster ransomware in 2022. | Ransom blog | SECURITY.COM |
| 11.7.26 | GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware | GigaWiper is a destructive backdoor that combines multiple wiping and ransomware-like capabilities into a single operational platform. | Malware blog | Microsoft blog |
| 11.7.26 | rclone Remote-Control API Unauthenticated Command Execution | rclone Remote-Control API Unauthenticated Command Execution (CVE-2026-41179) | Vulnerebility blog | SonicWall |
| 11.7.26 | Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation | In April 2026, Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and the XMRig cryptocurrency miner to consumer and small- and medium-sized business victims worldwide. | Malware blog | Palo Alto |
| 11.7.26 | Cavern Manticore: Exposing Iran-Linked Modular C2 Framework | Note: SysAid was not compromised, and no SysAid vulnerability was involved. The attacker had already gained access to the victim environment and abused a legitimate software-deployment feature to deploy malware onto another machine within it. | APT blog | CHECKPOINT |
| 11.7.26 | Winning 54% of the time | With Wimbledon's help, Hazel argues against the popular myth that "Attackers only need to be right once, but defenders need to be right 100% of the time." | Cyber blog | CISCO TALOS |
| 11.7.26 | UAT-7810 continues building ORB networks using new malware | Talos’ latest findings on UAT-7810 indicate that the threat actor continues to develop their custom-made malware. | Malware blog | CISCO TALOS |
| 11.7.26 | ESET Threat Report H1 2026 | A view of the H1 2026 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts. | Cyber blog | Eset |
| 9.7.26 | GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses | Third iteration of ransomware from Hyadina developers who first launched the Monster ransomware in 2022. | Ransom blog | SECURITY.COM |
| 9.7.26 | Friendly Fire: Hijacking Defensive Cyber AI Agents for Remote Code Execution | We are revealing a proof-of-concept exploit that enables remote code execution in Anthropic’s Claude Code CLI (with Claude Sonnet 4.6 & 5, Opus 4.8) and OpenAI’s Codex CLI (with GPT-5.5) when employed to defensively assess the security of an open-source or third-party library. | AI blog | AINOW |
| 9.7.26 | Fake Installers, Fake Reviews, Fake Services - Real Proxies, Real Victims | Residential proxies are one of the hottest topics in cybersecurity today. Turns out, they are often not in residences, and they facilitate a wide range of criminal activity. In the simplest terms, a little piece of software in a TV, digital picture frame, or your phone might enable a company to sell access to your device’s bandwidth to their own customers. | Hacking blog | INFOBLOX |
| 9.7.26 | Fake 7-Zip downloads are turning home PCs into proxy nodes | A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims’ machines into residential proxy nodes—and it has been hiding in plain sight for some time. | Hacking blog | MALWAREBYTES |
| 8.7.26 | When prompts become shells: RCE vulnerabilities in AI agent frameworks | AI agents have fundamentally changed the threat model of AI model-based applications. By equipping these models with plugins (also called tools), your agents no longer just generate text; they now read files, search connected databases, run scripts, and perform other tasks to actively operate on your network. | AI blog | Microsoft blog |
| 4.7.26 | GachiLoader adopts AI skill lure | AI skills are threat actors’ newest and most dangerous lures. | AI blog | THREATDOWN |
| 4.7.26 | A double-edged bleeding edge: Classifying AI threats | Sophos X-Ops presents a working taxonomy for attacks using, and targeting, AI | AI blog | SOPHOS |
| 4.7.26 | Vect and TeamPCP partner for ransomware campaigns | Credentials harvested through supply chain compromises enable large‑scale ransomware deployment | Ransom blog | SOPHOS |
| 4.7.26 | Today, in coordination with the FBI, Lumen, and others, Google took action against the NetNut residential proxy network, also known as Popa. This action builds on our disruption of the IPIDEA proxy network that took place in January 2026, and is a continuation of Google’s objective to dismantle malicious residential proxy networks. | Hacking blog | GTI | |
| 4.7.26 | Four years into Russia’s full-scale invasion of Ukraine, the pro-Russia influence ecosystem has evolved from a tool of war back into a global strategic asset. Since the mobilization of this ecosystem to support frontline objectives, we have witnessed the expedited development of new influence assets linked to multiple, expansive, covert information operations (IO) campaigns and a revitalization of pro-Russia hacktivism at an unprecedented scale. | APT blog | GTI | |
| 4.7.26 | Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment | Authors: Dixit Panchal & Soumen Burma Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Initial Mail: Email Attachment: Lure: Official GoI, Income Tax Document: Technical Analysis: Infrastructural Artefacts & Threat actor Attributions. Campaign Timeline. Conclusion:... | Cyber blog | Seqrite |
| 4.7.26 | Glitch SPY: An Emerging Android RAT Distributed Through a Fake Polish Rental App | CRIL analyzes Glitch SPY, an Android RAT with 70+ commands, crypto-clipping, and a silent remote browser, giving attackers full device control. | Malware blog | Cyble |
| 4.7.26 | The BYOVD Epidemic: How Attackers Are Weaponizing Trusted Windows Drivers to Kill Security | Bring Your Own Vulnerable Driver (BYOVD) has gone from a niche tactic to a standard part of the ransomware playbook and Windows' own kernel hardening does little to stop it. | Hacking blog | SECURITY.COM |
| 4.7.26 | Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud | In this blog entry, researchers from the TrendAI™ MDR team discuss how they mapped the full end-to-end operation of SHADOW-WATER-063’s Banana RAT banking malware by analyzing server-side artifacts and victim-side data. | Malware blog | Trend Micro |
| 4.7.26 | Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware | Void Dokkaebi, a North Korea-aligned intrusion set, has updated its information-stealing malware, InvisibleFerret, shifting its delivery format to evade script-based detections. | Malware blog | Trend Micro |
| 4.7.26 | TONResolver RAT Abuses TON Blockchain to Target Japan's Hotel Industry | In this blog entry, TrendAI™ Research examines a wave of phishing emails observed in May 2026 that targeted Japanese accommodation facilities using Booking.com, detailing the victims, attack techniques used, and characteristics of the malware involved. | Malware blog | Trend Micro |
| 4.7.26 | Android Arsink RAT Revisited Targeting User Credentials | The SonicWall Capture Labs threat research team identified an ongoing Android Remote Access Trojan (RAT) campaign that employs multiple techniques to harvest sensitive user information through phishing and data exfiltration activities by impersonating the actual app icons and using similar names. | Malware blog | SonicWall |
| 4.7.26 | Joomla Content Editor Remote Code Execution | The SonicWall Capture Labs threat research team became aware of a PHP code upload and execution vulnerability in Joomla products, assessed its impact, and developed mitigation measures. Joomla is a free, open-source Content Management System (CMS) used to build and manage websites and online applications. It serves as a powerful, flexible alternative to platforms like WordPress, offering extensive customization through thousands of extensions and templates. | Vulnerebility blog | SonicWall |
| 4.7.26 | Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector | Unit 42 researchers found that large language models (LLMs) consistently hallucinate web domains for legitimate brands. Adversaries are actively weaponizing this vector by registering these nonexistent domains to intercept traffic generated by AI systems. We call this phenomenon phantom squatting, and it poses a significant risk to the software supply chain. | AI blog | Palo Alto |
| 4.7.26 | Threat Brief: Mitigating Large-Scale Credential Attacks | Unit 42 is aware of a large-scale password spraying and credential theft campaign (“FortiBleed”) against Fortinet devices. We observed attempts targeting MSSQL devices as well, and have seen reports of Sophos devices also being targeted. While this activity is not targeting Palo Alto Networks devices, Unit 42 has observed suspicious login attempts in customer telemetry and we are providing this report out of an abundance of caution to ensure our customers have the latest intelligence and product recommendations to protect, detect and respond to attacks to their network. | Hacking blog | Palo Alto |
| 4.7.26 | CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure | Throughout 2025, we observed a cluster of activity targeting government entities and critical infrastructure in Southeast Asia. Specifically, the activity targeted state-owned enterprises in the energy and government sectors. | APT blog | Palo Alto |
| 4.7.26 | Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique | AI can turn high-level malicious ideas into concrete techniques, and can independently design and implement novel attack paths that have not yet appeared in real-world campaigns. | AI blog | CHECKPOINT |
| 4.7.26 | ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365 | Talos has identified "ARToken," a phishing-as-a-service platform that targets Microsoft 365. The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token persistence, email access, BEC operations, and SharePoint exfiltration. | Phishing blog | CISCO TALOS |
| 4.7.26 | Catan and Mouse | What do board games and cybersecurity have in common? Pattern recognition. Strategy. Adaptation. In this week’s Threat Source Bill explores why curiosity may be a defender’s most valuable skill. | Cyber blog | CISCO TALOS |
| 4.7.26 | Martin Lee: Running through the Arctic (and the threat landscape) | Ever wonder how someone goes from studying human viruses to leading cybersecurity teams? In this Humans of Talos, we’re joined by Martin Lee, EMEA Lead, to talk about his journey into the industry. | Cyber blog | CISCO TALOS |
| 4.7.26 | Cyber readiness for SMBs: Getting the basics right | AI is changing cybercrime, but SMB cyber readiness still largely depends on closing the familiar gaps | Cyber blog | Eset |
| 4.7.26 | This month in security with Tony Anscombe – June 2026 edition | Three-day patching deadlines, exposed fuel-tank systems, scams costing billions of dollars, and social media bans for children all gave Tony plenty to unpack in June 2026 | Cyber blog | Eset |
| 4.7.26 | Inside the inbox: Why cybercriminals want to break into your email account | Your inbox is an identity system all of its own: whoever owns it may own a lot more | Cyber blog | Eset |
| 30.6.26 | From Langflow to Monero: Inside CVE-2026-33017 Cryptominer | We tracked a cryptocurrency-mining campaign exploiting CVE-2026-33017, which revealed how threat actors are now scanning exposed AI application infrastructure for their next foothold. | Cryptocurrency blog | Trend Micro |
| 27.6.26 | Google Threat Intelligence Group (GTIG) has conducted an in-depth analysis of a .NET backdoor, tracked as STOCKSTAY, that has been continually developed and deployed by the Russia-linked threat actor Turla (aka SUMMIT, Secret Blizzard, VENOMOUS BEAR, UAC-0194) since at least December 2022. | Malware blog | GTI | |
| 27.6.26 | Mythos Finds Vulnerabilities. But Can Anyone Patch Fast Enough? | Security teams are scrambling to reprioritize their security plans based on the revelation of Anthropic’s Mythos model, and its ability to rapidly discover security vulnerabilities. T | Vulnerebility blog | Eclypsium |
| 27.6.26 | CISA BOD 26-04: What it Means and How Eclypsium Can Help | The new CISA BOD 26-04 shifts the focus from simply patching vulnerabilities to actively identifying and replacing internet-facing edge devices that are at or beyond vendor support. | Vulnerebility blog | Eclypsium |
| 27.6.26 | Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment | Authors: Dixit Panchal & Soumen Burma Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Initial Mail: Email Attachment: Lure: Official GoI, Income Tax Document: Technical Analysis: Infrastructural Artefacts & Threat actor Attributions. Campaign Timeline. Conclusion:... | Cyber blog | Seqrite |
| 27.6.26 | Operation Endgame Targets SocGholish: What It Means for Defenders | Last year, Silent Push published research into SocGholish and its operator, TA569, highlighting how the group evolved from a “fake browser update” threat into one of the most sophisticated malware delivery and initial access operations active today. | BigBrother blog | SILENTPUSH |
| 27.6.26 | Fake invoices are moving from inboxes to shopping apps | Scammers are using order-tracking apps to place fake receipts where users expect to see real purchases, then pushing them to call fake support numbers. | Cyber blog | GENDIGITAL |
| 27.6.26 | Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker | Stealthy new backdoor used in cybercrime intrusions since April 2026 may be associated with Woodgnat (aka KongTuke), an initial access broker whose ModeloRAT toolkit has fed Qilin and other ransomware operations. | Malware blog | SECURITY.COM |
| 27.6.26 | StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them | On June 24, 2026, Microsoft’s Digital Crimes Unit (DCU) facilitated the takedown, suspension, and blocking of domains that formed the backbone of the StealC and Amadey infrastructure. | Malware blog | Microsoft blog |
| 27.6.26 | One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud ‘Patriot Bait’ Campaign | A solo Russian-speaking threat actor ran a 5-year Telegram channel and, starting September 2025, used AI to automate its content, credential theft, and a cryptocurrency fraud scheme targeting American audiences. | AI blog | Trend Micro |
| 27.6.26 | From Langflow to Monero: Inside CVE-2026-33017 Cryptominer | We tracked a cryptocurrency-mining campaign exploiting CVE-2026-33017, which revealed how threat actors are now scanning exposed AI application infrastructure for their next foothold. | Cryptocurrency blog | Trend Micro |
| 27.6.26 | CVE-2025-7544: Attackers Weaponize Tenda AC1206 Router Vulnerability to Deploy Mirai-Related Malware | The SonicWall Capture Labs threat research team has identified active exploitation attempts targeting CVE-2025-7544, a critical stack-based buffer overflow vulnerability affecting Tenda AC1206 routers running firmware version 15.03.06.23. | Vulnerebility blog | SonicWall |
| 27.6.26 | CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure | Throughout 2025, we observed a cluster of activity targeting government entities and critical infrastructure in Southeast Asia. Specifically, the activity targeted state-owned enterprises in the energy and government sectors. | APT blog | Palo Alto |
| 27.6.26 | OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat | OpenClaw is an AI agent that executes third-party skills from ClawHub, its dedicated marketplace. Skills are markdown-driven packages with broad local system access, making ClawHub a critical link in the agentic software supply chain. s | AI blog | Palo Alto |
| 27.6.26 | Threat Brief: Mitigating Large-Scale Credential Attacks | Unit 42 is aware of a large-scale password spraying and credential theft campaign (“FortiBleed”) against Fortinet devices. We observed attempts targeting MSSQL devices as well, and have seen reports of Sophos devices also being targeted. | Attack blog | Palo Alto |
| 27.6.26 | Introduction to COM usage by Windows threats | Component Object Model (COM) is a fundamental Windows technology used by legitimate applications for object activation, inter-process communication, automation and language-independent component reuse. Those same qualities make it useful to threat actors. | Security blog | CISCO TALOS |
| 27.6.26 | Beyond IOCs: AI-enabled threat intelligence | In this week’s newsletter, Martin considers how AI will help threat intelligence by creating an easily queryable data source of intelligence reports. | AI blog | CISCO TALOS |
| 27.6.26 | SMB cyber readiness: the road to resilience starts here | Security blog | Eset | |
| 27.6.26 | Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances | Hacking blog | Eset | |
| 27.6.26 | ESET takes part in Operation Endgame to disrupt Amadey and Stealc | ESET researchers assisted in the global disruption of the Amadey botnet and Stealc infostealer, providing technical analysis, infrastructure tracking, and affiliate-level insights | Malware blog | Eset |
| 25.6.26 | Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager | In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider. After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access. | Exploit blog | GTI |
| 20.6.26 | AI in the underground: Curiosity, claims, and concerns | Amid discussions about how artificial intelligence can facilitate cybercrime, some threat actors remain skeptical | AI blog | SOPHOS |
| 20.6.26 | A needle in a stack of needles: Hunting infostealers with AI | The sheer number of events and alerts can be overwhelming, but multi-layered pipelines can filter out the noise | AI blog | SOPHOS |
| 20.6.26 | Google Threat Intelligence Group (GTIG) has identified a sophisticated campaign attributed to UNC6508, a People's Republic of China (PRC)-nexus threat actor, targeting institutions in the North American academic, medical, and military research community. While remaining undetected for over a year, the threat actor compromised externally facing web applications, deployed bespoke malware, pivoted to sensitive internal systems, and abused enterprise administrative tools for covert data exfiltration. | APT blog | GTI | |
| 20.6.26 | FortiBleed: You Can't Patch Your Way Out of This | A multi-phase campaign has cracked administrative credentials on roughly half of the world’s internet-facing FortiGate firewalls, and because the persistence lies below the operating system, patching will not mitigate all the threats. | Cyber blog | Eclypsium |
| 20.6.26 | No Patch Coming: The Arista EOS Tunnel Bug Your Scanner Will Miss | CVE-2026-7473 allows an attacker to sneak traffic into your network; there is no fix planned, and because the flaw lives in configuration rather than in a version number, your scanner will likely miss it. | Vulnerebility blog | Eclypsium |
| 20.6.26 | Securing the Foundation: What the New White House AI Executive Order Means for Federal Cybersecurity | The Executive Order Promoting Advanced Artificial Intelligence Innovation and Security signals a significant shift in how the federal government approaches cybersecurity. The order directs agencies to accelerate the use of AI-enabled security capabilities while strengthening the systems that support critical government operations. | AI blog | Eclypsium |
| 20.6.26 | Threat Actors Weaponizing RAR Archives to Target Thailand’s Healthcare Sector | Seqrite Threat Research Unit (TRU) actively tracks and analyses threat actors and their campaigns, focusing on attribution, infrastructure analysis, and adversary tradecraft. Throughout our research, we have attributed numerous operations to China-aligned and other threat clusters targeting both regional and international entities. | Hacking blog | Seqrite |
| 20.6.26 | Operation FanTrap: Inside the FIFA 2026 Fraud Ecosystem | Operation FanTrap reveals FIFA 2026 fraud ecosystem with 4,000+ fake domains, phishing, streaming scams, and dark web-driven cybercrime activity. | Cyber blog | Cyble |
| 20.6.26 | Inside Vidar’s ABE Bypass: From Memory Scanning to APC Injections | A Technical Walkthrough of How Vidar Defeats Application-Bound Encryption | Hacking blog | GENDIGITAL |
| 20.6.26 | Fake hiring pages abuse FIFA and other major brands to steal work credentials | Scammers are copying recruitment and calendar-booking flows to make fake Google and Facebook sign-ins look routine. | Cyber blog | GENDIGITAL |
| 20.6.26 | Your flight was cancelled. Is the refund message real? | Travel disruption gives scammers the one thing they need most: a believable reason to rush you | Spam blog | GENDIGITAL |
| 20.6.26 | Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden | Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic. The attackers also used a previously unknown vulnerability in a Huawei driver. | Malware blog | SECURITY.COM |
| 20.6.26 | Governing Claude Enterprise in Environments Where Inline Controls Can't Go | TrendAI™ integrates the Claude Compliance API into TrendAI Vision One™ through two collectors that bring AI-aware visibility and detection to Claude Enterprise usage: one keeps all data inside the environment, while the other feeds TrendAI Vision One™ for deeper correlation and compliance. | Cyber blog | Trend Micro |
| 20.6.26 | Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign | Cybercriminals hijacked Google Ads searches for popular AI developer tools to funnel over 2,000 victims toward malicious download pages before quietly moving their operation onto claude.ai's own platform, turning the trusted domain into a delivery mechanism for credential-stealing malware. | Hacking blog | Trend Micro |
| 20.6.26 | PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM | A pre-authentication remote code execution (RCE) chain in Oracle PeopleSoft PeopleTools abuses the Integration Broker's PSIGW gateway to execute code inside the application server's Java virtual machine (JVM), evading behavioral and network sensors. | Hacking blog | Trend Micro |
| 20.6.26 | File Browser Hook Command Runner OS Command Injection | File Browser Hook Command Runner OS Command Injection (CVE-2026-35585) | Vulnerebility blog | SonicWall |
| 20.6.26 | Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility | Cloud logging services provide comprehensive visibility into actions performed within cloud resources, making them essential for security monitoring. However, this reliance also makes logging services a high-value target for attackers. An attacker who exploits these services could create weak spots, evade detection, and in certain scenarios, establish continuous visibility within a target’s environment. | Hacking blog | Palo Alto |
| 20.6.26 | Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE | We discovered a vulnerability in the Google Cloud Vertex AI software development kit (SDK) for Python, and responsibly disclosed it to Google. Before Google’s fix, the vulnerability would have allowed an attacker operating entirely from their own Google Cloud project to hijack a victim's model upload and poison it. | AI blog | Palo Alto |
| 20.6.26 | From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker | The threat actor uses multiple channels to promote and distribute a Rust clipboard hijacker, starting with a dedicated phishing page as the central hub and extending to GitHub and SourceForge projects promoted by fake accounts. A dedicated YouTube channel, using AI‑generated narrators, suspicious view spikes, and highly positive (likely coordinated) comments, further reinforces the illusion of popularity and trustworthiness. | Hacking blog | CHECKPOINT |
| 20.6.26 | From SQLi to RCE – Exploiting LangGraph’s Checkpointer | AI agents need memory. Frameworks like LangGraph provide it through checkpointers – persistence layers that store execution state. But what happens when that persistence layer isn’t locked down? | Exploit blog | CHECKPOINT |
| 20.6.26 | Scripting the disassembler: Local agentic reverse engineering through vbdec’s live COM object model | Cisco Talos detailed a new approach to reverse engineering that pairs local AI agents with traditional analysis tools like the VB6 disassembler vbdec. Instead of awkwardly bolting AI onto the software, vbdec exposes its parsed data through a live COM interface. | Hacking blog | CISCO TALOS |
| 20.6.26 | Close Encounters of the Human Kind | In the latest Threat Source, Hazel channels her inner Spielberg to explore why humans are delightfully irrational, reminding us that while security best practices are simple in theory, they’re a lot harder to pull off when you’re busy dealing with real life. | Cyber blog | CISCO TALOS |
| 20.6.26 | Winning the cyber marathon with Tony Giandomenico | Tony Giandomenico, Senior Director of Product Management, joins Amy to discuss the Talos Threat Hunting launch what he's excited about for the future of cybersecurity, and, of course, his Ironman triathlons. | Cyber blog | CISCO TALOS |
| 20.6.26 | Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting | Learn how Cisco Talos Threat Hunting uses hypothesis-driven methods and multi-domain telemetry correlation to find stealthy threats operating below automated detection thresholds. | Cyber blog | CISCO TALOS |
| 20.6.26 | Killing me gently: Inside Gentlemen’s EDR killer framework | ESET Research shares the results of a months-long investigation into the suite of EDR killers maintained by the RaaS gang Gentlemen | Ransom blog | Eset |
| 20.6.26 | Protecting legacy OT systems against modern cyberthreats | Many manufacturing plants depend on OT systems that stay in service for many years. That long run can hide significant cybersecurity risks. | Security blog | Eset |
| 20.6.26 | FishMonger’s arsenal upgraded: SprySOCKS for Windows | Malware blog | Eset | |
| 20.6.26 | EvilTokens: A phishing attack that doesn’t steal your password | A phishing kit subverting Microsoft’s legitimate authentication flow lets attackers break into accounts without stealing passwords or creating fake login pages | Hacking blog | Eset |
| 18.6.26 | From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker | The threat actor uses multiple channels to promote and distribute a Rust clipboard hijacker, starting with a dedicated phishing page as the central hub and extending to GitHub and SourceForge projects promoted by fake accounts. A dedicated YouTube channel, using AI‑generated narrators, suspicious view spikes, and highly positive (likely coordinated) comments, further reinforces the illusion of popularity and trustworthiness. | Cryptocurrency blog | CHECKPOINT |
| 18.6.26 | Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden | Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic. The attackers also used a previously unknown vulnerability in a Huawei driver. | Malware blog | SECURITY.COM |
| 13.6.26 | Bug bounties in the Mythos era | How AI is rewriting vulnerability research, and how our program has adapted | AI blog | SOPHOS |
| 13.6.26 | ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit | Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. | Exploit blog | GTI |
| 13.6.26 | You Need to Verify the Hardware Supply Chain Behind Cyber-Physical Systems | Eclypsium was recently named in the Gartner® Hype Cycle™ for CPS Security, 2026 in the category of CPS Supply Chain Security. | Hacking blog | Eclypsium |
| 13.6.26 | Borrowed Trust – Systematic Exploitation of Abandoned Cloud DNS Delegations to serve Thai Gambling SEO Content | Cyble's latest analysis exposes 163 organizations compromised via abandoned DNS delegations in a Thai gambling SEO poisoning campaign. | Exploit blog | Cyble |
| 13.6.26 | FIFA World Cup 2026 Scams Are Already Active: Fake Domains, Phishing Sites, and How to Stay Safe | FIFA World Cup 2026 scams are rising as cybercriminals launch fake tickets, recruitment, and streaming websites targeting fans worldwide. | Cyber blog | Cyble |
| 13.6.26 | Who's Really Using Your Home Internet Connection? | Since January 2026, we have detected 7.4 million malicious incidents tied to residential proxy traffic, affecting 572,000 users in our telemetry. In this model, the household whose connection is being used is often not the buyer of the traffic. It is the exit point. | Cyber blog | GENDIGITAL |
| 13.6.26 | GoFlateLoader: A Widespread Golang Loader Delivering Multiple Infostealers | Gen Threat Labs has been tracking GoFlateLoader, a widespread Golang loader used to deliver multiple infostealers, including Amatera, Remus, Lumma, Vidar and StealC. | Malware blog | GENDIGITAL |
| 13.6.26 | Fake hiring pages abuse FIFA and other major brands to steal work credentials | In samples reviewed by Gen threat researchers, scammers used branded hiring pages that looked like ordinary recruitment flows: a company logo, a recruiter profile, a 30-minute meeting, and a button to continue with Google or Facebook. There was no attachment to open and no software to install. The credential theft attempt sat inside a step many job applicants already expect: signing in to schedule a call. | Cyber blog | GENDIGITAL |
| 13.6.26 | AI brands as bait: How threat actors are using the AI hype in social engineering | As threat actors operationalize AI to accelerate attacks, they are also leveraging the wider global interest around AI itself as a social engineering lure. | AI blog | Microsoft blog |
| 13.6.26 | GenAI Is Both Hunter and Hunted at Pwn2Own Berlin 2026 | This year’s Pwn2Own competition in Berlin revealed just how much of the AI stack remains exposed -- and the gap between what these tools promise and what they can withstand point to the fragile security foundations underneath. | Cyber blog | Trend Micro |
| 13.6.26 | Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open | Two separate Russia-aligned campaigns are still exploiting the WinRAR flaw CVE-2025-8088 against Ukrainian organizations nearly a year after it was patched, showing how unmanaged software keeps an exploited entry point open long after the fix ships. | Vulnerebility blog | Trend Micro |
| 13.6.26 | Microsoft Security Bulletin Coverage for June 2026 | Microsoft’s June 2026 Patch Tuesday has 210 vulnerabilities, of which 67 are Elevation of Privilege. SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of June 2026 and has produced coverage for 14 of the reported vulnerabilities. | Vulnerebility blog | SonicWall |
| 13.6.26 | Tracking Havoc Malware Activity and Evasion Techniques | This week, the SonicWall Capture Labs Threat Research Team reviewed a sample of Havoc malware. This is a C2 framework that has many stealth capabilities, including EDR bypass by using sleep obfuscation, return address stack spoofing, and indirect syscalls. While it can be used for legitimate purposes, Havoc has been and continues to be used for a variety of malicious campaigns. | Hacking blog | SonicWall |
| 13.6.26 | Trust No Skill: Integrity Verification for AI Agent Supply Chains | AI agents now extend their capabilities by installing third-party skills the way smartphones install apps. Anyone can publish a skill to a public registry. Anyone can install one into a production agent. And until now, no automated tool has verified what a skill does before it gains privileged access to credentials, files and shell commands inside that agent. | AI blog | Palo Alto |
| 13.6.26 | Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 | Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an unidentified threat actor attempting to access GlobalProtect. This security flaw involves an authentication bypass in the portal and gateway components of vulnerable versions of PAN-OS® software, which could allow unauthorized attackers to circumvent security controls and initiate VPN connections. This CVE was added to the Known Exploited Vulnerability (KEV) catalog on May 29. | Vulnerebility blog | Palo Alto |
| 13.6.26 | Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility | Cloud logging services provide comprehensive visibility into actions performed within cloud resources, making them essential for security monitoring. However, this reliance also makes logging services a high-value target for attackers. An attacker who exploits these services could create weak spots, evade detection, and in certain scenarios, establish continuous visibility within a target’s environment. | Hacking blog | Palo Alto |
| 13.6.26 | From SQLi to RCE – Exploiting LangGraph’s Checkpointer | AI agents need memory. Frameworks like LangGraph provide it through checkpointers – persistence layers that store execution state. But what happens when that persistence layer isn’t locked down? | Exploit blog | CHECKPOINT |
| 13.6.26 | A tale of two eras | In this week’s newsletter, Amy reminisces on the tech toys of their childhood, inspired by a hilarious lesson about why your digital privacy shouldn't be left on an open channel. | Cyber blog | CISCO TALOS |
| 13.6.26 | OceanLotus: From external espionage to domestic targeting | A shift in operational pattern of the infamous Vietnam-aligned APT group | APT blog | Eset |
| 13.6.26 | What makes or breaks SMB cyber-readiness | A company that's expecting a cyberattack but hasn’t actively prepared for it risks making the hardest decisions at the worst possible moment | Cyber blog | Eset |
| 13.6.26 | Cybercriminals: the 'auditors' you never hired | Every organisation gets audited. The question is who does the auditing. | Cyber blog | Eset |
| 6.6.26 | New Malware Targeting Minecraft Infects 2K Daily, and Teens are Becoming Attackers | If you or your child plays Minecraft, here's what you need to know about a large-scale malware campaign McAfee Labs just uncovered, and what to do about... | Malware blog | MCAFEE |
| 6.6.26 | Pointing a Cursor at evading detection | AI accelerated tool development and testing, but humans drove the workflow | AI blog | SOPHOS |
| 6.6.26 | You do surprise me.exe: An unexpected executable in Hola Browser | Following a certification test, Sophos X-Ops found an unexpected guest had hitched a ride | Security blog | SOPHOS |
| 6.6.26 | Explore GTIG's 2026 report on how adversaries leverage AI for zero-day exploits, autonomous malware, and industrial-scale cyber operations. | AI blog | GTI | |
| 6.6.26 | From January through May 2026, Mandiant identified a financially motivated data theft extortion campaign executed by the threat cluster UNC3753 (also tracked as "Luna Moth," “Chatty Spider,” and "Silent Ransom Group") targeting dozens of organizations across professional, legal, and financial services in the United States. | Hacking blog | GTI | |
| 6.6.26 | Microsoft Secure Boot Certificates Expiring in 2026: Enterprise Impact | Three certificates expire, two UEFI stores are affected, and one permanent gap opens if you miss the deadline. You can use Eclypsium’s solution to identify these gaps that will inevitably affect your Windows fleet. | Security blog | Eclypsium |
| 6.6.26 | C-Suite Impersonation in the Gulf: How Threat Actors Are Targeting UAE & Saudi Executives in 2026 | CEO fraud is rising across the Gulf. Discover how BEC, executive impersonation, and deepfake scams target business leaders. | Spam blog | Cyble |
| 6.6.26 | How AI-Powered Brand Impersonation Works — And Why Traditional Security Misses It Entirely | AI-powered brand impersonation combines deepfakes, fake domains, and social engineering, creating scalable fraud that evades traditional defenses. | AI blog | Cyble |
| 6.6.26 | OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight | Cyble analyzes OverlayPhantom, an Android banking trojan targeting 180+ apps across 10 countries, stealing credentials via fake overlays and real-time screen streaming. | Malware blog | Cyble |
| 6.6.26 | Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites | Silent Push Preemptive Cyber Defense Analysts recently observed several drive-by attack clusters developed by a threat actor to automate malware delivery at scale. We named the primary driver behind an extensive surge in ClickFix and FakeUpdates campaigns: DriveSurge. | Hacking blog | Silent Push |
| 6.6.26 | When Hotel Scams Know Your Booking: 350 Compromised Accommodations Across 50 Countries | After our first report, Booking.com began warning customers that reservation data had been accessed. Our continuing investigation shows how criminals are using that data at scale. | Spam blog | GENDIGITAL |
| 6.6.26 | Espionage Campaign Targeted Stock Exchange Executive for Five Months | Unknown attackers stole a senior executive's Outlook mailbox in incremental batches, exfiltrating through Dropbox and OneDrive Personal to keep the traffic indistinguishable from legitimate activity. | Hacking blog | SECURITY.COM |
| 6.6.26 | Pwn2Own Berlin 2026: On the Ground With TrendAI™ ZDI's Biggest AI Showdown Yet | 47 zero-days fell at Pwn2Own Berlin 2026 for US$1,298,250 in payouts. TrendAI™ was on the ground all three days — here's what we saw. | Cyber blog | Trend Micro |
| 6.6.26 | NGINX Rift Rewrite Module Remote Code Execution | The SonicWall Capture Labs threat research team became aware of a heap buffer overflow vulnerability in NGINX products, assessed its impact and developed mitigation measures. NGINX is the top web server and reverse proxy globally. | Vulnerebility blog | SonicWall |
| 6.6.26 | Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 | Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an unidentified threat actor attempting to access GlobalProtect. | Vulnerebility blog | Palo Alto |
| 6.6.26 | The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) | The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. | Cyber blog | Palo Alto |
| 6.6.26 | Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell | We are tracking an increasingly widespread malvertising campaign targeting macOS. This campaign appears to be the next stage of a previous campaign known as JSCoreRunner, which was first identified in August 2025. | Malware blog | Palo Alto |
| 6.6.26 | Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem | Check Point Research investigated a large-scale operation that impersonates open-source and freeware projects to capture search traffic, including lookalikes for researcher and security tooling such as Ghidra, dnSpy, and SpiderFoot. | Hacking blog | CHECKPOINT |
| 6.6.26 | Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting | Learn how Cisco Talos Threat Hunting uses hypothesis-driven methods and multi-domain telemetry correlation to find stealthy threats operating below automated detection thresholds. | Cyber blog | CISCO TALOS |
| 6.6.26 | Reporting from Vegas: Networking, AI, and good boys | Joe’s on-the-ground report from Cisco Live U.S. is here, complete with therapy dog pictures and tips on handling conference overstimulation. | Cyber blog | CISCO TALOS |
| 6.6.26 | Winning the cyber marathon with Tony Giandomenico | Tony Giandomenico, Senior Director of Product Management, joins Amy to discuss the Talos Threat Hunting launch what he's excited about for the future of cybersecurity, and, of course, his Ironman triathlons. | Cyber blog | CISCO TALOS |
| 6.6.26 | DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap | This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format. | Security blog | CISCO TALOS |
| 6.6.26 | Less panic patching, more precision | In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter. | Vulnerebility blog | CISCO TALOS |
| 6.6.26 | MediaArea heap-based buffer overflow vulnerabilities | EvidenceForge generates high-quality, realistic, and consistent datasets across multiple log formats, enabling teams to effectively train personnel and validate detection models without the need for complex manual simulations. | Vulnerebility blog | CISCO TALOS |
| 6.6.26 | Lessons for life: Why children’s data is a long-term identity risk | Your child’s first data breach may happen before they’ve even opened a bank account. Here’s how to keep their digital life safe. | Vulnerebility blog | Eset |
| 4.6.26 | Gemini’s Secret Affair: Exploiting Gemini Voice Assistant Through Instant Messaging Apps | SafeBreach Labs researchers discovered a new security vulnerability that allows attackers to exploit Google Gemini through notification-based indirect prompt injections from messaging apps like WhatsApp, Slack, and SMS. | Hack | SAFEBREACH |
| 4.6.26 | Espionage Campaign Targeted Stock Exchange Executive for Five Months | Unknown attackers stole a senior executive's Outlook mailbox in incremental batches, exfiltrating through Dropbox and OneDrive Personal to keep the traffic indistinguishable from legitimate activity. | APT | SECURITY.COM |
| 4.6.26 | Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem | Check Point Research investigated a large-scale operation that impersonates open-source and freeware projects to capture search traffic, including lookalikes for researcher and security tooling such as Ghidra, dnSpy, and SpiderFoot. | Hack | CHECKPOINT |