
ALL POSTS

PowMix Botnet Targets Czech Workforce with Randomized Command-and-Control Traffic

Key Findings
  • PowMix botnet has been actively targeting Czech workforce since at least December 2025 with previously undocumented malware
  • Campaign uses randomized C2 beaconing intervals and encrypted heartbeat data embedded in REST API-mimicking URLs to evade detection
  • Multi-stage attack chain initiated via phishing emails containing malicious ZIP files with Windows Shortcut (LNK) files
  • PowerShell loader employs AMSI bypass techniques to execute botnet payload directly in memo

Cisco Patches Critical Vulnerabilities in Identity Services Engine and Webex Platforms

Key Findings
  • Cisco patched four critical vulnerabilities in Identity Services Engine and Webex with CVSS scores ranging from 9.8 to 9.9
  • CVE-2026-20184 allows unauthenticated attackers to impersonate any Webex user through improper certificate validation
  • CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186 enable authenticated attackers with admin credentials to execute arbitrary code and OS commands
  • No evidence of active exploitation in the wild, but immediate patching is stron

Counterfeit Ledger Live App Drains $9.5M in Cryptocurrency from Apple App Store Users

Key Findings
  • A counterfeit Ledger Live app on Apple's App Store stole approximately $9.5 million from over 50 users between April 7-13, 2024
  • The fake app was listed under "SAS Software Company" and "Leva Heal Limited," featuring convincing branding and fake positive reviews
  • Victims lost funds across Bitcoin, Ethereum, Solana, Tron, and XRP networks, indicating a multi-chain attack
  • Stolen assets were routed through 150+ KuCoin deposit addresses and then sent through a centrali

UAC-0247's Expanding Cyber Campaign: Ukrainian Clinics and Government in Data-Theft Malware Crosshairs

Key Findings
  • UAC-0247 conducted a targeted campaign against Ukrainian government agencies and municipal healthcare facilities between March and April 2026
  • Attack chain begins with phishing emails posing as humanitarian aid proposals, using either AI-generated fake sites or legitimate sites compromised via XSS vulnerabilities
  • Malware payload steals sensitive data from Chromium-based browsers and WhatsApp through multiple custom and open-source tools
  • Evidence suggests Ukrainian

n8n Webhooks Exploited Since October 2025 in Malware Distribution Campaign

Key Findings
  • Threat actors have weaponized n8n webhooks since October 2025 to deliver malware and fingerprint devices through phishing campaigns
  • Malicious emails containing n8n webhook URLs appear legitimate because they originate from trusted n8n domains
  • Email volume containing these URLs increased 686% from January 2025 to March 2026
  • Two primary attack methods observed: malware delivery via fake document links and device fingerprinting using invisible tracking pixels
  • Attack

Mirax Malware Campaign Compromises 220,000 Accounts With Complete Remote Access Capabilities

Key Findings
  • Mirax, a new Android RAT, infected over 220,000 users primarily in Spanish-speaking regions through Meta platform advertisements
  • The malware grants attackers full remote control of devices and converts them into SOCKS5 residential proxies for routing malicious traffic
  • Distribution uses a multi-stage attack combining phishing sites, fake streaming apps, and GitHub-hosted droppers with strong obfuscation
  • Mirax operates as an exclusive malware-as-a-service limited t

OpenAI Expands Cyber Defense Program: GPT-5.4-Cyber Now Available to Security Teams

Key Findings
  • OpenAI unveiled GPT-5.4-Cyber, a cybersecurity-focused variant of its flagship GPT-5.4 model optimized for defensive security operations
  • The company is expanding its Trusted Access for Cyber (TAC) program to thousands of individual defenders and hundreds of security teams
  • GPT-5.4-Cyber has already contributed to over 3,000 critical and high-severity vulnerability fixes through the Codex Security application
  • Access will be controlled through Know-Your-Customer ver

PHP Composer Vulnerabilities Allow Remote Code Execution Through Perforce Integration

Key Findings
  • Two high-severity command injection vulnerabilities discovered in PHP Composer's Perforce VCS driver
  • CVE-2026-40176 (CVSS 7.8) and CVE-2026-40261 (CVSS 8.8) allow arbitrary command execution through malicious repository configs and crafted inputs
  • Patches released: Composer 2.9.6 (mainline) and 2.2.27 (LTS)
  • No active exploitation detected on Packagist.org or Private Packagist as of April 10, 2026
  • Perforce metadata publishing temporarily disabled as precaution
  • Back

ShinyHunters Claims Responsibility for Rockstar Games Breach, Begins Data Leaks

Key Findings
  • ShinyHunters claims to have breached Rockstar Games through third-party cloud provider Anodot, accessing 8.1GB of data
  • Leaked files include anti-cheat source code, player analytics, game assets, support tickets, and financial information
  • Group set April 14, 2026 deadline for ransom payment, threatening data release and "digital disruption"
  • Rockstar minimized impact, stating only non-material corporate information was accessed with no effect on operations or playe

Microsoft Patch Tuesday April 2026 - Critical Vulnerabilities and Snort Detection Rules

Key Findings
  • Microsoft released 165-167 critical and important security updates in April 2026, marking one of the largest Patch Tuesday releases on record
  • Eight vulnerabilities marked critical, including remote code execution flaws in Windows TCP/IP, IKE, Active Directory, and multiple Office applications
  • CVE-2026-32201 SharePoint spoofing vulnerability already exploited in the wild, enabling phishing and social engineering attacks
  • CVE-2026-33825 BlueHammer Windows Defender p

Booking.com Data Breach: Hackers Accessed Customer Information, Systems Now Secured

Key Findings
  • Booking.com confirmed a targeted data breach affecting reservation records
  • Exposed data includes names, email addresses, phone numbers, postal addresses, and booking details
  • Payment information was not accessed
  • Company has not disclosed the number of affected users or attack methodology
  • Reservation PIN codes have been reset as a precaution
  • Over 100 million users accessed the mobile app in 2024, amplifying breach severity
  • Attackers can now leverage booking data to

Attackers Exploiting Unpatched ShowDoc Servers Via CVE-2025-0520

Key Findings
  • Critical remote code execution vulnerability CVE-2025-0520 in ShowDoc is under active exploitation in the wild with a CVSS score of 9.4
  • Unrestricted file upload flaw allows unauthenticated attackers to deploy web shells and execute arbitrary code on vulnerable servers
  • Vulnerability affects all ShowDoc versions prior to 2.8.7, which was released in October 2020
  • Over 2,000 exposed ShowDoc instances remain online, with the majority located in China
  • Threat actors hav

iPhone Forensics Reveal Recoverable Signal Messages Despite App Deletion

Key Findings
  • FBI forensically recovered incoming Signal messages from an iPhone after the app was deleted, contradicting common privacy assumptions
  • Messages were extracted from Apple's push notification database, not by breaking Signal's encryption
  • Only incoming messages were recovered, not outgoing ones, due to how iOS processes notifications
  • iOS maintains persistent notification databases that survive app removal and can be accessed through forensic tools
  • Users commonly mis

JanelaRAT: Financial Malware Targeting Latin American Banks with Thousands of Attacks in 2025

Key Findings
  • JanelaRAT is a modified BX RAT variant targeting financial institutions across Latin America, with 14,739 recorded attacks in Brazil and 11,695 in Mexico during 2025
  • The malware uses a custom title bar detection mechanism to identify banking websites and execute fraudulent actions in real-time
  • Initial infection relies on phishing emails mimicking invoice notifications, leading to multi-stage infection chains using MSI installers and DLL side-loading
  • Recent campai

OpenAI Revokes macOS Certificate Following Axios Supply Chain Compromise

Key Findings
  • OpenAI's GitHub Actions workflow downloaded malicious Axios version 1.14.1 on March 31, compromising access to macOS app signing certificates
  • North Korean hacking group UNC1069 hijacked the Axios package maintainer account and injected WAVESHAPER.V2 backdoor into versions 1.14.1 and 0.30.4
  • OpenAI found no evidence of user data theft, system compromise, or software alteration despite certificate access
  • All macOS versions of ChatGPT Desktop, Codex, Codex CLI, and A

Hackers claim control of Venice's San Marco anti-flood pumps

Key Findings
  • Threat actors claiming to be "Infrastructure Destruction Squad" or "Dark Engine" breached Venice's San Marco flood defense system in late March 2026
  • Attackers claim to have maintained administrative access and stated they could disable flood defenses and inundate coastal areas
  • Group offered full root access to the system for $600 USD, demonstrating both severity of breach and low barrier to further exploitation
  • Italian authorities confirmed critical systems prote

Hacker Leveraged Claude and GPT-4.1 AI to Steal Hundreds of Millions of Mexican Records

Key Findings
  • A single hacker compromised nine Mexican government agencies between December 2025 and February 2026 using Claude Code and GPT-4.1
  • The attacker generated 5,317 AI-executed commands across 34 sessions, with Claude Code running approximately 75% of remote commands to government systems
  • Over 305 million citizen records were exfiltrated, including 195 million taxpayer records, 220 million civil records, and sensitive health and domestic violence victim data
  • The hacke

Adobe Releases Critical Security Patch for Actively Exploited Acrobat Reader Vulnerability CVE-2026-34621

Key Findings
  • Adobe released emergency patches for CVE-2026-34621, a critical vulnerability in Acrobat Reader actively exploited in the wild
  • The flaw has a CVSS score of 8.6 and allows arbitrary code execution through prototype pollution in JavaScript
  • Evidence suggests exploitation has been occurring since at least December 2025
  • Security researcher Haifei Li discovered the vulnerability being used to deliver malicious JavaScript via crafted PDFs
  • Affected versions include Acrob

Chrome's Latest Update: A Major Blow to Infostealer Cookie Theft Operations

Key Findings
  • Google has rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to prevent hackers from using stolen session cookies to access user accounts
  • The system binds login sessions to a device's hardware security chip, making exfiltrated cookies unusable on other machines
  • Early testing shows a measurable drop in successful infostealer attacks through Origin Trials with partners like Okta
  • Over 30 million computers were infected with infostealer mal

CPUID Website Breach Deploys STX RAT Through Compromised CPU-Z and HWMonitor Downloads

Key Findings
  • CPUID's website was compromised for approximately 24 hours (April 9-10, 2026) to distribute trojanized CPU-Z and HWMonitor installers containing STX RAT malware
  • Threat actors manipulated a secondary API to redirect download links to malicious websites hosting infected executables
  • The malware used DLL sideloading with a file named CRYPTBASE.dll to execute payloads while evading detection
  • Over 150 victims identified across individuals and organizations in retail, m


© 2025 by Explain IT Again.
