Dohdoor Backdoor Hits U.S. Education and Healthcare
Key Findings: Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor. Initial access likely occurs through phishing, triggering a PowerShell script that downloads a batch file and then a malicious DLL named Dohdoor via sideloading. The malware uses DNS-over-HTTPS and Cloudflare infrastructure to hide its command-and-control tra
Feb 26 · 3 min read
Cisco SD-WAN Zero-Day Exploited Since 2023 for Admin Access
Key Findings: A critical Cisco SD-WAN vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), has been actively exploited since 2023 to gain remote, unauthenticated administrative access. The vulnerability allows an attacker to bypass authentication and gain full administrative access to affected Cisco Catalyst SD-WAN Controller and Manager systems. Exploited environments include on-premises, Cisco Hosted SD-WAN Cloud, and FedRAMP Cisco Hosted SD-WAN Cloud deployments.
Feb 26 · 2 min read
Malicious StripeApi NuGet Package Mimics Official Library, Steals API Tokens
Key Findings: A malicious NuGet package, codenamed "StripeApi.Net", was discovered impersonating the legitimate "Stripe.net" library from the financial services firm Stripe. The package was uploaded to the NuGet Gallery on February 16, 2026 by a user named "StripePayments". The package's NuGet page was designed to closely resemble the official Stripe.net package, using the same icon and a nearly identical readme. The package had an artificially inflated download count of over
Feb 26 · 2 min read
Claude Code Flaws Lead to Remote Code Execution and API Key Exfiltration
Key Findings: Multiple security vulnerabilities were discovered in Anthropic's Claude Code, an AI-powered coding assistant. The vulnerabilities could result in remote code execution and theft of Anthropic API credentials. They exploit configuration mechanisms, including Hooks, Model Context Protocol (MCP) servers, and environment variables. Background: Claude Code is an artificial intelligence (AI)-powered coding assistant developed by Anthropic. It is designed to help developer
Feb 25 · 1 min read
Google Disrupts Massive Cyberespionage Campaign Across Multiple Countries
Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries. Key Findings: Google, in collaboration with industry partners, disrupted the infrastructure of the suspected China-nexus cyber espionage group UNC2814. UNC2814 breached at least 53 organizations across 42 countries in the Americas, Asia, and Africa. The threat actor may have targeted at least 20 additional countries. UNC2814 used a novel backdoor called GRIDTIDE that abuses the Google Sheets API for comma
Feb 25 · 2 min read
SolarWinds Serv-U Critical Vulnerabilities Patched, Enabling Root Access
Key Findings: SolarWinds has patched four critical vulnerabilities in its Serv-U file transfer server software. The flaws could allow remote code execution and give attackers full root access on unpatched systems. The vulnerabilities include: CVE-2025-40538, a broken access control flaw allowing creation of an admin user and arbitrary code execution as root; CVE-2025-40539 and CVE-2025-40540, type confusion vulnerabilities enabling arbitrary native code execution as root; CVE-2025-4054
Feb 25 · 2 min read
Ex-Defense Contractor Executive Sentenced for Selling Zero-Day Exploits to Russian Broker
Key Findings: Peter Williams, a 39-year-old former executive at U.S. defense contractor L3Harris, was sentenced to 87 months (over 7 years) in prison for selling eight zero-day exploits to a Russian broker. Williams pleaded guilty in October 2025 to two counts of trade secret theft. Williams sold the stolen exploits, intended for restricted use by the U.S. government a
Feb 25 · 1 min read
Hacker Leverages AI to Breach Hundreds of FortiGate Devices Globally
Amazon Alerts: Low-Skill Hacker Used AI Tools to Breach FortiGate Devices Globally Key Findings: A Russian-speaking individual with limited technical skills managed to infiltrate over 600 FortiGate security devices across 55 countries in just over a month. The attacker used commercial AI services as a force multiplier, turning basic hacking into a high-speed assembly line. The attacker systematically scanned the internet for exposed management ports and used AI to test common
Feb 25 · 2 min read
Lazarus Group's Medusa Ransomware Strikes Globally
Key Findings: The North Korea-linked Lazarus Group has been observed using the Medusa ransomware in attacks targeting an entity in the Middle East and in an unsuccessful attempt against a healthcare organization in the U.S. Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023, with over 366 claimed attacks to date. The Lazarus Group's Medusa ransomware campaign involves the use of various tools, including RP_Proxy, Mimikat
Feb 24 · 2 min read
Anthropic Claims Chinese AI Firms 'Distilled' Claude for Training Their Models
Key Findings: Anthropic, the developer of the Claude AI chatbot, has accused several Chinese AI firms, including DeepSeek, MiniMax, and Moonshot AI, of attempting to "distill" Claude's capabilities to train their own models. Distillation refers to the practice of training a new AI model by learning from the outputs of an existing model, rather than using the original training data. Anthropic claims these Chinese firms engaged in coordinated, large-scale efforts to access Claud
Feb 24 · 2 min read
Operation MacroMaze: APT28's Webhook Exploits
Key Findings: Russia-linked APT28 targeted European entities with a webhook-based macro malware campaign called Operation MacroMaze from September 2025 to January 2026. The campaign used spear-phishing emails delivering weaponized documents with an "INCLUDEPICTURE" field pointing to a webhook[.]site URL hosting a JPG. When opened, the file silently retrieves the image, acting as a tracking pixel to alert attackers that the document was viewed. Variants dropped modified macros that
Feb 24 · 2 min read
APT28 Targeted European Entities Using Webhook-Based Macro Malware
Background: The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe. The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze. Key Findings: The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration. The attack chain
Feb 24 · 1 min read
Hackers Exploit Excel to Hide XWorm 7.2 in JPEG, Hijacking PCs
Background: The XWorm malware has been around since 2022, but the latest version, 7.2, surfaced on Telegram marketplaces in late 2025 and early 2026. Attackers are using social engineering tactics to lure victims into opening malicious Excel attachments in emails disguised as business communications. Technical Details: The Excel file exploits an old vulnerability (CVE-2018-0802) to run a hidden script (HTA file) that downloads what appears to be a normal JPEG image. However, the
Feb 23 · 2 min read
Wormable XMRig Campaign Leverages BYOVD and Timed Kill Switch for Stealth
Key Findings: A wormable cryptojacking campaign spreads through pirated software installers. It uses the BYOVD (Bring Your Own Vulnerable Driver) technique to gain kernel-level access and boost mining performance. It includes a time-based "kill switch" set to December 23, 2025, triggering a controlled cleanup routine. It exhibits worm-like capabilities, spreading across external storage devices for lateral movement. Its modular design separates monitoring features from mining, persistence, and privi
Feb 23 · 2 min read
The Scourge of Malicious npm Packages: Exposing Threats to Crypto, CI, and API Security
Key Findings: Cybersecurity researchers have disclosed an active "Shai-Hulud-like" supply chain worm campaign that has leveraged a cluster of at least 19 malicious npm packages. The malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments. The packages also include a weaponized GitHub Action that harvests CI/CD secrets and exfiltrates them, as well as a "McpInje
Feb 23 · 2 min read
Hackers Conceal Pulsar RAT Within PNG Images in New NPM Supply Chain Offensive
Background: Cybersecurity researchers at Veracode have discovered a new type of supply chain attack targeting the NPM ecosystem. The attack involves hiding a dangerous Pulsar Remote Access Trojan (RAT) inside seemingly innocuous PNG image files. Key Findings: Hackers used a typosquatting technique to create a malicious NPM package named "buildrunner-dev" that closely resembles a legitimate tool called "buildrunner". Once installed, the package downloads a heavily obfuscated
Feb 23 · 2 min read
Researchers Expose 27 Critical Vulnerabilities in Top Password Managers
Key Findings: Researchers executed 27 successful attacks against the industry-leading password managers Bitwarden, LastPass, and Dashlane. The attacks show how compromised servers and design flaws can expose encrypted vault data. 1Password emerged as the most secure option due to its use of a Secret Key. Background: We often treat cloud-based password managers as digital safes that only we can open. These services rely on Zero-Knowledge Encryption, a marketing promise that the company sto
Feb 22 · 1 min read
New ClickFix Attack Targets Crypto Wallets and 25+ Browsers with Remote Access Trojan
Key Findings: A new scam is targeting users by mimicking CAPTCHA verification systems. The attack is an evolved version of the ClickFix attacks from early 2025 targeting restaurant bookings. The multi-stage infection starts with a fake CAPTCHA, then triggers a PowerShell script to download malware. The malware, known as an infostealer, targets cryptocurrency wallets, browser login data, and other sensitive information. Background: This research, shared with Hackread.com, indicates
Feb 22 · 2 min read
CISA Adds Two Actively Exploited Roundcube Vulnerabilities to KEV Catalog
Key Findings: CISA has added two actively exploited vulnerabilities in Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities are CVE-2025-49113 (CVSS 9.9) and CVE-2025-68461 (CVSS 7.2). CVE-2025-49113 is a deserialization of untrusted data flaw that allows remote code execution by authenticated users. CVE-2025-68461 is a cross-site scripting vulnerability in the "animate" tag of an SVG document. Attackers have already weaponized
Feb 22 · 2 min read
Compromised 600+ FortiGate Devices Globally by AI-Assisted Threat Actor
Key Findings: A Russian-speaking, financially motivated threat actor has compromised over 600 FortiGate devices located in 55 countries between January 11 and February 18, 2026. The threat actor leveraged multiple commercial generative AI tools to automate various stages of the attack cycle, including tool development, attack planning, and command generation. No exploitation of FortiGate vulnerabilities was observed; the campaign succeeded by exploiting exposed management por
Feb 21 · 2 min read