ALL POSTS

Key Findings Google Threat Intelligence Group (GTIG) has identified a previously undocumented threat actor, possibly affiliated with Russian intelligence services, that has been targeting Ukrainian organizations with the CANFAIL malware. The threat actor has primarily targeted defense, military, government, and energy organizations within the Ukrainian regional and national governments, but has also shown growing interest in aerospace, manufacturing with military/drone ties,

Key Findings: Several state-sponsored actors, hacktivist entities, and criminal groups from China, Iran, North Korea, and Russia have targeted the defense industrial base (DIB) sector. The adversarial targeting is centered around four key themes: striking defense entities in the Russia-Ukraine War, approaching employees and exploiting the hiring process, using edge devices/appliances for initial access, and supply chain risk from manufacturing breaches. Notable threat actors

Key Findings Cisco Talos has discovered a new threat actor, UAT-9921, using a modular attack framework called VoidLink to target organizations in the technology and financial services sectors. VoidLink is a Linux-focused, highly capable attack framework that can compile and deploy plugins on-demand, potentially enabling AI-driven tool creation in the future. UAT-9921 is believed to have been active since at least 2019, even before the use of VoidLink, and has been observed in

Key Findings Cybersecurity researchers have discovered a fresh set of malicious packages across npm and the Python Package Index (PyPI) repository linked to a fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group. The coordinated campaign has been codenamed "graphalgo" in reference to the first package published in the npm registry, and it's assessed to be active since May 2025. The campaign includes a well-orchestrated story around a company i

Key Findings North Korea-linked threat actor UNC2970 used Google's Gemini AI model to conduct reconnaissance on its targets, including searching for information on major cybersecurity and defense companies and mapping specific technical job roles and salary information. Other state-backed hacking groups, including UNC6418 (unattributed), Temp.HEX or Mustang Panda (China), APT31 or Judgement Panda (China), APT41 (China), UNC795 (China), and APT42 (Iran), have also integrated G

Key Findings Ivanti released security patches for its Endpoint Manager (EPM) product, addressing two critical vulnerabilities. The most severe flaw, CVE-2026-1603, is a high-severity authentication bypass (CVSS 8.6) that allows remote unauthenticated attackers to access stored credentials. The second vulnerability, CVE-2026-1602, is a medium-severity SQL injection flaw (CVSS 6.5) that could enable data theft by authenticated attackers. There is no evidence of these vulnerabil

Key Findings Apple has fixed an actively exploited zero-day vulnerability in its ecosystem, including iOS, macOS, and other devices. The vulnerability, tracked as CVE-2026-20700, is a memory corruption flaw in Apple's Dynamic Link Editor (dyld) that allows attackers to execute arbitrary code. The flaw was discovered and reported by Google's Threat Analysis Group, suggesting it may have been used in sophisticated, targeted attacks by nation-state actors or commercial spyware v

Key Findings Apple released emergency updates for iOS, iPadOS, macOS, tvOS, watchOS, and visionOS to address an actively exploited zero-day vulnerability (CVE-2026-20700) The vulnerability is a memory corruption issue in Apple's Dynamic Link Editor (dyld) that could allow attackers to execute arbitrary code The flaw was discovered and reported by Google's Threat Analysis Group, suggesting it may have been used in sophisticated nation-state or commercial spyware attacks Apple

Key Findings: A critical vulnerability in MongoDB allows unauthenticated attackers to crash database servers The flaw, tracked as CVE-2022-29464, has a CVSS score of 8.7 and can lead to Denial of Service (DoS) conditions The vulnerability is caused by a memory exhaustion issue that can be triggered without any authentication Background MongoDB is a popular open-source NoSQL database management system that is widely adopted by organizations for its flexibility and scalability.

Key Findings North Korea-linked threat actor UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive victims UNC1069 has a history of conducting social engineering campaigns for financial gain using fake meeting invites and posing as investors from reput

Key Findings A new Linux botnet called SSHStalker has been discovered, leveraging IRC for command-and-control (C2) purposes The botnet combines old-school 2009-era Linux kernel exploits with automated mass-compromise techniques to infect around 7,000 systems, primarily cloud servers Unlike typical botnets focused on DDoS attacks or cryptocurrency mining, SSHStalker maintains persistent access without immediate follow-on activities, suggesting potential infrastructure staging

Key Findings GitGuardian, a leading secrets and Non-Human Identity (NHI) security platform, has raised $50 million in a Series C funding round. The funding round was led by global software investor Insight Partners, alongside Quadrille Capital and existing investors. The investment will fuel GitGuardian's expansion in secrets and AI agent security as organizations grapple with exponential growth in non-human identities. Background GitGuardian is the #1 app on the GitHub Marke

Key Findings Microsoft released security updates to address 59 vulnerabilities, including 6 that are actively being exploited in the wild. Of the 59 flaws, 5 are rated Critical, 52 are rated Important, and 2 are rated Moderate in severity. 25 of the patched vulnerabilities are privilege escalation, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1). The 6 actively e

Key Findings North Korean IT operatives are applying to remote positions using real LinkedIn accounts of individuals they are impersonating The goal is to secure jobs at Western companies and conduct espionage, data theft, and ransomware attacks The threat is tracked by the cybersecurity community as Jasper Sleet, PurpleDelta, and Wagemole The impersonated LinkedIn profiles often have verified workplace emails and identity badges to appear legitimate Once employed, the DPRK w

Key Findings Microsoft released security updates to address 58 new vulnerabilities across Windows, Office, Azure, Edge, Exchange, Hyper-V, and other components. The update includes fixes for 6 zero-day vulnerabilities that are being actively exploited in the wild. 5 of the vulnerabilities were rated as "Critical" by Microsoft. Several vulnerabilities affect high-profile targets like GitHub Copilot, IDEs, and Azure cloud services. Background This month's Patch Tuesday from Mic

Key Findings Dutch Data Protection Authority (AP) and Council for the Judiciary (Rvdr) confirmed cyber attacks exploiting Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities Attacks exposed employee contact information, including names, work emails, and phone numbers European Commission also detected a cyberattack on its mobile device management platform, exposing some staff names and phone numbers Ivanti acknowledged vulnerabilities (CVE-2026-1281 and CVE-2026-1340) have b

Key Findings China-nexus cyber espionage group UNC3886 targeted Singapore's telecommunications sector in a deliberate, targeted, and well-planned campaign All four of Singapore's major telecom operators - M1, SIMBA Telecom, Singtel, and StarHub - were targeted by UNC3886 UNC3886 used sophisticated tools, including a zero-day exploit to bypass a perimeter firewall, and deployed rootkits to establish persistent access and conceal their activities Background UNC3886 is an advanc

Key Findings The European Commission detected a cyber attack on its central mobile device management infrastructure on January 30, 2026. The attack may have exposed the personal details, including names and phone numbers, of some Commission staff members. However, the Commission's swift response contained the breach within 9 hours and ensured that no mobile devices were compromised. The attack is linked to critical vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti's

Key Findings Criminal IP (criminalip.io) integrates with IBM QRadar SIEM and QRadar SOAR to deliver real-time threat intelligence. The integration brings external, IP-based threat intelligence into QRadar's detection, investigation, and response workflows. This enables security teams to identify malicious activity faster and prioritize response actions more effectively. Background IBM QRadar is a widely adopted SIEM and SOAR platform used by enterprises and public-sector orga

Key Findings Critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products Tracked as CVE-2026-1731 with a CVSS score of 9.9 Allows unauthenticated remote attackers to execute OS commands and compromise systems Affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior Patches available in RS v25.3.2+ and PRA v25.1.1+ Customers with older versions (RS <21.3, PRA <22.1) must upgrade b