ALL POSTS
Konni Hackers Weaponize Google's Find Hub to Remotely Wipe and Track Devices
Key Findings: The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control. Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs. The attackers exploited Google's asset-tracking service Find Hub (formerly Find My De
Nov 11, 2025 · 3 min read
Critical Server Flaw (CVE-2025-12485, CVSS 9.4) Allows User Impersonation through Pre-MFA Cookie Hijacking
Key Findings: CVE-2025-12485 is a critical vulnerability (CVSS 9.4) in Devolutions Server that allows a low-privileged authenticated user to impersonate another account by replaying a pre-MFA cookie. CVE-2025-12808 is a high-severity vulnerability (CVSS 7.1) that allows a View-only user to retrieve sensitive third-level nested fields, potentially exposing stored passwords or configuration secrets. Both vulnerabilities affect multiple versions of Devolutions Server 2025 and re
Nov 10, 2025 · 2 min read
GlassWorm Malware Evolves: Infects More VS Code Extensions and GitHub Repositories
Key Findings Cybersecurity researchers have discovered a new set of three Visual Studio Code (VS Code) extensions associated with the GlassWorm malware campaign. The extensions, with thousands of downloads, are still available for download and are being used to harvest credentials, drain cryptocurrency wallets, and drop remote access tools. The malware uses invisible Unicode characters to hide malicious code, allowing it to evade detection and create a self-replicating worm-l
Nov 10, 2025 · 2 min read
Incident Response Team (ShieldForce) Partners with AccuKnox for Zero Trust CNAPP in Latin America
Key Findings: Incident Response Team SA DE CV (ShieldForce), a leading cybersecurity provider in Mexico and Latin America, has partnered with AccuKnox, a Zero Trust CNAPP platform, and DeepRoot Technologies, a global cybersecurity service provider. The partnership aims to accelerate the adoption of Zero Trust strategies and AI Security innovation across the region. ShieldForce's CEO, Francisco Villegas, recently presented on the importance of Zero Trust CNAPP in modern enterp
Nov 10, 2025 · 2 min read
NuGet Sabotage: Time-Delayed Logic in 9 Packages Risks Complete App Destruction on Hardcoded Dates
Key Findings Nine NuGet packages published under the alias "shanhai666" are designed to execute destructive, time-delayed payloads against database applications and industrial control systems. The packages provide nearly all of their advertised functionality, blending genuine code with hidden sabotage to build trust and pass code reviews. The malware exploits C# extension methods to transparently inject malicious logic into database and PLC operations, including methods to te
Nov 10, 2025 · 2 min read
Malicious DNG Images Exploited Samsung Zero-Day to Deliver LANDFALL Spyware
Key Findings Researchers discovered a previously unknown Android spyware family dubbed LANDFALL, which leveraged a zero-day vulnerability (CVE-2025-21042) in Samsung's image processing library to compromise Galaxy devices. The campaign, active since mid-2024, appears to have targeted users in the Middle East, with the spyware embedded inside malicious DNG image files sent through WhatsApp. The exploit relies on malformed DNG (Digital Negative) image files, exploiting a flaw i
Nov 9, 2025 · 2 min read
Tech Tax Breaks: A Missed Opportunity for Healthcare Funding
Key Findings: Microsoft is set to receive $12.5 billion in tax breaks in 2026, enough to provide food assistance to 5.2 million people, Medicaid coverage for 1.6 million adults (or 3.8 million children), or reduce ACA premiums for 1.9 million Americans. Amazon is poised to receive $16 billion in tax reductions this year, which could fund SNAP benefits for 6.6 million people, Medicaid coverage for 2 million adults (or 5.4 million children), or reduce ACA premiums for 2.4 million Amer
Nov 9, 2025 · 2 min read
Denmark Bans Social Media for Minors in Digital Age Regulation
Key Findings: The Danish government has reached a political agreement to introduce legislation banning social media use for anyone under the age of 15. This measure would rank among the strictest digital regulations aimed at protecting young users from the potential harms of social media. The government cites concerns over disrupted sleep, loss of peace and concentration, and increasing social pressure on children and adolescents. Denmark's initiative follows Australia's nati
Nov 9, 2025 · 2 min read
The Whisper Leak: Exposing the Theft of AI Chat Topics from Encrypted Traffic
Key Findings Microsoft has uncovered a novel side-channel attack, dubbed "Whisper Leak", that can identify AI chat topics in encrypted traffic. The attack allows an attacker to observe encrypted TLS traffic and use trained classifiers to infer whether the conversation topic matches a sensitive target category. This leakage of data exchanged between humans and streaming-mode language models could pose serious risks to the privacy of user and enterprise communications. Background
Nov 8, 2025 · 2 min read
China-Linked Hackers Target U.S. Entities in Long-Term Espionage Campaigns
Key Findings China-linked hackers targeted a U.S. non-profit organization in a long-term espionage campaign. The group gained access to the network for several weeks in April 2025 and used various techniques to establish persistence and maintain long-term access. The attackers leveraged DLL sideloading via the vetysafe.exe application, a tactic commonly associated with China-linked APT groups such as Space Pirates, Kelp, and Earth Longzhi (a subgroup of APT41). The group also
Nov 8, 2025 · 2 min read
Time-Delayed Logic Bombs in Malware-Infiltrated NuGet Packages Poised to Detonate Years After Installation
Key Findings A set of nine malicious NuGet packages capable of dropping time-delayed payloads has been identified. The packages were published in 2023 and 2024 by a user named "shanhai666" and are designed to run malicious code after specific trigger dates in August 2027 and November 2028. The packages were collectively downloaded 9,488 times. The most dangerous package, "Sharp7Extend," targets industrial PLCs with dual sabotage mechanisms: immediate random process terminatio
Nov 8, 2025 · 2 min read
"Landfall Spyware Targets Samsung Phones in the Middle East"
Key Findings: A new commercial-grade spyware called "Landfall" has been targeting Samsung Galaxy phones in the Middle East since at least mid-2024. Landfall exploited a previously unknown, unpatched vulnerability (zero-day) in Samsung's Android image processing library, tracked as CVE-2025-21042. The spyware was delivered through malicious DNG image files sent via WhatsApp, with no user interaction required (zero-click). Landfall has extensive surveillance capabilities, inclu
Nov 7, 2025 · 2 min read
"Vibe-Coded Malicious VS Code Extension Discovered with Embedded Cryptocurrency Mining Functionality"
Background Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities. The extension, named "susvsex," was uploaded on November 5, 2025, by a user named "suspublisher18." The extension was designed to automatically activate itself on any event, including installing or when launching VS Code, and invoke a function named "zipUploadAndEncrypt." Extension Functionality The "zipUploadAndEncrypt" function creates a Z
Nov 7, 2025 · 2 min read
"Tech Giant Warns of Evolving AI Threats: The Perils of Self-Modifying Malware"
Background Google's Threat Intelligence Group (GTIG) has identified a new generation of malware that is using AI during execution to mutate, adapt, and collect data in real-time, helping it evade detection more effectively. Cybercriminals are increasingly using AI to build malware, plan attacks, and craft phishing lures. Recent research shows AI-driven ransomware like PromptLock can adapt during execution. Malware with Novel AI Capabilities GTIG has identified malware familie
Nov 7, 2025 · 2 min read
"Do robots dream of secure computing? Exploring cybersecurity for AI systems"
Background In the late 1960s, science fiction author Philip K. Dick explored the traits that distinguish humans from autonomous robots in his novel "Do Androids Dream of Electric Sheep." As advances in generative AI allow us to create autonomous agents that can reason and act on humans' behalf, we must consider the human traits and knowledge we must equip these agentic AI with to enable them to act autonomously, reasonably, and safely. One crucial skill we need to impart on o
Nov 6, 2025 · 2 min read
"Hackers Breach Nikkei's Slack, Steal 17K Messages and Personal Data"
Background Nikkei Inc., a major Japanese financial news and media group, including the Financial Times, disclosed a data breach affecting its internal Slack workspace. The breach was first discovered in September 2023 after noticing unusual logins to employee messaging accounts. The incident led to the exposure of sensitive, private information belonging to over 17,000 people, including employees and business partners. Key Findings The Entry Point: A Stolen Slack Account The
Nov 6, 2025 · 2 min read
Zoom Accuses State-Sponsored Hackers for Recent Cybersecurity Incident
Background In September 2025, SonicWall, a cybersecurity firm, disclosed a security breach that exposed firewall configuration files tied to MySonicWall accounts. The company initially claimed that less than 5% of customers were impacted, and no files were leaked. However, in October, SonicWall confirmed that threat actors had accessed the preference files of all firewalls using its MySonicWall cloud backup service. Key Findings The stolen files contained encrypted credential
Nov 6, 2025 · 2 min read
'U.S. Imposes Sanctions on North Korean Entities for Cryptocurrency Laundering and IT Fraud'
Background The U.S. Treasury Department on Tuesday imposed sanctions against eight individuals and two entities within North Korea's global financial network. The sanctions are for laundering money for various illicit schemes, including cybercrime and information technology (IT) worker fraud. The Treasury stated that "North Korean state-sponsored hackers steal and launder money to fund the regime's nuclear weapons program." Sanctioned Individuals and Entities Jang Kuk Chol (J
Nov 5, 2025 · 2 min read
CISA Announces Addition of Gladinet and CWP Vulnerabilities to Known Exploited Vulnerabilities Catalog
Background Gladinet CentreStack and Triofox are enterprise file-sharing and cloud storage solutions designed for businesses. CentreStack provides a secure platform for file sharing, syncing, and collaboration, integrating on-premises storage with cloud access. Triofox offers a hybrid cloud solution that enables secure remote access to existing Windows file shares and SMB/NFS storage. CVE-2025-11371 - Gladinet CentreStack and Triofox Files or Directories Accessible to External
Nov 5, 2025 · 1 min read
Former CIA CTO Bob Flores Becomes Brinker's Newest Member
Background Brinker is a narrative intelligence company dedicated to combating disinformation and influence campaigns. The company was founded by Benny Schnaider, Daniel Ravner, and Oded Breiner. Key Findings Brinker has announced that Bob Flores, former Chief Technology Officer of the U.S. Central Intelligence Agency, has joined its advisory board. Flores' appointment strengthens Brinker's mission to transform the fight against disinformation, moving from detection to real-ti
Nov 5, 2025 · 1 min read