Lockheed Martin's 375TB Data Breach: Massive Trove Listed on Dark Web Market for $600M
Key Findings
- A dark web marketplace called Threat Market is listing 375 terabytes of alleged Lockheed Martin data for $600 million, with an alternative $374 million price tag
- The data was allegedly provided by a group claiming to be "APT IRAN" starting March 26, 2026
- A separate Iran-linked group called Handala Hack Team claimed around the same time to have accessed personal data of Lockheed Martin engineers and employees
- No verification of the breach has been confirmed by Loc
Mar 31 · 2 min read
OpenAI Patches ChatGPT Data Exfiltration and Codex GitHub Token Vulnerabilities
Key Findings
- Check Point discovered a critical vulnerability in ChatGPT that allowed attackers to exfiltrate user data, uploaded files, and conversation history without detection or consent
- The flaw exploited a hidden DNS-based communication channel in the Linux runtime environment, bypassing all visible AI guardrails
- OpenAI patched the ChatGPT vulnerability on February 20, 2026, with no evidence of malicious exploitation
- BeyondTrust Phantom Labs identified a command injectio
Mar 30 · 4 min read
China-Linked APT Clusters Launch Coordinated Cyber Campaign Against Southeast Asian Government in 2025
Key Findings
- Three China-linked threat clusters targeted a Southeast Asian government organization throughout 2025 in a sophisticated, well-resourced cyber campaign
- Mustang Panda (Stately Taurus) deployed PUBLOAD malware via USB-infected drives between June and August 2025
- CL-STA-1048 cluster operated from March to September 2025, using multiple espionage tools including EggStremeFuel, MASOL RAT, and TrackBak Stealer
- CL-STA-1049 cluster active in April and August 2025 used th
Mar 30 · 3 min read
Citrix NetScaler CVE-2026-3055 Under Active Attack: Sensitive Data Exposure Risk
Key Findings
- CVE-2026-3055 is a critical vulnerability (CVSS 9.3) in Citrix NetScaler ADC and Gateway affecting memory through an insufficient input validation flaw
- Attackers are actively probing the vulnerability via honeypot detection and fingerprinting authentication methods
- Only affects systems configured as a SAML Identity Provider, though this is a common enterprise configuration
- No public exploits exist yet, but in-the-wild exploitation is considered imminent
- Organizat
Mar 29 · 2 min read
Lloyds Group to Compensate 450,000 Customers Following Data App Glitch
Key Findings
- Software defect during routine overnight app update on 12 March exposed financial data for 447,936 customers across Lloyds, Halifax, and Bank of Scotland
- Privacy barriers between accounts failed for several hours, allowing customers to see strangers' transactions or have their own data exposed
- Over 114,000 users clicked on rogue transactions and may have viewed sensitive information including National Insurance numbers, payment references, and account details
- Dat
Mar 29 · 3 min read
CISA Catalogs Critical F5 BIG-IP APM Vulnerability CVE-2025-53521 Following Active Exploitation
Key Findings
- CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog on Friday, citing active exploitation in the wild
- The vulnerability affects F5 BIG-IP Access Policy Manager (APM) and allows unauthenticated remote code execution with a CVSS v4 score of 9.3
- The flaw was initially classified as a denial-of-service issue with a lower severity score but was reclassified as RCE after new information emerged in March 2026
- Federal agencies have until March 30, 20
Mar 29 · 2 min read
Apple Sends Urgent Lock Screen Alerts to Warn Users of Unpatched Security Vulnerabilities
Key Findings
- Apple is sending lock screen warnings to users with outdated iOS and iPadOS versions alerting them to active web-based exploits
- Exploit kits Coruna and DarkSword are actively targeting iOS versions 13 through 18.7, capable of stealing sensitive data through malicious links or compromised websites
- Users on iOS 13-14 must upgrade to iOS 15 and install critical security updates; iOS 15-16 devices received patches on March 11, 2026
- Coruna shares code similarities wit
Mar 28 · 2 min read
European Commission Data Breach: ShinyHunters Claims 350GB Hack of AWS Cloud Infrastructure
Key Findings
- ShinyHunters claims to have breached European Commission systems and stolen over 350GB of data
- Alleged data includes mail server dumps, databases, confidential documents, and contracts
- The European Commission confirmed detecting a cyberattack on March 24 affecting cloud infrastructure hosting Europa.eu websites
- Internal systems were not compromised according to the Commission's investigation
- AWS denies any security incident occurred within its cloud environment
- N
Mar 28 · 3 min read
TA446's DarkSword iOS Exploit Kit: Inside a Targeted Spear-Phishing Campaign
Key Findings
- Russian state-sponsored threat group TA446 (also known as Callisto, COLDRIVER, Star Blizzard) deployed the DarkSword iOS exploit kit in targeted spear-phishing campaign on March 26, 2026
- Campaign used fake Atlantic Council "discussion invitation" emails to deliver GHOSTBLADE dataminer malware to iOS devices
- High-profile target included Leonid Volkov, Russian opposition politician and Anti-Corruption Foundation political director
- First observed use of DarkSword by
Mar 28 · 3 min read
BianLian Ransomware Campaign Exploits Fake Invoice SVG Files to Target Organizations
Key Findings
- WatchGuard researchers identified a phishing campaign targeting Venezuelan companies using malicious SVG image files
- BianLian ransomware group deploying malware via fake invoice attachments with Spanish filenames
- Attack chain uses ja.cat link shortening service to redirect through compromised Brazilian domains
- Malware written in Go language includes anti-analysis capabilities and high-speed AES encryption
- Campaign infrastructure includes four suspicious domains c
Mar 28 · 2 min read
CISA and BSI Alert Organizations to Critical PTC Windchill and FlexPLM Vulnerability
Key Findings
- CISA and BSI issued critical warning for CVE-2026-4681 affecting PTC Windchill and FlexPLM with CVSS score of 10.0
- No patches available at time of advisory; exploitation could be imminent according to German media reports
- Remote Code Execution vulnerability exploitable through deserialization of untrusted data
- German police conducted unprecedented physical visits to companies to warn administrators, some at 3:30 AM
- PTC released indicators of compromise despite st
Mar 28 · 2 min read
Iranian Hackers Claim Breach of FBI Director Kash Patel's Personal Email Account
Key Findings
- Iranian government-linked hacking group Handala claimed Friday to have compromised FBI Director Kash Patel's personal email account and released the data publicly
- The FBI confirmed awareness of the targeting but stated no government information was compromised and the exposed data is historical in nature
- Handala framed the breach as retaliation for U.S. seizure of its domains and a $10 million State Department reward for information on group members
- Leaked docume
Mar 27 · 3 min read
Google Sets 2029 Deadline for Post-Quantum Cryptography to Counter Encryption Threats
Key Findings
- Google has set a 2029 deadline for post-quantum cryptography migration, four years ahead of NSA guidance and six years ahead of broader US government targets
- Quantum computers with one million noisy qubits could crack current 2,048-bit RSA encryption in less than a week, down from previous estimates requiring a billion precise parts
- Store-now-decrypt-later attacks pose immediate risk as hackers steal encrypted data today for future decryption once quantum compute
Mar 27 · 3 min read
AITM Phishing Campaign Targets TikTok Business Accounts with Cloudflare Evasion Tactics
Key Findings
- Push Security identified a new AITM phishing campaign targeting TikTok for Business accounts to hijack them for malvertising and fraud
- Attackers use fake TikTok and Google-themed pages with Cloudflare Turnstile bot protection to bypass security scanners
- Newly registered domains are created rapidly and hosted behind Cloudflare, making them difficult to track
- Compromised accounts are used for malvertising, credential theft, malware distribution, and ad fraud
- Many u
Mar 27 · 2 min read
Red Menshen APT Deploys Stealthy BPFDoor Implants Across Telecom Networks for Surveillance Operations
Key Findings
- China-linked threat actor Red Menshen has maintained a long-term espionage campaign targeting telecom networks in the Middle East and Asia since at least 2021
- The group deploys BPFDoor, a kernel-level Linux backdoor that operates as a "digital sleeper cell" with no visible listening ports or command-and-control beaconing
- BPFDoor inspects network traffic inside the kernel using Berkeley Packet Filter functionality, activating only when receiving a specially crafte
Mar 27 · 4 min read
Researchers Uncover WebRTC Skimmer That Bypasses Traditional Defenses
Key Findings
- Sansec researchers discovered a novel payment skimmer using WebRTC data channels to steal and exfiltrate payment data instead of traditional HTTP requests
- The skimmer exploits the PolyShell vulnerability in Magento and Adobe Commerce to inject malicious code on e-commerce sites
- WebRTC connections bypass Content Security Policy rules and use encrypted UDP traffic, making detection significantly more difficult than traditional skimmers
- Since March 19, 2026, the vul
Mar 27 · 2 min read
Claude Extension Zero-Click XSS Vulnerability Allows Prompt Injection from Any Website
Key Findings
- Vulnerability in Anthropic's Claude Chrome extension allowed zero-click prompt injection from any website without user interaction or permission prompts
- Attack chains two flaws: overly permissive origin allowlist and DOM-based XSS in Arkose Labs CAPTCHA component
- Successful exploitation could enable data theft, access token compromise, conversation history access, and account takeover
- Patch deployed December 27, 2025 (version 1.0.41); Arkose Labs fixed XSS compon
Mar 26 · 2 min read
Triangulation Operation: the framework known as Coruna
Key Findings
- Coruna iOS exploit kit uses an updated version of the kernel exploit from Operation Triangulation, a sophisticated 2023 iOS APT campaign
- The exploit kit includes five full exploit chains and 23 total exploits, targeting iOS 13.0 through 17.2.1
- Coruna contains four additional kernel exploits not seen in Triangulation, two developed after the original campaign's discovery
- Code analysis reveals Coruna was designed with unified architecture rather than patchworked co
Mar 26 · 4 min read
Russian Authorities Arrest Alleged LeakBase Admin Behind Stolen Data Marketplace
Key Findings
- Russian authorities arrested the alleged administrator of LeakBase, a major cybercrime marketplace operating since 2021
- The suspect, a resident of Taganrog, is accused of running a platform with over 147,000 users trading stolen data and credentials
- LeakBase was dismantled in early March 2024 through "Operation Leak," a coordinated international effort involving 14 countries
- The forum hosted hundreds of millions of compromised account credentials, financial infor
Mar 26 · 2 min read
The Kill Chain Becomes Obsolete When Your Threat Is an AI Agent
Key Findings
- In September 2025, a state-sponsored threat actor deployed an AI coding agent that autonomously targeted 30 global organizations, handling 80-90% of tactical operations without human intervention
- AI agents operating inside corporate environments bypass traditional kill chain detection by leveraging legitimate access, permissions, and data workflows they were granted at deployment
- The OpenClaw crisis revealed that 12% of marketplace skills were malicious, with com
Mar 26 · 3 min read