ALL POSTS
Divine Skins - Breached Accounts Exposed
Key Findings
* Divine Skins data breach exposed 105,814 user accounts
* Unauthorized third party accessed systems and deleted all skins from database
* Exposed data included email addresses, usernames, and purchase history
* Breach disclosed via Discord server in March 2026
Background
Divine Skins is a custom League of Legends skin service that allows players to modify their in-game character appearances. The platform has been operating for several years, providing unique cos
Mar 15 · 1 min read
GlassWorm Campaign Exploits 72 VSX Extensions in Developer Supply-Chain Attack
Key Findings
* GlassWorm campaign identified targeting developers through 72 malicious Open VSX extensions
* Uses sophisticated supply-chain attack technique exploiting extension dependencies
* Targets development environments to steal secrets and compromise systems
* Employs advanced obfuscation and evasion techniques
* Spans multiple platforms including Open VSX, GitHub, and npm registries
Background
The GlassWorm campaign represents an evolving threat in software supply ch
Mar 15 · 2 min read
Telus Data Breach: ShinyHunters Claims 1 Petabyte Theft Confirmed
Key Findings
* ShinyHunters claims to have stolen approximately 1 petabyte of data from Telus Digital
* Breach discovered through stolen Google Cloud Platform credentials from a previous Salesforce-related hack
* Telus confirms unauthorized access to internal systems
* No disruption to customer services reported
* Investigations and forensic analysis are ongoing
Background
Telus Digital, a subsidiary of Canadian telecommunications giant Telus, provides business process outsou
Mar 14 · 2 min read
AI-Powered Slopoly Malware Enables Hive0163's Advanced Ransomware Strategy
Key Findings
* Hive0163 uses AI-assisted Slopoly malware for persistent access in ransomware attacks
* PowerShell backdoor likely generated using a large language model (LLM)
* Malware maintains C2 access, collects system data, and executes remote commands
* Part of a broader attack framework involving NodeSnake and Interlock RAT
* Initial access achieved through social engineering and malvertising
Background
Hive0163 is a financially motivated threat actor specializing in post-comprom
Mar 13 · 2 min read
Nine Linux AppArmor Flaws in CrackArmor Enable Root Escalation, Container Isolation Bypass
Key Findings
* Nine critical vulnerabilities discovered in Linux AppArmor security module
* Enables root escalation and container isolation bypass
* Affects Linux kernels since version 4.11
* Impacts over 12.6 million enterprise Linux instances
* Allows unprivileged users to manipulate security profiles
* Can trigger denial-of-service attacks
* Enables arbitrary code execution within kernel
* No CVE identifiers assigned yet
* Vulnerabilities exist since 2017
Background
AppArm
Mar 13 · 2 min read
Cloudflare Human Check Exploited by Hackers to Conceal Microsoft 365 Phishing Sites
Key Findings
* Attackers are exploiting Cloudflare's human verification system to hide phishing pages
* Custom virtual machine function used to obfuscate malicious code
* Targets Microsoft 365 login credentials
* Employs sophisticated evasion techniques against security scanners
* Uses location-based filtering to block security researchers
Background
Cybercriminals have developed an innovative method of hiding phishing websites by leveraging Cloudflare's Turnstile verificatio
Mar 13 · 2 min read
Apple Releases Critical Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit
Key Findings
* Apple released security updates for older iOS and iPadOS versions to address vulnerabilities in the Coruna exploit kit
* Updates cover devices that cannot upgrade to the latest iOS versions
* Patches address multiple vulnerabilities, including WebKit and kernel-related issues
* Coruna exploit kit targets iOS versions 13.0 through 17.2.1 with 23 total exploits
Background
The Coruna exploit kit, also known as CryptoWaters, was first identified by Google's Threat Intellig
Mar 12 · 2 min read
SocksEscort Proxy Network Dismantled by Federal Authorities in Global Fraud Crackdown
Key Findings
* International law enforcement dismantled SocksEscort proxy network
* Network compromised approximately 369,000 IP addresses worldwide
* Cybercriminals used service to route fraudulent activities and hide identity
* $3.5 million in cryptocurrency seized
* Infected over 8,000 home and small business routers
* Caused millions in financial losses across multiple victims
Background
SocksEscort operated as a malicious proxy service from 2009, systematically infecting
Mar 12 · 2 min read
Bell Ambulance Data Breach Impacts Nearly 238,000 Individuals
Key Findings
* Bell Ambulance experienced a data breach affecting 237,830 individuals
* Unauthorized network access occurred in February 2025
* Medusa ransomware group claimed responsibility for the attack
* Exposed data includes personal, financial, and medical information
* Company offered 12 months of free credit monitoring to affected individuals
Background
Bell Ambulance is an emergency medical services provider based in Milwaukee, Wisconsin. The organization offers ambu
Mar 12 · 2 min read
CISA Warns of Actively Exploited n8n Remote Code Execution Vulnerability Affecting 24,700 Instances
Key Findings
* Critical remote code execution vulnerability in n8n workflow platform
* CVE-2025-68613 added to CISA's Known Exploited Vulnerabilities (KEV) catalog
* 24,700 unpatched instances exposed online
* Vulnerability allows authenticated attackers to execute arbitrary code
* FCEB agencies ordered to patch by March 25, 2026
Background
n8n is an open-source workflow automation platform that allows users to connect different applications and services. The vulnerability ex
Mar 12 · 1 min read
UNC6426's Rapid Escalation: From npm Malware to AWS Admin in 72 Hours
Key Findings
* UNC6426 breached a victim's cloud environment within 72 hours
* Supply chain attack compromised nx npm package in August 2025
* Stolen GitHub token used to gain unauthorized cloud access
* Threat actor created new AWS administrator role
* Exfiltrated data from S3 buckets and destroyed production environments
* AI-assisted attack leveraged LLM tools for credential theft
Background
The incident originated from a supply chain vulnerability in the nx npm package di
Mar 11 · 2 min read
Iran-Linked Handala Hackers Escalate Cyber Attacks on Stryker and Verifone
Key Findings
* Iran-linked Handala Hack Team claims cyberattacks against Stryker Corporation and Verifone on March 11
* Stryker confirms a network disruption; Verifone denies any breach
* Handala claims to have wiped 200,000 systems and extracted 50 terabytes of data from Stryker
* The group alleges the attack was retaliation for a missile strike on an Iranian school
* Verification of claims is ongoing and independent confirmation is pending
Background
The Handala Hack Team,
Mar 11 · 2 min read
BeatBanker: The Multifaceted Android Malware
Key Findings
BeatBanker is an Android malware that combines banking trojan capabilities with cryptocurrency mining. It spreads through fake Starlink apps distributed on websites imitating the Google Play Store. Once installed, BeatBanker hijacks devices, steals login credentials, and tampers with cryptocurrency transactions. The malware uses a silent audio loop to maintain persistence and avoid being shut down by the system. In newer versions, BeatBanker has replaced the bank
Mar 11 · 2 min read
Microsoft Patches 84 Flaws in April Patch Tuesday, Including Two Public Zero-Days
Key Findings
* Microsoft released patches for 84 new security vulnerabilities affecting various software components
* 8 vulnerabilities are rated Critical, and 76 are rated Important in severity
* 46 of the patched vulnerabilities relate to privilege escalation, followed by 18 remote code execution, 10 information disclosure, 4 spoofing, 4 denial-of-service, and 2 security feature bypass flaws
* 2 publicly disclosed zero-days are included: CVE-2026-26127 (CVSS 7.5) - Denial-of-servic
Mar 11 · 2 min read
APT28 Employs BEARDSHELL and COVENANT Malware in Ongoing Espionage Against Ukrainian Military
Key Findings
APT28, a Russian state-sponsored hacking group, has been observed using a pair of custom malware implants called BEARDSHELL and COVENANT for long-term surveillance of Ukrainian military personnel since April 2024. The malware families showcase the group's continued capabilities in developing advanced custom tools for espionage operations. BEARDSHELL is a C++ backdoor that downloads and executes PowerShell scripts, sending results via the Icedrive cloud storage se
Mar 11 · 2 min read
Microsoft Patch Tuesday for March 2026 — Snort rules and prominent vulnerabilities
Key Findings
* Microsoft released its monthly security update for March 2026, addressing 79 vulnerabilities
* 3 vulnerabilities were marked as "critical" by Microsoft
* Remaining vulnerabilities were classified as "important"
* Microsoft assessed that exploitation of the "critical" vulnerabilities is "less likely"
Background
CVE-2026-26110 and CVE-2026-26113 are "critical" Microsoft Office Remote Code Execution Vulnerabilities. CVE-2026-26144 is a "critical" information disclosure vul
Mar 10 · 1 min read
Threat Actors Leverage FortiGate Devices to Gain Access to Sensitive Network Data
Key Findings:
Attackers are exploiting vulnerabilities or weak credentials in FortiGate Next-Generation Firewall (NGFW) devices to gain initial access to corporate networks. Once inside, the attackers extract configuration files containing service account credentials and information about the internal network structure. The campaign appears to target sectors such as healthcare, government agencies, and managed service providers. Attackers have abused features like Single Sign
Mar 10 · 2 min read
Salesforce Experience Cloud Targeted by Threat Actors Leveraging Modified AuraInspector Tool
Key Findings
Threat actors are mass-scanning publicly accessible Salesforce Experience Cloud sites using a modified version of the open-source AuraInspector tool. The modified tool is capable of extracting data by exploiting overly permissive guest user settings, allowing access to sensitive CRM data. The activity does not involve a vulnerability in the Salesforce platform but targets customer configuration issues. The campaign is attributed to a known threat actor group, pos
Mar 10 · 2 min read
AI Bot Hackerbot-Claw Hits GitHub Repos of Microsoft, DataDog, and CNCF
Key Points
Hackerbot-Claw, a new AI-powered threat, executed a 37-hour campaign targeting major GitHub repositories, including those of Microsoft and DataDog. The attacks focused on exploiting CI/CD pipelines, allowing the AI agent to manipulate developer tools within minutes. The campaign resulted in the deletion of 97 software releases and 32,000 stars from Aqua Security's Trivy project. Hackerbot-Claw employed social engineering tactics to trick developer assistants like C
Mar 10 · 2 min read
Russian Hackers Targeting Signal, WhatsApp in Attacks, Dutch Intel Warns
Key Findings
Dutch intelligence agencies AIVD and MIVD warn of a large-scale global cyber campaign by Russia-linked threat actors targeting Signal and WhatsApp accounts of government officials, military personnel, and journalists. The attackers are using social engineering tactics rather than exploiting app vulnerabilities - they impersonate Signal support bots and abuse legitimate features like "linked devices" to hijack accounts. Once they gain access, the hackers can read
Mar 9 · 2 min read