ScarCruft's Audacious Breach: Zoho WorkDrive and USB Malware Compromise Air-Gapped Networks

Key Findings
ScarCruft, a North Korean threat actor, has been attributed to a new set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications. The campaign, codenamed "Ruby Jumper" by Zscaler ThreatLabz, involves the deployment of various malware families to facilitate surveillance on victim systems. One of the malware components, THUMBSBD, uses removable media to relay commands and transfer data between internet-connected and air-g

Aeternum C2: The Botnet That Lives on the Polygon Blockchain

Key Findings
Aeternum is a C++ botnet loader that uses the Polygon blockchain as its command-and-control (C2) infrastructure. The botnet stores its instructions in smart contracts on the Polygon blockchain, making its C2 effectively permanent and resistant to traditional takedown methods. Infected machines poll public RPC endpoints, read the on-chain instructions, and execute them, allowing the botnet operators to manage multiple contracts and payloads simultaneously. Blockc

Google GTIG Disrupts China-Linked APT UNC2814, Halting Attacks on 53 Orgs in 42 Countries

Key Findings
• Google Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign by UNC2814, a suspected China-linked cyber espionage group
• UNC2814 had breached at least 53 organizations across 42 countries, primarily targeting telecommunications and government sectors
• The group used a novel backdoor called GRIDTIDE that leveraged legitimate Google Sheets API functions for command-and-control
• GTIG took coordinated action to disrupt UNC2814's

Aeternum C2 Botnet Leverages Polygon Blockchain to Evade Takedown

Key Findings
Aeternum C2 is a new botnet that uses the Polygon blockchain to store encrypted command-and-control (C2) instructions. This approach makes Aeternum's C2 infrastructure effectively permanent and resistant to traditional takedown methods. The malware works by writing commands to be issued to infected hosts into smart contracts on the Polygon blockchain. The bots then read those commands by querying public remote procedure call (RPC) endpoints, with the commands man

Dohdoor Backdoor Hits U.S. Education and Healthcare

Key Findings
Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor. Initial access likely occurs through phishing, triggering a PowerShell script that downloads a batch file and then a malicious DLL named Dohdoor via sideloading. The malware uses DNS-over-HTTPS and Cloudflare infrastructure to hide its command-and-control tra

Cisco SD-WAN Zero-Day Exploited Since 2023 for Admin Access

Key Findings
A critical Cisco SD-WAN vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), has been actively exploited since 2023 to gain remote, unauthenticated administrative access. The vulnerability allows an attacker to bypass authentication and gain full administrative access to affected Cisco Catalyst SD-WAN Controller and Manager systems. Exploited environments include on-premises, Cisco Hosted SD-WAN Cloud, and FedRAMP Cisco Hosted SD-WAN Cloud deployments.

Malicious StripeApi NuGet Package Mimics Official Library, Steals API Tokens

Key Findings
A malicious NuGet package, codenamed "StripeApi.Net", was discovered impersonating the legitimate "Stripe.net" library from the financial services firm Stripe. The package was uploaded to the NuGet Gallery on February 16, 2026 by a user named "StripePayments". The package's NuGet page was designed to closely resemble the official Stripe.net package, using the same icon and a nearly identical readme. The package had an artificially inflated download count of over

Claude Code Flaws Lead to Remote Code Execution and API Key Exfiltration

Key Findings
• Multiple security vulnerabilities discovered in Anthropic's Claude Code, an AI-powered coding assistant
• Vulnerabilities could result in remote code execution and theft of Anthropic API credentials
• Vulnerabilities exploit configuration mechanisms, including Hooks, Model Context Protocol (MCP) servers, and environment variables

Background
Claude Code is an artificial intelligence (AI)-powered coding assistant developed by Anthropic. It is designed to help developer

Google Disrupts Massive Cyberespionage Campaign Across Multiple Countries

Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries

Key Findings
• Google, in collaboration with industry partners, disrupted the infrastructure of the suspected China-nexus cyber espionage group UNC2814
• UNC2814 breached at least 53 organizations across 42 countries in the Americas, Asia, and Africa
• The threat actor may have targeted at least 20 additional countries
• UNC2814 used a novel backdoor called GRIDTIDE that abuses Google Sheets API for comma

SolarWinds Serv-U Critical Vulnerabilities Patched, Enabling Root Access

Key Findings
• SolarWinds has patched four critical vulnerabilities in its Serv-U file transfer server software
• The flaws could allow remote code execution and give attackers full root access on unpatched systems
• The vulnerabilities include:
  • CVE-2025-40538: Broken access control flaw allowing creation of admin user and arbitrary code execution as root
  • CVE-2025-40539 and CVE-2025-40540: Type confusion vulnerabilities enabling arbitrary native code execution as root
  • CVE-2025-4054

Ex-Defense Contractor Executive Sentenced for Selling Zero-Day Exploits to Russian Broker

Key Findings
Peter Williams, a 39-year-old former executive at U.S. defense contractor L3Harris, was sentenced to 87 months (over 7 years) in prison for selling eight zero-day exploits to a Russian broker. Williams pleaded guilty in October 2025 to two counts of trade secret theft. Williams sold the stolen exploits, intended for restricted use by the U.S. government a

Hacker Leverages AI to Breach Hundreds of FortiGate Devices Globally

Amazon Alerts: Low-Skill Hacker Used AI Tools to Breach FortiGate Devices Globally

Key Findings
A Russian-speaking individual with limited technical skills managed to infiltrate over 600 FortiGate security devices across 55 countries in just over a month. The attacker used commercial AI services as a force multiplier, turning basic hacking into a high-speed assembly line. The attacker systematically scanned the internet for exposed management ports and used AI to test common

Lazarus Group's Medusa Ransomware Strikes Globally

Key Findings
The North Korea-linked Lazarus Group has been observed using the Medusa ransomware in attacks targeting an entity in the Middle East and an unsuccessful attempt against a healthcare organization in the U.S. Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023, with over 366 claimed attacks to date. The Lazarus Group's Medusa ransomware campaign involves the use of various tools, including RP_Proxy, Mimikat

Anthropic Claims Chinese AI Firms 'Distilled' Claude for Training Their Models

Key Findings
Anthropic, the developer of the Claude AI chatbot, has accused several Chinese AI firms, including DeepSeek, MiniMax, and Moonshot AI, of attempting to "distill" Claude's capabilities to train their own models. Distillation refers to the practice of training a new AI model by learning from the outputs of an existing model, rather than using the original training data. Anthropic claims these Chinese firms engaged in coordinated, large-scale efforts to access Claud

Operation MacroMaze: APT28's Webhook Exploits

Key Findings
Russia-linked APT28 targeted European entities with a webhook-based macro malware campaign called Operation MacroMaze from September 2025 to January 2026. The campaign used spear-phishing emails delivering weaponized documents with an "INCLUDEPICTURE" field pointing to a webhook[.]site URL hosting a JPG. When opened, the file silently retrieves the image, acting as a tracking pixel to alert attackers the document was viewed. Variants dropped modified macros that

APT28 Targeted European Entities Using Webhook-Based Macro Malware

Background
The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe. The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze.

Key Findings
The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration. The attack chain

Hackers Exploit Excel to Hide XWorm 7.2 in JPEG, Hijacking PCs

Background
The XWorm malware has been around since 2022, but the latest version 7.2 surfaced on Telegram marketplaces in late 2025 and early 2026. Attackers are using social engineering tactics to lure victims into opening malicious Excel attachments in emails disguised as business communications.

Technical Details
The Excel file exploits an old vulnerability (CVE-2018-0802) to run a hidden script (HTA file) that downloads what appears to be a normal JPEG image. However, the

Wormable XMRig Campaign Leverages BYOVD and Timed Kill Switch for Stealth

Key Findings
• Wormable cryptojacking campaign spreads through pirated software installers
• Uses BYOVD (Bring Your Own Vulnerable Driver) technique to gain kernel-level access and boost mining performance
• Includes a time-based "kill switch" set to December 23, 2025, triggering a controlled cleanup routine
• Exhibits worm-like capabilities, spreading across external storage devices for lateral movement
• Modular design separates monitoring features from mining, persistence, and privi

The Scourge of Malicious npm Packages: Exposing Threats to Crypto, CI, and API Security

Key Findings
Cybersecurity researchers have disclosed an active "Shai-Hulud-like" supply chain worm campaign that has leveraged a cluster of at least 19 malicious npm packages. The malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments. The packages also include a weaponized GitHub Action that harvests CI/CD secrets and exfiltrates them, as well as a "McpInje

Hackers Conceal Pulsar RAT Within PNG Images in New NPM Supply Chain Offensive

Background
The cybersecurity researchers at Veracode have discovered a new type of supply chain attack targeting the NPM ecosystem. The attack involves hiding a dangerous Pulsar Remote Access Trojan (RAT) inside seemingly innocuous PNG image files.

Key Findings
Hackers used a typosquatting technique to create a malicious NPM package named "buildrunner-dev" that closely resembles a legitimate tool called "buildrunner". Once installed, the package downloads a heavily obfuscated

© 2025 by Explain IT Again.