ALL POSTS
China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver XoBot Malware
Key Findings China-linked advanced persistent threat (APT) group Evasive Panda (also known as Bronze Highland, Daggerfly, and StormBamboo) conducted a cyber espionage campaign targeting victims in Türkiye, China, and India. The group used adversary-in-the-middle (AitM) attacks and DNS poisoning techniques to deliver its signature MgBot backdoor. The attackers leveraged lures that masqueraded as updates for third-party software, such as SohuVA, Baidu's iQIYI Video, IObit Smart
Dec 26, 2025 · 2 min read
Trust Wallet Suffers $7 Million Security Breach
Key Findings Trust Wallet, a popular non-custodial cryptocurrency wallet, has suffered a security breach that resulted in the loss of approximately $7 million in digital assets. The issue was caused by a vulnerability in version 2.68 of the Trust Wallet Chrome extension, which has around one million users. The malicious code in the affected extension version was designed to extract the mnemonic phrases (recovery seeds) of all wallets stored in the extension, and then send the
Dec 26, 2025 · 2 min read
CVE-2025-68666 - LangChain serialization injection vulnerability in data utilities
Key Findings: A critical security flaw, tracked as CVE-2025-68664 (CVSS score: 9.3 out of 10.0), has been disclosed in LangChain Core that could enable attackers to steal sensitive secrets and influence large language model (LLM) responses through prompt injection. The vulnerability is caused by a serialization injection issue in the `dumps()` and `dumpd()` functions of LangChain, which fail to properly escape dictionaries with "l
Dec 26, 2025 · 2 min read
CISA Flags Actively Exploited Digiever NVR Vulnerability Allowing Remote Code Execution
Key Findings The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw in Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2023-52163, has a CVSS score of 8.8 and allows post-authentication remote code execution through command injection. CISA cited evidence of active exploitation of the flaw by threat actors to deliver botnets like Mirai and S
Dec 26, 2025 · 2 min read
Fortinet Warns of Active Exploitation of FortiOS SSL VPN Vulnerability
Key Findings Fortinet reported active exploitation of a five-year-old security vulnerability, CVE-2020-12812 (CVSS score: 5.2), in FortiOS SSL VPN. The vulnerability is an improper authentication flaw that may allow users to bypass two-factor authentication (2FA) by changing the case of the username, enabling successful login without being prompted for the second authentication factor. The issue occurs when FortiGate has local 2FA users linked to LDAP, the same users belong t
Dec 25, 2025 · 2 min read
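The bug class behind the Fortinet item above is a case-sensitive lookup of the per-user 2FA policy sitting in front of a directory that authenticates case-insensitively. The following is an added, constructed model of that mismatch, not FortiOS code or anything from Fortinet's advisory: the usernames, password, OTP value and the `Gateway`/`Directory` classes are all assumptions made for the illustration. The vulnerable gateway keys its local-user table by the exact string typed, so "Alice" misses the 2FA entry for "alice" and falls through to the password-only group path; the fixed gateway normalizes the username before the lookup.

```python
# Constructed model of a 2FA bypass caused by a case-sensitive policy lookup
# in front of a case-insensitive directory. Illustrative only; not FortiOS code.
# Usernames, password and OTP value below are made up for the example.
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

VALID_OTP = "123456"  # stand-in for whatever the second factor would produce


@dataclass(frozen=True)
class LocalUser:
    name: str          # username exactly as the administrator configured it
    two_factor: bool   # True if this account must present a second factor


class Directory:
    """Stand-in for an LDAP server: a bind succeeds whatever the username's case."""

    def __init__(self, credentials: dict[str, str]):
        self._creds = {user.casefold(): pw for user, pw in credentials.items()}

    def bind(self, username: str, password: str) -> bool:
        return self._creds.get(username.casefold()) == password


class Gateway:
    """Login policy with two paths: a matching local user decides whether 2FA is
    required; anyone else who binds and belongs to an allowed directory group
    gets in on the password alone."""

    def __init__(self, directory: Directory, local_users: Iterable[LocalUser],
                 allowed_group: Iterable[str], normalize: Callable[[str], str]):
        self.directory = directory
        self.normalize = normalize  # how usernames are keyed for the local lookup
        self.local_users = {normalize(u.name): u for u in local_users}
        self.allowed_group = {member.casefold() for member in allowed_group}

    def login(self, username: str, password: str, otp: Optional[str] = None) -> str:
        if not self.directory.bind(username, password):
            return "denied"
        local = self.local_users.get(self.normalize(username))
        if local is not None:
            if local.two_factor and otp != VALID_OTP:
                return "second_factor_required"
            return "ok:local"
        # No local entry matched, so the group path applies: password only.
        if username.casefold() in self.allowed_group:
            return "ok:group"
        return "denied"


def _build(normalize: Callable[[str], str]) -> Gateway:
    directory = Directory({"alice": "hunter2"})          # constructed credentials
    local_users = [LocalUser("alice", two_factor=True)]  # 2FA enforced for "alice"
    return Gateway(directory, local_users, allowed_group=["alice"], normalize=normalize)


def vulnerable_gateway() -> Gateway:
    """Keys the local-user table by the exact string the user typed."""
    return _build(normalize=lambda name: name)


def fixed_gateway() -> Gateway:
    """Keys the local-user table case-insensitively, so "Alice" and "alice"
    resolve to the same policy entry and the 2FA requirement cannot be skipped."""
    return _build(normalize=str.casefold)


if __name__ == "__main__":
    for label, gw in (("vulnerable", vulnerable_gateway()), ("fixed", fixed_gateway())):
        for attempt in ("alice", "Alice", "ALICE"):
            print(f"{label:10} {attempt:6} -> {gw.login(attempt, 'hunter2')}")
```

The general lesson is that every component which decides policy for an identity must agree on one canonical form of that identity; normalizing at the edge (here with `str.casefold()`) before any lookup removes the gap between the two paths.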
Nomani Investment Scam Surges 62% Using AI Deepfake Ads on Social Media
Key Findings The fraudulent investment scheme known as Nomani has witnessed a 62% increase, according to ESET. Nomani campaigns have expanded beyond Facebook to include other social media platforms, such as YouTube. ESET blocked over 64,000 unique URLs associated with the Nomani threat this year, with the majority of detections originating from Czechia, Japan, Slovakia, Spain, and Poland. Nomani leverages social media malvertising, company-branded posts, and AI-powered video
Dec 24, 2025 · 2 min read
New MacSync Stealer Targets Mac Devices with Gatekeeper Bypass
Key Findings A new variant of the MacSync Stealer malware has been discovered, which uses a digitally signed and notarized Swift application to bypass macOS Gatekeeper security checks. The malicious application is distributed via a disk image (DMG) named "zk-call-messenger-installer-3.9.2-lts.dmg" hosted on the "zkcall[.]net/download" website. The application is code-signed and successfully notarized by Apple, giving it a veneer of legitimacy and allowing it to run on macOS w
Dec 24, 2025 · 2 min read
Italian Regulator Deems Apple's ATT Feature as Limiting Competition
Key Findings Italy's antitrust authority (AGCM) fined Apple €98.6 million for abusing its dominant position in the App Store market through its App Tracking Transparency (ATT) framework. The AGCM found that Apple's ATT policy, which requires a double consent prompt for developers to access user data for advertising, is disproportionate and limits competition. Apple's own apps and services can obtain user consent for data collection and personalized ads in a single tap, giving
Dec 24, 2025 · 2 min read
Two Chrome Extensions Caught Intercepting User Data From Over 170 Sites
Key Findings: Two malicious Google Chrome extensions named "Phantom Shuttle" have been discovered secretly stealing user credentials from over 170 websites. The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. The extensions execute complete traffic interception, operate as man-in-the-middle proxies, and continuously exfiltrate user data to a command-and-control server. Once users make a subscription paymen
Dec 24, 2025 · 2 min read
Backdoor in NVIDIA AI Systems: Critical 9.8 Severity Flaws Grant Total Control
Key Findings NVIDIA has issued a critical security update for its Isaac Launchable software, patching three vulnerabilities with a CVSS score of 9.8. The most severe flaw, CVE-2025-33222, involves hard-coded credentials that allow attackers to bypass authentication and gain complete control of affected systems. The remaining two vulnerabilities, CVE-2025-33223 and CVE-2025-33224, stem from improper privilege management, enabling attackers to execute code with elevated permiss
Dec 24, 2025 · 2 min read
U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme
Key Findings The U.S. Justice Department (DoJ) seized the domain web3adspanels[.]org, which was used as a backend web panel to host and manipulate illegally harvested bank login credentials. The criminal group behind the scheme used fraudulent advertisements on search engines like Google and Bing to redirect users to fake bank websites, where their login credentials were harvested through malicious software. The stolen credentials were then used by the criminals to access vic
Dec 23, 2025 · 2 min read
Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances
Key Findings A critical security vulnerability (CVE-2025-68613) with a CVSS score of 9.9 has been discovered in the n8n workflow automation platform. The flaw could enable arbitrary code execution under certain circumstances, potentially leading to a full compromise of the affected instances. The vulnerability affects all versions of n8n from 0.211.0 up to, but not including, 1.120.4, and has been patched in versions 1.120.4, 1.121.1, and 1.122.0. According to Censys, there are 103,476 poten
Dec 23, 2025 · 2 min read
Fake WhatsApp API Package on npm Steals User Data
Key Findings: A malicious npm package named "lotusbail" has been discovered that poses as a functional WhatsApp API, but actually steals users' messages, contacts, and login tokens. The package has been downloaded over 56,000 times since it was first uploaded in May 2025. The package is designed to capture authentication tokens, session keys, message history, contact lists, media files, and documents, and transmit the stolen data to an attacker-controlled server. The package
Dec 23, 2025 · 2 min read
Kimwolf Android Botnet Infects Millions, Launches DDoS Attacks
Key Findings The Kimwolf Android botnet has infected over 1.8 million devices globally, primarily targeting TV boxes. It uses advanced techniques like DNS over TLS, elliptic curve digital signatures, and blockchain domains to evade detection. The botnet is capable of massive DDoS attacks, issuing over 1.7 billion commands in a three-day period. Kimwolf shares code with the Aisuru botnet family but has been heavily redesigned to avoid detection. Background The Kimwolf botnet was f
Dec 21, 2025 · 2 min read
FBI Indicts Bangladeshi Man for Running Fake ID Template Network
Key Findings Zahid Hasan, a 29-year-old Bangladeshi national, has been named in a nine-count federal indictment for operating a sophisticated network of websites selling digital templates for fake government documents, including U.S. passports and Montana driver's licenses. Hasan allegedly ran businesses like Techtreek.com, Egiftcardstorebd.com, and Idtempl.com from 2021 to 2025, selling these templates to over 1,400 customers worldwide and generating over $2.9 million in reve
Dec 21, 2025 · 2 min read
Iranian Infy APT Resurfaces with New Malware Activity Targeting Various Sectors
Key Findings Iranian APT group Infy (aka Prince of Persia) has resurfaced with new malware campaigns after nearly 5 years of dormancy. The scale of Infy's current activity is significantly larger than previously assessed. The group has targeted victims across Iran, Iraq, Turkey, India, Canada, and parts of Europe. Infy's malware arsenal includes updated versions of the Foudre downloader and Tonnerre implant. Attack chains have evolved from macro-laced documents to embedded execut
Dec 21, 2025 · 2 min read
DoJ Indicts 54 in ATM Jackpotting Ring
Key Findings The U.S. Department of Justice has indicted 54 individuals over a multi-million-dollar ATM jackpotting fraud scheme. The crimes are linked to the cybercrime group Tren de Aragua (TdA), including charges of fraud, money laundering, and material support to a terrorist organization. ATM jackpotting is a type of cyber-enabled bank robbery where criminals infect an ATM with malware or use physical access to force it to dispense cash. The conspiracy used a malware stra
Dec 20, 2025 · 3 min read
Russia-Linked Hackers Use Microsoft 365 Device Code Phishing to Steal Accounts
Key Findings A Russia-aligned threat group, tracked as UNK_AcademicFlare, has been conducting phishing campaigns that abuse Microsoft 365 device code authentication workflows to steal victims' credentials and take over accounts. The attacks, ongoing since September 2025, target government, military, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary uses compromised email addresses belonging to government and military organizations
Dec 20, 2025 · 2 min read
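For the device code phishing item above, the control a defender most wants is a detection over sign-in telemetry. The following is an added example written for this page, not code from the reporting on UNK_AcademicFlare or from Microsoft: it flags successful device-code authentications in Microsoft Entra ID sign-in records and raises the severity when the sign-in country is outside the countries the same user otherwise signs in from. The record shape (`authenticationProtocol`, `status.errorCode`, `location.countryOrRegion`, `userPrincipalName`) follows the Entra sign-in log schema as I understand it and should be checked against your export; the log lines, users and IP addresses are constructed for the example.

```python
# Added detection example: surface successful device-code sign-ins and rank them
# by whether the source country matches the user's own baseline. Not vendor code.
# Field names are assumed to follow Entra ID sign-in logs; verify against your export.
import json
from collections import defaultdict

# Constructed sample records (JSON lines), not real telemetry.
SAMPLE_SIGNIN_LOGS = """
{"createdDateTime": "2025-12-01T09:02:11Z", "userPrincipalName": "alice@example.gov", "authenticationProtocol": "authorizationCodeFlow", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T09:40:55Z", "userPrincipalName": "alice@example.gov", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T10:15:02Z", "userPrincipalName": "bob@example.gov", "authenticationProtocol": "authorizationCodeFlow", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T10:20:30Z", "userPrincipalName": "bob@example.gov", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T11:01:44Z", "userPrincipalName": "carol@example.gov", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 50126}}
"""

DEVICE_CODE = "deviceCode"  # assumed value of authenticationProtocol for this flow


def parse_signins(text: str) -> list[dict]:
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _succeeded(record: dict) -> bool:
    return record.get("status", {}).get("errorCode") == 0


def baseline_countries(records: list[dict]) -> dict[str, set[str]]:
    """Countries each user has successfully signed in from via any flow other
    than device code. Device-code sign-ins are excluded so an attacker's own
    sign-in cannot seed the baseline it is judged against."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != DEVICE_CODE and _succeeded(r):
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return baseline


def find_device_code_signins(records: list[dict]) -> list[dict]:
    """Return one alert per successful device-code sign-in, in log order.
    Severity is 'high' when the country is outside the user's baseline
    (or the user has no baseline at all), otherwise 'medium': a device-code
    sign-in is worth a look even from a familiar location."""
    baseline = baseline_countries(records)
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != DEVICE_CODE or not _succeeded(r):
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        known = baseline.get(user, set())
        alerts.append({
            "time": r["createdDateTime"],
            "user": user,
            "ip": r.get("ipAddress"),
            "country": country,
            "severity": "high" if country not in known else "medium",
            "baseline": sorted(known),
        })
    return alerts


def demo() -> list[dict]:
    return find_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOGS))


if __name__ == "__main__":
    for alert in demo():
        print(f"[{alert['severity']:6}] {alert['time']} {alert['user']} "
              f"from {alert['ip']} ({alert['country']}); baseline={alert['baseline']}")
```

The failed attempt for `carol@example.gov` is deliberately dropped: a rejected device-code sign-in is noise for this rule, although a spike of them for one user is a separate signal worth its own detection. In a tenant that has no business need for the flow, the stronger control is to block device code authentication outright with a Conditional Access policy and treat any remaining occurrence as high severity.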
Ukrainian National Pleads Guilty to Nefilim Ransomware Attacks
Key Findings: Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, pleaded guilty to multiple crimes stemming from his involvement in a string of ransomware attacks targeting U.S. and Europe-based organizations from mid-2018 to late 2021. Stryzhak faces up to 10 years in jail for conspiracy to commit fraud, including extortion. Authorities are still looking for Stryzhak's alleged co-conspirator Volodymyr Tymoshchuk and announced an $11 million reward for informatio
Dec 19, 2025 · 2 min read
YouTube Ghost Network: Unraveling the GachiLoader Malware Hiding in Video Links
Key Findings: A massive network of compromised YouTube accounts is being weaponized to spread a sophisticated new threat, turning the popular video platform into a launchpad for data theft. The campaign, dubbed the "YouTube Ghost Network," leverages malicious videos promoting "cracked" software, trainers, or cheats to lure users into downloading a new, heavily obfuscated JavaScript malware loader called GachiLoader. GachiLoader is written in Node.js and deploys a second-stage
Dec 19, 2025 · 2 min read