top of page

ALL POSTS

JanelaRAT: Financial Malware Targeting Latin American Banks with Thousands of Attacks in 2025

Key Findings JanelaRAT is a modified BX RAT variant targeting financial institutions across Latin America, with 14,739 recorded attacks in Brazil and 11,695 in Mexico during 2025 The malware uses a custom title bar detection mechanism to identify banking websites and execute fraudulent actions in real-time Initial infection relies on phishing emails mimicking invoice notifications, leading to multi-stage infection chains using MSI installers and DLL side-loading Recent campai

OpenAI Revokes macOS Certificate Following Axios Supply Chain Compromise

Key Findings OpenAI's GitHub Actions workflow downloaded malicious Axios version 1.14.1 on March 31, compromising access to macOS app signing certificates North Korean hacking group UNC1069 hijacked the Axios package maintainer account and injected WAVESHAPER.V2 backdoor into versions 1.14.1 and 0.30.4 OpenAI found no evidence of user data theft, system compromise, or software alteration despite certificate access All macOS versions of ChatGPT Desktop, Codex, Codex CLI, and A

Hackers claim control of Venice's San Marco anti-flood pumps

Key Findings Threat actors claiming to be "Infrastructure Destruction Squad" or "Dark Engine" breached Venice's San Marco flood defense system in late March 2026 Attackers claim to have maintained administrative access and stated they could disable flood defenses and inundate coastal areas Group offered full root access to the system for $600 USD, demonstrating both severity of breach and low barrier to further exploitation Italian authorities confirmed critical systems prote

Hacker Leveraged Claude and GPT-4.1 AI to Steal Hundreds of Millions of Mexican Records

Key Findings A single hacker compromised nine Mexican government agencies between December 2025 and February 2026 using Claude Code and GPT-4.1 The attacker generated 5,317 AI-executed commands across 34 sessions, with Claude Code running approximately 75% of remote commands to government systems Over 305 million citizen records were exfiltrated, including 195 million taxpayer records, 220 million civil records, and sensitive health and domestic violence victim data The hacke

Adobe Releases Critical Security Patch for Actively Exploited Acrobat Reader Vulnerability CVE-2026-34621

Key Findings Adobe released emergency patches for CVE-2026-34621, a critical vulnerability in Acrobat Reader actively exploited in the wild The flaw has a CVSS score of 8.6 and allows arbitrary code execution through prototype pollution in JavaScript Evidence suggests exploitation has been occurring since at least December 2025 Security researcher Haifei Li discovered the vulnerability being used to deliver malicious JavaScript via crafted PDFs Affected versions include Acrob

Chrome's Latest Update: A Major Blow to Infostealer Cookie Theft Operations

Key Findings Google has rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to prevent hackers from using stolen session cookies to access user accounts The system binds login sessions to a device's hardware security chip, making exfiltrated cookies unusable on other machines Early testing shows a measurable drop in successful infostealer attacks through Origin Trials with partners like Okta Over 30 million computers were infected with infostealer mal

CPUID Website Breach Deploys STX RAT Through Compromised CPU-Z and HWMonitor Downloads

Key Findings CPUID's website was compromised for approximately 24 hours (April 9-10, 2026) to distribute trojanized CPU-Z and HWMonitor installers containing STX RAT malware Threat actors manipulated a secondary API to redirect download links to malicious websites hosting infected executables The malware used DLL sideloading with a file named CRYPTBASE.dll to execute payloads while evading detection Over 150 victims identified across individuals and organizations in retail, m

Iranian APT Attacks Target Thousands of Exposed US Industrial Devices

Key Findings Censys identified 5,219 internet-exposed Rockwell Automation PLCs globally, with 74.6% located in the United States Iranian-linked APT groups have been actively targeting these devices since March 2026, causing operational disruptions and financial losses Approximately 3,891 exposed U.S. devices are concentrated on cellular networks, indicating field-deployed infrastructure at utilities and substations Most vulnerable devices run outdated firmware from the MicroL

Law Enforcement's Mass Surveillance Through Ad Data: The Webloc Tracking of 500 Million Devices

Key Findings Webloc, an ad-based geolocation surveillance system, tracks up to 500 million mobile devices globally without warrant requirements Law enforcement agencies in the U.S., Hungary, and El Salvador have deployed the tool, including ICE, DHS, and local police departments across multiple cities The system accesses device identifiers, location coordinates, and personal data harvested from mobile apps and digital advertising networks Israeli company Cobwebs Technologies

FBI's iPhone Notification Loophole: How Deleted Signal Messages Aren't Really Deleted

Key Findings FBI successfully recovered deleted Signal messages from an iPhone using Apple's notification database Messages were extracted even after the Signal app was completely uninstalled from the device Only incoming messages could be recovered, not outgoing ones, confirming data came from notification storage The vulnerability affects any messaging app that displays preview notifications, including WhatsApp and Telegram Users can disable message previews in iPhone and a

Lazarus Hackers Use Real US LLCs to Distribute Malware in GraphAlgo Scam

Key Findings North Korea-linked Lazarus Group registered legitimate US LLC to distribute malware targeting blockchain developers Hackers created fake company "Blocmerce" in Florida with fabricated CEO and official state filings using real residential addresses GraphAlgo campaign evolved from npm package distribution to hiding malware in GitHub release artifacts Remote Access Trojan (RAT) deployed after developers run test tasks, giving attackers full machine control Campaign

GlassWorm Campaign: Zig Dropper Targeting Developer IDEs

Key Findings GlassWorm campaign discovered using Zig-compiled dropper to infect multiple IDEs on developer machines Malicious VS Code extension "specstudio.code-wakatime-activity-tracker" masquerades as legitimate WakaTime tool Native binary executes outside JavaScript sandbox with full OS-level access to find and compromise all IDE installations Second-stage extension deploys information-stealing malware, avoids execution on Russian systems, and uses Solana blockchain for C2

Marimo RCE Vulnerability CVE-2026-39987 Under Active Exploitation Since Disclosure

Key Findings Critical RCE vulnerability CVE-2026-39987 in Marimo (CVSS 9.3) exploited within 9 hours 41 minutes of disclosure Unauthenticated attackers can obtain full interactive shell access on exposed instances through /terminal/ws WebSocket endpoint Affects all Marimo versions up to 0.20.4; patched in version 0.23.0 Unknown threat actor built working exploit from advisory alone, with no public PoC available Attacker conducted credential theft operation and reconnaissance,

UAT-10362 LucidRook Campaigns Target Taiwan-Based Institutions and NGOs Through Spear-Phishing

Key Findings UAT-10362, a sophisticated threat actor, conducted targeted spear-phishing campaigns against Taiwanese NGOs and universities starting in October 2025 LucidRook, a Lua-based malware stager, was delivered through password-protected RAR and 7-Zip archives with decryption passwords included in phishing emails Two distinct infection chains were identified: one using Windows Shortcut files and another using .NET executables masquerading as antivirus software Both chain

EngageLab SDK Vulnerability Compromises Private Data Across 50M Android Devices and Crypto Wallets

Key Findings Critical flaw in EngageLab SDK affected up to 50 million Android devices, including over 30 million crypto wallet installations Intent redirection vulnerability allowed malicious apps to bypass Android sandbox protections and access private data EngageLab released patch in version 5.2.1 on November 3, 2025, after Microsoft's coordinated disclosure in April 2025 No active exploitation confirmed in the wild Vulnerable apps were removed from Google Play Store follow

Adobe Reader Zero-Day Under Active Exploitation: Malicious PDFs Weaponized in the Wild

Key Findings Threat actors have been actively exploiting a previously unknown zero-day vulnerability in Adobe Reader since at least November 2025 Malicious PDF documents named with invoice-themed filenames use Russian language lures related to oil and gas industry issues to trick victims into opening them The exploit automatically executes obfuscated JavaScript upon opening to harvest sensitive data and receive additional malicious payloads The vulnerability allows execution

Hack-for-Hire Spyware Campaign Targets Journalists Across MENA Region

Key Findings A coordinated hack-for-hire campaign targeting journalists and activists across the Middle East and North Africa has been active since at least 2022, with operations continuing into 2025 The campaign is attributed to Bitter, a threat actor with suspected ties to the Indian government, operating as a likely contracted espionage service Two Egyptian journalists and critics of their government, Mostafa Al-A'sar and Ahmed Eltantawy, were targeted with sophisticated s

North Korean-Linked Hackers Distribute 1,700 Malicious Packages Across Multiple Package Repositories

North Korean-linked threat actor "Contagious Interview" has distributed over 1,700 malicious packages across npm, PyPI, Go, Rust, and Packagist ecosystems since January 2025 Malicious code is hidden within legitimate-looking functions and only executes at runtime, not during installation, making detection harder Packages function as malware loaders delivering second-stage payloads with infostealer, RAT, and post-compromise capabilities including keylogging and remote access C

Iran-Linked Cyber Actors Escalate Attacks on US Critical Infrastructure Through PLC Exploitation

Key Findings Iran-affiliated cyber actors are actively targeting internet-exposed programmable logic controllers (PLCs) across U.S. critical infrastructure sectors including government, water systems, and energy Attacks have caused diminished PLC functionality, manipulated display data, operational disruption, and financial losses Threat actors are exploiting Rockwell Automation and Allen-Bradley PLCs, specifically CompactLogix and Micro850 devices Initial access is gained th

Feds dismantle Russia-backed espionage network operating across 18,000 devices

Key Findings Russian GRU-attributed threat group Forest Blizzard compromised over 18,000 routers across 120+ countries for large-scale espionage before being neutralized Attackers exploited known vulnerabilities in TP-Link and MicroTik routers to hijack DNS settings and steal credentials via man-in-the-middle attacks Campaign impacted more than 200 organizations and at least 5,000 consumer devices globally, including government agencies and critical infrastructure sectors FBI

  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page