
ALL POSTS

Threat Actors Leverage FortiGate Devices to Gain Access to Sensitive Network Data

Key Findings: Attackers are exploiting vulnerabilities or weak credentials in FortiGate Next-Generation Firewall (NGFW) devices to gain initial access to corporate networks. Once inside, the attackers extract configuration files containing service account credentials and information about the internal network structure. The campaign appears to target sectors such as healthcare, government agencies, and managed service providers. Attackers have abused features like Single Sign

Salesforce Experience Cloud Targeted by Threat Actors Leveraging Modified AuraInspector Tool

Key Findings: Threat actors are mass-scanning publicly accessible Salesforce Experience Cloud sites using a modified version of the open-source AuraInspector tool. The modified tool is capable of extracting data by exploiting overly permissive guest user settings, allowing access to sensitive CRM data. The activity does not involve a vulnerability in the Salesforce platform but targets customer configuration issues. The campaign is attributed to a known threat actor group, pos

AI Bot Hackerbot-Claw Hits GitHub Repos of Microsoft, DataDog, and CNCF

Key Points: Hackerbot-Claw, a new AI-powered threat, executed a 37-hour campaign targeting major GitHub repositories, including those of Microsoft and DataDog. The attacks focused on exploiting CI/CD pipelines, allowing the AI agent to manipulate developer tools within minutes. The campaign resulted in the deletion of 97 software releases and 32,000 stars from Aqua Security's Trivy project. Hackerbot-Claw employed social engineering tactics to trick developer assistants like C

Russian Hackers Targeting Signal, WhatsApp in Attacks, Dutch Intel Warns

Key Findings: Dutch intelligence agencies AIVD and MIVD warn of a large-scale global cyber campaign by Russia-linked threat actors targeting Signal and WhatsApp accounts of government officials, military personnel, and journalists. The attackers are using social engineering tactics rather than exploiting app vulnerabilities: they impersonate Signal support bots and abuse legitimate features like "linked devices" to hijack accounts. Once they gain access, the hackers can read

Anthropic's Claude Opus AI Model Outperforms Human Teams in Discovering Firefox Vulnerabilities

Key Findings: Anthropic's AI model Claude Opus 4.6 discovered 22 security vulnerabilities in the Mozilla Firefox web browser over the course of two weeks. 14 of the 22 vulnerabilities were classified as high-severity, nearly a fifth of all high-severity Firefox issues fixed in 2025. Mozilla addressed the majority of these vulnerabilities in Firefox 148, released in January 2026. This demonstrates AI's growing capability to rapidly detect critical security flaws in complex soft

Update: emldump.py Version 0.0.17

Background: The emldump.py script is a powerful tool used by security analysts and incident responders to extract and analyze data from Microsoft Outlook email archives. This update focuses on enhancing the functionality of the "--yarastrings" option, which allows users to search for specific Yara signatures within the email data. Key Findings: The update to emldump.py version 0.0.16 includes fixes and improvements to the "--yarastrings" option. The provided MD5 and SHA256 hash

How AI Assistants are Redefining the Security Landscape

Key Findings: AI-based assistants ("agents") are growing in popularity, with the new OpenClaw AI assistant seeing rapid adoption. OpenClaw and other AI assistants can automate virtually any task, accessing the user's computer, files, online services, and integrations. Poorly secured AI assistants pose significant risks to organizations, with examples of AI agents accidentally deleting data or being exposed to the internet. Attacking misconfigured AI agent web interfaces can allow

Nginx UI Vulnerability: CVE-2026-27944 Exposes Server Backups

Key Findings: A critical vulnerability in Nginx UI, tracked as CVE-2026-27944, allows attackers to download and decrypt full server backups without authentication. The vulnerability stems from two major flaws: the /api/backup endpoint lacks authentication, and the server exposes the AES-256 encryption key and IV in an HTTP response header. Exploitation of the vulnerability could have serious consequences, as a full Nginx UI backup contains large amounts of sensitive operational

GitHub Malware Operation Spreads Dangerous BoryptGrab Stealer

Key Findings: BoryptGrab information stealer spreading through over 100 GitHub repositories. Malware designed to collect browser data, cryptocurrency wallets, system details, and user files. Some variants deploy a PyInstaller backdoor called TunnesshClient for remote command execution. Background: Trend Micro has uncovered a campaign distributing the BoryptGrab information stealer through more than 100 GitHub repositories. BoryptGrab is capable of collecting sensitive data such as

Hackers Abuse Red Alert App to Spy on Israeli Users

Key Findings: Deceptive mobile campaign discovered targeting people in Israel using a fake version of the popular "Red Alert" life-saving app. The app appears to be a modified version of the legitimate "Red Alert" app, which is widely used to provide real-time warnings about incoming rockets. The attack starts with a simple text message claiming there is a technical problem with the current alert system and providing a link to download an updated version. Background: The "Red Aler

Cyber Espionage: Iran-Backed Hackers Target IP Cameras in Israel and Gulf States

Key Findings: Iran-linked hackers targeted IP cameras across Israel and several Gulf countries, including the UAE, Qatar, Bahrain, and Kuwait, as well as Lebanon and Cyprus. The goal appears to be reconnaissance and real-time monitoring to support intelligence gathering and potential military targeting. Threat actors targeted vulnerabilities in Hikvision and Dahua IP cameras, such as improper authentication, command injection, and remote code execution flaws. Scanning and exp

FBI Investigating Breach of Sensitive Surveillance System

Key Findings: The FBI is investigating suspicious cyber activity affecting an internal system that stores sensitive data tied to surveillance operations and investigations. The affected system is unclassified but contains law enforcement-sensitive information, including data from legal tools like pen register and trap-and-trace orders, and personally identifiable information linked to investigations. The FBI has identified and addressed the suspicious activities, using all ava

OpenAI Codex Security Agent Scans Millions of Commits, Uncovers High-Severity Issues

Key Findings: OpenAI has launched Codex Security, an AI-powered security agent designed to find, validate, and propose fixes for software vulnerabilities. Over the last 30 days, Codex Security has scanned more than 1.2 million commits across external repositories, identifying 792 critical and 10,561 high-severity findings. The vulnerabilities found include issues in various open-source projects like OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium. Codex Security leve

Microsoft says North Korea is using AI-powered fake IT workers to scale up scams

Key Findings: North Korean threat groups are using artificial intelligence (AI) tools to accelerate and expand the country's long-running scheme to get remote technical workers hired at global companies. AI services are empowering North Korean operatives across the attack lifecycle, turning AI into a "force multiplier" for their efforts. Threat groups are using AI to shorten the time it takes to create digital personas for specific job markets and roles, leveraging financial o

Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT

Key Findings: Multi-stage malware campaign codenamed VOID#GEIST delivers various remote access trojan (RAT) payloads, including XWorm, AsyncRAT, and Xeno RAT. Malware utilizes obfuscated batch scripts as a pathway to deploy and execute encrypted shellcode payloads. Leverages legitimate embedded Python runtime for portability, reliability, and stealth. Employs fileless execution mechanisms and memory injection techniques to evade detection. Background: Cybersecurity researchers have

Transparent Tribe Uses AI to Mass-Produce Malware Implants Targeting India

Key Findings: Transparent Tribe, a Pakistan-aligned hacking group, has embraced the use of AI-powered coding tools to mass-produce malware implants. The goal is to flood target environments with a "high-volume, mediocre mass of implants" using lesser-known programming languages like Nim, Zig, and Crystal. These malware samples rely on trusted services like Slack, Discord, Supabase, and Google Sheets to fly under the radar, a technique dubbed "Distributed Denial of Detection (D

Google GTIG Reveals 90 Zero-Day Flaws Exploited in 2025, Underscoring Increasing Attacks on Enterprise Targets

Key Findings: Google's Threat Intelligence Group (GTIG) identified 90 zero-day vulnerabilities exploited in the wild in 2025, up from 78 in 2024. Nearly half of the flaws (43, or 48%) targeted enterprise technologies, marking a record share and confirming a shift toward enterprise-focused attacks. Browser exploitation declined to historic lows, while operating system flaws were increasingly abused. Nation-state actors mainly targeted edge devices and security appliances, while co

Dindoor Malware Targets U.S. Networks in New MuddyWater Campaign

Key Findings: Iran-linked MuddyWater (aka SeedWorm) APT group targeted U.S. organizations, including banks, airports, nonprofits, and a software supplier to the defense and aerospace sectors. The group deployed a previously unknown backdoor called Dindoor, which leverages the Deno JavaScript runtime for execution. An attempt was made to exfiltrate data from the targeted software company using the Rclone utility to a Wasabi cloud storage bucket. A separate Python backdoor called F

Microsoft Warns of ClickFix Using Windows Terminal to Distribute Lumma Stealer

Key Findings: Microsoft Defender experts uncovered a widespread ClickFix campaign exploiting Windows Terminal to deliver Lumma Stealer malware. The campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, bypassing Run-dialog detections. Attackers guide users to paste malicious PowerShell commands from fake CAPTCHAs, troubleshooting prompts, or verification-style lures. The malicious payload downloads and executes a multi-st

Dust Specter APT Targets Iraqi Government Officials with New AI-Assisted Malware

Key Findings: Suspected Iran-nexus threat actor, tracked as "Dust Specter", targeted Iraqi government officials in a campaign observed in January 2026. The threat actor used phishing emails impersonating Iraq's Ministry of Foreign Affairs to deliver previously undocumented malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The attacks involved two different infection chains, one using a password-protected RAR archive and another consolidating the same fu


© 2025 by Explain IT Again. Powered and secured by Wix
