ALL POSTS

Europol-Led Operation Disrupts Tycoon 2FA Phishing Scheme Linked to Thousands of Attacks

Key Findings: Tycoon 2FA, a prominent Phishing-as-a-Service (PhaaS) platform, was dismantled by a coalition of law enforcement agencies and security companies led by Europol. The subscription-based phishing kit, which emerged in August 2023, was described as one of the largest phishing operations worldwide. Tycoon 2FA's primary developer is alleged to be Saad Fridi, who is said to be based in Pakistan. The platform enabled thousands of cybercriminals to covertly access email a

APT28-Linked Campaign Targets Ukraine with Malware Threats

Key Findings: A new Russian cyber campaign has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28. The attack chain initiates with a phishing email containing a link to a ZIP archive, which leads to the deployment of a .NET-based loader called BadPaw and a sophisticated backdoor called MeowMeow. Background: T

Phobos Ransomware Operator Pleads Guilty, Faces Lengthy Prison Sentence

Key Findings: Evgenii Ptitsyn, a 43-year-old Russian national, pleaded guilty to wire fraud conspiracy for his role in the Phobos ransomware operation. Ptitsyn was a high-level administrator of the Phobos ransomware-as-a-service (RaaS) operation. The Phobos ransomware operation targeted over 1,000 public and private entities worldwide, extorting more than $16 million in ransom payments. Ptitsyn and his co-conspirators used a RaaS model to distribute Phobos ransomware to a net

Malware Attacks: Russian APT Targets Ukraine with BadPaw and MeowMeow

Key Findings: Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain. The malware uses the .NET Reactor packer to make analysis and reverse engineering harder, showing th

Operation Leak: Dismantling the LeakBase Cybercrime Forum

Key Findings: The Federal Bureau of Investigation (FBI) seized the LeakBase cybercrime forum (leakbase[.]la) as part of "Operation Leak", an international crackdown led by Europol. LeakBase was a key hub in the cybercrime ecosystem, specializing in trading leaked databases and "stealer logs" containing compromised credentials. The forum had over 142,000 registered users, approximately 32,000 posts, and more than 215,000 private messages as of December 2025. Law enforcement age

Coruna iOS Exploit Kit Targeting iOS 13-17.2.1

Key Findings: Google's Threat Intelligence Group (GTIG) identified a powerful new iOS exploit kit called Coruna (also known as CryptoWaters). The kit targets Apple iPhones running iOS versions 13.0 through 17.2.1. It includes five full exploit chains and a total of 23 exploits. The kit is highly effective against the targeted iOS versions, but is ineffective against the latest iOS release. Background: GTIG first captured parts of an iOS exploit chain used by a customer of a surveil

Silver Dragon: APT41-Linked Threat Targeting Governments with Cobalt Strike and Google Drive C2

Key Findings: Silver Dragon, an APT group linked to APT41, has been targeting government entities in Europe and Southeast Asia since mid-2024. The group gains initial access by exploiting public-facing internet servers and delivering phishing emails with malicious attachments. Silver Dragon uses techniques like Cobalt Strike beacons and DNS tunneling for persistence and command-and-control (C2) communication. The group employs multiple infection chains, including AppDomain hij

University of Hawaii Cancer Center Suffers Ransomware Attack, Exposing 1.2M Individuals

Key Findings: A ransomware attack on the University of Hawaiʻi (UH) Cancer Center compromised personal data of approximately 1.2 million individuals. The attack, detected on August 31, 2025, targeted servers supporting the center's Epidemiology Division and did not impact clinical operations, patient care, or student records. The stolen data includes names, Social Security numbers, driver's license details, voter registration records, and health-related information, raising co

CISA Adds Actively Exploited VMware Aria Operations Flaws to KEV Catalog

Key Findings: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2026-22719 (CVSS 8.1), Broadcom VMware Aria Operations Command Injection Vulnerability; and CVE-2026-21385 (CVSS 7.8), Qualcomm Multiple Chipsets Memory Corruption Vulnerability. Background: The Broadcom vulnerability is a command injection flaw that allows an unauthenticated attacker to execute arbitrary commands, po

AI Agents: The Next Wave of Identity Dark Matter

Key Findings: The Model Context Protocol (MCP) is enabling AI agents to move beyond "chat" and into real enterprise work, providing structured access to applications, APIs, and data. These AI agents are rapidly being adopted in production, through horizontal assistants like Microsoft Copilot and vertical industry-specific agents. However, the governance and policy controls required to manage these AI agents are significantly lagging behind their adoption. These AI "colleagues

Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication

Key Findings: Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections. Starkiller is advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard to impersonate brands or enter a brand's real URL. The platform lets users choose custom keywords and integrates URL shorteners to obscure the destin

Hacker Deploys LLM-Powered AI To Attack FortiGate Devices Across 55 Countries

Key Findings: A Russian-speaking threat actor compromised over 600 FortiGate firewalls across 55 countries in just 5 weeks. The attacker systematically used generative AI and large language models (LLMs) to write tools and plan follow-on actions inside victim networks. The campaign did not rely on zero-day vulnerabilities, instead targeting publicly accessible admin panels and VPN portals protected by weak credentials. Stolen FortiGate configurations provided detailed informatio

Google Warns of Actively Exploited Qualcomm Zero-Day in Android

Key Findings: Google disclosed that a high-severity vulnerability, CVE-2026-21385 (CVSS score: 7.8), affecting an open-source Qualcomm component used in Android devices has been actively exploited. The vulnerability is a buffer over-read in the Graphics component, described by Qualcomm as "memory corruption when adding user-supplied data without checking available buffer space" and an integer overflow. Google acknowledged "there are indications that CVE-2026-21385 may be under

APT28 Exploited MSHTML 0-Day Before Microsoft Patch

Key Findings: Russia-linked APT28 reportedly exploited MSHTML zero-day CVE-2026-21513 (CVSS 8.8) before Microsoft patched it in February 2026. The vulnerability is an Internet Explorer security control bypass that can lead to code execution when a victim opens a malicious HTML page or LNK file. Akamai researchers found a malicious sample uploaded to VirusTotal in January 2026 tied to infrastructure linked to APT28. The exploit relies on nested iframes and multiple DOM contexts t

Fake Xeno and Roblox Utilities Used to Install Windows RAT, Microsoft Warns

Key Findings: Cybersecurity researchers at Microsoft Threat Intelligence have found that attackers are circulating fake gaming tools that install a remote access trojan (RAT) when users run the files. The campaign relies on trojanized executables distributed through browsers and chat platforms, convincing victims to download software such as Xeno.exe or RobloxPlayerBeta.exe, which appear legitimate at first glance. The initial file acts as a downloader that prepares the system

Sangoma FreePBX Vulnerability Exploited, Impacts Over 900 Instances

Key Findings: About 900 Sangoma FreePBX systems were infected with web shells after attackers exploited a command injection flaw. Hundreds of Sangoma FreePBX instances are still infected with web shells following attacks that began in December 2025. The campaign exploited a post-authentication command injection vulnerability, tracked as CVE-2025-64328 (CVSS score of 8.6), in the endpoint manager interface. The Shadowserver Foundation reports that around 900 FreePBX instances a

Cybercriminals Leverage AI 'Claude' to Breach Mexican Government Agencies

Key Findings: Hackers abused Anthropic's Claude AI model to develop exploits, create custom tools, and automate the exfiltration of over 150GB of data in a cyberattack targeting Mexican government systems. The attackers compromised 10 Mexican government agencies and a financial institution, starting with the tax authority in December 2025. Hackers sent over 1,000 prompts to Claude and used OpenAI's GPT-4.1 to analyze stolen data. By bypassing AI guardrails and framing actions

Flaw in ClawJacked Lets Malicious Sites Hijack Local OpenClaw AI Agents through WebSocket

Key Findings: OpenClaw has fixed a high-severity security issue that could have allowed a malicious website to connect to a locally running AI agent and take over control. The flaw, dubbed "ClawJacked" by Oasis Security, enables a malicious website to silently open a WebSocket connection to the local OpenClaw gateway and brute-force the password. Upon successful authentication, the malicious script can register as a trusted device, which is automatically approved by the gatewa

Gemini AI Data Exposure via Public Google API Keys

Key Findings: Nearly 3,000 Google API keys (identified by the prefix "AIza") were found embedded in client-side code, providing access to sensitive Gemini endpoints and private data. The problem occurs when users enable the Gemini API on a Google Cloud project, causing the existing API keys in that project to gain access to Gemini endpoints without any warning or notice. Creating a new API key in Google Cloud defaults to "Unrestricted," meaning it's applicable for every enable

ScarCruft's Audacious Breach: Zoho WorkDrive and USB Malware Compromise Air-Gapped Networks

Key Findings: ScarCruft, a North Korean threat actor, has been attributed to a new set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications. The campaign, codenamed "Ruby Jumper" by Zscaler ThreatLabz, involves the deployment of various malware families to facilitate surveillance on victim systems. One of the malware components, THUMBSBD, uses removable media to relay commands and transfer data between internet-connected and air-g

© 2025 by Explain IT Again. Powered and secured by Wix