ALL POSTS
Dindoor Malware Targets U.S. Networks in New MuddyWater Campaign
Key Findings: Iran-linked MuddyWater (aka SeedWorm) APT group targeted U.S. organizations, including banks, airports, nonprofits, and a software supplier to the defense and aerospace sectors. The group deployed a previously unknown backdoor called Dindoor, which leverages the Deno JavaScript runtime for execution. An attempt was made to exfiltrate data from the targeted software company using the Rclone utility to a Wasabi cloud storage bucket. A separate Python backdoor called F
Mar 6 · 2 min read
Microsoft Warns of ClickFix Using Windows Terminal to Distribute Lumma Stealer
Key Findings: Microsoft Defender experts uncovered a widespread ClickFix campaign exploiting Windows Terminal to deliver Lumma Stealer malware. The campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, bypassing Run-dialog detections. Attackers guide users to paste malicious PowerShell commands from fake CAPTCHAs, troubleshooting prompts, or verification-style lures. The malicious payload downloads and executes a multi-st
Mar 6 · 2 min read
Dust Specter APT Targets Iraqi Government Officials with New AI-Assisted Malware
Key Findings: Suspected Iran-nexus threat actor, tracked as "Dust Specter", targeted Iraqi government officials in a campaign observed in January 2026. The threat actor used phishing emails impersonating Iraq's Ministry of Foreign Affairs to deliver previously undocumented malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The attacks involved two different infection chains, one using a password-protected RAR archive and another consolidating the same fu
Mar 6 · 2 min read
Europol-Led Operation Disrupts Tycoon 2FA Phishing Scheme Linked to Thousands of Attacks
Key Findings: Tycoon 2FA, a prominent Phishing-as-a-Service (PhaaS) platform, was dismantled by a coalition of law enforcement agencies and security companies led by Europol. The subscription-based phishing kit, which emerged in August 2023, was described as one of the largest phishing operations worldwide. Tycoon 2FA's primary developer is alleged to be Saad Fridi, who is said to be based in Pakistan. The platform enabled thousands of cybercriminals to covertly access email a
Mar 6 · 2 min read
Phobos Ransomware Operator Pleads Guilty, Faces Lengthy Prison Sentence
Key Findings: Evgenii Ptitsyn, a 43-year-old Russian national, pleaded guilty to wire fraud conspiracy for his role in the Phobos ransomware operation. Ptitsyn was a high-level administrator of the Phobos ransomware-as-a-service (RaaS) operation. The Phobos ransomware operation targeted over 1,000 public and private entities worldwide, extorting more than $16 million in ransom payments. Ptitsyn and his co-conspirators used a RaaS model to distribute Phobos ransomware to a net
Mar 5 · 2 min read
Operation Leak: Dismantling the LeakBase Cybercrime Forum
Key Findings: The Federal Bureau of Investigation (FBI) seized the LeakBase cybercrime forum (leakbase[.]la) as part of "Operation Leak", an international crackdown led by Europol. LeakBase was a key hub in the cybercrime ecosystem, specializing in trading leaked databases and "stealer logs" containing compromised credentials. The forum had over 142,000 registered users, approximately 32,000 posts, and more than 215,000 private messages as of December 2025. Law enforcement age
Mar 5 · 2 min read
Coruna iOS Exploit Kit Targeting iOS 13-17.2.1
Key Findings: Google's Threat Intelligence Group (GTIG) identified a powerful new iOS exploit kit called Coruna (also known as CryptoWaters). The kit targets Apple iPhones running iOS versions 13.0 through 17.2.1. It includes five full exploit chains and a total of 23 exploits. The kit is highly effective against the targeted iOS versions, but is ineffective against the latest iOS release. Background: GTIG first captured parts of an iOS exploit chain used by a customer of a surveil
Mar 5 · 2 min read
CISA Adds Actively Exploited VMware Aria Operations Flaws to KEV Catalog
Key Findings: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2026-22719 (CVSS 8.1), Broadcom VMware Aria Operations Command Injection Vulnerability; and CVE-2026-21385 (CVSS 7.8), Qualcomm Multiple Chipsets Memory Corruption Vulnerability. Background: The Broadcom vulnerability is a command injection flaw that allows an unauthenticated attacker to execute arbitrary commands, po
Mar 4 · 1 min read
Sangoma FreePBX Vulnerability Exploited, Impacts Over 900 Instances
Key Findings: About 900 Sangoma FreePBX systems were infected with web shells after attackers exploited a command injection flaw. Hundreds of Sangoma FreePBX instances are still infected with web shells following attacks that began in December 2025. The campaign exploited a post-authentication command injection vulnerability, tracked as CVE-2025-64328 (CVSS score of 8.6), in the endpoint manager interface. The Shadowserver Foundation reports that around 900 FreePBX instances a
Mar 1 · 2 min read
Flaw in ClawJacked Lets Malicious Sites Hijack Local OpenClaw AI Agents through WebSocket
Key Findings: OpenClaw has fixed a high-severity security issue that could have allowed a malicious website to connect to a locally running AI agent and take over control. The flaw, dubbed "ClawJacked" by Oasis Security, enables a malicious website to silently open a WebSocket connection to the local OpenClaw gateway and brute-force the password. Upon successful authentication, the malicious script can register as a trusted device, which is automatically approved by the gatewa
Mar 1 · 2 min read
Gemini AI Data Exposure via Public Google API Keys
Key Findings: Nearly 3,000 Google API keys (identified by the prefix "AIza") were found embedded in client-side code, providing access to sensitive Gemini endpoints and private data. The problem occurs when users enable the Gemini API on a Google Cloud project, causing the existing API keys in that project to gain access to Gemini endpoints without any warning or notice. Creating a new API key in Google Cloud defaults to "Unrestricted," meaning it's applicable for every enable
Feb 28 · 2 min read
Aeternum C2: The Botnet That Lives on the Polygon Blockchain
Key Findings: Aeternum is a C++ botnet loader that uses the Polygon blockchain as its command-and-control (C2) infrastructure. The botnet stores its instructions in smart contracts on the Polygon blockchain, making its C2 effectively permanent and resistant to traditional takedown methods. Infected machines poll public RPC endpoints, read the on-chain instructions, and execute them, allowing the botnet operators to manage multiple contracts and payloads simultaneously. Blockc
Feb 27 · 2 min read
Google GTIG Disrupts China-Linked APT UNC2814, Halting Attacks on 53 Orgs in 42 Countries
Key Findings: Google Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign by UNC2814, a suspected China-linked cyber espionage group. UNC2814 had breached at least 53 organizations across 42 countries, primarily targeting telecommunications and government sectors. The group used a novel backdoor called GRIDTIDE that leveraged legitimate Google Sheets API functions for command-and-control. GTIG took coordinated action to disrupt UNC2814's
Feb 27 · 2 min read
Aeternum C2 Botnet Leverages Polygon Blockchain to Evade Takedown
Key Findings: Aeternum C2 is a new botnet that uses the Polygon blockchain to store encrypted command-and-control (C2) instructions. This approach makes Aeternum's C2 infrastructure effectively permanent and resistant to traditional takedown methods. The malware works by writing commands to be issued to infected hosts into smart contracts on the Polygon blockchain. The bots then read those commands by querying public remote procedure call (RPC) endpoints, with the commands man
Feb 26 · 2 min read
Dohdoor Backdoor Hits U.S. Education and Healthcare
Key Findings: Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor. Initial access likely occurs through phishing, triggering a PowerShell script that downloads a batch file and then a malicious DLL named Dohdoor via sideloading. The malware uses DNS-over-HTTPS and Cloudflare infrastructure to hide its command-and-control tra
Feb 26 · 3 min read
Cisco SD-WAN Zero-Day Exploited Since 2023 for Admin Access
Key Findings: A critical Cisco SD-WAN vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), has been actively exploited since 2023 to gain remote, unauthenticated administrative access. The vulnerability allows an attacker to bypass authentication and gain full administrative access to affected Cisco Catalyst SD-WAN Controller and Manager systems. Exploited environments include on-premises, Cisco Hosted SD-WAN Cloud, and FedRAMP Cisco Hosted SD-WAN Cloud deployments.
Feb 26 · 2 min read
Google Disrupts Massive Cyberespionage Campaign Across Multiple Countries
Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries. Key Findings: Google, in collaboration with industry partners, disrupted the infrastructure of the suspected China-nexus cyber espionage group UNC2814. UNC2814 breached at least 53 organizations across 42 countries in the Americas, Asia, and Africa. The threat actor may have targeted at least 20 additional countries. UNC2814 used a novel backdoor called GRIDTIDE that abuses Google Sheets API for comma
Feb 25 · 2 min read
Hacker Leverages AI to Breach Hundreds of FortiGate Devices Globally
Amazon Alerts: Low-Skill Hacker Used AI Tools to Breach FortiGate Devices Globally. Key Findings: A Russian-speaking individual with limited technical skills managed to infiltrate over 600 FortiGate security devices across 55 countries in just over a month. The attacker used commercial AI services as a force multiplier, turning basic hacking into a high-speed assembly line. The attacker systematically scanned the internet for exposed management ports and used AI to test common
Feb 25 · 2 min read
APT28 Targeted European Entities Using Webhook-Based Macro Malware
Background: The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe. The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze. Key Findings: The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration. The attack chain
Feb 24 · 1 min read
Hackers Exploit Excel to Hide XWorm 7.2 in JPEG, Hijacking PCs
Background: The XWorm malware has been around since 2022, but the latest version 7.2 surfaced on Telegram marketplaces in late 2025 and early 2026. Attackers are using social engineering tactics to lure victims into opening malicious Excel attachments in emails disguised as business communications. Technical Details: The Excel file exploits an old vulnerability (CVE-2018-0802) to run a hidden script (HTA file) that downloads what appears to be a normal JPEG image. However, the
Feb 23 · 2 min read
