ALL POSTS
Hidden Passenger: Taboola's Routing of Authenticated Banking Sessions to Temu Exposed
Key Findings:
- A European bank's approved Taboola pixel silently redirected authenticated users to a Temu tracking endpoint without the bank's knowledge or the user's consent
- The redirect chain exploited "first-hop bias": security tools validate the declared origin domain but not the runtime destination reached through 302 redirects
- Temu's tracking pixel responded with Access-Control-Allow-Credentials headers, which permit credentialed (cookie-bearing) cross-origin requests from the banking session
- Standard security controls including WA
1 hour ago · 3 min read
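The "first-hop bias" finding above comes down to one gap: a pixel's declared domain is checked once, and nobody follows the 302s at runtime. The script below is an added example (not code from the original post, the bank, or any vendor) that follows a redirect chain hop by hop, flags any hop that lands outside an allowlist of approved vendor domains, and reports whether the terminal endpoint answers with Access-Control-Allow-Credentials. The network is replaced by a constructed in-memory map of responses so it runs offline; the hostnames pixel.example-adnetwork.test, cdn.example-adnetwork.test, track.example-marketplace.test and bank.example.test are hypothetical stand-ins, not the real endpoints in the article.

```python
"""Audit a tracking pixel's full redirect chain instead of only its first hop.

Added example, not the original post's code. Responses are constructed and
served from FAKE_NETWORK so the audit runs offline; swap in a real fetcher
(e.g. requests.get(url, allow_redirects=False)) for live use.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed stand-in for the network: URL -> Response. Hypothetical hosts.
FAKE_NETWORK: Dict[str, Response] = {
    "https://pixel.example-adnetwork.test/px?id=123": Response(
        302, {"Location": "https://cdn.example-adnetwork.test/r/abc"}),
    "https://cdn.example-adnetwork.test/r/abc": Response(
        302, {"Location": "//track.example-marketplace.test/t.gif"}),  # scheme-relative hop
    "https://track.example-marketplace.test/t.gif": Response(
        200, {"Access-Control-Allow-Origin": "https://bank.example.test",
              "Access-Control-Allow-Credentials": "true"}),
}


def fake_fetch(url: str) -> Response:
    return FAKE_NETWORK.get(url, Response(404))


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def in_allowlist(host: str, allowed: Set[str]) -> bool:
    """True if host equals or is a subdomain of an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def first_hop_ok(url: str, allowed: Set[str]) -> bool:
    """The check the article says most tools stop at: declared origin only."""
    return in_allowlist(_host(url), allowed)


@dataclass
class Finding:
    hop: int
    url: str
    reason: str


def audit_chain(start_url: str, allowed: Set[str],
                fetch: Callable[[str], Response] = fake_fetch,
                max_hops: int = 10) -> Tuple[List[str], List[Finding]]:
    """Follow 3xx Location headers from start_url; return (chain, findings)."""
    chain: List[str] = [start_url]
    findings: List[Finding] = []
    url = start_url
    for hop in range(max_hops):
        resp = fetch(url)
        if 300 <= resp.status < 400 and "Location" in resp.headers:
            # urljoin resolves relative and scheme-relative Location values
            nxt = urljoin(url, resp.headers["Location"])
            chain.append(nxt)
            url = nxt
            if not in_allowlist(_host(nxt), allowed):
                findings.append(Finding(hop + 1, nxt, "redirect to non-allowlisted host"))
            continue
        # Terminal response: does it invite credentialed cross-origin requests?
        acac = resp.headers.get("Access-Control-Allow-Credentials", "").strip().lower()
        if acac == "true":
            findings.append(Finding(hop, url,
                                    "terminal endpoint allows credentialed cross-origin requests"))
        break
    else:
        findings.append(Finding(max_hops, url, "redirect limit reached without a terminal response"))
    return chain, findings


if __name__ == "__main__":
    start = "https://pixel.example-adnetwork.test/px?id=123"
    approved = {"example-adnetwork.test"}
    print("first-hop check passes:", first_hop_ok(start, approved))
    chain, findings = audit_chain(start, approved)
    for i, u in enumerate(chain):
        print(f"hop {i}: {u}")
    for f in findings:
        print(f"FINDING hop {f.hop}: {f.reason} -> {f.url}")
```

Run against the constructed chain, `first_hop_ok` returns True while `audit_chain` raises two findings: the second hop leaves the approved domain, and the terminal endpoint sets `Access-Control-Allow-Credentials: true`. In a real deployment the same walk should be repeated periodically, since the article's point is that the chain changed after the pixel was approved.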
UAC-0247's Expanding Cyber Campaign: Ukrainian Clinics and Government in Data-Theft Malware Crosshairs
Key Findings:
- UAC-0247 conducted a targeted campaign against Ukrainian government agencies and municipal healthcare facilities between March and April 2026
- Attack chain begins with phishing emails posing as humanitarian aid proposals, using either AI-generated fake sites or legitimate sites compromised via XSS vulnerabilities
- Malware payload steals sensitive data from Chromium-based browsers and WhatsApp through multiple custom and open-source tools
- Evidence suggests Ukrainian
20 hours ago · 3 min read
n8n Webhooks Exploited Since October 2025 in Malware Distribution Campaign
Key Findings:
- Threat actors have weaponized n8n webhooks since October 2025 to deliver malware and fingerprint devices through phishing campaigns
- Malicious emails containing n8n webhook URLs appear legitimate because they originate from trusted n8n domains
- Email volume containing these URLs increased 686% from January 2025 to March 2026
- Two primary attack methods observed: malware delivery via fake document links and device fingerprinting using invisible tracking pixels
- Attack
1 day ago · 2 min read
Mirax Malware Campaign Compromises 220,000 Accounts With Complete Remote Access Capabilities
Key Findings:
- Mirax, a new Android RAT, infected over 220,000 users primarily in Spanish-speaking regions through Meta platform advertisements
- The malware grants attackers full remote control of devices and converts them into SOCKS5 residential proxies for routing malicious traffic
- Distribution uses a multi-stage attack combining phishing sites, fake streaming apps, and GitHub-hosted droppers with strong obfuscation
- Mirax operates as an exclusive malware-as-a-service limited t
1 day ago · 3 min read
ShinyHunters Claims Responsibility for Rockstar Games Breach, Begins Data Leaks
Key Findings:
- ShinyHunters claims to have breached Rockstar Games through third-party cloud provider Anodot, accessing 8.1GB of data
- Leaked files include anti-cheat source code, player analytics, game assets, support tickets, and financial information
- Group set April 14, 2026 deadline for ransom payment, threatening data release and "digital disruption"
- Rockstar minimized impact, stating only non-material corporate information was accessed with no effect on operations or playe
2 days ago · 3 min read
Booking.com Data Breach: Hackers Accessed Customer Information, Systems Now Secured
Key Findings:
- Booking.com confirmed a targeted data breach affecting reservation records
- Exposed data includes names, email addresses, phone numbers, postal addresses, and booking details
- Payment information was not accessed
- Company has not disclosed the number of affected users or attack methodology
- Reservation PIN codes have been reset as a precaution
- Over 100 million users accessed the mobile app in 2024, amplifying breach severity
- Attackers can now leverage booking data to
3 days ago · 2 min read
Hacker Leveraged Claude and GPT-4.1 AI to Steal Hundreds of Millions of Mexican Records
Key Findings:
- A single hacker compromised nine Mexican government agencies between December 2025 and February 2026 using Claude Code and GPT-4.1
- The attacker generated 5,317 AI-executed commands across 34 sessions, with Claude Code running approximately 75% of remote commands to government systems
- Over 305 million citizen records were exfiltrated, including 195 million taxpayer records, 220 million civil records, and sensitive health and domestic violence victim data
- The hacke
4 days ago · 4 min read
Adobe Releases Critical Security Patch for Actively Exploited Acrobat Reader Vulnerability CVE-2026-34621
Key Findings:
- Adobe released emergency patches for CVE-2026-34621, a critical vulnerability in Acrobat Reader actively exploited in the wild
- The flaw has a CVSS score of 8.6 and allows arbitrary code execution through prototype pollution in JavaScript
- Evidence suggests exploitation has been occurring since at least December 2025
- Security researcher Haifei Li discovered the vulnerability being used to deliver malicious JavaScript via crafted PDFs
- Affected versions include Acrob
4 days ago · 2 min read
CPUID Website Breach Deploys STX RAT Through Compromised CPU-Z and HWMonitor Downloads
Key Findings:
- CPUID's website was compromised for approximately 24 hours (April 9-10, 2026) to distribute trojanized CPU-Z and HWMonitor installers containing STX RAT malware
- Threat actors manipulated a secondary API to redirect download links to malicious websites hosting infected executables
- The malware used DLL sideloading with a file named CRYPTBASE.dll to execute payloads while evading detection
- Over 150 victims identified across individuals and organizations in retail, m
5 days ago · 3 min read
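The CRYPTBASE.dll sideloading technique above leaves a simple artifact to hunt for: a DLL that legitimately exists only under the Windows system directories turning up beside an executable somewhere else. The script below is an added example (not the CPUID advisory's or any vendor's detection logic) that applies that heuristic to a file listing. The listing is constructed for illustration; the extra DLL names beyond CRYPTBASE.dll are an assumption about common sideloading targets and should be tuned to your estate, since some legitimate installers do ship private copies of system DLLs.

```python
"""Hunt for DLL sideloading candidates in a file listing.

Added example, not the CPUID advisory's own detection logic. Heuristic: a
system-only DLL name (CRYPTBASE.dll is the one named in the incident) located
outside the Windows system directories and alongside an .exe in the same folder.
"""
from __future__ import annotations

from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# DLLs that normally live only under System32/SysWOW64. CRYPTBASE.dll comes
# from the article; the others are an assumption (well-known sideload targets).
SYSTEM_ONLY_DLLS = {"cryptbase.dll", "version.dll", "dbghelp.dll", "userenv.dll"}

# Directories where these DLLs are expected; anything else is fair game.
SYSTEM_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\windows\\winsxs",
)


def _is_system_dir(directory: str) -> bool:
    d = directory.lower()
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def find_sideload_candidates(paths: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return [(dll_path, [exe_paths_in_same_dir]), ...] for suspicious placements."""
    by_dir: Dict[str, List[PureWindowsPath]] = {}
    for raw in paths:
        p = PureWindowsPath(raw)
        by_dir.setdefault(str(p.parent), []).append(p)

    hits: List[Tuple[str, List[str]]] = []
    for directory, files in by_dir.items():
        if _is_system_dir(directory):
            continue  # expected location, not a sideload
        exes = sorted(str(f) for f in files if f.suffix.lower() == ".exe")
        if not exes:
            continue  # a stray DLL with nothing to load it is lower priority
        for f in files:
            if f.name.lower() in SYSTEM_ONLY_DLLS:
                hits.append((str(f), exes))
    return hits


# Constructed file listing, not taken from a real host.
SAMPLE_LISTING = [
    r"C:\Windows\System32\cryptbase.dll",                  # legitimate copy
    r"C:\Users\victim\Downloads\setup_pkg\setup.exe",      # dropped installer
    r"C:\Users\victim\Downloads\setup_pkg\CRYPTBASE.dll",  # sideloaded DLL
    r"C:\Users\victim\Downloads\setup_pkg\readme.txt",
    r"C:\Users\victim\Downloads\other\monitor.exe",        # exe without a DLL
    r"C:\Users\victim\Tools\stray\version.dll",            # DLL without an exe
]

if __name__ == "__main__":
    for dll, exes in find_sideload_candidates(SAMPLE_LISTING):
        print(f"SUSPECT {dll} next to {', '.join(exes)}")
```

On the constructed listing only the Downloads copy of CRYPTBASE.dll is reported; the System32 copy and the lone version.dll are skipped. Feed it the output of a file inventory (EDR file events, a forensic image listing) and follow up by checking whether the flagged DLL is signed by Microsoft, which a sideloaded stand-in will not be.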
Law Enforcement's Mass Surveillance Through Ad Data: The Webloc Tracking of 500 Million Devices
Key Findings:
- Webloc, an ad-based geolocation surveillance system, tracks up to 500 million mobile devices globally without warrant requirements
- Law enforcement agencies in the U.S., Hungary, and El Salvador have deployed the tool, including ICE, DHS, and local police departments across multiple cities
- The system accesses device identifiers, location coordinates, and personal data harvested from mobile apps and digital advertising networks
- Israeli company Cobwebs Technologies
5 days ago · 3 min read
FBI's iPhone Notification Loophole: How Deleted Signal Messages Aren't Really Deleted
Key Findings:
- FBI successfully recovered deleted Signal messages from an iPhone using Apple's notification database
- Messages were extracted even after the Signal app was completely uninstalled from the device
- Only incoming messages could be recovered, not outgoing ones, confirming data came from notification storage
- The vulnerability affects any messaging app that displays preview notifications, including WhatsApp and Telegram
- Users can disable message previews in iPhone and a
6 days ago · 2 min read
Adobe Reader Zero-Day Under Active Exploitation: Malicious PDFs Weaponized in the Wild
Key Findings:
- Threat actors have been actively exploiting a previously unknown zero-day vulnerability in Adobe Reader since at least November 2025
- Malicious PDF documents named with invoice-themed filenames use Russian language lures related to oil and gas industry issues to trick victims into opening them
- The exploit automatically executes obfuscated JavaScript upon opening to harvest sensitive data and receive additional malicious payloads
- The vulnerability allows execution
Apr 9 · 2 min read
Hack-for-Hire Spyware Campaign Targets Journalists Across MENA Region
Key Findings:
- A coordinated hack-for-hire campaign targeting journalists and activists across the Middle East and North Africa has been active since at least 2022, with operations continuing into 2025
- The campaign is attributed to Bitter, a threat actor with suspected ties to the Indian government, operating as a likely contracted espionage service
- Two Egyptian journalists and critics of their government, Mostafa Al-A'sar and Ahmed Eltantawy, were targeted with sophisticated s
Apr 9 · 3 min read
Flowise AI Agent Builder Faces Critical CVSS 10.0 RCE Vulnerability With 12,000+ Exposed Instances Under Active Exploitation
Key Findings:
- CVE-2025-59528, a maximum-severity code injection vulnerability (CVSS 10.0), is being actively exploited against Flowise, an open-source AI platform
- The flaw allows remote code execution with only an API token required for exploitation
- Over 12,000 Flowise instances are exposed and vulnerable to attack
- Exploitation activity has been confirmed originating from a single Starlink IP address
- The vulnerability was patched in version 3.0.6 but remains unpatched on thous
Apr 7 · 2 min read
Fast-moving Storm-1175 exploits new vulnerabilities to breach networks and deploy Medusa
Key Findings:
- China-based Storm-1175 executes rapid ransomware attacks, sometimes completing full intrusions within 24 hours
- The group exploits newly disclosed vulnerabilities before organizations can patch them, leveraging over 16 different flaws since 2023
- Primary targets include healthcare, education, finance, and services sectors across the US, UK, and Australia
- Storm-1175 has weaponized zero-day exploits before public disclosure, demonstrating advanced capabilities
- The gr
Apr 7 · 3 min read
$285 Million Drift Hack: Inside the Six-Month North Korean Social Engineering Campaign
Key Findings:
- North Korean state-sponsored hacking group UNC4736 orchestrated a six-month social engineering campaign against Drift, culminating in the theft of $285 million on April 1, 2026
- The operation began in fall 2025 with actors posing as a quantitative trading firm, using in-person meetings at cryptocurrency conferences across multiple countries to build trust with Drift contributors
- UNC4736 is also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pis
Apr 5 · 3 min read
Qilin Ransomware Group Claims Hack of German Political Party Die Linke
Key Findings:
- Qilin ransomware group claims to have breached Die Linke, Germany's left-wing political party, and posted the claim on its Tor data leak site on April 1, 2026
- Die Linke discovered the attack on March 27 and confirmed the incident but has not verified whether data was actually stolen
- The party's membership database was not compromised and no member data was accessed
- Qilin has provided no proof of the breach despite making the claim
- Qilin is one of the most prolifi
Apr 5 · 2 min read
Crunchyroll Data Breach Impacts Nearly 1.2 Million Accounts
Key Findings:
- Crunchyroll experienced a data breach in March 2026 affecting approximately 6.8 million users
- Attackers gained unauthorized access to the company's Zendesk support system
- Exposed data included names, login credentials, email addresses, IP addresses, geographic location data, and support ticket contents
- A subset of 1.2 million email addresses from a larger 2 million record dataset was later provided to Have I Been Pwned
- 1,195,684 breached accounts were confirmed i
Apr 4 · 2 min read
Drift's $285 Million Durable Nonce Hack: DPRK-Linked Social Engineering Attack Raises Questions About Protocol Security
Key Findings:
- Drift Protocol, a Solana-based decentralized exchange, lost approximately $285 million on April 1, 2026 in a sophisticated social engineering attack
- Attackers exploited durable nonce mechanisms to obtain unauthorized multisig approvals and gain control of the Security Council administrative powers
- The attack involved multi-week preparation starting as early as March 23, 2026, with staged execution and pre-signed transactions
- Threat actors created a fictitious ass
Apr 3 · 3 min read
Massive CVE-2025-55182 Exploit Campaign Compromises 766 Next.js Servers in Credential Theft Attack
Key Findings:
- At least 766 Next.js hosts across multiple geographic regions and cloud providers compromised through CVE-2025-55182 exploitation
- Threat cluster UAT-10608 attributed to the campaign by Cisco Talos
- Critical vulnerability (CVSS 10.0) in React Server Components and Next.js App Router enables remote code execution
- NEXUS Listener framework deployed post-compromise to harvest and exfiltrate credentials via web-based GUI
- Stolen data includes database credentials, SSH ke
Apr 3 · 2 min read
