ALL POSTS
New .NET AOT Malware Conceals Code in Stealthy Black Box Architecture
Key Findings
* New .NET AOT malware campaign discovered by Howler Cell researchers
* Uses Ahead-of-Time (AOT) compilation to evade standard security detection
* Multi-stage attack with sophisticated evasion techniques
* Targets individual systems through phishing emails
* Employs complex scoring system to determine victim validity

Background
The emergence of this malware represents a sophisticated evolution in cyberthreat techniques. Traditional malware detection relies on an
Mar 19 · 1 min read
GlassWorm Attack Exploits Stolen GitHub Tokens to Infiltrate Python Repositories
Key Findings
* GlassWorm malware campaign targeting Python repositories
* Attackers use stolen GitHub tokens to force-push malicious code
* Targets Python projects including Django apps, ML code, and PyPI packages
* Earliest injections traced to March 8, 2026
* Uses a new offshoot called "ForceMemo"
* Leverages malicious VS Code and Cursor extensions to steal credentials
* Payload includes cryptocurrency theft and data exfiltration capabilities

Background
The GlassWorm attack
Mar 16 · 2 min read
Cloudflare Human Check Exploited by Hackers to Conceal Microsoft 365 Phishing Sites
Key Findings
* Attackers are exploiting Cloudflare's human verification system to hide phishing pages
* Custom virtual machine function used to obfuscate malicious code
* Targets Microsoft 365 login credentials
* Employs sophisticated evasion techniques against security scanners
* Uses location-based filtering to block security researchers

Background
Cybercriminals have developed an innovative method of hiding phishing websites by leveraging Cloudflare's Turnstile verificatio
Mar 13 · 2 min read
Iran-Linked Handala Hackers Escalate Cyber Attacks on Stryker and Verifone
Key Findings
* Iran-linked Handala Hack Team claims cyberattacks against Stryker Corporation and Verifone on March 11
* Stryker confirms a network disruption; Verifone denies any breach
* Handala claims to have wiped 200,000 systems and extracted 50 terabytes of data from Stryker
* The group alleges the attack was retaliation for a missile strike on an Iranian school
* Verification of claims is ongoing and independent confirmation is pending

Background
The Handala Hack Team,
Mar 11 · 2 min read
Cyber Espionage: Iran-Backed Hackers Target IP Cameras in Israel and Gulf States
Key Findings: Iran-linked hackers targeted IP cameras across Israel and several Gulf countries, including the UAE, Qatar, Bahrain, and Kuwait, as well as Lebanon and Cyprus. The goal appears to be reconnaissance and real-time monitoring to support intelligence gathering and potential military targeting. Threat actors targeted vulnerabilities in Hikvision and Dahua IP cameras, such as improper authentication, command injection, and remote code execution flaws. Scanning and exp
Mar 8 · 2 min read
Hacker Leverages AI to Breach Hundreds of FortiGate Devices Globally
Amazon Alerts: Low-Skill Hacker Used AI Tools to Breach FortiGate Devices Globally Key Findings: A Russian-speaking individual with limited technical skills managed to infiltrate over 600 FortiGate security devices across 55 countries in just over a month. The attacker used commercial AI services as a force multiplier, turning basic hacking into a high-speed assembly line. The attacker systematically scanned the internet for exposed management ports and used AI to test common
Feb 25 · 2 min read
Google Identifies State-Sponsored Hackers Leveraging Gemini AI for Reconnaissance and Attack Support
Key Findings North Korea-linked threat actor UNC2970 used Google's Gemini AI model to conduct reconnaissance on its targets, including searching for information on major cybersecurity and defense companies and mapping specific technical job roles and salary information. Other state-backed hacking groups, including UNC6418 (unattributed), Temp.HEX or Mustang Panda (China), APT31 or Judgement Panda (China), APT41 (China), UNC795 (China), and APT42 (Iran), have also integrated G
Feb 12 · 3 min read
Hacker Pleads Guilty to Breaching Supreme Court, AmeriCorps, and VA Systems
Key Findings Nicholas Moore, 24, from Tennessee, pleaded guilty to repeatedly hacking the U.S. Supreme Court's electronic filing system. He used stolen credentials to access the Supreme Court's filing system, an AmeriCorps account, and a veteran's VA MyHealthEVet account. Over 25 days, he posted screenshots and personal data from his victims on his Instagram account, @ihackedthegovernment, exposing names and sensitive information publicly. Moore could serve up to one year in
Jan 20 · 1 min read
ShinyHunters Claim Resecurity Honeypot Lured Them After Breach
Key Findings Cybersecurity firm Resecurity responded to claims made by hacking group ShinyHunters that they had breached the company's internal systems. Resecurity says the attackers were interacting with a honeypot, not their real infrastructure. The honeypot included synthetic employee accounts, fake apps, and isolated infrastructure unrelated to Resecurity's real operations or customers. Resecurity claims no actual client data, passwords, or operational systems were affect
Jan 3 · 2 min read
YouTube Ghost Network: Unraveling the GachiLoader Malware Hiding in Video Links
Key Findings: A massive network of compromised YouTube accounts is being weaponized to spread a sophisticated new threat, turning the popular video platform into a launchpad for data theft. The campaign, dubbed the "YouTube Ghost Network," leverages malicious videos promoting "cracked" software, trainers, or cheats to lure users into downloading a new, heavily obfuscated JavaScript malware loader called GachiLoader. GachiLoader is written in Node.js and deploys a second-stage
Dec 19, 2025 · 2 min read
Malware BRICKSTORM: Chinese State Hackers Target VMware Systems
Key Findings: Cybersecurity agencies in the US and Canada have issued an alert about a new malware called BRICKSTORM, believed to be used by state-sponsored hackers from China. BRICKSTORM is a backdoor that gives attackers stealthy access and control over targeted systems, primarily focusing on VMware vSphere platforms. The hackers have been observed targeting organizations in the Government Services, Facilities, and Information Technology sectors. The malware uses advanced t
Dec 7, 2025 · 2 min read
Chinese Tech Firm Leak Reportedly Exposes State Linked Cyber Attacks
Key Findings: Major data leak from Chinese security firm Knownsec (aka Chuangyu) in November 2025, with over 12,000 secret files briefly appearing on GitHub. Leak provided a rare insight into China's government-backed hacking tools and operations. The data theft may have occurred as early as 2023, but the files were taken down quickly. Background Knownsec is a prominent player in China's cybersecurity industry, having received a significant investment from Tencent in 2015 and
Nov 15, 2025 · 1 min read
Chinese Hackers Exploit Anthropic AI to Orchestrate Automated Cyber Attacks
Key Findings: Chinese state-sponsored hackers successfully used Anthropic's AI coding tool, Claude Code, to automate a large-scale cyber espionage campaign targeting about 30 global organizations. The hackers manipulated Claude Code to act as an "autonomous cyber attack agent," executing 80-90% of the tactical operations with minimal human involvement. The campaign, codenamed GTG-1002, marks the first documented case of a foreign government leveraging AI to fully automate a cybe
Nov 14, 2025 · 2 min read
