top of page
ALL POSTS
Global SocGholish Takedown: Nearly 15,000 WordPress Sites Cleaned in Major Operation
Key Findings Operation EndGame, a coordinated international law enforcement action, dismantled SocGholish infrastructure on June 18, 2026 106 servers and domains taken down globally; 14,971 compromised WordPress sites remediated Law enforcement from Netherlands, Canada, United States, and Germany executed the coordinated takedown with support from Europol SocGholish serves as initial access broker for major ransomware families including LockBit, RansomHub, and WastedLocker Be
Jun 193 min read
Microsoft Uncovers Windows Clipper Malware Campaign with USB Worm and Tor-Based Command & Control
Key Findings Windows-based clipper malware campaign active since February 2026 targets cryptocurrency wallets through USB-distributed LNK shortcut files Malware uses bundled Tor client with SOCKS5 proxy to communicate with hidden-service C2 servers, avoiding traditional IP-based infrastructure detection Attack chain involves worm component that replicates across USB drives by masking itself as legitimate documents like DOC, XLSX, and PDF files Clipper steals BIP39 seed phrase
Jun 183 min read
Argamal Malware and RAT Discovered Embedded in Trojanized Hentai Games
Key Findings Kaspersky discovered Argamal, a remote access Trojan hidden in hentai game installers, detected in April 2026 The malware is distributed through adult game sites, file-sharing platforms like PixelDrain, and torrent trackers such as AniRena Infected games function perfectly, allowing users to remain unaware their systems are compromised The malware establishes persistence through COM hijacking of Windows Color System Calibration Loader Hundreds of users infected,
Jun 142 min read
Conti Ransomware Member's Guilty Plea Signals Breakthrough in Global Cybercrime Crackdown
Key Findings Ukrainian national Oleksii Oleksiyovych Lytvynenko pleaded guilty to wire fraud conspiracy related to Conti ransomware operations Conti attacked over 1,000 organizations across 47 U.S. states and 31 countries from 2020 to 2022, extorting at least $150 million Lytvynenko joined the conspiracy in September 2021 and developed malware used in the attacks He faces up to 20 years in prison with sentencing scheduled for September 10, 2026 Authorities continue pursuing f
Jun 133 min read
Atomic Arch Campaign Hijacks 400+ Linux AUR Packages to Deploy Infostealer and eBPF Rootkit
Key Findings Over 400 packages in the Arch User Repository (AUR) were hijacked this week with malicious build scripts Attackers modified PKGBUILD files to inject a credential stealer written in Rust that harvests developer secrets The malware can load an eBPF rootkit when running with root privileges to hide its presence Attack targets orphaned packages with abandoned maintainers, then spoofs commit metadata to appear legitimate Malware collects browser cookies, SSH keys, Git
Jun 124 min read
Miasma Worm Supply Chain Attack Compromises 73 Microsoft GitHub Repositories
Key Findings A self-replicating worm called Miasma compromised 73 Microsoft GitHub repositories across Azure infrastructure and core .NET, Go, Java, JavaScript, and Python frameworks GitHub staff disabled affected repositories after attackers injected malicious workflows that harvested OIDC tokens and developer credentials The attack exploited AI coding tools as an automatic execution mechanism, triggering malware when developers cloned infected repos and opened them in IDEs
Jun 93 min read
Operation FlutterBridge: macOS Backdoor Campaign Leverages Fake Google Ads and Targeted Distribution
Key Findings Operation FlutterBridge is a sophisticated malvertising campaign targeting macOS users since late 2025, evolving from basic adware into a dangerous backdoor called FlutterShell Threat actors use fake shell companies to purchase verified Google and YouTube ads, bypassing security filters through artificial aging and legitimate developer credentials The malware masquerades as productivity tools including Podcasts Lounge, PDF-Brain, and PDF-Ninja, with three distinc
Jun 83 min read
PyPI Supply Chain Attack Exploits Malware Startup Hooks at Scale
Key Findings Coordinated PyPI supply chain attack compromised multiple popular open-source packages through maintainer account takeover Malware uses Python startup hooks (.pth files) to execute automatically during installation without requiring explicit package imports 448 affected artifacts identified spanning both npm and PyPI registries Threat actors dubbed the Hades cluster, part of broader Shai-Hulud and Miasma malware lineage Socket malware detection systems identified
Jun 73 min read
Critical Miasma Worm Campaign Targets Microsoft and Red Hat in Expanding Supply Chain Attack Wave
Key Findings Miasma worm infected 73 Microsoft GitHub repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations, forcing GitHub to disable access Attack represents re-compromise of previously infected "durabletask" PyPI package, suggesting threat actors maintained persistent access for over a month Miasma operates as self-replicating malware variant of Mini Shai-Hulud worm, exploiting the trust model of package registries rather than technical vulne
Jun 64 min read
China-Linked TA4922 Hackers Deploy SilentRunLoader Malware Against UK and European Targets
Key Findings TA4922, a suspected China-aligned cybercrime group, has expanded operations from East Asia to target organisations in the UK, Germany, Italy, and South Africa The group uses locally-tailored phishing emails impersonating tax authorities, benefits services, and government agencies to increase open rates SilentRunLoader, a new Python-based malware likely developed with LLM assistance, steals Chrome credentials, cookies, and browsing data TA4922 employs a diverse to
Jun 32 min read
WordPress Malware Hides C2 Instructions in Steam Profile Comments
Key Findings New malware campaign discovered on approximately 1,980 WordPress sites using Steam Community profile comments to store encoded command-and-control instructions Malware uses invisible Unicode characters hidden within visible Steam profile comments to deliver payloads, making detection difficult Infected sites load external malicious JavaScript and contain a server-side backdoor capable of modifying PHP files for persistent access Campaign first detected in July 20
Jun 23 min read
Massive 17 Million Device Botnet Successfully Dismantled by Dutch Authorities
Key Findings Dutch authorities dismantled a botnet comprising at least 17 million infected devices across computers, tablets, and smartphones Police seized over 200 servers hosted within the Netherlands that controlled the botnet infrastructure The operation was linked to ASOCKS, a Russia-based residential proxy service used for criminal activities A security researcher's report to the National Cyber Security Centre (NCSC) triggered the investigation The botnet was taken offl
May 302 min read
Russian-Linked GREYVIBE Hacking Group Uses AI to Target Ukraine
Key Findings Russian-linked threat actor GREYVIBE has conducted persistent cyberattacks against Ukraine and Ukrainian entities since at least August 2025 The group operates from Russian time zones and aligns with Kremlin state interests, particularly intelligence gathering related to the Russo-Ukrainian war GREYVIBE employs five distinct attack chains using spear-phishing, fake CAPTCHA pages, and fraudulent websites to deliver custom malware The group leverages generative AI
May 293 min read
Critical FortiClient EMS Vulnerability Exploited in Active Campaign Delivering EKZ Infostealer
Key Findings Threat actors are actively exploiting CVE-2026-35616, a critical FortiClient EMS vulnerability with a CVSS score of 9.1, to deploy credential-stealing malware across enterprise networks Attackers abuse legitimate FortiClient management pathways to push malicious PowerShell commands, evading traditional network monitoring solutions A new infostealer payload named EKZ Infostealer masquerades as vendor software updates and extracts credentials from Chrome and Firefo
May 283 min read
CrowdStrike Dismantles Glassworm Botnet Targeting Open-Source Developer Supply Chain
Key Findings CrowdStrike, Google, and Shadowserver dismantled the Glassworm botnet by simultaneously taking down four command-and-control servers that powered a sophisticated supply chain attack campaign The Russia-based threat group infected over 300 GitHub repositories and compromised hundreds of open-source packages across npm, Python, and VSCode extensions since early 2025 Glassworm deployed a multi-layered resilience strategy using the Solana blockchain, BitTorrent DHT,
May 273 min read
MuddyWater's DLL Side-Loading Espionage Campaign Spans 9 Countries
Key Findings MuddyWater conducted a widespread espionage campaign affecting at least nine organizations across nine countries on four continents in Q1 2026 Targets included a major South Korean electronics manufacturer, a Middle Eastern airport, Southeast Asian industrial firms, and Latin American financial services Attackers used DLL side-loading with legitimate binaries (fmapp.exe and sentinelmemoryscanner.exe) to execute malicious code while evading detection ChromElevator
May 263 min read
Cloud Under Siege: P2Pinfect Botnet Threats Targeting Kubernetes Infrastructure
Key Findings FortiGuard Labs identified persistent P2Pinfect botnet activity within Google Kubernetes Engine clusters targeting multiple enterprise clients One network compromise persisted for six months, demonstrating advanced operational dedication Initial infections originated from exposed Redis instances requiring no complex exploitation, only basic misconfigurations P2Pinfect uses peer-to-peer mesh architecture written in Rust, eliminating single points of failure and de
May 253 min read
Supply Chain Attack: 700+ Laravel Lang Versions Infected with RCE Backdoor
Key Findings Over 700 historical versions of laravel-lang localization packages compromised with RCE backdoors across multiple repositories Attack occurred May 22-23, 2026 with automated mass tag publishing seconds apart, indicating infrastructure-level breach Malicious code executes automatically via composer autoload.files on every PHP request in affected applications Second-stage payload deploys 17 specialized credential collectors targeting cloud keys, Kubernetes tokens,
May 233 min read
Cloud Atlas: Upcoming Operations, New Tools, and Payload Deployments (2025-2026)
Key Findings Cloud Atlas, active since 2014, conducted pervasive SSH tunnel operations affecting government and commercial organizations in Russia and Belarus throughout late 2025 and into 2026 The group introduced new tools and malicious payloads, including VBCloud and PowerShower backdoors Primary infection vector remains phishing with ZIP archives containing malicious LNK shortcuts that execute PowerShell scripts Multi-stage attack chain includes persistence mechanisms, de
May 233 min read
GitHub's 3,800 Internal Repositories Compromised Through Malicious VS Code Extension
Key Findings GitHub's internal repositories were compromised after an employee device was infected with a malicious Visual Studio Code extension Approximately 3,800 internal repositories were exfiltrated in the attack TeamPCP, a financially motivated hacking group, claimed responsibility and is selling the stolen data for around $95,000 GitHub confirmed it detected, contained and isolated the breach; no customer data outside internal repositories was affected Critical credent
May 202 min read
bottom of page
