top of page
ALL POSTS
Microsoft Dismantles Fox Tempest Malware-Signing Network
Key Findings Microsoft's Digital Crimes Unit dismantled Fox Tempest, a malware-signing-as-a-service operation that created over 1,000 fraudulent certificates The service enabled threat actors to sign malware with short-lived Microsoft certificates, making malicious files appear legitimate Fox Tempest charged between $5,000 and $9,000 for access to its signing platform, with higher tiers offering priority service The operation supported major ransomware families including Rhys
May 202 min read
INTERPOL Operation Ramz: Major Cybercrime Crackdown Across MENA Results in 201 Arrests
Key Findings INTERPOL coordinated Operation Ramz across 13 MENA countries from October 2025 to February 2026, resulting in 201 arrests and 382 additional suspects identified Nearly 8,000 intelligence records were shared between participating nations, marking the largest coordinated cybercrime effort INTERPOL has led in the region Authorities identified 3,867 victims and seized 53 servers involved in phishing, malware, and cyber scam operations Private sector partners includin
May 192 min read
Reaper Malware Exploits Spoofed Microsoft Domain in macOS Password Theft Campaign
Key Findings SentinelLABS discovered a new macOS infostealer variant called Reaper that bypasses Apple's recent security patches in macOS Tahoe 26.4 Attack chain begins with fake download pages for WeChat or Miro using typo-squatted domain mlcrosoft.co.com Malware uses Script Editor with hidden commands disguised as ASCII art to trick users into executing malicious code Reaper steals passwords, browser data, cryptocurrency wallets, and financial documents before establishing
May 193 min read
State-Sponsored Hackers Exploit Cloudflare Infrastructure in Targeted Malaysian Cyber Espionage Operation
Key Findings Suspected Malaysian government-backed operation maintained hidden command and control infrastructure for years using sophisticated obfuscation techniques Threat actors abused Cloudflare storage and CDN services to host malware, phishing material, and exfiltrated data while leveraging the platform's trusted reputation Infrastructure designed with selective access controls and adaptive response mechanisms to evade standard internet scanning and detection tools Atta
May 182 min read
IT Threat Evolution in Q1 2026: Comprehensive Statistics Report
Key Findings More than 2.67 million mobile attacks prevented in Q1 2026, down from 3.24 million in Q4 2025 Trojan-Banker malware dominated mobile threats with 10.86% share of detections 306,070 malicious installation packages discovered, with 162,275 tied to mobile banking Trojans Kaspersky blocked over 343 million web-based attacks in Q1 2026 2,938 new ransomware variants detected, with 77,319 unique users targeted Clop ransomware returned to top position with 14.42% of DLS
May 183 min read
Evolution of Kazuar Botnet: How Russian APT Turla Developed Advanced Persistent Access Capabilities
Key Findings Russia-linked APT group Turla has evolved its Kazuar malware from a traditional backdoor into a modular peer-to-peer botnet designed for stealth and persistent access The upgraded malware uses Kernel, Bridge, and Worker modules to distribute tasks and maintain long-term control over compromised systems Only one elected "leader" node communicates with command-and-control servers while other infected machines operate silently, reducing detection risk Kazuar support
May 173 min read
OpenAI Targeted in TanStack npm Supply Chain Attack: What You Need to Know
Key Findings OpenAI confirmed that two employee devices were compromised in the TanStack supply chain attack, exposing limited credential material from internal source code repositories The TeamPCP hacking group distributed 84 malicious packages through the TanStack ecosystem using the Mini Shai-Hulud worm, which exploited GitHub Actions OIDC tokens and generated valid SLSA Level 3 attestations Code-signing certificates for iOS, macOS, Windows, and Android applications were e
May 163 min read
Mini Shai-Hulud Worm Supply Chain Attack Compromises Hundreds of Open-Source Packages
Key Findings TeamPCP threat actor behind sprawling supply chain attack targeting npm and PyPI packages across TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI Malware deploys obfuscated JavaScript credential stealer targeting cloud providers, crypto wallets, AI tools, CI systems, and messaging apps Data exfiltrated to attacker-controlled infrastructure using Session Protocol to evade detection Malware establishes persistence in VS Code and Claude Code IDEs, survive
May 133 min read
Fake OpenAI Repository on Hugging Face Distributes Infostealer Malware, Reaches Top Downloads
Key Findings Malicious repository impersonating OpenAI's Privacy Filter reached #1 trending on Hugging Face with 244,000 downloads in 18 hours before removal Typosquatting attack used copied model descriptions and fake AI code to distribute Rust-based information stealer malware Multi-stage attack chain included privilege escalation, Windows Defender evasion, and credential theft targeting browsers, wallets, and Discord At least six additional malicious repositories using sim
May 113 min read
JDownloader's Official Site Distributes Malware to Windows and Linux Users in Major Supply Chain Attack
Key Findings JDownloader's official website was compromised between May 6-7, 2026, serving malicious installers to Windows and Linux users instead of legitimate software Attackers deployed a Python-based remote access trojan (RAT) that gave them remote control over infected systems, with an 8-minute execution delay The breach was limited to the Windows "Alternative Installer" and Linux shell installer; macOS, in-app updates, and package managers remained unaffected Attackers
May 103 min read
ThreatsDay Bulletin: Edge Plaintext Password Exposure, Critical ICS 0-Days, Urgent Patch Alerts and 25+ Breaking Security Stories
Key Findings Microsoft Edge stores saved passwords in plaintext in memory on startup, accessible to any process with administrative privileges MicroStealer malware targeting education and telecom sectors spreads via multi-stage delivery chains and exfiltrates data through Discord FTC settlement with Kochava blocks sale of location data including income, device IDs, and real-time geolocation without explicit consent pnpm 11 implements 24-hour minimum release age for packages t
May 75 min read
China-Linked UAT-8302 Expands Arsenal: Shared APT Malware Targeting Multiple Government Sectors
Key Findings China-nexus APT group UAT-8302 has targeted government entities in South America since late 2024 and southeastern Europe in 2025 The group deploys shared malware families previously used by other China-aligned threat actors, indicating close operational relationships between multiple APT clusters NetDraft (NosyDoor), a .NET-based backdoor, connects UAT-8302 to at least five other known threat clusters including Jewelbug, Earth Estries, and LongNosedGoblin Post-co
May 53 min read
GopherWhisper APT: China-Linked Campaign Deploys Go-Based Malware Against Mongolian Government
KEY FINDINGS ESET discovered GopherWhisper, a previously undocumented China-aligned APT group targeting Mongolian government institutions The group uses a toolkit primarily written in Go, including custom loaders, injectors, and multiple backdoors GopherWhisper abuses legitimate platforms like Discord, Slack, Outlook, and file.io for command-and-control and data exfiltration At least 12 systems within a Mongolian government entity were confirmed infected, with dozens more sus
Apr 262 min read
Trigona Ransomware Gang Deploys Custom Exfiltration Tool for Data Theft and Detection Evasion
Key Findings Trigona ransomware operators have deployed a custom command-line tool called uploader_client.exe to replace publicly available utilities like Rclone and MegaSync The shift, observed in March 2026 attacks, provides attackers greater control and detection evasion capabilities The custom tool uses multiple parallel connections and rotates TCP connections to avoid network monitoring and traffic analysis Trigona affiliates disable security tools using vulnerable kerne
Apr 262 min read
TeamPCP Hijacks Bitwarden CLI, Exploits Dependabot to Distribute Shai-Hulud Malware
Key Findings TeamPCP compromised the widely-used @bitwarden/cli npm package on April 20, 2026, targeting developers who rely on Bitwarden for credential management The attack leveraged Dependabot, GitHub's trusted automation bot, to pull a trojanized Checkmarx KICS Docker image and execute malware with CI privileges Shai-Hulud malware uses GitHub itself as a fallback command and control server when primary infrastructure is blocked, making it unusually resilient The worm inje
Apr 252 min read
Bitwarden CLI Compromised in Supply Chain Attack Through Checkmarx
Key Findings Bitwarden CLI version 2026.4.0 was compromised through a malicious GitHub Action in the project's CI/CD pipeline, affecting the npm distribution mechanism The attack was part of the ongoing Checkmarx supply chain campaign, likely orchestrated by threat actor TeamPCP Malicious code in bw1.js executed a preinstall hook that stole GitHub tokens, npm credentials, SSH keys, cloud secrets, and shell history Stolen data was exfiltrated to a fake Checkmarx domain (audit.
Apr 243 min read
Supply Chain Worm Spreads Through npm Packages to Steal Developer Authentication Tokens
Key Findings Self-propagating worm dubbed CanisterSprawl detected in six npm packages, spreading via stolen developer credentials Malware executes during package installation to harvest npm tokens, SSH keys, cloud credentials, and browser data Stolen tokens enable attackers to push poisoned package versions, creating a self-replicating supply chain attack Exfiltration occurs through HTTPS webhook and ICP canister infrastructure designed to resist takedowns Campaign includes c
Apr 223 min read
Lotus Wiper Malware Campaign Targets Venezuelan Energy Infrastructure in Coordinated Destructive Attack
Key Findings Previously undocumented data wiper dubbed Lotus Wiper deployed against Venezuelan energy and utilities sector in late 2025 and early 2026 Multi-stage attack uses two batch scripts to disable system defenses before executing the wiper payload, which overwrites drives and deletes all recoverable data No ransom demands present, indicating destructive intent rather than financial motivation Malware compiled September 2025, uploaded December 2025, suggesting attackers
Apr 223 min read
SystemBC C2 Infrastructure Exposes Over 1,570 Victims Connected to The Gentlemen Ransomware Campaign
Key Findings A compromised SystemBC C2 server linked to The Gentlemen ransomware operation revealed over 1,570 infected corporate networks globally The Gentlemen has claimed more than 320 victims since emerging in July 2025, establishing itself as one of the most prolific ransomware groups The group targets Windows, Linux, NAS, and BSD systems using Go-based encryption and demonstrates sophisticated defense evasion tactics SystemBC establishes SOCKS5 tunnels using custom RC4-
Apr 212 min read
Hidden VMs: How Hackers Leverage QEMU to Steal Data and Spread Malware Stealthily
Key Findings Sophos researchers identified a significant uptick in threat actors using QEMU, an open-source emulator, to hide malware in virtual machines and evade detection Two distinct campaigns since late 2025 leverage QEMU for defense evasion: STAC4713 linked to PayoutsKing ransomware and STAC3725 exploiting CitrixBleed2 Attackers use hidden VMs to maintain long-term access, steal credentials and data, deploy ransomware, and leave minimal forensic traces on host systems T
Apr 183 min read
bottom of page
