top of page
ALL POSTS
Global SocGholish Takedown: Nearly 15,000 WordPress Sites Cleaned in Major Operation
Key Findings Operation EndGame, a coordinated international law enforcement action, dismantled SocGholish infrastructure on June 18, 2026 106 servers and domains taken down globally; 14,971 compromised WordPress sites remediated Law enforcement from Netherlands, Canada, United States, and Germany executed the coordinated takedown with support from Europol SocGholish serves as initial access broker for major ransomware families including LockBit, RansomHub, and WastedLocker Be
Jun 193 min read
DragonForce Ransomware Exploits Microsoft Teams Relays to Conceal Malicious Command-and-Control Traffic
Key Findings DragonForce ransomware operators deployed Backdoor.Turn, a custom Go-based remote access trojan that conceals command-and-control traffic within Microsoft Teams relay infrastructure This marks the first publicly documented abuse of Microsoft's TURN relay servers by threat actors Attackers maintained network access for one to two months while evading detection by routing malicious traffic through legitimate Microsoft servers The group employed sophisticated defens
Jun 183 min read
Ukrainian Extradited to US Pleads Guilty in Conti Ransomware Operation
Key Findings Ukrainian national Oleksii Lytvynenko pleaded guilty to conspiracy to commit wire fraud for his role in Conti ransomware operations Conti infected over 1,000 computers and networks across 47 U.S. states, 31 countries, and generated at least $150 million in ransom payments by January 2022 Lytvynenko joined the conspiracy in September 2021 and worked on malware development including creating a "loader" for delivering additional malicious tools He possessed stolen d
Jun 142 min read
Conti Ransomware Member's Guilty Plea Signals Breakthrough in Global Cybercrime Crackdown
Key Findings Ukrainian national Oleksii Oleksiyovych Lytvynenko pleaded guilty to wire fraud conspiracy related to Conti ransomware operations Conti attacked over 1,000 organizations across 47 U.S. states and 31 countries from 2020 to 2022, extorting at least $150 million Lytvynenko joined the conspiracy in September 2021 and developed malware used in the attacks He faces up to 20 years in prison with sentencing scheduled for September 10, 2026 Authorities continue pursuing f
Jun 133 min read
Europol Dismantles AudiA6 Crypto Laundering Network Behind Ransomware Operations
Key Findings Europol dismantled AudiA6, an industrial-scale cryptocurrency laundering service that processed over €336 million (~$389 million) in illicit funds since 2021 Two alleged administrators of Ukrainian and Russian nationality were arrested in Georgia on June 10, 2026 The operation seized over 30 servers, 25 domains, €692,000 in frozen cryptocurrency, and identified more than 6,000 fraudulent money mule accounts AudiA6 operators also ran Dark2Web, a dark web cybercrim
Jun 124 min read
Global Law Enforcement Dismantles First VPN Used by 25 Ransomware Groups in Historic Takedown
Key Findings First VPN Service, a criminal VPN operating since 2014, was dismantled in a coordinated international operation led by France and the Netherlands At least 25 ransomware groups used the service to conduct attacks, including network reconnaissance, data theft, fraud, and denial-of-service operations The takedown involved 16 countries and resulted in the seizure of 33 servers across 27 countries and the shutdown of associated domains First VPN marketed itself specif
May 223 min read
Attackers Bypass MFA on SonicWall VPNs Due to Flawed Prior Patch
Key Findings SonicWall Gen6 SSL-VPN devices remain vulnerable to MFA bypass despite firmware patches because administrators are missing six required manual remediation steps CVE-2024-12802 exploitation observed in-the-wild between February and March 2026, leading to ransomware-related intrusions across multiple organizations Attackers successfully brute-forced VPN credentials and bypassed MFA, reaching internal file servers in some cases within 30 minutes Gen6 devices reached
May 222 min read
Microsoft Dismantles Fox Tempest Malware-Signing Network
Key Findings Microsoft's Digital Crimes Unit dismantled Fox Tempest, a malware-signing-as-a-service operation that created over 1,000 fraudulent certificates The service enabled threat actors to sign malware with short-lived Microsoft certificates, making malicious files appear legitimate Fox Tempest charged between $5,000 and $9,000 for access to its signing platform, with higher tiers offering priority service The operation supported major ransomware families including Rhys
May 202 min read
IT Threat Evolution in Q1 2026: Comprehensive Statistics Report
Key Findings More than 2.67 million mobile attacks prevented in Q1 2026, down from 3.24 million in Q4 2025 Trojan-Banker malware dominated mobile threats with 10.86% share of detections 306,070 malicious installation packages discovered, with 162,275 tied to mobile banking Trojans Kaspersky blocked over 343 million web-based attacks in Q1 2026 2,938 new ransomware variants detected, with 77,319 unique users targeted Clop ransomware returned to top position with 14.42% of DLS
May 183 min read
Active Exploitation of cPanel CVE-2026-41940 Deploys Filemanager Backdoor Across 2,000+ Attacker IPs Globally
Key Findings Critical cPanel vulnerability CVE-2026-41940 (CVSS 9.3) is being actively exploited in the wild to deploy the Filemanager backdoor Over 2,000 malicious IPs from Germany, US, Brazil, Netherlands and other regions are conducting automated attacks Threat actor Mr_Rot13 has been linked to the campaign, with evidence of operations dating back to at least 2020 Exploitation has led to cryptomining, ransomware deployment, botnet propagation, and credential theft Southeas
May 123 min read
US Cybersecurity Experts Face Prison Time in Major Ransomware Conspiracy Case
Key Findings Two US cybersecurity professionals, Ryan Goldberg and Kevin Martin, sentenced to four years in prison for supporting BlackCat ransomware attacks Both pleaded guilty to conspiracy and extortion charges related to attacks between April and December 2023 Third accomplice Angelo Martino pleaded guilty and awaits sentencing scheduled for July 9 The trio deployed ALPHV BlackCat ransomware against multiple US victims and extorted approximately $1.2 million in Bitcoin De
May 32 min read
Former Cybersecurity Professionals Sentenced to 4 Years for BlackCat Ransomware Attacks
Key Findings Ryan Goldberg and Kevin Martin sentenced to four years in prison each for facilitating BlackCat ransomware attacks in 2023 Both defendants were employed in legitimate cybersecurity roles at the time of their crimes The pair, along with co-conspirator Angelo Martino, extorted approximately $1.3 million from a medical company in a single attack Goldberg fled to Europe after being interviewed by the FBI but was tracked across 10 countries and arrested in Mexico City
May 13 min read
Trigona Ransomware Gang Deploys Custom Exfiltration Tool for Data Theft and Detection Evasion
Key Findings Trigona ransomware operators have deployed a custom command-line tool called uploader_client.exe to replace publicly available utilities like Rclone and MegaSync The shift, observed in March 2026 attacks, provides attackers greater control and detection evasion capabilities The custom tool uses multiple parallel connections and rotates TCP connections to avoid network monitoring and traffic analysis Trigona affiliates disable security tools using vulnerable kerne
Apr 262 min read
CISA Adds Exploited Vulnerabilities to KEV Catalog, Establishes May 2026 Federal Remediation Deadline
Key Findings CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on Friday SimpleHelp flaws enable privilege escalation and arbitrary code execution, previously linked to DragonForce ransomware campaigns Samsung MagicINFO vulnerability allows arbitrary file writes with system-level access and has been exploited since PoC release in April 2025 D-Link DIR-823X command injection flaw is being weaponized to deliver Mirai botnet varian
Apr 252 min read
SystemBC C2 Infrastructure Exposes Over 1,570 Victims Connected to The Gentlemen Ransomware Campaign
Key Findings A compromised SystemBC C2 server linked to The Gentlemen ransomware operation revealed over 1,570 infected corporate networks globally The Gentlemen has claimed more than 320 victims since emerging in July 2025, establishing itself as one of the most prolific ransomware groups The group targets Windows, Linux, NAS, and BSD systems using Go-based encryption and demonstrates sophisticated defense evasion tactics SystemBC establishes SOCKS5 tunnels using custom RC4-
Apr 212 min read
Ransomware Negotiator Guilty of Secretly Supporting BlackCat Extortion Operations
Key Findings Angelo Martino, 41-year-old ransomware negotiator from Florida, pleaded guilty to assisting the BlackCat ransomware group while employed at a U.S. incident response firm Martino leaked confidential client information including insurance limits and negotiation strategies to BlackCat operators, enabling higher ransom demands across five victim cases starting April 2023 He conspired with two other cybersecurity professionals, Ryan Goldberg and Kevin Martin, to deplo
Apr 213 min read
Hidden VMs: How Hackers Leverage QEMU to Steal Data and Spread Malware Stealthily
Key Findings Sophos researchers identified a significant uptick in threat actors using QEMU, an open-source emulator, to hide malware in virtual machines and evade detection Two distinct campaigns since late 2025 leverage QEMU for defense evasion: STAC4713 linked to PayoutsKing ransomware and STAC3725 exploiting CitrixBleed2 Attackers use hidden VMs to maintain long-term access, steal credentials and data, deploy ransomware, and leave minimal forensic traces on host systems T
Apr 183 min read
ShinyHunters Claims Responsibility for Rockstar Games Breach, Begins Data Leaks
Key Findings ShinyHunters claims to have breached Rockstar Games through third-party cloud provider Anodot, accessing 8.1GB of data Leaked files include anti-cheat source code, player analytics, game assets, support tickets, and financial information Group set April 14, 2026 deadline for ransom payment, threatening data release and "digital disruption" Rockstar minimized impact, stating only non-material corporate information was accessed with no effect on operations or playe
Apr 153 min read
Fast-moving Storm-1175 exploits new vulnerabilities to breach networks and deploy Medusa
Key Findings China-based Storm-1175 executes rapid ransomware attacks, sometimes completing full intrusions within 24 hours The group exploits newly disclosed vulnerabilities before organizations can patch them, leveraging over 16 different flaws since 2023 Primary targets include healthcare, education, finance, and services sectors across the US, UK, and Australia Storm-1175 has weaponized zero-day exploits before public disclosure, demonstrating advanced capabilities The gr
Apr 73 min read
BKA Unmasks REvil Ransomware Leaders Behind 130+ German Cyberattacks
Key Findings German Federal Criminal Police (BKA) identified two REvil ransomware operators responsible for over 130 attacks across Germany Daniil Maksimovich Shchukin (31), a Russian national operating under the alias UNKN, led the GandCrab/REvil groups from early 2019 through July 2021 Anatoly Sergeevitsch Kravchuk (43), also Russian, served as the technical developer of REvil during the same period The two suspects orchestrated 25 attacks that resulted in €1.9 million in r
Apr 63 min read
bottom of page
