ShinyHunters Claims Responsibility for Rockstar Games Breach, Begins Data Leaks
Key Findings
* ShinyHunters claims to have breached Rockstar Games through third-party cloud provider Anodot, accessing 8.1GB of data
* Leaked files include anti-cheat source code, player analytics, game assets, support tickets, and financial information
* Group set April 14, 2026 deadline for ransom payment, threatening data release and "digital disruption"
* Rockstar minimized impact, stating only non-material corporate information was accessed with no effect on operations or playe
2 days ago · 3 min read
Fast-moving Storm-1175 exploits new vulnerabilities to breach networks and deploy Medusa
Key Findings
* China-based Storm-1175 executes rapid ransomware attacks, sometimes completing full intrusions within 24 hours
* The group exploits newly disclosed vulnerabilities before organizations can patch them, leveraging over 16 different flaws since 2023
* Primary targets include healthcare, education, finance, and services sectors across the US, UK, and Australia
* Storm-1175 has weaponized zero-day exploits before public disclosure, demonstrating advanced capabilities
* The gr
Apr 7 · 3 min read
BKA Unmasks REvil Ransomware Leaders Behind 130+ German Cyberattacks
Key Findings
* German Federal Criminal Police (BKA) identified two REvil ransomware operators responsible for over 130 attacks across Germany
* Daniil Maksimovich Shchukin (31), a Russian national operating under the alias UNKN, led the GandCrab/REvil groups from early 2019 through July 2021
* Anatoly Sergeevitsch Kravchuk (43), also Russian, served as the technical developer of REvil during the same period
* The two suspects orchestrated 25 attacks that resulted in €1.9 million in r
Apr 6 · 3 min read
Qilin Ransomware Group Claims Hack of German Political Party Die Linke
Key Findings
* Qilin ransomware group claims to have breached Die Linke, Germany's left-wing political party, and posted the claim on its Tor data leak site on April 1, 2026
* Die Linke discovered the attack on March 27 and confirmed the incident but has not verified whether data was actually stolen
* The party's membership database was not compromised and no member data was accessed
* Qilin has provided no proof of the breach despite making the claim
* Qilin is one of the most prolifi
Apr 5 · 2 min read
ShinyHunters Claims Theft of 3M+ Cisco Records in Latest Breach Threat
Key Findings
* ShinyHunters has issued a final warning to Cisco with an April 3, 2026 deadline before publicly leaking over 3 million alleged stolen records
* The group claims access through three separate breach paths: UNC6040, Salesforce Aura, and compromised AWS accounts
* Stolen data includes personally identifiable information, GitHub repositories, AWS storage buckets, and internal corporate data
* Screenshots provided by the group show access to AWS organizational dashboards an
Apr 2 · 2 min read
BianLian Ransomware Campaign Exploits Fake Invoice SVG Files to Target Organizations
Key Findings
* WatchGuard researchers identified a phishing campaign targeting Venezuelan companies using malicious SVG image files
* BianLian ransomware group deploying malware via fake invoice attachments with Spanish filenames
* Attack chain uses ja.cat link shortening service to redirect through compromised Brazilian domains
* Malware written in Go language includes anti-analysis capabilities and high-speed AES encryption
* Campaign infrastructure includes four suspicious domains c
Mar 28 · 2 min read
Russian Hacker Sentenced to 6.75 Years for $9 Million Ransomware Campaign
Key Findings
* 26-year-old Russian citizen Aleksei Olegovich Volkov sentenced to 81 months in prison for ransomware facilitation
* Volkov operated as initial access broker, providing unauthorized network access to ransomware groups including Yanluowang
* Facilitated dozens of attacks causing over $9 million in confirmed losses and $24 million in intended losses
* Arrested in Italy January 2024, extradited to U.S., pleaded guilty November 2025
* Must pay $9.1 million in restitution to v
Mar 24 · 2 min read
Beers with Talos: 2025 Year in Review - Speed, Scale, and Staying Power
Key Findings
* Exploitation velocity doubled in 2025, with new vulnerabilities weaponized within days while decade-old CVEs remain reliably exploited
* Identity systems became the primary attack surface, with compromised credentials enabling stealthy lateral movement and environment-wide control
* Approximately 25% of top exploited vulnerabilities targeted shared frameworks and libraries, amplifying blast radius across industries
* APT investigations and ransomware operations increas
Mar 23 · 2 min read
54 EDR Killers Leverage BYOVD to Exploit 34 Signed Vulnerable Drivers and Bypass Security
Key Findings
* 54 endpoint detection and response (EDR) killer tools detected
* 34 unique signed vulnerable drivers exploited
* Technique known as Bring Your Own Vulnerable Driver (BYOVD) widely used
* Primarily targeting ransomware defense evasion
* Three main categories of threat actors develop these tools
* Kernel-mode privilege escalation is primary attack mechanism
Background
Endpoint detection and response (EDR) killer tools have emerged as a critical threat in modern c
Mar 19 · 1 min read
Interlock Ransomware Group Exploits Cisco FMC Zero-Day Vulnerability 36 Days Before Disclosure
Key Findings
* Interlock ransomware group exploited CVE-2026-20131 in Cisco FMC 36 days before public disclosure
* Zero-day vulnerability allows unauthenticated remote code execution with root privileges
* Amazon Threat Intelligence discovered exploitation using global honeypot network
* Attackers used sophisticated multi-stage attack with custom tools and evasion techniques
* Targeted sectors include education, healthcare, industry, and government
Background
The Interlock ra
Mar 19 · 2 min read
Payload Ransomware Claims the Hack of Royal Bahrain Hospital
Key Findings
* Payload Ransomware claims to have breached Royal Bahrain Hospital (RBH)
* 110 GB of data allegedly stolen
* Threat to release data if ransom not paid by March 23, 2026
* Attack targets a healthcare facility serving multiple Middle Eastern countries
Background
Royal Bahrain Hospital, established in 2011, is a 70-bed healthcare facility providing comprehensive medical services including surgery, maternity care, and diagnostics. Located in Bahrain, the hospital serves pat
Mar 15 · 1 min read
AI-Powered Slopoly Malware Enables Hive0163's Advanced Ransomware Strategy
Key Findings
* Hive0163 uses AI-assisted Slopoly malware for persistent access in ransomware attacks
* PowerShell backdoor likely generated using a large language model (LLM)
* Malware maintains C2 access, collects system data, and executes remote commands
* Part of a broader attack framework involving NodeSnake and Interlock RAT
* Initial access achieved through social engineering and malvertising
Background
Hive0163 is a financially motivated threat actor specializing in post-comprom
Mar 13 · 2 min read
Bell Ambulance Data Breach Impacts Nearly 238,000 Individuals
Key Findings
* Bell Ambulance experienced a data breach affecting 237,830 individuals
* Unauthorized network access occurred in February 2025
* Medusa ransomware group claimed responsibility for the attack
* Exposed data includes personal, financial, and medical information
* Company offered 12 months of free credit monitoring to affected individuals
Background
Bell Ambulance is an emergency medical services provider based in Milwaukee, Wisconsin. The organization offers ambu
Mar 12 · 2 min read
Phobos Ransomware Operator Pleads Guilty, Faces Lengthy Prison Sentence
Key Findings
* Evgenii Ptitsyn, a 43-year-old Russian national, pleaded guilty to wire fraud conspiracy for his role in the Phobos ransomware operation.
* Ptitsyn was a high-level administrator of the Phobos ransomware-as-a-service (RaaS) operation.
* The Phobos ransomware operation targeted over 1,000 public and private entities worldwide, extorting more than $16 million in ransom payments.
* Ptitsyn and his co-conspirators used a RaaS model to distribute Phobos ransomware to a net
Mar 5 · 2 min read
FBI Warns of Escalating ATM Jackpotting Attacks, $20M Lost in 2025
Key Findings
* The FBI has warned of a sharp rise in ATM jackpotting attacks across the U.S., with losses exceeding $20 million in 2025 alone.
* Since 2020, about 1,900 incidents have been reported, including 700 last year.
* Total losses tied to jackpotting have reached roughly $40.7 million since 2021.
Background
The jackpotting technique was first proposed by white-hat hacker Barnaby Jack in 2010. Ploutus is one of the most sophisticated ATM malware families and was first discovered in
Feb 20 · 2 min read
Phobos Ransomware Affiliate Arrested by Polish Authorities
Key Findings
* Polish authorities have arrested a 47-year-old man accused of being an affiliate for the Phobos ransomware group.
* The suspect faces up to five years in prison for producing, obtaining, and sharing computer programs used to conduct cyberattacks.
* The arrest was part of a larger Europol-led operation called "Phobos Aetor" that targeted individuals involved with Phobos ransomware attacks.
Background
Phobos ransomware has claimed over 1,000 victims globally and receiv
Feb 17 · 1 min read
DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies
Key Findings
* North Korean IT operatives are applying to remote positions using real LinkedIn accounts of individuals they are impersonating
* The goal is to secure jobs at Western companies and conduct espionage, data theft, and ransomware attacks
* The threat is tracked by the cybersecurity community as Jasper Sleet, PurpleDelta, and Wagemole
* The impersonated LinkedIn profiles often have verified workplace emails and identity badges to appear legitimate
* Once employed, the DPRK w
Feb 11 · 2 min read
I'm Locked In: A Tale of Unexpected Confinement
Key Findings
* Exploitation of public-facing applications remained the top method of initial access, though it declined from 62% to about 40% of engagements.
* Phishing was the second-most common tactic, notably targeting Native American tribal organizations, and credential harvesting often led to further internal attacks.
* Ransomware incidents continued to fall, making up only 13% of cases, with Qilin ransomware still dominant.
Background
Cisco Talos Incident Response's report fo
Jan 29 · 2 min read
Osiris Ransomware Evolves, Leveraging BYOVD to Disarm Security Tools
Key Findings
* Symantec and VMware Carbon Black researchers have uncovered a new ransomware strain called Osiris, used in a November 2025 attack against a major Southeast Asian food service franchise operator.
* Osiris leverages the POORTRY driver in a bring-your-own-vulnerable-driver (BYOVD) attack to disable security software on targeted systems.
* The new ransomware has full-featured capabilities, including the ability to stop services and processes, select files and folders to
Jan 25 · 2 min read
Gootloader's Evasion Tactics: Exploiting Malformed ZIP Files
Key Findings
* GootLoader malware uses malformed ZIP files made of hundreds of concatenated archives to evade detection.
* GootLoader is used by ransomware actors for initial access, then handed off to others.
* GootLoader runs on an access-as-a-service model and has been known to deliver threats like SunCrypt, REvil, Kronos, and Cobalt Strike.
* The ZIP file is intentionally broken so many security and analysis tools can't open it, but Windows can, helping the malware avoid detectio
Jan 18 · 1 min read