top of page
ALL POSTS
WinRAR Vulnerability from Years Past Still Powering 2026 Attacks Against Ukraine
Key Findings CVE-2025-8088, a WinRAR path traversal flaw patched in July 2025, remains actively exploited against Ukrainian organizations as of April 2026, nearly a year after the fix was released Two Russia-aligned threat groups, SHADOW-EARTH-066 (UAC-0226) and Earth Dahu (Gamaredon), are leveraging the vulnerability in coordinated campaigns targeting Ukrainian government and military entities The exploit abuses NTFS Alternate Data Streams to silently write files to the Wind
Jun 144 min read
PyPI Supply Chain Attack Exploits Malware Startup Hooks at Scale
Key Findings Coordinated PyPI supply chain attack compromised multiple popular open-source packages through maintainer account takeover Malware uses Python startup hooks (.pth files) to execute automatically during installation without requiring explicit package imports 448 affected artifacts identified spanning both npm and PyPI registries Threat actors dubbed the Hades cluster, part of broader Shai-Hulud and Miasma malware lineage Socket malware detection systems identified
Jun 73 min read
AI-Powered Zero-Day: Hackers' First Known 2FA Bypass Campaign Stopped by Google
Key Findings Google identified threat actors using an AI-generated zero-day exploit to bypass two-factor authentication on a web-based administration tool, marking the first confirmed use of AI in malicious vulnerability discovery in the wild The exploit was delivered as a Python script containing telltale signs of large language model generation, including excessive docstrings, fabricated CVSS scores, and textbook-style code formatting The vulnerability required valid user c
May 113 min read
New Wave of DPRK Attacks Leveraging AI-Generated npm Malware, Shell Companies, and Remote Access Trojans
Key Findings North Korean threat actor Famous Chollima deployed malicious npm packages designed to steal cryptocurrency wallet credentials and source code from developers Campaign codenamed PromptMink features AI-generated malware split across multiple package layers to evade detection Malware evolved from simple JavaScript stealers to sophisticated multi-platform RATs compiled in Rust, capable of establishing SSH backdoors Attack chain leverages legitimate-looking packages a
Apr 303 min read
AI-Powered Slopoly Malware Enables Hive0163's Advanced Ransomware Strategy
Key Findings Hive0163 uses AI-assisted Slopoly malware for persistent access in ransomware attacks PowerShell backdoor likely generated using a large language model (LLM) Malware maintains C2 access, collects system data, and executes remote commands Part of a broader attack framework involving NodeSnake and Interlock RAT Initial access achieved through social engineering and malvertising Background Hive0163 is a financially motivated threat actor specializing in post-comprom
Mar 132 min read
Salesforce Experience Cloud Targeted by Threat Actors Leveraging Modified AuraInspector Tool
Key Findings Threat actors are mass-scanning publicly accessible Salesforce Experience Cloud sites using a modified version of the open-source AuraInspector tool. The modified tool is capable of extracting data by exploiting overly permissive guest user settings, allowing access to sensitive CRM data. The activity does not involve a vulnerability in the Salesforce platform but targets customer configuration issues. The campaign is attributed to a known threat actor group, pos
Mar 102 min read
Hacker Deploys LLM-Powered AI To Attack FortiGate Devices Across 55 Countries
Key Findings: A Russian-speaking threat actor compromised over 600 FortiGate firewalls across 55 countries in just 5 weeks The attacker systematically used generative AI and large language models (LLMs) to write tools and plan follow-on actions inside victim networks The campaign did not rely on zero-day vulnerabilities, instead targeting publicly accessible admin panels and VPN portals protected by weak credentials Stolen FortiGate configurations provided detailed informatio
Mar 32 min read
Compromised 600+ FortiGate Devices Globally by AI-Assisted Threat Actor
Key Findings A Russian-speaking, financially motivated threat actor has compromised over 600 FortiGate devices located in 55 countries between January 11 and February 18, 2026. The threat actor leveraged multiple commercial generative AI tools to automate various stages of the attack cycle, including tool development, attack planning, and command generation. No exploitation of FortiGate vulnerabilities was observed - the campaign succeeded by exploiting exposed management por
Feb 212 min read
China-Linked Amaranth-Dragon Weaponizes WinRAR Flaw to Spy on SE Asia
Key Findings Threat actors affiliated with China have been attributed to a fresh set of cyber espionage campaigns targeting government and law enforcement agencies across Southeast Asia throughout 2025. The activity cluster, tracked by Check Point Research under the moniker "Amaranth-Dragon," shares links to the APT 41 ecosystem. Targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. The campaigns were timed to coincide with sensitive
Feb 52 min read
bottom of page
