Live Feed Aggregator

🧠 Threat Intel

Latest threat intel updates from 19 cybersecurity sources. 85 articles curated daily. Stay informed with real-time threat intelligence.


Latest Threat Intel Articles

Security Archives - TechRepublic Jun 3, 2026

Apple’s 2026 Security Events: iPhone Exploits, Zero-Days Put Millions at Risk

Apple’s 2026 security year includes zero-days, iPhone exploit kits, WebKit fixes, and background patches that users and IT teams need to track.

Security Archives - TechRepublic Jun 3, 2026

Microsoft Tests Wearable AI Badge for Office Workers

Microsoft showed Project Solara concept devices at Build 2026, including a wearable AI badge for office workers using AI agents.

Security Archives - TechRepublic Jun 3, 2026

CISA Flags 2-Year-Old Oracle WebLogic Vulnerability as Actively Exploited

CISA added Oracle WebLogic flaw CVE-2024-21182 to its KEV catalog, giving federal agencies until June 4 to patch exposed servers.

ASEC Jun 3, 2026

Ransom & Dark Web Issues Week 1, June 2026

ASEC Blog publishes Ransom & Dark Web Issues Week 1, June 2026: Qilin Ransomware Attack Targets South Korean Automation Equipment Company; New Data Extortion Group Black X Claims Leak of Internal Data from South Korean Plastic Surgery Clinic; Nova Ransomware Attack Targets Department of AI at University in Daegu,...

@BushidoToken Threat Intel Jun 3, 2026

UK Cybercrime Journal: British Universities Struck by ShinyHunters Before Exam Season

What Happened: On 3 May 2026, ShinyHunters, the English-speaking adolescent cybercrime collective, claimed they breached Instructure by listing them on their Tor data leak site. Instructure is a US-based software provider behind the widely adopted Canvas Learning Management System (LMS). ShinyHunters reportedly...

Security Archives - TechRepublic Jun 2, 2026

Cisco Live 2026: New Security Tools Target AI Threats

Cisco unveiled Cloud Control, Live Protect, and Hybrid Mesh Firewall at Cisco Live to help enterprises manage AI-era IT and security operations.

Unit 42 Jun 2, 2026

The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2)

Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more.

Security Archives - TechRepublic Jun 2, 2026

Fake Claude Code Installers Deliver Credential-Stealing Malware

Fake Claude Code install sites are pushing malware that steals API keys, developer credentials, crypto wallets, and other sensitive data.

Malware Analysis - ANY.RUN's Cybersecurity Blog Jun 2, 2026

From Fake Purchase Orders to Remote Access: Analyzing the JS.MonoGlyphRAT Threat to US Enterprises

A previously unidentified cyberattack is quietly spreading through US businesses — and most security tools are not catching it. Researchers at ANY.RUN have identified a new backdoor called JS.MonoGlyphRAT, an advanced piece of malware delivered as an ordinary-looking JavaScript file disguised as a purchase order,...

Unit 42 Jun 2, 2026

Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

Operation FlutterBridge is a malvertising campaign targeting macOS users. It distributed the new backdoor FlutterShell, built using the Flutter framework.

Lohrmann on Cybersecurity May 31, 2026

No Longer Invisible: When Cyber Attacks Go Physical

Critical infrastructure cyber attacks are increasing in the U.S. — and they’re changing in nature. Here are some examples and the top trends from the first half of 2026.

Cisco Talos Blog May 28, 2026

Less panic patching, more precision

In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter.

Unit 42 May 28, 2026

2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface

The 2026 World Cup presents major cyber risks from ransomware groups, state-aligned actors, and other groups targeting critical infrastructure.

Cisco Talos Blog May 28, 2026

DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap

This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format.

Unit 42 May 27, 2026

Out of the Crypt: The Evolving Cyber Extortion Economy

Unit 42 explores trends in data theft and extortion, outlining key strategies for organizations as frontier AI models advance.

ASEC May 27, 2026

The proliferation and evolution of AI-powered hacking tools – how generative AI has changed the cyber attack ecosystem and response strategies

WormGPT, which emerged in June 2023, has brought a paradigm shift to the cybercrime ecosystem. Generative AI has lowered the barrier to entry for attacks, and AI-powered hacking tools are rapidly proliferating in both paid subscription services and free open source. Furthermore, AI is evolving beyond the creation...

ASEC May 27, 2026

Ransom & Dark Web Issues Week 4, May 2026

ASEC Blog publishes Ransom & Dark Web Issues Week 4, May 2026: Customer Data of Japanese Educational Franchise Sold on BreachForums by Hasan; Data from Japanese Government Agency for National Civil Servant Personnel Administration Sold on BreachForums by Hasan; FBI Issues Warning Regarding Fraudulent FIFA Websites...

Cisco Talos Blog May 27, 2026

MediaArea heap-based buffer overflow vulnerabilities

Talos researchers find 4 heap-based buffer overflow vulnerabilities in MediaArea's MediaInfoLib.

Cisco Talos Blog May 27, 2026

Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake

EvidenceForge generates high-quality, realistic, and consistent datasets across multiple log formats, enabling teams to effectively train personnel and validate detection models without the need for complex manual simulations.

@BushidoToken Threat Intel May 27, 2026

UK Cybercrime Journal: £102 million Lost to Scams in 2025

What Happened: On 5 May 2026, new data revealed that British romance scam victims were defrauded of a staggering £102 million last year, representing a 29% surge in reported cases. The figures come from information gathered by Report Fraud (f.k.a. ActionFraud), which is a City of London Police-run service that logged...

ASEC May 26, 2026

Don’t trust ‘secure mail’! Malicious Files Impersonating Credit Card Companies Are Being Distributed

AhnLab recently confirmed the distribution of malicious files disguised as security emails from a major credit card company in Korea. This attack has a similar flow to the Kimsuky group’s past malicious LNK distribution case of disguising password files, but it is characterized by a change in the command execution...

Malware Analysis - ANY.RUN's Cybersecurity Blog May 26, 2026

Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More

May 2026 showed how fast routine business activity can turn into real security exposure. ANY.RUN observed phishing campaigns, fileless malware delivery, credential theft, OTP interception, and remote access abuse targeting organizations across industries. From fake invitations and banking portals to compromised B2B...

Lohrmann on Cybersecurity May 24, 2026

How New College Grads Can Succeed in an AI Economy

It’s graduation season, and people entering the workforce now can turn the 2026 hiring slowdown into a career launchpad using practical skills — and some surprising suggestions.

@BushidoToken Threat Intel May 23, 2026

UK Cybercrime Journal: Inside the Cl0p attack on South Staffs Water

What Happened: On 11 May 2026, the UK Information Commissioner’s Office (ICO) fined South Staffordshire Water £963,900 after the Cl0p ransomware group lurked completely undetected in its network for nearly two years. Initial access reportedly occurred via a malicious phishing email in September 2020, which...

Fox-IT International blog May 22, 2026

RemotePE: The Lazarus RAT that lives in memory

Authors: Yun Zheng Hu and Mick Koomen. Summary: Last year, we published research about a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations, encountered during multiple incident response engagements. This Lazarus subgroup overlaps with activity linked to AppleJeus, Citrine Sleet,...

Unit 42 May 22, 2026

Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns.

Cisco Talos Blog May 21, 2026

The art of being ungovernable

In this edition of the Threat Source newsletter, William explores the value of being "ungovernable" in a professional setting, sharing how challenging the status quo and seeking out the smartest people in the room can lead to a more fulfilling and successful career.

ASEC May 21, 2026

The proliferation and evolution of AI-powered hacking tools – from dark web distribution to autonomous attacks

Key takeaway: Since the emergence of WormGPT in June 2023, AI-based hacking tools have spread to the dark web, Telegram, GitHub, and Hugging Face. The market has evolved into a mix of paid subscription SaaS and free open-source distributions. Key capabilities have been segmented into phishing automation, malware...

EclecticIQ Blog May 21, 2026

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

Executive summary: Financially motivated eCrime actors will likely continue to expand opportunistic campaigns by impersonating AI platforms. These campaigns generate direct supply chain risk for enterprises, as threat actors target software developer tooling, including AI coding assistants and package managers, to...

EclecticIQ Blog May 18, 2026

Why commercial cyber threat intelligence is failing defense operations

Cyber is no longer a supporting capability. It now shapes how defense organizations plan, assess, and act.

The Cloudflare Blog May 18, 2026

Project Glasswing: what Mythos showed us

In recent weeks, we pointed Mythos and other security-focused LLMs at live code across critical parts of our infrastructure. We share what we observed, the models’ strengths and weaknesses, and what the work around them needs to look like before any of it can scale.

Lohrmann on Cybersecurity May 17, 2026

Protecting People and Infrastructure: A 2026 World Cup Security Preview

Expert insights on guarding digital ecosystems, managing vendor risks and ensuring public safety during the world’s largest sporting event.

Malware Analysis - ANY.RUN's Cybersecurity Blog May 14, 2026

LATAM Under Siege: Agent Tesla’s 18-Month Credential Theft Campaign Against Chilean Enterprises

Editor’s note: The analysis is authored by Moises Cerqueira, malware researcher & threat hunter. You can find Moises on LinkedIn and X. Credential theft malware rarely announces itself with ransomware-level noise. Instead, it operates like a silent siphon hidden inside everyday business workflows: invoices, payroll...

security - Ars Technica May 12, 2026

Twin brothers wipe 96 gov't databases minutes after being fired

A case study in why credentials are revoked before firings.

Lohrmann on Cybersecurity May 10, 2026

‘CI Fortify’ Is the New Road Map for State and Local Resilience

In light of increasing international cyber threats, CISA unveiled “CI Fortify” to help secure critical infrastructure. Here’s what you need to know.

The Cloudflare Blog May 7, 2026

How Cloudflare responded to the “Copy Fail” Linux vulnerability

When a critical Linux kernel privilege escalation was publicly disclosed, Cloudflare's security and engineering teams detected, investigated, and mitigated the threat across our global fleet, confirming zero customer impact and no malicious exploitation.

Malware Analysis - ANY.RUN's Cybersecurity Blog May 5, 2026

New Phishing Campaign Targets US with Credential Theft: What CISOs Need to Know

A new large-scale phishing campaign is targeting U.S. organizations with fake event invitations that lead to credential theft, OTP interception, or RMM tool installation. ANY.RUN researchers found that the campaign uses a repeatable phishing framework to create event-themed lure pages at scale. Some pages steal...

Low-level adventures May 3, 2026

From a stale README to a security research intelligence platform

A stale security-papers README grew into AI Scholar: a production system that ingests papers, deduplicates identities, extracts structured security-research records, maps the corpus as an atlas, and surfaces tensions between papers before I read them end to end.

Lohrmann on Cybersecurity May 3, 2026

A Tale of Two States: The 2026 Cybersecurity Paradox

The cyber threat outlooks from CIOs and CISOs at the NASCIO Midyear Conference in Philadelphia ranged from the good to the bad to the ugly — with AI front and center.

The Cloudflare Blog Apr 30, 2026

Post-quantum encryption for Cloudflare IPsec is generally available

Cloudflare IPsec now has generally available support for post-quantum encryption via hybrid ML-KEM. We’ve confirmed interoperability with Cisco and Fortinet.

Malware Analysis - ANY.RUN's Cybersecurity Blog Apr 28, 2026

Phishing-to-RMM Attacks: The Remote Access Blind Spot CISOs Can’t Ignore

CISOs are under pressure to prove that their security programs can detect threats early, reduce business risk, and support fast, confident response. But that becomes harder when attackers stop relying on obviously malicious tools. In recent phishing-to-RMM campaigns observed by ANY.RUN analysts, threat actors are...

Google Online Security Blog Apr 23, 2026

AI threats in the wild: The current state of prompt injections on the web

Posted by Thomas Brunner, Yu-Han Liu, Moni Pande. At Google, our Threat Intelligence teams are dedicated to staying ahead of real-world adversarial activity, proactively monitoring emerging threats before they can impact users. Right now, Indirect Prompt Injection (IPI) is a top priority for the security community,...

security - Ars Technica Apr 21, 2026

Mozilla: Anthropic's Mythos found 271 security vulnerabilities in Firefox 150

CTO says new AI model is "every bit as capable" as world's best security researchers.

security - Ars Technica Apr 14, 2026

UK gov's Mythos AI tests help separate cybersecurity threat from hype

New model is the first AI system to complete a difficult multistep infiltration challenge.

The Cloudflare Blog Apr 14, 2026

Securing non-human identities: automated revocation, OAuth, and scoped permissions

Cloudflare is introducing scannable API tokens, enhanced OAuth visibility, and GA for resource-scoped permissions. These tools help developers implement a true least-privilege architecture while protecting against credential leakage.

The Cloudflare Blog Apr 14, 2026

Scaling MCP adoption: Our reference architecture for simpler, safer and cheaper enterprise deployments of MCP

We share Cloudflare's internal strategy for governing MCP using Access, AI Gateway, and MCP server portals. We also launch Code Mode to slash token costs and recommend new rules for detecting Shadow MCP in Cloudflare Gateway.

Google Online Security Blog Apr 10, 2026

Bringing Rust to the Pixel Baseband

Posted by Jiacheng Lu, Software Engineer, Google Pixel Team. Google is continuously advancing the security of Pixel devices. We have been focusing on hardening the cellular baseband modem against exploitation. Recognizing the risks associated with the complex modem firmware, Pixel 9 shipped with mitigations...

Google Online Security Blog Apr 9, 2026

Protecting Cookies with Device Bound Session Credentials

Posted by Ben Ackerman, Chrome team, Daniel Rubery, Chrome team and Guillaume Ehinger, Google Account Security team. Following our April 2024 announcement, Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, and expanding to macOS in an upcoming Chrome...

Google Online Security Blog Apr 2, 2026

Google Workspace’s continuous approach to mitigating indirect prompt injections

Posted by Adam Gavish, Google GenAI Security Team. Indirect prompt injection (IPI) is an evolving threat vector targeting users of complex AI applications with multiple data sources, such as Workspace with Gemini. This technique enables the attacker to influence the behavior of an LLM by injecting malicious...

Google Online Security Blog Mar 31, 2026

VRP 2025 Year in Review

Posted by Dirk Göhmann, Tony Mendez, and the Vulnerability Rewards Program Team. 2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉! Originally started in 2010, our vulnerability reward program (VRP) has seen constant additions and...

EclecticIQ Blog Mar 26, 2026

Introducing Intelligence Center 3.7: Faster decisions with clearer context across defense and enterprise

Counting intelligence outputs is simple: volume, velocity, coverage. The real question is this: does your intelligence improve decisions under pressure, with confidence you can defend?

EclecticIQ Blog Mar 26, 2026

Free TIP Bundles to test, validate, and operationalize threat intelligence faster

You cannot confidently choose threat intelligence integrations and services when you have to commit before you can validate operational impact. That is how you end up with tools that look good on paper, but do not always reduce triage time, improve detection quality, or support response the way you hoped.

EclecticIQ Blog Mar 26, 2026

Disarming disinformation: How EclecticIQ helps you analyze and track influence operations with the DISARM Framework

Disinformation is no longer just a nuisance. It’s a weapon leveraged by both state and non-state actors. For information operations analysts tracking influence campaigns across elections, national security threats, and coordinated disinformation efforts, the challenge is growing. Whether you work in a government...

security - Ars Technica Mar 19, 2026

Millions of iPhones can be hacked with a new tool found in the wild

DarkSword, a powerful iPhone-hacking technique, has been discovered in use by Russian hackers.

security - Ars Technica Mar 17, 2026

How World ID wants to put a unique human identity on every AI agent

Iris scan-backed tokens could help stop agent swarms from overwhelming online systems.

Blaze's Security Blog Nov 19, 2025

Autumn Dragon: China-nexus APT Group Targets South East Asia

In this report, we describe how we tracked for several months a sustained espionage campaign against the government, media, and news sectors in several countries including Laos, Cambodia, Singapore, the Philippines and Indonesia. Since early 2025, China’s involvement in the Indo-Pacific has been more prolific, from...

Blaze's Security Blog Oct 27, 2025

Earth Estries alive and kicking

Earth Estries, also known as Salt Typhoon and a few other names, is a China-nexus APT actor, and is known to have used multiple implants such as Snappybee (Deed RAT), ShadowPad, and several more. In their latest campaign, the actor leverages one of the latest WinRAR vulnerabilities that will ultimately lead to...

@BushidoToken Threat Intel Oct 18, 2025

Lessons from the BlackBasta Ransomware Attack on Capita

Introduction: When a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention to it. On 15 October 2025, the UK Information Commissioner’s Office (ICO) published a detailed 136 page report about the Capita breach. The aim of this blog is to extract...

@BushidoToken Threat Intel Sep 13, 2025

Ransomware Tool Matrix Update: Community Reports

Introduction: The Ransomware Tool Matrix continues to be a useful passion project that I am happy to continue maintaining. One piece of common feedback I've received for the Ransomware Tool Matrix was that individuals would like to contribute their observations to it, but do not have public links they can cite (such...

Fox-IT International blog Sep 1, 2025

Three Lazarus RATs coming for your cheese

Authors: Yun Zheng Hu and Mick Koomen. Introduction: In the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus subgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps with activity linked to...

Blaze's Security Blog Jun 20, 2025

Steam Phishing: popular as ever

A month or so ago a friend of mine received the following message on Steam from someone in their Friends list (they were already friends): Figure 1 - 'this is for you' The two links are different and refer to a Gift Card on Steam's community platform. As you might have noticed, the domain is not related to Steam at...

Fox-IT International blog Dec 11, 2024

Decrypting Full Disk Encryption with Dissect

Author: Guus Beckers. Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. Since then it has been adopted by many different companies in their regular workflow. For those of you who are not yet familiar with Dissect, it is an incident response framework built with...

Fox-IT International blog Sep 25, 2024

Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation

Authors: Boudewijn Meijer and Rick Veldhoven. Introduction: As defensive security products improve, attackers must refine their craft. Gone are the days of executing malicious binaries from disk, especially ones well known to antivirus and Endpoint Detection and Response (EDR) vendors. Now, attackers focus on in-memory...

Blaze's Security Blog Aug 14, 2024

Microsoft Word and Sandboxes

Today's post is a brief one on some Microsoft Word and sandbox detection / discovery / fun. Collect user name from Microsoft Office: Most sandboxes will trigger somehow or on something if a tool or malware tries to collect system information or user information. But what if we collect the user name via the registry and...

Blaze's Security Blog Jun 20, 2024

New North Korean based backdoor packs a punch

In recent months, North Korean based threat actors have been ramping up attack campaigns in order to achieve a myriad of their objectives, whether it be financial gain or with espionage purposes in mind. The North Korean cluster of attack groups is peculiar seeing there is quite some overlap with one another, and...

Low-level adventures May 15, 2024

The State of Go Fuzzing - Did we already reach the peak?

During one of the recent working days, I was tasked with fuzzing some Go applications. That's something I had not done in a while, so my first course of action was to research the current state of the art of the tooling landscape. After like a couple of

Fox-IT International blog Apr 25, 2024

Sifting through the spines: identifying (potential) Cactus ransomware victims

Authored by Willem Zeeman and Yun Zheng Hu. This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them please check the central blog by Dutch special interest group...

Toxin Labs Aug 6, 2023

DarkGate - Threat Breakdown Journey

Intro: Over the past month, a widespread phishing campaign has targeted individuals globally. The campaign's execution chain ends with the deployment of a malware known as DarkGate, a loader-type malware. DarkGate is exclusively sold on underground online forums and the developer keeps a very tight amount of seats...

Toxin Labs May 26, 2023

Kraken - The Deep Sea Lurker Part 2

Intro: In the second part of analyzing the “KrakenKeylogger”, I will be diving into some proactive “threat hunting” steps I’ve done during my research about the Kraken. What we have? Let’s start with what we currently have and how we can pivot with it: C2: thereccorp.com; Payload fetching domain:...

Toxin Labs May 20, 2023

Kraken - The Deep Sea Lurker Part 1

Intro: In this first part we will be going through a recent phishing campaign delivering a never-seen-before “KrakenKeylogger” malware. The Phish: The mail sent to the victim is a simple malspam mail with an archive attachment. The archive is a .zip archive that contains a .lnk file. LNK Analysis, LECmd Tool: In order to...

Toxin Labs Apr 14, 2023

PlutoCrypt - A CryptoJoker Ransomware Variant

Intro: In this blog I will deep dive into a variant of CryptoJoker Ransomware, along with analyzing the multi-stage execution chain. BRACE YOURSELVES! The Phish: Our story begins with a spear phishing email, targeting Turkish individuals and organizations. These attacks often begin with an email that appears to be...

Toxin Labs Apr 9, 2023

LummaC2 - Stealer Features BreakDown

Intro: This blog will be a bit different from my usual blogs; it will mainly contain scripts and some research I’ve spent on finding some of the things you’ll read through the blog. I’ve tried to cover things that weren’t covered in previous blogs that can be found on the Lumma Stealer Malpedia entry. The Phish: The...

Malicious History - ANY.RUN's Cybersecurity Blog Jan 17, 2023

WannaCry: The Most Preventable Ransomware is Still at Large

The WannaCry attack of 2017 is the perfect example of why you should always install security updates as soon as they’re released. This was, probably, the most avoidable ransomware incident. And, at the same time, one of the most damaging and rapidly spreading malware outbreaks. This is the story of the WannaCry...

Blog Dec 29, 2022

Vulnerability Research Digest - Issue 1 (macOS/iOS in 2022)

In the past few years I created some Twitter threads (e.g. Windows Kernel Security, Linux Kernel Security) on a number of publications I found the most interesting within the vulnerability research space; this didn’t really give me that much space to actually provide detail or allow this to be stored within a format...

Malicious History - ANY.RUN's Cybersecurity Blog Dec 13, 2022

The End of Sodinokibi: the Infamous Ransomware Goes Down

Sodinokibi was, perhaps, the most ill-renowned ransomware. While it was active, it netted crooks hundreds of millions of dollars, hitting prominent targets such as Apple, Acer, Donald Trump’s lawyers, and most recently, HX5, a US defense company. It took a law enforcement operation coordinated between 17 countries...

Low-level adventures May 9, 2022

Learning Linux kernel exploitation - Part 2 - CVE-2022-0847

Continuing to walk down Linux Kernel exploitation lane. This time around with an unanticipated topic: DirtyPipe as it actually nicely fits the series as an example.

Blog Apr 24, 2022

Demystifying Security Research - Part 1

There are a number of key questions which are always asked by people wanting to get into security research, find out more about how others go about it or just generally improve their processes. In this post I want to highlight some of the things which work for me and some guidance which may help others. This is a...

Low-level adventures Mar 1, 2022

Learning Linux kernel exploitation - Part 1 - Laying the groundwork

Disclaimer: This post will cover basic steps to accomplish a privilege escalation based on a vulnerable driver. The basis for this introduction will be a challenge from the hxp2020 CTF called "kernel-rop". There are (obviously) write-ups for this floating around the net (check

Low-level adventures Feb 13, 2022

Overview of GLIBC heap exploitation techniques

Overview of current GLIBC heap exploitation techniques up to GLIBC 2.34, including their ideas and introduced mitigations along the way

Blog Jun 1, 2021

CVE-2021-30660 - XNU Kernel Memory Disclosure

The msgrcv_nocancel syscall could disclose uninitialized memory from kernel space into userspace. This is due to an incorrect calculation being performed when copying the memory. The vulnerability was patched in the following releases: macOS 11.3, iOS 14.5. Vulnerability Details (sysv_msg.c): The msgrcv_nocancel...

Malicious History - ANY.RUN's Cybersecurity Blog Feb 5, 2021

Rise and Fall of Emotet

Emotet was the most threatening malware in the world. This nightmare of cybersecurity specialists challenged millions of infected computers and caused more than $2 billion in losses. And now the sophisticated botnet is taken down. Emotet was known as a destructive cyber threat out there. And ANY.RUN sandbox faced...

Blog Dec 22, 2020

CVE-2020-9967 - Apple macOS 6LowPAN Vulnerability

Inspired by Kevin Backhouse’s great work on finding XNU remote vulnerabilities I decided to spend some time looking at CodeQL and performing some variant analysis. This led to the discovery of a local root to kernel (although documented by Apple as remote) vulnerability within the 6LowPAN code of macOS 10.15.4....

Malicious History - ANY.RUN's Cybersecurity Blog Sep 17, 2020

Time Bombs: Malware with Delayed Execution

Did you know that there’s malware that behaves just like clichéd ticking bombs from Hollywood blockbusters? It enters the system and waits there, sometimes for ages, with the timer slowly but inevitably counting towards the destructive explosion. Or in our case — execution. Once the time comes, a cyber-bomb like...

Malicious History - ANY.RUN's Cybersecurity Blog Sep 16, 2020

Malware History: MyDoom

MyDoom, sometimes also called Novarg, W32.MyDoom@mm, Shimgapi, and Mimail.R, is a worm-type malware that infects Windows PCs. After infecting machines, the malware gets access to all files and distributes itself to the email contacts of the victim. It also features a countdown timer that starts DoS attacks on...

Blog Jul 27, 2020

Coverage Guided Fuzzing in Go

Recently I had the need to explore coverage guided fuzzing in Go. Whilst there is a bit of information scattered around on multiple different sites, as someone who is fairly new to Go, I couldn’t find a good concise source of information on what is already out there and the current state of play of fuzzer tooling...