HOT NEWS 2026 APRIL
| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
| 27.4.26 | Unauthenticated configuration modification vulnerability in Central Office Services - Content Hosting Component | A security flaw exists in the configuration management endpoint of the DRC INSIGHT software, allowing an unauthenticated user with access to the same network as the server to modify the server’s configuration file. This could enable data exfiltration, traffic redirection, or service disruption. | ALERT | ALERT |
| 26.4.26 | GopherWhisper | GopherWhisper: A burrow full of malware | PAPERS | PAPERS |
| 26.4.26 | Cordial Spider | CORDIAL SPIDER is a financially motivated eCrime adversary that has performed data theft and extortion since at least October 2025. CORDIAL SPIDER gains initial access to victim systems via voice phishing (vishing) calls in which they direct targeted users to single sign-on (SSO)–themed phishing pages. | GROUP | GROUP |
| 26.4.26 | CVE-2026-41651 | PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. | VULNEREBILITY | VULNEREBILITY |
| 26.4.26 | fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet | MALWARE | FRAMEWORK |
| 26.4.26 | The State of BCDR 2025: Future-Proof Your Data Protection Strategies | Data is the backbone of every business, driving innovation, decision-making and customer engagement. Whether you’re an MSP protecting client environments or an internal IT professional securing your organization’s infrastructure, ensuring data availability and security is both a critical responsibility and a strategic advantage. | REPORT | REPORT |
| 26.4.26 | SparkCat | SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play | MALWARE | TROJAN |
| 25.4.26 | PhantomRPC | PhantomRPC: A new privilege escalation technique in Windows RPC | HACKING | HACKING |
| 25.4.26 | CVE-2024-57726 | (CVSS score: 9.9) - A missing authorization vulnerability in SimpleHelp that could allow low-privileged technicians to create API keys with excessive permissions, which can then be used to escalate privileges to the server admin role. | VULNEREBILITY | VULNEREBILITY |
| 25.4.26 | CVE-2024-57728 | (CVSS score: 7.2) - A path traversal vulnerability in SimpleHelp that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e., zip slip), which can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user. | VULNEREBILITY | VULNEREBILITY |
| 25.4.26 | CVE-2024-7399 | (CVSS score: 8.8) - A path traversal vulnerability in Samsung MagicINFO 9 Server that could allow an attacker to write arbitrary files as system authority. | VULNEREBILITY | VULNEREBILITY |
| 25.4.26 | CVE-2025-29635 | (CVSS score: 7.5) - A command injection vulnerability in end-of-life D-Link DIR-823X series routers that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function. | VULNEREBILITY | VULNEREBILITY |
| 25.4.26 | CVE-2025-20333 | (CVSS score: 9.9) - An improper validation of user-supplied input vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests. | VULNEREBILITY | VULNEREBILITY |
| 25.4.26 | CVE-2025-20362 | (CVSS score: 6.5) - An improper validation of user-supplied input vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests. | VULNEREBILITY | VULNEREBILITY |
| 25.4.26 | FIRESTARTER | The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. | MALWARE | BACKDOOR |
| 25.4.26 | UNC6692 | Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration. | GROUP | GROUP |
| 25.4.26 | Operation TrustTrap | CRIL uncovered 16,800+ spoofed domains by analyzing URL trust abuse, cloud infra clustering, and human‑centric deception instead of technical exploits. | OPERATION | OPERATION |
| 25.4.26 | UAT-4356 | Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices. | GROUP | GROUP |
| 24.4.26 | SmartApeSG activity | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 24.4.26 | DarkCloud via Sea-Freight-Themed Malspam | Symantec has observed a DarkCloud info stealer campaign distributed through malspam messages leveraging a sea-freight quotation lure. | ALERTS | SPAM |
| 24.4.26 | Recent Mirai campaign exploits old vulnerabilities | Cybersecurity researchers at Akamai identified a recent campaign leveraging a Mirai botnet variant to compromise network devices. | ALERTS | CAMPAIGN |
| 24.4.26 | Needle Stealer malware spread via fraudulent websites | Malwarebytes researchers recently identified a new cybersecurity threat in the form of a Go-based modular information stealer dubbed Needle Stealer. | VIRUS | |
| 24.4.26 | Dindoor backdoor malware | Dindoor is a malicious backdoor built on the Deno runtime and considered an offshoot of the Tsundere Botnet. | ALERTS | VIRUS |
| 24.4.26 | Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft | While many ransomware groups rely on off-the-shelf utilities such as Rclone or MegaSync to steal victim data, recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process. | ALERTS | VIRUS |
| 24.4.26 | AdaptixC2 | AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks | HACKING | TOOLS |
| 24.4.26 | CVE-2026-33626 | Server-Side Request Forgery (SSRF) in Vision-Language Image Loading | VULNEREBILITY | VULNEREBILITY |
| 24.4.26 | UNC6692 | Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite | GROUP | GROUP |
| 23.4.26 | Checkmarx KICS images | Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions | HACKING | HACKING |
| 23.4.26 | Bitwarden CLI 2026.4.0 | Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign | INCIDENT | INCIDENT |
| 23.4.26 | CanisterSprawl | CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister | MALWARE | PYTHON |
| 23.4.26 | TeamPCP-Style CanisterWorm | Malicious Namastex.ai npm packages appear to replicate TeamPCP-style Canister Worm tradecraft, including exfiltration and self-propagation. | MALWARE | WORM |
| 23.4.26 | Ollama GGUF Quantization Remote Memory Leak | Ollama’s model quantization engine contains a vulnerability that allows an attacker with access to the model upload interface to read and potentially exfiltrate heap memory from the server. | ALERT | ALERT |
| 23.4.26 | Radware Alteon has a reflected XSS vulnerability that can execute JavaScript in the host browser | Radware Alteon has a reflected Cross-Site Scripting (XSS) vulnerability in the parameter ReturnTo of the route /protected/login. This vulnerability allows an attacker to execute JavaScript in the host browser. | ALERT | ALERT |
| 23.4.26 | Terrarium contains a vulnerability that allows arbitrary code execution | Terrarium is a sandbox-based code execution platform that enables users to run and execute code in a controlled environment, providing a secure way to test and validate code. However, a vulnerability has been discovered in Terrarium that allows arbitrary code execution with root privileges on the host Node.js process. | ALERT | ALERT |
| 23.4.26 | NGate Android Malware Targets Brazil with Trojanized HandyPay App | Researchers at ESET have discovered a new variant of the NGate malware family targeting Android users in Brazil. This iteration is particularly notable because it abuses HandyPay, a legitimate NFC relay application, rather than the open-source tools used in previous campaigns. | ALERTS | VIRUS |
| 23.4.26 | Typosquatted Domain Targets Developers with Malicious Antigravity Installer | Researchers at Malwarebytes have uncovered a campaign targeting developers via trojanized installers for Google’s Antigravity tool. The operation relies on a typosquatted domain that impersonates the legitimate site, distributing a version of the genuine application bundled with an additional malicious PowerShell script. | CAMPAIGN | |
| 23.4.26 | NWHStealer via Fake Downloads | Malwarebytes reports that NWHStealer is being spread through a wide mix of lures, including fake Proton VPN downloads, bogus hardware tools, mining software, and gaming mods, showing how broadly this infostealer is being seeded across the web. | ALERTS | VIRUS |
| 23.4.26 | Dual-Payload Loader Pushes Gh0st RAT & CloverPlus adware | Splunk says attackers are using an obfuscated loader to deliver two threats at once: Gh0st RAT for covert remote access and CloverPlus adware for quick monetization, combining long-term compromise with immediate profit. | ALERTS | VIRUS |
| 23.4.26 | Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor | The Harvester APT group has developed a new, highly-evasive, Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses. | APT | |
| 23.4.26 | ZionSiphon malware | Cybersecurity firm Darktrace has uncovered ZionSiphon, a politically motivated malware strain specifically targeting water treatment and desalination plants. | ALERTS | VIRUS |
| 23.4.26 | CVE-2026-28950 | A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2. Notifications marked for deletion could be unexpectedly retained on the device. | VULNEREBILITY | VULNEREBILITY |
| 23.4.26 | GopherWhisper | GopherWhisper: A burrow full of malware | APT | APT |
| 23.4.26 | Harvester | Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor | APT | APT |
| 22.4.26 | LOTUSLITE | LOTUSLITE: Targeted espionage leveraging geopolitical themes | MALWARE | LOADER |
| 22.4.26 | Lotus Wiper | Lotus Wiper: a new threat targeting the energy and utilities sector | MALWARE | WIPER |
| 22.4.26 | Mustang Panda | Same packet, different magic: Mustang Panda hits India's banking sector and Korea geopolitics | APT | APT |
| 22.4.26 | CVE-2026-40372 | ASP.NET Core Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 22.4.26 | CVE-2026-5752 | Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal. | VULNEREBILITY | VULNEREBILITY |
| 22.4.26 | Assessment: Q1 2026 Ransomware Wrap-Up A-2026-04-17a | ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. | REPORT | REPORT |
| 22.4.26 | Kyber Ransomware | Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained | RANSOM | RANSOM |
| 22.4.26 | DFIR Report – The Gentlemen & SystemBC | DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy | RANSOM | RANSOM |
| 22.4.26 | Bridge:Break | Bridge:Break: Vulnerabilities Thrive in Serial-to-Ethernet Converters | VULNEREBILITY | VULNEREBILITY |
| 21.4.26 | Recent Cloverworm campaign targets macOS users with social engineering | Microsoft Threat Intelligence recently exposed a macOS-focused operation attributed to the North Korean state actor Cloverworm (aka Sapphire Sleet). Instead of exploiting software vulnerabilities, the group uses social engineering to compromise systems and exfiltrate sensitive information. | ALERTS | CAMPAIGN |
| 21.4.26 | Cross-Platform and Coordinated: The Gentlemen RaaS Targets Windows, Linux, and ESXi | According to findings from Check Point Research, the emerging "The Gentlemen" Ransomware-as-a-service (RaaS) operation has scaled rapidly in 2026, accounting for hundreds of confirmed victims. The group utilizes a cross-platform locker suite developed in Go and C, facilitating operations across Windows, Linux, and ESXi environments. | RANSOM | |
| 21.4.26 | Nexcorium botnet - a new Mirai variant | Cybersecurity researchers at FortiGuard Labs uncovered a new malicious campaign distributing Nexcorium, a sophisticated malware strain based on the notorious Mirai botnet. The attackers primarily compromise systems by weaponizing CVE-2024-3721, an operating system command injection flaw found in TBK DVR devices. | ALERTS | BOTNET |
| 21.4.26 | "Cracked" Software is Actually Lumma Stealer | Lumma Stealer and SectopRAT (ArechClient2) represent a previously observed attack chain currently resurfacing in a new campaign. The infection typically originates from "cracked" installers for popular software applications. | ALERTS | VIRUS |
| 21.4.26 | PowMix Botnet | Researchers at Cisco Talos recently published an article on PowMix botnet that has been targeting people and organizations in the Czech Republic since at least December 2025, using compliance- and job-themed lures to draw in victims across sectors. | BOTNET | |
| 21.4.26 | Transportation Sector Targeted by RMM-Laced Malspam | In a recent article, Proofpoint describes a cargo-theft-focused intrusion that went well beyond initial access, giving researchers a month-long view into how the actor operated after compromise. The attacker used email-delivered VBS and PowerShell to install ScreenConnect, then layered in additional remote management tools for redundancy and long-term access. | ALERTS | SPAM |
| 21.4.26 | SGLang is vulnerable to remote code execution when rendering chat templates from a model file | A remote code execution vulnerability has been discovered in the SGLang project, specifically in the reranking endpoint (/v1/rerank). A CVE has been assigned to track the vulnerability: CVE-2026-5760. An attacker can create a malicious model for SGLang to achieve RCE. | ALERT | ALERT |
| 21.4.26 | CVE-2026-20133 | Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 21.4.26 | CVE-2026-20128 | Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 21.4.26 | CVE-2026-20122 | Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 21.4.26 | CVE-2025-48700 | Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 21.4.26 | CVE-2025-32975 | Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 21.4.26 | CVE-2025-2749 | Kentico Xperience Path Traversal Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 21.4.26 | CVE-2024-27199 | JetBrains TeamCity Relative Path Traversal Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 21.4.26 | CVE-2023-27351 | PaperCut NG/MF Improper Authentication Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 21.4.26 | NGate | New NGate variant hides in a trojanized NFC payment app | MALWARE | TROJAN AI |
| 21.4.26 | CVE-2026-5760 | SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment(). | VULNEREBILITY | VULNEREBILITY |
| 19.4.26 | ZionSiphon | Inside ZionSiphon: Darktrace’s Analysis of OT Malware Targeting Israeli Water Systems | MALWARE | OT MALWARE |
| 19.4.26 | CVE-2025-60710 | Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. | VULNEREBILITY | VULNEREBILITY |
| 19.4.26 | Nexcorium | Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign | CAMPAIGN | CAMPAIGN |
| 19.4.26 | CVE-2024-3721 | A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. | VULNEREBILITY | VULNEREBILITY |
| 18.4.26 | SessionShark | SessionShark Steals Session Tokens to Slip Past Office 365 MFA | PHISHING | PHISHING KIT |
| 18.4.26 | CVE-2026-5194 | Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions. This could lead to reduced security of ECDSA certificate-based authentication if the public CA key used is also known. This affects ECDSA/ECC verification when EdDSA or ML-DSA is also enabled. | VULNEREBILITY | VULNEREBILITY |
| 18.4.26 | CVE-2026-39987 | marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. | VULNEREBILITY | VULNEREBILITY |
| 17.4.26 | CVE-2026-20180 | A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. | VULNEREBILITY | VULNEREBILITY |
| 17.4.26 | CVE-2026-20186 | A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. | VULNEREBILITY | VULNEREBILITY |
| 17.4.26 | CVE-2026-20147 | (CVSS score: 9.9) - An insufficient validation of user-supplied input vulnerability in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow an authenticated, remote attacker in possession of valid administrative credentials to achieve remote code execution by sending crafted HTTP requests. | VULNEREBILITY | VULNEREBILITY |
| 17.4.26 | CVE-2026-20184 | (CVSS score: 9.8) - An improper certificate validation in the integration of single sign-on (SSO) with Control Hub in Webex Services that could allow an unauthenticated, remote attacker to impersonate any user within the service and gain unauthorized access to legitimate Cisco Webex services. | VULNEREBILITY | VULNEREBILITY |
| 17.4.26 | CVE-2026-34197 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. | VULNEREBILITY | VULNEREBILITY |
| 17.4.26 | UAC-0247 | Hospitals, local self-government bodies and FPV operators in the focus of the UAC-0247 cyber threat cluster | GROUP | GROUP |
| 17.4.26 | PowMix | PowMix botnet targets Czech workforce | BOTNET | BOTNET |
| 17.4.26 | PhantomPulse | Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT | MALWARE | RAT |
| 16.4.26 | The n8n n8mare | The n8n n8mare: How threat actors are misusing AI workflow automation | AI | AI |
| 15.4.26 | CVE-2026-39808 | (CVSS score: 9.1) - An operating system command injection vulnerability in FortiSandbox that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. (Fixed in version 4.4.9) | VULNEREBILITY | VULNEREBILITY |
| 15.4.26 | CVE-2026-39813 | (CVSS score: 9.1) - A path traversal vulnerability in FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. (Fixed in versions 4.4.9 and 5.0.6) | VULNEREBILITY | VULNEREBILITY |
| 15.4.26 | CVE-2026-27681 | SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse | VULNEREBILITY | VULNEREBILITY |
| 15.4.26 | MCPwnfluence | MCPwnfluence: Critical Unauthenticated SSRF to RCE Attack Chain in the Most Widely Used Atlassian MCP Server | VULNEREBILITY | VULNEREBILITY |
| 15.4.26 | CVE-2026-33032 | Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". | VULNEREBILITY | VULNEREBILITY |
| 15.4.26 | Hospitals, local self-government bodies and FPV operators in the focus of the UAC-0247 cyber threat cluster | During March and April 2026, CERT-UA recorded an intensification of cyberattacks against local self-government bodies and, above all, municipal healthcare institutions, in particular clinical hospitals and emergency (ambulance) medical care hospitals. | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 15.4.26 | CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 15.4.26 | CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 15.4.26 | CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 15.4.26 | CVE-2026-40176 | (CVSS score: 7.8) - An improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer. | VULNEREBILITY | VULNEREBILITY |
| 15.4.26 | CVE-2026-40261 | (CVSS score: 8.8) - An improper input validation vulnerability stemming from inadequate escaping that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. | VULNEREBILITY | VULNEREBILITY |
| 14.4.26 | CVE-2026-21643 | (CVSS score: 9.1) - An SQL injection vulnerability in Fortinet FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | VULNEREBILITY | VULNEREBILITY |
| 14.4.26 | CVE-2020-9715 | (CVSS score: 7.8) - A use-after-free vulnerability in Adobe Acrobat Reader that could result in remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 14.4.26 | CVE-2023-36424 | (CVSS score: 7.8) - An out-of-bounds read vulnerability in Microsoft Windows Common Log File System Driver that could result in privilege escalation. | VULNEREBILITY | VULNEREBILITY |
| 14.4.26 | CVE-2023-21529 | (CVSS score: 8.8) - A deserialization of untrusted data in Microsoft Exchange Server that could allow an authenticated attacker to achieve remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 14.4.26 | CVE-2025-60710 | (CVSS score: 7.8) - An improper link resolution before file access vulnerability in Host Process for Windows Tasks that could allow an authorized attacker to elevate privileges locally. | VULNEREBILITY | VULNEREBILITY |
| 14.4.26 | CVE-2012-1854 | (CVSS score: 7.8) - An insecure library loading vulnerability in Microsoft Visual Basic for Applications (VBA) that could result in remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 14.4.26 | CVE-2025-0520 | ShowDoc unrestricted file upload vulnerability | VULNEREBILITY | VULNEREBILITY |
| 14.4.26 | Mirax | Mirax: a new Android RAT turning infected devices into potential residential proxy nodes | MALWARE | ANDROID RAT |
| 14.4.26 | JanelaRAT | JanelaRAT: a financial threat targeting users in Latin America | MALWARE | RAT |
| 14.4.26 | APT37 | APT37’s Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks | APT | APT |
| 13.4.26 | CPU-Z / HWMonitor watering hole infection – a copy-pasted attack | On April 9, 2026, the website cpuid[.]com, hosting installers for popular system administration software CPU-Z, HWMonitor (HWMonitor Pro) and Perfmonitor 2, was compromised. | INCIDENT | INCIDENT |
| 13.4.26 | CVE-2026-34621 | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. | VULNEREBILITY | VULNEREBILITY |
| 12.4.26 | Iranian-Affiliated APT Targeting of Rockwell/Allen-Bradley PLCs | Internet Exposure Assessment in Response to CISA Advisory AA26-097A | ICS | ICS |
| 12.4.26 | Storm-2755 | Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees | GROUP | GROUP |
| 12.4.26 | VENOM | Meet VENOM: The PhaaS Platform That Neutralizes MFA | MALWARE | MALWARE |
| 12.4.26 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 12.4.26 | CVE-2026-34197 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. | VULNEREBILITY | VULNEREBILITY |
| 12.4.26 | Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure | Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure | REPORT | REPORT |
| 10.4.26 | VantaBlack Ransomware | VantaBlack (self-chosen name) is a ransomware actor first observed in late 2025. Their ransomware is a Windows x64 binary built for double extortion: it encrypts files using a modern Salsa20/ChaCha symmetric cipher paired with an asymmetric RSA public key for key encapsulation (two distinct encrypted file extensions have been observed across samples — .E2WN0 and .35RUT), while simultaneously exfiltrating data with threatened publication on a dedicated leak site. | ALERTS | RANSOM |
| 10.4.26 | Torg Grabber Infostealer | Cybersecurity experts at Gen Digital have discovered a rapidly evolving information-stealing malware known as Torg Grabber. This variant is distributed via the ClickFix social engineering attack techniques. Once a system is compromised, Torg Grabber proceeds to extract sensitive data from system web browsers, aiming for user credentials, autofill details and cookies, among others. | VIRUS | |
| 10.4.26 | Masjesu botnet | Masjesu botnet is a highly advanced threat targeting the Internet of Things (IoT). As reported by the researchers from Trellix, the malware is primarily marketed on Telegram as a DDoS-for-hire service. The botnet infects a diverse spectrum of IoT hardware, including gateways and routers, and is compatible with numerous complex system architectures. | ALERTS | BOTNET |
| 10.4.26 | LucidRook Campaigns Target Taiwanese Entities | Researchers at Cisco Talos have identified LucidRook, a Lua-based stager used by UAT-10362 to target Taiwanese entities. Delivered through spear-phishing lures disguised as antivirus installers (LNK/EXE), LucidRook often operates alongside LucidPawn, a dropper, and LucidKnight, a reconnaissance tool. | ALERTS | CAMPAIGN |
| 10.4.26 | Operation NoVoice - a new Android malware delivery campaign | Cybersecurity researchers at McAfee have uncovered "Operation NoVoice," a widespread mobile malware campaign utilizing exploits for previously patched Android vulnerabilities from 2016 to 2021. Threat actors have been observed to distribute a malicious rootkit module via the Google Play Store, hiding it within more than fifty seemingly harmless applications, such as games and device cleaner apps. | OPERATION | |
| 10.4.26 | CVE-2026-33017 - Langflow Code Injection vulnerability exploited in the wild | CVE-2026-33017 is a recently disclosed critical (CVSS score 9.3) Code Injection vulnerability affecting Langflow, which is a tool for building and deploying AI-powered agents and workflows. If successfully exploited the flaw might allow the attackers to execute arbitrary code within the context of the vulnerable application, leading to full compromise of the underlying server. | ALERTS | VULNEREBILITY |
| 10.4.26 | CVE-2026-22765 - Dell Wyse Management Suite vulnerability | CVE-2026-22765 is a recently disclosed high severity (CVSS score 8.8) Missing Authorization vulnerability affecting Dell Wyse Management Suite, which is a centralized, web-based management solution designed to configure and monitor Dell thin client endpoints. | VULNEREBILITY | |
| 10.4.26 | Supply-chain attack: Axios npm compromise | StepSecurity reported that the widely used npm package axios — with over 100 million weekly downloads — was briefly compromised through two malicious releases, 1.14.1 and 0.30.4, published from a hijacked maintainer account on March 30–31, 2026. The poisoned versions did not alter axios's own code; instead, they added a hidden dependency, plain-crypto-js@4.2.1, whose postinstall script deployed a cross-platform remote access trojan for Windows, macOS, and Linux. | HACKING | |
| 10.4.26 | Casbaneiro Banking Trojan Campaigns Target Latin America and Europe | The Augmented Marauder threat group has evolved, deploying a sophisticated multi-pronged campaign that pairs the Casbaneiro banking trojan with the Horabot spreader. Researchers from BlueVoyant have highlighted that this duo targets Spanish-speaking organizations by transitioning from password-protected PDFs to obfuscated VBScript and AutoIT loaders. | ALERTS | CAMPAIGN |
| 10.4.26 | Qilin Ransomware Deploys Kernel-Level EDR Killer to Blind Defenses | A sophisticated Qilin ransomware campaign has been identified using a specialized "EDR Killer" tool to neutralize enterprise defenses. According to Cisco Talos, the attack begins with a malicious DLL sideloading technique that deploys dual kernel drivers. | RANSOM | |
| 10.4.26 | Cybercriminals bait users with leaked Anthropic Claude Code on GitHub to deliver Vidar Stealer | Following Anthropic’s accidental exposure of Claude Code source code through an npm package on March 31, 2026, cybercriminals swiftly capitalized on this incident. As reported by Zscaler, the malicious actors established a highly visible GitHub repository masquerading as the leaked data. Instead of receiving legitimate source code, victims inadvertently downloaded a malicious Rust-based executable disguised as a standard setup file. | ALERTS | VIRUS |
| 10.4.26 | Malicious LNK Delivery and GitHub-Based C2 Observed in New DPRK Campaign | Fortinet researchers have identified a sophisticated DPRK-linked campaign targeting Windows environments via malicious LNK files. The attack uses encoded PowerShell scripts and employs GitHub for command-and-control operations. | ALERTS | APT |
| 11.4.26 | The Phishing Kits Economy in Cybercrime Markets | In the early days of phishing, attackers didn’t need much more than a crude HTML form. The designs were sloppy, the logos were wrong, and sometimes the page didn’t even resemble the real service, yet people still typed in their usernames and passwords. | ANALÝZA | ANALÝZA |
| 10.4.26 | PRISMEX | The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX. | MALWARE | MALWARE |
| 10.4.26 | ESPIONAGE FOR REPRESSION: FORENSIC ANALYSIS OF A CROSS-BORDER HACK-FOR-HIRE CAMPAIGN TARGETING CIVIL SOCIETY IN MENA | ESPIONAGE FOR REPRESSION: FORENSIC ANALYSIS OF A CROSS-BORDER HACK-FOR-HIRE CAMPAIGN TARGETING CIVIL SOCIETY IN MENA | PAPERS | PAPERS |
| 10.4.26 | Chaos | Darktrace Identifies New Chaos Malware Variant Exploiting Misconfigurations in the Cloud | MALWARE | GO |
| 10.4.26 | Masjesu Rising | Masjesu Rising: The Commercial IoT Botnet Built for Stealth, DDoS, and IoT Evasion | BOTNET | BOTNET |
| 10.4.26 | LucidRook | New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations | MALWARE | LUA |
| 10.4.26 | Rotten Apple | Rotten Apple: An Invasive Threat Actor Targeting Civil Society in Lebanon | CAMPAIGN | CAMPAIGN |
| 10.4.26 | BITTER APT | Beyond BITTER: MENA Civil Society Targeted in Hack-For-Hire Operation Linked to BITTER APT | APT | APT |
| 10.4.26 | Pawn Storm Campaign | Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities | CAMPAIGN | CAMPAIGN |
| 8.4.26 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2025-52691 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2025-10035 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2025-31161 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2024-57728 | A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2024-57727 | CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2024-57726 | SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2024-27199 | SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2024-27198 | In JetBrains TeamCity before 2023.11.4, a path traversal vulnerability allowed limited admin actions to be performed. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2024-1709 | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowed admin actions to be performed. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2024-1708 | ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker to execute remote code or directly impact confidential data or critical systems. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2024-21887 | A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2023-46805 | An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2023-27351 | This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2023-21529 | Microsoft Exchange Server Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | SOHO router compromise | SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks | INCIDENT | INCIDENT |
| 8.4.26 | Internet-exposed ComfyUI instances | Hackers Are Attempting to Turn ComfyUI Servers Into a Cryptomining Proxy Botnet | CAMPAIGN | CAMPAIGN |
| 8.4.26 | Python-Based Backdoor and Changes in Distribution Techniques | Malicious LNK Files Distributing a Python-Based Backdoor and Changes in Distribution Techniques (Kimsuky Group) | HACKING | MALWARE |
| 8.4.26 | GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit | Over the years, Rowhammer has been leveraged to mount a wide range of attacks against system main memory. | PAPERS | PAPERS |
| 8.4.26 | GDDRHammer: Greatly Disturbing DRAM Rows — Cross-Component Rowhammer Attacks from Modern GPUs | While Rowhammer has been extensively studied in CPU-based memory systems, a very recent work by Lin et al. (USENIX Security '25) extended this line of research to GDDR6 GPU memory, demonstrating the first Rowhammer bit flips on NVIDIA GPUs. | PAPERS | PAPERS |
| 8.4.26 | GPUHammer: Rowhammer Attacks on GPU Memories are Practical | Rowhammer is a read disturbance vulnerability in modern DRAM that causes bit-flips, compromising security and reliability. | PAPERS | PAPERS |
| 8.4.26 | ChainShell | ChainShell: MuddyWater’s Russian MaaS Link | MALWARE | SHELL |
| 8.4.26 | Handala | Handala: MOIS Linked Cyber Influence Ecosystem Threat Intelligence Assessment | HACKING | MALWARE |
| 8.4.26 | CVE-2025-59528 | RCE in FlowiseAI/Flowise | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | APT28 | APT28 exploit routers to enable DNS hijacking operations | APT | APT |
| 8.4.26 | CVE-2023-50224 | TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | CVE-2026-34040 | AuthZ plugin bypass with oversized request body | VULNEREBILITY | VULNEREBILITY |
| 8.4.26 | FrostArmada | A DNS setting change on a single router can quietly reroute an entire network’s authentication traffic. In FrostArmada, Lumen observed Forest Blizzard using that technique to feed targeted logins into Attacker-in-the-Middle (AitM) infrastructure, scaling from limited activity to thousands of victims worldwide. | GROUP | GROUP |
| 8.4.26 | Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks: 2026 Updates | The Halcyon Ransomware Research Center (RRC) has seen increased activity in the Middle East region and calls to action, since the initiation of kinetic activity against Iran over the weekend. | ANALÝZA | ANALÝZA |
| 8.4.26 | Pay2Key | Pay2Key Iranian-Linked Ransomware is Back, Back Again | GROUP | RANSOMWARE |
| 8.4.26 | Storm-1175 | Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations | GROUP | GROUP |
| 8.4.26 | PIONEER KITTEN | Who Is PIONEER KITTEN? | GROUP | APT |
| 8.4.26 | Iran-nexus Password Spray Campaign Targeting Cloud Environments | Iran-nexus Password Spray Campaign Targeting Cloud Environments, with a Focus on the Middle East | CAMPAIGN | CAMPAIGN |
| 8.4.26 | DPRK-Related Campaigns with LNK and GitHub C2 | How DPRK actors use LNK files and GitHub C2 to evade detection and maintain persistence | CAMPAIGN | CAMPAIGN |
| 8.4.26 | ROKRAT | Scarcruft’s ROKRAT Malware: Recent Changes | MALWARE | RAT |
| 8.4.26 | Qilin EDR killer infection chain | Endpoint detection and response (EDR) tools are widely deployed and far more capable than traditional antivirus. As a result, attackers use EDR killers to disable or bypass them. | HACKING | RANSOMWARE |
| 8.4.26 | DPRK Malware Modularity | DPRK Malware Modularity: Diversity and Functional Specialization | HACKING | MALWARE |
| 6.4.26 | Cisco Talos year review | The 2025 threat landscape was defined by an unprecedented acceleration in the speed of vulnerability exploitation, with adversaries weaponizing new security flaws like React2Shell and ToolShell almost immediately upon disclosure. | REPORT | REPORT |
| 6.4.26 | 2026-ciso-report | 35,000 Chief Information Security Officers Employed Globally in 2026 | REPORT | REPORT |
| 6.4.26 | m-trends-2026 | M-Trends serves as a definitive look at the threats and tactics used in breaches, grounded in over 500k hours of frontline incident investigations conducted by Mandiant in 2025. | REPORT | REPORT |
| 5.4.26 | Operation NoVoice | Operation NoVoice: Rootkit Tells No Tales | OPERATION | OPERATION |
| 5.4.26 | CVE-2025-53521 | When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | VULNEREBILITY | VULNEREBILITY |
| 5.4.26 | CVE-2026-3502 | TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user. | VULNEREBILITY | VULNEREBILITY |
| 5.4.26 | RoadK1ll | RoadK1ll: A WebSocket Based Pivoting Implant | HACKING | HACKING |
| 5.4.26 | CVE-2026-4415 | Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation. | VULNEREBILITY | VULNEREBILITY |
| 5.4.26 | TA416 | I’d come running back to EU again: TA416 resumes European government espionage campaigns | GROUP | GROUP |
| 5.4.26 | Cookie-controlled PHP webshells | Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments | HACKING | HACKING |
| 5.4.26 | MuPDF by Artifex contains integer overflow vulnerability. | Artifex's MuPDF contains an integer overflow vulnerability, CVE-2026-3308, in versions up to and including 1.27.0. Using a specially crafted PDF, an attacker can trigger an integer overflow resulting in out-of-bounds heap writes. | ALERT | ALERT |
| 4.4.26 | Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets | Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints. | OPERATION | OPERATION |
| 4.4.26 | Operation DualScript – A Multi-Stage PowerShell Malware Campaign Targeting Cryptocurrency and Financial Activity | During our investigation, we identified a multi-stage malware infection leveraging Scheduled Task persistence, VBScript launchers, and PowerShell-based execution. The attack operates through two parallel chains:... | OPERATION | OPERATION |
| 3.4.26 | Infiniti Stealer | Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka | MALWARE | MACOS |
| 3.4.26 | CVE-2026-21643 | An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | VULNEREBILITY | VULNEREBILITY |
| 3.4.26 | CVE-2026-3098 | The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | VULNEREBILITY | VULNEREBILITY |
| 3.4.26 | Chinese-Nexus Monarch APT Deploys In-Memory AtlasCross RAT via Fake Installers | A recent report by Hexastrike details a campaign by Monarch (also known as Silver Fox or Void Arachne), a Chinese-nexus APT targeting Chinese-speaking users. The campaign leverages typosquatted domains impersonating popular applications such as Microsoft Teams, Signal, Telegram, and Zoom to distribute ZIP archives disguised as legitimate installers. | ALERTS | APT |
| 3.4.26 | CrystalX malware | CrystalX RAT is a novel Malware-as-a-Service (MaaS) variant marketed across Telegram and YouTube and utilizing promotional tactics like giveaways and video demonstrations. | VIRUS | |
| 3.4.26 | XLoader Levels Up: Advanced Obfuscation Fuels Stealthy Data Theft | An evolution of the Formbook infostealer, XLoader is doubling down on stealth. New variants detailed by Zscaler researchers employ advanced obfuscation and multi-layered network protection to mask their command-and-control infrastructure. | ALERTS | VIRUS |
| 3.4.26 | CrystalX | A laughing RAT: CrystalX combines spyware, stealer, and prankware features | MALWARE | RAT |
| 3.4.26 | UAT-10608 | UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications | GROUP | GROUP |
| 3.4.26 | Multi-Tool Mining Operation | Fake Installers to Monero: A Multi-Tool Mining Operation | OPERATION | OPERATION |
| 3.4.26 | CVE-2026-20093 | Cisco Integrated Management Controller Authentication Bypass Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 2.4.26 | Torg Grabber | Torg Grabber: Anatomy of a New Credential Stealer | MALWARE | STEALER |
| 2.4.26 | Xinbi | UK Government Designates Xinbi, Key Node in Chinese-Language Crypto-Enabled Scam Infrastructure | CRYPTOCURRENCY | CRYPTOCURRENCY |
| 2.4.26 | Bubble | Bubble: a new tool for phishing scams | PHISHING | TOOLS |
| 1.4.26 | Resoker RAT malware | Resoker is a recently identified Remote Access Trojan (RAT) designed to grant threat actors comprehensive control over compromised endpoints. Unlike conventional malware that relies on dedicated centralized server infrastructure, this threat leverages legitimate Telegram Bot APIs instead. | ALERTS | VIRUS |
| 1.4.26 | Prismex malware distributed by the Swallowtail APT | Swallowtail threat group (also known as Pawn Storm, APT28 or Fancy Bear) has been reported to have launched a major cyber espionage campaign targeting the military and humanitarian supply chains of Ukraine and its allies across Central and Eastern Europe | VIRUS | |
| 1.4.26 | BrushWorm and BrushLogger malware | Elastic Security Labs recently uncovered a cyberattack targeting a financial organization in South Asia, deploying two custom-built malicious tools: a backdoor dubbed BrushWorm and a keylogger named BrushLogger. BrushWorm serves as the primary infection mechanism. | ALERTS | VIRUS |
| 1.4.26 | BPFdoor - a stealthy backdoor distributed to telecommunications network for persistent access | A recent investigation by Rapid7 Labs has exposed a highly sophisticated, long-term espionage operation orchestrated by the Red Menshen threat group. Targeting global telecommunications providers and government networks, the group's primary objective is to embed stealthy malware deep within critical systems to maintain undetected, persistent access. | VIRUS | |
| 1.4.26 | EtherRAT malware distribution campaign | EtherRAT is a highly sophisticated malware designed to execute unauthorized commands, exfiltrate cloud credentials, and drain cryptocurrency wallets from the infected systems. A defining characteristic of this threat is its use of "EtherHiding", an increasingly prevalent evasion tactic that leverages the Ethereum blockchain to conceal its Command-and-Control (C2) infrastructure. | VIRUS | |
| 1.4.26 | HRSword tool abused by ransomware actors | The HRSword is a specialized, legitimate system monitoring tool developed by Chinese cybersecurity firm Huorong Network Technology, designed for diagnosing Windows system issues | RANSOM | |
| 1.4.26 | TDSSKiller tool abused by ransomware actors | TDSSKiller is a portable, free utility used to detect and remove advanced rootkits and bootkits that hide from standard antivirus software. | ALERTS | RANSOM |
| 1.4.26 | Three China-Aligned Clusters Orchestrate Layered Intrusion Against SEA Government | Unit 42 researchers at Palo Alto Networks identified a multi-faceted cyberespionage campaign targeting a Southeast Asian government, attributed to three China-aligned clusters. | CAMPAIGN | |
| 1.4.26 | A new GlassWorm distribution campaign | Cybersecurity experts at Aikido identified a sophisticated new phase of the GlassWorm malware campaign, which utilizes a complex, multi-stage attack framework to steal sensitive data and deploy a remote access trojan variant. | ALERTS | CAMPAIGN |
| 1.4.26 | Kyverno is vulnerable to server-side request forgery (SSRF) | Kyverno, versions 1.16.0 to present, contains an SSRF vulnerability in its CEL-based HTTP functions, which lack URL validation or namespace scoping and allow namespaced policies to trigger arbitrary internal HTTP requests. | ALERT | ALERT |
| 1.4.26 | CrewAI contains multiple vulnerabilities including SSRF, RCE and local file read | Four vulnerabilities have been identified in CrewAI, including remote code execution (RCE), arbitrary local file read, and server-side request forgery (SSRF). CVE-2026-2275 is directly caused by the Code Interpreter Tool. | ALERT | ALERT |
| 1.4.26 | UAC-0255 cyberattack disguised as a notification from CERT-UA, using the AGEWHEEZE software tool (CERT-UA#21075) | On 26-27 March 2026, the national cyber incident, cyberattack and cyber threat response team CERT-UA recorded cases of e-mails being distributed purportedly on behalf of CERT-UA, urging recipients to download a password-protected archive ("CERT_UA_protection_tool.zip", "protection_tool.zip") from the Files.fm service and install "specialized software". | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 1.4.26 | WhatsApp malware campaign | WhatsApp malware campaign delivers VBScript and MSI backdoors | CAMPAIGN | CAMPAIGN |
| 1.4.26 | Augmented Marauder’s Multi-Pronged Casbaneiro Campaigns | Unpacking Augmented Marauder’s Multi-Pronged Casbaneiro Campaigns | CAMPAIGN | CAMPAIGN |
| 1.4.26 | CVE-2026-5281 | Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | VULNEREBILITY | VULNEREBILITY |
| 1.4.26 | UNC1069 | North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack | GROUP | GROUP |
| 1.4.26 | CVE-2026-3502 | TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. | VULNEREBILITY | VULNEREBILITY |