HOT NEWS 2026 MARCH

| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
|---|---|---|---|---|
| 31.3.26 | axios Compromised | axios Compromised: npm Supply Chain Attack via Dependency Injection | INCIDENT | INCIDENT |
| 31.3.26 | AtlasCross RAT | Trust the Tunnel, Get the Trojan: Silver Fox Delivers AtlasCross RAT via Weaponized VPN Installers | MALWARE | RAT |
| 31.3.26 | DeepLoad | DeepLoad Malware Pairs ClickFix Delivery with AI-Generated Evasion | MALWARE | LOADER |
| 30.3.26 | CTRL TOOLKIT | Under CTRL: Dissecting a Previously Undocumented Russian .Net Access Framework | MALWARE | TOOLKIT |
| 28.3.26 | CVE-2025-53521 | F5 BIG-IP Unspecified Vulnerability: F5 BIG-IP AMP contains an unspecified vulnerability that could allow a threat actor to achieve remote code execution. | VULNERABILITY | VULNERABILITY |
| 28.3.26 | CVE-2026-3055 | Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread | VULNERABILITY | VULNERABILITY |
| 28.3.26 | CVE-2026-4681 | A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. | VULNERABILITY | VULNERABILITY |
| 28.3.26 | CVE-2025-15517 | A missing authentication check in the HTTP server on TP-Link Archer NX200, NX210, NX500 and NX600 to certain cgi endpoints allows unauthenticated access intended for authenticated users. An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations. | VULNERABILITY | VULNERABILITY |
| 28.3.26 | VoidStealer | VoidStealer: Debugging Chrome to Steal Its Secrets | MALWARE | STEALER |
| 28.3.26 | Ghost SPN Attack | The Ghost SPN Attack: Catching Stealthy Kerberoasting Before It's Too Late Using Trellix NDR | ATTACK | ATTACK |
| 27.3.26 | Open Sesame | Open Sesame: How a Fail-Open Bug in Open VSX's New Scanner Let Malware Walk Right In | VULNERABILITY | VULNERABILITY |
| 27.3.26 | BPFdoor | The strategic positioning of covert access within the world’s telecommunication networks | MALWARE | BACKDOOR |
| 27.3.26 | Bearlyfy | Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware | GROUP | GROUP |
| 26.3.26 | Poisoned Typeface | Poisoned Typeface: How Simple Font Rendering Poisons Every AI Assistant, And Only Microsoft Cares | AI | |
| 26.3.26 | CVE-2026-3564 | A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios. | ||
| 26.3.26 | Oblivion RAT - a new mobile threat | Oblivion RAT is a recently discovered, sophisticated Android Remote Access Trojan (RAT) that operates under the Malware-as-a-Service (MaaS) business model. As reported by the researchers from iVerify, this malware relies heavily on a two-stage infection sequence initiated through targeted social engineering tactics, often deployed across popular messaging or dating applications. | ALERTS | VIRUS |
| 26.3.26 | FAUX#ELEVATE: The "CV" Malware Squeezing Enterprise CPUs for Monero | The FAUX#ELEVATE campaign is a sophisticated operation targeting French enterprises using deceptive job application lures. As detailed in a report by researchers at Securonix, this threat utilizes a heavily bloated VBScript dropper, where nearly all content consists of junk text to bypass traditional security scanners. | OPERATION | |
| 26.3.26 | MioLab Stealer | MioLab is a macOS stealer offered through a malware-as-a-service framework. In a recent article, researchers at LevelBlue outlined its capabilities, noting that it is designed to harvest browser credentials, cookies, Keychain data, Apple Notes, files, and a wide range of cryptocurrency wallets, with a particular focus on high-value crypto theft. | ALERTS | VIRUS |
| 26.3.26 | PureHVNC via Google Form lures | Researchers recently observed PureHVNC as the final payload in a campaign that used fake business workflows on Google Forms, including job interviews, project briefs, and financial documents, to lure victims into downloading ZIP archives. | CAMPAIGN | |
| 26.3.26 | PureLog via Copyright Bait | Researchers at Trend Micro recently published an article on a PureLog Stealer campaign that uses fake copyright-violation notices as bait, with lure filenames matched to the victim’s language to improve execution. | CAMPAIGN | |
| 26.3.26 | VoidStealer | Gen Digital has detailed a new infostealer, VoidStealer, which is notable for being the first seen in the wild using a debugger-based bypass of Chrome’s Application-Bound Encryption (ABE). | VIRUS | |
| 26.3.26 | CVE-2026-22557 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account. | ||
| 26.3.26 | WebRTC skimmer bypasses | Sansec discovered a payment skimmer that uses WebRTC DataChannels to receive its payload and exfiltrate stolen data, bypassing CSP and HTTP-based security tools. | HACKING | HACKING |
| 26.3.26 | Coruna | Coruna: the framework used in Operation Triangulation | EXPLOIT | EXPLOIT |
| 26.3.26 | ShadowPrompt | ShadowPrompt: How Any Website Could Have Hijacked Claude's Chrome Extension | HACKING | AI |
| 25.3.26 | IDrive for Windows contains local privilege escalation vulnerability | The IDrive Cloud Backup Client for Windows, versions 7.0.0.63 and earlier, contains a privilege escalation vulnerability that allows any authenticated user to run arbitrary executables with NT AUTHORITY\SYSTEM permissions. | ALERT | ALERT |
| 25.3.26 | Hard-coded credentials vulnerability in GoHarbor's Harbor | GoHarbor's Harbor default admin password presents a security risk because it does not require change upon initial deployment. | ALERT | ALERT |
| 25.3.26 | Microsoft 365 Token Attack Infrastructure | Riding the Rails: Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure | HACKING | HACKING |
| 25.3.26 | | Analyzing FAUX#ELEVATE: Threat Actors Target France with CV Lures to Deploy Crypto miners and Infostealers Targeting Enterprise Environments | | |
| 25.3.26 | | From W-2 to BYOVD: How a Tax Search Leads to Kernel-Mode AV/EDR Kill | TOOL | |
| 25.3.26 | | GlassWorm Hides a RAT Inside a Malicious Chrome Extension | WORM | |
| 25.3.26 | | A compromised release steals credentials and spreads to Kubernetes clusters. First reported to PyPI by FutureSearch. | | |
| 24.3.26 | | (CVSS score: 9.3) - Insufficient input validation leading to memory overread | | |
| 24.3.26 | | (CVSS score: 7.7) - Race condition leading to user session mixup | | |
| 24.3.26 | | StoatWaffle, malware used by WaterPlum | LOADER | |
| 24.3.26 | | Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover. | | |
| 22.3.26 | | Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker. | | |
| 22.3.26 | | In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). | | |
| 21.3.26 | CVE-2026-21992 | Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). | ||
| 21.3.26 | Multi-stage malware distribution through typosquatted Telegram websites | Cybersecurity analysts from K7 Security Labs have uncovered a sophisticated malicious campaign leveraging a typosquatted Telegram domain, "telegrgam[.]com," to trick unsuspecting users into downloading compromised software installers. | ALERTS | VIRUS |
| 21.3.26 | Winos4.0 malware distributed as a fake KakaoTalk installer | Security researchers at the AhnLab Security Intelligence Center (ASEC) have uncovered a widespread cyberattack utilizing Search Engine Optimization (SEO) poisoning to distribute a Winos4.0 malware variant. This deceptive campaign successfully compromised more than 5,000 computers by disguising a malicious payload as the standard installation file for the widely used messaging application, KakaoTalk. | VIRUS | |
| 21.3.26 | Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign | A series of attacks on Libyan organizations hit an oil refinery, a telecoms organization and a state institution between November 2025 and February 2026. These attacks delivered the AsyncRAT backdoor, which is a publicly available backdoor that has previously been used by state-sponsored groups. | APT | |
| 21.3.26 | Perseus mobile malware | Security researchers from Threat Fabric have reported on a new mobile malware called Perseus which is actively circulating in the wild. Representing the next evolutionary stage of older malware families like Cerberus and Phoenix, Perseus functions as a sophisticated, flexible framework designed for a complete device compromise. | VIRUS | |
| 21.3.26 | Polymorphic Scripts and Fake Overlays: Inside the Latest Horabot Surge | Horabot has re-emerged as a sophisticated, multi-stage campaign targeting Latin America, especially Mexico, using ClickFix-style CAPTCHAs and phishing lures to initiate infection. These lures are generated on compromised systems by hijacking email data and sending malicious PDF attachments. | ALERTS | VIRUS |
| 21.3.26 | Recent activities attributed to the SeedWorm threat group | SeedWorm (aka Boggy Serpens, Muddy Water) is an Iranian state-sponsored cyberespionage threat actor active since at least 2017. According to a recent report published by Palo Alto's Unit42, this threat group has been employing high-volume strategies, relying on broad spear-phishing and legitimate remote management software to infiltrate targets. | GROUP | |
| 21.3.26 | DrillApp backdoor | LAB52 researchers uncovered a recent cyberespionage campaign aimed at Ukrainian organizations. At the core of this operation is a newly discovered, JavaScript-based backdoor dubbed DrillApp. Rather than relying on a traditional standalone executable execution, the malware hijacks the Microsoft Edge browser to infiltrate victim networks. | VIRUS | |
| 21.3.26 | New Malware Targets Users of Cobra DocGuard Software | Symantec and Carbon Black researchers have uncovered a mysterious and stealthy new threat that hijacks functionality and infrastructure of the legitimate security software Cobra DocGuard. Infostealer.Speagle is designed to surreptitiously harvest sensitive information from infected computers and transmit it to a Cobra DocGuard server that has been compromised by the attackers, masking the data exfiltration process as legitimate communications between client and server. | VIRUS | |
| 21.3.26 | SnappyClient | In a new technical analysis, Zscaler researchers detail SnappyClient, a stealthy C++-based command-and-control implant often delivered through HijackLoader. Operating largely in memory, it blends evasive techniques like Antimalware Scan Interface (AMSI) bypasses and direct system calls with encrypted communications to avoid detection. | VIRUS | |
| 21.3.26 | CVE-2025-31277 | (CVSS score: 8.8) - A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content. (Fixed in July 2025) | ||
| 21.3.26 | CVE-2025-43510 | (CVSS score: 7.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected changes in memory shared between processes. (Fixed in December 2025) | ||
| 21.3.26 | CVE-2025-43520 | (CVSS score: 8.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected system termination or write kernel memory. (Fixed in December 2025) | ||
| 21.3.26 | CVE-2025-32432 | (CVSS score: 10.0) - A code injection vulnerability in Craft CMS that could allow a remote attacker to execute arbitrary code. (Fixed in April 2025) | ||
| 21.3.26 | CVE-2025-54068 | (CVSS score: 9.8) - A code injection vulnerability in Laravel Livewire that could allow unauthenticated attackers to achieve remote command execution in specific scenarios. (Fixed in July 2025) | ||
| 21.3.26 | CanisterWorm | Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets | MALWARE | WORM |
| 21.3.26 | Operation GhostMail | | OPERATION | OPERATION |
| 21.3.26 | PureLog Stealer | We look into a stealthy multi‑stage attack campaign that delivers PureLog Stealer entirely in memory using encrypted, fileless techniques. | MALWARE | STEALER |
| 21.3.26 | KEENADU | Keenadu malware gives an attacker control over a device but appears to be used primarily to facilitate ad fraud | MALWARE | ANDROID |
| 21.3.26 | Scarface Stealer | This week, the SonicWall Capture Labs Threat Research team analyzed a sample of ScarfaceStealer, a Go-compiled information stealer that utilizes sophisticated anti-analysis techniques including: | MALWARE | STEALER |
| 20.3.26 | CVE-2026-33017 | Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint | ||
| 20.3.26 | Speagle | New Malware Targets Users of Cobra DocGuard Software | MALWARE | INFOSTEALER |
| 20.3.26 | The technology behind EDR killers | ESET researchers dive deeper into the EDR killer ecosystem, disclosing how attackers abuse vulnerable drivers | HACKING | EDR |
| 20.3.26 | Perseus | Perseus: DTO malware that takes notes | MALWARE | ANDROID |
| 19.3.26 | Seven days of scans and probes and web traffic hitting my web server | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 19.3.26 | DarkSword | Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites | ||
| 19.3.26 | CVE-2025-43520 | Memory corruption vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1) | ||
| 19.3.26 | CVE-2025-43510 | Memory management vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1) | ||
| 19.3.26 | CVE-2025-14174 | Memory corruption vulnerability in ANGLE (Patched in versions 18.7.3 and 26.2) | ||
| 19.3.26 | CVE-2025-43529 | Memory corruption vulnerability in JavaScriptCore (Patched in versions 18.7.3 and 26.2) | ||
| 19.3.26 | CVE-2026-20700 | User-mode Pointer Authentication Code (PAC) bypass in dyld (Patched in version 26.3) | ||
| 19.3.26 | CVE-2025-31277 | Memory corruption vulnerability in JavaScriptCore (Patched in version 18.6) | ||
| 19.3.26 | CVE-2026-20963 | (CVSS score: 8.8) - A deserialization of untrusted data vulnerability in Microsoft Office SharePoint that allows an unauthorized attacker to execute code over a network. (Fixed in January 2026) | ||
| 19.3.26 | CVE-2025-66376 | (CVSS score: 7.2) - A stored cross-site scripting vulnerability in the Classic UI of ZCS, where attackers could abuse Cascading Style Sheets (CSS) @import directives in an HTML e-mail message. (Fixed in versions 10.0.18 and 10.1.13 in November 2025) | ||
| 19.3.26 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. | ||
| 18.3.26 | Fake FileZilla installers lead to infection with a Remote Access Trojan (RAT) | Threat actors are exploiting the popularity of the FileZilla file transfer client to infect systems with a Remote Access Trojan (RAT) variant. Once a victim downloads the seemingly legitimate software, they unwittingly introduce a multi-stage malware loader into their digital environment. | ALERTS | VIRUS |
| 18.3.26 | Vidar Stealer Evolves: Improved Performance, Stealth, and Social Distribution Vectors | A recent report by Acronis TRU researchers details the re-emergence of Vidar Stealer 2.0. This iteration introduces several advancements, specifically targeting improved operational performance and defensive evasion. Current distribution vectors involve deceptive GitHub repositories and Reddit threads masquerading as gaming utilities. | VIRUS | |
| 18.3.26 | Warlock Ransomware Group Ups the Ante with New TTPs | The Warlock ransomware group is escalating operations, according to researchers at Trend Micro. Recently observed activity primarily targets organizations in government, manufacturing, and technology sectors. Attacks typically begin with the exploitation of SharePoint vulnerabilities, enabling initial access and credential dumping. | RANSOM | |
| 18.3.26 | Hyrax malware distributed in SEO poisoning operation attributed to the Storm-2561 threat group | Microsoft researchers discovered a sophisticated credential-stealing operation orchestrated by the cybercriminal group known as Storm-2561. This threat actor actively employs search engine optimization (SEO) manipulation to distribute fraudulent virtual private network (VPN) applications. | OPERATION | |
| 18.3.26 | Venon Banking malware | ZenoX recently reported that it identified a new Brazilian banking trojan, VENON, in February 2026, describing it as a Rust-based RAT that mirrors many classic Latin American banker behaviors, including overlay abuse and active window monitoring (33 financial institutions and digital asset platforms). | ALERTS | VIRUS |
| 18.3.26 | CVE-2026-32746 | telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full. | ||
| 18.3.26 | CVE-2026-3888 | Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS. | ||
| 18.3.26 | CVE-2026-20643 | A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. | ||
| 18.3.26 | LeakNet’s | Casting a Wider Net: ClickFix, Deno, and LeakNet’s Scaling Threat | OPERATION | OPERATION |
| 17.3.26 | CVE-2025-47813 | Wing FTP Server Information Disclosure Vulnerability: Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie. | ||
| 17.3.26 | ForceMemo | ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push | CAMPAIGN | CAMPAIGN |
| 17.3.26 | KakaoTalk | Analysis of the Spear-Phishing and KakaoTalk-Linked Threat Campaign by the Konni Group | CAMPAIGN | CAMPAIGN |
| 16.3.26 | LibreChat RAG API contains a log-injection vulnerability | A log-injection vulnerability in the LibreChat RAG API, version 0.7.0, is caused by improper sanitization of user-supplied input written to system logs. An authenticated attacker can forge or manipulate log entries by inserting CRLF characters, compromising the integrity of audit records. This flaw may further enable downstream attacks if the tampered logs are processed or displayed by insecure log-management tools. | ALERT | ALERT |
| 16.3.26 | Evil evolution | Across three recent campaigns, Sophos X-Ops notes shifts in both lures and malware capabilities, as threat actors leveraging ClickFix techniques increasingly target macOS users with infostealers | HACKING | HACKING |
| 15.3.26 | DRILLAPP | Stealthy Backdoor Attack to Real-world Models in Android Apps | MALWARE | ANDROID |
| 15.3.26 | CVE-2023-43000 | Apple Multiple products Use-After-Free Vulnerability: Apple macOS, iOS, iPadOS, and Safari 16.6 contain a use-after-free vulnerability due to the processing of maliciously crafted web content that may lead to memory corruption. | ||
| 15.3.26 | CVE-2021-30952 | Apple Multiple Products Integer Overflow or Wraparound Vulnerability: Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web content that may lead to arbitrary code execution. | ||
| 15.3.26 | CVE-2023-41974 | Apple iOS and iPadOS Use-After-Free Vulnerability: Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges. | ||
| 15.3.26 | PhantomRaven | The Return of PhantomRaven: Detecting Three New Waves of npm Supply Chain Attacks | MALWARE | PYTHON |
| 15.3.26 | BlackSanta | A Silent Threat Targeting Recruitment Workflows | MALWARE | EDR and AV Killer |
| 15.3.26 | A0Backdoor | New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering | MALWARE | BACKDOOR |
| 14.3.26 | DoubleDonut loader leveraged for the delivery of various infostealing payloads | Rapid7 Labs recently uncovered a widespread malicious campaign that compromised a large number of trusted WordPress websites in efforts to distribute malicious payloads. Threat actors inject a deceptive ClickFix script into these legitimate sites, presenting unsuspecting visitors with fraudulent CAPTCHA prompts. Engaging with this fake verification triggers a sophisticated, multi-stage infection chain aimed at harvesting digital wallets and system credentials from the victims. | ALERTS | VIRUS |
| 14.3.26 | GibCrypto malware | GibCrypto is a new destructive and evasive ransomware variant discovered in the wild. As reported by researchers from K7 Security Labs, this malware variant compromises the Master Boot Record (MBR) and systematically targets vital Windows dependencies. | VIRUS | |
| 14.3.26 | Iranian Intelligence Integrates Malware-as-a-Service into State Operations | Recent research from Check Point reveals a strategic shift in Iranian cyber operations. Groups linked to the Ministry of Intelligence and Security (MOIS), such as Seedworm (aka MuddyWater) and Druidfly (aka Void Manticore), are moving beyond simply imitating cybercriminals to directly collaborating with the criminal ecosystem. | APT | |
| 14.3.26 | TAXISPY RAT Android malware | TaxiSpy RAT is an Android malware variant recently discovered by the researchers from Cyfirma. To bypass static security analysis, the malware employs complex evasion tactics, utilizing native libraries for critical tasks and XOR encryption to conceal its command-and-control (C2) infrastructure, configuration data, and Firebase credentials until runtime. | VIRUS | |
| 14.3.26 | Multi-staged Remcos RAT deployment campaign | A new Remcos RAT campaign leveraging fileless execution has been observed in the wild. As reported by Trellix researchers, the attack sequence begins with procurement-themed phishing emails, often disguised for example as "Request for Quotation" documents. | ALERTS | VIRUS |
| 14.3.26 | KadNap botnet | Researchers at Black Lotus Labs recently uncovered KadNap, an advanced botnet strain that has successfully compromised over 14,000 routers since August 2025. The malware employs a sophisticated evasion strategy by utilizing a customized version of the Kademlia Distributed Hash Table (DHT) protocol to establish a decentralized, peer-to-peer (P2P) network. | BOTNET | |
| 14.3.26 | CVE-2026-1207 - Django SQLi Vulnerability | CVE-2026-1207 is a recently disclosed medium severity (CVSS score 5.4) SQL Injection vulnerability affecting Django, the Python-based open-source web framework. If successfully exploited, the flaw might allow attackers with low-level authentication to inject SQL commands via the band index parameter, potentially allowing for unauthorized data access or manipulation. This vulnerability has already been addressed in the updated versions of the product (6.0.2, 5.2.11, and 4.2.28 or newer). | VULNERABILITY | |
| 14.3.26 | China-Linked Hackers Target Qatar with PlugX Malware Campaign | Qatar is yet another victim of cyber espionage directly resulting from the increasing tensions in the Middle East. The Chinese-nexus threat group Fireant (aka Camaro Dragon/Mustang Panda) utilized a multi-stage infection chain to deliver a variant of the PlugX backdoor, according to a report by Check Point Research. | CAMPAIGN | |
| 14.3.26 | ClipXDaemon | Cyble has reported a newly identified Linux threat dubbed ClipXDaemon, a clipboard hijacker built to target cryptocurrency users on X11-based desktop environments. | ALERTS | CRYPTOCURRENCY |
| 14.3.26 | Graphql-upload-minimal has a prototype pollution vulnerability. | Version 1.6.1 of the Flash Payments package graphql-upload-minimal is vulnerable to prototype pollution. This vulnerability, located in the processRequest() function, allows an attacker to inject special property names into the operations.variables object and pollute global object prototypes, ultimately impacting the entire Node.js process. | ALERT | ALERT |
| 14.3.26 | Operation CamelClone: Multi-Region Espionage Campaign Targets Government and Defense Entities Amidst Regional Tensions | | OPERATION | OPERATION |
| 14.3.26 | Handala Hack | Handala Hack is an online persona operated by Void Manticore (aka Red Sandstorm, Banished Kitten), an actor affiliated with Iranian Ministry of Intelligence and Security (MOIS) | GROUP | GROUP |
| 14.3.26 | XWorm | XWorm has surged to the #3 global threat, using stealthy memory-only execution and the WinRAR CVE-2025-8088 exploit to bypass traditional security stacks. | MALWARE | WORM |
| 14.3.26 | Remcos RAT | This blog examines a Remcos campaign demonstrating the transition from phishing-based initial access to fully fileless execution. | MALWARE | FILELESS |
| 14.3.26 | CL-STA-1087 | Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia | GROUP | CLUSTER |
| 14.3.26 | Storm-2561 | Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft | GROUP | GROUP |
| 13.3.26 | CVE-2026-21671 | (CVSS score: 9.1) - A vulnerability that allows an authenticated user with the Backup Administrator role to perform remote code execution in high availability (HA) deployments of Veeam Backup & Replication. | ||
| 13.3.26 | CVE-2026-21669 | (CVSS score: 9.9) - A vulnerability that allows an authenticated domain user to perform remote code execution on the Backup Server. | ||
| 13.3.26 | CVE-2026-21666 | (CVSS score: 9.9) - A vulnerability that allows an authenticated domain user to perform remote code execution on the Backup Server. | ||
| 13.3.26 | CVE-2026-21667 | (CVSS score: 9.9) - A vulnerability that allows an authenticated domain user to perform remote code execution on the Backup Server. | ||
| 13.3.26 | CVE-2026-21668 | (CVSS score: 8.8) - A vulnerability that allows an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. | ||
| 13.3.26 | CVE-2026-21672 | (CVSS score: 8.8) - A vulnerability that allows local privilege escalation on Windows-based Veeam Backup & Replication servers. | ||
| 13.3.26 | CVE-2026-21708 | (CVSS score: 9.9) - A vulnerability that allows a Backup Viewer to perform remote code execution as the postgres user. | ||
| 13.3.26 | CVE-2026-3909 | (CVSS score: 8.8) - An out-of-bounds write vulnerability in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page. | ||
| 13.3.26 | CVE-2026-3910 | (CVSS score: 8.8) - An inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine that allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | ||
| 13.3.26 | Slopoly | A Slopoly start to AI-enhanced ransomware attacks | MALWARE | AI |
| 13.3.26 | CrackArmor | CrackArmor: Critical AppArmor Flaws Enable Local Privilege Escalation to Root | ||
| 13.3.26 | VENON | VENON: The First Brazilian Banker RAT in Rust | MALWARE | BANKING RAT |
| 12.3.26 | CVE-2023-43010 | The issue was addressed with improved memory handling. This issue is fixed in iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2, Safari 17.2, iOS 16.7.15 and iPadOS 16.7.15, iOS 15.8.7 and iPadOS 15.8.7. Processing maliciously crafted web content may lead to memory corruption. | ||
| 12.3.26 | TAXISPY RAT | TAXISPY RAT: Analysis of TaxiSpy RAT – Russian Banking-Focused Android Malware with Full Remote Control | MALWARE | RAT |
| 12.3.26 | BeatBanker | BeatBanker: A dual‑mode Android Trojan | MALWARE | Android |
| 12.3.26 | UAC-0252 activity delivering ShadowSniff and SalatStealer malware | Ukraine’s Computer Emergency Response Team (CERT-UA) identified a malicious campaign (dubbed UAC-0252) impersonating national executive authorities and regional government officials to deceive the victims. | ALERTS | GROUP |
| 12.3.26 | FakeGit Campaign Uses GitHub Lures to Deliver StealC | Researchers at Derp uncovered a large GitHub-based malware operation dubbed FakeGit, active since March 2025, that masquerades as cracked extensions, gaming cheats, developer tools, and other bait to spread a LuaJIT loader. | CAMPAIGN | |
| 12.3.26 | Android Malware: BeatBanker | Researchers at Kaspersky recently published an article about an Android malware campaign dubbed "BeatBanker" that targets mobile users in Brazil. It's being spread via a fake Google Play page spoofing the “INSS Reembolso” app to lure victims into installing a trojanized APK. | VIRUS | |
| 12.3.26 | Swallowtail Returns with BeardShell Backdoor and Modified Covenant Framework | A report by researchers at ESET highlights details attributed to the Russian group Swallowtail (aka APT28/Fancy Bear/Sednit). Since early 2024, the group has pivoted toward a dual-implant strategy, deploying the custom BeardShell backdoor alongside a heavily modified Covenant framework. | APT | |
| 12.3.26 | CVE-2025-68613 | n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. | ||
| 11.3.26 | AgenticBlabbering | How AI Browsers’ Verbose Reasoning Fuels the Ultimate Scamming Machine | AI | SPAM |
| 11.3.26 | CVE-2026-27577 | (CVSS score: 9.4) - Expression sandbox escape leading to remote code execution (RCE) | ||
| 11.3.26 | CVE-2026-27493 | (CVSS score: 9.5) - Unauthenticated expression evaluation via n8n's Form nodes | ||
| 11.3.26 | CVE-2026-26144 | Microsoft Excel Information Disclosure Vulnerability | ||
| 11.3.26 | CVE-2026-26118 | Azure MCP Server Tools Elevation of Privilege Vulnerability | ||
| 11.3.26 | CVE-2026-25187 | Winlogon Elevation of Privilege Vulnerability | ||
| 11.3.26 | CVE-2026-21536 | Microsoft Devices Pricing Program Remote Code Execution Vulnerability | ||
| 11.3.26 | CVE-2026-21262 | SQL Server Elevation of Privilege Vulnerability | ||
| 11.3.26 | CVE-2026-26127 | .NET Denial of Service Vulnerability | ||
| 11.3.26 | CVE-2026-27685 | SAP NetWeaver Enterprise Portal Administration is vulnerable if a privileged user uploads untrusted or malicious content that, upon deserialization, could result in a high impact on the confidentiality, integrity, and availability of the host system. | ||
| 11.3.26 | CVE-2019-17571 | Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j 1.2 releases up to and including 1.2.17. | ||
| 11.3.26 | KadNap | Silence of the hops: The KadNap botnet | BOTNET | BOTNET |
| 11.3.26 | LeakyLooker | LeakyLooker: Hacking Google Cloud’s Data via Dangerous Looker Studio Vulnerabilities | ||
| 10.3.26 | Recent Dust Specter APT activity | A recent targeted cyber espionage campaign directed at Iraqi government officials has been reported by researchers from Zscaler. The attack has been attributed to a threat group known as Dust Specter. | ALERTS | APT |
| 10.3.26 | Cybercriminals Exploit Middle East Tensions to Deliver Backdoors and Info-Stealing Malware | Cybercriminals are increasingly exploiting Middle East geopolitical tensions to launch sophisticated digital attacks. A report by researchers from Zscaler ThreatLabz reveals a surge in malicious activity, including a suspected targeted campaign that utilizes "missile strike" lures to deploy backdoors through a multi-stage attack chain incorporating ZIP, LNK, and CHM files. | VIRUS | |
| 10.3.26 | South American Telecom Providers Targeted by Trio of Malicious Tools | Cisco Talos researchers have uncovered a sophisticated campaign by UAT-9244, a Chinese-aligned threat actor, targeting South American telecommunications providers. This operation leverages a trio of malicious tools to compromise both Windows and Linux environments. | CAMPAIGN | |
| 10.3.26 | BoryptGrab Stealer | Trend Micro has recently reported a new malware campaign centered on BoryptGrab, a stealer spread through fake GitHub repositories and lookalike download pages posing as free utilities and game-related tools. Victims are lured through SEO-manipulated repos, then redirected to pages that generate malicious ZIP files to kick off the infection chain. | VIRUS | |
| 10.3.26 | Sednit | Sednit reloaded: Back in the trenches | GROUP | GROUP |
| 10.3.26 | CVE-2021-22054 | (CVSS score: 7.5) - A server-side request forgery (SSRF) vulnerability in Omnissa Workspace One UEM (formerly VMware Workspace One UEM) that could allow a malicious actor with network access to UEM to send requests without authentication and to gain access to sensitive information. | ||
| 10.3.26 | CVE-2025-26399 | (CVSS score: 9.8) - A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk that could allow an attacker to run commands on the host machine. | ||
| 10.3.26 | CVE-2026-1603 | (CVSS score: 8.6) - An authentication bypass using an alternate path or channel vulnerability in Ivanti Endpoint Manager that could allow a remote unauthenticated attacker to leak specific stored credential data. | ||
| 10.3.26 | Antivirus and Endpoint Detection and Response Archive Scanning Engines may not properly scan malformed zip archives | Malformed ZIP headers can cause antivirus and endpoint detection and response (EDR) software to produce false negatives. Despite the malformed headers, some extraction software is still able to decompress the ZIP archive, allowing potentially malicious payloads to run after the file is decompressed. | ALERT | ALERT |
| 10.3.26 | GhostClaw | GhostClaw Unmasked: A Malicious npm Package Impersonating OpenClaw to Steal Everything | HACKING | MALWARE |
| 9.3.26 | Cloud Threat Horizons Report H1 2026 | The Google Cloud Threat Horizons Report provides decision-makers with strategic intelligence on threats to not just Google Cloud, but all cloud service providers. | REPORT | REPORT |
| 9.3.26 | Pixel Perfect | Pixel Perfect: Sold Extension Injects Code Through Pixel | HACKING | HACKING |
| 8.3.26 | Jasper Sleet | Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations | GROUP | GROUP |
| 8.3.26 | GIFTEDCROOK | GIFTEDCROOK’s Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations | MALWARE | STEALER |
| 8.3.26 | CVE-2026-27636 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. | ||
| 8.3.26 | CVE-2026-28289 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check | ||
| 8.3.26 | CVE-2026-20131 | Cisco Secure Firewall Management Center Software Remote Code Execution Vulnerability | ||
| 8.3.26 | CVE-2026-20079 | Cisco Secure Firewall Management Center Software Authentication Bypass Vulnerability | ||
| 8.3.26 | Anubis | Anubis: A New Ransomware Threat | RANSOM | RANSOM |
| 7.3.26 | A flawed TLS handshake implementation affects Viber Proxy on multiple platforms | The Rakuten Viber messaging app for Android V25.7.2.0g and for Windows V25.6.0.0 through V25.8.1.0 has a flaw in its TLS handshake implementation when using the Cloak proxy configuration. The flaw makes proxy usage easy to identify, potentially compromising user anonymity. | ALERT | ALERT |
| 7.3.26 | APT36 | APT36: A Nightmare of Vibeware | APT | APT |
| 7.3.26 | Seedworm | Seedworm activity began in early February and has continued in recent days: what organizations should expect next from Iran-aligned groups, and the steps they should take to guard against cyberattacks. | APT | APT |
| 7.3.26 | VOID#GEIST | VOID#GEIST: Stealthy MultiStage Python Loader with Embedded Runtime Deployment, Startup Persistence, and Fileless Early Bird APC Injection into explorer.exe | MALWARE | LOADER |
| 6.3.26 | UAT-9244 | UAT-9244 targets South American telecommunication providers with three new malware implants | GROUP | GROUP |
| 6.3.26 | ARM47 Ransomware | ARM47 HACKERS is a newly identified ransomware threat actor observed deploying a customized variant of the LockBit Black (LockBit 3.0) builder. The group operates under a double-extortion model, encrypting victim files while threatening to publish stolen data via a TOR-hosted leak site if the ransom is not paid. | ALERTS | RANSOM |
| 6.3.26 | BadPaw and MeowMeow: Not as Cute as They Sound | A Russian-based threat actor targeted Ukraine with BadPaw and MeowMeow malware, according to a report by researchers at ClearSky. | VIRUS | |
| 6.3.26 | Datebug APT campaign targets governmental entities in India | Cybersecurity researchers at Cyfirma recently uncovered a sophisticated malware campaign orchestrated by the Datebug threat group (aka Transparent Tribe, APT36). | APT | |
| 6.3.26 | Recent Agent Tesla distribution campaign | Agent Tesla continues to be a highly adaptable threat in the current cybersecurity landscape. A recent campaign delivering this malware has been described by researchers from Fortinet. The attack follows a typical infection chain, beginning with a phishing email that carries a malicious RAR archive. | CAMPAIGN | |
| 6.3.26 | Seedworm APT group activity following U.S. and Israeli military strikes on Iran | The Iranian APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten) has been active on the networks of multiple U.S. companies since the beginning of February 2026, with activity continuing in recent days following U.S. and Israeli military strikes on Iran that have sparked conflict in the region. | APT | |
| 6.3.26 | AuraStealer malware variant | AuraStealer is an emerging Malware-as-a-Service (MaaS) information stealer promoted on underground forums. As reported by researchers from Intrinsec, this C++-based malware is delivered through various channels, including cracked software, ClickFix attacks and TikTok scam campaigns. | VIRUS | |
| 6.3.26 | SloppyLemming Campaign: PDF → ClickOnce → BurrowShell; Macro Excel → Rust RAT | Arctic Wolf Labs reports a year-long cyber-espionage campaign (Jan 2025–Jan 2026) they attribute to the India-nexus actor SloppyLemming (aka Outrider Tiger / Fishing Elephant), aimed at government and critical-infrastructure targets in Pakistan and Bangladesh. The operation ran two chains: PDF lures that bounce victims to ClickOnce manifests, and macro-enabled Excel documents used as an alternate delivery route. | CAMPAIGN | |
| 6.3.26 | Dust Specter | Dust Specter APT Targets Government Officials in Iraq | APT | APT |
| 6.3.26 | BadPaw and MeowMeow | Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw and MeowMeow | MALWARE | LOADER |
| 6.3.26 | CVE-2026-20122 | A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. | ||
| 6.3.26 | CVE-2026-20128 | A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges on an affected system. | ||
| 6.3.26 | CVE-2017-7921 | (CVSS score: 9.8) - An improper authentication vulnerability affecting multiple Hikvision products that could allow a malicious user to escalate privileges on the system and gain access to sensitive information. | ||
| 6.3.26 | CVE-2021-22681 | (CVSS score: 9.8) - An insufficiently protected credentials vulnerability affecting multiple Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers that could allow an unauthorized user with network access to the controller to bypass the verification mechanism and authenticate with it, as well as alter its configuration and/or application code. | ||
| 5.3.26 | Silver Dragon’s Tactics, Custom Tools, and the GearDoor Backdoor | Silver Dragon is a Chinese-aligned threat group that has been actively targeting organizations in Southeast Asia and Europe since mid-2024, primarily focusing on government entities. | APT | |
| 5.3.26 | SurxRAT mobile malware | SurxRAT is a sophisticated Remote Access Trojan (RAT) for Android recently discovered by the researchers from Cyble. The malware operates under the Malware-as-a-Service (MaaS) model. | VIRUS | |
| 5.3.26 | APT-Linked PlugX Campaign: Meeting Invitation + Fake Browser Updater | A recent PlugX campaign blends social engineering with “trusted” binaries: one path uses a Meeting Invitation lure that drops a ZIP containing an MSBuild project which pulls the next stages on execution. Another path seen in January 2026 starts with a fake “Browser Updater” (STATICPLUGIN) that downloads and runs a malicious MSI even if the victim clicks Cancel. | APT | |
| 5.3.26 | Smishing Pushes Malicious “Red Alert” Android App in Israel | Global events have always been used as social engineering by both e-crime and APT groups in order to lure victims’ curiosity, fear, or urgency into kicking off an attack chain. | SPAM | |
| 5.3.26 | Zerobot Campaign Exploits CVE-2025-7544 and CVE-2025-68613 | This week, Akamai reported active exploitation of two command-injection flaws to spread a Mirai-derived botnet dubbed Zerobot: CVE-2025-7544 in Tenda AC1206 routers and CVE-2025-68613 in the n8n workflow automation platform. | VULNEREBILITY | |
| 5.3.26 | StegaBin: Another npm Supply-Chain Campaign | Researchers at Socket recently reported a supply-chain campaign dubbed “StegaBin,” in which 26 typosquatted npm packages published around Feb. | CAMPAIGN | |
| 5.3.26 | CVE-2026-25253 - OpenClaw RCE vulnerability | CVE-2026-25253 is a recently disclosed high severity (CVSS score 8.8) Remote Code Execution (RCE) vulnerability affecting OpenClaw AI personal assistant tool. | VULNEREBILITY | |
| 5.3.26 | Dohdoor backdoor delivery campaign | A sophisticated cyber campaign orchestrated by the threat actor dubbed UAT-10027 has been reported by researchers from Cisco Talos. Focused heavily on American educational and healthcare institutions, the attackers execute a multi-stage attack chain to distribute a newly identified backdoor named Dohdoor. | VIRUS | |
| 5.3.26 | CVE-2026-24423 - SmarterTools SmarterMail vulnerability | CVE-2026-24423 is a recently disclosed critical (CVSS score 9.3) Remote Code Execution (RCE) vulnerability affecting SmarterTools SmarterMail software, which is an email, groupware, and collaboration server designed as an alternative to enterprise collaboration solutions such as Microsoft Exchange. | VULNEREBILITY | |
| 5.3.26 | Operation Epic Fury/Roaring Lion | Retaliatory Hacktivist DDoS Activity Following Operation Epic Fury/Roaring Lion | OPERATION | OPERATION |
| 5.3.26 | CVE-2026-1459 | A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device. | ||
| 5.3.26 | CVE-2025-13943 | A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C0 could allow an authenticated attacker to execute operating system (OS) commands on an affected device. | ||
| 5.3.26 | CVE-2025-13942 | A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests. | ||
| 5.3.26 | CVE-2025-11848 | A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Zyxel VMG3625-T50B firmware version through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. | ||
| 5.3.26 | CVE-2025-11847 | A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. | ||
| 5.3.26 | CVE-2025-11846 | A null pointer dereference vulnerability in the account settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. | ||
| 5.3.26 | CVE-2025-11845 | A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. | ||
| 4.3.26 | MAR-25993211-r1.v2 Ivanti Connect Secure (RESURGE) | This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. | CERT | CERT |
| 4.3.26 | CVE-2026-21902 | An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root. | ||
| 4.3.26 | Coruna | Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit | EXPLOIT | EXPLOIT |
| 4.3.26 | MS-Agent does not properly sanitize commands sent to its shell tool, allowing for RCE | A command injection vulnerability was identified in the MS-Agent framework that can be triggered through unsanitized prompt-derived input. An attacker can craft untrusted input introduced via a chat prompt or other external content sources, resulting in arbitrary command execution on the target system(s) where the MS-Agent framework is deployed. No patch or vendor statement was obtained during the coordination process. | ALERT | ALERT |
| 4.3.26 | UAC-0252 cyberattacks using the SHADOWSNIFF and SALATSTEALER stealers (CERT-UA#20032) | Since January 2026, CERT-UA has recorded repeated cases of emails, purportedly sent on behalf of central executive authorities and regional state administrations, urging recipients to update the mobile applications of widely used civilian and military systems. | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 4.3.26 | Encrypted RAT | Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT | MALWARE | RAT |
| 4.3.26 | Silver Dragon | Silver Dragon Targets Organizations in Southeast Asia and Europe | APT | APT |
| 4.3.26 | CVE-2026-22719 | VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress. | ||
| 4.3.26 | Exorcising Demons | Exorcising Demons: Fake Tech Support Delivers Havoc Command & Control | SPAM | SPAM |
| 3.3.26 | CyberStrikeAI | The threat actor behind the recently disclosed artificial intelligence (AI)-assisted campaign targeting Fortinet FortiGate appliances leveraged an open-source, AI-native security testing platform called CyberStrikeAI to execute the attacks. | AI | PLATFORM |
| 3.3.26 | Starkiller | Starkiller: New Phishing Framework Proxies Real Login Pages to Bypass MFA | PHISHING | KIT |
| 3.3.26 | SloppyLemming | SloppyLemming is an advanced actor that uses multiple cloud service providers to facilitate different aspects of its activities, such as credential harvesting, malware delivery and command and control (C2). This actor conducts extensive operations targeting Pakistan, Sri Lanka, Bangladesh, and China. | GROUP | GROUP |
| 3.3.26 | BurrowShell | SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh | MALWARE | RAT |
| 3.3.26 | CVE-2026-21385 | Memory corruption while using alignments for memory allocation. | ||
| 3.3.26 | CVE-2026-0628 | Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High) | ||
| 2.3.26 | StegaBin | Novel DPRK stager using Pastebin and text steganography | CAMPAIGN | CAMPAIGN |
| 1.3.26 | COOKIE SPIDER | COOKIE SPIDER (active since at least October 2018) develops and rents Atomic macOS Stealer (AMOS), an information stealer targeting macOS victims via multiple delivery methods, including search engine optimization (SEO) poisoning, fake job advertisements, and malicious VSCode extensions. | GROUP | GROUP |
| 1.3.26 | Log Poisoning in OpenClaw | It is important to be clear here: this is not a traditional remote code execution vulnerability. Instead, it is an indirect prompt injection risk, where exploitation depends on context. | HACKING | AI |
| 1.3.26 | ClawJacked | OpenClaw Vulnerability: Website-to-Local Agent Takeover | ||
| 1.3.26 | CVE-2026-25593 | Unauthenticated Local RCE via WebSocket config.apply | ||
| 1.3.26 | CVE-2026-24763 | Command Injection in Clawdbot Docker Execution via PATH Environment Variable | ||
| 1.3.26 | CVE-2026-25157 | OS Command Injection via Project Root Path in sshNodeCommand | ||
| 1.3.26 | CVE-2026-25475 | OpenClaw may disclose local files via MEDIA: path staging | ||
| 1.3.26 | Arkanix | Arkanix Stealer: a C++ & Python infostealer | MALWARE | STEALER |
| 1.3.26 | CVE-2025-49113 | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | ||
| 1.3.26 | Diesel Vortex | Diesel Vortex: Inside the Russian cybercrime group targeting US & EU freight | GROUP | GROUP |
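The 10.3.26 alert on malformed ZIP archives above describes the mechanism only in a sentence: a scanner that trusts one set of headers sees nothing, while an extractor that trusts another set still unpacks the payload. The following is an added example, written for this page and not taken from the advisory or any vendor, that makes the mismatch concrete. It builds a small archive in memory (the member content is constructed sample text), zeroes the CRC and size fields of the local file header, and then shows three things: a naive scanner that walks local headers sequentially sees an empty entry, Python's `zipfile`, which is driven by the central directory, still extracts the member, and a consistency check that cross-validates both structures flags the archive. The sequential-scanner model and the field choice are assumptions about how such a false negative can arise, not a description of any particular product.

```python
"""Malformed local file headers versus central-directory-driven extraction.

Added example; not code from the advisory. Sample member content is
constructed for the demonstration.
"""
import io
import struct
import zipfile

SAMPLE_NAME = "payload.txt"  # constructed sample member
SAMPLE_DATA = b"SAMPLE-MARKER: not malware, just content a scanner should see\n"

LFH_SIG = b"PK\x03\x04"
# Local file header layout: signature, version needed, flags, method, mtime,
# mdate, crc32, compressed size, uncompressed size, name length, extra length.
LFH_STRUCT = "<4sHHHHHIIIHH"
LFH_SIZE = struct.calcsize(LFH_STRUCT)  # 30 bytes
FLAG_DATA_DESCRIPTOR = 0x0008


def build_zip(name=SAMPLE_NAME, data=SAMPLE_DATA):
    """Well-formed single-member archive; seekable BytesIO means zipfile
    rewrites the local header with real CRC/sizes instead of a descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def corrupt_local_header(archive, member=SAMPLE_NAME):
    """Zero crc32, compressed size and uncompressed size in one member's local
    file header (offsets 14, 18, 22). The central directory stays intact."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        off = zf.getinfo(member).header_offset
    out = bytearray(archive)
    struct.pack_into("<III", out, off + 14, 0, 0, 0)
    return bytes(out)


def stream_scan(archive):
    """Naive sequential walk over local headers, as a streaming scanner might
    do. Returns {name: payload bytes seen}; stops at the first blob that does
    not start with a local-header signature."""
    seen, pos = {}, 0
    while archive[pos:pos + 4] == LFH_SIG:
        fields = struct.unpack_from(LFH_STRUCT, archive, pos)
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = fields
        name = archive[pos + LFH_SIZE:pos + LFH_SIZE + nlen].decode("cp437")
        pos += LFH_SIZE + nlen + xlen
        seen[name] = archive[pos:pos + csize]
        pos += csize
        if flags & FLAG_DATA_DESCRIPTOR:  # sizes follow the data; stop here
            break
    return seen


def find_header_mismatches(archive):
    """Cross-check every central-directory entry against its local header.
    Returns a list of discrepancies; an empty list means consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            fields = struct.unpack_from(LFH_STRUCT, archive, info.header_offset)
            sig, _, flags, method, _, _, crc, csize, usize, _, _ = fields
            if sig != LFH_SIG:
                problems.append(f"{info.filename}: bad local header signature")
                continue
            if method != info.compress_type:
                problems.append(f"{info.filename}: compression method differs")
            if flags & FLAG_DATA_DESCRIPTOR:
                continue  # legitimately zero in the local header
            for label, local, central in (("crc", crc, info.CRC),
                                          ("compressed size", csize, info.compress_size),
                                          ("uncompressed size", usize, info.file_size)):
                if local != central:
                    problems.append(f"{info.filename}: {label} {local} != {central}")
    return problems


def extract(archive, member=SAMPLE_NAME):
    """What a central-directory-driven extractor delivers to the user."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(member)


if __name__ == "__main__":
    clean = build_zip()
    bad = corrupt_local_header(clean)
    print("clean:    stream scanner saw", len(stream_scan(clean)[SAMPLE_NAME]), "bytes")
    print("tampered: stream scanner saw", len(stream_scan(bad)[SAMPLE_NAME]), "bytes")
    print("tampered: zipfile extracts ", extract(bad))
    for problem in find_header_mismatches(bad):
        print("  mismatch:", problem)
```

The practical check is the last function: an archive whose local headers and central directory disagree about CRC, sizes or method should be treated as suspicious and scanned by unpacking the way the extractor will, not skipped because one header says the entry is empty.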
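The two FreeScout entries of 8.3.26 (CVE-2026-27636 and its patch bypass CVE-2026-28289) describe a filename blocklist that first omitted `.htaccess` and `.user.ini`, then compared names without canonicalizing them, so a zero-width space prefix slipped past the check. The added example below is not FreeScout's code and the extension lists in it are hypothetical; it contrasts a raw-string blocklist with a check that first reduces the name to the form the server will act on and then applies an allowlist.

```python
"""Filename validation: raw-string blocklist versus canonicalized allowlist.

Added example; the lists are hypothetical and this is not FreeScout's code.
"""
import unicodedata

BLOCKED_EXTENSIONS = {"php", "phtml", "phar", "php5", "pht"}   # hypothetical
BLOCKED_NAMES = {".htaccess", ".user.ini"}                      # hypothetical
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt",
                      "csv", "docx", "xlsx", "zip"}             # hypothetical


def is_blocked_naive(filename):
    """Blocklist in the style the advisory describes: exact match on the two
    dangerous names plus an extension blocklist, applied to the raw string.
    An invisible prefix (U+200B) defeats the exact-name test, and a
    fullwidth extension defeats the extension test."""
    name = filename.lower()
    if name in BLOCKED_NAMES:
        return True
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in BLOCKED_EXTENSIONS


def canonical_basename(filename):
    """Reduce a user-supplied name to what the server will act on:
    NFKC-normalize, drop every code point in the Unicode 'Other' categories
    (controls, format characters such as U+200B and U+FEFF, surrogates,
    unassigned), keep only the basename across both separator styles, trim
    surrounding whitespace and trailing dots, and lower-case."""
    name = unicodedata.normalize("NFKC", filename)
    name = "".join(ch for ch in name if not unicodedata.category(ch).startswith("C"))
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip(" \t\r\n").rstrip(".").lower()


def is_allowed_hardened(filename):
    """Allowlist applied to the canonical name: no dotfiles at all, a
    non-empty stem, and exactly the extensions the application needs."""
    name = canonical_basename(filename)
    if not name or name.startswith(".") or "." not in name:
        return False
    stem, ext = name.rsplit(".", 1)
    return bool(stem) and ext in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for candidate in (".htaccess", "\u200b.htaccess", "\ufeff.user.ini",
                      "shell.\uff50\uff48\uff50", "report.pdf"):
        print(repr(candidate), "naive blocks:", is_blocked_naive(candidate),
              "| hardened allows:", is_allowed_hardened(candidate))
```

Two caveats a practitioner would add. The page does not say where the zero-width character disappears between the check and the file the web server honours, so the safe assumption is that any transformation downstream of validation (storage layer, filesystem, normalization in a framework) can turn an accepted name into a dangerous one; validate the canonical form and store files under a server-generated name. Second, an allowlist on the last extension still leaves multi-extension handling (`x.php.png` under Apache's mod_mime) to the server configuration, so uploads belong in a location where `.htaccess` and `.user.ini` are not honoured at all.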
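The 4.3.26 MS-Agent alert above states the failure in one sentence: prompt-derived text reaches a shell tool without sanitization, so untrusted content in a chat or a fetched document becomes a command. The page gives no detail of MS-Agent's tool implementation, so the following added example is a generic reproduction of that pattern, not the framework's code: a tool that splices model output into a shell command line, beside one that parses the request into an argument vector, enforces a hypothetical program allowlist, and never invokes a shell. It runs `echo` through `/bin/sh` for the demonstration.

```python
"""Agent shell tool: command-line interpolation versus argv with an allowlist.

Added example; not MS-Agent's code. The allowlist is hypothetical.
"""
import shlex
import subprocess

ALLOWED_PROGRAMS = {"echo", "ls", "wc", "cat"}  # hypothetical allowlist


def run_tool_vulnerable(prompt_derived_text):
    """The pattern the alert describes: text that originated in a prompt (or
    in content the model read) is spliced into a command string and handed
    to the shell, so ';', '|', '$(...)' and backticks start new commands."""
    command = "echo " + prompt_derived_text
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout


def build_argv(tool_request):
    """Hardened path: split with shell quoting rules but never give the
    string to a shell; refuse programs outside the allowlist and refuse
    option arguments so the model cannot steer behaviour with flags."""
    argv = shlex.split(tool_request)
    if not argv:
        raise ValueError("empty tool request")
    if argv[0] not in ALLOWED_PROGRAMS:
        raise PermissionError(f"program not allowed: {argv[0]!r}")
    for arg in argv[1:]:
        if arg.startswith("-"):
            raise PermissionError(f"option arguments not allowed: {arg!r}")
    return argv


def is_request_allowed(tool_request):
    """Policy decision only, for callers that want a boolean."""
    try:
        build_argv(tool_request)
        return True
    except (ValueError, PermissionError):
        return False


def run_tool_hardened(tool_request):
    """Execute the validated argv directly; metacharacters stay literal."""
    argv = build_argv(tool_request)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=5)
    return proc.stdout


if __name__ == "__main__":
    injected = "hello; echo INJECTED"          # constructed prompt-derived text
    print("vulnerable:", repr(run_tool_vulnerable(injected)))
    print("hardened:  ", repr(run_tool_hardened("echo " + injected)))
    print("rm allowed?", is_request_allowed("rm -rf /tmp/x"))
```

The difference shows in the output: the shell version prints two lines because `; echo INJECTED` ran as a second command, while the argv version prints the whole string as one literal argument. An allowlist of programs is the minimum; a real deployment also runs the tool in a separate, unprivileged sandbox so that even an allowed program cannot reach secrets the agent holds.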