| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
|---|---|---|---|---|
| 13.4.26 | CPU-Z / HWMonitor watering hole infection – a copy-pasted attack | On April 9, 2026, the website cpuid[.]com, hosting installers for popular system administration software CPU-Z, HWMonitor (HWMonitor Pro) and Perfmonitor 2, was compromised. | INCIDENT | INCIDENT |
| 13.4.26 | CVE-2026-34621 | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. | VULNERABILITY | VULNERABILITY |
| 12.4.26 | Iranian-Affiliated APT Targeting of Rockwell/Allen-Bradley PLCs | Internet Exposure Assessment in Response to CISA Advisory AA26-097A | ICS | ICS |
| 12.4.26 | Storm-2755 | Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees | GROUP | GROUP |
| 12.4.26 | VENOM | Meet VENOM: The PhaaS Platform That Neutralizes MFA | MALWARE | MALWARE |
| 12.4.26 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | VULNERABILITY | VULNERABILITY |
| 12.4.26 | CVE-2026-34197 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. | VULNERABILITY | VULNERABILITY |
| 12.4.26 | Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure | Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure | REPORT | REPORT |
| 10.4.26 | VantaBlack Ransomware | VantaBlack (self-chosen name) is a ransomware actor first observed in late 2025. | ALERTS | RANSOM |
| 10.4.26 | Torg Grabber Infostealer | Cybersecurity experts at Gen Digital have discovered a rapidly evolving information-stealing malware known as Torg Grabber. | VIRUS | |
| 10.4.26 | Masjesu botnet | Masjesu botnet is a highly advanced threat targeting the Internet of Things (IoT). | ALERTS | BOTNET |
| 10.4.26 | LucidRook Campaigns Target Taiwanese Entities | Researchers at Cisco Talos have identified LucidRook, a Lua-based stager used by UAT-10362 to target Taiwanese entities. | ALERTS | CAMPAIGN |
| 10.4.26 | Operation NoVoice - a new Android malware delivery campaign | Cybersecurity researchers at McAfee have uncovered "Operation NoVoice," a widespread mobile malware campaign utilizing exploits for previously patched Android vulnerabilities from 2016 to 2021. | OPERATION | |
| 10.4.26 | CVE-2026-33017 - Langflow Code Injection vulnerability exploited in the wild | CVE-2026-33017 is a recently disclosed critical (CVSS score 9.3) Code Injection vulnerability affecting Langflow, which is a tool for building and deploying AI-powered agents and workflows. | ALERTS | VULNERABILITY |
| 10.4.26 | CVE-2026-22765 - Dell Wyse Management Suite vulnerability | CVE-2026-22765 is a recently disclosed high severity (CVSS score 8.8) Missing Authorization vulnerability affecting Dell Wyse Management Suite, which is a centralized, web-based management solution designed to configure and monitor Dell thin client endpoints. | VULNERABILITY | |
| 10.4.26 | Supply-chain attack: Axios npm compromise | StepSecurity reported that the widely used npm package axios — with over 100 million weekly downloads — was briefly compromised through two malicious releases, 1.14.1 and 0.30.4, published from a hijacked maintainer account on March 30–31, 2026. | HACKING | |
| 10.4.26 | Casbaneiro Banking Trojan Campaigns Target Latin America and Europe | The Augmented Marauder threat group has evolved, deploying a sophisticated multi-pronged campaign that pairs the Casbaneiro banking trojan with the Horabot spreader. | ALERTS | CAMPAIGN |
| 10.4.26 | Qilin Ransomware Deploys Kernel-Level EDR Killer to Blind Defenses | A sophisticated Qilin ransomware campaign has been identified using a specialized "EDR Killer" tool to neutralize enterprise defenses. According to Cisco Talos, the attack begins with a malicious DLL sideloading technique that deploys dual kernel drivers. | RANSOM | |
| 10.4.26 | Cybercriminals bait users with leaked Anthropic Claude Code on GitHub to deliver Vidar Stealer | Following Anthropic’s accidental exposure of Claude Code source code through an npm package on March 31, 2026, cybercriminals swiftly capitalized on this incident. | ALERTS | VIRUS |
| 10.4.26 | Malicious LNK Delivery and GitHub-Based C2 Observed in New DPRK Campaign | Fortinet researchers have identified a sophisticated DPRK-linked campaign targeting Windows environments via malicious LNK files. | ALERTS | APT |
| 11.4.26 | The Phishing Kits Economy in Cybercrime Markets | In the early days of phishing, attackers didn’t need much more than a crude HTML form. The designs were sloppy, the logos were wrong, and sometimes the page didn’t even resemble the real service, yet people still typed in their usernames and passwords. | ANALYSIS | ANALYSIS |
| 10.4.26 | PRISMEX | The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX. | MALWARE | MALWARE |
| 10.4.26 | ESPIONAGE FOR REPRESSION: FORENSIC ANALYSIS OF A CROSS-BORDER HACK-FOR-HIRE CAMPAIGN TARGETING CIVIL SOCIETY IN MENA | ESPIONAGE FOR REPRESSION: FORENSIC ANALYSIS OF A CROSS-BORDER HACK-FOR-HIRE CAMPAIGN TARGETING CIVIL SOCIETY IN MENA | PAPERS | PAPERS |
| 10.4.26 | Chaos | Darktrace Identifies New Chaos Malware Variant Exploiting Misconfigurations in the Cloud | MALWARE | GO |
| 10.4.26 | Masjesu Rising | Masjesu Rising: The Commercial IoT Botnet Built for Stealth, DDoS, and IoT Evasion | BOTNET | BOTNET |
| 10.4.26 | LucidRook | New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations | MALWARE | LUA |
| 10.4.26 | Rotten Apple | Rotten Apple: An Invasive Threat Actor Targeting Civil Society in Lebanon | CAMPAIGN | CAMPAIGN |
| 10.4.26 | BITTER APT | Beyond BITTER: MENA Civil Society Targeted in Hack-For-Hire Operation Linked to BITTER APT | APT | APT |
| 10.4.26 | Pawn Storm Campaign | Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities | CAMPAIGN | CAMPAIGN |
| 8.4.26 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2025-52691 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2025-10035 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2025-31161 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2024-57728 | A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2024-57727 | CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2024-57726 | SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2024-27199 | SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privilege technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2024-27198 | In JetBrains TeamCity before 2023.11.4, a path traversal vulnerability allowing limited admin actions to be performed was possible. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2024-1709 | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing admin actions to be performed was possible. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2024-1708 | ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2024-21887 | A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2023-46805 | An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2023-27351 | This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2023-21529 | Microsoft Exchange Server Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 8.4.26 | SOHO router compromise | SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks | INCIDENT | INCIDENT |
| 8.4.26 | Internet-exposed ComfyUI instances | Hackers Are Attempting to Turn ComfyUI Servers Into a Cryptomining Proxy Botnet | CAMPAIGN | CAMPAIGN |
| 8.4.26 | Python-Based Backdoor and Changes in Distribution Techniques | Malicious LNK Files Distributing a Python-Based Backdoor and Changes in Distribution Techniques (Kimsuky Group) | HACKING | MALWARE |
| 8.4.26 | GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit | Over the years, Rowhammer has been leveraged to mount a wide range of attacks against system main memory. | PAPERS | PAPERS |
| 8.4.26 | GDDRHammer: Greatly Disturbing DRAM Rows — Cross-Component Rowhammer Attacks from Modern GPUs | While Rowhammer has been extensively studied in CPU-based memory systems, a very recent work by Lin et al. (USENIX Security '25) extended this line of research to GDDR6 GPU memory, demonstrating the first Rowhammer bit flips on NVIDIA GPUs. | PAPERS | PAPERS |
| 8.4.26 | GPUHammer: Rowhammer Attacks on GPU Memories are Practical | Rowhammer is a read disturbance vulnerability in modern DRAM that causes bit-flips, compromising security and reliability. | PAPERS | PAPERS |
| 8.4.26 | ChainShell | ChainShell: MuddyWater’s Russian MaaS Link | MALWARE | SHELL |
| 8.4.26 | Handala | Handala: MOIS Linked Cyber Influence Ecosystem Threat Intelligence Assessment | HACKING | MALWARE |
| 8.4.26 | CVE-2025-59528 | RCE in FlowiseAI/Flowise | VULNERABILITY | VULNERABILITY |
| 8.4.26 | APT28 | APT28 exploit routers to enable DNS hijacking operations | APT | APT |
| 8.4.26 | CVE-2023-50224 | TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. | VULNERABILITY | VULNERABILITY |
| 8.4.26 | CVE-2026-34040 | AuthZ plugin bypass with oversized request body | VULNERABILITY | VULNERABILITY |
| 8.4.26 | FrostArmada | A DNS setting change on a single router can quietly reroute an entire network’s authentication traffic. In FrostArmada, Lumen observed Forest Blizzard using that technique to feed targeted logins into Attacker-in-the-Middle (AitM) infrastructure, scaling from limited activity to thousands of victims worldwide. | GROUP | GROUP |
| 8.4.26 | Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks: 2026 Updates | The Halcyon Ransomware Research Center (RRC) has seen increased activity in the Middle East region and calls to action, since the initiation of kinetic activity against Iran over the weekend. | ANALYSIS | ANALYSIS |
| 8.4.26 | Pay2Key | Pay2Key Iranian-Linked Ransomware is Back, Back Again | GROUP | RANSOMWARE |
| 8.4.26 | Storm-1175 | Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations | GROUP | GROUP |
| 8.4.26 | PIONEER KITTEN | Who Is PIONEER KITTEN? | GROUP | APT |
| 8.4.26 | Iran-nexus Password Spray Campaign Targeting Cloud Environments | Iran-nexus Password Spray Campaign Targeting Cloud Environments, with a Focus on the Middle East | CAMPAIGN | CAMPAIGN |
| 8.4.26 | DPRK-Related Campaigns with LNK and GitHub C2 | How DPRK actors use LNK files and GitHub C2 to evade detection and maintain persistence | CAMPAIGN | CAMPAIGN |
| 8.4.26 | ROKRAT | Scarcruft’s ROKRAT Malware: Recent Changes | MALWARE | RAT |
| 8.4.26 | Qilin EDR killer infection chain | Endpoint detection and response (EDR) tools are widely deployed and far more capable than traditional antivirus. As a result, attackers use EDR killers to disable or bypass them. | HACKING | RANSOMWARE |
| 8.4.26 | DPRK Malware Modularity | DPRK Malware Modularity: Diversity and Functional Specialization | HACKING | MALWARE |
| 6.4.26 | Cisco Talos year review | The 2025 threat landscape was defined by an unprecedented acceleration in the speed of vulnerability exploitation, with adversaries weaponizing new security flaws like React2Shell and ToolShell almost immediately upon disclosure. | REPORT | REPORT |
| 6.4.26 | 2026-ciso-report | 35,000 Chief Information Security Officers Employed Globally in 2026 | REPORT | REPORT |
| 6.4.26 | m-trends-2026 | M-Trends serves as a definitive look at the threats and tactics used in breaches, grounded in over 500k hours of frontline incident investigations conducted by Mandiant in 2025. | REPORT | REPORT |
| 5.4.26 | Operation NoVoice | Operation NoVoice: Rootkit Tells No Tales | OPERATION | OPERATION |
| 5.4.26 | CVE-2025-53521 | When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | VULNERABILITY | VULNERABILITY |
| 5.4.26 | CVE-2026-3502 | TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user. | VULNERABILITY | VULNERABILITY |
| 5.4.26 | RoadK1ll | RoadK1ll: A WebSocket Based Pivoting Implant | HACKING | HACKING |
| 5.4.26 | CVE-2026-4415 | Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation. | VULNERABILITY | VULNERABILITY |
| 5.4.26 | TA416 | I’d come running back to EU again: TA416 resumes European government espionage campaigns | GROUP | GROUP |
| 5.4.26 | Cookie-controlled PHP webshells | Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments | HACKING | HACKING |
| 5.4.26 | MuPDF by Artifex contains integer overflow vulnerability. | Artifex's MuPDF contains an integer overflow vulnerability, CVE-2026-3308, in versions up to and including 1.27.0. Using a specially crafted PDF, an attacker can trigger an integer overflow resulting in out-of-bounds heap writes. | ALERT | ALERT |
| 4.4.26 | Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets | Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints. | OPERATION | OPERATION |
| 4.4.26 | Operation DualScript – A Multi-Stage PowerShell Malware Campaign Targeting Cryptocurrency and Financial Activity | During our investigation, we identified a multi-stage malware infection leveraging Scheduled Task persistence, VBScript launchers, and PowerShell-based execution. The attack operates through two parallel chains:... | OPERATION | OPERATION |
| 3.4.26 | Infiniti Stealer | Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka | MALWARE | MACOS |
| 3.4.26 | CVE-2026-21643 | An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | VULNERABILITY | VULNERABILITY |
| 3.4.26 | CVE-2026-3098 | The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | VULNERABILITY | VULNERABILITY |
| 3.4.26 | Chinese-Nexus Monarch APT Deploys In-Memory AtlasCross RAT via Fake Installers | A recent report by Hexastrike details a campaign by Monarch (also known as Silver Fox or Void Arachne), a Chinese-nexus APT targeting Chinese-speaking users. The campaign leverages typosquatted domains impersonating popular applications such as Microsoft Teams, Signal, Telegram, and Zoom to distribute ZIP archives disguised as legitimate installers. | ALERTS | APT |
| 3.4.26 | CrystalX malware | CrystalX RAT is a novel Malware-as-a-Service (MaaS) variant marketed across Telegram and YouTube and utilizing promotional tactics like giveaways and video demonstrations. | VIRUS | |
| 3.4.26 | XLoader Levels Up: Advanced Obfuscation Fuels Stealthy Data Theft | An evolution of the Formbook infostealer, XLoader is doubling down on stealth. New variants detailed by Zscaler researchers employ advanced obfuscation and multi-layered network protection to mask their command-and-control infrastructure. | ALERTS | VIRUS |
| 3.4.26 | CrystalX | A laughing RAT: CrystalX combines spyware, stealer, and prankware features | MALWARE | RAT |
| 3.4.26 | UAT-10608 | UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications | GROUP | GROUP |
| 3.4.26 | Multi-Tool Mining Operation | Fake Installers to Monero: A Multi-Tool Mining Operation | OPERATION | OPERATION |
| 3.4.26 | CVE-2026-20093 | Cisco Integrated Management Controller Authentication Bypass Vulnerability | VULNERABILITY | VULNERABILITY |
| 2.4.26 | Torg Grabber | Torg Grabber: Anatomy of a New Credential Stealer | MALWARE | STEALER |
| 2.4.26 | Xinbi | UK Government Designates Xinbi, Key Node in Chinese-Language Crypto-Enabled Scam Infrastructure | CRYPTOCURRENCY | CRYPTOCURRENCY |
| 2.4.26 | Bubble | Bubble: a new tool for phishing scams | PHISHING | TOOLS |
| 1.4.26 | Resoker RAT malware | Resoker is a recently identified Remote Access Trojan (RAT) designed to grant threat actors comprehensive control over compromised endpoints. Unlike conventional malware that relies on dedicated centralized server infrastructure, this threat leverages legitimate Telegram Bot APIs instead. | ALERTS | VIRUS |
| 1.4.26 | Prismex malware distributed by the Swallowtail APT | Swallowtail threat group (also known as Pawn Storm, APT28 or Fancy Bear) has been reported to have launched a major cyber espionage campaign targeting the military and humanitarian supply chains of Ukraine and its allies across Central and Eastern Europe | VIRUS | |
| 1.4.26 | BrushWorm and BrushLogger malware | Elastic Security Labs recently uncovered a cyberattack targeting a financial organization in South Asia, deploying two custom-built malicious tools: a backdoor dubbed BrushWorm and a keylogger named BrushLogger. BrushWorm serves as the primary infection mechanism. | ALERTS | VIRUS |
| 1.4.26 | BPFdoor - a stealthy backdoor distributed to telecommunications network for persistent access | A recent investigation by Rapid7 Labs has exposed a highly sophisticated, long-term espionage operation orchestrated by the Red Menshen threat group. | VIRUS | |
| 1.4.26 | EtherRAT malware distribution campaign | EtherRAT is a highly sophisticated malware designed to execute unauthorized commands, exfiltrate cloud credentials, and drain cryptocurrency wallets from the infected systems. | VIRUS | |
| 1.4.26 | HRSword tool abused by ransomware actors | The HRSword is a specialized, legitimate system monitoring tool developed by Chinese cybersecurity firm Huorong Network Technology, designed for diagnosing Windows system issues | RANSOM | |
| 1.4.26 | TDSSKiller tool abused by ransomware actors | TDSSKiller is a portable, free utility used to detect and remove advanced rootkits and bootkits that hide from standard antivirus software. | ALERTS | RANSOM |
| 1.4.26 | Three China-Aligned Clusters Orchestrate Layered Intrusion Against SEA Government | Unit 42 researchers at Palo Alto Networks identified a multi-faceted cyberespionage campaign targeting a Southeast Asian government, attributed to three China-aligned clusters. | CAMPAIGN | |
| 1.4.26 | A new GlassWorm distribution campaign | Cybersecurity experts at Aikido identified a sophisticated new phase of the GlassWorm malware campaign, which utilizes a complex, multi-stage attack framework to steal sensitive data and deploy a remote access trojan variant. | ALERTS | CAMPAIGN |
| 1.4.26 | Kyverno is vulnerable to server-side request forgery (SSRF) | Kyverno, versions 1.16.0 to present, contains an SSRF vulnerability in its CEL-based HTTP functions, which lack URL validation or namespace scoping and allow namespaced policies to trigger arbitrary internal HTTP requests. | ALERT | ALERT |
| 1.4.26 | CrewAI contains multiple vulnerabilities including SSRF, RCE and local file read | Four vulnerabilities have been identified in CrewAI, including remote code execution (RCE), arbitrary local file read, and server-side request forgery (SSRF). CVE-2026-2275 is directly caused by the Code Interpreter Tool. | ALERT | ALERT |
| 1.4.26 | UAC-0255 cyberattack disguised as a notification from CERT-UA using the AGEWHEEZE software tool (CERT-UA#21075) | On 26-27 March 2026, the National Cyber Incident, Cyberattack and Cyber Threat Response Team CERT-UA recorded instances of e-mails being distributed purportedly on behalf of CERT-UA, urging recipients to download a password-protected archive ("CERT_UA_protection_tool.zip", "protection_tool.zip") from the Files.fm service and install "specialized software". | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 1.4.26 | WhatsApp malware campaign | WhatsApp malware campaign delivers VBScript and MSI backdoors | CAMPAIGN | CAMPAIGN |
| 1.4.26 | Augmented Marauder’s Multi-Pronged Casbaneiro Campaigns | Unpacking Augmented Marauder’s Multi-Pronged Casbaneiro Campaigns | CAMPAIGN | CAMPAIGN |
| 1.4.26 | CVE-2026-5281 | Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | VULNERABILITY | VULNERABILITY |
| 1.4.26 | UNC1069 | North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack | GROUP | GROUP |
| 1.4.26 | CVE-2026-3502 | TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. | VULNERABILITY | VULNERABILITY |