BLOG 2025
DATE | NAME | Info | CATEG. | WEB |
26.7.25 | Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode | The Arctic Wolf® Labs team has identified a new campaign by cyber-espionage group Dropping Elephant targeting Turkish defense contractors, specifically a manufacturer of precision-guided missile systems. | APT blog | Arcticwolf.com |
26.7.25 | Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload | Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404 (based on the observed payload name, associated domain, and use of fake error pages). | Cryptocurrency blog | Wiz.io/blog |
26.7.25 | Uncovering a Stealthy WordPress Backdoor in mu-plugins | Recently, our team uncovered a particularly sneaky piece of malware tucked away in a place many WordPress users don’t even know exists: the mu-plugins folder. In fact, back in March, we saw a similar trend with hidden malware in this very directory, as detailed in our post Hidden Malware Strikes Again: MU-Plugins Under Attack. This current infection was designed to be quiet, persistent, and very hard to spot. | Malware blog | blog.sucuri.net |
26.7.25 | Beyond Mimo’lette: Tracking Mimo's Expansion to Magento CMS and Docker | Through investigations into a string of workload compromises involving ecommerce sites, the Datadog Security Research team discovered that the Mimo threat actor (also known as Mimo'lette), previously known for targeting the Craft content management system (CMS), has evolved its tactics to compromise the Magento ecommerce CMS platform through exploitation of an undetermined PHP-FPM vulnerability. | Cryptocurrency blog | Securitylabs.datadoghq |
26.7.25 | ToolShell: Critical SharePoint Zero-Day Exploited in the Wild | Symantec products already block CVE-2025-53770 exploit attempts. | Vulnerability blog | SYMANTEC BLOG |
26.7.25 | Sophos X-Ops explores why larger isn’t always better when it comes to solving security challenges with AI | | AI blog | SOPHOS |
26.7.25 | SharePoint ‘ToolShell’ vulnerabilities being exploited in the wild | Sophos X-Ops sees exploitation across multiple customer estates | Vulnerability blog | SOPHOS |
26.7.25 | In-Depth Analysis of an Obfuscated Web Shell Script | Detailed analysis of an obfuscated web shell used in a CNI attack. Explores its structure, traffic patterns, and Fortinet’s detection and protection. | Hacking blog | FORTINET |
26.7.25 | Inside The ToolShell Campaign | FortiGuard Labs uncovers ToolShell, a sophisticated exploit chain targeting Microsoft SharePoint servers using a mix of patched and zero-day CVEs. Learn how attackers deploy GhostWebShell and KeySiphon for stealthy remote code execution and credential theft. | Vulnerability blog | FORTINET |
26.7.25 | A Special Mission to Nowhere | Following the Israel-Iran ceasefire, FortiGuard Labs uncovered a phishing campaign posing as a private jet evacuation service from Tel Aviv to New York. Learn how attackers used crisis-driven fear to steal personal and financial data. | BigBrother blog | FORTINET |
26.7.25 | Beyond Convenience: Exposing the Risks of VMware vSphere Active Directory Integration | Broadcom's VMware vSphere product remains a popular choice for private cloud virtualization, underpinning critical infrastructure. Far from fading, organizations continue to rely heavily on vSphere for stability and control. | Vulnerability blog | Google Threat Intelligence |
26.7.25 | *Updated July 24, 2025 with latest findings from Check Point Research* Key findings: A critical ... | | Vulnerability blog | Checkpoint |
26.7.25 | Phishing continues to be a powerful tool in the cyber criminal arsenal. In the second ... | | Phishing blog | Checkpoint |
26.7.25 | The Week in Vulnerabilities: Time to Exploit Continues to Fall | Of more than 900 new vulnerabilities in the last week, nearly 200 already have public Proofs-of-Concept (POC). | Vulnerability blog | Cyble |
26.7.25 | UK Identifies Russian GRU’s “AUTHENTIC ANTICS” Malware in Email Espionage Campaign | The UK linked the AUTHENTIC ANTICS malware to APT 28 and sanctioned GRU units for cyber espionage targeting Microsoft email accounts and hybrid warfare. | APT blog | Cyble |
26.7.25 | Australian Cyber Security Centre Warns of an Active Exploit Taking Advantage of Microsoft SharePoint Vulnerability CVE-2025-53770 | ACSC warns of active exploits targeting CVE-2025-53770 on on-premises Microsoft SharePoint and urges urgent patching to prevent remote code execution attacks. | Vulnerability blog | Cyble |
26.7.25 | Operation CargoTalon : UNG0901 Targets Russian Aerospace & Defense Sector using EAGLET implant. | Contents Introduction Initial Findings Infection Chain. Technical Analysis Stage 0 – Malicious Email File. Stage 1 – Malicious LNK file. Stage 2 – Looking into the decoy file. Stage 3 – Malicious EAGLET implant. Hunting and Infrastructure. Infrastructural details.... | Malware blog | Seqrite |
26.7.25 | RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration | EXECUTIVE SUMMARY Raven Stealer is a modern, lightweight, information-stealing malware developed primarily in Delphi and C++, designed to extract sensitive data from victim | Malware blog | Cyfirma |
26.7.25 | ANDROID MALWARE POSING AS INDIAN BANK APPS | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging cyber threats and adversarial tactics | Malware blog | Cyfirma |
26.7.25 | CYFIRMA Provides Cybersecurity Platform “DeCYFIR” to Takenaka Corporation for Enhanced Threat and Risk Visibility | Takenaka Corporation has defined its vision for 2030 through digital transformation and is advancing reform activities that integrate its digital division with all business units. The | Cyber blog | Cyfirma |
26.7.25 | EdskManager RAT: Multi-Stage Malware with HVNC and Evasion Capabilities | Executive Summary At CYFIRMA, we are dedicated to providing current insights into prevalent threats and the strategies employed by malicious entities targeting both organizations | Malware blog | Cyfirma |
26.7.25 | Revisiting Bare Metal Server Security in the Age of AI | The adoption of bare metal cloud services for AI workloads has accelerated significantly, driven by performance requirements that virtualized environments struggle to meet. | AI blog | Eclypsium |
26.7.25 | NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods | In this report, Proofpoint threat researchers take a deep dive into a widespread Request for Quote (RFQ) scam that involves leveraging common Net financing options (Net 15, 30, 45) to steal a variety of high value electronics and goods. Net financing of 15-90 days is the most common set of payment terms used by businesses. | Spam blog | PROOFPOINT |
26.7.25 | Back to Business: Lumma Stealer Returns with Stealthier Methods | Lumma Stealer has re-emerged shortly after its takedown. This time, the cybergroup behind this malware appears to be intent on employing more covert tactics while steadily expanding its reach. This article shares the latest methods used to propagate this threat. | Malware blog | Trend Micro |
26.7.25 | Proactive Security Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771) | CVE-2025-53770 and CVE-2025-53771 are vulnerabilities in on-premise Microsoft SharePoint Servers that evolved from previously patched flaws, allowing unauthenticated remote code execution through advanced deserialization and ViewState abuse. | Vulnerability blog | Trend Micro |
26.7.25 | Citrix NetScaler Devices Memory Leak: CVE-2025-5777 | The SonicWall Capture Labs threat research team became aware of a pre-authentication memory leak vulnerability leading to information disclosure in Citrix NetScaler devices, assessed its impact and developed mitigation measures. NetScaler ADC and NetScaler Gateway are both networking products from Citrix. NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) are primarily used for optimizing application delivery, enhancing security, and improving user experience across networks. | Vulnerability blog | SonicWall |
26.7.25 | Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful | Unit 42 has tracked and responded to several waves of intrusion operations conducted by the cybercrime group we track as Muddled Libra (aka Scattered Spider, UNC3944) across different sectors in recent months. This article contains observations on Muddled Libra thus far in 2025 based on our incident response insights. We share defensive recommendations that we have seen organizations use successfully against the threat. We also include what’s likely next for this prolific adversary. | APT blog | Palo Alto |
26.7.25 | The Ηоmоgraph Illusion: Not Everything Is As It Seems | Since the creation of the internet, email attacks have been the predominant attack vector for spreading malware and gaining initial access to systems and endpoints. One example of an effective email compromise technique is a homograph attack. Attackers use this content manipulation tactic to evade content analysis and trick users by replacing Latin characters with similar-looking characters from other Unicode blocks. | Malware blog | Palo Alto |
26.7.25 | Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 25) | Unit 42 is tracking high-impact, ongoing threat activity targeting self-hosted Microsoft SharePoint servers. While SaaS environments remain unaffected, self-hosted SharePoint deployments — particularly within government, schools, healthcare (including hospitals) and large enterprise companies — are at immediate risk. | Exploit blog | Palo Alto |
26.7.25 | Unmasking the new Chaos RaaS group attacks | Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks. | Ransom blog | CISCO TALOS |
26.7.25 | BRB, pausing for a "Sanctuary Moon" marathon | Get to know the real people behind cybersecurity’s front lines. In this week’s newsletter, sci-fi meets reality, humanity powers technology and a few surprises are waiting to be discovered. | Cyber blog | CISCO TALOS |
26.7.25 | Meet Hazel Burton | In the first Humans of Talos, Amy sits with Hazel Burton — storyteller, security advocate, and all-around Talos legend. Hazel shares her journey from small business entrepreneurship to leading content programs at Talos. | Cyber blog | CISCO TALOS |
26.7.25 | MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities | Cisco Talos uncovered a stealthy Malware-as-a-Service (MaaS) operation that used fake GitHub accounts to distribute a variety of dangerous payloads and evade security defenses. | Malware blog | CISCO TALOS |
26.7.25 | Bloomberg Comdb2 null pointer dereference and denial-of-service vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Bloomberg Comdb2. Comdb2 is an open source, high-availability database developed by Bloomberg. It supports features such as clustering, transactions, snapshots, and isolation. T | Vulnerebility blog | CISCO TALOS |
26.7.25 | ToolShell: Details of CVEs affecting SharePoint servers | Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019. | Vulnerability blog | CISCO TALOS |
26.7.25 | This is your sign to step away from the keyboard | This week, Martin shows how stepping away from the screen can make you a stronger defender, alongside an inside scoop on emerging malware threats. | Cyber blog | CISCO TALOS |
26.7.25 | SharePoint under fire: ToolShell attacks hit organizations worldwide | The ToolShell bugs are being exploited by cybercriminals and APT groups alike, with the US on the receiving end of 13 percent of all attacks | APT blog | Eset |
26.7.25 | ToolShell: An all-you-can-eat buffet for threat actors | ESET Research has been monitoring attacks involving the recently discovered ToolShell zero-day vulnerabilities | Vulnerability blog | Eset |
26.7.25 | Rogue CAPTCHAs: Look out for phony verification pages spreading malware | Before rushing to prove that you're not a robot, be wary of deceptive human verification pages as an increasingly popular vector for delivering malware | Malware blog | Eset |
26.7.25 | Why is your data worth so much? (Unlocked 403 cybersecurity podcast, S2E4) | Behind every free online service, there's a price being paid. Learn why your digital footprint is so valuable, and when you might actually be the product. | Cyber blog | Eset |
26.7.25 | CVE-2025-53770 & CVE-2025-53771: Critical On-Prem SharePoint Vulnerabilities | Two critical vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, have been discovered in on-premise Microsoft SharePoint. | Vulnerability blog | Cybereason |
26.7.25 | Critical SharePoint Vulnerabilities Under Active Exploitation | On-premises Microsoft SharePoint servers are currently facing high-impact, ongoing threat activity due to a set of critical vulnerabilities, notably CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. | Vulnerability blog | Trellix |
26.7.25 | Dark Web Roast - June 2025 Edition | At Trellix, we think it's important we don’t make cybercriminals seem larger than life or hero-worship them. This roast is about showing the human side of cybercrime and how they mess up, just like anyone else. | Cyber blog | Trellix |
25.7.25 | Illusory Wishes: China-nexus APT Targets the Tibetan Community | In June 2025, Zscaler ThreatLabz collaborated with TibCERT to investigate two cyberattack campaigns targeting the Tibetan community. | APT blog | Zscaler |
19.7.25 | SophosAI at Black Hat USA ’25: Anomaly detection betrayed us, so we gave it | Sophos’ Ben Gelman and Sean Bergeron will present their research on enhancing command line classification with benign anomalous data at Las Vegas | AI blog | SOPHOS |
19.7.25 | NailaoLocker Ransomware’s “Cheese” | FortiGuard Labs analyzes NailaoLocker ransomware, a unique variant using SM2 encryption and a built-in decryption function. Learn how it works, why it matters, and how Fortinet protects against it. | Ransom blog | FORTINET |
19.7.25 | Improving Cloud Intrusion Detection and Triage with FortiCNAPP Composite | FortiCNAPP Composite Alerts link weak signals into clear timelines—helping security teams detect cloud-native threats earlier and triage them faster. | Cyber blog | FORTINET |
19.7.25 | Old Miner, New Tricks | FortiCNAPP Labs uncovers Lcrypt0rx, a likely AI-generated ransomware variant used in updated H2Miner campaigns targeting cloud resources for Monero mining. | AI blog | FORTINET |
19.7.25 | How FortiSandbox 5.0 Detects Dark 101 Ransomware Despite Evasion Techniques | Discover how FortiSandbox 5.0 detects Dark 101 ransomware, even with sandbox evasion tactics. Learn how advanced behavioral analysis blocks file encryption, system tampering, and ransom note deployment. | Ransom blog | FORTINET |
19.7.25 | Check Point Research identifies how the new social engineering technique, FileFix, is being actively tested ... | | Hacking blog | Checkpoint |
19.7.25 | Global Attacks Continued to Rise, But the Details Tell a Bigger Story Every quarter, Check ... | | Cyber blog | Checkpoint |
19.7.25 | CSA Issues Alert on Critical VMware Vulnerabilities: Patch Now, Experts Warn | Singapore’s Cyber Security Agency alerts critical VMware flaws risking code execution and data leaks. | Vulnerability blog | Cyble |
19.7.25 | Scanception: A QRiosity-Driven Phishing Campaign | Cyble analyzes "Scanception", an ongoing quishing campaign using QR codes in PDFs to bypass security, harvest credentials, and evade detection systems. | Phishing blog | Cyble |
19.7.25 | Australia Strengthens Cybersecurity for Critical Infrastructure with Adoption of AS IEC 62443 Standards | Australia adopts AS IEC 62443 to secure OT systems and critical infrastructure, aligning with its national cyber strategy and six-shield cybersecurity framework. | Cyber blog | Cyble |
19.7.25 | The Week in Vulnerabilities: Cyble’s Weekly Cyber Threat Report Reveals New Flaws in IT and IoT Ecosystems | Cyble’s weekly report reveals 17 critical vulnerabilities, rising IoT attacks, and active malware campaigns targeting global IT infrastructure. | IoT blog | Cyble |
19.7.25 | APT PROFILE – FANCY BEAR | Fancy Bear, also known as APT28, is a notorious Russian cyberespionage group with a long history of targeting governments, military entities, and other high-value | APT blog | Cyfirma |
19.7.25 | CVE-2025-5777 – Pre-Auth Memory Leak in Citrix NetScaler (CitrixBleed 2) | EXECUTIVE SUMMARY CVE-2025-5777 is a critical information disclosure vulnerability in Citrix NetScaler ADC and Gateway appliances, caused by unsafe memory handling in the | Vulnerability blog | Cyfirma |
19.7.25 | Android Cryptojacker Disguised as Banking App Exploits Device Lock State | The global craze around cryptocurrency has fueled both innovation and exploitation. While many legally chase digital gold, cybercriminals hijack devices to mine it covertly. Recently, we encountered a phishing website impersonating a well-known bank, hosting a fake Android app.... | Cryptocurrency blog | Seqrite |
19.7.25 | Vulnerabilities in Netgear Firmware-Based IoT Devices In The Enterprise | Netgear (and similar) devices, such as IoT routers, have remained a significant target for vulnerability research and exploitation. This is due to their widespread use in both consumer and enterprise environments, their role as network edge devices, and the persistent challenge of securing firmware and managing patches. With over 500 security advisories released by Netgear, the scale of the problem is undeniable. | Vulnerability blog | Eclypsium |
19.7.25 | Securing Tomorrow: An Interview with Trend Micro VP of Product Management Michael Habibi | Proactive security in a rapidly evolving threat landscape | Security blog | Trend Micro |
19.7.25 | CISA's NIMBUS 2000 Initiative: Understanding Key Findings and Strengthening Cloud Identity Security | This blog explores key findings from CISA’s NIMBUS 2000 Cloud Identity Security Technical Exchange and how Trend Vision One™ Cloud Security aligns with these priorities. It highlights critical challenges in token validation, secrets management, and logging visibility—offering insights into how integrated security solutions can help organizations strengthen their cloud identity defenses and meet evolving federal standards. | Security blog | Trend Micro |
19.7.25 | Preventing Zero-Click AI Threats: Insights from EchoLeak | A zero-click exploit called EchoLeak reveals how AI assistants like Microsoft 365 Copilot can be manipulated to leak sensitive data without user interaction. This entry breaks down how the attack works, why it matters, and what defenses are available to proactively mitigate this emerging AI-native threat. | AI blog | Trend Micro |
19.7.25 | Wing FTP Server Remote Code Execution: CVE-2025-47812 | The SonicWall Capture Labs threat research team became aware of an open redirect vulnerability in Wing FTP Server, assessed its impact and developed mitigation measures. Wing FTP Server is a cross-platform FTP server software available for Windows, Linux, and macOS. It supports a range of protocols, including FTP, FTPS, HTTP, HTTPS, and SFTP, making it a flexible choice for secure file transfers. | Vulnerability blog | SonicWall |
19.7.25 | Ransomware Delivered Through GitHub: A PowerShell-Powered Attack | Recently, the SonicWall Capture Labs threat research team identified a PowerShell-based ransomware variant that is abusing GitHub for its distribution. The malware authors are misusing raw.githubusercontent[.]com, a GitHub domain used to host raw content of unprocessed file versions. | Ransom blog | SonicWall |
19.7.25 | RisePro Malware Assembles On-site | This week, the SonicWall Capture Labs threat research team analyzed a sample of RisePro malware. This is a Malware-as-a-Service family that excels in stealing data, especially related to cryptocurrency wallets. It is a multi-stage executable with layers of obfuscation, indirect API calls and extensive evasion capabilities in the form of dynamically built file types and process monitoring. | Malware blog | SonicWall |
19.7.25 | Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication | Since late 2024, Unit 42 researchers have been tracking a cluster of suspicious activity as CL-STA-1020, targeting governmental entities in Southeast Asia. The threat actors behind this cluster of activity have been collecting sensitive information from government agencies, including information about recent tariffs and trade disputes. | Hacking blog | Palo Alto |
19.7.25 | Talos IR ransomware engagements and the significance of timeliness in incident response | The decision between immediate action and delayed response made the difference between ransomware prevention and complete encryption in these two real-world Talos IR engagements. | Ransom blog | CISCO TALOS |
19.7.25 | This is your sign to step away from the keyboard | This week, Martin shows how stepping away from the screen can make you a stronger defender, alongside an inside scoop on emerging malware threats. | Malware blog | CISCO TALOS |
19.7.25 | MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities | Cisco Talos uncovered a stealthy Malware-as-a-Service (MaaS) operation that used fake GitHub accounts to distribute a variety of dangerous payloads and evade security defenses. | BigBrother blog | CISCO TALOS |
19.7.25 | Asus and Adobe vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products. | Vulnerability blog | CISCO TALOS |
19.7.25 | Unmasking AsyncRAT: Navigating the labyrinth of forks | ESET researchers map out the labyrinthine relationships among the vast hierarchy of AsyncRAT variants | Malware blog | Eset |
19.7.25 | NoBooze1 Malware Targets TP-Link Routers via CVE-2019-9082 | This month we dig into the CVE targeting volumes and trending observed in June 2025. We present a breakdown of the exploits targeting this month’s CVE with the largest upswing in activity: CVE-2023-1389 (TP-Link AX21). | Malware blog | F5 |
19.7.25 | BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption | In this Threat Analysis Report, Cybereason investigates a recently observed BlackSuit ransomware attack and the tools and techniques the threat actors used. | Ransom blog | Cybereason |
19.7.25 | Detecting and Visualizing Lateral Movement Attacks with Trellix Helix Connect | This blog marks the third installment in our series on detecting and visualizing lateral movement attacks with Trellix Helix Connect. | Hacking blog | Trellix |
19.7.25 | Threat Analysis: SquidLoader - Still Swimming Under the Radar | A new wave of SquidLoader malware samples is actively targeting financial services institutions in Hong Kong. This sophisticated malware exhibits significant evasion capabilities, achieving near-zero detection rates on VirusTotal at the time of analysis. | Malware blog | Trellix |
16.7.25 | GLOBAL GROUP: Emerging Ransomware-as-a-Service, Supporting AI Driven Negotiation and Mobile Control Panel for Their Affiliates | On June 2, 2025, EclecticIQ analysts observed the emergence of GLOBAL GROUP, a new Ransomware-as-a-Service (RaaS) brand promoted on the Ramp4u forum by the threat actor known as “$$$”. | Ransom blog | blog.eclecticiq |
16.7.25 | Unmasking AsyncRAT: Navigating the labyrinth of forks | ESET researchers map out the labyrinthine relationships among the vast hierarchy of AsyncRAT variants | Malware blog | Eset |
16.7.25 | Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader | North Korean threat actors deploy 67 malicious npm packages using the newly discovered XORIndex malware loader. | Malware blog | socket.dev |
16.7.25 | Russian hackers manipulate npm to make realistic packages | Safety’s malicious package detection identified a malicious npm package today named express-exp. This package was brand new, and had only one version, 1.0.1. | Malware blog | www.getsafety |
12.7.25 | Message from Wolf Bot | Since early June 2025, Arctic Wolf has observed a search engine optimisation (SEO) poisoning and malvertising campaign promoting malicious websites hosting Trojanized versions of legitimate IT tools such as PuTTY and WinSCP. | Malware blog | ARCTICWOLF |
12.7.25 | Black Hat SEO Poisoning Search Engine Results For AI (ThreatLabz) | Zscaler ThreatLabz researchers recently uncovered AI-themed websites designed to spread malware. The threat actors behind these attacks are exploiting the popularity of AI tools like ChatGPT and Luma AI. | AI blog | ZSCALER |
12.7.25 | Analysis of TAG-140 Campaign and DRAT V2 Development Targeting Indian Government Organizations | During an investigation into a recent TAG-140 campaign targeting Indian government organizations, Insikt Group identified a modified variant of the DRAT remote access trojan (RAT), which we designated as DRAT V2. | Malware blog | RECORDEDFUTURE |
12.7.25 | Crypto Wallets Continue to be Drained in Elaborate Social Media Scam | Darktrace’s latest research reveals that an evolving social engineering campaign continues to target cryptocurrency users through fake startup companies. | Cryptocurrency blog | DARKTRACE |
12.7.25 | Count(er) Strike – Data Inference Vulnerability in ServiceNow | Varonis Threat Labs discovered a high severity vulnerability in ServiceNow’s platform that can lead to significant data exposure and exfiltration. | Vulnerability blog | VARONIS |
12.7.25 | GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed | Unit 42 researchers uncovered a campaign by an initial access broker (IAB) to exploit leaked Machine Keys — cryptographic keys used on ASP.NET sites — to gain access to targeted organizations. IABs breach organizations and then sell that access to other threat actors. | Exploit blog | Palo Alto |
12.7.25 | Pay2Key’s Resurgence: Iranian Cyber Warfare Targets the West | In the volatile aftermath of the Israel-Iran-USA conflict, a sophisticated cyber threat has re-emerged, targeting organizations across the West. | BigBrother blog | MORPHISEC |
12.7.25 | Malicious pull request infects VS Code extension | ETHcode, a VS Code extension for Ethereum smart contract development, was compromised following a GitHub pull request. | Cryptocurrency blog | REVERSINGLABS |
12.7.25 | Is Cyber the Next Stage of War in the Middle East Conflict? | As clashes continue in the Middle East, who are the cyber actors to be aware of? | Cyber blog | SYMANTEC BLOG |
12.7.25 | Hacktivist Attacks on Critical Infrastructure Grow as New Groups Emerge | Hacktivists are increasingly targeting critical infrastructure, data breaches, and other more sophisticated attack types. | Hacking blog | Cyble |
12.7.25 | Phishing, Pivots, and Persistence: A Look into Japan’s Q1 2025 Cyber Threat Landscape | JPCERT’s Q1 2025 report reveals a 10% rise in cyber incidents, with phishing making up 87% of confirmed cases. | Phishing blog | Cyble |
12.7.25 | Ongoing Phishing Campaign Utilizes LogoKit for Credential Harvesting | CRIL analyzes an ongoing LogoKit phishing campaign that pulls brand assets from Clearbit and Google Favicon. | Phishing blog | Cyble |
12.7.25 | Direct Memory and Container OOMKilled Errors | Recently, we encountered continuous integration (CI) build failures in two of our microservices, caused by Java unit tests. | Security blog | PROOFPOINT |
12.7.25 | Catching Smarter Mice with Even Smarter Cats | Explore how AI is changing the cat-and-mouse dynamic of cybersecurity, from cracking obfuscation and legacy languages to challenging new malware built with Flutter, Rust, and Delphi. | AI blog | FORTINET |
12.7.25 | TRACKING RANSOMWARE : JUNE 2025 | EXECUTIVE SUMMARY In June 2025, ransomware attacks targeted critical industries such as professional services, healthcare, and information technology, exploiting their | Ransom blog | Cyfirma |
12.7.25 | RENDERSHOCK: WEAPONIZING TRUST IN FILE RENDERING PIPELINES | EXECUTIVE SUMMARY RenderShock is a comprehensive zero-click attack strategy that targets passive file preview, indexing, and automation behaviours in modern operating systems and enterprise environments. It leverages built-in trust | Malware blog | Cyfirma |
12.7.25 | GitHub Abused to Spread Malware Disguised as Free VPN | EXECUTIVE SUMMARY At CYFIRMA, we continuously monitor and investigate emerging cyber threats targeting both organizations and individuals. In this report, we analysed a | Malware blog | Cyfirma |
12.7.25 | Microsoft Security Bulletin Coverage for July 2025 | Microsoft’s July 2025 Patch Tuesday has 127 vulnerabilities, 53 of which are Elevation of Privilege. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of July 2025 and has produced coverage for 12 of the reported vulnerabilities. | Vulnerability blog | SonicWall |
12.7.25 | Unauthenticated File Upload-to-RCE in VvvebJs (CVE-2024-29272) | The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-29272, assessed its impact and developed mitigation measures for this vulnerability. | Vulnerability blog | SonicWall |
12.7.25 | Ransomware Delivered Through GitHub: A PowerShell-Powered Attack | Recently, the SonicWall Capture Labs threat research team identified a PowerShell-based ransomware variant that is abusing GitHub for its distribution. | Ransom blog | SonicWall |
12.7.25 | Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques | In late 2024, we discovered a malware variant related to the SLOW#TEMPEST campaign. In this research article, we explore the obfuscation techniques employed by the malware authors. We deep dive into these malware samples and highlight methods and code that can be used to detect and defeat the obfuscation techniques. | Malware blog | Palo Alto |
12.7.25 | Fix the Click: Preventing the ClickFix Attack Vector | In this article, we share hunting tips and mitigation strategies for ClickFix campaigns and provide an inside view of some of the most prominent ClickFix campaigns we have seen so far in 2025: | Hacking blog | Palo Alto |
11.7.25 | BERT Ransomware Group Targets Asia and Europe on Multiple Platforms | BERT is a newly emerged ransomware group that pairs simple code with effective execution—carrying out attacks across Europe and Asia. In this entry, we examine the group’s tactics, how their variants have evolved, and the tools they use to get past defenses and speed up encryption across platforms. | Ransom blog | Trend Micro |
11.7.25 | Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack | In March 2025, Apache disclosed CVE-2025-24813, a vulnerability impacting Apache Tomcat. This is a widely used platform that allows Apache web servers to run Java-based web applications. The flaw allows remote code execution, affecting Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34 and 11.0.0-M1 to 11.0.2. | Vulnerebility blog | Palo Alto |
11.7.25 | BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption | In this Threat Analysis Report, Cybereason investigates a recently observed BlackSuit ransomware attack and the tools and techniques the threat actors used. | Ransom blog | Cybereason |
11.7.25 | From Click to Compromise: Unveiling the Sophisticated Attack of DoNot APT Group on Southern European Government Entities | The DoNot APT group, also identified by various security vendors as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger, has been active since at least 2016, and several vendors have attributed it as having links to India. | APT blog | Trellix |
5.7.25 | NSB Alerts the Significant Cybersecurity Risks in China-Made Mobile Applications | In recent years, the international community has shown growing concerns over cybersecurity issues deriving from China-developed mobile applications (apps). | BigBrother blog | nsb.gov.tw |
5.7.25 | Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open | During routine monitoring, the Wiz Research Team observed an exploitation attempt targeting one of our honeypot servers running TeamCity, a popular CI/CD tool. | Exploit blog | WIZ |
5.7.25 | RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs analyzes RondoDox, a stealthy new botnet targeting TBK DVRs and Four-Faith routers via CVE-2024-3721 and CVE-2024-12856. Learn how it evades detection, establishes persistence, and mimics gaming and VPN traffic to launch DDoS attacks. | BotNet blog | FORTINET |
5.7.25 | DCRAT Impersonating the Colombian Government | Threat actor impersonates Colombian government to deliver DCRAT via phishing email, using obfuscation, steganography, and PowerShell payload chains. | Malware blog | FORTINET |
5.7.25 | Numerous Western Companies May Still Need to Ban FUNNULL Admin Accounts to Comply with U.S. Treasury Sanctions | Silent Push Threat Analysts have been mapping the scope of the FUNNULL content delivery network (CDN) and its use of Infrastructure Laundering to hide its infrastructure among major Western cloud providers, such as Amazon and Microsoft, forcing defenders to remain constantly alert in order to respond to and block its accounts. We labeled the threat actor network “Triad Nexus.” | Cyber blog | Silent Push |
5.7.25 | Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands | Silent Push Threat Analysts followed a tip from Mexican journalist Ignacio Gómez Villaseñor about a threat actor targeting “Hot Sale 2025,” an annual sales event similar to “Black Friday” in the U.S. | Phishing blog | Silent Push |
5.7.25 | Top Ransomware Groups June 2025: Qilin Reclaims Top Spot | A look at the top ransomware groups, incidents and developments in June 2025. | Ransom blog | Cyble |
5.7.25 | The Week in Vulnerabilities: High-Risk IT and ICS Flaws Flagged by Cyble | Cyble threat intelligence researchers identified several high-risk IT and ICS flaws this week, including some under active exploitation. | Vulnerebility blog | Cyble |
5.7.25 | Phishing Attack: Deploying Malware on Indian Defense BOSS Linux | CYFIRMA has identified a sophisticated cyber-espionage campaign orchestrated by APT36 (also known as Transparent Tribe), a threat actor based in Pakistan. | Phishing blog | Cyfirma |
5.7.25 | EXECUTIVE THREAT LANDSCAPE REPORT AUSTRALIA | Why Cyber Threat Actors Target Australia? | Cyber blog | Cyfirma |
5.7.25 | Fortnightly Vulnerability Summary | Check out these fast facts on fortnightly observed vulnerabilities. Fortnight's most impacted products: D-Link, TeamCity, Netbox. | Vulnerebility blog | Cyfirma |
5.7.25 | Eclypsium Releases Tools for Detecting AMI MegaRAC BMC Vulnerabilities | An attacker armed with the latest knowledge of BMC vulnerabilities and exploits is poised to take control of your server(s). Given that one of these vulnerabilities, CVE-2024-54085, was recently added to the CISA KEV, we now know exploitation is happening in the wild. Organizations must inventory IT assets and then determine if a given vulnerability is present. | Vulnerebility blog | Eclypsium |
5.7.25 | AI Dilemma: Emerging Tech as Cyber Risk Escalates | As AI adoption accelerates, businesses face mounting cyber threats—and urgent choices about secure implementation | AI blog | Trend Micro |
5.7.25 | DBatLoader Reloaded: Dual Injection and Resilience | The SonicWall Capture Labs threat research team has observed the latest variant of DBatLoader performing a dual injection of Remcos RAT, utilizing two distinct injection techniques. The malware is mainly known for delivering Remcos RAT, but also delivers other malware. | Malware blog | SonicWall |
5.7.25 | Pay2Key: First Ransomware Utilizing I2P Network Instead of Tor | Pay2Key first emerged in late 2020 and primarily targeted Israeli businesses. It gained attention for its alleged links to Iranian threat actors. Today’s sample, however, is an obvious pivot to a ransomware-as-a-service model, welcoming even the most novice users. What sets it apart is its use of I2P, an anonymous network similar to Tor. | Ransom blog | SonicWall |
5.7.25 | Windows Shortcut (LNK) Malware Strategies | Attackers are increasingly exploiting Windows shortcut (LNK) files for malware delivery. Our telemetry revealed 21,098 malicious LNK samples in 2023, which surged to 68,392 in 2024. In this article, we present an in-depth investigation of LNK malware, based on analysis of 30,000 recent samples. | Malware blog | Palo Alto |
5.7.25 | A message from Bruce the mechanical shark | This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing. | Cyber blog | CISCO TALOS |
5.7.25 | How to get into cybersecurity | Unlocked 403 cybersecurity podcast (S2E3) | Cracking the code of cybersecurity careers starts here. What skills and mindset can set you apart? Hear from ESET's Robert Lipovsky as he reveals how to thrive in this fast-paced field. | Cyber blog | Eset |
5.7.25 | Task scams: Why you should never pay to get paid | | Spam blog | Eset |
5.7.25 | How government cyber cuts will affect you and your business | Deep cuts in cybersecurity spending risk creating ripple effects that will put many organizations at a higher risk of falling victim to cyberattacks | Cyber blog | Eset |
5.7.25 | Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset | ESET Research analyzes Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed throughout | Phishing blog | Eset |
5.7.25 | Automagic Reverse Engineering | Overall, the required time to analyze a binary goes down with this approach, as a lot of manual tasks have been automated. Being able to run these scripts headless allows you to integrate them into your workflow of choice, making the methodology as flexible as possible. | Vulnerebility blog | Trellix |
5.7.25 | The Bug Report - June 2025 Edition | Stay cool this summer with June 2025’s top 4 CVEs: RCEs, NTLM exploits, router worms & a Google supply chain flaw. Read now to patch fast and stay safe. | Vulnerebility blog | Trellix |
5.7.25 | The Democratization of Phishing: Popularity of PhaaS platforms on the rise | PhaaS platforms are democratizing sophisticated phishing attacks, making them cheaper, easier, and more effective for cybercriminals, with AI amplifying their scale. | Phishing blog | Trellix |
4.7.25 | June's Dark Gift: The Rise of Qwizzserial | Qwizzserial, discovered by Group-IB in mid-2024 and initially not very active, began to spread strongly in Uzbekistan, masquerading as legitimate applications. The malware steals banking information and intercepts 2FA SMS messages, transmitting them to fraudsters via Telegram bots. | Malware blog | GROUP-IB |
4.7.25 | How IAS is Fighting Back Against the Shape-Shifting Kaleidoscope Scheme | The IAS Threat Lab has uncovered a sophisticated new threat dubbed Kaleidoscope — a deceptive Android ad fraud operation that’s as dynamic as it is dangerous. This scheme hides behind seemingly legitimate apps available on Google Play, while malicious lookalike versions are quietly distributed through third-party app stores. | Cyber blog | INTEGRALADS |
4.7.25 | Satori Threat Intelligence Alert: IconAds Conceals Source of Ad Fraud from Users | HUMAN’s Satori Threat Intelligence and Research Team has uncovered and disrupted an operation dubbed IconAds. This scheme centered on a collection of 352 apps which load out-of-context ads on a user’s screen and hide the app icons, making it difficult for a user to identify the culprit app and remove it. | Cyber blog | HUMANSECURITY |
4.7.25 | FoxyWallet: 40+ Malicious Firefox Extensions Exposed | A large-scale malicious campaign has been uncovered involving dozens of fake Firefox extensions designed to steal cryptocurrency wallet credentials. | Cryptocurrency blog | KOI SECURITY |
3.7.25 | Further insights into Ivanti CSA 4.6 vulnerabilities exploitation | Between October 2024 and late January 2025, public reports described the exploitation of Ivanti CSA vulnerabilities, which started in Q4 2024. We share analysis results confirming worldwide exploitation that led to webshell deployments in September and October 2024. | Exploit blog | INSIDETHELAB |
3.7.25 | PDFs: Portable documents, or perfect deliveries for phish? | Cisco recently developed and released an update to its brand impersonation detection engine for emails. This new update enhances detection coverage and includes a wider range of brands that are delivered using PDF payloads (or attachments). | Phishing blog | CISCO TALOS |
2.7.25 | Okta observes v0 AI tool used to build phishing sites | Okta Threat Intelligence has observed threat actors abusing v0, a breakthrough Generative Artificial Intelligence (GenAI) tool created by Vercel, to develop phishing sites that impersonate legitimate sign-in webpages. | AI blog | OKTA |
2.7.25 | 10 Things I Hate About Attribution: RomCom vs. TransferLoader | Most of the time, delineating activities from distinct clusters and separating cybercrime from espionage can be done based on differing tactics, techniques, and procedures (TTPs), tooling, volume/scale, and targeting. | Malware blog | PROOFPOINT |
1.7.25 | Can You Trust that Verified Symbol? Exploiting IDE Extensions is Easier Than it Should Be | OX Security researchers uncover how easy it is for malicious extensions to bypass trust checks and execute code on developer machines. | Exploit blog | OX SECURITY |
1.7.25 | Patch and Persist: Darktrace’s Detection of Blind Eagle (APT-C-36) | Since 2018, Blind Eagle has targeted Latin American organizations using phishing and RATs. Darktrace detected Blind Eagle activity on a customer network involving C2 connectivity, malicious payload downloads and data exfiltration. | APT blog | DARKTRACE |
1.7.25 | Tracing Blind Eagle to Proton66 | Trustwave SpiderLabs has assessed with high confidence that the threat group Blind Eagle, aka APT-C-36, is associated with the Russian bulletproof hosting service provider Proton66. | APT blog | SPIDERLABS BLOG |