| DATE | NAME | Info | CATEG. | WEB |
|---|---|---|---|---|
| 30.5.26 | | While Russian-speaking threat actors have historically dominated the phishing-as-a-service (PhaaS) landscape, a rival ecosystem is rapidly growing within the Chinese-language underground. Google Threat Intelligence Group (GTIG) analyzed a dozen current PhaaS offerings in the Chinese underground, all of them mature services and many likely tied intricately to the broader criminal ecosystem in that region. | Exploit blog | GTI |
| 30.5.26 | | In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE). | Phishing blog | GTI |
| 30.5.26 | Operation Dragon Weave : Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2 | Contents Introduction Key Targets Industries Affected Geographical focus Infection Chain Initial Findings Looking into the Decoy Document Technical Analysis Stage 1 – Initial Delivery Path A: LNK-Based Execution Path B: Executable-Based Delivery Stage 2 – Script-Based Dropper Chain Stage... | Hacking blog | Seqrite |
| 30.5.26 | Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan | Authors: Dixit Panchal & Vaibhav Krushna Billade Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoy: Technical Analysis: Stage 1: Analysis of LNK File. Stage 2: Analysis of HTA/JavaScript Payload Stage 3: Analysis... | Hacking blog | Seqrite |
| 30.5.26 | OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight | Cyble analyzes OverlayPhantom, an Android banking trojan targeting 180+ apps across 10 countries, stealing credentials via fake overlays and real-time screen streaming. | Malware blog | Cyble |
| 30.5.26 | The Gentlemen ransomware: Dissecting a self-propagating Go encryptor | Microsoft Threat Intelligence presents a comprehensive analysis of The Gentlemen, a Go-based ransomware deployed by affiliates of Storm-2697 that combines per-file ephemeral key encryption with an aggressive self-propagation module to deploy itself across an entire network using a series of simultaneous lateral movement techniques per target. | Ransom blog | Microsoft blog |
| 30.5.26 | Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet | TrendAI™ Research analyzed an intrusion where threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. | Hacking blog | Trend Micro |
| 30.5.26 | H2O-3 Unauthenticated RCE via PostgreSQL JDBC socketFactory | SonicWall Capture Labs threat research team became aware of the threat CVE-2026-3960, assessed its impact, and developed mitigation measures for this vulnerability. The flaw, also known as the H2O-3 ImportSQLTable PostgreSQL JDBC SocketFactory RCE, is a critical remote code execution vulnerability affecting the open-source H2O-3 machine learning platform (h2oai/h2o-3) in all releases up to and including 3.46.0.9. | Vulnerability blog | SonicWall |
| 30.5.26 | Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake | EvidenceForge generates high-quality, realistic, and consistent datasets across multiple log formats, enabling teams to effectively train personnel and validate detection models without the need for complex manual simulations. | Cyber blog | CISCO TALOS |
| 30.5.26 | Less panic patching, more precision | In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter. | Cyber blog | CISCO TALOS |
| 30.5.26 | DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap | This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format. | Cyber blog | CISCO TALOS |
| 30.5.26 | MediaArea heap-based buffer overflow vulnerabilities | Talos researchers find 4 heap-based buffer overflow vulnerabilities in MediaArea's MediaInfoLib. | Vulnerability blog | CISCO TALOS |
| 30.5.26 | This month in security with Tony Anscombe – May 2026 edition | In this roundup, Tony looks at attacks against Polish water treatment facilities, how AI-directed attacks failed in Mexico, and what Google believes is the first AI-generated zero-day exploit | Cyber blog | Eset |
| 30.5.26 | ESET APT Activity Report Q4 2025–Q1 2026 | An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2025 and Q1 2026 | APT blog | Eset |
| 30.5.26 | What to consider before asking an AI chatbot for health advice | Using chatbots for medical advice could elicit hallucinations and even expose you to security and privacy risks. Here’s what’s at stake and how to stay safe. | AI blog | Eset |
| 30.5.26 | BTMOB: A stealthy RAT burrowing deep into Android devices | The malware pairs remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise | Malware blog | Eset |
| 23.5.26 | WantToCry ransomware remotely encrypts files | Brute-force attempts against SMB services can be early signs of an attack | Ransom blog | SOPHOS |
| 23.5.26 | | Google Threat Intelligence Group (GTIG) has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the "BlackFile" brand, that targets organizations via sophisticated voice phishing (vishing) and single sign-on (SSO) compromise. | Phishing blog | GTI |
| 23.5.26 | DBIR 2026: Network Asset Breaches Up 3x as Vulnerability Exploitation Accelerates | The Verizon Data Breach Investigations Report remains one of the most useful annual sources for understanding how real-world breaches are changing. The 2026 report analyzes more than 31,000 security incidents, including more than 22,000 confirmed data breaches, and shows a clear shift in attacker focus: exploitation of vulnerabilities is now the leading known initial access vector. | Security blog | Eclypsium |
| 23.5.26 | YellowKey: The Unpatched BitLocker Bypass Hidden in Windows Recovery | A stolen Windows 11 laptop and a USB stick are enough to read a BitLocker-encrypted drive using nothing but Microsoft’s own recovery tools, and the researcher is holding back a follow-on attack that also defeats the startup PIN defenders are scrambling to enable in response. | Hacking blog | Eclypsium |
| 23.5.26 | Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure | Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoys & Spear phishing Email: Technical Analysis: Stage1: Analysis of LNK File. Stage2: Analysis of VBS. Stage3: DLL Side Loading. Infrastructural Artefacts & Threat actor... | Cyber blog | Seqrite |
| 23.5.26 | JOMANGY: INJ3CTOR3’s Self-Healing FreePBX Toll Fraud Campaign | CRIL uncovers JOMANGY, a stealth PHP webshell by INJ3CTOR3 with 6 persistence layers and self-healing cron jobs built to survive host cleanup. | Malware blog | Cyble |
| 23.5.26 | Cyble Named a Challenger in the Inaugural 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies | One of only two vendors recognized as a Challenger out of 17 evaluated vendors in the first-ever Gartner® evaluation of the cyberthreat intelligence market. | Cyber blog | Cyble |
| 23.5.26 | GCC Cyber 2026: How Digital Banking Expansion Is Creating a New Attack Surface Attackers Are Already Exploiting | The GCC digital banking attack surface is expanding rapidly, driven by AI threats, ransomware, open banking risks, and rising cyberattacks in 2026. | Attack blog | Cyble |
| 23.5.26 | Why Australian Dark Web Data Is Now Being Sold in Bundles — and What It Means for Organizational Exposure in 2026 | Australian dark web data is fueling bundled breach sales, with ransomware groups expanding cyber risks across industries in 2025. | Ransom blog | Cyble |
| 23.5.26 | Inside the JDownloader Supply-Chain Attack: An r77 Rootkit Bot That Kills Your Antivirus | Malware that hid itself on infected systems and disabled antivirus protection. | Security blog | GENDIGITAL |
| 23.5.26 | Fast16: Pre-Stuxnet Sabotage Tool Was Built to Subvert Nuclear Weapons Simulations | New analysis confirms the targeted applications and reveals fast16 was tailored to corrupt uranium-compression simulations central to nuclear weapon design. | APT blog | SECURITY.COM |
| 23.5.26 | Exposing Fox Tempest: A malware-signing service operation | Fox Tempest is a financially motivated threat actor operating a malware‑signing‑as‑a‑service (MSaaS) used by other cybercriminals, including Vanilla Tempest and Storm groups, to more effectively distribute malicious code, including ransomware. | APT blog | Microsoft blog |
| 23.5.26 | One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud ‘Patriot Bait’ Campaign | A solo Russian-speaking threat actor ran a 5-year Telegram channel and, starting September 2025, used AI to automate its content, credential theft, and a cryptocurrency fraud scheme targeting American audiences. | AI blog | Trend Micro |
| 23.5.26 | Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware | Void Dokkaebi, a North Korea-aligned intrusion set, has updated its information-stealing malware, InvisibleFerret, shifting its delivery format to evade script-based detections. | Malware blog | Trend Micro |
| 23.5.26 | Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud | In this blog entry, researchers from the TrendAI™ MDR team discuss how they mapped the full end-to-end operation of SHADOW-WATER-063’s Banana RAT banking malware by analyzing server-side artifacts and victim-side data. | Malware blog | Trend Micro |
| 23.5.26 | Next.js WebSocket Upgrade Handler SSRF | The SonicWall Capture Labs threat research team became aware of a Server-Side Request Forgery vulnerability in Next.js, assessed its impact and developed mitigation measures. Next.js enables organizations to create full-stack web applications by extending the latest React features and integrating powerful Rust-based JavaScript tooling for the fastest builds. | Malware blog | SonicWall |
| 23.5.26 | Paved With Intent: ROADtools and Nation-State Tactics in the Cloud | ROADtools is a publicly available toolkit for offensive and defensive security purposes that attackers have integrated into cloud attacks. The tool is designed to: | Security blog | Palo Alto |
| 23.5.26 | Tracking TamperedChef Clusters via Certificate and Code Reuse | This article documents novel activity clusters that have significant overlap with the publicly described threat known as TamperedChef (aka EvilAI). TamperedChef-style malware is trojanized productivity software, such as PDF editors or calendars, that deliver malicious payloads. | Malware blog | Palo Alto |
| 23.5.26 | The npm Threat Landscape: Attack Surface and Mitigations (Updated May 21) | The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. | Malware blog | Palo Alto |
| 23.5.26 | The art of being ungovernable | In this edition of the Threat Source newsletter, William explores the value of being "ungovernable" in a professional setting, sharing how challenging the status quo and seeking out the smartest people in the room can lead to a more fulfilling and successful career. | Security blog | CISCO TALOS |
| 23.5.26 | From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat | Cisco Talos has uncovered a BadIIS variant — identifiable by its embedded "demo.pdb" strings — that functions as commodity malware, likely sold or shared among multiple Chinese-speaking cyber crime groups operating under a malware-as-a-service (MaaS) model for continuous monetization. | APT blog | CISCO TALOS |
| 23.5.26 | Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise | | Cyber blog | Eset |
| 23.5.26 | Webworm: New burrowing techniques | ESET researchers describe new tools and techniques that the Webworm APT group recently added to its arsenal | Malware blog | Eset |
| 23.5.26 | The quest for greater tech independence | A complete decoupling from US technology is neither realistic nor necessary, but the changing environment does require nations and companies to reassess their relationships and dependencies | Cyber blog | Eset |
| 16.5.26 | Operating inside the lethal trifecta: Blast radius reduction in AI agent deployments | Seven things security teams can start doing today to reduce risk | AI blog | SOPHOS |
| 16.5.26 | May’s Patch Tuesday hauls out 132 CVEs | With advisories, this month’s count approaches 300 – though many are already in place | OS Blog | SOPHOS |
| 16.5.26 | Why AMOS matters: The macOS malware stealing data at scale | Sophos X-Ops looks at the Atomic macOS Stealer and its capabilities | Malware blog | SOPHOS |
| 16.5.26 | When Malware Authors Study Algebra: The Group Theory Inside Bedep's DGA | A closer look at how Bedep used foreign exchange data and advanced math to generate hard-to-predict domains, making its command-and-control infrastructure more difficult for defenders to block and disrupt | Malware blog | GENDIGITAL |
| 16.5.26 | Building a last-resort unpacker with AI | Exploring how AI can assist in unpacking protected binaries, recovering payloads from unsupported packers, while reducing repetitive analysis | AI blog | GENDIGITAL |
| 16.5.26 | Chasing an Angry Spark | A VM-obfuscated backdoor observed on a single machine in the UK, operated for one year, and vanished without a trace. | Malware blog | GENDIGITAL |
| 16.5.26 | Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign | Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service. | APT blog | SECURITY.COM |
| 16.5.26 | Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise | Microsoft Incident Response investigated an attack operated through legitimate and trusted administrative mechanisms to blend seamlessly into routine operations and remain undetected, demonstrating that intrusions increasingly avoid noisy exploits, obvious malware, or custom tooling and instead leverage systems that organizations already trust within their environments. | Security blog | Microsoft blog |
| 16.5.26 | Kazuar: Anatomy of a nation-state botnet | Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard, has been under constant development for years and continues to evolve in support of espionage-focused operations. | BotNet blog | Microsoft blog |
| 16.5.26 | Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft | Our research examines the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign. Across both cases, the actor abused trusted CI/CD and release workflows to steal credentials at scale. | Hacking blog | Trend Micro |
| 16.5.26 | Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America | TrendAI™ Research has identified two emerging threat campaigns—SHADOW-AETHER-040 and SHADOW-AETHER-064—that use agentic AI to drive intrusion operations against government and financial organizations in Latin America, marking these among the first cases we have observed of AI agents executing attacks from initial access to data exfiltration. | AI blog | Trend Micro |
| 16.5.26 | What Is the Instructure Canvas Breach? Impact, Risks, and What Institutions Should Do | The Instructure Canvas breach affects universities, K–12 school districts, and teaching hospitals globally. This blog entry intends to provide context and practical guidance. | Security blog | Trend Micro |
| 16.5.26 | The Ransomware Chimera That Does Everything | Malware typically falls into well-defined categories. Ransomware encrypts files and demands payment. Banking trojans steal credentials. Botnets await remote commands. However, some samples defy these conventional classifications by incorporating multiple threat vectors into a single executable. | Ransom blog | SonicWall |
| 16.5.26 | Adversary in the Middle Attacks - Abusing Trust via Weaponized PDFs | The SonicWall Capture Labs threat research team has identified an active Adversary-in-the-Middle (AiTM) phishing campaign that leverages PDF documents as the initial delivery vector. This is a technique that bypasses multi-factor authentication entirely by stealing authenticated session cookies, not just credentials. | Hacking blog | SonicWall |
| 16.5.26 | Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files | This article examines new obfuscation techniques the Gremlin stealer malware uses to conceal malicious payloads within embedded resources. We analyze a variant protected by a sophisticated commercial packing utility that employs instruction virtualization, transforming the original code into a custom, non-standard bytecode executed by a private virtual machine. | Malware blog | Palo Alto |
| 16.5.26 | Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools | Active Directory Certificate Services (AD CS) is a foundational component of Windows enterprise infrastructure, responsible for managing public key infrastructure (PKI) and issuing certificates that enable authentication and encryption across networks. | Hacking blog | Palo Alto |
| 16.5.26 | The State of Ransomware – Q1 2026 | Consolidation after peak fragmentation: The top 10 ransomware groups accounted for 71% of all Q1 2026 victims, a sharp reversal from the fragmentation seen in Q3 2025. The ransomware ecosystem is once again consolidating around fewer, more dominant operators. | Ransom blog | CHECKPOINT |
| 16.5.26 | Thus Spoke…The Gentlemen | On May 4th, 2026, The Gentlemen RaaS administrator acknowledged on underground forums that an internal backend database (Rocket) had been leaked. This leak exposed 9 accounts, including zeta88 (aka hastalamuerte), who runs the infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the administrator of the program. | Ransom blog | CHECKPOINT |
| 16.5.26 | Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities | Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. | Exploit blog | CISCO TALOS |
| 16.5.26 | The time of much patching is coming | In this week’s newsletter, Martin reflects on what the next iteration of AI tools means for vulnerability discovery and our ability to manage large-scale patch releases. | Security blog | CISCO TALOS |
| 16.5.26 | Breaking things to keep them safe with Philippe Laulheret | Philippe shares his unique journey from French engineering school to the front lines of cybersecurity, explaining how his lifelong love for solving puzzles helps him uncover critical security flaws before they can be exploited. | Cyber blog | CISCO TALOS |
| 16.5.26 | State-sponsored actors, better known as the friends you don’t want | Responding to a state-sponsored threat is nothing like responding to ransomware, and the differences can make or break the outcome. Learn why your IR plan might need revisiting, and the factors you should consider. | Ransom blog | CISCO TALOS |
| 16.5.26 | Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 16 that Microsoft marked as “critical”. | Vulnerability blog | CISCO TALOS |
| 16.5.26 | Unplug your way to better code | Cybersecurity concepts — logs, packets, DNS exfiltration, and more — are usually intangible, and its practitioners are prone to mental fatigue. Amy takes a second to yell at you to go touch grass. | Cyber blog | CISCO TALOS |
| 16.5.26 | Why geopolitical turmoil is a gift for scammers, and how to stay safe | Conflict is a boon for opportunistic fraudsters. Look out for their ploys. | Cyber blog | Eset |
| 16.5.26 | FrostyNeighbor: Fresh mischief and digital shenanigans | ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the group’s continual cyberespionage operations | APT blog | Eset |
| 16.5.26 | Eyes wide open: How to mitigate the security and privacy risks of smart glasses | Smart glasses allow anyone to track and record the world around them. That could put your data and the privacy of those nearby at risk. | Security blog | Eset |
| 16.5.26 | On the Effectiveness of Mutational Grammar Fuzzing | Mutational grammar fuzzing is a fuzzing technique in which the fuzzer uses a predefined grammar that describes the structure of the samples. When a sample gets mutated, the mutations happen in such a way that any resulting samples still adhere to the grammar rules, so the structure of the samples is maintained by the mutation process. | Vulnerability blog | Project Zero |
| 9.5.26 | Pull the Plug: FIRESTARTER Survives Patches, Reboots, and Your Incident Response Plan | You patched your Cisco ASA. You rebooted it. Your vulnerability scanner shows green. You closed the ticket. However, the backdoor is still there! | Vulnerability blog | Eclypsium |
| 9.5.26 | Zero Trust Target Level Compliance Device Pillar Challenges: Do The Hard Parts Now | The Department of War’s Zero Trust Target Level deadline may be September 30, 2027, but for agencies responsible for device security, the practical deadline comes much sooner. | Cyber blog | Eclypsium |
| 9.5.26 | Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam’s Military Telecom & Philippine Healthcare | Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoys: Technical Analysis: Campaign-1: Stage-1: Ho so.rar Campaign: 2 Stage-1: download.zip Stage-2: The LNK & Batch file (Common in 1 & 2 both) Stage-3: Analysis | Hacking blog | Seqrite |
| 9.5.26 | Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector Ahead of Moscow Summit | Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector Ahead of Moscow Summit Table of Content Introduction Key Targets Industries Affected Geographical focus Infection Chain Initial Findings Looking into the Decoy Documents Technical Analysis Stage 1 – Analysis of... | Hacking blog | Seqrite |
| 9.5.26 | Cyble Recognized in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies — and What Cyble Feels It Means for the Next Era of Threat Intel | A note from our CEO on the recognition, what we believe it signals about the category, and where we go from here. | Cyber blog | Cyble |
| 9.5.26 | Operation HumanitarianBait: An Infostealer Campaign in Disguise | Cyble analyzes Operation HumanitarianBait, a stealthy espionage campaign using aid-themed lures to deploy a fileless Python infostealer. | Hacking blog | Cyble |
| 9.5.26 | Third-Party Breaches Without Breaches: How Attackers Use Trusted Access to Bypass US Enterprise Defenses | A new supply chain attack exploits trusted access and browsers. Learn how attackers bypass defenses and how to prevent supply chain attack risks. | Hacking blog | Cyble |
| 9.5.26 | Cyble Named a Challenger in the 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence | Recognized for Completeness of Vision and Ability to Execute | Security blog | Cyble |
| 9.5.26 | Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise | Microsoft Defender Research observed a large-scale credential theft campaign that exemplifies this trend, using code of conduct-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker-controlled domains. | Phishing blog | Microsoft blog |
| 9.5.26 | Supporting the National Cyber Strategy: How TrendAI™ Helps | A deeper look at the first three pillars, outlining how our capabilities directly support government agencies working to bring this strategy to life. | AI blog | Trend Micro |
| 9.5.26 | InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise | Targeting multiple industries worldwide, the InstallFix campaign uses fake Claude AI installer pages to trick users into running malware that collects system information, disables security features, achieves persistence, and connects to attacker-controlled C&C servers for additional payloads. | Malware blog | Trend Micro |
| 9.5.26 | Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities | TrendAI™ Research breaks down Quasar Linux (QLNX), a previously undocumented sophisticated Linux RAT with low detection rates. In this blog, we examine a full-featured Linux threat incorporating a rootkit, a PAM backdoor, credential harvesting, and more, revealing how this malware enables stealthy access, persistence, and potential supply-chain attacks. | Malware blog | Trend Micro |
| 9.5.26 | Mesop AI Sandbox Unauthenticated Remote Code Execution | SonicWall Capture Labs threat research team became aware of the threat CVE-2026-33057, assessed its impact, and developed mitigation measures for this vulnerability. The flaw, also known as the Mesop AI Sandbox /exec-py Unauthenticated RCE, is a critical remote code execution vulnerability affecting Google-originated Mesop in PyPI versions up to and including 1.2.2. | AI blog | SonicWall |
| 9.5.26 | Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution | On May 6, 2026, Palo Alto Networks released a security advisory for CVE-2026-0300, identifying a buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software. Vulnerable systems allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. | Vulnerability blog | Palo Alto |
| 9.5.26 | Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years | On April 29, 2026, researchers publicly disclosed a highly reliable local privilege escalation (LPE) vulnerability tracked as CVE-2026-31431. This vulnerability is commonly referred to as Copy Fail. Discovered in about an hour through an AI-assisted process, this logic flaw allows an unprivileged local attacker to consistently escalate their access to root across virtually all major Linux distributions released since 2017. | Vulnerability blog | Palo Alto |
| 9.5.26 | Insights into the clustering and reuse of phone numbers in scam emails | Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails. | Spam blog | CISCO TALOS |
| 9.5.26 | Unplug your way to better code | Cybersecurity concepts — logs, packets, DNS exfiltration, and more — are usually intangible, and its practitioners are prone to mental fatigue. Amy takes a second to yell at you to go touch grass. | Security blog | CISCO TALOS |
| 9.5.26 | UAT-8302 and its box full of malware | Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. | APT blog | CISCO TALOS |
| 9.5.26 | CloudZ RAT potentially steals OTP messages using Pheno plugin | Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.” | Malware blog | CISCO TALOS |
| 9.5.26 | Fake call logs, real payments: How CallPhantom tricks Android users | ESET researchers uncovered fraudulent apps on Google Play that claim to provide the call history “for any number” and had been downloaded more than seven million times before being taken down | OS Blog | Eset |
| 9.5.26 | Fixing the password problem is as easy as 123456 | How come it’s still possible to ‘secure’ an online account with a six-digit string? | Security blog | Eset |
| 9.5.26 | A rigged game: ScarCruft compromises gaming platform in a supply-chain attack | ESET researchers have investigated an ongoing attack by the ScarCruft APT group that targets the Yanbian region via backdoor-laced Windows and Android games | APT blog | Eset |
| 2.5.26 | CISA’s Advisory On Botnets: Why Banning SOHO Routers Won’t Fix Critical Infrastructure Cyber Risk | CISA recently released a new cybersecurity advisory focused on defending against botnets built from compromised consumer and small-office/home-office (SOHO) routers. The advisory highlights how threat actors are actively exploiting vulnerable, internet-exposed devices to build large-scale proxy networks. | Vulnerability blog | Eclypsium |
| 2.5.26 | The Week in Vulnerabilities: GitHub Enterprise, Argo CD, Oracle Identity Manager, and Mozilla Security Flaws | Cyble weekly vulnerability report shows 1,095 vulnerabilities, PoCs, KEV additions, and active attacks across enterprise, cloud, and open-source. | Cyber blog | Cyble |
| 2.5.26 | How Cyble Blaze AI Turns Billions of Threat Signals into Actionable Intelligence | Cyble Blaze AI transforms fragmented threat data into real-time action using AI security analytics and automated cyber threat intelligence. | AI blog | Cyble |
| 2.5.26 | ANZ Organizations Are in the Ransomware Crosshairs — What the Dark Web Is Telling Us | Ransomware in ANZ is evolving into a scalable cybercrime model, with dark web intelligence revealing targeted attacks, data theft, and rising risks. | Ransom blog | Cyble |
| 2.5.26 | Why U.S. Critical Infrastructure Is the Highest-Value Target in the Global Cyber War | A critical infrastructure cyberattack is driving new risks as ransomware and nation-state threats target essential US systems in 2026. | ICS blog | Cyble |
| 2.5.26 | Email threat landscape: Q1 2026 trends and insights | In early 2026, email threats increased with a rise in credential phishing, QR code phishing, and CAPTCHA-gated campaigns, highlighted by Microsoft’s disruption of the Tycoon2FA phishing platform which led to a 15% volume decrease and shifts in threat actor tactics. | Spam blog | Microsoft blog |
| 2.5.26 | Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia | A China-aligned threat group is exploiting unpatched Microsoft Exchange vulnerabilities to conduct cyberespionage against government and critical infrastructure targets across Asia and beyond. | APT blog | Trend Micro |
| 2.5.26 | Kuse Web App Abused to Host Phishing Document | Bad actors took advantage of the legitimate name and services of Kuse, a popular AI-based app designed for workplaces. The attackers exploited the users’ trust in Kuse to carry out a phishing attack. | AI blog | Trend Micro |
| 2.5.26 | The npm Threat Landscape: Attack Surface and Mitigations | The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. | Hacking blog | Palo Alto |
| 2.5.26 | TGR-STA-1030: New Activity in Central and South America | TGR-STA-1030 remains an active threat. Since February, we have observed widespread activity from this group across multiple countries. Most recently, their efforts appear to be heavily focused on regions within Central and South America. | Hacking blog | Palo Alto |
| 2.5.26 | The npm Threat Landscape: Attack Surface and Mitigations | The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. | Attack blog | Palo Alto |
| 2.5.26 | VECT: Ransomware by design, Wiper by accident | Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform variants (Windows, Linux, ESXi), discards three of four decryption nonces for every file above 131,072 bytes (128 KB). | Ransom blog | CHECKPOINT |
| 2.5.26 | Five defender priorities from the Talos Year in Review | With attackers moving faster than ever, it’s easy to feel overwhelmed. This blog breaks down five practical priorities from the Cisco Talos 2025 Year in Review to help defenders focus and prioritize, amidst all the noise. | Cyber blog | CISCO TALOS |
| 2.5.26 | Great responsibility, without great power | In this week’s newsletter, Hazel uses International Superhero Day as a springboard to explore why empathy — rather than just technical prowess — is the most essential, underrated superpower for navigating the human side of cybersecurity. | Cyber blog | CISCO TALOS |
| 2.5.26 | AI-powered honeypots: Turning the tables on malicious AI agents | Just as AI brings time-saving advantages to our lives, it brings similar advantages to threat actors. We can take the advantage back. This blog shows how generative AI can be used to rapidly deploy adaptive honeypot systems. | AI blog | CISCO TALOS |
| 2.5.26 | It pays to be a forever student | In this newsletter, Joe discusses why understanding other disciplines can often flow back into the macro and micro of cybersecurity, especially in a world of AI. | AI blog | CISCO TALOS |
| 2.5.26 | UAT-4356's Targeting of Cisco Firepower Devices | Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices. | Hacking blog | CISCO TALOS |
| 2.5.26 | This month in security with Tony Anscombe – April 2026 edition | Warnings about helpdesk impersonation scams and Iran-linked hackers targeting critical sectors in the US, plus the most damaging scams of 2025 - here's some of what made the headlines this month | Cyber blog | Eset |