| DATE | NAME | Info | CATEG. | WEB |
| 25.4.26 | Supply chain attacks hit Checkmarx and Bitwarden developer tools | Two supply chain attacks, same day, same command-and-control domain | Security blog | SOPHOS |
| 25.4.26 | Strengthening authentication with passkeys: A CISO playbook | Our passkey rollout took three tries. Here's a playbook to make your implementation smoother. | Security blog | SOPHOS |
| 25.4.26 | Sophos Firewall v22 MR1 is now available | Sophos Firewall v22 bolstered Secure by Design, taking it to a whole new level with major updates to the architecture and new features like the Health Check to help identify high-risk configurations. | Security blog | SOPHOS |
| 25.4.26 | Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite | Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration. | Hacking blog | GTI |
| 25.4.26 | Operation TrustTrap: Anatomy of a Large-Scale Deceptive Domain Spoofing Campaign | CRIL uncovered 16,800+ spoofed domains in a campaign built on URL trust abuse, clustered cloud infrastructure, and human-centric deception rather than technical exploits. | Hacking blog | Cyble |
| 25.4.26 | The Week in Vulnerabilities: SharePoint, Fortinet, OpenClaw, and GPL Odorizers | Cyble Research & Intelligence Labs (CRIL) tracked 1,675 vulnerabilities last week, reflecting continued high disclosure volume across enterprise software, cloud services, and emerging AI ecosystems. | Cyber blog | Cyble |
| 25.4.26 | Why AI Cybersecurity Is No Longer Optional for Australian Organizations: Moving from Reactive to Predictive Defense | AI cybersecurity is crucial for Australian businesses as they face rising cyber threats. Predictive solutions help detect, prevent, and respond to attacks in real-time. | AI blog | Cyble |
| 25.4.26 | Why Indian Enterprises Are a Prime Target for Dark Web Credential Markets | Dark web credential markets in India are fueling enterprise data breaches, corporate leaks, and escalating cybersecurity threats across Indian organizations. | Cyber blog | Cyble |
| 25.4.26 | Threat Landscape March 2026: Ransomware Dominance, Access Brokers, Data Leaks, and Critical Exploitation Trends | March 2026 threat landscape saw 702 ransomware attacks, rising data breaches, active access brokers, and critical vulnerability exploitation across industries globally. | Cyber blog | Cyble |
| 25.4.26 | When Malware Authors Study Algebra: The Group Theory Inside Bedep's DGA | A closer look at how Bedep used foreign exchange data and advanced math to generate hard-to-predict domains, making its command-and-control infrastructure more difficult for defenders to block and disrupt | Malware blog | GENDIGITAL |
| 25.4.26 | Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft | While many ransomware groups rely on off-the-shelf utilities such as Rclone or MegaSync to steal victim data, recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process. | Incident blog | SECURITY.COM |
| 25.4.26 | Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor | The Harvester APT group has developed a new, highly-evasive, Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses. | APT blog | SECURITY.COM |
| 25.4.26 | The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables | An OAuth supply chain compromise at Vercel exposed how trusted third party apps and platform environment variables can bypass traditional defenses and amplify blast radius. This article examines the attack chain, underlying design tradeoffs, and what it reveals about modern PaaS and software supply chain risk. | Hacking blog | Trend Micro |
| 25.4.26 | Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories | Our research on Void Dokkaebi’s operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply chain risk. | Hacking blog | Trend Micro |
| 25.4.26 | Ghost CMS Content API Blind SQL Injection | SonicWall Capture Labs threat research team became aware of the threat CVE-2026-26980, assessed its impact, and developed mitigation measures for this vulnerability. The flaw, also known as the Ghost CMS Content API slug Filter SQL Injection, is a critical unauthenticated SQL injection vulnerability affecting Ghost in versions 3.24.0 through 6.19.0. | Hacking blog | SonicWall |
| 25.4.26 | The npm Threat Landscape: Attack Surface and Mitigations | The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. | Hacking blog | Palo Alto |
| 25.4.26 | Frontier AI and the Future of Defense: Your Top Questions Answered | Over the last several weeks, Palo Alto Networks and Unit 42 have been talking with CISOs and security leaders globally to discuss the emergence of frontier AI models and their broader implications on cybersecurity. | AI blog | Palo Alto |
| 25.4.26 | TGR-STA-1030: New Activity in Central and South America | TGR-STA-1030 remains an active threat. Since February, we have observed widespread activity from this group across multiple countries. Most recently, their efforts appear to be heavily focused on regions within Central and South America. | Cyber blog | Palo Alto |
| 25.4.26 | DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy | The Gentlemen ransomware‑as‑a‑service (RaaS) program is rapidly gaining popularity, attracting numerous affiliates and publicly claiming over 320 victims, with the majority of attacks (240) occurring in the first months of 2026. | Ransom blog | CHECKPOINT |
| 25.4.26 | IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist | Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing has not been the top initial access vector since Q2 2025. | Cyber blog | CISCO TALOS |
| 25.4.26 | It pays to be a forever student | In this newsletter, Joe discusses why understanding other disciplines can often flow back into the macro and micro of cybersecurity, especially in a world of AI. | AI blog | CISCO TALOS |
| 25.4.26 | UAT-4356's Targeting of Cisco Firepower Devices | Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices. | Hacking blog | CISCO TALOS |
| 25.4.26 | Bad Apples: Weaponizing native macOS primitives for movement and execution | Cisco Talos documents several macOS living-off-the-land (LOTL) techniques, demonstrating that native pathways for movement and execution remain accessible to those who understand the underlying architecture. | OS Blog | CISCO TALOS |
| 25.4.26 | [Podcast] It's not you, it's your printer: State-sponsored and phishing threats in 2025 | In this episode of Talos Takes, Amy and Martin Lee unpack state-sponsored and phishing trends from the 2025 Talos Year in Review. | Cyber blog | CISCO TALOS |
| 25.4.26 | Phishing and MFA exploitation: Targeting the keys to the kingdom | In 2025, attackers increasingly targeted weaknesses in multi-factor authentication (MFA) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations. | Phishing blog | CISCO TALOS |
| 25.4.26 | The calm before the ransom: What you see is not all there is | A breach claims the systems as well as the confidence that was, in retrospect, a major vulnerability | Vulnerability blog | Eset |
| 25.4.26 | GopherWhisper: A burrow full of malware | ESET Research has discovered a new China-aligned APT group that we’ve named GopherWhisper, which targets Mongolian governmental institutions | Malware blog | Eset |
| 25.4.26 | New NGate variant hides in a trojanized NFC payment app | ESET researchers discover another iteration of NGate malware, this time possibly developed with the assistance of AI | AI blog | Eset |
| 25.4.26 | What the ransom note won’t say | An attack is what you see, but a business operation is what you’re up against | Ransom blog | Eset |
| 25.4.26 | PureRAT: A Multi-Stage, Fileless RAT Utilizing Image Steganography and Process Hollowing | PureRAT is an advanced Remote Access Trojan (RAT) characterized by its complex infection stages. The intrusion sequence is initiated by a malicious .LNK file that triggers a concealed PowerShell command to retrieve a heavily obfuscated VBS loader. | Malware blog | Trellix |
| 18.4.26 | QEMU abused to evade detection and enable ransomware delivery | The use of hidden virtual machines (VMs) enables long-term access, credential harvesting, data exfiltration, and PayoutsKing ransomware deployment | Ransom blog | SOPHOS |
| 18.4.26 | | Advances in AI model-powered exploitation have demonstrated that general-purpose AI models can excel at vulnerability discovery, even without being purpose-built for the task. Eventually, capabilities such as these will be integrated directly into the development cycle, and code will be more difficult to exploit than ever; however, this transition creates a critical window of risk. As we harden existing software with AI, threat actors will use it to discover and exploit novel vulnerabilities. | AI blog | GTI |
| 18.4.26 | | Germany has reclaimed its position as a primary focus for cyber extortion in Europe. While data leak site (DLS) posts rose almost 50% globally in 2025, Google Threat Intelligence (GTI) data shows that the surge is hitting German infrastructure harder and faster than its regional neighbors, marking a significant return to the high-pressure levels previously observed in the country during 2022 and 2023. | BigBrother blog | GTI |
| 18.4.26 | Four Nationally Significant Cyberattacks Every Week — Is the UK Ready? | UK cyberattacks are rising sharply, with NCSC reporting record incidents, growing infrastructure risk, and urgent calls for stronger cyber resilience. | Cyber blog | Cyble |
| 18.4.26 | The Week in Vulnerabilities: Azure AI, Spring AI, Fortinet, and Critical ICS Exposure | Cyble’s weekly vulnerability report tracked 1,431 vulnerabilities and 6 ICS flaws last week. | Vulnerability blog | Cyble |
| 18.4.26 | How Cyble Blaze AI Delivers 360° Threat Visibility Across Dark Web and Enterprise Systems | Cyble Blaze AI transforms cybersecurity by unifying data, predicting threats, and automating response across enterprise and dark web intelligence. | AI blog | Cyble |
| 18.4.26 | MiningDropper – A Global Modular Android Malware Campaign Operating at Scale | CRIL analyzes a surge in an ongoing campaign delivering MiningDropper, a modular Android malware framework, at scale. | Malware blog | Cyble |
| 18.4.26 | Black Hat Asia 2026 Is Coming to Singapore — Here’s What the Threat Landscape Looks Like Ahead of It | Black Hat Asia 2026 explores ransomware growth, AI-driven cyber threats, and supply chain risks reshaping global cybersecurity and digital resilience. | Ransom blog | Cyble |
| 18.4.26 | Building a last-resort unpacker with AI | Exploring how AI can assist in unpacking protected binaries, recovering payloads from unsupported packers, while reducing repetitive analysis | AI blog | GENDIGITAL |
| 18.4.26 | Chasing an Angry Spark | A VM-obfuscated backdoor observed on a single machine in the UK, operated for one year, and vanished without a trace. | Malware blog | GENDIGITAL |
| 18.4.26 | Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise | The Microsoft Defender Security Research Team uncovered a sophisticated macOS intrusion campaign attributed to the North Korean threat actor Sapphire Sleet that abuses user-driven execution and social engineering to bypass macOS security protections and steal credentials, cryptocurrency assets, and sensitive data. | Malware blog | Microsoft blog |
| 18.4.26 | Identity Protection in the AI Era | Enterprises aiming to predict and mitigate human, machine, and AI‑agent risks at scale demand AI‑powered identity‑first security without compromise. | AI blog | Trend Micro |
| 18.4.26 | ACRStealer: The Silent Golang Threat Behind Credential and Wallet Theft | This week the SonicWall Capture Labs Threat Research Team analyzed a sample of ACRStealer, a Golang Malware-as-a-Service used by ShieldIO. It uses a binary to sideload a malicious DLL and evade AV products, harvests credentials from browsers and FTP programs, and targets a number of crypto-wallets. It is highly evasive and uses a variety of techniques to prevent analysis. | Malware blog | SonicWall |
| 18.4.26 | Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) | As of April 17, 2026, Iran has begun restoring limited access to the internet after disconnecting from it for the past 47 days. Iran is limiting domestic access to only websites and applications mirrored on its National Information Network. | Cyber blog | Palo Alto |
| 18.4.26 | A Deep Dive Into Attempted Exploitation of CVE-2023-33538 | We identified active, automated scans and probes attempting to exploit CVE-2023-33538, a vulnerability in several end-of-life TP-Link Wi-Fi router models: | Vulnerability blog | Palo Alto |
| 18.4.26 | Cracks in the Bedrock: Agent God Mode | Our first article about the boundaries and resilience of Amazon Bedrock AgentCore focused on the Code Interpreter sandbox, and how it can be bypassed using DNS tunneling. In this second part, we delve into the identity and permissions model of AgentCore and the AgentCore starter toolkit. | Malware blog | Palo Alto |
| 18.4.26 | The n8n n8mare: How threat actors are misusing AI workflow automation | Cisco Talos research has uncovered agentic AI workflow automation platform abuse in emails. Recently, we identified an increase in the number of emails that abuse n8n, one of these platforms, from as early as October 2025 through March 2026. | Phishing blog | CISCO TALOS |
| 18.4.26 | The Q1 vulnerability pulse | Thor provides an overview of the Q1 2026 vulnerability statistics, highlighting key trends in legacy CVEs and the evolving impact of AI on the threat landscape. | Vulnerability blog | CISCO TALOS |
| 18.4.26 | PowMix botnet targets Czech workforce | Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.” | BotNet blog | CISCO TALOS |
| 18.4.26 | State-sponsored threats: Different objectives, similar access paths | A look at 2025 state-sponsored threats, exploring how actors linked to China, Russia, North Korea, and Iran use vulnerabilities, identity, and trusted access paths to achieve their goals. | APT blog | CISCO TALOS |
| 18.4.26 | Foxit, LibRaw vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one Foxit Reader vulnerability, and six LibRaw file reader vulnerabilities. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s thir | Vulnerability blog | CISCO TALOS |
| 18.4.26 | More than pretty pictures: Wendy Bishop on visual storytelling in tech | Wendy shares the unique challenges and rewards of bridging the gap between artistic expression and highly technical research. | Security blog | CISCO TALOS |
| 18.4.26 | Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities | Overview of the Patch Tuesday release from Microsoft for April 2026. | OS Blog | CISCO TALOS |
| 18.4.26 | That data breach alert might be a trap | Ignoring a real breach notification invites risk, but falling for a bogus one could be even worse. Stop reacting on autopilot | Incident blog | Eset |
| 18.4.26 | Supply chain dependencies: Have you checked your blind spot? | Your biggest risk may be a vendor you trust. How can SMBs map their third-party blind spots and build operational resilience? | Cyber blog | Eset |
| 18.4.26 | DCSync Detection Without Signatures: Trellix NDR and the Power of Technique-Based Defense | This blog explores how Trellix Network Detection and Response (NDR) moves beyond static signatures to detect DCSync attempts by focusing on the underlying behavioral patterns of the attack technique itself. | Malware blog | Trellix |
| 11.4.26 | Adobe Reader zero-day vulnerability in active exploitation | On April 7, 2026, a security researcher described an Adobe Reader zero-day vulnerability that has been exploited since at least December 2025. The vulnerability allows threat actors to execute privileged Acrobat APIs via specially crafted malicious PDF files that execute obfuscated JavaScript when opened. Exploitation allows attackers to steal sensitive user and system data and to potentially launch additional attacks and remotely execute code. | Exploit blog | SOPHOS |
| 11.4.26 | We let OpenClaw loose on an internal network. Here’s what it found | “Even the most ‘risk-on’ organizations with deep AI and security experience, will likely find it challenging to configure OpenClaw in a way that effectively mitigates the risk of compromise or data loss, while still retaining any productivity value.” | AI blog | SOPHOS |
| 11.4.26 | Axios npm package compromised to deploy malware | On March 30, 2026, a supply chain security attack targeted Axios, a widely used JavaScript HTTP client for web and Node.js applications. Third-party researchers identified that Axios versions 1.14.1 and 0.30.4 published to the npm registry were compromised following the apparent takeover of a legitimate maintainer account. An attacker published unauthorized package updates that appeared legitimate. | Incident blog | SOPHOS |
| 11.4.26 | FCC Bans Routers Made Outside USA. But What IS a Router? | The FCC recently announced a ban on the sale of consumer-grade internet routers manufactured outside the United States. More specifically, the FCC received a National Security Determination that caused them to update their “Covered List,” to include all foreign-made consumer-grade routers. | BigBrother blog | Eclypsium |
| 11.4.26 | Eclypsium Detects F5 BIG-IP Remote Code Execution Vulnerability (CVE-2025-53521) | A vulnerability in F5 BIG-IP systems that allows unauthenticated remote code execution by attackers has been added to the CISA Known Exploited Vulnerabilities catalog. CVE-2025-53521 was disclosed on October 15, 2025, but only added to the KEV on March 27, 2026. The vulnerability was originally given a severity score of 7.5, but was adjusted upward to 9.8 when new information emerged in March. | Vulnerability blog | Eclypsium |
| 11.4.26 | When Geopolitical Conflict Spills into Cyberspace — How US Organizations Should Respond | The 2026 Iran-US-Israel escalation shows how cyber warfare is reshaping conflict, with cyberattacks merging with kinetic operations and AI. | AI blog | Cyble |
| 11.4.26 | The Week in Vulnerabilities: OpenClaw, FreeBSD, F5 BIG-IP, and Critical ICS Bugs | Vulnerabilities in OpenClaw, FreeBSD, F5 BIG-IP, and industrial control systems show risks growing across enterprise and critical infrastructure environments. | Vulnerability blog | Cyble |
| 11.4.26 | Dual-Brain Architecture: The Cybersecurity AI Innovation That Changes Everything | Agentic AI architecture enables dual-brain cybersecurity with predictive intelligence, autonomous response, and faster, smarter threat defense. | AI blog | Cyble |
| 11.4.26 | UK Businesses Are Being Targeted Through Their Middle East Supply Chains — What to Do Now | Middle East supply chain risk is exposing UK businesses to indirect cyber threats through vendors, dependencies, and geopolitical tensions. | BigBrother blog | Cyble |
| 11.4.26 | Remus: Unmasking The 64-bit Variant of the Infamous Lumma Stealer | When the security industry talks about information stealers, Lumma Stealer, without a doubt, has become the notorious icon of this landscape. Not only could it count itself among the most sophisticated, technically advanced, and widespread stealers-as-a-service in the world, but it was also described in a variety of blog posts from basically everyone in the industry, including us. | Malware blog | GENDIGITAL |
| 11.4.26 | Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees | Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor, tracked as Storm-2755, compromising Canadian employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. | Hacking blog | Microsoft blog |
| 11.4.26 | SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks | Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their settings in ways that turn them into part of the actor’s malicious infrastructure. | BigBrother blog | Microsoft blog |
| 11.4.26 | Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations | The financially motivated cybercriminal threat actor Storm-1175 operates high-velocity ransomware campaigns that weaponize recently disclosed vulnerabilities to obtain initial access, exfiltrate data, and deploy Medusa ransomware. | Ransom blog | Microsoft blog |
| 11.4.26 | Mitigating the Axios npm supply chain compromise | On March 31, 2026, the popular HTTP client Axios experienced a supply chain attack, causing two newly published npm packages for version updates to download from command and control (C2) that Microsoft Threat Intelligence has attributed to the North Korean state actor Sapphire Sleet. | Hacking blog | Microsoft blog |
| 11.4.26 | TrendAI Insight: New U.S. National Cyber Strategy | TrendAI reviews the White House National Cyber Strategy, outlining six pillars to strengthen U.S. cybersecurity—from deterrence and regulation to federal modernization, critical infrastructure protection, AI leadership, and workforce development. | AI blog | Trend Micro |
| 11.4.26 | Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do | Threat actors leveraged Anthropic’s Claude Code npm release packaging error to distribute Vidar, GhostSocks, and PureLog Stealer. This blog details immediate steps organizations can take and best practices to prevent further risk. | Malware blog | Trend Micro |
| 11.4.26 | U.S. Public Sector Under Siege: Threat Intelligence for Q1 2026 | The first quarter of 2026 has reinforced a hard truth: U.S. government agencies and educational institutions are operating in the most hostile cyber threat environment ever recorded. | BigBrother blog | Trend Micro |
| 11.4.26 | n8n Expression Sandbox Bypass RCE | n8n AI Workflow Automation Expression Sandbox Bypass to Remote Code Execution Vulnerability (CVE-2026-1470) | ICS blog | SonicWall |
| 11.4.26 | Unpacking the Nursultan Client PyInstaller Telegram Malware | The SonicWall Capture Labs threat research team identified a PyInstaller-packed Windows executable distributed as "NursultanClient" — a full-featured Telegram RAT targeting Windows systems. | Malware blog | SonicWall |
| 11.4.26 | GPT Academic Pickle Deserialization Remote Code Execution | GPT Academic Pickle Deserialization Remote Code Execution (CVE-2026-0763) | AI blog | SonicWall |
| 11.4.26 | Double Agents: Exposing Security Blind Spots in GCP Vertex AI | Artificial intelligence (AI) agents are quickly advancing into powerful autonomous systems that can perform complex tasks. These agents can be integrated into enterprise workflows, interact with various services and make decisions with a degree of independence. Google Cloud Platform’s Vertex AI, with its Agent Engine and Application Development Kit (ADK), provides a comprehensive platform for developers to build and deploy these sophisticated agents. | AI blog | Palo Alto |
| 11.4.26 | When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications | Multi-agent AI systems extend beyond single-agent architectures by enabling groups of specialized agents to collaborate on complex tasks. This approach improves functionality and scalability, but it also expands the attack surface, introducing new pathways for exploitation through inter-agent communication and orchestration. | AI blog | Palo Alto |
| 11.4.26 | Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets | Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints. | Cyber blog | CHECKPOINT |
| 11.4.26 | From the field to the report and back again: How incident responders can use the Year in Review | The Year in Review distills Talos IR's observations into structured intelligence, but defenders should also be feeding this report back into their own preparation cycles. Here's how. | Incident blog | CISCO TALOS |
| 11.4.26 | New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations | Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.” | Malware blog | CISCO TALOS |
| 11.4.26 | The Trojan horse of cybercrime: Weaponizing SaaS notification pipelines | Cisco Talos has recently observed an increase in activity that is leveraging notification pipelines in popular collaboration platforms to deliver spam and phishing emails. | Phishing blog | CISCO TALOS |
| 11.4.26 | Year in Review: Vulnerabilities old and new and something React2 | The year was characterized by an unending beat-down on infrastructure that relied on older enmeshed dependencies (e.g., Log4j and PHPUnit), while React2Shell rocketed to the highest percentage of attacks for the entire year within the last three weeks of 2025. | Vulnerability blog | CISCO TALOS |
| 11.4.26 | [Video] The TTP Ep. 22: The Collapse of the Patch Window | In this episode of The Talos Threat Perspective, we discuss how vulnerability exploitation is accelerating, and why attacker speed, AI, and exposed systems are affecting the patch window. | Cyber blog | CISCO TALOS |
| 11.4.26 | The threat hunter’s gambit | Bill discusses why obsessing over strategy games is actually a secret weapon to outsmart threat actors. | Cyber blog | CISCO TALOS |
| 11.4.26 | Talos Takes: 2025's ransomware trends and zombie vulnerabilities | In this episode of Talos Takes, Amy and Pierre Cadieux unpack the ransomware and vulnerability trends that defined 2025. | Cyber blog | CISCO TALOS |
| 11.4.26 | Do not get high(jacked) off your own supply (chain) | In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. If we are all building on such shaky foundation, what can we do to keep safe? | Hacking blog | CISCO TALOS |
| 11.4.26 | Axios NPM supply chain incident | Overview of the recent Axios NPM supply chain incident including details of the payloads delivered from actor-controlled infrastructure. | Incident blog | CISCO TALOS |
| 11.4.26 | Recovery scammers hit you when you’re down: Here’s how to avoid a second strike | If you’ve been the victim of fraud, you’re likely already a lead on a ‘sucker list’ – and if you’re not careful, your ordeal may be about to get worse. | Spam blog | Eset |
| 11.4.26 | As breakout time accelerates, prevention-first cybersecurity takes center stage | Threat actors are using AI to supercharge tried-and-tested TTPs. When attacks move this fast, cyber-defenders need to rethink their own strategy. | AI blog | Eset |
| 11.4.26 | Masjesu Rising: The Commercial IoT Botnet Built for Stealth, DDoS, and IoT Evasion | Masjesu Botnet: Deep dive into the commercially-run IoT threat, its stealth, multi-XOR evasion, and expanded architecture targets. | BotNet blog | Trellix |
| 4.4.26 | | Building on recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. To help organizations stay ahead of these risks, we will focus on the essential hardening strategies and mitigating controls necessary to secure these critical assets. | Malware blog | GTI |
| 4.4.26 | | Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. | APT blog | GTI |
| 4.4.26 | Eclypsium Detects F5 BIG-IP Remote Code Execution Vulnerability (CVE-2025-53521) | A vulnerability in F5 BIG-IP systems that allows unauthenticated remote code execution by attackers has been added to the CISA Known Exploited Vulnerabilities catalog. CVE-2025-53521 was disclosed on October 15, 2025, but only added to the KEV on March 27, 2026. | Vulnerability blog | Eclypsium |
| 4.4.26 | Operation DualScript – A Multi-Stage PowerShell Malware Campaign Targeting Cryptocurrency and Financial Activity | During our investigation, we identified a multi-stage malware infection leveraging Scheduled Task persistence, VBScript launchers, and PowerShell-based execution. The attack operates through two parallel chains:... | Cyber blog | Seqrite |
| 4.4.26 | The Week in Vulnerabilities: AI Frameworks, VMware, and Critical ICS Exposure | Critical vulnerabilities in AI frameworks, VMware environments, EV charging platforms, and ICS systems show growing risks across enterprise and industrial ecosystems. | Cyber blog | Cyble |
| 4.4.26 | How Cyble Blaze AI Predicts Cyber Threats 6 Months in Advance Using Agentic Intelligence | Predictive Cybersecurity with Cyble Blaze AI uses agentic AI to forecast threats months ahead and automate faster, smarter responses. | AI blog | Cyble |
| 4.4.26 | Professional Networks Under Attack: Vietnam-Linked Actors Deploy PXA Stealer in Global Infostealer Campaign | Cyble dissects a LinkedIn job‑lure campaign, exposing its multi‑stage PXA Stealer tactic that hijacks accounts and steals sensitive data. | APT blog | Cyble |
| 4.4.26 | Hybrid Warfare 2026: When Cyber Operations and Kinetic Attacks Converge | In 2026, hybrid warfare blends cyberattacks and physical strikes, disrupting infrastructure and shaping global security dynamics. | Cyber blog | Cyble |
| 4.4.26 | Mitigating the Axios npm supply chain compromise | On March 31, 2026, the popular HTTP client Axios experienced a supply chain attack, causing two newly published npm package versions to download from command and control (C2) infrastructure that Microsoft Threat Intelligence has attributed to the North Korean state actor Sapphire Sleet. | Incident blog | Microsoft blog |
| 4.4.26 | TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM | Moving beyond their LiteLLM campaign, TeamPCP weaponizes the Telnyx Python SDK with stealthy WAV‑based payloads to steal credentials across Linux, macOS, and Windows. | Hacking blog | Trend Micro |
| 4.4.26 | Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads | A supply chain attack hit Axios when attackers used stolen npm credentials to publish malicious versions containing a phantom dependency. This triggered a cross-platform RAT during installation and replaced its files with clean decoys, making detection challenging. | Incident blog | Trend Micro |
| 4.4.26 | Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads | A packaging error in Anthropic’s Claude Code npm release briefly exposed internal source code. This entry examines how threat actors rapidly weaponized the resulting attention, pivoting an existing AI-themed campaign to spread Vidar and GhostSocks. | AI blog | Trend Micro |
| 4.4.26 | Three Decades for a 3-Line Fix: The Critical telnetd Bug Hiding in Plain Sight (CVE-2026-32746) | The SonicWall Capture Labs threat research team became aware of an out-of-bounds write vulnerability in the Telnet server shipped with GNU Inetutils, assessed its impact and developed mitigation measures. Telnetd hardly needs an introduction. It is one of the oldest and most widely distributed network utilities on Linux systems. | Vulnerebility blog | SonicWall |
| 4.4.26 | GPT Academic Pickle Deserialization Remote Code Execution | SonicWall Capture Labs threat research team became aware of the threat CVE-2026-0763, assessed its impact, and developed mitigation measures for this vulnerability. The flaw, also tracked as ZDI-26-029, is a critical unauthenticated remote code execution vulnerability affecting GPT Academic in versions 3.91 and earlier. | AI blog | SonicWall |
| 4.4.26 | Double Agents: Exposing Security Blind Spots in GCP Vertex AI | Artificial intelligence (AI) agents are quickly advancing into powerful autonomous systems that can perform complex tasks. These agents can be integrated into enterprise workflows, interact with various services and make decisions with a degree of independence. Google Cloud Platform’s Vertex AI, with its Agent Engine and Application Development Kit (ADK), provides a comprehensive platform for developers to build and deploy these sophisticated agents. | AI blog | Palo Alto |
| 4.4.26 | ChatGPT Data Leakage via a Hidden Outbound Channel in the Code Execution Runtime | Sensitive data shared with ChatGPT conversations could be silently exfiltrated without the user’s knowledge or approval. | AI blog | CHECKPOINT |
| 4.4.26 | Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets | Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints. | Hacking blog | CHECKPOINT |
| 4.4.26 | UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications | Talos is disclosing a large-scale automated credential harvesting campaign carried out by a threat cluster we currently track as UAT-10608. The campaign is primarily leveraging a collection framework dubbed “NEXUS Listener.” | Hacking blog | CISCO TALOS |
| 4.4.26 | Qilin EDR killer infection chain | This blog provides an in-depth analysis of the malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems. | Hacking blog | CISCO TALOS |
| 4.4.26 | Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders | A conversation between Cisco Talos and Cisco Security leaders on the 2025 threat landscape, from identity attacks and legacy vulnerabilities to AI-driven threats, and what defenders should prioritize now. | Cyber blog | CISCO TALOS |
| 4.4.26 | An overview of ransomware threats in Japan in 2025 and early detection insights from Qilin cases | There were 134 ransomware incidents reported in Japan in 2025, representing a 17.5% year-over-year increase from 2024. | Ransom blog | CISCO TALOS |
| 4.4.26 | Do not get high(jacked) off your own supply (chain) | In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. If we are all building on such shaky foundation, what can we do to keep safe? | Hacking blog | CISCO TALOS |
| 4.4.26 | Axios NPM supply chain incident | Overview of the recent Axios NPM supply chain incident including details of the payloads delivered from actor-controlled infrastructure. | Incident blog | CISCO TALOS |
| 4.4.26 | The democratisation of business email compromise fraud | This week, Martin tells the story of a crime he encountered and how it shows that the threat landscape is changing. | BigBrother blog | CISCO TALOS |
| 4.4.26 | [Video] The TTP Ep 21: When Attackers Become Trusted Users | An episode of the Talos Threat Perspective on the 2025 Year in Review trends. We explore how identity is being used to gain, extend, and maintain access inside environments. | Cyber blog | CISCO TALOS |
| 4.4.26 | Ransomware in 2025: Blending in is the strategy | A summary of the top ransomware trends from the Talos 2025 Year in Review, with a focus on identity, attacker tactics, and practical defenses. | Ransom blog | CISCO TALOS |
| 4.4.26 | Digital assets after death: Managing risks to your loved one’s digital estate | Fraudsters often target the accounts of the deceased or their grieving relatives. Here’s how to keep the scammers at bay. | Spam blog | Eset |
| 4.4.26 | This month in security with Tony Anscombe – March 2026 edition | The past four weeks have seen a slew of new cybersecurity wake-up calls that showed why every organization needs a well-thought-out cyber-resilience plan. | Cyber blog | Eset |