Hacking Blog
| DATE | NAME | Info | CATEG. | WEB |
| --- | --- | --- | --- | --- |
| 25.4.26 | Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite | Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration. | Hacking blog | GTI |
| 25.4.26 | Operation TrustTrap: Anatomy of a Large-Scale Deceptive Domain Spoofing Campaign | CRIL uncovered 16,800+ spoofed domains by analyzing URL trust abuse, cloud infra clustering, and human‑centric deception instead of technical exploits. | Hacking blog | Cyble |
| 25.4.26 | The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables | An OAuth supply chain compromise at Vercel exposed how trusted third party apps and platform environment variables can bypass traditional defenses and amplify blast radius. This article examines the attack chain, underlying design tradeoffs, and what it reveals about modern PaaS and software supply chain risk. | Hacking blog | Trend Micro |
| 25.4.26 | Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories | Our research on Void Dokkaebi’s operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply chain risk. | Hacking blog | Trend Micro |
| 25.4.26 | Ghost CMS Content API Blind SQL Injection | SonicWall Capture Labs threat research team became aware of the threat CVE-2026-26980, assessed its impact, and developed mitigation measures for this vulnerability. The flaw, also known as the Ghost CMS Content API slug Filter SQL Injection, is a critical unauthenticated SQL injection vulnerability affecting Ghost in versions 3.24.0 through 6.19.0. | Hacking blog | SonicWall |
| 25.4.26 | The npm Threat Landscape: Attack Surface and Mitigations | The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. | Hacking blog | Palo Alto |
| 25.4.26 | UAT-4356's Targeting of Cisco Firepower Devices | Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices. | Hacking blog | CISCO TALOS |
| 11.4.26 | Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees | Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor, tracked as Storm-2755, compromising Canadian employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. | Hacking blog | Microsoft blog |
| 11.4.26 | Mitigating the Axios npm supply chain compromise | On March 31, 2026, the popular HTTP client Axios experienced a supply chain attack: two newly published npm package versions downloaded from command-and-control (C2) infrastructure that Microsoft Threat Intelligence has attributed to the North Korean state actor Sapphire Sleet. | Hacking blog | Microsoft blog |
| 11.4.26 | Do not get high(jacked) off your own supply (chain) | In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. If we are all building on such a shaky foundation, what can we do to keep safe? | Hacking blog | CISCO TALOS |
| 4.4.26 | TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM | Moving beyond their LiteLLM campaign, TeamPCP weaponizes the Telnyx Python SDK with stealthy WAV‑based payloads to steal credentials across Linux, macOS, and Windows. | Hacking blog | Trend Micro |
| 4.4.26 | Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets | Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints. | Hacking blog | CHECKPOINT |
| 4.4.26 | UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications | Talos is disclosing a large-scale automated credential harvesting campaign carried out by a threat cluster we currently track as UAT-10608. The campaign is primarily leveraging a collection framework dubbed “NEXUS Listener.” | Hacking blog | CISCO TALOS |
| 4.4.26 | Qilin EDR killer infection chain | This blog provides an in-depth analysis of the malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems. | Hacking blog | CISCO TALOS |
| 4.4.26 | Do not get high(jacked) off your own supply (chain) | In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. If we are all building on such a shaky foundation, what can we do to keep safe? | Hacking blog | CISCO TALOS |
| 28.3.26 | Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries | We look into a stealthy multi‑stage attack campaign that delivers PureLog Stealer entirely in memory using encrypted, fileless techniques. | Hacking blog | Trend Micro |
| 21.3.26 | From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA | Not every cloud breach starts with malware or a zero-day. In this incident, attackers discovered an exposed Spring Boot Actuator endpoint, harvested credentials from leaked configuration data, then used the OAuth2 Resource Owner Password Credentials (ROPC) flow to authenticate without MFA. | Hacking blog | Trend Micro |
| 21.3.26 | Move fast and save things: A quick guide to recovering a hacked account | What you do – and how fast – after an account is compromised often matters more than it may seem | Hacking blog | Eset |
| 21.3.26 | EDR killers explained: Beyond the drivers | ESET researchers dive deeper into the EDR killer ecosystem, disclosing how attackers abuse vulnerable drivers | Hacking blog | Eset |
| 14.3.26 | | Threat actors leverage destructive malware to destroy data, eliminate evidence of malicious activity, or manipulate systems in a way that renders them inoperable. | Hacking blog | GTI |
| 14.3.26 | Insights: Increased Risk of Wiper Attacks | Unit 42 is tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple related incidents impacting organizations in Israel and the US. For the latest intelligence on cyberattacks associated with this conflict, review our Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran. | Hacking blog | Palo Alto |
| 14.3.26 | Spinning complex ideas into clear docs with Kri Dontje | The episode features Kri Dontje discussing her role in translating complex technical cybersecurity topics into clear, accessible documentation, emphasizing the importance of consistency, accuracy, and collaboration with subject matter experts. | Hacking blog | CISCO TALOS |
| 21.2.26 | Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities | We uncover how a campaign used Atlassian Jira Cloud to launch automated and targeted spam campaigns, exploiting trusted SaaS workflows to bypass security controls. | Hacking blog | Trend Micro |
| 21.2.26 | “Good enough” emulation: Fuzzing a single thread to uncover vulnerabilities | A Talos researcher used targeted emulation of the Socomec DIRIS M-70 gateway’s Modbus thread to uncover six patched vulnerabilities, showcasing efficient tools and methods for IoT security testing. | Hacking blog | CISCO TALOS |
| 14.2.26 | Dark Web Roast - January 2026 Edition | Welcome to January 2026's underground intelligence roundup, where criminal masterminds continue to demonstrate that the phrase "honour among thieves" remains the greatest oxymoron in cybercrime. | Hacking blog | Trellix |
| 7.2.2026 | Novel Technique to Detect Cloud Threat Actor Operations | Cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted malicious operations by known threat actors. The difficulty does not lie in an inability to identify complex alerting operations across thousands of cloud resources, nor in a failure to follow identity resources; the problem lies in accurately detecting the techniques of known persistent threat actor groups specifically within cloud environments. | Hacking blog | Palo Alto |
| 7.2.2026 | Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework | Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. | Hacking blog | CISCO TALOS |
| 7.2.2026 | The Crown Jewels of Active Directory: How Trellix Helix Detects NTDS.dit Theft | This blog from the Trellix Advanced Research Center examines a security incident where adversaries infiltrated a system, extracted the NTDS.dit database, and worked to remove it from the environment while circumventing standard security measures. | Hacking blog | Trellix |
| 1.2.26 | Beyond MFA: Building true resilience against identity-based attacks | As identity-driven attacks continue to rise, organizations must go beyond MFA to build resilience. Sophos experts and recent Gartner research agree: It’s time for an identity-first security strategy backed by continuous detection and response. For many organizations, keeping pace with identity threats feels overwhelming, especially as hybrid environments expand. But there’s a clear path forward. | Hacking blog | SOPHOS |
| 1.2.26 | Chrome Extensions: Are you getting more than you bargained for? | Browser extensions can be really useful, but hidden dangers may lurk beyond their marketing. | Hacking blog | SECURITY.COM |
| 24.1.26 | We X-Rayed A Suspicious FTDI USB Cable | We recently got an industrial X-Ray machine in the Eclypsium office, to use to make the next Doctor Manhattan and to do serious cybersecurity research. In between X-raying yet-to-be-released industrial IT technologies on behalf of giant companies whose names we cannot reveal, we have done some other fun experiments. | Hacking blog | Eclypsium |
| 17.1.26 | Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation | Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades—with cryptanalysis dating back to 1999—Mandiant consultants continue to identify its use in active environments. This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk. | Hacking blog | |
| 17.1.26 | Key Insights on SHADOW-AETHER-015 and Earth Preta from the 2025 MITRE ATT&CK Evaluation with TrendAI Vision One™ | This blog discusses notable modern TTPs observed from SHADOW-AETHER-015 and Earth Preta, from TrendAI™ Research monitoring and TrendAI Vision One™ intelligence. These findings support the performance of TrendAI™ in the 2025 MITRE ATT&CK Evaluations. | Hacking blog | |
| 17.1.26 | Anatomy of an Attack: The Payroll Pirates and the Power of Social Engineering | No employee wants their paycheck to go missing. One organization learned about an incident when they started hearing exactly this complaint. It turned out that an attacker had modified direct-deposit details in order to redirect an organization’s paychecks into attacker-controlled accounts. | Hacking blog | Palo Alto |
| 17.1.26 | Your personal information is on the dark web. What happens next? | If your data is on the dark web, it’s probably only a matter of time before it’s abused for fraud or account hijacking. Here’s what to do. | Hacking blog | Eset |
| 17.1.26 | Hiding in Plain Sight: Multi-Actor ahost.exe Attacks | The Trellix Advanced Research Center found an active malware campaign exploiting a DLL sideloading vulnerability in the legitimate Git tools to target supply chains. Stay protected—update EDR/XDR and monitor for suspicious activity. | Hacking blog | Trellix |
| 10.1.26 | The Ghost in the Machine: Unmasking CrazyHunter's Stealth Tactics | Trellix provides an in-depth analysis of CrazyHunter ransomware, which has emerged as a significant and concerning threat, and of its attack flow. | Hacking blog | Trellix |