ALERTS 2026
| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
|---|---|---|---|---|
| 14.5.26 | CVE-2026-40466 - Remote Code Execution vulnerability in Apache ActiveMQ | CVE-2026-40466 is a recently disclosed high severity (CVSS score 8.8) Remote Code Execution vulnerability affecting Apache ActiveMQ, a popular open-source, Java-based message broker. If successfully exploited, the flaw might allow an authenticated attacker to add a connector using an HTTP Discovery transport through Jolokia, leading to arbitrary code execution. | ALERTS | VULNERABILITY |
| 14.5.26 | CVE-2026-39987 - Marimo RCE Vulnerability | CVE-2026-39987 is a recently disclosed critical (CVSS score 9.3) pre-authentication Remote Code Execution (RCE) vulnerability affecting Marimo, an open-source reactive Python notebook platform. If successfully exploited, the flaw might allow unauthenticated attackers to obtain a full interactive shell on any exposed Marimo instance through a single WebSocket connection. | ALERTS | VULNERABILITY |
| 14.5.26 | Southeast Asia Campaign Uses Legal and Whistleblower-Themed Lures to Deliver RAT | Researchers at Seqrite Labs recently reported a campaign, dubbed Operation GriefLure, in which threat actors targeted a military-linked telecom organization in Vietnam and a medical center in the Philippines. The attacks use highly credible legal and whistleblower-themed lures, delivered through compressed archives containing decoy PDFs and malicious LNK files that kick off an attack chain leading to a remote access Trojan. | CAMPAIGN | |
| 14.5.26 | Fake ScreenConnect Update Leads to CloudZ RAT | Cisco Talos reported an intrusion active since at least January 2026 involving CloudZ RAT and a previously undocumented plugin called Pheno. The activity appears focused on credential theft and possible interception of SMS-based one-time passwords by abusing Microsoft Phone Link on compromised Windows systems. | ALERTS | VIRUS |
| 14.5.26 | TCLBanker malware distributed in latest campaigns | Elastic Security Labs has discovered TCLBanker, an advanced Brazilian banking trojan believed to be a significant evolution of the Maverick/Sorvepotel malware families. The threat is distributed via ZIP files containing malicious MSI installers that exploit a legitimate, signed Logitech application through DLL side-loading techniques. | ALERTS | VIRUS |
| 14.5.26 | CVE-2026-33032 - Nginxui Nginx UI Auth Bypass Vulnerability | CVE-2026-33032 is a recently disclosed critical (CVSS score 9.8) authentication bypass vulnerability affecting Nginx UI, an open-source web interface used to centrally manage Nginx configurations and SSL certificates. | ALERTS | VULNERABILITY |
| 14.5.26 | CVE-2026-3296 - Everest Forms WordPress Plugin RCE vulnerability | CVE-2026-3296 is a recently disclosed critical (CVSS score 9.8) PHP Object Injection vulnerability affecting the Everest Forms WordPress plugin. If successfully exploited, the flaw might allow unauthenticated attackers to inject malicious serialized PHP objects through any public form field, leading to remote code execution on vulnerable instances. The vulnerability has been patched in version 3.4.4 of the plugin. | VULNERABILITY | |
| 14.5.26 | PCPJack - a new sophisticated credential-harvesting framework | SentinelLABS has uncovered "PCPJack," a sophisticated credential-harvesting framework designed to autonomously propagate across vulnerable cloud environments. Unlike conventional cloud-based malware, PCPJack deliberately avoids deploying cryptocurrency miners. | ALERTS | VIRUS |
| 14.5.26 | Iran-Linked Hackers Breached Major Korean Electronics Maker in Global Espionage Campaign | Iran-linked attackers spent a week inside the network of a major South Korean electronics manufacturer in February 2026, as part of a sprawling early-year espionage campaign affecting at least nine organizations across four continents. | ALERTS | APT |
| 14.5.26 | Smishing Campaigns Use UAE and Singapore Service Lures | A recent investigation by a researcher describes a large smishing operation impersonating trusted transportation, logistics, and government services in the UAE and Singapore. The campaign uses deceptive domains, mobile-focused phishing pages, geo-filtering, HTTPS certificates, and centralized hosting to make fraudulent payment or identity-verification pages appear legitimate. | ALERTS | PHISHING |
| 14.5.26 | Action1 RMM Abused in “April Statements” Invoice Malspam | Symantec has identified a malspam campaign that abuses the legitimate Action1 remote monitoring and management (RMM) platform to gain hands-on-keyboard access to victim endpoints. The campaign uses an invoice-themed lure ("April Statements") impersonating a US residential property-management organization. | SPAM | |
| 9.5.26 | DirtyFrag vulnerability - CVE-2026-43284 / CVE-2026-43500 | Just a week after the disclosure of CopyFail (CVE-2026-31431), a second critical Linux kernel flaw has been disclosed, with technical details and proof-of-concept code released publicly. Dubbed DirtyFrag, the vulnerability chains two distinct kernel bugs: CVE-2026-43284 (ESP subsystem) and CVE-2026-43500 (RxRPC subsystem). | ALERTS | VULNERABILITY |
| 9.5.26 | macOS infostealer delivery campaign leverages ClickFix techniques | Microsoft researchers have identified an evolving macOS infostealer campaign that leverages "ClickFix" tactics to compromise users. Rather than relying on traditional methods like malicious disk images (.dmg files), attackers now embed deceptive instructions within public blogs and user-generated content sites. These sites trick victims into executing specific Terminal commands under the guise of installing system optimization utilities. | ALERTS | VIRUS |
| 9.5.26 | Unpacking UAT-8302: A New Arsenal of China-Nexus Malware | Cisco Talos has uncovered UAT-8302, a sophisticated China-nexus threat group aggressively targeting government entities, primarily observed in Europe and South America. This actor utilizes an extensive toolkit of custom malware, notably the .NET-based NetDraft backdoor, which leverages MS Graph for stealthy command-and-control. Their arsenal further includes CloudSorcerer v3, a refined backdoor that manipulates legitimate platforms like GitHub to retrieve operational instructions. | APT | |
| 9.5.26 | Supply Chain Alert: DAEMON Tools Installers Compromised | Security researchers at Kaspersky have uncovered a sophisticated supply chain attack targeting DAEMON Tools, where legitimate installers were trojanized with a multi-stage backdoor. Since April 2026, compromised binaries signed with valid certificates have deployed an initial information collector to thousands of global victims. | ALERTS | VIRUS |
| 9.5.26 | ShadowPad Resurfaces in State Espionage Campaign Targeting Asian Governments | Trend Micro researchers recently identified SHADOW-EARTH-053, a China-aligned espionage group targeting Asian government sectors. The campaign centers on the modular ShadowPad malware, often deployed through DLL sideloading using legitimate signed executables. Attackers establish initial persistence via GODZILLA web shells before utilizing registry-based loaders to execute shellcode covertly. | ALERTS | CAMPAIGN |
| 9.5.26 | Tax Lures Deliver ValleyRAT and ABCDoor | Researchers at Kaspersky recently published an article on a Silver Fox campaign in which the actor used tax-themed phishing lures against organizations in India and Russia, impersonating official tax authorities to push victims toward malicious archives. Per their analysis, the campaign used a custom RustSL loader, ValleyRAT, and a Python-based backdoor dubbed ABCDoor. | VIRUS | |
| 2.5.26 | TeamPCP Targets SAP Developers with Obfuscated npm Backdoor | A sophisticated supply chain attack recently compromised several SAP CAP npm packages, as reported by researchers at Socket. The compromised packages carry a malicious preinstall script that bootstraps a Bun runtime to execute a heavily obfuscated payload. | ALERTS | VIRUS |
| 2.5.26 | Fake GitHub Repositories Push StealC | Researchers recently reported a malicious GitHub campaign that is using fake repositories across 17 accounts to impersonate popular Python projects and lure developers into running trojanized code. The repositories carried a Python dropper that fetched an encrypted Windows loader designed to load StealC. | ALERTS | VIRUS |
| 2.5.26 | CopyFail (CVE-2026-31431) | CopyFail, tracked as CVE-2026-31431, is a Linux kernel local privilege escalation vulnerability affecting the authencesn / algif_aead crypto path, with public technical details and proof-of-concept code now available. The flaw can allow an unprivileged local attacker to create a controlled page-cache overwrite and potentially gain root by modifying the cached copy of a readable setuid binary, making it especially relevant after an initial foothold has already been gained. | VULNERABILITY | |
| 2.5.26 | VECT 2.0 Ransomware - The Accidental Wiper | Check Point Research shared details of VECT 2.0, a multi-platform ransomware targeting Windows, Linux, and ESXi environments. Although marketed as a sophisticated ransomware-as-a-service offering, the malware contains a critical flaw in its encryption routine that impacts files larger than 128 KB. | ALERTS | RANSOM |
| 2.5.26 | Fake Minecraft Hacks Deliver LofyStealer Infostealer | LofyStealer is a modular infostealer currently preying on Minecraft players by masquerading as a game hack. This Brazilian-linked threat utilizes a large Node.js-based loader to bypass traditional sandbox detection before injecting a payload directly into browser memory. | ALERTS | VIRUS |
| 2.5.26 | Inside Vidar’s Latest Variant: Stealth, Social Engineering, and Memory Execution | An analysis from the Lat61 Threat Intelligence Team by Point Wild details a recent variant of the Vidar infostealer as a highly stealthy, multi-stage threat that relies on social engineering and “living-off-the-land” techniques rather than traditional exploits. Initial infections often originate from fake GitHub repositories masquerading as legitimate tools, CAPTCHA prompts, or compromised websites, which trigger scripts chaining WScript and PowerShell. | VIRUS | |
| 2.5.26 | The Rise of the Sleeper: GlassWorm’s Deceptive IDE Tactics | The GlassWorm campaign has intensified, with new research from Socket identifying 73 deceptive "sleeper" extensions on the Open VSX marketplace. These clones impersonate popular developer tools to build trust before activating malicious payloads via updates. | ALERTS | VIRUS |
| 2.5.26 | Snake Keylogger campaign: Saudi Procurement Lure and Multi-Stage Chain | Symantec's Threat Intelligence team has observed a Snake Keylogger malspam campaign leveraging a multi-stage delivery chain that starts with a forged "procurement introduction" email carrying a RAR attachment, and ends with credential theft exfiltrated over the Telegram Bot API. | ALERTS | CAMPAIGN |
| 2.5.26 | Tropic Trooper leverages trojanized binaries to distribute AdaptixC2 | Cybersecurity researchers at Zscaler ThreatLabz uncovered a sophisticated cyberespionage operation orchestrated by the Tropic Trooper threat group (aka Earth Centaur). The attackers specifically targeted Chinese-speaking users, predominantly located within Taiwan, Japan, and South Korea, using deceptive ZIP files disguised as official military documents. | VIRUS | |
| 24.4.26 | DarkCloud via Sea-Freight-Themed Malspam | Symantec has observed a DarkCloud info stealer campaign distributed through malspam messages leveraging a sea-freight quotation lure. The operators impersonated a scientific and industrial supplies distributor based in India, sending emails under the subject line "Inquiry sea shipment rate from China to India" to solicit engagement from logistics and trade-adjacent recipients. | ALERTS | SPAM |
| 24.4.26 | Recent Mirai campaign exploits old vulnerabilities | Cybersecurity researchers at Akamai identified a recent campaign leveraging a Mirai botnet variant to compromise network devices. This Mirai strain attempts to exploit the D-Link flaw CVE-2025-29635 as well as the even older TP-Link Archer vulnerability CVE-2023-1389. | ALERTS | CAMPAIGN |
| 24.4.26 | Needle Stealer malware spread via fraudulent websites | Malwarebytes researchers recently identified a new cybersecurity threat in the form of a Go-based modular information stealer dubbed Needle Stealer. The observed campaign deceives victims using a fraudulent website, which poses as an artificial intelligence trading assistant (called TradingClaw) for the popular financial analysis platform, TradingView. | VIRUS | |
| 24.4.26 | Dindoor backdoor malware | Dindoor is a malicious backdoor built on the Deno runtime and considered an offshoot of the Tsundere botnet. Threat actors distribute Dindoor to unsuspecting victims through deceptive MSI installer files, typically via phishing campaigns or drive-by downloads. | ALERTS | VIRUS |
| 24.4.26 | Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft | While many ransomware groups rely on off-the-shelf utilities such as Rclone or MegaSync to steal victim data, recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process. | ALERTS | VIRUS |
| 23.4.26 | NGate Android Malware Targets Brazil with Trojanized HandyPay App | Researchers at ESET have discovered a new variant of the NGate malware family targeting Android users in Brazil. This iteration is particularly notable because it abuses HandyPay, a legitimate NFC relay application, rather than the open-source tools used in previous campaigns. | VIRUS | |
| 23.4.26 | Typosquatted Domain Targets Developers with Malicious Antigravity Installer | Researchers at Malwarebytes have uncovered a campaign targeting developers via trojanized installers for Google’s Antigravity tool. The operation relies on a typosquatted domain that impersonates the legitimate site, distributing a version of the genuine application bundled with an additional malicious PowerShell script. | ALERTS | CAMPAIGN |
| 23.4.26 | NWHStealer via Fake Downloads | Malwarebytes reports that NWHStealer is being spread through a wide mix of lures, including fake Proton VPN downloads, bogus hardware tools, mining software, and gaming mods, showing how broadly this infostealer is being seeded across the web. | ALERTS | VIRUS |
| 23.4.26 | Dual-Payload Loader Pushes Gh0st RAT & CloverPlus adware | Splunk says attackers are using an obfuscated loader to deliver two threats at once: Gh0st RAT for covert remote access and CloverPlus adware for quick monetization, combining long-term compromise with immediate profit. | ALERTS | VIRUS |
| 23.4.26 | Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor | The Harvester APT group has developed a new, highly-evasive, Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses. | APT | |
| 23.4.26 | ZionSiphon malware | Cybersecurity firm Darktrace has uncovered ZionSiphon, a politically motivated malware strain specifically targeting water treatment and desalination plants. | ALERTS | VIRUS |
| 21.4.26 | Recent Cloverworm campaign targets macOS users with social engineering | Microsoft Threat Intelligence recently exposed a macOS-focused operation attributed to the North Korean state actor Cloverworm (aka Sapphire Sleet). Instead of exploiting software vulnerabilities, the group uses social engineering to compromise systems and exfiltrate sensitive information. | CAMPAIGN | |
| 21.4.26 | Cross-Platform and Coordinated: The Gentlemen RaaS Targets Windows, Linux, and ESXi | According to findings from Check Point Research, the emerging "The Gentlemen" Ransomware-as-a-service (RaaS) operation has scaled rapidly in 2026, accounting for hundreds of confirmed victims. The group utilizes a cross-platform locker suite developed in Go and C, facilitating operations across Windows, Linux, and ESXi environments. | RANSOM | |
| 21.4.26 | Nexcorium botnet - a new Mirai variant | Cybersecurity researchers at FortiGuard Labs uncovered a new malicious campaign distributing Nexcorium, a sophisticated malware strain based on the notorious Mirai botnet. The attackers primarily compromise systems by weaponizing CVE-2024-3721, an operating system command injection flaw found in TBK DVR devices. | ALERTS | BOTNET |
| 21.4.26 | "Cracked" Software is Actually Lumma Stealer | Lumma Stealer and SectopRAT (ArechClient2) represent a previously observed attack chain currently resurfacing in a new campaign. The infection typically originates from "cracked" installers for popular software applications. | ALERTS | VIRUS |
| 21.4.26 | PowMix Botnet | Researchers at Cisco Talos recently published an article on the PowMix botnet, which has been targeting people and organizations in the Czech Republic since at least December 2025, using compliance- and job-themed lures to draw in victims across sectors. | BOTNET | |
| 21.4.26 | Transportation Sector Targeted by RMM-Laced Malspam | In a recent article, Proofpoint describes a cargo-theft-focused intrusion that went well beyond initial access, giving researchers a month-long view into how the actor operated after compromise. The attacker used email-delivered VBS and PowerShell to install ScreenConnect, then layered in additional remote management tools for redundancy and long-term access. | ALERTS | SPAM |
| 18.4.26 | Datto RMM Deployed via Multi-Stage Malspam Chain | Symantec has identified a multi-stage malspam campaign delivering a weaponized Datto Remote Monitoring and Management (RMM) agent as its final payload. The delivery chain is notable for its layered use of legitimate cloud infrastructure — a URL-shortening service (short.gy), Cloudflare R2 public object storage for both an HTML dropper and a PE binary — before installing a Datto RMM agent. | HACKING | |
| 18.4.26 | MiningDropper mobile malware | Cyble Research and Intelligence Labs (CRIL) has identified a significant increase in the deployment of "MiningDropper," an advanced Android malware delivery framework. It covertly mines cryptocurrency while simultaneously acting as a conduit to install secondary malicious payloads, such as banking trojans, infostealers, and Remote Access Trojans (RATs). | ALERTS | VIRUS |
| 18.4.26 | Mirax Android RAT | Mirax is an advanced Android banking trojan advertised and sold under the Malware-as-a-Service (MaaS) model. As reported by the researchers from Cleafy, Mirax grants attackers real-time control over compromised devices, enabling them to execute commands, monitor activities, and deploy dynamic, fake HTML screens over legitimate applications in efforts to steal user credentials. | ALERTS | VIRUS |
| 18.4.26 | Malspam Campaign Delivers Masslogger via GitHub-Hosted Payload | Symantec has identified an active malspam campaign distributing Masslogger, a .NET-based credential stealer and keylogger, via a three-stage delivery chain that abuses GitHub for initial payload hosting. The campaign uses an order confirmation lure designed to prompt rapid user action. | CAMPAIGN | |
| 18.4.26 | ViperTunnel - A New Python-based Backdoor | The ViperTunnel backdoor is a sophisticated Python-based proxy linked to EvilCorp affiliates. It achieves persistence by abusing the sitecustomize.py module to auto-execute malicious code whenever the Python interpreter starts. This modular threat establishes encrypted SOCKS5 tunnels to command-and-control servers, often masquerading as typical HTTPS traffic to bypass detection. | VIRUS | |
| 18.4.26 | Direct-Sys Loader and CGrabber Stealer distribution campaign | The Cyderes Howler Cell Threat Research Team recently uncovered a novel, multistage cyberattack campaign deploying two previously unknown malware strains: Direct-Sys Loader and CGrabber Stealer. The intrusion begins when victims download malicious ZIP archives concealed within GitHub user attachment links. Direct-Sys Loader issues system calls directly, sidestepping the user-mode API hooks on which behavioral security software commonly relies. | ALERTS | CAMPAIGN |
| 18.4.26 | SmokedHam backdoor | In early 2026, Orange Cyberdefense investigated multiple cyberattacks targeting European businesses. These breaches began with fraudulent advertisements disguised as installers for well-known software, including Remote Desktop Manager (RDM) tools, SSH clients and RVTools. The campaign led to infection with the SmokedHam backdoor. | VIRUS | |
| 18.4.26 | CVE-2026-34197 - Apache ActiveMQ vulnerability | CVE-2026-34197 is a recently disclosed vulnerability affecting Apache ActiveMQ Broker and Apache ActiveMQ. If successfully exploited, the flaw might allow attackers to bypass configuration validation and load a remote malicious Spring XML application context, leading to arbitrary code execution on the broker's Java Virtual Machine (JVM). The flaw has already been addressed in updated versions of the vulnerable products. | VULNERABILITY | |
| 18.4.26 | STX RAT malware distributed via CPUID software compromise | On April 9, 2026, cybercriminals successfully compromised the official website of cpuid[.]com, a well-known publisher of system administration utilities. Through this breach, the threat actors distributed malware-laced versions of several widely used monitoring and diagnostic tools. As reported by the researchers from Securelist, the impacted programs included CPU-Z (version 2.19), HWMonitor (version 1.63), HWMonitor Pro (version 1.57), and PerfMonitor 2 (version 2.04). | ALERTS | VIRUS |
| 18.4.26 | New JanelaRAT variant distributed in the wild | JanelaRAT is a malware family designed to harvest cryptocurrency and financial information from Latin American banking customers. Active since mid-2023, this threat is a tailored adaptation of the BX RAT malware. The researchers from Securelist have recently discovered version 33 of this trojan being distributed under the disguise of a legitimate pixel art application. | VIRUS | |
| 10.4.26 | VantaBlack Ransomware | VantaBlack (self-chosen name) is a ransomware actor first observed in late 2025. Their ransomware is a Windows x64 binary built for double extortion: it encrypts files using a modern Salsa20/ChaCha symmetric cipher paired with an asymmetric RSA public key for key encapsulation (two distinct encrypted file extensions have been observed across samples — .E2WN0 and .35RUT), while simultaneously exfiltrating data with threatened publication on a dedicated leak site. | ALERTS | RANSOM |
| 10.4.26 | Torg Grabber Infostealer | Cybersecurity experts at Gen Digital have discovered a rapidly evolving information-stealing malware known as Torg Grabber. This variant is distributed via ClickFix social engineering techniques. Once a system is compromised, Torg Grabber proceeds to extract sensitive data from web browsers, aiming for user credentials, autofill details and cookies, among others. | VIRUS | |
| 10.4.26 | Masjesu botnet | Masjesu botnet is a highly advanced threat targeting the Internet of Things (IoT). As reported by the researchers from Trellix, the malware is primarily marketed on Telegram as a DDoS-for-hire service. The botnet infects a diverse spectrum of IoT hardware, including gateways and routers, and is compatible with numerous complex system architectures. | ALERTS | BOTNET |
| 10.4.26 | LucidRook Campaigns Target Taiwanese Entities | Researchers at Cisco Talos have identified LucidRook, a Lua-based stager used by UAT-10362 to target Taiwanese entities. Delivered through spear-phishing lures disguised as antivirus installers (LNK/EXE), LucidRook often operates alongside LucidPawn, a dropper, and LucidKnight, a reconnaissance tool. | ALERTS | CAMPAIGN |
| 10.4.26 | Operation NoVoice - a new Android malware delivery campaign | Cybersecurity researchers at McAfee have uncovered "Operation NoVoice," a widespread mobile malware campaign utilizing exploits for previously patched Android vulnerabilities from 2016 to 2021. Threat actors have been observed to distribute a malicious rootkit module via the Google Play Store, hiding it within more than fifty seemingly harmless applications, such as games and device cleaner apps. | OPERATION | |
| 10.4.26 | CVE-2026-33017 - Langflow Code Injection vulnerability exploited in the wild | CVE-2026-33017 is a recently disclosed critical (CVSS score 9.3) Code Injection vulnerability affecting Langflow, a tool for building and deploying AI-powered agents and workflows. If successfully exploited, the flaw might allow attackers to execute arbitrary code within the context of the vulnerable application, leading to full compromise of the underlying server. | ALERTS | VULNERABILITY |
| 10.4.26 | CVE-2026-22765 - Dell Wyse Management Suite vulnerability | CVE-2026-22765 is a recently disclosed high severity (CVSS score 8.8) Missing Authorization vulnerability affecting Dell Wyse Management Suite, a centralized, web-based management solution designed to configure and monitor Dell thin client endpoints. | VULNERABILITY | |
| 10.4.26 | Supply-chain attack: Axios npm compromise | StepSecurity reported that the widely used npm package axios — with over 100 million weekly downloads — was briefly compromised through two malicious releases, 1.14.1 and 0.30.4, published from a hijacked maintainer account on March 30–31, 2026. The poisoned versions did not alter axios's own code; instead, they added a hidden dependency, plain-crypto-js@4.2.1, whose postinstall script deployed a cross-platform remote access trojan for Windows, macOS, and Linux. | HACKING | |
| 10.4.26 | Casbaneiro Banking Trojan Campaigns Target Latin America and Europe | The Augmented Marauder threat group has evolved, deploying a sophisticated multi-pronged campaign that pairs the Casbaneiro banking trojan with the Horabot spreader. Researchers from BlueVoyant have highlighted that this duo targets Spanish-speaking organizations by transitioning from password-protected PDFs to obfuscated VBScript and AutoIT loaders. | ALERTS | CAMPAIGN |
| 10.4.26 | Qilin Ransomware Deploys Kernel-Level EDR Killer to Blind Defenses | A sophisticated Qilin ransomware campaign has been identified using a specialized "EDR Killer" tool to neutralize enterprise defenses. According to Cisco Talos, the attack begins with a malicious DLL sideloading technique that deploys dual kernel drivers. | RANSOM | |
| 10.4.26 | Cybercriminals bait users with leaked Anthropic Claude Code on GitHub to deliver Vidar Stealer | Following Anthropic’s accidental exposure of Claude Code source code through an npm package on March 31, 2026, cybercriminals swiftly capitalized on this incident. As reported by Zscaler, the malicious actors established a highly visible GitHub repository masquerading as the leaked data. Instead of receiving legitimate source code, victims inadvertently downloaded a malicious Rust-based executable disguised as a standard setup file. | ALERTS | VIRUS |
| 10.4.26 | Malicious LNK Delivery and GitHub-Based C2 Observed in New DPRK Campaign | Fortinet researchers have identified a sophisticated DPRK-linked campaign targeting Windows environments via malicious LNK files. The attack uses encoded PowerShell scripts and employs GitHub for command-and-control operations. | ALERTS | APT |
| 3.4.26 | Chinese-Nexus Monarch APT Deploys In-Memory AtlasCross RAT via Fake Installers | A recent report by Hexastrike details a campaign by Monarch (also known as Silver Fox or Void Arachne), a Chinese-nexus APT targeting Chinese-speaking users. The campaign leverages typosquatted domains impersonating popular applications such as Microsoft Teams, Signal, Telegram, and Zoom to distribute ZIP archives disguised as legitimate installers. | APT | |
| 3.4.26 | CrystalX malware | CrystalX RAT is a novel Malware-as-a-Service (MaaS) variant marketed across Telegram and YouTube and utilizing promotional tactics like giveaways and video demonstrations. | ALERTS | VIRUS |
| 3.4.26 | XLoader Levels Up: Advanced Obfuscation Fuels Stealthy Data Theft | An evolution of the Formbook infostealer, XLoader is doubling down on stealth. New variants detailed by Zscaler researchers employ advanced obfuscation and multi-layered network protection to mask their command-and-control infrastructure. | VIRUS | |
| 1.4.26 | Resoker RAT malware | Resoker is a recently identified Remote Access Trojan (RAT) designed to grant threat actors comprehensive control over compromised endpoints. Unlike conventional malware that relies on dedicated centralized server infrastructure, this threat leverages legitimate Telegram Bot APIs instead. | VIRUS | |
| 1.4.26 | Prismex malware distributed by the Swallowtail APT | The Swallowtail threat group (also known as Pawn Storm, APT28 or Fancy Bear) has been reported to have launched a major cyber espionage campaign targeting the military and humanitarian supply chains of Ukraine and its allies across Central and Eastern Europe. | VIRUS | |
| 1.4.26 | BrushWorm and BrushLogger malware | Elastic Security Labs recently uncovered a cyberattack targeting a financial organization in South Asia, deploying two custom-built malicious tools: a backdoor dubbed BrushWorm and a keylogger named BrushLogger. BrushWorm serves as the primary infection mechanism. | ALERTS | VIRUS |
| 1.4.26 | BPFdoor - a stealthy backdoor distributed to telecommunications networks for persistent access | A recent investigation by Rapid7 Labs has exposed a highly sophisticated, long-term espionage operation orchestrated by the Red Menshen threat group. Targeting global telecommunications providers and government networks, the group's primary objective is to embed stealthy malware deep within critical systems to maintain undetected, persistent access. | VIRUS | |
| 1.4.26 | EtherRAT malware distribution campaign | EtherRAT is a highly sophisticated malware designed to execute unauthorized commands, exfiltrate cloud credentials, and drain cryptocurrency wallets from the infected systems. A defining characteristic of this threat is its use of "EtherHiding", an increasingly prevalent evasion tactic that leverages the Ethereum blockchain to conceal its Command-and-Control (C2) infrastructure. | VIRUS | |
| 1.4.26 | HRSword tool abused by ransomware actors | HRSword is a specialized, legitimate system monitoring tool developed by the Chinese cybersecurity firm Huorong Network Technology, designed for diagnosing Windows system issues. | RANSOM | |
| 1.4.26 | TDSSKiller tool abused by ransomware actors | TDSSKiller is a portable, free utility used to detect and remove advanced rootkits and bootkits that hide from standard antivirus software. | ALERTS | RANSOM |
| 1.4.26 | Three China-Aligned Clusters Orchestrate Layered Intrusion Against SEA Government | Unit 42 researchers at Palo Alto Networks identified a multi-faceted cyberespionage campaign targeting a Southeast Asian government, attributed to three China-aligned clusters. | CAMPAIGN | |
| 1.4.26 | A new GlassWorm distribution campaign | Cybersecurity experts at Aikido identified a sophisticated new phase of the GlassWorm malware campaign, which utilizes a complex, multi-stage attack framework to steal sensitive data and deploy a remote access trojan variant. | ALERTS | CAMPAIGN |
| 26.3.26 | Oblivion RAT - a new mobile threat | Oblivion RAT is a recently discovered, sophisticated Android Remote Access Trojan (RAT) that operates under the Malware-as-a-Service (MaaS) business model. As reported by the researchers from iVerify, this malware relies heavily on a two-stage infection sequence initiated through targeted social engineering tactics, often deployed across popular messaging or dating applications. | VIRUS | |
| 26.3.26 | FAUX#ELEVATE: The "CV" Malware Squeezing Enterprise CPUs for Monero | The FAUX#ELEVATE campaign is a sophisticated operation targeting French enterprises using deceptive job application lures. As detailed in a report by researchers at Securonix, this threat utilizes a heavily bloated VBScript dropper, where nearly all content consists of junk text to bypass traditional security scanners. | OPERATION | |
| 26.3.26 | MioLab Stealer | MioLab is a macOS stealer offered through a malware-as-a-service framework. In a recent article, researchers at LevelBlue outlined its capabilities, noting that it is designed to harvest browser credentials, cookies, Keychain data, Apple Notes, files, and a wide range of cryptocurrency wallets, with a particular focus on high-value crypto theft. | ALERTS | VIRUS |
| 26.3.26 | PureHVNC via Google Form lures | Researchers recently observed PureHVNC as the final payload in a campaign that used fake business workflows on Google Forms, including job interviews, project briefs, and financial documents, to lure victims into downloading ZIP archives. | CAMPAIGN | |
| 26.3.26 | PureLog via Copyright Bait | Researchers at Trend Micro recently published an article on a PureLog Stealer campaign that uses fake copyright-violation notices as bait, with lure filenames matched to the victim’s language to improve execution. | CAMPAIGN | |
| 26.3.26 | VoidStealer | Gen Digital has detailed a new infostealer, VoidStealer, which is notable for being the first seen in the wild using a debugger-based bypass of Chrome’s Application-Bound Encryption (ABE). | VIRUS | |
| 21.3.26 | Multi-stage malware distribution through typosquatted Telegram websites | Cybersecurity analysts from K7 Security Labs have uncovered a sophisticated malicious campaign leveraging a typosquatted Telegram domain, "telegrgam[.]com," to trick unsuspecting users into downloading compromised software installers. | ALERTS | VIRUS |
| 21.3.26 | Winos4.0 malware distributed as a fake KakaoTalk installer | Security researchers at the AhnLab Security Intelligence Center (ASEC) have uncovered a widespread cyberattack utilizing Search Engine Optimization (SEO) poisoning to distribute the Winos4.0 malware variant. This deceptive campaign successfully compromised more than 5,000 computers by disguising a malicious payload as the standard installation file for the widely used messaging application KakaoTalk. | VIRUS | |
| 21.3.26 | Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign | A series of attacks on Libyan organizations hit an oil refinery, a telecoms organization and a state institution between November 2025 and February 2026. These attacks delivered the AsyncRAT backdoor, which is a publicly available backdoor that has previously been used by state-sponsored groups. | APT | |
| 21.3.26 | Perseus mobile malware | Security researchers from Threat Fabric have reported on a new mobile malware called Perseus which is actively circulating in the wild. Representing the next evolutionary stage of older malware families like Cerberus and Phoenix, Perseus functions as a sophisticated, flexible framework designed for a complete device compromise. | VIRUS | |
| 21.3.26 | Polymorphic Scripts and Fake Overlays: Inside the Latest Horabot Surge | Horabot has re-emerged as a sophisticated, multi-stage campaign targeting Latin America, especially Mexico, using ClickFix-style CAPTCHAs and phishing lures to initiate infection. These lures are generated on compromised systems by hijacking email data and sending malicious PDF attachments. | ALERTS | VIRUS |
| 21.3.26 | Recent activities attributed to the SeedWorm threat group | SeedWorm (aka Boggy Serpens, Muddy Water) is an Iranian state-sponsored cyberespionage threat actor active since at least 2017. According to a recent report published by Palo Alto's Unit42, this threat group has been employing high-volume strategies, relying on broad spear-phishing and legitimate remote management software to infiltrate targets. | GROUP | |
| 21.3.26 | DrillApp backdoor | LAB52 researchers uncovered a recent cyberespionage campaign aimed at Ukrainian organizations. At the core of this operation is a newly discovered, JavaScript-based backdoor dubbed DrillApp. Rather than relying on a traditional standalone executable execution, the malware hijacks the Microsoft Edge browser to infiltrate victim networks. | VIRUS | |
| 21.3.26 | New Malware Targets Users of Cobra DocGuard Software | Symantec and Carbon Black researchers have uncovered a mysterious and stealthy new threat that hijacks functionality and infrastructure of the legitimate security software Cobra DocGuard. Infostealer.Speagle is designed to surreptitiously harvest sensitive information from infected computers and transmit it to a Cobra DocGuard server that has been compromised by the attackers, masking the data exfiltration process as legitimate communications between client and server. | VIRUS | |
| 21.3.26 | SnappyClient | In a new technical analysis, Zscaler researchers detail SnappyClient, a stealthy C++-based command-and-control implant often delivered through HijackLoader. Operating largely in memory, it blends evasive techniques like Antimalware Scan Interface (AMSI) bypasses and direct system calls with encrypted communications to avoid detection. | VIRUS | |
| 18.3.26 | Fake FileZilla installers lead to infection with a Remote Access Trojan (RAT) | Threat actors are exploiting the popularity of the FileZilla file transfer client to infect systems with a Remote Access Trojan (RAT) variant. Once a victim downloads the seemingly legitimate software, they unwittingly introduce a multi-stage malware loader into their digital environment. | ALERTS | VIRUS |
| 18.3.26 | Vidar Stealer Evolves: Improved Performance, Stealth, and Social Distribution Vectors | A recent report by Acronis TRU researchers details the re-emergence of Vidar Stealer 2.0. This iteration introduces several advancements, specifically targeting improved operational performance and defensive evasion. Current distribution vectors involve deceptive GitHub repositories and Reddit threads masquerading as gaming utilities. | VIRUS | |
| 18.3.26 | Warlock Ransomware Group Ups the Ante with New TTPs | The Warlock ransomware group is escalating operations, according to researchers at Trend Micro. Recently observed activity primarily targets organizations in government, manufacturing, and technology sectors. Attacks typically begin with the exploitation of SharePoint vulnerabilities, enabling initial access and credential dumping. | RANSOM | |
| 18.3.26 | Hyrax malware distributed in SEO poisoning operation attributed to the Storm-2561 threat group | Microsoft researchers discovered a sophisticated credential-stealing operation orchestrated by the cybercriminal group known as Storm-2561. This threat actor actively employs search engine optimization (SEO) manipulation to distribute fraudulent virtual private network (VPN) applications. | OPERATION | |
| 18.3.26 | Venon Banking malware | ZenoX recently reported that it identified a new Brazilian banking trojan, VENON, in February 2026, describing it as a Rust-based RAT that mirrors many classic Latin American banker behaviors, including overlay abuse and active window monitoring (33 financial institutions and digital asset platforms). | ALERTS | VIRUS |
| 14.3.26 | DoubleDonut loader leveraged for the delivery of various infostealing payloads | Rapid7 Labs recently uncovered a widespread malicious campaign that compromised a large number of trusted WordPress websites in efforts to distribute malicious payloads. Threat actors inject a deceptive ClickFix script into these legitimate sites, presenting unsuspecting visitors with fraudulent CAPTCHA prompts. Engaging with this fake verification triggers a sophisticated, multi-stage infection chain aimed at harvesting digital wallets and system credentials from the victims. | VIRUS | |
| 14.3.26 | GibCrypto malware | GibCrypto is a new destructive and evasive ransomware variant discovered in the wild. As reported by researchers from K7 Security Labs, this malware variant compromises the Master Boot Record (MBR) and systematically targets vital Windows dependencies. | VIRUS | |
| 14.3.26 | Iranian Intelligence Integrates Malware-as-a-Service into State Operations | Recent research from Check Point reveals a strategic shift in Iranian cyber operations. Groups linked to the Ministry of Intelligence and Security (MOIS), such as Seedworm (aka MuddyWater) and Druidfly (aka Void Manticore), are moving beyond simply imitating cybercriminals to directly collaborating with the criminal ecosystem. | APT | |
| 14.3.26 | TAXISPY RAT Android malware | TaxiSpy RAT is an Android malware variant recently discovered by the researchers from Cyfirma. To bypass static security analysis, the malware employs complex evasion tactics, utilizing native libraries for critical tasks and XOR encryption to conceal its command-and-control (C2) infrastructure, configuration data, and Firebase credentials until runtime. | VIRUS | |
| 14.3.26 | Multi-staged Remcos RAT deployment campaign | A new Remcos RAT campaign leveraging fileless execution has been observed in the wild. As reported by Trellix researchers, the attack sequence begins with procurement-themed phishing emails, often disguised for example as "Request for Quotation" documents. | ALERTS | VIRUS |
| 14.3.26 | KadNap botnet | Researchers at Black Lotus Labs recently uncovered KadNap, an advanced botnet strain that has successfully compromised over 14,000 routers since August 2025. The malware employs a sophisticated evasion strategy, utilizing a customized version of the Kademlia Distributed Hash Table (DHT) protocol to establish a decentralized, peer-to-peer (P2P) network. | BOTNET | |
| 14.3.26 | CVE-2026-1207 - Django SQLi Vulnerability | CVE-2026-1207 is a recently disclosed medium severity (CVSS score 5.4) SQL Injection vulnerability affecting Django, the Python-based open-source web framework. If successfully exploited the flaw might allow attackers with low-level authentication to inject SQL commands via the band index parameter, potentially allowing for unauthorized data access or manipulation. This vulnerability has already been addressed in the updated versions of the product (6.0.2, 5.2.11, and 4.2.28 or newer). | VULNEREBILITY | |
| 14.3.26 | China-Linked Hackers Target Qatar with PlugX Malware Campaign | Qatar is yet another victim of cyber espionage directly resulting from the increasing tensions in the Middle East. The Chinese-nexus threat group Fireant (aka Camaro Dragon/Mustang Panda) utilized a multi-stage infection chain to deliver a variant of the PlugX backdoor, according to a report by Check Point Research. | CAMPAIGN | |
| 14.3.26 | ClipXDaemon | Cyble has reported a newly identified Linux threat dubbed ClipXDaemon, a clipboard hijacker built to target cryptocurrency users on X11-based desktop environments. | ALERTS | CRYPTOCURRENCY |
| 12.3.26 | UAC-0252 activity delivering ShadowSniff and SalatStealer malware | Ukraine’s Computer Emergency Response Team (CERT-UA) identified a malicious campaign (dubbed UAC-0252) impersonating national executive authorities and regional government officials to deceive the victims. | ALERTS | GROUP |
| 12.3.26 | FakeGit Campaign Uses GitHub Lures to Deliver StealC | Researchers at Derp uncovered a large GitHub-based malware operation dubbed FakeGit, active since March 2025, that masquerades as cracked extensions, gaming cheats, developer tools, and other bait to spread a LuaJIT loader. | CAMPAIGN | |
| 12.3.26 | Android Malware: BeatBanker | Researchers at Kaspersky recently published an article about an Android malware campaign dubbed "BeatBanker" that targets mobile users in Brazil. It is being spread via a fake Google Play page spoofing the “INSS Reembolso” app to lure victims into installing a trojanized APK. | VIRUS | |
| 12.3.26 | Swallowtail Returns with BeardShell Backdoor and Modified Covenant Framework | A report by researchers at ESET highlights details attributed to the Russian group Swallowtail (aka APT28/Fancy Bear/Sednit). Since early 2024, the group has pivoted toward a dual-implant strategy, deploying the custom BeardShell backdoor alongside a heavily modified Covenant framework. | APT | |
| 10.3.26 | Recent Dust Specter APT activity | A recent targeted cyber espionage campaign directed at Iraqi government officials has been reported by researchers from Zscaler. The attack has been attributed to a threat group known as Dust Specter. | ALERTS | APT |
| 10.3.26 | Cybercriminals Exploit Middle East Tensions to Deliver Backdoors and Info-Stealing Malware | Cybercriminals are increasingly exploiting Middle East geopolitical tensions to launch sophisticated digital attacks. A report by researchers from Zscaler ThreatLabz reveals a surge in malicious activity, including a suspected targeted campaign that utilizes "missile strike" lures to deploy backdoors through a multi-stage attack chain incorporating ZIP, LNK, and CHM files. | VIRUS | |
| 10.3.26 | South American Telecom Providers Targeted by Trio of Malicious Tools | Cisco Talos researchers have uncovered a sophisticated campaign by UAT-9244, a Chinese-aligned threat actor, targeting South American telecommunications providers. This operation leverages a trio of malicious tools to compromise both Windows and Linux environments. | CAMPAIGN | |
| 10.3.26 | BoryptGrab Stealer | Trend Micro has recently reported a new malware campaign centered on BoryptGrab, a stealer spread through fake GitHub repositories and lookalike download pages posing as free utilities and game-related tools. Victims are lured through SEO-manipulated repos, then redirected to pages that generate malicious ZIP files to kick off the infection chain. | VIRUS | |
| 6.3.26 | ARM47 Ransomware | ARM47 HACKERS is a newly identified ransomware threat actor observed deploying a customized variant of the LockBit Black (LockBit 3.0) builder. The group operates under a double-extortion model, encrypting victim files while threatening to publish stolen data via a TOR-hosted leak site if the ransom is not paid. ARM47 is leveraging the widely leaked LockBit 3.0 builder — a trend observed among multiple emerging threat groups since the original builder was leaked in September 2022 — while branding the operation under their own identity. | ALERTS | RANSOM |
| 6.3.26 | BadPaw and MeowMeow: Not as Cute as They Sound | A Russian-based threat actor targeted Ukraine with BadPaw and MeowMeow malware, according to a report by researchers at ClearSky. | VIRUS | |
| 6.3.26 | Datebug APT campaign targets governmental entities in India | Cybersecurity researchers at Cyfirma recently uncovered a sophisticated malware campaign orchestrated by the Datebug threat group (aka Transparent Tribe, APT36). | APT | |
| 6.3.26 | Recent Agent Tesla distribution campaign | Agent Tesla continues to be a highly adaptable threat in the current cybersecurity landscape. A recent campaign delivering this malware variant has been discussed by the researchers from Fortinet. The attack leverages the most typical infection chain and begins with a phishing email containing a malicious RAR archive. | CAMPAIGN | |
| 6.3.26 | Seedworm APT group activity following U.S. and Israeli military strikes on Iran | The Iranian APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten) has been active on the networks of multiple U.S. companies since the beginning of February 2026, with activity continuing in recent days following U.S. and Israeli military strikes on Iran that have sparked conflict in the region. | APT | |
| 6.3.26 | AuraStealer malware variant | AuraStealer is an emerging Malware-as-a-Service (MaaS) information stealer promoted on underground forums. As reported by researchers from Intrinsec, this C++-based malware is delivered via various channels including cracked software, ClickFix attacks and TikTok scam campaigns. | VIRUS | |
| 6.3.26 | SloppyLemming Campaign: PDF → ClickOnce → BurrowShell; Macro Excel → Rust RAT | Arctic Wolf Labs reports a year-long cyber-espionage campaign (Jan 2025–Jan 2026) they attribute to the India-nexus actor SloppyLemming (aka Outrider Tiger / Fishing Elephant), aimed at government and critical-infrastructure targets in Pakistan and Bangladesh. The operation ran two chains: PDF lures that bounce victims to ClickOnce manifests, and macro-enabled Excel documents used as an alternate delivery route. | CAMPAIGN | |
| 5.3.26 | Silver Dragon’s Tactics, Custom Tools, and the GearDoor Backdoor | Silver Dragon is a Chinese-aligned threat group that has been actively targeting organizations in Southeast Asia and Europe since mid-2024, primarily focusing on government entities. | APT | |
| 5.3.26 | SurxRAT mobile malware | SurxRAT is a sophisticated Remote Access Trojan (RAT) for Android recently discovered by the researchers from Cyble. The malware operates under the Malware-as-a-Service (MaaS) model. | VIRUS | |
| 5.3.26 | APT-Linked PlugX Campaign: Meeting Invitation + Fake Browser Updater | A recent PlugX campaign blends social engineering with “trusted” binaries: one path uses a Meeting Invitation lure that drops a ZIP containing an MSBuild project which pulls the next stages on execution. Another path seen in January 2026 starts with a fake “Browser Updater” (STATICPLUGIN) that downloads and runs a malicious MSI even if the victim clicks Cancel. | APT | |
| 5.3.26 | Smishing Pushes Malicious “Red Alert” Android App in Israel | Global events have always been used as social engineering by both e-crime and APT groups in order to lure victims’ curiosity, fear, or urgency into kicking off an attack chain. | SPAM | |
| 5.3.26 | Zerobot Campaign Exploits CVE-2025-7544 and CVE-2025-68613 | This week, Akamai reported active exploitation of two command-injection flaws to spread a Mirai-derived botnet dubbed Zerobot: CVE-2025-7544 in Tenda AC1206 routers and CVE-2025-68613 in the n8n workflow automation platform. | VULNEREBILITY | |
| 5.3.26 | StegaBin: Another npm Supply-Chain Campaign | Researchers at Socket recently reported a supply-chain campaign dubbed “StegaBin,” in which 26 typosquatted npm packages published around Feb. | CAMPAIGN | |
| 5.3.26 | CVE-2026-25253 - OpenClaw RCE vulnerability | CVE-2026-25253 is a recently disclosed high severity (CVSS score 8.8) Remote Code Execution (RCE) vulnerability affecting the OpenClaw AI personal assistant tool. | VULNEREBILITY | |
| 5.3.26 | Dohdoor backdoor delivery campaign | A sophisticated cyber campaign orchestrated by the threat actor dubbed UAT-10027 has been reported by the researchers from Cisco Talos. Focused heavily on American educational and healthcare institutions, the hackers execute a multi-staged attack chain to distribute a newly identified backdoor named Dohdoor. | VIRUS | |
| 5.3.26 | CVE-2026-24423 - SmarterTools SmarterMail vulnerability | CVE-2026-24423 is a recently disclosed critical (CVSS score 9.3) Remote Code Execution (RCE) vulnerability affecting SmarterTools SmarterMail software, which is an email, groupware, and collaboration server designed as an alternative to enterprise collaboration solutions such as Microsoft Exchange. | VULNEREBILITY | |
| 27.2.26 | Steaelite RAT | Steaelite is a newly emerged remote access trojan (RAT) that grants attackers extensive, browser-based command over compromised Windows computers. | VIRUS | |
| 27.2.26 | Open-source payloads spread via malicious npm packages | Tenable researchers recently identified a dangerous npm package named “ambar-src” that underscores the increase in modern supply chain threats targeting the npm landscape. Within just a few days of its release, the package amassed approximately 50,000 downloads before being removed from the public registry. | VIRUS | |
| 27.2.26 | Fake Microsoft 365 Admin Center Loading Screen Stages Iframe-Delivered Credential Phishing | Symantec has observed a credential-phishing campaign using the urgent email subject “Immediate Action Required: Account Lockout [ID: <6-char>-2026]” to pressure recipients into acting quickly. | PHISHING | |
| 27.2.26 | Operation MacroMaze Targets Europe | Operation MacroMaze is a campaign attributed to the Swallowtail threat group (a.k.a. APT28 or Fancy Bear). Over several months, this campaign targeted entities in Central and Western Europe to exfiltrate data. | OPERATION | |
| 27.2.26 | Mercenary Akula Threat Group Targets European Financial Institution with RMM Payload | A report by researchers at BlueVoyant shares insights into recent activity that targeted a European financial institution. The campaign leveraged socially engineered spearphishing and multiple archive files to deliver a legitimate remote administration tool, Remote Manipulator System (RMS). | GROUP | |
| 27.2.26 | UnsolicitedBooker threat group deploys LuciDoor and MarsSnake backdoor variants | The UnsolicitedBooker threat group has recently shifted its crosshairs from Saudi Arabian organizations to telecommunications providers in Kyrgyzstan and Tajikistan. According to a recent Positive Technologies report, the threat actor employs two distinct C++ backdoors called LuciDoor and MarsSnake. | GROUP | |
| 27.2.26 | XMRig delivery campaign leverages BYOVD techniques | An advanced cryptojacking operation that relies on the distribution of counterfeit software packages to infect computers with an XMRig cryptocurrency miner has been reported by cybersecurity researchers from Trellix. Once installed, the malware acts as a complex, multi-stage threat. | CAMPAIGN | |
| 27.2.26 | NetSupport RAT delivery attributed to the GrayCharlie threat actor | GrayCharlie is a financially motivated threat actor that overlaps significantly with the cybercriminal group SmartApeSG. According to a newly published intelligence report by Insikt Group researchers, GrayCharlie specializes in breaching vulnerable WordPress websites and injecting malicious JavaScript. | VIRUS | |
| 27.2.26 | Moonrise RAT | Security researchers at ANY.RUN have identified Moonrise, a newly developed Go-based Remote Access Trojan (RAT) that aims at traditional static detection evasion. The malware provides the threat actors with comprehensive remote control over infected endpoints. | VIRUS | |
| 27.2.26 | Medusa Ransomware distributed by the Lazarus threat group | North Korean state-backed attackers are now using the Medusa ransomware and are continuing to mount extortion attacks on the U.S. healthcare sector. | RANSOM | |
| 27.2.26 | Financial Lures Leveraged to Spread Winos 4.0 to Taiwan | Phishing campaigns delivering Winos 4.0 (ValleyRAT) malware to targets in Taiwan are attributed to the Monarch (aka Silver Fox) threat group. The campaigns leveraged financial lures, specifically tax- and invoice-related documents, to deliver their payloads. | VIRUS | |
| 27.2.26 | PromptSpy Android malware | PromptSpy is a new Android malware variant utilizing generative AI to manipulate user interfaces dynamically. As reported by researchers from ESET, the malware leverages Google’s Gemini AI specifically to maintain a persistent presence on the infected devices. | VIRUS | |
| 23.2.26 | Massiv Android Trojan | Cybersecurity experts from Threat Fabric have identified a new Android banking trojan dubbed Massiv. Massiv operates by granting cybercriminals total remote access to an infected device. | VIRUS | |
| 23.2.26 | New deployment campaign of the CastleLoader and LummaStealer malware | A resurgence in LummaStealer activity has been observed by researchers from Bitdefender. Despite a major law enforcement disruption in May 2025 that neutralized over 2,300 command-and-control domains, the group seems to be continuing its global attacks. | CAMPAIGN | |
| 23.2.26 | CrescentHarvest cyberespionage campaign | Acronis Threat Research Unit has identified a cyberespionage operation dubbed CrescentHarvest, which aims at surveillance and data theft and is targeted at supporters of ongoing protests in Iran. Observed since early January, the campaign exploits geopolitical tension by using social engineering to trick victims. | CAMPAIGN | |
| 23.2.26 | CVE-2026-1281 and CVE-2026-1340 - Ivanti EPMM RCE Vulnerabilities | In late January, Ivanti released updates to address two critical vulnerabilities affecting Endpoint Manager Mobile (EPMM). Identified as CVE-2026-1281 (CVSS 9.8) and CVE-2026-1340 (CVSS 9.8), these vulnerabilities can allow attackers unauthenticated remote code execution via code injection. Details of active exploitation have been shared in a report by Unit 42 researchers at Palo Alto Networks. | VULNEREBILITY | |
| 23.2.26 | Cuckoo infostealer spread via ClickFix techniques | A recent malware delivery campaign discovered by the researchers from Hunt.io involves attackers leveraging social engineering and typosquatted domains - specifically mimicking the popular Homebrew package manager - to deceive users into execution of malicious binaries. | VIRUS | |
| 23.2.26 | An Invitation to Phishing | Calendar invite spam is an increasingly observed tactic used by threat actors to steal credentials. Socially engineered emails designed to entice a recipient to accept a calendar invite direct potential victims to unwittingly share their login information. | PHISHING | |
| 23.2.26 | Interlock Ransomware: Activity Continues Into 2026 | Recent leak-site activity indicates Interlock operations continued into early 2026, with multiple newly listed alleged victims appearing in January–February. This follows a steady cadence of claimed postings in prior years: 67 in 2025 and 14 in 2024. | RANSOM | |
| 23.2.26 | Prometei botnet deployment campaign | Researchers from eSentire’s Threat Response Unit recently identified an attempt to deploy the Prometei botnet on a Windows Server within the construction sector. Active since at least 2016, Prometei is a multifaceted malware strain capable of remote control, credential theft, Monero crypto-mining, and lateral network movement. | BOTNET | |
| 16.2.26 | SSHStalker Linux botnet variant | Flare’s research team has identified "SSHStalker," a previously unreported Linux botnet operation. Rather than employing complex modern Command and Control (C2) servers, SSHStalker utilizes a resilient IRC infrastructure to manage various bot variants, including Tsunami and Keiten. | BOTNET | |
| 16.2.26 | Threat Actors Increasingly Integrate GenAI into Active Campaigns | A report by researchers of the Google Threat Intelligence Group highlights recent activity related to artificial intelligence as used by malicious actors. | CAMPAIGN | |
| 16.2.26 | IIS Servers Targeted in Long Term SEO Poisoning Campaigns | China-linked threat actors have been targeting IIS servers in ongoing SEO poisoning campaigns. According to a report by researchers at Elastic, these actors primarily compromise servers in Asian countries to push content directing visitors to illegal gambling or other illicit websites. | CAMPAIGN | |
| 16.2.26 | Japan-Targeted iCloud+ Payment Failure Scam Uses JavaScript-Driven Phishing Kit | A phishing campaign targeting Japanese users abuses a familiar iCloud+ “payment failed” theme to steal Apple Account credentials and, in a second step, harvest payment card details. | SPAM | |
| 12.2.26 | HTM Phishing Across Private and Public Sectors: Targeted Filenames + Telegram Exfil | Over the past few days Symantec has observed a lightweight credential-harvesting campaign that delivers an HTML/HTM attachment directly via email (EMAIL → HTM). The HTM filename pattern (recipient_company_domain_quote.htm) strongly suggests the actor is generating lures per target organization. | PHISHING | |
| 12.2.26 | Dating App Masquerade: SpyMax Targets Minglers in France | Android SpyMax has been observed in France, targeting minglers by posing as a dating app (“France Social: Rencontre, Chat”). If downloaded and installed, the app (France social.apk) quickly pivots from “dating” to privilege acquisition, prompting the victim to enable a custom Accessibility Service and grant Device Administrator rights. | VIRUS | |
| 12.2.26 | Guloader is Always Evolving | GuLoader is a sophisticated malware downloader primarily used to deliver Remote Access Trojans and information stealers. Active since 2019, the malware is known for its use of anti-analysis techniques which allow it to conceal its functionality from automated tools and security researchers. | VIRUS | |
| 12.2.26 | NetSupport RAT deployed in latest campaign attributed to the Stan Ghouls threat group | Stan Ghouls threat group (aka Bloody Wolf) has been launching targeted attacks against organizations within Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan since at least 2023. These attacks are characterized by utilizing campaign-specific infrastructure and leveraging custom Java-based malware loaders. | VIRUS | |
| 12.2.26 | PCHunter tool abused by ransomware actors | PCHunter is a Windows system analysis and security tool designed for in-depth inspection and malware removal. It is often used by security professionals for deep detection of malicious activity, including rootkits, hidden processes, and unauthorized kernel drivers. | RANSOM | |
| 12.2.26 | DKnife - an Adversary-in-the-Middle (AitM) framework | DKnife is a sophisticated Adversary-in-the-Middle (AitM) framework designed to monitor gateways and manipulate network traffic. | HACKING | |
| 12.2.26 | CVE-2026-21858 - n8n Workflow vulnerability | CVE-2026-21858 is a recently disclosed critical (CVSS score 10.0) Arbitrary File Read vulnerability affecting n8n, which is a workflow automation tool. If successfully exploited the flaw might allow attackers to access files on the underlying vulnerable server through execution of certain form-based workflows. The vulnerability has already been patched in product version 1.121.0 or newer. | VULNEREBILITY | |
| 12.2.26 | From Spreadsheet to Control: How XWorm RAT Infiltrates Systems | XWorm is a well-established, highly modular Remote Access Trojan (RAT). Features available in this RAT include data exfiltration, encrypted C2 communications, full system control, and surveillance. Researchers at Fortinet have published details about recent phishing campaigns attempting to deliver this payload through various financial or business-themed lures. | VIRUS | |
| 12.2.26 | CVE-2025-69200 - phpMyFAQ vulnerability | CVE-2025-69200 is a recently disclosed high severity (CVSS score 7.5) Information Disclosure vulnerability affecting phpMyFAQ, which is an open-source, database-driven FAQ (Frequently Asked Questions) web application. | VULNEREBILITY | |
| 12.2.26 | PowerTool abused by ransomware actors | PowerTool is a Windows security utility used to detect and analyze rootkits, bootkits, hidden processes, and other kernel-level threats. Recent threat intelligence indicates that multiple ransomware operators are abusing PowerTool in an attempt to disable security products. | RANSOM | |
| 12.2.26 | Malicious ClawHub Skills | Researchers from Koi Security have recently audited the ClawHub “skills” marketplace and found 341 malicious skills—most attributed to a coordinated campaign they call “ClawHavoc.” | VIRUS | |
| 12.2.26 | Opportunistic MassLogger campaign: .Z archives and PDF-lookalike executables | Symantec has observed a MassLogger malspam campaign that used routine “business workflow” themes—procurement, invoices, shipping paperwork, and document transmittals—while impersonating two legitimate organizations. | CAMPAIGN | |
| 12.2.26 | CVE-2026-24061 - GNU InetUtils vulnerability | CVE-2026-24061 is a recently disclosed critical (CVSS score 9.8) Argument Injection vulnerability affecting the GNU InetUtils telnetd service in versions from 1.9.3 through 2.7. | VULNEREBILITY | |
| 9.2.26 | | CVE-2026-23760 is a recently disclosed critical (CVSS score 9.3) Authentication Bypass vulnerability affecting SmarterTools SmarterMail software, which is an email, groupware, and collaboration server designed as an alternative to enterprise collaboration solutions such as Microsoft Exchange. | | |
| 9.2.26 | | Darktrace reports a multi-stage macOS phishing campaign where a lure email delivers an AppleScript file disguised as a Microsoft document (for example, ".docx.scpt") and depends on a user click to execute. | | |
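Both the MassLogger entry (.Z archives, executables dressed up as PDFs) and the Darktrace macOS entry (".docx.scpt") rely on a filename that lies about the content. The check below is an added example of the triage a mail gateway or analyst script would run; it is not code from either vendor. The extension sets, magic numbers and sample attachments are this example's own constructions.

```python
"""Flag attachments whose displayed name is misleading: a document-looking
inner extension hidden behind an executable outer extension (report.docx.scpt),
or a PDF-named file whose bytes are a Windows executable.

Added example; the extension sets and magic numbers are the author's
choices for illustration, not from any vendor report."""
import os
from typing import List

# Assumption: illustrative sets, not exhaustive.
EXECUTABLE_EXTS = {".scpt", ".exe", ".scr", ".com", ".lnk", ".js", ".vbs",
                   ".hta", ".bat", ".cmd", ".ps1"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}

# Leading bytes of a few formats worth comparing against the name.
MAGIC = [
    (b"MZ", "pe"),               # Windows PE (EXE/DLL/SCR/SYS)
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),      # ZIP, also OOXML .docx/.xlsx
    (b"\x1f\x9d", "compress-z"), # Unix compress, the ".Z" format
    (b"\x1f\x8b", "gzip"),
]


def sniff(data: bytes) -> str:
    """Crude content-type detection from leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(name: str) -> List[str]:
    """All extensions, lowercase, outermost last: 'a.docx.scpt' -> ['.docx', '.scpt']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:] if p]


def assess(name: str, data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    exts = extensions(name)
    outer = exts[-1] if exts else ""
    kind = sniff(data)
    if "\u202e" in name:  # right-to-left override hides the true extension
        findings.append("RLO character in filename")
    if outer in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append("double extension: document name ends in %s" % outer)
    if outer == ".pdf" and kind not in ("pdf", "unknown"):
        findings.append("content mismatch: .pdf is really %s" % kind)
    elif kind == "pe" and outer not in EXECUTABLE_EXTS:
        findings.append("content mismatch: %s named file is a PE executable"
                        % (outer or "extensionless"))
    if kind == "compress-z" or outer == ".z":
        findings.append("legacy .Z archive; inspect contents before release")
    return findings


if __name__ == "__main__":
    # Constructed samples (names and bytes invented for this example).
    samples = [
        ("Invoice_2026.docx.scpt", b"FasdUAS 1.101.10"),
        ("Shipping_Docs.pdf", b"MZ\x90\x00\x03\x00"),
        ("Quote.pdf", b"%PDF-1.7\n"),
        ("Purchase_Order.Z", b"\x1f\x9d\x90"),
    ]
    for name, data in samples:
        print(name, "->", assess(name, data) or "clean")
```

Name-based and content-based checks are kept separate so each finding says which lie was told; a gateway policy can then quarantine on either, rather than trusting the icon or the extension a user sees.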
9.2.26 |
Recent reports exposed a campaign targeting Kazakh and Afghan organizations with the KazakRAT remote access trojan in January 2026. The actors behind it may have been operating since August 2022. |
|||
| 9.2.26 | WinRAR CVE-2025-8088 Drives Targeted Espionage in Southeast Asia | Check Point Research ties espionage campaigns in Southeast Asia to a China-nexus actor dubbed Amaranth-Dragon, targeting government and law enforcement. | | |
| 9.2.26 | Billbug Threat Actor Compromised Notepad++ Update Infrastructure | Notepad++, a popular text editor for Windows, was the victim of a supply-chain attack by Chinese state-linked hackers identified as Billbug (aka Lotus Blossom, Spring Dragon). | | |
| 9.2.26 | Recent Black Basta Ransomware Campaign Embeds Vulnerable Driver in Payload | A recent Black Basta attack campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself. | | |
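A driver carried inside a ransomware payload is a kernel-mode PE image sitting in the data of a user-mode executable, and that is something a static scanner can find without running the sample. The following is an added example of such a scan, written for this page; it is not Black Basta code and not any vendor's detection logic. The sample payload is constructed inline from minimal fake PE headers, and the heuristic (an embedded image with the NATIVE subsystem) is this example's own choice.

```python
"""Scan a payload for embedded PE images and report any with the NATIVE
subsystem, which is what a kernel driver dropped for BYOVD looks like.

Added example; not Black Basta code and not any vendor's detection logic.
The sample payload is constructed in-line from minimal fake PE headers."""
import struct
from typing import Dict, List, Optional

IMAGE_SUBSYSTEM_NATIVE = 1        # kernel drivers (and a few boot-time user programs)
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x64", 0xAA64: "arm64"}


def parse_pe_at(blob: bytes, off: int) -> Optional[Dict[str, object]]:
    """Parse the headers of a PE image starting at blob[off]; None if not one."""
    if blob[off:off + 2] != b"MZ" or len(blob) < off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or blob[pe:pe + 4] != b"PE\0\0":
        return None
    coff = pe + 4                                   # 20-byte COFF file header
    opt = coff + 20                                 # optional header follows it
    if len(blob) < opt + 70:
        return None
    machine = struct.unpack_from("<H", blob, coff)[0]
    characteristics = struct.unpack_from("<H", blob, coff + 18)[0]
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (0x10B, 0x20B):                 # PE32 / PE32+
        return None
    # Subsystem is at offset 68 of the optional header in both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]
    return {
        "offset": off,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "subsystem": subsystem,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "native": subsystem == IMAGE_SUBSYSTEM_NATIVE,
    }


def find_pe_images(blob: bytes) -> List[Dict[str, object]]:
    """Every offset where a structurally valid PE header begins (offset 0 is the carrier)."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(blob, pos)
        if info:
            found.append(info)
        pos = blob.find(b"MZ", pos + 1)
    return found


def embedded_driver_offsets(blob: bytes) -> List[int]:
    """Offsets (>0) of embedded native-subsystem images: BYOVD candidates."""
    return [i["offset"] for i in find_pe_images(blob) if i["offset"] > 0 and i["native"]]


def make_pe_stub(subsystem: int, characteristics: int, machine: int = 0x8664) -> bytes:
    """Constructed minimal PE32+ header: DOS header, signature, COFF, optional header, no sections."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew: signature right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample: a user-mode carrier, filler that happens to contain a
# stray "MZ" (must not be reported), then a native-subsystem image.
SAMPLE_PAYLOAD = (
    make_pe_stub(IMAGE_SUBSYSTEM_WINDOWS_CUI, 0x0022)
    + b"\x00" * 64
    + b"MZ" + b"\x00" * 62
    + make_pe_stub(IMAGE_SUBSYSTEM_NATIVE, 0x2022)
    + b"\x00" * 16
)

if __name__ == "__main__":
    for img in find_pe_images(SAMPLE_PAYLOAD):
        print(img)
    print("BYOVD candidates at:", embedded_driver_offsets(SAMPLE_PAYLOAD))
```

On a real sample the embedded image may be compressed or encrypted, in which case this scan finds nothing and the driver only appears after unpacking or at drop time; the structural check is cheap enough to run first and pairs with file-write monitoring for .sys files as the fallback.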
| 9.2.26 | Operation Neusploit: Swallowtail Exploits CVE-2026-21509 to Deliver Backdoors | Swallowtail (aka APT28 or Fancy Bear) is a Russian espionage group observed exploiting a recently disclosed Microsoft Office Security Feature Bypass Vulnerability, identified as CVE-2026-21509. In a campaign tagged "Operation Neusploit" by researchers at Zscaler, the group distributes specially crafted Office documents in RTF format. | | |
| 9.2.26 | CVE-2026-21509: Microsoft Office Security Feature Bypass Vulnerability | Microsoft has issued an emergency fix for a high-severity Microsoft Office zero-day flaw, tracked as CVE-2026-21509 (CVSS Score: 7.8). Attackers are reported to be actively exploiting it to bypass security features via malicious documents that are distributed together with social engineering lures to trick users into opening them. | | |
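The two CVE-2026-21509 entries above describe RTF lures but do not say which construct the bypass abuses, so no signature for the CVE can be written from this page. What a defender can still do with the RTF attachments is static triage of embedded OLE objects, which is what the added example below does. It is this page's own illustration, not Zscaler's or Microsoft's detection logic; the control-word list, marker bytes and both sample documents are constructed for it.

```python
"""Static triage of an RTF lure: count embedded OLE objects, note the
\\objupdate auto-update switch, list declared classes, and look inside
hex-encoded \\objdata payloads for executable or compound-file markers.

Added example. The page does not say which construct CVE-2026-21509 abuses,
so this is a generic embedded-object check, not a signature for that CVE.
Control-word list and sample documents are the author's."""
import re
from typing import Dict, List

OBJECT_RE = re.compile(rb"\\object(?![a-zA-Z])")
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![a-zA-Z])")
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)")

# Byte patterns worth reporting inside a decoded payload (assumption: author's list).
PAYLOAD_MARKERS = [
    (b"MZ", "PE executable"),
    (b"\xd0\xcf\x11\xe0", "OLE compound file"),
    (b"PK\x03\x04", "ZIP/OOXML container"),
]


def decode_objdata(hexblob: bytes) -> bytes:
    """Strip whitespace from the hex run of an \\objdata group and decode it."""
    digits = re.sub(rb"\s+", b"", hexblob)
    if len(digits) % 2:              # tolerate a truncated trailing nibble
        digits = digits[:-1]
    return bytes.fromhex(digits.decode("ascii"))


def scan_rtf(data: bytes) -> Dict[str, object]:
    # Word is known to accept a header starting with "{\rt", so do not
    # insist on the full "{\rtf1" when deciding whether to scan.
    if not data.lstrip().startswith(b"{\\rt"):
        return {"is_rtf": False}
    payloads = [decode_objdata(m.group(1)) for m in OBJDATA_RE.finditer(data)]
    markers: List[str] = []
    for p in payloads:
        for pat, label in PAYLOAD_MARKERS:
            if pat in p and label not in markers:
                markers.append(label)
    return {
        "is_rtf": True,
        "objects": len(OBJECT_RE.findall(data)),
        "objupdate": bool(OBJUPDATE_RE.search(data)),
        "classes": [m.group(1).strip().decode("latin-1") for m in OBJCLASS_RE.finditer(data)],
        "objdata_bytes": sum(len(p) for p in payloads),
        "payload_markers": markers,
    }


def is_suspicious(report: Dict[str, object]) -> bool:
    """Rule of thumb: an object that auto-updates on open, or a payload carrying an executable/container."""
    return bool(report.get("is_rtf")) and (
        bool(report.get("objupdate")) or bool(report.get("payload_markers"))
    )


# Constructed samples (not real lures).
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Calibri;}}\\f0 Quarterly figures attached.\\par}"
OBJECT_RTF = (
    b"{\\rtf1\\ansi Please review the attached agreement.\\par\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}"
    b"{\\*\\objdata 01050000 02000000 08000000 5061636b61676500\n"
    b"00000000 00000000 0e000000 4d5a900003000000 04000000ffff0000}}}"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("object", OBJECT_RTF)):
        report = scan_rtf(doc)
        print(label, report, "SUSPICIOUS" if is_suspicious(report) else "ok")
```

The scan is deliberately structural rather than exploit-specific: whether or not a given sample carries the CVE-2026-21509 trigger, an RTF from an unknown sender that embeds an auto-updating object whose payload contains a PE image warrants detonation before it reaches a user.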
| 9.2.26 | | Researchers have published a deeper technical breakdown of DynoWiper, a new data-wiping malware used in a December 2025 attack on a Polish energy company's IT systems, expanding on earlier reporting and identifying similarities to the ZOV wiper observed in Ukraine earlier in the year. | | |
| 9.2.26 | | Infostealers are a commonly observed payload in malware campaigns. They are often distributed through social engineering tactics such as the popular ClickFix method, malvertising, or disguised as installers for popular software. A recent Microsoft report highlights this activity, specifically focusing on macOS and Python-based stealers. | | |