BLOG 2025 AI blog APT blog Attack blog BigBrother blog BotNet blog Cyber blog Cryptocurrency blog Exploit blog Hacking blog ICS blog Incident blog IoT blog Malware blog OS Blog Phishing blog Ransom blog Safety blog Security blog Social blog Spam blog Vulnerebility blog 2024 2023
H January(21) February(46) March(44) April(33) May(35) June(67) July(84) August(73) September(57) October(0) November(59) December(60) 2025 January(29) February(72) March(67)
DATE |
NAME |
Info |
CATEG. |
WEB |
| 21.6.25 | Threat actor Banana Squad exploits GitHub repos in new campaign | ReversingLabs researchers discovered more than 60 GitHub repositories that contain hundreds of trojanized files. | APT blog | Reversinglabs |
| 21.6.25 | Threat Group Targets Companies in Taiwan | FortiGuard Labs has uncovered an ongoing cyberattack, targeting companies in Taiwan using phishing emails disguised as tax-related communications | APT blog | FOTINET |
| 21.6.25 | CERT-In Vulnerability Note Highlights Critical Security Risks in Ivanti, Trend Micro, Apache Kafka, and SAP Products | CERT-In Vulnerability Note reveals serious flaws in Ivanti, Trend Micro, Apache Kafka, and SAP products. | Vulnerebility blog | Cyble |
| 21.6.25 | NCSC Q1 2025 Report Reveals 14.7% Surge in Cybercrime Financial Losses in New Zealand | The NCSC’s Cyber Security Insights report for Q1 2025 shows a 14.7% rise in financial losses from cybercrime, with $7.8M lost mainly due to scams and fraud targeting NZ businesses. | Cyber blog | Cyble |
| 21.6.25 | DOJ Seizes $225M in Crypto Tied to Fraud and Money Laundering | The U.S. Department of Justice (DOJ) filed a civil forfeiture complaint to seize over $225.3 million in cryptocurrency. The funds are allegedly tied to a sprawling cryptocurrency investment fraud and money laundering operation that targeted hundreds of victims through blockchain-based schemes. | Cryptocurrency blog | Cyble |
| 21.6.25 | Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry | During our recent investigation at Seqrite Labs, we identified a sophisticated variant of Masslogger credential stealer malware spreading through .VBE (VBScript Encoded) files | Malware blog | Seqrite |
| 21.6.25 | APT36 Phishing Campaign Targets Indian Defense Using Credential-Stealing Malware | Executive Summary APT36, also known as Transparent Tribe, is a Pakistan-based cyber espionage group that has been actively targeting Indian defense personnel through highly | APT blog | Cyfirma |
| 21.6.25 | Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication | Proofpoint has been closely monitoring a stealer malware formerly known as ACR Stealer. In 2025, Proofpoint analysts identified a new, unnamed malware exhibiting significant code overlap, shared features, and capabilities with ACR Stealer. | Malware blog | PROOFPOINT |
| 21.6.25 | Uncovering a Tor-Enabled Docker Exploit | A recent attack campaign took advantage of exposed Docker Remote APIs and used the Tor network to deploy a stealthy cryptocurrency miner. This blog breaks down the attack chain. | Exploit blog | Trend Micro |
| 21.6.25 | An Investigation of AWS Credential Exposure via Overprivileged Containers | Overprivileged or misconfigured containers in Amazon EKS can expose sensitive AWS credentials to threats like packet sniffing and API spoofing, highlighting the need for least privilege and proactive security to detect and reduce these risks. | Incident blog | Trend Micro |
| 21.6.25 | Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet | This blog uncovers an active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 that deploys the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data. | Vulnerebility blog | Trend Micro |
| 21.6.25 | VMDetector-Based Loader Abuses Steganography to Deliver Infostealers | Recently, the SonicWall Capture Labs threat research team has identified various malware strains being distributed through a custom VMDetector Loader. | Malware blog | SonicWall |
| 21.6.25 | Medusa RaaS Group Continues Company Focused Triple Extortion Attacks | The SonicWall Capture Labs threat research team continues to track the developments of Medusa ransomware. Medusa is a Russian-speaking Ransomware-as-a-Service (RaaS) operation that has been active since mid-2021. | Ransom blog | SonicWall |
| 21.6.25 | Pre-Auth RCE Alert: Critical SSH Flaw in Erlang/OTP (CVE-2025-32433) | The SonicWall Capture Labs threat research team became aware of a pre-authentication vulnerability in Erlang/OTP (Open Telegram Platform) SSH server implementation, assessed its impact, and developed mitigation measures | Vulnerebility blog | SonicWall |
| 21.6.25 | Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation | This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer. We combine our new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. | Malware blog | Palo Alto |
| 21.6.25 | Resurgence of the Prometei Botnet | In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it. | BotNet blog | Palo Alto |
| 21.6.25 | Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data | Check Point Research discovered a multistage campaign targeting Minecraft users via the distribution as a service (DaaS) Stargazers Ghost Network, which operates on GitHub. The malware impersonates, among others, Oringo and Taunahi, which are “Scripts & Macro” tools (a.k.a cheats). | Malware blog | Checkpoint |
| 21.6.25 | Famous Chollima deploying Python version of GolangGhost RAT | Learn how the North Korean-aligned Famous Chollima is using the a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India. | Malware blog | CISCO TALOS |
| 21.6.25 | A week with a "smart" car | In this edition, Thor shares how a week off with a new car turned into a crash course in modern vehicle tech. Surprisingly, it offers many parallels to cybersecurity usability. | Hacking blog | CISCO TALOS |
| 21.6.25 | When legitimate tools go rogue | Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders. | Hacking blog | CISCO TALOS |
| 21.6.25 | Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” | Vulnerebility blog | CISCO TALOS |
| 21.6.25 | catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15. | Vulnerebility blog | CISCO TALOS |
| 21.6.25 | Ransomware Gangs Collapse as Qilin Seizes Control | In this Threat Alert, Cybereason explores the rise of Qilin amidst a turbulent realignment of the ransomware landscape. | Ransom blog | Cybereason |
| 21.6.25 | Hidden Malware Discovered in jQuery Migrate: A Stealthy Supply Chain Threat | This blog breaks down how a commonly used JavaScript library was weaponized to deliver browser-based malware via compromised WordPress assets. | Malware blog | Trelix |
| 20.6.25 | Defending the Internet: how Cloudflare blocked a monumental 7.3 Tbps DDoS attack | In mid-May 2025, Cloudflare blocked the largest DDoS attack ever recorded: a staggering 7.3 terabits per second (Tbps). | Attack blog | blog.cloudflare |
| 20.6.25 | Threat actor Banana Squad exploits GitHub repos in new campaign | ReversingLabs researchers discovered more than 60 GitHub repositories that contain hundreds of trojanized files. | Exploit blog | ReversingLabs |
| 20.6.25 | Steam Account Checker Poisoned with Infostealer | I found an interesting script targeting Steam users. Steam is a popular digital distribution platform for purchasing, downloading, and playing video games on personal computers. The script is called "steam-account-checker" and is available in Github | Malware blog | SANS |
| 20.6.25 | Clone, Compile, Compromise: Water Curse’s Open-Source Malware Trap on GitHub | The Trend Micro™ Managed Detection and Response team uncovered a threat campaign orchestrated by an active group, Water Curse. The threat actor exploits GitHub, one of the most trusted platforms for open-source software, as a delivery channel for weaponized repositories. | Malware blog | Trend Micro |
| 18.6.25 | Heightened Cyberthreat Amidst Israel-Iran Conflict | In the wake of Israel’s large-scale military operation, Operation Rising Lion, which targeted Iranian nuclear and military infrastructure on June 13, 2025, the Israelian cyberthreat landscape has escalated significantly. | APT blog | REDWARE |
| 18.6.25 | Team46 and TaxOff: two sides of the same coin | In March 2025, the Threat Intelligence Department of the Positive Technologies Expert Security Center (PT ESC) analyzed an attack that exploited a Google Chrome zero-day vulnerability (sandbox escape), which was registered around the same time and has since been tracked as CVE-2025-2783. | Vulnerebility blog | POSITIVE TECHNOLOGIES |
| 18.6.25 | Threat Group Targets Companies in Taiwan | In January 2025, FortiGuard Labs observed an attack targeting users in Taiwan. The threat actor is spreading the malware known as winos 4.0 via an email masquerading as being from Taiwan's National Taxation Bureau | APT blog | FOTINET |
| 18.6.25 | Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform | Welcome to June! We’re back—this time, we're exploring Sitecore’s Experience Platform (XP), demonstrating a pre-auth RCE chain that we reported to Sitecore in February 2025. | Vulnerebility blog | labs.watchtowr |
| 18.6.25 | Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet | This blog uncovers an active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 that deploys the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data. | Vulnerebility blog | Trend Micro |
| 14.6.25 | Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows | Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted individuals. | Phishing blog | VELOXITY |
| 14.6.25 | GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically | In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and the sheer size of the resulting binaries. This issue is amplified when samples are obfuscated using tools such as Garble, an open-source Golang obfuscation tool. | Malware blog | VELOXITY |
| 14.6.25 | Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication | Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack campaigns were highly targeted and carried out in a variety of ways. The majority of these attacks originated via spear-phishing emails with different themes. In one case, the eventual breach began with highly tailored outreach via Signal. | APT blog | VELOXITY |
| 14.6.25 | The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access | In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever worked. | APT blog | VELOXITY |
| 14.6.25 | BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA | In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. | Attack blog | VELOXITY |
| 14.6.25 | StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms | In mid-2023, Volexity detected and responded to multiple incidents involving systems becoming infected with malware linked to StormBamboo (aka Evasive Panda, and previously tracked by Volexity under “StormCloud”). | Malware blog | VELOXITY |
| 14.6.25 | DISGOMOJI Malware Used to Target Indian Government | In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137 | Malware blog | VELOXITY |
| 14.6.25 | Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices | Last month, Volexity reported on its discovery of zero-day, in-the-wild exploitation of CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS by a threat actor Volexity tracks as UTA0218. | Vulnerebility blog | VELOXITY |
| 14.6.25 | The Week in Vulnerabilities: Ivanti, Versa Flaws Flagged by Cyble | The week also included Patch Tuesday for many vendors, making it a busy one for security teams dealing... | Vulnerebility blog | Cyble |
| 14.6.25 | The Week in Vulnerabilities: Cyble Warns of Rising Exploits Targeting ICS, Enterprise, and Web Systems | Cyble reports rising vulnerability threats from May 28–June 3, highlighting flaws in ICS, enterprise,... | Exploit blog | Cyble |
| 14.6.25 | Software Supply Chain Attacks Surged in April and May | Threat actors are getting better at exploiting software supply chain vulnerabilities. We look at recent... | Hacking blog | Cyble |
| 14.6.25 | Over 20 Crypto Phishing Applications Found on the Play Store Stealing Mnemonic Phrases | CRIL discovers over 20 malicious apps targeting crypto wallet users with phishing tactics and Play Store... | Phishing blog | Cyble |
| 14.6.25 | Security Flaws in eMagicOne Store Manager for WooCommerce in WordPress (CVE-2025-5058 and CVE-2025-4603) | Security Flaws in eMagicOne Store Manager for WooCommerce in WordPress (CVE-2025-5058 and CVE-2025-4603) The eMagicOne Store Manager for WooCommerce plugin is in WordPress used to simplify and improve store management by providing functionality not found in the normal WooCommerce... | Vulnerebility blog | Seqrite |
| 14.6.25 | How Seqrite Endpoint Protection Blocks Non-Human Threats like Bots, Scripts, and Malware | How Seqrite Endpoint Protection Blocks Non-Human Threats like Bots, Scripts, and Malware In today’s hyper-connected digital world, the cybersecurity landscape is shifting dramatically. Gone are the days when cyberattacks primarily relied on human intervention. We’re now facing a new... | Security blog | Seqrite |
| 14.6.25 | Operation DRAGONCLONE: Chinese Telecommunication industry targeted via VELETRIX & VShell malware | Operation DRAGONCLONE: Chinese Telecommunication industry targeted via VELETRIX & VShell malware. Contents Introduction Initial Findings Infection Chain. Technical Analysis Stage 0 – Malicious ZIP File. Stage 1 – Malicious VELETRIX implant. Stage 2 – Malicious V-Shell implant. Hunting and... | BigBrother blog | Seqrite |
| 14.6.25 | Trapped by a Call: The Digital Arrest Scam | Digital Arrest Scam: It all starts with a phone call that seems routine at first—measured, official-sounding, and unexpectedly serious. On the other end is someone claiming to represent a government body, calmly accusing you of crimes you’ve never committed—drug... | Spam blog | Seqrite |
| 14.6.25 | TRACKING RANSOMWARE : MAY 2025 | EXECUTIVE SUMMARY In May 2025, ransomware attacks targeted critical industries such as Professional Goods & Services, Consumer Goods, and Manufacturing, with a total of | Ransom blog | Cyfirma |
| 14.6.25 | APT PROFILE – MISSION2025 | MISSION2025 is a Chinese state-sponsored advanced persistent threat (APT) group linked to APT41. Active since at least 2012, the group has conducted cyberespionage and | APT blog | Cyfirma |
| 14.6.25 | Understanding CyberEYE RAT Builder: Capabilities and Implications | EXECUTIVE SUMMARY CyberEye (also distributed under names like TelegramRAT) is a modular, .NET-based Remote Access Trojan (RAT) that provides a wide array of surveillance and | Malware blog | Cyfirma |
| 14.6.25 | AI is Critical Infrastructure: Securing the Foundation of the Global Future | AI data centers are critical infrastructure now. The U.S. investment in AI is nearing a trillion dollars, and new agreements between global superpowers and hyperscaler companies are turning AI into what recent congressional testimony from the Center for Strategic and International Studies described as “the defining competition of the 21st century.” | AI blog | Eclypsium |
| 14.6.25 | Even More Holes In Your Boot: Critical UEFI Secure Boot Bypass Vulnerabilities | Short Description: CVE-2025-427 (aka “Hydroph0bia”), CVE-2025-3052, and CVE-2025-47827 expose fundamental flaws in how firmware handles Secure Boot validation. Affecting systems using UEFI firmware, these vulnerabilities allow attackers to bypass critical security controls and execute malicious code during early boot phases. Here’s what you need to know: | Vulnerebility blog | Eclypsium |
| 14.6.25 | Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper | Anubis is an emerging ransomware-as-a-service (RaaS) group that adds a destructive edge to the typical double-extortion model with its file-wiping feature. We explore its origins and examine the tactics behind its dual-threat approach. | Ransom blog | Trend Micro |
| 14.6.25 | Critical SAP Vulnerability Exposes Enterprises | CVE-2025-31324 in SAP NetWeaver Visual Composer enables unauthenticated file uploads, exposing systems to RCE and data loss - learn what to do about it. | Vulnerebility blog | Trend Micro |
| 14.6.25 | High-Severity Open Redirect Vulnerability in Grafana Leads to Account Takeover: CVE-2025-4123 | The SonicWall Capture Labs threat research team became aware of an open redirect vulnerability in Grafana, assessed its impact and developed mitigation measures. | Vulnerebility blog | SonicWall |
| 14.6.25 | Microsoft Security Bulletin Coverage for June 2025 | Microsoft’s June 2025 Patch Tuesday includes 66 vulnerabilities, 25 of which are classified as Remote Code Execution (RCE). The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month and produced protection coverage for eight of the reported vulnerabilities. | OS Blog | SonicWall |
| 14.6.25 | JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique | We recently discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code. | Malware blog | Palo Alto |
| 14.6.25 | The Evolution of Linux Binaries in Targeted Cloud Operations | Unit 42 researchers have identified a growing threat to cloud security: Linux Executable and Linkage Format (ELF) files that threat actors are developing to target cloud infrastructure. | Hacking blog | Palo Alto |
| 14.6.25 | Serverless Tokens in the Cloud: Exploitation and Detections | This article outlines the mechanics and security implications of serverless authentication across major cloud platforms. | Exploit blog | Palo Alto |
| 14.6.25 | CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage | Check Point Research (CPR) discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server. | Vulnerebility blog | Checkpoint |
| 14.6.25 | From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery | Check Point Research uncovered an active malware campaign exploiting expired and released Discord invite links. Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers. | Malware blog | Checkpoint |
| 14.6.25 | Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine | Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.” | Malware blog | CISCO TALOS |
| 14.6.25 | Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” | OS Blog | CISCO TALOS |
| 14.6.25 | Copyright Phishing Lures Leading to Rhadamanthys Stealer Now Targeting Europe | Cybereason issues Threat Alerts to inform customers of emerging impacting threats, critical vulnerabilities and attacker campaigns. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them. | Phishing blog | Cybereason |
| 14.6.25 | Inside LockBit's Admin Panel Leak | the LockBit admin panel was hacked by an anonymous actor who replaced their TOR website with the text ‘Don’t do crime CRIME IS BAD xoxo from Prague’ and shared a SQL dump of their admin panel database in an archived file ‘paneldb_dump.zip’. | Ransom blog | Trelix |
| 13.6.25 | Fog Ransomware: Unusual Toolset Used in Recent Attack | Legitimate employee monitoring software and various pentesting tools deployed. | Ransom blog | SYMANTEC BLOG |
| 13.6.25 | First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted | On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists that consented for the technical analysis of their cases. The key findings from our forensic analysis of their devices are summarized below: | Malware blog | THE CITIZENLAB |
| 13.6.25 | Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal | On November 13, 2024, Qurium researchers exposed that the Swiss-Czech adtech company Los Pollos was part of VexTrio, the largest and oldest known malicious TDS. | Malware blog | Infoblox |
| 13.6.25 | Attackers Unleash TeamFiltration: Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool | Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts. | Malware blog | PROOFPOINT |
| 13.6.25 | Gone But Not Forgotten: Black Basta’s Enduring Legacy | The ransomware operator “Black Basta” has experienced a sharp decline following the public leak of its internal chat logs, but its legacy lives on. | Ransom blog | RELIAQUEST |
| 10.6.25 | Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets | In October 2024, SentinelLABS observed and countered a reconnaissance operation targeting SentinelOne, which we track as part of a broader activity cluster named PurpleHaze. | APT blog | SENTINEL LABS |
| 10.6.25 | Bruteforcing the phone number of any Google user | A few months ago, I disabled javascript on my browser while testing if there were any Google services left that still worked without JS in the modern web. Interestingly enough, the username recovery form still worked! | Hacking blog | BRUTECAT |
| 10.6.25 | Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability | The Akamai Security Intelligence and Response Team (SIRT) has identified active exploitation of the critical remote code execution (RCE) vulnerability CVE-2025-24016 against Wazuh servers (CVSS 9.9). | BotNet blog | AKAMAI |
| 8.6.25 | Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines | UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations | Hacking blog | Google Threat Intelligence |
| 7.6.25 | Security Flaws in Chrome Extensions: The Hidden Dangers of Hardcoded Credentials | API keys, secrets, and tokens commonly left exposed in browser extensions’ code. | Vulnerebility blog | SYMANTEC BLOG |
| 7.6.25 | The strange tale of ischhfd83: When cybercriminals eat their own | A simple customer query leads to a rabbit hole of backdoored malware and game cheats | Cyber blog | Sophos |
| 7.6.25 | How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload | Read how a malicious Excel file exploits CVE-2017-0199 to deliver FormBook malware via phishing. | Vulnerebility blog | FOTINET |
| 7.6.25 | CISA Issues Advisories Highlighting Siemens SiPass and Other Critical Vulnerabilities targeting ICS systems | CISA’s latest ICS advisories reveal major flaws in Siemens SiPass, Consilium fire panels, and more. | ICS blog | Cyble |
| 7.6.25 | Ransomware Landscape May 2025: SafePay, DevMan Emerge as Major Threats | Top Ransomware Groups of May 2025: SafePay and DevMan Rise | Ransom blog | Cyble |
| 7.6.25 | Over 20 Crypto Phishing Applications Found on the Play Store Stealing Mnemonic Phrases | CRIL discovers over 20 malicious apps targeting crypto wallet users with phishing tactics and Play Store distribution under compromised developer accounts. | Cryptocurrency blog | Cyble |
| 7.6.25 | Trapped by a Call: The Digital Arrest Scam | Digital Arrest Scam: It all starts with a phone call that seems routine at first—measured, official-sounding, and unexpectedly serious. On the other end is someone claiming to represent a government body, calmly accusing you of crimes you’ve never committed—drug | Spam blog | Seqrite |
| 7.6.25 | UKRAINE’S ATTACK ON RUSSIA’S STRATEGIC AIR FORCE – LIVE FEED FROM A REVOLUTION IN MILITARY AFFAIRS | EXECUTIVE SUMMARY In a stunning move on June 1, 2025, Ukraine unleashed "Operation Spider's Web", a daring, long-range drone attack that reportedly crippled up to a third of | BigBrother blog | Cyfirma |
| 7.6.25 | DuplexSpy RAT: Stealthy Windows Malware Enabling Full Remote Control and Surveillance | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging cyber threats and adversarial tactics targeting individuals and organizations. | Malware blog | Cyfirma |
| 7.6.25 | Firewalls and Frontlines: The India-Pakistan Cyber Battlefield Crisis | EXECUTIVE SUMMARY At CYFIRMA, we are committed to offering up-to-date insights into prevalent threats and tactics employed by malicious actors, targeting both organizations | BigBrother blog | Cyfirma |
| 7.6.25 | Versa Concerto: Understanding and Mitigating CVE-2025-34027 | EXECUTIVE SUMMARY In May 2025, a set of critical zero-day vulnerabilities was disclosed in Versa Concerto, a popular SD-WAN and SASE solution used across enterprises for secure | Vulnerebility blog | Cyfirma |
| 7.6.25 | SMM Callout Vulnerabilities in UEFI | Eclypsium Automata has identified multiple, separate SMM callout vulnerabilities in UEFI modules supplied by AMD and leading firmware vendor AMI. | Vulnerebility blog | Eclypsium |
| 7.6.25 | Verizon DBIR 2025 Key Stats: Network Device Attacks, Third Party Risk, and More | Massive shifts in cyber attack behavior have been revealed in the 2025 Verizon Data Breach Investigation Report (DBIR). Here are a few of the most surprising stats with real world implications for cybersecurity strategy and attack surface management. | Security blog | Eclypsium |
| 7.6.25 | The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Analyst note: Throughout this blog, researchers have defanged TA397-controlled indicators and modified certain technical details to protect investigation methods. | APT blog | PROOFPOINT |
| 7.6.25 | GuLoader Brings the Noise — and the Obfuscation | This week the SonicWall Capture Labs threat research team analyzed a sample of GuLoader, a dropper and infostealer capable of harvesting credentials, evading AV, and creating persistence through a variety of techniques. It drops a number of files and uses them as timers and canaries to ensure uptime on the victim system. | Malware blog | SonicWall |
| 7.6.25 | Cacti v1.2.25 CVE-2023-49085 and CVE-2023-49084 Enable SQLi, LFI, and RCE | SonicWall Capture Labs threat research team became aware of the threat CVE-2023-49085, assessed its impact and developed mitigation measures for this vulnerability. | Vulnerebility blog | SonicWall |
| 7.6.25 | High-Severity Open Redirect Vulnerability in Grafana Leads to Account Takeover: CVE-2025-4123 | The SonicWall Capture Labs threat research team became aware of an open redirect vulnerability in Grafana, assessed its impact and developed mitigation measures. Grafana is known for creating dynamic charts, graphs, and alerts based on data sources, making it a critical component in many monitoring stacks. | Vulnerebility blog | SonicWall |
| 7.6.25 | How Good Are the LLM Guardrails on the Market? A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms | We conducted a comparative study of the built-in guardrails offered by three major cloud-based large language model (LLM) platforms. We examined how each platform's guardrails handle a broad range of prompts, from benign queries to malicious instructions. | AI blog | Palo Alto |
| 7.6.25 | Lost in Resolution: Azure OpenAI's DNS Resolution Issue | In late 2024, Unit 42 researchers discovered an issue with Azure OpenAI’s Domain Name System (DNS) resolution logic that could have enabled cross-tenant data leaks and meddler-in-the-middle (MitM) attacks. This issue stemmed from a misconfiguration in how the Azure OpenAI API handled domain assignments, versus how the user interface (UI) handled them. | AI blog | Palo Alto |
| 7.6.25 | Blitz Malware: A Tale of Game Cheats and Code Repositories | In 2024, we discovered new Windows-based malware called Blitz. This article provides an in-depth analysis of the malware, examines its distribution and reviews Blitz malware's command and control (C2) infrastructure. We found a new version of Blitz in early 2025, which indicates this malware has been in active development. | Malware blog | Palo Alto |
| 7.6.25 | Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine | Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.” | Malware blog | CISCO TALOS |
| 7.6.25 | BladedFeline: Whispering in the dark | ESET researchers analyzed a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group with likely ties to OilRig | APT blog | Eset |
| 7.6.25 | Don’t let dormant accounts become a doorway for cybercriminals | Do you have online accounts you haven't used in years? If so, a bit of digital spring cleaning might be in order. | Cyber blog | Eset |
| 7.6.25 | Demystifying Myth Stealer: A Rust Based InfoStealer | During regular proactive threat hunting, the Trellix Advanced Research Center identified a fully undetected infostealer malware sample written in Rust. | Malware blog | Trelix |
| 7.6.25 | Unmasking Insecure HTTP Data Leaks in Popular Chrome Extensions | Extensions analyzed expose information such as browsing domains, machine IDs, OS details, usage analytics, and more. | Hacking blog | SYMANTEC BLOG |
| 5.6.25 | The Bitter End: Unraveling Eight Years of Espionage Antics – Part Two | Bitter's malware has significantly evolved since 2016, moving from basic downloaders to more capable RATs. The group primarily uses simple and home-grown payloads delivered via their infection chain, rather than relying on advanced anti-analysis techniques within the payloads itself. | APT blog | THREATRAY |
| 5.6.25 | The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint Threat Research assesses it is highly likely that TA397 is a state-backed threat actor tasked with intelligence gathering in the interests of the Indian state. | APT blog | PROOFPOINT |
| 1.6.25 | Infostealer Malware FormBook Spread via Phishing Campaign – Part II | Learn how the FormBook payload operates on a compromised machine, including the complicated anti-analysis techniques employed by this variant. | Malware blog | FOTINET |
| 1.6.25 | Storm-0558 and the Dangers of Cross-Tenant Token Forgery | Modern cloud ecosystems often place a single identity provider in charge of handling logins and tokens for a wide range of customers. | Hacking blog | TRUSTWAVE |
| 1.6.25 | U.S. Treasury Sanctions FUNNULL CDN, FBI Issues Advisory Warning Against Major Cyber Scam Facilitator | The U.S. Department of the Treasury sanctioned Chinese-based content delivery network (CDN), FUNNULL, labeling it as a major distributor of online scams. The FBI concurrently released an advisory report to disseminate indicators of compromise (IOCs) associated with malicious cyber activities linked to FUNNULL. | Spam blog | Silent Push |
| 1.6.25 | Lumma Infostealer – Down but Not Out? | The takedown achieved a significant disruption to Lumma infostealers’ infrastructure, but likely didn’t permanently affect most of its Russia-hosted infrastructure. | Malware blog | Checkpoint |
| 1.6.25 | The Week in Vulnerabilities: Cyble Sensors Detect Attack Attempts on SAP, Ivanti | Attack attempts picked up by Cyble Sensors’ honeypots highlight threat actors’ resourcefulness and the need for strong security defenses. | Vulnerebility blog | Cyble |
| 1.6.25 | CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform | CISA issues urgent update on threats targeting Commvault’s Metallic SaaS platform, widely used for Microsoft 365 backups. | Exploit blog | Cyble |
| 1.6.25 | FBI Warns Silent Ransom Group Targeting U.S. Law Firms Using Social Engineering and Callback Phishing | The U.S. Federal Bureau of Investigation (FBI) has issued a fresh alert warning law firms and cybersecurity professionals about ongoing cyber threat activity linked to the Silent Ransom Group (SRG)—also known as Luna Moth, Chatty Spider, or UNC3753. | Ransom blog | Cyble |
| 1.6.25 | Lyrix Ransomware | EXECUTIVE SUMMARY CYFIRMA’s research team discovered Lyrix Ransomware while monitoring underground forums as part of our Threat Discovery Process. Developed in Python and | Ransom blog | Cyfirma |
| 1.6.25 | Windows 11 Migration: Navigating the Hardware-Driven Challenges | The clock is ticking. With Microsoft ending Windows 10 support on October 25, 2025—just six months away—organizations worldwide are racing against time to complete their Windows 11 migration. | OS Blog | Eclypsium |
| 1.6.25 | Enhanced Threat Detection: Bootloaders, Bootkits, and Secure Boot | The attack surface Eclypsium set out to defend extends to areas in our systems that many security teams and monitoring tools are either overlooking or trusting someone else has secured for them. | Malware blog | Eclypsium |
| 1.6.25 | Trend Micro Leading the Fight to Secure AI | New MITRE ATLAS submission helps strengthen organizations’ cyber resilience | AI blog | Trend Micro |
| 1.6.25 | Earth Lamia Develops Custom Arsenal to Target Multiple Industries | Trend™ Research has been tracking an active APT threat actor named Earth Lamia, targeting multiple industries in Brazil, India and Southeast Asia countries at least since 2023. The threat actor primarily exploits vulnerabilities in web applications to gain access to targeted organizations. | APT blog | Trend Micro |
| 1.6.25 | NightSpire Ransomware Encrypts Cloud-Stored OneDrive Files | This week, the SonicWall Capture Labs threat research team analyzed a ransomware variant known as NightSpire. While its behavior is typical of most ransomware—encrypting user files and providing recovery instructions via a text file—what makes NightSpire especially concerning is its rapid growth. | Ransom blog | SonicWall |
| 1.6.25 | Cybercriminals camouflaging threats as AI tool installers | Cisco Talos has uncovered new threats, including ransomware like CyberLock and Lucky_Gh0$t, and a destructive malware called Numero, all disguised as legitimate AI tool installers to target victims. | Cyber blog | CISCO TALOS |
| 1.6.25 | This month in security with Tony Anscombe – May 2025 edition | From a flurry of attacks targeting UK retailers to campaigns corralling end-of-life routers into botnets, it's a wrap on another month filled with impactful cybersecurity news | Cyber blog | Eset |
| 1.6.25 | Word to the wise: Beware of fake Docusign emails | Cybercriminals impersonate the trusted e-signature brand and send fake Docusign notifications to trick people into giving away their personal or corporate data | Cyber blog | Eset |
| 1.6.25 | The Windows Registry Adventure #8: Practical exploitation of hive memory corruption | In the previous blog post, we focused on the general security analysis of the registry and how to effectively approach finding vulnerabilities in it. | Vulnerebility blog | Project Zero |
| 1.6.25 | A Flyby on the CFO's Inbox: Spear-Phishing Campaign Targeting Financial Executives with NetBird Deployment | On May 15th, Trellix's email security products alerted on a highly targeted spear-phishing operation aimed at CFOs and finance executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. | Phishing blog | Trelix |
| 27.5.24 | 60 Malicious npm Packages Leak Network and Host Data in Active Malware Campaign | Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. | Malware blog | SOCKET DEV |
| 27.5.24 | Threat Spotlight: Hijacked Routers and Fake Searches Fueling Payroll Heist | ReliaQuest investigated a unique search engine optimization (SEO) poisoning attack targeting mobile devices, where attackers stole credentials via fake login pages to access the employee payroll portal and reroute paychecks. | Hacking blog | RELIAQUEST |
| 25.5.24 | “Anti-Ledger” malware: The battle for Ledger Live seed phrases | Hackers are increasingly exploiting the trust that crypto owners place in cold wallets, turning the very tools meant to secure assets into attack surfaces. The recent ByBit heist has shaken the crypto industry and is unlikely to be the last. However, more low-profile heists are already underway. | Malware blog | Moonlock-lab |
| 25.5.24 | A Sting on Bing: Bumblebee delivered through Bing SEO poisoning campaign | Bumblebee is a downloader malware which has become known for its sophistication and effectiveness. The malware was first discovered in 2022 and was believed to be a tool for ransomware groups due to the developer’s close ties with Conti. | Malware blog | Cyjax |
| 25.5.24 | Not content with attacking retailers, this aggressive group is fighting a turf war with other ransomware operators | Ransom blog | Sophos | |
| 25.5.24 | A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist | Another adversary picks up the email bombing / vishing Storm-1811 playbook, doing thorough reconnaissance to target specific employees with fake help desk call—this time, over the phone. | Spam blog | Sophos |
| 25.5.24 | Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool | Microsoft’s Digital Crimes Unit (DCU) and international partners are disrupting the leading tool used to indiscriminately steal sensitive personal and organizational information to facilitate cybercrime. | Malware blog | Microsoft blog |
| 25.5.24 | Hidden Threats of Dual-Function Malware Found in Chrome Extensions | An unknown actor has been continuously creating malicious Chrome Browser extensions since approximately February, 2024. | Malware blog | dti domain tools |
| 25.5.24 | FIN7: Silent Push unearths the largest group of FIN7 domains ever discovered | 4000+ IOFA domains and IPs found. Louvre, Meta, and Reuters targeted in massive global phishing and malware campaigns. | Phishing blog | Silent Push |
| 24.5.24 | Ransomware Roundup – VanHelsing | The VanHelsing ransomware was first identified in March 2025 and uses TOR sites for ransom negotiations and data leaks. | Ransom blog | FOTINET |
| 24.5.24 | Horabot Unleashed: A Stealthy Phishing Threat | FortiGuard Labs observed a phishing campaign "Horabot" resurfacing with a sophisticated multi-stage attack, blending phishing, credential theft, and propagation. | Phishing blog | FOTINET |
| 24.5.24 | WHILE TRUMP DISRUPTS THE WORLD ORDER, CHINA PREPARES FOR WAR OVER TAIWAN | With Donald Trump’s erratic style and his many isolationist tendencies, none of America’s allies can be 100% sure where they stand. Unlike Ukraine—which, despite America’s wavering | BigBrother blog | Cyfirma |
| 24.5.24 | GhostSpy Web-Based Android RAT : Advanced Persistent RAT with Stealthy Remote Control and Uninstall Resistance | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging threats and attacker tactics. In this report, we analyze a high-risk Android | Malware blog | Cyfirma |
| 24.5.24 | Operation Sindoor – Anatomy of a Digital Siege | Overview Seqrite Labs, India’s largest Malware Analysis lab, has identified multiple cyber events linked to Operation Sindoor, involving state-sponsored APT activity and coordinated hacktivist operations. Observed tactics included spear phishing, deployment of malicious scripts, website defacements, and unauthorized data.. | APT blog | Seqrite |
| 24.5.24 | Enhanced Threat Detection: Bootloaders, Bootkits, and Secure Boot | The attack surface Eclypsium set out to defend extends to areas in our systems that many security teams and monitoring tools are either overlooking or trusting someone else has secured for them. This pre-operating system attack surface includes components such as UEFI and bootloaders. | Malware blog | Eclypsium |
| 24.5.24 | A Brief History of DanaBot, Longtime Ecrime Juggernaut Disrupted by Operation Endgame | DanaBot is a cybercrime malware-as-a-service that Proofpoint researchers first identified and named in May 2018. At the time, banking trojans were the most popular email-based cybercriminal malware threat, and DanaBot became one of the favored payloads by TA547 before being adopted by other notable cybercrime threat actors. | Malware blog | PROOFPOINT |
| 24.5.24 | Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer | Over the past year, Microsoft Threat Intelligence observed the persistent growth and operational sophistication of Lumma Stealer, an info-stealing malware used by multiple financially motivated threat actors to target various industries. | Malware blog | Microsoft blog |
| 24.5.24 | Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan | Trend™ Research discusses the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain. | APT blog | Trend Micro |
| 24.5.24 | Trend Micro Puts a Spotlight on AI at Pwn2Own Berlin | At Trend Micro, we believe we can make the digital world safer by proactively discovering threats and vulnerabilities that others haven’t yet seen. That’s why, every year, we invest millions of dollars in the Trend Zero Day Initiative™ (ZDI)—the world’s largest vendor-agnostic bug bounty program. | Cyber blog | Trend Micro |
| 24.5.24 | Trend Secures AI Infrastructure with NVIDIA | Organizations worldwide are racing to implement agentic AI solutions to drive innovation and competitive advantage. However, this revolution introduces security challenges—particularly for organizations in highly regulated industries that require data sovereignty and strict compliance. | AI blog | Trend Micro |
| 24.5.24 | Using Agentic AI & Digital Twin for Cyber Resilience | Learn how Trend is combining agentic AI and digital twin to transform the way organizations protect themselves from cyber threats. | AI blog | Trend Micro |
| 24.5.24 | Fake CAPTCHA Attacks Deploy Infostealers and RATs in a Multistage Payload Chain | We have detected a new tactic involving fake CAPTCHA pages that trick users into executing harmful commands in Windows. This scheme uses disguised files sent via phishing and other malicious methods. | Malware blog | Trend Micro |
| 24.5.24 | Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan | In July 2024, we disclosed the TIDRONE campaign, in which threat actors targeted Taiwan’s military and satellite industries. During our investigation, we discovered that multiple compromised entities were using the same enterprise resource planning (ERP) software. | APT blog | Trend Micro |
| 24.5.24 | TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC Infostealers Instead | Trend Research has uncovered a novel social engineering campaign using TikTok’s vast user base to distribute information-stealing malware, specifically Vidar and StealC. Unlike the prevalent Fake CAPTCHA campaign — which relies on fake CAPTCHA pages and clipboard hijacking to trick users into running malicious scripts — this new campaign pivots to exploiting the popularity and viral nature of TikTok. | Social blog | Trend Micro |
| 24.5.24 | Critical SysAid XXE Vulnerabilities Expose Systems to Remote Exploitation (CVE-2025-2775–2777) | The SonicWall Capture Labs threat research team became aware of multiple critical XML External Entity (XXE) injection vulnerabilities in SysAid’s IT service management (ITSM) platform. SysAid is used by organizations to streamline and automate help desk operations, asset management and IT workflows, and is available as both a cloud-based and on-premises solution. | Vulnerebility blog | SonicWall |
| 24.5.24 | DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt | In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. | Malware blog | Palo Alto |
| 24.5.24 | Threat Brief: CVE-2025-31324 (Updated May 23) | Update May 23, 2025: We have added further details and indicators of compromise (IoC) to this post, to provide defenders additional information to hunt with. This information can be found in the Appendix section. | Vulnerebility blog | Palo Alto |
| 24.5.24 | Threat Group Assessment: Muddled Libra (Updated May 16, 2025) | We’ve added an additional section to this article that describes the evolution of Muddled Libra activity since the beginning for 2024. This group is a dynamic one, and as members cycle in and out of the group, its knowledgebase and skill set naturally shift. Its toolbox has now expanded to include: | Malware blog | Palo Alto |
| 24.5.24 | Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation | Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content. | APT blog | Palo Alto |
| 24.5.24 | Lampion Is Back With ClickFix Lures | Unit 42 researchers recently uncovered a highly focused malicious campaign targeting dozens of Portuguese organizations, particularly in the government, finance and transportation sectors. This campaign was orchestrated by the threat actors behind Lampion malware, an infostealer that focuses on sensitive banking information. This malware family has been active since at least 2019. | Malware blog | Palo Alto |
| 24.5.24 | Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources | This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. Upon execution, these files kick off a multi-stage chain of extracting, deobfuscating, loading and executing secondary payloads (dynamic-link libraries), eventually detonating the final payload (executable). | Malware blog | Palo Alto |
| 24.5.24 | The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website | In early 2025, Check Point Research (cp<r>) started tracking a threat campaign that abuses the growing popularity of AI content generation platforms by impersonating Kling AI, a legitimate AI-powered image and video synthesis tool. Promoted through Facebook advertisements, the campaign directs users to a convincing spoof of Kling AI’s website, where visitors are invited to create AI-generated images or videos directly in the browser. | AI blog | Checkpoint |
| 24.5.24 | Scarcity signals: Are rare activities red flags? | Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones. | Cyber blog | CISCO TALOS |
| 24.5.24 |
UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware |
Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader. | Exploit blog | CISCO TALOS |
| 24.5.24 | Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure. | Cyber blog | CISCO TALOS | |
| 24.5.24 |
Duping Cloud Functions: An emerging serverless attack vector |
Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure. | Exploit blog | CISCO TALOS |
| 24.5.24 | In this week’s newsletter, Thor inspects the LockBit leak, finding $10,000 “security tips,” ransom negotiations gone wrong and a rare glimpse into the human side of cybercrime. | Ransom blog | CISCO TALOS | |
| 24.5.24 |
Microsoft Patch Tuesday for May 2025 — Snort rules and prominent vulnerabilities |
Microsoft has released its monthly security update for May of 2025 which includes 78 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”. Microsoft noted five vulnerabilities that have been observed to be exploited in the wild | OS Blog | CISCO TALOS |
| 24.5.24 |
Defining a new methodology for modeling and tracking compartmentalized threats |
How do you profile actors and defend your systems when multiple threat actors are working together? In Part 2, Cisco Talos proposes an extended Diamond Model to analyze complex relationships between attackers. | Security blog | CISCO TALOS |
| 24.5.24 | Danabot under the microscope | ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure | Malware blog | Eset |
| 24.5.24 | Danabot: Analyzing a fallen empire | Malware blog | Eset | |
| 24.5.24 | Lumma Stealer: Down for the count | The bustling cybercrime enterprise has been dealt a significant blow in a global operation that relied on the expertise of ESET and other technology companies | Malware blog | Eset |
| 24.5.24 | ESET takes part in global operation to disrupt Lumma Stealer | Our intense monitoring of tens of thousands of malicious samples helped this global disruption operation | Malware blog | Eset |
| 24.5.24 | The who, where, and how of APT attacks in Q4 2024–Q1 2025 | An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2024 and Q1 2025 | APT blog | Eset |
| 24.5.24 | ESET APT Activity Report Q4 2024–Q1 2025 | An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2024 and Q1 2025 | APT blog | Eset |
| 24.5.24 | Canary Exploit Tool for CVE-2025-30065 Apache Parquet Avro Vulnerability | Investigating a schema parsing concern in the parquet-avro module of Apache Parquet Java. | Vulnerebility blog | F5 |
| 24.5.24 | Copyright Phishing Lures Leading to Rhadamanthys Stealer Now Targeting Europe | Analysis of new Rhadamanthys infostealer campaign in Europe and malware breakdown | Malware blog | Cybereason |
| 24.5.24 | Genesis Market - Malicious Browser Extension | In this Threat Alert, Cybereason identifies a malware infection exhibiting similarities to a previous Genesis Market campaign. | Malware blog | Cybereason |
| 24.5.24 | The Windows Registry Adventure #7: Attack surface analysis | In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this mechanism works internally – from the perspective of its clients (e.g., user-mode applications running on Windows), the regf format used to encode hives, and finally the kernel itself, which contains its canonical implementation. | OS Blog | Project Zero |
| 17.5.24 | Ransomware Roundup – VanHelsing | The VanHelsing ransomware was first identified in March 2025 and uses TOR sites for ransom negotiations and data leaks. | Ransom blog | FOTINET |
| 17.5.24 | Horabot Unleashed: A Stealthy Phishing Threat | FortiGuard Labs observed a phishing campaign "Horabot" resurfacing with a sophisticated multi-stage attack, blending phishing, credential theft, and propagation. | Phishing blog | FOTINET |
| 17.5.24 | APT GROUP123 | Group123 is a North Korean state-sponsored advanced persistent threat (APT) group active since at least 2012. | APT blog | Cyfirma |
| 17.5.24 | APT PROFILE : Transparent Tribe aka APT36 | APT36, also known as Transparent Tribe, is a Pakistan-based advanced persistent threat (APT) group active since at least 2013. | APT blog | Cyfirma |
| 17.5.24 | Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan | Trend™ Research discusses the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain. | APT blog | Trend Micro |
| 17.5.24 | Trend Micro Puts a Spotlight on AI at Pwn2Own Berlin | Get a sneak peak into how Trend Micro's Pwn2Own Berlin 2025 is breaking new ground, focusing on AI infrastructure and finding the bugs to proactively safeguard the future of computing. | AI blog | Trend Micro |
| 17.5.24 | Microsoft Security Bulletin Coverage for May 2025 | Microsoft’s May 2025 Patch Tuesday has 76 vulnerabilities, 28 of which are Remote Code Execution. The SonicWall Capture Labs' threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2025 and has produced coverage for 11 of the reported vulnerabilities. | OS Blog | SonicWall |
| 17.5.24 | LCRYX Ransomware Utilizes Weak Encryption, Demands $500 Bitcoin Payment | The SonicWall Capture Labs threat research team has recently been tracking LCRYX ransomware. LCRYX is a VBScript-based ransomware strain that first emerged in November 2024 and reappeared in February 2025 with enhanced capabilities. It specifically targets Windows systems, employing a combination of Caesar cipher and XOR encryption to lock files before demanding a $500 ransom in Bitcoin for decryption. While it made its resurgence in February, it is still being seen in the wild today. | Ransom blog | SonicWall |
| 17.5.24 | DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt | In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. | Malware blog | Palo Alto |
| 17.5.24 | Threat Brief: CVE-2025-31324 | On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50. This threat brief shares a brief overview of the vulnerability and our analysis, and also includes details of what we’ve observed through our incident response services and telemetry. | Vulnerebility blog | Palo Alto |
| 17.5.24 | Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources | This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. Upon execution, these files kick off a multi-stage chain of extracting, deobfuscating, loading and executing secondary payloads (dynamic-link libraries), eventually detonating the final payload (executable). | Malware blog | Palo Alto |
| 17.5.24 | Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation | Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content. | APT blog | Palo Alto |
| 17.5.24 | Redefining IABs: Impacts of compartmentalization on threat tracking and modeling | Threat actors are teaming up, splitting attacks into stages and making defense harder than ever. In Part 1, Cisco Talos examines their tactics and defines their motivations. | Cyber blog | CISCO TALOS |
| 17.5.24 | Defining a new methodology for modeling and tracking compartmentalized threats | How do you profile actors and defend your systems when multiple threat actors are working together? In Part 2, Cisco Talos proposes an extended Diamond Model to analyze complex relationships between attackers. | Hacking blog | CISCO TALOS |
| 17.5.24 | Spam campaign targeting Brazil abuses Remote Monitoring and Management tools | A new spam campaign is targeting Brazilian users with a clever twist — abusing the free trial period of trusted remote monitoring tools and the country’s electronic invoice system to spread malicious agents. | Spam blog | CISCO TALOS |
| 17.5.24 | Microsoft Patch Tuesday for May 2025 — Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for May of 2025 which includes 78 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”. Microsoft noted five vulnerabilities that have been observed to be exploited in the wild. CVE-2 | OS Blog | CISCO TALOS |
| 17.5.24 | Understanding the challenges of securing an NGO | Joe talks about how helping the helpers can put a fire in you and the importance of keeping nonprofits cybersecure. | Cyber blog | CISCO TALOS |
| 17.5.24 | Sednit abuses XSS flaws to hit gov't entities, defense companies | Operation RoundPress targets webmail software to steal secrets from email accounts belonging mainly to governmental organizations in Ukraine and defense contractors in the EU | Vulnerebility blog | Eset |
| 17.5.24 | Operation RoundPress | Cyber blog | Eset | |
| 17.5.24 | How can we counter online disinformation? | Unlocked 403 cybersecurity podcast (S2E2) | Ever wondered why a lie can spread faster than the truth? Tune in for an insightful look at disinformation and how we can fight one of the most pressing challenges facing our digital world. | Cyber blog | Eset |
| 17.5.24 | Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages | Every second, highly-privileged MacOS system daemons accept and process hundreds of IPC messages. In some cases, these message handlers accept data from sandboxed or unprivileged processes. | OS Blog | Project Zero |
| 10.5.24 | Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware | FortiGuard Labs highlights a malware campaign's increasing sophistication of attack methodologies, leveraging the legitimate functionalities of remote administration tools for malicious purposes. | Attack blog | FOTINET |
| 10.5.24 | FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure | The FortiGuard Incident Response (FGIR) team recently investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group. | Incident blog | FOTINET |
| 10.5.24 | New Finance Scam Discovered Abusing Niche X/Twitter Advertising Loophole | Silent Push Threat Analysts have uncovered a new finance scam exploiting an X/Twitter advertising display URL feature to spoof “cnn[.]com” while directing visitors to a crypto scam website impersonating Apple’s brand. | Social blog | Silent Push |
| 10.5.24 | How To Defend Against Threats With A Cyber Early Warning System | Security teams are constantly on the lookout for hidden threat infrastructure that isn’t already widely known, and doesn’t appear on anyone’s radar. This usually involves analyzing a significant amount of alert data and hunting for emerging domains and IPs that are in the process of being setup, across linked malicious hosting clusters. | Cyber blog | Silent Push |
| 10.5.24 | India Experiences Surge in Hacktivist Group Activity Amid Military Tensions | 40+ hacktivist groups united in cyberattacks against India after a terror attack in the Indian state... | Hacking blog | Cyble |
| 10.5.24 | Ransomware Attacks April 2025: Qilin Emerges from Chaos | Global ransomware attacks in April 2025 declined to 450 from 564 in March – the lowest level since November... | Ransom blog | Cyble |
| 10.5.24 | PupkinStealer : A .NET-Based Info-Stealer | Executive Summary At CYFIRMA, we are committed to delivering timely insights into active cyber threats and the techniques used by malicious actors to target individuals and | Malware blog | Cyfirma |
| 10.5.24 | Tracking Ransomware : April 2025 | EXECUTIVE SUMMARY April 2025 witnessed a decline in ransomware incidents, with 470 reported victims worldwide. Qilin remained the dominant group, while newer actors like | Ransom blog | Cyfirma |
| 10.5.24 | EXPLAINER : THE ALGERIA / MOROCCO TENSIONS | EXECUTIVE SUMMARY Since Algeria severed diplomatic ties with Morocco in 2021, tensions between the two neighbors have largely remained confined to the diplomatic arena. However, | BigBrother blog | Cyfirma |
| 10.5.24 | Fortnightly Vulnerability Summary | Fortnightly Vulnerability Summary CHECK OUT THESE FAST FACTS ON FORTNIGHTLY OBSERVED VULNERABILITIES. Fortnight's Most Impacted Products Linux | D-Link | Totolink Fortnightly | Vulnerebility blog | Cyfirma |
| 10.5.24 | Gunra Ransomware – A Brief Analysis | Executive Summary At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and | Ransom blog | Cyfirma |
| 10.5.24 | Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer | Introduction A security researcher from Seqrite Labs has uncovered a malicious campaign targeting U.S. citizens as Tax Day approaches on April 15. Seqrite Labs has identified multiple phishing attacks leveraging tax-related themes as a vector for social engineering, aiming... | Malware blog | Seqrite |
| 10.5.24 | What Is the Goal of an Insider Threat Program? | Insider risk is one of the biggest cybersecurity threats that businesses face today. Insiders include employees, contractors or business partners with legitimate access to a company’s network, systems or data. Some misuse their access intentionally, while others make mistakes or fall victim to cybercriminals. | Cyber blog | PROOFPOINT |
| 10.5.24 | CoGUI Phish Kit Targets Japan with Millions of Messages | Proofpoint has observed a notable increase in high-volume Japanese language campaigns targeting organizations in Japan to deliver a phishing kit that Proofpoint researchers refer to as CoGUI. Most of the observed campaigns abuse popular consumer or payment brands in phishing lures, including Amazon, PayPay, Rakuten, and others. | Phishing blog | PROOFPOINT |
| 10.5.24 | Email Attacks Drive Record Cybercrime Losses in 2024 | The FBI’s Internet Crime Complaint Center (IC3) has released its 2024 Internet Crime Report. And it has revealed a record-breaking surge in cybercrime losses across the United States. Last year, total losses reached $16.6 billion, which is a 33% increase from the previous year. | Cyber blog | PROOFPOINT |
| 10.5.24 | Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape | Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared our findings with Apple and a fix was released for this vulnerability, now identified as CVE-2025-31191. We encourage macOS users to apply security updates as soon as possible. | Vulnerebility blog | Microsoft blog |
| 10.5.24 | Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal | During our monitoring of Agenda ransomware activities, we uncovered campaigns that made use of the SmokeLoader malware and a new loader we've named NETXLOADER. | Ransom blog | Trend Micro |
| 10.5.24 | Exploring PLeak: An Algorithmic Method for System Prompt Leakage | What is PLeak, and what are the risks associated with it? We explored this algorithmic technique and how it can be used to jailbreak LLMs, which could be leveraged by threat actors to manipulate systems and steal sensitive data. | AI blog | Trend Micro |
| 10.5.24 | NetSupport RAT Malware Spied in Ukraine | This week, the SonicWall Capture Labs threat research team analyzed a sample of NetSupport RAT malware. OSINT shows that this malware has been regularly seen in Ukraine and Poland as of mid- to late-2024. | Malware blog | Palo Alto |
| 10.5.24 | CraftCMS Vulnerability Exposes Systems to Pre-Auth RCE, Now Exploited in the Wild (CVE-2025-32432) | The SonicWall Capture Labs threat research team became aware of a pre-authentication vulnerability in CraftCMS's asset transform generation feature, assessed its impact and developed mitigation measures. | Vulnerebility blog | Palo Alto |
| 10.5.24 | AI Agents Are Here. So Are the Threats. | Agentic applications are programs that leverage AI agents — software designed to autonomously collect data and take actions toward specific objectives — to drive their functionality. | AI blog | Palo Alto |
| 10.5.24 | Lampion Is Back With ClickFix Lures | Unit 42 researchers recently uncovered a highly focused malicious campaign targeting dozens of Portuguese organizations, particularly in the government, finance and transportation sectors. | Malware blog | Palo Alto |
| 10.5.24 | Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation | Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content. | APT blog | Palo Alto |
| 10.5.24 | Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources | This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. | Malware blog | Palo Alto |
| 10.5.24 | State-of-the-art phishing: MFA bypass | Threat actors are bypassing MFA with adversary-in-the-middle attacks via reverse proxies. Phishing-as-a-Service tools like Evilproxy make these threats harder to detect. | Phishing blog | CISCO TALOS |
| 10.5.24 | The IT help desk kindly requests you read this newsletter | How do attackers exploit authority bias to manipulate victims? Martin shares proactive strategies to protect yourself and others in this must-read edition of the Threat Source newsletter. | Exploit blog | CISCO TALOS |
| 10.5.24 | Spam campaign targeting Brazil abuses Remote Monitoring and Management tools | A new spam campaign is targeting Brazilian users with a clever twist — abusing the free trial period of trusted remote monitoring tools and the country’s electronic invoice system to spread malicious agents. | Spam blog | CISCO TALOS |
| 10.5.24 | Proactive threat hunting with Talos IR | Learn more about the framework Talos IR uses to conduct proactive threat hunts, and how we can help you stay one step ahead of emerging threats. | Cyber blog | CISCO TALOS |
| 10.5.24 | Catching a phish with many faces | Here’s a brief dive into the murky waters of shape-shifting attacks that leverage dedicated phishing kits to auto-generate customized login pages on the fly | Phishing blog | Eset |
| 10.5.24 | Beware of phone scams demanding money for ‘missed jury duty’ | Phishing blog | Eset | |
| 10.5.24 | Toll road scams are in overdrive: Here’s how to protect yourself | Have you received a text message about an unpaid road toll? Make sure you’re not the next victim of a smishing scam. | Phishing blog | Eset |
| 10.5.24 | The Bug Report - April 2025 Edition | Spring clean your security! Dive into April 2025’s top CVEs, live exploits, and patches. Stay ahead of attacks — read the full Bug Report now. | Cyber blog | Trelix |
| 10.5.24 | The Growing Threat of Vishing: How Cybercriminals Are Using Multimedia to Target You | New vishing attack technique we need to be aware of. How cybercriminals are using multimedia to target you. | Cyber blog | Trelix |
| 6.5.24 | Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams | According to the Federal Trade Commission (FTC), consumers lost more money to investment scams than any other kind in 2024. | Spam | Infoblox |
| 6.5.24 | The Risk of Default Configuration: How Out-of-the-Box Helm Charts Can Breach Your Cluste | Have you ever used pre-made deployment templates to quickly spin up applications in Kubernetes environments? While these “plug-and-play” options greatly simplify the setup process, they often prioritize ease of use over security. | Security | Microsoft blog |
| 3.5.24 | This Google Threat Intelligence Group report presents an analysis of detected 2024 zero-day exploits. | Exploit blog | Google Threat Intelligence | |
| 3.5.24 | Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer | Introduction A security researcher from Seqrite Labs has uncovered a malicious campaign targeting U.S. citizens as Tax Day approaches on April 15. Seqrite Labs has identified multiple phishing attacks leveraging tax-related themes as a vector for social engineering, aiming... | Phishing blog | Seqrite |
| 3.5.24 | Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government | Seqrite Labs APT team has discovered “Pahalgam Terror Attack” themed documents being used by the Pakistan-linked APT group Transparent Tribe (APT36) to target Indian Government and Defense personnel. The campaign involves both credential phishing and deployment of malicious payloads,... | APT blog | Seqrite |
| 3.5.24 | Security Brief: French BEC Threat Actor Targets Property Payments | Proofpoint identified and named a new financially motivated, business email compromise (BEC) threat actor conducting fraud, TA2900. This actor sends French language emails using rental payment themes to target people in France and occasionally in Canada. | Spam blog | PROOFPOINT |
| 3.5.24 | Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape | Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared our findings with Apple and a fix was released for this vulnerability, now identified as CVE-2025-31191. We encourage macOS users to apply security updates as soon as possible. | Vulnerebility blog | Microsoft blog |
| 3.5.24 | Exploring PLeak: An Algorithmic Method for System Prompt Leakage | What is PLeak, and what are the risks associated with it? We explored this algorithmic technique and how it can be used to jailbreak LLMs, which could be leveraged by threat actors to manipulate systems and steal sensitive data. | AI blog | Trend Micro |
| 3.5.24 | Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan | This blog discusses the latest modifications observed in Earth Kasha’s TTPs from their latest campaign detected in March 2025 targeting Taiwan and Japan. | APT blog | Trend Micro |
| 3.5.24 | NVIDIA Riva Vulnerabilities Leave AI-Powered Speech and Translation Services at Risk | Trend Research uncovered misconfigurations in NVIDIA Riva deployments, with two vulnerabilities, CVE-2025-23242 and CVE-2025-23243, contributing to their exposure. These security flaws could lead to unauthorized access, resource abuse, and potential misuse or theft of AI-powered inference services, including speech recognition and text-to-speech processing. | AI blog | Trend Micro |
| 3.5.24 | Actively Exploited SAP NetWeaver Visual Composer Vulnerability Enables Remote Code Execution (CVE-2025-31324) | The SonicWall Capture Labs threat research team became aware of an arbitrary file upload vulnerability in the Metadata Uploader component of SAP NetWeaver Visual Composer, assessed its impact, and developed mitigation measures. SAP NetWeaver serves as a robust technology platform that functions as both an integration hub and application layer, enabling businesses to unify data, processes, and applications from various sources into a cohesive SAP ecosystem. | Vulnerebility blog | SonicWall |
| 3.5.24 | Exploring the State of AI in Cyber Security: Past, Present, and Future | Artificial intelligence is rapidly reshaping the cyber security landscape—but how exactly is it being used, and what risks does it introduce? At Check Point Research, we set out to evaluate the current AI security environment by examining real-world threats, analyzing how researchers and attackers are leveraging AI, and assessing how today’s security tools are evolving with these technologies. | AI blog | Checkpoint |
| 3.5.24 | RSAC 2025 wrap-up – Week in security with Tony Anscombe | From the power of collaborative defense to identity security and AI, catch up on the event's key themes and discussions | Cyber blog | Eset |
| 3.5.24 | This month in security with Tony Anscombe – April 2025 edition | From the near-demise of MITRE's CVE program to a report showing that AI outperforms elite red teamers in spearphishing, April 2025 was another whirlwind month in cybersecurity | Cyber blog | Eset |
| 3.5.24 | How safe and secure is your iPhone really? | Your iPhone isn't necessarily as invulnerable to security threats as you may think. Here are the key dangers to watch out for and how to harden your device against bad actors. | OS Blog | Eset |
| 30.4.25 | TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks | ESET researchers analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks | APT blog | Eset |
| 30.4.25 | Ransomware debris: an analysis of the RansomHub operation | This blog on RansomHub provides an overview into how this Ransomware-as-a-Service (RaaS) group operates, including its extortion tactics, affiliate recruitment strategies, and the features of its affiliate panel. | Ransom blog | GROUP-IB |
| 30.4.25 | ELENOR-corp Ransomware: A New Mimic Ransomware Variant Attacking the Healthcare Sector | Morphisec recently investigated an incident involving a new variant of one of the most aggressive ransomware families: Mimic version 7.5. First observed in 2022, Mimic remains relatively underreported in the public domain, aside from a detailed analysis of Mimic version 6.3 that was previously published by Cyfirma and Kaspersky. | Ransom blog | MORPHISEC |
| 29.4.25 | Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today’s Adversaries | In recent months, SentinelOne has observed and defended against a spectrum of attacks from financially motivated crimeware to tailored campaigns by advanced nation-state actors. | Hacking blog | SentinelLabs |
| 29.4.25 | Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors | An APT group dubbed Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia using advanced malware, rootkits, and trusted cloud services to conduct cyberespionage. | APT blog | Trend Micro |
| 29.4.25 | Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis | Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). | Exploit blog | Google Threat Intelligence |
| 26.4.25 | Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie | Silent Push Threat Analysts have uncovered three cryptocurrency companies that are actually fronts for the North Korean advanced persistent threat (APT) group Contagious Interview: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. | Cryptocurrency blog | Silent Push |
| 26.4.25 | Power Parasites: Job & Investment Scam Campaign Targets Energy Companies and Major Brands | Silent Push Threat Analysts are tracking a scam campaign we’ve labeled “Power Parasites” that has been operating through a combination of deceptive websites, social media groups, and Telegram channels, primarily targeting individuals across Asian countries, including Bangladesh, Nepal, and India, with job and investment scams. | Social blog | Silent Push |
| 26.4.25 | IngressNightmare: Understanding CVE‑2025‑1974 in Kubernetes Ingress-NGINX | Get an overview on how the CVE-2025-1974 works, a proof-of-concept demo of the exploit, along with outlined mitigations and detection strategies. | Vulnerebility blog | FOTINET |
| 26.4.25 | Infostealer Malware FormBook Spread via Phishing Campaign – Part I | FortiGuard Labs observed a phishing campaign in the wild that delivered a malicious Word document as an attachment. Learn more. | Malware blog | FOTINET |
| 26.4.25 | New Rust Botnet "RustoBot" is Routed via Routers | FortiGuard Labs recently discovered a new botnet propagating through TOTOLINK devices. Learn more about this malware targeting these devices. | BotNet blog | FOTINET |
| 26.4.25 | HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging cyber threats and adversarial tactics targeting individuals and organizations. | Malware blog | Cyfirma |
| 26.4.25 | Technical Malware Analysis Report: Python-based RAT Malware | EXECUTIVE SUMMARY The malware analyzed in this report is a Python-based Remote Access Trojan (RAT) that utilizes Discord as a command-and-control (C2) platform. Disguised as a | Malware blog | Cyfirma |
| 26.4.25 | Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | In this blog entry, we discuss how North Korea's significant role in cybercrime – including campaigns attributed to Void Dokkaebi – is facilitated by extensive use of anonymization networks and the use of Russian IP ranges. | BigBrother blog | Trend Micro |
| 26.4.25 | Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors | An APT group dubbed Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia using advanced malware, rootkits, and trusted cloud services to conduct cyberespionage. | APT blog | Trend Micro |
| 26.4.25 | FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE | This blog details our investigation of malware samples that conceal within them a FOG ransomware payload. | Ransom blog | Trend Micro |
| 26.4.25 | Critical TorchServe Vulnerability (CVE-2023-43654) Enables Remote Code Execution | SonicWall Capture Lab's threat research team became aware of the threat CVE-2023-43654, assessed its impact and developed mitigation measures for this vulnerability. | Vulnerebility blog | SonicWall |
| 26.4.25 | Extortion and Ransomware Trends January-March 2025 | Unit 42 regularly monitors the cyberthreat landscape, including trends in extortion and ransomware. Ransomware actors continue to evolve to increase the effectiveness of their attacks and the likelihood that organizations will pay what is demanded. In our 2025 Unit 42 Global Incident Response Report, we found that 86% of incidents involved business disruption, spanning operational downtime, reputational damage or both. | Ransom blog | Palo Alto |
| 26.4.25 | False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation | Evidence suggests that North Korean IT workers are using real-time deepfake technology to infiltrate organizations through remote work positions, which poses significant security, legal and compliance risks. The detection strategies we outline in this report provide security and HR teams with practical guidance to strengthen their hiring processes against this threat. | APT blog | Palo Alto |
| 26.4.25 | Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs | Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme. | Malware blog | CISCO TALOS |
| 26.4.25 | Lessons from Ted Lasso for cybersecurity success | In this edition, Bill explores how intellectual curiosity drives success in cybersecurity, shares insights on the IAB ToyMaker’s tactics, and covers the top security headlines you need to know. | Cyber blog | CISCO TALOS |
| 26.4.25 | Deepfake 'doctors' take to TikTok to peddle bogus cures | Look out for AI-generated 'TikDocs' who exploit the public's trust in the medical profession to drive sales of sketchy supplements | AI blog | Eset |
| 26.4.25 | How fraudsters abuse Google Forms to spread scams | The form and quiz-building tool is a popular vector for social engineering and malware. Here’s how to stay safe. | Cyber blog | |
| 26.4.25 | Will super-smart AI be attacking us anytime soon? | What practical AI attacks exist today? “More than zero” is the answer – and they’re getting better. | AI blog | |
| 26.4.25 | CVE-2025-32433: Unauthenticated RCE Vulnerability in Erlang/OTP’s SSH Implementation | A critical vulnerability, tracked as CVE-2025-32433, has been discovered in the SSH server component of Erlang/Open Telecom Platform (OTP) | Vulnerebility blog | Cybereason |
| 26.4.25 | A Deep Dive into the Latest Version of Lumma InfoStealer | The Trellix Advanced Research Center has been closely tracking the latest developments in Lumma Infostealer, particularly the recent introduction of sophisticated code flow obfuscation techniques. This report will delve into the threat actors' recent campaign and examine the evolution of their Tactics, Techniques, and Procedures (TTPs). | Malware blog | Trelix |
| 26.4.25 | Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie | Silent Push Threat Analysts have uncovered three cryptocurrency companies that are actually fronts for the North Korean advanced persistent threat (APT) group Contagious Interview: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. | APT blog | Silent Push |
| 26.4.25 | ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver | On April 22, 2025, ReliaQuest published details of our investigation into exploitation activity targeting SAP NetWeaver systems that could enable unauthorized file uploads and execution of malicious files. On April 24, 2025, SAP disclosed "CVE-2025-31324," a critical vulnerability in SAP NetWeaver Visual Composer with the highest severity score of 10. | Vulnerebility blog | ReliaQuest |
| 26.4.25 | Security Analysis of Rack Ruby Framework: CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610 | Through a comprehensive security analysis conducted by OPSWAT's Red Team, security researchers Thai Do and Minh Pham identified multiple vulnerabilities impacting the Rack Ruby framework, specifically CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610. | Vulnerebility blog | OPSWAT |
| 19.4.25 | We discovered China-nexus threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers. | APT blog | Google Threat Intelligence | |
| 19.4.25 | Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services. | Social blog | Google Threat Intelligence |
| 19.4.25 | Cyber Attack Surge: In Q1 2025, cyber attacks per organization increased by 47%, reaching an ... | Cyber blog | Checkpoint | |
| 19.4.25 | Executive Summary Check Point Research has been observing a sophisticated phishing campaign conducted by Advanced ... | APT blog | Checkpoint | |
| 19.4.25 | Hacktivists Target Critical Infrastructure, Move Into Ransomware | Hacktivists are increasingly adopting more sophisticated - and destructive - attack types. | Ransom blog | Cyble |
| 19.4.25 | DOGE "Big Balls" Ransomware and the False Connection to Edward Coristine | Cyble investigates the DOGE BIG BALLS Ransomware, analyzing its operation and the false ties made to... | Ransom blog | Cyble |
| 19.4.25 | APT PROFILE – EARTH ESTRIES | Earth Estries is a Chinese Advanced Persistent Threat (APT) group that has gained prominence for its sophisticated cyber espionage activities targeting critical infrastructure and | APT blog | Cyfirma |
| 19.4.25 | Fortnightly Vulnerability Summary | Fortnightly Vulnerability Summary CHECK OUT THESE FAST FACTS ON FORTNIGHTLY OBSERVED VULNERABILITIES. Fortnight's Most Impacted Products Linux | ColdFusion | FrameMaker | Vulnerebility blog | Cyfirma |
| 19.4.25 | Cyber Espionage Among Allies: Strategic Posturing in an Era of Trade Tensions | Executive Summary In the past decade, a pattern of cyber operations and espionage between the United States and its allies has emerged, complicating relationships traditionally | APT blog | Cyfirma |
| 19.4.25 | SCAMONOMICS THE DARK SIDE OF STOCK & CRYPTO INVESTMENTS IN INDIA | EXECUTIVE SUMMARY At CYFIRMA, we are committed to offering up-to-date insights into prevalent threats and tactics employed by malicious actors targeting both organizations | Cryptocurrency blog | Cyfirma |
| 19.4.25 | The Top Firmware and Hardware Attack Vectors | As firmware-level threats continue to gain popularity in the wild, security teams need to understand how these threats work and the real-world risks they pose to an organization’s security. | Attack blog | Eclypsium |
| 19.4.25 | Revolutionizing Your SOC: Welcome to Threat Protection Workbench | Email remains the number one threat vector in today’s cyber landscape, responsible for more than 90% of successful cyberattacks. As the volume and sophistication of email threats grow, security operations center (SOC) teams are under constant pressure to investigate and respond to incidents more quickly. Even with strong detection, the sheer number of alerts and investigation steps can slow down response times and strain already limited resources—leading to fatigue and increasing the risk of missed threats. | Security blog | PROOFPOINT |
| 19.4.25 | Around the World in 90 Days: State-Sponsored Actors Try ClickFix | While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social engineering technique for the first time. | Malware blog | PROOFPOINT |
| 19.4.25 | The Expanding Attack Surface: Ways That Attackers Compromise Trusted Business Communications | The modern workplace has expanded beyond email. Attackers now exploit collaboration tools, supplier relationships and human trust to bypass defenses and compromise accounts. This five-part blog series raises awareness around these shifting attack tactics. And it introduces our holistic approach to protecting users. | Attack blog | PROOFPOINT |
| 19.4.25 | Cybersecurity Stop of the Month: Bitcoin Scam—How Cybercriminals Lure Victims with Free Crypto to Steal Credentials and Funds | In recent years, cryptocurrency has grown from a niche interest into a mainstream financial ecosystem. This evolution, however, hasn’t been without drawbacks. Namely, it has attracted cybercriminals who use the allure of digital wealth to perpetrate sophisticated fraud schemes. In 2023, illicit crypto addresses received at least $46.1 billion, up from $24.2 billion. This underscores how rapidly crypto-related crimes are spreading. | Cryptocurrency blog | PROOFPOINT |
| 19.4.25 | Threat actors misuse Node.js to deliver malware and other malicious payloads | Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. | Malware blog | Microsoft blog |
| 19.4.25 | ZDI-23-1527 and ZDI-23-1528: The Potential Impact of Overly Permissive SAS Tokens on PC Manager Supply Chains | In ZDI-23-1527 and ZDI-23-1528 we uncover two possible scenarios where attackers could have compromised the Microsoft PC Manager supply chain. | Vulnerebility blog | Trend Micro |
| 19.4.25 | BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets | A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. | Malware blog | Trend Micro |
| 19.4.25 | Incomplete NVIDIA Patch to CVE-2024-0132 Exposes AI Infrastructure and Data to Critical Risks | A previously disclosed vulnerability in NVIDIA Container Toolkit has an incomplete patch, which, if exploited, could put a wide range of AI infrastructure and sensitive data at risk. | Vulnerebility blog | Trend Micro |
| 19.4.25 | Top 10 for LLM & Gen AI Project Ranked by OWASP | Trend Micro has become a Gold sponsor of the OWASP Top 10 for LLM and Gen AI Project, merging cybersecurity expertise with OWASP's collaborative efforts to address emerging AI security risks. This partnership underscores Trend Micro's unwavering commitment to advancing AI security, ensuring a secure foundation for the transformative power of AI. | AI blog | Trend Micro |
| 19.4.25 | CrazyHunter Campaign Targets Taiwanese Critical Sectors | This blog entry details research on emerging ransomware group CrazyHunter, which has launched a sophisticated campaign aimed at Taiwan's essential services. | Ransom blog | Trend Micro |
| 19.4.25 | Nova RaaS: The Ransomware That ‘Spares’ Schools and Nonprofits—For Now | A new ransomware group calling themselves Nova RaaS, or ransomware-as-a-service, has been active for the past month distributing RaLord ransomware. On their blog, they claim to have no affiliations with other cybercriminal groups—and, in a surprising twist, say they’ve pledged not to target schools or nonprofit organizations. | Ransom blog | SonicWall |
| 19.4.25 | CVE-2025-29927: Next.js Middleware Can Be Bypassed with Crafted Header | The SonicWall Capture Labs threat research team became aware of an authorization bypass vulnerability in Next.js, assessed its impact, and developed mitigation measures. Next.js is a react framework designed to simplify building web applications, focusing on performance, SEO, and ease of use. It provides features like server-side rendering (SSR), static site generation (SSG), and automatic code splitting, making it a popular choice for building fast and scalable web applications. | Vulnerebility blog | SonicWall |
| 19.4.25 | Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis | In December 2024, we uncovered an attack chain that employs distinct, multi-layered stages to deliver malware like Agent Tesla variants, Remcos RAT or XLoader. Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution. The phishing campaign we analyzed used deceptive emails posing as an order release request to deliver a malicious attachment. | Malware blog | Palo Alto |
| 19.4.25 | Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware | Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean state-sponsored threat group primarily focused on generating revenue for the DPRK regime, typically by targeting large organizations in the cryptocurrency sector. This article analyzes their campaign that we believe is connected to recent cryptocurrency heists. | APT blog | Palo Alto |
| 19.4.25 | CVE-2025-24054, NTLM Exploit in the Wild | CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted .library-ms file. Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems. Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused. | Vulnerebility blog | Checkpoint |
| 19.4.25 | Renewed APT29 Phishing Campaign Against European Diplomats | Check Point Research has been tracking an advanced phishing campaign conducted by APT29, a Russia linked threat group, which is targeting diplomatic entities across Europe. | APT blog | Checkpoint |
| 19.4.25 | Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking | Process Injection is one of the important techniques in the attackers’ toolkit. In the constant cat-and-mouse game, attackers try to invent its new implementations that bypass defenses, using creative methods and lesser-known APIs. | Hacking blog | Checkpoint |
| 19.4.25 | Care what you share | In this week’s newsletter, Thorsten muses on how search engines and AI quietly gather your data while trying to influence your buying choices. Explore privacy-friendly alternatives and get the scoop on why it's important to question the platforms you interact with online. | AI blog | Palo Alto |
| 19.4.25 | Unmasking the new XorDDoS controller and infrastructure | Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks. | Malware blog | Palo Alto |
| 19.4.25 | Year in Review: The biggest trends in ransomware | This week, our Year in Review spotlight is on ransomware—where low-profile tactics led to high-impact consequences. Download our 2 page ransomware summary, or watch our 55 second video. | Ransom blog | Palo Alto |
| 19.4.25 | Eclipse and STMicroelectronics vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities found in Eclipse ThreadX and four vulnerabilities in STMicroelectronics. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adh | Vulnerebility blog | Palo Alto |
| 19.4.25 | CapCut copycats are on the prowl | Cybercriminals lure content creators with promises of cutting-edge AI wizardry, only to attempt to steal their data or hijack their devices instead | AI blog | Eset |
| 19.4.25 | They’re coming for your data: What are infostealers and how do I stay safe? | Here's what to know about malware that raids email accounts, web browsers, crypto wallets, and more – all in a quest for your sensitive data | Cyber blog | |
| 19.4.25 | Attacks on the education sector are surging: How can cyber-defenders respond? | Academic institutions have a unique set of characteristics that makes them attractive to bad actors. What's the right antidote to cyber-risk? | Attack blog | |
| 19.4.25 | From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets | This article is a continuation of the previous research published on the malware LummaStealer: "Your Data Is Under New Lummanagement: The Rise of LummaStealer". | Malware blog | Cybereason |
| 19.4.25 | The Windows Registry Adventure #6: Kernel-mode objects | Welcome back to the Windows Registry Adventure! In the previous installment of the series, we took a deep look into the internals of the regf hive format. Understanding this foundational aspect of the registry is crucial, as it illuminates the design principles behind the mechanism, as well as its inherent strengths and weaknesses | Cyber blog | Project Zero |
| 19.4.25 | Closing the Security Gap From Threat Hunting to Detection Engineering | Learn how to use existing tooling to perform threat hunting and detection engineering to find hidden threats and strengthen your defenses. | Cyber blog | Trelix |
| 13.4.25 | Campaign Targets Amazon EC2 Instance Metadata via SSRF | Discover the latest CVE trends and a new campaign targeting websites hosted in EC2 instances on AWS. | Vulnerebility blog | F5 |
| 12.4.25 | ICS Vulnerability Report: Energy, Manufacturing Device Fixes Urged by Cyble | Multiple industrial control system (ICS) devices are affected by vulnerabilities carrying severity ratings as high as 9.9. | ICS blog | Cyble |
| 12.4.25 | IT Vulnerability Report: VMware, Microsoft Fixes Urged by Cyble | After investigating recent IT vulnerabilities, Cyble threat researchers identified eight high-priority fixes for security teams. | Vulnerebility blog | Cyble |
| 12.4.25 | Ransomware Attack Levels Remain High as Major Change Looms | March saw a potential leadership shift in ransomware attacks, sustained high attack volumes, and the rise of new threat groups. | Ransom blog | Cyble |
| 12.4.25 | TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications | Cyble analyzes TsarBot, a newly identified Android banking Trojan that employs overlay attacks to target over 750 banking, financial, and cryptocurrency applications worldwide. | Malware blog | Cyble |
| 12.4.25 | Hacktivists Increasingly Target France for Its Diplomatic Efforts | Pro-Russian and pro-Palestinian hacktivist groups share a common adversary in France, leading to coordinated cyberattacks against the country. | BigBrother blog | Cyble |
| 12.4.25 | CVE-2025-24813: Remote Code Execution in Apache Tomcat via Malicious Session Deserialization | CVE-2025-24813: Remote Code Execution in Apache Tomcat via Malicious Session Deserialization Apache Tomcat is a popular, open-source web server and servlet container maintained by the Apache Software Foundation. It provides a reliable and scalable environment for executing Java Servlets... | Vulnerebility blog | Seqrite |
| 12.4.25 | Beware! Fake ‘NextGen mParivahan’ Malware Returns with Enhanced Stealth and Data Theft | Cybercriminals continually refine their tactics, making Android malware more insidious and challenging to detect. A new variant of the fake NextGen mParivahan malware has emerged, following its predecessor’s deceptive strategies but introducing significant enhancements. Previously, attackers exploited the government’s. | Malware blog | Seqrite |
| 12.4.25 | Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks | Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024. The group has expanded its scope of targeting beyond Indian government, defence, maritime sectors, and university students to now. | APT blog | Seqrite |
| 12.4.25 | Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics | Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics Contents Introduction Infection Chain Initial Findings Campaign 1 Looking into PDF document. Campaign 2 Looking into PDF document. Technical Analysis Campaign 1 & 2 Conclusion Seqrite Protection MITRE ATT&CK... | APT blog | Seqrite |
| 12.4.25 | NEPTUNE RAT : An advanced Windows RAT with System Destruction Capabilities and Password Exfiltration from 270+ Applications | At CYFIRMA, we are committed to providing up-to-date insights into current threats and the tactics used by malicious actors targeting both organizations and individuals. In this report, we will take an in-depth look at the latest version of Neptune RAT, which has been shared on GitHub using a technique involving PowerShell commands: | Malware blog | Cyfirma |
| 12.4.25 | CYFIRMA INDUSTRY REPORT : MATERIALS INDUSTRY | The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the materials industry, presenting key trends and statistics in an engaging infographic format. | Cyber blog | Cyfirma |
| 12.4.25 | TRACKING RANSOMWARE – MARCH 2025 | In March 2025, ransomware attacks targeted critical industries such as Manufacturing, IT, and Healthcare. Notable groups like Black Basta and Moonstone Sleet evolved new strategies, such as automating brute-force VPN attacks and deploying ransomware-as-a-service models. | Ransom blog | Cyfirma |
| 12.4.25 | Tik-Tok : China’s Digital Weapon System? | U.S. President Donald Trump, once a critic but now a supporter of TikTok, is granting the app’s China-based parent company, ByteDance, a second 75-day extension to finalize a deal that would transfer ownership of TikTok to an American entity. | Social blog | Cyfirma |
| 12.4.25 | Microsoft Announces New Authentication Requirements for High-Volume Senders | There was a lot of buzz in security and messaging circles at the end of 2023 when Google, Yahoo and Apple jointly announced that they were going to start enforcing strict email authentication requirements for bulk email senders. Although the implementation that started in the first quarter of 2024 has been slow to fully ramp up, momentum is building. And the overall trend towards mandatory email authentication is quite clear. | Safety blog | PROOFPOINT |
| 12.4.25 | The Expanding Attack Surface: Why Collaboration Tools Are the New Front Line in Cyberattacks | The modern workplace has expanded beyond email. Attackers now exploit collaboration tools, supplier relationships and human trust to bypass defenses and compromise accounts. This five-part blog series raises awareness around these shifting attack tactics. And it introduces our holistic approach to protecting users. | Spam blog | PROOFPOINT |
| 12.4.25 | Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI | Exchange Server and SharePoint Server are business-critical assets and considered crown jewels for many organizations, making them attractive targets for attacks. | Attack blog | Microsoft blog |
| 12.4.25 | Incomplete NVIDIA Patch to CVE-2024-0132 Exposes AI Infrastructure and Data to Critical Risks | A previously disclosed vulnerability in NVIDIA Container Toolkit has an incomplete patch, which, if exploited, could put a wide range of AI infrastructure and sensitive data at risk. | AI blog | |
| 12.4.25 | CTEM + CREM: Aligning Your Cybersecurity Strategy | Organizations looking to implement CTEM don’t have to start from scratch. CREM can help you get there faster, with actionable insights, automated workflows, and continuous risk reduction. | Cyber blog | |
| 12.4.25 | GTC 2025: AI, Security & The New Blueprint | From quantum leaps to AI factories, GTC 2025 proved one thing: the future runs on secure foundations. | AI blog | |
| 12.4.25 | Microsoft Security Bulletin Coverage for April 2025 | Microsoft’s April 2025 Patch Tuesday has 123 vulnerabilities, of which 49 are Elevation of Privilege. SonicWall Capture Labs' threat research team has analyzed and addressed Microsoft’s security advisories for the month of April 2025 and has produced coverage for ten of the reported vulnerabilities | Vulnerebility blog | SonicWall |
| 12.4.25 | How Prompt Attacks Exploit GenAI and How to Fight Back | Palo Alto Networks has released “Securing GenAI: A Comprehensive Report on Prompt Attacks: Taxonomy, Risks, and Solutions,” which surveys emerging prompt-based attacks on AI applications and AI agents. While generative AI (GenAI) has many valid applications for enterprise productivity, there is also potential for critical security vulnerabilities in AI applications and AI agents. | AI blog | Palo Alto |
| 12.4.25 | Available now: 2024 Year in Review | Download Talos' 2024 Year in Review now, and access key insights on the top targeted vulnerabilities of the year, network-based attacks, email threats, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks. | Cyber blog | Palo Alto |
| 12.4.25 | Threat actors thrive in chaos | Martin delves into how threat actors exploit chaos, offering insights from Talos' 2024 Year in Review on how to fortify defenses against evolving email lures and frequently targeted vulnerabilities, even amidst economic disruption. | Cyber blog | Palo Alto |
| 12.4.25 | Unraveling the U.S. toll road smishing scams | Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America. | Spam blog | Palo Alto |
| 12.4.25 | Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for April of 2025 which includes 126 vulnerabilities affecting a range of products, including 11 that Microsoft has marked as “critical”. | Vulnerebility blog | Palo Alto |
| 12.4.25 | Year in Review: Key vulnerabilities, tools, and shifts in attacker email tactics | From Talos' 2024 Year in Review, here are some findings from the top targeted network device vulnerabilities. We also explore how threat actors are moving away from time sensitive lures in their emails. And finally we reveal the tools that adversaries most heavily utilized last year. | Cyber blog | Palo Alto |
| 12.4.25 | One mighty fine-looking report | Hazel highlights the key findings within Cisco Talos’ 2024 Year in Review (now available for download) and details our active tracking of an ongoing campaign targeting users in Ukraine with malicious LNK files. | BigBrother blog | Palo Alto |
| 12.4.25 | Watch out for these traps lurking in search results | Here’s how to avoid being hit by fraudulent websites that scammers can catapult directly to the top of your search results | Cyber blog | Eset |
| 12.4.25 | So your friend has been hacked: Could you be next? | When a ruse puts on a familiar face, your guard might drop, making you an easy mark. Learn how to tell a friend apart from a foe. | Cyber blog | |
| 12.4.25 | 1 billion reasons to protect your identity online | Corporate data breaches are a gateway to identity fraud, but they’re not the only one. Here’s a lowdown on how your personal data could be stolen – and how to make sure it isn’t. | Cyber blog | |
| 6.4.25 | The beginning of the end: the story of Hunters International | Learn about technical details on the ransomware and Storage Software tool, how the criminals use the affiliate panel as well as information on the Hunters International ransomware group from its emergence to the end of the operation. | BigBrother blog | Group-IB |
| 5.4.25 | Ransomware Attack Levels Remain High as Major Change Looms | March saw a potential leadership shift in ransomware attacks, sustained high attack volumes, and the rise of new threat groups. | Ransom blog | Cyble |
| 5.4.25 | Critical CrushFTP Authentication Bypass (CVE-2025-2825) Exposes Servers to Remote Attacks | The SonicWall Capture Labs threat research team became aware of an authentication bypass vulnerability in CrushFTP Servers, assessed its impact, and developed mitigation measures. CrushFTP is a resourceful enterprise-grade file transfer application used widely among organizations. It also supports multi-protocols for data exchange among systems and users with S3-compatible API access. | Vulnerebility blog | SonicWall |
| 5.4.25 | Hexamethy Ransomware Displays Scary Lock Screen During File Encryption | The Sonicwall Capture Labs threat research team has recently observed new ransomware named HEXAMETHYLCYCLOTRISILOXANE, or Hexamethy in short. This malware produces a scary cinematic display during the encryption process and flashes text stating, “No more files for you,” and “Your files are in hostage by the HEXAMETHYLCYCLOTRISILOXANE Ransomware." | Ransom blog | SonicWall |
| 5.4.25 | Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon | Since late 2024, Unit 42 researchers have observed attackers using several new tactics in phishing documents containing QR codes. One tactic involves attackers concealing the final phishing destination using legitimate websites' redirection mechanisms. | Phishing blog | Palo Alto |
| 5.4.25 | OH-MY-DC: OIDC Misconfigurations in CI/CD | In the course of investigating the use of OpenID Connect (OIDC) within continuous integration and continuous deployment (CI/CD) environments, Unit 42 researchers discovered problematic patterns and implementations that could be leveraged by threat actors to gain access to restricted resources. One instance of such an implementation was identified in CircleCI’s OIDC. | Cyber blog | Palo Alto |
| 5.4.25 | The good, the bad and the unknown of AI: A Q&A with Mária Bieliková | The computer scientist and AI researcher shares her thoughts on the technology’s potential and pitfalls – and what may lie ahead for us | AI blog | Eset |
| 5.4.25 | This month in security with Tony Anscombe – March 2025 edition | From an exploited vulnerability in a third-party ChatGPT tool to a bizarre twist on ransomware demands, it's a wrap on another month filled with impactful cybersecurity news | Cyber blog | |
| 5.4.25 | Resilience in the face of ransomware: A key to business survival | Your company’s ability to tackle the ransomware threat head-on can ultimately be a competitive advantage | Cyber blog | |
| 5.4.25 | The Bug Report - March 2025 Edition | March Madness hits infosec: kernel bugs, Tomcat deserialization, and SonicWall shenanigans. Catch the highlights and patch fast before you’re benched! | Vulnerebility blog | Trelix |