AI blog APT blog Attack blog BigBrother blog BotNet blog Cyber blog Cryptocurrency blog Exploit blog Hacking blog ICS blog Incident blog IoT blog Malware blog OS Blog Phishing blog Ransom blog Safety blog Security blog Social blog Spam blog Vulnerebility blog
2025 January(29) February(72) March(67) April(108) May(118) June(159) July(143) August(131) September(170) October(145) November(166) December(126)
DATE |
NAME |
Info |
CATEG. |
WEB |
| 1.2.26 | Eeny, meeny, miny, moe? How ransomware operators choose victims | Most ransomware attacks are opportunistic, not targeted at a specific sector or region | Ransom blog | SOPHOS |
| 1.2.26 | Generative AI and cybersecurity: What Sophos experts expect in 2026 | AI has dominated cybersecurity headlines for years, but as we enter 2026, the conversation is shifting from hype to hard realities. Across incident response, threat intelligence, and security operations, Sophos experts see clearer signals of where AI is truly making an impact. For IT teams already stretched thin, this isn’t theoretical — it’s reshaping daily decisions. | AI blog | SOPHOS |
| 1.2.26 | Beyond MFA: Building true resilience against identity-based attacks | As identity-driven attacks continue to rise, organizations must go beyond MFA to build resilience. Sophos experts and recent Gartner research agree: It’s time for an identity-first security strategy backed by continuous detection and response. For many organizations, keeping pace with identity threats feels overwhelming, especially as hybrid environments expand. But there’s a clear path forward. | Hacking blog | SOPHOS |
| 1.2.26 | Microsoft Office vulnerability (CVE-2026-21509) in active exploitation | On January 26, 2026, Microsoft released an out-of-band update to address a high-severity (CVSS score of 7.8) vulnerability affecting multiple Microsoft Office products. This vulnerability, tracked as CVE-2026-21509, is being actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog. | Vulnerebility blog | SOPHOS |
| 1.2.26 | This week Google and partners took action to disrupt what we believe is one of the largest residential proxy networks in the world, the IPIDEA proxy network. IPIDEA’s proxy infrastructure is a little-known component of the digital ecosystem leveraged by a wide array of bad actors. | Cyber blog | GTI | |
| 1.2.26 | Fortinet Under Fire: Why Your Network Edge Remains Attackers' Favorite Entry Point | Fortinet’s January patch for CVE-2025-59718 didn’t hold. On January 21, FortiGate admins began reporting that patched systems were still being exploited. Two days later, Fortinet confirmed the patch had failed to fully remediate the vulnerability. As reported by BleepingComputer, Fortinet is now recommending that admins restrict administrative access and disable FortiCloud SSO while they work on a follow-up fix. | Vulnerebility blog | Eclypsium |
| 1.2.26 | ShadowHS: A Fileless Linux Post‑Exploitation Framework Built on a Weaponized hackshell | Cyble uncovers ShadowHS, a stealthy fileless Linux framework running entirely in memory for covert, adaptive post‑exploitation control. | Malware blog | Cyble |
| 1.2.26 | The Week in Vulnerabilities: Cyble Urges Oracle, OpenStack Fixes | Oracle, OpenStack, SAP, Salesforce and ServiceNow are among the high-profile enterprise products with vulnerabilities in need of attention by security teams. | Vulnerebility blog | Cyble |
| 1.2.26 | Special Alert: SLSH Malicious "Supergroup" Targeting 100+ Organizations via Live Phishing Panels | A massive identity-theft campaign is currently active, targeting Okta Single Sign-On (SSO) and other SSO platform accounts across 100+ high-value enterprises. | Phishing blog | Silent Push |
| 1.2.26 | PureRAT: Attacker Now Using AI to Build Toolset | Vietnam-based cybercrime actor appears to now be using AI to write scripts used in phishing campaigns | Malware blog | SECURITY.COM |
| 1.2.26 | Chrome Extensions: Are you getting more than you bargained for? | Browser extensions can be really useful, but hidden dangers may lurk beyond their marketing. | Hacking blog | SECURITY.COM |
| 1.2.26 | PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups | PeckBirdy is a sophisticated JScript-based C&C framework used by China-aligned APT groups to exploit LOLBins across multiple environments, delivering advanced backdoors to target gambling industries and Asian government entities. | Exploit blog | Trend Micro |
| 1.2.26 | Embracing Choice in Cybersecurity: TrendAI Vision One™ and SentinelOne Integration | Discover how the TrendAI Vision One and SentinelOne integration exemplifies our commitment to endpoint flexibility. | Cyber blog | Trend Micro |
| 1.2.26 | Pwn2Own: Researchers Earn $1 Million for 76 Zero-Days | Discover how TrendAI Zero Day Initiative (ZDI) identified critical vulnerabilities across connected vehicles, EV chargers, and automotive systems. | Cyber blog | Trend Micro |
| 1.2.26 | "Ni8mare" - RCE Vulnerability in N8n AI Workflow Automation (CVE-2026-21858) | The SonicWall Capture Labs threat research team became aware of a Critical unauthenticated file read vulnerability in n8n – a flexible AI workflow automation platform, assessed their impact, and developed mitigation measures. | Vulnerebility blog | SonicWall |
| 1.2.26 | njRAT: A Persistent Commodity Threat in the Modern Landscape | The SonicWall Capture Labs threat research team continues to monitor the activity of the infamous njRAT (also known as Bladabindi), a prolific Remote Access Trojan (RAT) that remains a staple in the toolkit of various threat actors. | Malware blog | SonicWall |
| 1.2.26 | Multiple vulnerabilities in SolarWinds Web Help Desk Leading to RCE: CVE-2025-40551 | The SonicWall Capture Labs threat research team became aware of a critical vulnerability chain in SolarWinds Web Help Desk (WHD), assessed its impact and developed mitigation measures. | Vulnerebility blog | SonicWall |
| 1.2.26 | Understanding the Russian Cyber Threat to the 2026 Winter Olympics | The 2026 Winter Games in Milano Cortina extend beyond sport. Tensions between the Russian Federation and the International Olympic Committee (IOC), stemming from disputes over compliance and governance, lie within a broader geopolitical context. | Cyber blog | Palo Alto |
| 1.2.26 | Happy 9th Anniversary, CTA: A Celebration of Collaboration in Cyber Defense | At certain moments in a career, you get the rare opportunity to look back and say, this work mattered. Not because of an individual accomplishment, but because it contributed to something larger — something that changed how an industry thinks and operates. The Cyber Threat Alliance (CTA) is one of those efforts. | Cyber blog | Palo Alto |
| 1.2.26 | The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time | Imagine visiting a webpage that looks perfectly safe. It has no malicious code, no suspicious links. Yet, within seconds, it transforms into a personalized phishing page. | AI blog | Palo Alto |
| 1.2.26 | Privileged File System Vulnerability Present in a SCADA System | This report details a vulnerability we found in the Iconics Suite, tracked as CVE-2025-0921 with a Medium CVSS score of 6.5. Iconics Suite is the name of a supervisory control and data acquisition (SCADA) system. This system is used for controlling and monitoring industrial processes in different industries including automotive, energy and manufacturing. | ICS blog | Palo Alto |
| 1.2.26 | Cyber Security Report 2026 | Check Point Research continuously investigates real-world attacks, vulnerabilities, attackers’ infrastructure, and emerging techniques across global networks and environments. The Cyber Security Report 2026 consolidates our research efforts throughout 2025 to deliver a clear, data-driven view of the current threat landscape and its trajectory in 2026. | Cyber blog | |
| 1.2.26 | KONNI Adopts AI to Generate PowerShell Backdoors | Check Point Research (CPR) identified an ongoing phishing campaign that we associate with KONNI, a North Korean–linked threat actor active since at least 2014. KONNI is best known for targeting organizations and individuals in South Korea, with a focus on diplomatic channels, international relations, NGOs, academia, and government. | Malware blog | |
| 1.2.26 | IR Trends Q4 2025: Exploitation remains dominant, phishing campaign targets Native American tribal organizations | A drop in exploitation and ransomware, but a spike in phishing and credential abuse, show why timely patching and robust MFA matter more than ever. | Cyber blog | CISCO TALOS |
| 1.2.26 | I'm locked in! | Hazel reflects on how to find balance while staying informed, then delivers practical updates and insights on the latest cybersecurity threats. | Cyber blog | CISCO TALOS |
| 1.2.26 | Dissecting UAT-8099: New persistence mechanisms and regional focus | Cisco Talos has identified a new, regionally targeted campaign by UAT-8099 that leverages advanced persistence techniques and custom BadIIS malware variants to compromise IIS servers, particularly in Thailand and Vietnam. | APT blog | CISCO TALOS |
| 1.2.26 | Foxit, Epic Games Store, MedDreams vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Foxit PDF Editor, one in the Epic Games Store, and twenty-one in MedDream PACS.. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, al | Vulnerebility blog | CISCO TALOS |
| 1.2.26 | Microsoft releases update to address zero-day vulnerability in Microsoft Office | Microsoft has published three out-of-band (OOB) updates so far in January 2026. One of these updates was released to address a vulnerability, CVE-2026-21509, affecting Microsoft Office that has been reportedly exploited in the wild. | Vulnerebility blog | CISCO TALOS |
| 1.2.26 | I scan, you scan, we all scan for... knowledge? | In this week's newsletter, Bill hammers home the old adage, "Know your environment" — even throughout alert fatigue. | Cyber blog | CISCO TALOS |
| 1.2.26 | Predicting 2026 | In this week’s newsletter, Martin examines the evolving landscape for 2026, highlighting key threats, emerging trends like AI-driven risks, and the continued importance of addressing familiar vulnerabilities. | Cyber blog | CISCO TALOS |
| 1.2.26 | This month in security with Tony Anscombe – January 2026 edition | The trends that emerged in January offer useful clues about the risks and priorities that security teams are likely to contend with throughout the year | Cyber blog | Eset |
| 1.2.26 | DynoWiper update: Technical analysis and attribution | ESET researchers present technical details on a recent data destruction incident affecting a company in Poland’s energy sector | Malware blog | Eset |
| 1.2.26 | Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan | ESET researchers discover an Android spyware campaign targeting users in Pakistan via romance scam tactics, revealing links to a broader spy operation | Malware blog | Eset |
| 1.2.26 | Drowning in spam or scam emails? Here’s probably why | Has your inbox recently been deluged with unwanted and even outright malicious messages? Here are 10 possible reasons – and how to stem the tide. | Spam blog | Eset |
| 1.2.26 | ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 | Malware blog | Eset | |
| 1.2.26 | Children and chatbots: What parents should know | As children turn to AI chatbots for answers, advice, and companionship, questions emerge about their safety, privacy, and emotional development | AI blog | Eset |
| 1.2.26 | Identity & Beyond: 2026 Incident Response Predictions | DFIR expert Jamie Mamroe shares 2026 Incident Response Predictions around Identity and Cloud attacks | Incident blog | Cybereason |
| 1.2.26 | Bypassing Windows Administrator Protection | A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and importantly, securable system to allow a local user to access administrator privileges only when necessary. | Vulnerebility blog | Project Zero |
| 1.2.26 | From Digital Innovation to Patient Harm: Why Healthcare Cybersecurity Is Now a C-Suite Imperative | Healthcare is in the midst of a digital revolution, but without cybersecurity at the center of this transformation, innovation becomes a liability. | Cyber blog | Trelix |
| 24.1.26 | Osiris: New Ransomware, Experienced Attackers? | Poortry driver and modified Rustdesk tool used in recent attack campaign, which bears similarities to previous Inc ransomware attacks. | Ransom blog | SECURITY.COM |
| 24.1.26 | Ransomware: Tactical Evolution Fuels Extortion Epidemic | New whitepaper reveals record number of attacks as threat landscape evolves with new players and new tactics. | Ransom blog | SECURITY.COM |
| 24.1.26 | TamperedChef serves bad ads, with infostealers as the main course | Sophos X-Ops explores a malvertising campaign that leverages Google Ads to distribute an infostealer | Malware blog | SOPHOS |
| 24.1.26 | Inside a Multi-Stage Windows Malware Campaign | FortiGuard Labs analysis of a multi-stage Windows malware campaign that abuses trusted platforms to disable defenses, deploy RATs, and deliver ransomware. | Malware blog | FORTINET |
| 24.1.26 | The Invisible Insider: Why AML and KYC Compliance Fail Against Digital Deception | North Korean operatives and professional money launderers have been drawing six-figure salaries from Fortune Global 500 companies by exploiting a fundamental flaw in identity verification. | APT blog | Silent Push |
| 24.1.26 | Check Point Research is tracking an active phishing campaign involving KONNI, a North Korea-affiliated threat ... | Malware blog | ||
| 24.1.26 | Check Point Research has identified VoidLink, one of the first known examples of advanced malware ... | Malware blog | ||
| 24.1.26 | Critical Infrastructure Attacks Became Routine for Hacktivists in 2025 | 2025 may be remembered as the year that hacktivist attacks became significantly more dangerous. | ICS blog | Cyble |
| 24.1.26 | Operation DupeHike : UNG0902 targets Russian employees with DUPERUNNER and AdaptixC2 | Contents Introduction Key Targets. Industries Affected. Geographical Focus. Infection Chain. Initial Findings. Looking into the decoy-document Technical Analysis Stage 1 – Malicious LNK Script Stage 2 – DUPERUNNER Implant Stage 3 – AdaptixC2 Beacon. Infrastructural Artefacts. Conclusion SEQRITE Protection.... | Cyber blog | Seqrite |
| 24.1.26 | Operation Covert Access: Weaponized LNK-Based Spear-Phishing Targeting Argentina’s Judicial Sector to Deploy a Covert RAT | Table of Contents: Introduction: Infection Chain: Targeted sectors: Initial Findings about Campaign: Analysis of Decoy: Technical Analysis: Stage-1: Analysis of Windows Shortcut file (.LNK). Stage-2: Analysis of Batch file. Stage-3: Details analysis of Covert RAT. Conclusion: Seqrite Coverage: IOCs... | Cyber blog | Seqrite |
| 24.1.26 | Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan | Contents Introduction Key Targets Industries Affected Geographical focus Infection Chain. Initial Findings Looking into the decoy-document Technical Analysis Stage 1 – Malicious ISO File Stage 2 – Malicious LNK File Stage 3 – Final Payload: FALSECUB Infrastructure & Attribution... | Cyber blog | Seqrite |
| 24.1.26 | FINANCE Q1 I 2026 : INDUSTRY REPORT | EXECUTIVE SUMMARY The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. | ICS blog | Cyfirma |
| 24.1.26 | Weaponized WinRAR Exploitation and Stealth Deployment of Fileless .NET RAT | EXECUTIVE SUMMARY At CYFIRMA, we continuously monitor emerging threat techniques that abuse trusted software and routine user behavior to achieve stealthy system compromise. | Malware blog | Cyfirma |
| 24.1.26 |
We X-Rayed A Suspicious FTDI USB Cable |
We recently got an industrial X-Ray machine in the Eclypsium office to use to make the next Doctor Manhattan do serious cybersecurity research. In between X-raying yet-to-be released industrial IT technologies on behalf of giant companies whose names we cannot reveal, we have done some other fun experiments. | Hacking blog | Eclypsium |
| 24.1.26 | From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers | This blog entry provides an in-depth analysis of the multistage delivery of the Evelyn information stealer, which was used in a campaign targeting software developers. | Cyber blog | Trend Micro |
| 24.1.26 | Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware | TrendAI™ Research provides a technical analysis of a compromised EmEditor installer used to deliver multistage malware that performs a range of malicious actions. | AI blog | Trend Micro |
| 24.1.26 | Introducing ÆSIR: Finding Zero-Day Vulnerabilities at the Speed of AI | TrendAI™’s ÆSIR platform combines AI automation with expert oversight to discover zero-day vulnerabilities in AI infrastructure – 21 CVEs across NVIDIA, Tencent, and MLflow since mid-2025. | AI blog | Trend Micro |
| 24.1.26 | DNS OverDoS: Are Private Endpoints Too Private? | We discovered an aspect of Azure’s Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentional and inadvertent acts could result in limited access to Azure resources through the Azure Private Link mechanism. We uncovered this issue while investigating irregular behavior in Azure test environments. | Attack blog | Palo Alto |
| 24.1.26 | The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time | Imagine visiting a webpage that looks perfectly safe. It has no malicious code, no suspicious links. Yet, within seconds, it transforms into a personalized phishing page. | Phishing blog | Palo Alto |
| 24.1.26 | VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun | Check Point Research (CPR) believes a new era of AI-generated malware has begun. VoidLink stands as the first evidently documented case of this era, as a truly advanced malware framework authored almost entirely by artificial intelligence, likely under the direction of a single individual. | Malware blog | |
| 24.1.26 | KONNI Adopts AI to Generate PowerShell Backdoors | Check Point Research (CPR) is tracking a phishing campaign linked to a North Korea–aligned threat actor known as KONNI. | AI blog | |
| 24.1.26 | I scan, you scan, we all scan for... knowledge? | In this week's newsletter, Bill hammers home the old adage, "Know your environment" — even throughout alert fatigue. | Cyber blog | CISCO TALOS |
| 24.1.26 | Foxit, Epic Games Store, MedDreams vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Foxit PDF Editor, one in the Epic Games Store, and twenty-one in MedDream PACS.. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, al | Vulnerebility blog | CISCO TALOS |
| 24.1.26 | Common Apple Pay scams, and how to stay safe | Here’s how the most common scams targeting Apple Pay users work and what you can do to stay one step ahead | Spam blog | Eset |
| 24.1.26 | Old habits die hard: 2025’s most common passwords were as predictable as ever | Once again, data shows an uncomfortable truth: the habit of choosing eminently hackable passwords is alive and well | Cyber blog | Eset |
| 24.1.26 | From the Shadows to the Headlines: A Decade of State-Sponsored Cyber Leaks | Analysis of a decade of major state-sponsored cyber leaks (Shadow Brokers, Vault 7, i-Soon, KittenBusters): patterns, impact, and the centrality of human vulnerability. | APT blog | Trelix |
| 17.1.26 | New Remcos Campaign Distributed Through Fake Shipping Document | FortiGuard Labs analyzes a phishing campaign delivering a fileless Remcos RAT via malicious Word templates, CVE-2017-11882 exploitation, and in-memory execution. | Malware blog | FORTINET |
| 17.1.26 | Uncovering Hidden Forensic Evidence in Windows: The Mystery of AutoLogger-Diagtrack-Listener.etl | FortiGuard IR uncovers forensic insights in Windows AutoLogger-Diagtrack-Listener.etl, a telemetry artefact with untapped investigative value. | Malware blog | FORTINET |
| 17.1.26 | Silent Push Uncovers New Magecart Network: Disrupting Online Shoppers Worldwide | Silent Push Preemptive Cyber Defense Analysts recently uncovered an extensive network of domains associated with a long-term, ongoing web-skimmer campaign, known under the umbrella name: “Magecart.” | Cyber blog | Silent Push |
| 17.1.26 | Looking for fingerprints instead of footprints: A bit of honesty about the current cybersecurity landscape by Ken Bagnall | Most of us in cybersecurity have fallen into a bit of a trap. We have been taught to defend our networks by looking at the past. We rely on Indicators of Compromise (IOCs). These are things like malicious IPs or file hashes. Using them as a primary defense is not really a strategy. It is just playing catch-up. | Cyber blog | Silent Push |
| 17.1.26 | Unmasking the DPRK Remote Worker Problem | The DPRK remote worker program functions as a high-volume revenue engine for the North Korean regime. These state-sponsored operatives use stolen identities to secure remote roles within Western enterprises. They establish long-term persistence inside corporate infrastructure before their first meeting. These actors bypass standard IAM and EDR by mimicking the behavior, location, and hardware signatures of a domestic employee. | APT blog | Silent Push |
| 17.1.26 | Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation | Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades—with cryptanalysis dating back to 1999—Mandiant consultants continue to identify its use in active environments. This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk. | Hacking blog | |
| 17.1.26 | AuraInspector: Auditing Salesforce Aura for Data Exposure | Mandiant is releasing AuraInspector, a new open-source tool designed to help defenders identify and audit access control misconfigurations within the Salesforce Aura framework. | Security blog | |
| 17.1.26 | In December 2025, organizations experienced an average of 2,027 cyber attacks per organization per week. ... | Ransom blog | CHECKPOINT | |
| 17.1.26 | Executive Summary Check Point Research identified active, large-scale exploitation of CVE-2025-37164, a critical remote code ... | Vulnerebility blog | CHECKPOINT | |
| 17.1.26 | In Q4 2025, Microsoft once again ranked as the most impersonated brand in phishing attacks, ... | Phishing blog | CHECKPOINT | |
| 17.1.26 | Ransomware and Supply Chain Attacks Soared in 2025 | The threat landscape shifted significantly in 2025. Here are the threats and trends to watch as we enter 2026. | Phishing blog | |
| 17.1.26 | deVixor: An Evolving Android Banking RAT with Ransomware Capabilities Targeting Iran | Cyble analyzed deVixor, an advanced Android banking RAT with ransomware features actively targeting Iranian users. | Malware blog | |
| 17.1.26 | Mamba Phishing-as-a-Service Kit: How Modern adversary-in-the-middle (AiTM) Attacks Operate | INTRODUCTION CYFIRMA assesses that Mamba 2FA is a representative of a broader class of adversary-in-the-middle phishing frameworks that have become increasingly prevalen | Phishing blog | |
| 17.1.26 | SOLYXIMMORTAL : PYTHON MALWARE ANALYSIS | EXECUTIVE SUMMARY SolyxImmortal is a Python-based Windows information-stealing malware that combines credential theft, document harvesting, keystroke logging, screen surveillance, | Malware blog | |
| 17.1.26 | APT PROFILE – KIMSUKI | Kimsuki, an advanced persistent threat (APT) group active since at least 2012, is suspected to be operating out of North Korea in direct support of the regime’s strategic objectives. The… | APT blog | |
| 17.1.26 | CYFIRMA ANNUAL INDUSTRIES REPORT 2025 : PART 3 | EXECUTIVE SUMMARY The CYFIRMA Industries Report provides cutting-edge cybersecurity insights and telemetry-driven statistics on global industries. Spanning the last 365 days and | ICS blog | |
| 17.1.26 | Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations | Microsoft’s investigation into RedVDS services and infrastructure uncovered a global network of disparate cybercriminals purchasing and using to target multiple sectors. | APT blog | Microsoft blog |
| 17.1.26 | Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response | Threat actors exploited Cloudflare's free-tier infrastructure and legitimate Python environments to deploy the AsyncRAT remote access trojan, demonstrating advanced evasion techniques that abuse trusted cloud services for malicious operations. | Malware blog | |
| 17.1.26 | Key Insights on SHADOW-AETHER-015 and Earth Preta from the 2025 MITRE ATT&CK Evaluation with TrendAI Vision One™ | This blog discusses notable modern TTPs observed from SHADOW-AETHER-015 and Earth Preta, from TrendAI™ Research monitoring and TrendAI Vision One™ intelligence. These findings support the performance of TrendAI™ in the 2025 MITRE ATT&CK Evaluations. | Hacking blog | |
| 17.1.26 | Anatomy of an Attack: The Payroll Pirates and the Power of Social Engineering | No employee wants their paycheck to go missing. One organization learned about an incident when they started hearing exactly this complaint. It turned out that an attacker had modified direct-deposit details in order to redirect an organization’s paychecks into attacker-controlled accounts. | Hacking blog | Palo Alto |
| 17.1.26 | Threat Brief: MongoDB Vulnerability (CVE-2025-14847) | On Dec. 19, 2025, MongoDB publicly disclosed MongoBleed, a security vulnerability (CVE-2025-14847) that allows unauthenticated attackers to leak sensitive heap memory by exploiting a trust issue in how MongoDB Server handles zlib-compressed network messages. This flaw occurs prior to authentication, meaning an attacker only needs network access to the database's default port to trigger it. | Vulnerebility blog | Palo Alto |
| 17.1.26 | Remote Code Execution With Modern AI/ML Formats and Libraries | We identified vulnerabilities in three open-source artificial intelligence/machine learning (AI/ML) Python libraries published by Apple, Salesforce and NVIDIA on their GitHub repositories. Vulnerable versions of these libraries allow for remote code execution (RCE) when a model file with malicious metadata is loaded. | AI blog | Palo Alto |
| 17.1.26 | Unveiling VoidLink – A Stealthy, Cloud-Native Linux Malware Framework | VoidLink is an advanced malware framework made up of custom loaders, implants, rootkits, and modular plugins designed to maintain long-term access to Linux systems. The framework includes multiple cloud-focused capabilities and modules, and is engineered to operate reliably in cloud and container environments over extended periods. | Malware blog | |
| 17.1.26 | Sicarii Ransomware: Truth vs Myth | Sicarii is a newly observed RaaS operation that surfaced in late 2025 and has only published 1 claimed victim. | Ransom blog | |
| 17.1.26 | UAT-8837 targets critical infrastructure sectors in North America | Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor. | APT blog | CISCO TALOS |
| 17.1.26 | Predicting 2026 | In this week’s newsletter, Martin examines the evolving landscape for 2026, highlighting key threats, emerging trends like AI-driven risks, and the continued importance of addressing familiar vulnerabilities. | Cyber blog | CISCO TALOS |
| 17.1.26 | Brushstrokes and breaches with Terryn Valikodath | Terryn’s path to cybersecurity started with a fascination for criminal forensics and a knack for jailbreaking his family's tech — interests that eventually steered him toward the fast-paced world of digital investigations. | Incident blog | |
| 17.1.26 | Why LinkedIn is a hunting ground for threat actors – and how to protect yourself | The business social networking site is a vast, publicly accessible database of corporate information. Don’t believe everyone on the site is who they say they are. | Social blog | Eset |
| 17.1.26 | Is it time for internet services to adopt identity verification? | Should verified identities become the standard online? Australia’s social media ban for under-16s shows why the question matters. | Cyber blog | Eset |
| 17.1.26 | Your personal information is on the dark web. What happens next? | If your data is on the dark web, it’s probably only a matter of time before it’s abused for fraud or account hijacking. Here’s what to do. | Hacking blog | Eset |
| 17.1.26 | Analyzing React2Shell Threat Actors | In this installment of the Sensor Intel Series, we provide an analysis of the most exploited vulnerabilities, highlighting trends and significant activity, with a deep-dive into React2Shell exploitation attempts, methods and tactics. This article focuses on the top 10 CVEs, their rankings, and long-term trends, offering insights into the evolving threat landscape. | Vulnerebility blog | F5 |
| 17.1.26 | When AI Gets Bullied: How Agentic Attacks Are Replaying Human Social Engineering | December closed out 2025 with a clear signal that AI risk, capability, and governance are evolving faster than ever. Updated CASI and ARS leaderboards showed a notable shift at the top, with GPT-5.2 delivering an 11-point security improvement over GPT-5.1, while NVIDIA’s latest model demonstrated that strong performance and efficiency are increasingly attainable outside the traditional hyperscaler ecosystem. | AI blog | F5 |
| 17.1.26 | A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here? | While our previous two blog posts provided technical recommendations for increasing the effort required by attackers to develop 0-click exploit chains, our experience finding, reporting and exploiting these vulnerabilities highlighted some broader issues in the Android ecosystem. This post describes the problems we encountered and recommendations for improvement. | Exploit blog | Project Zero |
| 17.1.26 | A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave | With the advent of a potential Dolby Unified Decoder RCE exploit, it seemed prudent to see what kind of Linux kernel drivers might be accessible from the resulting userland context, the mediacodec context. As per the AOSP documentation, the mediacodec SELinux context is intended to be a constrained (a.k.a sandboxed) context where non-secure software decoders are utilized. Nevertheless, using my DriverCartographer tool, I discovered an interesting device driver, /dev/bigwave that was accessible from the mediacodec SELinux context. | Exploit blog | Project Zero |
| 17.1.26 | A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby | Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. | Exploit blog | Project Zero |
| 17.1.26 | Dark Web Roast December 2025 Edition | This month's underground activities proved that while crime may not pay, it certainly provides endless entertainment for those monitoring the digital underbelly of society. | Cyber blog | Trelix |
| 17.1.26 | Hiding in Plain Sight: Multi-Actor ahost.exe Attacks | The Trellix Advanced Research Center found an active malware campaign exploiting a DLL sideloading vulnerability in the legitimate Git tools to target supply chains. Stay protected—update EDR/XDR and monitor for suspicious activity. | Hacking blog | Trelix |
| 17.1.26 | The Unfriending Truth: How to Spot a Facebook Phishing Scam Before It's Too Late | In the second half of 2025, Trellix observed a surge in credential-stealing Facebook phishing scams, particularly those using the sophisticated "Browser in the Browser" (BitB) technique to trick users with fake login pop-ups. | Phishing blog | Trelix |
| 10.1.26 | Unpacking the packer ‘pkr_mtsi’ | This RL Researcher’s Notebook highlights the packer’s evolution — and offers a YARA rule to detect all versions. | Malware blog | REVERSINGLABS |
| 10.1.26 | 5 ways your firewall can keep ransomware out — and lock it down if it gets in | Ransomware continues to cripple organizations worldwide, draining budgets and halting operations. For IT teams already stretched thin, a single attack can mean days of downtime and irreversible data loss. | Ransom blog | SOPHOS |
| 10.1.26 | Human-in-the-loop security will define 2026: Predictions from Sophos experts | Cybersecurity in 2026 will be shaped by extremes: attackers operating with unprecedented speed and scale, and defenders navigating the widening gap between automation and human judgment. Sophos experts predict a year where the “little things” — basic hygiene, configuration discipline, visibility across platforms — will matter more than ever. | Cyber blog | SOPHOS |
| 10.1.26 | Winning the AI War: Why Preemptive Cyber Defense is the Only Viable Countermeasure for CISOs | The escalation of AI-driven cyber threats has fundamentally broken the traditional security lifecycle. For decades, the industry has operated on a reactive cadence: an attack occurs, indicators are gathered, and defenses are updated. This model assumes that defenders have time to react. | AI blog | Silent Push |
| 10.1.26 | Executive Summary The OPCOPRO “Truman Show” operation is a fully synthetic, AI‑powered investment scam that ... | AI blog | CHECKPOINT | |
| 10.1.26 | The Week in Vulnerabilities: 2026 Starts with 100 PoCs and New Exploits | The year may be a little more than a week old, but threat actors have already amassed nearly 100 Proof of Concepts and newly exploited vulnerabilities. | Vulnerebility blog | |
| 10.1.26 | Initial Access Sales Accelerated Across Australia and New Zealand in 2025 | Cyble’s 2025 report analyzes Initial Access sales, ransomware operations, and data breaches shaping the cyber threat landscape in Australia and New Zealand. | APT blog | |
| 10.1.26 | Singapore Cyber Agency Warns of Critical IBM API Connect Vulnerability (CVE-2025-13915) | A critical authentication bypass flaw, CVE-2025-13915, affects IBM API Connect. Singapore issues alert as IBM releases fixes. | Vulnerebility blog | |
| 10.1.26 | CISA Known Exploited Vulnerabilities Surged 20% in 2025 | CISA’s Known Exploited Vulnerabilities (KEV) catalog grew by 20% in 2025, including 24 vulnerabilities exploited by ransomware groups. | Exploit blog | |
| 10.1.26 | TRACKING RANSOMWARE : DEC 2025 | EXECUTIVE SUMMARY Ransomware activity in December 2025 highlights an evolution toward cartel-style, collaborative ecosystems, where initial access, persistence, encryption, and | Ransom blog | |
| 10.1.26 | Beyond MFA: Identity Abuse Through Token Interception and Consent Manipulation | EXECUTIVE SUMMARY Multi-Factor Authentication (MFA) has long been positioned as a definitive control against credential-based attacks. However, recent phishing campaigns | Phishing blog | |
| 10.1.26 | CYFIRMA ANNUAL INDUSTRIES REPORT 2025 : PART 2 | EXECUTIVE SUMMARY The CYFIRMA Industries Report provides cutting-edge cybersecurity insights and telemetry-driven statistics on global industries. Spanning the last 365 days and | ICS blog | |
| 10.1.26 | Resurgence of Scattered Lapsus$ hunters | Executive Summary: Recent monitoring of underground forums and Telegram communities has identified the resurgence of the Scattered Lapsus$ collective. The actors appear to be | APT blog | Cyfirma |
| 10.1.26 | Fortinet Under Fire: Why Your Network Edge Remains Attackers' Favorite Entry Point | CVE-2020-12812, a five-year-old authentication bypass flaw that should have been relegated to history, is being actively exploited. Coming on the heels of two brand-new SAML authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) discovered in late 2025, Fortinet administrators must be on high alert and work to remediate them as quickly as possible, as the trend of network device exploitation is continuing. | Vulnerebility blog | Eclypsium |
| 10.1.26 | Phishing actors exploit complex routing and misconfigurations to spoof domains | Threat actors are exploiting complex routing scenarios and misconfigured spoof protections to send spoofed phishing emails, crafted to appear as internally sent messages. | Phishing blog | Microsoft blog |
| 10.1.26 | Ladvix: Inside a Self-Propagating ELF Malware with IoT Botnet Traits | This week, the SonicWall Capture Labs Threat Research team analyzed a sample of a malicious ELF file infector that shares characteristics of IoT botnet malware. The sample demonstrates self-propagation capabilities, file system scanning, and selective infection mechanisms targeting other ELF binaries. | Malware blog | SonicWall |
| 10.1.26 | MongoBleed MongoDB SBE Use-After-Free (CVE-2025-6706 / CVE-2025-14847) | SonicWall Capture Labs threat research team became aware of the threats CVE-2025-6706 and CVE-2025-14847, assessed their impact, and developed mitigation measures for these vulnerabilities. CVE-2025-6706, also known as MongoDB SBE Use-After-Free, is a critical memory corruption vulnerability affecting MongoDB Server in versions 7.0.0 through 7.0.16. | Vulnerebility blog | SonicWall |
| 10.1.26 | Securing Vibe Coding Tools: Scaling Productivity Without Scaling Risk | The promise of AI-assisted development, or “vibe coding,” is undeniable: unprecedented speed and productivity for development teams. In a landscape defined by complex cloud-native architectures and intense demand for new software, this force multiplier is rapidly becoming standard practice. | AI blog | Palo Alto |
| 10.1.26 | VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion | This article details our technical analysis of VVS stealer, also styled VVS $tealer, including its distributors’ use of obfuscation and detection evasion. | Malware blog | Palo Alto |
| 10.1.26 | Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns | GoBruteforcer (also called GoBrut) is a modular botnet, written in Go, that brute-forces user passwords for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers. The botnet spreads through a chain of web shell, downloader, IRC bot, and bruteforcer modules. | BotNet blog | CHECKPOINT |
| 10.1.26 | UAT-7290 targets high value telecommunications infrastructure in South Asia | Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of advanced persistent threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South Asia. | APT blog | |
| 10.1.26 | Resolutions, shmesolutions (and what’s actually worked for me) | Talos' editor ditches the pressure of traditional New Year’s resolutions in favor of practical, in-the-moment changes, and finds more success by letting go of perfection. Plus, we break down the latest on UAT-7290, a newly disclosed threat actor targeting critical infrastructure. | APT blog | |
| 10.1.26 | How Cisco Talos powers the solutions protecting your organization | What happens under the hood of Cisco's security portfolio? Our reputation and detection services apply Talos' real-time intelligence to detect and block threats. Here's how. | Security blog | |
| 10.1.26 | Credential stuffing: What it is and how to protect yourself | Reusing passwords may feel like a harmless shortcut – until a single breach opens the door to multiple accounts | Incident blog | Eset |
| 10.1.26 | The Ghost in the Machine: Unmasking CrazyHunter's Stealth Tactics | Trellix provides an in-depth analysis of CrazyHunter ransomware and its attack flow, which has emerged as a significant and concerning threat. | Hacking blog | Trelix |