NEW #0655
Canadian Centre for Cyber Security | about 18 hours ago | high
The Canadian Centre for Cyber Security issued a daily digest highlighting recent security updates from Microsoft and Oracle. The advisories cover vulnerabilities in Microsoft Edge and critical flaws across several Oracle enterprise products, urging administrators to apply the latest patches to prevent potential exploitation.
NEW #0654
ESET | about 21 hours ago | high
ESET's Q4 2025–Q1 2026 APT Activity Report highlights global espionage and destructive campaigns by state-aligned actors. Notable incidents include a major supply chain compromise of the 'axios' npm library by Lazarus, destructive wiper attacks on Polish critical infrastructure by Sandworm, and the deployment of new edge-device implants like PhiliKit against Ivanti VPNs by China-aligned groups.
NEW #0653
Socket | 1 day ago | critical
A malicious NuGet package named Sicoob.Sdk impersonated the official C# SDK for the Brazilian financial cooperative Sicoob. The package was designed to silently exfiltrate sensitive banking authentication material, including PFX certificates and passwords, as well as raw transaction data, to a third-party Sentry telemetry endpoint, posing a severe risk of API impersonation and financial data exposure.
NEW #0652
Cisco Talos | 1 day ago | info
This week's Threat Source newsletter highlights the importance of combining EPSS and CVSS for risk-based vulnerability prioritization. It also introduces EvidenceForge, a new open-source tool by Cisco Talos for generating synthetic security logs, and summarizes recent security news including the 'Megalodon' GitHub supply chain attack and 'Underminr' domain-fronting techniques.
NEW #0651
CISA | 1 day ago | critical
A critical vulnerability (CVE-2026-7786, CVSS 9.8) affects the Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter. The device firmware version 7.03T.07 contains hard-coded plaintext administrative credentials, allowing unauthenticated remote attackers to extract the credentials and gain full administrator access to the device. The vendor has not responded to coordination attempts, necessitating immediate network isolation of affected devices.
NEW #0650
CISA | 1 day ago | medium
Schneider Electric EcoStruxure Machine Expert HVAC versions prior to 1.10.0 are affected by a cleartext storage vulnerability (CVE-2026-6332, CVSS 5.5). This flaw allows an authorized local attacker with access to the software to view sensitive information, leading to the potential disclosure of protected source code and a loss of confidentiality. Updating to version 1.10.0 resolves the issue.
NEW #0649
CISA | 1 day ago | high
ABB EIBPORT building management systems running firmware prior to version 3.9.2 contain a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2021-22291). Successful exploitation allows attackers to steal session IDs, leading to unauthenticated device access, sensitive information disclosure, and unauthorized configuration changes.
NEW #0648
WithSecure | 1 day ago | high
WithSecure identified GREYVIBE, a Russia-nexus threat group targeting Ukrainian entities using spear-phishing, ClickFix, and fraudulent websites. The group systematically leverages Generative AI to develop custom malware (PhantomRelay, LegionRelay, FallSpy) and obfuscators, blending state-aligned intelligence gathering with cybercrime ecosystem overlaps.
NEW #0647
Microsoft | 1 day ago | critical
The Gentlemen ransomware, operated by Storm-2697, is a Go-based encryptor that combines robust Curve25519/XChaCha20 encryption with aggressive lateral movement capabilities. It utilizes multiple redundant propagation methods (PsExec, WMI, scheduled tasks, services) to maximize network compromise while employing extensive defense evasion techniques to hinder detection and recovery.
NEW
The Canadian Centre for Cyber Security released a daily digest highlighting critical security updates for Drupal, Veeam, Zimbra, and Notepad++. Notably, a highly critical arbitrary PHP code execution vulnerability (SA-CONTRIB-2026-038) was patched in the Drupal AlternativeCommerce module, requiring immediate attention from administrators.
NEW #0645
Cisco Talos | 2 days ago | high
Security research highlights a heap overflow vulnerability in DICOM parsing that affects Orthanc servers during image uploads. By exploiting the complex DICOM file format, attackers can trigger an out-of-bounds write, posing a significant risk to hospital PACS systems that automatically ingest and decode these files.
NEW #0644
Palo Alto Networks | 2 days ago | high
The 2026 FIFA World Cup presents a massive, multi-jurisdictional attack surface threatened by state-nexus disruptive operations and financially motivated cybercrime. Key risks include Iran-aligned actors targeting municipal OT infrastructure, pro-Russian hacktivists launching high-volume DDoS attacks against tournament services, and cybercriminals deploying ransomware against the hospitality supply chain.
NEW #0643
Kaspersky | 2 days ago | high
A cybercrime campaign is targeting users of pirated media sites with a fake video player update that deploys a modified SilentCryptoMiner and a Remote Access Trojan (RAT). The malware utilizes DLL side-loading, DNS tunneling for initial check-ins, and a DGA for C2 communications, while employing a Watchdog component to ensure persistence via a rogue Google Update service.
NEW
The Canadian Centre for Cyber Security published a daily digest of 8 security advisories on May 27, 2026. The digest highlights critical updates across multiple enterprise platforms, notably including an out-of-band patch from Microsoft for a SharePoint Remote Code Execution vulnerability (CVE-2026-45659) and a mandatory signing key rotation for GitHub Enterprise Server.
NEW #0641
Arctic Wolf | 3 days ago | critical
Threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient EMS, to deploy a novel credential stealer named EKZ Infostealer to managed endpoints. The attackers abused legitimate VPN scripting workflows to execute malicious PowerShell commands that downloaded the stealer, which subsequently harvested browser credentials and exfiltrated them to a threat-actor-controlled server.
NEW #0640
Cisco Talos | 3 days ago | high
Cisco Talos disclosed four heap-based buffer overflow vulnerabilities in MediaArea MediaInfoLib version 26.01. These flaws (CVE-2026-25104, CVE-2026-25713, CVE-2026-28764, CVE-2026-22554) can be triggered by processing a malicious media file, potentially leading to arbitrary code execution on the host system.
NEW #0639
Cisco Talos | 3 days ago | low
Cisco Talos has introduced EvidenceForge, an open-source tool designed to generate high-fidelity, correlated synthetic security logs across multiple formats. The tool addresses the data bottleneck in detection engineering and SOC training by providing realistic datasets with causal ordering, background noise, and AI-assisted scenario authoring.
NEW #0638
Huntress | 4 days ago | high
Cybercriminals are shifting from traditional credential theft to session hijacking using infostealer malware, allowing them to bypass multi-factor authentication (MFA). By harvesting and replaying valid session tokens using automated tools, attackers gain rapid, stealthy access to corporate environments, which is then often monetized by Initial Access Brokers.
NEW #0637
Elastic Security Labs | 4 days ago | critical
Tycoon 2FA is a prolific Phishing-as-a-Service (PhaaS) platform utilizing Adversary-in-the-Middle (AiTM) techniques to bypass MFA and steal session tokens across Microsoft 365 and Google Workspace. The kit employs sophisticated evasion tactics, automated post-compromise reconnaissance, and establishes durable persistence mechanisms, such as Device-PRT in Entra ID, which survive standard session revocation procedures.
NEW #0636
CrowdStrike | 4 days ago | critical
CrowdStrike, in collaboration with Google and Shadowserver, successfully dismantled the Glassworm botnet, a highly resilient threat targeting software developers. The threat actors utilized trojanized IDE extensions and malicious package dependencies to deploy GlasswormRAT, leveraging a complex C2 infrastructure spanning the Solana blockchain, BitTorrent DHT, and Google Calendar to maintain persistent access to developer environments.