#0032
Microsoft | 17 days ago | LLM report | critical: Tycoon2FA is a widespread Adversary-in-the-Middle (AiTM) Phishing-as-a-Service platform operated by the threat actor Storm-1747. It enables cybercriminals to bypass standard multifactor authentication (MFA) at scale by intercepting session cookies and credentials using spoofed sign-in pages, custom CAPTCHAs, and complex redirect chains.
#0031
Trend Micro | 17 days ago | LLM report | high: A coordinated international law enforcement and private sector operation successfully disrupted Tycoon 2FA, a prominent Phishing-as-a-Service (PhaaS) platform. The service enabled low-skill attackers to bypass multi-factor authentication (MFA) using adversary-in-the-middle (AitM) techniques to harvest credentials and session cookies, which were subsequently used for BEC and ransomware attacks.
#0030
Check Point | 17 days ago | LLM report | critical: Check Point Research discovered critical vulnerabilities in Anthropic's Claude Code CLI that enable Remote Code Execution (RCE) and API token exfiltration. By injecting malicious configurations into project files like .claude/settings.json and .mcp.json, attackers could execute arbitrary commands and steal API keys when a developer opens a compromised repository, leading to potential supply chain attacks and unauthorized access to shared Claude Workspaces.
#0029
Socket | 17 days ago | LLM report | critical: Malicious versions of the Aqua Trivy VS Code extension were published to the OpenVSX registry, containing unauthorized code that hijacks locally installed AI coding assistants. By using carefully crafted natural language prompts and permissive execution flags, the payload instructs the AI agents to harvest sensitive developer credentials and system data, subsequently attempting to exfiltrate the information via available communication channels or by creating a new GitHub repository.
#0028
Check Point | 17 days ago | LLM report | critical: Check Point Research identified Silver Dragon, a Chinese-nexus APT group likely affiliated with APT41, targeting organizations in Southeast Asia and Europe. The group utilizes public-facing server exploits and phishing to deploy custom loaders that establish persistence via AppDomain hijacking and service manipulation. These loaders deliver Cobalt Strike and a novel Google Drive-based backdoor called GearDoor.
#0027
Socket | 17 days ago | LLM report | critical: Socket's Threat Research Team discovered a supply chain attack involving malicious Packagist packages that deploy an encrypted Remote Access Trojan (RAT). The packages, disguised as Laravel utilities, execute automatically upon application boot or class autoloading, granting the attacker full remote shell access, file manipulation, and system reconnaissance capabilities across Windows, macOS, and Linux environments.
#0026
Check Point | 17 days ago | LLM report | critical: Iranian threat actors are actively exploiting vulnerabilities in Hikvision and Dahua IP cameras across the Middle East to support physical warfare operations. The compromised devices are utilized for battle damage assessment (BDA) and targeting correction during kinetic military operations, with exploitation spikes correlating closely with regional geopolitical events.
#0025
Sophos | 17 days ago | LLM report | high: Following coordinated military strikes by the U.S. and Israel against Iran, there has been a significant surge in hacktivist activity. Pro-Iran groups are conducting website defacements, DDoS attacks, doxxing, and claiming unverified attacks on critical infrastructure, while pro-Israel groups are retaliating, elevating the cyber threat landscape for organizations in the U.S., Israel, and the Middle East.
#0024
Palo Alto Networks | 17 days ago | LLM report | critical: Adversaries are actively exploiting web-based Indirect Prompt Injection (IDPI) to manipulate Large Language Models (LLMs) and AI agents. By embedding hidden or obfuscated instructions within benign web content, attackers can coerce AI systems into performing unauthorized actions such as data destruction, SEO poisoning, and bypassing content moderation when the AI processes the webpage.
#0023
Mandiant | 17 days ago | LLM report | critical: Google Threat Intelligence Group discovered 'Coruna', a highly sophisticated iOS exploit kit containing 23 exploits that target iOS versions 13.0 through 17.2.1. Initially observed in use by a commercial surveillance vendor, the kit has since proliferated to state-sponsored and financially motivated threat actors to deploy PLASMAGRID, a payload designed to steal cryptocurrency wallets and financial data.
#0022
CISA | 17 days ago | LLM report | high: CISA has added two actively exploited vulnerabilities, CVE-2026-21385 (Qualcomm Memory Corruption) and CVE-2026-22719 (VMware Aria Operations Command Injection), to its Known Exploited Vulnerabilities (KEV) Catalog. Organizations are strongly urged to prioritize patching these flaws to reduce exposure to cyberattacks.
#0021
Arctic Wolf | 17 days ago | LLM report | high: Between January 2025 and January 2026, the India-nexus threat actor SloppyLemming conducted a cyber espionage campaign targeting government and critical infrastructure in Pakistan and Bangladesh. The campaign utilized PDF and Excel lures to deploy two custom implants—an in-memory shellcode backdoor named BurrowShell and a Rust-based keylogger—via DLL search order hijacking and extensive abuse of Cloudflare Workers infrastructure.
#0020
Cofense | 17 days ago | LLM report | high: Threat actors are leveraging fake digital invitations mimicking trusted brands like Paperless Post to redirect victims to credential harvesting sites. These phishing pages impersonate major login portals and utilize fake error messages to extract multiple sets of credentials, employing newly registered domains and URL shorteners to evade detection.
#0019
Cofense | 17 days ago | LLM report | high: A sophisticated phishing campaign is targeting Bitpanda cryptocurrency users by impersonating security update alerts. The attack utilizes a deceptively similar lookalike domain to harvest not only login credentials but also sensitive personally identifiable information (PII) such as addresses and dates of birth, which can be leveraged for identity theft or further account takeovers.
#0018
NCSC | 17 days ago | LLM report | medium: The NCSC has issued an alert advising UK organizations, particularly those with ties to the Middle East, to bolster their cybersecurity posture amid ongoing regional conflicts. While direct threats to the UK remain low, there is a heightened risk of collateral damage from Iran-linked hacktivists utilizing DDoS, phishing, and ICS targeting.
#0017
Cofense | 17 days ago | LLM report | high: Threat actors are leveraging WebDAV and Windows File Explorer to deliver Remote Access Trojans (RATs) while bypassing traditional web browser security controls. By utilizing .url and .lnk shortcut files pointing to WebDAV servers hosted on temporary Cloudflare Tunnels, attackers can trick users into executing malicious scripts that appear as local files.
#0016
Infoblox | 17 days ago | LLM report | high: Threat actors are utilizing a novel phishing technique that abuses the implicitly trusted .arpa top-level domain and IPv6 tunnels to bypass standard security controls. By registering reverse DNS domains for IPv6 blocks and creating A records instead of PTR records, attackers host malicious content on infrastructure that evades reputation-based blocking and policy filters.
#0015
Trail of Bits | 17 days ago | LLM report | low: Trail of Bits has open-sourced mquire, a Linux memory forensics tool that eliminates the need for external kernel debug symbols. By utilizing embedded BTF and Kallsyms data, mquire allows incident responders to perform reliable memory analysis on unknown or custom Linux kernels using an intuitive SQL interface.
#0014
NCSC | 17 days ago | LLM report | critical: Malicious cyber threat actors are actively exploiting Cisco Catalyst SD-WANs globally, primarily targeting systems with internet-exposed management interfaces. Upon compromise, attackers add malicious rogue peers to the network, enabling them to escalate privileges to root and maintain persistent access. A coalition of international cybersecurity agencies has released a joint Hunt Guide, and Cisco has issued software updates to mitigate the threat.
#0013
Canadian Centre for Cyber Security | 17 days ago | LLM report | critical: The Canadian Centre for Cyber Security has issued an alert regarding the active exploitation of CVE-2026-20127, a critical improper authentication vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager systems. Unauthenticated remote attackers can exploit this flaw to bypass peering authentication, gain administrative privileges, and add malicious rogue peers to the network configuration for long-term persistence.