#0552
Mandiant | 15 days ago | LLM report | severity: high
UNC6671, operating under the BlackFile brand, conducts sophisticated vishing and Adversary-in-the-Middle (AiTM) attacks to bypass MFA and compromise SSO platforms like Microsoft 365 and Okta. Once inside, the group uses automated Python and PowerShell scripts to rapidly exfiltrate sensitive data via APIs, often masking their activity as routine file access events, before launching aggressive extortion campaigns.
#0551
Recorded Future | 15 days ago | LLM report | severity: critical
In April 2026, 37 high-impact vulnerabilities were actively exploited, heavily impacting enterprise systems and edge infrastructure. Notable exploitation includes the delivery of the Nexcorium botnet via CVE-2024-3721 in TBK DVR devices and complete service takeovers of Nginx UI instances via CVE-2026-33032, a missing authentication flaw.
#0550
Canadian Centre for Cyber Security | 15 days ago | LLM report | severity: critical
The Canadian Centre for Cyber Security issued advisories warning of active exploitation of two critical vulnerabilities. CVE-2026-20182 affects Cisco Catalyst SD-WAN devices, allowing unauthenticated remote attackers to bypass authentication and gain root privileges, while CVE-2026-42897 is a spoofing vulnerability affecting on-premises Microsoft Exchange Servers.
#0549
Akamai | 15 days ago | LLM report | severity: critical
The TeamPCP threat actor deployed the Mini Shai-Hulud worm in a sophisticated supply chain attack targeting the npm ecosystem via a GitHub Actions CI cache-poisoning technique. The malware steals credentials, establishes persistence via developer tools like VS Code and Claude Code, and features a destructive dead man's switch that wipes the victim's home directory if access tokens are revoked.
#0548
Palo Alto Networks | 15 days ago | LLM report | severity: high
Gremlin stealer has evolved from a basic credential harvester into a sophisticated, modular infostealer capable of active financial fraud and live session hijacking. Recent variants employ advanced anti-analysis techniques, including Themida packing, .NET resource section payload hiding with XOR encryption, and extensive code obfuscation, significantly complicating static detection efforts.
#0547
CrowdStrike | 15 days ago | LLM report | severity: high
The CrowdStrike 2026 Financial Services Threat Landscape Report highlights a 43% global increase in hands-on-keyboard intrusions against the financial sector. The threat landscape is dominated by eCrime ransomware operations, DPRK-nexus cryptocurrency theft via supply chain compromises, and China-nexus intelligence collection leveraging Operational Relay Box (ORB) networks and DLL search-order hijacking.
#0546
Recorded Future | 15 days ago | LLM report | severity: info
NIST has significantly reduced its enrichment of CVEs in the National Vulnerability Database (NVD), limiting full analysis to a small subset of critical vulnerabilities. This policy change exposes organizations relying solely on NVD CVSS scores to significant blind spots, necessitating a shift toward threat intelligence-driven prioritization based on real-world weaponization and active exploitation.
#0545
Huntress | 15 days ago | LLM report | severity: low
The Department of Defense has finalized the Cybersecurity Maturity Model Certification (CMMC) rule, effective November 10, 2025, shifting from self-attestation to mandatory third-party verification for contractors handling sensitive data. Organizations must proactively prepare their technology, processes, and documentation to meet NIST SP 800-171 requirements and avoid anticipated assessment bottlenecks.
#0544
Huntress | 15 days ago | LLM report | severity: low
This article provides an overview of 13 major cybersecurity frameworks, including NIST CSF, CIS Controls, and ISO 27001, detailing their core functions and target audiences. It offers guidance on selecting and implementing the appropriate framework based on regulatory requirements, business goals, and organizational maturity.
#0543
CISA | 16 days ago | LLM report | severity: critical
CISA has added CVE-2026-20182, an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controllers, to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. Federal agencies and private organizations are strongly urged to apply mitigations outlined in Emergency Directive 26-03 or discontinue use of the product if mitigations are unavailable.
#0542
Cisco Talos | 16 days ago | LLM report | severity: medium
The Talos Threat Source newsletter highlights an impending surge in software patching driven by AI vulnerability discovery tools. It also contrasts state-sponsored espionage tactics, which leverage valid credentials and native tools to bypass traditional defenses, with commodity ransomware, while summarizing recent supply chain compromises across developer platforms like Hugging Face and Jenkins.
#0541
Socket | 16 days ago | LLM report | severity: high
TeamPCP has partnered with BreachForums to launch a supply chain attack contest, incentivizing threat actors to compromise open-source packages using the open-sourced Shai-Hulud worm. The campaign targets CI/CD pipelines and developer environments to harvest credentials, posing a significant risk of downstream enterprise compromises.
#0540
Cisco Talos | 16 days ago | LLM report | severity: critical
Cisco Talos is tracking active exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager. Threat actor UAT-8616 is exploiting CVE-2026-20182 for authentication bypass, while other clusters are chaining CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to deploy JSP webshells and post-exploitation frameworks like Sliver and AdaptixC2.
#0539
Microsoft | 16 days ago | LLM report | severity: critical
Kazuar is a sophisticated, modular P2P botnet attributed to the Russian state-sponsored actor Secret Blizzard. It utilizes a tripartite architecture (Kernel, Bridge, Worker) and a leader election mechanism to minimize external C2 traffic, relying on Mailslots, Window Messaging, and Named Pipes for internal communication and HTTP, WSS, or EWS for external C2.
The Canadian Centre for Cyber Security issued a daily digest highlighting critical security updates for GitLab, MongoDB, and VMware Fusion. Notably, MongoDB addressed an undefined behavior vulnerability (CVE-2026-8053) in timeseries collections, and Broadcom patched a privilege escalation flaw (CVE-2026-41702) in VMware Fusion.
#0537
SentinelOne | 16 days ago | LLM report | severity: high
SentinelLABS discovered PCPJack, a cloud-focused worm designed to harvest credentials at scale while actively evicting artifacts of a rival threat actor, TeamPCP. The framework targets exposed cloud services like Docker, Kubernetes, and Redis for propagation and lateral movement, notably omitting cryptomining payloads in favor of credential theft and Sliver C2 deployment.
#0536
Sophos | 16 days ago | LLM report | severity: high
Sophos MDR investigated a macOS infostealer infection attributed to an AMOS (Atomic macOS) variant. The attack leverages ClickFix social engineering to trick users into running a malicious Terminal command, which initiates a multi-stage infection chain. The malware captures the user's system password via a spoofed prompt, evades analysis by checking for virtualized environments, and exfiltrates sensitive data like Keychain and browser credentials before establishing persistence via a LaunchDaemon.
#0535
Socket | 16 days ago | LLM report | severity: high
A vulnerability in Composer causes it to inadvertently log GitHub Actions tokens and GitHub App installation tokens to stderr when token validation fails. This was triggered by a recent GitHub token format change, exposing credentials in CI/CD logs and requiring immediate updates to Composer versions 2.9.8, 2.2.28 LTS, or 1.10.28.
#0534
Infoblox | 16 days ago | LLM report | severity: high
Infoblox Threat Intel uncovered a thriving underground economy on Telegram dedicated to unlocking stolen iPhones. Threat actors utilize specialized Windows binaries to extract device information and deploy targeted smishing campaigns via Apple lookalike domains to steal iCloud credentials, allowing them to bypass Activation Lock, wipe the device, and resell the hardware.
#0533
ANY.RUN | 16 days ago | LLM report | severity: high
An 18-month Agent Tesla campaign is targeting LATAM enterprises, particularly in Chile, using procurement-themed phishing lures. The attack chain employs a multi-stage loader protected by .NET Reactor 6.x, utilizing process hollowing into aspnet_compiler.exe to execute the credential-stealing payload entirely in memory. Stolen data is exfiltrated via cleartext FTP to compromised legitimate infrastructure.