
cyfar.ca

DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.

Infoblox | 17 days ago | LLM report | medium

Hold the Phone! International Revenue Share Fraud Driven by Fake CAPTCHAs

Threat actors are utilizing Traffic Distribution Systems (TDS) to direct mobile users to fake CAPTCHA pages that trick them into sending premium international SMS messages. This International Revenue Share Fraud (IRSF) scheme leverages social engineering and back button hijacking to generate multiple SMS messages per victim, resulting in significant financial charges.

ESET | 17 days ago | LLM report | high

GopherWhisper: A burrow full of malware

ESET researchers uncovered GopherWhisper, a previously undocumented China-aligned APT group targeting a Mongolian governmental entity. The group utilizes a diverse arsenal of custom, primarily Go-based malware that leverages legitimate services like Slack, Discord, and Microsoft Outlook for command and control, blending malicious traffic with normal enterprise communications.

CISA | 17 days ago | LLM report | critical

FIRESTARTER Backdoor

CISA and NCSC identified FIRESTARTER, a persistent Linux ELF backdoor deployed by APT actors on Cisco Firepower and Secure Firewall devices. The malware hooks into the LINA engine, survives firmware updates and soft reboots, and facilitates the deployment of secondary payloads like LINE VIPER to establish unauthorized VPN sessions.

NCSC | 17 days ago | LLM report | high

Executive Summary: Defending against China-nexus covert networks of compromised devices

China-nexus threat actors are increasingly leveraging compromised SOHO and edge devices to form dynamic covert networks. These botnets facilitate various stages of cyber attacks while rendering traditional static indicators of compromise obsolete, necessitating adaptive defense strategies like traffic baselining and zero trust architecture.

NCSC | 17 days ago | LLM report | high

Defending against China-nexus covert networks of compromised devices

China-nexus cyber actors have strategically shifted to utilizing large-scale covert networks of compromised SOHO and IoT devices to obfuscate their operations. These dynamic botnets, such as Raptor Train and KV Botnet, facilitate deniable access and complicate traditional static IOC-based defense, requiring organizations to adopt behavioral baselining and dynamic threat intelligence.

CISA | 17 days ago | LLM report | high

Defending Against China-Nexus Covert Networks of Compromised Devices

China-nexus threat actors are increasingly utilizing large-scale covert networks of compromised SOHO routers and IoT devices to obfuscate their operations and route malicious traffic. This strategic shift renders traditional static IOC blocklists ineffective, requiring defenders to adopt behavioral profiling, zero trust principles, and active network hunting to detect multi-hop proxy traffic.
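The three NCSC/CISA items above all recommend behavioural baselining over static IOC lists. The following is an added example, not code from NCSC, CISA or this site, of the simplest form of that check: build a per-host profile of outbound destinations from a training window of flow records, then flag any host whose daily fan-out jumps well above its own norm or that suddenly talks mostly to never-seen addresses, which is the pattern a compromised SOHO device relaying multi-hop proxy traffic tends to produce. The host names, the RFC 5737 test addresses, the 3x spread factor and the 50% new-destination threshold are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    day: int    # day index of the observation
    src: str    # internal host (a SOHO router, camera, NAS, ...)
    dst: str    # external destination IP
    dport: int  # destination port


def build_baseline(flows, train_days):
    """Per source: the set of destinations ever seen and the mean number of
    distinct destinations per training day."""
    known = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.day in train_days:
            known[f.src].add(f.dst)
            daily[f.src][f.day].add(f.dst)
    mean = {src: sum(len(d) for d in days.values()) / len(train_days)
            for src, days in daily.items()}
    return known, mean


def score_window(flows, known, mean, window_days, new_ratio=0.5, spread=3.0,
                 min_new=5):
    """Flag sources whose per-day fan-out exceeds spread * baseline, or whose
    destinations are mostly never-seen (at least min_new of them).
    Returns {src: [reason, ...]} for flagged hosts only."""
    daily = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.day in window_days:
            daily[f.src][f.day].add(f.dst)
    findings = {}
    for src, days in daily.items():
        base_mean = mean.get(src, 0.0)
        seen = known.get(src, set())
        for day, dsts in sorted(days.items()):
            fanout = len(dsts)
            new = dsts - seen
            reasons = []
            if base_mean and fanout > spread * base_mean:
                reasons.append(f"day {day}: {fanout} distinct dsts vs "
                               f"baseline {base_mean:.1f}/day")
            if fanout and len(new) >= min_new and len(new) / fanout >= new_ratio:
                reasons.append(f"day {day}: {len(new)}/{fanout} destinations "
                               "never seen during baseline")
            if reasons:
                findings.setdefault(src, []).extend(reasons)
    return findings


def constructed_flows():
    """Constructed sample (assumption, not real telemetry): three hosts with a
    stable 7-day pattern; on day 8 router-01 starts fanning out to 20 new
    addresses on mixed ports, the way a relay node would."""
    usual = {
        "router-01": ["203.0.113.10", "203.0.113.11"],
        "cam-02": ["198.51.100.5"],
        "nas-03": ["198.51.100.20", "198.51.100.21", "198.51.100.22"],
    }
    flows = []
    for day in range(1, 9):
        for src, dsts in usual.items():
            for dst in dsts:
                flows.append(Flow(day, src, dst, 443))
    for i in range(20):
        flows.append(Flow(8, "router-01", f"192.0.2.{i + 1}", 443 if i % 2 else 8443))
    return flows


def run_demo():
    """Baseline on days 1-7, score day 8; returns the findings dict."""
    flows = constructed_flows()
    known, mean = build_baseline(flows, train_days=set(range(1, 8)))
    return score_window(flows, known, mean, window_days={8})


if __name__ == "__main__":
    for host, reasons in run_demo().items():
        print(host)
        for r in reasons:
            print("   ", r)
```

In production the records come from NetFlow/IPFIX or firewall logs rather than an inline list, thresholds need tuning per asset class (a NAS syncing to cloud storage has a very different norm from a camera), and a hit is a hunting lead to pivot on, not a verdict.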

Recorded Future | 17 days ago | LLM report | high

Critical Minerals and Cyber Operations

The geopolitical competition for critical minerals and rare earth elements is driving an increase in cyber operations targeting the mining sector. State-sponsored actors, particularly from China, alongside financially motivated ransomware groups, are conducting espionage, extortion, and disruptive attacks to gain strategic advantages in global supply chains.

Palo Alto Networks | 17 days ago | LLM report | high

Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System

Unit 42 developed a multi-agent AI proof-of-concept named Zealot to empirically test autonomous offensive capabilities in cloud environments. The PoC successfully demonstrated that AI can autonomously chain reconnaissance, SSRF exploitation, IAM privilege escalation, and data exfiltration at machine speed against a misconfigured GCP environment.

NCSC | 17 days ago | LLM report | low

World-first NCSC-engineered device secures vulnerable display links

The UK's National Cyber Security Centre (NCSC) has developed SilentGlass, a commercially available plug-and-play hardware device designed to secure HDMI and DisplayPort connections against malicious exploitation. Manufactured by Goldilock Labs, the device treats physical display interfaces as security boundaries to prevent unauthorized network access and espionage.

Palo Alto Networks | 17 days ago | LLM report | high

When Wi-Fi Encryption Fails: Protecting Your Enterprise from AirSnitch Attacks

Researchers have disclosed AirSnitch, a novel set of attack techniques that bypass WPA2 and WPA3-Enterprise Wi-Fi encryption and client isolation. By exploiting vulnerabilities in protocol-infrastructure interactions such as MAC address tables and routing layers, attackers can achieve Meddler-in-the-Middle (MitM) capabilities to intercept and inject traffic across enterprise networks.

Cofense | 17 days ago | LLM report | high

Weaponizing Apathy: How Threat Actors Exploit Vulnerabilities and Legitimate Software

Threat actors are increasingly weaponizing legitimate software and known vulnerabilities to bypass endpoint detection and response (EDR) systems. Between December 2021 and December 2024, the abuse of legitimate Remote Access Tools (RATs) like NetSupport Manager and ConnectWise has surged, often delivered via phishing emails exploiting older Microsoft Office vulnerabilities to establish persistent, stealthy access.

Zscaler ThreatLabz | 17 days ago | LLM report | high

Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz

Tropic Trooper is conducting a cyber espionage campaign targeting Chinese-speaking individuals in Asia using military-themed lures. The threat actors employ a trojanized SumatraPDF reader (TOSHIS loader) to deploy a custom AdaptixC2 Beacon that uses GitHub for command-and-control, ultimately establishing persistent remote access via VS Code tunnels.

Socket | 17 days ago | LLM report | critical

Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm Malware

A supply chain attack targeting npm packages associated with Namastex.ai has been discovered, utilizing CanisterWorm-style malware. The malicious packages execute upon installation to harvest developer credentials, cloud secrets, and cryptocurrency wallets, exfiltrating data to an ICP canister and webhooks while attempting to self-propagate across the npm and PyPI ecosystems.
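The summary's key detail is that the packages run on installation: npm executes a package's `preinstall`, `install`, `postinstall` and `prepare` scripts automatically, with the installing developer's privileges. The following is an added example, not code from Socket or from the affected project, of a quick audit you can run over a `node_modules` tree or a lockfile checkout before trusting it: list every dependency that declares an install hook and highlight the ones whose command contains download-and-execute or obfuscation indicators. The manifests are constructed, and the indicator list is an illustrative assumption to tune, not a signature set.

```python
import json
from dataclasses import dataclass
from pathlib import Path

# Lifecycle scripts npm runs without asking during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall",
                 "preprepare", "prepare", "postprepare")

# Illustrative indicators (assumption): things a build step rarely needs but
# install-time stealers commonly do. Matched case-insensitively.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "| sh", "| bash", "base64", "eval(",
                     "node -e", "python -c", "powershell", "certutil")


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    hook: str
    command: str
    indicators: tuple  # subset of SUSPICIOUS_TOKENS found in the command


def audit_manifest(manifest):
    """Return one Finding per install-time hook declared in a package.json dict.
    A hook with no indicators is still reported: it runs arbitrary code."""
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        low = cmd.lower()
        hits = tuple(t for t in SUSPICIOUS_TOKENS if t.lower() in low)
        findings.append(Finding(manifest.get("name", "?"),
                                manifest.get("version", "?"), hook, cmd, hits))
    return findings


def audit_tree(root):
    """Walk a node_modules tree; unreadable or malformed manifests are skipped."""
    findings = []
    for pj in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if isinstance(data, dict):
            findings.extend(audit_manifest(data))
    return findings


def triage(findings):
    """Indicator hits first, then plain hooks, so the review starts at the top."""
    return sorted(findings, key=lambda f: (-len(f.indicators), f.package, f.hook))


# Constructed sample manifests (assumption): a clean package, a native addon
# with a legitimate build hook, and a package with an obfuscated postinstall.
CONSTRUCTED_MANIFESTS = [
    {"name": "good-lib", "version": "1.0.0", "scripts": {"test": "jest"}},
    {"name": "native-addon", "version": "2.1.0",
     "scripts": {"install": "node-gyp rebuild"}},
    {"name": "evil-pkg", "version": "9.9.9",
     "scripts": {"postinstall":
                 "node -e \"eval(Buffer.from('...','base64').toString())\""}},
]


def run_demo():
    """Audit the constructed manifests; returns triaged findings."""
    findings = []
    for m in CONSTRUCTED_MANIFESTS:
        findings.extend(audit_manifest(m))
    return triage(findings)


if __name__ == "__main__":
    for f in run_demo():
        flag = "SUSPICIOUS" if f.indicators else "hook"
        print(f"[{flag}] {f.package}@{f.version} {f.hook}: {f.command}")
        if f.indicators:
            print("    indicators:", ", ".join(f.indicators))
```

Pair the audit with `npm install --ignore-scripts` (or `npm config set ignore-scripts true` in CI) so hooks do not run before you have looked at them, then enable them deliberately for the few native packages that need a build step. The same idea applies to PyPI, where `setup.py` executes on install; the summary notes the worm targets both ecosystems.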

SentinelOne | 17 days ago | LLM report | medium

LABScon25 Replay | Are Your Chinese Cameras Spying For You Or On You?

Security researchers analyzed ultra-cheap Chinese smart home devices, revealing a shadow supply chain utilizing shared hardware with hardcoded root passwords and superficial security fixes. These devices route metadata and video content through servers in China and are shielded from regulatory oversight by shell companies, creating a massive, vulnerable IoT attack surface.

Socket | 17 days ago | LLM report | low

Introducing Reports: An Extensible Reporting Framework for Socket Data

Socket has launched a new extensible reporting framework within its dashboard to provide chart-based views of vulnerabilities, dependencies, and usage. The feature aims to streamline security reporting by offering exportable visualizations aligned with standard frameworks like OWASP and CWE, improving operational visibility and risk communication.

Cisco Talos | 17 days ago | LLM report | high

Intelligence Center

Talos IR's Q1 2026 trends report highlights the resurgence of phishing as the primary initial access vector, heavily targeting public administration and healthcare. The quarter saw novel abuses of AI tools like Softr for credential harvesting, the emergence of the Crimson Collective extortion group leveraging valid accounts and TruffleHog, and Rhysida ransomware deploying the MeowBackConn backdoor.

Recorded Future | 17 days ago | LLM report | high

Evolution of Chinese-Language Guarantee Telegram Marketplaces

Dabai Guarantee is a decentralized, Telegram-based marketplace utilized by Chinese-speaking cybercriminal syndicates to coordinate global fraud, ghost-tapping, and money laundering operations. The platform acts as an escrow service using USDT, enabling siloed teams to execute retail and financial fraud across various countries while minimizing trust issues among criminals and reducing law enforcement visibility.

Canadian Centre for Cyber Security | 17 days ago | LLM report | critical

Cyber Centre Daily Advisory Digest — 2026-04-22 (2 advisories)

The Canadian Centre for Cyber Security issued a daily digest highlighting two major security advisories. Notably, Microsoft released an out-of-band update to patch a critical elevation of privilege vulnerability (CVE-2026-40372) in ASP.NET Core, and GitLab released updates to address vulnerabilities across its Community and Enterprise editions.