#0295
Cisco Talos | 17 days ago | LLM report | high
This threat intelligence newsletter highlights the emerging 'Platform-as-a-Proxy' (PaaP) technique, where attackers abuse legitimate SaaS notifications to bypass traditional email security. It also covers active campaigns, including Storm-1175 deploying Medusa ransomware via CVE-2026-1731, and UAT-10362 targeting Taiwanese organizations with a novel Lua-based malware called LucidRook.
#0294
Zscaler ThreatLabz | 17 days ago | LLM report | high
Attackers are utilizing a fake Adobe Acrobat Reader lure to deploy a highly obfuscated VBScript loader that executes a .NET payload entirely in-memory. The attack chain leverages PEB manipulation for process masquerading and abuses auto-elevated COM objects to bypass UAC, ultimately installing the legitimate ScreenConnect remote access tool for malicious purposes.
#0293
ANY.RUN | 17 days ago | LLM report | high
German critical industries are facing coordinated, highly targeted phishing campaigns utilizing Phishing-as-a-Service platforms like EvilProxy and FlowerStorm. These attacks leverage Adversary-in-the-Middle (AitM) techniques to intercept session cookies, effectively bypassing traditional Multi-Factor Authentication (MFA) to compromise Microsoft 365 and Okta accounts.
#0292
Cofense | 17 days ago | LLM report | high
A sophisticated, multi-stage phishing campaign is spoofing the IRS and Elon Musk to conduct full-stack financial fraud. The attack leverages promises of a $5000 tax refund to trick victims into surrendering extensive PII, government IDs, bank account details, and direct cryptocurrency transfers, with stolen data exfiltrated via Telegram.
#0291
Elastic Security Labs | 17 days ago | LLM report | low
Elastic provided the core defensive security platform and AI capabilities for the UK Ministry of Defence's Defence Cyber Marvel 2026 (DCM26) cyber exercise. The deployment featured a highly scalable, multi-tenanted Elastic Cloud architecture managed via Terraform, integrating advanced AI assistants and automated workflows to support 40 defending Blue Teams.
The Canadian Centre for Cyber Security published a daily digest of security advisories on April 9, 2026. The digest highlights multiple vulnerabilities across HPE servers, Juniper Networks operating systems, Qualcomm products, and Tenable Security Center, urging administrators to apply available vendor updates.
#0289
Palo Alto Networks | 17 days ago | LLM report | high
The AWS Bedrock AgentCore starter toolkit automatically provisions overly permissive IAM roles that grant wildcard access across the AWS account. This "Agent God Mode" misconfiguration allows a compromised AI agent to exfiltrate ECR images, access other agents' memories, and escalate privileges by invoking other code interpreters or agents.
#0288
Socket | 17 days ago | LLM report | high
A high-severity social engineering campaign is actively targeting open source developers on Slack by impersonating Linux Foundation leaders. The multi-stage attack uses a fake AI tool lure to harvest credentials and trick victims into installing a malicious root certificate, leading to traffic interception and malware execution on macOS and Windows systems.
#0287
Sophos | 17 days ago | LLM report | critical
A zero-day vulnerability in Adobe Reader is being actively exploited in targeted attacks against the Russian oil and gas sector. Threat actors are utilizing malicious PDF files embedded with obfuscated JavaScript to execute privileged APIs, enabling sensitive data theft and potential remote code execution.
#0286
Recorded Future | 17 days ago | LLM report | info
This report provides geopolitical intelligence on the political landscape of Venezuela following a January 2026 US military operation that removed Nicolás Maduro. It analyzes Acting President Delcy Rodríguez's strategies for consolidating power, managing internal regime rivals, and navigating US diplomatic pressure and OFAC sanctions relief.
#0285
Cofense | 17 days ago | LLM report | high
Threat actors are increasingly abusing legitimate Git repository platforms like GitHub and GitLab to host malware and credential phishing pages. By leveraging the inherent trust organizations place in these domains, attackers successfully bypass secure email gateways (SEGs) to deliver dual-threat campaigns involving remote access trojans (RATs), infostealers, and credential harvesting.
#0284
Akamai | 17 days ago | LLM report | medium
AI fetcher bots are severely impacting the publishing industry by scraping proprietary content in real-time to feed AI chatbots, leading to a drastic reduction in referral traffic and revenue. Organizations are advised to implement advanced bot management and monetization strategies rather than relying solely on default blocking to mitigate infrastructure strain and financial losses.
#0283
Socket | 17 days ago | LLM report | info
Microsoft has released the open-source Agent Governance Toolkit to address the growing security risks associated with autonomous AI agents. The toolkit provides runtime policy enforcement, cryptographic identity, and execution sandboxing to mitigate threats outlined in the OWASP Top 10 for Agentic Applications, though challenges in credential scoping and semantic intent classification remain.
#0282
Cisco Talos | 17 days ago | LLM report | high
Cisco Talos identified a new threat actor, UAT-10362, targeting Taiwanese organizations with a sophisticated Lua-based malware suite named LucidRook. The attack leverages spear-phishing, DLL sideloading, and compromised FTP servers to deliver staged Lua bytecode payloads while employing strict geo-fencing to evade analysis.
#0281
Canadian Centre for Cyber Security | 17 days ago | LLM report | critical
The Canadian Centre for Cyber Security released a daily digest highlighting vulnerabilities across HPE, CUPS, and GitLab products. Most notably, CUPS versions 2.4.16 and prior suffer from a critical remote unauthenticated RCE-to-root chain (CVE-2026-34990, CVE-2026-34980), requiring immediate mitigation and patching to prevent system compromise.
#0280
Palo Alto Networks | 17 days ago | LLM report | high
Unit 42 researchers discovered a method to bypass the network isolation of Amazon Bedrock AgentCore's Code Interpreter sandbox using DNS tunneling. Combined with a legacy MMDSv1 configuration that lacked session token enforcement, attackers could potentially exploit SSRF to extract highly privileged IAM credentials and exfiltrate them via the DNS covert channel.
#0279
CISA | 17 days ago | LLM report | high
CISA has added CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. All organizations, especially federal agencies under BOD 22-01, are strongly urged to prioritize timely remediation to protect their networks against active threats.
#0278
Socket | 17 days ago | LLM report | critical
A sophisticated social engineering campaign linked to DPRK-nexus actor UNC1069 is targeting high-impact Node.js and npm maintainers. Attackers build rapport over weeks before luring victims to spoofed video conferencing sites that deploy infostealing malware designed to hijack session tokens, bypass 2FA, and compromise the open-source software supply chain.
#0277
Trail of Bits | 17 days ago | LLM report | high
An audit of WhatsApp's Private Inference feature revealed critical implementation flaws in its Trusted Execution Environment (TEE) deployment. Vulnerabilities included unmeasured environment variables, unverified ACPI tables, and missing attestation freshness guarantees, which could have allowed attackers to bypass privacy protections and access plaintext data before Meta patched the issues.
#0276
Palo Alto Networks | 17 days ago | LLM report | critical
Threat actors are increasingly targeting Kubernetes environments by exploiting vulnerabilities like React2Shell and misconfigurations to steal service account tokens. These stolen identities are then used to escalate privileges and move laterally into backend cloud infrastructure, leading to severe impacts such as cryptocurrency theft.