DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.
Threat actor TeamPCP has formed an alliance with the Vect Ransomware-as-a-Service (RaaS) group to weaponize recent open-source supply chain compromises. By leveraging approximately 300 GB of stolen credentials and tokens harvested from CI/CD pipelines and security tools like Trivy and LiteLLM, the groups intend to facilitate large-scale ransomware deployments across affected enterprise environments.
Elastic Security Labs identified a cyberattack targeting a South Asian financial institution using two custom malware strains: BRUSHWORM and BRUSHLOGGER. BRUSHWORM functions as a backdoor and USB worm capable of extensive file theft and air-gap bridging, while BRUSHLOGGER captures system-wide keystrokes via DLL side-loading.
The Canadian Centre for Cyber Security released a daily digest highlighting recent security advisories from WatchGuard, Siemens, FreeBSD, and Ericsson. The advisories cover critical vulnerabilities including remote code execution, denial of service, and insecure deserialization across various operating systems, network appliances, and control system products.
Unit 42 identified a coordinated cyberespionage campaign targeting a Southeast Asian government entity, involving three distinct China-aligned threat clusters. The attackers utilized a variety of tools including USB worms, custom loaders, and multiple remote access Trojans (PUBLOAD, Masol, Gorem, FluffyGh0st) to establish persistent access, evade detection via DLL sideloading, and exfiltrate sensitive data.
CISA has added CVE-2025-53521, a Remote Code Execution vulnerability affecting F5 BIG-IP, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. All organizations are strongly urged to prioritize timely remediation to reduce exposure to cyberattacks.
A sophisticated supply chain attack by the threat actor TeamPCP compromised the popular AI proxy package LiteLLM via a previously hijacked Trivy GitHub Action. The malicious package deployed a multi-stage payload utilizing a Python .pth file to harvest extensive cloud, Kubernetes, and AI credentials, encrypt them, and exfiltrate them to attacker-controlled infrastructure while establishing a persistent remote code execution backdoor.
A recent phishing campaign targets Xiaomi users by impersonating corporate HR communications regarding a new certification. The emails contain masked hyperlinks that redirect victims to a convincing replica of the Xiaomi login portal designed to harvest account credentials.
A widespread phishing campaign is exploiting GitHub Discussions to distribute fake Visual Studio Code security alerts to developers. The campaign uses fabricated CVEs and mass-tagging to trick Windows users into clicking malicious share.google links, which redirect to a JavaScript fingerprinting and Traffic Distribution System (TDS) hosted on an attacker-controlled domain.
The Russia-aligned APT group Pawn Storm has launched a sophisticated campaign deploying the PRISMEX malware suite against Ukrainian and NATO defense supply chains. The attack chain leverages two critical vulnerabilities, CVE-2026-21509 and CVE-2026-21513, to achieve zero-click execution, utilizing advanced steganography and COM hijacking to evade detection while communicating via legitimate cloud services.
Cybercriminals are increasingly abusing the Keitaro adtech platform to optimize the distribution of malware, phishing, and scams. By leveraging Keitaro's built-in tracking, cloaking, and traffic distribution capabilities, actors can efficiently target victims, evade detection, and scale operations across multiple threat types including wallet drainers and infostealers.
The Talos 2025 Year in Review highlights a significant shift towards attackers targeting identity infrastructure and network components to bypass MFA and gain privileged access. Key threats include widespread exploitation of React2Shell, supply chain attacks targeting CI/CD pipelines, and the dominance of Qilin ransomware.
VoidLink is a cloud-native Linux malware framework that employs a hybrid Loadable Kernel Module (LKM) and eBPF architecture to achieve deep system concealment. It features advanced evasion techniques such as delayed initialization, an ICMP covert command channel, and eBPF-driven manipulation of Netlink sockets to hide network connections from diagnostic tools. Analysis indicates the framework was developed iteratively using AI-assisted workflows, highlighting a growing trend of LLM-facilitated malware creation.
The Canadian Centre for Cyber Security issued advisories regarding a critical RCE vulnerability in PTC Windchill and FlexPLM, and an actively exploited critical vulnerability (CVE-2026-33634) that temporarily compromised the Aqua Security Trivy ecosystem supply chain.
CISA has added CVE-2026-33634, an embedded malicious code vulnerability in Aqua Security Trivy, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce their exposure to cyberattacks.
A sophisticated, long-running Magecart campaign has been compromising e-commerce websites to steal payment card data, with a notable focus on the Spanish payment ecosystem. The attackers utilize multi-stage JavaScript payloads, mimic legitimate payment gateways like Redsys, and exfiltrate stolen data in real-time via WebSockets to evade traditional detection mechanisms.
A supply chain attack campaign utilizing five typosquatted npm packages targets Solana and Ethereum developers. The packages silently intercept private keys during routine cryptographic operations and exfiltrate them to a Telegram bot, leveraging transitive dependencies and obfuscation to evade detection.
The NCSC has issued an alert regarding two vulnerabilities in customer-managed Citrix NetScaler ADC and Gateway appliances. CVE-2026-3055 allows for a memory overread in SAML IDP configurations, while CVE-2026-4368 causes user session mixups via a race condition in Gateway or AAA virtual server configurations. Immediate patching is strongly recommended.
Varonis Threat Labs identified a Local File Inclusion (LFI) vulnerability (CVE-2026-4270) in the AWS Remote MCP Server that allows authenticated users to read arbitrary files. By exploiting the AWS CLI shorthand file-loading syntax via the aws___call_aws tool, attackers can bypass access restrictions and extract sensitive file contents through error messages.
Trail of Bits has released a new Claude plugin that leverages LLMs to perform dimensional analysis on arithmetic-heavy codebases, such as smart contracts. By annotating code with dimensional types and mechanically flagging mismatches, the tool achieved a 93% recall rate in identifying bugs during testing, significantly outperforming baseline LLM prompts.
Since August 2025, a sophisticated phishing campaign has targeted senior professionals by impersonating Palo Alto Networks recruiters. Attackers use scraped LinkedIn data to build rapport, then falsely claim the victim's resume failed an Applicant Tracking System (ATS), ultimately soliciting fees for fraudulent resume optimization services.
