#0055
Trend Micro | 17 days ago | LLM report | high
Trend Micro MDR uncovered an ongoing campaign by the KongTuke threat group utilizing compromised WordPress sites and fake CAPTCHA lures to trick users into executing malicious PowerShell commands. The attack leverages living-off-the-land binaries like finger.exe to deploy a Python-based backdoor known as modeloRAT, which focuses on enterprise environments for potential lateral movement and establishes persistence via scheduled tasks and registry keys.
#0054
ESET | 17 days ago | LLM report | critical
The Sednit threat group (APT28) has deployed a modernized espionage toolkit targeting Ukrainian military personnel. The toolkit consists of custom implants SlimAgent and BeardShell, alongside a heavily modified version of the Covenant framework, utilizing legitimate cloud storage providers for resilient Command and Control (C&C).
#0053
ANY.RUN | 17 days ago | LLM report | high
Threat actors are increasingly utilizing OAuth Device Code phishing to compromise Microsoft 365 accounts. By tricking victims into entering a verification code on the legitimate Microsoft device login page, attackers can obtain OAuth access and refresh tokens without ever harvesting the user's credentials. This technique bypasses traditional phishing defenses by operating over encrypted channels and legitimate Microsoft infrastructure.
#0052
Check Point | 17 days ago | LLM report | high
Iranian Ministry of Intelligence and Security (MOIS) affiliated threat actors, including Void Manticore and MuddyWater, are increasingly integrating cybercriminal tools, infrastructure, and affiliate models into their operations. This strategic shift, which includes the use of commercial infostealers like Rhadamanthys and RaaS platforms like Qilin, enhances their operational capabilities while complicating attribution efforts.
#0051
Socket | 17 days ago | LLM report | high
A malicious Google Chrome extension impersonating the imToken cryptocurrency wallet is actively stealing user seed phrases and private keys. The extension functions as a lightweight redirector, fetching a destination URL from a hardcoded endpoint and sending victims to a homoglyph-obfuscated phishing site designed to harvest wallet recovery secrets.
#0050
Akamai | 17 days ago | LLM report | low
Akamai has announced the integration of AI-powered WAF detections into its App & API Protector platform. This enhancement leverages machine learning models trained on global traffic to autonomously identify and mitigate sophisticated web attacks, such as evasive SQL injections and parameter pollution, while maintaining human oversight and minimizing false positives.
#0049
Palo Alto Networks | 17 days ago | LLM report | high
Unit 42 researchers developed AdvJudge-Zero, an automated fuzzer that identifies stealthy prompt injection sequences to bypass AI judges. By using low-perplexity formatting tokens, attackers can manipulate LLM-based security gatekeepers into approving harmful content or corrupting training data without triggering traditional detection mechanisms.
#0048
Trend Micro | 17 days ago | LLM report | high
TrendAI researchers demonstrated novel attack vectors against AI systems, including exploiting AI-driven KYC pipelines using 'executable documents' to leak customer data. Additionally, they introduced FENRIR, an automated vulnerability hunting system that has discovered numerous zero-days in AI and Model Context Protocol (MCP) ecosystems.
#0047
SentinelOne | 17 days ago | LLM report | low
SentinelLabs explores the use of Large Language Models (LLMs) to automate the extraction of indicators of compromise (IOCs) and contextual data from Cyber Threat Intelligence (CTI) narratives. The research demonstrates that LLMs can accurately parse unstructured reports into structured knowledge graphs, significantly reducing processing time while highlighting the importance of custom data models, prompt optimization, and evidence-grading frameworks.
#0046
CISA | 17 days ago | LLM report | high
CISA has added three actively exploited vulnerabilities affecting Omnissa Workspace ONE, SolarWinds Web Help Desk, and Ivanti Endpoint Manager to its Known Exploited Vulnerabilities (KEV) Catalog. Organizations are strongly urged to apply patches immediately to mitigate the risk of compromise.
#0045
Mandiant | 17 days ago | LLM report | high
This comprehensive guide outlines proactive hardening strategies to defend against destructive cyberattacks, such as ransomware and wipers. It provides actionable recommendations for securing external-facing assets, segmenting IT/OT and virtualization infrastructure, restricting lateral movement, and protecting privileged credentials across on-premises and cloud environments.
#0044
Elastic Security Labs | 17 days ago | LLM report | high
Researchers successfully patch-diffed a Windows Desktop Window Manager (DWM) vulnerability using LLMs, drastically reducing exploit development time. The vulnerability is a Use-After-Free in dwmcore.dll that can be exploited via the DirectComposition API, combined with a novel heap spray and CFG bypass, to achieve Local Privilege Escalation to SYSTEM.
#0043
Zscaler ThreatLabz | 17 days ago | LLM report | high
Threat actors are capitalizing on Middle East geopolitical tensions using over 8,000 newly registered domains to launch opportunistic cyber attacks. Campaigns include Mustang Panda deploying the LOTUSLITE backdoor via DLL sideloading, fake news sites distributing StealC malware, and various phishing/scam operations exhibiting Persian-language artifacts.
#0042
Palo Alto Networks | 17 days ago | LLM report | high
Since 2020, a Chinese threat actor tracked as CL-UNK-1068 has targeted critical infrastructure in Asia for cyberespionage. The group utilizes a diverse, cross-platform toolkit including web shells, custom Go-based scanners, modified Fast Reverse Proxy (FRP) for tunneling, and legacy Python executables for DLL side-loading to maintain stealth, escalate privileges, and exfiltrate sensitive data.
#0041
Microsoft | 17 days ago | LLM report | high
Threat actors, particularly North Korean state-sponsored groups, are increasingly operationalizing AI to accelerate cyberattacks. They leverage generative AI for reconnaissance, social engineering, identity fabrication, and malware development, acting as a force multiplier that reduces technical friction while human operators maintain control over objectives.
#0040
Socket | 17 days ago | LLM report | info
Latio's 2026 Application Security Market Report highlights supply chain malware and the securing of AI-generated code as the top security concerns for practitioners. The report emphasizes the inadequacy of traditional CVE scanning, citing the multi-wave Shai Hulud campaign (which compromised over 500 npm packages, exposed GitHub secrets, and targeted AI toolchains) as evidence that proactive dependency analysis is essential.
#0039
Trend Micro | 17 days ago | LLM report | high
A new information stealer named BoryptGrab is being distributed through deceptive GitHub repositories that masquerade as legitimate software tools. The malware employs complex infection chains involving DLL side-loading, VBS downloaders, and encrypted payloads to deliver the stealer alongside additional backdoors like TunnesshClient and HeaconLoad.
#0038
Socket | 17 days ago | LLM report | low
This article is a promotional announcement for the Socket team's attendance at the RSAC and BSidesSF 2026 conferences. It briefly highlights the growing industry trend of threat actors weaponizing AI coding assistants to execute supply chain attacks by slipping malicious dependencies into developer workflows.
#0037
Mandiant | 17 days ago | LLM report | critical
Google Threat Intelligence Group's 2025 review highlights 90 exploited zero-day vulnerabilities, with a significant shift toward enterprise infrastructure and edge devices. Commercial surveillance vendors outpaced state-sponsored actors in zero-day usage, while financially motivated groups and PRC-nexus espionage operators continued to heavily leverage zero-days for initial access, persistence, and data theft.
#0036
Elastic Security Labs | 17 days ago | LLM report | high
This report details the taxonomy, evolution, and hooking techniques of Linux rootkits. It highlights the shift from userland and LKM-based rootkits to advanced evasive techniques leveraging eBPF and io_uring, which challenge traditional EDR visibility and kernel hardening measures.