#0602
Zscaler ThreatLabzabout 2 months ago4 min▣LLM reportinfo Frontier AI models such as Anthropic Mythos and OpenAI GPT 5.5 Cyber represent a paradigm shift in security testing by leveraging multi-step reasoning to chain vulnerabilities and misconfigurations into viable attack paths. Zscaler's evaluation demonstrates that these models significantly outperform legacy tools in speed and accuracy when embedded in structured testing harnesses, though they require careful contextual grounding to avoid severity inflation or pattern anchoring. Organizations are advised to implement Zero Trust architectures and deception technologies to mitigate the accelerated threat posed by AI-enabled adversaries.
#0601
Socketabout 2 months ago5 min▣LLM reporthigh In response to the ongoing Mini Shai-Hulud supply chain campaign, npm has invalidated all granular access tokens that bypass two-factor authentication. The threat actors have been harvesting credentials from CI/CD environments to automate the publishing of malicious package versions, successfully bypassing existing controls like OIDC Trusted Publishing. To provide a more robust defense, npm has introduced an opt-in Staged Publishing feature that requires interactive MFA approval for automated releases.
#0600
Palo Alto Networksabout 2 months ago7 min▣LLM reporthigh Unit 42 identified an active cyberespionage campaign by the Iran-nexus APT group Screening Serpens, targeting entities in the U.S., Israel, and the Middle East. The threat actor deployed two new RAT families, MiniUpdate and MiniJunk V2, utilizing advanced AppDomainManager hijacking and DLL sideloading to evade native .NET security mechanisms like ETW. The attacks rely on highly tailored social engineering lures, such as fake job portals and video conferencing updates, to initiate the infection chain and establish persistent command and control.
#0599
Canadian Centre for Cyber Securityabout 2 months ago4 min▣LLM reportcritical The Canadian Centre for Cyber Security released a daily digest of six security advisories. Notably, a highly critical SQL injection vulnerability in Drupal Core (CVE-2026-9082) is currently being exploited in the wild, and F5 has disclosed a critical vulnerability (CVE-2026-9256) affecting multiple NGINX products.
#0598
Check Pointabout 2 months ago8 min▣LLM reporthigh Iranian threat actor Nimbus Manticore (UNC1549) conducted a series of campaigns in early 2026 utilizing AppDomain Hijacking, SEO poisoning, and task hijacking to deploy the new MiniFast backdoor. The group demonstrated rapid toolset evolution, likely aided by AI-assisted development, targeting the aviation and software sectors across the US, Europe, and the Middle East.
#0597
Trend Microabout 2 months ago7 min▣LLM reporthigh Void Dokkaebi has updated its InvisibleFerret malware by compiling the original Python scripts into Cython binaries (.pyd for Windows, .so for macOS) to evade traditional script-based detection. The campaign utilizes a multi-stage BeaverTail JavaScript infection chain to deliver these binaries, targeting software developers to steal cryptocurrency wallet credentials, establish backdoor access, and downgrade browser security controls.
#0596
Trail of Bitsabout 2 months ago4 min▣LLM reportinfo Trail of Bits collaborated with the maintainers of zizmor, a GitHub Actions static analyzer, to improve its parsing capabilities and robustness. By testing against a massive corpus of real-world workflows, they identified and fixed multiple YAML anchor handling bugs, deserialization edge cases, and expression evaluator flaws, significantly enhancing zizmor's ability to detect CI/CD misconfigurations.
#0595
Palo Alto Networksabout 2 months ago5 min▣LLM reporthigh ROADtools is an open-source Python framework designed for Entra ID exploration that has been co-opted by nation-state threat actors like APT29 and APT33. Attackers leverage its modules to conduct extensive directory reconnaissance, register rogue devices for persistence, and manipulate OAuth tokens to bypass interactive authentication controls such as MFA. Detection relies on identifying anomalous Microsoft Graph API queries, unusual user-agent strings, and default device registration artifacts.
#0594KKasperskyabout 2 months ago10 min▣LLM reporthigh The Cloud Atlas APT group has updated its toolset in 2025-2026 campaigns targeting Russia and Belarus, utilizing LNK-based phishing to deploy VBCloud and PowerShower backdoors. The group establishes persistent access by patching termsrv.dll for concurrent RDP sessions and heavily relies on reverse SSH, RevSocks, and Tor for redundant C2 channels. Additionally, a new PowerShell tool named PowerCloud is used to exfiltrate administrator data to Google Sheets.
#0593
Socketabout 2 months ago8 min▣LLM reportcritical A supply chain attack compromising the widely-used npm package 'art-template' was discovered delivering the Coruna exploit kit to iOS devices. The injected JavaScript acts as a sophisticated watering hole framework, utilizing extensive anti-bot fingerprinting and WebAssembly memory probes to deliver version-specific WebKit RCE exploits targeting Safari on iOS 11.0 through 17.2.
#0592
Huntressabout 2 months ago6 min▣LLM reporthigh The Gentlemen ransomware operates as a Ransomware-as-a-Service (RaaS) model, utilizing affiliates who employ extensive defense evasion techniques. Recent incidents reveal attackers leveraging compromised RDP accounts, disabling Microsoft Defender via PowerShell, and establishing persistence through Scheduled Tasks that beacon to SOCKS proxy C2 servers.
#0591
Akamaiabout 2 months ago4 min▣LLM reportcritical A critical SQL injection vulnerability (CVE-2026-9082) in Drupal core allows unauthenticated attackers to exfiltrate sensitive data or bypass authentication. The flaw specifically affects Drupal environments utilizing a PostgreSQL database backend alongside the JSON:API, Views, or Entity autocomplete modules, stemming from the improper sanitization of PHP array keys before they reach the database abstraction layer.
#0590
Akamaiabout 2 months ago6 min▣LLM reporthigh A sophisticated attack campaign is targeting Ollama AI endpoints to deploy a custom Go-based P2P remote access Trojan (RAT) and cryptominer. The malware, named 'vc', leverages decentralized networking via libp2p to evade traditional C2 blocking and utilizes RAM disk execution and process masquerading to maintain stealth.
#0589
Recorded Futureabout 2 months ago3 min▣LLM reportlow The emergence of AI-assisted vulnerability discovery tools has significantly compressed the timeline between vulnerability disclosure and active exploitation. To manage the resulting flood of disclosures, security programs must transition from manual triage to intelligence-led prioritization that automatically correlates vulnerabilities with real-world adversary activity at machine speed.
#0588
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reportmedium The Canadian Centre for Cyber Security issued a daily digest highlighting recent security advisories from Trend Micro and FreeBSD. The advisories address unspecified vulnerabilities in Trend Micro Apex One and Vision One Endpoint products, as well as all supported versions of FreeBSD, prompting immediate patching.
#0587
Trend Microabout 2 months ago5 min▣LLM reporthigh A solo Russian-speaking threat actor tracked as 'bandcampro' leveraged jailbroken AI models to automate a multi-year influence operation and cryptocurrency fraud campaign targeting American conservative communities. The actor utilized AI for content generation, infrastructure management, password mutation for WordPress brute-forcing, and distributed a fake crypto wallet that installed the legitimate GoToResolve RMM tool for remote access.
#0586EEclecticiqabout 2 months ago9 min▣LLM reporthigh A financially motivated eCrime campaign is leveraging SEO poisoning to impersonate AI coding assistants like Gemini CLI and Claude Code, tricking developers into executing a fileless PowerShell infostealer. The malware executes entirely in memory, disables Windows telemetry (ETW and AMSI), and harvests sensitive enterprise credentials, session tokens, and files before exfiltrating them to attacker-controlled infrastructure.
#0585
Zscaler ThreatLabzabout 2 months ago4 min▣LLM reportmedium The article highlights the growing risk of prompt data leakage in Generative AI workflows, where sensitive information like PII, source code, and API keys are exposed through conversational interfaces. It outlines 12 common leakage scenarios and recommends a phased approach to implementing inline DLP, browser isolation, and content moderation to secure AI usage without hindering productivity.
#0584
Huntressabout 2 months ago6 min▣LLM reporthigh Opportunistic threat actors continue to exploit exposed RDP, RDWeb, and vulnerable VPN configurations to gain initial access. Once inside, attackers deploy custom reverse tunnels, harvest credentials, and modify registry and firewall settings to establish persistent RDP access.
#0583
Huntressabout 2 months ago7 min▣LLM reporthigh The Ransomware-as-a-Service (RaaS) ecosystem relies heavily on affiliates who dictate the actual intrusion tradecraft, meaning a single ransomware brand can be associated with vastly different attack chains. Affiliates frequently abuse legitimate Remote Monitoring and Management (RMM) tools, exposed RDP, and vulnerable edge appliances for initial access, followed by the use of LOLBins and open-source utilities for persistence and data exfiltration.