#0544
Huntressabout 2 months ago3 min▣LLM reportlow This article provides an overview of 13 major cybersecurity frameworks, including NIST CSF, CIS Controls, and ISO 27001, detailing their core functions and target audiences. It offers guidance on selecting and implementing the appropriate framework based on regulatory requirements, business goals, and organizational maturity.
#0543
CISAabout 2 months ago4 min▣LLM reportcritical CISA has added CVE-2026-20182, an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controllers, to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. Federal agencies and private organizations are strongly urged to apply mitigations outlined in Emergency Directive 26-03 or discontinue use of the product if mitigations are unavailable.
#0542
Cisco Talosabout 2 months ago5 min▣LLM reportmedium The Talos Threat Source newsletter highlights an impending surge in software patching driven by AI vulnerability discovery tools. It also contrasts state-sponsored espionage tactics—which leverage valid credentials and native tools to bypass traditional defenses—with commodity ransomware, while summarizing recent supply chain compromises across developer platforms like Hugging Face and Jenkins.
#0541
Socketabout 2 months ago4 min▣LLM reporthigh TeamPCP has partnered with BreachForums to launch a supply chain attack contest, incentivizing threat actors to compromise open-source packages using the open-sourced Shai-Hulud worm. The campaign targets CI/CD pipelines and developer environments to harvest credentials, posing a significant risk of downstream enterprise compromises.
#0540
Cisco Talosabout 2 months ago7 min▣LLM reportcritical Cisco Talos is tracking active exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager. Threat actor UAT-8616 is exploiting CVE-2026-20182 for authentication bypass, while other clusters are chaining CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to deploy JSP webshells and post-exploitation frameworks like Sliver and AdaptixC2.
#0539
Microsoftabout 2 months ago6 min▣LLM reportcritical Kazuar is a sophisticated, modular P2P botnet attributed to the Russian state-sponsored actor Secret Blizzard. It utilizes a tripartite architecture (Kernel, Bridge, Worker) and a leader election mechanism to minimize external C2 traffic, relying on Mailslots, Window Messaging, and Named Pipes for internal communication and HTTP, WSS, or EWS for external C2.
#0538
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security issued a daily digest highlighting critical security updates for GitLab, MongoDB, and VMware Fusion. Notably, MongoDB addressed an undefined behavior vulnerability (CVE-2026-8053) in timeseries collections, and Broadcom patched a privilege escalation flaw (CVE-2026-41702) in VMware Fusion.
#0537
SentinelOneabout 2 months ago7 min▣LLM reporthigh SentinelLABS discovered PCPJack, a cloud-focused worm designed to harvest credentials at scale while actively evicting artifacts of a rival threat actor, TeamPCP. The framework targets exposed cloud services like Docker, Kubernetes, and Redis for propagation and lateral movement, notably omitting cryptomining payloads in favor of credential theft and Sliver C2 deployment.
#0536
Sophosabout 2 months ago7 min▣LLM reporthigh Sophos MDR investigated a macOS infostealer infection attributed to an AMOS (Atomic macOS) variant. The attack leverages ClickFix social engineering to trick users into running a malicious Terminal command, which initiates a multi-stage infection chain. The malware captures the user's system password via a spoofed prompt, evades analysis by checking for virtualized environments, and exfiltrates sensitive data like Keychain and browser credentials before establishing persistence via a LaunchDaemon.
#0535
Socketabout 2 months ago4 min▣LLM reporthigh A vulnerability in Composer causes it to inadvertently log GitHub Actions tokens and GitHub App installation tokens to stderr when token validation fails. This was triggered by a recent GitHub token format change, exposing credentials in CI/CD logs and requiring immediate updates to Composer versions 2.9.8, 2.2.28 LTS, or 1.10.28.
#0534
Infobloxabout 2 months ago6 min▣LLM reporthigh Infoblox Threat Intel uncovered a thriving underground economy on Telegram dedicated to unlocking stolen iPhones. Threat actors utilize specialized Windows binaries to extract device information and deploy targeted smishing campaigns via Apple lookalike domains to steal iCloud credentials, allowing them to bypass Activation Lock, wipe the device, and resell the hardware.
#0533
ANY.RUNabout 2 months ago6 min▣LLM reporthigh An 18-month Agent Tesla campaign is targeting LATAM enterprises, particularly in Chile, using procurement-themed phishing lures. The attack chain employs a multi-stage loader protected by .NET Reactor 6.x, utilizing process hollowing into aspnet_compiler.exe to execute the credential-stealing payload entirely in memory. Stolen data is exfiltrated via cleartext FTP to compromised legitimate infrastructure.
#0532KKasperskyabout 2 months ago9 min▣LLM reporthigh Kimsuky (APT43) has updated its arsenal with new PebbleDash and AppleSeed malware variants, including the Rust-based HelloDoor and httpMalice backdoors. The group is increasingly utilizing legitimate services like VSCode Remote Tunnels, Cloudflare Quick Tunnels, and DWAgent for covert C2 and post-exploitation access, primarily targeting South Korean entities and global defense sectors.
#0531
ESETabout 2 months ago8 min▣LLM reporthigh FrostyNeighbor, a Belarus-aligned threat actor, has updated its toolset to target Ukrainian governmental organizations with a multi-stage compromise chain. The attack utilizes spearphishing with malicious PDFs that redirect to a RAR archive containing a JavaScript dropper, which ultimately deploys a Cobalt Strike beacon via the PicassoLoader malware following strict server-side and manual victim validation.
#0530
Check Pointabout 2 months ago7 min▣LLM reportcritical A recent leak of internal communications and backend data from 'The Gentlemen' RaaS operation has revealed the group's highly structured operational model and mature toolset. The threat actors actively exploit edge appliances and NTLM relay vulnerabilities for initial access, followed by extensive use of red-team tools and custom EDR evasion techniques to deploy their cross-platform ransomware.
#0529
Sophosabout 2 months ago5 min▣LLM reportcritical Microsoft's May 2026 Patch Tuesday release addresses 132 CVEs, including 29 Critical vulnerabilities and 14 with a CVSS score of 9.0 or higher. Key threats include a critical authentication bypass in the Microsoft SSO Plugin for Jira & Confluence, unauthorized RCEs in Windows Netlogon and DNS Client, and multiple Office RCEs exploitable via the Preview Pane.
#0528PProjectzeroabout 2 months ago4 min▣LLM reportcritical Project Zero researchers developed a 0-click exploit chain for the Google Pixel 10 by chaining a known Dolby vulnerability (CVE-2025-54957) with a newly discovered, trivial local privilege escalation flaw in the device's VPU driver. The VPU vulnerability allowed unbounded physical memory mapping via the mmap syscall, granting arbitrary read/write access to the kernel image and enabling full device compromise.
#0527
Socketabout 2 months ago6 min▣LLM reportmedium The GemStuffer campaign leverages the RubyGems package registry as an unconventional data exfiltration channel. Threat actors deploy Ruby scripts that scrape UK local government portals, package the harvested data into valid .gem archives, and push them to RubyGems using hardcoded API keys. The malware demonstrates defense evasion by overriding the HOME environment variable to a /tmp directory to isolate its credential environment, or by bypassing the gem CLI entirely to perform direct API POST requests.
#0526
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reportmedium The Canadian Centre for Cyber Security issued an advisory (AV26-457) highlighting multiple vulnerabilities in HPE Aruba Networking Operating Systems AOS-8 and AOS-10. Organizations utilizing affected ArubaOS versions are advised to review HPE's security bulletins (HPESBNW05048 and HPESBNW05049) and apply the recommended updates.
#0525
Trend Microabout 2 months ago8 min▣LLM reportcritical TeamPCP (SHADOW-WATER-058) executed a sophisticated supply chain campaign compromising developer toolchains across multiple ecosystems, including Docker Hub, PyPI, and GitHub Actions. The attacks leveraged CI/CD trust, such as unsanitized PR comments and stolen publisher tokens, to distribute credential-harvesting payloads via Python .pth files and the Bun runtime, targeting over 80 credential types and abusing live AWS APIs.