#0344
Palo Alto Networksabout 2 months ago6 min▣LLM reporthigh Unit 42 observed active, automated exploitation attempts targeting CVE-2023-33538, a command injection vulnerability in end-of-life TP-Link routers, to deploy Mirai-like botnet malware. While the observed in-the-wild attacks were flawed and failed, technical analysis confirmed the vulnerability is exploitable if attackers authenticate using default credentials, allowing them to inject shell commands via the ssid1 parameter.
#0343
Huntressabout 2 months ago4 min▣LLM reportmedium A third-party security researcher discovered a vulnerability in a staging environment via Server-Side Request Forgery (SSRF) probing. The incident underscores the critical importance of applying production-level security monitoring, access controls, and incident response capabilities to non-production environments to prevent them from becoming initial access vectors.
#0342
Huntressabout 2 months ago4 min▣LLM reportinfo A recent Huntress survey reveals that modern security teams struggle primarily with alert fatigue and a shifting threat landscape rather than budget constraints. Organizations are increasingly vulnerable to identity-based attacks such as business email compromise and session hijacking, necessitating a strategic pivot from traditional endpoint-centric prevention to Identity Threat Detection and Response (ITDR) supported by AI.
#0341
Huntressabout 2 months ago6 min▣LLM reportcritical A potentially unwanted program (PUP) signed by Dragon Boss Solutions LLC utilizes a silent update mechanism to deploy a sophisticated AV-killing PowerShell payload. The updater's primary domain was left unregistered, creating a severe supply chain vulnerability that exposed over 25,000 endpoints to arbitrary code execution before being sinkholed by researchers.
#0340
Sophosabout 2 months ago7 min▣LLM reportcritical Threat actors are actively abusing the QEMU hardware emulator to create hidden virtual machines on compromised hosts, effectively shielding their attack toolkits from endpoint detection and response (EDR) solutions. Recent campaigns, including those linked to the PayoutsKing ransomware group, leverage this technique alongside vulnerability exploitation and legitimate remote access tools to establish persistence, harvest credentials, and exfiltrate data.
#0339
Zscaler ThreatLabzabout 2 months ago5 min▣LLM reportcritical Payouts King is a sophisticated ransomware family operated by former BlackBasta affiliates. It gains initial access via social engineering tactics like spam bombing and Quick Assist, then deploys ransomware that utilizes direct system calls, custom API hashing, and robust RSA/AES encryption while actively evading EDR detection.
#0338
Cisco Talosabout 2 months ago5 min▣LLM reporthigh The Q1 2026 vulnerability landscape shows a continued rise in overall CVEs and KEVs, with a significant focus on software supply chain compromises and networking gear. A notable emerging threat is the abuse of the n8n AI workflow automation platform to bypass traditional security filters, alongside the discovery of the PowMix botnet targeting Czech workers and ongoing exploitation of legacy vulnerabilities.
#0337
Recorded Futureabout 2 months ago4 min▣LLM reportmedium Threat actors are increasingly utilizing business impersonation to exploit ecosystem gaps in the financial and retail sectors. By creating copycat corporate entities and AI-generated fake storefronts, fraudsters successfully bypass traditional security controls like Positive Pay and 3D Secure authentication to conduct commercial check fraud and card-not-present scams.
#0336
Sekoia.ioabout 2 months ago4 min▣LLM reportmedium Sekoia TDR details their methodology for automating .NET malware analysis, focusing on an obfuscated Covenant Grunt implant used by APT28. The researchers demonstrate how to programmatically decrypt strings and decompile code using pythonnet and dnlib, culminating in the release of RePythonNET-MCP, a tool that enables AI-assisted reverse engineering and configuration extraction.
#0335
Socketabout 2 months ago3 min▣LLM reportinfo The article highlights a podcast discussion featuring Socket CEO Feross Aboukhadijeh on the escalating threats to the open-source supply chain, including the Axios backdoor attack and nation-state targeting of maintainers. It emphasizes the systemic risks of relying on unreviewed open-source code and the dual role of AI in both exacerbating and defending against these emerging threats.
#0334
Microsoftabout 2 months ago7 min▣LLM reporthigh Microsoft Threat Intelligence identified a macOS-focused campaign by North Korean threat actor Sapphire Sleet that uses social engineering to deliver malicious AppleScripts disguised as Zoom updates. The attack leverages built-in macOS utilities like curl and osascript to bypass security controls, manipulate TCC databases, harvest credentials, and exfiltrate sensitive data such as cryptocurrency wallets.
#0333
Mandiantabout 2 months ago4 min▣LLM reporthigh The rapid advancement of AI models has significantly lowered the barrier for threat actors to discover vulnerabilities and generate exploits at scale, compressing the attack lifecycle. To defend against these machine-speed threats, organizations must modernize their security posture by integrating AI defensively, automating vulnerability management, securing software supply chains, and protecting newly deployed AI assets.
#0332
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reportcritical The Canadian Centre for Cyber Security issued advisories for critical vulnerabilities in Drupal core and Nginx UI. Notably, the Nginx UI vulnerability (CVE-2026-33032) is currently being exploited in the wild, requiring immediate patching and monitoring of exposed management interfaces.
#0331
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added CVE-2026-34197, an improper input validation vulnerability in Apache ActiveMQ, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize patching and remediation to reduce their exposure to cyberattacks.
#0330
ANY.RUNabout 2 months ago5 min▣LLM reporthigh BlobPhish is an evasive credential-phishing campaign that generates fake authentication forms directly in the victim's browser memory using Blob objects. By avoiding traditional HTTP requests and disk writes, it bypasses standard network and file-based detection mechanisms to steal high-value financial and cloud service credentials.
#0329
Recorded Futureabout 2 months ago4 min▣LLM reportcritical Threat actor TeamPCP leveraged stolen credentials to compromise trusted software repositories, including LiteLLM and Checkmarx, injecting credential-harvesting malware into the supply chain. This campaign highlights the severe business risks of identity compromise, as stolen access tokens enable downstream attacks such as ransomware, payroll redirection, and logistics fraud without triggering traditional perimeter alerts.
#0328
WithSecureabout 2 months ago7 min▣LLM reporthigh Threat actors are leveraging social media platforms, SEO poisoning, and AI agent responses to distribute ClickFix-style attacks disguised as tech tips. Victims are socially engineered into executing malicious PowerShell commands that initiate a fileless infection chain, bypassing traditional security controls to deploy information stealers like Vidar on their endpoints.
#0327
Mandiantabout 2 months ago4 min▣LLM reporthigh In 2025, Germany became the primary focus for cyber extortion in Europe, experiencing a 92% surge in data leak site victims. The disruption of major ransomware cartels has given rise to agile mid-tier groups like SAFEPAY and Qilin, who are heavily targeting the German Mittelstand (SMEs) and critical supply chain sectors such as manufacturing and professional services.
#0326
Cisco Talosabout 2 months ago6 min▣LLM reporthigh Threat actors are increasingly abusing the n8n AI workflow automation platform by leveraging its webhook functionality to bypass traditional security filters. These webhooks are embedded in phishing emails to serve CAPTCHA-protected malware payloads, including modified Datto and ITarian RMM tools, or to deploy invisible tracking pixels for device fingerprinting and reconnaissance.
#0325
Trend Microabout 2 months ago4 min▣LLM reportmedium The article highlights the critical shift towards identity-centric cybersecurity in the AI era, where human, machine, and AI-agent identities form the primary attack surface. It advocates for unified Identity Visibility and Intelligence Platforms (IVIP) to combat AI-generated phishing, insider risks, and fragmented visibility, emphasizing automated threat detection and response.