#0034
CISAabout 2 months ago3 min▣LLM reporthigh CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with five additional flaws affecting Hikvision, Rockwell, and Apple products based on evidence of active exploitation. Organizations, particularly federal agencies under BOD 22-01, are urged to prioritize remediation to reduce their exposure to cyberattacks.
#0033
Akamaiabout 2 months ago4 min▣LLM reportmedium The article highlights the critical need to transition various network protocols, including SSH, IPsec, OpenPGP, and DNSSEC, to post-quantum cryptography (PQC) to mitigate the 'harvest now, decrypt later' threat. While TLS and SSH have clear upgrade paths with hybrid key exchanges, protocols like DNSSEC face complex architectural challenges due to signature sizes and UDP limitations.
#0032
Microsoftabout 2 months ago6 min▣LLM reportcritical Tycoon2FA is a widespread Adversary-in-the-Middle (AiTM) Phishing-as-a-Service platform operated by the threat actor Storm-1747. It enables cybercriminals to bypass standard multifactor authentication (MFA) at scale by intercepting session cookies and credentials using spoofed sign-in pages, custom CAPTCHAs, and complex redirect chains.
#0031
Trend Microabout 2 months ago4 min▣LLM reporthigh A coordinated international law enforcement and private sector operation successfully disrupted Tycoon 2FA, a prominent Phishing-as-a-Service (PhaaS) platform. The service enabled low-skill attackers to bypass multi-factor authentication (MFA) using adversary-in-the-middle (AitM) techniques to harvest credentials and session cookies, which were subsequently used for BEC and ransomware attacks.
#0030
Check Pointabout 2 months ago5 min▣LLM reportcritical Check Point Research discovered critical vulnerabilities in Anthropic's Claude Code CLI that enable Remote Code Execution (RCE) and API token exfiltration. By injecting malicious configurations into project files like .claude/settings.json and .mcp.json, attackers could execute arbitrary commands and steal API keys when a developer opens a compromised repository, leading to potential supply chain attacks and unauthorized access to shared Claude Workspaces.
#0029
Socketabout 2 months ago6 min▣LLM reportcritical Malicious versions of the Aqua Trivy VS Code extension were published to the OpenVSX registry, containing unauthorized code that hijacks locally installed AI coding assistants. By using carefully crafted natural language prompts and permissive execution flags, the payload instructs the AI agents to harvest sensitive developer credentials and system data, subsequently attempting to exfiltrate the information via available communication channels or by creating a new GitHub repository.
#0028
Check Pointabout 2 months ago7 min▣LLM reportcritical Check Point Research identified Silver Dragon, a Chinese-nexus APT group likely affiliated with APT41, targeting organizations in Southeast Asia and Europe. The group utilizes public-facing server exploits and phishing to deploy custom loaders that establish persistence via AppDomain hijacking and service manipulation. These loaders deliver Cobalt Strike and a novel Google Drive-based backdoor called GearDoor.
#0027
Socketabout 2 months ago5 min▣LLM reportcritical Socket's Threat Research Team discovered a supply chain attack involving malicious Packagist packages that deploy an encrypted Remote Access Trojan (RAT). The packages, disguised as Laravel utilities, execute automatically upon application boot or class autoloading, granting the attacker full remote shell access, file manipulation, and system reconnaissance capabilities across Windows, macOS, and Linux environments.
#0026
Check Pointabout 2 months ago4 min▣LLM reportcritical Iranian threat actors are actively exploiting vulnerabilities in Hikvision and Dahua IP cameras across the Middle East to support physical warfare operations. The compromised devices are utilized for battle damage assessment (BDA) and targeting correction during kinetic military operations, with exploitation spikes correlating closely with regional geopolitical events.
#0025
Sophosabout 2 months ago4 min▣LLM reporthigh Following coordinated military strikes by the U.S. and Israel against Iran, there has been a significant surge in hacktivist activity. Pro-Iran groups are conducting website defacements, DDoS attacks, doxxing, and claiming unverified attacks on critical infrastructure, while pro-Israel groups are retaliating, elevating the cyber threat landscape for organizations in the U.S., Israel, and the Middle East.
#0024
Palo Alto Networksabout 2 months ago7 min▣LLM reportcritical Adversaries are actively exploiting web-based Indirect Prompt Injection (IDPI) to manipulate Large Language Models (LLMs) and AI agents. By embedding hidden or obfuscated instructions within benign web content, attackers can coerce AI systems into performing unauthorized actions such as data destruction, SEO poisoning, and bypassing content moderation when the AI processes the webpage.
#0023
Mandiantabout 2 months ago9 min▣LLM reportcritical Google Threat Intelligence Group discovered 'Coruna', a highly sophisticated iOS exploit kit containing 23 exploits that target iOS versions 13.0 through 17.2.1. Initially observed in use by a commercial surveillance vendor, the kit has since proliferated to state-sponsored and financially motivated threat actors to deploy PLASMAGRID, a payload designed to steal cryptocurrency wallets and financial data.
#0022
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added two actively exploited vulnerabilities, CVE-2026-21385 (Qualcomm Memory Corruption) and CVE-2026-22719 (VMware Aria Operations Command Injection), to its Known Exploited Vulnerabilities (KEV) Catalog. Organizations are strongly urged to prioritize patching these flaws to reduce exposure to cyberattacks.
#0021
Arctic Wolfabout 2 months ago8 min▣LLM reporthigh Between January 2025 and January 2026, the India-nexus threat actor SloppyLemming conducted a cyber espionage campaign targeting government and critical infrastructure in Pakistan and Bangladesh. The campaign utilized PDF and Excel lures to deploy two custom implants—an in-memory shellcode backdoor named BurrowShell and a Rust-based keylogger—via DLL search order hijacking and extensive abuse of Cloudflare Workers infrastructure.
#0020
Cofenseabout 2 months ago4 min▣LLM reporthigh Threat actors are leveraging fake digital invitations mimicking trusted brands like Paperless Post to redirect victims to credential harvesting sites. These phishing pages impersonate major login portals and utilize fake error messages to extract multiple sets of credentials, employing newly registered domains and URL shorteners to evade detection.
#0019
Cofenseabout 2 months ago4 min▣LLM reporthigh A sophisticated phishing campaign is targeting Bitpanda cryptocurrency users by impersonating security update alerts. The attack utilizes a deceptively similar lookalike domain to harvest not only login credentials but also sensitive personally identifiable information (PII) such as addresses and dates of birth, which can be leveraged for identity theft or further account takeovers.
#0018
NCSCabout 2 months ago3 min▣LLM reportmedium The NCSC has issued an alert advising UK organizations, particularly those with ties to the Middle East, to bolster their cybersecurity posture amid ongoing regional conflicts. While direct threats to the UK remain low, there is a heightened risk of collateral damage from Iran-linked hacktivists utilizing DDoS, phishing, and ICS targeting.
#0017
Cofenseabout 2 months ago6 min▣LLM reporthigh Threat actors are leveraging WebDAV and Windows File Explorer to deliver Remote Access Trojans (RATs) while bypassing traditional web browser security controls. By utilizing .url and .lnk shortcut files pointing to WebDAV servers hosted on temporary Cloudflare Tunnels, attackers can trick users into executing malicious scripts that appear as local files.
#0016
Infobloxabout 2 months ago5 min▣LLM reporthigh Threat actors are utilizing a novel phishing technique that abuses the implicitly trusted .arpa top-level domain and IPv6 tunnels to bypass standard security controls. By registering reverse DNS domains for IPv6 blocks and creating A records instead of PTR records, attackers host malicious content on infrastructure that evades reputation-based blocking and policy filters.
#0015
Trail of Bitsabout 2 months ago3 min▣LLM reportlow Trail of Bits has open-sourced mquire, a Linux memory forensics tool that eliminates the need for external kernel debug symbols. By utilizing embedded BTF and Kallsyms data, mquire allows incident responders to perform reliable memory analysis on unknown or custom Linux kernels using an intuitive SQL interface.