#0587
Huntressabout 2 months ago6 min▣LLM reporthigh Opportunistic threat actors continue to exploit exposed RDP, RDWeb, and vulnerable VPN configurations to gain initial access. Once inside, attackers deploy custom reverse tunnels, harvest credentials, and modify registry and firewall settings to establish persistent RDP access.
#0586
Huntressabout 2 months ago7 min▣LLM reporthigh The Ransomware-as-a-Service (RaaS) ecosystem relies heavily on affiliates who dictate the actual intrusion tradecraft, meaning a single ransomware brand can be associated with vastly different attack chains. Affiliates frequently abuse legitimate Remote Monitoring and Management (RMM) tools, exposed RDP, and vulnerable edge appliances for initial access, followed by the use of LOLBins and open-source utilities for persistence and data exfiltration.
#0585
Sophosabout 2 months ago4 min▣LLM reporthigh GitHub experienced an internal security incident where threat actor TeamPCP (UNC6780) compromised an employee's device using a malicious Visual Studio Code extension. The attacker harvested local developer secrets to clone approximately 3,800 internal repositories, which were subsequently listed for sale on a cybercrime forum.
#0584
Varonisabout 2 months ago4 min▣LLM reporthigh A malicious Visual Studio Code extension installed on a GitHub employee's endpoint provided the threat actor TeamPCP with access to exfiltrate approximately 3,800 internal repositories. The incident underscores the critical risk of IDE extensions serving as initial access vectors for supply-chain attacks, allowing threat actors to leverage developer privileges for large-scale data exfiltration.
#0583
Socketabout 2 months ago5 min▣LLM reportcritical A long-running typosquat of a popular Go decimal library was weaponized to include a DNS-based backdoor. The malicious package, github.com/shopsprint/decimal, uses an init() function to poll a dynamic DNS subdomain via TXT records, executing the returned strings as arbitrary commands on the host system.
#0582
Canadian Centre for Cyber Securityabout 2 months ago4 min▣LLM reporthigh The Canadian Centre for Cyber Security released a daily digest of five security advisories on May 20, 2026. The advisories highlight critical and high-severity vulnerabilities across FreePBX, F5 NGINX, Google Chrome, HPE Aruba Networking products, and cPanel, urging administrators to apply vendor-supplied patches immediately to prevent potential exploitation.
#0581
Cofenseabout 2 months ago5 min▣LLM reporthigh Threat actors are leveraging image steganography hosted on legitimate file-sharing platforms to deliver remote access trojans and information stealers. The attack chain utilizes a JavaScript dropper to extract a Base64-encoded DotNET loader from a seemingly benign image, which then injects the final payload into memory to evade endpoint detection.
#0580
Palo Alto Networksabout 2 months ago5 min▣LLM reporthigh TamperedChef (also known as EvilAI) is a widespread threat campaign distributing trojanized productivity applications via malvertising. The threat actors heavily abuse legitimate code-signing certificates and employ delayed execution techniques to evade detection, ultimately deploying information stealers, RATs, or adware onto victim endpoints after a dormancy period.
#0579KKasperskyabout 2 months ago4 min▣LLM reporthigh CVE-2026-3102 is a critical command injection vulnerability in ExifTool versions 13.49 and earlier on macOS. By embedding a malicious payload in an image's metadata and forcing ExifTool to copy it to the FileCreateDate tag using specific flags, an attacker can execute arbitrary shell commands with the privileges of the invoking user.
#0578
ESETabout 2 months ago7 min▣LLM reporthigh The China-aligned APT group Webworm has updated its toolset in 2025, shifting focus to European and South African targets. The group deployed two new custom backdoors, EchoCreep and GraphWorm, which abuse Discord and the Microsoft Graph API respectively for command and control. Additionally, Webworm utilizes a complex network of custom proxy tools and compromised infrastructure, including GitHub and Amazon S3, to stage payloads and exfiltrate data.
#0577
Akamaiabout 2 months ago5 min▣LLM reporthigh Financial services are facing an escalating threat landscape characterized by massive DDoS attacks, AI-empowered botnets, and targeted web attacks against API endpoints. Attackers are increasingly exploiting overlooked DNS misconfigurations and leveraging hyperscale IoT botnets to bypass traditional IP reputation defenses, necessitating a shift toward behavioral heuristics and adaptive security architectures.
#0576
Varonisabout 2 months ago4 min▣LLM reportmedium Varonis Threat Labs discovered 'GhostTree,' an evasion technique leveraging NTFS junctions to create recursive directory loops. By pointing multiple child junctions back to a parent directory, attackers can generate an exponentially large number of file paths, causing EDR and AV recursive scanners to hang and allowing malware to remain undetected.
#0575
Socketabout 2 months ago6 min▣LLM reportcritical A large-scale npm supply chain attack compromised hundreds of packages, notably within the @antv ecosystem, using a malware variant known as Mini Shai-Hulud. The malware executes upon installation to harvest sensitive developer and CI/CD secrets, exfiltrating them to a hardcoded C2 server or via a GitHub repository fallback, and leverages stolen npm tokens to propagate itself to other packages.
#0574
Cisco Talosabout 2 months ago4 min▣LLM reporthigh Cisco Talos disclosed a series of vulnerabilities affecting TP-Link routers, Adobe Photoshop, OpenVPN, and Norton VPN. Notably, a privilege escalation flaw in Norton VPN (CVE-2025-58074) was exploited in the wild before a patch was available, while the TP-Link flaws allow for remote code execution via command injection and buffer overflows.
#0573
Microsoftabout 2 months ago6 min▣LLM reporthigh Fox Tempest is a financially motivated threat actor providing malware-signing-as-a-service (MSaaS) to the cybercrime ecosystem. By abusing Microsoft Artifact Signing via stolen identities, they generate short-lived, fraudulent code-signing certificates that allow threat actors like Vanilla Tempest to bypass security controls and deploy payloads such as the Oyster backdoor and Rhysida ransomware.
#0572
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reportmedium The Canadian Centre for Cyber Security (CCCS) released a daily digest highlighting recent security advisories for various Industrial Control Systems (ICS) and Microsoft Edge. Organizations are advised to review the specific CISA ICS advisories for products from ABB, Siemens, and others, and to update Microsoft Edge to version 148.0.3967.70 or later.
#0571
Trend Microabout 2 months ago6 min▣LLM reporthigh Trend Micro MDR analyzed Banana RAT, a sophisticated banking trojan operated by SHADOW-WATER-063 targeting Brazilian financial institutions. The malware utilizes a server-side polymorphic build pipeline to deliver unique, AES-encrypted PowerShell payloads that execute filelessly in memory. Once active, it enables operator-driven fraud through remote input control, keylogging, deceptive banking overlays, and a specialized Pix QR code interception subsystem.
#0570
Cisco Talosabout 2 months ago7 min▣LLM reporthigh Cisco Talos has identified a commodity BadIIS malware ecosystem operating under a Malware-as-a-Service (MaaS) model, primarily used by Chinese-speaking threat actors for SEO fraud and traffic manipulation. The developer, known as 'lwxat', provides a dedicated builder and sophisticated service-based installers that ensure persistence on compromised Windows IIS servers while evading detection through custom Base64 encoding and service impersonation.
#0569
Sophosabout 2 months ago6 min▣LLM reporthigh WantToCry is a remote ransomware operation that targets internet-exposed SMB services using brute-force authentication. Instead of deploying local malware, attackers exfiltrate files, encrypt them on their own infrastructure, and write the encrypted versions back to the victim's network via authenticated SMB sessions, effectively bypassing traditional process-based EDR detections.
#0568
Zscaler ThreatLabzabout 2 months ago4 min▣LLM reportinfo The emergence of advanced AI models capable of rapid vulnerability discovery and exploit prototyping has rendered traditional reactive patching cycles obsolete. Organizations must transition to a Modern Defensible Architecture (MDA) utilizing Zero Trust, active deception, and automated containment to defend against machine-speed threats.