#0489
Recorded Futureabout 2 months ago5 min▣LLM reporthigh Threat Activity Enablers (TAEs) are infrastructure providers that deliberately support malicious cyber operations by offering resilient, bulletproof hosting. By leveraging corporate shell companies, controlling Autonomous Systems (ASNs), and rapidly rebranding, TAEs like Virtualine Technologies and Stark Industries evade sanctions and takedowns to sustain ransomware, botnet, and state-sponsored campaigns.
#0488
Cofenseabout 2 months ago4 min▣LLM reporthigh Threat actors are increasingly leveraging Vercel's GenAI capabilities, specifically v0.dev, to rapidly generate and host highly convincing credential phishing pages. By combining AI-generated frontends with Telegram Bot API integrations for real-time credential exfiltration, attackers can deploy resilient, low-effort phishing infrastructure on legitimate cloud services that evades traditional detection mechanisms.
#0487
CERT-EUabout 2 months ago3 min▣LLM reportcritical Palo Alto Networks has disclosed a critical buffer overflow vulnerability (CVE-2026-0300, CVSS 9.3) in the PAN-OS User-ID Authentication Portal. This flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls, with limited active exploitation already observed in the wild.
#0486KKasperskyabout 2 months ago6 min▣LLM reporthigh OceanLotus is suspected of orchestrating a PyPI supply chain attack using malicious wheel packages to deliver a novel cross-platform malware named ZiChatBot. The malware acts as a dropper for Windows and Linux systems, establishing persistence and utilizing the Zulip team chat application's REST APIs for command and control.
#0485
SentinelOneabout 2 months ago4 min▣LLM reportmedium This article summarizes a LABScon 25 presentation by Joe FitzPatrick on the systemic risks introduced by foreign-manufactured networked devices in critical infrastructure and consumer markets. It highlights issues such as undocumented cellular radios, mandatory product activation, and the ineffectiveness of import bans, advocating instead for hardware bills of materials and right-to-repair legislation.
#0484
Canadian Centre for Cyber Securityabout 2 months ago4 min▣LLM reportcritical The Canadian Centre for Cyber Security released a daily digest highlighting three security advisories. The most critical is an actively exploited, unauthenticated buffer overflow vulnerability (CVE-2026-0300) affecting the Palo Alto Networks PAN-OS User-ID Authentication Portal. Additional routine security updates were announced for Google Chrome and VMware Tanzu GemFire Management Console.
#0483
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added CVE-2026-0300, an out-of-bounds write vulnerability affecting Palo Alto Networks PAN-OS, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize remediation to reduce exposure to cyberattacks.
#0482
Akamaiabout 2 months ago4 min▣LLM reporthigh Model Context Protocol (MCP) servers introduce a new attack surface akin to AI-native APIs, exposing organizations to protocol-level attacks, injection vulnerabilities, and authorization bypasses. Because MCP tools often use permissive validation to accommodate LLM inputs and proactively broadcast their capabilities via plain-English descriptions, attackers can easily map business logic and exploit downstream systems or trigger resource exhaustion.
#0481
Socketabout 2 months ago4 min▣LLM reporthigh A recent security audit of PyPI by Trail of Bits uncovered 14 vulnerabilities, including high-severity access control flaws that allowed unauthorized role escalation and persistent stale permissions across project transfers. Additionally, a JWT replay vulnerability in the OIDC trusted publishing flow and an unpatched metadata validation gap highlight ongoing supply chain risks for Python package consumers.
#0480
Zscaler ThreatLabzabout 2 months ago6 min▣LLM reporthigh Threat actors are exploiting the OpenClaw AI agent framework by publishing a deceptive 'DeepSeek-Claw' skill that distributes malware. The campaign utilizes malicious installation instructions to deploy Remcos RAT on Windows via DLL sideloading and GhostLoader on macOS/Linux via obfuscated Node.js scripts, enabling persistent access and data exfiltration.
#0479
ANY.RUNabout 2 months ago6 min▣LLM reporthigh A large-scale phishing campaign is targeting U.S. organizations across multiple sectors using fake event invitations. The campaign employs a repeatable infrastructure to bypass initial defenses via CAPTCHA, subsequently leading to either credential and OTP interception or the deployment of legitimate Remote Monitoring and Management (RMM) tools for persistent access.
#0478
Cisco Talosabout 2 months ago7 min▣LLM reporthigh Cisco Talos identified an intrusion campaign utilizing the CloudZ RAT and a novel plugin named Pheno to intercept SMS and OTP messages. The malware abuses the Microsoft Phone Link application's PC-to-phone bridge, allowing attackers to steal sensitive authentication data from local SQLite databases without deploying malware directly to the victim's mobile device.
#0477
Cisco Talosabout 2 months ago9 min▣LLM reportcritical Cisco Talos identified UAT-8302, a China-nexus APT, targeting global government entities using a diverse toolkit of custom and shared malware. The threat actor leverages DLL side-loading to deploy implants like NetDraft, CloudSorcerer v3, and VSHELL, while utilizing open-source tools for extensive network reconnaissance, credential harvesting, and lateral movement.
#0476
Trend Microabout 2 months ago7 min▣LLM reporthigh The InstallFix campaign leverages malvertising to distribute fake Claude AI installation pages, tricking users into executing malicious MSHTA commands. This initiates a multi-stage, fileless infection chain utilizing a ZIP/HTA polyglot, COM object abuse, and AMSI/SSL bypasses to deliver a payload associated with RedLine Stealer. The campaign demonstrates advanced evasion tactics, including the use of victim-unique C2 subdomains derived from machine fingerprints.
#0475
Recorded Futureabout 2 months ago5 min▣LLM reportcritical Recent research highlights severe security flaws in commercially available embodied AI systems, specifically Unitree humanoid and quadruped robots. Vulnerabilities including undocumented backdoors, hard-coded cryptographic keys, and unauthenticated APIs enable remote attackers to hijack devices, exfiltrate sensitive multimodal telemetry, and pivot across physical fleets via wireless interfaces.
#0474
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reportmedium The Canadian Centre for Cyber Security released a daily digest highlighting May 2026 security rollups for Qualcomm and Android, alongside a specific advisory for Apache HTTP Server versions 2.4.66 and prior. Organizations utilizing these technologies are advised to review the respective vendor bulletins and apply available patches to mitigate potential vulnerabilities.
#0473
Trail of Bitsabout 2 months ago6 min▣LLM reporthigh The article details two C/C++ security vulnerabilities based on code challenges. The first is a Linux command injection flaw caused by the inetntoa function's global buffer reuse and inetaton accepting trailing garbage. The second is a Windows driver Local Privilege Escalation (LPE) vulnerability stemming from missing RTLQUERYREGISTRYTYPECHECK flags during RtlQueryRegistryValues API calls. This omission allows attackers to leverage registry type confusion (e.g., using REGBINARY or REGSZ instead of REGDWORD) to overwrite kernel stack memory via writable keys in trusted system hives.
#0472
ESETabout 2 months ago9 min▣LLM reporthigh North Korea-aligned APT ScarCruft executed a multi-platform supply-chain attack compromising the sqgame platform to target ethnic Koreans in China's Yanbian region. The campaign distributed the BirdCall backdoor via trojanized Android applications and malicious Windows updates (which initially dropped RokRAT), enabling extensive espionage capabilities including data exfiltration, audio recording, and screen capture.
#0471
Akamaiabout 2 months ago5 min▣LLM reporthigh Delegated Managed Service Accounts (dMSAs) introduce a Kerberos-based authentication model to replace LDAP password retrieval, enhancing Active Directory security. However, the Ouroboros technique demonstrates that attackers controlling dMSA permissions can exploit the successor logic to inherit the privileges of superseded legacy accounts. This turns the dMSA into a persistence and account takeover primitive, requiring defenders to monitor internal authorization paths rather than just password retrieval events.
#0470
Trend Microabout 2 months ago7 min▣LLM reportcritical Quasar Linux (QLNX) is an advanced, previously undocumented Linux Remote Access Trojan (RAT) designed to compromise developer workstations and facilitate supply chain attacks. It employs sophisticated evasion techniques, including fileless execution, process name spoofing, and dynamically compiled LD_PRELOAD and eBPF rootkits, alongside a PAM backdoor to harvest critical cloud and repository credentials.