#0221
Infobloxabout 2 months ago5 min▣LLM reporthigh Cybercriminals are widely abusing the Keitaro ad tracking software as a Traffic Distribution System (TDS) to route victims to malware, crypto drainers, and scams. By utilizing cracked licenses, advanced traffic filtering, and third-party cloaking integrations, threat actors effectively evade detection while precisely targeting users based on device and geolocation.
#0220
Check Pointabout 2 months ago5 min▣LLM reportcritical Check Point Research discovered a zero-day vulnerability (CVE-2026-3502) in the TrueConf client update mechanism, exploited in 'Operation TrueChaos' against Southeast Asian governments. Attackers compromised on-premises TrueConf servers to distribute malicious updates, utilizing DLL sideloading and UAC bypass techniques to deploy the Havoc C2 framework.
#0219
Mandiantabout 2 months ago6 min▣LLM reportcritical A North Korea-nexus threat actor, UNC1069, executed a software supply chain attack by compromising the maintainer account of the widely used 'axios' NPM package. They introduced a malicious dependency that uses a postinstall hook to silently deploy the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux environments, enabling remote command execution and data theft.
#0218
NCSCabout 2 months ago3 min▣LLM reporthigh The NCSC and international partners have issued an alert regarding increased targeting of high-risk individuals by state-sponsored threat actors via messaging apps like WhatsApp and Signal. Attackers utilize social engineering, phishing links, and malicious QR codes to steal account recovery codes, link unauthorized devices, and intercept sensitive communications.
#0217
Zscaler ThreatLabzabout 2 months ago4 min▣LLM reporthigh Xloader is a highly obfuscated information stealer that evolved from Formbook. Recent versions (8.1+) introduce complex anti-analysis techniques, including out-of-order stack string construction and multi-layered RC4 encryption for its C2 communications, which utilize decoy servers to hide malicious traffic.
#0216
Cisco Talosabout 2 months ago4 min▣LLM reporthigh Ransomware tactics in 2025 have shifted heavily toward 'Living off the Land' (LotL) techniques, with threat actors leveraging valid accounts and built-in administrative tools like RDP, PowerShell, and PsExec to evade detection. Qilin has emerged as the most prolific ransomware group, utilizing double-extortion tactics, while manufacturing remains the most targeted industry.
#0215
Trail of Bitsabout 2 months ago3 min▣LLM reportlow Trail of Bits details their organizational shift to an AI-native workflow using Claude Code and autonomous agents. The post outlines their strategy for overcoming employee resistance, establishing an AI Maturity Matrix, and securing agent autonomy through sandboxing, curated marketplaces, and strict usage policies.
#0214
Elastic Security Labsabout 2 months ago7 min▣LLM reporthigh Elastic Security Labs identified a financially motivated operation dubbed REF1695 that distributes RATs and cryptominers via fake installer ISOs. The threat actor monetizes infections through Monero mining and CPA fraud, utilizing advanced evasion techniques like Themida packing, dynamic analysis tool detection, and a novel .NET implant named CNB Bot.
#0213
Palo Alto Networksabout 2 months ago5 min▣LLM reporthigh Unit 42 researchers discovered that malicious AI agents deployed in GCP Vertex AI could exploit default permission scoping to extract service agent credentials. This 'double agent' attack allows unauthorized access to consumer storage buckets, restricted Google internal infrastructure, and introduces risks of remote code execution via insecure pickle deserialization.
#0212
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security issued an advisory regarding a CLI ACL Bypass vulnerability (CVE-2026-34485) affecting multiple Nokia GX series devices. Administrators are advised to update affected devices to version GX r9.0 or later to mitigate the risk of unauthorized access.
#0211
Sophosabout 2 months ago4 min▣LLM reportcritical A supply chain attack compromised the widely used Axios npm package (versions 1.14.1 and 0.30.4) following a maintainer account takeover. The malicious packages deploy a cross-platform remote access trojan (RAT) during installation, which fetches second-stage payloads and actively evades forensic detection by cleaning up artifacts and altering package metadata.
#0210
Trend Microabout 2 months ago7 min▣LLM reportcritical The highly popular Axios npm package was compromised when an attacker hijacked a lead maintainer's account to publish malicious versions. These versions included a phantom dependency that deployed a cross-platform Remote Access Trojan (RAT) via a postinstall hook, utilizing advanced obfuscation and anti-forensic techniques to hide its presence. The attack highlights critical risks in the software supply chain, specifically regarding dependency resolution and CI/CD pipeline protections.
#0209
Akamaiabout 2 months ago2 min▣LLM reportlow Akamai announced that its Enterprise Application Access solution has achieved FedRAMP Moderate authorization. This certification enables U.S. federal agencies to adopt Akamai's Zero Trust Network Access (ZTNA) platform to meet government-wide cybersecurity mandates, such as OMB M-22-09, while protecting against lateral movement and credential stuffing.
#0208
NCSCabout 2 months ago3 min▣LLM reportcritical The NCSC has issued an urgent alert regarding CVE-2025-53521, an actively exploited, unauthenticated remote code execution vulnerability in F5 BIG-IP Access Policy Manager (APM). Organizations are strongly advised to investigate for compromise using vendor-provided indicators, apply updates immediately, and potentially rebuild affected systems if evidence of compromise is found.
#0207
Akamaiabout 2 months ago6 min▣LLM reportcritical Threat actor TeamPCP orchestrated a cascading supply chain attack by exploiting a misconfigured GitHub Actions workflow in Aqua Security's Trivy, harvesting credentials to compromise subsequent repositories including Checkmarx, LiteLLM, and Telnyx. The malicious packages deploy sophisticated, OS-specific remote access trojans (RATs) that utilize steganography, process hollowing, and ETW patching to evade detection while exfiltrating sensitive data.
#0206
Trend Microabout 2 months ago6 min▣LLM reportcritical The TeamPCP threat actor compromised the Telnyx Python SDK on PyPI, injecting malicious code that executes upon import. The attack utilizes split-file injection and WAV audio steganography to deliver credential-stealing malware, establishing persistence on Windows systems and exfiltrating data via plaintext HTTP.
#0205
Cofenseabout 2 months ago5 min▣LLM reportmedium A recent phishing campaign observed by the Cofense Phishing Defense Center uses highly realistic, spoofed LinkedIn notification emails to harvest user credentials. The attack leverages newly created sender domains and typosquatted landing pages to bypass traditional defenses and trick users into entering their login details on fraudulent portals.
#0204
Sekoia.ioabout 2 months ago7 min▣LLM reporthigh EvilTokens is a newly discovered Phishing-as-a-Service (PhaaS) platform that automates Microsoft device code phishing to facilitate Business Email Compromise (BEC). By tricking victims into authorizing a malicious device via legitimate Microsoft login portals, attackers harvest access and refresh tokens to gain persistent, unauthenticated access to Microsoft 365 environments.
#0203
Akamaiabout 2 months ago4 min▣LLM reportcritical A critical unauthenticated remote code execution vulnerability (APSB25-94) in Magento Open Source and Adobe Commerce allows attackers to upload polyglot files containing PHP code. By exploiting the REST API's cart item custom options, attackers can bypass basic image validation to deploy web shells and execute arbitrary code on the server.
#0202
Sophosabout 2 months ago5 min▣LLM reporthigh A phishing campaign tracked as STAC6405 uses event invitation lures to trick users into installing pre-configured legitimate RMM tools like LogMeIn Resolve and ScreenConnect. Once initial access is established, attackers deploy secondary payloads including HeartCrypt-packed infostealers and additional remote access tools, utilizing utilities to hide their activity from the user.