#0119
Elastic Security Labsabout 2 months ago5 min▣LLM reporthigh Elastic Security Labs identified a new .NET loader dubbed SILENTCONNECT, which is distributed via phishing emails and Cloudflare Turnstile CAPTCHA pages. The loader utilizes living-off-the-land binaries, PEB masquerading, and UAC bypass techniques to silently install remote monitoring and management (RMM) tools like ScreenConnect for persistent access.
#0118
Huntressabout 2 months ago5 min▣LLM reporthigh Attackers are utilizing the SOAPHound enumeration tool to map Active Directory environments by querying non-existent LDAP attributes. Due to Active Directory's query optimization logic, these queries are transformed into a generic '(! (FALSE))' pattern in Event ID 1644 logs, effectively hiding the tool's signature and bypassing traditional string-based detection mechanisms.
#0117
CrowdStrikeabout 2 months ago2 min▣LLM reportlow CrowdStrike has expanded its FedRAMP High authorized Falcon Platform for Government to include Falcon for XIoT, providing federal agencies with unified visibility, AI-powered risk prioritization, and threat detection across converged IT and OT environments.
#0116
ESETabout 2 months ago7 min▣LLM reportcritical Ransomware affiliates increasingly rely on EDR killers—ranging from BYOVD exploits and abused anti-rootkits to driverless tools—to disrupt security solutions prior to deploying encryptors. This approach allows encryptors to remain simple while the EDR killers handle complex defense evasion, complicating attribution and defense strategies.
#0115
Canadian Centre for Cyber Securityabout 2 months ago2 min▣LLM reportcritical The Canadian Centre for Cyber Security issued an advisory regarding a critical vulnerability in multiple versions of the Ubiquiti UniFi Network application. Administrators are strongly encouraged to apply the latest vendor updates to mitigate potential risks.
#0114
CrowdStrikeabout 2 months ago2 min▣LLM reportlow CrowdStrike announced new product capabilities at Fal.Con Gov 2026 aimed at modernizing national security and protecting critical government systems. The updates include Falcon Flex for flexible procurement and new Charlotte AI features for automated, natural language-driven security investigations within FedRAMP-authorized environments.
#0113
Trend Microabout 2 months ago7 min▣LLM reporthigh A targeted campaign is delivering the PureLog Stealer via localized copyright violation lures. The attack employs a sophisticated multi-stage infection chain, utilizing a Python-based loader to bypass AMSI, establish registry persistence, and execute the final .NET stealer entirely in memory to evade detection.
#0112
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added CVE-2026-20131, a deserialization of untrusted data vulnerability affecting Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC), to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.
#0111PProjectzeroabout 2 months ago5 min▣LLM reporthigh Security researchers identified and disclosed nine methods to bypass the new Windows Administrator Protection feature by abusing the UI Access flag. These bypasses leveraged logical flaws in secure directory checks, shared user profiles, and RPC method handling to achieve arbitrary code execution and privilege escalation.
#0110
SentinelOneabout 2 months ago4 min▣LLM reportinfo SentinelOne Labs developed a multi-agent LLM architecture using OpenClaw and Claude models to automate malware reverse engineering. By employing a serial consensus pipeline with an active rejection mandate, the system forces independent tool agents (radare2, Ghidra, Binary Ninja, IDA Pro) to cross-validate findings, significantly reducing decompiler artifacts and hallucinations.
#0109
Sophosabout 2 months ago6 min▣LLM reporthigh Security researchers have identified the Keenadu backdoor embedded in the firmware of multiple low-cost Android devices. The malware compromises the core Zygote process via a trojanized shared object library, allowing it to download second-stage modules for ad fraud and potentially exposing corporate credentials on BYOD devices.
#0108
Palo Alto Networksabout 2 months ago4 min▣LLM reportmedium Unit 42 analyzed two malware samples leveraging Large Language Models (LLMs) for remote decision-making. One is a .NET infostealer using GPT-3.5-Turbo for superficial 'AI theater', while the other is a Golang dropper that uses GPT-4 to evaluate system telemetry and determine if the environment is safe to deploy a Sliver payload.
#0107PProjectzeroabout 2 months ago5 min▣LLM reporthigh The GetProcessHandleFromHwnd API contains historical design flaws allowing attackers to bypass User Interface Privilege Isolation (UIPI) and hijack Protected Processes. By forcing a protected process like WerFaultSecure.exe to create a window, attackers can obtain a privileged handle to inject shellcode, a vulnerability that remains exploitable on Windows 10 and pre-24H2 Windows 11 systems.
#0106
Recorded Futureabout 2 months ago4 min▣LLM reporthigh In 2025, Insikt Group observed the continued dominance of Cobalt Strike, AsyncRAT, and infostealers like Vidar, alongside the rise of new offensive tools such as RedGuard, Ligolo, and CastleLoader. The report highlights the critical role of Threat Activity Enablers (TAEs) and the abuse of legitimate infrastructure services, such as CDNs, in sustaining cybercriminal and APT operations.
#0105
Trend Microabout 2 months ago3 min▣LLM reportmedium The convergence of IT and OT in electric grid infrastructure has increased the risk of lateral movement by adversaries. To protect critical operations and comply with regulations like NERC-CIP-15, organizations must implement deep east-west network visibility capable of understanding specialized industrial protocols.
#0104
Trend Microabout 2 months ago3 min▣LLM reportinfo Trend Micro collaborated with INTERPOL and other global law enforcement agencies in Operation Synergia III, leading to the takedown of 45,000 malicious servers and 94 arrests. The operation targeted distributed infrastructure supporting widespread cybercrime, including BEC, phishing, and extortion schemes.
#0103
Mandiantabout 2 months ago5 min▣LLM reportcritical Google Threat Intelligence Group discovered DarkSword, a sophisticated iOS full-chain exploit leveraging six zero-day vulnerabilities to target iOS 18.4-18.7 devices. Adopted by multiple state-sponsored actors and commercial surveillance vendors, the pure-JavaScript exploit chain bypasses modern iOS mitigations to deploy data-mining payloads like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
#0102
Akamaiabout 2 months ago4 min▣LLM reporthigh The proliferation of autonomous AI agents like OpenClaw has introduced severe security risks, including unauthorized data access and silent exfiltration via prompt injection and malicious plug-ins. To mitigate these threats, organizations must transition from local agent deployments to hardened, isolated cloud environments utilizing defense-in-depth strategies such as kernel-level eBPF monitoring and runtime prompt interception.
#0101
Zscaler ThreatLabzabout 2 months ago5 min▣LLM reporthigh SnappyClient is a newly discovered C++ C2 framework implant delivered via HijackLoader, primarily designed for cryptocurrency theft and remote access. It utilizes advanced evasion techniques such as AMSI patching, Heaven's Gate, and transacted hollowing to bypass security controls, including Chromium's App-Bound Encryption, while communicating over a custom ChaCha20-Poly1305 encrypted protocol.
#0100
Socketabout 2 months ago2 min▣LLM report The TC39 committee has advanced the Temporal API to Stage 4, marking its official inclusion in the ECMAScript 2026 specification as a modern, immutable replacement for JavaScript's legacy Date object.