#0039
Trend Microabout 2 months ago6 min▣LLM reporthigh A new information stealer named BoryptGrab is being distributed through deceptive GitHub repositories that masquerade as legitimate software tools. The malware employs complex infection chains involving DLL side-loading, VBS downloaders, and encrypted payloads to deliver the stealer alongside additional backdoors like TunnesshClient and HeaconLoad.
#0038
Socketabout 2 months ago2 min▣LLM reportlow This article is a promotional announcement for the Socket team's attendance at the RSAC and BSidesSF 2026 conferences. It briefly highlights the growing industry trend of threat actors weaponizing AI coding assistants to execute supply chain attacks by slipping malicious dependencies into developer workflows.
#0037
Mandiantabout 2 months ago5 min▣LLM reportcritical Google Threat Intelligence Group's 2025 review highlights 90 exploited zero-day vulnerabilities, with a significant shift toward enterprise infrastructure and edge devices. Commercial surveillance vendors outpaced state-sponsored actors in zero-day usage, while financially motivated groups and PRC-nexus espionage operators continued to heavily leverage zero-days for initial access, persistence, and data theft.
#0036
Elastic Security Labsabout 2 months ago5 min▣LLM reporthigh This report details the taxonomy, evolution, and hooking techniques of Linux rootkits. It highlights the shift from userland and LKM-based rootkits to advanced evasive techniques leveraging eBPF and io_uring, which challenge traditional EDR visibility and kernel hardening measures.
#0035
CISAabout 2 months ago3 min▣LLM reporthigh CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with five additional flaws affecting Hikvision, Rockwell, and Apple products based on evidence of active exploitation. Organizations, particularly federal agencies under BOD 22-01, are urged to prioritize remediation to reduce their exposure to cyberattacks.
#0034
Akamaiabout 2 months ago4 min▣LLM reportmedium The article highlights the critical need to transition various network protocols, including SSH, IPsec, OpenPGP, and DNSSEC, to post-quantum cryptography (PQC) to mitigate the 'harvest now, decrypt later' threat. While TLS and SSH have clear upgrade paths with hybrid key exchanges, protocols like DNSSEC face complex architectural challenges due to signature sizes and UDP limitations.
#0033
Microsoftabout 2 months ago6 min▣LLM reportcritical Tycoon2FA is a widespread Adversary-in-the-Middle (AiTM) Phishing-as-a-Service platform operated by the threat actor Storm-1747. It enables cybercriminals to bypass standard multifactor authentication (MFA) at scale by intercepting session cookies and credentials using spoofed sign-in pages, custom CAPTCHAs, and complex redirect chains.
#0032
Trend Microabout 2 months ago4 min▣LLM reporthigh A coordinated international law enforcement and private sector operation successfully disrupted Tycoon 2FA, a prominent Phishing-as-a-Service (PhaaS) platform. The service enabled low-skill attackers to bypass multi-factor authentication (MFA) using adversary-in-the-middle (AitM) techniques to harvest credentials and session cookies, which were subsequently used for BEC and ransomware attacks.
#0031
Check Pointabout 2 months ago5 min▣LLM reportcritical Check Point Research discovered critical vulnerabilities in Anthropic's Claude Code CLI that enable Remote Code Execution (RCE) and API token exfiltration. By injecting malicious configurations into project files like .claude/settings.json and .mcp.json, attackers could execute arbitrary commands and steal API keys when a developer opens a compromised repository, leading to potential supply chain attacks and unauthorized access to shared Claude Workspaces.
#0030
Socketabout 2 months ago6 min▣LLM reportcritical Malicious versions of the Aqua Trivy VS Code extension were published to the OpenVSX registry, containing unauthorized code that hijacks locally installed AI coding assistants. By using carefully crafted natural language prompts and permissive execution flags, the payload instructs the AI agents to harvest sensitive developer credentials and system data, subsequently attempting to exfiltrate the information via available communication channels or by creating a new GitHub repository.
#0029
Check Pointabout 2 months ago7 min▣LLM reportcritical Check Point Research identified Silver Dragon, a Chinese-nexus APT group likely affiliated with APT41, targeting organizations in Southeast Asia and Europe. The group utilizes public-facing server exploits and phishing to deploy custom loaders that establish persistence via AppDomain hijacking and service manipulation. These loaders deliver Cobalt Strike and a novel Google Drive-based backdoor called GearDoor.
#0028
Socketabout 2 months ago5 min▣LLM reportcritical Socket's Threat Research Team discovered a supply chain attack involving malicious Packagist packages that deploy an encrypted Remote Access Trojan (RAT). The packages, disguised as Laravel utilities, execute automatically upon application boot or class autoloading, granting the attacker full remote shell access, file manipulation, and system reconnaissance capabilities across Windows, macOS, and Linux environments.
#0027
Check Pointabout 2 months ago4 min▣LLM reportcritical Iranian threat actors are actively exploiting vulnerabilities in Hikvision and Dahua IP cameras across the Middle East to support physical warfare operations. The compromised devices are utilized for battle damage assessment (BDA) and targeting correction during kinetic military operations, with exploitation spikes correlating closely with regional geopolitical events.
#0026
Sophosabout 2 months ago4 min▣LLM reporthigh Following coordinated military strikes by the U.S. and Israel against Iran, there has been a significant surge in hacktivist activity. Pro-Iran groups are conducting website defacements, DDoS attacks, doxxing, and claiming unverified attacks on critical infrastructure, while pro-Israel groups are retaliating, elevating the cyber threat landscape for organizations in the U.S., Israel, and the Middle East.
#0025
Palo Alto Networksabout 2 months ago7 min▣LLM reportcritical Adversaries are actively exploiting web-based Indirect Prompt Injection (IDPI) to manipulate Large Language Models (LLMs) and AI agents. By embedding hidden or obfuscated instructions within benign web content, attackers can coerce AI systems into performing unauthorized actions such as data destruction, SEO poisoning, and bypassing content moderation when the AI processes the webpage.
#0024
Mandiantabout 2 months ago9 min▣LLM reportcritical Google Threat Intelligence Group discovered 'Coruna', a highly sophisticated iOS exploit kit containing 23 exploits that target iOS versions 13.0 through 17.2.1. Initially observed in use by a commercial surveillance vendor, the kit has since proliferated to state-sponsored and financially motivated threat actors to deploy PLASMAGRID, a payload designed to steal cryptocurrency wallets and financial data.
#0023
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added two actively exploited vulnerabilities, CVE-2026-21385 (Qualcomm Memory Corruption) and CVE-2026-22719 (VMware Aria Operations Command Injection), to its Known Exploited Vulnerabilities (KEV) Catalog. Organizations are strongly urged to prioritize patching these flaws to reduce exposure to cyberattacks.
#0022
Arctic Wolfabout 2 months ago8 min▣LLM reporthigh Between January 2025 and January 2026, the India-nexus threat actor SloppyLemming conducted a cyber espionage campaign targeting government and critical infrastructure in Pakistan and Bangladesh. The campaign utilized PDF and Excel lures to deploy two custom implants—an in-memory shellcode backdoor named BurrowShell and a Rust-based keylogger—via DLL search order hijacking and extensive abuse of Cloudflare Workers infrastructure.
#0021
Cofenseabout 2 months ago4 min▣LLM reporthigh Threat actors are leveraging fake digital invitations mimicking trusted brands like Paperless Post to redirect victims to credential harvesting sites. These phishing pages impersonate major login portals and utilize fake error messages to extract multiple sets of credentials, employing newly registered domains and URL shorteners to evade detection.
#0020
Cofenseabout 2 months ago4 min▣LLM reporthigh A sophisticated phishing campaign is targeting Bitpanda cryptocurrency users by impersonating security update alerts. The attack utilizes a deceptively similar lookalike domain to harvest not only login credentials but also sensitive personally identifiable information (PII) such as addresses and dates of birth, which can be leveraged for identity theft or further account takeovers.