#0005
Arctic Wolfabout 2 months ago7 min▣LLM reportcritical Arctic Wolf Labs has identified a cyber espionage campaign by the Chinese-affiliated threat actor UNC6384 targeting European diplomatic entities. The campaign exploits the ZDI-CAN-25373 Windows shortcut vulnerability to deliver malicious LNK files, ultimately deploying the PlugX RAT via DLL side-loading of legitimate Canon printer utilities.
#0004about 2 months ago8 min■By me
CapeV2 is one of those tools that looks straightforward on paper and humbles you in practice. After several failed attempts over the years, I finally got a stable deployment running on July 8th 2025 — and have since rebuilt it cleanly multiple times. This guide is the consolidated walk-through I wish I'd had on the first attempt.
It targets a bare-metal Ubuntu 24.04 host running KVM with a Windows 10 guest. If your setup differs, the structure should still apply; only paths and IPs will change.
#0003about 2 months ago8 min▤RecapMay 4 – May 11
AI Rush Opens New Attack Paths as Trusted Cloud Services Fuel Phishing
The rush to adopt artificial intelligence is giving attackers two new advantages: convincing lures to trick users and poorly secured infrastructure to exploit. This week, multiple campaigns used fake websites for the Claude AI assistant to infect victims with password-stealing malware, while researchers revealed that commercial robots and AI connection protocols contain critical flaws that let hackers hijack them. Because organizations are deploying AI tools faster than they can secure them, attackers are finding easy entry points into corporate networks.
In parallel, phishing campaigns are increasingly hijacking trusted cloud services like Amazon's email platform and Vercel's AI-powered website builder to send messages that bypass security filters entirely. A massive campaign targeting US employees used fake HR reviews to steal login sessions even when multi-factor authentication was enabled, and the breach of the Canvas learning platform exposed data on 275 million people that can now be used for highly convincing follow-up scams. These trends together suggest that traditional defenses are losing effectiveness because attackers are hiding inside the systems we already trust.
Organizations should immediately patch the actively exploited Palo Alto Networks and Ivanti vulnerabilities flagged by CISA this week, require phishing-resistant authentication methods, and treat every AI tool and robot connected to their network as a high-risk device that needs strict monitoring.
#00022 months ago6 min▤RecapApr 27 – May 4
AI Weaponization and Developer Supply Chain Attacks Redefine the Perimeter
Attackers are aggressively targeting the software development process because compromising a single developer tool can unlock thousands of corporate networks. In parallel, artificial intelligence is collapsing the cost of attacks, allowing criminals to build convincing deepfakes and automated phishing campaigns in minutes. As a result, traditional security like multi-factor authentication is increasingly bypassed using tricks that steal active login sessions rather than passwords. These trends together suggest that relying on perimeter defenses and basic hygiene is no longer enough, as attackers hide inside trusted cloud services and legitimate software updates. This matters because organizations are losing visibility into where their sensitive data actually lives, especially as AI tools create hidden pathways into company systems. Defenders must shift their focus to monitoring user behavior after login and securing the automated systems that build their software. Watch for unusual activity in your developer tools and implement stricter checks on third-party software.
#00012 months ago7 min▤RecapApr 2026
AI Weaponization Collapses Trust as Identity Becomes the Perimeter
Attackers are using artificial intelligence to make phishing and social engineering dramatically cheaper and more convincing, as seen in BlueNoroff's AI-generated deepfake meetings targeting Web3 executives and the Bluekit phishing platform's built-in AI assistant that crafts lures on demand. Because these AI tools can generate convincing scams and steal session cookies to bypass multi-factor authentication, traditional email filters and basic MFA are no longer sufficient barriers. In parallel, attackers are shifting from hacking infrastructure to hijacking identity and trust systems—installing legitimate remote-access tools via phishing, exploiting API authentication flaws like BOLA, and harvesting credentials through malicious AI browser extensions that spy on users in real time. This identity-focused shift compounds with the persistent exploitation of older vulnerabilities; groups like SHADOW-EARTH-053 still use years-old ProxyLogon flaws on unpatched Exchange servers, while CISA confirms CVE-2026-32202 (Microsoft Windows) and CVE-2026-41940 (cPanel) are already being exploited in the wild. Because AI models like Claude Mythos can now autonomously chain these vulnerabilities into working exploits at machine speed, defenders cannot rely on manual patching cadences to stay safe. These trends together suggest that the real perimeter is no longer the firewall but the identity layer, and defending it requires phishing-resistant authentication, automated response, and rigorous vetting of developer pipelines and third-party trust. Watch for AI-accelerated exploitation of unpatched systems and invest in identity-centric, machine-speed defenses before the next wave of automated attacks outpaces your team's response.