Latest Threat Intel Articles
Hackers Exploit Adobe PDF Flaw for Months to Steal Data, No Fix Yet
A critical Adobe Acrobat zero-day has been exploited for months via malicious PDFs to steal data and potentially take over systems, with no patch yet available. The post Hackers Exploit Adobe PDF Flaw for Months to Steal Data, No Fix Yet appeared first on TechRepublic.
The threat hunter’s gambit
Bill discusses why obsessing over strategy games is actually a secret weapon to outsmart threat actors.
Protecting Cookies with Device Bound Session Credentials
Posted by Ben Ackerman, Chrome team, Daniel Rubery, Chrome team and Guillaume Ehinger, Google Account Security team Following our April 2024 announcement, Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, and expanding to macOS in an upcoming Chrome...
New Apple Scam Hits Millions of iPhone Users Worldwide, Draining Bank Accounts
Apple warns of a new scam targeting millions of iPhone users. Learn the red flags, how it works, and how to protect your account and finances. The post New Apple Scam Hits Millions of iPhone Users Worldwide, Draining Bank Accounts appeared first on TechRepublic.
Massive Data Breach Exposes 337K LAPD-Linked Records
A massive breach exposed 337K LAPD-linked files, raising concerns over third-party risk, sensitive data exposure, and law enforcement cybersecurity gaps. The post Massive Data Breach Exposes 337K LAPD-Linked Records appeared first on TechRepublic.
Q1 2026 Attack Technique Trends Report
Overview: The cyber attack landscape in Q1 2026 was characterized by a step change from traditional mass-automated threats, with accelerated penetration rates driven by the use of AI, identity-centric attacks, exploitation of supply chain and SaaS linkages, and a combination of social engineering and vulnerability...
How Phishing Is Targeting Germany’s Economy: Active Threats from Finance to Manufacturing
Germany’s economy is a precision machine: finance fuels it, manufacturing builds it, telecom connects it, IT optimizes it, and healthcare sustains it. The country sits at the crossroads of industrial power and digital transformation, making it irresistibly attractive to attackers. In this article, we explore...
From the field to the report and back again: How incident responders can use the Year in Review
The Year in Review distills Talos IR's observations into structured intelligence, but defenders should also be feeding this report back into their own preparation cycles. Here's how.
Cracks in the Bedrock: Agent God Mode
Unit 42 reveals "Agent God Mode" in Amazon Bedrock AgentCore. Broad IAM permissions lead to privilege escalation and data exfiltration risks. The post Cracks in the Bedrock: Agent God Mode appeared first on Unit 42.
Why Operationalizing AI Security Is the Next Great Enterprise Hurdle
NWN launches an AI-powered security platform to tackle tool sprawl, alert fatigue, and modern cyber threats in the era of agentic enterprises. The post Why Operationalizing AI Security Is the Next Great Enterprise Hurdle appeared first on TechRepublic.
10 ChatGPT AI Prompts L1 SOC Analysts Can Use in Their Daily Work
Discover 10 practical ChatGPT prompts SOC analysts can use to speed up triage, analyze threats, improve documentation, and enhance incident response workflows. The post 10 ChatGPT AI Prompts L1 SOC Analysts Can Use in Their Daily Work appeared first on TechRepublic.
Ransom & Dark Web Issues Week 2, April 2026
ASEC Blog publishes Ransom & Dark Web Issues Week 2, April 2026: Emergence of New Ransomware Group ‘KryBit’; Gunra, Ransomware Attack Targeting South Korean Pharmaceutical Company; DragonForce, Ransomware Attack Targeting Egyptian Generic Drug Developer and Manufacturer
Q1 2026 Vulnerability Trends Report
Overview: This report focuses on the top high-risk vulnerabilities that were disclosed or confirmed exploited in Q1 2026 and analyzes overall vulnerability trends for the period. Key characteristics of Q1 include an increase in remote code execution and authentication bypass family vulnerabilities, accelerated...
New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations
Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.”
Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox
Unit 42 uncovers critical vulnerabilities in Amazon Bedrock AgentCore's sandbox, demonstrating DNS tunneling and credential exposure. The post Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox appeared first on Unit 42.
Talos Takes: 2025's ransomware trends and zombie vulnerabilities
In this episode of Talos Takes, Amy and Pierre Cadieux unpack the ransomware and vulnerability trends that defined 2025.
The Trojan horse of cybercrime: Weaponizing SaaS notification pipelines
Cisco Talos has recently observed an increase in activity that is leveraging notification pipelines in popular collaboration platforms to deliver spam and phishing emails.
Understanding Current Threats to Kubernetes Environments
Unit 42 uncovers escalating Kubernetes attacks, detailing how threat actors exploit identities and critical vulnerabilities to compromise cloud environments. The post Understanding Current Threats to Kubernetes Environments appeared first on Unit 42.
Post-Quantum Cryptography: Moving From Awareness to Execution
Google recently released important research that moves Q-Day — the day quantum computers will be able to “break the Internet” — up to 2029. How should enterprises secure their systems?
When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications
Unit 42 research on multi-agent AI systems on Amazon Bedrock reveals new attack surfaces and prompt injection risks. Learn how to secure your AI applications. The post When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications appeared first on Unit 42.
Google Workspace’s continuous approach to mitigating indirect prompt injections
Posted by Adam Gavish, Google GenAI Security Team Indirect prompt injection (IPI) is an evolving threat vector targeting users of complex AI applications with multiple data sources, such as Workspace with Gemini. This technique enables the attacker to influence the behavior of an LLM by injecting malicious...
BreachForums analyzes data breach incident (“Doomsday The Story of James”)
Introduction: What is BreachForums? Who is BreachForums? BreachForums is a criminal marketplace where hackers buy and sell personal information (emails, passwords, credit card information, etc.) stolen from companies or government agencies. It is a large online community with hundreds of thousands of members, a...
Threat Brief: Widespread Impact of the Axios Supply Chain Attack
Unit 42 discusses the supply chain attack targeting Axios. Learn about the full attack chain, from the dropper to forensic cleanup. The post Threat Brief: Widespread Impact of the Axios Supply Chain Attack appeared first on Unit 42.
Ransom & Dark Web Issues Week 1, April 2026
ASEC Blog publishes Ransom & Dark Web Issues Week 1, April 2026: Ransomware group NetRunner attack against the Indian subsidiary of a South Korean auto parts manufacturer; Ransomware group Everest attack against a major Japanese automaker; ShinyHunters claims of source code and internal data leak from a U.S. network...
Major Cyber Attacks in March 2026: OAuth Phishing, SVG Smuggling, Magecart, and More
March 2026 brought a wave of cyber attacks that reflected how quickly modern threats can move from subtle early signals to serious business impact. ANY.RUN analysts identified and explored several major threats this month, exposing phishing campaigns, stealthy malware, payment-skimming activity, and resilient...
VRP 2025 Year in Review
Posted by Dirk Göhmann, Tony Mendez, and the Vulnerability Rewards Program Team 2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉! Originally started in 2010, our vulnerability reward program (VRP) has seen constant additions and...
Cloudflare Client-Side Security: smarter detection, now open to everyone
We are opening our advanced Client-Side Security tools to all users, featuring a new cascading AI detection system. By combining graph neural networks and LLMs, we've reduced false positives by up to 200x while catching sophisticated zero-day exploits.
RSAC 2026 Highlights: From Agentic AI to Active Defense
How can enterprises scale cyber defenses for the coming agentic workforce? What are the top cyber trends and challenges flowing from our new normal? Let’s explore through an RSAC lens.
Active Magecart Campaign Targets Spain, Steals Card Data via Hijacked eStores for Bank Fraud
A large-scale magecart operation remained active for over 24 months, leveraging an infrastructure of 100+ domains. While the targeted victims are e-commerce websites, the actual pressure falls on banks and payment systems. As ANY.RUN’s analysis shows, threat actors applied multi-step checkout hijacking, payment...
Introducing Intelligence Center 3.7: Faster decisions with clearer context across defense and enterprise
Counting intelligence outputs is simple: volume, velocity, coverage. The real question is this: does your intelligence improve decisions under pressure, with confidence you can defend?
Free TIP Bundles to test, validate, and operationalize threat intelligence faster
You cannot confidently choose threat intelligence integrations and services when you have to commit before you can validate operational impact. That is how you end up with tools that look good on paper, but do not always reduce triage time, improve detection quality, or support response the way you hoped.
Disarming disinformation: How EclecticIQ helps you analyze and track influence operations with the DISARM Framework
Disinformation is no longer just a nuisance. It’s a weapon leveraged by both state and non-state actors. For information operations analysts tracking influence campaigns across elections, national security threats, and coordinated disinformation efforts, the challenge is growing. Whether you work in a government...
Deduplication, done right: Full control, full context, one entity
Threat intelligence teams deal with a constant influx of data from multiple providers, often describing the same threat actor, malware, or vulnerability in slightly different ways. Instead of speeding up analysis, this duplication adds friction and slows decisions.
Security for the Quantum Era: Implementing Post-Quantum Cryptography in Android
Posted by Eric Lynch, Product Manager, Android and Dom Elliott, Group Product Manager, Google Play Modern digital security is at a turning point. We are on the threshold of using quantum computers to solve "impossible" problems in drug discovery, materials science, and energy—tasks that even the most powerful...
Kamasers Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide
DDoS attacks are no longer only an infrastructure problem. They can quickly turn into a business issue, affecting uptime, customer experience, and operational stability. Kamasers is a strong example of this new reality, with broad attack capabilities and resilient command-and-control mechanisms that allow it to...
What Is Physical AI, and What Does It Mean for Government?
From Davos insights to state readiness, let‘s explore how robotics and sensors are moving artificial intelligence into the physical world.
Millions of iPhones can be hacked with a new tool found in the wild
DarkSword, a powerful iPhone-hacking technique, has been discovered in use by Russian hackers.
How World ID wants to put a unique human identity on every AI agent
Iris scan-backed tokens could help stop agent swarms from overwhelming online systems.
Researchers disclose vulnerabilities in IP KVMs from four manufacturers
Internet-exposed devices that give BIOS-level access? What could possibly go wrong?
New Federal Strategies, Rising Risk From Iran Top Cyber Themes
When cybersecurity experts from the public and private sectors gathered this week, AI and critical infrastructure took a back seat to frontline defense in light of recent international headlines.
MicroStealer Analysis: A Fast-Spreading Infostealer with Limited Detection
Security teams depend on early signals to spot and contain new threats. But what happens when a fully capable infostealer spreads while traditional detections stay limited? In recent investigations, ANY.RUN researchers observed MicroStealer in 40+ sandbox sessions in less than a month, despite low public...
Announcing Cloudflare Account Abuse Protection: prevent fraudulent attacks from bots and humans
Blocking bots isn’t enough anymore. Cloudflare’s new fraud prevention capabilities — now available in Early Access — help stop account abuse before it starts.
AI Security for Apps is now generally available
Cloudflare AI Security for Apps is now generally available, providing a security layer to discover and protect AI-powered applications, regardless of the model or hosting provider. We are also making AI discovery free for all plans, to help teams find and secure shadow AI deployments.
Mission-ready threat intelligence: Aligning with doctrine through Defense TIP
The defense community deserves a threat intelligence platform that speaks their language. With our new Defense TIP mode, EclecticIQ aligns fully with NATO and US military doctrine, eliminating the friction caused by mismatched terminology, structure, and limited interoperability with joint and coalition...
Investigating multi-vector attacks in Log Explorer
Log Explorer customers can now identify and investigate multi-vector attacks. Log Explorer supports 14 additional Cloudflare datasets, enabling users to have a 360-degree view of their network.
Fixing request smuggling vulnerabilities in Pingora OSS deployments
Today we’re disclosing request smuggling vulnerabilities when our open source Pingora service is deployed as an ingress proxy and how we’ve fixed them in Pingora 0.8.0.
Securing Critical Infrastructure in a Time of War
A deep dive into Iranian cyber warfare and actionable defenses for network operators.
With developer verification, Google's Apple envy threatens to dismantle Android's open legacy
Questions remain as Google prepares to lock down Android app distribution in the name of security.
Cultivating a robust and efficient quantum-safe HTTPS
Posted by Chrome Secure Web and Networking Team Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. The Internet Engineering Task Force (IETF) recently created a working group, PKI, Logs, And Tree Signatures (“PLANTS”), aiming to address the performance and...
New AirSnitch attack bypasses Wi-Fi encryption in homes, offices, and enterprises
That guest network you set up for your neighbors may not be as secure as you think.
TAG Bulletin: Q4 2025
An overview of coordinated influence operation campaigns terminated on our platforms in Q4 2025.
Autumn Dragon: China-nexus APT Group Targets South East Asia
In this report, we describe how we tracked for several months a sustained espionage campaign against the government, media, and news sectors in several countries including Laos, Cambodia, Singapore, the Philippines and Indonesia. Since early 2025, China’s involvement in the Indo-Pacific has been more prolific, from...
TAG Bulletin: Q3 2025
Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q3 2025.
Earth Estries alive and kicking
Earth Estries, also known as Salt Typhoon and a few other names, is a China-nexus APT actor, and is known to have used multiple implants such as Snappybee (Deed RAT), ShadowPad, and several more. In their latest campaign, the actor leverages one of the latest WinRAR vulnerabilities that will ultimately lead to...
Lessons from the BlackBasta Ransomware Attack on Capita
Introduction: When a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention. On 15 October 2025, the UK Information Commissioner’s Office (ICO) published a detailed 136-page report about the Capita breach. The aim of this blog is to extract...
Ransomware Tool Matrix Update: Community Reports
Introduction The Ransomware Tool Matrix continues to be a useful passion project that I am happy to continue maintaining. One piece of common feedback I've received for the Ransomware Tool Matrix was that individuals would like to contribute their observations to it, but do not have public links they can cite (such...
Three Lazarus RATs coming for your cheese
Authors: Yun Zheng Hu and Mick Koomen Introduction In the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus subgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps with activity linked to...
TAG Bulletin: Q2 2025
Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q2 2025.
Steam Phishing: popular as ever
A month or so ago a friend of mine received the following message on Steam from someone in their Friends list (they were already friends): Figure 1 - 'this is for you' The two links are different and refer to a Gift Card on Steam's community platform. As you might have noticed, the domain is not related to Steam at...
TAG Bulletin: Q1 2025
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q1 2025. It was last updated on May 15, 2025. January: We terminated 12 YouT…
Ransomware Tool Matrix Project Updates: May 2025
Introduction This blog is a summary and analysis of recent additions to the Ransomware Tool Matrix (RTM) as well as the Ransomware Vulnerability Matrix (RVM). Feedback from the infosec community about these projects has been overwhelmingly positive and many researchers have contacted me to tell me how helpful they...
Tracking Adversaries: EvilCorp, the RansomHub affiliate
Introduction This blog is part of a cyber threat intelligence (CTI) blog series called Tracking Adversaries that investigates prominent or new threat groups. The focus of this blog is EvilCorp, a sanctioned Russia-based cybercriminal enterprise known for launching ransomware attacks, and RansomHub, a prominent...
BlackBasta Leaks: Lessons from the Ascension Health attack
The BlackBasta ransomware group’s leaked chat logs have proven to already be another unique and fascinating opportunity for researchers to better understand the internal operations of a Russia-based organised cybercrime enterprise. These leaks followed a major leak of Conti chat logs in 2022, which also proved to...
TAG Bulletin: Q4 2024
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q4 2024. It was last updated on February 19, 2024. October: We terminated 11…
Decrypting Full Disk Encryption with Dissect
Author: Guus Beckers Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. Since then it has been adopted by many different companies in their regular workflow. For those of you who are not yet familiar with Dissect, it is an incident response framework built with...
Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
Authors: Boudewijn Meijer && Rick Veldhoven Introduction: As defensive security products improve, attackers must refine their craft. Gone are the days of executing malicious binaries from disk, especially ones well known to antivirus and Endpoint Detection and Response (EDR) vendors. Now, attackers focus on in-memory...
Microsoft Word and Sandboxes
Today's post is a brief one on some Microsoft Word and sandbox detection / discovery / fun. Collect user name from Microsoft Office: Most sandboxes will trigger in some way if a tool or malware tries to collect system information or user information. But what if we collect the user name via the registry and...
New North Korean based backdoor packs a punch
In recent months, North Korean based threat actors have been ramping up attack campaigns in order to achieve a myriad of their objectives, whether it be financial gain or espionage. The North Korean cluster of attack groups is peculiar in that there is considerable overlap between them, and...
The State of Go Fuzzing - Did we already reach the peak?
During one of the recent working days, I was tasked with fuzzing some Go applications. That's something I had not done in a while, so my first course of action was to research the current state of the art of the tooling landscape. After like a couple of
Sifting through the spines: identifying (potential) Cactus ransomware victims
Authored by Willem Zeeman and Yun Zheng Hu This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them please check the central blog by Dutch special interest group...
Android Malware Vultur Expands Its Wingspan
Authored by Joshua Kamp Executive summary The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. Vultur has also started masquerading more of its malicious activity by...
DarkGate - Threat Breakdown Journey
Intro: Over the past month, a widespread phishing campaign has targeted individuals globally. The campaign's execution chain ends with the deployment of a malware known as DarkGate, a loader-type malware. DarkGate is exclusively sold on underground online forums and the developer keeps a very tight amount of seats...
Kraken - The Deep Sea Lurker Part 2
Intro: In the second part of analyzing the “KrakenKeylogger”, I will be diving into some proactive “threat hunting” steps I’ve done during my research about the Kraken. What do we have? Let’s start with what we currently have and how we can pivot with it: C2: thereccorp.com Payload fetching domain:...
Kraken - The Deep Sea Lurker Part 1
Intro: In this first part we will be going through a recent phishing campaign delivering a never-before-seen “KrakenKeylogger” malware. The Phish: The mail sent to the victim is a simple malspam mail with an archive attachment. The archive is a .zip archive that contains a .lnk file. LNK Analysis, LECmd Tool: In order to...
PlutoCrypt - A CryptoJoker Ransomware Variant
Intro: In this blog I will deep dive into a variant of CryptoJoker ransomware, alongside analyzing the multi-stage execution chain. BRACE YOURSELVES! The Phish: Our story begins with a spear phishing email, targeting Turkish individuals and organizations. These attacks often begin with an email that appears to be...
LummaC2 - Stealer Features BreakDown
Intro: This blog will be a bit different from my usual blogs; it will mainly contain scripts and some research I’ve spent on finding some of the things you’ll read through the blog. I’ve tried to cover things that weren’t covered in previous blogs that can be found on the Lumma Stealer Malpedia entry. The Phish: The...
WannaCry: The Most Preventable Ransomware is Still at Large
The WannaCry attack of 2017 is the perfect example of why you should always install security updates as soon as they’re released. This was, probably, the most avoidable ransomware incident. And, at the same time, one of the most damaging and rapidly spreading malware outbreaks. This is the story of the WannaCry...
Vulnerability Research Digest - Issue 1 (macOS/iOS in 2022)
In the past few years I created some Twitter threads (e.g. Windows Kernel Security, Linux Kernel Security) on a number of publications I found the most interesting within the vulnerability research space. This didn’t really give me that much space to actually provide detail or allow this to be stored within a format...
The End of Sodinokibi: the Infamous Ransomware Goes Down
Sodinokibi was, perhaps, the most ill-renowned ransomware. While it was active, it netted crooks hundreds of millions of dollars, hitting prominent targets such as Apple, Acer, Donald Trump’s lawyers, and most recently, HX5, a US defense company. It took a law enforcement operation coordinated between 17 countries...
Learning Linux kernel exploitation - Part 2 - CVE-2022-0847
Continuing to walk down Linux Kernel exploitation lane. This time around with an unanticipated topic: DirtyPipe as it actually nicely fits the series as an example.
Demystifying Security Research - Part 1
There are a number of key questions which are always asked by people wanting to get into security research, find out more about how others go about it or just generally improve their processes. In this post I want to highlight some of things which work for me and some guidance which may help for others. This is a...
Learning Linux kernel exploitation - Part 1 - Laying the groundwork
Table of contents Disclaimer: This post will cover basic steps to accomplish a privilege escalation based on a vulnerable driver. The basis for this introduction will be a challenge from the hxp2020 CTF called "kernel-rop". There are (obviously) write-ups for this floating around the net (check
Overview of GLIBC heap exploitation techniques
Overview of current GLIBC heap exploitation techniques up to GLIBC 2.34, including their ideas and introduced mitigations along the way
MISC study notes about ARM AArch64 Assembly and the ARM Trusted Execution Environment (TEE)
Disclaimer: These are unfiltered study notes mostly for myself. Guaranteed not to be error free. So if you did land here, managed to get to the end of it and found some mistakes just hit me up, I'd love to know what's wrong :) AArch64 - Preface
CVE-2021-30660 - XNU Kernel Memory Disclosure
The msgrcv_nocancel syscall could disclose uninitialized memory from kernel space into userspace. This is due to an incorrect calculation being performed when copying the memory. The vulnerability was patched in the following releases: macOS 11.3 iOS 14.5 Vulnerability Details (sysv_msg.c) The msgrcv_nocancel...
Rise and Fall of Emotet
Emotet was the most threatening malware in the world. This nightmare of cybersecurity specialists challenged millions of infected computers and caused more than $2 billion in losses. And now the sophisticated botnet is taken down. Emotet was known as a destructive cyber threat out there. And ANY.RUN sandbox faced...
CVE-2020-9967 - Apple macOS 6LowPAN Vulnerability
Inspired by Kevin Backhouse’s great work on finding XNU remote vulnerabilities, I decided to spend some time looking at CodeQL and performing some variant analysis. This led to the discovery of a local root-to-kernel (although documented by Apple as remote) vulnerability within the 6LowPAN code of macOS 10.15.4....
Time Bombs: Malware with Delayed Execution
Did you know that there’s malware that behaves just like the clichéd ticking bombs from Hollywood blockbusters? It enters the system and waits there, sometimes for ages, with the timer slowly but inevitably counting towards the destructive explosion. Or in our case, execution. Once the time comes, a cyber-bomb like...
Malware History: MyDoom
MyDoom, sometimes also called Novarg, W32.MyDoom@mm, Shimgapi, and Mimail.R, is a worm-type malware that infects Windows PCs. After infecting machines, the malware gets access to all files and distributes itself to the email contacts of the victim. It also features a countdown timer that starts DoS attacks on...
Coverage Guided Fuzzing in Go
Recently I had the need to explore coverage guided fuzzing in Go. Whilst there is a bit of information scattered around on multiple different sites, as someone who is fairly new to Go, I couldn’t find a good concise source of information on what is already out there and the current state of play of fuzzer tooling...