140 matches found

HackRead
added 2026/05/13 3:18 p.m. | 6 views

TeamPCP Used Mini Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages

Research reveals that TeamPCP hijacked OIDC tokens to poison hundreds of TanStack, Mistral AI, and UiPath packages with the self-propagating Mini Shai-Hulud worm...

AI score: 5.8
Exploits: 0
The Hacker News
added 2026/03/17 9:53 a.m. | 8 views

Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware

North Korean threat actors have been observed sending phishing to compromise targets and obtain access to a victim's KakaoTalk desktop application to distribute malicious payloads to certain contacts. The activity has been attributed by South Korean threat intelligence firm Genians to a hacking...

AI score: 5.9
Exploits: 0
The Hacker News
added 2026/03/03 11:10 a.m. | 9 views

Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication

Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections. It's advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a...

AI score: 6.2
Exploits: 0
The Hacker News
added 2026/02/05 10:25 a.m. | 8 views

Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends

The elusive Iranian threat group known as Infy (aka Prince of Persia) has evolved its tactics as part of efforts to hide its tracks, even as it readied new command-and-control (C2) infrastructure coinciding with the end of the widespread internet blackout the regime imposed at the start of January...

CVSS: 8.8 | AI score: 7.7 | EPSS: 0.11605
Exploits: 42
HackRead
added 2026/01/28 3:49 p.m. | 4 views

Hackers Still Using Patched WinRAR Flaw for Malware Drops, Warns Google

The Google Threat Intelligence Group (GTIG) warns that nation-state actors and financially motivated threat actors are exploiting a…

AI score: 5.9
Exploits: 0
The Hacker News
added 2025/12/30 10:46 a.m. | 5 views

Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware

The threat actor known as Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0). "This sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular...

AI score: 6.5
Exploits: 0
The Hacker News
added 2025/11/18 12:54 p.m. | 18 views

Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks

Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East. The activity has been attributed by Google-owned Mandiant to a threat cluster...

AI score: 6.9
Exploits: 0
The Hacker News
added 2025/10/15 5:28 p.m. | 8 views

Chinese Threat Group 'Jewelbug' Quietly Infiltrated Russian IT Network for Months

A threat actor with ties to China has been attributed to a five-month-long intrusion targeting a Russian IT service provider, marking the hacking group's expansion to the country beyond Southeast Asia and South America. The activity, which took place from January to May 2025, has been attributed ...

AI score: 6.8
Exploits: 0
HackRead
added 2025/09/30 6:54 p.m. | 7 views

Chinese APT Phantom Taurus Targeted MS Exchange Servers Over 3 Years

Cybersecurity researchers at Palo Alto Networks' Unit 42 say Chinese APT Phantom Taurus breached Microsoft Exchange servers for years using a backdoor to spy on diplomats and defense data...

AI score: 6.9
Exploits: 0
Rapid7 Blog
added 2025/05/22 12:0 p.m. | 35 views

NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign

Co-authored by Anna Širokova and Ivan Feigl. Executive summary: Rapid7 has been tracking a malware campaign that uses fake software installers disguised as popular apps like VPN and QQBrowser—to deliver Winos v4.0, a hard-to-detect malware that runs entirely in memory and gives attackers remote...

AI score: 7.8
Exploits: 0
Wiz blog
added 2024/12/17 5:31 p.m. | 9 views

Unpacking Diicot - Evolving Campaign Targeting Linux Environments

Wiz Threat Research uncovered a new malware campaign targeting Linux environments attributed to the Diicot threat group...

AI score: 7.1
Exploits: 0
The Hacker News
added 2024/09/18 9:32 a.m. | 25 views

North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity cluster is being tracked by Google-owned Mandiant...

AI score: 7.3
Exploits: 0
The Hacker News
added 2024/09/09 5:30 a.m. | 21 views

TIDRONE Espionage Group Targets Taiwan Drone Makers in Cyber Campaign

A previously undocumented threat actor with likely ties to Chinese-speaking groups has predominantly singled out drone manufacturers in Taiwan as part of a cyber attack campaign that commenced in 2024. Trend Micro is tracking the adversary under the moniker TIDRONE, stating the activity is...

AI score: 7.5
Exploits: 0
Trend Micro Simply Security
added 2024/09/04 12:0 a.m. | 13 views

Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion

While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign...

AI score: 7.3
Exploits: 0
ICS
added 2024/08/28 12:0 p.m. | 65 views

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

Summary: The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors...

CVSS: 10 | AI score: 10 | EPSS: 0.94456
Exploits: 239 | References: 98
HackRead
added 2024/08/20 4:25 p.m. | 15 views

TodoSwift Malware Targets macOS, Disguised as Bitcoin PDF App

Meet TodoSwift, a malicious application that masquerades as a PDF downloader. Crafted by the BlueNoroff threat group, TodoSwift leverages…

AI score: 7.2
Exploits: 0
The Hacker News
added 2024/08/20 10:25 a.m. | 47 views

Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

A previously undocumented backdoor named Msupedge has been put to use against a cyber attack targeting an unnamed university in Taiwan. "The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic," the Symantec Threat Hunter Team, part ...

CVSS: 9.8 | AI score: 9.9 | EPSS: 0.94374
Exploits: 64
The Hacker News
added 2024/08/15 5:12 a.m. | 30 views

New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining

Cybersecurity researchers have discovered a new variant of the Gafgyt botnet that's targeting machines with weak SSH passwords to ultimately mine cryptocurrency on compromised instances using their GPU computational power. This indicates that the "IoT botnet is targeting more robust servers runni...

AI score: 7.8
Exploits: 0
Rapid7 Blog
added 2024/07/16 8:0 p.m. | 4 views

Defending Against APTs: A Learning Exercise with Kimsuky

The “evolving threat landscape” is a term we often hear within webinars and presentations taking place across the cybersecurity industry. Such a catch-all term is intended to capture the litany of threat groups and their evolving tactics, but in many ways it fails to truly acknowledge the growth ...

AI score: 6.7
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/06 5:45 p.m. | 15 views

TA577 Targeting Windows NTLM Hashes in Global Campaigns

Summary: TA577, a significant cyber threat group, has shifted tactics to steal NTLM authentication data, utilizing thread hijacking and customized HTML attachments. Organizations should block outbound SMB to thwart exploitation and remain vigilant against evolving attack methods. Threat Level - R...

AI score: 7.2
Exploits: 0