During monitoring of one of their Docker honeypots, the Beelzebub Research Team identified the PCPcat campaign, a highly sophisticated cyber-espionage operation targeting cloud infrastructure and development environments by exploiting CVE-2025-29927 and CVE-2025-55182 in Next.js and React frameworks to deploy PCPcat.
A critical vulnerability, tracked as CVE-2025-68613 with a CNA CVSS score of 9.9, has been disclosed in the n8n workflow automation platform. The flaw stems from insufficient isolation of authenticated user-supplied expressions from the underlying runtime during workflow configuration under certain conditions.
Socket's Threat Research Team identified two malicious Chrome extensions called Phantom Shuttle that masquerade as network speed testing and proxy tools for developers and foreign trade personnel.
WebRAT is a backdoor with information-stealing capabilities that is commonly distributed through pirate software and cheats for games like Roblox, Counter Strike, and Rust.
The Federal Communications Commission (FCC) has officially added DJI and other foreign drone manufacturers to its list of communications equipment deemed an "unacceptable risk to national security."
SentinelOne assesses that LLMs are acting as an accelerant for the ransomware lifecycle, driving operational efficiency rather than causing a fundamental transformation of adversary capabilities.
On September 15, 2025, a Russian underground forum post by the user "dragonforce" announced the formal creation of an alliance between DragonForce, Qilin, and LockBit.
Jamf Threat Labs identified a new MacSync Stealer variant targeting macOS that is delivered through a digitally signed and notarized Swift application, marking an evolution in how the malware is distributed.
HardBit 4.0 is the latest iteration of the HardBit ransomware family, which has been active since 2022 and operates without a public data leak site.
France's national postal service, La Poste, and its banking subsidiary, La Banque Postale, were targeted by a massive Distributed Denial-of-Service (DDoS) attack. The incident severely disrupted digital operations, knocking websites and mobile applications offline and creating significant logistical bottlenecks during the year's busiest shipping week.
A joint investigation by Hunt[.]io and the Acronis Threat Research Unit has mapped the shared operational infrastructure supporting DPRK state-sponsored threat actors, including Lazarus, Kimsuky, and BlueNoroff.
Cybersecurity researchers have identified a malicious npm package named "lotusbail" that masquerades as a legitimate WhatsApp API library. Uploaded in May 2025 by the user "seiren_primrose," the package has been downloaded over 56,000 times and remains available for download on the registry.
Nezha is a legitimate, open-source server monitoring platform designed to help administrators monitor and manage systems across Windows, Linux, and network appliances.
Over the weekend, Romania's national water management authority, Romanian Waters (Administrația Națională Apele Române), was hit by a ransomware attack, impacting several workstations and servers belonging to the administration and 10 of its 11 regional offices.
Members, we continue to monitor CVE-2025-14733 and it's active exploitation. At this time, no formal attribution has been attributed to any specific adversaries targeting these devices, but there is some evidence that the activity is part of a larger, multi-vendor campaign targeting edge networking equipment.
WatchGuard has issued a critical security advisory regarding CVE-2025-14733 (CVSS 9.3), an out-of-bounds write vulnerability in the Fireware OS iked process that allows remote, unauthenticated attackers to execute arbitrary code.
A novel attack vector dubbed "Lies-in-the-Loop" (LITL) exploits the Human-in-the-Loop (HITL) safety mechanism, the final safeguard intended to prevent AI agents from executing harmful actions without user consent.
The ClickFix social engineering tactic has evolved into a primary delivery vector for high-impact cyberattacks, recently documented in a campaign leading to Qilin ransomware deployment.
Cl0P ransomware is conducting a new data-theft extortion campaign targeting internet-exposed Gladinet CentreStack file servers.
A critical authentication bypass vulnerability (tracked as CVE-2025-59718 and CVE-2025-59719) has been discovered affecting Fortinet devices with the FortiCloud SSO (Single Sign-On) feature enabled.
The Iranian state-sponsored threat actor known as Prince of Persia (or Infy) has significantly evolved its technical proficiency and operational security methods after three years of relative silence in the media.
Hewlett Packard Enterprise (HPE) issued a critical security bulletin regarding a maximum-severity remote code execution (RCE) vulnerability in its OneView infrastructure management software. Identified as CVE-2025-37164, the flaw allows a remote, unauthenticated attacker to execute arbitrary code on the underlying appliance.
Proofpoint Threat Research has identified an increase in phishing campaigns that leverage the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 (M365) accounts.
Cisco Talos has identified a targeted campaign against Cisco Secure Email Gateway (formerly ESA) and Cisco Secure Email and Web Manager (formerly SMA) running Cisco AsyncOS.
Stuxnet, discovered in 2010, represented a critical shift in the threat landscape as one of the first identified cyberweapons designed to inflict physical destruction against critical infrastructure.
ClickFix is a social engineering technique that tricks victims into executing malicious commands under the pretext of fixing an error on a site or verifying the user is human. Since the user voluntarily initiates the action, this technique enables actors to bypass traditional security controls designed to detect automated or unauthorized execution.
Ink Dragon, a sophisticated espionage cluster, also known in the industry as Earth Alux, Jewelbug, or REF7707, has significantly expanded its operational footprint from Southeast Asia and South America into European government networks.
RansomHouse, a Ransomware-as-a-Service (RaaS) operation tracked by Unit 42 as "Jolly Scorpius," has undergone a significant technical evolution in its encryption methodology.
Threat actors have swiftly begun exploiting two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719 (CVSS score: 9.8), in Fortinet FortiGate, FortiWeb, FortiProxy, and FortiSwitchManager devices.
A malicious GitHub repository named "React2shell-scanner," hosted by the user "niha0wa," was recently identified as a delivery vehicle for malware rather than a legitimate security tool.
Amazon Threat Intelligence has reported on a years-long campaign, spanning 2021-2025, conducted by a Russian state-sponsored actor strongly assessed to be Sandworm (also known as APT44 and Seashell Blizzard), linked to the GRU.
The NCSC's cyber deception trials assessed whether defensive techniques like honeypots can help improve detection, observability, and threat hunting in real-world environments.
The JumpCloud Remote Assist for Windows agent is affected by a critical security flaw, tracked as CVE-2025-34352, which enables Local Privilege Escalation (LPE) and Denial-of-Service (DoS) attacks.
In December 2025, security researchers exposed a sophisticated, long-running cybercrime campaign conducted by the threat actor ShadyPanda, which conducted a browser extension supply-chain attack that infected over 4.3 million Chrome and Edge users.
Gentlemen is a new ransomware group that emerged around August 2025. Like any other ransomware operation, the gang operates a double extortion model, where it will exfiltrate data and encrypt systems to pressure victims into complying with ransom demands.
he React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure.
On December 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (informally "React2Shell"), was publicly disclosed.
PyStoreRAT is an undocumented, multi-stage JavaScript Remote Access Trojan (RAT) primarily delivered through malicious GitHub repositories.
Campaigns observed in October and November 2025, tracked under the temporary intrusion set SHADOW-VOID-042, targeted several high-value sectors, including energy, defense, pharmaceuticals, and cybersecurity, according to Trend Micro.
Cybersecurity researchers have documented the return of CyberVolk, a pro-Russia hacktivist persona that has evolved into a Ransomware-as-a-Service (RaaS) provider following a period of dormancy in early 2025.
Cybersecurity researchers have documented the emergence of four sophisticated phishing kits, BlackForce, GhostFrame, InboxPrime AI, and Spiderman, designed to facilitate large-scale credential theft and bypass modern security perimeters.
Notepad++ recently addressed a security weakness in its update tool (WinGUp) after receiving word of several incidents wherein the updater was manipulated to download and run malicious executables instead of legitimate updates.
MITRE has shared this year's top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
Cybersecurity researchers have unveiled details of NANOREMOTE, a newly observed, full-featured Windows backdoor written in C++ without obfuscation that utilizes the Google Drive API for C2.
Cybersecurity researchers have unveiled details of NANOREMOTE, a newly observed, full-featured Windows backdoor written in C++ without obfuscation that utilizes the Google Drive API for C2.
Wiz Threat Research has identified and publicly disclosed a critical zero-day vulnerability, CVE-2025-8110 (CVSS: 8.7), actively being exploited in-the-wild against Gogs, a popular self-hosted Git service.
U.S. agencies warned critical infrastructure organizations this week of attacks launched by multiple Russian groups backed financially by the country's government.