Team Cymru has identified a significant uptick in the use of CyberStrikeAI, an open-source, AI-augmented offensive security tool (OST) developed by a China-based individual, "Ed1s0nZ," who is assessed to have ties to Chinese state-sponsored cyber operations.
Microsoft has identified a sophisticated phishing campaign that abuses the legitimate OAuth 2.0 protocol to bypass traditional email and browser security defenses.
The StegaBin campaign is a sophisticated software supply chain attack involving 26 malicious npm packages that deploy a multistage credential and secret harvesting operation targeting developers.
Iranian drone strikes struck three Amazon data center facilities in the UAE and Bahrain this week, disrupting cloud services across parts of the Middle East.
Between February 22 and 25, 2026, GreyNoise recorded 84,142 scanning sessions targeting SonicWall SonicOS devices' SSL VPN interfaces, originating from 4,305 unique IP addresses across 20 autonomous systems.
Security researchers at Oasis Security recently disclosed a critical vulnerability chain in OpenClaw, an increasingly popular open-source autonomous AI agent framework, codenamed “ClawJacked.”
The Iranian cyber threat landscape has undergone a significant transformation, evolving from localized, reactive strikes into a sophisticated, global operation characterized by "influence-driven disruption."
Google Cloud API keys (identifiable by the AIza... prefix), which have traditionally been designed and documented as safe to embed in public client-side code for services like Maps and Firebase, are inadvertently functioning as highly privileged authentication credentials for Google's Gemini AI.
Microsoft patched CVE-2026-21513 during February 2026's Patch Tuesday, a security features bypass vulnerability within the MSHTML framework carrying a CVSS score of 8.8.
While the line between hacktivist and state-sponsored threat actors can be blurry, Iran is a formidable adversary hosting several prominent threat actors. Iran's geopolitical objectives range from disruptive and destructive attacks, cyber espionage, and financially motivated cyber attacks in collaboration with ransomware actors.
Check Point Research recently identified critical vulnerabilities (CVE-2025-59536 and CVE-2026-21852) in Anthropic's Claude Code, an AI-powered command-line development tool.
For over a decade, Google told developers that standard Google Cloud API keys (the familiar “AIza…” format used for services like Maps and Firebase) were not secrets and were safe to embed in client-side code.
Aeternum C2 represents a significant evolution in botnet architecture, specifically in its use of the Polygon blockchain for command-and-control (C2) operations.
A recent deep-dive analysis by FortiGuard Labs has unmasked a sophisticated, multi-stage infection chain used to deliver the Agent Tesla infostealer. The campaign begins with business-themed phishing emails, often using lures such as "New Purchase Orders" to create urgency.
Vshell is a mature, Go-based command-and-control (C2) framework that has been actively developed since 2021 within Chinese-speaking offensive security ecosystems. Originally released as an open-source RAT,
In December 2025, Zscaler's ThreatLabz identified a new cyberespionage campaign dubbed "Ruby Jumper," orchestrated by the DPRK-sponsored threat group, APT37 (AKA ScarCruft, Ruby Sleet, and Velvet Chollima).
Zyxel has disclosed and patched a critical command injection vulnerability, CVE-2025-13942 (CVSS 9.8), affecting more than a dozen of its router and CPE models, including 4G LTE/5G NR CPEs, DSL/Ethernet CPEs, Fiber ONTs, and wireless extenders.
Steaelite is a newly observed remote access trojan (RAT) that is rapidly gaining attention on underground cybercrime networks for combining multiple malicious capabilities into a single, browser-based control panel.
Zoom meeting interface to trick users into installing surveillance software. Victims are typically lured via an email or text containing a link to a fraudulent domain, uswebzoomus[.]com/zoom/, which presents a realistic "waiting room" experience.
Microsoft Defender Experts have uncovered a highly coordinated campaign targeting software developers through malicious repositories hosted on platforms like Bitbucket, disguised as legitimate Next.js projects and recruitment "coding tests."
UNC2814, a suspected People's Republic of China (PRC)-nexus cyber espionage group active since at least 2017, has orchestrated a massive global espionage campaign targeting telecommunications and government entities across four continents.
A 39-year-old Australian national, Peter Williams, a former employee of U.S. defense contractor L3Harris, has been sentenced to 87 months in prison for selling eight zero-day exploits to Russian exploit broker Operation Zero in exchange for millions of dollars in cryptocurrency.
Summary: The "Diesel Vortex" operation, active from late 2025 through February 2026, represents a highly industrialized approach to logistics-themed cybercrime.
A recent intelligence brief from Dataminr has identified a tactical evolution in the operations of the cybercrime "supergroup" known as Scattered Lapsus$ Hunters (SLH).
A critical authentication bypass vulnerability exists in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage).
Severity - High: The attack relies on ClickFix social engineering, preying on the habit of quickly copying and pasting curl installation commands from documentation or websites into the macOS Terminal.
Sinobi is a financially motivated Ransomware-as-a-Service (RaaS) operation that emerged in mid-2025. Employing a double-extortion strategy, the threat actor exfiltrates sensitive data before executing high-speed encryption, forcing victims into negotiations under the threat of public data release.
North Korean state-backed hackers linked to the Lazarus Group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware, according to a new report from Symantec.
Trend Micro researchers have identified a novel distribution campaign for the Atomic macOS Stealer (AMOS), targeting users of the OpenClaw AI agent framework. Historically, AMOS was distributed through "cracked" software or malvertising; however, threat actors are now weaponizing the emerging "agentic AI" ecosystem.
The "SANDWORM_MODE" campaign represents a highly sophisticated evolution in software supply chain attacks, specifically targeting the JavaScript (npm) ecosystem and modern AI-driven development workflows.
Starkiller is a commercially sold phishing-as-a-service framework developed by a threat group called Jinkusu, first reported by Abnormal AI in February 2026. Unlike traditional phishing kits that rely on static HTML clones of legitimate login pages, Starkiller takes a fundamentally different approach: it spins up a headless Chrome instance inside a Docker container that loads a brand's real website and proxies it live to the victim.
BeyondTrust recently disclosed a critical pre-authentication Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-1731 (CVSS 9.9), affecting its Remote Support (RS) and Privileged Remote Access (PRA) solutions.
First identified in late January 2026, Operation Olalampo represents a significant evolution in the tactical playbook of MuddyWater (also known as Mango Sandstorm or Static Kitten), a threat actor linked to Iran's Ministry of Intelligence and Security (MOIS).
A Russian-speaking, financially motivated threat actor has been observed using commercial generative artificial intelligence (AI) services to compromise more than 600 FortiGate devices across 55 countries.
CISA has added two actively exploited Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, flagging them as significant threats to both federal and private sector infrastructure.
In a recently observed campaign identified by the Cofense Phishing Defense Center (PDC) during an analysis of suspicious remote access activity, threat actors are weaponizing the trust associated with familiar brands like DocuSign, Adobe Sign, and Zoom Meeting.
Dutch intelligence agencies (AIVD and MIVD), released a joint assessment warning that Russia is conducting an intensifying hybrid warfare campaign against European nations and is actively preparing for a prolonged confrontation with the West.
CVE-2026-1731 is a critical, pre-authentication remote code execution vulnerability affecting BeyondTrust Remote Support (RS) and older versions of the BeyondTrust Privileged Remote Access (PRA) codebase.
Proofpoint threat researchers have uncovered a sophisticated Malware-as-a-Service (MaaS) operation branded as TrustConnect, which represents a deceptive evolution in the Remote Monitoring and Management (RMM) threat landscape.
Recent threat research by FortiGuard Labs has exposed massive phishing campaigns targeting Taiwan with the Winos 4.0 (ValleyRat) malware.
A recently observed spam and phishing campaign, active from late December 2025 through late January 2026, abused Atlassian Jira Cloud infrastructure to bypass traditional email security controls.
The Acronis Threat Research Unit (TRU) has identified a sophisticated cyberespionage campaign, CRESCENTHARVEST, active since at least January 2026. Targeting Farsi-speaking dissidents and supporters of Iranian protests, the campaign uses high-fidelity social engineering lures, including authentic media and a Farsi-language report on "rebellious cities."
KnowBe4 Threat Labs has identified a highly sophisticated phishing campaign, active since December 2025, specifically targeting North American organizations within the technology, manufacturing, and financial services sectors.
PromptSpy is the first known Android malware family to weaponize a generative AI model, specifically Google's Gemini, as part of its execution flow.
Check Point Research has published a proof-of-concept demonstrating that AI assistants with web browsing or URL-fetching capabilities, specifically Grok and Microsoft Copilot, can be weaponized as covert command-and-control (C2) relay channels without requiring an API key or authenticated account.
The OX Security Research team has identified a critical supply chain security blind spot stemming from vulnerabilities in four highly popular Integrated Development Environment (IDE) extensions, which collectively boast over 120 million downloads.
Since early January 2026, researchers at Bridewell have observed a resurgence in activity targeting the hotel and retail sectors through impersonation of Booking[.]com.