Mandiant and GTIG attributed an active extortion and compromise campaign against Oracle PeopleSoft infrastructure to UNC6240 (ShinyHunters), using CVE-2026-35273 as a zero-day to target Environment Management Hub endpoints. The attackers used MeshCentral staging servers, custom propagation scripts, and data theft that culminated in leaks on the ShinyHunters Data Leak Site. #UNC6240 #ShinyHunters #OraclePeopleSoft #CVE-2026-35273 #MeshCentral #PSEMHUB
Category: Threat Research
ITScape (CVE-2026-46316) is a guest-to-host escape flaw in KVM/arm64 vGIC-ITS emulation that can lead to host kernel code execution on multi-tenant cloud systems. RL released two YARA rules and guidance to detect exploit constants and the /dev/kvm privilege-drop sequence, while urging operators to patch the mainline fix and companion updates. #ITScape #CVE-2026-46316 #KVM #vGIC-ITS
Juan Andrés Guerrero-Saade argues that cybersecurity is leaving its experimental era behind, as non-standardized complexity has made systems too costly and difficult to manage through human attention alone. He says large language models can provide scalable evaluative power and help defense become more standardized, automated, and sustainable. #SentinelLABS #LABScon #OpenAI #JAGS
Iranian and Russian shadow fleet networks are using more than 36 inauthentic websites to impersonate maritime administrations, ship registries, classification societies, and seafarer certification bodies in order to generate fraudulent documents and evade sanctions. The infrastructure spans three linked clusters and is associated with vessels and organizations including Benin, the Comoros, Oceaniek Technologies, Med Lloyd Classification Society, Hellas Naval Bureau of Shipping, and Pioneers Maritime Ship Management. #BeninMaritimeAdministration #OceaniekTechnologies #MedLloydClassificationSociety #HellasNavalBureauofShipping #PioneersMaritimeShipManagement #Marinegov
Acronis TRU identified Khmer Shadow, a previously unreported cluster behind two espionage campaigns targeting Cambodian government entities in the defense, military intelligence, and public works sectors. The operation used SFX archives, vmtools.dll sideloading, NIGHTFORGE, KaynLdr, and Havoc Demon, while infrastructure overlaps pointed to C2 domains such as sharingfile[.]cloud and linkednewsapi[.]top. #KhmerShadow #NIGHTFORGE #HavocDemon #KaynLdr #sharingfilecloud #linkednewsapi-top
Proofpoint has been accepted into Europol EC3's Advisory Group on Internet Security (AGIS), strengthening its role in cross-border collaboration against cybercrime. The article highlights Proofpoint's prior contributions to disrupting Tycoon 2FA and Operation Endgame, showing how intelligence sharing and coordinated action help dismantle criminal infrastructure. #Proofpoint #Europol #EC3 #AGIS #Tycoon2FA #OperationEndgame…
CloudSEK's TRIAD uncovered a multi-tenant FIFA World Cup 2026 ticket fraud operation that uses typosquatted domains, fake checkout pages, and live chat to steal card data and bypass OTP-based authentication. The infrastructure is linked to `tbpay[.]uk`, `ww-fifa[.]com`, `sdf-26fifa[.]top`, and operator activity consistent with China-based threat actors. #FIFA #tbpay #wwfifa #sdf26fifa
APT28, also known as Fancy Bear and linked to GRU Unit 26165, has evolved over two decades from the X-Agent/X-Tunnel implant era into fragmented disposable modules, edge-router infrastructure, cloud-based C2, and even an LLM-driven infostealer. The report highlights major campaigns such as Operation Phantom Net Voxel, RoundPress, FrostArmada, and LameHug, showing sustained targeting of Ukrainian, NATO, government, defense, and critical-infrastructure victims. #APT28 #FancyBear #GRUUnit26165 #OperationPhantomNetVoxel #RoundPress #FrostArmada #LameHug
Gen Threat Labs tracked GoFlateLoader, a widespread Golang loader that uses inflated PE overlays and manual in-memory execution to deliver infostealers such as Amatera, Remus, Lumma, Vidar, StealC, and SvitStealer. Its operators distribute it through cracked software and a malicious TDS, while its oversized binaries appear designed to evade size-limited scanning and analysis systems. #GoFlateLoader #Amatera #Remus #Lumma #Vidar #StealC #SvitStealer #CheckPointResearch
The report shows a 75% year-over-year reduction in exploitable in-use vulnerabilities among Sysdig users, but also warns that the overall volume of vulnerabilities is rising too fast for human teams to keep up. It argues that AI-assisted exploit creation and agentic AI-driven remediation, bounded by strong guardrails, will be necessary to match shrinking weaponization timelines. #Sysdig #RiskSpotlight #ProjectGlasswing #MITRE #VulnCheck
Cyfirma Research uncovered an npm supply chain campaign using 11 malicious packages to target blockchain developers, Web3 projects, and cryptocurrency infrastructure, with moralis-sdk alone reaching more than 2.7 million downloads. The campaign used typosquatting, postinstall/preinstall abuse, credential harvesting, wallet theft, blockchain-based C2 and exfiltration, and multi-stage payload delivery. #moralis-sdk #ethers-jss #coinbase-wallet-utils #Ganach #Solidty #Stelar-sdk #ethcompat
HUMAN's Satori Threat Intelligence and Research Team exposed "Pushpaganda," a campaign that used Google Discovery feeds, SEO manipulation, and AI-generated content to deliver scareware, fake legal threats, and financial scams to Android and Chrome users. The investigation also uncovered 90 domain IoCs and extensive related infrastructure, including malicious IPs, email-connected domains, and typosquatted look-alike domains. #Pushpaganda #HUMAN #GoogleDiscoveryFeeds #Android #Chrome
CloudSEK describes a WooCommerce Payments (Stripe) checkout skimmer that overlays a fake payment form, validates card entries in real time, and silently harvests card data and email from genuine purchases. The report shows how operators moving through carding marketplaces like Savastan0, Cvvhub, Jerrys, Zillion, Proton, VClub, and Pepe have shifted from phishing pages to direct compromise of legitimate e-commerce sites. #WooCommerce #WooCommercePayments #Stripe #Savastan0 #Cvvhub #Jerrys #Zillion #Proton #VClub #Pepe
Chaotic Eclipse (also known as Nightmare Eclipse) released RoguePlanet, a Windows local privilege escalation proof of concept that abuses a TOCTOU race in Windows Defender remediation to plant code as System32\wermgr.exe and execute it as SYSTEM through Windows Error Reporting. The article also outlines related detections in Sysmon and Guardsix SIEM, including staging in %TEMP%, named pipe activity on RoguePlanet, and suspicious wermgr.exe-to-conhost.exe process chains. #RoguePlanet #ChaoticEclipse #NightmareEclipse #WindowsDefender #wermgr.exe #WindowsErrorReporting
Zscaler ThreatLabz identified MLTBackdoor in May 2026 as a new malware family likely used by a ransomware-related threat actor, delivered through a multi-stage ClickFix chain and designed for post-exploitation with expandable BOF support. It uses heavy MBA and CFF obfuscation, indirect system calls, DGA-backed C2 such as hrs2y15sungu[.]com and cwrtwright[.]com, and encrypted TLS communications to evade analysis and maintain access. #MLTBackdoor #ClickFix #BeaconObjectFiles #hrs2y15sungu[.]com #cwrtwright[.]com