ReversingLabs documented two short-form video phishing campaigns on TikTok and Instagram Reels that lure users with promises of free premium software and then redirect them to attacker-controlled sites. One campaign delivers Vidarstealer through a fake Spotify Premium tutorial, while the other uses engagement bait and comment replies to push victims toward dubious download pages. #Vidarstealer #TikTok #InstagramReels #SpotifyPremium
Category: Threat Research
Varonis Threat Labs showed that an OpenClaw AI agent named Pinchy could be tricked by believable phishing emails into forwarding AWS IAM keys, database passwords, SSH credentials, and a customer export, while also demonstrating mixed defenses against phishing links and OAuth abuse. The research found that social-engineering attacks against AI agents…
The Duo Auth Proxy was shown to be forwarding live Active Directory authentication requests, and packet capture plus a recovered RADIUS shared secret allowed the authentication exchanges to be decrypted. This exposed cleartext credentials and revealed that MFA through the Duo Auth Proxy could be abused as a mechanism for password theft rather than a defense, while user group analysis highlighted a developer account with broad development-related AD memberships. #DuoAuthProxy #RADIUS #ActiveDirectory #MFA
Socket Threat Research identified 23 new PyPI artifacts tied to the broader Mini Shai-Hulud, Miasma, and Hades supply chain attacks, bringing the tracker to 471 affected artifacts across npm and PyPI. The new wave changes delivery methods with malicious .pth hooks, trojanized .abi3.so extensions, and a langchain-core-mcp loader that searches sys.path for _index.js while the payload steals developer and CI/CD secrets after running through Bun. #MiniShaiHulud #Miasma #Hades #langchaincoremcp #embiggen #ensmallen #gpsea #pyphetools
Two Russia-aligned campaigns are still exploiting CVE-2025-8088 in WinRAR against Ukrainian organizations long after the patch, using decoy archives to silently drop payloads and steal data. SHADOW-EARTH-066 delivers the evolved GIFTEDCROOK stealer while Earth Dahu uses an HTA-based espionage chain, underscoring how unmanaged software keeps the same entry point open. #CVE-2025-8088…
Proofpoint tracked UNK_DeadDrop, a likely North Korea-aligned phishing cluster that used recruiter and code-review lures to target developers across nearly 100 organizations and delivered malicious GitHub/GitLab repositories with cross-platform payloads. The campaigns abused VS Code and Cursor task automation plus malicious VSIX extensions to steal cryptocurrency wallets and credentials on macOS,…
An ISO titled UAE-India_Strategic_Partnership_Week.iso was uploaded from the UAE and delivers a new .NET RAT that the author temporarily calls PulseRAT through a dropper and LNK-based execution chain. The malware persists as WindowsVaultSyncService, disguises itself as Windows system software, and uses a Google Sheets spreadsheet for command-and-control while also sharing artifacts that may link to a host named desktop-526nitv. #PulseRAT #WindowsVaultSyncService #desktop-526nitv #UAE-India_Strategic_Partnership_Week.iso
Socket identified a coordinated PyPI supply-chain compromise with 37 malicious wheel artifacts across 19 packages, using a *-setup.pth startup hook to launch a Bun-based JavaScript stealer named _index.js. The campaign is a PyPI branch of the Shai-Hulud/Miasma lineage that steals developer and CI/CD secrets, exfiltrates to GitHub, and uses markers such as Hades – The End for the Damned. #PyPI #ShaiHulud #Miasma #Bun #Hades
Acronis Cyber Protect H2 2025 telemetry shows that backup jobs can succeed while still finishing too late, with tail latency and queued runtimes eroding real recovery readiness. Deep MSP tenant nesting also drives a sharp rise in failures, making governance, restore testing, and success-in-window measurement critical for resilience. #AcronisCyberProtect #CISA #Microsoft #AzureArchitectureCenter #AWS
Palo Alto Networks Unit 42 reported active exploitation of CVE-2026-0257 against PAN-OS GlobalProtect portal and gateway components by an unidentified threat actor attempting to establish VPN connections. The advisory urges defenders to hunt for listed IP addresses, suspicious host identifiers, and PoC-related client values, while applying mitigations or upgrading to a…
Mandiant reported that UNC3753, also known as Luna Moth, Chatty Spider, and Silent Ransom Group, ran a fast-moving data theft extortion campaign against U.S. professional, legal, and financial services organizations by using vishing, screen-sharing, RMM tools, and sometimes physical office access. The group stole sensitive data such as legal agreements, PII, and financial records, then used extortion emails and the LEAKEDDATA site to pressure victims into paying. #UNC3753 #LunaMoth #ChattySpider #SilentRansomGroup #LEAKEDDATA
Volexity investigated a long-running compromise of an Egnyte Storage Sync appliance and the victim's MSP, attributing the activity to VerdantBamboo (WARP PANDA, UNC5221) and the BRICKSTORM backdoor. The campaign also involved two previously undocumented malware families, AGENTPSD and PLENET, used to maintain access, pivot into Microsoft 365, and persist on Linux and BSD appliances. #VerdantBamboo #WARP_PANDA #UNC5221 #BRICKSTORM #AGENTPSD #PLENET #Egnyte #pfSense #Synology #Microsoft365
Vect emerged rapidly after its December 31, 2025 debut, publishing 25 victims, recruiting affiliates through BreachForums, and linking its operations to TeamPCP supply chain compromises and the Devman ecosystem. Its broken ChaCha20-based locker, aggressive defense evasion, and broad propagation across Windows, Linux, and VMware ESXi make it functionally similar to a wiper in many cases. #Vect #BreachForums #TeamPCP #Devman #Trivy #CheckmarxKICS #LiteLLM #Telnyx
Sysdig TRT observed an agentic threat actor exploiting CVE-2026-39987 in a marimo notebook to automate container escape, host breakout, and Kubernetes secret theft without human interaction. The operation used a mounted Docker socket, nsenter, and Kubernetes service-account replay to dump host credentials and the cluster Secret store. #CVE-2026-39987 #marimo #SysdigTRT #nsenter #DockerSocket #Kubernetes
LevelBlue's CTI team analyzed a new ClickFix campaign that uses typosquatted LinkedIn and Indeed pages, the Finger protocol, and legitimate Windows utilities to deliver CastleLoader and a Python-based RAT. The operation relies on fileless execution, encrypted C2 traffic, and WebSocket-based control to stage payloads, evade defenses, and maintain persistence. #ClickFix #LinkedIn #Indeed #Finger #CastleLoader #kevinnotanother.com