CISA will remain operational during the DHS shutdown but at reduced capacity, requiring 888 of its 2,341 staff to work in excepted areas without pay while many projects and new work are curtailed. The KEV Catalog will remain online and can be updated for actively exploited vulnerabilities, but regulatory work like…
Tag: CRITICAL INFRASTRUCTURE
Unit 42 revealed that Lotus Blossom, a state-sponsored group, compromised Notepad++’s shared hosting to hijack update traffic and deliver targeted malicious updates between June and December 2025. The attackers used an Adversary-in-the-Middle capability to selectively serve payloads, deploying the Chrysalis backdoor via DLL side-loading or a Cobalt Strike Beacon via injected Lua…
European Commission Executive Vice President Henna Virkkunen warned that Europe can no longer be naive about adversaries’ ability to disable critical infrastructure, noting cyberattacks are often paired with physical sabotage, disinformation and economic pressure. She called for tougher rules and investment, including a revision of the EU Cybersecurity Act to phase out…
Acronis TRU analyzed LockBit 5.0, a cross-platform ransomware family (Windows, Linux, ESXi) that uses XChaCha20 and Curve25519 encryption, random per-file extensions, and shared execution/encryption logic while applying extensive defense-evasion techniques on Windows. The report also links LockBit infrastructure to a SmokeLoader-associated IP and documents double-extortion exfiltration and enterprise/virtualization targeting (including Proxmox and ESXi). #LockBit #SmokeLoader
This week’s SecurityWeek roundup highlights notable developments: threat actors are increasingly using AI across attack stages while CISA, EPA and researchers flag persistent vulnerabilities in OT, water systems, and aviation supply chains. It also covers legal and policy actions, including a DoD employee indictment, Disney’s $2.75M CCPA fine, Trend Micro’s new attribution…
Between June and December 2025, the state-sponsored group Lotus Blossom compromised the shared hosting environment for Notepad++ updates and intercepted update traffic to serve malicious installers that delivered the Chrysalis backdoor and Cobalt Strike beacons. The campaign used DLL side-loading, Lua script injection and an adversary-in-the-middle filtering capability to selectively target…
Fancy Bear (APT28) remains an active Russian state-aligned espionage actor that quickly adopts newly disclosed vulnerabilities and uses spear-phishing and credential harvesting to maintain long-term access to government, defense, energy, and communications targets. The group recently weaponized a Microsoft Office vulnerability to compromise organizations in Eastern Europe and the EU, demonstrating a shift toward lightweight, high-ROI tradecraft. #FancyBear #CVE-2026-21509
China appears to have used a secret cyber range called Expedition Cloud to rehearse attacks on replicas of neighboring countries’ critical infrastructure, according to a cache of leaked development and training files. The materials, linked to developer files from CyberPeace and obtained via an exposed FTP server, show staged reconnaissance and…
The European Commission is investigating a breach after detecting traces of a cyberattack on its mobile device management platform that may have exposed some staff names and phone numbers, though no mobile devices have been found to be compromised. The incident appears linked to zero-day code-injection flaws in Ivanti Endpoint Manager Mobile (EPMM) that have also affected Dutch authorities and Finland’s Valtori, and the Commission says the system was contained and cleaned within nine hours. #IvantiEPMM #EuropeanCommission
Singapore launched its largest coordinated cyber defense operation, Operation Cyber Guardian, after a highly targeted attack affected all four major telecommunications operators: M1, Singtel, StarHub, and Simba. The assault was attributed to UNC3886, which exploited a zero-day vulnerability and accessed a small number of critical systems but was contained by government…
Unit 42 reveals a state-aligned cyber espionage campaign by TGR-STA-1030 (also tracked as UNC6619) that infiltrated government networks across 37 countries and compromised at least 70 organizations, focusing on finance ministries, law enforcement, and critical infrastructure. The Asia-based group times operations to geopolitical events and uses sophisticated phishing (links hosted on…
A state-sponsored threat actor tracked as TGR-STA-1030/UNC6619 conducted global espionage operations called “Shadow Campaigns,” compromising at least 70 government and critical infrastructure organizations across 37 countries and conducting reconnaissance against entities in 155 countries. The group used tailored phishing with Mega.nz-hosted archives, the Diaoyu loader (delivering Cobalt Strike and VShell), multiple exploit chains, and a custom eBPF Linux rootkit named ShadowGuard to evade detection and maintain persistent access. #TGR-STA-1030 #ShadowGuard
Multiple critical vulnerabilities in Ilevia EVE X1 Server (…
On December 29, 2025, a coordinated destructive campaign using a custom wiper called DYNOWIPER targeted Poland’s energy infrastructure, impacting more than 30 renewable sites and a major CHP plant. CERT Polska attributes the attack infrastructure to clusters tracked as Static Tundra / Berserk Bear / Ghost Blizzard / Dragonfly, and Elastic Defend’s canary-file ransomware protection successfully detected and blocked DYNOWIPER activity. #DYNOWIPER #CERTPolska
0APT surfaced in late January 2026 as a Ransomware-as-a-Service operation claiming hundreds of high-profile victims worldwide, but rapid analysis has cast doubt on its technical capability. Evidence such as 0-byte dummy files, low-quality code and developer comments in Hindi/Urdu suggests 0APT may be a scam-as-a-service rather than a sophisticated ransomware cartel. #0APT #SolsticeEnergyGrid