Sysdig TRT observed a rapid offensive cloud operation where an attacker obtained credentials from public S3 buckets, injected code into an AWS Lambda (EC2-init) to create admin access keys, moved laterally across 19 AWS principals, abused Amazon Bedrock models, and provisioned GPU instances for model training or resale. The operation contained multiple indicators of LLM assistance—LLM-generated code with Serbian comments, hallucinated AWS account IDs and a non-existent GitHub repo—and the report outlines detection opportunities and mitigation recommendations. #AmazonBedrock #AWSLambda
Tag: EDR
Microsoft disclosed CVE-2026-21509, a security-feature-bypass in Microsoft Office that lets attacker-controlled document metadata short-circuit Kill Bit checks and cause instantiation of kill-bitted OLE/COM components, and it is confirmed to be actively exploited. APT28 has used targeted spearphishing with weaponized RTF/Word docs to deliver payloads such as MiniDoor and PixyNetLoader—leveraging Outlook VBA persistence, COM hijacking, scheduled tasks named OneDriveHealth, and steganographic staging to maintain access. #CVE-2026-21509 #APT28
Amaranth-Dragon (a nexus linked to APT-41) ran highly targeted 2025 espionage campaigns across Southeast Asia using weaponized archives that exploited WinRAR CVE-2025-8088, custom Amaranth Loader, Havoc C2, and a new Telegram-based TGAmaranth RAT. The campaigns used geo-restricted Cloudflare-protected C2s, legitimate hosting (Dropbox, Pastebin), DLL sideloading, and payload encryption to maximize stealth and persistence. #Amaranth-Dragon #TGAmaranth
Amaranth Dragon, a threat actor linked to APT41, has been conducting espionage attacks against government and law enforcement organizations across Southeast Asia by exploiting the WinRAR path traversal flaw CVE-2025-8088. The group used legitimate tools alongside a custom Amaranth Loader and Cloudflare-backed C2 infrastructure to deliver encrypted payloads (including the Havoc framework and the TGAmaranth RAT), employ strict geofencing, and maintain stealth and persistence. #AmaranthDragon #CVE2025-8088 #WinRAR #TGAmaranthRAT
Attackers deployed a custom EDR killer that abuses a long‑revoked EnCase kernel driver (EnPortv.sys) to detect and terminate 59 security tools on infected hosts. The intrusion used compromised SonicWall SSL VPN credentials without MFA, leveraged a pre‑2015 signing exception that allowed the revoked driver to load, and Huntress recommends MFA, HVCI/Memory Integrity, WDAC/ASR, and monitoring for OEM‑masquerading kernel services. #EnCase #SonicWall
Huntress identified a ransomware-precursor intrusion after ingesting SonicWall telemetry that showed successful SonicWall SSLVPN authentication from malicious external IPs, followed by aggressive network reconnaissance and deployment of an EDR-killing payload. The attackers used a wordlist-encoded kernel driver (dropped as C:ProgramDataOEMFirmwareOemHwUpd.sys and leveraging EnPortv.sys) signed with an old revoked certificate to load a driver, terminate security processes, and persist as a Windows kernel service while Huntress correlated SIEM and EDR telemetry to contain the incident. #SonicWallSSLVPN #Huntress #OemHwUpd.sys #EnPortv.sys #BYOVD
RapidFort raised $42 million in a Series A round led by Blue Cloud Ventures and Forgepoint Capital to accelerate its automated vulnerability elimination technology. The company’s platform secures the software lifecycle by generating SBOMs, offering near-zero-CVE container images, and applying runtime hardening to reduce attack surface while meeting standards like FedRAMP…
Mandiant and Google Threat Intelligence Group observed an expansion of ShinyHunters‑branded extortion operations (tracked as UNC6661, UNC6671, and UNC6240) that use vishing and victim‑branded credential harvesting sites to steal SSO credentials and MFA codes and then exfiltrate data from cloud SaaS platforms for extortion. The actors abused OAuth apps, PowerShell access, proxy/VPN infrastructure, and deletion of notification emails to evade detection while publishing proof on Limewire and communicating via Tox. #ShinyHunters #UNC6661
The 2025 State of Detection Engineering at Elastic summarizes detection engineering work from October 2023 to October 2024, covering real-world incident responses, rule development lifecycles, CI/Detections-as-Code practices, and extensive telemetry and integration enhancements across endpoint, cloud, and SaaS platforms. Key highlights include rapid coverage for the CUPS RCE disclosures, detection and analysis of activity group REF6138 and a DPRK malicious NPM campaign, expansion of kernel and macOS telemetry, an AWS CloudTrail/Okta rule audit (50+ tunings, 40+ new rules, 17 hunting queries), and operational metrics such as processing 500+ malware samples/day with a 99% detection goal. #CUPS #CVE-2024-47076 #REF6138 #ElasticDefend #AWSCloudTrail #Okta #ScatteredSpider #Panix #SWAT #DEBMM #ElasticSecurityLabs #NPM #DPRK
Infostealer campaigns have expanded beyond Windows to target macOS and cross-platform environments, using social engineering, fileless execution, AppleScript automation, and abuse of trusted platforms to harvest browser credentials, keychain items, developer secrets, and cryptocurrency wallets. Microsoft observed macOS campaigns distributing DigitStealer, MacSync, and AMOS via fake installers and ClickFix prompts, and Python-based campaigns like PXA Stealer and Eternidade Stealer using phishing, WhatsApp automation, and malicious PDF tools to exfiltrate data. #DigitStealer #PXA_Stealer
Ukraine’s CERT warns that Russian-linked APT28 is actively exploiting CVE-2026-21509 in multiple Microsoft Office versions using malicious DOC attachments to deploy the COVENANT loader. The exploit chain leverages WebDAV downloads, COM hijacking with EhStoreShell.dll, shellcode embedded in an image, and a scheduled task, and defenders are advised to apply Microsoft’s out-of-band Office updates or registry mitigations and monitor/block Filen C2 traffic. #CVE-2026-21509 #APT28
Zscaler ThreatLabz identified Operation Neusploit in January 2026, attributing the campaign to APT28 using specially crafted RTFs that exploit CVE-2026-21509 to deliver MiniDoor and PixyNetLoader/Covenant Grunt implants. The multi-stage chain used region-targeted server-side evasion, COM hijacking, steganography in a PNG, and scheduled tasks to achieve persistence and C2 via the Filen API. #APT28 #PixyNetLoader
SecurityWeek’s Cyber Insights 2026 warns that agentic AI will increasingly automate and accelerate the entire cyberattack lifecycle, enabling one-click, adaptive, and highly targeted intrusions that blur the line between code and conversation. Organizations must double down on foundational cyber hygiene and adopt behavioral, AI-aware defenses to detect and remediate automated, identity-led,…
Ukraine’s cyber defenders say Russian state-sponsored APT28 weaponized a Microsoft Office zero-day (CVE-2026-21509) and launched targeted attacks against Ukrainian government agencies and European institutions within 24 hours of public disclosure. Malicious documents exploited the flaw to deploy a multi-stage chain that drops EhStoreShell.dll and SplashScreen.png, uses COM hijacking and a scheduled…
Mandiant describes an expansion of ShinyHunters-branded extortion operations that leverage vishing and victim-branded credential harvesting to compromise single sign‑on (SSO) credentials and enroll unauthorized devices into victim MFA, enabling access to cloud SaaS environments. Immediate containment (revoke sessions, pause MFA registration, restrict password resets) plus long‑term hardening (phishing‑resistant MFA, IdP/SaaS logging and detections) are recommended to stop exfiltration and persistence. #ShinyHunters #Okta