MS-ISAC reporting shows total malware notifications rose 7% from Q3 to Q4 2025, with SocGholish accounting for 30% of detections and CoinMiner and Agent Tesla also prominent. New and returning families observed include ACR Stealer, Calendaromatic, SombRAT, and Arechclient2, with notable vectors like malvertisement, malspam, WMI-based spread, and multiple persistence and…
Tag: SSO
Mandiant and Google Threat Intelligence Group observed an expansion of ShinyHunters-branded extortion operations (tracked as UNC6661, UNC6671, and UNC6240) that use vishing and victim-branded credential harvesting sites to steal SSO credentials and MFA codes and then exfiltrate data from cloud SaaS platforms for extortion. The actors abused OAuth apps, PowerShell access, proxy/VPN infrastructure, and deletion of notification emails to evade detection while publishing proof on Limewire and communicating via Tox. #ShinyHunters #UNC6661
The Notepad++ update infrastructure was compromised via a hosting-provider-level breach that allowed attackers to distribute malicious NSIS-based updates and maintain access from June to December 2025, targeting individuals and organizations across multiple countries. The campaign used at least three distinct execution chains: exploiting ProShow, a Lua-based in-memory loader, and DLL sideloading that delivered Cobalt Strike beacons and the Chrysalis backdoor. #NotepadPP #CobaltStrike
Spain’s Ministry of Universities has reportedly been compromised after a high-severity IDOR vulnerability granted an unauthorized actor admin-level access to its database. The attacker allegedly combined leaked credentials with sequential DNI iteration to systematically exfiltrate large amounts of student and applicant PII and financial records, including passport scans, DNI/NIE scans,…
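The bug class behind the item above, shown as an added example rather than anything from the reported incident: a record lookup keyed on a sequential national-ID-style number that checks only that the caller is logged in, the same lookup with an object-level authorization check, and a small enumeration detector over access-log lines. The records, user names, identifiers and log lines are all constructed for this illustration, and the ministry's real application is not known.

```python
"""Added example: IDOR on a sequential identifier, its fix, and a log check.
Records, users, identifiers and log lines below are constructed, not real."""
from collections import defaultdict

# Constructed applicant records keyed by a sequential number (a stand-in for a
# DNI-like identifier; the numbers are made up).
RECORDS = {
    10000001: {"name": "A. Example", "owner": "user_a"},
    10000002: {"name": "B. Example", "owner": "user_b"},
    10000003: {"name": "C. Example", "owner": "user_c"},
}


class Forbidden(Exception):
    pass


def get_record_vulnerable(session_user, dni):
    """Vulnerable: authentication only. Any logged-in session can read any
    record by number, so one leaked credential plus a counter walks the table."""
    if session_user is None:
        raise Forbidden("not authenticated")
    return RECORDS[dni]


def get_record_hardened(session_user, dni, is_admin=False):
    """Hardened: an object-level authorization check tied to the caller."""
    if session_user is None:
        raise Forbidden("not authenticated")
    rec = RECORDS.get(dni)
    if rec is None or (rec["owner"] != session_user and not is_admin):
        # Same response for "not yours" and "does not exist", so the endpoint
        # cannot be used as an existence oracle for valid identifiers.
        raise Forbidden("not found")
    return rec


def enumerate_all(session_user, start, count, fetch):
    """The generic IDOR pattern: iterate consecutive identifiers with one
    session and keep whatever comes back."""
    out = []
    for dni in range(start, start + count):
        try:
            out.append(fetch(session_user, dni))
        except (Forbidden, KeyError):
            pass
    return out


# Constructed access-log lines: "<session_user> <requested_id>"
ACCESS_LOG = """user_a 10000001
user_a 10000002
user_a 10000003
user_a 10000004
user_b 10000002
"""


def find_sequential_enumeration(log, min_run=3):
    """Flag principals whose requested identifiers contain a run of at least
    `min_run` consecutive values; returns {user: longest_run}."""
    seen = defaultdict(list)
    for line in log.splitlines():
        user, rid = line.split()
        seen[user].append(int(rid))
    flagged = {}
    for user, ids in seen.items():
        ids = sorted(set(ids))
        run = best = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    print(len(enumerate_all("user_a", 10000001, 5, get_record_vulnerable)))  # 3
    print(len(enumerate_all("user_a", 10000001, 5, get_record_hardened)))    # 1
    print(find_sequential_enumeration(ACCESS_LOG))                           # {'user_a': 4}
```

The hardened handler returns the same error for a foreign record and a missing one; a distinguishable "not yours" response still leaks which identifiers exist. The log check is deliberately crude (consecutive integers from one principal) and is the kind of rule that catches sequential iteration only if the application logs the requested object identifier, not just the endpoint.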
The 2025 State of Detection Engineering at Elastic summarizes detection engineering work from October 2023 to October 2024, covering real-world incident responses, rule development lifecycles, CI/Detections-as-Code practices, and extensive telemetry and integration enhancements across endpoint, cloud, and SaaS platforms. Key highlights include rapid coverage for the CUPS RCE disclosures, detection and analysis of activity group REF6138 and a DPRK malicious NPM campaign, expansion of kernel and macOS telemetry, an AWS CloudTrail/Okta rule audit (50+ tunings, 40+ new rules, 17 hunting queries), and operational metrics such as processing 500+ malware samples/day with a 99% detection goal. #CUPS #CVE-2024-47076 #REF6138 #ElasticDefend #AWSCloudTrail #Okta #ScatteredSpider #Panix #SWAT #DEBMM #ElasticSecurityLabs #NPM #DPRK
Microsoft announced a three-phase plan to phase out New Technology LAN Manager (NTLM) and transition Windows environments to more secure Kerberos-based authentication, citing NTLM’s weak cryptography and susceptibility to replay, relay, and pass-the-hash attacks. The rollout includes immediate enhanced NTLM auditing, pre-release migration features like IAKerb and Local KDC, and a…
Infostealer campaigns have expanded beyond Windows to target macOS and cross-platform environments, using social engineering, fileless execution, AppleScript automation, and abuse of trusted platforms to harvest browser credentials, keychain items, developer secrets, and cryptocurrency wallets. Microsoft observed macOS campaigns distributing DigitStealer, MacSync, and AMOS via fake installers and ClickFix prompts, and Python-based campaigns like PXA Stealer and Eternidade Stealer using phishing, WhatsApp automation, and malicious PDF tools to exfiltrate data. #DigitStealer #PXA_Stealer
Ukraine’s CERT warns that Russian-linked APT28 is actively exploiting CVE-2026-21509 in multiple Microsoft Office versions using malicious DOC attachments to deploy the COVENANT loader. The exploit chain leverages WebDAV downloads, COM hijacking with EhStoreShell.dll, shellcode embedded in an image, and a scheduled task, and defenders are advised to apply Microsoft’s out-of-band Office updates or registry mitigations and monitor/block Filen C2 traffic. #CVE-2026-21509 #APT28
Mandiant warns that ShinyHunters-branded extortion campaigns are expanding, using vishing and victim-branded credential-harvesting phishing kits to compromise SSO and enroll unauthorized devices into MFA for cloud SaaS environments. The group has registered fake domains targeting over 100 organizations across multiple sectors, prompting urgent guidance to revoke session tokens, disable compromised accounts,…
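A detection sketch for the pattern named in this item and in the earlier Mandiant/GTIG entry (SSO compromise followed by enrolment of an attacker-controlled MFA method), added here as an example and not taken from Mandiant's reporting or any vendor's rule set. The event records, field names, user names, IP addresses and per-user baseline are constructed for the example; a real deployment would map them onto the identity provider's sign-in and security-info audit logs.

```python
"""Added example: flag an MFA method registration that follows, within a short
window, a sign-in from an IP address the user has not been seen from before.
Event shape, users, IPs and timestamps are constructed for this example."""
from datetime import datetime, timedelta

# Constructed per-user baseline of known-good sign-in IPs (stands in for
# whatever sign-in history the SOC already keeps).
BASELINE_IPS = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}

# Constructed events, ISO-8601 timestamps, two event types only.
EVENTS = [
    {"ts": "2025-12-01T09:00:00", "user": "alice", "type": "signin",
     "ip": "203.0.113.10"},
    {"ts": "2025-12-01T09:05:00", "user": "alice", "type": "mfa_registered",
     "ip": "203.0.113.10", "method": "authenticator_app"},
    {"ts": "2025-12-01T10:00:00", "user": "bob", "type": "signin",
     "ip": "192.0.2.55"},
    {"ts": "2025-12-01T10:07:00", "user": "bob", "type": "mfa_registered",
     "ip": "192.0.2.55", "method": "phone"},
    {"ts": "2025-12-02T10:00:00", "user": "bob", "type": "signin",
     "ip": "198.51.100.7"},
]


def suspicious_mfa_enrollments(events, baseline, window=timedelta(minutes=30)):
    """Return (user, signin_ip, method) tuples for MFA registrations that occur
    within `window` after a sign-in from an IP outside the user's baseline."""
    last_new_ip_signin = {}  # user -> (timestamp, ip)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "signin":
            if e["ip"] not in baseline.get(e["user"], set()):
                last_new_ip_signin[e["user"]] = (t, e["ip"])
        elif e["type"] == "mfa_registered":
            prior = last_new_ip_signin.get(e["user"])
            if prior and t - prior[0] <= window:
                hits.append((e["user"], prior[1], e["method"]))
    return hits


if __name__ == "__main__":
    for user, ip, method in suspicious_mfa_enrollments(EVENTS, BASELINE_IPS):
        print(f"{user}: '{method}' registered after sign-in from new IP {ip}")
```

Alice's registration is not flagged because her sign-in came from a baseline IP; Bob's is, because a phone method was added seven minutes after a sign-in from an address he had never used. A hit of this kind is the trigger for the response steps the item lists (revoking session tokens and disabling the account) and for removing the newly registered method, none of which the example performs.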
ZHGUI is a coordinated mirror-exchange and TRC20-focused fraud ecosystem that uses cloned domains, fake trading dashboards, social-engineering via WhatsApp communities, a self-submitted FinCEN MSB entry, and TRON-based wallets to harvest funds and KYC data from Mandarin-speaking investors in Southeast Asia. On-chain analysis links large USDT flows through a labelled “RazorPay” aggregation wallet (TETzN…) into an internal relay (TNKCBR…) and onward to major CEX deposit addresses, demonstrating a structured laundering pipeline. #ZHGUI #TRON
The Taiwan HVAC Engineering Association (THA) has reportedly suffered a significant data breach exposing administrative records and tender-related information. Leaked data appears to include full names, email addresses, usernames and plain-text passwords, IP addresses and session IDs, contact details, personal demographics, and government tender documents. #TaiwanHVACEngineeringAssociation #TaichungCityLixingElementarySchool #BadeExteriorPrison…
Securonix and follow-up analysis detail a stealthy PHALT#BLYX campaign that used phishing, fake CAPTCHAs, and fake BSOD pages to deliver DCRat and gain full remote access to infected systems. The investigation expanded the original 11 IoCs to 12 (one URL, eight domains, three IPs) and uncovered thousands of potential victim IPs and tens of thousands of email-connected domains tied to the campaign. #DCRat #PHALT_BLYX
Zscaler ThreatLabz identified Operation Neusploit in January 2026, attributing the campaign to APT28 using specially crafted RTFs that exploit CVE-2026-21509 to deliver MiniDoor and PixyNetLoader/Covenant Grunt implants. The multi-stage chain used region-targeted server-side evasion, COM hijacking, steganography in a PNG, and scheduled tasks to achieve persistence and C2 via the Filen API. #APT28 #PixyNetLoader
Have I Been Pwned reports that the Panera Bread data breach exposed 5.1 million unique email addresses and associated account information, not the 14 million customers previously reported. The data was published by the ShinyHunters extortion group after an alleged Microsoft Entra SSO vishing attack and leaked roughly 760 MB of files, with related intrusions also impacting Match Group and SoundCloud. #ShinyHunters #PaneraBread
SecurityWeek’s Cyber Insights 2026 warns that agentic AI will increasingly automate and accelerate the entire cyberattack lifecycle, enabling one-click, adaptive, and highly targeted intrusions that blur the line between code and conversation. Organizations must double down on foundational cyber hygiene and adopt behavioral, AI-aware defenses to detect and remediate automated, identity-led,…