Attackers ran paid Facebook ads that mimicked official Microsoft Windows 11 update promotions and redirected victims to near-perfect counterfeit download pages. Those pages delivered a malicious 75 MB installer (ms-update32.exe) hosted on GitHub, which installs an Electron-based LunarApplication to harvest saved passwords, browser sessions, and cryptocurrency wallet data. The campaign used geofencing…

The French Ministry of Finance disclosed a cyber incident in which hackers accessed the national bank account registry FICOBA and exposed data tied to about 1.2 million user accounts. Stolen information included RIBs/IBANs, account holder identities, addresses and some taxpayer IDs after attackers used credentials from a civil servant, and authorities are working to secure the system and notify affected users. #FICOBA #DGFiP

Dark Web Profile: Lotus Blossom

Lotus Blossom is a long-running, China-attributed APT that evolved from spear-phishing and watering-hole campaigns into sophisticated supply-chain compromises and targeted espionage using custom implants like Elise, Sagerunex, Hannotog, and Chrysalis. The group’s Notepad++ update-channel compromise and prior attacks against diplomatic, military, and maritime infrastructure demonstrate a “low-and-slow” intelligence collection approach emphasizing DLL sideloading, living-off-the-land techniques, and clandestine persistence. #LotusBlossom #Chrysalis

Arkanix Stealer: a C++ & Python infostealer

In October 2025 researchers discovered forum posts advertising a previously unknown MaaS called “Arkanix Stealer” offering both native C++ and Python implants, a configurable control panel, and payload generation. The malware harvested browser credentials, cryptocurrency wallets (using an embedded ChromElevator injector), and system and application data, and communicated with C2 endpoints on arkanix[.]pw; the affiliate program and panel were subsequently taken down. #ArkanixStealer #ChromElevator

Former Google Engineers Indicted Over Trade Secret Transfers to Iran

Two former Google engineers and one of their husbands were indicted in the U.S. for allegedly stealing trade secrets from Google and other tech firms and transferring them to unauthorized locations, including Iran. The stolen material reportedly included processor security and cryptography details tied to Google’s Tensor processor, and the defendants…

QakBot Named a 2026 Top Malware Threat: An IoC Analysis

CloudSEK and follow-up research focused on QakBot as a top access trojan/loader that is commonly distributed via phishing, harvests credentials, maintains C2 access, delivers payloads, and moves laterally to enable targeted attacks and ransomware against email-reliant enterprises. The investigation analyzed Trellix IoCs (extracted 929 domains, filtered to 492, studied 125), 19 subdomains, multiple client and infrastructure IPs, and thousands of email-connected domains, identifying specific malicious artifacts (e.g., books[.]ttc[.]edu[.]sg -> 200[.]69[.]23[.]93) and providing a downloadable dataset for further hunting. #QakBot #Trellix

January 2026 Infostealer Trend Report

AhnLab’s January 2026 report summarizes automated collection and analysis of Infostealer samples distributed via SEO-poisoned crack/keygen pages, forum and corporate site posts, and highlights differences in Windows and macOS distribution and obfuscation techniques. Notable findings include ACRStealer’s shift to ECDH + ChaCha20-Poly1305 for C2 encryption and rapid macOS sample churn with…

macOS Malware Analysis: Music Plugin DMG Loader

Security researchers uncovered a mass-distributed macOS loader delivered via cracked music plugin DMGs that deploys multistage payloads including Odyssey and MacSyncStealer and an additional Mach-O loader. The campaign leverages social engineering (including ClickFix-style browser prompts), obfuscated shell scripts, and PPI/affiliate tracking to retrieve and execute secondary payloads from domains such as mac[.]fleebottom-33[.]xyz and robincompany[.]xyz. #MacSyncStealer #Odyssey

The Immutable Illusion: Pwning Your Kernel with Cloud Files — Elastic Security Labs

Researchers demonstrate a new False File Immutability (FFI) exploit, Redux, that leverages the Windows Cloud Files driver (cldflt.sys) and FltWriteFileEx to modify in-use executables and achieve kernel-level code execution without requiring SMB/network redirectors. The technique bypasses prior mitigations (and remains effective on some patched Windows versions), and proof-of-concept exploits and mitigations (including an Elastic Defend rule and a filesystem minifilter) were released. #FalseFileImmutability #PPLFault

Running OpenClaw safely: identity, isolation, and runtime risk

Self-hosted agent runtimes like OpenClaw significantly widen the execution boundary by ingesting untrusted text, downloading and executing external skills, and acting with the credentials of the host, creating risks of credential exposure, persistent memory manipulation, and host compromise. Organizations should treat OpenClaw as untrusted code execution and, if evaluated, run it only in isolated environments with dedicated non-privileged credentials, continuous monitoring, and a rebuild plan. #OpenClaw #Moltbook

VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

CVE-2026-1731 is a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support’s thin-scc-wrapper WebSocket handler that Unit 42 has observed being actively exploited to deploy web shells, backdoors (including SparkRAT and VShell), create accounts, move laterally, and exfiltrate data across multiple sectors and countries. CISA added the vulnerability to its…

Nigerian man gets eight years in prison for hacking tax firms

A Nigerian national, Matthew Abiodun Akande, was sentenced to eight years in prison for hacking multiple Massachusetts tax preparation firms and filing over 1,000 fraudulent tax returns seeking more than $8.1 million in refunds. He used the Warzone RAT and a crypter, delivered via CEO-impersonation phishing emails with a disguised Dropbox link, to steal clients’ Social Security numbers and prior-year tax data before funneling refunds through co-conspirators. #WarzoneRAT #MatthewAkande

How infostealers turn stolen credentials into real identities

Modern infostealers harvest credentials along with browser cookies, browsing history, and system files, enabling attackers to tie technical data back to real people and organizations. Specops research of 90,000+ infostealer dumps (800M+ rows) shows credential reuse and session data let attackers escalate personal compromises into enterprise breaches, and continuous Active Directory scanning with Specops Password Policy can block known-compromised credentials to reduce that risk. #SpecopsPasswordPolicy #LinkedIn

CISA orders feds to patch actively exploited Dell flaw within 3 days

CISA ordered federal agencies to patch a maximum-severity hardcoded-credential vulnerability in Dell RecoverPoint (CVE-2026-22769) within three days after researchers found it has been actively exploited since mid-2024. Security firms attribute the exploitation to suspected Chinese threat cluster UNC6201, which has used the flaw for lateral movement and to deploy payloads including SLAYSTYLE, BRICKSTORM, and a new hard-to-analyze backdoor named GRIMBOLT. #UNC6201 #GRIMBOLT
