Acronis TRU uncovered a targeted espionage campaign named CRESCENTHARVEST that uses Farsi-language protest lures to trick victims into opening malicious .LNK shortcuts and installing a multi-module stealer/RAT. The implant chain relies on DLL sideloading via a signed Google binary, extracts browser app-bound keys, logs keystrokes and exfiltrates data to a C2 in Riga. #CRESCENTHARVEST #AcronisTRU
Critical and high-severity vulnerabilities in popular VSCode extensions, which together have more than 128 million downloads, could be exploited to steal local files and enable remote code execution. Ox Security disclosed the issues after maintainers failed to respond and warned developers to remove unnecessary extensions, avoid opening untrusted HTML or running localhost servers, and monitor for unexpected configuration changes. #LiveServer #CodeRunner
Kaspersky discovered a sophisticated Android backdoor named Keenadu embedded in device firmware that can silently harvest data and remotely control infected tablets. The backdoor is injected via libandroid_runtime.so into the Zygote process, uses a client-server AKServer/AKClient architecture to load malicious modules, and has been observed in Alldocube firmware and other undisclosed…
Two critical zero-day remote code execution vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited to gain unauthenticated control of enterprise MDM infrastructure. Unit 42 documents automated mass scanning and exploitation leading to reverse shells, web shell installation, malware downloads (including the Nezha monitoring agent), and…
Sinobi is a Ransomware-as-a-Service operation that emerged in mid-2025 and appears to be a rebrand or successor to the Lynx and INC Ransom families based on significant code overlap. The group uses a closed affiliate model and double-extortion tactics—gaining access via compromised credentials and CVE exploits, exfiltrating data with Rclone, and encrypting files with Curve-25519/AES-128-CTR to demand payment. #Sinobi #Lynx
Cofense PDC observed threat actors using spoofed Microsoft and Google Calendar invitations with embedded malicious links that redirect victims to fake login pages to harvest credentials. Users should carefully verify sender addresses and URLs before clicking calendar invites and organizations should deploy real-time defenses to detect and respond to these calendar-based phishing campaigns. #Microsoft #GoogleCalendar
Microsoft is working to resolve an outage that caused delays and prevented some users from accessing Microsoft Teams, affecting meeting joins, sign-ins, and chat messages with inline media. Engineers identified a caching-related configuration change, reverted to a healthy version, and confirmed the impact was remediated after monitoring. #MicrosoftTeams #Microsoft365 #CopilotStudio #MicrosoftEntra
Notepad++ has rolled out a “double-lock” update verification in version 8.9.2 that checks both the GitHub-signed installer and an XMLDSig-signed XML from notepad-plus-plus.org to prevent supply-chain tampering. The change follows a six-month compromise attributed to the Lotus Blossom group that used the Chrysalis backdoor, and users are urged to upgrade to 8.9.2 and download installers only from the official domain. #NotepadPlusPlus #LotusBlossom
A suspected Chinese state-backed group, UNC6201, has been exploiting a hardcoded-credential zero-day (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024 to gain unauthenticated access and root persistence. The intruders deployed a new C# backdoor called Grimbolt (replacing Brickstorm) and used stealthy Ghost NICs on VMware ESXi to move laterally; Dell urges immediate remediation. #UNC6201 #Grimbolt
Canada Goose said a recently published dataset claimed by the ShinyHunters group appears to be a historical customer transactions file and not the result of a breach of its systems. The company is reviewing the data and reports no evidence of unmasked financial information, while ShinyHunters has continued high-profile campaigns using…
Mandiant and Google Threat Intelligence Group identified exploitation of a critical Dell RecoverPoint for Virtual Machines vulnerability (CVE-2026-22769) by UNC6201 beginning in mid-2024, enabling lateral movement, persistent access, and deployment of SLAYSTYLE, BRICKSTORM, and a new AOT-compiled backdoor called GRIMBOLT. Dell published remediations and the report details Tomcat Manager WAR deployment using hard-coded admin credentials, persistence via convert_hosts.sh modification, VMware pivoting using “Ghost NICs,” and iptables-based Single Packet Authorization techniques. #CVE-2026-22769 #UNC6201 #GRIMBOLT #BRICKSTORM #SLAYSTYLE #DellRecoverPoint
Keenadu is a newly discovered, highly sophisticated Android backdoor embedded in firmware across multiple device brands that can compromise every installed app and give attackers unrestricted control. Kaspersky reports multiple distribution methods — including compromised OTA firmware, system apps, modified APKs, and apps on Google Play — and has confirmed about 13,000 infected devices worldwide. #Keenadu #Kaspersky
APIs remain a primary attacker-favored route — Wallarm found 17% of 2025 vulnerabilities were API-related and 43% of exploited CISA KEV entries in 2025 were tied to APIs, contributing to major breaches at 700Credit, Qantas, and Salesloft. The rapid growth of AI and the Model Context Protocol (MCP) is amplifying API…
Ireland’s Data Protection Commission has opened a large-scale GDPR investigation into Elon Musk’s X Internet Unlimited Company over its Grok AI generating nonconsensual sexually explicit deepfake images, including images reportedly involving children. The probe — running alongside separate EU and UK inquiries under the Digital Services Act — could result in…
The NCSC warns SMEs that assuming they are too small to be targeted is dangerous and urges urgent action through the UK government-backed Cyber Essentials baseline. Richard Horne stresses closing the awareness–action gap by implementing simple controls and using NCSC-assured support to reduce exposure to opportunistic automated attacks. #CyberEssentials #NCSC…