GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use | Google Cloud Blog

GTIG observed widespread misuse of generative AI in late 2025, including an uptick in model extraction (“distillation”) attempts and AI-augmented operations such as reconnaissance, hyper-personalized phishing, and AI-assisted malware development. Notable examples include the HONESTCUE downloader, which called Gemini’s API to generate its stage-two code, and the COINBAIT phishing kit, built with AI-assisted code generation and hosted on legitimate services. #HONESTCUE #COINBAIT

Turning IBM QRadar Alerts into Action with Criminal IP

Criminal IP is now integrated with IBM QRadar SIEM and QRadar SOAR, bringing AI-powered, IP-based threat intelligence directly into QRadar detection, investigation, and response workflows. The integration provides real-time IP risk scoring from firewall logs, in-context investigations inside QRadar, and automated SOAR enrichment to speed prioritization and response. #CriminalIP #IBMQRadar

Claude LLM artifacts abused to push Mac infostealers in ClickFix attack

Threat actors are abusing public Claude artifacts and malicious Google Ads in ClickFix campaigns to trick macOS users into pasting shell commands that install the MacSync infostealer. Researchers from Moonlock Lab and AdGuard observed multiple variants and thousands of views, with the same C2 infrastructure linking the activity to a single actor. #MacSync #Claude

Fake job recruiters hide malware in developer coding challenges

A new variation of a fake recruiter campaign attributed to North Korea’s Lazarus group targets JavaScript and Python developers with cryptocurrency-related coding tasks that trick applicants into cloning and running malicious repositories. Researchers uncovered 192 malicious npm and PyPI packages in a campaign dubbed “graphalgo” that deliver a modular RAT capable of MetaMask theft, token‑protected C2, remote command execution, and data exfiltration; impacted developers should rotate credentials and reinstall their OS. #Graphalgo #Lazarus

Malicious Chrome Extension Steals Meta Business Manager Exports and TOTP 2FA Seeds

Socket Threat Research discovered a malicious Chrome extension named CL Suite by @CLMasters that advertises Meta Business Suite scraping and 2FA generation while exfiltrating TOTP seeds, current 2FA codes, Business Manager contact CSVs, and analytics to threat actor infrastructure. The extension reports data to getauth[.]pro (and optionally forwards payloads to a Telegram channel), undermining 2FA and enabling account takeover and long-term business asset hijacking. #CLSuite #MetaBusinessSuite
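Why a leaked seed is a full 2FA bypass, as an added illustration that is not part of Socket's report: TOTP is a deterministic function of the seed and the clock, so whoever holds the seed computes exactly the codes the victim's authenticator shows, for every future window. The block below implements RFC 4226 HOTP and RFC 6238 TOTP from scratch and uses the RFC 6238 test key as a constructed stand-in for a stolen seed; the code-window helper and its name are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed stand-in for an exfiltrated seed: the RFC 6238 test key
# ("12345678901234567890") as the base32 string an authenticator app would store.
STOLEN_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_seed(seed_b32: str) -> bytes:
    """Decode an authenticator-style base32 seed (case and padding tolerant)."""
    s = seed_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def codes_from_stolen_seed(seed_b32: str, at: int, digits: int = 6) -> dict:
    """What an attacker can produce from the seed alone: the current code plus the
    previous and next windows, which covers the clock skew most verifiers accept."""
    secret = decode_seed(seed_b32)
    return {
        "previous": totp(secret, at - 30, digits=digits),
        "current": totp(secret, at, digits=digits),
        "next": totp(secret, at + 30, digits=digits),
    }


if __name__ == "__main__":
    print(codes_from_stolen_seed(STOLEN_SEED_B32, int(time.time())))
```

The practical consequence: once a seed has left the device, rotating the password does nothing; the TOTP enrollment itself has to be revoked and re-provisioned with a fresh seed.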

Dark Web Profile: The Gentlemen Ransomware

The Gentlemen is an operationally disciplined ransomware group first observed in mid-to-late 2025 that conducts double‑extortion attacks across Windows, Linux, NAS, BSD, and ESXi environments using password‑protected, operator-driven builds. Their campaigns leverage exposed internet-facing services and compromised administrative credentials, and victims have been publicly listed on a Dark Web leak site. #TheGentlemen #ESXi

Governor Confirms Virgin Islands EDA Cyberattack; Official Statement Pending

The U.S. Virgin Islands Economic Development Authority (EDA) has been reported as the target of a cyberattack; agency officials have not yet commented publicly. The governor confirmed the incident and said an official statement is forthcoming. Local authorities warned that ransom-driven cyberattacks are increasing in the territory and offered assistance to organizations dealing with security breaches. #EDA #USVIEDA

OysterLoader Unmasked: The Multi-Stage Evasion Loader

OysterLoader (aka Broomstick / CleanUp) is a multi-stage C++ loader distributed via fake signed MSI installers that delivers payloads (notably Rhysida ransomware and commodity stealer Vidar) using staged shellcode, custom LZMA, and steganographically hidden DLLs. Its operators use extensive obfuscation (API-hammering, dynamic API hashing, custom Base64 alphabets and RC4), robust HTTP-based C2 with fallback servers, scheduled-task persistence, and anti-analysis checks. #OysterLoader #Rhysida
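Two of the obfuscation layers listed above, a custom Base64 alphabet and RC4, are cheap to strip once the alphabet and key have been recovered from the sample. The block below is an added analyst helper, not code from the OysterLoader report or from any vendor: it maps a non-standard alphabet back to the standard one, decodes, then RC4-decrypts. The alphabet and key used here are hypothetical placeholders and are not OysterLoader's real values; the RC4 routine is checked against the well-known "Key"/"Plaintext" vectors.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical values for illustration only; NOT OysterLoader's real alphabet or key.
# A custom alphabet is simply a permutation of the standard 64 characters.
CUSTOM_ALPHABET = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210/+"
CUSTOM_KEY = b"hypothetical-rc4-key"


def custom_b64decode(data: str, alphabet: str, pad: str = "=") -> bytes:
    """Decode base64 that uses a non-standard alphabet by translating it to the
    standard alphabet and handing the result to the stock decoder."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    table = str.maketrans(alphabet + pad, STD_ALPHABET + "=")
    std = data.strip().translate(table)
    std += "=" * (-len(std) % 4)  # tolerate stripped padding
    return base64.b64decode(std)


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Inverse of custom_b64decode; used here only to build constructed test input."""
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode().translate(table)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream byte XORed with each input byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_blob(blob: str, alphabet: str = CUSTOM_ALPHABET, key: bytes = CUSTOM_KEY) -> bytes:
    """Analyst helper: custom-base64 decode first, then RC4 decrypt."""
    return rc4(key, custom_b64decode(blob, alphabet))


def encode_blob(plain: bytes, alphabet: str = CUSTOM_ALPHABET, key: bytes = CUSTOM_KEY) -> str:
    """Produce a blob the way such a loader would (constructed sample input only)."""
    return custom_b64encode(rc4(key, plain), alphabet)


if __name__ == "__main__":
    sample = encode_blob(b"http://c2.example.invalid/gate.php")  # constructed
    print(sample)
    print(decode_blob(sample))
```

The order matters when reversing real samples: encoding is usually encrypt-then-encode, so decoding is decode-then-decrypt. If the first byte of output is not the expected magic (an `MZ` header, a URL scheme, printable config), either the alphabet or the key is wrong, and a custom alphabet is most easily recovered from the 64-byte string the loader's decoder indexes into.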

Fake recruiter campaign targets crypto devs

ReversingLabs uncovered a modular software‑supply‑chain campaign called graphalgo, attributed to North Korea’s Lazarus Group, that targets JavaScript and Python developers via fake recruiter job tasks and malicious packages on npm and PyPI. The operation uses fake company personas (e.g., Veltrix Capital), social outreach (LinkedIn, Facebook, Reddit), dependency-based infection (packages such as bigmathutils and graphnetworkx), and multistage downloaders that deploy a token‑protected RAT communicating with codepool[.]cloud. #LazarusGroup #graphalgo
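The infection vector in both graphalgo write-ups above (the fake recruiter items) is dependency-based: the recruiter's task repository pulls the malicious package in as a direct or transitive dependency rather than shipping malware in its own source. A quick triage step for anyone who cloned such a task is therefore to walk the lockfile, transitive entries included, rather than eyeballing the top-level manifest. The block below is an added example, not ReversingLabs' tooling; the indicator lists use only the package names and C2 domain quoted in the summary and are not the full indicator set, and the lockfile, requirements file and source snippet are constructed sample inputs.

```python
import json
import re

# Indicators as quoted in the summary above; a starting point, not the full set.
GRAPHALGO_PACKAGES = {"bigmathutils", "graphnetworkx"}
GRAPHALGO_DOMAINS = {"codepool.cloud"}

# Constructed sample inputs standing in for a cloned "coding task" repository.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "recruiter-task", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.19.2", "chart-helpers": "1.0.3"}},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/chart-helpers": {"version": "1.0.3",
                                       "dependencies": {"graphnetworkx": "0.2.1"}},
        "node_modules/chart-helpers/node_modules/graphnetworkx": {"version": "0.2.1"},
    },
})
SAMPLE_REQUIREMENTS = "requests==2.32.3\nbigmathutils>=1.1  # math helpers\nnumpy\n"
SAMPLE_SOURCE = 'fetch("https://api.codepool.cloud/v1/init")'


def npm_packages_from_lock(lock_text: str) -> set:
    """Every installed npm package in a package-lock.json, transitive ones included.
    Handles lockfile v2/v3 ("packages" keyed by path) and v1 (nested "dependencies")."""
    lock = json.loads(lock_text)
    found = set()
    for path in lock.get("packages", {}):
        if path:  # the empty key is the root project itself
            found.add(path.rsplit("node_modules/", 1)[-1])

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            found.add(name)
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def pypi_packages_from_requirements(text: str) -> set:
    """Normalized package names from a requirements.txt (versions, extras, comments ignored)."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.add(m.group(1).lower().replace("_", "-"))
    return names


def scan(lock_text: str, requirements_text: str, source_text: str) -> dict:
    """Report which graphalgo indicators appear in the supplied files."""
    npm_hits = npm_packages_from_lock(lock_text) & GRAPHALGO_PACKAGES
    pypi_hits = pypi_packages_from_requirements(requirements_text) & GRAPHALGO_PACKAGES
    domain_hits = {d for d in GRAPHALGO_DOMAINS if d in source_text.lower()}
    return {"npm": sorted(npm_hits), "pypi": sorted(pypi_hits), "domains": sorted(domain_hits)}


if __name__ == "__main__":
    print(scan(SAMPLE_PACKAGE_LOCK, SAMPLE_REQUIREMENTS, SAMPLE_SOURCE))
```

A hit on any list means the package was already installed (and, with npm lifecycle scripts, quite possibly already executed), so the remediation in the summary applies: treat the machine as compromised, rotate every credential and wallet key it held, and rebuild rather than clean.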

LummaStealer Is Getting a Second Life Alongside CastleLoader

Bitdefender analysis shows LummaStealer has rapidly rebounded after a 2025 takedown by rebuilding infrastructure, leveraging social-engineering lures and multiple loaders — most prominently CastleLoader — to deliver in-memory payloads and exfiltrate credentials, cookies, documents and crypto data. Detection opportunities include an anomalous DNS lookup pattern from CastleLoader and behavioral indicators around…

How ClickFix Opens the Door to Stealthy StealC Information Stealer

This analysis details a multi-stage Windows attack that begins with a fake Cloudflare CAPTCHA (ClickFix) social-engineering prompt that tricks victims into executing malicious PowerShell. The PowerShell loads shellcode in memory, then a PE downloader, and ultimately the StealC information stealer. The StealC payload harvests browser credentials, crypto wallets, Steam and Outlook data, system fingerprints, and screenshots, and exfiltrates the data over HTTP to C2 servers using RC4-encrypted traffic. #StealC #ClickFix

Leaked technical documents show China rehearsing cyberattacks on neighbors’ critical infrastructure

China appears to have used a secret cyber range called Expedition Cloud to rehearse attacks on replicas of neighboring countries’ critical infrastructure, according to a cache of leaked development and training files. The materials, linked to developer files from CyberPeace and obtained via an exposed FTP server, show staged reconnaissance and…

Microsoft: Exchange Online flags legitimate emails as phishing

Microsoft is investigating an ongoing Exchange Online issue that began on February 5, where a new URL rule is incorrectly flagging legitimate emails as phishing and quarantining them, blocking some users from sending or receiving messages. The company is reviewing and releasing quarantined messages while working to unblock affected URLs and confirm full remediation. #Microsoft #ExchangeOnline
