Recent reports describe a widespread WhatsApp scam in which attackers take over a victim’s account and send urgent money requests to the victim’s contacts, often citing unexpected expenses like medical bills. Users are urged to verify requests via another channel, close all active WhatsApp sessions (including WhatsApp Web), check archived chats, enable two-step verification, and report incidents to authorities. #WhatsApp #WhatsAppWeb
The article outlines security risks and operational best practices for running AI and ML workloads on Kubernetes and Oracle Cloud Infrastructure (OCI), emphasizing the shared responsibility model and the need to secure data planes, GPU nodes, inference services, and supply chains. It reviews recent AI-targeted incidents and promotes runtime protection, CI/CD hygiene, and integrated solutions such as Sysdig Secure with OKE to provide real-time detection and response. #ShadowRay2_0 #OCI
Black Basta operators (tracked as the group Cardinal) deployed a ransomware payload that uniquely bundled a vulnerable NsecSoft NSecKrnl kernel driver (CVE-2025-68947) to kill security processes and evade defenses, appending a “.locked” extension to encrypted files. The campaign also included a prior side-loaded loader and post-deployment presence of the GotoHTTP RAT, suggesting long dwell time or attempts to maintain persistence. #BlackBasta #Cardinal
Microsoft Defender Experts discovered CrashFix, an evolved ClickFix campaign variant that intentionally crashes victims’ browsers and displays fake “CrashFix” pop-ups to socially engineer users into running malicious commands. The attack chain leverages a malicious Chrome extension impersonating uBlock Origin Lite, abuses the native finger.exe (renamed to ct.exe) to fetch obfuscated PowerShell and Python payloads, and uses attacker infrastructure for further delivery and command retrieval. #CrashFix #ClickFix
There were 10 defacement incidents targeting websites in Samoa, Kenya, Thailand, Bolivia, and Indonesia. The incidents were carried out by attackers identified as White System’./404, Rici144, Hunter Bajwa, and Maria. #Samoa #Kenya #Thailand #Bolivia #Indonesia…
Lotus Blossom has resurfaced with a sophisticated supply chain attack against the Notepad++ infrastructure and deployed a new custom backdoor called Chrysalis to spy on targets in Southeast Asia and Central America. The campaign uses a Warbird-protected loader, DLL side‑loading, commodity tools like Cobalt Strike, and undocumented system calls to evade…
Cloud migrations often create visibility blind spots, and network-layer telemetry combined with Network Detection and Response (NDR) provides consistent, provider-agnostic visibility for detecting threats in multi- and hybrid-cloud environments. The article recommends enabling flow logs and traffic mirroring, standardizing and enriching telemetry with cloud inventory, and tuning baselines to detect threats such as coinminer beaconing, stolen credentials, and suspicious interactive admin activity. #Corelight #Kubernetes
Zscaler ThreatLabz discovered Marco Stealer in June 2025, an information stealer that primarily exfiltrates browser data, cryptocurrency wallet data from extensions, and sensitive files from local and cloud storage. The malware uses ARX-based runtime string decryption, anti-analysis checks that terminate tools like x64dbg and Wireshark, named pipes and DLL injection to extract browser and wallet data, and sends AES-256–encrypted data to HTTP C2 endpoints. #MarcoStealer #Zscaler
Unit 42 attributes a large-scale, state-aligned cyberespionage campaign — tracked as TGR-STA-1030 and called the Shadow Campaigns — to an Asia-based actor that has compromised government and critical infrastructure across 37 countries using phishing, exploitation, C2 frameworks and a novel eBPF rootkit. The group used tools including Diaoyu Loader, Cobalt Strike,…
Betterment suffered a January breach that exposed personal data from 1,435,174 accounts, including email addresses, names, and other contact and identifying details. Attackers also sent fraudulent promotional emails to solicit cryptocurrency, and a CrowdStrike-supported forensic investigation reported no evidence that customer account credentials were accessed. #Betterment #CrowdStrike
Researchers mapped additional network infrastructure and indicators linked to the February 2026 Notepad++ update-channel compromise, identifying C2 domains, Cobalt Strike beacon IPs, and likely malicious file-hosting addresses. Analysis shows the attackers used access to a shared hosting account to selectively redirect update traffic and deliver malicious payloads. #Notepad++ #CobaltStrike
Acronis TRU tracked Transparent Tribe (APT36) shifting from government and defense targets to India’s startup ecosystem, delivering Crimson RAT via startup-themed ISO container files and malicious LNK shortcuts. The campaign reused established APT36 tooling, infrastructure and tradecraft — including spear-phishing ISO attachments, a batch runner for persistence, and C2 servers 93.127.133.9 and sharmaxme11.org — reinforcing attribution overlaps and the targeting of OSINT/cybersecurity startups. #TransparentTribe #CrimsonRAT
Sysdig TRT observed a rapid offensive cloud operation where an attacker obtained credentials from public S3 buckets, injected code into an AWS Lambda (EC2-init) to create admin access keys, moved laterally across 19 AWS principals, abused Amazon Bedrock models, and provisioned GPU instances for model training or resale. The operation contained multiple indicators of LLM assistance—LLM-generated code with Serbian comments, hallucinated AWS account IDs and a non-existent GitHub repo—and the report outlines detection opportunities and mitigation recommendations. #AmazonBedrock #AWSLambda
Microsoft disclosed CVE-2026-21509, a security-feature-bypass in Microsoft Office that lets attacker-controlled document metadata short-circuit Kill Bit checks and cause instantiation of kill-bitted OLE/COM components, and it is confirmed to be actively exploited. APT28 has used targeted spearphishing with weaponized RTF/Word docs to deliver payloads such as MiniDoor and PixyNetLoader—leveraging Outlook VBA persistence, COM hijacking, scheduled tasks named OneDriveHealth, and steganographic staging to maintain access. #CVE-2026-21509 #APT28
The 2026 breach of Harvard University’s Alumni Affairs and Development by the ShinyHunters collective exposed about 115,000 sensitive records, including detailed donor wealth, family networks, and admissions-related flags. The attackers likely used vishing and an SSO/MFA bypass to access SaaS platforms, underscoring the urgent need for phishing-resistant MFA and Zero Trust defenses. #ShinyHunters #HarvardUniversity