All news in category “Threat and Trends Reports”

⚡ This week's recap covers supply-chain compromises, resurfacing legacy bugs, and security tools themselves being targeted. Key incidents include a poisoned Nx Console VS Code extension leading to a GitHub breach, new active exploitation of Microsoft Defender flaws, and a nine-year-old Linux kernel privilege bug. Teams face increasing targeted phishing and widespread botnet scanning, while organizations scramble to patch critical CVEs and secure exposed services.

🛡️ Google Threat Intelligence Group analyzed a growing Chinese‑language phishing‑as‑a‑service (PhaaS) ecosystem, finding mature, professional offerings that facilitate real‑time credential and OTP interception and the tokenization of payment data. These services use encrypted channels like RCS and iMessage, provide extensive localization tools and ancillary criminal services, and often operate openly on Telegram. GTIG highlights the shift from simple password harvesting to financial account takeover and recommends stronger technical defenses such as FIDO2/WebAuthn and risk‑based verification.

🚨 A Bitdefender report warns that cybercriminals have built extensive ecosystems to scam Formula 1 fans, exploiting the sport’s fast-moving digital culture. Scams include counterfeit merchandise, fake grand prix tickets, illegal streaming apps and boxes, social media fraud and distribution of infostealer malware. Fans may also be coerced into botnets for DDoS attacks. Bitdefender urges vigilance and recommends anti-phishing and antivirus tools to reduce risk.

🔒 A survey of 750 CISOs in the US and UK found 58% said their organization would be willing to pay a ransom to end a ransomware incident. Experts and law enforcement advise against paying, citing encouragement of attackers and no guarantee of data recovery, but real-world evidence shows many firms still pay. Industry sources report incomplete decryption and credential exposure even after payment, while robust backups remain the best mitigation.

🛡️ Check Point Research’s March–April 2026 Threat Landscape Digest documents that AI-powered attacks have moved from experimental and state-sponsored exercises into routine criminal deployment. The report details a campaign in Mexico where a single operator used commercial AI to compromise nine government agencies, leveraging persistent jailbreaks, weaponized agent configuration files, and commodified attack platforms like EvilTokens. It warns that stolen AI provider keys, rapid exploit timelines, and shadow AI use create urgent operational and supply-chain risks for organizations.

🔍 ROADtools is an open-source Python toolkit for red teams and researchers that attackers have repurposed to target Microsoft Entra ID. It enumerates tenants, registers devices, and acquires or manipulates OAuth2/OpenID Connect tokens while using legitimate Microsoft APIs and configurable request attributes to evade detection. Nation-state actors have used ROADtools for discovery, persistence and defense evasion, and Palo Alto Networks outlines detection queries, mitigation recommendations and protections available via Cortex Cloud, Cortex XDR and Unit 42 services.

🔐 Modern breaches increasingly exploit identities rather than perimeter flaws. Cloud, SaaS, and hybrid work have dissolved traditional network borders so attackers favor stolen credentials, session token replay and OAuth consent phishing. MFA and perimeter controls remain important but can be bypassed through social engineering, proxying and misconfigured privileges. Organizations must elevate identity monitoring, enforce least privilege and realign investments toward identity governance and contextual access controls.

⚠️ ESET researchers in Latin America discovered multiple fraudulent websites impersonating FIFA and the World Cup ticketing portal to dupe fans into registering and submitting payment details. These sites use typosquatting, copied visuals, and convincing checkout flows to harvest money and personal data. Victims arrive via ads, sponsored search results, social posts or forwarded links. FIFA confirms tickets are only sold through a few official channels; users should verify domains, avoid pressure tactics, and enable unique passwords and two-factor authentication.

📝 This edition of the Threat Source newsletter blends career reflection with active threat intelligence. The author argues that being ungovernable — intellectually curious and challenging — can accelerate growth when paired with the right peers. Cisco Talos also documents a Chinese-language BadIIS MaaS campaign, highlighting indicators like embedded demo.pdb strings and recommending IIS monitoring and updated endpoint detections.

🔍 Flare researchers analyzed ~700 underground posts on the "Lucifer DaaS" between Jan 2025 and early 2026 to reveal how modern crypto drainers evolved into professionalized, service-like platforms. The study highlights affiliate-driven distribution, automation, website cloning, Permit2 abuse, and multichain support, showing how DaaS lowers technical barriers and increases resilience. It also lists practical indicators to help users avoid wallet-draining scams.

🛡️ New studies reveal that 75% of organizations often or sometimes deploy code they know is vulnerable, down from 81% last year but still alarmingly high. Checkmarx warns that AI-augmented attackers are dramatically shortening time-to-exploit, while Verizon’s DBIR links increased initial access to vulnerability exploitation aided by AI. A QBE survey found UK firms are worried about suppliers' AI use, yet few audit third-party AI or maintain formal AI governance.

🛡️ This week's ThreatsDay bulletin highlights a string of notable cybersecurity developments, from 47 zero-day exploits revealed at Pwn2Own Berlin 2026 to active Linux rootkit evolution. It summarizes warnings about agentic AI, targeted intrusions using AI agents, and advisories on token and dependency leaks. The report also covers nation-state tensions, ransomware activity, encrypted communications, and campaigns abusing identity recovery flows.

🔐 This article examines how identities — user, machine, and AI agent credentials — have become primary attack paths across hybrid environments. It uses real-world examples like cached access keys and forgotten role assignments to show how isolated identity weaknesses chain into exploitable routes. The piece explains why traditional IGA and PAM tools miss these cross-boundary paths and calls for unified mapping of identity, permissions, and environment context to prevent breaches.

🛡️ Attackers have started embedding QR codes as ASCII art in phishing emails to bypass image and link scanners. The lure often impersonates services like DocuSign, instructing victims to scan and enter corporate credentials on mobile devices. Deploying secure email gateways with ASCII-decoding and endpoint protections helps detect and block these campaigns and reduce risk.

🔍 ESET researchers observed that China-aligned Webworm expanded its toolkit in 2025 with two new backdoors—EchoCreep and GraphWorm—that use Discord and the Microsoft Graph API for C2 communications. The actor increasingly favors proxy-based utilities and staging techniques such as SoftEther VPN and GitHub repositories to blend malicious traffic. Targets include government and enterprise entities across Asia and Europe, while older RATs appear to be abandoned.

⚠️Orchid Security's Identity Gap: Snapshot 2026 reveals that unseen, unmanaged identity elements now exceed visible ones, with 'identity dark matter' at 57% versus 43%. The report warns that rapid adoption of Agent AI amplifies risk because autonomous agents look for the most efficient access paths, often exploiting hard-coded or orphaned credentials and excessive privileges. Orchid urges strengthening identity and access management controls and using its readiness checklist to mitigate exposures.

🛡️ Attackers are embedding AI-generated lookalike domains inside legitimate third-party scripts, transforming typosquatting from a user mistake into a browser-runtime threat that traditional controls miss. Firewalls, WAFs, EDR, and CSPs cannot observe what approved scripts do once executed, enabling silent exfiltration as in the Trust Wallet compromise. Effective detection needs runtime behavioral monitoring that traces script actions, network calls, and deviations from established baselines rather than relying on static vetting.

🔎 Unit 42 documents clusters of TamperedChef-style campaigns that trojanize productivity tools (e.g., PDF editors, calendars) to deliver stealers, RATs and proxies. These operations use malvertising-driven distribution, legitimate-looking sites, frequent binary rebuilds and code signing to evade detection. We tracked three clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110), over 4,000 samples and 100 variants. If compromised, contact the Unit 42 Incident Response team for assistance.

🔍 On April 22 a trojanized Bitwarden CLI briefly appeared on npm, harvesting developer tokens via a compromised GitHub Action tied to the Checkmarx supply‑chain incident. Bitwarden later issued CVE‑2026‑42994, but the author notes the CVE was retroactive and did not imply a patchable defect. The piece argues CVE’s artifact‑centric model struggles with agentic and model‑mediated threats that mutate behaviorally and often evade dashboards.

🔍 Verizon's latest DBIR reports that vulnerability exploitation has become the top initial access vector, accounting for 31% of breaches compared with 13% for credential abuse. The study links this shift to slower patching—only 26% of CISA KEV critical flaws were fully remediated—and a larger backlog of critical vulnerabilities. It also warns that threat actors may be using AI to scale discovery and exploitation, and highlights rising supply-chain incidents, increased shadow AI adoption, and persistent human-factor risks.