< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1640 articles · page 11 of 82

Gremlin Stealer Evolves into Modular, Stealthy Infostealer

🔍 Researchers at Palo Alto Networks' Unit 42 say the Gremlin stealer has progressed from a basic credential harvester into a modular, stealth-oriented toolkit. New builds embed payloads in the .NET resource section and apply XOR obfuscation to evade static and heuristic detection. The threat continues to exfiltrate data via private web panels and the Telegram Bot API, while adding Discord token theft, a clipboard-based crypto clipper, and WebSocket session hijacking.
read more →

Why Organizations Need a Vulnerability Operations Center

🔎 A Vulnerability Operations Center (VOC) centralizes how organizations qualify, prioritize, and drive remediation to turn vulnerability findings into measurable risk reduction. Unlike legacy vulnerability management, which relies on periodic scans and severity scores, a VOC applies exposure management, governance, and cross‑team coordination to focus remediation on reachability, exploitability, and business impact. VOC teams track execution KPIs, enforce SLAs, and work alongside SOCs to shift organizations from reactive patching to continuous prevention.
read more →

Bypassing On-Camera Age Verification Checks and Risks

🔍 This post argues that many on-camera "age verification" schemes are not primarily about keeping minors out but about deanonymizing critics and giving governments a pretext to deny platform access. It notes real-world abuses such as attempts to de-bank protesters and explains why complete failure to exclude minors is unsurprising when that is not the objective. The piece also links related technical developments — from provocative zero-knowledge research to hard drive firmware reverse engineering — that change the threat landscape and raise questions about hardware attestation and vendor control.
read more →

Gremlin Stealer Evolution: Obfuscation and New Capabilities

🔐 This report analyzes a new Gremlin stealer variant that leverages advanced obfuscation, including a commercial packer with instruction virtualization and .NET resource XOR encoding, to conceal final-stage payloads. The malware harvests browser cookies, session tokens, clipboard contents and cryptocurrency wallet data, and has added modules for Discord token theft, WebSocket session hijacking and a clipboard crypto-clipper. The variant uses staged in-memory decryption and a numeric decoder routine to frustrate static analysis, and Palo Alto Networks recommends protective coverage via Cortex XDR, Advanced WildFire and network security controls, and contacting Unit 42 for incident response.
read more →

Ransomware 3.0: Economics and Strategic Response in Business

🔒 Ransomware 3.0 has evolved from simple encryption to coordinated, multi-stage extortion campaigns that target operations, stolen data and public pressure. Attackers now deploy triple extortion—encryption, data exfiltration and public shaming—to maximize leverage. The insurance market is narrowing coverage with sublimits and exclusions, so organisations must pair policies with robust technical defences and rehearsed incident response aligned to NIST CSF. Boards should treat insurance as residual risk transfer, not a primary recovery plan.
read more →

How geopolitical turmoil fuels online gift and aid scams

⚠ Geopolitical tensions have created a fertile environment for opportunistic scammers who exploit fear and sympathy to harvest credentials, personal data, or direct payments. Common ploys include fake charities, romance and travel scams, fraudulent charges, investment schemes, sensational fake news and classic advance-fee cons. Scammers increasingly use convincing content produced with generative AI and impersonation tactics to bypass trust; verify independently, avoid unsolicited links or calls, and protect devices with reputable anti-malware.
read more →

Pwn2Own Berlin 2026 Day One: 24 Zero-Days Paid Out

🔒 On day one of Pwn2Own Berlin 2026 researchers earned $523,000 exploiting 24 unique zero-days, led by Orange Tsai, who collected $175,000 after chaining four logic flaws to escape the Microsoft Edge sandbox. Windows 11 was rooted three times for new privilege-escalation bugs, and Valentina Palmiotti secured payouts for Red Hat Workstations and an NVIDIA Container Toolkit flaw. The event focuses on enterprise and AI-targeted technologies.
read more →

Preparing for an Imminent Surge in Software Patching

🔧 Cisco Talos argues that rapid advances in AI-driven code analysis will soon expose decades of latent software defects, triggering a likely surge in vulnerability disclosures and urgent patches. While AI can augment human reviewers by scanning code at scale, threat actors will also use these tools to find exploits. Organizations should reassess patch prioritization, scale deployment processes, and plan for systems that cannot be quickly patched. Talos recommends zero trust, centralized logging, PowerShell script block logging, and updated incident response playbooks.
read more →

Threatsday Bulletin: PAN-OS RCE, AI Risks, Supply-Chain

🔥 Palo Alto released fixes for CVE-2026-0300, a critical PAN-OS buffer-overflow exploited in the wild to drop payloads like EarthWorm and ReverseSocks5. The bulletin also highlights new and recurring threats including zero-auth API data leaks at an AI training vendor, an FCC extension for router updates, supply-chain contests, and sophisticated phishing campaigns. Several incidents employ weaponized attachments, tokenizer tampering in AI models, and open-source tools to achieve stealthy remote access and long-term persistence.
read more →

Cyber-enabled Cargo Crime Mirrors Ransomware Tradecraft

🔒 Cybercriminals are applying the ransomware playbook to steal freight, using phishing and compromised email accounts to alter shipments, register fraudulent carriers, and redirect loads to criminal warehouses. These tactics affect high-value and perishable goods and frequently go unreported, amplifying losses for small and midsized fleets. NMFTA highlights controls and resources and invites practitioners to the 2026 cybersecurity conference.
read more →

Kazuar: Anatomy of a Nation-State P2P Botnet Operations

🔍 Kazuar, attributed to the Russian state actor Secret Blizzard, has progressed from a traditional backdoor into a modular peer-to-peer botnet engineered for espionage and persistent access. Its architecture separates functionality into Kernel, Bridge, and Worker modules, enabling leader election and SILENT-mode behavior to minimize external visibility. Delivery methods include the Pelmeni dropper and .NET loaders that bind payloads to targeted hosts. The malware uses named pipes, mailslots, and window messaging with AES-encrypted IPC and multiple C2 transports for resilience and stealth.
read more →

Exploitable Misconfigurations in Cloud AI Deployments

🔒 Microsoft Defender research shows AI and agentic applications on cloud-native platforms are frequently deployed with insecure defaults and missing authentication, creating exploitable misconfigurations. Observed exposures include public MCP servers, unsecured Helm chart installs, and unauthenticated agent frameworks that enable remote code execution, credential theft, and access to internal tools. Defender for Cloud can detect exposed Kubernetes services and unsafe deployment patterns to help teams prioritize remediation.
read more →

FlowerStorm Phishing Adopts Browser VM Obfuscation

🔒 Researchers at Sublime Security reported that the FlowerStorm phishing-as-a-service campaign has begun using KrakVM, an open-source browser-based JavaScript virtual machine, to conceal credential-stealing code inside HTML attachments. When victims open the attachments in a browser, encrypted bytecode is executed by the VM and launches a dynamic credential- and MFA-harvesting workflow. The kit supports real-time AiTM interception and adapts phishing pages to the victim’s provider and branding, complicating static analysis and many email defenses.
read more →

World Cup 2026: Rising Cyber Threats and Scams

⚠️Cyber criminals are exploiting World Cup 2026 excitement with fake merchandise stores, fraudulent betting platforms, and phishing domains designed to steal money and personal data. Domain registrations containing 'FIFA' or 'World Cup' surged to 9,741 in April 2026, and host countries recorded higher weekly attack averages in April versus March and the prior year. Check Point Research identified multiple impersonation and betting sites and advises fans to watch for steep discounts, suspicious domains, and 'vote‑to‑earn' schemes that solicit deposits.
read more →

Ransomware Escalates: Rising Risk of Physical Threats

🔒 Ransomware campaigns are increasingly paired with explicit threats of physical harm, with a Semperis study finding 40% of incidents involved intimidation and 46% in the US. Reported tactics include threatening notes left at homes, phone calls reciting staff addresses and identity details, and extortionists recruiting local actors to carry out violence. The FBI and vendors warn of a growing pattern — described as violence-as-a-service — and advise organisations to treat employee data as critically sensitive and update incident response plans to manage physical-threat scenarios.
read more →

How CISOs Can Prepare to Secure Board and Advisory Roles

🔒 Many CISOs are pursuing board and advisory roles to bridge gaps between security teams and directors, improve communication, and shape product roadmaps. Leaders such as ISACA vice chair Jamie Norton, Accenture’s Mitra Minai, and Nathan Morelli describe governance learning, vendor advisory seats, and targeted certifications as common pathways. The article emphasizes governance capability, strategic language, and the significant time commitment these roles demand.
read more →

FrostyNeighbor targets Ukrainian government with new loader

🧊 ESET telemetry details newly observed operations by the FrostyNeighbor actor, targeting governmental, military and key sectors in Ukraine and neighbouring Eastern European countries. The March 2026 campaign begins with spearphishing PDFs that link to RAR archives containing a JavaScript dropper; the script deploys a JavaScript variant of PicassoLoader which fetches and executes a Cobalt Strike beacon. Operators use server-side validation of IP and user agent to restrict final payload delivery and often host infrastructure behind Cloudflare. The group also employs diverse lure formats and exploit chains to evade detection.
read more →

From WarGames to Cyberwar: Nation-State Cyber Threats

🔍 In a RSA 2025 conversation, Allie Mellen, author of Code War, frames modern cyber conflict through historical doctrine, showing how nations' distinct strategies shape attacks and espionage. She cautions that attribution based solely on technical signals is insufficient because actors can forge signatures and deploy false flags, so motive and context matter. Mellen warns that AI will make attacks faster and more adaptive, and urges defenders to strengthen fundamentals and adopt automation and AI on the defensive side.
read more →

Most CISOs Would Consider Paying Ransoms to Recover

🔒 A new report from Absolute Security finds that 58% of CISOs would realistically consider paying a ransom to restore systems after a ransomware attack. US respondents were likelier to consider payment (63%) than UK peers (47%), with legal guidance, GDPR and doubts over recovery cited as reasons. Operational downtime was viewed as the most damaging impact. The report warns organizations to invest in resilience, infrastructure and governance to reduce reliance on ransom payments.
read more →

Breaking Things to Keep Them Safe: Philippe Laulheret

🔍 In this Humans of Talos interview, Senior Vulnerability Researcher Philippe Laulheret explains how his lifelong curiosity and Capture The Flag experience led him from French engineering school to a career in ethical hacking. He describes selecting research targets, reverse engineering techniques, and memorable tests—like bypassing a fingerprint reader with a green onion—to find flaws before adversaries exploit them. Philippe also contrasts the methodical reality of research with movie portrayals and outlines his path through industry roles to Talos.
read more →