< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1640 articles · page 16 of 82

Phishing Crypto-Wallet Clones on iOS and macOS Platforms

🔒 Kaspersky researchers discovered a campaign that placed 26 fake crypto-wallet apps in the Chinese App Store, impersonating popular wallets and using benign features to pass review. The malicious apps direct users to phishing pages that prompt installation of a provisioning profile, enabling sideloaded, trojanized wallet builds that request seed phrases. On macOS, infostealers like MacSync use ClickFix lures and can patch legitimate wallet apps to display fake recovery dialogs. The report includes concrete mitigation steps to protect seed phrases and devices.
read more →

Weekly Cyber Recap: Fast16, XChat, FIRESTARTER Threats

⚠️ This week’s recap shows old techniques resurfacing alongside sophisticated new tooling that targets supply chains, enterprise remote access, and AI agents. Analysts detail fast16, a Lua-based framework predating Stuxnet that targets high-precision simulation software, and multiple active campaigns including help-desk impersonation by UNC6692 and the persistent FIRESTARTER backdoor in Cisco Firepower. Expect urgent patching, scrutiny of browser extensions and CI/CD components, and tighter monitoring of remote access and build pipelines.
read more →

Study Finds Many Browser Extensions Collect and Sell Data

🔍 A LayerX Security study found more than 80 widely used browser extensions explicitly reserve the right to collect and sell user data, with millions of combined installations across categories such as streaming, ad blocking and productivity. The researchers reported that 71% of Chrome Web Store extensions do not publish a privacy policy, leaving many users without visibility into how their data is handled. The findings detail networks of media extensions aggregating viewing behavior and at least a dozen ad blockers and 29 business-focused extensions that may expose enterprise browsing activity. LayerX recommends organisations adopt centralized extension governance and add privacy policy review to extension evaluation criteria.
read more →

Most Cybersecurity Staff Feel Undervalued and Underpaid

🔍 Over three quarters of cybersecurity professionals did not receive a pay rise last year, and roughly half report feeling undervalued, according to the Harvey Nash Global Tech Talent & Salary Report. Only 45% expect a pay increase in the next 12 months, placing information security professionals among the most pessimistic about pay prospects. Just 22% said their organisations increased cybersecurity resources after high-profile incidents, driving dissatisfaction and turnover risk.
read more →

Medieval Encrypted Letter Finally Decoded After Centuries

🔓Recent analysis has decoded a medieval encrypted letter originally sent by a Spanish diplomat, resolving a puzzle scholars have pursued since the document was rediscovered in 1860. The successful decryption reveals new primary material about diplomatic language and secrecy practices in the period. The result highlights how combining historical scholarship with modern analytical techniques can unlock long-standing mysteries.
read more →

Fast16 Sabotage Malware Discovered Predating Stuxnet

🔎 SentinelOne researchers have identified a sabotage-focused malware framework from around 2005 that predates Stuxnet by at least five years. The investigation uncovered a service binary (svcmgmt.exe) embedding a Lua 5.0 VM and a boot-start kernel driver (fast16.sys) that intercepts and patches executables at the storage layer. Fast16 acted as a wormable carrier with multiple 'wormlet' payloads, targeted Windows 2000/XP file shares using weak credentials, and included environmental checks to avoid specific security software. The framework was designed to corrupt outputs from engineering and simulation suites, and was later referenced in the Shadow Brokers leak.
read more →

Fake CAPTCHA IRSF Scam and Keitaro Abuse Findings Report

🔍 Cybersecurity researchers from Infoblox disclosed an international revenue‑share fraud campaign that uses multi‑step fake CAPTCHA pages to trick users into sending premium SMS messages. The scheme leverages traffic distribution systems and JavaScript back‑button hijacking to force multiple prefilled SMS sends to dozens of international numbers, with charges often appearing weeks later. Operators also repurpose Keitaro TDS instances and compromised licenses to scale cloaking, tracking, and delivery of scams and malware.
read more →

Researchers Uncover pre-Stuxnet Lua Sabotage Tool fast16

🔎 SentinelOne researchers have disclosed fast16, a Lua-based cyber‑sabotage framework compiled in 2005 that predates Stuxnet. The implant embeds a Lua 5.0 VM and encrypted bytecode inside a carrier binary svcmgmt.exe and pairs with a kernel driver that patches executables to corrupt high‑precision calculations. fast16 targets legacy Windows 2000/XP environments and engineering simulation tools, and its discovery revises the timeline of state-backed cyber sabotage.
read more →

Researchers Demonstrate Fiber-Optic Eavesdropping Limits

🔍 Researchers from three Hong Kong universities demonstrated a method to extract acoustic information from fiber-optic cables by measuring vibration-induced changes in the optical signal. Their experiments showed that strong vibrations such as footsteps can be detected remotely, but clear human speech was not recoverable without a local audio-to-vibration converter or significant control over provider equipment. The attack relies on sending optical pulses and measuring Rayleigh scattering-related deviations, and while technically feasible, it remains an unlikely and costly targeted threat requiring access to the Optical Distribution Network or an implanted converter to amplify audio signals.
read more →

Calm Ransom: When Confidence Hides Cybersecurity Risk

🔒 Calm does not equal secure — organizations often mistake a long period without incidents for strong defenses. This article warns that mental shortcuts like WYSIATI (What You See Is All There Is) and overreliance on compliance can blind teams to active threats, such as credentials appearing in infostealer logs before attacks. Remediation requires behavioral detection, continuous threat intelligence, and disciplined vigilance to prevent costly ransomware and data‑leak consequences.
read more →

Forever Student Mindset: AI, Phishing, and Q1 2026 Trends

🔍 Cisco Talos highlights Q1 2026 incident response trends, noting phishing has reclaimed the top initial access vector and adversaries are using AI platforms like Softr to rapidly create convincing credential-harvesting pages. Talos IR reported zero completed ransomware deployments this quarter due to swift mitigation, though pre-ransomware activity still accounted for 18% of engagements. The team warns attackers increasingly abuse legitimate developer tools and cloud APIs to quietly hunt exposed secrets, complicating detection. Organizations should enforce MFA with restricted self-enrollment, centralize logging in a SIEM, and prioritize patch management to preserve forensic evidence and reduce risk.
read more →

Tax Season Phishing Targets Individuals and Crypto Users

🛡️Scammers are creating convincing fake tax authority websites worldwide to harvest credentials, steal personal data, and distribute malware embedded in downloaded “documents.” These portals also run fraudulent paid services that collect taxpayer identifiers and financial details for later abuse. Cryptocurrency holders are specifically targeted with fake verification flows that request seed phrases or wallet connections, leading to immediate theft. Kaspersky cautions against using cloud-hosted AI for tax preparation and recommends sticking to verified official channels, encrypting sensitive files, and employing reputable security tools.
read more →

UNC6692: Social Engineering and Custom SNOW Malware

🔒 UNC6692 used persistent social engineering to lure victims via Microsoft Teams, delivering a staged payload that installed an AutoHotkey loader and a malicious Chromium extension (SNOWBELT) from attacker-controlled AWS S3. The intruders deployed a modular suite — SNOWBELT, SNOWGLAZE, and SNOWBASIN — to establish WebSocket tunnels, local HTTP backdoors, and stealthy proxying for lateral movement. The campaign combined credential theft, LSASS and NTDS extraction, and exfiltration to cloud services, highlighting the need to monitor browser extensions and cloud egress.
read more →

ThreatsDay: $290M KelpDAO Heist and Supply Chain Surge

🔔 LayerZero-linked infrastructure poisoning likely enabled a North Korean-linked group (TraderTraitor/TraderTraiter) to steal $290M from KelpDAO by compromising RPC nodes and exploiting a quorum while a DDoS distracted a third node, prompting an Arbitrum Security Council freeze. At the same time, active RCE attacks, malicious npm packages delivering credential stealers and SSH backdoors, and indirect AI prompt injection payloads are accelerating breaches. The bulletin also flags covert browser access by desktop AI apps, a surge in commodified malware, SIM-farm services, and persistent exploitation of long-known weaknesses; the practical remedies remain patch early, verify dependencies, and restrict implicit trust.
read more →

UK warns: Chinese hackers using hijacked device botnets

⚠️ The UK’s National Cyber Security Centre (NCSC-UK), alongside international partners, warns that China‑nexus threat actors are increasingly using large proxy networks of compromised consumer devices to route traffic and evade detection. These covert networks are largely composed of compromised SOHO routers, IoT cameras, DVRs, and NAS devices, and enable traffic to exit near intended targets to defeat geographic and static-IP defenses. Authorities point to large botnets such as Raptor Train (over 260,000 infected devices in 2024) and disrupted operations like KV‑Botnet; defenders are urged to deploy multifactor authentication, map edge devices, consume dynamic threat feeds, use allowlists, and adopt zero-trust and machine certificate verification.
read more →

Global Higher Education Cyberattacks Surge 63% Yearly

🔒 Quorum Cyber's 2026 Global Cyber Risk Outlook for Higher Education reports a 63% rise in recorded incidents between Nov 2023–Oct 2024 and Nov 2024–Oct 2025, increasing from 260 to 425. Across 67 countries, data breaches rose 73%, hacktivism 75% and ransomware 21%. FunkSec, Cl0p, INC and Nova were the most prolific groups. The report urges intelligence-led vulnerability management, dark web monitoring, robust backups and regular incident response exercises.
read more →

macOS LOTL Techniques Enable Stealthy Enterprise Attacks

🔍 Cisco Talos research (published 21 April) details how attackers are repurposing native macOS features to execute code, move laterally and evade detection across enterprise environments. Built-in capabilities such as Remote Application Scripting (RAS), Spotlight metadata and AppleScript can be abused to run commands, hide payloads and perform covert data transfer. The findings show gaps in visibility and recommend shifting to process-lineage analysis and tighter MDM controls to reduce exposure.
read more →

Why Attackers Are Increasingly Targeting Developers

🔐Compromising developer machines yields outsized access to source code, credentials, tokens and development infrastructure, enabling supply chain attacks or deep lateral movement into corporate networks. Recent incidents show attackers poisoning open-source packages (eg. LiteLLM), distributing malware via fake coding tests, spoofed tool downloads, paid-search clones and social engineering. Organizations should integrate security into developer workflows, vet dependencies with threat intelligence, and provide developer-focused training and runtime monitoring to reduce exposure.
read more →

Caller-as-a-Service Fuels Industrialized Phone Scams

📞 Flare outlines how a mature "Caller-as-a-Service" ecosystem professionalizes vishing by dividing labor across specialists—from data traders to supervised callers—and operating like legitimate call centers. Recruitment ads demand native English, OPSEC, and sometimes live screen-sharing for real-time supervision. Compensation varies (fixed, success-based, hybrid), and payouts can be delayed pending downstream monetization. The result is lower technical barriers, higher efficiency, and increased detection difficulty.
read more →

IR Trends Q1 2026: Phishing and public administration

🔒 Talos IR’s Q1 2026 analysis finds phishing reemerged as the top initial access vector, with public administration and health care tied as the most targeted sectors. Investigations documented abuse of AI-enabled services like Softr to build credential-harvesting pages and the first observed intrusion by Crimson Collective exploiting exposed developer secrets. Pre-ransomware activity rose but no encryptions occurred due to early mitigation. Talos emphasizes properly configured MFA, patching, and centralized logging.
read more →