
All news in category “Threat and Trends Reports”


FBI Report: $388M+ Lost to Cryptocurrency ATM Scams 2025

🛑 The FBI warns Americans lost more than $388 million in 2025 to scams that leverage cryptocurrency kiosks, commonly called crypto or Bitcoin ATMs. These standalone terminals, often located at gas stations and convenience stores, were used to transfer victims' cash to attacker-controlled wallets, with complaints up 23% and losses up 58% year‑over‑year. The IC3 received over 13,400 kiosk-related complaints and noted adults over 50 suffered a disproportionate share of losses. The bureau recommends verifying callers, refusing QR/payment instructions from unknown individuals, and preserving transaction receipts.

Trapdoor Android Ad-Fraud Chain Fuels Malvertising

🔍 Researchers at HUMAN's Satori Threat Intelligence team disclosed "Trapdoor," a multi-stage Android ad fraud and malvertising operation involving 455 malicious apps and 183 threat actor-owned C2 domains. The campaign used utility-like apps to trick users into installing secondary apps that launch hidden WebViews, load HTML5 cashout domains, and perform automated touch-fraud. At its peak Trapdoor generated about 659 million bid requests per day, drove over 24 million app installs—mostly from U.S. traffic—and Google removed the identified apps after disclosure.

Critical Microsoft Vulnerabilities Double; Privilege Risk

🔍 The BeyondTrust 2026 Microsoft Vulnerabilities Report shows Microsoft disclosed 1,273 vulnerabilities in 2025, while critical flaws doubled from 78 to 157 year‑over‑year. The data highlights a concentration in Elevation of Privilege (40% of CVEs) and a 73% increase in Information Disclosure, signaling attacker focus on stealth and reconnaissance. Cloud and Office-critical bugs spiked, expanding potential blast radii beyond mere data leaks. Authors recommend prioritizing privilege reduction, identity visibility, and contextual remediation over patching alone.

Legacy MSHTA Utility Still Widely Abused by Malware

🛡️ Bitdefender reports that Microsoft’s MSHTA (Microsoft HTML Application Host), a remnant from Internet Explorer, is actively abused as a living-off-the-land binary in ongoing malware campaigns. Attackers use it to execute obfuscated HTA content, launch PowerShell, and fetch loaders and stealers such as CountLoader, LummaStealer, Amatera and PurpleFox. Campaigns rely on fake downloads, cracked apps, SEO-poisoned pages and Discord phishing to trick victims into executing payloads. Because MSHTA is Microsoft-signed and preinstalled, it remains implicitly trusted and attractive to adversaries.

Agentic AI Drives Surge in Mobile App Cyberattacks

📈 Digital.ai's 2026 Application Security Threat Report found that 87% of monitored customer-facing apps were attacked in 2026, up sharply from 55% in 2022. The firm says agentic AI has lowered the skill and time required for threat actors to inspect code, generate exploits and adapt malware. Financial services, automotive and medical device apps were most targeted, and iOS attacks have nearly closed the gap with Android.

Consent Phishing: OAuth Grants Enable Token Hijacks

🔐 In February 2026 the EvilTokens PhaaS campaign abused the OAuth consent flow to harvest long‑lived refresh tokens, compromising over 340 Microsoft 365 organizations across five countries. Victims completed legitimate sign‑ins and MFA at microsoft.com/devicelogin, then clicked consent and unknowingly granted broad scopes for mail, drive, calendar, and contacts. Because the attacker received signed, refreshable tokens rather than credentials, MFA and typical SIEM correlation did not detect the intrusion. The incident demonstrates how normalized consent clicks have become a critical security gap.

Laurie Anderson Quoting Bruce Schneier on Technology

🎵 Laurie Anderson quotes Bruce Schneier in a track and in interviews, citing his oft-repeated maxim that technology alone cannot solve problems. Schneier traces the line to Roger Needham's original aphorism about cryptography and notes he adapted it in the 2000 preface to Secrets and Lies. He acknowledges he should have credited Needham and observes the phrasing has varied over time.

Tracking demo.pdb BadIIS: Commodity IIS Malware Toolset

🔍 Since 2024, Talos has tracked a BadIIS variant identified by consistent "demo.pdb" PDB paths across the Asia‑Pacific region and isolated cases elsewhere. The PDB path patterns—including Chinese folder names, Administrator\Desktop build artifacts, and date‑based versioning—provide a reliable fingerprint for clustering and attribution. Talos recovered a 2022 builder that produces configured 32/64‑bit payloads, uses a unique 'lwxat' C2 authentication check and XOR 0x3 obfuscation, and supports modular SEO‑fraud and proxy features. Evidence shows active development from Sept. 2021 through Jan. 2026.

Seven Practical Tips to Speed Cyber Incident Recovery

🔁 Enterprises must assume cyber incidents are inevitable and prioritize fast, coordinated recovery to limit costs, disruption, and re-compromise. Experts recommend sharpening response-team skills, emphasizing early scoping and containment, establishing situational awareness, engaging external DFIR partners, and prioritizing restorations by business criticality. Disciplined execution using frameworks like NIST 800-61 and clear RACI roles helps preserve integrity and reduce downtime.

Attackers Bypass Security Tools via Browser and Identity

🔒 Bridewell's Cyber Threat Intelligence Report 2026 warns that attackers are abandoning traditional malware for browser- and identity-focused techniques such as ClickFix, FileFix and ConsentFix that trick users into approving commands or authentication prompts. These tactics bypass endpoint controls and MFA because they operate within trusted workflows and are harder to detect. The firm urges stronger identity protection, user awareness and threat-informed defence.

Weekly Recap: Exchange 0-Day, NPM Supply Chain Worm

⚡ Microsoft disclosed an actively exploited XSS spoofing vulnerability in on‑premises Exchange Server (CVE-2026-42897) and issued temporary mitigation via its Exchange Emergency Mitigation Service while a permanent fix is prepared. Supply chain attacks intensified as TeamPCP compromised npm packages and node-ipc to distribute stealers and harvest credentials for cloud pivoting. A fake Hugging Face model delivered a Rust-based stealer, underscoring AI model registries as an emergent supply chain risk, while OpenAI and Microsoft announced new AI-driven vulnerability tools.

DACH Threats 2025: Hacktivism and Ransomware Surge

🔍 Check Point found a 124% rise in hacktivism and ransomware across Germany, Austria, and Switzerland in 2025, with Germany accounting for roughly 82% of incidents. Defacement and DDoS drove the volume—66% of events—while ransomware comprised nearly 30%, led by Akira, Qilin, and Safepay. The report highlights identity weaknesses, exposed remote services, and insufficient patching as primary enablers, and recommends MFA, patch discipline, credential monitoring, and reduced public attack surface.

Developer Workstations as Local Supply Chain Boundaries

🔐 Recent supply chain campaigns that struck npm, PyPI, and Docker Hub within a 48-hour window illustrate a shift: attackers now target developer environments and CI/CD contexts to harvest API keys, tokens, SSH keys, and cloud credentials. The piece explains how local repositories, .env files, package configs, and AI assistants concentrate sensitive context and delivery authority on individual machines. It urges security teams to treat the developer workstation as a local supply chain boundary and to align endpoint, identity, AppSec, and platform controls to detect, limit, and rapidly rotate exposed secrets.

Boards Should Fund Visibility, Not Just More Security Tools

🔍 Boards and security leaders repeatedly buy new tools to close perceived gaps, yet the underlying problem persists: organizations often lack a unified view of what assets exist, who has access and what is happening across systems in real time. The article argues that visibility—the ability to answer such questions in minutes, not days—is more valuable than another detection product. For 2026, executives should require a complete, current inventory and focus on connecting data across tools before approving new purchases.

Analysis: Fast16 Malware Targeted Nuclear Simulations

🔎 Symantec and Carbon Black confirm the Lua-based fast16 malware was a pre-Stuxnet sabotage tool designed to corrupt nuclear weapons testing simulations. The threat specifically targets high-explosive runs in LS-DYNA and AUTODYN, activating only when simulated material density reaches ~30 g/cm³. With 101 hook rules organized into 9–10 groups, the framework tracked software versions and spread laterally while avoiding some security products, indicating a methodical, long-running operation.

Kazuar Evolves into Modular P2P Botnet by Secret Blizzard

📡 Microsoft reports that Russian-linked actor Secret Blizzard has turned the long-running Kazuar backdoor into a modular peer-to-peer botnet built for persistence, stealth, and data theft. The malware now runs three modules—Kernel, Bridge, and Worker—with an elected Kernel leader to minimize external C2 traffic and improve stealth. Internal IPC, AES encryption, and Protobuf serialization protect communications, while 150+ configuration options and AMSI/ETW/WLDP bypasses increase evasion.

How to Manage Subscriptions Securely and Avoid Scams

🔒 Subscription services are widespread and often contain personal data, making them attractive targets for attackers. The article outlines common attack vectors — phishing, credential reuse, infostealers, and bulk-resale of hacked family slots — and explains practical defenses: use password managers, enable two-factor authentication or passkeys, and monitor active sessions. It also advises how to spot phishing and track hidden recurring charges through bank statements and app-store settings.

Turla Converts Kazuar Into Modular P2P Botnet for Stealth

🐍 Microsoft and CISA report that Russian state-linked Turla has evolved its Kazuar .NET backdoor into a modular, peer-to-peer botnet engineered for stealth and persistence. The architecture now separates into Kernel, Bridge, and Worker modules to minimize footprint and enable flexible tasking. Deployments use droppers such as Pelmeni and ShadowLoader to decrypt and load modules across compromised hosts. The design centralizes staging in a dedicated working directory to maintain state and streamline exfiltration.

Gremlin Stealer Evolves into Modular, Stealthy Infostealer

🔍 Researchers at Palo Alto Networks' Unit 42 say the Gremlin stealer has progressed from a basic credential harvester into a modular, stealth-oriented toolkit. New builds embed payloads in the .NET resource section and apply XOR obfuscation to evade static and heuristic detection. The threat continues to exfiltrate data via private web panels and the Telegram Bot API, while adding Discord token theft, a clipboard-based crypto clipper, and WebSocket session hijacking.

Why Organizations Need a Vulnerability Operations Center

🔎 A Vulnerability Operations Center (VOC) centralizes how organizations qualify, prioritize, and drive remediation to turn vulnerability findings into measurable risk reduction. Unlike legacy vulnerability management, which relies on periodic scans and severity scores, a VOC applies exposure management, governance, and cross‑team coordination to focus remediation on reachability, exploitability, and business impact. VOC teams track execution KPIs, enforce SLAs, and work alongside SOCs to shift organizations from reactive patching to continuous prevention.