< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1642 articles · page 33 of 83

CrowdStrike 2026 Global Threat Report Findings Overview

🔍 The CrowdStrike 2026 Global Threat Report reviews 2025 as the year of the evasive adversary, detailing how attackers shifted to subtle, trust-based techniques across endpoint, identity, SaaS, and cloud environments. Adversaries accelerated operations using AI and exploited AI systems themselves, while supply chain compromises and zero-day usage rose markedly. The report highlights rapid breakout times, a high rate of malware-free intrusions, and significant increases in state-nexus activity, offering prioritized insights for defenders.
read more →

Weekly Recap: Double-Tap Skimmers, AI Malware, 30Tbps DDoS

🛡️ This weekly recap highlights high‑impact incidents and emerging trends across devices, cloud services, and supply chains. Key items include a Dell RecoverPoint zero‑day (CVE‑2026‑22769) actively exploited to install web shells and backdoors and PromptSpy, an Android malware that leverages Google Gemini and accessibility services for persistence. The report also calls out a near‑30 Tbps DDoS surge, malicious Docker Hub images, and deceptive "double‑tap" skimmers targeting e‑commerce. Review the prioritized CVEs and advisories and map mitigations to your environment.
read more →

Arkanix stealer uses dual Python and C++ variants targeting

🔍 Kaspersky researchers uncovered a new infostealer named Arkanix that blends rapid, probable LLM-assisted development with a dual-language architecture. The malware is offered as a MaaS, giving customers a control panel to configure Python or C++ payloads and retrieve statistics. The Python variant prioritizes broad, fast data harvesting while the native C++ build focuses on stealth, performance, and persistence. Observed deployment mechanisms include configurable loaders, C2 domains and even Discord-based tests.
read more →

Typosquatting Tactics: How Actors Evade Detection Today

🔍Typosquatting remains a highly effective deception tactic where attackers register look-alike domains to phish, harvest credentials, and deliver malware. CrowdStrike describes how adversaries exploit weak registrar verification and craft convincing WHOIS records while using techniques such as strategic HTTP redirects, geo-targeted content and fake sale pages to evade detection. Organizations should monitor registrations, protect brands, and use Falcon Adversary Intelligence to detect and disrupt campaigns.
read more →

Arkanix Stealer: Short-Lived AI-Assisted Info Stealer

🔍 Kaspersky researchers analyzed a short-lived information stealer called Arkanix, promoted on dark web forums in late 2025 and likely developed with LLM assistance. The project included a control panel, a Discord community, and two tiers: a Python-based basic build and a VMProtect-wrapped C++ premium variant with enhanced AV evasion and wallet injection. Arkanix features modular data theft from browsers, wallets, Telegram and Discord, plus optional post-exploitation modules; the author removed infrastructure within two months, complicating detection and tracking.
read more →

Predator Spyware Hooks iOS SpringBoard to Hide Indicators

🔍 Researchers report that Intellexa's Predator commercial spyware can suppress iOS camera and microphone recording indicators by hooking a single SpringBoard method. The malware intercepts sensor updates using a function named HiddenDot::setupHook() and nullifies the SBSensorActivityDataProvider object so the green or orange status dots never reach the UI. The technique requires prior kernel-level access and is combined with ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection to bypass camera permission checks, while VoIP recordings also rely on the same upstream interception for stealth.
read more →

Starkiller phishing service proxies real login flows

🔐 Starkiller is a phishing-as-a-service that dynamically loads live login pages and proxies user interactions through attacker-controlled infrastructure. It generates deceptive URLs that visually mimic legitimate domains (for example using an @-based URL trick), spins up containerized headless browsers, and records every keystroke, session token, and MFA code. The platform streams sessions in real time, harvests cookies and MFA codes, and delivers campaign analytics and Telegram alerts to customers.
read more →

Why 'Shift Left' Failed for Security and Developers

🔒 The push to 'shift left' has largely failed because it places excessive security responsibility on developers who are pressured to prioritise speed. Ivan Milenkovic of Qualys highlights how noisy, slow tools and misplaced trust in public container registries let malicious images and embedded secrets slip into deployment pipelines. He urges organisations to proxy external images, create a golden path of approved templates and CI pipelines, and shift down security into platform engineering so controls are automatic and developer friction is minimised.
read more →

Massive Winos (ValleyRat) Phishing Campaigns Target Taiwan

⚠️FortiGuard Labs observed targeted phishing campaigns in Taiwan delivering Winos 4.0 (ValleyRat) and modular plugins via weaponized attachments and cloud-hosted links. Lures impersonate tax audits, e-invoice portals, and installer packages to trick recipients. Attackers employ rotating domains, malicious LNK files, DLL sideloading, and BYOVD using the vulnerable driver wsftprm.sys to gain kernel privileges and evade defenses. Fortinet detections include W64/Agent.ATW!tr and multiple email and gateway protections.
read more →

AI and Complexity Accelerate Cybercrime, Unit 42 Finds

🔒 Palo Alto Networks' Unit 42 finds that AI and growing system complexity have drastically shortened the time between initial compromise and harmful outcomes, with some intrusions progressing to data exfiltration in 72 minutes versus nearly five hours in 2024. The team analyzed 750 incidents across 50 countries and highlights persistent operational gaps—weak authentication, limited real-time visibility, and misconfigurations—that attackers repeatedly exploit. The report flags identity issues in 90% of cases and widespread excessive cloud permissions, and it argues that modern, purpose-built managed SOC services such as XSIAM 2.0 are being positioned to respond at machine speed.
read more →

DDoS Attacks Surge in Frequency and Potency: 2025 Rise

⚠️ The Radware 2026 Global Threat Analysis Report warns of a dramatic escalation in DDoS activity during 2025, recording a 168% year-over-year increase. On average, a Radware customer faced more than 25,351 attempted attacks (about 139 per day). Technology, telecommunications and financial services were hardest hit, with the technology sector accounting for 45% of network-layer attacks. Researchers note attacks are faster, stronger and increasingly coordinated by hacktivist ecosystems, and advise organisations to adopt proactive, pre-emptive defence measures.
read more →

Identity Posture Becomes Key Metric in Cyber Underwriting

🔒 Insurers and regulators are increasingly using identity posture as a primary underwriting metric, shifting focus from isolated technical controls to evidence of ongoing identity governance. Evaluations emphasize password hygiene, visibility into credential exposure, privileged access management, and comprehensive MFA coverage across remote, email, and privileged access paths. Organizations that can demonstrate continuous monitoring, regular access certification, and the removal of shared or never‑expiring credentials are more likely to secure favorable premiums and avoid claim disputes.
read more →

Remcos RAT gains real-time surveillance and evasion

🔍 Researchers at Point Wild have identified a Remcos RAT variant that shifts toward real-time espionage and enhanced evasion. The strain streams webcam footage and sends captured keystrokes directly to attacker-controlled servers while delivering modular DLL plugins on demand. It decrypts its C2 configuration only in memory, resolves Windows APIs dynamically to hinder static analysis and performs cleanup routines to remove logs, cookies and persistence artifacts. Defenders should watch for suspicious outbound connections and unauthorized registry changes.
read more →

Infostealers: Turning Stolen Credentials into Identities

🔐Modern infostealers harvest credentials, session data, cookies, and local files, turning a single compromise into a persistent identity asset. Specops researchers analyzed over 90,000 infostealer dumps and more than 800 million rows, showing how disparate signals tie accounts, employers, and roles to real people. By blocking known-compromised passwords across Active Directory, Specops Password Policy aims to reduce reuse and downstream enterprise risk.
read more →

ThreatsDay Bulletin: OpenSSL RCE, Foxit 0‑Days, AI Flaws

🛡️ This ThreatsDay round-up highlights critical developments including a patched OpenSSL CMS stack buffer overflow (CVE-2025-15467), multiple Foxit/Apryse PDF engine vulnerabilities, and a Microsoft 365 Copilot DLP bypass that allowed summarization of confidential drafts and Sent Items until a Feb 3, 2026 fix. The bulletin also details LockBit 5.0's cross-platform evolution, macOS social-engineering and stealer campaigns, widespread RMM abuse, and active exploitation of Ivanti EPMM flaws. Defenders should prioritize patching, audit cloud and RMM exposures, rotate credentials, and avoid using LLMs to generate secrets.
read more →

Record Highs in Industrial Control System Vulnerabilities

🔒 Forescout's new report finds that 2025 saw a record 508 ICS advisories covering 2,155 CVEs and a notable rise in vulnerability severity. The average CVSS for advisories rose to above 8.0 in 2024–2025, with the most affected assets including Purdue Level 1 field controllers, Level 3 operational systems and control-level devices. The vendor warns that reduced CISA advisory coverage and many untracked vulnerabilities increase OT/ICS risk and calls for greater vendor accountability and industry collaboration.
read more →

Starkiller phishing kit uses proxy to bypass MFA protections

⚠️ Abnormal researchers have identified Starkiller, a commercial-grade phishing kit that proxies live login pages to harvest credentials and session tokens. Unlike static HTML clones, Starkiller runs a headless Chrome proxy that serves genuine page content and forwards one-time codes in real time, enabling MFA bypass. Distributed as a subscription on the dark web with updates and Telegram support, it includes real-time session monitoring, a keylogger and deceptive URLs mimicking major providers. Organizations should monitor anomalous login patterns and session token reuse to reduce risk.
read more →

Mature Leadership Needed: Move Beyond Security Checklists

🔒 Cybersecurity is not a game; it demands mature leadership, sustained strategy, and clear accountability. The article argues that treating compliance as an achievement, relying on flashy tools, or measuring vanity metrics produces pseudo-security that offers visibility but not protection. CISOs should prioritize people, processes, and risk-based decisions, and build long-term resilience rather than chasing short-term wins.
read more →

Phishing Abuse of Google Tasks to Steal Credentials

🔔 Attackers are abusing Google Tasks notifications to bypass email filters and trick employees into submitting corporate credentials. Recipients receive legitimate-looking @google.com notices urging urgent action and a link to a credential-harvesting form. Organizations should train staff, maintain clear lists of authorized services, and consider mail gateway security and endpoint protection to block phishing sites. Use tools like Kaspersky Automated Security Awareness Platform to automate training.
read more →

Poshmark Scam Risks: How Buyers and Sellers Are Targeted

🔒 Poshmark users face a variety of scams that exploit the platform’s social commerce model and policies. Fraudsters commonly try to move transactions off-platform to avoid the 20% commission, then use phishing links, fake payment confirmations, or malware to steal money and data. Sellers are vulnerable to refund and non-delivery schemes, while buyers risk counterfeit or misrepresented goods. Always keep communications and payments inside Poshmark and verify payments through the app.
read more →