< ciso
brief />
Tag Banner

All news with #threat report tag

542 articles

Dormant GitHub Accounts Exploited to Scrape Orgs

🔎 Datadog Security Labs warns of coordinated campaigns using dormant or compromised GitHub accounts and exposed personal access tokens to enumerate organizations via the GitHub API. Operators use automated scraping tools, aged "ghost" accounts, and legitimate-sounding user agents to blend into normal API traffic, primarily collecting public data but occasionally cloning private repositories. The activity leverages unauthenticated API surfaces and GraphQL queries to map repos, memberships, followers, and other artifacts for reconnaissance.
read more →

GigaWiper: Multipurpose Windows backdoor and wiper

🛡️ Microsoft dissected a destructive Windows backdoor dubbed GigaWiper, which bundles three older wipers into a single Go-based platform offering selectable destructive commands. The implant can wipe entire disks, overwrite the Windows drive, or run fake ransomware that encrypts files without saving keys, and also provides remote control capabilities like screenshots, VNC access, and process management. Microsoft and Binary Defense observed the same file hashes and command servers, with Binary Defense linking the samples to an Iran-linked actor while Microsoft refrains from attributing a country. Defenders should monitor for a OneDrive Update scheduled task, RabbitMQ/Redis traffic from desktops, and suspicious use of takeown/icacls, and apply tamper protection, endpoint blocking, and blocklisted server addresses.
read more →

Weekly ThreatsDay: Emerging cyber risks and trends

🔒 This ThreatsDay roundup highlights a series of recent, pragmatic security incidents and research findings that stem from routine administrative mistakes and small configuration errors. It covers a multinational fraud takedown, malicious typosquatting of payment SDKs, novel code-injection techniques, and a critical unauthenticated ArcGIS Server flaw. The report also outlines ransomware tool overlaps, data-exfiltration concerns in Claude Code, social engineering campaigns abusing Teams and Meta, and multiple kernel and driver vulnerabilities.
read more →

June 2026: Global Cyber Attacks and Ransomware Shift

📈 June 2026 saw a notable rebound in global cyber attacks, with weekly incidents per organization averaging 2,270, up 10% from May and 17% year over year. Education, Government, and Telecommunications were the most targeted industries, while Latin America recorded the largest regional increase. Ransomware incidents surged 33% year over year, and The Gentlemen overtook Qilin as the most active ransomware group.
read more →

AI-Accelerated Cloud Attack Exploits Management Gaps

🔎 A Sygnia report details how a lone threat actor leveraged AI to complete in 72 hours what would normally take weeks, using established cloud attack techniques rather than novel exploits. The attacker obtained an AWS access key via an internet-facing app and used agentic AI workflows to search for secrets, establish persistence, exfiltrate RDS data, and perform impact actions. The report highlights gaps in secrets management, identity governance, deployment workflows and visibility, and provides containment recommendations for defenders.
read more →

ESET H1 2026: Threats, AI, and Ransomware Trends

🔍 The first half of 2026 sees attackers adapting established techniques to new platforms and behaviours, with AI increasingly shaping operations. ESET analyzed nearly 900,000 AI skills and found tens of thousands suspicious and thousands malicious, while AI features began appearing inside malware such as the Android PromptSpy. Other trends include expanded click-based social engineering, surging QR-code phishing, and persistent ransomware activity using EDR killers.
read more →

New Java-based QuimaRAT MaaS Targets All Platforms

🛡️ Cybersecurity researchers have identified QuimaRAT, a modular Java-based remote access trojan offered as malware-as-a-service that targets Windows, Linux, and macOS. The kit includes a builder, loader, dropper, and the RAT itself, with subscription tiers from $150 to $1,200. QuimaRAT uses encrypted plugins, native libraries via JNA, and multiple persistence and delivery techniques to evade protections and maintain robust C2 connectivity.
read more →

Qilin Emerges as Dominant Ransomware Operation

🛡️ Check Point and Sophos research shows Qilin has consolidated a large share of the ransomware market after disruption of rival groups. Active since 2022, Qilin lists the most victims and attracts affiliates with high payouts, mature infrastructure and AI-enabled tools. Rival groups like The Gentlemen have resurged, while increased prominence raises the likelihood of law enforcement action.
read more →

Industrialized ransomware through criminal collaboration

🔐 Sophos reports a new collaboration between the Vect ransomware group and TeamPCP, a supply-chain credential theft gang linked to The Com collective. The partnership combines TeamPCP’s large-scale credential harvesting from developer toolchains with Vect’s ransomware-as-a-service operations, raising the risk that compromised accounts could be escalated into ransomware incidents. Sophos and the FBI have both issued warnings and detailed associated malware and tactics, urging organizations to harden developer and supply-chain security.
read more →

2026 Cybersecurity Assessment Reveals Resilience Gap

🔍 The 2026 Bitdefender Cybersecurity Assessment surveyed 1,200 IT and security professionals across six countries and found striking contradictions between awareness and operational resilience. Leaders often overestimate visibility into AI use, while frontline staff report gaps. Organizations agree reducing the attack surface is critical but face policy, resource, and disruption concerns. Many report pressure to conceal breaches despite acknowledging the importance of transparency.
read more →

Evolution of the Pro‑Russia Influence Ecosystem

🛡️ Four years into Russia’s invasion of Ukraine, the pro‑Russia influence ecosystem has shifted from wartime tools back toward a global strategic asset. GTIG observes expansion of covert information operations, revived hacktivism, and increasing use of generative AI across planning and content creation. The ecosystem blends state, state‑aligned, and independent actors, targeting the West, Russia’s near abroad, the Middle East, Africa, and domestic audiences while exploiting media mimicry, cyber‑enabled IO, and direct dissemination.
read more →

Threatsday bulletin: proxyware, exploits, and trends

🛡️ This week’s bulletin highlights a string of practical and persistent threats: privacy-preserving bot defense work from Cloudflare and browsers, six serious curl vulnerabilities fixed in 8.21.0, and a critical unauthenticated takeover in Hoppscotch. Spur Intelligence found widespread proxyware in LG and Samsung smart TV apps, while Teams-based social engineering delivered the Edgecution extension. Other items include legacy credential breaches, state-crime convergence, admin reset alerts, and macOS ClickFix campaigns.
read more →

AI Enables Faster, Cheaper, Harder-to-Detect Attacks

🛡️ A ReliaQuest report finds AI is making cyber-attacks cheaper, faster to scale, easier to customize and harder to spot while not fundamentally altering attacker tradecraft. Initially used for polishing phishing and basic scripting in 2024, by mid-2025 AI had expanded into deepfakes, AI-assisted scripts and an underground market for tools. Today AI appears embedded in workflows—generating phishing pages, web shells, and obfuscating code—and as the lure itself, with attackers leveraging trusted AI brands to trick users.
read more →

OpenClaw AI supply chain risks and findings

🧭 OpenClaw is an AI agent executing third-party skills from ClawHub, and several malicious campaigns emerged after launch. Our Feb–May 2026 analysis identified five skills that bypassed screening and fell into three threat categories: macOS infostealers, an evasion technique using inflated file size, and novel agentic threats for financial gain. All five skills were reported and removed; OpenClaw and NVIDIA have since increased screening and analysis.
read more →

One intrusion, two attackers: uncovering parallel threats

🔍 Microsoft DART describes a complex multi-stage intrusion where two unrelated threat actors operated simultaneously, blending ransomware tactics with stealthy reconnaissance and persistence. Investigators observed exploitation attempts against on-premises SharePoint, use of legitimate tools like Velociraptor, cloud tunneling, credential misuse, and DLL sideloading to maintain access and evade detection. Coordinated telemetry correlation and threat intelligence enabled containment and targeted remediation guidance.
read more →

INTERPOL: Cybercrime Surge in Asia and South Pacific

🔍 INTERPOL warns of a dramatic rise in cybercrime across Asia and the South Pacific driven by rapid digitalization, organized criminal networks, and uneven cybersecurity maturity. Phishing is identified as the most widespread and costly threat, while ransomware, AI-driven scams, deepfakes, and banking trojans have also surged. Authorities are scaling cross-border cooperation and resilience efforts to counter these threats.
read more →

Gentlemen RaaS standardizes EDR-killer suite

🛡️ ESET researchers say the Gentlemen ransomware-as-a-service (RaaS) operation supplies affiliates with a standardized suite of EDR killers, centered on a framework named GentleKiller, to disable security tooling prior to encryption. The tooling mimics legitimate security products and leverages abused vulnerable drivers through a BYOVD technique, incorporating third-party killers like HexKiller and ThrottleBlood. The group rapidly operationalizes public proof-of-concept exploits, and ESET also found a Rust-based credential stealer called OxideHarvest in use.
read more →

Analysis of Reported Credential Compromise of FortiGate

🔐 Fortinet has observed malicious actors harvesting FortiGate credentials in an activity labeled "FortiBleed." Their initial analysis indicates attackers are reusing credentials from prior incidents and leveraging brute-force techniques against devices lacking strong passwords and multi-factor authentication. This is not a new Fortinet vulnerability and is unrelated to recent advisories. Fortinet is investigating, notifying impacted customers, and recommending immediate defensive actions and hardening.
read more →

Cloudflare Celebrates 12 Years of Project Galileo

🎉 Project Galileo provides free cybersecurity services to over 3,400 websites belonging to journalists, human rights defenders, and nonprofits across 120 countries. Cloudflare published its first comprehensive report on cyberattacks targeting civil society, released 16 participant case studies, and announced new partners. The findings show civil society faces more frequent and intense attacks, including prolonged DDoS, higher exploitation attempts, and elevated phishing rates. Cloudflare calls for broader, affordable protections and will produce this report annually.
read more →

Fortibleed campaign exposes 75,000 Fortinet firewalls

🔒 Researchers have uncovered a large credential-compromise campaign called Fortibleed that exposed tens of thousands of Fortinet FortiGate devices worldwide. Analysis by SOCRadar, Hudson Rock, and independent researchers found stolen configuration files, administrator and SSL VPN credentials, and tooling used to automate collection and cracking. Affected devices span 194 countries, with roughly 75,000 devices reportedly compromised, prompting urgent remediation advice including credential rotation and upgrading to modern FortiOS hashes.
read more →