CISO Brief

All news with #threat report tag

497 articles

Fraud Schemes Target Formula 1 Fans Worldwide

🚨 A Bitdefender report warns that cybercriminals have built extensive ecosystems to scam Formula 1 fans, exploiting the sport’s fast-moving digital culture. Scams include counterfeit merchandise, fake grand prix tickets, illegal streaming apps and boxes, social media fraud and distribution of infostealer malware. Fans’ devices may also be recruited into botnets used for DDoS attacks. Bitdefender urges vigilance and recommends anti-phishing and antivirus tools to reduce risk.

AI-Enabled Attacks Shift from Labs to Live Threats

🛡️ Check Point Research’s March–April 2026 Threat Landscape Digest documents that AI-powered attacks have moved from experimental and state-sponsored exercises into routine criminal deployment. The report details a campaign in Mexico where a single operator used commercial AI to compromise nine government agencies, leveraging persistent jailbreaks, weaponized agent configuration files, and commodified attack platforms like EvilTokens. It warns that stolen AI provider keys, rapid exploit timelines, and shadow AI use create urgent operational and supply-chain risks for organizations.

ThreatsDay bulletin: evolving threats and trends

🛡️ This week's ThreatsDay bulletin highlights a string of notable cybersecurity developments, from 47 zero-day exploits revealed at Pwn2Own Berlin 2026 to active Linux rootkit evolution. It summarizes warnings about agentic AI, targeted intrusions using AI agents, and advisories on token and dependency leaks. The report also covers nation-state tensions, ransomware activity, encrypted communications, and campaigns abusing identity recovery flows.

Verizon DBIR: Exploitation Replaces Credential Abuse

🔍 Verizon's latest DBIR reports that vulnerability exploitation has become the top initial access vector, accounting for 31% of breaches compared with 13% for credential abuse. The study links this shift to slower patching—only 26% of CISA KEV critical flaws were fully remediated—and a larger backlog of critical vulnerabilities. It also warns that threat actors may be using AI to scale discovery and exploitation, and highlights rising supply-chain incidents, increased shadow AI adoption, and persistent human-factor risks.

DACH Threats 2025: Hacktivism and Ransomware Surge

🔍 Check Point found a 124% rise in hacktivism and ransomware across Germany, Austria, and Switzerland in 2025, with Germany accounting for roughly 82% of incidents. Defacement and DDoS drove the volume—66% of events—while ransomware comprised nearly 30%, led by Akira, Qilin, and Safepay. The report highlights identity weaknesses, exposed remote services, and insufficient patching as primary enablers, and recommends MFA, patch discipline, credential monitoring, and reduced public attack surface.

Pwn2Own Berlin 2026: $1.3M Awarded for 47 Zero-Days

🔒 At Pwn2Own Berlin (May 14–16), researchers uncovered 47 zero-day vulnerabilities and shared almost $1.3 million in prize money, with Devcore taking $505,000. The enterprise-focused competition targeted AI databases, coding agents, LLM toolchains and NVIDIA products. Notable wins included exploits against VMware ESXi, Microsoft Exchange, SharePoint and a sandbox escape on Microsoft Edge. ZDI will disclose the findings to vendors, who have 90 days to patch.

Tycoon2FA Uses Device-Code Phishing to Hijack M365 Accounts

🔐 The Tycoon2FA phishing kit now exploits OAuth device-code flows and misuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts. eSentire found the kit rebuilt after a March takedown, adding obfuscation layers, a 230-vendor blocklist, and extensive anti-analysis checks to evade detection. Attackers trick victims into pasting device codes at microsoft.com/devicelogin, granting OAuth tokens and full access to email, calendar and cloud storage.

Ransomware Escalates: Rising Risk of Physical Threats

🔒 Ransomware campaigns are increasingly paired with explicit threats of physical harm: a Semperis study found that 40% of incidents involved intimidation, rising to 46% in the US. Reported tactics include threatening notes left at homes, phone calls reciting staff addresses and identity details, and extortionists recruiting local actors to carry out violence. The FBI and vendors warn of a growing pattern — described as violence-as-a-service — and advise organisations to treat employee data as critically sensitive and to update incident response plans to cover physical-threat scenarios.

April 2026 Cyber Threats Spike: Ransomware and GenAI Risks

📈 April 2026 saw a sharp rebound in global cyber activity, with organizations averaging 2,201 weekly attacks — a 10% month‑over‑month rise and 8% year‑over‑year. Check Point Research attributes the surge to automation, expanded cloud and GenAI exposures and attackers exploiting larger digital footprints. Education, Government and Telecommunications were among the hardest hit. Ransomware incidents and GenAI data leakage risks intensified across regions.

AI-Developed Zero-Day Used in First Known Exploitation

🛡️ Google disclosed detection of an unknown threat actor using a zero-day exploit likely developed with an AI model, marking the first observed malicious application of AI for vulnerability discovery and exploit generation. GTIG said the exploit was a Python script implementing a 2FA bypass in a widely used open-source web administration tool and contained hallmarks of LLM-generated code. Google worked with the vendor to patch the flaw, disabled malicious assets, and linked the activity to a broader set of AI-enabled abuse campaigns including the Android backdoor PromptSpy.

TrickMo C Moves Android C2 to TON Blockchain Network

📡 ThreatFabric has identified a new Android banking trojan variant, TrickMo C, that shifts its command-and-control channel into The Open Network (TON) blockchain by resolving operator endpoints as .adnl identities. The malicious APK embeds a native TON proxy and routes its HTTP client through a loopback port, while any remaining clearnet queries are sent via DNS-over-HTTPS. This design makes conventional domain takedowns ineffective and helps conceal malicious traffic as legitimate TON application activity.

Fake Claude Code Installer Steals Browser Credentials

🔒 Ontinue detailed a campaign distributing a previously undocumented information stealer via fake Claude Code install pages that hijack Chromium browsers to bypass App-Bound Encryption and exfiltrate cookies, passwords and payment data from developer workstations. The lure replaced the canonical Anthropic host with an attacker-controlled domain while /install.ps1 returned a verbatim genuine installer, so automated scanners saw only benign PowerShell. A native helper is reflectively injected into browser processes to invoke the IElevator2 COM interface and extract encryption keys, while the PowerShell layer handles persistence, collection and C2 communications. Defenders are urged to enforce constrained PowerShell, enable script block logging and block newly registered domains.

AI-Driven Exploitation: Evolving Threats and Access Risks

🔍 Google Threat Intelligence Group (GTIG) reports a rapid shift from nascent AI-enabled operations to industrial-scale use of generative models by threat actors. Based on Mandiant incident response, Gemini telemetry, and GTIG research, the report documents AI-assisted zero-day exploit development, autonomous malware like PROMPTSPY, and advanced obfuscation techniques. It highlights supply chain targeting of AI environments, anonymized premium LLM access, and specific interest from PRC- and DPRK-linked clusters. The report also outlines mitigations and defensive AI uses.

AI-Enabled Attack: First Recorded AI-Driven Zero-Day

🔍 Google’s Threat Intelligence Group (GTIG) reports the first observed case of cybercriminals using AI to discover and weaponize a zero-day, targeting a popular open-source web-based system administration tool to bypass two-factor authentication. GTIG worked with the vendor to close the flaw and disrupt the campaign. Forensic analysis of the Python exploit showed AI-like traits—structured docstrings, Pythonic formatting, and a hallucinated CVSS score. Google noted the attackers did not use Gemini or Anthropic Mythos.

Q1 2026 Ransomware: Fewer Groups, Greater Risk Worldwide

🔒 Check Point Research's Q1 2026 report finds ransomware volume near historic highs while activity consolidates around a smaller set of dominant groups. The top 10 operators now claim 71% of victims, led by Qilin, The Gentlemen, and LockBit. Consolidation raises individual incident impact and shifts attacker geography and target patterns. Defenders should prioritize prevention, exposure management, and network/cloud access controls to limit exploitation.

Commercial LLMs Used in Attack on Mexican Water Utility

⚠ OpenAI and Anthropic models were used by attackers in a cyber-attack that targeted a municipal water and drainage utility in the Monterrey metropolitan area, Dragos reports. The incident, which unfolded between December 2025 and February 2026, involved roughly 350 artifacts, many of them AI-generated malicious scripts used as offensive tooling. According to the report, Anthropic's Claude served as the primary technical executor—handling prompt-and-response interactions, intrusion planning and deployment—while OpenAI's GPT models were used for analytical tasks and generating Spanish-language outputs. Although the OT breach was ultimately unsuccessful, Dragos warns the campaign demonstrates how commercial LLMs can accelerate and refine attacks against operational environments and recommends tighter remote access policies and stronger authentication controls.

ThreatsDay: Stealers, AI-Powered Exploits, and Patching

⚠️ ThreatsDay reports a mix of blunt‑force commodity attacks and high‑impact technical flaws this week. A new MicroStealer campaign is targeting education and telecom organizations, exfiltrating browser credentials, active sessions and wallets via Discord webhooks and attacker servers. Researchers disclosed critical ICS and MOVEit vulnerabilities while analysis shows the VECT 2.0 ransomware encryptor is broken. Browsers and AI are accelerating risk vectors — patch and verify installs urgently.

PyPI packages deliver ZiChatBot malware to Windows, Linux

🛡️ Kaspersky researchers found three malicious PyPI wheel packages — uuid32-utils, colorinal and termncolor — that covertly delivered a new malware family named ZiChatBot to Windows and Linux hosts. The packages drop platform-specific loaders (terminate.dll or terminate.so) that persist via a Registry autorun entry or a crontab and act as droppers for the main payload. ZiChatBot uses public Zulip REST APIs as its command-and-control channel, executes shellcode received from the service, and signals success by sending a heart emoji. The packages were uploaded in July 2025 and have been removed; organizations should audit dependencies, verify build environments, and monitor the published indicators.

Rise in Vercel Abuse for Phishing Campaigns, Cofense Warns

⚠️ Cofense warns that low-skilled threat actors are increasingly abusing Vercel's v0.dev GenAI tools to generate convincing phishing pages with minimal effort. Attackers can prototype for free, purchase tokens to build pages, and use Vercel hosting—its pro tier is roughly $20/month—to deploy and tear down sites quickly. Integrations with services like Telegram, AWS, Stripe and xAI further simplify operations. Cofense advises security teams to verify sender domains, watch for urgency cues and report malicious Vercel sites for takedown.

Quasar Linux: Stealthy implant targets developer systems

🐧 Trend Micro researchers revealed a previously undocumented Linux implant named Quasar Linux (QLNX) that targets software developers by compromising development and DevOps environments such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX dynamically compiles rootkit and PAM backdoor modules on the host, runs fileless in memory, and employs multiple persistence methods while wiping logs and spoofing process names to remain stealthy. The toolkit includes a 58-command RAT, credential harvesting (SSH keys, cloud configs, and /etc/shadow), kernel eBPF hiding, surveillance, lateral movement, and in-memory injection; Trend Micro provided IoCs but attribution and prevalence remain unclear.