< ciso
brief />
Tag Banner

All news with #threat report tag

542 articles · page 13 of 28

Weekly Cyber Recap: Proxy Botnet and Office Zero‑Day

🛡️ Google disrupted the IPIDEA residential proxy network by seizing or sinkholing command-and-control domains, cutting operators' ability to route traffic and reducing millions of exit nodes that had been recruited via bundled SDKs or monetization lures. Microsoft released an out‑of‑band patch for an actively exploited Office zero‑day (CVE-2026-21509), while Ivanti fixed two EPMM RCEs. CERT Polska attributed destructive intrusions against Polish energy assets to Static Tundra, and criminals were observed hijacking exposed LLM endpoints for resale and lateral access. Researchers also documented new modular frameworks, open BYOB C2 repositories, and continued exploitation of web platforms and DevOps tooling.
read more →

China-Linked UAT-8099 Targeting IIS Servers in Asia

🔍 Cisco Talos has uncovered a late-2025 to early-2026 campaign by a China-linked actor tracked as UAT-8099 targeting vulnerable IIS servers across Asia, notably Thailand and Vietnam. The actor uses web shells, PowerShell, and red-team utilities to deploy GotoHTTP and maintain persistence via hidden accounts. Infections deliver the BadIIS SEO-fraud malware family, hijacking crawlers and injecting malicious redirects to manipulate search rankings.
read more →

AI-assisted 'RedKitten' Malware Targets Iranian Protesters

🚨 French cybersecurity firm HarfangLab uncovered a January 2026 campaign dubbed RedKitten that leverages emotionally charged, forged forensic files to deliver a .NET implant called SloppyMIO. The attack begins with a password-protected 7z archive containing malicious Excel spreadsheets that prompt users to enable macros and drop a C# payload. SloppyMIO hijacks a legitimate Windows binary to run stealthily, establishes persistence via scheduled tasks, fetches modules from GitHub and Google Drive, and uses Telegram as its command-and-control channel. Researchers noted multiple traces of LLM-assisted development and assessed the campaign as aligned with Iranian government security interests.
read more →

DynoWiper analysis and Sandworm attribution update

🛡️ ESET researchers describe DynoWiper, a newly identified data-wiping malware used against an energy company in Poland. The report details a three-phase wiper that overwrites files using a single 16-byte random buffer, executes destructive passes with variant-specific behavior, and forces a reboot to complete destruction. ESET attributes the operation to Sandworm with medium confidence and highlights that ESET PROTECT blocked execution and significantly limited impact. The analysis also notes overlaps with the previously observed ZOV wiper.
read more →

Threat Source: Resilience, trends, and hard truths

📰 Hazel Burton opens this Threat Source newsletter by acknowledging how difficult it can be to stay engaged with the news and suggests small, human respites—like the U.K. show Taskmaster—to remind readers creativity and levity persist under pressure. On the technical side, Cisco Talos Incident Response’s Q4 2025 report shows exploitation of public-facing applications remains the leading initial access vector (down from 62% to ~40%), while phishing and credential harvesting rose and ransomware incidents fell to 13% with Qilin still common. The newsletter urges rapid patching, correct MFA configuration and monitoring, and comprehensive logging to detect suspicious activity.
read more →

2026 Data Security Index: Securing AI and Sensitive Data

🔒 The 2026 Microsoft Data Security Index explores how organizations can harness generative AI while protecting sensitive information and maintaining productivity. Based on responses from more than 1,700 security leaders, the report highlights three priorities: consolidating fragmented tools into unified platforms, managing AI-driven workflows securely, and leveraging generative AI to strengthen security operations. It recommends practical approaches using Microsoft Purview for continuous discovery and governance and Microsoft Security Copilot for automated investigation with human oversight.
read more →

Aisuru Botnet Launches Record 31.4 Tbps DDoS Attack

🔴 Cloudflare says the Aisuru/Kimwolf botnet launched a record DDoS campaign on December 19 that peaked at 31.4 Tbps and about 200 million requests per second. The attacks, dubbed The Night Before Christmas, targeted telecommunications and IT providers and hit Cloudflare’s dashboard and infrastructure. Sources were identified as compromised Android TVs rather than typical IoT routers, and most bursts lasted one to two minutes. Cloudflare reports the attacks were detected and mitigated automatically without triggering internal alerts.
read more →

US Data Breaches Hit Record High in 2025; Victims Drop

📈 The Identity Theft Resource Center (ITRC) reports a record 3,332 US data "compromises" in 2025, a 5% rise from 2024. Despite the higher incident count, individual victims fell to 279 million from 1.4 billion, driven by the absence of large-scale "mega breaches" seen in 2023. Financial services was the hardest-hit sector with 739 compromises (22%). The ITRC warned that opaque breach notices—70% lacked attack type—undermine consumer protection and urged Zero Trust, stronger identity verification and greater transparency.
read more →

Q4 2025 Talos IR: Public-Facing Exploits and Phishing

🔒 Talos Incident Response (Talos IR) reports that in Q4 2025 threat actors again favored exploitation of public-facing applications, appearing in nearly 40% of engagements, while phishing rose to the second-most common initial access vector. Notable exploit activity targeted Oracle E-Business Suite (CVE-2025-61882) and React2Shell (CVE-2025-55182), and attackers rapidly weaponized these flaws close to disclosure. Talos also observed deployment of APT-linked implants such as BadCandy and AquaShell, plus campaigns that targeted Native American tribal organizations for credential harvesting. The report emphasizes timely patching, strong MFA controls, centralized logging, and rapid incident response to limit impact.
read more →

Labyrinth Chollima Splits into Three Specialized Adversaries

🔍 CrowdStrike details that LABYRINTH CHOLLIMA has diverged into three distinct DPRK-linked adversaries — GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a narrowed espionage-focused LABYRINTH CHOLLIMA. Each subgroup maintains dedicated malware families and targeting priorities: GOLDEN and PRESSURE focus on cryptocurrency and fintech thefts while core LABYRINTH targets industrial, defense, and logistics sectors. Despite operational separation, shared tools and infrastructure point to centralized coordination within the DPRK cyber ecosystem.
read more →

Crooks Hijack and Resell Exposed Corporate AI Infrastructure

🔒 Researchers at Pillar Security warn of large-scale campaigns that probe and exploit exposed LLM and MCP endpoints to steal compute, exfiltrate context data, and resell API access. In recent weeks, honeypots captured roughly 35,000 attack sessions linked to Operation Bizarre Bazaar and a parallel MCP reconnaissance effort that leverage Shodan/Censys scanners, automated validators, and a criminal marketplace. Threat actors target unprotected Ollama, vLLM and OpenAI-compatible endpoints and are marketing discounted access via a site called The Unified LLM API Gateway. Organizations must require authentication, audit MCP exposure, apply rate limits, block known malicious ranges, and treat AI endpoints with the same rigor as APIs and databases immediately.
read more →

Coordinated Cyberattack on Polish Energy Grid Hits 30 Sites

⚠️ A coordinated late-December cyberattack targeted distributed energy resource (DER) sites across Poland, impacting roughly 30 facilities including combined heat and power (CHP) plants and wind and solar dispatch systems. Researchers at Dragos say attackers damaged OT equipment beyond repair and wiped Windows hosts while disabling remote monitoring, though generation continued and no outages occurred. Dragos links the operation with moderate confidence to the cluster it calls Electrum, noting overlaps with Sandworm/APT44 and ties to destructive wipers used in Ukraine.
read more →

FBI Seizes RAMP Cybercrime Forum Linked to Ransomware

🔒 The FBI has seized the RAMP cybercrime forum, replacing both its Tor and clearnet sites with an official seizure notice and switching DNS to FBI-controlled name servers. The action potentially grants investigators access to forum records — email addresses, IP logs, private messages and other data — that could identify and lead to arrests of negligent threat actors. RAMP, launched in July 2021 by the actor known as Orange, became a prominent hub for ransomware groups to advertise operations, recruit affiliates, and trade network access.
read more →

Empire Market Owner Pleads Guilty to Drug Conspiracy

⚖️ A Virginia man who co-created Empire Market pleaded guilty to federal drug conspiracy charges after facilitating roughly $430 million in illicit transactions from 2018 to 2020. The Tor-accessible marketplace, modeled after AlphaBay, reached about 1.68 million registered users and listed 166,029 controlled-substance offerings. Court filings say the operators used cryptocurrency to launder proceeds, employed moderators to resolve disputes, and oversaw sales by vendors that included heroin, methamphetamine, cocaine and fentanyl; the defendant agreed to substantial cryptocurrency and property forfeitures.
read more →

Key Cybersecurity Trends Defining 2026 Risk Landscape

🛡️ The Cyber Security Report 2026 analyzes global attack activity and shows how adversaries are evolving into faster, more automated, and more coordinated operators. It documents AI-driven attacks, expanded ransomware operations, identity abuse, and multi-channel social engineering across hybrid and edge environments. The report highlights the deliberate combination of techniques at scale and outlines defensive priorities to address these integrated threats.
read more →

Pakistan-linked Cyber Campaigns Target Indian Government

🛡️ Zscaler ThreatLabz identified two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, that targeted Indian government entities in September 2025. Gopher Strike relied on tailored phishing PDFs that display a fake update prompt and selectively deliver an ISO payload only to requests originating from India and Windows User-Agents. Sheet Attack abused legitimate services such as Google Sheets, Firebase, and email for command-and-control. The intrusions deploy Golang tools — GOGITTER, GITSHELLPAD, and GOSHELL — to maintain persistence, execute commands, and stage a Cobalt Strike Beacon.
read more →

Pakistan-linked campaigns target Indian government assets

🔎 Zscaler ThreatLabz in September 2025 uncovered two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, aimed at Indian government entities. Gopher Strike used phishing PDFs with a fake Adobe update that conditionally delivers an ISO to Indian Windows hosts, deploying a Golang downloader, GOGITTER, which establishes VBScript-based persistence and scheduled-task execution. Sheet Attack abused legitimate services such as Google Sheets, Firebase and email for command-and-control, while a lightweight backdoor, GITSHELLPAD, and a padded loader, GOSHELL, were used to ultimately deliver Cobalt Strike.
read more →

Growing Android Threats in 2026: Fake Apps and NFC Risks

🛡️ In 2025–2026 Android ecosystems saw a sharp rise in malware distributed via sideloading, fake app stores and messaging platforms, alongside a surge in NFC-based cash-out schemes. Kaspersky highlights prolific families such as ClayRat, rising Trojan bankers and preinstalled firmware threats like Triada, and documents social-engineered VPN and relay attacks. The report emphasizes strict mobile hygiene and recommends Kaspersky for Android to detect trojanized APKs, block phishing and mitigate NFC exploits.
read more →

PeckBirdy JScript C2 Framework Linked to China APTs

🔍 PeckBirdy is a previously undocumented, JScript-based command-and-control framework active since 2023 that researchers have linked to China-aligned APT activity across Asia. Trend Micro observed the framework used in multiple roles — watering-hole controller, reverse shell and C2 server — deployed via living-off-the-land binaries and browser-based social engineering. Modular implants such as HOLODONUT and MKDOOR extend capabilities with in-memory execution and attempts to evade Microsoft Defender, complicating detection and response.
read more →

From Cipher to Fear: Psychology of Modern Ransomware

🔐 Modern ransomware has evolved from a technical encryption problem into a psychology-driven extortion industry where stolen data, legal exposure, and reputation risk are the primary levers. Flare's 2025 analysis documents a fragmented, collaborative attacker ecosystem and a shift to pressure-first tactics like public shaming and identity abuse. Security teams must expand playbooks beyond backups to include legal and communications readiness, targeted configuration audits, and prioritized remediation based on active exploit intelligence.
read more →