< ciso
brief />
Tag Banner

All news with #threat report tag

542 articles · page 14 of 28

Active Exploitation of Critical WinRAR CVE-2025-8088

⚠️ The Google Threat Intelligence Group (GTIG) has observed widespread exploitation of WinRAR via the critical path traversal vulnerability CVE-2025-8088, which attackers use to drop payloads into the Windows Startup folder by abusing Alternate Data Streams (ADS). Adversaries—from government-backed Russian and Chinese groups to financially motivated operators—craft RAR archives that conceal decoy documents and hidden ADS entries to achieve persistence. Defenders should prioritize installing the WinRAR patch, enable Safe Browsing protections, and hunt for ADS extraction activity and newly created Startup-folder LNK/HTA/BAT artifacts.
read more →

Threatsday Bulletin: Supply, Ads, Zero-Click, Scans

🔐 Most of this week's threats exploited trusted systems and routine workflows rather than new techniques, achieving access with low friction and high persistence. Incidents ranged from targeted spear‑phishing that delivered the FALSECUB backdoor to widespread malvertising campaigns distributing .NET RATs and the TamperedChef infostealer. Google Project Zero detailed a multi‑stage Pixel zero‑click chain, vendors disclosed DLL side‑loading and WSL abuse, and supply‑chain exposures and large reconnaissance sweeps were widely observed. Administrators should prioritize patching, plugin hygiene, and tightening automated support and supply‑chain controls.
read more →

Global Collaboration to Deter Systemic Cybercrime at Scale

🌐 At the World Economic Forum in Davos, Fortinet highlighted that cybercrime has evolved into a transnational economic system driven by specialization, automation, and AI. Leaders emphasized an acute imbalance: attackers benefit from low-risk, high-reward models while defenders are hindered by fragmented collaboration, jurisdictional limits, and a widening skills gap. Participants called for scaling structured, incentive-driven collaboration and validated community intelligence, together with targeted training and technology investment, to shift the economics in favor of defenders.
read more →

Global Collaboration to Deter Systemic Cybercrime at Scale

🤝 At Davos, Fortinet argues that cybercrime has evolved into an economic system sustained by specialized markets such as ransomware collectives and Cybercrime-as-a-Service. Attackers are leveraging automation and AI to scale and personalize campaigns, while defenders remain constrained by fragmented jurisdictions, voluntary sharing, and an enduring skills gap. The piece calls for scalable, incentive-driven collaboration, trusted reporting, expert validation, and stronger law enforcement partnerships to shift the economics in favor of defenders.
read more →

Zero-day and One-day Exploits Rose in 2025, Says VulnCheck

🔍 VulnCheck’s State of Exploitation 2026 report finds 28.96% of known exploited vulnerabilities (KEVs) were exploited before or on the day they were disclosed, up from 23.6% in 2024. In 2025 the firm observed exploitation of 884 vulnerabilities — a 15% year‑over‑year increase — across hundreds of vendors and products. Network edge devices (191 KEVs), content management systems (163) and open source software (129) were the most targeted, while operating systems saw the highest share of zero‑day and one‑day exploits. The report also notes time‑to‑exploitation patterns remained consistent and that ransomware attribution often lagged initial exploit disclosures.
read more →

Smashing Security #451: Gov Hacks and Headphone Risks

🔒 In episode 451 of Smashing Security, host Graham Cluley and guest Ray Redacted explore a prolific intruder who claims to have compromised the U.S. Supreme Court, Veterans Affairs, AmeriCorps and other organisations, posting screenshots and even a victim’s blood type under the account I hacked the government. They also examine research revealing flaws in wireless headphone pairing — notably in Google’s Fast Pair ecosystem — that let attackers hijack earbuds, inject audio and eavesdrop without obvious signs. The episode mixes incident reporting, legal context and consumer privacy implications.
read more →

DPRK-linked Actors Abuse VS Code Tasks to Deliver Backdoor

🚨 Jamf Threat Labs and other researchers observed DPRK-linked actors using malicious Visual Studio Code project repositories to deliver a multi-stage backdoor enabling remote code execution. The campaign abuses VS Code task configuration files (runOn: folderOpen) to fetch obfuscated JavaScript from Vercel and deploy implants named BeaverTail and InvisibleFerret. Targets are lured to clone and open repository-based job assessments, and on macOS the chain uses nohup/curl to run Node.js payloads that persist beyond the IDE.
read more →

Kimwolf IoT Botnet Infects Corporate and Government Networks

🚨A new IoT botnet, Kimwolf, has infected more than two million devices and is being used for large-scale DDoS and to relay abusive traffic. Operators abuse commercial residential proxy services—most prominently IPIDEA—to reach proxy endpoints and scan local networks, enabling lateral infections of vulnerable devices, particularly unofficial Android TV boxes. Some proxy providers have begun blocking Kimwolf-related traffic, but millions of infected endpoints remain within corporate and government networks.
read more →

Cyber Risk Rises Among CEOs Amid Weak Growth Outlook

🔒 PwC’s 29th Global CEO Survey of 4,454 executives finds cyber risk among the top threats as CEOs lose confidence in short-term growth. Nearly a third (31%) see high or extreme exposure to potential financial loss from cyber attacks, and 84% plan enterprise-wide cybersecurity improvements. PwC recommends investing in data, processes and responsible AI to help preserve stakeholder trust.
read more →

Five Chrome Extensions Hijack Enterprise Sessions, Target HR

🔒 Researchers at Socket uncovered a coordinated campaign in which five Chrome extensions, marketed as productivity tools, clandestinely stole session authentication tokens and enabled full account takeover. More than 2,300 users installed the malicious add-ons, which targeted enterprise HR and ERP platforms such as Workday, NetSuite and SuccessFactors. Some extensions exfiltrated cookies every 60 seconds, while others blocked admin and security pages to prevent incident response. Removal requests have been filed with the Chrome Web Store security team.
read more →

Multi-Stage Windows Malware Campaign Abusing Defendnot

🛡️ FortiGuard Labs details a multi-stage Windows malware campaign that begins with socially engineered archives and a deceptive LNK shortcut to launch a PowerShell loader. The chain uses an obfuscated VBScript to reconstruct final-stage logic in memory, then operationalizes Defendnot to disable Microsoft Defender from a signed process while applying persistent policy-based suppression. Attackers stage components across GitHub and Dropbox, deploy long-term surveillance and persistence, and deliver Amnesia RAT, Hakuna Matata–derived ransomware, and a WinLocker, resulting in widespread file encryption and credential theft.
read more →

LinkedIn Messages Used to Distribute RAT via DLL Sideload

📩 ReliaQuest researchers uncovered a LinkedIn-based phishing campaign that delivers weaponized WinRAR self-extracting archives to targets. The archive extracts four components: a legitimate open-source PDF reader, a malicious DLL used for DLL sideloading, a portable Python interpreter PE, and a decoy RAR. When the PDF reader is run the rogue DLL is sideloaded, drops the Python interpreter, creates a Windows Run registry key, and executes Base64-encoded open-source shellcode in memory to deploy a remote access trojan. The campaign leverages social media DMs and legitimate tools to evade detection and maintain persistent access.
read more →

LinkedIn phishing uses legitimate tools to deploy RAT

🔒 Researchers at ReliaQuest uncovered a LinkedIn-based phishing campaign that delivers a Remote Access Trojan by abusing legitimate software. Attackers send role-tailored messages containing a WinRAR self-extracting archive that unpacks a legitimate open-source PDF reader alongside a malicious DLL that uses DLL sideloading. The campaign leverages a real penetration-testing tool to establish persistence, enabling data exfiltration and lateral movement.
read more →

AI 'Fifth Wave' Supercharges Cybercrime Operations

🔍 Group-IB's January report argues that AI has created a new 'fifth wave' of cybercrime by turning advanced skills into inexpensive, scalable services that make attacks cheaper and faster. Analysts documented low-cost synthetic identity kits, deepfake-as-a-service subscriptions and biometric datasets sold for as little as $5, plus subscription dark LLMs. The firm highlights agentized phishing that automates lure creation, delivery and campaign adaptation and the rise of self-hosted dark LLMs used to generate scams, malware and exploit code.
read more →

WEF 2026: AI Drives Cybersecurity Risks and Responses

🔐 The World Economic Forum's Global Cybersecurity Outlook 2026 finds that advances in AI, geopolitical fragmentation and complex supply chains are intensifying cyber risk. Respondents named AI the top driver of change (94%) and reported rising AI-related vulnerabilities (87%), while confidence in national preparedness continued to fall. The report urges security-by-design, strong governance, and retained human oversight as organizations scale AI defenses. Notably, 64% now assess AI tools before deployment and 77% have deployed AI in security operations, though skills gaps and trust remain major obstacles.
read more →

Account Compromise Soars 389% in 2025: eSentire Report

🔐 eSentire's 2025 Year in Review (published 15 Jan 2026) documents a 389% year‑over‑year surge in account compromises, which accounted for 55% of observed attacks. Credential access comprised 75% of malicious activity, with Microsoft 365 accounts heavily targeted and two‑thirds of compromises used for account takeovers. Phishing‑as‑a‑service (PhaaS) kits — including Tycoon2FA, FlowerStorm and EvilProxy — fueled many Business Email Compromise operations, while malware represented 25% of threats, down slightly from 2024.
read more →

Gootloader Abuses 1,000-Part ZIPs to Evade Detection

🛡️ Gootloader operators now deliver malformed ZIP archives that concatenate up to 1,000 parts to evade analysis and detection. The archived JScript unpacks successfully with Windows' built-in extractor while tools relying on 7-Zip and WinRAR often crash. Samples employ truncated EOCD entries, randomized disk fields, metadata mismatches and XOR-encoded blobs appended client-side. Researchers devised a YARA rule and advise changing the default .js opener to Notepad and blocking wscript.exe/cscript.exe where possible.
read more →

Predicting 2026: Cyber Threats, AI Risks, and APTs

🔮 Cisco Talos outlines expectations for cybersecurity in 2026, warning of continued geopolitical-driven campaigns such as infostealers, phishing, and proxy-enabled destructive operations. The briefing highlights the growing risk posed by inadequately governed generative AI agents that could cause breaches or mimic insider threats through flawed design or prompt manipulation. Talos also emphasizes that familiar weaknesses — unpatched systems, leaked credentials, and absent MFA — will remain primary enablers of intrusion. The advisory specifically flags UAT-8837, a medium-confidence China-nexus APT targeting critical infrastructure since 2025, and urges patching, credential hygiene, and proactive hunting.
read more →

Hackers Shift from Encryption to Pure Data Extortion

🚨 New research from Symantec and Carbon Black shows cybercriminals increasingly favour data theft and extortion over file encryption. While counts of traditional ransomware incidents remained broadly stable in 2025, attacks that rely solely on stolen data rose sharply. Threat actors exploit unpatched zero‑days, software supply‑chain weaknesses and credential theft, prompting firms to prioritise patching, robust credential hygiene and MFA.
read more →

Cyber Threat Actors Intensify Attacks on Industrial ICS

🔒 Cyble's Annual Threat Landscape Report 2025 (published Jan 15, 2026) found a sharp rise in attacks against industrial environments, with ICS vulnerability disclosures nearly doubling to 2,451 across 152 vendors in 2025. The report highlights an August spike (802 disclosures) and Q3 accounting for 45.26% of disclosures. HMI and SCADA systems were increasingly exploited, with Siemens and Schneider among the most affected vendors. Cyble warns threat actors — including ransomware groups and coordinated hacktivists — will focus on exposed HMI/SCADA and VNC takeovers in 2026.
read more →