< ciso
brief />
Tag Banner

All news with #threat research tag

91 articles

Unit 42 2026 IR Report: AI as an Attack Multiplier

🔍 Unit 42’s 2026 Global Incident Response Report examines how AI is accelerating and streamlining attacker operations. Drawing on hundreds of engagements, the report finds AI shortens development cycles and automates reconnaissance while core attack techniques remain consistent. It stresses defenders can apply existing controls but should prioritize prevention and AI-aware skills.
read more →

AI-Aggregated Executive Profiles Increase Attack Surface

🔎 AI tools now synthesize publicly available executive information into coherent, queryable profiles that attackers can use for social engineering. These profiles collapse traditional OSINT timeframes from days to minutes and lower the skill needed to target executives. Security teams must monitor AI outputs, reduce unnecessary public exposure, and integrate AI-profile risk into executive protection programs. Training executives to view their own AI-generated profiles and assigning security ownership are essential countermeasures.
read more →

The Gentlemen ransomware: rise and operational profile

🔒 Unit 42 details the emergence and tactics of The Gentlemen (aka Storm-2697), a Ransomware-as-a-Service active since mid‑2025 and scaling rapidly through 2026. The group uses C and Go variants, offers affiliates a 90% payout, and employs diverse initial access methods including exploited edge devices, brute force, stolen credentials and IAB partnerships. Researchers note custom tooling such as a Go backdoor, an EDR killer called GentleKiller, and likely zero-day exploitation to evade defenses.
read more →

Check Point CTO on AI’s impact on cybersecurity

🛡️ At Engage 2026 in Paris, Check Point CTO Jonathan Zanger discussed how AI is reshaping cybersecurity operations, enabling defenders to scale threat monitoring and red-team testing while also empowering attackers. He warned that AI increases attack surface as organizations connect models to enterprise systems and urged integrating security from the start of any AI project. Zanger emphasized prevention, collaboration across defenders, and protecting AI platforms themselves to mitigate rapidly evolving AI-driven threats.
read more →

Microsoft details SFI AI system to harden cloud

🚀 Microsoft describes a multi-agent AI system within the Secure Future Initiative (SFI) that continuously evaluates and hardens its cloud services. The system combines code, configuration, identity, network, and runtime evidence to find composite vulnerabilities and assess layered defenses. It generates assurance trees tailored to each service and produces high-quality, actionable findings that speed remediation. Microsoft reports the system compresses deep security reviews from weeks to hours and that over 90% of findings were validated by engineers.
read more →

Cybersecurity and the Growing Skill–Ability Divide

🛡️ The Five Eyes recently warned that AI models increasingly enable autonomous cyberattacks, amplifying risks long present in cyberspace. Bruce Schneier argues that AI widens the gap between skill and ability: tools let less-skilled actors cause damage once limited to experts. He warns guardrails from large vendors won’t stop open-source or locally run models and urges using AI defensively to detect, remediate, and respond faster to evolving threats.
read more →

Board Games Sharpen Cybersecurity Intuition

🎲 The Threat Source newsletter draws a connection between learning board games and developing cybersecurity skills, arguing that games sharpen pattern recognition, intuition, and adaptive thinking. The piece highlights how diverse games—from Ticket to Ride to Go—teach strategy, breaking habits, and embracing failure as a learning tool. It also summarizes Talos research on the ARToken phishing-as-a-service panel and recent threat trends affecting Microsoft 365, AI agents, and RMM vulnerabilities.
read more →

Martin Lee on Threat Research and Career Transition

🧭 In this Humans of Talos feature, Martin Lee, EMEA Lead at Talos, discusses his journey from studying human viruses to leading cybersecurity efforts. He explains how early exposure to the internet prompted a career shift from academia to threat research and how his role now focuses on externalizing the evolving threat landscape to partners and customers. Martin also highlights using a sociological lens to assess organizational resilience and offers career advice about visibility, curiosity, and diverse experiences.
read more →

236,000 DCloud Uni‑App Sites Fuel Investment Scams

🛡️ Infoblox reports that over 236,000 domains use DCloud Uni‑App templates to power investment scams, including fake crypto exchanges, wallet drainers, gambling sites, and WhatsApp phishing pages. The malicious sites span continents, target multiple languages, and have been active since mid‑2022, with some operators stripping framework fingerprints to evade detection. While many domains use mainstream hosting providers, a subset relies on bulletproof hosting and centralized template sales may explain coordinated activity.
read more →

Iran-linked MuddyWater Poses as Chaos Ransomware

🔍 Analysis by NCC Group reveals Iran-linked MuddyWater impersonated the Chaos ransomware group to mask espionage operations. The report, published June 24, details how operators used extortion notes, negotiation channels and a leak site listing to simulate a financially motivated attack. Researchers warn that state-backed actors increasingly adopt cybercriminal tradecraft, complicating detection and response.
read more →

Prinz Eugen ransomware targets recent files first

🛡️ Threatdown and Malwarebytes researchers detail a new hands-on-keyboard ransomware called Prinz Eugen that prioritizes recently modified files for encryption and leaves no ransom note on compromised systems. Initial access is likely via stolen RDP credentials, with attackers manually deploying a payload named servertool.exe and sometimes using legitimate RMM tools like RemotePC for persistence. The Go-based malware encrypts files recursively without exclusions, uses ChaCha20-Poly1305 and Argon2id-derived keys, and self-deletes while overwriting keys to hinder recovery and forensics.
read more →

ESET analysis of Gentlemen’s EDR-killer suite

🔎 ESET researchers detail the EDR-killing toolset used by the ransomware-as-a-service gang Gentlemen, which rose to prominence in early 2026. The group provides affiliates with an operator-maintained suite centered on an in-house framework dubbed GentleKiller plus integrated third-party tools like HexKiller and HavocKiller. A May 2026 internal leak and long-term incident visibility enabled deep linkage between leaked data, actual samples, and the gang’s TTPs.
read more →

Investigation Identifies Alleged Administrator of The Gentlemen

🔍 Check Point and other cyber intelligence firms have been tracking The Gentlemen, a fast-growing RaaS operation that offers affiliates a 90/10 revenue split and has become the second most active ransomware group by victim count. Researchers link the group’s administrator to the handles Hastalamuerte and Zeta88, and trace forum registrations, email addresses, Telegram IDs, and phone numbers to a likely real-world identity in Izhevsk, Russia. Open-source and breach data suggest the suspect may be Alexander Yapaev, who lists employment at Uralenergo Udmurtia; he did not respond to requests for comment.
read more →

Underground Playbook Targets Vulnerability Programs

🛡️ A forum tutorial by an actor named "Hercules" outlines a simple, practical workflow for scanning, validating, exploiting, and monetizing vulnerabilities, blending «legal» disclosure steps with clear illegal options. Flare researchers tracked the post and responses across multiple forums, noting demand for mentorship and the tutorial’s repeat reposting. The write-up highlights use of public tools like Nuclei, emphasizes accessibility for beginners, and explains monetization paths including direct extortion, underground sales, and asset resale. The analysis warns defenders that readable, motivational guides scale criminal capability and underscores the importance of effective vulnerability disclosure programs.
read more →

AI-Driven Exploitability Forces Faster Patching

🔒 As AI models like GPT5.5 and Claude Mythos accelerate exploit discovery, organisations face shrinking windows to patch vulnerabilities. Industry experts at Infosecurity Europe warn mean time to exploit has fallen from days to hours, prompting regulatory responses such as India’s 12-hour patch expectation. Analysts contrast vendor-centric EU rules with market-driven US approaches and recommend exploit-intelligence led patching, automation, segmentation and stronger producer SLAs.
read more →

Defenders Must Adopt AI or Risk Failing

🛡️ Joe Slowik warned at Infosecurity Europe that defenders must adopt AI to keep pace with adversaries. He argued that purely human-driven SOCs cannot match the accelerated timescales enabled by AI, ML and LLMs, leaving organisations exposed. Slowik recommended rethinking security operations to integrate AI agents for rapid intelligence, enrichment and remediation, while keeping humans in the decision loop. He used the React2Shell example to illustrate the speed of modern exploits.
read more →

The quiet emergence of AI cyber doctrine

🛡️ Recent developments show AI moving from automation to autonomous cyber operations, shifting how offense and defense interact. The Anthropic Mythos Preview and related incidents illustrate models discovering and chaining vulnerabilities with limited human direction, prompting coordinated defensive responses from major vendors. Policy and procurement are adapting, and security leaders must treat AI agents as principals, invest in adaptive defenses, and reframe risk models for continuous compromise.
read more →

Three-Quarters Admit Shipping Vulnerable Code

🛡️ New studies reveal that 75% of organizations often or sometimes deploy code they know is vulnerable, down from 81% last year but still alarmingly high. Checkmarx warns that AI-augmented attackers are dramatically shortening time-to-exploit, while Verizon’s DBIR links increased initial access to vulnerability exploitation aided by AI. A QBE survey found UK firms are worried about suppliers' AI use, yet few audit third-party AI or maintain formal AI governance.
read more →

Webworm APT's 2025 Shift: New Burrowing Tactics and Proxies

🛡️ ESET researchers analyzed Webworm’s 2025 campaigns and found a shift from traditional RATs to stealthier proxy tools and two new backdoors, EchoCreep and GraphWorm, which abuse Discord and the Microsoft Graph API for C2. They decrypted over 400 Discord messages, uncovered GitHub staging repositories and a compromised Amazon S3 bucket, linking infrastructure to Vultr and IT7 Networks. Victims across Europe and South Africa were targeted; identified services have been taken down and impacted parties notified.
read more →

AI Attack Capability Rising Faster Than Expected Per UK Tests

🔍 New benchmarks from the UK’s AI Security Institute (AISI) show leading AI models rapidly improving at multi-stage penetration testing, with the difficulty of tasks solvable by models doubling every 4.7 months as of early 2026. The tests measure the longest task an AI can complete with 80% success relative to human work-hours, emphasizing autonomous chaining of steps rather than raw speed. While there are caveats — token limits and inconsistent model performance — the findings highlight growing offensive and defensive implications for enterprise security.
read more →