All news with #threat research tag

🛡️ Joe Slowik warned at Infosecurity Europe that defenders must adopt AI to keep pace with adversaries. He argued that purely human-driven SOCs cannot match the accelerated timescales enabled by AI, ML and LLMs, leaving organisations exposed. Slowik recommended rethinking security operations to integrate AI agents for rapid intelligence, enrichment and remediation, while keeping humans in the decision loop. He used the React2Shell example to illustrate the speed of modern exploits.

🛡️ Recent developments show AI moving from automation to autonomous cyber operations, shifting how offense and defense interact. The Anthropic Mythos Preview and related incidents illustrate models discovering and chaining vulnerabilities with limited human direction, prompting coordinated defensive responses from major vendors. Policy and procurement are adapting, and security leaders must treat AI agents as principals, invest in adaptive defenses, and reframe risk models for continuous compromise.

🛡️ New studies reveal that 75% of organizations often or sometimes deploy code they know is vulnerable, down from 81% last year but still alarmingly high. Checkmarx warns that AI-augmented attackers are dramatically shortening time-to-exploit, while Verizon’s DBIR links increased initial access to vulnerability exploitation aided by AI. A QBE survey found UK firms are worried about suppliers' AI use, yet few audit third-party AI or maintain formal AI governance.

🛡️ ESET researchers analyzed Webworm’s 2025 campaigns and found a shift from traditional RATs to stealthier proxy tools and two new backdoors, EchoCreep and GraphWorm, which abuse Discord and the Microsoft Graph API for C2. They decrypted over 400 Discord messages, uncovered GitHub staging repositories and a compromised Amazon S3 bucket, linking infrastructure to Vultr and IT7 Networks. Victims across Europe and South Africa were targeted; identified services have been taken down and impacted parties notified.

🔍 New benchmarks from the UK’s AI Security Institute (AISI) show leading AI models rapidly improving at multi-stage penetration testing, with the difficulty of tasks solvable by models doubling every 4.7 months as of early 2026. The tests measure the longest task an AI can complete with 80% success relative to human work-hours, emphasizing autonomous chaining of steps rather than raw speed. While there are caveats — token limits and inconsistent model performance — the findings highlight growing offensive and defensive implications for enterprise security.

🔎 Symantec and Carbon Black confirm the Lua-based fast16 malware was a pre-Stuxnet sabotage tool designed to corrupt nuclear weapons testing simulations. The threat specifically targets high-explosive runs in LS-DYNA and AUTODYN, activating only when simulated material density reaches ~30 g/cm³. With 101 hook rules organized into 9–10 groups, the framework tracked software versions and spread laterally while avoiding some security products, indicating a methodical, long-running operation.

🛡️Elastic Security Labs has detailed a previously undocumented Brazilian banking trojan named TCLBANKER, tracked as REF3076, which targets 59 banks, fintechs and cryptocurrency platforms. The campaign appears to be a major evolution of the Maverick family and bundles a robust loader, a full-featured trojan, and a worm that propagates via WhatsApp Web and Outlook. The loader abuses a signed Logitech installer and uses DLL side-loading, anti-analysis checks, and environment-gated payload decryption to evade detection.

🔍 Traditional SIEM logic — fixed rules that match event A followed by event B — is increasingly insufficient against modern, sophisticated threats that use legitimate tools and supply-chain vectors. Kaspersky describes a shift to continuously updated correlation content informed by its MDR service and threat research. In 2025 the team delivered dozens of updates and hundreds of new or refined rules, and now maintains over 850 rules mapped to MITRE ATT&CK. Integration with Kaspersky EDR and expanded telemetry helps detect multi-stage attack chains and reduce false positives.

🔍 A joint investigation uncovered a covert faculty at Bauman Moscow State Technical University, known as Department 4, that appears to funnel students into GRU-linked hacking units. Leaked documents show the GRU controls admissions, curricula, and graduate postings, teaching malware development, penetration testing, and physical surveillance. The report highlights a state-run pipeline producing highly trained cyber operators.

🔐 At the World Economic Forum Annual Meeting on Cybersecurity 2026, Fortinet highlighted how AI and deepfakes are reshaping attack surfaces, with identity now a primary vector and attackers operating in structured, continuous campaigns. Discussions stressed that AI accelerates reconnaissance and exploitation while defenders contend with fragmentation, governance gaps, and inconsistent visibility. Fortinet urged platform consolidation, stronger identity and exposure management, and operationalized public-private collaboration to better align detection with response.

🔒 Palo Alto Networks introduces Frontier AI Defense, a platform initiative designed to counter next-generation, agentic AI threats that can autonomously discover and chain software flaws. Their testing of frontier models (including GPT-5.5-Cyber, Mythos, and Claude Opus 4.7) revealed a step-change in coding capability and attack automation. The program combines Unit 42 expertise, early model access, platform integration, and partner alliances to enable prioritized mitigation and autonomous remediation at machine speed.

📞 Cisco Talos analyzed phone numbers extracted from scam emails and found that API-driven VoIP provisioning enables large-scale, low-cost operations that are difficult to trace. Attackers rotate through sequential DID blocks, use cool-down windows, and frequently recycle numbers across multiple lures and attachment types. In a Feb 26–Mar 31, 2026 dataset of 1,652 numbers, the median lifespan was ~14 days; Sinch was the most abused provider. Talos recommends using phone numbers as anchors for cross-channel threat mapping.

🔒 CrowdStrike was named a Leader in the inaugural 2026 Gartner Magic Quadrant for Cyberthreat Intelligence Technologies and ranked furthest to the right for Completeness of Vision. The company emphasizes its AI-native Falcon platform and Threat AI agents — including Malware Analysis and Hunt agents — to deliver tailored, actionable intelligence at decision points. It highlights telemetry from trillions of daily events and multiple integration paths to operationalize intelligence.

🔒 CISA and the U.K. NCSC analyzed a sample of the FIRESTARTER Linux ELF backdoor affecting Cisco Firepower and Secure Firewall devices running ASA/FTD. The agency assesses the malware provides persistent remote access, installs a hook into LINA to execute arbitrary shellcode, and can survive firmware updates and reboots. CISA provides YARA rules for detection and directs U.S. FCEB agencies to collect and submit core dumps per V1: ED 25-03, and to await further guidance.

🔐 Symantec researchers describe a new Linux variant of the GoGra backdoor that abuses Microsoft Graph API and Outlook mailboxes for stealthy command-and-control. The malware uses hardcoded Azure AD credentials to obtain OAuth2 tokens and polls a mailbox folder named "Zomato Pizza" for base64-encoded, AES-CBC-encrypted commands. A Go-based dropper hides an i386 ELF payload as a PDF and establishes persistence via systemd and an XDG autostart entry mimicking the Conky monitor. Processed commands are encrypted and returned by reply email with the subject "Output," and the original command email is removed to limit forensic visibility.

🔴 Kaspersky researchers analyzed a previously undocumented data-wiping malware, dubbed Lotus, uploaded from a Venezuelan host in mid-December and used in targeted attacks against energy and utility organizations in Venezuela. Before detonation the attacker runs two batch scripts that weaken defenses, change account passwords, log off users, disable network interfaces and run destructive tools like diskpart, robocopy and fsutil to overwrite and fill drives. The Lotus binary then performs low-level IOCTL operations, clears USN journals, deletes restore points and overwrites physical sectors to render systems unrecoverable. Administrators are advised to monitor these precursor activities and maintain offline, validated backups.

⚠️ Anthropic's reported Claude Mythos marks a shift: AI is compressing attack timelines by accelerating vulnerability discovery, exploit development, and multi-step attack planning. Attackers can now run malware, phishing, and vulnerability exploitation in parallel, reducing time to compromise and widening exposure. This trend demands prevention-first controls and real-time detection to identify and remediate gaps earlier, limiting impact.

🔍 This podcast episode examines the 2025 Talos Year in Review, highlighting a sharp increase in internal phishing that evades traditional perimeter defenses. Hosts Amy Ciminnisi and Martin Lee explain how Microsoft 365's Direct Send feature has been broadly weaponized to deliver trusted-looking internal mail. They also unpack blended state-sponsored campaigns from China and North Korea that pair zero-day exploitation with advanced social engineering.

🔐 Talos demonstrates how adversaries can repurpose legitimate macOS features to achieve remote execution and lateral movement across enterprise fleets. By weaponizing Remote Application Scripting (RAE) and abusing Spotlight Finder comments as a staging area, attackers can bypass static file analysis and traditional SSH-focused telemetry. The research validates multiple native transfer channels—including SMB, netcat, Git, TFTP, and SNMP—and urges defenders to emphasize process lineage, IPC anomalies, and strict MDM controls.

🔍 US authorities issued an April 7 advisory warning that Iranian-affiliated APTs could be conducting infrastructural cyberattacks, citing links to 2023 water and wastewater incidents attributed to CyberAv3ngers. The article examines two prominent groups — Handala Hack Team and CyberAv3ngers — and argues they function as proxy or false-flag operations likely tied to Iran’s Ministry of Intelligence. It describes a broader pattern of gray warfare, where state actors obscure involvement to retain plausible deniability while exerting persistent pressure on adversaries.