CISO Brief
All news with #threat research tag

56 articles

Underground Guide: How Threat Actors Vet Stolen Cards

🔍 Flare analysts recovered a forum document, The Underground Guide to Legit CC Shops, that explains how fraud actors vet stolen credit card marketplaces. The guide shifts emphasis from opportunistic card use to disciplined supplier evaluation, offering a technical checklist (domain age, WHOIS, SSL), social‑intel techniques, and strict OPSEC recommendations. It also highlights how shops emulate legitimate e‑commerce (pricing, ticketing, escrow) and warns of commercial bias in endorsed services.

Securing the AI Era: Google Public Sector Strategy

🔒 Google outlines an AI-focused security strategy for public sector organizations, emphasizing agentic SOCs powered by Gemini agents and Mandiant frontline expertise. The post summarizes 2026 threat trends — compressed attack cycles, prolonged nation-state access, rising voice phishing, and emerging shadow agents — and stresses integrated visibility across code, cloud, and runtime via Security Command Center. It highlights operational gains such as Connecticut reducing investigations from months to hours and previews demonstrations at Google Cloud Next.

AI Inflection Point: Strategic Imperatives for CISOs

🤖 AI has moved from experimentation into production in security operations, creating a strategic operating-model choice for CISOs: layer AI onto existing workflows or rebuild processes around it. Defenders briefly hold a Cyber AI Parity Window, but advantage favors teams that adopt multi-agent architectures, embed deep contextual integration and measure outcomes in production. Leaders must demand transparency, reliability and workflow redesign to elevate analysts into oversight and strategy roles.

Qilin Ransomware Surge in Japan 2025: Detection Insights

🔍 In 2025 Japan reported 134 ransomware incidents—a 17.5% increase from 2024—with Qilin responsible for 22 cases (16.4%). Talos highlights Qilin’s growing automation, credential‑based access, and use of an EDR‑killer that targets 300+ drivers and employs locale-based geo‑fencing. The blog focuses on detecting activity during the pre‑ransomware phase (average six days to execution) and shares Sigma/YARA rules plus correlation guidance to reduce false positives.

Transparent COM Instrumentation for Malware Analysis

🔍 Cisco Talos introduces DispatchLogger, an open-source DLL that transparently instruments late-bound COM (IDispatch) interactions to enhance malware analysis visibility. The tool hooks COM instantiation APIs and returns proxy objects that forward calls while logging method names, parameters, return values, and object relationships. It supports recursive wrapping, enumerator proxies, and moniker handling to reveal high-level automation events often missed by low-level API tracing. Deployment requires injecting the DLL into target processes and preserves COM lifetime and threading semantics.

Threat Actor Used Elastic Cloud SIEM to Store Stolen Data

🔒 Researchers uncovered a campaign in which a threat actor exploited multiple enterprise software flaws to harvest system data and deposit it into a free-trial Elastic Cloud SIEM instance. The attacker used an encoded PowerShell payload to collect OS, hardware, Active Directory and patch details, sending records into an Elasticsearch index named systeminfo. Telemetry showed the trial was registered via a disposable email and accessed repeatedly through Kibana as the operator triaged victims. Huntress coordinated with Elastic and law enforcement to notify affected organisations and take the instance offline.

Weekly Cybersecurity Recap: Exploits, Takedowns, Trends

🛡️ This week's roundup highlights major offensive operations, critical vulnerabilities, and notable law enforcement wins. Security firms and authorities dismantled the infrastructure behind Tycoon2FA and disrupted LeakBase, striking at large-scale AitM phishing and underground data markets. At the same time, researchers disclosed high-impact flaws — from a Qualcomm chipset exploit to the powerful Coruna iOS kit — underscoring persistent risk and the need for rapid patching. Prioritize the listed CVEs and accelerate triage and remediation.

SMBs, threat research and MDR: building a defensive edge

🔍 ESET’s threat research team combines telemetry, incident investigation and curated intelligence to help SMBs understand attacker methods and improve detections. Through MDR the company layers human-led hunting and rapid, tailored responses on top of endpoint protection, giving organizations clearer visibility and faster containment. This practical blend of technology and expertise makes advanced defence accessible without the cost of an in-house SOC.

Local KTAE On-Prem Deployment and IDA Pro Plugin Integration

🔒 Kaspersky outlines the on-premise Kaspersky Threat Attribution Engine (KTAE) and a free IDA Pro plugin that embeds attribution into the reverse-engineering workflow. The local KTAE keeps all analysis inside the customer perimeter, supports adding proprietary threat groups, and enriches attribution with internal research. The Python-based plugin requires IDA Pro (not IDA Free), a local KTAE URL and an API token, then highlights code fragments that triggered the attribution.

Internal and External Threat Intelligence for Security

🔍 Threat intelligence isn't the problem—it's the type and context. Security teams need both internal intelligence (signals and telemetry from inside their environment) and external intelligence (attacker activity, campaigns, and indicators) because each alone gives an incomplete picture. Many organizations ingest multiple generic, fragmented, and delayed feeds that confuse rather than clarify risk, causing critical decisions to be based on underrefined data. Integrating and enriching feeds with internal telemetry turns raw alerts into prioritized, actionable insights.

Top Cybersecurity Documentaries for Security Leaders

🎬 This curated list highlights notable documentaries that explore hacker culture, cybercrime, surveillance, and the internet's infrastructure from the mid‑1980s to the mid‑2020s. It features landmark films such as Citizenfour, Zero Days, and profiles of figures including Steve Wozniak, Marcus Hutchins, and Ross Ulbricht. Several entries are freely available, and the compilation is recommended for security leaders seeking historical context and practical insights for training and strategy.

Smashing Security #454: AI panic, Moltbook, and risks

🤖 In episode 454 of the Smashing Security podcast Graham Cluley and guest Iain Thomson examine the Moltbook saga — an AI-only social network that sparked doomsday talk but largely reflected humans role-playing as bots. They also warn that “vibe coding” can be a dangerous design choice when security researchers can easily peek into private messages, API keys and databases. The show touches on pro-Russian hacker activity around the Winter Olympics and cites reporting from Forbes, Wired, Reuters, The Record and the BBC.

AI-Enabled Cybercrime Tabletop: From Theory to Pressure

🔐 Fortinet and UC Berkeley's CLTC led the third AI-enabled cybercrime tabletop, Operation Black Ice, to test governance and executive decision-making under compressed timelines. The exercise showed AI accelerates impersonation and extortion, turning trust dependencies into primary attack surfaces. Key lessons: identity verification must be multi-channel, third-party disclosures must be predefined, and ransom choices require rehearsed coordination rather than improvisation.

Phishing Happens to Everyone, Including Experts Today

🔒 A convincing, routine text claiming an unpaid toll demonstrates how even cautious people can fall for phishing. A well-known security expert admitted to repeatedly failing internal simulations, showing that distraction, emotional context, and timing defeat training. Flare's analysis of 8,627 underground conversations describes a mature phishing economy — PhaaS platforms, AI tools like PhishGPT, turnkey kits, and resilient infrastructure. The practical lesson: build habits, add friction, and pause before you click.

VoidLink: AI-Assisted Linux Malware Framework Revealed

🛡️ Check Point Research and Sysdig examined a sophisticated Linux malware framework called VoidLink and concluded a single developer used an AI coding agent to accelerate development. The Zig-based project grew to over 88,000 lines by December 2025 and exhibits systematic artifacts — consistent debug formatting, placeholder data like "John Doe", uniform _v3 API patterns, and exhaustive JSON templates — that suggest heavy LLM involvement. No real-world infections have been observed, but researchers warn this case demonstrates how AI can rapidly lower the barrier to creating advanced offensive tooling.

VoidLink cloud malware shows clear signs of AI generation

🧠 Check Point Research reports that the VoidLink Linux cloud malware framework displays clear evidence of being developed predominantly with AI assistance. The actor used an AI-centric IDE, TRAE, and its assistant TRAE SOLO to produce specification documents, sprint plans, and large portions of source code, which reached a working state within days. Exposed development artifacts — including TRAE helper files and an open directory of source and docs — allowed researchers to match generated specs to the recovered code and reproduce the development workflow, leading Check Point to conclude this is a notable example of AI-driven malware development.

VoidLink Signals a New Era in AI-Generated Malware

🤖 Check Point Research's analysis of VoidLink describes one of the first advanced malware families largely generated using artificial intelligence. Unlike earlier AI-assisted samples, which were often low-quality or derivative, VoidLink exhibits clear sophistication, modularity, and rapid evolution. AI appears to have enabled a single actor to plan, build, and iterate a complex malware framework in days rather than months, compressing development cycles and increasing operational tempo. Security teams must adapt detection, attribution, and incident response to meet this emerging threat class.

Mandiant Publishes Tool to Expose NTLMv1 Insecurity

🔓 Mandiant released a pre-computed Net-NTLMv1 rainbow table so anyone can map challenge-response data back to real NT hashes, a move intended to force organizations to abandon the insecure NTLMv1 protocol. The dataset, hosted via the Google Cloud Research Dataset portal, can recover keys in about 12 hours using roughly $600 of hardware. Mandiant says the goal is to demonstrate immediate risk and prompt remediation rather than to create new vulnerabilities.

GootLoader Employs Malformed ZIPs to Bypass Detection

🛡️ Expel researchers report that the JavaScript loader GootLoader is using deliberately malformed ZIP archives — concatenating 500–1,000 archives and truncating the EOCD — to evade analysis while remaining extractable by the default Windows unarchiver. The technique, described as hashbusting, ensures each archive is unique and frustrates automated tooling like WinRAR or 7-Zip. Distribution relies on SEO poisoning and malvertising, and the payload executes via wscript.exe, establishing persistence and launching PowerShell activity. Recommended mitigations include blocking wscript.exe/cscript.exe for downloaded content and configuring Group Policy to open .js in Notepad by default.

TamperedChef malvertising drops trojanised PDFs globally

🔒 Sophos researchers warn that the TamperedChef malvertising campaign is delivering trojanised PDF manuals and fake downloads to organisations worldwide. Attackers use malicious adverts and promoted search results to trick users searching for technical manuals into installing an infostealer that harvests browser-stored credentials and contacts a C2 server. A second-stage payload, ManualFinderApp.exe, is a trojanised application that acts as both an infostealer and a persistent backdoor. The campaign employs delayed activation, staged payload delivery and code-signing abuse to evade detection; organisations should avoid clicking advert links and obtain software only from official vendor sites.