Global Threats

QR Codes Are the New Security Blindspots That Steal Your Card Details and Deliver Malware

Published on July 9, 2026

Severity Medium Detail Cybersecurity researchers have warned of a significant rise in quishing (QR phishing) attacks, where cybercriminals abuse QR codes to bypass traditional security controls and trick users into revealing sensitive information or installing malware. As QR codes become increasingly common for payments, authentication, restaurant menus, parking meters, and corporate communications, attackers are exploiting […]

Learn more »

HalluSquatting Attack Abuses AI Coding Assistants to Retrieve Malicious Repositories

Published on July 8, 2026

Severity Medium Detail Researchers have identified a new attack technique known as HalluSquatting, which exploits AI coding assistants by exploiting their tendency to generate incorrect repository or package names. By taking advantage of this behavior, attackers can trick AI assistants into retrieving malicious software instead of legitimate resources. AI coding assistants occasionally generate repository or […]

Learn more »

SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

Published on July 8, 2026

Severity Medium Detail Researchers have uncovered a banking fraud campaign, tracked as REF6045, that targets customers of Mexican banks, fintech companies, payment processors, and cryptocurrency exchanges using ClickFix social engineering techniques. The campaign delivers a PowerShell-based toolkit called SCMBANKER, which enables attackers to monitor banking sessions, steal financial information, manipulate transactions, and remotely control compromised […]

Learn more »

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

Published on July 7, 2026

Severity Medium Detail Researchers have identified RedWing, a new Android banking malware offered as a Malware-as-a-Service (MaaS) through Telegram. Believed to be a variant of the Oblivion malware family, RedWing enables even low-skilled threat actors to steal banking credentials, intercept one-time passcodes (OTPs), and remotely control infected Android devices. The malware is marketed as a […]

Learn more »

Microsoft Warns Windows 11 Enterprise Devices May Boot to Black Screen After Updates

Published on July 6, 2026

Severity Medium Detail Microsoft has warned of a known issue affecting enterprise deployments of Windows 11 that may cause devices to boot to a black screen or experience Windows shell failures after installing recent cumulative updates. The issue is documented under KB5072911 and affects Windows 11 versions 24H2 and 25H2 in specific enterprise and virtualized […]

Learn more »

New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS

Published on July 6, 2026

Severity Medium Detail Researchers have identified QuimaRAT, a new cross-platform Java-based remote access trojan (RAT) offered through a Malware-as-a-Service (MaaS) model. The malware targets Windows, Linux, and macOS systems and provides attackers with a modular framework for remote access, credential theft, persistence, and plugin-based capability expansion. Its multi-platform design, flexible deployment options, and support for […]

Learn more »

Hackers Abuse EdgeUpdate and GoogleUpdater to Deploy TimbreStealer Infostealer

Published on July 5, 2026

Severity Medium Detail Security researchers have identified a targeted phishing campaign distributing the TimbreStealer infostealer by abusing legitimate Microsoft Edge and Google updater binaries through DLL side-loading. The campaign primarily targets organizations in Mexico, using phishing emails with invoicing-themed filenames such as CONTENIDO, COMPROBANTES, and CFDI to increase credibility. Researchers observed advanced anti-analysis techniques, including […]

Learn more »

Cisco Finally Confirms Attackers Exploiting Unified CM Flaw

Published on July 4, 2026

Severity High Detail Cisco has confirmed that threat actors are actively exploiting a vulnerability in Cisco Unified Communications Manager (Unified CM), tracked as CVE-2026-20230, following the release of security patches in early June 2026. The issue affects Cisco Unified CM, the centralized call control platform used to manage Cisco IP telephony systems, making organizations that […]

Learn more »

SharkLoader Malware Uses Perfect DLL Hijacking to Execute Cobalt Strike in Memory

Published on July 3, 2026

Severity Medium Detail Researchers have identified a malware campaign involving SharkLoader, a custom loader used by an intrusion cluster tracked as StrikeShark to deploy Cobalt Strike Beacon entirely in memory. The campaign targets exposed internet-facing systems and employs multiple stealth techniques to minimize forensic evidence while maintaining long-term access to compromised environments. How? The attack […]

Learn more »

ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API

Published on July 3, 2026

Severity Medium Detail Researchers have identified a new malware called Umbrij, used by the advanced persistent threat (APT) group ToddyCat to compromise corporate Gmail accounts through Google’s OAuth API. Rather than stealing passwords directly, the malware abuses an active Gmail session to obtain OAuth authorization tokens, allowing attackers to access email and other Google Workspace […]

Learn more »

Hackers Abuse ScreenConnect Remote Access Tool to Deploy AsyncRAT Through Fake Installers

Published on July 2, 2026

Severity Medium Detail A widespread malware campaign has been observed abusing the legitimate remote access tool ScreenConnect to deploy AsyncRAT through fake software installers disguised as popular freeware applications. The attack chain combines trusted signed binaries, DLL sideloading, reflective loading, and process hollowing to establish stealthy persistence and remote access capabilities on infected systems. The […]

Learn more »

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

Published on July 2, 2026

Severity Medium Detail Researchers have linked the recently uncovered FortiBleed campaign to the INC and Lynx ransomware operations, confirming that the large-scale theft of FortiGate credentials is being used to facilitate ransomware attacks. According to SOCRadar, the campaign has already resulted in multiple ransomware deployments after attackers gained administrative access to exposed Fortinet devices. The […]

Learn more »

Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts

Published on July 1, 2026

Severity Medium Detail Cybersecurity researchers have uncovered a large-scale automated password spraying campaign targeting Microsoft’s Azure Command-Line Interface (CLI). According to Huntress, the attackers made more than 81 million login attempts between June 12 and June 26, 2026, successfully compromising 78 Microsoft accounts across 64 organizations. The campaign is particularly concerning because it abused a […]

Learn more »

SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT

Published on July 1, 2026

Severity Medium Detail Cybersecurity researchers have uncovered a large-scale malware campaign that abuses the legitimate ScreenConnect remote access tool to deploy AsyncRAT on Windows systems. The campaign relies on spoofed software download websites and search engine optimization (SEO) techniques to trick users into downloading trojanized installers disguised as popular applications such as OBS Studio, DNS […]

Learn more »

Nissan Confirms Data Breach Following Oracle PeopleSoft 0-Day Attacks

Published on June 30, 2026

Severity High Detail Nissan Americas has confirmed a data breach affecting current and former employees after threat actors exploited a critical zero-day vulnerability in Oracle PeopleSoft software. The campaign has been attributed to the ShinyHunters (UNC6240/Bling Libra) cybercrime group, which targeted vulnerable Oracle PeopleSoft PeopleTools 8.61 and 8.62 instances using CVE-2026-35273, a critical Server-Side Request […]

Learn more »

Millenium RAT Rewritten in C++ Infects 62,000+ Devices Across 160 Countries

Published on June 29, 2026

Severity High  Detail Security researchers have identified a large-scale malware campaign involving Millenium RAT, that has infected more than 62,000 devices across over 160 countries. More than 39,000 infections occurred during the first quarter of 2026, indicating that the campaign is rapidly expanding. Initially identified by CYFIRMA in 2023, the malware has evolved into version […]

Learn more »

Win32k Callback Detouring Abuses Kernel-to-User Dispatch for Remote Code Execution

Published on June 29, 2026

Severity Medium Detail Security researchers have demonstrated a novel process injection technique known as Win32k Callback Detouring, which abuses the Windows graphical subsystem to achieve highly stealthy remote code execution. The technique exploits the kernel-to-user callback dispatch mechanism managed by win32k[.]sys, allowing attackers to execute arbitrary code within a remote process without relying on commonly […]

Learn more »

Cloud Bucket Hijacking Lets Attackers Silently Exfiltrate AWS, Google Cloud Data

Published on June 28, 2026

Severity Medium  Detail Security researchers have identified a critical cloud storage attack technique known as cloud bucket hijacking, which affects all major cloud service providers, including Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure. The attack exploits a fundamental architectural design in cloud storage services where bucket names must be globally unique. […]

Learn more »

Bluekit phishing kit adopts browser-in-the-middle for login theft

Published on June 26, 2026

Severity Medium  Detail Security researchers have identified a phishing-as-a-service kit known as BlueKit, which uses a “browser-in-the-middle” (BITM) technique to steal user credentials and session data in real time. Unlike traditional phishing pages that simply collect usernames and passwords, BlueKit acts as a live intermediary between the victim and the legitimate login page. This allows […]

Learn more »

New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns

Published on June 25, 2026

SeverityMedium Detail Researchers from Symantec and Carbon Black’s Threat Hunter Team have identified a new stealthy backdoor called Mistic, also tracked as MLTBackdoor, that has been deployed in suspected financially motivated attacks targeting organizations in the insurance, education, information technology, and professional services sectors since April 2026. The malware is linked to an initial access […]

Learn more »

Fake Domain Renewal Emails Used to Harvest Personal and Payment Information

Published on June 25, 2026

SeverityMedium Detail Researchers have identified a phishing scam targeting website owners through fraudulent domain renewal notifications. The campaign uses emails claiming that a recipient’s domain name is about to expire and warns that failure to renew could result in website and email service disruption. The emails direct recipients to a website branded as Renovarix, which […]

Learn more »

Bajaj Auto Discloses Ransomware Cyberattack Impacting Company and Technology Unit

Published on June 24, 2026

SeverityMedium  Detail Indian automotive manufacturer Bajaj Auto has disclosed a ransomware incident affecting both its core corporate IT systems and its wholly owned subsidiary, Bajaj Auto Technology Ltd (BATL). The company confirmed that the attack was detected around 8:00 AM IST on June 23, 2026, and was formally reported through a regulatory filing on June […]

Learn more »

Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents

Published on June 24, 2026

SeverityMedium  Detail Security researchers at AIR demonstrated a supply chain risk affecting AI agent ecosystems by creating a fake AI agent skill named brand-landingpage that successfully passed multiple security scanning tools and was distributed through a popular skill marketplace. According to AIR, the skill reportedly reached approximately 26,000 AI agents, including some associated with corporate […]

Learn more »

Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT

Published on June 23, 2026

SeverityMedium  Detail Security researchers at JFrog have identified three malicious npm packages masquerading as legitimate PostCSS-related tools that are designed to deploy a Windows-based Remote Access Trojan (RAT). The malicious packages, published by an npm user named “abdrizak,” include aes-decode-runner-pro, postcss-minify-selector, and postcss-minify-selector-parser. The packages impersonate commonly used development dependencies and exploit trust in the […]

Learn more »

FortiBleed Campaign Uses FortigateSniffer to Harvest Credentials From Fortinet Firewalls

Published on June 23, 2026

SeverityMedium Detail A large-scale credential harvesting campaign known as “FortiBleed” has been identified targeting Fortinet FortiGate firewalls, where threat actors are abusing exposed or weakly secured devices to capture authentication data at massive scale. Research from the SOCRadar Threat Research Unit (STRU) indicates that the operation has resulted in the compromise of over 110 million […]

Learn more »

New Prinz Eugen ransomware prioritizes recent files for encryption

Published on June 22, 2026

SeverityMedium  Detail A new ransomware operation named Prinz Eugen has been observed using a highly targeted encryption strategy that prioritizes recently modified files, increasing operational disruption for victims. According to Malwarebytes’ ThreatDown researchers, the group uses hands-on-keyboard intrusion techniques rather than automated ransomware-as-a-service models, and relies heavily on legitimate remote monitoring and management (RMM) tools […]

Learn more »

Klue integration breach leads to Salesforce CRM data theft via OAuth token abuse

Published on June 22, 2026

SeverityMedium  Detail A security incident originating from the market intelligence platform Klue led to unauthorized access and theft of customer CRM data from multiple organizations, including cybersecurity vendor Huntress. The breach began when attackers accessed Klue’s backend using a long-dormant API credential tied to an abandoned integration. They deployed malicious code to steal OAuth tokens […]

Learn more »

AryStinger botnet infected thousands of D-Link routers worldwide

Published on June 21, 2026

SeverityMedium  Detail AryStinger is a newly identified malware botnet that has infected more than 4,000 outdated routers worldwide, mainly targeting D-Link DIR-850L and DIR-818LW devices. The malware turns infected routers into remotely controlled systems that attackers can use for malicious activities such as scanning, proxying, tunneling, command execution, and network reconnaissance. Most infections were reported […]

Learn more »

The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes

Published on June 20, 2026

SeverityMedium  Detail The Gentlemen ransomware-as-a-service group has been observed using a dedicated EDR-killing framework known as GentleKiller to disable endpoint security tools before deploying ransomware. The framework targets more than 400 security-related processes from 48 different security products, including antivirus, EDR, monitoring, and endpoint protection solutions. The group provides these tools to its affiliates, making […]

Learn more »

Unpatchable ‘usbliter8’ Exploit Breaks Apple A12 and A13 SecureROM Boot Chain

Published on June 20, 2026

SeverityMedium  Detail Security researchers have released a working exploit called usbliter8 that can break the SecureROM boot chain on Apple devices using A12 and A13 chips. The affected hardware includes devices such as iPhone XS, iPhone XR, iPhone 11 series, iPhone SE 2nd generation, selected iPads, Apple Watch Series 4 and 5, Apple Watch SE […]

Learn more »

June 2026 Windows updates break Recycle Bin prompts

Published on June 19, 2026

SeverityMedium  Detail Microsoft has confirmed a Windows bug where the Recycle Bin confirmation prompt shows an internal system filename instead of the original file name when users permanently delete a single item. The issue may confuse users because the file name shown in the delete confirmation does not match the actual file name displayed in […]

Learn more »

Critical Chrome Extension Vulnerabilities Let Attackers Easily Compromise Browsers

Published on June 19, 2026

Severity Medium  Detail Security researchers have identified two critical vulnerabilities, dubbed MaXSS and Spyder, affecting the AI-powered browser extensions MaxAI and SiderAI. Together, these extensions have been installed more than 10 million times across Google Chrome and other Chromium-based browsers. Both extensions belong to a growing class of AI-powered browser tools that provide features such […]

Learn more »

FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices

Published on June 18, 2026

SeverityMedium  Detail The dataset reportedly affects 21,632 unique domains, including organizations in telecom, IT services, finance, government, healthcare, education, manufacturing, and critical infrastructure. Researchers said some affected organizations include major global companies, and Malaysia is listed among the countries with a high number of affected devices. Kevin Beaumont independently reviewed parts of the dataset and […]

Learn more »

Attackers Exploiting Cloud Logging Platforms for Defense Evasion and Persistent Visibility

Published on June 17, 2026

SeverityMedium  Detail Researchers from Unit 42 have identified increasing abuse of cloud logging platforms by threat actors seeking to evade detection and maintain visibility within compromised cloud environments. Services such as AWS CloudTrail and Google Cloud Logging, which are intended to provide comprehensive audit records of cloud activity, are being targeted to disrupt monitoring, manipulate […]

Learn more »

SprySOCKS Windows Backdoor Uses Kernel Driver to Hide Processes, Files, and Network Traffic

Published on June 17, 2026

Severity Medium  Detail Security researchers from ESET have identified two previously undocumented Windows variants of the SprySOCKS backdoor, a malware family historically associated with the FishMonger threat group (also known as Earth Lusca or TAG-22). Previously limited to Linux environments, SprySOCKS has now expanded into Windows systems while preserving its original command-and-control (C2) architecture and […]

Learn more »

Hackers Abuse Microsoft OAuth Device Code Flow to Take Over Microsoft 365 Accounts

Published on June 16, 2026

SeverityMedium Detail Researchers have identified an active phishing campaign that abuses Microsoft’s legitimate OAuth 2.0 Device Authorization Grant (device code) flow to compromise Microsoft 365 accounts. Unlike traditional phishing attacks that attempt to steal usernames and passwords through fake login pages, this technique tricks users into completing a genuine Microsoft authentication process that authorizes an […]

Learn more »

ScarCruft (APT37) Uses Fake Microsoft Alerts to Deploy NarwhalRAT Malware

Published on June 16, 2026

SeverityMedium How? The attack begins with a spear-phishing email that impersonates a Microsoft Account security alert and warns the recipient of suspicious activity and potential OTP abuse. The message is crafted to induce concern over account compromise and encourages the victim to take immediate action, such as changing their password or reviewing an attached advisory. […]

Learn more »

Prompt Injection Attack Turns Microsoft 365 Copilot Into One-Click Data Theft Vector

Published on June 15, 2026

SeverityMedium Detail Security researchers have identified a new attack technique targeting Microsoft 365 Copilot, where adversaries are able to manipulate the AI assistant into exposing sensitive data through prompt injection methods. The attack demonstrates how Copilot can be abused to extract information from connected Microsoft 365 environments without requiring traditional exploitation of software vulnerabilities. The […]

Learn more »

Chinese-Linked UNC6508 Exploits REDCap Servers and Google Workspace Rules to Steal Sensitive Research Emails

Published on June 15, 2026

SeverityMedium Detail Google’s Threat Intelligence Group (GTIG) has disclosed a cyber espionage campaign attributed with high confidence to a China-linked threat cluster tracked as UNC6508. The threat actor maintained access to North American medical, academic, and military research networks for more than a year, targeting organizations across the United States and Canada. The campaign affected […]

Learn more »

Malicious 152 Chrome Extensions Caught Spoofing Google Organic Search Traffic

Published on June 14, 2026

Severity Medium Detail Researchers have uncovered a large-scale malicious browser extension campaign involving 152 Google Chrome extensions designed to generate fraudulent Google organic search traffic while collecting user-related data. The operation, identified by Socket’s Threat Research Team, spanned 38 separate Chrome Web Store publisher accounts and was linked to three primary backend brands: tabplugins[.]com, yowgames[.]com, […]

Learn more »

Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications

Published on June 13, 2026

Severity Medium Detail Researchers have identified OnyxC2, a new Malware-as-a-Service (MaaS) credential-stealing platform being marketed on cybercrime forums for as little as $250 per month. The malware is designed to steal credentials, session cookies, password manager data, cryptocurrency wallet information, and two-factor authentication (2FA) tokens from a wide range of applications. According to analysis by […]

Learn more »

APT28 Weaponizes Outlook Zero-Click Flaw to Steal Net-NTLMv2 Hashes From NATO Targets

Published on June 12, 2026

Severity High Detail Threat intelligence researchers have reported ongoing cyber espionage activity by APT28, a Russian state-sponsored threat actor also known as Fancy Bear and Forest Blizzard. The group has been observed exploiting a Microsoft Outlook zero-click vulnerability to steal authentication credentials from organizations associated with NATO, defense sectors, and critical infrastructure. The campaign leverages […]

Learn more »

Hackers Abuse AWS CloudTrail and Google Cloud Logging to Evade Detection and Exfiltrate Logs

Published on June 11, 2026

SeverityHigh Detail Security researchers have identified attack techniques that target cloud logging services in Amazon Web Services (AWS) and Google Cloud Platform (GCP). The activity focuses on AWS CloudTrail and Google Cloud Logging, which are commonly used by organizations to record user actions, system changes, and access to cloud resources. Compromised administrative access allows threat […]

Learn more »

New Windows Defender 0-Day Exploit “RoguePlanet” Grants SYSTEM Access to Attackers

Published on June 10, 2026

Severity High Detail Security researchers have identified a new Windows Defender local privilege escalation (LPE) exploit known as RoguePlanet, publicly released by a researcher operating under the aliases Nightmare Eclipse, Chaotic Eclipse, and Dead Eclipse. The exploit targets a previously undisclosed race condition vulnerability within Microsoft Defender and can allow an unprivileged local user to […]

Learn more »

Hackers Deploy MLTBackdoor Malware via Multi-Stage ClickFix Infection Chain

Published on June 10, 2026

Severity High Detail Security researchers have identified a new malware threat known as MLTBackdoor, a sophisticated backdoor malware first observed in May 2026. The malware is designed to establish persistent access to compromised systems while employing advanced evasion and anti-analysis techniques to avoid detection. Researchers from Zscaler ThreatLabz assessed that the malware is likely associated […]

Learn more »

New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing

Published on June 9, 2026

Severity Medium Detail Researchers from Graz University of Technology have identified a new browser-based side-channel attack called FROST(Fingerprinting Remote Operating System Timing) that allows a malicious website to determine which websites a user visits and which applications they open by monitoring SSD access timing. The attack abuses the Origin Private File System (OPFS), a browser […]

Learn more »

New Browser-in-the-Browser Phishing Attack Targets Microsoft 365 Login Credentials

Published on June 9, 2026

Severity High Detail Security researchers have identified a sophisticated phishing campaign targeting Microsoft 365 users through a Browser-in-the-Browser (BitB) attack technique. The campaign leverages highly realistic fake browser overlays to impersonate legitimate Microsoft Single Sign-On (SSO) authentication prompts and steal user credentials. Browser-in-the-Browser attacks create deceptive browser windows within a webpage, enabling attackers to replicate […]

Learn more »

Internet Explorer WebBrowser Control Attack Chain Turns Clicks Into RCE

Published on June 8, 2026

Severity High Detail Researchers from Positive Technologies (PT Security) have identified an attack chain that abuses the legacy Internet Explorer (IE) WebBrowser control to achieve RCE on Windows systems. Although Internet Explorer has been officially retired, its mshtml rendering engine and WebBrowser control remain embedded in numerous legacy desktop applications, particularly older VB, .NET, and […]

Learn more »

New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration

Published on June 7, 2026

Severity Medium Detail OpenAI has begun rolling out Lockdown Mode for eligible ChatGPT personal and business accounts to help reduce the risk of data exfiltration through prompt injection attacks. The optional security feature is designed for users and organizations that handle sensitive information and require stronger safeguards against unintended data exposure. Lockdown Mode is available […]

Learn more »

New Gafgyt Variant Targets Linux Systems With Modular Spread Tactics

Published on June 7, 2026

Severity Medium Detail A new variant of the Gafgyt botnet, tracked as C0XMO, has been observed targeting Linux-based devices through a modular architecture that separates scanning and propagation functions. This design enables greater flexibility and scalability compared to traditional Gafgyt variants while supporting infections across multiple processor architectures. How? The malware propagates by exploiting CVE-2021-27137, […]

Learn more »