Check Point is rolling out a new four-pillar cybersecurity strategy to give security teams an edge in the ongoing AI arms race with threat actors and is making three acquisitions that will play a critical role in getting it going.

The post Check Point Unveils a New Security Strategy for Enterprises in the AI Age appeared first on Security Boulevard.

As February 2026 progresses, this week’s The Cyber Express Weekly Roundup examines a series of cybersecurity incidents and enforcement actions spanning Europe, Africa, Australia, and the United States.   The developments include a breach affecting the European Commission’s mobile management infrastructure, a ransomware attack disrupting Senegal’s national identity systems, a landmark financial penalty imposed on an Australian investment firm, and the sentencing of a fugitive linked to a multimillion-dollar cryptocurrency scam.  From suspected exploitation of zero-day vulnerabilities to prolonged breach detection failures and cross-border financial crime, these cases highlights the operational, legal, and systemic dimensions of modern cyber risk.  

The Cyber Express Weekly Roundup 

European Commission Mobile Infrastructure Breach Raises Supply Chain Questions 

The European Commission reported a cyberattack on its mobile device management (MDM) system on January 30, potentially exposing staff names and mobile numbers, though no devices were compromised, and the breach was contained within nine hours. Read more... 

Ransomware Disrupts Senegal’s National Identity Systems 

In West Africa, a major cyberattack hit Senegal’s Directorate of File Automation (DAF), halting identity card production and disrupting national ID, passport, and electoral services. While authorities insist no personal data was compromised, the ransomware group. The full extent of the breach is still under investigation. Read more... 

Australian Court Imposes Landmark Cybersecurity Penalty 

In Australia, FIIG Securities was fined AU$2.5 million for failing to maintain adequate cybersecurity protections, leading to a 2023 ransomware breach that exposed 385GB of client data, including IDs, bank details, and tax numbers. The firm must also pay AU$500,000 in legal costs and implement an independent compliance program. Read more... 

Crypto Investment Scam Leader Sentenced in Absentia 

U.S. authorities sentenced Daren Li in absentia to 20 years for a $73 million cryptocurrency scam targeting American victims. Li remains a fugitive after fleeing in December 2025. The Cambodia-based scheme used “pig butchering” tactics to lure victims to fake crypto platforms, laundering nearly $60 million through U.S. shell companies. Eight co-conspirators have pleaded guilty. The case was led by the U.S. Secret Service. Read more... 

India Brings AI-Generated Content Under Formal Regulation 

India has regulated AI-generated content under notification G.S.R. 120(E), effective February 20, 2026, defining “synthetically generated information” (SGI) as AI-created content that appears real, including deepfakes and voiceovers. Platforms must label AI content, embed metadata, remove unlawful content quickly, and verify user declarations. Read More... 

Weekly Takeaway 

Taken together, this weekly roundup highlights the expanding attack surface created by digital transformation, the persistence of ransomware threats to national infrastructure, and the intensifying regulatory scrutiny facing financial institutions.  From zero-day exploitation and supply chain risks to enforcement actions and transnational crypto fraud, organizations are confronting an environment where operational resilience, compliance, and proactive monitoring are no longer optional; they are foundational to trust and continuity in the digital economy. 

In the fourth quarter of 2025, the Google Threat Intelligence Group (GTIG) reported a significant uptick in the misuse of artificial intelligence by threat actors. According to GTIG’s AI threat tracker, what initially appeared as experimental probing has evolved into systematic, repeatable exploitation of large language models (LLMs) to enhance reconnaissance, phishing, malware development, and post-compromise activity.  A notable trend identified by GTIG is the rise of model extraction attempts, or “distillation attacks.” In these operations, threat actors systematically query production models to replicate proprietary AI capabilities without directly compromising internal networks. Using legitimate API access, attackers can gather outputs sufficient to train secondary “student” models. While knowledge distillation is a valid machine learning method, unauthorized replication constitutes intellectual property theft and a direct threat to developers of proprietary AI.  Throughout 2025, GTIG observed sustained campaigns involving more than 100,000 prompts aimed at uncovering internal reasoning and chain-of-thought logic. Attackers attempted to coerce Gemini into revealing hidden decision-making processes. GTIG’s monitoring systems detected these patterns and mitigated exposure, protecting the internal logic of proprietary AI.  

AI Threat Tracker, a Force Multiplier 

Beyond intellectual property theft, GTIG’s AI threat tracker reports that state-backed and sophisticated actors are leveraging LLMs to accelerate reconnaissance and social engineering. Threat actors use AI to synthesize open-source intelligence (OSINT), profile high-value individuals, map organizational hierarchies, and identify decision-makers, dramatically reducing the manual effort required for research.  For instance, UNC6418 employed Gemini to gather account credentials and email addresses prior to launching phishing campaigns targeting Ukrainian and defense-sector entities. Temp.HEX, a China-linked actor, used AI to collect intelligence on individuals in Pakistan and analyze separatist groups. While immediate operational targeting was not always observed, Google mitigated these risks by disabling associated assets.  Phishing tactics have similarly evolved. Generative AI enables actors to produce highly polished, culturally accurate messaging. APT42, linked to Iran, used Gemini to enumerate official email addresses, research business connections, and create personas tailored to targets, while translation capabilities allowed multilingual operations. North Korea’s UNC2970 leveraged AI to profile cybersecurity and defense professionals, refining phishing narratives with salary and role information. All identified assets were disabled, preventing further compromise. 

AI-Enhanced Malware Development 

GTIG also documented AI-assisted malware development. APT31 prompted Gemini with expert cybersecurity personas to automate vulnerability analysis, including remote code execution, firewall bypass, and SQL injection testing. UNC795 engaged Gemini regularly to troubleshoot code and explore AI-integrated auditing, suggesting early experimentation with agentic AI, systems capable of autonomous multi-step reasoning. While fully autonomous AI attacks have not yet been observed, GTIG anticipates growing underground interest in such capabilities.  Generative AI is also supporting information operations. Threat actors from China, Iran, Russia, and Saudi Arabia used Gemini to draft political content, generate propaganda, and localize messaging. According to GTIG’s AI threat tracker, these efforts improved efficiency and scale but did not produce transformative influence capabilities. AI is enhancing productivity rather than creating fundamentally new tactics in the information operations space. 

AI-Powered Malware Frameworks: HONESTCUE and COINBAIT 

In September 2025, GTIG identified HONESTCUE, a malware framework outsourcing code generation via Gemini’s API. HONESTCUE queries the AI for C# code to perform “stage two” functionality, which is compiled and executed in memory without writing artifacts to disk, complicating detection.   Similarly, COINBAIT, a phishing kit detected in November 2025, leveraged AI-generated code via Lovable AI to impersonate a cryptocurrency exchange. COINBAIT incorporated complex React single-page applications, verbose developer logs, and cloud-based hosting to evade traditional network defenses.  GTIG also reported that underground markets are exploiting AI services and API keys to scale attacks. One example, “Xanthorox,” marketed itself as a self-contained AI for autonomous malware generation but relied on commercial AI APIs, including Gemini.  

AI is giving online romance scammers even more ways to hide and accelerate their schemes while making it more difficult for people to detect fraud operations that are resulting in billions of dollars being stolen every year from millions of victims.

The post AI is Supercharging Romance Scams with Deepfakes and Bots appeared first on Security Boulevard.

Darktrace researchers caught a sample of malware that was created by AI and LLMs to exploit the high-profiled React2Shell vulnerability, putting defenders on notice that the technology lets even lesser-skilled hackers create malicious code and build complex exploit frameworks.

The post Hackers Use LLM to Create React2Shell Malware, the Latest Example of AI-Generated Threat appeared first on Security Boulevard.

In this post we explore the data-driven shrinkage of the Time to Exploit (TTE) window from 745 days to just 44, and examine why N-day vulnerabilities have become the "turn-key" weapon of choice for modern threat actors.

The post N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation appeared first on Flashpoint.

The post N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation appeared first on Security Boulevard.

The European Union Agency for Cybersecurity has released an updated international strategy to reinforce the EU’s cybersecurity ecosystem and strengthen cooperation beyond Europe’s borders. The revised ENISA International Strategy refreshes the agency’s approach to working with global partners while ensuring stronger alignment with the European Union’s international cybersecurity policies, core values, and long-term objectives.  Cybersecurity challenges today rarely stop at national or regional borders. Digital systems, critical infrastructure, and data flows are deeply intertwined across continents, making international cooperation a necessity rather than a choice. Against this backdrop, ENISA has clarified that it will continue to engage strategically with international partners outside the European Union, but only when such cooperation directly supports its mandate to improve cybersecurity within Europe.

ENISA International Strategy Aligns Global Cooperation With Europe’s Cybersecurity Priorities 

Under the updated ENISA International Strategy, the agency’s primary objective remains unchanged: raising cybersecurity levels across the EU. International cooperation is therefore pursued selectively and strategically, focusing on areas where collaboration can deliver tangible benefits to EU Member States and strengthen Europe’s overall cybersecurity resilience. ENISA Executive Director Juhan Lepassaar highlighted the importance of international engagement in achieving this goal. He stated: “International cooperation is essential in cybersecurity. It complements and strengthens the core tasks of ENISA to achieve a high common level of cybersecurity across the Union.   Together with our Management Board, ENISA determines how we engage at an international level to achieve our mission and mandate. ENISA stands fully prepared to cooperate on the global stage to support the EU Member States in doing so.”  The strategy is closely integrated with ENISA’s broader organizational direction, including its recently renewed stakeholders’ strategy. A central focus is cooperation with international partners that share the EU’s values and maintain strategic relationships with the Union.

Expanding Cybersecurity Partnerships Beyond Europe While Supporting EU Policy Objectives 

The revised ENISA International Strategy outlines several active areas of international cooperation. These include more tailored working arrangements with specific countries, notably Ukraine and the United States. These partnerships are designed to focus on capacity-building, best practice exchange, and structured information and knowledge sharing in the field of cybersecurity.  ENISA will also continue supporting the European Commission and the European External Action Service (EEAS) in EU cyber dialogues with partners such as Japan and the United Kingdom. Through this role, ENISA provides technical expertise to inform discussions and to help align international cooperation with Europe’s cybersecurity priorities.  Another key element of the strategy involves continued support for EU candidate countries in the Western Balkans region. From 2026 onward, this support is planned to expand through the extension of specific ENISA frameworks and tools. These may include the development of comparative cyber indexes, cybersecurity exercise methodologies, and the delivery of targeted training programs aimed at strengthening national capabilities. 

Strengthening Europe’s Cybersecurity Resilience Through Multilateral Frameworks 

The updated strategy also addresses the operationalization of the EU Cybersecurity Reserve, established under the 2025 EU Cyber Solidarity Act. ENISA plans to support making the reserve operational for third countries associated with the Digital Europe Programme, including Moldova, thereby extending coordinated cybersecurity response mechanisms while maintaining alignment with EU standards.  In addition, ENISA will continue contributing to the cybersecurity work of the G7 Cybersecurity Working Group. In this context, the agency provides EU-level cybersecurity expertise when required, supporting cooperation on shared cyber threats and resilience efforts. The strategy also leaves room for exploring further cooperation with other like-minded international partners where mutual interests align.  Finally, the ENISA International Strategy reaffirms the principles guiding ENISA’s international cooperation and clarifies working modalities with the European Commission, the EEAS, and EU Member States. These principles were first established following the adoption of ENISA’s initial international strategy in 2021 and have since been consolidated and refined based on practical experience and best practices. 

LayerX researchers say that a security in Anthropic's Claude Desktop Extensions can be exploited to allow threat actors to place a RCE vulnerability into Google Calendar, the latest report to highlight the risks that come with giving AI models with full system privileges unfettered access to sensitive data.

The post Flaw in Anthropic Claude Extensions Can Lead to RCE in Google Calendar: LayerX appeared first on Security Boulevard.

The UAE Cyber Security Council has issued a renewed warning about the growing threat of financial cybercrime, cautioning that stolen login credentials remain the most common entry point for attacks targeting individuals, companies, and institutions. According to the council, around 60% of financial cyberattacks begin with the theft of usernames and passwords, making compromised credentials a primary gateway for fraud, identity theft, and unauthorized access to sensitive financial information.  In comments to the Emirates News Agency (WAM), the UAE Cyber Security Council said that financial data remains one of the most sought-after assets for cybercriminals, particularly as digital banking and online transactions become more deeply embedded in daily life. The council stressed that while threat actors are increasingly sophisticated, many successful attacks still exploit basic security weaknesses that can be mitigated through stronger digital hygiene. The council urged individuals and organizations to exercise greater caution when handling financial information online, emphasizing that simple preventive steps can reduce exposure to cyber risks. Users were advised against storing sensitive passwords on unsecured or inadequately protected devices, and were encouraged to regularly review privacy settings, remove untrusted applications, and ensure operating systems and software are kept up to date. 

Also read: The Top 25 Women Cybersecurity Leaders in the UAE in 2025

Emirates News Agency Reports 60% of Attacks Begin with Compromised Credentials 

Speaking to the Emirates News Agency, the UAE Cyber Security Council highlighted two-factor authentication as one of the most effective defenses against unauthorized access. The council described multi-factor security controls as a critical layer of protection in an environment where stolen credentials are frequently traded, reused, or exploited across multiple platforms. “Every step taken to protect personal and financial data contributes directly to reducing the likelihood of falling victim to online fraud,” the council said.  The council also warned that cybercriminals often gain access to financial information indirectly. Rather than attacking banking systems outright, attackers may first compromise email or social media accounts and then use those accounts to reset passwords or harvest banking details. This method enables fraudsters to remain undetected while expanding their access to more sensitive systems.  To counter this, the UAE Cyber Security Council called on users to adopt safer digital habits, including using secure payment methods, avoiding the storage of financial data on mobile phones or personal computers, and monitoring bank accounts regularly for suspicious activity. The council also recommended enabling instant bank alerts to receive real-time notifications of account activity, allowing for rapid response and immediate reporting in the event of a breach. 

Council Urges Stronger Digital Habits to Protect Banking and Financial Data 

The council further cautioned against engaging with fake advertisements, phishing messages, or unverified online entities. According to the Emirates News Agency, fraudsters are increasingly using advanced technologies to imitate the logos, branding, and messaging styles of banks and trusted financial institutions, making fraudulent communications harder to identify. Users were urged to carefully verify messages, avoid clicking on suspicious links, and refrain from sharing personal or financial information outside official banking channels.  As part of its ongoing weekly cybersecurity awareness efforts, the UAE Cyber Security Council emphasized the importance of constant vigilance to prevent attacks targeting financial and banking data. It noted that cyber threats may take the form of direct attacks on bank accounts or indirect identity theft through unauthorized access to personal accounts, often resulting in financial losses.  The council also advised against using open or free Wi-Fi networks for banking activities or financial transactions, warning that such networks are often unsecured and vulnerable to interception. It stressed the importance of creating strong, unique passwords for banking and financial service accounts, noting that password reuse increases the risk of compromise. 

Also read: UAE Cyber Security Council Flags 70% Smart Home Devices as Vulnerable

A new paper gives an insider’s perspective into CISA’s Known Exploited Vulnerability catalog – and also offers a free tool to help security teams use the CISA KEV catalog more effectively. The paper, by former CISA KEV Section Chief and current runZero VP of Security Research Tod Beardsley, applies commonly used enrichment signals like CVSS, EPSS and SSVC, public exploit tooling from Metasploit and Nuclei, MITRE ATT&CK mappings, and “time-sequenced relationships” to help security teams prioritize vulnerabilities based on urgency. The paper’s findings led to the development of KEV Collider, a web application and dataset “that encourages readers to explore, recombine, and validate KEV enrichment data to better leverage the KEV in their daily operations,” the paper said. One interesting finding in the paper is that only 32% of CISA KEV vulnerabilities are “immediately exploitable for initial access.”

CISA KEV Is Not a List of the Worst Vulnerabilities

CISA KEV is not a list of the worst vulnerabilities, and the criteria for inclusion in the KEV catalog is perhaps surprisingly narrow. “The KEV is often misunderstood as a government-curated list of the most severe vulnerabilities ever discovered, or as a catalog of hyper-critical remote code execution flaws actively being used by foreign adversaries against U.S. government systems,” the paper said. “This casual interpretation is incorrect on several counts. While KEV-listed vulnerabilities do represent confirmed exploitation, the catalog exists primarily as an operational prioritization tool rather than as a comprehensive inventory of exploited vulnerabilities.” Inclusion in the KEV Catalog is limited to vulnerabilities that meet four conditions:

• The vulnerability must have an assigned Common Vulnerabilities and Exposures (CVE) identifier.
• There must be a reasonable mitigation. “This means that vulnerabilities with no realistic path to mitigation will not reach the KEV,” the paper said. The lack of a straightforward fix has kept CVE-2022-21894, aka “BlackLotus,” off the list even though the NSA has provided mitigation guidance.
• There must be evidence of exploitation. “This exploitation must be observed by CISA, either directly or through trusted reporting channels,” the paper said.
• The vulnerability must be relevant to the U.S. Federal Civilian Executive Branch (FCEB).

CISA KEV is not the only list of known exploited vulnerabilities, the paper said. Another is the VulnCheck KEV, which is three times bigger than CISA KEV. “It often adds vulnerabilities to its KEV in closer-to-real-time as exploitation evidence surfaces, sometimes beating the CISA KEV as first to publish exploitation notifications,” the paper said – and would also be an interesting place to apply the paper’s criteria. CISA KEV isn’t a list of the most severe vulnerabilities: “the vulnerabilities there are not all unauthenticated, remotely exploitable, initial intrusion vulnerabilities,” the paper said. Looking at just the last 12 vulnerabilities added to the KEV catalog in December, only four met the criteria for a “straight shot RCE bug.” Those criteria are:

• Access Vector of “Network” (as opposed to “Adjacent,” “Local,” or “Physical”)
• Privileges Required of “None” (as opposed to “Low” or “High”)
• User Interaction of “None” (as opposed to “Required”)
• Integrity Impact of “High” (as opposed to “None” or “Low”)

“These are the vulnerabilities that listen on an internet socket, don’t require a login, don’t require the victim to act, and the attacker ends up with total control over the affected system,” the paper said. Interestingly, the four straight-shot RCE vulnerabilities are all rated Critical, while the rest are rated High or Medium. Out of 1,488 KEV vulnerabilities as of January 14, 2026, only 483, or 32%, “are useful for immediate initial access,” the paper said. Using the Straight-Shot RCE filter in KEV Collider, 494 of 1,507 KEV vulnerabilities in the catalog as of Feb. 6 qualify, or 32.7 Looking at EPSS scores suggests that some of the vulnerabilities have a low probability of being exploited again in the future. There are 545 KEV vulnerabilities with very high EPSS scores – and 353 in the sub-10% category. Examining Metasploit Framework exploits, 464 KEV vulnerabilities were associated with at least one Metasploit module. “This means that just about a third of all KEVs are trivially exploitable today, as Metasploit modules are free, easy to use, and well-understood by attackers and defenders alike,” the paper said. There were 398 Nuclei templates “suitable for testing KEV vulnerabilities,” and 235 vulnerabilities with both Metasploit and Nuclei exploits. The paper also looked at the correlation of MITRE ATT&CK mappings with Metasploit and Nuclei exploit development and found that vulnerabilities associated with T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter) “are more likely to attract the attention of public exploit developers.” Also read: CISA Silently Updates Vulnerabilities Exploited by Ransomware Groups

Perfect Vulnerability Coverage ‘Unrealistic’

The paper noted that “perfect vulnerability coverage is an increasingly unrealistic goal, particularly when organizations are constrained by finite tooling, staffing, or budget. This is even true when the focus is narrowed to merely the CISA KEV catalog.” “Many KEVs now affect assets that are difficult to inventory, difficult to scan, or difficult to patch using conventional enterprise tooling,” and can’t be covered by a single product. The paper’s goal is to help security practitioners “reason about uncertainty and prioritize effort when full coverage is unattainable. In practice, organizations must decide how to sequence remediation, where to apply detection and monitoring first, and when to escalate resource allocation to meet particularly aggressive deadlines.” All source JSON files used by the KEV Collider application are available in a public GitHub repository.

Threat actors using LLMs needed only eight minutes to move from initial access to full admin privileges in an attack on a company's AWS cloud environment in the latest example of cybercriminals expanding their use of AI in their operations, Sysdig researchers said.

The post Attackers Used AI to Breach an AWS Environment in 8 Minutes appeared first on Security Boulevard.

As the first week of February 2026 concludes, The Cyber Express weekly roundup examines the developments shaping today’s global cybersecurity landscape. Over the past several days, governments, technology companies, and digital platforms have confronted a wave of cyber incidents ranging from disruptive attacks on public infrastructure to large-scale data exposures and intensifying regulatory scrutiny of artificial intelligence systems.  This week’s cybersecurity reporting reflects a broader pattern: rapid digital expansion continues to outpace security maturity. High-profile breaches, misconfigured cloud environments, and powerful AI tools are creating both defensive opportunities and significant new risks.  

The Cyber Express Weekly Roundup 

Cyberattack Disrupts Spain’s Ministry of Science Operations 

Spain’s Ministry of Science, Innovation, and Universities confirmed that a cyberattack forced a partial shutdown of its IT systems, disrupting digital services relied upon by researchers, universities, students, and businesses nationwide. Initially described as a technical incident, the disruption was later acknowledged as a cybersecurity event that required the temporary closure of the ministry’s electronic headquarters. Read more.. 

OpenAI Expands Controlled Access to Advanced Cyber Defense Models 

OpenAI announced the launch of Trusted Access for Cyber, a new initiative designed to strengthen defensive cybersecurity capabilities while limiting the potential misuse of highly capable AI systems. The program provides vetted security professionals with controlled access to advanced models such as GPT-5.3-Codex, which OpenAI identifies as its most cyber-capable reasoning model to date. Read more.. 

French Authorities Escalate Investigations Into X and Grok AI 

French police raided offices belonging to the social media platform X as European investigations expanded into alleged abuses involving its Grok AI chatbot. Authorities are examining claims that Grok generated nonconsensual sexual deepfakes, child sexual abuse material (CSAM), and content denying crimes against humanity, including Holocaust denial. Read more.. 

AI-Generated Platform Moltbook Exposes Millions of Credentials 

Security researchers disclosed that Moltbook, a viral social network built entirely using AI-generated code, exposed 1.5 million API authentication tokens, 35,000 user email addresses, and thousands of private messages due to a database misconfiguration. Wiz Security identified the issue after discovering an exposed Supabase API key embedded in client-side JavaScript, which granted unrestricted access to the platform’s production database. Read more.. 

Substack Discloses Breach Months After Initial Compromise 

Substack revealed that attackers accessed user email addresses, phone numbers, and internal metadata in October 2025, though the breach went undetected until February 3, 2026. CEO Chris Best notified affected users, stating, “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.” Read more.. 

Weekly Takeaway 

This Cyber Express weekly roundup highlights a clear takeaway for the global cybersecurity community: digital expansion without equivalent security investment increases organizational and systemic risk. AI-built platforms, advanced security tooling, and large-scale public-sector systems are being deployed rapidly, often without adequate access controls, monitoring, or testing. As recent incidents show, these gaps lead to data exposure, prolonged breach detection, and service disruption. To reduce risk, organizations must embed security controls, clear ownership, and continuous monitoring into system design and daily operations, rather than relying on post-incident fixes or policy statements.

By 2026 humans remain cybersecurity’s weakest—and most vital—link as AI-enabled social engineering rises; prioritize behavioral design, real‑time interventions, and leadership.

The post The Human Layer of Security: Why People are Still the Weakest Link in 2026  appeared first on Security Boulevard.

OpenAI has announced a new initiative aimed at strengthening digital defenses while managing the risks that come with capable artificial intelligence systems. The effort, called Trusted Access for Cyber, is part of a broader strategy to enhance baseline protection for all users while selectively expanding access to advanced cybersecurity capabilities for vetted defenders.   The initiative centers on the use of frontier models such as GPT-5.3-Codex, which OpenAI identifies as its most cyber-capable reasoning model to date, and tools available through ChatGPT. 

What is Trusted Access for Cyber? 

Over the past several years, AI systems have evolved rapidly. Models that once assisted with simple tasks like auto-completing short sections of code can now operate autonomously for extended periods, sometimes hours or even days, to complete complex objectives.   In cybersecurity, this shift is especially important. According to OpenAI, advanced reasoning models can accelerate vulnerability discovery, support faster remediation, and improve resilience against targeted attacks. At the same time, these same capabilities could introduce serious risks if misused.  Trusted Access for Cyber is intended to unlock the defensive potential of models like GPT-5.3-Codex while reducing the likelihood of abuse. As part of this effort, OpenAI is also committing $10 million in API credits to support defensive cybersecurity work.

Expanding Frontier AI Access for Cyber Defense 

OpenAI argues that the rapid adoption of frontier cyber capabilities is critical to making software more secure and raising the bar for security best practices. Highly capable models accessed through ChatGPT can help organizations of all sizes strengthen their security posture, shorten incident response times, and better detect cyber threats. For security professionals, these tools can enhance analysis and improve defenses against severe and highly targeted attacks.  The company notes that many cyber-capable models will soon be broadly available from a range of providers, including open-weight models. Against that backdrop, OpenAI believes it is essential that its own models strengthen defensive capabilities from the outset. This belief has shaped the decision to pilot Trusted Access for Cyber, which prioritizes placing OpenAI’s most capable models in the hands of defenders first.  A long-standing challenge in cybersecurity is the ambiguity between legitimate and malicious actions. Requests such as “find vulnerabilities in my code” can support responsible patching and coordinated disclosure, but they can also be used to identify weaknesses for exploitation. Because of this overlap, restrictions designed to prevent harm have often slowed down good-faith research. OpenAI says the trust-based approach is meant to reduce that friction while still preventing misuse.

How Trusted Access for Cyber Works 

Frontier models like GPT-5.3-Codex are trained with protection methods that cause them to refuse clearly malicious requests, such as attempts to steal credentials. In addition to this safety training, OpenAI uses automated, classifier-based monitoring to detect potential signals of suspicious cyber activity. During this calibration phase, developers and security professionals using ChatGPT for cybersecurity tasks may still encounter limitations.  Trusted Access for Cyber introduces additional pathways for legitimate users. Individual users can verify their identity through a dedicated cyber access portal. Enterprises can request trusted access for entire teams through their OpenAI representatives. Security researchers and teams that require even more permissive or cyber-capable models to accelerate defensive work can apply to an invite-only program. All users granted trusted access must continue to follow OpenAI’s usage policies and terms of use.  The framework is designed to prevent prohibited activities, including data exfiltration, malware creation or deployment, and destructive or unauthorized testing, while minimizing unnecessary barriers for defenders. OpenAI expects both its mitigation strategies and Trusted Access for Cyber itself to evolve as it gathers feedback from early participants. 

Scaling the Cybersecurity Grant Program 

To further support defensive use cases, OpenAI is expanding its Cybersecurity Grant Program with a $10 million commitment in API credits. The program is aimed at teams with a proven track record of identifying and remediating vulnerabilities in open source software and critical infrastructure systems.   By pairing financial support with controlled access to advanced models like GPT-5.3-Codex through ChatGPT, OpenAI seeks to accelerate legitimate cybersecurity research without broadly exposing powerful tools to misuse. 

Unit 42 researchers say an Asian threat group behind what they call the Shadow Campaigns has targeted government agencies in 37 countries in a wide-ranging global cyberespionage campaign that has involved phishing attacks and the exploitation of a more than a dozen known vulnerabilities.

The post Threat Group Running Espionage Operations Against Dozens of Governments appeared first on Security Boulevard.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been “silently” updating its Known Exploited Vulnerabilities (KEV) catalog when it concludes that vulnerabilities have been exploited by ransomware groups, according to a security researcher. CISA adds a “known” or “unknown” field next to the “Known To Be Used in Ransomware Campaigns?” entry in its KEV catalog. The problem, according to a blog post by Glenn Thorpe of GreyNoise, is the agency doesn’t send out advisories when a vulnerability changes from “unknown” to “known” vulnerabilities exploited by ransomware groups. Thorpe downloaded daily CISA KEV snapshots for all of 2025 and found that the agency had flipped 59 vulnerabilities in 2025 from “unknown” to “known” evidence of exploitation by ransomware groups. “When that field flips from ‘Unknown’ to ‘Known,’ CISA is saying: ‘We have evidence that ransomware operators are now using this vulnerability in their campaigns,’" Thorpe wrote. “That's a material change in your risk posture. Your prioritization calculus should shift. But there's no alert, no announcement. Just a field change in a JSON file. This has always frustrated me.” In a statement shared with The Cyber Express, CISA Executive Assistant Director for Cybersecurity Nick Andersen suggested that the agency is considering Thorpe’s input. “We continue to streamline processes and enrich vulnerability data through initiatives like the KEV catalog, the Common Vulnerabilities and Exposures (CVE) Program, and Vulnrichment,” Andersen said. “Feedback from the cybersecurity community is essential as CISA works to enhance the KEV catalog and advance vulnerability prioritization across the ecosystem.”

Microsoft Leads in Vulnerabilities Exploited by Ransomware Groups

Of the 59 CVEs that flipped to “known” exploitation by ransomware groups last year, 27% were Microsoft vulnerabilities, Thorpe said. Just over a third (34%) involved edge and network CVEs, and 39% were for CVEs before 2023. And 41% of the flipped vulnerabilities occurred in a single month, May 2025. The “Fastest time-to-ransomware flip” was one day, while the longest lag between CISA KEV addition and the change to “known” ransomware exploitation status was 1,353 days. The “Most flipped vulnerability type” was Authentication Bypass at 14% of occurrences.

Ransomware Groups Target Edge Devices

Edge devices accounted for a high number of the flipped vulnerabiities, Thorpe said. Fortinet, Ivanti, Palo Alto and Check Point Security edge devices were among the flipped CVEs. “Ransomware operators are building playbooks around your perimeter,” he said. Thorpe said that 19 of the 59 flipped vulnerabilities “target network security appliances, the very devices deployed to protect organizations.” But he added: “Legacy bugs show up too; Adobe Reader vulnerabilities from years ago suddenly became ransomware-relevant.” Authentication bypasses and RCE vulnerabilities were the most common, “as ransomware operators prioritize ‘get in and go’ attack chains.” The breakdown by vendor of the 59 vulnerabilities “shouldn't surprise anyone,” he said. Microsoft was responsible for 16 of the flipped CVEs, affecting SharePoint, Print Spooler, Group Policy, Mark-of-the-Web bypasses, and more. Ivanti products were affected by 6 of the flipped CVEs, Fortinet by 5 (with FortiOS SSL-VPN heap overflows standing out), and Palo Alto Networks and Zimbra were each affected by 3 of the CVEs. “Ransomware operators are economic actors after all,” Thorpe said. “They invest in exploit development for platforms with high deployment and high-value access. Firewalls, VPN concentrators, and email servers fit that profile perfectly.” He also noted that the pace of vulnerability exploitation by ransomware groups accelerated in 2025. “Today, ransomware operators are integrating fresh exploits into their playbooks faster than defenders are patching,” he said. Thorpe created an RSS feed to track the flipped vulnerabilities; it’s updated hourly.

In the rapidly changing landscape of cybersecurity, AI agents present both opportunities and challenges. This article examines the findings from Darktrace’s 2026 State of AI Cybersecurity Report, highlighting the benefits of AI in enhancing security measures while addressing concerns regarding AI-driven threats and the need for responsible governance.

The post Navigating the AI Revolution in Cybersecurity: Risks, Rewards, and Evolving Roles appeared first on Security Boulevard.

The influence of Chinese money laundering networks has skyrocketed since 2020, with the operations now moving almost 20% of all illicit cryptocurrency being laundered last year, according to Chainalysis researchers. In 2025, they processed more than $16 billion, or about $44 million a day.

The post Fast-Growing Chinese Crime Networks Launder 20% of Illicit Crypto: Chainalysis appeared first on Security Boulevard.

Several threat clusters are using vishing in extortion campaigns that include tactics that are consistent with those used by high-profile threat group ShinyHunters. They are stealing SSO and MFA credentials to access companies' environments and steal data from cloud applications, according to Mandiant researchers.

The post ShinyHunters Leads Surge in Vishing Attacks to Steal SaaS Data appeared first on Security Boulevard.

The BreachForums marketplace has suffered a leak, exposing the identities of nearly 324,000 cybercriminals. This incident highlights a critical shift in cyberattacks, creating opportunities for law enforcement while demonstrating the risks associated with breaches in the cybercriminal ecosystem.

The post BreachForums Breach Exposes Names of 324K Cybercriminals, Upends the Threat Intel Game appeared first on Security Boulevard.

Ukraine's cyber defenders warn Russian hackers weaponized a Microsoft zero-day within 24 hours of public disclosure, targeting government agencies with malicious documents delivering Covenant framework backdoors.

Russian state-sponsored hacking group APT28 used a critical Microsoft Office zero-day vulnerability, tracked as CVE-2026-21509, in less than a day after the vendor publicly disclosed the flaw, launching targeted attacks against Ukrainian government agencies and European Union institutions.

Ukraine's Computer Emergency Response Team detected exploitation attempts that began on January 27—just one day after Microsoft published details about CVE-2026-21509.

Microsoft had acknowledged active exploitation when it disclosed the flaw on January 26, but details pertaining to the threat actors were withheld and it is still unclear if it is the same or some other exploitation campaign that the vendor meant. However, the speed at which APT28 deployed customized attacks shows the narrow window defenders have to patch critical vulnerabilities.

Also read: APT28’s Recent Campaign Combined Steganography, Cloud C2 into a Modular Infection Chain

CERT-UA discovered a malicious DOC file titled "Consultation_Topics_Ukraine(Final).doc" containing the CVE-2026-21509 exploit on January 29. Metadata revealed attackers created the document on January 27 at 07:43 UTC. The file masqueraded as materials related to Committee of Permanent Representatives to the European Union consultations on Ukraine's situation.

[caption id="attachment_109153" align="aligncenter" width="700"] Word file laced with malware (Source: CERT-UA)[/caption]

On the same day, attackers impersonated Ukraine's Ukrhydrometeorological Center, distributing emails with an attached DOC file named "BULLETEN_H.doc" to more than 60 email addresses. Recipients primarily included Ukrainian central executive government agencies, representing a coordinated campaign against critical government infrastructure.

The attack chain begins when victims open malicious documents using Microsoft Office. The exploit establishes network connections to external resources using the WebDAV protocol—a file sharing protocol that extends HTTP to enable collaborative editing. The connection downloads a shortcut file containing program code designed to retrieve and execute additional malicious payloads.

[caption id="attachment_109150" align="aligncenter" width="600"] Exploit chain. (Source CERT-UA)[/caption]

Successful execution creates a DLL file "EhStoreShell.dll" disguised as a legitimate "Enhanced Storage Shell Extension" library, along with an image file "SplashScreen.png" containing shellcode. Attackers implement COM hijacking by modifying Windows registry values for a specific CLSID identifier, a technique that allows malicious code to execute when legitimate Windows components load.

The malware creates a scheduled task named "OneDriveHealth" that executes periodically. When triggered, the task terminates and relaunches the Windows Explorer process. Because of the COM hijacking modification, Explorer automatically loads the malicious EhStoreShell.dll file, which then executes shellcode from the image file to deploy the Covenant framework on compromised systems.

Covenant is a post-exploitation framework similar to Cobalt Strike that provides attackers persistent command-and-control access. In this campaign, APT28 configured Covenant to use Filen.io, a legitimate cloud storage service, as command-and-control infrastructure. This technique, called living-off-the-land, makes malicious traffic appear legitimate and harder to detect.

CERT-UA discovered three additional malicious documents using similar exploits in late January 2026. Analysis of embedded URL structures and other technical indicators revealed these documents targeted organizations in EU countries. In one case, attackers registered a domain name on January 30, 2026—the same day they deployed it in attacks—demonstrating the operation's speed and agility.

"It is obvious that in the near future, including due to the inertia of the process or impossibility of users updating the Microsoft Office suite and/or using recommended protection mechanisms, the number of cyberattacks using the described vulnerability will begin to increase," CERT-UA warned in its advisory.

Microsoft released an emergency fix for CVE-2026-21509, but many organizations struggle to rapidly deploy patches across enterprise environments. The vulnerability affects multiple Microsoft Office products, creating a broad attack surface that threat actors will continue exploiting as long as unpatched systems remain accessible.

Read: Microsoft Releases Emergency Fix for Exploited Office Zero-Day

CERT-UA attributes the campaign to UAC-0001, the agency's designation for APT28, also known as Fancy Bear or Forest Blizzard. The group operates on behalf of Russia's GRU military intelligence agency and has conducted extensive operations targeting Ukraine since Russia's 2022 invasion. APT28 previously exploited Microsoft vulnerabilities within hours of disclosure, demonstrating consistent capability to rapidly weaponize newly discovered flaws.

CERT-UA recommends organizations immediately implement mitigation measures outlined in Microsoft's advisory, particularly Windows registry modifications that prevent exploitation. The agency specifically urges blocking or monitoring network connections to Filen cloud storage infrastructure, providing lists of domain names and IP addresses in its indicators of compromise section.

Cloud security is hard and getting harder, a Fortinet study says, as AI widens a complexity gap and empowers attackers. 

The post A Lack of Spending Isn’t the Problem With Cloud Security, Structural Complexity Is  appeared first on Security Boulevard.

The DOJ indicted 31 people accused of participating in an ATM jackpotting scheme in which the venerable Ploutus malware was used to help steal more than $5 million from machines around the United States. In total, 87 people have been charged, with many connected to the Tren de Aragua Venezuelan crime syndicate.

The post 31 More Charged in Massive ATM Jackpotting Scheme Linked to Tren de Aragua Gang appeared first on Security Boulevard.

Momentum is building in the fight against botnets, as network operators and law enforcement ramp up crackdowns on botnet infrastructure, malware, and bulletproof hosting providers. While major takedowns show progress, cybercriminals are still adapting — learn more in this latest edition of the Botnet Spotlight.

The post Botnet Spotlight: Pressure rises on botnets — but the fight is far from over appeared first on Security Boulevard.

The third week of 2026 highlights a series of cybersecurity events affecting businesses, critical infrastructure, and regulatory compliance. This week, network administrators are grappling with the exploitation of a previously patched FortiOS vulnerability, while ransomware attacks continue to expose sensitive data across major corporations.   Meanwhile, hacktivist groups are targeting industrial systems and government networks, and the European Union has introduced new rules to phase out high-risk telecom and ICT products from non-EU suppliers.  These incidents demonstrate that cybersecurity risks are no longer confined to IT systems. They now intersect with national security, operational continuity, and regulatory oversight, requiring organizations to adopt both technical defenses and strategic risk management measures.  

The Cyber Express Weekly Roundup 

Active Exploits Hit “Patched” FortiOS 7.4.9 

Administrators report active exploitation of CVE-2025-59718 on FortiGate devices running FortiOS 7.4.9. Attackers bypass authentication through forged FortiCloud SSO logins, creating local admin accounts to maintain access. Evidence suggests that the patch may be incomplete or bypassed. Experts advise manually disabling FortiCloud SSO via CLI and auditing logs for unusual SSO activity, new admin accounts, and configuration exports. Read more… 

Ingram Micro Data Breach Exposes 42,521 Individuals 

A ransomware attack in July 2025 compromised sensitive employee and job applicant data at Ingram Micro, affecting 42,521 individuals. Exposed information includes names, contact details, dates of birth, Social Security numbers, and employment records. The attack disrupted logistics operations for about a week and was discovered in December 2025. Affected individuals have been notified and offered two years of credit monitoring and identity protection. Read more… 

One in Ten UK Businesses Could Fail After Major Cyberattack 

A Vodafone Business survey found over 10% of UK business leaders fear their organizations could fail after a major cyberattack. While 63% acknowledge rising cyber risks and 89% say high-profile breaches increased alertness, only 45% provide basic cyber-awareness training to all staff. Weak passwords, phishing, and emerging AI/deepfake scams heighten vulnerabilities. Read more… 

EU Proposes Rules on “High-Risk” Telecom Products 

The European Commission proposed updates to the Cybersecurity Act to phase out “high-risk” ICT products from mobile, fixed, and satellite networks supplied by risky countries, including China and Russia. Mobile networks have 36 months to comply; timelines for other networks will follow. Read more… 

Hacktivist Activity Surges, Targeting Critical Infrastructure 

The Cyble 2025 Threat Landscape report shows hacktivists targeting ICS, OT, and HMI/SCADA systems. Groups like Z-Pentest, Dark Engine, and NoName057(16) focused on industrial sectors in Europe and Asia. Hacktivist activity rose 51% in 2025, driven largely by pro-Russian and pro-Palestinian collectives. Many groups aligned with state interests, including GRU-backed Russian operations and Iranian-linked teams. Read more… 

NCSC Warns UK Organizations of Russian-Aligned Hacktivists 

The UK National Cyber Security Centre (NCSC) warned that Russian-aligned hacktivists, including NoName057(16), increasingly target UK organizations with denial-of-service attacks on local government and critical infrastructure. While technically simple, these attacks can severely disrupt services. Read more… 

Weekly Roundup Takeaway 

This week’s events highlight that cybersecurity in 2026 continues to influence business continuity, infrastructure integrity, and regulatory compliance. From FortiOS exploits and large-scale ransomware breaches to rising hacktivist activity and evolving EU telecom rules, organizations must integrate operational, technical, and strategic measures to mitigate risk and protect assets across sectors. 

Researchers discover phishing toolkits specifically engineered for voice-based social engineering attacks—often called "vishing"—that synchronize fake login pages with live phone conversations to defeat multifactor authentication. These custom kits, sold as-a-service to criminals, enable attackers to control what victims see in their browsers while simultaneously coaching them through fraudulent authentication steps over the phone.

The phishing toolkits target major identity providers including Google, Microsoft, Okta and various cryptocurrency platforms. Unlike traditional phishing that relies solely on deceptive emails, these hybrid attacks combine real-time human manipulation with dynamic web interfaces that adapt to each victim's security setup.

"Once you get into the driver's seat of one of these tools, you can immediately see why we are observing higher volumes of voice-based social engineering," Moussa Diallo, threat researcher at Okta Threat Intelligence, said. The threat actor can use this synchronization to defeat any form of MFA that is not phishing-resistant.

How the Latest Phishing Toolkits Work

The kits employ client-side scripts allowing attackers to orchestrate authentication flows in victims' browsers during live calls, researchers at Okta Threat Intelligence found. This real-time control delivers the plausibility criminals need to convince targets to approve push notifications, submit one-time passcodes or take actions that bypass multifactor authentication controls.

Attack sequences typically follow a consistent pattern. Threat actors perform reconnaissance to learn employee names, commonly used applications and IT support phone numbers. They then set customized phishing pages live and call targets while spoofing the company's actual support number.

Callers convince victims to navigate to phishing sites under pretenses like IT security requirements or account verification. When victims enter credentials, attackers receive them instantly via Telegram. The attacker simultaneously enters these credentials into the legitimate login page to see which multifactor authentication challenges appear.

Here's where the real-time orchestration becomes devastatingly effective. Attackers update phishing sites on the fly to display pages matching whatever they're telling victims over the phone. If the legitimate service sends a push notification, the caller verbally warns the victim to expect it while simultaneously commanding their control panel to display a message implying the push was sent legitimately.\

Also read: ‘Unprecedented Scale’ of Credential Stuffing Attacks Observed: Okta

This synchronization provides unprecedented control. The phishing kits Okta analyzed include command-and-control panels showing attackers exactly what victims see, with options to dynamically switch between different authentication scenarios—push notifications, one-time passcodes, backup codes or other challenges.

The toolkits even defeat push notifications with number matching or number challenge verification—security features designed specifically to combat phishing. Because attackers interact directly with victims, they simply ask targets to select or enter specific numbers displayed in the push challenge.

Push with number matching/challenge is not phishing-resistant by definition, as a social engineer interacting on the phone with a targeted user can simply request a user to choose or enter a specific number," Okta's threat advisory explained.

Only phishing-resistant authentication methods like FIDO passkeys protect users from these attacks. These technologies cryptographically verify users without transmitting credentials that attackers can intercept or manipulate.

Diallo predicts the industry sits at the beginning of a wave of voice-enabled phishing attacks augmented by real-time session orchestration tools. The expertise required to conduct these social engineering campaigns is itself sold as-a-service, lowering barriers to entry for less technically skilled criminals.

Okta researchers observed newer phishing kits copying the real-time orchestration features from earlier toolkits, with fraudsters selling access to bespoke control panels customized for specific identity providers and cryptocurrency platforms rather than generic kits targeting multiple services.

Earlier kits offered basic credential harvesting across multiple platforms. Current-generation toolkits provide specialized capabilities synchronized specifically to caller scripts, creating seamless fraudulent experiences that closely mimic legitimate authentication flows.

Defenders face no ambiguity about necessary countermeasures. Organizations must enforce phishing-resistant authentication for resource access. Organizations can also frustrate social engineering actors by implementing network zones or tenant access control lists that deny authentication from anonymizing services favored by threat actors. The strategy requires knowing where legitimate requests originate and allowlisting those networks.

Some financial institutions and cryptocurrency exchanges experiment with live caller verification, where users can sign into mobile apps during phone calls to confirm whether they're speaking with authorized representatives.

The emergence of these synchronized vishing toolkits shows how social engineering continues evolving beyond simple deception into orchestrated attacks combining human manipulation with sophisticated technical infrastructure. Organizations relying on traditional multifactor authentication without phishing resistance face mounting vulnerability to these hybrid threats.

Hacktivists became significantly more dangerous in 2025, moving beyond their traditional DDoS attacks and website defacements to target critical infrastructure and ransomware attacks. That’s one of the conclusions of a new blog post from Cyble adapted from the threat intelligence company’s 2025 Threat Landscape report. The trend began in earnest with Z-Pentest’s targeting of industrial control systems (ICS) in late 2024, and grew from there. Cyble said it expects those attacks to continue to grow in 2026, along with growing use of custom tools by hacktivists and “deepening alignment between nation-state interests and hacktivists.”

Hacktivist Attacks on Critical Infrastructure Soar

Z-Pentest was the most active of the hacktivist groups targeting ICS, operational technology (OT) and Human Machine Interface (HMI) environments. Dark Engine (Infrastructure Destruction Squad) and Sector 16 also persistently targeted ICS environments, while Golden Falcon Team, NoName057(16), TwoNet, RipperSec, and Inteid also claimed multiple ICS attacks. HMI and web-based Supervisory Control and Data Acquisition (SCADA) interfaces were the systems most frequently targeted by hacktivists. Virtual Network Computing (VNC) environments were targeted less frequently, but “posed the greatest operational risks to several industries,” Cyble said. Building Management Systems (BMS) and Internet of Things (IoT) or edge-layer controllers were also targeted by the groups, reflecting a wider trend toward exploiting poorly secured IoT interfaces. Europe was the primary region targeted by pro-Russian hacktivist groups, with Spain, Italy, the Czech Republic, France, Poland, and Ukraine the most frequent targets of those groups.

State Interests and Hacktivism Align

Cyble also noted increasing alignment between hacktivist groups and state-aligned interests. When Operation Eastwood disrupted NoName057(16)’s DDoS infrastructure in July 2025, the group rapidly rebuilt its capacity and resumed operations against Ukraine, the EU, and NATO, “underscoring the resilience of state-directed ecosystems,” Cyble said. U.S. indictments “further exposed alleged structured cooperation between Russian intelligence services and pro-Kremlin hacktivist fronts,” the blog post said. The Justice Department revealed GRU-backed financing and direction of the Cyber Army of Russia Reborn (CARR) and state-sanctioned development of NoName057(16)’s DDoSia platform. Z-Pentest has also been identified as part of the CARR ecosystem and linked to GRU. Pro-Ukrainian hacktivist groups are less formally connected to state interests, but groups like the BO Team and the Ukrainian Cyber Alliance launched data destruction, encryption and wiper attacks targeting “key Russian businesses and state machinery,” and Ukrainian actors also claimed to pass exfiltrated datasets to national intelligence services. Hacktivist groups Cyber Partisans BY (Belarus) and Silent Crow significantly compromised Aeroflot’s IT environment in a long-term breach, claiming to exfiltrate more than 20TB of data, sabotaging thousands of servers, and disrupting airline systems, a breach that was confirmed by Russia’s General Prosecutor. Other hacktivists aligned with state interests include BQT.Lock (BaqiyatLock, aligned with Hezbollah) and Cyb3r Av3ngers/Mr. Soul Team, which has been linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and has also targeted critical infrastructure.

Hacktivist Sightings Surge 51%

Cyble said hacktivist sightings surged 51% in 2025, from 700,000 in 2024 to 1.06 million in 2025, “with the bulk of activity focused on Asia and Europe.” “Pro-Russian state-aligned hacktivists and pro-Palestinian, anti-Israel collectives continued to be the primary drivers of hacktivist activity throughout 2025, shaping the operational tempo and geopolitical focus of the threat landscape,” the researchers said. India, Ukraine and Israel were the countries most targeted by hacktivist activity in 2025 (chart below). [caption id="attachment_108842" align="aligncenter" width="825"] Hacktivist attacks by country in 2025 (Cyble)[/caption] Government & Law Enforcement, Energy & Utilities, Education, IT, Transportation & Logistics, and Manufacturing saw the most growth in hacktivist attacks, while the Agriculture & Livestock, Food & Beverages, Hospitality, Construction, Automotive, and Real Estate also saw increasing attack numbers. “Hacktivism has evolved into a geopolitically charged, ICS-focused threat, continuing to exploit exposed OT environments and increasingly weaponizing ransomware as a protest mechanism,” Cyble said. “In 2026, hacktivists and cybercriminals will increasingly target exposed HMI/SCADA systems and VNC takeovers, aided by public PoCs and automated scanning templates, creating ripple effects across the energy, water, transportation, and healthcare sectors,” the researchers predicted.

Ransomware and supply chain attacks set records in 2025, with ransomware attacks up more than 50% and supply chain attacks nearly doubling – trends that suggest further trouble ahead in 2026. Those are some of the data points from a new blog and annual threat landscape report from threat intelligence company Cyble. There were 6,604 ransomware attacks in 2025, 52% higher than the 4,346 attacks claimed by ransomware groups in 2024, according to Cyble data. And the year ended on an upswing for threat groups, with a near-record 731 ransomware attacks in December, behind only February 2025’s record totals (chart below). [caption id="attachment_108784" align="aligncenter" width="729"] Ransomware attacks by month 2021-2025 (Cyble)[/caption] Ransomware groups remained resilient and decentralized in 2025, and ransomware affiliates were quick to gravitate toward new leaders like Qilin in the wake of law enforcement disruptions.

Supply Chain Attacks Soared in 2025

Supply chain attacks soared by 93% in 2025, according to Cyble dark web researchers, as supply chain attacks claimed by threat groups surged from 154 incidents in 2024 to 297 in 2025 (chart below). [caption id="attachment_108785" align="aligncenter" width="717"] Supply chain attacks by month 2024-2025 (Cyble)[/caption] “As ransomware groups are consistently behind more than half of supply chain attacks, the two attack types have become increasingly linked,” Cyble noted. Supply chain attacks have declined since setting a record in October, but Cyble noted that “they remain above even the elevated trend that began in April 2025.” Every industry and sector tracked by Cyble was hit by a software supply chain attack in 2025, but the IT and Technology sectors were by far the most frequently hit because of the potential for expanding attacks into downstream customer environments. The sophistication of those attacks also grew. Supply chain attacks in 2025 “expanded far beyond traditional package poisoning, targeting cloud integrations, SaaS trust relationships, and vendor distribution pipelines,” Cyble said. “Adversaries are increasingly abusing upstream services—such as identity providers, package registries, and software delivery channels—to compromise downstream environments on a large scale.” Attacks on Salesforce through third-party integrations is one such example, as attackers “weaponized trust between SaaS platforms, illustrating how OAuth-based integrations can become high-impact supply chain vulnerabilities when third-party tokens have been compromised.”

Qilin Dominated Following RansomHub’s Decline

Qilin emerged as the leading ransomware group in April after RansomHub was hit by a possible act of sabotage by rival Dragonforce. Qilin claimed another 190 victims in December, besting a resurgent Lockbit and other leaders such as newcomer Sinobi. Qilin claimed 17% of all ransomware victims in 2025, well ahead of Akira, CL0P, Play and SafePay (chart below). Cyble noted that of the top five ransomware groups in 2025, only Akira and Play also made the list in 2024, as RansomHub and Lockbit declined and Hunters apparently rebranded as World Leaks. [caption id="attachment_108788" align="aligncenter" width="936"] 2025's top ransomware groups (Cyble)[/caption] Cyble documented 57 new ransomware groups, 27 new extortion groups and more than 350 new ransomware strains in 2025. Those new strains were “largely based on the MedusaLocker, Chaos, and Makop ransomware families,” Cyble said. Among new groups, Devman, Sinobi, Warlock and Gunra have targeted critical infrastructure, particularly in Government & Law Enforcement and Energy & Utilities, at an above-average rate. RALord/Nova, Warlock, Sinobi, The Gentlemen and BlackNevas have focused on the IT, Technology, and Transportation & Logistics sectors. The U.S. was by far the most attacked country, suffering 55% of all ransomware attacks in 2025. Canada, Germany, the UK, Italy and France rounded out the top six (chart below). [caption id="attachment_108789" align="aligncenter" width="936"] 2025 ransomware attacks by country (Cyble)[/caption] Construction, professional services and manufacturing were the industries most targeted by ransomware groups, followed by healthcare and IT (chart below). [caption id="attachment_108791" align="aligncenter" width="936"] 2025 ransomware attacks by sector (Cyble)[/caption] “The significant supply chain and ransomware threats facing security teams as we enter 2026 require a renewed focus on cybersecurity best practices that can help protect against a wide range of cyber threats,” Cyble concluded, listing best practices such as segmentation and strong access control and vulnerability management.

Poland narrowly avoided a nationwide power outage at the end of December after what senior officials have described as the most serious cyberattack on its energy infrastructure in years. The Poland cyberattack occurred during a period of severe winter weather, further complicating the crisis management efforts.  In an interview on RMF FM, Minister of Digital Affairs Krzysztof Gawkowski warned that the threat was no longer hypothetical. “The digital tanks are already here,” he said, referring to the growing use of cyber tools as weapons. According to Gawkowski, the Polish cyberattack was aimed directly at cutting off electricity to citizens in the final days of December. “We were very close to a blackout,” he admitted.  The situation was particularly challenging because the attacks coincided with harsh weather conditions, which further strained the energy system. Despite these factors, authorities managed to stabilize the network before power supplies were interrupted on a large scale. 

Russian Sabotage and the Scale of the Poland Cyberattack 

Krzysztof Gawkowski noted that the government views the incident as a deliberate sabotage rather than a random hacking attempt. “Everything suggests that we are dealing with Russian sabotage—because it has to be called by its name—which was intended to destabilize the situation in Poland,” he said during the RMF FM broadcast. He described the operation as the largest cyberattack on Poland’s energy infrastructure in years, with a clear objective of triggering a blackout.  [caption id="attachment_108679" align="alignnone" width="662"] Krzysztof Gawkowski Speaks on the Poland cyberattack (Source: RMF)[/caption] While stressing over the seriousness of the Poland cyberattack, Gawkowski also sought to reassure the public. “There is no need to panic,” he said, adding that state institutions were well prepared to respond and had acted effectively to prevent the worst-case scenario.  Additional details were provided earlier by Energy Minister Miłosz Motyka, who said that hackers attempted to breach multiple electricity-producing facilities across the country. The targets included one combined heat and power plant as well as numerous individual renewable energy sources. Motyka described the incident as unprecedented in its coordination.   “We have not experienced an attack like this before,” he said. “For the first time, various locations were targeted simultaneously.” According to the minister, the attack was successfully countered before it could cause lasting damage. 

Strengthening Defenses Against Future Attacks 

Motyka characterized the Poland cyberattack as “threatening” and fundamentally different from previous incidents. In response, he announced that Poland would step up investment in its energy infrastructure this year. The government plans to implement an “anti-blackout package” focused on modernization and stronger cybersecurity protections to better defend against similar attacks in the future.  The cyberattack on Poland is part of a wider trend affecting institutions and companies across the European Union. In recent years, cyber operations attributed to Russian state-sponsored actors have increasingly targeted critical infrastructure, often described as elements of hybrid warfare aimed at destabilizing the EU and disrupting Western support for Ukraine, accusations that Moscow has denied.  Poland itself has faced a series of cyber incidents in recent months. In November, several attacks disrupted digital payment services, while a separate breach led to the leaking of customer login details from a Polish travel agency.  

Political Fallout Amid Rising Cyber Risks 

The broader implications of the Poland cyberattack have extended into the political arena. During his RMF FM interview, Krzysztof Gawkowski was asked whether technical problems that delayed the leadership election of the Poland 2050 party could also be linked to cyber activity. The vote was not resolved on Monday “for technical reasons,” raising speculation about possible interference.  Gawkowski said he had no direct knowledge connecting the issue to the wider cyberattack on Poland but confirmed that the matter had been reported to the Internal Security Agency. “There will be a review. I’m not ruling out any scenario,” he said. He added that the party itself might have more information, noting, “The services will investigate, but what happened there? I don’t know. This is definitely a problem for Poland 2050.”  The minister also addressed other digital policy issues, including the president’s veto of a digital bill over concerns about online censorship. Gawkowski said he was willing to meet with Karol Nawrocki to discuss the legislation, describing the veto as political in nature and criticizing the narrative that content removal automatically constitutes an attack on freedom of speech. 

The FBI is warning that that the North Korean threat group Kimsuky is targeting organizations with spearphishing campaigns using malicious QR codes, a tactic known as “Quishing.” The Quishing campaigns appear to be primarily directed at organizations in the U.S. and elsewhere that are involved in foreign policy linked to North Korea, or as the FBI advisory put it, “NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea.” Since last year, Kimsuky threat actors have targeted “think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns,” the FBI said.

FBI Details Kimsuky QR Spearphishing Incidents

The FBI cited four incidents in May and June 2025 where Kimsuky actors used malicious QR codes in targeted spearphishing campaigns. In one May 2025 incident, Kimsuky threat actors impersonated “a foreign advisor” in an email “requesting insight from a think tank leader regarding recent developments on the Korean Peninsula.” The email contained a malicious QR code for the recipient to scan to access a questionnaire. Later that month, Kimsuky actors spoofed an embassy employee in an email seeking input “from a senior fellow at a think tank regarding North Korean human rights issues.” That email contained a QR code that claimed to offer access to a secure drive. Also that month, the North Korean threat actors impersonated a think tank employee in an email with a QR code “that, when scanned, would take the targeted individual to Kimsuky infrastructure designed to conduct malicious activity.” In June 2025, Kimsuky threat actors “sent a strategic advisory firm a spearphishing email inviting recipients to a non-existent conference.” The email included a QR code that took recipients to a registration landing page that included a registration button. That button “took visitors to a fake Google account login page, where users could input their login credentials for harvesting.” It’s not the first time the FBI and other agencies have warned of Kimsuky and other North Korean threat actors targeting organizations involved in foreign policy; a similar warning was issued in 2023 of a spearphishing campaign that targeted think tanks, academic institutions and news organizations.

FBI Defines Quishing Tactics and Procedures

The FBI said Quishing attacks use QR codes “to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional email security controls.” QR images are typically sent as email attachments or embedded graphics to evade URL inspection and sandboxing, the agency said. Victims are typically re-routed by the attacks to collect “device and identity attributes such as user-agent, OS, IP address, locale, and screen size in order to selectively present mobile-optimized credential harvesting pages impersonating Microsoft 365, Okta, or VPN portals.” Quishing attacks “frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical ‘MFA failed’ alerts,” the FBI said. The compromised mailbox can then be used for additional spearphishing attacks.

Protecting Against QR and Quishing Attacks

The FBI recommends “a multi-layered security strategy to address the unique risks posed by QR code-based spearphishing.” The agency’s recommendations include:

• Employees should be educated on the risks of scanning unsolicited QR codes regardless of where they came from, and organizations should implement training programs to help users recognize social engineering tactics involving QR codes, “including urgent calls to action and impersonation of trusted entities.”
• Organizations should also have clear processes for reporting suspicious QR codes and other phishing attempts.
• QR code sources should first be verified by contacting the sender directly, “especially before entering login credentials or downloading files.”
• Organizations should deploy mobile device management (MDM) or endpoint security solutions that can analyze QR-linked URLs before permitting access to web resources.
• Phishing-resistant MFA should be required for all remote access and sensitive systems, and a strong password policy should be implemented.
• All credential entry and network activity following QR code scans should be logged and monitored for possible compromises.
• Access privileges should be reviewed according to zero trust principles, and regular audits should be conducted for unused or excessive account permissions.

The FBI encouraged organizations to establish a liaison relationship with the FBI Field Office in their region and to report malicious activity at fbi.gov/contact-us/field-offices.

The cybersecurity world is facing a "Heartbleed" moment for the NoSQL era. A critical vulnerability in MongoDB, the world’s most popular non-relational database, is being actively exploited in the wild, allowing unauthenticated attackers to "bleed" sensitive memory directly from server processes.

Dubbed "MongoBleed" and tracked as CVE-2025-14847, the flaw represents a catastrophic breakdown in how MongoDB handles compressed data. According to researchers at Wiz, who first sounded the alarm on the active exploitation, the vulnerability allows an attacker to remotely read fragments of the server's memory—potentially exposed credentials, session tokens, and the very data the database is meant to protect—without ever needing a password.

The Mechanics of the Leak

At the heart of MongoBleed is a classic security failure- an out-of-bounds (OOB) read. The vulnerability resides in MongoDB’s implementation of the 'zlib' compression library within its wire protocol.

When a client communicates with a MongoDB server, it can use compression to save bandwidth. Security researchers at OX Security noted that by sending a specially crafted, malformed compressed message, an attacker can trick the server into reading past the allocated buffer. Because the server fails to properly validate the length of the decompressed data against the actual buffer size, it responds by sending back whatever happens to be sitting in the adjacent memory.

This is a haunting echo of the 2014 Heartbleed bug in OpenSSL. Like its predecessor, MongoBleed doesn't require the attacker to "break in" through the front door; instead, it allows them to sit outside and repeatedly ask the server for "scraps" of its internal memory until they’ve reconstructed enough data to stage a full-scale breach.

Exploitation in the Wild

The situation escalated quickly from a theoretical risk to a live crisis. Wiz reported that their global sensor network has detected automated scanners and exploit attempts targeting the flaw almost immediately after technical details began to circulate.

Joe Desimone, a cybersecurity researcher from Elastic Security also published a proof-of-concept exploit which showed how data related to MongoDB internal logs and state, WiredTiger storage engine configuration, system /proc data (meminfo, network stats), Docker container paths, and connection UUIDs and client IPs could be leaked using the MongoBleed bug.

The threat is particularly acute because MongoDB is often the backbone of modern web applications, storing everything from user PII to sensitive financial records. MongoDB has a very large footprint with over 200k internet-facing instances.

The ease of exploitation combined with the lack of authentication makes this a perfect storm for attackers, the Wiz team noted in their analysis. In many cases, an attacker only needs a single successful "bleed" to capture an administrative session token, granting them full control over the entire database cluster.

The Australian Cyber Security Centre (ACSC) has also issued an urgent advisory, warning organizations that the vulnerability affects a vast range of versions, from legacy 4.4 installs up to the most recent 8.0 releases.

For defenders, the challenge is that these memory-leak attacks are notoriously "quiet." Because they happen at the protocol level and don’t involve traditional "login" events, they often bypass standard application-layer logs.

Security researchers like Kevin Beaumont, have also reiterated this. "Because of how simple this is now to exploit — the bar is removed — expect high likelihood of mass exploitation and related security incidents," Beaumont wrote in his personal blog. "The exploit author has provided no details on how to detect exploitation in logs via products like.. Elastic. Advice would be to keep calm and patch internet facing assets.

The Race to Patch

The MongoDB team has moved swiftly to release patches, but the sheer scale of the MongoDB install base makes global remediation a daunting task. The following versions have been identified as patched and safe:

• MongoDB 8.0.4

• MongoDB 7.0.16

• MongoDB 6.0.19

• MongoDB 5.0.31

For organizations that cannot patch immediately, experts recommend a "nuclear" temporary workaround: disabling zlib compression. While this may result in a slight performance hit and increased bandwidth usage, it effectively closes the vector used by MongoBleed.

The aviation sector, government agencies, and tech giants alike are now in a frantic race against time. With automated exploit kits already circulating on dark web forums, the window for patching is closing. For anyone running MongoDB, the time to act was yesterday.

Also read: MongoDB Cyberattack Reveals Customer Data Compromise: Incident Response in Progress

Cyble researchers have identified a sophisticated attack campaign that uses obfuscation, a unique User Account Control (UAC) bypass and other stealthy techniques to deliver a unified commodity loader and infect systems with Remote Access Trojans (RATs) and infostealers. The malware campaign targets the Manufacturing and Government sectors in Europe and the Middle East, with a specific focus on Italy, Finland, and Saudi Arabia, but shares common features with other attack campaigns, suggesting a shared malware delivery framework used by multiple “high-capability” threat actors. “The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials,” Cyble Research and Intelligence Labs (CRIL) said in a blog post published today.

Sophisticated Attack Campaign Uses Loader Shared by ‘High-capability’ Threat Actors

The sophisticated commodity loader at the heart of the campaign is “utilized by multiple high-capability threat actors,” Cyble said. “Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors,” the researchers said. The CRIL researchers describe “a striking uniformity of tradecraft, uncovering a persistent architectural blueprint that serves as a common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.” Standardized methodology includes the use of steganography to conceal payloads within image files, the use of string reversal and Base64 encoding for obfuscation, and delivering encoded payload URLs directly to the loader. The threat actors also “consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.” Cyble said researchers from Seqrite, Nextron Systems, and Zscaler, have documented similar findings in other campaigns, including “identical class naming conventions and execution patterns across a variety of malware families and operations.” The researchers shared code samples of the shared loader architecture and noted, “This consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.” The loaders have been observed delivering a variety of RATs and infostealers, such as PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos. “This indicates the loader is likely shared or sold across different threat actor groups,” Cyble said. “The fact that multiple malware families leverage these class naming conventions as well as execution patterns ... is further testament to how potent this threat is to the target nations and sectors,” Cyble added.

Campaign Uses Obfuscation, UAC Bypass

The campaign documented by Cyble uses “a diverse array of infection vectors,” such as Office documents that weaponize CVE-2017-11882, malicious SVG files, ZIP archives containing LNK shortcuts, and a unique User Account Control (UAC) bypass. One sample used an LNK file and PowerShell to download a VBS loader, along with the UAC bypass method. The UAC bypass technique appears in later stages of the attack, where the malware monitors process creation events and triggers a UAC prompt when a new process is launched, “tricking the system or user into granting elevated privileges under the guise of a routine operation” and “enabling the execution of a PowerShell process with elevated privileges after user approval.” “The discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle,” the researchers added. “Organizations, especially in the targeted regions, should treat ‘benign’ image files and email attachments with heightened scrutiny.” The campaign starts as a phishing campaign masquerading as standard Purchase Order communications. Image files are hosted on legitimate delivery platforms and contain steganographically embedded payloads, “allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic.” The threat actors use a sophisticated “hybrid assembly” technique to “trojanize” open-source libraries. “By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult,” the researchers said. The infection chain is also engineered “to minimize forensic footprint,” including script obfuscation, steganographic extraction, reflective loading to run code directly in memory, and process injection to hide malicious activity within legitimate system processes. The full Cyble blog takes an in-depth technical look at one sample and also includes recommendations, MITRE tactics, techniques and procedures (TTPs), and Indicators of Compromise (IoCs).

The LockBit ransomware group is making a comeback, with a new data leak site and 21 new victims. LockBit was once the most feared ransomware group, and it still vastly outnumbers other ransomware groups with more than 2,700 claimed victims over its six-year-history, but a series of international law enforcement actions that began in February 2024 severely disrupted the group, and it has struggled to mount a sustained comeback since. LockBit 4.0, released in early 2025, failed to gain much traction and was never completely rolled out, and rivals like Qilin have done well attracting ransomware affiliates with favorable terms like profit sharing and enhanced features. But LockBit 5.0, announced on the underground forum RAMP in September, may be helping the group gain some traction, as it has since launched a new dark web data leak site and claimed new victims, Cyble reported in recent notes to clients. Dec. 8 update: LockBit claimed an additional 14 victims over the weekend since this article was published, raising the group's total to 21 for the month, behind only Qilin and Akira.

LockBit 'Fully Reactivated'

Despite a nearly two-year struggle to regain its footing, LockBit remains by far the most active ransomware group over its six-year history, its 2,757 victims more than double that of its nearest rivals, including Qilin, Akira, Play and CL0P (chart below from Cyble). [caption id="attachment_107448" align="aligncenter" width="1200"] LockBit remains the most dominant ransomware group of all time by a significant margin (Cyble)[/caption] Despite its history and name, LockBit’s comeback route has been a steep one, as arrests, leaked source code and operational leaks have repeatedly hampered comeback attempts and given rivals an advantage. But Cyble reported to clients on Dec. 5 that LockBit has “fully reactivated its public ransomware operations.” The new data leak site launched on November 5 and currently lists 21 new victims, plus several that had been previously claimed by the group. The new LockBit 5.0 variant, internally codenamed “ChuongDong,” has been driving the group’s reemergence. The new ransomware variant includes a complete redevelopment of the ransomware panel and lockers, and the new malware is more modular and offers faster encryption and better evasion of security defenses. Obfuscation is a key feature of the new ransomware version, which targets Linux, Windows and VMware ESXi environments.

LockBit Victims, Sectors and Targeted Countries

One notable new victim claimed by LockBit is an Asian airline providing regional passenger transport and charter services. Another new listing is a major Caribbean real estate company. Looking at the 42 victims claimed by LockBit in 2025 through Dec. 5, what stands out are the sectors and countries targeted, which differ from other leading ransomware groups. LockBit has had surprising success targeting financial services organizations. The group has claimed more victims in the Banking, Financial Services and Insurance (BFSI) sector in 2025 than in other industries (chart below). Overall, financial services isn’t among the top 10 sectors attacked by all ransomware groups, as the BFSI sector typically has stronger cybersecurity controls than other sectors. [caption id="attachment_107450" align="aligncenter" width="1200"] LockBit has had significant success targeting financial services companies (Cyble)[/caption] Also interesting is LockBit’s success targeting organizations in South America (chart below), which differs significantly from other ransomware groups, whose attacks are largely focused on the U.S., Canada and Europe. [caption id="attachment_107452" align="aligncenter" width="1200"] LockBit has had more success in South America than other ransomware groups (Cyble)[/caption] It remains to be seen if LockBit can mount a sustained comeback this time, but the group has a uniquely interesting base to build on. Ransomware affiliates are opportunistic, however, and they tend to gravitate toward the ransomware groups that offer the best chance at profitability and success. LockBit's comeback will depend on its ability to convince affiliates that it deserves to be back among the leaders. Article published on Dec. 5 and updated on Dec. 8 to reflect an increase in recent victims claimed by LockBit from seven to 21.

Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign. “This campaign represents a sophisticated and financially motivated operation combining botnet propagation with stealthy cryptomining,” Cyble threat intelligence researchers wrote in a blog post today. Stealthy techniques and processes allow the new Mirai variant to conduct its mischief in secret. “The attacker employs multiple advanced techniques—including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration—to evade detection and maintain long-term persistence on compromised devices,” the researchers said.

Linux Malware Combines Mirai Botnet with XMRig Cryptominer

Combining Mirai-based DDoS botnet capabilities with XMRig-based cryptomining capabilities reflects a growing trend of “hybrid monetization strategies, where threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining,” the researchers wrote. Organizations operating Linux servers, cloud workloads, or exposed IoT devices “should prioritize hardening and continuous monitoring to mitigate their risk,” they said. The malware uses a multi-stage infection chain that begins with a downloader delivering architecture-specific V3G4/Mirai binaries across x86_64, ARM, and MIPS systems. The second stage, Mddos.x86_64, is a statically linked and UPX-packed Executable and Linkable Format (ELF) file with stripped symbols, “making static inspection more complicated,” Cyble said. After executing and gathering system information, the Linux malware moves into stealth mode, renaming its process to appear as a system daemon (systemd-logind), detaching from the terminal, and launching parallel worker threads for attack operations, command and control (C2) communication, and inter-process communication (IPC) coordination. “A key characteristic of this botnet variant is its use of raw TCP sockets, allowing precise crafting of SYN packets for high-velocity SSH scanning campaigns,” the researchers said. At the same time, worker threads resolve the C2 domain (baojunwakuang[.]asia) via repeated queries to Google Public DNS (8.8.8.8) to maintain command channels. “This multi-threaded DNS resolution strategy is typical of Mirai-style bots, allowing the malware to maintain connectivity and receive commands while executing attacks in parallel,” the researchers wrote.

Fileless Cryptominer

In the third stage, the malware deploys a covert Monero cryptominer by downloading a UPX-packed XMRig binary from the IP 159.75.47[.]123 and stores it in /tmp/.dbus-daemon to masquerade as a legitimate process. Instead of a local configuration file, the miner obtains its configuration dynamically from the C2 server, “enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts” and hindering forensic analysis. “Unlike typical miner deployments that embed a static configuration file on disk ... this sample requests runtime configuration data directly from the C2 server,” the Cyble researchers said. That technique allows the threat actors to avoid exposing wallet addresses, pool endpoints and algorithms during static analysis while dynamically rotating mining parameters and preventing visibility of miner settings on the infected host. During execution, the miner connects to the C2 server to make a configuration request, and the server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count. The full Cyble blog includes recommendations for defenders, MITRE ATT&CK techniques, and indicators of compromise (IoCs).

Security researchers have identified a new Android banking trojan that does much more than steal banking credentials. It can also record encrypted messages and essentially enables complete control of infected devices. ThreatFabric researchers are calling the new Android malware “Sturnus.” “A key differentiator is its ability to bypass encrypted messaging,” the researchers said. “By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.” “Sturnus represents a sophisticated and comprehensive threat, implementing multiple attack vectors that provide attackers with near-complete control over infected devices,” they said. “The combination of overlay-based credential theft, message monitoring, extensive keylogging, real-time screen streaming, remote control, device administrator abuse, and comprehensive environmental monitoring creates a dangerous threat to victims' financial security and privacy.” So far the malware has been configured for targeted attacks against financial institutions in Southern and Central Europe, suggesting that a broader campaign will follow. “While we emphasize that the malware is likely in its pre-deployment state, it is also currently fully functional, and in aspects such as its communication protocol and device support, it is more advanced than current and more established malware families,” they warned.

Android Malware Deploys Fake Login Screens

The trojan harvests banking credentials through “convincing fake login screens that replicate legitimate banking apps,” the researchers said. The Android malware also offers attacks “extensive remote control, enabling them to observe all user activity, inject text without physical interaction, and even black out the device screen while executing fraudulent transactions in the background—without the victim’s knowledge,” they warned. The malware combines HTML overlays and keylogging to capture and exfiltrate user credentials and sensitive data. The overlay engine maintains a repository of phishing templates under /data/user/0/<malware_package>/files/overlays/, where each HTML file corresponds to a specific banking application. When an overlay is triggered, the malware launches a WebView configured with JavaScript, DOM storage, and a JavaScript bridge to intercept and forward any data the victim enters directly to the command and control (C2) server. The malware also includes a full-screen “block overlay” that lets attackers hide their activities from victims by displaying a full-screen black overlay that blocks visual feedback while the malware operates in the background. Beyond basic keystroke logging, the malware continuously monitors the device’s UI tree and sends structured logs that describe what is displayed on screen, which lets attackers reconstruct user activity even when screen capture is blocked or when network conditions prevent live video transmission. “Together, these mechanisms give the operator a detailed, real-time picture of the victim’s actions while providing multiple redundant paths for data theft,” the researchers said.

Capturing Encrypted Messages

Sturnus also monitors the foreground app and automatically activates its UI tree collection when the victim opens encrypted messaging services such as WhatsApp, Signal, or Telegram. “Because it relies on Accessibility Service logging rather than network interception, the malware can read everything that appears on screen—including contacts, full conversation threads, and the content of incoming and outgoing messages—in real time,” the researchers said. “This makes the capability particularly dangerous: it completely sidesteps end-to-end encryption by accessing messages after they are decrypted by the legitimate app, giving the attacker a direct view into supposedly private conversations.” The ThreatFabric report also contained two SHA-256 hashes, the second of which is currently detected by 23 of 67 security vendors on VirusTotal: 045a15df1121ec2a6387ba15ae72f8e658c52af852405890d989623cf7f6b0e5 0cf970d2ee94c44408ab6cbcaabfee468ac202346b9980f240c2feb9f6eb246d

Compromised VPN credentials are the most common initial access vector for ransomware attacks, according to a new report. Nearly half of ransomware attacks in the third quarter abused compromised VPN credentials as the initial access point, according to research from Beazley Security, the cybersecurity arm of Beazley Insurance. Nearly a quarter of initial access attacks came from external service exploitation, while remote desktop service (RDS) credential compromises, supply chain attacks and social engineering accounted for 6% each (chart below). [caption id="attachment_106993" align="aligncenter" width="480"] Initial access vectors in ransomware attacks (Beazley Security)[/caption] “This trend underscores the importance of ensuring that multifactor authentication (MFA) is configured and protecting remote access solutions and that security teams maintain awareness and compensating controls for any accounts where MFA exceptions have been put in place,” the report said. In addition to the critical need for MFA, the report also underscores the importance of dark web monitoring for leaked credentials, which are often a precursor to much bigger cyberattacks.

SonicWall Compromises Led Attacks on VPN Credentials

A “prolonged campaign” targeting SonicWall devices by the Akira ransomware group was responsible for some of the 10-point increase in the percentage of VPN attacks. “Adding to SonicWall’s misery this quarter was a significant breach of their cloud service, including sensitive configuration backups of client SonicWall devices,” the report added. Akira, Qilin and INC were by far the most active ransomware groups in the third quarter, Beazley said – and all three exploit VPN and remote desktop credentials. Akira “typically gains initial access by exploiting weaknesses in VPN appliances and remote services,” the report said. In the third quarter, they used credential stuffing and brute force attacks to target unpatched systems and weak credentials. Akira accounted for 39% of Beazley Security incident response cases in the third quarter. Akira “consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies on the device,” the report said. Qilin’s initial access techniques include phishing emails, malicious attachments, and brute forcing weak credentials or stolen credentials in remote desktop protocol (RDP) and VPN services. INC Ransomware uses a combination of phishing, credential theft, and exploitation of exposed enterprise appliances for initial access. “Beazley Security responders observed the group leverage valid, compromised credentials to access victim environments via VPN and Remote Desktop,” the report said.

Cisco, Citrix Vulnerabilities, SEO Poisoning Also Exploited

Critical vulnerabilities in Cisco and Citrix NetScaler were also targeted by attackers in the third quarter. In one campaign, a sophisticated threat actor leveraged CVE-2025-20333 and CVE-2025-20363 in Cisco ASA VPN components to gain unauthorized access into environments, Beazley said. Another campaign targeted a critical SNMP flaw (CVE-2025-20352) in Cisco IOS.‍ Threat actors also targeted Citrix NetScaler vulnerabilities CVE-2025-7775 and CVE-2025-5777. The latter has been dubbed “Citrix Bleed 2” because of similarities to 2023’s “Citrix Bleed” vulnerability (CVE-2023-4966). A “smaller yet noteworthy subset” of ransomware attacks gained access via search engine optimization (SEO) poisoning attacks and malicious advertisements, used for initial access in some Rhysida ransomware attacks. “This technique places threat actor-controlled websites at the top of otherwise trusted search results, tricking users into downloading fake productivity and administrative tools such as PDF editors,” the report said. “These tools can be trojanized with various malware payloads, depending on threat actor objectives, and can potentially give threat actors a foothold directly on the endpoint in a network. The attack is effective because it bypasses other traditional social engineering protections like email filters that prevent phishing attacks.”