AI
TRENDING TOPICS FEB 19, 2026 AI as Infrastructure: Covert C2 Relays and the Emergence of Prompt-Driven Malware Security researchers at Check Point Research demonstrated that modern AI assistants with web-fetch or browsing capabilities can be repurposed as covert command-and-control relays, effectively turning trusted AI platforms into proxy infrastructure. By abusing
Lumma Stealer Impact and Exposure Matrix System Assets and Credential Theft Targets Windows Endpoints Windows 7-11 workstations and laptops Exposure Details Primary execution environment for Lumma payloads and credential harvesting activity Web Browsers and Sessions Chromium and Mozilla-based browsers (Chrome, Edge, Firefox, Opera) Exposure Details Theft of saved credentials, cookies,
OpenClaw
TRENDING TOPICS FEB 18, 2026 Update: OpenClaw Ecosystem Hit by Skill Marketplace Malware and Log Injection Weakness A coordinated supply-chain campaign named ClawHavoc targeted OpenClaw’s official skill marketplace, ClawHub, by flooding it with at least 1,184 malicious Skills published over time. Attackers registered developer accounts, uploaded Skills that
Atlassian
TRENDING TOPICS FEB 17, 2026 Attackers Abuse Atlassian Jira Cloud to Deliver Trusted-Looking Spam Campaigns TrendMicro researchers observed threat actors abusing Atlassian Jira Cloud to distribute large-scale spam campaigns by sending emails directly from legitimate atlassian[.]net domains. Since the messages originated from a trusted SaaS platform with valid SPF
ClickFix
Critical Severity 1 CVE CVE-2026-1731 BeyondTrust Remote Support & PRA Critical pre-auth remote code execution in BeyondTrust Remote Support and legacy Privileged Remote Access lets unauthenticated attackers send crafted requests that run OS commands as the site user; patch self‑hosted appliances immediately, remove unnecessary internet exposure, and enable tight
LummaStealer
TRENDING TOPICS FEB 12, 2026 Update: LummaStealer Rebuilds at Scale Using CastleLoader and Social-Engineering-Driven Delivery Chains Security researchers have observed a renewed surge in LummaStealer activity, demonstrating how the infostealer operation has rapidly recovered despite a major law-enforcement disruption in 2025 that dismantled thousands of command-and-control domains. LummaStealer, a malw
Windows Endpoints Exposure Drivers High risk because Windows users frequently download utilities, productivity tools, PDF editors, browsers, remote support tools, and security products from the web. Malvertising and search manipulation can funnel these downloads to convincing counterfeit portals that deliver trojanized EXE/MSI installers, sometimes alongside the legitimate application to
RU-APT-ChainReaver-L
Critical Severity 5 CVEs CVE-2026-21522 Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability (Azure Compute Gallery) CVE-2026-21532 Azure Function Information Disclosure Vulnerability CVE-2026-23655 Microsoft ACI Confidential Containers Information Disclosure Vulnerability (Azure Compute Gallery) CVE-2026-24300 Azure Front Door (AFD) Elevation of Privilege Vulnerability CVE-2026-24302 Azure Arc Elevation of Privilege Vulnerab
ZeroDayRAT
TRENDING TOPICS FEB 10, 2026 ZeroDayRAT Mobile Spyware Enables Cross-Platform Surveillance and Financial Theft Security researchers at iVerify have identified a commercial mobile spyware platform, ZeroDayRAT, openly sold on Telegram, offering full remote control over compromised Android and iOS devices. The platform supports a wide range of operating system versions
Shouting into the IT void
TRENDING TOPICS FEB 09, 2026 Update: ClawHub Malicious Skills Shift From Embedded Payloads to Off-Platform Lures Threat actors behind an ongoing ClawHub malicious-skills campaign have changed tactics to evade newer registry defenses. Instead of hiding encoded malware inside SKILL[.]md files, they now keep the skill pages clean and use
CVE-2026-25049 Critical n8n Workflow Automation COMMAND EXECUTION AUTH REQUIRED Critical vulnerability in the n8n workflow automation platform that allows authenticated users with workflow-editing permissions to trigger unintended system command execution through crafted expressions, potentially compromising the underlying server infrastructure. Mitigation: Update n8n to versions 1.123.17 or 2.5.
TRENDING TOPICS FEB 05, 2026 Update: LockBit 5.0 Emerges as Cross-Platform Ransomware Targeting Windows, Linux, and ESXi Environments Kaspersky has identified a new wave of LockBit 5.0 ransomware samples designed to operate across Windows, Linux, and VMware ESXi environments, reflecting a continued shift toward highly scalable, multi-platform ransomware
How the Threat is Introduced (Initial Access) Official Store Publishing or Impersonation Attackers publish extensions that appear legitimate or impersonate popular tools, relying on storefront trust signals and user intent. Developer Account Compromise (Supply Chain) Phishing and permission abuse against extension developers enables attackers to upload a malicious version of
TRENDING TOPICS FEB 04, 2026 Dual-Mode Citrix Gateway Recon Campaign: Residential Proxies and Version Enumeration Between January 28 and February 2, 2026, GreyNoise observed a coordinated reconnaissance effort targeting Citrix ADC and NetScaler Gateway environments, with activity peaking just before February 1. The campaign totaled 111,834 sessions and used
TRENDING TOPICS FEB 03, 2026 GlassWorm Supply Chain Attack Abuses Trusted Open VSX Extensions to Steal Developer Secrets A supply chain attack tracked as GlassWorm compromised the Open VSX Registry after threat actors gained unauthorized access to the publishing credentials of a legitimate developer account, oorzc. On January 30, 2026,
MONTHLY WRAP MONTHLY WRAP Overview January 2026 reinforced a clear reality: attackers are gaining leverage by abusing trust and identity far more often than by inventing new exploits. This month featured sustained identity-driven intrusions (vishing, adversary-in-the-middle, OAuth abuse, Browser-in-the-Browser phishing
TRENDING TOPICS FEB 02, 2026 Update: Google Findings on ShinyHunters SSO-Driven SaaS Intrusions Recent intrusions tied to ShinyHunters, Scattered Spider, and the Scattered LAPSUS$ Hunters label reinforce the idea that identity has become the primary entry point into SaaS environments. Instead of exploiting software flaws, operators impersonate IT or support
CVE-2026-24858 Critical Fortinet FortiCloud SSO AUTHENTICATION BYPASS CROSS-ACCOUNT ACCESS Authentication bypass vulnerability in Fortinet products that allows an attacker with a FortiCloud account and a registered device to log into other Fortinet devices owned by different accounts when FortiCloud SSO is enabled, enabling unauthorized cross-tenant access. Urgent Action: Immediately apply
TRENDING TOPICS JAN 29, 2026 Update: TA584 Accelerates Initial Access Innovation with ClickFix and Tsundere Bot MaaS TA584 is a highly active and adaptive initial access broker that significantly increased its operational tempo throughout 2025, tripling monthly campaign volume while continuously rotating infrastructure, lures, and delivery techniques. The actor demonstrated
ShinyHunters (UNC6040) Emergence Date: 2020 Attribution Financially motivated extortion group; pivoted from mass data theft to SaaS targeting Recent Activities Claimed responsibility for vishing campaigns against Okta, Microsoft Entra, and Google SSO; identified Salesforce as a primary target Targets Salesforce; SaaS platforms reachable via SSO ShinyHunters UNC6040 Financially Motivated Vishing
TRENDING TOPICS JAN 28, 2026 GitHub Repository Abuse Enables Malware Delivery Through Trusted Installer Paths GMO Researchers have identified a malware campaign that exploits GitHub's repository-forking mechanism to distribute trojanized installers under the guise of official projects. Attackers fork the legitimate GitHub Desktop repository, alter download links in
