Trending Topics

TRENDING TOPICS MAR 02, 2026

Update: Hackers Conduct Mass Scanning Campaign Against SonicWall Firewalls Using 4,000+ IPs

A large-scale reconnaissance campaign is actively targeting SonicWall firewall infrastructure worldwide, with attackers using more than 4,000 unique IP addresses to identify vulnerable systems ahead of potential exploitation, according to new analysis by GreyNoise. Between February 22 and 25, 2026, threat actors initiated over 84,000 scanning sessions against SonicWall SonicOS devices. The activity originated from 4,305 distinct IP addresses across 20 autonomous systems, suggesting a coordinated effort that may precede widespread exploitation. Researchers warn that this campaign could put thousands of organizations at risk if follow-on attacks are launched.

GreyNoise reports that 92% of all observed scans targeted a specific REST API endpoint within SonicOS responsible for SSL VPN status checks, a common reconnaissance step attackers take before attempting credential-based intrusions. This pattern indicates systematic mapping of accessible targets rather than immediate compromise attempts. The campaign operated through three distinct infrastructure clusters, reflecting a high degree of coordination. It mirrors a similar reconnaissance wave observed in December 2025, when actors conducted over 9 million scans against Palo Alto and SonicWall VPN systems using the same client fingerprinting techniques. Analysts view the February 2026 activity as a direct continuation and escalation of that earlier effort.

More than 430,000 SonicWall firewalls are currently exposed to the public internet, with an estimated 25,000 SSL VPN interfaces still vulnerable to unpatched critical flaws and roughly 20,000 running unsupported firmware. Historically, SonicWall’s SSL VPN has been a favored entry point for ransomware operators such as Akira and Fog, which together have compromised hundreds of organizations. Since early 2023, Akira alone has generated an estimated $244 million in ransom proceeds through breaches involving SonicWall VPN access.

The sustained focus and scale of the campaign suggest that SonicWall devices, already favored entry vectors in ransomware operations, remain at the forefront of attacker reconnaissance and exploitation efforts.
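The signature GreyNoise describes, many distinct sources converging on one status endpoint, is something a defender can check for in their own edge-device access logs. The following is an added illustration, not GreyNoise's tooling or anything from SonicWall; the log format, the placeholder API paths and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real SonicOS logs). The API paths are
# placeholders standing in for the SSL VPN status endpoint the analysis names.
SAMPLE_LOG = "\n".join(
    [f"2026-02-23T10:00:{i:02d}Z 203.0.113.{i} GET /api/PLACEHOLDER-status 401"
     for i in range(12)]
    + ["2026-02-23T10:00:05Z 198.51.100.7 GET /api/PLACEHOLDER-login 200",
       "2026-02-23T10:30:00Z 198.51.100.7 GET /api/PLACEHOLDER-status 200"])

LINE_RE = re.compile(r"^(\S+)Z (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (timestamp, src_ip, path), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2), m.group(4)

def endpoint_share(log_text):
    """Fraction of all requests that hit each path, highest first."""
    counts, total = defaultdict(int), 0
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        counts[rec[2]] += 1
        total += 1
    return sorted(((p, c / total) for p, c in counts.items()), key=lambda x: -x[1])

def detect_scan_bursts(log_text, window_seconds=60, min_distinct_ips=10):
    """Flag paths hit by >= min_distinct_ips distinct sources inside any sliding
    window of window_seconds; many sources against one path is the recon signature.
    Returns {path: peak distinct-source count}."""
    by_path = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_path[rec[2]].append((rec[0], rec[1]))
    window, flagged = timedelta(seconds=window_seconds), {}
    for path, events in by_path.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {ip for _, ip in events[start:end + 1]}
            if len(distinct) >= min_distinct_ips:
                flagged[path] = max(flagged.get(path, 0), len(distinct))
    return flagged
```

The threshold and window should be tuned to the device's normal client population; a single remote office hitting the status endpoint repeatedly from one address will not trip the distinct-source count.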

North Korea’s APT37 Targets Air-Gapped Networks in “Ruby Jumper” Campaign

North Korea-linked threat group APT37 (also known as ScarCruft, Reaper, and Group123) has launched a sophisticated cyber-espionage campaign dubbed “Ruby Jumper”, using Zoho WorkDrive for command-and-control (C2) and USB-based malware to compromise air-gapped networks. The campaign was identified by Zscaler ThreatLabz in December 2025 and demonstrates the group’s evolving tactics for targeting isolated government and defense systems.

The attack chain begins with malicious LNK shortcut files that execute PowerShell scripts to unpack hidden payloads. These payloads deploy a backdoor known as RESTLEAF, which abuses Zoho WorkDrive APIs and hardcoded tokens for C2 communication. RESTLEAF then downloads and executes encrypted shellcode through process injection, delivering a secondary dropper called SNAKEDROPPER. SNAKEDROPPER installs a rogue Ruby runtime disguised as a USB utility, establishes persistence, and drops additional components, including THUMBSBD, a backdoor designed to infiltrate air-gapped environments via removable media. THUMBSBD collects system diagnostics, enumerates files, and stages data for exfiltration through hidden USB directories, allowing stolen information and commands to travel between isolated systems.

According to Zscaler’s report, THUMBSBD also deploys BLUELIGHT, a previously documented backdoor that leverages legitimate cloud services, including Google Drive, OneDrive, pCloud, and Backblaze, for covert network communications. Later-stage payloads, such as FOOTWINE, add surveillance capabilities, including keylogging and audio/video capture, while VIRUSTASK propagates the infection by substituting benign USB files with malicious shortcuts.

Zscaler attributes Ruby Jumper to APT37 with high confidence, citing overlapping infrastructure, code similarity, and techniques consistent with past North Korean operations. These include multi-stage LNK infections, encrypted PowerShell loaders, custom API hashing, and decoy content aimed at DPRK-related targets. Active since at least 2012, ScarCruft has a history of exploiting zero-days and targeting government, military, and media organizations, most notably the Adobe Flash Player zero-day uncovered in 2018. The new Ruby Jumper campaign underscores APT37’s growing emphasis on cloud-based C2 infrastructure and physical media propagation to overcome air-gap isolation.
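Two of the removable-media artefacts described above, hidden staging directories and shortcuts substituted for real files, can be surfaced with a simple sweep of a USB volume before it is plugged into an isolated system. This is an added illustration, not Zscaler's tooling or any Ruby Jumper component; the demo volume, its file names and the inert placeholder contents are constructed, and the heuristic (a .lnk whose name mirrors a real file anywhere on the volume) is an assumption about how substitution would look on disk.

```python
import os
import stat
import tempfile
from pathlib import Path

def is_hidden(path):
    """Hidden by POSIX dot-prefix or by the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def scan_removable_volume(volume_root):
    """Return (substituted_lnks, hidden_dirs), both relative to the volume root.
    A .lnk whose name mirrors a real file anywhere on the volume matches the
    substitution pattern; hidden directories are candidate staging areas."""
    root = Path(volume_root)
    by_name, by_stem, lnks, hidden_dirs = {}, {}, [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if is_hidden(Path(dirpath, d)):
                hidden_dirs.append(str(Path(dirpath, d).relative_to(root)))
        for f in filenames:
            p = Path(dirpath, f)
            if p.suffix.lower() == ".lnk":
                lnks.append(p)
            else:
                by_name.setdefault(p.name, []).append(p)
                by_stem.setdefault(p.stem, []).append(p)
    substituted = []
    for lnk in lnks:
        twin = lnk.stem   # "Budget.xlsx.lnk" -> "Budget.xlsx"; "Readme.lnk" -> "Readme"
        if twin in by_name or twin in by_stem:
            substituted.append(str(lnk.relative_to(root)))
    return sorted(substituted), sorted(hidden_dirs)

def build_demo_volume():
    """Constructed stand-in for an infected USB stick; the files are inert placeholders."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    (root / "Budget.xlsx").write_bytes(b"spreadsheet")
    (root / "Budget.xlsx.lnk").write_bytes(b"shortcut stand-in")   # mirrors a real file
    (root / "Readme.txt").write_bytes(b"readme")
    (root / "Readme.lnk").write_bytes(b"shortcut stand-in")        # mirrors a real file's stem
    (root / "Setup.lnk").write_bytes(b"shortcut stand-in")         # no twin: not flagged
    staged = root / ".stage"                                       # hidden staging dir
    staged.mkdir()
    (staged / "Report.docx").write_bytes(b"original moved out of sight")
    (root / "Report.docx.lnk").write_bytes(b"shortcut stand-in")   # twin lives in hidden dir
    return root
```

A hit is a reason to image the stick and inspect the shortcut targets, not proof of this specific malware; legitimate shortcuts next to their targets will also match the name heuristic.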

Hackers Exploit Claude Code AI Assistant

Hackers leveraged Anthropic’s Claude Code AI assistant to generate exploits, build custom intrusion tools, and automate the theft of more than 150GB of sensitive data in a cyberattack targeting several Mexican government agencies, according to Israeli cybersecurity firm Gambit Security. The incident underscores how generative AI can be weaponized to accelerate and scale real-world cyber operations.

The campaign, which began in December 2025, targeted 10 Mexican government agencies and a financial institution, starting with the country’s federal tax authority. Investigators found that threat actors submitted more than 1,000 prompts to Claude Code and used OpenAI’s GPT-4.1 to process and analyze exfiltrated data. By jailbreaking Claude, the attackers overcame built-in safety restrictions and ran the AI continuously for about a month to automate exploit generation and data theft. Their targets included the electoral institute, state governments, Mexico City’s civil registry, and Monterrey’s water utility. The operation compromised roughly 195 million records, representing one of the largest known breaches involving AI-assisted tooling.

The threat actors posed as bug bounty testers to deceive the model into compliance. Although Claude initially flagged certain actions, such as log deletion or covert exfiltration, as suspicious, persistent prompting eventually caused it to cooperate. When Claude ceased to respond productively, the attackers pivoted to OpenAI’s ChatGPT, leveraging it to plan deeper lateral movement and organize stolen credentials. They repeatedly queried both systems for additional vulnerable endpoints and identity databases across the Mexican government network.

This case follows a similar incident disclosed by Anthropic in November 2025, when China-linked threat actors reportedly abused Claude Code in a large-scale espionage campaign against nearly 30 global organizations, illustrating a broader trend of adversaries repurposing generative AI for offensive cyber operations.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.


By William Elchert