supply-chain
Your code assistant invents a “helpful” package; an attacker registers it; your pipeline installs it. As of Aug 27, 2025, this is moving from edge case to repeatable tactic. Here’s how to spot it fast and force your builds to fail-closed.
ta-natalstatus
If Redis is open to the internet, assume compromise. This actor gains root with native Redis tricks, plants miners, and hides using “rootkit-style” evasion. Here’s how to spot it fast and close the hole for good.
ransomware
Hybrid attacks are hitting navigation and port systems harder than ever — from ransomware to GPS spoofing — threatening safety, operations, and global trade.
ransomware
Three converging trends—ransomware, volatile regulations, and global instability—are reshaping risk for US tech, finance, and education. The common thread? Disruption spreads faster than most organizations can detect or respond.
heartcrypt
In the last 90 days, HeartCrypt-packed ransomware has evaded initial SOC detection in up to 40% of targeted incidents. Attackers no longer waste time building stealth — they rent it. HeartCrypt’s PaaS delivers EDR-kill tools, sandbox evasion, and polymorphic payloads at industrial scale.
romcom
Russian-linked RomCom is abusing a critical WinRAR bug to quietly persist in networks, move laterally, and siphon data over encrypted channels — hitting government, finance, and telecom sectors hard. Patch lag is keeping doors wide open.
storm-2603
Storm-2603 is a China-based threat actor, first identified in 2025, leveraging a hybrid operational model that combines espionage tactics with financially motivated ransomware deployment. The group is distinct from, but shares some infrastructure and tooling with, other Chinese APTs such as...
Hybrid attacks are hitting navigation and port systems harder than ever — from ransomware to GPS spoofing — threatening safety, operations, and global trade.
In the last 90 days, HeartCrypt-packed ransomware has evaded initial SOC detection in up to 40% of targeted incidents. Attackers no longer waste time building stealth — they rent it. HeartCrypt’s PaaS delivers EDR-kill tools, sandbox evasion, and polymorphic payloads at industrial scale.
Ransomware groups—including BlackCat/ALPHV, Black Basta, RansomHub, and Dark Angels—are increasingly targeting VMware ESXi and similar virtualization platforms using advanced hypervisor-level attack techniques. The exploitation of CVE-2024-37085..
DarkWatchMan is a fileless, modular malware family first observed in late 2021 and attributed to the financially motivated Hive0117 group. The malware is primarily delivered via spear-phishing emails containing password-protected archives, targeting Russian critical infrastructure (energy, etc).
Your SOC’s Burning—Find the Arsonist, Not the Ashes.
Akira ransomware, first observed in March 2023, is attributed to a financially motivated cybercrime group composed of former Conti affiliates. The group operates a ransomware-as-a-service (RaaS) model, reusing code and infrastructure from Conti, and has been responsible for...
Ransomware groups—including BlackCat/ALPHV, Black Basta, RansomHub, and Dark Angels—are increasingly targeting VMware ESXi and similar virtualization platforms using advanced hypervisor-level attack techniques. The exploitation of CVE-2024-37085..
Storm-2603 is a China-based, financially motivated threat actor first identified in early 2025, responsible for a global campaign exploiting critical Microsoft SharePoint zero-day vulnerabilities (CVE-2025-53770, CVE-2025-49706, CVE-2025-49704).
UNC6148, a financially motivated threat actor tracked by Google Threat Intelligence Group (GTIG), has been actively exploiting fully patched but end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances since at least October 2024...
DarkWatchMan is a fileless, modular malware family first observed in late 2021 and attributed to the financially motivated Hive0117 group. The malware is primarily delivered via spear-phishing emails containing password-protected archives, targeting Russian critical infrastructure (energy, etc).
PSLoramyra represents a sophisticated fileless malware loader employing advanced obfuscation and stealth techniques to evade detection and maintain persistence. The latest detection strategies center on a suite of YARA rules designed to identify HEX-encoded..
Dark Partners is a financially motivated cybercrime group active since at least May 2025, orchestrating large-scale cryptocurrency theft campaigns through a sophisticated infrastructure of fake websites mimicking AI tools, VPN services, crypto wallets, and widely used software brands.
UNC6040 is a financially motivated threat actor specializing in voice phishing (vishing) campaigns that abuse Salesforce Data Loader connected apps to gain unauthorized access and exfiltrate sensitive data. This novel attack vector leverages social engineering via telephone impersonation of...
UAC-0226, a threat cluster tracked by CERT-UA has intensified cyber-espionage operations against Ukrainian military, law enforcement, and government institutions since early 2025.
In April 2024, the People’s Liberation Army (PLA) disbanded its Strategic Support Force (SSF), establishing three independent branches: the Cyberspace Force, Aerospace Force, and Information Support Force (ISF). This reorganization reflects a strategic pivot toward specialization and operation...
Healthcare organizations with SIEM deployments and immature SOCs face escalating risks from AI-driven vishing attacks leveraging voice deepfakes. This analysis outlines a pragmatic, phased approach for integrating AI-based voice deepfake detection and audio watermarking..
LapDogs, PolarEdge, and Volt Typhoon represent a new wave of China-linked ORB (Operational Relay Box) networks, each leveraging compromised SOHO routers, IoT devices, and enterprise infrastructure to conduct targeted, persistent espionage. LapDogs, first identified in 2025, uses the "ShortLeash"..