china
RedNovember likely stays fast-follow on edge devices using N-days and public PoCs, not 0-days. China-nexus peers show willingness to burn edge 0-days, so a pivot is plausible but not base case...
unc5221
Question: By Dec 31, 2025, will UNC5221 be publicly linked to exploiting at least one new zero-day in a non-Ivanti edge platform (e.g., VMware vCenter/ESXi, Citrix NetScaler, F5, Palo Alto, Fortinet)?
void-proxy
VoidProxy is reshaping the phishing landscape, enabling adversaries to bypass MFA and hijack enterprise cloud sessions with minimal technical skill. Its rapid adoption, use of trusted email providers, and evasive infrastructure demand urgent, layered defenses—especially for organizations...
c2
Attackers are rapidly shifting to modular, cloud-integrated C2 frameworks—Sliver, Havoc, Mythic, Brute Ratel C4, and Cobalt Strike—blurring lines between APT and cybercrime. These tools’ stealth, automation, and cloud API abuse are outpacing legacy detection, demanding urgent defensive adaptation.
geopolitics
Financial institutions are quietly overhauling cyber defenses, blending geopolitical risk with threat intelligence to counter state-sponsored attacks and regulatory pressure. This shift is driving new investments in automation, incident response, and sector-wide collaboration..
ta558
TA558’s “SteganoAmor” campaign leverages steganography to deliver commodity malware across oil, gas, maritime, and industrial targets. The group’s use of image-embedded payloads and compromised infrastructure...
poisonseed
If your bulk email or CRM gets popped, PoisonSeed rides your good reputation straight past filters and users’ instincts. Here’s the fast path to detect and blunt it—without boiling the ocean.
TA558’s “SteganoAmor” campaign leverages steganography to deliver commodity malware across oil, gas, maritime, and industrial targets. The group’s use of image-embedded payloads and compromised infrastructure...
If your organization consumes satellite data, runs VSATs (very small aperture terminals), or depends on vendors who do—you’re in scope. Since 2020, attackers have shifted from “space” to the easier target: ground networks and cloud storage.
Shamos, a new Atomic macOS Stealer (AMOS) variant attributed to COOKIE SPIDER, is targeting U.S. tech and education sectors via malvertising and fake support sites.
Hybrid attacks are hitting navigation and port systems harder than ever — from ransomware to GPS spoofing — threatening safety, operations, and global trade.
Your SOC’s Burning—Find the Arsonist, Not the Ashes.
If your organization consumes satellite data, runs VSATs (very small aperture terminals), or depends on vendors who do—you’re in scope. Since 2020, attackers have shifted from “space” to the easier target: ground networks and cloud storage.
Russia-linked actors leaned hard on OAuth device codes and RDP phishing from Oct 2024–Aug 2025. Providers pushed back in concert. Here’s what changed, what to watch in your logs, and the quickest moves that buy real risk reduction.
Three financially motivated clusters—UNC3944 (“Scattered Spider”), UNC6040, and UNC6395—are driving a surge in SaaS and cloud data theft via social engineering, OAuth abuse, and supply-chain attacks. Their evolving TTPs and anti-forensics are raising the stakes for defenders..
Shamos, a new Atomic macOS Stealer (AMOS) variant attributed to COOKIE SPIDER, is targeting U.S. tech and education sectors via malvertising and fake support sites.
Your code assistant invents a “helpful” package; an attacker registers it; your pipeline installs it. As of Aug 27, 2025, this is moving from edge case to repeatable tactic. Here’s how to spot it fast and force your builds to fail-closed.
If Redis is open to the internet, assume compromise. This actor gains root with native Redis tricks, plants miners, and hides using “rootkit-style” evasion. Here’s how to spot it fast and close the hole for good.
Hybrid attacks are hitting navigation and port systems harder than ever — from ransomware to GPS spoofing — threatening safety, operations, and global trade.
Three converging trends—ransomware, volatile regulations, and global instability—are reshaping risk for US tech, finance, and education. The common thread? Disruption spreads faster than most organizations can detect or respond.
In the last 90 days, HeartCrypt-packed ransomware has evaded initial SOC detection in up to 40% of targeted incidents. Attackers no longer waste time building stealth — they rent it. HeartCrypt’s PaaS delivers EDR-kill tools, sandbox evasion, and polymorphic payloads at industrial scale.
Russian-linked RomCom is abusing a critical WinRAR bug to quietly persist in networks, move laterally, and siphon data over encrypted channels — hitting government, finance, and telecom sectors hard. Patch lag is keeping doors wide open.
Storm-2603 is a China-based threat actor, first identified in 2025, leveraging a hybrid operational model that combines espionage tactics with financially motivated ransomware deployment. The group is distinct from, but shares some infrastructure and tooling with, other Chinese APTs such as...
Akira ransomware, first observed in March 2023, is attributed to a financially motivated cybercrime group composed of former Conti affiliates. The group operates a ransomware-as-a-service (RaaS) model, reusing code and infrastructure from Conti, and has been responsible for...