shamos
Shamos macOS Infostealer: Malvertising Lures, BYOD Gaps, and Sector Expansion
Shamos, a new Atomic macOS Stealer (AMOS) variant attributed to COOKIE SPIDER, is targeting U.S. tech and education sectors via malvertising and fake support sites.
supply-chain
Your code assistant invents a “helpful” package; an attacker registers it; your pipeline installs it. As of Aug 27, 2025, this is moving from edge case to repeatable tactic. Here’s how to spot it fast and force your builds to fail-closed.
ta-natalstatus
If Redis is open to the internet, assume compromise. This actor gains root with native Redis tricks, plants miners, and hides using “rootkit-style” evasion. Here’s how to spot it fast and close the hole for good.
ransomware
Hybrid attacks are hitting navigation and port systems harder than ever — from ransomware to GPS spoofing — threatening safety, operations, and global trade.
ransomware
Three converging trends—ransomware, volatile regulations, and global instability—are reshaping risk for US tech, finance, and education. The common thread? Disruption spreads faster than most organizations can detect or respond.
heartcrypt
In the last 90 days, HeartCrypt-packed ransomware has evaded initial SOC detection in up to 40% of targeted incidents. Attackers no longer waste time building stealth — they rent it. HeartCrypt’s PaaS delivers EDR-kill tools, sandbox evasion, and polymorphic payloads at industrial scale.
romcom
Russian-linked RomCom is abusing a critical WinRAR bug to quietly persist in networks, move laterally, and siphon data over encrypted channels — hitting government, finance, and telecom sectors hard. Patch lag is keeping doors wide open.
storm-2603
Storm-2603 is a China-based threat actor, first identified in 2025, leveraging a hybrid operational model that combines espionage tactics with financially motivated ransomware deployment. The group is distinct from, but shares some infrastructure and tooling with, other Chinese APTs such as...
ransomware
Akira ransomware, first observed in March 2023, is attributed to a financially motivated cybercrime group composed of former Conti affiliates. The group operates a ransomware-as-a-service (RaaS) model, reusing code and infrastructure from Conti, and has been responsible for...
unc3944
Ransomware groups—including BlackCat/ALPHV, Black Basta, RansomHub, and Dark Angels—are increasingly targeting VMware ESXi and similar virtualization platforms using advanced hypervisor-level attack techniques. The exploitation of CVE-2024-37085...
storm-2603
Storm-2603 is a China-based, financially motivated threat actor first identified in early 2025, responsible for a global campaign exploiting critical Microsoft SharePoint zero-day vulnerabilities (CVE-2025-53770, CVE-2025-49706, CVE-2025-49704).
unc6148
UNC6148, a financially motivated threat actor tracked by Google Threat Intelligence Group (GTIG), has been actively exploiting fully patched but end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances since at least October 2024...