weekly
SIGNALS WEEKLY: Android Banking Malware & VS Code Worms Go Mainstream
🚨 CodeRED alerts ransomed. 🐛 Shai Hulud 2.0 looting CI/CD secrets. 📱 107 Android bugs + Albiriox on-device fraud. Signals Weekly on what to fix first.
ai
Your “normal” AI traffic can be stealth C2 now. Dark LLMs are writing per-host pwsh one-liners, self-rewriting droppers, and hiding in model APIs you approved. If you’re not policing AI egress, you’re not doing detection. 😬🤖
forecasts
AI just ran most of an espionage op, and regulators are still in “interesting case study” mode. 😏 We’re forecasting: 55% odds that by 2026, someone will force signed AI connectors + agent logs by default.
weekly
Wormed npm repos. Multi-vector APTs. KEV-listed identity RCE. If your CI/CD + SSO aren’t on the same crisis board this week, you’re already late. 😈🚨
ai
Anthropic just showed what happens when your “helpful” AI agents become C2: 80–90% of an espionage op automated, humans just clicking approve. Lock down identity + connectors or you’re renting your SaaS to someone else’s botnet. 🤖🚨
forecasts
20% odds Akira triggers a 7-day ambulance diversion at a 10+ hospital system by end of 2026. 🚑 Still feeling “low risk”?
weekly
A China-nexus crew let a jailbroken AI run most of the intrusion, FortiWeb and Firebox bugs are burning in KEV, and a contractor leak just dropped the playbook.
cl0p
LockBit got the Operation Cronos takedown. BlackCat imploded. Cl0p just logged a record leak month—and shows no sign of slowing. By 2026, do we really keep Cl0p dark for 90+ days… or just get Cl0p v2 with a fresh logo?
unc6485
UNC6485 is farming Triofox: spoof Host: localhost to reach the setup page, mint an admin, point the antivirus scanner path at your own script, get SYSTEM, then drop RMM and reverse RDP over 443. Patch to 16.7.10368.56560 now. Copycats next. 🔥🛡️
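Added example for the chain above (not code from the newsletter, Gladinet or Mandiant): a small hunt over IIS W3C logs for the first step, a request that reaches the setup page by claiming `Host: localhost` from a client that is not actually loopback, plus a version check against the patched build named in the post. The field names follow the standard IIS `#Fields:` header; the `/setup` route and every log line below are constructed assumptions for illustration, so adjust `SETUP_MARKERS` to your deployment.

```python
import ipaddress
from dataclasses import dataclass

FIXED_VERSION = "16.7.10368.56560"   # patched Triofox build named in the post
SETUP_MARKERS = ("/setup",)          # ASSUMPTION: adjust to the real setup route(s)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Hit:
    time: str
    client_ip: str
    host_header: str
    path: str
    status: str
    severity: str


def parse_w3c(lines):
    """Yield one dict per IIS W3C record, keyed by the names in the '#Fields:' header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip instead of misaligning columns
        yield dict(zip(fields, values))


def hostname_of(host_header):
    """Strip an optional :port from a Host value, handling bracketed IPv6."""
    h = host_header.lower()
    if h.startswith("["):
        return h[1:h.index("]")] if "]" in h else h
    return h.split(":")[0]


def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_host_spoof(lines):
    """Flag requests whose Host header claims loopback while the client IP does not.
    Reaching a setup route that way is the escalation path, so it scores 'high';
    any other spoofed-loopback request is still worth a look and scores 'medium'."""
    hits = []
    for rec in parse_w3c(lines):
        host = hostname_of(rec.get("cs-host", ""))
        cip = rec.get("c-ip", "")
        if host not in LOCAL_HOSTS or is_loopback(cip):
            continue
        path = rec.get("cs-uri-stem", "").lower()
        sev = "high" if any(m in path for m in SETUP_MARKERS) else "medium"
        hits.append(Hit(rec.get("time", ""), cip, rec.get("cs-host", ""),
                        path, rec.get("sc-status", ""), sev))
    return hits


def is_patched(version, fixed=FIXED_VERSION):
    """Numeric dotted-version compare; anything unparsable is treated as unpatched."""
    try:
        return tuple(int(p) for p in version.split(".")) >= tuple(int(p) for p in fixed.split("."))
    except ValueError:
        return False


# Constructed sample log (not real traffic). cs-host is the logged Host header.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status
2025-11-10 08:12:01 10.0.0.5 GET /AdminPortal/ - 443 - 203.0.113.7 Mozilla/5.0 triofox.example.com 200
2025-11-10 08:12:09 10.0.0.5 GET /setup - 443 - 203.0.113.7 python-requests/2.32 localhost 200
2025-11-10 08:12:10 10.0.0.5 POST /setup - 443 - 203.0.113.7 python-requests/2.32 localhost:443 302
2025-11-10 09:00:00 10.0.0.5 GET /setup - 443 - 127.0.0.1 Mozilla/5.0 localhost 200
2025-11-10 09:05:00 10.0.0.5 GET /portal/login - 443 - 198.51.100.3 Mozilla/5.0 localhost 200
"""


def scan_sample():
    return find_host_spoof(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for h in scan_sample():
        print(f"{h.severity:6} {h.time} {h.client_ip} Host={h.host_header} {h.path} -> {h.status}")
    print("patched:", is_patched("16.4.10317.56372"))
```

Run it against the real log directory by feeding the file objects to `find_host_spoof`; the loopback request in the sample is legitimate local administration and is correctly ignored, while the two external `/setup` requests are the pattern the post describes.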
weekly
Keys. Gates. Windows. Actively exploited Win kernel EoP ✅ (CVE-2025-62215). Cisco RA-VPN bugs can reload unpatched edges. LANDFALL used Samsung’s image bug (CVE-2025-21042). Which breaks first in your shop?
china
One “Allow” → tenant-wide weather event. 🌀 AI agent phish wraps the consent flow, device-code phishing keeps churning, and Typhoon rides “good” U.S. infra. Kill list: user consent, device-code, or EWS app perms: what’s first?
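Added example for the kill list above (not code from the newsletter or from Microsoft): a quick tenant audit that checks the three controls against the JSON shapes Microsoft Graph returns for the authorization policy and Conditional Access policies. The tenant dictionaries below are constructed to resemble those responses rather than pulled from a real tenant; the Exchange Online app id and the `full_access_as_app` role name are the ones documented for that resource, but the role id and principal names used here are placeholders.

```python
# Office 365 Exchange Online resource service principal (appId), as published by Microsoft.
EXO_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
# App-only Exchange roles that grant mailbox-wide EWS access; the post's "EWS app perms".
EWS_APP_ONLY_ROLES = {"full_access_as_app"}


def user_consent_open(authz_policy):
    """GET /policies/authorizationPolicy: an empty permissionGrantPoliciesAssigned
    list means users cannot consent to any app; anything else leaves a door open."""
    perms = authz_policy.get("defaultUserRolePermissions", {})
    return bool(perms.get("permissionGrantPoliciesAssigned"))


def device_code_blocked(ca_policies):
    """GET /identity/conditionalAccess/policies: true only if an *enabled* policy
    targets the deviceCodeFlow authentication flow with a block grant. Report-only
    policies do not count, which is exactly the gap in the constructed tenant below."""
    for p in ca_policies:
        if p.get("state") != "enabled":
            continue
        flows = (p.get("conditions") or {}).get("authenticationFlows") or {}
        methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "deviceCodeFlow" in methods and "block" in controls:
            return True
    return False


def ews_app_only_grants(exo_app_roles, assignments):
    """Map appRoleAssignedTo records on the Exchange Online SP back to role names and
    return the (principal, role) pairs that hold app-only EWS access."""
    role_names = {r["id"]: r["value"] for r in exo_app_roles}
    return [(a["principalDisplayName"], role_names[a["appRoleId"]])
            for a in assignments
            if role_names.get(a["appRoleId"]) in EWS_APP_ONLY_ROLES]


def audit(tenant):
    findings = []
    if user_consent_open(tenant["authorizationPolicy"]):
        findings.append("user consent: users can still grant app permissions themselves")
    if not device_code_blocked(tenant["conditionalAccessPolicies"]):
        findings.append("device code: no enabled Conditional Access policy blocks deviceCodeFlow")
    for principal, role in ews_app_only_grants(tenant["exoAppRoles"], tenant["exoAppRoleAssignments"]):
        findings.append(f"ews: {principal} holds {role} on Exchange Online")
    return findings


# Constructed sample data shaped like the Graph responses (ids and names are placeholders).
EXO_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-00000000aaaa", "value": "full_access_as_app"},
    {"id": "00000000-0000-0000-0000-00000000bbbb", "value": "Mail.Read"},
]

WEAK_TENANT = {
    "authorizationPolicy": {"defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}},
    "conditionalAccessPolicies": [
        {"displayName": "Block device code (report only)",
         "state": "enabledForReportingButNotEnforced",
         "conditions": {"authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
         "grantControls": {"builtInControls": ["block"]}},
    ],
    "exoAppRoles": EXO_APP_ROLES,
    "exoAppRoleAssignments": [
        {"principalDisplayName": "legacy-mail-sync", "appRoleId": "00000000-0000-0000-0000-00000000aaaa"},
        {"principalDisplayName": "reporting-bot", "appRoleId": "00000000-0000-0000-0000-00000000bbbb"},
    ],
}

HARDENED_TENANT = {
    "authorizationPolicy": {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}},
    "conditionalAccessPolicies": [
        {"displayName": "Block device code", "state": "enabled",
         "conditions": {"authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
         "grantControls": {"builtInControls": ["block"]}},
    ],
    "exoAppRoles": EXO_APP_ROLES,
    "exoAppRoleAssignments": [
        {"principalDisplayName": "reporting-bot", "appRoleId": "00000000-0000-0000-0000-00000000bbbb"},
    ],
}

if __name__ == "__main__":
    for name, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        print(name, audit(tenant) or ["no findings"])
```

Feed it the live objects from `GET /policies/authorizationPolicy`, `GET /identity/conditionalAccess/policies`, and the Exchange Online service principal's `appRoles` plus `appRoleAssignedTo`, and the three findings map one-to-one onto the kill list.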
forecasts
We’re at 29% that RedNovember will be publicly reported exploiting at least one zero‑day in 2026 under strict timing and attribution rules. The hinge is whether the group escalates beyond PoC‑driven N‑day edge exploits and whether attribution survives rebranding.