Threats

Threats

Trivy Supply Chain Attack Escalates — TeamPCP Pushes Infostealers via Docker Hub, Deploys Kubernetes Wiper Targeting Iranian Systems

The supply chain compromise of Trivy, the widely used open-source vulnerability scanner maintained by Aqua Security, has escalated dramatically — with threat actor TeamPCP pushing malicious Docker images to Docker Hub, defacing Aqua Security's internal GitHub organization, distributing a self-propagating worm across dozens of npm packages, and

Threats

Storm-2561 Distributes Fake Enterprise VPN Clients From Cisco, Fortinet, and Ivanti via SEO Poisoning to Steal Corporate Credentials

Microsoft has disclosed a credential theft campaign by Storm-2561, a criminal group active since May 2025, that distributes fake enterprise VPN clients from major vendors through SEO poisoning — capturing corporate credentials before seamlessly redirecting victims to the real VPN download to erase any indication of compromise. The campaign, running

Threats

BlackBasta-Linked Actors Deploy New A0Backdoor via Microsoft Teams Social Engineering With DNS MX-Based C2

Threat actors linked to the dissolved BlackBasta ransomware operation are targeting employees at financial and healthcare organizations through Microsoft Teams social engineering to deploy a previously undocumented backdoor called A0Backdoor that hides its command-and-control communications inside DNS MX record queries. The campaign, disclosed by BlueVoyant, has confirmed targets

Threats

ClickFix Evolves to Windows Terminal Execution, Bypassing Run Dialog Defenses to Deploy Lumma Stealer

Microsoft has warned of a new ClickFix variant observed in the wild since February that evades existing defenses by shifting the execution environment from the Windows Run dialog to Windows Terminal — blending malicious command execution into legitimate administrative workflows. This marks a significant evolution in the ClickFix technique, which ZDW

Threats

Dutch Intelligence Warns of Russian State Campaign Hijacking Signal and WhatsApp Accounts of Government Officials Worldwide

The Dutch intelligence services AIVD and military intelligence service MIVD have issued a joint advisory warning that Russian state hackers are conducting a large-scale campaign to hijack Signal and WhatsApp accounts belonging to senior government officials, military personnel, civil servants, and journalists worldwide. Dutch government employees have already been

Threats

Chinese Threat Actor CL-UNK-1068 Targets Asian Critical Infrastructure Across Seven Sectors in Years-Long Espionage Campaign

Palo Alto Networks Unit 42 has disclosed a years-long espionage campaign by a previously undocumented Chinese threat group designated CL-UNK-1068 targeting high-value organizations across seven critical infrastructure sectors in South, Southeast, and East Asia. The campaign, assessed with moderate-to-high confidence as cyber espionage, targets

Threats

Iranian Threat Actors Intensify IP Camera Exploitation Across Six Countries to Support Missile Operations and Battle Damage Assessment

Check Point Research has disclosed that multiple Iran-nexus threat actors have intensified exploitation of IP cameras across six countries in the Middle East and Eastern Mediterranean since the onset of hostilities — activity assessed to support battle damage assessment (BDA) and target correction for Iranian missile operations. The targeting, which

Threats

APT41-Linked Silver Dragon Targets Governments Across Europe and Southeast Asia Using Google Drive C2 and Three Distinct Infection Chains

Check Point has disclosed a previously undocumented APT group dubbed Silver Dragon operating within the APT41 umbrella that has been targeting government entities across Europe and Southeast Asia since at least mid-2024 using three distinct infection chains, custom loaders, and a backdoor that uses Google Drive as its command-

Threats

SloppyLemming Targets Pakistan and Bangladesh Government and Critical Infrastructure With Dual Malware Chains and 112 Cloudflare Workers Domains

The South Asian threat actor SloppyLemming (also tracked as Outrider Tiger and Fishing Elephant) has been attributed to a sustained campaign targeting government entities and critical infrastructure operators in Pakistan and Bangladesh spanning January 2025 through January 2026, according to new research from Arctic Wolf. The campaign deploys two distinct

Threats

Steaelite RAT Bundles Ransomware, Credential Theft, and Live Surveillance Into Single Double-Extortion Platform

A new remote access trojan called Steaelite is being sold on cybercrime forums and Telegram that consolidates nearly every offensive capability an attacker needs — credential theft, ransomware deployment, cryptocurrency stealing, live surveillance, and DDoS — into a single browser-based dashboard, effectively eliminating the need for multiple tools or coordination between

Threats

ScarCruft Deploys Six Malware Families in Ruby Jumper Campaign to Breach Air-Gapped Networks via USB Propagation

North Korean threat actor ScarCruft has deployed a fresh arsenal of six malware families in a campaign codenamed Ruby Jumper that targets air-gapped networks through USB-based propagation and abuses Zoho WorkDrive as command-and-control infrastructure — the first time the group has used this cloud service in its

Threats

New Threat Actor UAT-10027 Deploys Dohdoor Backdoor Against US Education and Healthcare Using DNS-over-HTTPS for Stealth C2

Cisco Talos has disclosed a previously undocumented threat activity cluster tracked as UAT-10027 that has been targeting US education and healthcare organizations since at least December 2025 with a novel backdoor called Dohdoor. The backdoor uses DNS-over-HTTPS (DoH) for command-and-control communications and hides behind Cloudflare