Pavel Durov: Iranian accounts will not be deleted
The owner of Telegram said that due to the outbreak of war and widespread internet outages in Iran, the deletion of accounts after a certain period of inactivity will not apply to Iranian users.
Malicious LiteLLM versions 1.82.7–1.82.8 deploy credential theft, Kubernetes lateral movement, and a persistent backdoor.
Linked to the Trivy CI/CD compromise, the payload runs on import or via .pth at Python startup, spreads across nodes, and installs a systemd service.
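The `.pth` trick above is worth checking for on any host that ever installed the affected packages, because Python's `site` module exec()s every line of a `*.pth` file in site-packages that begins with `import` before any user code runs. The auditor below is an added example, not code from the original post, LiteLLM or the researchers who analysed the payload; it scans site-packages directories for such lines and separates them from the handful of legitimate packages known to ship executable `.pth` files (that allow-list and the sample file names are assumptions; tune them for your environment).

```python
"""Audit *.pth files in site-packages for lines Python will execute at startup.

CPython's site.addpackage() exec()s any .pth line starting with "import " or
"import\\t" during interpreter start-up, so a dropped .pth file is a quiet
persistence mechanism. Added example; allow-list and sample names are assumptions.
"""
import os
import shutil
import site
import sys
import tempfile
from dataclasses import dataclass

# Assumption: files that legitimately carry executable .pth lines (virtualenv,
# setuptools). Anything else with an import line deserves a manual look.
KNOWN_PTH_FILES = {"_virtualenv.pth", "distutils-precedence.pth"}


@dataclass(frozen=True)
class PthFinding:
    path: str
    lineno: int
    line: str
    known: bool  # True when the file is on the allow-list above


def executable_pth_lines(pth_path):
    """Return the lines of one .pth file that site.py would exec()."""
    findings = []
    known = os.path.basename(pth_path) in KNOWN_PTH_FILES
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            # Exactly the test site.addpackage() applies before calling exec().
            if line.startswith(("import ", "import\t")):
                findings.append(PthFinding(pth_path, lineno, line, known))
    return findings


def audit_dir(site_dir):
    """Scan every .pth file in one directory; returns findings sorted by file."""
    findings = []
    if not os.path.isdir(site_dir):
        return findings
    for name in sorted(os.listdir(site_dir)):
        if name.endswith(".pth"):
            findings.extend(executable_pth_lines(os.path.join(site_dir, name)))
    return findings


def candidate_site_dirs():
    """All site-packages dirs this interpreter would process at start-up."""
    dirs = []
    getsp = getattr(site, "getsitepackages", None)  # absent in some old venvs
    if getsp:
        dirs.extend(getsp())
    dirs.append(site.getusersitepackages())
    dirs.extend(p for p in sys.path if p.endswith("site-packages"))
    return sorted(set(dirs))


def build_demo_site_dir():
    """Constructed sample data: one path-only .pth, one allow-listed hook and
    one unexpected hook (the file name is made up, not the real malware's)."""
    d = tempfile.mkdtemp(prefix="pth-audit-")
    with open(os.path.join(d, "easy-install.pth"), "w") as fh:
        fh.write("./some_package-1.0-py3.12.egg\n/opt/extra\n")
    with open(os.path.join(d, "_virtualenv.pth"), "w") as fh:
        fh.write("import _virtualenv\n")
    with open(os.path.join(d, "zz_startup_hook.pth"), "w") as fh:  # constructed
        fh.write("import os, sys; sys.path.insert(0, os.path.expanduser('~/.cache/x'))\n")
    return d


def demo():
    """Run the auditor over the constructed directory and clean up."""
    d = build_demo_site_dir()
    try:
        return audit_dir(d)
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for site_dir in candidate_site_dirs():
        for f in audit_dir(site_dir):
            tag = "known" if f.known else "REVIEW"
            print(f"[{tag}] {f.path}:{f.lineno}: {f.line}")
```

Run it with every interpreter on the box, including the one inside each virtualenv and container image, since each has its own site-packages; the scan only reads files and never executes the lines it reports.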
GlassWorm now delivers a multi-stage malware chain via malicious packages and hijacked accounts.
It hides C2 in Solana memos, installs a fake Google Docs Chrome extension, and steals cookies, sessions, and crypto wallet data, with added hardware wallet phishing.
A hacker used an AI agent to run cyber ops, with 80–90% handled autonomously.
Compromise an AI agent already inside your environment, and the kill chain disappears. It already has access, permissions, and normal data flows—so activity looks legitimate.
A new Magento skimmer uses WebRTC data channels instead of HTTP to steal payment data.
It pulls payloads and exfiltrates card details over encrypted UDP, bypassing CSP and staying invisible to most monitoring tools.
Attacks are exploiting the PolyShell RCE flaw at scale.
Coruna turns a 2023 #iOS espionage exploit into a broader attack kit.
Kaspersky confirms it reuses and evolves the Triangulation kernel exploit, now updated for newer chips and iOS versions and still actively maintained.
Now bundled into 23 exploits across 5 chains and used beyond targeted ops, it shows #iPhone exploitation is scaling.
Security Executive's Warning: Critical Infrastructure Is a Direct Target of Cyber Attacks
According to Izum magazine, Dave DeWalt, former CEO of FireEye and McAfee, warned that attackers' use of artificial intelligence has greatly widened the gap between offensive and defensive cyber capabilities, and the world has entered a "dark age" of cybersecurity.
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
Anonymous collective has hacked a company in Israel that provides consulting services to organizations.
@TheGhostITM
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
Handala has leaked sensitive data on 28 American military engineers currently operating in Israel.
@TheGhostITM
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
Handala hacking group breach of the FBI is “coming soon”; FBI director's information has been compromised.
@TheGhostITM
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
Hacker group Handala breached FBI Director Kash Patel’s account after the US seized its domains and put a $10M bounty on its leaders. The group is now threatening more attacks, mocking FBI cybersecurity, and sharing alleged data.
@TheGhostITM
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
TeamPCP escalates supply chain attacks, now poisoning the PyPI library of Telnyx (a US communications provider).
@TheGhostITM
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
The international hacktivist group "Handala", affiliated with Hamas, broke into the account of FBI Director Kash Patel after the Americans seized its domains and put a $10 million bounty on the heads of its leaders. The group is threatening further attacks, mocking the FBI's cybersecurity, and publishing data it claims to have stolen.
@TheGhostITM
Cyberattack on the European Commission; Hackers publish data without ransom demands.
In an advanced cyberattack, the European Commission's cloud infrastructure was breached, and more than 350 gigabytes of data, including sensitive information and databases, were extracted.
Iran is reportedly leveraging AI-powered surveillance networks to monitor its airspace in real time—turning the sky into a tracked domain. The fusion of computer vision + distributed sensors is quietly reshaping air defense and raising new questions about asymmetric warfare.
Recent activity across multiple domains and messaging platforms indicates a growing pattern of entities presenting themselves as affiliated with the “Handala” hacking collective—complicating attribution and raising concerns among analysts tracking operations linked to the group.
Several domains, including Handala .ps and handala .tw, along with a Telegram channel operating under Handala intel/rss have emerged claiming association. These outlets, however, differ from the group’s previously and currently identified primary web presence at www.handala-team.to, which has been more consistently referenced in past operations and official communications.
This fragmentation reflects a broader challenge within the cyber threat landscape: identity replication and brand mimicry. By reusing established names, symbols, and even referencing known infrastructure, emerging actors can cultivate perceived legitimacy while simultaneously obscuring the operational footprint of the original entity.
From an intelligence standpoint, this dynamic introduces significant attribution challenges. Security agencies and independent researchers may struggle to distinguish between core operators, affiliated participants, and unrelated actors leveraging the same branding. In such conditions, the risk of misattribution increases—particularly when early assessments are influenced by geopolitical assumptions rather than technical evidence.
The situation is further complicated by the transnational character often associated with hacktivist ecosystems. Handala operating under a unified banner may draw participation from multiple regions—including Palestinian territories, Iran, Algeria, Lebanon, and Turkey—whether through loose coordination or shared ideological alignment. As a result, geographic indicators alone are insufficient for determining origin or command structure.
Historically, the Handala name has been associated with operations aligned with the Palestinian struggle, with indications of activity extending beyond the West Bank. Concurrently, open-source observations point to overlapping interests and potential cooperation across broader regional networks, although the group’s structure and hierarchy—if any—remain opaque.
The emergence of parallel domains and communication channels employing similar identifiers underscores a central reality of modern cyber conflict: identity is increasingly fluid, and influence can be constructed as readily as it is established.
For analysts and observers, the priority remains rigorous verification—focusing on infrastructure consistency, communication patterns, and technical signatures rather than relying solely on public-facing claims or branding.
At present, available evidence does not support the characterization of Handala as an exclusively Iranian hacktivist entity.
"Referencing the official website in your bio does not establish authenticity or affiliation. That said, the visibility and attention—whether intentional or not—are noted and, from a broader perspective, reflect a level of interest and support that is acknowledged."
Attackers are probing Citrix NetScaler for CVE-2026-3055 (CVSS 9.3).
Honeypots show requests to /cgi/GetAuthMethods to identify SAML IdP setups, which are required for exploitation.
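The reconnaissance pattern above is easy to pick out of the web logs of a NetScaler or the reverse proxy in front of it. The script below is an added example, not part of the original post or of any Citrix tooling; it parses a few constructed combined-format log lines and groups `/cgi/GetAuthMethods` requests by source address. The caveat a practitioner needs: legitimate Gateway clients also request that endpoint during a normal nFactor logon, so a bare hit is not an alert. The example therefore only flags sources that either use an automation user agent or never loaded a logon page in the same window; the user-agent patterns and logon-page prefixes are assumptions to tune.

```python
"""Flag CVE-2026-3055 reconnaissance (/cgi/GetAuthMethods) in web-server logs.

Added example, not from the original post. Parses Apache/nginx combined-format
lines and reports sources whose GetAuthMethods requests look like scanning
rather than a normal Gateway logon. Sample lines, UA patterns and logon-page
prefixes are constructed/assumed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

PROBE_PATH = "/cgi/GetAuthMethods"
# Assumption: paths a real browser-driven logon touches before GetAuthMethods.
LOGON_PREFIXES = ("/vpn/", "/logon/")
# Assumption: user agents that rarely belong to an interactive Gateway user.
SCANNER_UA = re.compile(r"python-requests|curl/|go-http-client|nuclei|masscan", re.I)

# Constructed sample data: two automated probes, one genuine logon flow.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2026:08:01:12 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 412 "-" "python-requests/2.32.3"
203.0.113.7 - - [12/May/2026:08:01:13 +0000] "GET /cgi/GetAuthMethods?x=1 HTTP/1.1" 200 412 "-" "python-requests/2.32.3"
198.51.100.20 - - [12/May/2026:08:02:40 +0000] "GET /vpn/index.html HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.20 - - [12/May/2026:08:02:41 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.99 - - [12/May/2026:08:03:05 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 405 0 "-" "curl/8.5.0"
garbage line that should be skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Per source IP: number of GetAuthMethods requests, whether a logon page
    was seen in the same window, and whether a scanner-like UA was used."""
    per_ip = defaultdict(lambda: {"probes": 0, "logon_page": False, "scanner_ua": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query string
        state = per_ip[rec["ip"]]
        if path == PROBE_PATH:
            state["probes"] += 1
            if SCANNER_UA.search(rec["ua"]):
                state["scanner_ua"] = True
        elif path.startswith(LOGON_PREFIXES):
            state["logon_page"] = True
    return dict(per_ip)


def suspicious_sources(log_text):
    """Sources that probed GetAuthMethods without a logon page, or with an
    automation UA. Returns sorted (ip, probe_count) pairs."""
    hits = []
    for ip, state in analyze(log_text).items():
        if state["probes"] and (state["scanner_ua"] or not state["logon_page"]):
            hits.append((ip, state["probes"]))
    return sorted(hits)


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {n} GetAuthMethods probe(s) with no matching logon activity")
```

Correlate the flagged addresses against the appliance's own audit log and the patch status of the SAML-enabled vservers; a source that probes and then returns after the IdP check is the one to block first.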
CISA flagged active exploitation of an F5 BIG-IP APM flaw. CVE-2025-53521 (CVSS 9.3) enables RCE, reclassified from DoS after new findings.
Exploitation is confirmed in the wild, with a federal patch deadline set.
Russian-linked TA446 is using DarkSword iOS exploit kit in targeted phishing emails.
Spoofed “discussion invites” trigger exploits only on iPhones and deliver GHOSTBLADE malware, expanding from credential theft to device compromise across government, academia, and policy targets.
Apple is sending #iPhone Lock Screen alerts warning users about active web-based attacks targeting outdated iOS.
Coruna and DarkSword exploit kits target older iOS via compromised sites, expanding risk beyond targeted attacks.