Cyber Dispatch™️
The definitive source for critical cybersecurity news. When a major threat breaks, we dispatch.

#CyberDispatch #CyberSecurity #InfoSec #ThreatIntelligence #ZeroDay #DataBreach #SecurityNews
A hacker used an AI agent to run cyber ops, with 80–90% handled autonomously.

Compromise an AI agent already inside your environment, and the kill chain disappears. It already has access, permissions, and normal data flows—so activity looks legitimate.
A new Magento skimmer uses WebRTC data channels instead of HTTP to steal payment data.

It pulls payloads and exfiltrates card details over encrypted UDP, bypassing CSP and staying invisible to most monitoring tools.

Attacks are exploiting the PolyShell RCE flaw at scale.
Coruna turns a 2023 #iOS espionage exploit into a broader attack kit.

Kaspersky confirms it reuses and evolves the Triangulation kernel exploit, now updated for newer chips and iOS versions and still actively maintained.

Now bundled into 23 exploits across 5 chains and used beyond targeted ops, it shows #iPhone exploitation is scaling.
Security Manager Warning: Critical Infrastructures Are Direct Targets of Cyber Attacks

According to Izum magazine, Dave DeWalt, former CEO of FireEye and McAfee, warned that attackers' use of artificial intelligence has greatly widened the gap between offensive and defensive cyber capabilities, and the world has entered a "dark age" of cybersecurity.
Hezbollah's cyber unit hacked into surveillance cameras to target the Israeli regime.

@TheGhostITM
Anonymous collective has hacked a company in Israel that provides consulting services to organizations.

@TheGhostITM
Handala has leaked sensitive data on 28 American military engineers currently operating in Israel.

@TheGhostITM
Handala hacking group's breach of the FBI is “coming soon”; the FBI director's information has been compromised.

@TheGhostITM
Hacker group Handala breached FBI Director Kash Patel’s account after the US seized its domains and put a $10M bounty on its leaders. The group is now threatening more attacks, mocking FBI cybersecurity, and sharing alleged data.

@TheGhostITM
TeamPCP escalates supply chain attacks, now poisoning Telnyx (US comms provider) PyPI library.

@TheGhostITM
The Ghost in the Machine
Hamas's international hacktivist group "Handala" broke into the account of FBI Director Kash Patel after the Americans seized its domains and placed a $10 million bounty on the heads of its leaders. The group is threatening further attacks, mocking the FBI's cybersecurity, and publishing data it claims to have stolen.

@TheGhostITM
Cyberattack on the European Commission; Hackers publish data without ransom demands.

In an advanced cyberattack, the European Commission's cloud infrastructure was breached, and more than 350 gigabytes of data, including sensitive information and databases, were extracted.
Iran is reportedly leveraging AI-powered surveillance networks to monitor its airspace in real time—turning the sky into a tracked domain. The fusion of computer vision + distributed sensors is quietly reshaping air defense and raising new questions about asymmetric warfare.
Recent activity across multiple domains and messaging platforms indicates a growing pattern of entities presenting themselves as affiliated with the “Handala” hacking collective—complicating attribution and raising concerns among analysts tracking operations linked to the group.

Several domains, including Handala .ps and handala .tw, along with a Telegram channel operating under Handala intel/rss have emerged claiming association. These outlets, however, differ from the group’s previously and currently identified primary web presence at www.handala-team.to, which has been more consistently referenced in past operations and official communications.

This fragmentation reflects a broader challenge within the cyber threat landscape: identity replication and brand mimicry. By reusing established names, symbols, and even referencing known infrastructure, emerging actors can cultivate perceived legitimacy while simultaneously obscuring the operational footprint of the original entity.

From an intelligence standpoint, this dynamic introduces significant attribution challenges. Security agencies and independent researchers may struggle to distinguish between core operators, affiliated participants, and unrelated actors leveraging the same branding. In such conditions, the risk of misattribution increases—particularly when early assessments are influenced by geopolitical assumptions rather than technical evidence.

The situation is further complicated by the transnational character often associated with hacktivist ecosystems. Handala operating under a unified banner may draw participation from multiple regions—including Palestinian territories, Iran, Algeria, Lebanon, and Turkey—whether through loose coordination or shared ideological alignment. As a result, geographic indicators alone are insufficient for determining origin or command structure.

Historically, the Handala name has been associated with operations aligned with the Palestinian struggle, with indications of activity extending beyond the West Bank. Concurrently, open-source observations point to overlapping interests and potential cooperation across broader regional networks, although the group’s structure and hierarchy—if any—remain opaque.

The emergence of parallel domains and communication channels employing similar identifiers underscores a central reality of modern cyber conflict: identity is increasingly fluid, and influence can be constructed as readily as it is established.

For analysts and observers, the priority remains rigorous verification—focusing on infrastructure consistency, communication patterns, and technical signatures rather than relying solely on public-facing claims or branding.

At present, available evidence does not support the characterization of Handala as an exclusively Iranian hacktivist entity.

"Referencing the official website in your bio does not establish authenticity or affiliation. That said, the visibility and attention—whether intentional or not—are noted and, from a broader perspective, reflect a level of interest and support that is acknowledged."
Attackers are probing Citrix NetScaler for CVE-2026-3055 (CVSS 9.3).

Honeypots show requests to /cgi/GetAuthMethods to identify SAML IdP setups, which are required for exploitation.
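Added example (not from the channel): a small log scan that flags the reconnaissance requests described above, so the probe can be spotted in your own web-server logs. It assumes logs in the common "combined" format; the log lines below are constructed, not real traffic.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [12/May/2026:10:01:03 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 640 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2026:10:02:15 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [12/May/2026:10:03:00 +0000] "GET /cgi/getauthmethods?x=1 HTTP/1.1" 404 120 "-" "curl/8.0"
198.51.100.7 - - [12/May/2026:10:04:40 +0000] "GET /logon/LogonPoint/tmindex.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# The endpoint the honeypot data shows being probed; compared case-insensitively, query string ignored.
PROBE_PATH = "/cgi/getauthmethods"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_auth_methods_probe(entry):
    """True when the request path (minus any query string) is the probed endpoint."""
    path = entry["path"].split("?", 1)[0].lower()
    return path == PROBE_PATH


def find_probes(log_text):
    """Return {source_ip: [(timestamp, method, status, user_agent), ...]} for every probe hit."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_auth_methods_probe(entry):
            hits[entry["ip"]].append((entry["ts"], entry["method"], int(entry["status"]), entry["ua"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in find_probes(SAMPLE_LOG).items():
        print(ip, len(events), "probe(s):", events)
```

A hit is a reconnaissance indicator to correlate with the source address, user agent and what followed it, not on its own confirmation that exploitation was attempted.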
CISA flagged active exploitation of an F5 BIG-IP APM flaw. CVE-2025-53521 (CVSS 9.3) enables RCE, reclassified from DoS after new findings.

Exploitation is confirmed in the wild, with a federal patch deadline set.
Russian-linked TA446 is using DarkSword iOS exploit kit in targeted phishing emails.

Spoofed “discussion invites” trigger exploits only on iPhones and deliver GHOSTBLADE malware, expanding from credential theft to device compromise across government, academia, and policy targets.
Apple is sending #iPhone Lock Screen alerts warning users about active web-based attacks targeting outdated iOS.

Coruna and DarkSword exploit kits target older iOS via compromised sites, expanding risk beyond targeted attacks.
A supply chain attack hit the telnyx Python package—versions 4.87.1 and 4.87.2 were backdoored to steal credentials.

Malware hidden in .WAV files runs on import, exfiltrates data, persists on Windows, and runs fileless on Linux/macOS before deleting traces.
A drone attack on strategic electronic warfare and radar centers in Haifa.
🔍 Domain intel: not all ccTLDs are created equal.

.to (Tonga) → attacker’s playground. Lax registration, no public WHOIS. Perfect for phishing infra, C2, and propaganda sites.

.tw (Taiwan) → attacker’s target. High user trust → prime impersonation bait for banking & gov phishing.

Know the risk.

#cybersecurity #threatintel #infosec #domains