Cyber Dispatch™️
The definitive source for critical cybersecurity news. When a major threat breaks, we dispatch.

#CyberDispatch #CyberSecurity #InfoSec #ThreatIntelligence #ZeroDay #DataBreach #SecurityNews
A ShowDoc flaw (CVSS 9.4) is now under active exploitation.

CVE-2025-0520 lets attackers upload web shells via unauthenticated file upload → full server control. First attacks seen via a U.S. honeypot; ~2,000 instances remain exposed, mostly in China.
CISA added 6 flaws to its KEV list after active exploitation.

A Fortinet bug (9.1) allows unauthenticated remote code execution, while an Exchange flaw is being used to deploy Medusa ransomware.

Federal agencies must patch by April 27.
FBI and Indonesian police dismantled W3LL, a phishing platform behind $20M+ fraud attempts.

Used by 500+ actors, it sold tools to steal credentials, bypass MFA, and resell access to 25,000+ accounts.
APT37 used Facebook to run a targeted malware campaign.

Fake profiles built trust, moved chats to Telegram, then pushed a trojanized PDF app that installs RokRAT via a JPG payload, using compromised sites and Zoho WorkDrive for control.
Hacktivist group Handala claims responsibility for taking down Foulat (Bahrain) & SULB (Saudi Arabia), calling it retaliation for "crimes against resistance axis" & slain hackers during "Ramadan War."

Both firms reportedly knocked offline—$5B+ annual revenue, 2M tons steel capacity, 2K+ staff. Group warns: "No point of enemy geography is out of reach."

#TGITM @TheGhostITM
Hacker group Handala has announced that it will release, for the first time, footage of reconnaissance and intelligence operations carried out by its operatives in the occupied territories within the coming hours.

#TGITM @TheGhostITM
Handala hackers' deep penetration of Mossad and Shin Bet facilities as unprecedented footage surfaces of spy chiefs’ homes.

#TGITM @TheGhostITM
Handala has obtained and released aerial surveillance of sensitive Israeli sites, including what it describes as Mossad facilities, residences of air force pilots, and homes of senior intelligence officials. A public statement from the group claims the material was gathered over months through operations conducted with the assistance of local collaborators inside the occupied territories:

#TGITM @TheGhostITM
Handala hackers captured aerial footage on operatives of top-secret Mossad headquarters, the homes of Israeli Air Force pilots, residences of senior Iran Desk officials within Mossad, homes of Shin Bet counter-terrorism managers, as well as the travel routes and daily movements of senior Zionist security and military officials,

#TGITM @TheGhostITM
Handala: the footage maps not only locations but also movement patterns and daily routes of senior military and security figures, presenting it as evidence of sustained intelligence access and operational reach. It frames the release as a glimpse into capabilities behind recent undisclosed actions, suggesting a broader campaign that has so far remained largely in the shadows.

#TGITM @TheGhostITM
Composer disclosed two command injection flaws (CVE-2026-40176 and CVE-2026-40261) with up to CVSS 8.8 severity.

Malicious composer.json or crafted source refs can execute arbitrary commands—even without Perforce installed. Affects multiple 2.x versions; patches released and metadata disabled as a precaution.
Booking.com Issues Data Breach Alert: Customer Info Potentially Compromised

Booking.com has notified select users via email that unauthorized actors may have accessed reservation-related data, including names, email addresses, phone numbers, postal addresses, and details shared with properties.
French cops free mother and son after 20-hour crypto kidnap ordeal.
Automotive data biz Autovista blames ransomware for service disruption.
ShinyHunters Leak Rockstar Games Data, No Player Records Impacted.
Attackers are abusing automation tools as delivery infrastructure.

Cisco Talos found #n8n webhooks used for phishing, malware, and tracking, leveraging trusted *.n8n.cloud domains to bypass filters.

email link → CAPTCHA → silent download → RMM-based persistence.