Security firms uncovered coordinated abuse of Chrome extensions across business, social, and AI tools.
From Meta ad accounts to Gmail inboxes, attackers used add-ons to scrape data, inject payloads, and persist inside sessions.
From Meta ad accounts to Gmail inboxes, attackers used add-ons to scrape data, inject payloads, and persist inside sessions.
One bulletproof-hosted IP drove 346 of 417 Ivanti EPMM exploit attempts.
Activity targeted CVSS 9.8 RCE flaws, rotating 300+ user agents while scanning other enterprise platforms in parallel. Signals automated initial-access reconnaissance.
Activity targeted CVSS 9.8 RCE flaws, rotating 300+ user agents while scanning other enterprise platforms in parallel. Signals automated initial-access reconnaissance.
Apple shipped emergency updates after confirming exploitation of a zero-day in dyld.
The bug (CVE-2026-20700) could allow attackers to execute arbitrary code on vulnerable Apple devices.
The bug (CVE-2026-20700) could allow attackers to execute arbitrary code on vulnerable Apple devices.
North Korea-linked UNC1069 used deepfake Zoom calls to hack crypto firms.
Posing via Telegram, attackers lured victims into fake meetings, triggering ClickFix commands that deployed multi-stage malware on macOS & Windows to steal wallets and credentials.
Posing via Telegram, attackers lured victims into fake meetings, triggering ClickFix commands that deployed multi-stage malware on macOS & Windows to steal wallets and credentials.
North Korean operatives are using real LinkedIn accounts to land remote IT jobs in Western firms.
With impersonated profiles and verified emails, DPRK actors secure roles to fund weapons programs and conduct espionage—some gain admin access, steal data, and maintain persistence.
With impersonated profiles and verified emails, DPRK actors secure roles to fund weapons programs and conduct espionage—some gain admin access, steal data, and maintain persistence.
Reynolds ransomware embeds its own BYOVD evasion, bundling a vulnerable driver to disable EDR before encryption.
It drops the NSecKrnl driver (CVE-2025-68947) to kill security tools, reducing detection and affiliate effort.
It drops the NSecKrnl driver (CVE-2025-68947) to kill security tools, reducing detection and affiliate effort.
Ransomware Persists — But Encryption Is No Longer the Main Signal of Attack!
Picus reviewed 1.1M malware samples and found a shift toward stealth access over disruption. Encryption attacks fell 38% YoY as extortion moves to data theft and credential abuse.
Picus reviewed 1.1M malware samples and found a shift toward stealth access over disruption. Encryption attacks fell 38% YoY as extortion moves to data theft and credential abuse.
Warlock ransomware breached SmarterTools via unpatched SmarterMail VM.
Attackers entered Jan 29, moved laterally, seized Active Directory, and staged Velociraptor pre-encryption. ~12 servers and a QC data center were hit; core apps and customer data stayed unaffected.
Attackers entered Jan 29, moved laterally, seized Active Directory, and staged Velociraptor pre-encryption. ~12 servers and a QC data center were hit; core apps and customer data stayed unaffected.
BeyondTrust patched pre-auth RCE (CVE-2026-1731) in Remote Support and PRA.
Attackers could run OS commands via crafted requests.~11K exposed instances found. Patches released.
Attackers could run OS commands via crafted requests.~11K exposed instances found. Patches released.
Cloud worm malware campaign is systematically taking over cloud infrastructure.
TeamPCP exploits exposed Docker, Kubernetes, Redis, and React2Shell to mass-deploy proxies, scanners, crypto miners & ransomware across compromised clusters.
TeamPCP exploits exposed Docker, Kubernetes, Redis, and React2Shell to mass-deploy proxies, scanners, crypto miners & ransomware across compromised clusters.
Microsoft traced a multi-stage intrusion to exposed SolarWinds Web Help Desk servers.
Attackers used unauthenticated RCE, moved laterally, and abused legit RMM tools for persistence — plus credential dumping and DCSync.
Attackers used unauthenticated RCE, moved laterally, and abused legit RMM tools for persistence — plus credential dumping and DCSync.
Singapore’s cyber agency says China-linked UNC3886 targeted all four national telecom operators.
Attackers used a firewall zero-day and rootkits to access parts of critical systems. Espionage activity was contained. No service disruption or customer data theft found.
Attackers used a firewall zero-day and rootkits to access parts of critical systems. Espionage activity was contained. No service disruption or customer data theft found.
Fortinet Fixes Critical FortiClientEMS RCE (CVE-2026-21643, CVSS 9.1).
SQL injection flaw enables unauthenticated remote command execution via crafted requests. Affects EMS 7.4.4 (patch available).
Separate FortiCloud SSO bug is actively exploited for admin persistence and firewall config theft.
SQL injection flaw enables unauthenticated remote command execution via crafted requests. Affects EMS 7.4.4 (patch available).
Separate FortiCloud SSO bug is actively exploited for admin persistence and firewall config theft.
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
أعلنت شركة الأمن السيبراني الإسرائيلية CyberArk المتخصصة في أمن الهوية الرقمية أن السعودية أصبحت "محرك النمو" الرئيسي لها بعد 7 أكتوبر.
وأكد أحد كبار مسؤولي الشركة التي تتخذ من بتاح تكفا وبئر السبع مقراً لها، أنها تحقق نمواً سنوياً يقارب 25% في المنطقة فيما تمثل السوق السعودية نحو 40% من إجمالي أعمالها في الشرق الأوسط.
@TheGhostsITM
وأكد أحد كبار مسؤولي الشركة التي تتخذ من بتاح تكفا وبئر السبع مقراً لها، أنها تحقق نمواً سنوياً يقارب 25% في المنطقة فيما تمثل السوق السعودية نحو 40% من إجمالي أعمالها في الشرق الأوسط.
@TheGhostsITM
Lithuania is investing €24.1M to harden its digital society against AI-era cybercrime.
The national mission links universities, industry, and government to build fraud detection, disinformation tracking, and critical infrastructure defenses as GenAI reshapes attack tactics.
The national mission links universities, industry, and government to build fraud detection, disinformation tracking, and critical infrastructure defenses as GenAI reshapes attack tactics.
Researchers uncovered ZeroDayRAT, a commercial mobile spyware sold on Telegram targeting Android and iOS.
It enables live camera/mic feeds, GPS tracking, SMS and OTP theft, and wallet hijacking via a self-hosted panel — turning phones into full surveillance nodes.
It enables live camera/mic feeds, GPS tracking, SMS and OTP theft, and wallet hijacking via a self-hosted panel — turning phones into full surveillance nodes.
Google patched Chrome zero-day CVE-2026-2441, a CVSS 8.8 bug already exploited in attacks.
The CSS use-after-free flaw allows sandboxed remote code execution via malicious pages.
The CSS use-after-free flaw allows sandboxed remote code execution via malicious pages.
A firmware-level Android backdoor called Keenadu is being shipped inside signed tablet builds.
Telemetry shows 13,715 users globally encountered its modules. It injects into every app via core system libraries, enabling remote control, data theft, and ad fraud.
Telemetry shows 13,715 users globally encountered its modules. It injects into every app via core system libraries, enabling remote control, data theft, and ad fraud.
A trojanized Oura AI connector is being used to spread SmartLoader malware.
Attackers cloned the MCP server, staged fake GitHub contributors, and planted it in trusted registries. The payload drops StealC to steal credentials, wallets, and cloud access.
Attackers cloned the MCP server, staged fake GitHub contributors, and planted it in trusted registries. The payload drops StealC to steal credentials, wallets, and cloud access.
Israeli technology companies have developed advanced tools to turn modern cars into espionage and intelligence-gathering devices.