🤖 GreyVibe hackers use ChatGPT, Gemini to power cyberattacks
GreyVibe hackers are leveraging ChatGPT and Gemini to drive offensive operations, signaling that mainstream AI assistants are now embedded in active cyberattack workflows.
Operationally, adversary access to public LLMs compresses timelines and raises output quality at scale. Defenders should pivot toward behavior-led detection, monitor automation and access patterns around AI services, and treat polished content as routine rather than exceptional.
🛰️ Open sources - closed narratives
@sitreports
GreyVibe hackers are leveraging ChatGPT and Gemini to drive offensive operations, signaling that mainstream AI assistants are now embedded in active cyberattack workflows.
Operationally, adversary access to public LLMs compresses timelines and raises output quality at scale. Defenders should pivot toward behavior-led detection, monitor automation and access patterns around AI services, and treat polished content as routine rather than exceptional.
🛰️ Open sources - closed narratives
@sitreports
⚡ Hackers exploit FortiClient EMS flaw to push infostealer malware
Threat actors are exploiting a vulnerability in the FortiClient Enterprise Management Server, using the centralized endpoint management platform to deliver credential‑stealing malware to systems under its control. By abusing trusted distribution channels, routine software management becomes a vector for infostealer deployment across enterprise fleets.
Operational impact: EMS sits at the distribution layer. A compromise here can propagate payloads rapidly and accelerate data theft. Admins should prioritize patching, limit external exposure, audit EMS authentication and deployment logs, rotate credentials, and review recent package and script pushes for anomalies.
🛰️ Open sources - closed narratives
@sitreports
Threat actors are exploiting a vulnerability in the FortiClient Enterprise Management Server, using the centralized endpoint management platform to deliver credential‑stealing malware to systems under its control. By abusing trusted distribution channels, routine software management becomes a vector for infostealer deployment across enterprise fleets.
Operational impact: EMS sits at the distribution layer. A compromise here can propagate payloads rapidly and accelerate data theft. Admins should prioritize patching, limit external exposure, audit EMS authentication and deployment logs, rotate credentials, and review recent package and script pushes for anomalies.
🛰️ Open sources - closed narratives
@sitreports
📡 Resecurity Supports Microsoft DCU in Disrupting Fox Tempest’s Cybercriminal Code-Signing Ecosystem
Resecurity supported the Microsoft DCU in disrupting Fox Tempest’s cybercriminal code-signing ecosystem. The action targets tooling and channels used to pass malware as trusted software.
Operationally, neutralizing code-signing pipelines undermines adversary trust signals and raises retooling costs. For defenders, this highlights the need to validate signatures in context and monitor certificate revocation to reduce signed‑malware risk.
🛰️ Open sources - closed narratives
@sitreports
Resecurity supported the Microsoft DCU in disrupting Fox Tempest’s cybercriminal code-signing ecosystem. The action targets tooling and channels used to pass malware as trusted software.
Operationally, neutralizing code-signing pipelines undermines adversary trust signals and raises retooling costs. For defenders, this highlights the need to validate signatures in context and monitor certificate revocation to reduce signed‑malware risk.
🛰️ Open sources - closed narratives
@sitreports
🔍 Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump
A Microsoft 0-day feud has escalated as a security researcher threatens to release another Windows exploit dump. The standoff heightens risk for Windows users and enterprise environments.
A public drop would shrink defender timelines and widen exposure across Windows fleets. Accelerate patching, harden legacy hosts, and focus detections on privilege escalation and code execution to limit potential impact.
🛰️ Open sources - closed narratives
@sitreports
A Microsoft 0-day feud has escalated as a security researcher threatens to release another Windows exploit dump. The standoff heightens risk for Windows users and enterprise environments.
A public drop would shrink defender timelines and widen exposure across Windows fleets. Accelerate patching, harden legacy hosts, and focus detections on privilege escalation and code execution to limit potential impact.
🛰️ Open sources - closed narratives
@sitreports
📡 DOD wants more than $2B in fiscal 2027 to move beyond ‘fragmented’ CJADC2 deployments
The Pentagon seeks over $2B in FY27 to move CJADC2 beyond fragmented rollouts, aiming to consolidate software‑centric C2 on a single pane of glass, per budget documents.
Consolidation would tighten interoperability, speed decision cycles, and reduce tool sprawl across services. A common architecture raises requirements for data standards, zero‑trust security, and vendor alignment.
🛰️ Open sources - closed narratives
@sitreports
The Pentagon seeks over $2B in FY27 to move CJADC2 beyond fragmented rollouts, aiming to consolidate software‑centric C2 on a single pane of glass, per budget documents.
Consolidation would tighten interoperability, speed decision cycles, and reduce tool sprawl across services. A common architecture raises requirements for data standards, zero‑trust security, and vendor alignment.
🛰️ Open sources - closed narratives
@sitreports
📄 Draft NDAA would dissolve Space Development Agency, Rapid Capabilities Office
The Draft NDAA would dissolve the Space Development Agency and the Rapid Capabilities Office, ending both organizations in their current form.
If enacted, dissolution would force program transfers to other acquisition channels, with implications for continuity, contracting timelines, and oversight. Watch for transition frameworks, governance assignments, and budget realignments as the authorization process advances.
🛰️ Open sources - closed narratives
@sitreports
The Draft NDAA would dissolve the Space Development Agency and the Rapid Capabilities Office, ending both organizations in their current form.
If enacted, dissolution would force program transfers to other acquisition channels, with implications for continuity, contracting timelines, and oversight. Watch for transition frameworks, governance assignments, and budget realignments as the authorization process advances.
🛰️ Open sources - closed narratives
@sitreports
🤖 Army’s new data operations center may stay ‘lean’ on people, expecting automation to help pick up growing workload
The Army’s new data operations center may remain light on personnel, with automation taking on an expanding set of tasks as demand grows.
Operationally, a lean construct can accelerate scaling and cut overhead, but raises dependence on mature tooling, tight integration, and clear governance. Key watchpoints include resilience under surge conditions, transparency of automated outputs, cybersecurity across pipelines, and sufficient skilled oversight to manage exceptions.
🛰️ Open sources - closed narratives
@sitreports
The Army’s new data operations center may remain light on personnel, with automation taking on an expanding set of tasks as demand grows.
Operationally, a lean construct can accelerate scaling and cut overhead, but raises dependence on mature tooling, tight integration, and clear governance. Key watchpoints include resilience under surge conditions, transparency of automated outputs, cybersecurity across pipelines, and sufficient skilled oversight to manage exceptions.
🛰️ Open sources - closed narratives
@sitreports
🔍 BTMOB Android malware service generates custom phishing payloads
An Android malware-as-a-service named BTMOB generates custom phishing payloads through a builder, allowing operators to tailor lures to specific themes.
This capability streamlines phishing operations at scale and increases pressure on mobile defenses. Organizations should expect more diverse lure content and faster campaign cycles, and prioritize controls around mobile phishing, app installation flows, and sideloading policies.
🛰️ Open sources - closed narratives
@sitreports
An Android malware-as-a-service named BTMOB generates custom phishing payloads through a builder, allowing operators to tailor lures to specific themes.
This capability streamlines phishing operations at scale and increases pressure on mobile defenses. Organizations should expect more diverse lure content and faster campaign cycles, and prioritize controls around mobile phishing, app installation flows, and sideloading policies.
🛰️ Open sources - closed narratives
@sitreports
⚡ New Gogs zero-day flaw lets hackers get remote code execution
A new zero-day in the Gogs Git service allows remote code execution. The Gogs zero-day elevates exposure from repo access to potential server takeover.
Operationally, RCE on Gogs threatens repository integrity and developer infrastructure, enabling credential theft and lateral movement. Admins should restrict external access, enforce strong auth, review logs for anomalous pushes or privilege changes, back up key repos, and fast-track patches or interim mitigations.
🛰️ Open sources - closed narratives
@sitreports
A new zero-day in the Gogs Git service allows remote code execution. The Gogs zero-day elevates exposure from repo access to potential server takeover.
Operationally, RCE on Gogs threatens repository integrity and developer infrastructure, enabling credential theft and lateral movement. Admins should restrict external access, enforce strong auth, review logs for anomalous pushes or privilege changes, back up key repos, and fast-track patches or interim mitigations.
🛰️ Open sources - closed narratives
@sitreports
📡 Operation Jailbreak: the Army’s massive push to hack its own systems and make them talk to each other
The U.S. Army has launched Operation Jailbreak to hack its own systems and force cross-platform interoperability.
Operationally, the push aims to streamline interoperability across sensors, shooters, and command nodes, accelerate data flows at the edge, and expose integration gaps earlier—shrinking stovepipes and enabling more resilient, scalable battlefield networks.
🛰️ Open sources - closed narratives
@sitreports
The U.S. Army has launched Operation Jailbreak to hack its own systems and force cross-platform interoperability.
Operationally, the push aims to streamline interoperability across sensors, shooters, and command nodes, accelerate data flows at the edge, and expose integration gaps earlier—shrinking stovepipes and enabling more resilient, scalable battlefield networks.
🛰️ Open sources - closed narratives
@sitreports
🤖 GREYVIBE Hackers Use ChatGPT and Gemini to Power Cyberattacks
A threat group identified as GREYVIBE is leveraging mainstream generative AI tools, including ChatGPT and Google Gemini, to enable and scale cyberattacks.
Operationally, this highlights how off-the-shelf LLMs can accelerate content creation, targeting, and tooling, lowering skill barriers and compressing attack timelines. Defenders should prioritize email and identity controls, restrict unmanaged AI tool access, and monitor for AI-assisted techniques across logs and endpoints.
🛰️ Open sources - closed narratives
@sitreports
A threat group identified as GREYVIBE is leveraging mainstream generative AI tools, including ChatGPT and Google Gemini, to enable and scale cyberattacks.
Operationally, this highlights how off-the-shelf LLMs can accelerate content creation, targeting, and tooling, lowering skill barriers and compressing attack timelines. Defenders should prioritize email and identity controls, restrict unmanaged AI tool access, and monitor for AI-assisted techniques across logs and endpoints.
🛰️ Open sources - closed narratives
@sitreports
🤖 Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
On May 10, 2026, threat actors exploited CVE-2026-39987 in Marimo and deployed an LLM-driven agent for post-exploitation, enabling credential theft and exfiltration of a PostgreSQL database. The incident highlights coordinated automation immediately following initial access.
The operational shift is clear: agentic tooling can chain tasks—environment enumeration, credential reuse, and database dumping—faster than manual playbooks, shrinking detection windows. Priority actions include rapid patching, credential rotation, and telemetry on scripted SQL exports and anomalous outbound flows from database hosts.
🛰️ Open sources - closed narratives
@sitreports
On May 10, 2026, threat actors exploited CVE-2026-39987 in Marimo and deployed an LLM-driven agent for post-exploitation, enabling credential theft and exfiltration of a PostgreSQL database. The incident highlights coordinated automation immediately following initial access.
The operational shift is clear: agentic tooling can chain tasks—environment enumeration, credential reuse, and database dumping—faster than manual playbooks, shrinking detection windows. Priority actions include rapid patching, credential rotation, and telemetry on scripted SQL exports and anomalous outbound flows from database hosts.
🛰️ Open sources - closed narratives
@sitreports
🔍 Microsoft Calls the Zero-Day Dumps Irresponsible. The Researcher Says Microsoft Started It.
Microsoft calls recent zero-day dumps irresponsible; the researcher responds that Microsoft set the events in motion. A public dispute over disclosure and accountability is now explicit.
Operationally, the clash spotlights gaps in coordinated disclosure, vendor–researcher trust, and release timing—key factors for patch pipelines and risk communication across enterprises.
🛰️ Open sources - closed narratives
@sitreports
Microsoft calls recent zero-day dumps irresponsible; the researcher responds that Microsoft set the events in motion. A public dispute over disclosure and accountability is now explicit.
Operationally, the clash spotlights gaps in coordinated disclosure, vendor–researcher trust, and release timing—key factors for patch pipelines and risk communication across enterprises.
🛰️ Open sources - closed narratives
@sitreports
🤖 Dutch govt disrupts malware botnet with 17 million infected devices
Dutch authorities have disrupted a massive malware botnet involving 17 million infected devices.
The action reduces capacity for spam, credential theft, and DDoS, and signals stronger state pressure on criminal infrastructure. Defenders should watch for orphaned C2 traffic, patch exposed IoT/SOHO devices, and use network telemetry to confirm cleanup and spot reinfection.
🛰️ Open sources - closed narratives
@sitreports
Dutch authorities have disrupted a massive malware botnet involving 17 million infected devices.
The action reduces capacity for spam, credential theft, and DDoS, and signals stronger state pressure on criminal infrastructure. Defenders should watch for orphaned C2 traffic, patch exposed IoT/SOHO devices, and use network telemetry to confirm cleanup and spot reinfection.
🛰️ Open sources - closed narratives
@sitreports
🔍 14 malicious npm packages impersonated OpenSearch, Elasticsearch libraries
Fourteen malicious npm packages impersonated OpenSearch and Elasticsearch libraries on npm, posing as trusted components for search integrations.
The incident highlights ongoing supply chain risk in the JavaScript ecosystem. Teams should verify maintainers and package scopes, monitor for typosquats, pin and checksum dependencies, and run continuous audits to minimize exposure during installation and CI builds.
🛰️ Open sources - closed narratives
@sitreports
Fourteen malicious npm packages impersonated OpenSearch and Elasticsearch libraries on npm, posing as trusted components for search integrations.
The incident highlights ongoing supply chain risk in the JavaScript ecosystem. Teams should verify maintainers and package scopes, monitor for typosquats, pin and checksum dependencies, and run continuous audits to minimize exposure during installation and CI builds.
🛰️ Open sources - closed narratives
@sitreports
🔍 Malicious NuGet Package Poses as Sicoob SDK to Steal Passwords
A fraudulent NuGet package posing as the Sicoob SDK has been identified stealing passwords. By mimicking a trusted SDK, it targets developers pulling dependencies through routine workflows.
Operationally, this highlights software supply-chain risk in the .NET ecosystem. Any environment that installed the spoofed SDK could have exposed credentials across dev machines or CI/CD. Enforce publisher verification, lock dependencies, rotate secrets, and audit recent builds.
🛰️ Open sources - closed narratives
@sitreports
A fraudulent NuGet package posing as the Sicoob SDK has been identified stealing passwords. By mimicking a trusted SDK, it targets developers pulling dependencies through routine workflows.
Operationally, this highlights software supply-chain risk in the .NET ecosystem. Any environment that installed the spoofed SDK could have exposed credentials across dev machines or CI/CD. Enforce publisher verification, lock dependencies, rotate secrets, and audit recent builds.
🛰️ Open sources - closed narratives
@sitreports
🤖 ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
A disclosed ChatGPhish vulnerability exploits ChatGPT’s Markdown rendering to inject phishing content through web page summaries, effectively turning the summarization feature into a delivery path for malicious links.
Operationally, this widens the attack surface at the model interface: users may encounter convincing lures inside in-chat summaries without visiting the original site. Mitigate with stricter rendering and sanitization, URL/HTML filtering on outputs, and treating AI summaries as untrusted content.
🛰️ Open sources - closed narratives
@sitreports
A disclosed ChatGPhish vulnerability exploits ChatGPT’s Markdown rendering to inject phishing content through web page summaries, effectively turning the summarization feature into a delivery path for malicious links.
Operationally, this widens the attack surface at the model interface: users may encounter convincing lures inside in-chat summaries without visiting the original site. Mitigate with stricter rendering and sanitization, URL/HTML filtering on outputs, and treating AI summaries as untrusted content.
🛰️ Open sources - closed narratives
@sitreports
🔍 No fix yet for critical Gogs RCE bug - exploit module is out
A critical remote code execution flaw in Gogs remains unpatched, and an exploit module is now public. Coverage of the Gogs RCE bug highlights immediate risk to exposed instances.
Priority actions: reduce attack surface, restrict external access, disable risky integrations, enforce auth, and monitor logs for command abuse. Deploy WAF/IDS signatures and sandboxing, consider temporary isolation, and verify whether any Gogs hosts are internet-facing until a fix is released.
🛰️ Open sources - closed narratives
@sitreports
A critical remote code execution flaw in Gogs remains unpatched, and an exploit module is now public. Coverage of the Gogs RCE bug highlights immediate risk to exposed instances.
Priority actions: reduce attack surface, restrict external access, disable risky integrations, enforce auth, and monitor logs for command abuse. Deploy WAF/IDS signatures and sandboxing, consider temporary isolation, and verify whether any Gogs hosts are internet-facing until a fix is released.
🛰️ Open sources - closed narratives
@sitreports
📡 Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
Attackers are now exploiting a GlobalProtect VPN authentication bypass flaw in Palo Alto Networks gateways, enabling login checks to be bypassed.
Operationally, GlobalProtect becomes an active ingress vector. Organizations should expedite fixes, restrict portal/gateway exposure, and audit VPN logs for anomalous sessions, geo mismatches, and unexpected admin changes to limit lateral movement.
🛰️ Open sources - closed narratives
@sitreports
Attackers are now exploiting a GlobalProtect VPN authentication bypass flaw in Palo Alto Networks gateways, enabling login checks to be bypassed.
Operationally, GlobalProtect becomes an active ingress vector. Organizations should expedite fixes, restrict portal/gateway exposure, and audit VPN logs for anomalous sessions, geo mismatches, and unexpected admin changes to limit lateral movement.
🛰️ Open sources - closed narratives
@sitreports
🔍 SideCopy Uses XenoRAT Against Afghan Finance Network
SideCopy, linked to Transparent Tribe/APT36, is assessed to have targeted Afghanistan’s Ministry of Finance and all 34 provincial revenue directorates with a spear-phishing chain delivering XenoRAT 1.8.7. The lure used a Pashto-named LNK inside a ZIP archive, then abused mshta.exe, remote HTA stages, reflective .NET loading, AMSI patching, and registry persistence. XenoRAT connected to 185.235.137.106 via AES-encrypted TCP traffic.
The operation stands out for target-specific decoy material listing provincial finance staff and direct numbers, indicating prior collection before delivery. TTPs remain consistent with long-observed SideCopy tradecraft, while the use of government-adjacent Afghan infrastructure and bulletproof hosting shows a layered setup for access, persistence, and command-and-control.
🛰️ Open sources - closed narratives
@sitreports
SideCopy, linked to Transparent Tribe/APT36, is assessed to have targeted Afghanistan’s Ministry of Finance and all 34 provincial revenue directorates with a spear-phishing chain delivering XenoRAT 1.8.7. The lure used a Pashto-named LNK inside a ZIP archive, then abused mshta.exe, remote HTA stages, reflective .NET loading, AMSI patching, and registry persistence. XenoRAT connected to 185.235.137.106 via AES-encrypted TCP traffic.
The operation stands out for target-specific decoy material listing provincial finance staff and direct numbers, indicating prior collection before delivery. TTPs remain consistent with long-observed SideCopy tradecraft, while the use of government-adjacent Afghan infrastructure and bulletproof hosting shows a layered setup for access, persistence, and command-and-control.
🛰️ Open sources - closed narratives
@sitreports
📡 Netherlands seizes 200 servers in 17-million-device botnet case
Dutch police and the NCSC say they dismantled a botnet spanning at least 17 million infected computers, tablets, and smartphones, and seized more than 200 servers hosted in the country. The infrastructure was tied to the residential proxy service Asocks, with servers taken for forensic analysis after the hosting provider confirmed criminal use.
The case underlines how residential proxy networks can mask malicious traffic behind ordinary consumer devices, complicating attribution and filtering. It also shows the central role of domestic hosting infrastructure in sustaining globally distributed botnets.
🛰️ Open sources - closed narratives
@sitreports
Dutch police and the NCSC say they dismantled a botnet spanning at least 17 million infected computers, tablets, and smartphones, and seized more than 200 servers hosted in the country. The infrastructure was tied to the residential proxy service Asocks, with servers taken for forensic analysis after the hosting provider confirmed criminal use.
The case underlines how residential proxy networks can mask malicious traffic behind ordinary consumer devices, complicating attribution and filtering. It also shows the central role of domestic hosting infrastructure in sustaining globally distributed botnets.
🛰️ Open sources - closed narratives
@sitreports