This media is not supported in your browser
VIEW IN TELEGRAM
#ThreatsDay this week reads like attackers opened the junk drawer of the internet and found everything still plugged in:
π§ exposed AI compute
π§ email privacy gaps
π§© fake browser extensions
π€ meeting bots
π clipboard tricks
π‘οΈ Defender flaws
π fake INTERPOL ransomware
Just an Empire State Building-sized amount of trust left unattended - https://thehackernews.com/2026/07/threatsday-ai-compute-hijacking-apple.html
π§ exposed AI compute
π§ email privacy gaps
π§© fake browser extensions
π€ meeting bots
π clipboard tricks
π‘οΈ Defender flaws
π fake INTERPOL ransomware
Just an Empire State Building-sized amount of trust left unattended - https://thehackernews.com/2026/07/threatsday-ai-compute-hijacking-apple.html
π₯8π€2π1
β οΈ Armored Likho targeted power and government agencies.
Kaspersky says the attacks span Russia, Brazil, and Kazakhstan, using BusySnake Stealer, GitHub-hosted payloads, Go2Tunnel reverse tunneling, and patched CVE-2025-9491 LNK abuse.
How the stealer chain works: https://thehackernews.com/2026/07/armored-likho-targets-government.html
Kaspersky says the attacks span Russia, Brazil, and Kazakhstan, using BusySnake Stealer, GitHub-hosted payloads, Go2Tunnel reverse tunneling, and patched CVE-2025-9491 LNK abuse.
How the stealer chain works: https://thehackernews.com/2026/07/armored-likho-targets-government.html
π₯4π4π€3
π Six malicious npm packages mimicked Rollup polyfill tools.
Experts link them to North Korea-linked actors. They used hidden install-time execution and JSONKeeper fetches to load payloads for remote access and browser, wallet, cloud, SSH, and npm secret theft.
Read: https://thehackernews.com/2026/07/north-korea-linked-npm-packages-mimic.html
Experts link them to North Korea-linked actors. They used hidden install-time execution and JSONKeeper fetches to load payloads for remote access and browser, wallet, cloud, SSH, and npm secret theft.
Read: https://thehackernews.com/2026/07/north-korea-linked-npm-packages-mimic.html
π₯3
π Avalon turns a PDF-themed .LNK into CrownX ransomware.
Proton Drive β ISO image β MSBuild β ETW tampering β HTTPS payload.
By the ransom note, credentials, C2, and recovery disruption are already in play.
Inside the attack chain: https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html
Proton Drive β ISO image β MSBuild β ETW tampering β HTTPS payload.
By the ransom note, credentials, C2, and recovery disruption are already in play.
Inside the attack chain: https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html
π₯5β‘3
This media is not supported in your browser
VIEW IN TELEGRAM
β‘ New "Bad Epoll" (CVE-2026-46242) vulnerability affects #Linux 6.4+ kernels and may reach newer #Android devices.
It can turn a local user into root; the PoC hit 99% reliability and may trigger from Chromeβs renderer sandbox.
π Read how the bug works: https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html
It can turn a local user into root; the PoC hit 99% reliability and may trigger from Chromeβs renderer sandbox.
π Read how the bug works: https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html
π8π±5π€―2β‘1
π New UNPATCHED FatFs vulnerabilities hit a filesystem library bundled into potentially MILLIONS of embedded devices.
Malformed USB drives, SD cards, or update files can trigger memory corruption, crashes, leaks, or hangs.
Read details here: https://thehackernews.com/2026/07/unpatched-flaws-disclosed-in-filesystem.html
Malformed USB drives, SD cards, or update files can trigger memory corruption, crashes, leaks, or hangs.
Read details here: https://thehackernews.com/2026/07/unpatched-flaws-disclosed-in-filesystem.html
π₯7π€―5
β οΈ 108 malicious packages and extensions were published across npm, Packagist, Go, and Chrome.
North Korea-linked PolinRider uses obfuscated JavaScript loaders, VS Code auto-run tasks, and blockchain services to fetch DEV#POPPER RAT and OmniStealer.
Inside the attack chain: https://thehackernews.com/2026/07/north-korean-hackers-publish-108.html
North Korea-linked PolinRider uses obfuscated JavaScript loaders, VS Code auto-run tasks, and blockchain services to fetch DEV#POPPER RAT and OmniStealer.
Inside the attack chain: https://thehackernews.com/2026/07/north-korean-hackers-publish-108.html
π€―15π₯4π2β‘1π1
π A U.S. government entity paid Kairos about $1 million in #Bitcoin.
The payment was made to keep stolen files from being leaked, according to a Ransom-ISAC case study.
This was not a lock-and-key ransomware case. The pressure point was the stolen data itself.
Read the story: https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html
The payment was made to keep stolen files from being leaked, according to a Ransom-ISAC case study.
This was not a lock-and-key ransomware case. The pressure point was the stolen data itself.
Read the story: https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html
π33π₯10β‘4π€3π1π±1
π Malicious AI skills can bypass scanners.
SKILLCLOAK hides payloads in folders scanners often skip, then rebuilds them only when the agent runs the skill.
In tests, its packing trick bypassed all 8 scanners more than 90% of the time.
Read how the cloaking works: https://thehackernews.com/2026/07/new-skillcloak-technique-lets-malicious.html
SKILLCLOAK hides payloads in folders scanners often skip, then rebuilds them only when the agent runs the skill.
In tests, its packing trick bypassed all 8 scanners more than 90% of the time.
Read how the cloaking works: https://thehackernews.com/2026/07/new-skillcloak-technique-lets-malicious.html
π8β‘4π₯4π2
This media is not supported in your browser
VIEW IN TELEGRAM
π¨ A zero-click Opera GX flaw let malicious sites silently install GX Mods and leak data exposed in pages the victim visited.
In a PoC, researchers used CSS to rebuild a signed-in userβs Gmail address after one visit.
Learn how βjust stylingβ crossed sites: https://thehackernews.com/2026/07/opera-gx-flaw-let-malicious-sites-auto.html
In a PoC, researchers used CSS to rebuild a signed-in userβs Gmail address after one visit.
Learn how βjust stylingβ crossed sites: https://thehackernews.com/2026/07/opera-gx-flaw-let-malicious-sites-auto.html
π8π3π1π₯1
β οΈ New Java RAT is being sold as MaaS.
QuimaRAT is built to run on Windows, #Linux, and #macOS, with encrypted plugins, OS-specific persistence, C2 rotation via Pastebin, and a browser-cache loader for staging payloads.
Read: https://thehackernews.com/2026/07/new-java-based-quimarat-maas-built-to.html
QuimaRAT is built to run on Windows, #Linux, and #macOS, with encrypted plugins, OS-specific persistence, C2 rotation via Pastebin, and a browser-cache loader for staging payloads.
Read: https://thehackernews.com/2026/07/new-java-based-quimarat-maas-built-to.html
π₯10π8β‘2
π¨ New TrojPix attack can leak data from an air-gapped PC through its video cable.
It uses user-level malware to turn invisible pixel changes into radio signals from a video cable, leaking data at up to 8.1 Mbps.
Learn how TrojPix turns pixels into a radio leak: https://thehackernews.com/2026/07/new-trojpix-attack-leaks-data-from-air.html
It uses user-level malware to turn invisible pixel changes into radio signals from a video cable, leaking data at up to 8.1 Mbps.
Learn how TrojPix turns pixels into a radio leak: https://thehackernews.com/2026/07/new-trojpix-attack-leaks-data-from-air.html
π₯5π±2
π¨ A suspected China-nexus campaign is targeting Indian taxpayers, tax professionals, and finance teams with fake Income Tax Department emails.
Operation DragonReturn leads victims to a fake tax-filing utility that uses DLL sideloading, JPG payload concealment, and DCRat.Attribution remains unclear.
Read: https://thehackernews.com/2026/07/suspected-china-nexus-hackers-use-fake.html
Operation DragonReturn leads victims to a fake tax-filing utility that uses DLL sideloading, JPG payload concealment, and DCRat.Attribution remains unclear.
Read: https://thehackernews.com/2026/07/suspected-china-nexus-hackers-use-fake.html
π6π€4π₯2π€―1
AI SOC can mean a chat box bolted onto a SIEM, or agents that handle detection, triage, investigation, and response on their own data foundation.
The label tells you little. The POC has to show what is actually doing the work.
Read this for the six checks that tell them apart: https://thehackernews.com/2026/07/how-to-evaluate-ai-soc-platform-in-2026.html
The label tells you little. The POC has to show what is actually doing the work.
Read this for the six checks that tell them apart: https://thehackernews.com/2026/07/how-to-evaluate-ai-soc-platform-in-2026.html
π1π₯1
AI does not just make phishing cleaner. It changes the clock.
Guy Segal, CEO at Sygnia, frames the real gap: incident response plans were designed for slower, human-led attacks, while AI can compress recon, deception, payload changes, and the path to business impact.
See where your IR plan breaks when AI compresses the timeline: https://thehackernews.com/expert-insights/2026/07/ai-speed-attacks-are-forcing-rethink-of.html
Guy Segal, CEO at Sygnia, frames the real gap: incident response plans were designed for slower, human-led attacks, while AI can compress recon, deception, payload changes, and the path to business impact.
See where your IR plan breaks when AI compresses the timeline: https://thehackernews.com/expert-insights/2026/07/ai-speed-attacks-are-forcing-rethink-of.html
π3π₯1π€1
π A streaming box. A browser prompt. A fake repo. An AI agent reading the wrong thing.
This weekβs cyber risks did not look exotic. That was the problem.
Monday Recap: proxy botnets, browser ransomware research, AI agent tricks, fake PoC malware, ClickFix attacks, and more.
Read the full recap: https://thehackernews.com/2026/07/monday-recap-proxy-botnets-browser.html
This weekβs cyber risks did not look exotic. That was the problem.
Monday Recap: proxy botnets, browser ransomware research, AI agent tricks, fake PoC malware, ClickFix attacks, and more.
Read the full recap: https://thehackernews.com/2026/07/monday-recap-proxy-botnets-browser.html
π₯4π3
π Itβs easier to log in than hack in.
Attackers donβt need a zero-day if weak, reused, or compromised passwords are already sitting in Active Directory.
Specopsβ Password Auditing Guide shows how to uncover hidden password risks, spot policy gaps, and start auditing AD with a free tool.
Download the guide to learn more: https://thn.news/audit-active-directory
Attackers donβt need a zero-day if weak, reused, or compromised passwords are already sitting in Active Directory.
Specopsβ Password Auditing Guide shows how to uncover hidden password risks, spot policy gaps, and start auditing AD with a free tool.
Download the guide to learn more: https://thn.news/audit-active-directory
π5π1
π¨ CVE-2026-20896 saw its first in-the-wild attempt 13 days after disclosure.
The Gitea Docker flaw lets reachable containers trust spoofed X-WEBAUTH-USER headers when reverse proxy auth is enabled.
See which setups are exposed and where the probe stopped: https://thehackernews.com/2026/07/threat-actors-probe-gitea-docker-flaw.html
The Gitea Docker flaw lets reachable containers trust spoofed X-WEBAUTH-USER headers when reverse proxy auth is enabled.
See which setups are exposed and where the probe stopped: https://thehackernews.com/2026/07/threat-actors-probe-gitea-docker-flaw.html
π₯4π3
π₯ A new 16-year-old #Linux KVM flaw lets a rooted nested VM crash the x86 host and take down other tenants on the same machine.
Dubbed "Januscape" (CVE-2026-53359), the bug sits in KVMβs shadow MMU.
Researcher says a full guest-to-host escape exploit also exists in a controlled setup; only the host-crash PoC is public.
Explained here: https://thehackernews.com/2026/07/16-year-old-linux-kvm-flaw-lets-guest.html
Dubbed "Januscape" (CVE-2026-53359), the bug sits in KVMβs shadow MMU.
Researcher says a full guest-to-host escape exploit also exists in a controlled setup; only the host-crash PoC is public.
Explained here: https://thehackernews.com/2026/07/16-year-old-linux-kvm-flaw-lets-guest.html
π₯13π2
π¨ Iran-linked Cavern Manticore is targeting Israeli government and IT organizations with 'Cavern,' a modular .NET C2 framework.
Researchers say the group abused RMM tools, then used DLL side-loading, NativeAOT modules, and AppDomain isolation to hide post-compromise activity.
How Cavern works: https://thehackernews.com/2026/07/iran-linked-hackers-use-new-cavern-c2.html
Researchers say the group abused RMM tools, then used DLL side-loading, NativeAOT modules, and AppDomain isolation to hide post-compromise activity.
How Cavern works: https://thehackernews.com/2026/07/iran-linked-hackers-use-new-cavern-c2.html
π12π11π₯4β‘2π€1π€―1
β οΈ BeyondTrust fixed four RS and PRA flaws. Two are critical pre-auth bugs that could let unauthenticated attackers bypass access controls, but only under specific auth configurations.
No exploitation is reported. RS 25.3.3 and PRA 25.3.3 carry the fixes.
Check which setups need patching: https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html
No exploitation is reported. RS 25.3.3 and PRA 25.3.3 carry the fixes.
Check which setups need patching: https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html
π₯3