Threat Intelligence
Active threats with IOCs, MITRE ATT&CK mappings, and detection guidance.
Malvertising & SEO Poisoning Exploit Claude Code Interest to Deliver Infostealers
Threat actors abuse Google Sponsored Ads and trusted hosting platforms (GitLab Pages, Bitbucket Pages) to serve fake Claude Code install pages with embedded InstallFix/ClickFix payloads that deliver AMOS and Amatera infostealers.
Scattered Spider: Social Engineering and Ransomware Extortion
Scattered Spider (UNC3944/Octo Tempest) is a cybercriminal group that employs social engineering, SIM swaps, and MFA fatigue attacks to compromise large enterprises. Recent activity includes DragonForce ransomware deployment and data exfiltration via Snowflake and MEGA.
Trivy Supply Chain Compromise: TeamPCP CI/CD Credential Theft
Threat actors compromised Aqua Security's Trivy GitHub Actions by force-pushing malicious commits to release tags, injecting a credential stealer that harvests CI/CD secrets and exfiltrates them via the victim's own GitHub account.
The Chrysalis Backdoor: Vulnerable Notepad++ Updater Abuse by a Chinese APT Campaign
The 'Chrysalis' backdoor is a sophisticated espionage malware delivered via a trojanized Notepad++ installer that uses DLL sideloading, encrypted and obfuscated shellcode, persistent execution mechanisms, and stealthy loaders to provide full remote access, data exfiltration, and deployment of Cobalt Strike beacons through legitimate Microsoft-signed binaries.
Novel ClickFix Chain Delivers Amatera Stealer
A novel fake CAPTCHA campaign abuses trusted Windows scripting components to stage in-memory execution and deliver the Amatera Stealer while evading traditional detection.
Qilin Ransomware Targets Pathology Associates of Saint Thomas
Qilin ransomware operators have claimed responsibility for an attack against a U.S. healthcare provider and are threatening to publicly release stolen medical data if extortion demands are not met.
MongoBleed (CVE-2025-14847) exploited in the wild
CVE-2025-14847, an unauthenticated information-leak vulnerability in MongoDB, has been observed being exploited in the wild.
Salesforce Deployment Compromise via Gainsight Application
Salesforce applications published by Gainsight were potentially compromised.
Exploitation of WSUS RCE Vulnerability
A Windows Server Update Services (WSUS) remote code execution vulnerability was exploited in a recent campaign.
Cisco Firewall and VPN Zero Day Attacks: CVE-2025-20333 and CVE-2025-20362
A state-sponsored campaign has exploited chained Cisco firewall/VPN zero-days (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) since May 2025 to gain code execution and persistence on perimeter devices.
CVE-2025-20352: Zero-Day in Cisco IOS & IOS XE SNMP Exploited, Allows DoS and Root RCE
A critical zero-day vulnerability affecting Cisco IOS and IOS XE Software is currently being actively exploited in the wild.
Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware
The Shai-Hulud attack is a severe npm supply chain compromise that weaponizes over 100 malicious packages with worm-like propagation, exfiltrating secrets and abusing stolen npm/GitHub tokens to hijack repos and publish further malware, marking a major escalation in JavaScript ecosystem threats.
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
UNC5221, a China-nexus threat cluster, employs sophisticated capabilities to target U.S. companies, maintaining long-term, stealthy access by deploying backdoors on appliances that do not support traditional EDR tools.
Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet
A critical vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) enables remote command injection. Organizations that expose the admin console to the internet are at higher risk.
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
UNC6395 exploited OAuth tokens from the Salesloft Drift–Salesforce integration in a large-scale supply chain attack, infiltrating numerous Salesforce instances to exfiltrate sensitive data.
Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework
VoidProxy is a novel and highly evasive PhaaS framework that targets Microsoft and Google accounts.
Threat Spotlight: ShinyHunters Targets Salesforce Amid Clues of Scattered Spider Collaboration
ShinyHunters has re-emerged with a phishing campaign targeting Salesforce credentials, adopting tactics used by Scattered Spider.
Ransomware Gangs Collapse as Qilin Seizes Control
Qilin is a highly advanced RaaS that combines cross-platform payloads with sophisticated technical features, making it a major and structured force in the ransomware ecosystem.
From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
A campaign leveraged SEO poisoning of enterprise IT tool searches to deliver Bumblebee malware via trojanized installers.
Citrix Forgot to Tell You CVE-2025-6543 Has Been Used as a Zero Day Since May 2025
Citrix NetScaler flaws were exploited as zero-days for RCE, enabling persistent intrusions months before disclosure.
Incident Report: From CLI To Console, Chasing An Attacker In AWS
An attacker used an exposed long-term AWS access key to gain access to an AWS account in preparation for resource abuse.
Driver of Destruction: How a Legitimate Driver Is Being Used To Take Down AV Processes
A new AV-killer malware abuses a vulnerable, digitally signed driver to gain kernel-level access and disable endpoint defenses.
A Flyby on the CFO's Inbox: Spear-Phishing Campaign Targeting Financial Executives with NetBird Deployment
A sophisticated spear-phishing campaign targeted an American CFO. The attackers used legitimate tools to maintain persistent access and gather information discreetly.
Citrix NetScaler Critical Vulnerabilities
Two new vulnerabilities in Citrix NetScaler allow attackers to gain highly privileged access to the appliance, require no user interaction, and can be exploited over the network.
ClickFix Emerges as Second Most Popular Initial Access Vector
ClickFix, a social engineering technique that manipulates the victim into infecting themselves, has been observed in more than 300 businesses in the Fortune 500.
Exploitation of CLFS Zero-Day Leads to Ransomware Activity
CVE-2025-29824, a critical zero-day vulnerability in the Windows Common Log File System (CLFS), is being actively exploited by the Storm-2460 threat group to escalate privileges and deploy ransomware.
North Korean IT Workers Infiltrating Global Organizations
North Korea sends its hackers to work as remote IT workers across the globe. They get full access to your network, and you pay them for it.
A Peek Into Muddled Libra's Operational Playbook
Unit 42 analysis of Muddled Libra's post-compromise tradecraft using a rogue VM for living-off-the-land attacks.
Vishing for Access: ShinyHunters SaaS Data Theft Expansion
Mandiant/GTIG describe ShinyHunters-aligned clusters (UNC6661, UNC6671, UNC6240) using vishing and victim-branded credential sites to capture SSO and MFA, then plunder SharePoint, Salesforce, DocuSign, and Workspace (including ToogleBox Recall abuse and Okta MFA notification deletion) before ShinyHunters-branded extortion.