Malware, attack campaigns, APT groups
Threats
Backdoor.Mistic (Zscaler: MLTBackdoor), used since April 2026 by the access broker Woodgnat/KongTuke, is a fileless RAT that establishes durable remote access and sells it to ransomware crews including Qilin, Akira, and Black Basta. It spreads via fake IT-helpdesk lures on Microsoft Teams.
Threats
Miasma/Shai-Hulud trojanized 20+ Leo Platform and RStreams npm packages in a sub-three-second burst on June 24, hiding its install hook in binding.gyp. It reads CI runner memory for masked secrets and exfiltrates via the victim's own GitHub token, beating egress blocklists.
Threats
SentinelOne has detailed Gaslight, a Rust-based macOS implant tied to North Korea-aligned actors that embeds 38 fake system messages to trick AI-assisted triage tools into aborting analysis. It runs a Telegram-based C2 shell and drops a Python stealer that lifts browser data and the Keychain.
Threats
FulcrumSec is a financially motivated data-extortion group that breaches large organizations, loots plaintext cloud secrets and over-privileged IAM roles, exfiltrates at scale, then publishes detailed breakdowns to extort. Confirmed victims include LexisNexis and Arup Group.
Threats
Elastic Security Labs has uncovered OXLOADER, a previously undocumented Windows loader delivering the CASTLESTEALER infostealer through malicious Google Ads impersonating Node.js. It abuses the PE .reloc section to stage shellcode and evades static engines and sandboxes.
Threats
Group-IB, INTERPOL and Algerian police dismantled SniperDz, a decade-old free phishing-as-a-service platform: 80 templates, 30+ brands, 20,000+ domains, 45,000+ stolen records. Its developer Guedz was arrested after exposing his own admin panel in recruitment videos.
Threats
Attackers are exploiting CVE-2026-10520, a max-severity OS command injection flaw in Ivanti Sentry, to run code as root on internet-exposed gateways. Shadowserver reports most exposed instances already backdoored. Patched Tuesday in R10.5.2, R10.6.2, R10.7.1 — patch now.
Threats
Attackers are actively exploiting CVE-2026-5027 in Langflow, writing arbitrary files to exposed servers. Default unauthenticated auto-login means a single request reaches the vulnerable endpoint with no credentials. Roughly 7,000 instances were exposed; patch in 1.10.0.
Threats
Google Mandiant attributes a sustained data theft and extortion campaign to UNC3753, combining voice phishing, IT impersonation, and in-person office break-ins to compromise US law and financial firms — progressing from initial contact to ransom demand in under an hour.
Threats
GitHub has disabled 73 Microsoft repositories after the Miasma worm infiltrated Azure infrastructure through a compromised contributor account, breaking CI/CD pipelines across the Azure Functions ecosystem and triggering remote code execution on developer machines that opened the infected repos in IDEs and AI coding tools. The attack began on
Threats
The intelligence agencies of all five Five Eyes nations have issued a joint alert warning that Chinese military intelligence officers are conducting coordinated recruitment campaigns on professional networking platforms, targeting government and military personnel with access to classified or privileged information. The alert — co-authored by the FBI, MI5, the
Threats
A compromised version of the Nx Console extension — a popular VS Code plugin with over 2.2 million installations — was published to the Visual Studio Code Marketplace after an attacker leveraged stolen developer credentials to inject a multi-stage credential stealer into the official nrwl/nx GitHub repository. The malicious