Threat

STAC6565 Focuses on Canada in Most Attacks While Gold Blade Spreads QWCrypt Ransomware

Canadian organizations have become the primary focus of a targeted cyber campaign led by the threat cluster STAC6565. Cybersecurity company Sophos investigated nearly 40 intrusions linked to the group between February 2024 and August 2025, finding strong overlaps with the hacking group Gold Blade, also tracked under names such as Earth Kapre, RedCurl, and Red […]


Storm-0249 Amplifies Ransomware Attacks Using ClickFix, Fileless PowerShell, and DLL Sideloading

The threat actor tracked by Microsoft as Storm-0249 is expanding its tactics beyond its previous role as an initial access broker and is now deploying more advanced intrusion methods, including domain spoofing, DLL sideloading, and fileless PowerShell execution. These upgraded techniques are being used to support ransomware operations targeting enterprise networks. In research shared with


Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure

Cybersecurity researchers have identified four separate threat clusters using a malware loader called CastleLoader, reinforcing earlier assessments that this tool operates under a malware-as-a-service (MaaS) model, providing capabilities to multiple cybercriminal groups. The operator behind CastleLoader has been designated GrayBravo by Recorded Future’s Insikt Group, previously tracked as TAG-150. According to an analysis published by


Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deliver NetSupport RAT

A newly identified cyber campaign called JS#SMUGGLER is gaining attention after researchers observed attackers using compromised websites to distribute NetSupport RAT, a legitimate remote administration tool that, once abused, gives an attacker full control over the victim's device. Security analysts from Securonix reported that the operation relies on several coordinated components, including an obfuscated JavaScript loader, an HTML Application (HTA)


MuddyWater Uses UDPGangster Backdoor in Targeted Campaign Across Turkey, Israel, and Azerbaijan

In a newly identified cyber espionage operation, the Iranian-aligned group MuddyWater has been found using a previously unknown backdoor named UDPGangster. The malware carries its command-and-control traffic over the User Datagram Protocol (UDP) rather than the TCP-based channels most C2 frameworks use, a choice that lets it slip past network monitoring tuned to HTTP/HTTPS sessions. Security analysts at Fortinet FortiGuard Labs report that


CISA Reports Chinese Hackers Leveraging BRICKSTORM for Persistent U.S. System Access

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed the use of a sophisticated backdoor, BRICKSTORM, by state-sponsored Chinese threat actors to maintain long-term access to compromised systems across the United States. CISA described BRICKSTORM as a highly advanced implant designed for VMware vSphere and Windows environments. It allows attackers to gain stealthy access,


Lazarus APT’s Remote-Worker Operations Caught Live on Camera

A collaborative investigation led by Mauro Eldritch, founder of BCA LTD, alongside NorthScan and ANY.RUN, has unveiled one of North Korea’s most persistent infiltration tactics: a network of remote IT workers linked to the Lazarus Group’s Famous Chollima division. For the first time, researchers observed the operators live, capturing their activity on what they believed


GlassWorm Resurfaces With 24 Malicious Extensions Masquerading as Popular Developer Tools

The notorious supply chain threat GlassWorm has resurfaced, targeting developers by infiltrating both the Microsoft Visual Studio Marketplace and Open VSX with 24 malicious extensions. These extensions impersonate widely used developer frameworks and tools, including Flutter, React, Tailwind, Vim, and Vue. Originally documented in October 2025, GlassWorm uses transactions on the Solana blockchain as a dead-drop resolver for its command-and-control infrastructure, harvest


Iran-Linked Hackers Hit Israeli Sectors With New MuddyViper Backdoor

Israeli organizations across academia, engineering, local government, manufacturing, technology, transportation, and utilities have become targets of a sophisticated campaign by Iranian-linked hackers deploying a new backdoor called MuddyViper. ESET attributed the attacks to the MuddyWater group, also known as Mango Sandstorm or TA450, linked to Iran’s Ministry of Intelligence and Security (MOIS). One Egyptian technology


ShadyPanda Converts Popular Browser Extensions With 4.3 Million Installs Into Spyware

A long-running operation linked to the threat actor ShadyPanda has been exposed for converting widely installed browser extensions into surveillance tools. The campaign has reportedly been active for about seven years, and the affected extensions have accumulated more than 4.3 million installs. According to Koi Security, five extensions that originally functioned as legitimate utilities were altered in
