All CosmicBytez Labs articles tagged #Threat Intelligence, across news, security advisories, how-to guides, and projects.
Group-IB researchers discovered ClickLock, a new macOS infostealer distributed via ClickFix lures that terminates all visible system processes in a loop until the victim surrenders their login password — with zero AV detections at discovery.
Sophos 2026: 79% of ransomware attacks start with stolen identities. MFA was present in 97% of credential-based cases yet failed to stop every one of them.
A newly identified ransomware group called Spirals has demonstrated alarming operational speed, completing the full attack lifecycle — initial access, lateral movement, data theft, and network-wide encryption — in less than 24 hours.
Microsoft has detailed three distinct attack paths used by actors aligned with ShinyHunters to infiltrate corporate Salesforce environments over the past year — none of which required exploiting any vulnerability in the Salesforce platform itself.
An attacker's operational security mistake — leaving a Python HTTP server and .bash_history exposed on a public port — allowed researchers to uncover three simultaneous Evilginx phishing campaigns targeting Microsoft 365 credentials.
The Australian Cyber Security Centre has issued an alert about a coordinated global campaign actively exploiting unpatched vulnerabilities in WordPress,...
SentinelOne researchers discovered that threat actors linked to both China and India independently targeted the Balochistan Police force in Pakistan for...
Multiple threat campaigns are leveraging disposable 'ghost' GitHub accounts to conduct mass reconnaissance against organizations, systematically mapping...
SentinelOne researchers have uncovered two years of sustained cyberespionage against Pakistani law enforcement — with China-nexus and India-nexus threat...
A single threat actor leveraged AI workflows, chained cloud misconfigurations, and stolen credentials to breach a large Amazon Web Services customer...
An authentication bypass vulnerability in OpenCTI prior to 7.260326.0 allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass...
A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service, letting even low-skill criminals take...
China's GLM 5.2 finds vulnerabilities at $0.17 each and outperforms frontier Western models on security benchmarks — while AI-enabled adversary activity...
Threat group JadePuffer leveraged an LLM agent to autonomously execute a multi-stage ransomware-style attack through a critical Langflow vulnerability,...
Kaspersky has identified a previously undocumented APT group — Armored Likho (aka Eagle Werewolf) — deploying an AI-assisted Python infostealer called...
Security researchers have documented what appears to be the first ransomware operation conducted entirely by a large language model agent — JadePuffer...
JFrog researchers attribute a fresh npm supply chain campaign to North Korea's Lazarus Group. Malicious packages impersonating Rollup polyfill tooling...
Threat actors linked to North Korea's Contagious Interview campaign have published 108 malicious packages and browser extensions across npm, Packagist,...
Jamf Threat Labs has discovered PamStealer, a sophisticated two-stage macOS infostealer that impersonates the Maccy clipboard manager, delivers a...
Threat actors who exploited the FortiBleed vulnerability to gain persistent access to thousands of Fortinet firewalls are now monetizing that access by...
Working alongside the FBI and Lumen Technologies, Google's Threat Intelligence Group has significantly degraded NetNut — one of the largest networks that...
From outsourced labor to tiered pricing models, today's top ransomware groups operate less like rogue hackers and more like Fortune 500 companies — with...
The U.S. Department of State is offering up to $10 million through its Rewards for Justice program for information identifying members of UNC5792 and...
The FBI and CISA warn that a Russian-linked phishing campaign targeting Signal users has evolved to steal Backup Recovery Keys, giving attackers full...
Ukraine's SSU and the FBI have exposed a sustained Russian intelligence campaign using fake support SMS messages to steal Signal, WhatsApp, and Telegram...
Six weeks of undetected access through a compromised VPN appliance exposes a hard truth: patching is necessary but not sufficient. Organisations already...
The SSU and FBI jointly disclosed a sustained Russian intelligence operation targeting messaging credentials of government officials, military personnel,...
New research from Black Kite shows ransomware attacks against European organizations surged 55% in the first four months of 2026 compared to the same...
Unit 42 researchers identified five persistent malicious skill packages on ClawHub — OpenClaw's AI agent marketplace — including infostealers disguised as...
ESET research reveals FSB-sponsored Gamaredon has significantly upgraded its C2 infrastructure obfuscation and malware delivery capabilities, running 35...
Deep analysis of the FortiBleed operation reveals a sophisticated five-stage credential harvesting pipeline — custom Golang sniffers, Telegram-based...
Deploy OpenCTI to aggregate, correlate, and visualize threat intelligence from MISP, NVD, AlienVault OTX, and Shodan — all in a self-hosted Docker stack.
The FortiBleed campaign's operators weaponize Fortinet's own built-in diagnostic command to run a custom Golang sniffer that intercepts 24 authentication...
More victims have surfaced after attackers breached application vendor Klue and abused its OAuth tokens to access customers' Salesforce environments. The...
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack, with attackers injecting backdoor code into Pro plugin releases...
Google's Threat Intelligence Group discovered and disrupted a sprawling China-nexus espionage campaign that stole RedCAP credentials to silently breach...
Google's Threat Intelligence Group has unmasked UNC6508, a China-linked espionage actor that silently maintained access to critical infrastructure and...
TeamPCP's remarkable success attacking open-source software was no accident — it exploited a cultural vulnerability baked into modern development: the...
A self-spreading USB worm active since February 2026 hides real files behind malicious .lnk shortcuts, hijacks clipboard cryptocurrency addresses, hunts...
A newly detailed malware family called CryptoBandits routes all traffic through a local SOCKS5 proxy and the Tor network, blending credential theft with...
The hackers exfiltrated data from Salesforce instances of Klue customers, including Huntress and Recorded Future, in a cascading supply chain compromise.
Salesforce has disabled the Klue Battlecards app integration following a security incident in which attackers abused OAuth tokens to access customer CRM...
Human Rights Watch obtained Bulgarian export licensing records showing the government approved surveillance firm Circles' technology sales to law...
Cybersecurity researchers have charted the evolution of INC ransomware from a nascent RaaS operation to one of the most prolific cybercrime groups in...
Security researchers have traced the sprawling Popa Android botnet — which enslaved millions of consumer TV boxes for ad fraud and data scraping — to a...
A supply chain attack dubbed easy-day-js has compromised 144 npm packages in the @mastra/* namespace by hijacking a contributor account for the popular...
A comprehensive breakdown of the most dangerous attack surface exposures organizations face in 2026 — from exposed admin panels and credential reuse to...
The latest supply chain attacks against PyPI, which hit 37 wheels and 19 code packages, show a continued evolution of the persistent Shai-Hulud software...
GitHub has announced that npm version 12 will disable install scripts by default as a breaking change aimed at combating software supply chain attacks...
KrebsOnSecurity investigates the identity and structure behind The Gentlemen, the second most active ransomware gang of 2026, known for offering...
The 2026 Verizon DBIR confirms phishing, shadow AI, malicious extensions, and credential theft now execute inside the browser, exposing major security gaps.
Two distinct malware campaigns have hit the npm ecosystem simultaneously — IronWorm deploys a Rust-based infostealer via 50+ poisoned packages, while a new…
A threat actor has deployed an AI-generated ransomware attack toolkit that automates Active Directory discovery and helps evade endpoint detection and…
Twenty years after Dark Reading launched, security leaders are looking beyond the assume-breach paradigm toward AI-native, hyper-segmented enterprise defense…
Nation-states are racing to dominate the embodied AI and humanoid robotics market, but as governments and militaries integrate these systems, the…
DDoS attacks are increasingly sold as subscription services with pricing tiers, reseller programs, and customer support. Flare's analysis reveals how the…
As OpenAI and Anthropic push frontier AI capabilities forward, SentinelOne argues that AI-native, machine-speed cyber defense is now essential — and that the…
Anne Keast-Butler, head of the UK's GCHQ signals intelligence agency, has warned that artificial intelligence represents an unstoppable force in cyberspace…
Western intelligence officials warn that Moscow's espionage apparatus is deploying cyber spies, hackers, and recruited middlemen to steal dual-use...
UK signals-intel chief warns AI is reshaping threats as an unstoppable force while Russia escalates hostile gray-zone activity below open conflict.
Nimbus Manticore, an Iranian advanced persistent threat group, has continued operations targeting aviation and software companies during and after the US.
The Belarus-aligned Ghostwriter APT (UAC-0057/UNC1151) has launched a new phishing campaign impersonating Prometheus, a Ukrainian e-learning platform, to...
This week's threat intelligence bulletin covers Linux rootkit campaigns, an actively exploited router zero-day, AI-assisted intrusions, new scam kit...
Threat actors have compromised the widely-used actions-cool/issues-helper GitHub Action, redirecting every existing tag to a malicious imposter commit...
Researchers at HUMAN Security uncovered Trapdoor, a sophisticated Android ad fraud and malvertising operation that used 455 malicious apps and 183...
Verizon's 2026 Data Breach Investigations Report reveals a landmark shift: vulnerability exploitation has surpassed credential abuse as the leading breach...
A Flare threat intelligence analysis breaks down the REMUS infostealer — a rapidly evolving credential theft tool built around stolen browser sessions and...
Adversaries are increasingly weaponizing CI/CD pipelines as a living-off-the-land vector — abusing trusted build infrastructure to execute attacks without...
Director of National Intelligence Tulsi Gabbard has appointed two officials to lead cross-agency monitoring of foreign threats targeting the 2026 U.S....
SecurityScorecard has acquired Driftnet to expand visibility into third-party ecosystems, addressing growing supply chain attack risks that continue to...
The hacking group TeamPCP has publicly released the source code for its Shai-Hulud supply chain worm, actively encouraging other threat actors to...
An OPSEC failure provides a rare window into the inner workings of The Gentlemen ransomware-as-a-service group, exposing their affiliate model, TTPs, and...
TeamPCP has expanded its supply chain attack campaign with a fresh Mini Shai-Hulud worm that compromised npm and PyPI packages from TanStack, UiPath,...
Google Threat Intelligence Group researchers say a zero-day exploit targeting a widely used open-source web administration tool was likely generated using...
Install and configure CrowdSec on Linux to detect and block attacks using crowdsourced threat intelligence, custom scenarios, and iptables/nftables bouncers.
Analysis of more than 25 million security alerts across enterprise SOCs reveals a troubling pattern: organizations are institutionalizing the practice of...
The RansomHouse threat group has claimed responsibility for the Trellix source code repository breach disclosed last week, leaking a set of proof images...
A newly discovered phishing-as-a-service toolkit called Bluekit is emerging on underground forums, offering threat actors an AI assistant for campaign...
When rival ransomware groups 0APT and KryBit turned on each other, they exposed infrastructure details, operational data, victim lists, and internal...
ShinyHunters hits Medtronic and ADT in the same week, exposing millions of records; a critical one-push RCE lands in GitHub; LiteLLM's pre-auth SQL...
This week's ThreatsDay Bulletin covers the $290M KelpDAO DeFi hack tied to Lazarus Group, new macOS living-off-the-land attack techniques, ProxySmart SIM...
SentinelOne has discovered 'fast16', a 2005-era Lua-based cyber sabotage implant that predates Stuxnet by five years and targeted high-precision...
UNC6692 employs email bombing and Teams impersonation to deliver a three-component Snow malware suite — SnowBelt, SnowGlaze, and SnowBasin — enabling full...
Threat actors hijacked the official checkmarx/kics Docker Hub repository by overwriting existing image tags — including v2.1.20 and alpine variants — and...
Recently observed Trigona ransomware attacks are using a bespoke command-line exfiltration tool to steal data from compromised environments faster and...
Vercel has expanded its breach investigation tied to the Context.ai supply chain compromise and identified additional customer accounts with unauthorized...
Stolen credentials remain the dominant initial access vector in 2026 — no zero-days, no malware, just valid logins that blend in with normal activity...
The North Korean supply chain attack on Axios — a JavaScript library with 100 million weekly downloads — highlights why human-scale monitoring can no...
Following law enforcement disruption of the Tycoon 2FA platform, threat actors are reusing its tools and techniques across a wave of new phishing kits,...
Grinex, a Kyrgyzstan-based cryptocurrency exchange sanctioned by the U.S., U.K., and EU for facilitating sanctions evasion, has suspended all operations...
Kyrgyzstan-based cryptocurrency exchange Grinex has suspended all operations after a $13.7 million hack, with the platform controversially attributing the...
Huntress is warning that threat actors are actively exploiting three privilege escalation vulnerabilities in Microsoft Defender — codenamed BlueHammer,...
Citizen Lab has documented how an Israeli surveillance company called Cobwebs Technologies built an advertising-based global geolocation platform named...
UK communications regulator Ofcom has warned tech executives they face criminal prosecution and imprisonment if their platforms fail to adequately combat...
Bitcoin Depot, one of North America's largest Bitcoin ATM operators, has filed an SEC disclosure revealing a cyberattack in which threat actors gained...
Cybercriminals are stealing millions from Russian companies by compromising accountants' computers and disguising fraudulent transfers as routine salary...
This week's ThreatsDay Bulletin from The Hacker News covers 20 active threats including a hybrid P2P DDoS botnet, a 13-year-old Apache ActiveMQ RCE flaw...
Microsoft says the financially motivated cybercrime group Storm-1175, linked to China, has exploited N-day and zero-day vulnerabilities in high-velocity...
Microsoft has formally attributed Medusa ransomware zero-day attacks to Storm-1175, a China-based financially motivated cybercriminal group that has...
Cybersecurity researchers discovered 36 malicious npm packages disguised as Strapi CMS plugins that abused Redis and PostgreSQL connections to harvest...
Modern ransomware has evolved far beyond simple file encryption. Multi-extortion tactics — combining encryption, data theft, and public leak threats —...
Microsoft Defender researchers have documented a stealthy PHP web shell technique that uses HTTP cookies as a covert command-and-control channel on Linux...
The North Korean threat actor UNC1069 used a sophisticated, targeted social engineering campaign against the Axios npm package maintainer Jason Saayman to...
As organizations disclose breaches tied to TeamPCP's supply chain attacks, ShinyHunters and Lapsus$ are taking credit and creating a murky attribution...
Threat actors are weaponizing vacant properties as drop addresses for mail interception, blending physical access with digital fraud. A Flare threat...
The Drift Protocol DeFi platform lost at least $280 million after a sophisticated threat actor executed a planned governance attack, seizing control of...
Google's Threat Intelligence Group has formally attributed the supply chain compromise of the popular Axios npm package to UNC1069, a financially...
Security researchers at multiple firms are sounding alarms over a supply chain attack against Axios, an npm package with 100 million weekly downloads....
Security researchers have identified a newly discovered malicious implant named RoadK1ll that leverages WebSocket connections to silently move from an...
This week's cybersecurity roundup covers long-running telecom espionage operations reaching courtrooms, resurging LLM jailbreak techniques, Apple's UK age...
New research shows AI is dramatically accelerating how quickly threat actors can weaponize vulnerabilities, with 92% of security professionals expressing...
Proofpoint has attributed a targeted email campaign to Russian state-sponsored threat actor TA446, which is leveraging the recently disclosed DarkSword...
The TeamPCP threat actor — behind previous supply chain attacks on Trivy, KICS, and litellm — has now compromised the telnyx Python package on PyPI,...
Deploy CrowdSec on a Linux server to get community-powered intrusion prevention — block brute-force attacks, credential stuffing, and vulnerability...
A newly discovered .NET infostealer dubbed Speagle repurposes compromised Cobra DocGuard servers for C2 and data exfiltration, targeting organizations...
The Interlock ransomware gang has been actively exploiting a CVSS 10.0 insecure deserialization flaw in Cisco Secure Firewall Management Center since late...
The LeakNet ransomware gang is using ClickFix social engineering for initial access and a Deno-based malware loader to execute fileless payloads from...
The GlassWorm self-propagating worm campaign has compromised 72 Open VSX extensions using invisible Unicode Private Use Area characters and a Solana...
Microsoft-tracked threat actor Velvet Tempest is deploying Termite ransomware via a ClickFix social-engineering chain that loads DonutLoader and installs...
Deploy a full deception technology stack using T-Pot and OpenCanary to capture real attacker behaviour, generate threat intelligence, and sharpen your...
Cloudflare's inaugural threat intelligence report reveals its network blocks 230 billion cyber threats daily, with DDoS attacks doubling to 47.1 million...
Amazon's threat intelligence team has documented how a Russian-speaking, financially motivated actor used multiple commercial generative AI tools to...
A Russian-linked phishing operation dubbed Diesel Vortex has stolen over 1,649 credentials from major freight and logistics companies across the US and...
Multiple industry reports warn that 2026 marks the emergence of agentic AI threats — autonomous systems capable of planning and executing multi-step...
With 91 publicly disclosed ransomware attacks in January 2026 alone, the ransomware landscape is shifting toward data-only extortion while healthcare...
Security researchers discover a new Linux botnet named SSHStalker that leverages the legacy IRC protocol for C2 operations, marking a return to old-school...
The 2026 International AI Safety Report confirms AI systems can assist attackers across multiple stages of the cyberattack chain, with vulnerability...
This week: state-backed espionage campaigns across 155 countries, China-linked router hijacking, ransomware surge, new security tools, and site updates.
Palo Alto Unit 42 reveals a state-aligned group designated TGR-STA-1030 compromised government and critical infrastructure targets in 37 countries using...
A structured approach to open-source intelligence gathering covering domain reconnaissance, email enumeration, social media profiling, and infrastructure...
Security experts predict autonomous AI systems will be responsible for at least one major enterprise breach within months, as threat actors weaponize...
Security researchers identify 14 active RaaS platforms operating sophisticated affiliate programs, with entry costs as low as $40 per month lowering the...
Threat intelligence reports show 8 active ransomware groups claimed 26 victims on February 2nd alone, with major corporations including BASF and Honeywell...
Ransomware attacks against healthcare organizations have increased 67% in the first month of 2026, with multiple hospital systems reporting service disruptions.
Microsoft reveals adversaries using AI for automated vulnerability discovery, phishing campaigns, and malware generation. AI-crafted phishing emails...