Live Feeds

UNC4899 breached crypto firm after developer AirDropped trojanized file to work device
The North Korea-linked threat actor UNC4899 is suspected of breaching a cryptocurrency organization in 2025 after a developer transferred a trojanized file to a work device, leading to a cloud compromise and the theft of millions of dollars in cryptocurrency.

APT28 used BEARDSHELL and COVENANT to spy on Ukrainian military personnel
ESET says the Russian state-sponsored group APT28 has used two implants called BEARDSHELL and COVENANT since April 2024 to conduct long-term surveillance of Ukrainian military personnel.

Iran-linked MuddyWater targets U.S. networks with new Dindoor backdoor
Broadcom’s Symantec and Carbon Black Threat Hunter Team say the Iran-linked MuddyWater group embedded itself inside several U.S. organizations, including banks, airports, a non-profit, and the Israeli arm of a software company, using a newly identified backdoor named Dindoor.

China-linked UAT-9244 used TernDoor, PeerTime, and BruteEntry in South American telecom attacks
Cisco Talos says China-linked threat actor UAT-9244 has targeted telecommunications providers in South America since 2024, using the TernDoor, PeerTime, and BruteEntry implants across Windows, Linux, and edge devices in a campaign it says is closely associated with FamousSparrow.

Hikvision and Rockwell Automation CVSS 9.8 flaws added to CISA KEV catalog
CISA has added two CVSS 9.8 vulnerabilities affecting Hikvision IP cameras and Rockwell Automation ThinManager to its Known Exploited Vulnerabilities catalog, giving federal agencies until March 26, 2026, to apply mitigations or discontinue use.

Chrome extensions turned malicious after ownership transfer, pushing code injection and fake updates
Two Chrome extensions, QuickLens and ShotBird, turned malicious after ownership changes, enabling attackers to inject arbitrary code, strip security headers, display fake Chrome update prompts, and steal sensitive data from downstream users.

AppsFlyer Web SDK hijacked to deliver crypto-stealing JavaScript in supply-chain attack
The AppsFlyer Web SDK was temporarily hijacked to deliver malicious JavaScript that replaced cryptocurrency wallet addresses with attacker-controlled ones, in what AppsFlyer says was a domain registrar incident affecting the Web SDK on a segment of customer websites.

Critical Vulnerability Triage Playbook: How SOCs Prioritize and Patch Critical CVEs
Vulnerability triage: Practical steps SOCs use to prioritize critical CVEs, assign risk, and speed safe patching.

Pulse Secure network hacked via backdoor embedded in its VPN software
Pulse Secure's network was breached after attackers planted a backdoor in the vendor's VPN code, according to a Bloomberg report. The intrusion affected 119 customer organizations and underscores recurring Ivanti VPN flaws.
