Zero Day Wire - Zero Day Wire (Page 5)

Breaches

Qilin Ransomware Gang Breaches Romania's National Oil Pipeline Operator Conpet, Claims 1TB Data Theft

Romania's national oil pipeline operator Conpet S.A. has confirmed that the Qilin ransomware group breached its corporate IT infrastructure and stole company data in an attack last week, marking another critical infrastructure target hit by the increasingly aggressive ransomware operation. Conpet S.A. is a strategic company

Threats

Lazarus Group Poisons npm and PyPI With Fake Recruitment Campaign Deploying Token-Based RAT

The North Korea-linked Lazarus Group has been planting malicious packages across both npm and PyPI repositories through an elaborate fake recruitment campaign targeting developers in the blockchain and cryptocurrency space, deploying a modular remote access trojan with a command-and-control mechanism unique to North Korean operations. ReversingLabs researchers discovered the campaign,

Breaches

30 Fake AI Chrome Extensions With 300,000 Installs Caught Stealing Credentials, Gmail Data, and Audio

Thirty malicious Chrome extensions with a combined 300,000 installations have been caught masquerading as AI assistants while stealing credentials, email content, browsing data, and even activating voice recognition to capture audio from victim environments. Researchers at browser security platform LayerX discovered the campaign, dubbed AiFrame, and confirmed all 30

Breaches

Comcast Agrees to $117.5M Settlement Over Citrix Bleed Breach That Exposed 31.6 Million Customers

Comcast has agreed to pay $117.5 million to settle a class action lawsuit stemming from the October 2023 data breach in which attackers exploited the Citrix Bleed vulnerability to compromise the personal information of 31.6 million customers. US District Judge John Milton Younge granted preliminary approval on January

China's APT31 Used Gemini AI and Hexstrike to Automate Vulnerability Analysis Against US Targets

China's APT31 used Google's Gemini AI chatbot combined with the Hexstrike red-teaming framework to automate vulnerability analysis and plan cyberattacks against specific US-based targets, according to Google's latest AI Threat Tracker report. APT31 — also tracked as Violet Typhoon, Zirconium, and Judgment Panda — is a

Threats

Single Bulletproof Hosting IP Behind 83% of Ivanti EPMM Exploitation as Sleeper Shells Target MDM Infrastructure

A single IP address on bulletproof hosting infrastructure is responsible for 83% of all exploitation attempts targeting the critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities that have already compromised multiple European government agencies. Threat intelligence firm GreyNoise recorded 417 exploitation sessions from 8 unique source IPs between February 1-9, with

Breaches

First Malicious Outlook Add-In Discovered in the Wild After Abandoned Domain Hijack Steals 4,000 Credentials

Researchers at Koi Security have discovered what they describe as the first known malicious Microsoft Outlook add-in detected in the wild — a supply chain attack that exploited an abandoned developer domain to serve a phishing kit directly inside Outlook, stealing over 4,000 Microsoft credentials. The campaign, codenamed AgreeToSteal, targeted

Alerts

Apple Patches First Zero-Day of 2026 After Google TAG Discovers Exploitation in Targeted Attacks

Apple has released security updates across its entire product ecosystem to address a zero-day vulnerability that the company says has been exploited in "extremely sophisticated" attacks targeting specific individuals. The vulnerability, tracked as CVE-2026-20700, is a memory corruption flaw in dyld — Apple's Dynamic Link Editor responsible

Threats

Crazy Ransomware Operator Weaponizes Employee Monitoring Software for Stealth Persistence

A Crazy ransomware affiliate is abusing legitimate employee monitoring software and remote support tools to maintain stealth persistence inside corporate networks, blending malicious activity with normal administrative operations before deploying ransomware. Researchers at Huntress investigated multiple intrusions where the threat actor deployed Net Monitor for Employees Professional alongside the SimpleHelp

Breaches

Dutch Police Arrest Third Suspect Behind JokerOTP Phishing Platform That Caused $10M in Losses

Netherlands police have arrested a 21-year-old man from Dordrecht suspected of selling access to the JokerOTP phishing automation platform — a tool designed to intercept one-time passwords through automated voice calls that tricked victims into handing over their MFA codes. The arrest is the third in a three-year investigation that dismantled

Threats

North Korean UNC1069 Deploys AI-Generated Deepfakes and Seven Malware Families to Target Crypto Sector

Google Mandiant has detailed a sophisticated North Korean intrusion campaign in which the threat group UNC1069 used AI-generated deepfake video calls, compromised Telegram accounts, and ClickFix social engineering to deploy seven unique malware families against cryptocurrency sector targets. UNC1069 — also tracked as CryptoCore and MASAN — has been active since at

Threats

LummaStealer Rebounds With CastleLoader Campaigns as ClickFix Infections Surge Globally

LummaStealer — the prolific infostealer-as-a-service operation that law enforcement disrupted in May 2025 — has staged a significant comeback, with Bitdefender researchers documenting a major surge in infections between December 2025 and January 2026. The resurgence is powered by CastleLoader, a modular malware loader that uses ClickFix social engineering to trick users