Threats

Malware, attack campaigns, APT groups

AWS Reports 600+ FortiGate Firewalls Compromised in AI-Augmented Campaign by Russian-Speaking Cybercrime Group

A financially motivated Russian-speaking cybercrime group compromised more than 600 internet-exposed FortiGate firewalls across 55 countries in just over a month, using off-the-shelf generative AI tools to scale an operation that would traditionally require a well-resourced team, according to a new incident report from AWS. The campaign, which ran from

By Zero Day Wire

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

Elastic Security Labs has disclosed a new ClickFix campaign that leverages compromised legitimate websites as delivery infrastructure to deploy a previously undocumented remote access trojan dubbed MIMICRAT (also tracked as AstarionRAT). The campaign, discovered earlier this month, demonstrates significant operational sophistication — from multi-stage PowerShell chains that bypass Windows security controls

By Zero Day Wire

ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

A new wave of attacks is combining voice phishing (vishing) with OAuth 2.0 device authorization abuse to compromise Microsoft Entra accounts at technology, manufacturing, and financial organizations — bypassing traditional phishing infrastructure entirely. Sources told BleepingComputer they believe the ShinyHunters extortion gang is behind the campaigns, which the threat actors

By Zero Day Wire

Underground Telegram Channels Weaponize SmarterMail Exploits Within Days of Disclosure, Enabling Ransomware Campaigns

Researchers at Flare have documented the rapid weaponization of critical SmarterMail vulnerabilities across underground Telegram channels, showing how threat actors moved from disclosure to exploit sharing to ransomware deployment in a matter of days. The activity centers on two critical vulnerabilities — CVE-2026-24423 (CVSS 9.3), an unauthenticated remote code execution

By Zero Day Wire

APT UNC6201 Exploited Dell Zero-Day Since Mid-2024, Deploying Novel Grimbolt Backdoor and ESXi Ghost NICs

Mandiant and the Google Threat Intelligence Group (GTIG) have disclosed that a suspected Chinese state-backed threat group tracked as UNC6201 has been exploiting a maximum-severity Dell zero-day vulnerability since mid-2024 — remaining undetected in victim networks for over 18 months. The vulnerability, CVE-2026-22769, is a hardcoded-credential flaw in Dell RecoverPoint for

By Zero Day Wire

Check Point Demonstrates AI Chatbots as Covert C2 Channels — Grok and Copilot Exploited Without Authentication

Check Point Research (CPR) has published findings showing that AI assistants with web-browsing capabilities can be weaponized as covert command-and-control infrastructure — allowing malware to communicate with attacker servers through trusted AI domains that blend seamlessly into normal enterprise traffic. The technique was demonstrated against Grok and Microsoft Copilot, both of

By Zero Day Wire

GS7 Threat Group Targets Fortune 500 Financial Institutions With Near-Perfect Brand Impersonation in Operation DoppelBrand

A financially motivated threat group tracked as GS7 has been running a large-scale phishing operation against Fortune 500 financial institutions, constructing near-perfect replicas of corporate login portals to harvest credentials and deploy remote access tools, according to research published by SOCRadar. The campaign, dubbed Operation DoppelBrand, was first observed between

By Zero Day Wire