Threats

Threats

Infostealers Begin Targeting OpenClaw AI Agent Configuration Files, Stealing Gateway Tokens and Cryptographic Keys

Information-stealing malware has been caught exfiltrating configuration files from OpenClaw, the rapidly growing open-source AI agent platform, in what researchers describe as the first observed case of infostealers targeting AI agent infrastructure. "This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser

Threats

Former L3Harris Cyber Executive Sold Eight Zero-Day Exploit Kits to Russian Broker, DoJ Reveals

A former senior executive at L3Harris's cyber subsidiary Trenchant sold eight zero-day exploit kits to a broker who regularly provided exploits to the Russian government, according to a sentencing memorandum published by the US Department of Justice. Peter Williams, the former General Manager of Trenchant, pleaded guilty to

Threats

Hijacked Google Ads and Fake Claude AI Guides Used to Deliver MacSync Infostealer Through ClickFix Campaign

Attackers are hijacking verified Google Ads accounts and abusing a public Claude AI artifact page to deliver the MacSync infostealer to macOS users through ClickFix social engineering, according to researchers at Moonlock Lab. The campaign combines three distinct social engineering layers — hijacked advertising infrastructure, trusted AI platform content, and Terminal

Threats

Lazarus Group Poisons npm and PyPI With Fake Recruitment Campaign Deploying Token-Based RAT

The North Korea-linked Lazarus Group has been planting malicious packages across both npm and PyPI repositories through an elaborate fake recruitment campaign targeting developers in the blockchain and cryptocurrency space, deploying a modular remote access trojan with a command-and-control mechanism unique to North Korean operations. ReversingLabs researchers discovered the campaign,

Threats

Single Bulletproof Hosting IP Behind 83% of Ivanti EPMM Exploitation as Sleeper Shells Target MDM Infrastructure

A single IP address on bulletproof hosting infrastructure is responsible for 83% of all exploitation attempts targeting the critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities that have already compromised multiple European government agencies. Threat intelligence firm GreyNoise recorded 417 exploitation sessions from 8 unique source IPs between February 1-9, with

Threats

Crazy Ransomware Operator Weaponizes Employee Monitoring Software for Stealth Persistence

A Crazy ransomware affiliate is abusing legitimate employee monitoring software and remote support tools to maintain stealth persistence inside corporate networks, blending malicious activity with normal administrative operations before deploying ransomware. Researchers at Huntress investigated multiple intrusions where the threat actor deployed Net Monitor for Employees Professional alongside the SimpleHelp

Threats

North Korean UNC1069 Deploys AI-Generated Deepfakes and Seven Malware Families to Target Crypto Sector

Google Mandiant has detailed a sophisticated North Korean intrusion campaign in which the threat group UNC1069 used AI-generated deepfake video calls, compromised Telegram accounts, and ClickFix social engineering to deploy seven unique malware families against cryptocurrency sector targets. UNC1069 — also tracked as CryptoCore and MASAN — has been active since at

Threats

LummaStealer Rebounds With CastleLoader Campaigns as ClickFix Infections Surge Globally

LummaStealer — the prolific infostealer-as-a-service operation that law enforcement disrupted in May 2025 — has staged a significant comeback, with Bitdefender researchers documenting a major surge in infections between December 2025 and January 2026. The resurgence is powered by CastleLoader, a modular malware loader that uses ClickFix social engineering to trick users

Threats

Kimwolf IoT Botnet Disrupts I2P Anonymity Network in Massive Sybil Attack

The massive IoT botnet known as Kimwolf has spent the past week disrupting the Invisible Internet Project (I2P), a decentralized anonymity network, after its operators attempted to join approximately 700,000 infected devices as nodes on the network. The incident represents one of the largest Sybil attacks ever observed against

Threats

Chinese APT UNC3886 Targeted All Four Singapore Telecoms in Espionage Campaign

Singapore's Cyber Security Agency (CSA) has disclosed that the China-linked cyber espionage group UNC3886 conducted a deliberate campaign against the country's entire telecommunications sector, targeting all four major operators — M1, SIMBA Telecom, Singtel, and StarHub. The disclosure follows comments made over six months ago by Singapore&

Threats

Rublevka Team: Russian Crypto Drainer Operation Steals $10 Million Through Affiliate Network

Recorded Future's Insikt Group has published a comprehensive analysis of Rublevka Team, a Russian cybercriminal operation that has generated over $10 million in cryptocurrency theft since 2023 through an affiliate-driven wallet draining ecosystem. Unlike traditional crypto-stealing operations that rely on infostealer malware, Rublevka Team deploys custom JavaScript drainer

Threats

Threat Actors Exploit 15-Year-Old EnCase Driver to Kill EDR Processes in Ransomware Precursor Attack

Huntress has published details of a February 2026 intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to access a victim network, then deployed a custom EDR killer that abuses a legitimate Guidance Software (EnCase) forensic driver to terminate security processes from kernel mode. The attack was disrupted before ransomware