Threats

Threats

Unit 42 Exposes TGR-STA-1030: State-Aligned Espionage Group Compromised 37 Countries in One Year

Palo Alto Networks' Unit 42 has published a major investigation into a newly identified cyberespionage group it tracks as TGR-STA-1030, also known as UNC6619. The group — assessed with high confidence to be state-aligned and operating out of Asia — has compromised at least 70 organizations across 37 countries over the

Threats

LockBit 5.0 Deploys Cross-Platform Ransomware Targeting Windows, Linux, and ESXi Simultaneously

LockBit 5.0 has introduced cross-platform ransomware payloads capable of hitting Windows, Linux, and VMware ESXi environments in a single campaign, according to analysis of 19 samples published by LevelBlue. The release marks a significant technical evolution for the RaaS operation, with specialized routines designed to maximize damage across enterprise

Threats

ShadowSyndicate Linked to 20+ C2 Servers After SSH Fingerprint Rotation Technique Exposed

ShadowSyndicate, a cybercrime cluster first identified in 2023, has been caught using a server transition technique designed to obscure operational continuity across its infrastructure — but OPSEC failures have given researchers visibility into the group's C2 network. Group-IB confirmed two additional SSH fingerprints linked to ShadowSyndicate operations in February

Threats

Interlock Ransomware Deploys Zero-Day Anti-Cheat Driver Exploit to Kill EDR Processes

FortiGuard Incident Response has documented a new tool in Interlock ransomware's arsenal — a bring-your-own-vulnerable-driver (BYOVD) process killer that abuses a zero-day vulnerability in a gaming anti-cheat kernel driver to terminate EDR and AV processes before ransomware deployment. The activity was observed during an intrusion against a North American

Threats

AI-Assisted Cloud Intrusion Achieves AWS Admin Access in 8 Minutes

Sysdig's Threat Research Team has published a detailed analysis of a cloud intrusion in which a threat actor went from stolen credentials to full AWS administrative access in under 10 minutes — with strong indicators that large language models were used throughout the operation to automate reconnaissance, generate exploitation

Threats

BlueNoroff Weaponizes Microsoft Teams Calls to Steal macOS Credentials in Real-Time

Daylight Security has published findings from a real-world intrusion in which BlueNoroff — the financially motivated subgroup of North Korea's Lazarus Group — used live social engineering over Microsoft Teams to compromise a macOS endpoint, steal Keychain credentials, and stage data for exfiltration. The entire attack was operator-driven in real

Threats

Inside the Lazarus Group's Contagious Interview Machine: 857 Developers Compromised, 241,000 Credentials Stolen

A months-long offensive investigation by Red Asgard's threat research team has produced one of the most detailed public examinations of North Korea's Contagious Interview campaign infrastructure ever published. The findings — spanning four malware families, approximately 20 previously undocumented C2 servers, a novel binary protocol, and unauthenticated

Threats

Chinese APT Lotus Blossom Hijacked Notepad++ Updates for Six Months, Deploying New Chrysalis Backdoor

Chinese state-sponsored threat actors compromised the update infrastructure for Notepad++, the popular open-source text editor with tens of millions of Windows users, and maintained access for nearly six months while selectively targeting victims with malicious updates. The Notepad++ development team confirmed the breach today, stating that attackers intercepted update requests

Threats

ShinyHunters Escalates SaaS Data Theft with Vishing and MFA Manipulation

Mandiant has published a detailed analysis of an escalation in threat activity linked to ShinyHunters-branded extortion operations. The campaigns leverage evolved voice phishing (vishing) techniques and victim-branded credential harvesting pages to compromise single sign-on credentials and enroll unauthorized devices into victim MFA solutions — enabling access to cloud SaaS environments for

Threats

GhostChat Spyware Uses Romance Scams and WhatsApp Hijacking to Target Pakistani Android Users

Security researchers have uncovered a coordinated espionage campaign targeting Android users in Pakistan through a spyware operation that combines romance-themed social engineering, mobile surveillance, and WhatsApp account hijacking. ESET researchers track the Android component as GhostChat, a spyware that masquerades as a dating application while exfiltrating sensitive data and enabling

Threats

ShadowHS: Fileless Linux Framework Executes Entirely from Memory for Long-Term Intrusion Operations

Security researchers have uncovered a sophisticated Linux post-exploitation framework that operates entirely in memory, leaving no persistent artifacts on disk while providing operators with extensive capabilities for long-term intrusion operations. Cyble Research & Intelligence Labs tracks the activity as ShadowHS, reflecting its fileless execution model and lineage from the original

Threats

Iranian APT42 Deploys TAMECAT Backdoor Against Defense and Government Officials

Security researchers have published a detailed technical analysis of TAMECAT, a PowerShell-based backdoor used by Iran's APT42 in espionage campaigns targeting senior defense and government officials. The malware, documented by Pulsedive Threat Research with additional reporting from Israel's National Digital Agency, demonstrates sophisticated anti-detection techniques and