Threats

Threats

North Korean UNC1069 Deploys AI-Generated Deepfakes and Seven Malware Families to Target Crypto Sector

Google Mandiant has detailed a sophisticated North Korean intrusion campaign in which the threat group UNC1069 used AI-generated deepfake video calls, compromised Telegram accounts, and ClickFix social engineering to deploy seven unique malware families against cryptocurrency sector targets. UNC1069 — also tracked as CryptoCore and MASAN — has been active since at

Threats

LummaStealer Rebounds With CastleLoader Campaigns as ClickFix Infections Surge Globally

LummaStealer — the prolific infostealer-as-a-service operation that law enforcement disrupted in May 2025 — has staged a significant comeback, with Bitdefender researchers documenting a major surge in infections between December 2025 and January 2026. The resurgence is powered by CastleLoader, a modular malware loader that uses ClickFix social engineering to trick users

Threats

Kimwolf IoT Botnet Disrupts I2P Anonymity Network in Massive Sybil Attack

The massive IoT botnet known as Kimwolf has spent the past week disrupting the Invisible Internet Project (I2P), a decentralized anonymity network, after its operators attempted to join approximately 700,000 infected devices as nodes on the network. The incident represents one of the largest Sybil attacks ever observed against

Threats

Chinese APT UNC3886 Targeted All Four Singapore Telecoms in Espionage Campaign

Singapore's Cyber Security Agency (CSA) has disclosed that the China-linked cyber espionage group UNC3886 conducted a deliberate campaign against the country's entire telecommunications sector, targeting all four major operators — M1, SIMBA Telecom, Singtel, and StarHub. The disclosure follows comments made over six months ago by Singapore&

Threats

Rublevka Team: Russian Crypto Drainer Operation Steals $10 Million Through Affiliate Network

Recorded Future's Insikt Group has published a comprehensive analysis of Rublevka Team, a Russian cybercriminal operation that has generated over $10 million in cryptocurrency theft since 2023 through an affiliate-driven wallet draining ecosystem. Unlike traditional crypto-stealing operations that rely on infostealer malware, Rublevka Team deploys custom JavaScript drainer

Threats

Threat Actors Exploit 15-Year-Old EnCase Driver to Kill EDR Processes in Ransomware Precursor Attack

Huntress has published details of a February 2026 intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to access a victim network, then deployed a custom EDR killer that abuses a legitimate Guidance Software (EnCase) forensic driver to terminate security processes from kernel mode. The attack was disrupted before ransomware

Threats

Unit 42 Exposes TGR-STA-1030: State-Aligned Espionage Group Compromised 37 Countries in One Year

Palo Alto Networks' Unit 42 has published a major investigation into a newly identified cyberespionage group it tracks as TGR-STA-1030, also known as UNC6619. The group — assessed with high confidence to be state-aligned and operating out of Asia — has compromised at least 70 organizations across 37 countries over the

Threats

LockBit 5.0 Deploys Cross-Platform Ransomware Targeting Windows, Linux, and ESXi Simultaneously

LockBit 5.0 has introduced cross-platform ransomware payloads capable of hitting Windows, Linux, and VMware ESXi environments in a single campaign, according to analysis of 19 samples published by LevelBlue. The release marks a significant technical evolution for the RaaS operation, with specialized routines designed to maximize damage across enterprise

Threats

ShadowSyndicate Linked to 20+ C2 Servers After SSH Fingerprint Rotation Technique Exposed

ShadowSyndicate, a cybercrime cluster first identified in 2023, has been caught using a server transition technique designed to obscure operational continuity across its infrastructure — but OPSEC failures have given researchers visibility into the group's C2 network. Group-IB confirmed two additional SSH fingerprints linked to ShadowSyndicate operations in February

Threats

Interlock Ransomware Deploys Zero-Day Anti-Cheat Driver Exploit to Kill EDR Processes

FortiGuard Incident Response has documented a new tool in Interlock ransomware's arsenal — a bring-your-own-vulnerable-driver (BYOVD) process killer that abuses a zero-day vulnerability in a gaming anti-cheat kernel driver to terminate EDR and AV processes before ransomware deployment. The activity was observed during an intrusion against a North American

Threats

AI-Assisted Cloud Intrusion Achieves AWS Admin Access in 8 Minutes

Sysdig's Threat Research Team has published a detailed analysis of a cloud intrusion in which a threat actor went from stolen credentials to full AWS administrative access in under 10 minutes — with strong indicators that large language models were used throughout the operation to automate reconnaissance, generate exploitation

Threats

BlueNoroff Weaponizes Microsoft Teams Calls to Steal macOS Credentials in Real-Time

Daylight Security has published findings from a real-world intrusion in which BlueNoroff — the financially motivated subgroup of North Korea's Lazarus Group — used live social engineering over Microsoft Teams to compromise a macOS endpoint, steal Keychain credentials, and stage data for exfiltration. The entire attack was operator-driven in real