Threats

Malware, attack campaigns, APT groups

Inside the Lazarus Group's Contagious Interview Machine: 857 Developers Compromised, 241,000 Credentials Stolen

A months-long offensive investigation by Red Asgard's threat research team has produced one of the most detailed public examinations of North Korea's Contagious Interview campaign infrastructure ever published. The findings — spanning four malware families, approximately 20 previously undocumented C2 servers, a novel binary protocol, and unauthenticated

By Zero Day Wire
Chinese APT Lotus Blossom Hijacked Notepad++ Updates for Six Months, Deploying New Chrysalis Backdoor

Chinese state-sponsored threat actors compromised the update infrastructure for Notepad++, the popular open-source text editor with tens of millions of Windows users, and maintained access for nearly six months while selectively targeting victims with malicious updates. The Notepad++ development team confirmed the breach today, stating that attackers intercepted update requests

By Zero Day Wire
ShinyHunters Escalates SaaS Data Theft with Vishing and MFA Manipulation

Mandiant has published a detailed analysis of an escalation in threat activity linked to ShinyHunters-branded extortion operations. The campaigns leverage evolved voice phishing (vishing) techniques and victim-branded credential harvesting pages to compromise single sign-on credentials and enroll unauthorized devices into victim MFA solutions — enabling access to cloud SaaS environments for

By Zero Day Wire
GhostChat Spyware Uses Romance Scams and WhatsApp Hijacking to Target Pakistani Android Users

Security researchers have uncovered a coordinated espionage campaign targeting Android users in Pakistan through a spyware operation that combines romance-themed social engineering, mobile surveillance, and WhatsApp account hijacking. ESET researchers track the Android component as GhostChat, a spyware that masquerades as a dating application while exfiltrating sensitive data and enabling

By Zero Day Wire
ShadowHS: Fileless Linux Framework Executes Entirely from Memory for Long-Term Intrusion Operations

Security researchers have uncovered a sophisticated Linux post-exploitation framework that operates entirely in memory, leaving no persistent artifacts on disk while providing operators with extensive capabilities for long-term intrusion operations. Cyble Research & Intelligence Labs tracks the activity as ShadowHS, reflecting its fileless execution model and lineage from the original

By Zero Day Wire
Operation Bizarre Bazaar: First LLMjacking Marketplace Monetizes Stolen AI Infrastructure Access

Security researchers have documented the first fully attributed criminal operation dedicated to hijacking and reselling unauthorized access to AI infrastructure at scale. Dubbed Operation Bizarre Bazaar, the campaign represents a complete LLMjacking supply chain—from initial reconnaissance to commercial marketplace monetization—operated by a threat actor known as "Hecker&

By Zero Day Wire
North Korea's LABYRINTH CHOLLIMA Splinters into Three Specialized Cyber Units

CrowdStrike Intelligence has reclassified LABYRINTH CHOLLIMA, the North Korean threat group behind the 2017 WannaCry ransomware attack, into three distinct operational units with specialized missions, malware, and targeting patterns. The new attribution framework recognizes GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a narrower core LABYRINTH CHOLLIMA group as separate adversaries that emerged

By Zero Day Wire
Initial Access Broker TA584 Deploys High-Speed Phishing Campaigns with ClickFix Social Engineering and New Tsundere Bot Backdoor

The financially motivated threat actor TA584 has significantly escalated its initial access operations, adopting a high-speed attack model built around short-lived campaigns, rapid infrastructure changes, and aggressive social engineering techniques, according to research published by Proofpoint. The evolution reflects a broader shift in modern cybercrime where speed and adaptability now

By Zero Day Wire
Threat Actors Exploit React2Shell Vulnerability to Deploy Cryptocurrency Miners and Botnets Worldwide

Threat actors are actively exploiting a critical remote code execution vulnerability in React Server Components to compromise systems across multiple industries worldwide, deploying cryptocurrency miners, botnets, and remote access tools, according to research from BI.ZONE Threat Detection and Response. The vulnerability, tracked as CVE-2025-55182 and commonly referred to as

By Zero Day Wire