Malware, attack campaigns, APT groups
Threats
A ransomware-as-a-service operation called Anubis is challenging a core assumption of ransomware response: that paying the ransom guarantees data recovery. The group has introduced an optional wiper mode that permanently destroys files, making decryption impossible regardless of payment. First observed in late 2024, Anubis emerged on Russian-language cybercrime forums including
Threats
Security researchers have uncovered sophisticated phishing toolkits purpose-built for voice-based social engineering attacks that synchronize fake login pages with live phone conversations to defeat multifactor authentication in real time. The toolkits, sold as-a-service to criminals, target major identity providers including Google, Microsoft, Okta, and various cryptocurrency platforms. Unlike traditional phishing
Threats
A sophisticated Windows backdoor dubbed PDFSider has been identified in targeted attacks against enterprise environments, including a Fortune 100 financial services company. The malware demonstrates APT-grade tradecraft while being deployed in ransomware operations, blending advanced evasion techniques with financially motivated attacks. DLL Side-Loading via PDF24 Creator PDFSider is delivered through
Threats
Summary Attackers compromised the official download page of EmEditor, a popular text and code editor, to distribute a trojanized installer containing multi-stage malware. The attack targeted the software's primarily Japanese developer user base during the late December 2025 holiday period when security monitoring typically weakens. The malware performs
Threats
A sophisticated evolution of the ClearFake malware campaign is abusing a legitimate Windows component to execute malicious PowerShell commands while evading endpoint detection systems. The campaign, which has compromised hundreds of websites since August 2025, now leverages a command injection vulnerability in a trusted Microsoft-signed script to silently run malicious
Threats
A previously undocumented ransomware family dubbed Osiris has emerged in attacks targeting enterprise environments, with technical evidence suggesting the operators may have ties to the Inc ransomware group. Symantec's Threat Hunter Team identified the new strain during an investigation into an attack against a major food service franchisee
Threats
North Korean-linked threat actor KONNI is deploying an AI-generated PowerShell backdoor in an ongoing phishing campaign targeting software developers and engineering teams with access to blockchain infrastructure. The campaign, documented by Check Point Research, marks a notable evolution in both the group's targeting and tooling. Expanding Beyond Traditional
Threats
While much of the security industry's attention has been fixed on North Korea's sprawling IT worker infiltration schemes, Pyongyang's traditional cyber espionage units have been far from idle. New research from WithSecure reveals that Andariel—a state-sponsored group linked to the RGB's
Threats
CISA, the NSA, and the Canadian Centre for Cyber Security have issued a joint malware analysis report warning that Chinese state-sponsored actors are using BRICKSTORM, a sophisticated backdoor designed for long-term persistence in VMware vSphere and Windows environments. The advisory, first published in December 2025 and updated with additional samples,
Threats
Microsoft is introducing the External Domains Anomalies Report for Teams, a security feature designed to help administrators identify suspicious external communications before they escalate into breaches. The tool, scheduled for global rollout in February 2026, addresses a critical gap as threat actors increasingly exploit Teams for social engineering campaigns. How
Threats
Iranian state-sponsored hacking groups have significantly escalated their operations against U.S. and Israeli targets over the past year, shifting from opportunistic cyber espionage to sustained campaigns aimed at critical infrastructure, cloud environments, and supply chains. The shift reflects what security researchers describe as the full militarization of Iran'
Threats
North Korea's Lazarus Group is targeting software developers through fake job recruiters on LinkedIn, Fiverr, and UpWork, delivering a three-stage malware attack via a malicious npm package. Security researchers at OpenSourceMalware uncovered the campaign, which uses the package tailwindcss-forms-kit - disguised as a legitimate Tailwind CSS utility -