Intelligence · Updated daily
AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.
Romance scam victims face fragmented support systems with limited coordination between law enforcement, financial institutions, and government agencies, leaving victims isolated and vulnerable to repeated exploitation. This policy gap demands institutional reform to create unified victim assistance pathways.
Itron, a major provider of software and hardware to electric, gas, and water utilities globally, disclosed unauthorised access to internal IT systems via SEC filing. The breach is significant because compromised systems at critical infrastructure software vendors can enable downstream attacks on utility networks serving millions.
A China-linked APT group identified as GopherWhisper is conducting targeted campaigns against government entities using multiple Go-based backdoors combined with legitimate service abuse to evade detection. The group's reliance on custom loaders and injectors suggests a maturing operational capability focused on persistence and evasion.
Researchers discovered a Lua-based malware framework dating to 2005 that targeted engineering software for cyber sabotage, predating Stuxnet by several years and suggesting a deeper operational history of state-sponsored infrastructure attacks.
Threat actor UNC6692 is using Microsoft Teams to socially engineer targets into executing a custom malware suite called Snow, which comprises a browser extension, tunneler, and backdoor. This represents a shift toward trusted communication platforms as malware delivery vectors, complicating detection and increasing organisational risk.
Microsoft is restructuring the Windows Insider Program to better address performance and reliability problems in Windows 11. This indicates widespread quality concerns that Microsoft believes require organisational and process changes to resolve.
go-zserio trusts size fields during deserialization without validation, allowing attackers to trigger excessive memory allocation (DoS). This PoC demonstrates a fundamental input validation flaw affecting all platforms.
Gemini CLI automatically trusted workspace folders in headless/CI mode without validation, allowing malicious `.gemini/` configuration files to execute arbitrary code via environment variable injection. The `--yolo` flag further bypassed tool allowlisting controls.
electerm's install.js contains a command injection flaw where attacker-controlled version strings are directly concatenated into shell commands without sanitization. Defenders must identify vulnerable installations and verify patching, as remote version metadata compromise could lead to arbitrary code execution during package installation.
Microsoft is rolling out native passkey support for Entra-protected resources on Windows devices in late April, enabling phishing-resistant passwordless authentication. This represents a significant step in reducing reliance on password-based authentication across enterprise environments.
BlackFile, a financially motivated threat actor, has orchestrated a coordinated campaign of data theft and extortion attacks against retail and hospitality organisations since February 2026, combining social engineering with data exfiltration. The group's use of vishing as a primary attack vector suggests a shift toward human-centric compromise rather than technical vulnerability exploitation.
Microsoft is expanding user controls in Windows Update to allow deferral and scheduling of restarts, reducing operational disruption. While operationally beneficial, this formalises rather than fundamentally changes the forced-restart model that remains a security and stability concern.
Custom malware called Firestarter persists on Cisco Firepower and ASA devices even after security patches and firmware updates, indicating attackers have achieved privileged compromise that survives standard remediation procedures.
ADT confirmed a data breach following ShinyHunters' public extortion threat to sell stolen customer data. The incident illustrates how established security vendors remain attractive targets for financially motivated threat actors despite their market position.
Authenticated users with script execution permissions can bypass API access controls by directly connecting to internal services (Redis, S3) via shared Docker network, escalating privileges to administrative level. This PoC demonstrates the exploitation chain requires minimal effort once script execution is granted.
Dutch cosmetics retailer Rituals suffered a data breach affecting its 'My Rituals' membership database, with attackers extracting customer names and addresses. The incident highlights ongoing targeting of loyalty programme databases by threat actors seeking PII for fraud and resale.
Attackers compromised Docker images, VSCode extensions, and Open VSX packages for the Checkmarx KICS static analysis tool to steal credentials and sensitive data from developer environments. The compromise affects any developer using these distribution channels.
Trigona ransomware operators have developed a custom command-line exfiltration utility to speed up data theft from compromised networks. This represents a shift toward operationalised tooling that reduces dwell time and increases the volume of data stolen per attack.
Attackers uploaded a malicious @bitwarden/cli package to npm that stole developer credentials and could propagate to downstream projects. The compromise was discovered and remediated rapidly, but represents a successful attack on a trusted security tool distribution channel.
A file upload vulnerability in the widely-installed Breeze Cache WordPress plugin allows attackers to upload arbitrary files without authentication, enabling remote code execution on affected servers. Active exploitation is underway.
Microsoft has observed threat actors increasingly abusing external Teams channels to impersonate helpdesk staff, deceive users into credential disclosure, and establish footholds for lateral movement within enterprise networks. The attack exploits Teams' legitimacy and ubiquity to bypass social engineering defences.
Attackers defaced the Seiko USA website and claim to have exfiltrated customer data from its Shopify database, demanding ransom under threat of public disclosure. This represents a continued trend of threat actors targeting e-commerce platforms as high-value sources of customer personally identifiable information.
Gentlemen ransomware operators have integrated SystemBC proxy malware into their attack chain, leveraging a botnet of over 1,570 corporate hosts to obfuscate command-and-control communications and expand operational resilience. This represents a maturation of the gang's infrastructure and signals they are adopting commodity malware to increase attack surface.
26 fraudulent cryptocurrency wallet apps mimicking Metamask, Coinbase, Trust Wallet, and OneKey were distributed through Apple's App Store in China, designed to harvest seed phrases and drain user funds. This represents a significant supply chain compromise of a trusted platform targeting high-value assets.
Lazarus Group actors conducted a $290 million theft from KelpDAO, a DeFi protocol, likely exploiting smart contract or operational security vulnerabilities. This represents a significant escalation in state-sponsored targeting of decentralised finance infrastructure.