Threat actor campaigns, intrusion sets, and coordinated attack activity.
113 items
Attackers are conducting social engineering campaigns through Microsoft Teams, impersonating IT staff to obtain credentials and access. This represents a significant threat because Teams' position as a trusted internal communication channel makes users more likely to comply with requests.
UNC3753 conducted a financially motivated data theft extortion campaign from January to May 2026 targeting US law firms and financial services using vishing and social engineering to gain remote access. The group's focus on high-value professional services sectors and reliance on human manipulation rather than technical exploits makes this a persistent threat requiring non-technical defences.
The PCPJack threat actor has compromised approximately 230 servers across AWS, Google Cloud, and Azure to establish a covert SMTP relay network for sending spoofed or spam emails. The campaign reflects systemic credential theft and weak access controls across major cloud providers.
ESET researchers have documented direct operational cooperation between Gamaredon and Turla, two FSB-linked threat actors, with Gamaredon facilitating initial access for Turla against Ukrainian targets in 2025. This represents an unusual departure from typical competitive dynamics between state-sponsored groups and suggests coordinated Russian intelligence operations.
Dashlane disclosed a brute-force attack in May 2026 where threat actors bypassed 2FA on fewer than 20 personal subscription accounts and downloaded encrypted vaults. The incident highlights authentication vulnerabilities in password managers and raises questions about 2FA implementation robustness.
Threat actor DriveSurge has compromised thousands of websites to distribute ClickFix and FakeUpdate malware variants. The scale and persistence of this campaign indicates sophisticated compromised-site infrastructure being repurposed for high-volume malware distribution.
Coordinated attacks targeted Polish water treatment facilities, while Google has identified what appears to be the first AI-generated zero-day exploit. These incidents signal a shift toward both critical infrastructure targeting and AI-assisted vulnerability development.
Russian state intelligence is intensifying efforts to acquire restricted Western technology through front companies, procurement intermediaries, and cyber operations to circumvent sanctions and support strategic infrastructure capabilities. This represents a coordinated supply-chain espionage campaign rather than isolated incidents.
GREYVIBE, a previously unknown Russian-speaking threat actor, has been conducting persistent cyberattacks against Ukraine and Ukraine-related entities since August 2025, reportedly incorporating AI-powered capabilities. The campaign aligns with Kremlin state interests and represents a notable escalation in sophistication.
ESET Research has published their quarterly APT activity analysis covering Q4 2025 through Q1 2026, documenting the operational patterns, targets, and tactics of selected advanced persistent threat groups. This comprehensive threat intelligence helps organisations understand the current threat landscape and adversary priorities.
SecurityWeek reports three concurrent security incidents: Trump Mobile customer data exposure, phishing attacks targeting FIFA World Cup 2026 attendees and stakeholders, and a supply chain attack wave that triggered official CISA intervention. Each represents a distinct threat pattern requiring different defensive responses.
Russia-linked threat actor GreyVibe is using generative AI tools like ChatGPT and Gemini to accelerate attack development and execution. This represents an operational shift toward AI-assisted scaling that defenders should anticipate becoming standard practice across sophisticated threat groups.
A Canadian offender received a 33-year sentence for years of child sexual exploitation material (CSEM) production via social media impersonation. The case exemplifies ongoing vulnerabilities in platform moderation and law enforcement's capacity to disrupt predatory networks at scale.
Two coordinated banking trojan campaigns deliver Grandoreiro malware to Windows systems and BTMOB RAT to Android devices across Spain, Portugal, Mexico, and Brazil. The targeting of financial institutions and mobile users suggests organised cybercriminal activity with cross-platform capabilities.
A Romanian national was sentenced to over 4 years after hacking Oregon's Office of Emergency Management systems. The case demonstrates both the vulnerability of state critical infrastructure and the increasing willingness of US authorities to pursue international extradition for cyber offences.
Threat actors are executing a multi-vector cryptojacking campaign targeting high-performance computing systems through SEO poisoning and AI chatbot manipulation to distribute GPU mining malware. This hybrid approach exploits both traditional search ranking tactics and emerging AI recommendation systems to reach victims.
Threat actors are running a coordinated cryptojacking operation that uses SEO poisoning and AI chatbot abuse to distribute malicious sites, then deploys ScreenConnect and Microsoft .NET utilities as initial access and persistence mechanisms to hijack GPU resources on high-performance systems.
MuddyWater, an Iranian state-linked threat actor, has conducted a coordinated espionage campaign in Q1 2026 targeting organisations across industrial manufacturing, education, public sector, finance, and professional services in nine countries using DLL side-loading techniques.
Foreign attackers gained unauthorised access to 600,000 records from Lithuania's Centre of Registers, which manages property and legal entity data. This represents a significant compromise of state administrative infrastructure with potential implications for identity fraud and state surveillance.
Dutch authorities arrested two co-owners of Internet hosting companies and seized approximately 800 servers used by Russian intelligence to stage cyberattacks, influence operations, and disinformation campaigns targeting the EU. The action disrupts a significant portion of Russia's operational infrastructure in Europe.
Google's threat intelligence team identified a dozen mature phishing-as-a-service offerings operating in Chinese-language underground forums, representing a significant shift in the geographic distribution of PhaaS infrastructure and suggesting intensified credential theft campaigns targeting organisations with Asia-Pacific exposure.
Attackers are exploiting a critical SQL injection flaw (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that delivers ClickFix social engineering attacks at scale. This combines server-side code execution with client-side manipulation, significantly amplifying attack reach.
Italian authorities shut down CINEMAGOAL, a piracy application that harvested authentication credentials from Netflix, Disney+, Spotify and other streaming services to provide unauthorised access. The operation represents a significant credential-theft infrastructure targeting consumer accounts at scale.
Threat actors are operating fake FIFA websites mimicking official ticket and merchandise sales platforms to harvest payment card data and personal information from World Cup fans. This represents a high-volume, low-sophistication fraud operation capitalised on major sporting events.
European and North American authorities have shut down First VPN, a criminal VPN service that facilitated ransomware attacks, data theft, and DDoS operations for approximately 25 ransomware groups. The coordinated takedown represents a significant disruption to organised cybercrime infrastructure, though similar services remain operational.
Storm-2949 exploited stolen credentials to orchestrate a cloud-wide breach without deploying malware, relying instead on trusted cloud APIs and identity systems to move laterally and exfiltrate data. This represents a significant shift in attack methodology where defenders' own tools become weapons.
Interpol-coordinated law enforcement operations arrested over 200 individuals operating cybercriminal scam networks across the Middle East and recovered hundreds of compromised devices used in the scheme. This represents a significant disruption to a regional fraud operation, though the technical sophistication and scale suggest similar networks remain active.
INTERPOL's coordinated law enforcement operation across the Middle East and North Africa resulted in the seizure of 53 malware and phishing servers and over 200 arrests. This represents a significant disruption to cybercriminal infrastructure in a region with historically high threat actor density.
Multiple US healthcare organisations have suffered data breaches affecting millions of individuals, with incidents logged across the HHS Office for Civil Rights tracker. This represents a sustained attack pattern against a high-value, regulated sector with significant compliance and operational implications.
ShinyHunters ransomware group claims to have stolen over 600,000 Salesforce records from 7-Eleven, including personal and corporate data, with confirmed breach details now public. This represents a significant compromise of a major retail organisation's customer and operational data.
Grafana Labs confirmed a data breach attributed to Coinbase Cartel, a cybercriminal group with documented links to ShinyHunters, Scattered Spider, and Lapsus$. The incident targets a critical observability platform used across thousands of organisations for infrastructure monitoring.
The Tycoon2FA phishing kit has added device-code authentication flow attacks to its arsenal and now abuses Trustifi click-tracking URLs to mask malicious redirects, enabling credential theft against Microsoft 365 users at scale.
UNC6671 operates BlackFile, an extortion campaign using sophisticated vishing and adversary-in-the-middle techniques to bypass MFA and compromise Microsoft 365 and Okta environments, exfiltrating corporate data for extortion. The attack chain circumvents traditional perimeter defences by targeting human authentication vectors rather than technical infrastructure.
SecurityWeek reports on multiple concurrent security issues including an Nvidia cloud gaming data breach, Canvas LMS compromise by ShinyHunters following FBI warning, Android 17 hardening, and automotive/enterprise vulnerabilities. The clustering suggests defenders face distributed pressure across consumer, educational, and enterprise sectors.
The TeamPCP hacker group is threatening to publicly release proprietary source code from Mistral AI unless a buyer purchases the stolen data. This represents a significant intellectual property theft and potential supply-chain risk for the AI company's customers and partners.
The Nitrogen ransomware group claims to have compromised Foxconn's North American manufacturing facilities and exfiltrated 8TB of data including confidential documents. This represents a significant supply chain risk given Foxconn's role as a critical electronics manufacturer for major tech companies.
A Chinese-affiliated threat actor designated FamousSparrow conducted a multi-wave intrusion against an Azerbaijani oil and gas company between December 2025 and February 2026, exploiting Microsoft Exchange vulnerabilities as an initial access vector. This represents a notable shift in the group's targeting geography and suggests persistent interest in critical infrastructure.
The U.S. House Committee on Homeland Security has demanded testimony from Instructure executives regarding two separate cyberattacks by the ShinyHunters extortion group against Canvas, which exposed student data and disrupted educational institutions during critical exam periods.
Google Threat Intelligence Group reports that adversaries have progressed from experimental AI use to industrial-scale deployment of generative models for vulnerability exploitation, reconnaissance, and initial access. This represents a qualitative shift in threat capability and operational maturity.
German police shut down a relaunched version of the Crimenetwork darknet marketplace and arrested its administrator. The operation demonstrates sustained law enforcement capability against criminal infrastructure despite repeated takedown and relaunch cycles.
A years-long phishing campaign has compromised over 500 organisations across aviation, energy, infrastructure, logistics, public administration, and technology sectors. The extended campaign duration and cross-sector targeting suggest either a sophisticated threat actor or multiple coordinated groups with sustained operational capability.
Attackers are running a malvertising campaign using Google Ads and Claude.ai shared chats to redirect users searching for Claude downloads to malware installers. The campaign exploits search engine placement and trusted service reputation to compromise macOS systems.
SecurityWeek reports on three concurrent threat developments: a train system attacker's arrest, PamDOORa Linux backdoor discovery, and novel mobile malware abusing Windows Phone Link for OTP theft, alongside policy moves on patch cycle acceleration and espionage targeting drone manufacturers.
Threat actors are purchasing Google Ads to rank malicious phishing pages for ManageWP login terms, intercepting administrators searching for legitimate access. This exploits Google's ad system to deliver credential theft at scale against a platform managing thousands of WordPress deployments.
A 15-year-old was detained for allegedly stealing and selling data from France Titres (ANTS), the agency managing national identity and administrative documents. The incident demonstrates how young threat actors with technical capability can compromise high-value government systems and monetise sensitive personal data.
Three Ukrainian criminals were arrested after compromising 610,000 Roblox accounts and selling them for approximately $225,000. The case highlights the persistent market for stolen gaming credentials and the cross-border enforcement challenges in combating organised account theft.
A 19-year-old dual US-Estonian national arrested in Finland faces federal charges for membership in Scattered Spider, a prolific collective known for social engineering and financial fraud targeting critical sectors. The arrest demonstrates law enforcement coordination across jurisdictions but does not significantly disrupt the group's operational capacity.
The FTC reports that Americans lost over $2.1 billion to social media scams in 2025, representing a sustained and accelerating trend since 2020. This reflects a fundamental failure of platforms to implement effective fraud detection and user verification controls, creating an environment where scammers operate with minimal friction.
A Chinese national linked to Silk Typhoon, a state-sponsored APT group conducting cyberespionage for Chinese intelligence, has been extradited from Italy to face US criminal charges. This marks a significant shift in international law enforcement coordination against Chinese cyber operations.
Canadian authorities arrested three individuals operating a fake cellular tower (IMSI catcher) in Toronto to distribute phishing SMS messages at scale. The arrests highlight how accessible cellular interception hardware has become for low-sophistication threat actors targeting local populations.
A China-linked APT group identified as GopherWhisper is conducting targeted campaigns against government entities using multiple Go-based backdoors combined with legitimate service abuse to evade detection. The group's reliance on custom loaders and injectors suggests a maturing operational capability focused on persistence and evasion.
BlackFile, a financially motivated threat actor, has orchestrated a coordinated campaign of data theft and extortion attacks against retail and hospitality organisations since February 2026, combining social engineering with data exfiltration. The group's use of vishing as a primary attack vector suggests a shift toward human-centric compromise rather than technical vulnerability exploitation.
ADT confirmed a data breach following ShinyHunters' public extortion threat to sell stolen customer data. The incident illustrates how established security vendors remain attractive targets for financially motivated threat actors despite their market position.
Microsoft has observed threat actors increasingly abusing external Teams channels to impersonate helpdesk staff, deceive users into credential disclosure, and establish footholds for lateral movement within enterprise networks. The attack exploits Teams' legitimacy and ubiquity to bypass social engineering defences.
Attackers defaced the Seiko USA website and claim to have exfiltrated customer data from its Shopify database, demanding ransom under threat of public disclosure. This represents a continued trend of threat actors targeting e-commerce platforms as high-value sources of customer personally identifiable information.
Gentlemen ransomware operators have integrated SystemBC proxy malware into their attack chain, leveraging a botnet of over 1,570 corporate hosts to obfuscate command-and-control communications and expand operational resilience. This represents a maturation of the gang's infrastructure and signals they are adopting commodity malware to increase attack surface.
Lazarus Group actors conducted a $290 million theft from KelpDAO, a DeFi protocol, likely exploiting smart contract or operational security vulnerabilities. This represents a significant escalation in state-sponsored targeting of decentralised finance infrastructure.
Attackers are exploiting Apple's account change notification system to deliver phishing emails from Apple's own servers, dramatically increasing message authenticity and bypassing traditional spam filters. This technique transforms a security feature into a distribution channel for fraud.
Grinex, a UK and US-sanctioned Kyrgyzstan-based cryptocurrency exchange, suspended operations following a $13.74M theft and attributed the attack to Western intelligence agencies. The claim raises questions about attribution credibility, state cyber capabilities against financial infrastructure, and the resilience of sanctioned platforms.
Phishing remains the primary attack vector for most cybercriminals, and managed service providers are struggling to implement integrated security and recovery strategies proportionate to current threat velocity. MSPs must evolve beyond reactive patching to include workable incident response and business continuity frameworks.
Cybercrime forums now circulate structured guides teaching threat actors how to evaluate carding shops through data quality metrics, seller reputation scoring, and shop longevity assessment. This professionalisation of underground marketplaces reduces friction in stolen payment data transactions and increases the operational security of organised crime networks.
Kyrgyzstan-based cryptocurrency exchange Grinex suffered a $13.7 million breach and suspended operations, publicly blaming Western intelligence agencies without providing technical evidence. The unsubstantiated attribution raises questions about either poor incident response practices or deliberate misdirection.
Law enforcement and private sector security research identified and disrupted 75,000 DDoS botnet operators and took down 53 infrastructure domains in a coordinated operation spanning 21 countries. This represents significant progress against organised DDoS-as-a-service providers but signals the need for sustained pressure on the ecosystem.
Hackers breached Dutch fitness chain Basic-Fit and accessed data for approximately one million members. This represents a significant exposure of personal information in a sector that has historically underinvested in security controls.
Storm-2755, a financially motivated threat actor, is compromising Microsoft employee accounts to redirect salary payments. This represents a shift in targeting from external victims to internal credential compromise for direct financial gain.
Iranian-linked cyber operators have mapped nearly 4,000 internet-exposed Rockwell Automation programmable logic controllers across U.S. critical infrastructure. This reconnaissance indicates preparation for potential disruptive attacks against operational technology networks.
German authorities have publicly identified Daniil Maksimovich Shchukin, a 31-year-old Russian national, as the operator behind the REvil and GandCrab ransomware groups. The disclosure represents a significant attribution success but raises questions about law enforcement coordination and timing given the geopolitical context.
North Korean threat actors conducted a methodical six-month social engineering operation against Drift, a Solana-based decentralised exchange, culminating in a $285 million theft in April 2026. The campaign demonstrates DPRK's shift toward patient, targeted infiltration of high-value cryptocurrency platforms rather than opportunistic attacks.
Threat actors are conducting large-scale automated attacks exploiting CVE-2025-55182 (React2Shell) in vulnerable Next.js applications to harvest credentials at scale. This represents a shift from opportunistic patching cycles to industrialised credential theft targeting the JavaScript framework ecosystem.
Scammers are distributing fake traffic violation notices via SMS with embedded QR codes that direct victims to phishing sites harvesting payment details and personal information. The shift to QR codes likely reflects successful SMS URL filtering deployed by carriers.
Device code phishing attacks exploiting OAuth 2.0's Device Authorization Grant flow have increased 37-fold this year, with automated kits now widely available. Attackers bypass traditional MFA by tricking users into authorising malicious device registrations, gaining account access without credentials.
The Handala group, assessed as Iranian state-affiliated, compromised FBI Director Kash Patel's personal email account and published sensitive materials. This represents a significant counter-intelligence breach targeting the highest levels of US law enforcement.
Attackers are posting fake VS Code security alerts in GitHub project Discussions to trick developers into downloading malware. The campaign exploits trust in legitimate tooling warnings and the open nature of GitHub's collaboration features.
Bearlyfy, a pro-Ukrainian cyber group, has conducted 70+ attacks on Russian companies since January 2025 using a custom Windows ransomware called GenieLocker. The campaign targets Russian business infrastructure as part of broader geopolitical conflict.
Dutch National Police experienced a successful phishing attack leading to a security breach with limited scope and no impact on citizen data. The incident highlights the persistence of credential-harvesting campaigns against high-value targets despite security awareness programmes.
Threat actors are abusing Bubble, a legitimate no-code app builder, to host credential-stealing phishing pages targeting Microsoft accounts whilst evading detection systems. The abuse of trusted platforms reduces security signal effectiveness and complicates credential compromise mitigation.
Threat actors are actively exploiting the PolyShell vulnerability in Magento 2 and Adobe Commerce, with attacks targeting 56% of all vulnerable instances. This represents a widespread, in-the-wild exploitation campaign affecting a substantial portion of the e-commerce attack surface.
Russian state-affiliated threat actors are conducting targeted phishing campaigns against Signal and WhatsApp users to compromise accounts of high-intelligence-value individuals. This represents a shift in targeting strategy prioritizing messaging platform access over traditional malware deployment.
Attackers are weaponizing Microsoft Azure Monitor's alert notification system to send convincing phishing emails impersonating Microsoft Security Team warnings about unauthorized charges. This exploits the trust users place in legitimate Azure infrastructure.
International law enforcement shut down 373,000 dark web sites distributing fake child sexual abuse material (CSAM) packages, disrupting a fraud scheme that victimizes both potential offenders seeking illegal content and defrauds them. This represents a significant takedown of deceptive criminal commerce infrastructure.
Russian state-linked threat actors are executing targeted phishing campaigns against Signal and WhatsApp users, with thousands of accounts already compromised. This represents a sophisticated effort to penetrate secure communications infrastructure used by journalists, activists, and government officials.
Russian intelligence services are conducting widespread phishing campaigns targeting commercial messaging application accounts of U.S. government officials, military personnel, and journalists. Attackers have successfully compromised thousands of individual accounts to access messages and contact lists, demonstrating a shift from targeting application encryption to exploiting user-level account security.
CISA confirmed March 2026 cyberattack against Stryker Corporation exploiting endpoint management system misconfigurations in Microsoft environments. This represents active adversary targeting of legitimate administration tools to achieve organizational compromise.
Stryker suffered a destructive cyberattack that remotely wiped tens of thousands of employee devices through compromised Microsoft cloud credentials, requiring no malware payload and leveraging legitimate administrative access to cloud infrastructure.
Hackers accessed personal information including names, email addresses, and phone numbers from Loblaw, one of Canada's largest retailers. This exposure affects a potentially massive customer base and creates significant identity theft and phishing risks.
Poland's National Centre for Nuclear Research (NCBJ) was targeted by cyberattackers who attempted to compromise its IT infrastructure, but intrusion detection systems successfully identified and blocked the attack before any material impact occurred. This incident underscores persistent adversarial interest in critical infrastructure sectors, particularly those with strategic national importance.
INC ransomware group is conducting sustained attacks against healthcare infrastructure across Australia, New Zealand, and Tonga, disrupting emergency services and government operations. This regional concentration indicates either a deliberate geographic pivot or emerging local infection vectors.
Threat actors execute a sophisticated social engineering campaign impersonating recruiters from crypto and AI companies, delivering backdoors (OtterCookie, FlexibleFerret) through fake coding assessments to steal developer credentials, API tokens, and source code. This represents a high-impact supply chain attack vector targeting a critical workforce demographic.
Google TAG documented APT29 (Russian state-backed group) using identical exploits to commercial surveillance vendors Intellexa and NSO Group, indicating either shared vulnerability intelligence networks, exploit procurement chains, or concerning overlap in offensive capabilities between state and commercial actors.
Israel allegedly exploited Iranian traffic camera systems to conduct surveillance and assist in targeted assassination of Iranian leadership. This demonstrates advanced state-actor capability to weaponize civilian IoT infrastructure for kinetic operations.
Hackers are increasingly leveraging artificial intelligence (AI) to enhance and accelerate cyberattacks, making them more sophisticated, scalable, and harder to detect. This trend poses a significant risk to organizations as AI tools lower the technical barriers for attackers.
Attackers are sending fake LastPass support emails to steal user vault passwords, posing a critical security risk.
UK authorities warn of increased Iranian cyberattack risks targeting British organizations due to Middle East tensions.
A 22-year-old Alabama man has pleaded guilty to hacking, cyberstalking, and extorting hundreds of women by hijacking their social media accounts.
Attackers are using a fake Google Account security page to deliver a Progressive Web App (PWA) that steals credentials, MFA codes, and proxies traffic through victims' browsers. This campaign poses a significant risk due to its ability to bypass multi-factor authentication.
Europol's Project Compass operation has led to the arrest of 30 individuals linked to The Com, a cybercrime group targeting children and teenagers. This coordinated international effort highlights the growing threat of child-targeted online exploitation.
Chinese cyberspies have breached multiple telecom companies and government agencies using SaaS API calls to hide malicious traffic, indicating a sophisticated state-sponsored espionage campaign.
Attackers created malicious GitHub repositories mimicking legitimate Next.js projects and job interview materials to infect developers' devices with backdoors.
Spanish authorities arrested four individuals linked to a hacktivist group suspected of conducting DDoS attacks on government websites, highlighting the growing threat of hacktivism against critical infrastructure.
A ransomware attack forced one of the largest US school districts to cancel classes and revert to offline operations, exposing student and staff personal data and highlighting the continued targeting of education.
A misconfigured identity management update at a major cloud provider caused a cascading multi-region outage lasting over 12 hours, affecting thousands of businesses and highlighting cloud concentration risk.
US intelligence agencies revealed that the Chinese state-sponsored Salt Typhoon campaign has expanded beyond the initially reported telecom carriers, with evidence of persistent access in additional US and allied nation telecommunications networks.
A ransomware attack forced a major US hospital network to divert ambulances and revert to paper records across multiple facilities, the largest healthcare disruption since the Change Healthcare incident.
US intelligence agencies released a joint advisory warning that Chinese state-sponsored group Volt Typhoon has expanded pre-positioning operations to water treatment facilities, maintaining persistent access for potential disruptive attacks.
A major US health insurance provider confirmed a data breach affecting approximately 15 million current and former members, with stolen data including Social Security numbers, medical records, and financial information.
Coinbase revealed that threat actors bribed overseas customer support contractors to exfiltrate personal data of roughly 1% of monthly transacting users, then demanded a $20 million ransom.
The imageboard 4chan was breached and taken offline after attackers exploited an outdated PHP installation, leaking source code, moderator information, and internal tools.
Threat actors maintained persistent read-only access to Fortinet FortiGate devices through symlinks in the SSL-VPN language files, surviving firmware updates and patches applied by defenders.
French telecommunications giant Orange confirmed a data breach after a threat actor leaked thousands of internal documents, source code, and customer records from the company's Romanian branch.
Cryptocurrency exchange Bybit lost approximately $1.5 billion in Ethereum from a cold wallet, in what is believed to be the largest cryptocurrency theft in history, attributed to North Korean state-sponsored hackers.
A Mirai botnet variant is actively scanning for and compromising Juniper SSR routers that still use factory-default credentials, incorporating them into DDoS infrastructure.
Education technology giant PowerSchool suffered a major data breach exposing personal information of students and staff across numerous K-12 school districts in North America.
Chinese state-backed hackers breached the Office of Foreign Assets Control (OFAC), potentially gaining access to sensitive sanctions-related data.