Hackers are increasingly abusing Anthropic’s Claude and OpenAI’s Codex agents to automate reconnaissance, exploitation, and data exfiltration, often by disguising real intrusions as “authorized red team” work. These AI coding assistants are being treated like full-fledged operators, dramatically lowering the…
Tag: Cyber Security News
UNC3753 Uses Screen-Sharing Sessions and RMM Tools to Exfiltrate Sensitive Legal Data
A sophisticated cybercriminal group has been quietly targeting law firms and professional services organizations across the United States since the beginning of 2026. The campaign is financially motivated and relies heavily on deception rather than technical exploits. Victims are manipulated…
Ghostwriter Hackers Abuse Gmail Admin-Themed Emails to Steal Credentials and 2FA Codes
A state-linked hacker group known as Ghostwriter has launched a wave of targeted phishing attacks aimed at Gmail users, disguising malicious emails as official security alerts from Google. The campaign is designed to trick recipients into handing over their login…
ClickFix Campaign Uses EtherHiding and GULoader to Infect Windows Users via Fake CAPTCHA
A new cyberattack campaign is targeting Windows users through fake CAPTCHA pages, combining three techniques to slip past standard security defenses without raising alarms. The campaign, first observed in April 2026, begins on a compromised European small-business website and ends…
New OnionDrop Loader Campaign Uses gainmsg C2 to Deliver LegionLoader Payloads
A newly identified loader campaign is raising serious concerns across the cybersecurity community. Threat researchers have uncovered an active operation using a sophisticated multi-stage loader called OnionDrop, which is being used to deliver harmful payloads, including the well-known LegionLoader, to…
Critical Fortinet FortiSandbox Vulnerabilities Actively Exploited in Attacks
Threat actors are actively exploiting multiple critical vulnerabilities in Fortinet’s FortiSandbox platform, with live attack telemetry confirming exploitation attempts over the past 24 hours. Defused has flagged three CVEs under active targeting — including one, CVE-2026-39813, with no previously recorded…
The Half-Life of Threat Intelligence: When Does an IOC Stop Being Useful?
The concept of the IOC — the Indicator of Compromise — sits at the operational heart of modern threat detection. Block the IP. Flag the domain. Quarantine the hash. The logic is clean and satisfying. But embedded in every IOC…
Microsoft 365 Device Code Phishing Campaign Bypasses Password Theft With Legitimate Login Flow
A new phishing campaign targeting Microsoft 365 users has been uncovered, and it takes a different approach than most attacks seen in the wild. Instead of trying to steal a victim’s password directly, this campaign tricks users into completing a…
India Temporarily Bans Telegram Messenger Over Medical Exam Fraud
India’s Ministry of Electronics and Information Technology (MeitY) has imposed a temporary ban on the Telegram messaging platform, restricting access nationwide until June 22, 2026. This decision is part of a comprehensive effort to combat organized cheating schemes that are…
Novo Nordisk Confirms Cyber Attack — Hackers Accessed Patient Medical Data and Internal AI Assets
Danish pharmaceutical giant Novo Nordisk has confirmed a cyberattack in which threat actors gained unauthorized access to internal IT systems, exfiltrating pseudonymized patient data from clinical trials and, according to the alleged attackers, a trove of proprietary AI model assets.…
Interlock and Rhysida Ransomware Operations Share Supper Backdoor and Malware Codebase
Two of the more active ransomware groups operating today, Interlock and Rhysida, have more in common than previously thought. New research shows both groups share a backdoor called Supper, and that several of their malware tools appear to have grown…
Microsoft Teams Analyze the Wi-Fi Hotspot Data Connected to an Employee’s Device
Microsoft has introduced a new capability in its Microsoft 365 ecosystem that enables Microsoft Teams to analyze Wi-Fi hotspot data on an employee’s device, raising both security benefits and privacy considerations. The feature, highlighted on the Microsoft 365 roadmap, aims…
Russian and Chinese Influence Actors Use AI to Evade Bot Detection and Mimic Human Behavior
State-linked influence operations from Russia and China have entered a new and more dangerous phase. Rather than overwhelming social media with floods of low-quality posts, these actors now use artificial intelligence to make their accounts look and act more like…
Infinite Campus Data Breach Exposes 137,000 Users Personal Details
Infinite Campus, a widely used student information system in U.S. K-12 schools, has disclosed a data breach affecting approximately 137,000 individuals. The incident has been linked to the ShinyHunters cybercriminal group, known for carrying out large-scale data theft and extortion…
PRC-Nexus Hackers Exploit REDCap Servers to Spy on US Medical Research Institutions
Google’s Threat Intelligence Group (GTIG) uncovered a long-running Chinese cyber-espionage campaign targeting North American medical, academic, and military research institutions that remained undetected for over a year. GTIG has attributed the campaign with high confidence to UNC6508, a People’s Republic of…
Ransomware Ecosystem Consolidates Around LockBit Alumni, Qilin, Hyflock, and The Gentlemen
The global ransomware landscape shifted noticeably in the first quarter of 2026, as former operators from well-known criminal groups began launching their own competing programs. Data leak sites tracked 2,122 new victims during Q1 2026, making it the second-highest first-quarter…
OptinMonster Plugin Hack Exposes 1.2 Million WordPress Sites to Cyberattack
A large-scale supply chain attack targeting widely used WordPress plugins has exposed more than 1.2 million websites to potential compromise after attackers injected malicious code into legitimate JavaScript files distributed through trusted CDN infrastructure. Security researchers at Sansec discovered an…
Cisco SD-WAN vManage Vulnerability Exploited in Zero-Day Attacks
Cisco has disclosed a critical security issue in its Catalyst SD-WAN Manager (formerly vManage) that is now being actively exploited in zero-day attacks, raising concerns for enterprise network environments worldwide. The vulnerability, tracked as CVE-2026-20262, is an arbitrary-file-write flaw in…
LiteSpeed cPanel Plugin 0-Day Vulnerability Actively Exploited in the Wild
A critical zero-day vulnerability in the LiteSpeed cPanel user-end plugin is being actively exploited in the wild, posing a serious threat to shared hosting environments worldwide. The flaw, tracked as CVE-2026-54420, enables privilege escalation to root level, allowing attackers to…
Hackers Abuse Legitimate RMM Tools in The Quarry IRS and SSA Phishing Campaigns
A wave of phishing campaigns targeting American taxpayers has been traced back to a single, highly organized cybercrime operation known as The Quarry. What appeared to be dozens of unrelated incidents impersonating the IRS, Social Security Administration, and platforms like…