A fully featured phishing-as-a-service (PhaaS) panel named “ARToken” that closely mirrors the EvilTokens infrastructure first profiled in early 2026, but with a broader and deeper post-compromise toolkit. ARToken’s React single-page application exposes more than 80 API endpoints enabling device-code phishing,…
Tag: GBHackers Security | #1 Globally Trusted Cyber Security News Platform
JetBrains Patches Critical Hub Authentication Bypass and Account Takeover Vulnerabilities
JetBrains has released patches for several critical vulnerabilities in JetBrains Hub that could allow for full authentication bypass, account takeover, and unauthorized privilege escalation across integrated JetBrains services. Administrators are urged to update their Hub instances immediately. Critical Hub Vulnerabilities…
Hackers Use Geofenced Webpages to Deliver Ousaban Banking Trojan in Spain and Portugal
A targeted phishing campaign delivering the Ousaban banking Trojan to users in Spain and Portugal, notable for its use of geofenced webpages, layered evasion techniques, and a modular delivery chain. The threat actor repurposes a playbook seen previously in Brazil…
ValleyRAT Uses RC4 Encryption, Donut Shellcode, and rundll32 Injection for Stealth
A recent surge in ValleyRAT activity that combines RC4-encrypted payloads, Donut-generated shellcode, and in-memory execution via suspended rundll32 processes to evade detection. First named by Proofpoint in 2023, ValleyRAT continues to evolve: LevelBlue’s telemetry shows a marked increase in successful…
Apple Hide My Email Vulnerability Lets Attackers Reveal Users’ Real Email Addresses
Apple’s Hide My Email privacy feature currently faces a significant flaw that may expose users’ real email addresses, compromising one of iCloud+’s core anonymity protections. According to 404 Media and independent tests, this issue has reportedly remained unaddressed for over…
JADEPUFFER Agentic Ransomware Uses LLM to Automate Database Extortion
The first instance of agentic ransomware: JADEPUFFER, an LLM-driven extortion operation that automated an end-to-end database-crippling campaign. The actor gained execution on an internet-facing Langflow instance via CVE-2025-3248, used the AI-host environment to harvest cloud and API credentials, and pivoted…
ChocoPoC Campaign Abuses GitHub PoC Repositories to Steal Browser Credentials
A coordinated supply-chain campaign has been weaponizing GitHub proof-of-concept (PoC) repositories to compromise vulnerability researchers and penetration testers, delivering a stealthy Python Remote Access Trojan (RAT) dubbed “ChocoPoC.” The lure is simple and effective: newly disclosed high-severity CVEs create urgency…
LSHIY Password Spray Attack Hits Microsoft 365 Accounts With 81 Million Login Attempts
A large-scale password spray campaign linked to the infrastructure provider LSHIY LLC has targeted Microsoft 365 environments, resulting in over 81 million login attempts. This campaign has led to at least 78 confirmed account compromises across 64 organizations between June…
Attackers Downgrade WDigest Protection to Dump Plaintext Credentials With Mimikatz
An incident that began with innocuous enumeration commands but quickly escalated into a focused, multi-stage effort to impair detection and extract credentials. The intruder uploaded a steganographic webshell to an IIS server, used the process w3wp.exe to run OS reconnaissance…
Critical Cursor IDE Flaws Let Attackers Execute Code via Zero-Click Prompt Injection
Two significant remote code execution (RCE) vulnerabilities in the widely used Cursor IDE expose developers to zero-click attacks driven by prompt injection. These vulnerabilities, tracked as CVE-2026-50548 and CVE-2026-50549, collectively known as “DuneSlide,” carry a CVSS score of 9.8. They…
Browser-Only Ransomware Uses File System Access API to Encrypt Files Without Malware Installation
A novel, practical ransomware technique that runs entirely inside the browser by abusing the File System Access API, demonstrating how AI can turn high-level malicious ideas into operational attack chains without any native payload. The proof-of-concept leverages a social engineering…
Scattered Spider Hacker Arrested in Finland and Extradited to U.S. Over Cyber Intrusion Charges
U.S. authorities have announced federal charges against an alleged member of the notorious cybercriminal group Scattered Spider, following his arrest in Finland and extradition to the United States. The defendant, identified as 19-year-old Peter Stokes, a dual national of the…
FortiBleed Campaign Linked to INC and Lynx Ransomware Operations
A direct operational link between the large-scale FortiBleed credential-harvesting campaign and two active ransomware-as-a-service (RaaS) groups: INC Ransom and Lynx. This finding provides the first confirmed evidence that mass theft of FortiGate credentials is being integrated into ransomware deployment processes,…
Malicious Google Notes Extension Swaps Crypto Wallet Addresses During Transactions
A technically sophisticated campaign delivering a malicious Chromium extension that silently swaps cryptocurrency wallet addresses during transactions. Delivered via unsigned installers observed in both .NET and Golang variants, the payload masquerades as a minimalist “Google Notes” browser extension. Once deployed,…
ToddyCat Uses Shadow Token via Remote Debug to Compromise Gmail Accounts
ToddyCat, an advanced persistent threat group long associated with targeted espionage against corporate environments, has evolved its toolkit to exploit OAuth-based authorization flows and compromise Gmail accounts without directly stealing credentials. Umbrij is deployed on Windows hosts using DLL sideloading:…
MacSync Stealer Hijacks macOS via Fake Claude Code Google Ads – Full Attack Chain Exposed
MacSync Stealer is a newly discovered macOS infostealer actively distributed through a sophisticated malvertising campaign on Google Ads that impersonates Anthropic’s Claude Code CLI. Security researchers from Beezlebub have uncovered the complete attack chain, revealing a multi-stage infection process that…
CISA Adds Actively Exploited SimpleHelp Vulnerability to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical vulnerability in SimpleHelp, tracked as CVE-2026-48558, and added it to its Known Exploited Vulnerabilities (KEV) catalog. This indicates that the vulnerability is actively being exploited in the wild,…
FCC Bans Chinese-Produced Network Equipment Linked to Cyber and Espionage Risks
The U.S. Federal Communications Commission (FCC) has implemented comprehensive new restrictions banning the import and marketing of Chinese-produced telecommunications and surveillance equipment identified as posing significant cybersecurity and espionage risks. Announced on June 26, 2026, this updated regulation addresses a…
The Gentlemen Ransomware Targets Large Corporations and Critical Infrastructure Worldwide
The Gentlemen ransomware group has emerged in 2026 as a highly adaptive and technically sophisticated ransomware-as-a-service (RaaS) operation targeting large corporations and critical infrastructure across multiple regions. Public reporting places The Gentlemen among the top 10 ransomware actors by victim…
RedLine Infostealer Thread Reveals Hidden Maritime Phishing and BEC Infrastructure
A routine threat-feed alert for a RedLine Stealer command-and-control (C2) IP morphed into a full-scale pivot investigation that exposed a tailored maritime spear-phishing and business email compromise (BEC) ecosystem. The starting signal, a UniqueSignal entry from VMRay, identified 194[.]156.79.122:55615 as…