Cyber Security Week in Review: March 27, 2026

The US cybersecurity agency CISA warns that hackers are already exploiting a high-risk vulnerability (CVE-2026-33017) in the Langflow AI framework. Cybersecurity firm Sysdig says that attacks began just 20 hours after the issue was publicly disclosed. Researchers believe hackers created their own exploits using details from the advisory.

Citrix has released security updates to fix two vulnerabilities affecting its NetScaler ADC and NetScaler Gateway products, including a critical flaw that could allow attackers to access sensitive data.

TP-Link has fixed multiple security vulnerabilities in its Archer NX router series, including three command injection issues, a stack-based buffer overflow bug and an improper authentication vulnerability that could allow a remote attacker to perform privileged HTTP actions without authentication, including firmware upload and configuration operations.

The popular LiteLLM package on PyPI has been compromised in a TeamPCP-linked supply-chain attack, potentially exposing data from hundreds of thousands of devices. The malicious versions 1.82.7 and 1.82.8 were uploaded with embedded infostealer code. The attack is the latest in a series of incidents linked to TeamPCP, including the breach of the Trivy vulnerability scanner, a campaign targeting Kubernetes clusters with Iran-focused malware, and the compromise of Checkmarx GitHub Actions.

A Russia-aligned advanced persistent threat group known as Pawn Storm (also tracked as APT28 and Fancy Bear) is using a new malware framework called ‘Prismex’ to target the defense supply chain of Ukraine and its allies, including Poland, Romania, the Czech Republic, Slovakia, Slovenia, and Turkey. Prismex is a set of connected malware components designed to stay hidden and avoid detection. It includes a dropper (PrismexDrop), a loader that uses steganography (PrismexLoader), and a final implant (PrismexStager) built on the Covenant framework.

In a separate incident, APT28 reportedly compromised Serbian state institutions, including email accounts of Serbia’s Ministry of Defense, as well as accounts from the Military Academy and the Military Medical Academy.

The US Federal Bureau of Investigation has warned that threat actors linked to Russian intelligence are actively targeting users of encrypted messaging platforms, including Signal and WhatsApp, in large-scale phishing campaigns attempting to trick users into sharing verification codes or scanning malicious QR codes.

A China-linked hacking group known as Red Menshen has compromised telecom networks to spy on governments. The group has targeted providers in the Middle East and Asia since 2021. The threat actor uses backdoors and malware such as BPFDoor to maintain long-term access and gather sensitive information without being detected. BPFDoor is a Linux backdoor that does not listen on a port or use a visible command-and-control channel. Instead, it uses a Berkeley Packet Filter (BPF) attached to a packet socket to inspect network traffic inside the kernel and activates only when it receives a specially crafted packet.
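One practical hunt for the pattern described above is to enumerate AF_PACKET sockets on a Linux host and map them back to the processes that hold them: a backdoor that watches traffic without listening on a port still needs a packet socket, which appears in /proc/net/packet, and its inode can be matched to a "socket:[inode]" symlink under /proc/<pid>/fd. The script below is an added example written for this roundup, not code from the original article or from any vendor report on BPFDoor. The /proc/net/packet sample and the fake /proc tree in the demo are constructed; when run directly on a real Linux host it reads the live /proc. Legitimate software (tcpdump, DHCP clients, some monitoring agents) also holds packet sockets, so the output is a triage list, not a verdict.

```python
"""Enumerate AF_PACKET sockets and the processes holding them (BPFDoor-style hunt).

Added example for illustration; the sample data below is constructed.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Constructed sample of /proc/net/packet (not captured from a real host).
# Type 3 = SOCK_RAW, Type 2 = SOCK_DGRAM; Proto is the ethertype in hex,
# 0003 = ETH_P_ALL (every frame on the interface).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c3b1e2a0000 3      3    0003   2     1 0      0      31337
ffff9c3b1e2a0800 3      2    0800   0     1 0      0      42424
"""

_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_proc_net_packet(text: str) -> List[Dict[str, str]]:
    """Parse /proc/net/packet into one dict per socket, keyed by the header names."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) == len(header):
            records.append(dict(zip(header, fields)))
    return records


def find_fd_owners(proc_root: Path, inodes: Set[str]) -> Dict[str, List[int]]:
    """Map each socket inode to the pids whose fd table references it."""
    owners: Dict[str, List[int]] = {inode: [] for inode in inodes}
    for pid_dir in proc_root.iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            fds = list((pid_dir / "fd").iterdir())
        except (PermissionError, FileNotFoundError):
            continue  # process exited or not ours to read
        for fd in fds:
            try:
                target = os.readlink(fd)
            except OSError:
                continue
            m = _SOCKET_LINK.match(target)
            if m and m.group(1) in owners:
                owners[m.group(1)].append(int(pid_dir.name))
    return owners


def read_comm(proc_root: Path, pid: int) -> str:
    """Return the process name from /proc/<pid>/comm, or '?' if unreadable."""
    try:
        return (proc_root / str(pid) / "comm").read_text().strip()
    except OSError:
        return "?"


def hunt(packet_text: str, proc_root: Path) -> List[Dict[str, object]]:
    """Join packet-socket records with their owning processes.

    raw_all_traffic marks SOCK_RAW sockets bound to ETH_P_ALL, the combination a
    passive, port-less backdoor needs; it is also what a packet capture tool uses.
    """
    records = parse_proc_net_packet(packet_text)
    owners = find_fd_owners(proc_root, {r["Inode"] for r in records})
    findings = []
    for r in records:
        pids = sorted(owners.get(r["Inode"], []))
        findings.append({
            "inode": r["Inode"],
            "sock_type": r["Type"],
            "proto": r["Proto"],
            "pids": pids,
            "comms": [read_comm(proc_root, p) for p in pids],
            "raw_all_traffic": r["Type"] == "3" and r["Proto"].lower() == "0003",
        })
    return findings


def build_demo_proc_tree(root: Path) -> None:
    """Construct a fake /proc layout: pid 4242 holds the ETH_P_ALL socket above."""
    fd_dir = root / "4242" / "fd"
    fd_dir.mkdir(parents=True)
    os.symlink("socket:[31337]", fd_dir / "3")  # dangling symlink, like real /proc
    os.symlink("/dev/null", fd_dir / "0")
    (root / "4242" / "comm").write_text("sample-daemon\n")
    other = root / "77" / "fd"
    other.mkdir(parents=True)
    os.symlink("socket:[99999]", other / "5")  # unrelated socket, must not match


def demo() -> List[Dict[str, object]]:
    """Run the hunt against the constructed sample and fake /proc tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_proc_tree(root)
        return hunt(SAMPLE_PROC_NET_PACKET, root)


if __name__ == "__main__":
    live = Path("/proc/net/packet")
    if live.exists():
        results = hunt(live.read_text(), Path("/proc"))
    else:
        results = demo()
    for f in results:
        flag = "RAW/ETH_P_ALL" if f["raw_all_traffic"] else ""
        print(f"inode={f['inode']} type={f['sock_type']} proto={f['proto']} "
              f"pids={f['pids']} comms={f['comms']} {flag}")
```

Triage the flagged rows by process name, binary path and parent: a packet socket held by an unknown binary running from /dev/shm or /var/run, or by a process whose name mimics a system daemon, is the case worth pulling memory and the BPF program for.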

Sequoia has released a report detailing the evolution of the China-linked threat actor Silver Fox, which has shifted from mainly financially motivated attacks to more advanced, APT-style operations since 2024. The group uses the modular backdoor ValleyRAT (Winos), as well as other advanced tools such as HoldingHands (a Gh0st RAT variant) for specific tasks. At the same time, Silver Fox still runs simpler, profit-driven campaigns using common malware such as Blackmoon.

Researchers from Sophos Counter Threat Unit (CTU) have uncovered ongoing activity attributed to a threat group, tracked as NICKEL ALLEY, believed to operate on behalf of the North Korean government. The group is targeting technology professionals using fake job opportunities and sophisticated social engineering techniques.

eSentire’s threat intelligence team has found a backdoor called EtherRAT that lets attackers control infected computers, steal data such as crypto wallets and cloud credentials, and gather system information. Based on significant overlaps with ‘Contagious Interview’ TTPs, the malware is likely linked to a North Korean hacking group. EtherRAT hides the location of its control servers using Ethereum smart contracts and also shares similarities with another malware family called Tsundere.

Recorded Future’s Insikt Group discovered five distinct clusters leveraging the ClickFix social engineering technique to gain initial access to Windows and macOS hosts. The clusters target a variety of themes, including accounting (QuickBooks), travel (Booking.com), and system optimization (macOS).

A new version of the GlassWorm campaign has been observed that uses a multi-stage attack to steal data and install a remote access trojan. It spreads via a fake Google Docs Chrome extension that logs keystrokes, steals cookies and session data, takes screenshots, and receives commands from a hidden server located via the Solana blockchain.

Sansec researchers have spotted a new, previously undocumented method of payment skimming that leverages WebRTC DataChannels, a real-time peer-to-peer communication technology, to receive malicious code and exfiltrate stolen payment data. By using WebRTC, the attackers bypass common defenses such as Content Security Policy (CSP) and HTTP-based monitoring tools: a CSP connect-src directive governs fetch, XHR and WebSocket traffic but not WebRTC, for which CSP Level 3 defines a separate `webrtc 'block'` directive, and network monitoring that only inspects HTTP(S) never sees DataChannel traffic at all. According to Sansec, this is the first documented case of WebRTC being used as a data exfiltration channel in a payment skimming attack.

Independent security researcher Ryan Moran has published a blog post detailing the inner workings of the Cl0p ransomware/data extortion gang, including the profiles of several of its members.

The British government has sanctioned the Chinese-language cryptocurrency marketplace Xinbi for supporting large-scale online fraud and human exploitation. Authorities accused the platform of helping scam centers in Southeast Asia operate and profit.

A 40-year-old Russian man, Ilya Angelov, was sentenced to 2 years in prison for running a botnet used in ransomware attacks on dozens of US companies. He also received a $100,000 fine. Angelov, aka “milan” and “okart,” co-managed the Russia-based cybercriminal group tracked by the FBI as Mario Kart, and by the cybersecurity industry as TA-551, Shathak, GOLD CABIN, Monster Libra, ATK236, and G0127. The group spread malware through spam emails, sold access to infected computers to other criminals, and helped generate over $14 million in extortion payments.

An Armenian man, Hambardzum Minasyan, appeared in a US federal court after being extradited for his alleged role in a cybercrime scheme. He is accused of helping develop and run the RedLine malware, which steals sensitive data from victims’ computers. Prosecutors say he and others managed the malware’s infrastructure, supported users, and made money through illegal activities, including cryptocurrency payments. If convicted, he could face up to 20 years in prison.

Russian authorities have arrested a man from Taganrog suspected of running the LeakBase cybercrime forum seized earlier this month. The platform allegedly allowed users to buy and sell stolen personal data, including millions of accounts, bank details, and passwords. Police also seized equipment from his home, and officials say over 147,000 users were involved in trading and using the data for fraud.

Aleksei Volkov, a 26-year-old from Russia, was sentenced to 81 months in prison for helping cybercrime groups carry out ransomware attacks. He worked as an “initial access broker,” breaking into computer systems and selling that access to hackers. 

Cameron Curry, a former contractor of a US-based technology company, was found guilty of attempting to extort his employer. He used his job as a data analyst to access sensitive company data. After learning his contract would end, he stole confidential files and tried to use them to extort the company for $2.5 million.

An international law enforcement operation known as “Operation Alice” has taken down more than 373,000 fake dark web sites that advertised child sexual abuse material (CSAM) and cybercrime-as-a-service (CaaS) offerings. Users were lured with previews and descriptions of illegal material, then prompted to submit email addresses and pay fees ranging from €17 to €250 in Bitcoin. However, no illicit content was ever delivered.

Tycoon2FA, a phishing-as-a-service platform that targets Microsoft 365 and Gmail accounts, has recovered after a recent law enforcement takedown and is now operating at the same level as before, according to CrowdStrike. The service uses advanced techniques to bypass two-factor authentication and steal account access.