Google has released emergency security updates to address a zero-day vulnerability in its Chrome browser. The zero-day flaw, tracked as CVE-2026-5281, is a use-after-free issue in the Dawn component in Google Chrome. It could be abused by a remote attacker for code execution by tricking a user into visiting a malicious web page.
A suspected Chinese-linked threat actor has been observed exploiting a zero-day vulnerability in the TrueConf client in campaigns targeting government entities in Southeast Asia. Attackers leveraged the update channel of TrueConf to deliver malware, more specifically a payload linked to the Havoc command-and-control framework. The flaw (CVE-2026-3502) affects the application’s update validation mechanism, allowing attackers who control an on-premises server to distribute and execute arbitrary files across connected systems.
Threat actors are actively targeting a critical vulnerability in Fortinet’s FortiClient EMS platform. The flaw, tracked as CVE-2026-21643, allows unauthenticated attackers to execute arbitrary code on vulnerable systems.
A recently disclosed critical vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway devices is already drawing attention from threat actors. The flaw, tracked as CVE-2026-3055, is an out-of-bounds read issue that could allow a remote attacker to read the contents of memory on the system. If successfully exploited, attackers could potentially access sensitive data on affected systems.
Ukraine’s national cyber incident response team CERT-UA has warned of a wave of malicious emails impersonating the agency and urging recipients to download a “protected” archive and install so-called security software. The emails, distributed to a wide range of organizations, including government bodies, medical centers, security firms, educational institutions, financial companies, and software developers, contained links to password-protected files hosted on the Files.fm service.
Ukraine’s cybersecurity authorities have released an analytical report about the threat landscape in Ukraine in the second half of 2025. Officials note that for the first time since the beginning of the Russian invasion, the number of cyber incidents decreased, by 4% compared to the previous half-year. No critical incidents were observed, and the number of high-level incidents decreased. Despite a slight increase in the number of malware distribution campaigns, actual infections have declined. A shift in initial compromise vectors was also observed: hackers are now focusing on building trust with their victims, actively using legitimate communication channels, and applying a highly personalized approach to their targets.
An advanced remote access toolkit, dubbed “CTRL,” is being distributed through malicious Windows shortcut (LNK) files disguised as private key folders. The CTRL toolkit is custom-built using the .NET framework and consists of multiple executables designed to carry out credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling.
The China-aligned threat actor TA416 has renewed its targeting of European and Middle Eastern government and diplomatic organizations from mid-2025 through early 2026. While some of TA416’s techniques, tactics and procedures remained unchanged, Proofpoint observed the group modifying its infection chains, including the use of fake Cloudflare Turnstile verification pages, abuse of OAuth redirects via Microsoft Entra ID applications, and the deployment of malicious C# project files. Multi-stage infection chains, which involved ZIP smuggling, LNK files, and encrypted payloads, ultimately led to the deployment of the PlugX malware.
Palo Alto Networks’ Unit 42 researchers have discovered a series of cyberespionage campaigns targeting a government organization in Southeast Asia, using multiple malware families and techniques to maintain long-term access. The investigation began when the researchers examined activity linked to the Stately Taurus group that leveraged USB-based malware called USBFect, aka HIUPAN.
Opensourcemalware discovered a North Korea-linked attack, dubbed 'TasksJacker,' that has compromised over 400 GitHub repositories in about a month. TasksJacker exploits VS Code’s tasks.json auto-execution feature, allowing attackers to compromise systems simply by cloning and opening a repository.
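The tasks.json auto-execution feature that TasksJacker abuses can be audited before a cloned repository is opened in the editor. As an added example (not code from Opensourcemalware's research), this Python scanner flags tasks whose runOptions.runOn is set to "folderOpen", handling the comments and trailing commas VS Code permits in that file; the sample tasks.json is constructed.

```python
"""Flag VS Code tasks that run automatically on folder open.

Constructed defender-side triage helper, not code from the research above.
A task whose runOptions.runOn is "folderOpen" starts when the workspace is
opened (subject to editor trust settings), so list such tasks before opening.
"""
import json
import re
from pathlib import Path

# Group 1 keeps string literals intact; the other alternatives match comments.
_COMMENT_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)

def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas (VS Code accepts both)."""
    no_comments = _COMMENT_RE.sub(lambda m: m.group(1) or "", text)
    return re.sub(r",(\s*[}\]])", r"\1", no_comments)  # naive: ignores ",}" inside strings

def auto_run_tasks(tasks_json: str) -> list:
    """Return the tasks configured to auto-run, with the command they would launch."""
    findings = []
    for task in json.loads(strip_jsonc(tasks_json)).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        findings.append({"label": task.get("label", "<unlabelled>"),
                         "type": task.get("type", "<unknown>"),
                         "command": " ".join(parts).strip()})
    return findings

def scan_repo(repo) -> list:
    """Scan <repo>/.vscode/tasks.json; a missing file means nothing auto-runs."""
    path = Path(repo) / ".vscode" / "tasks.json"
    return auto_run_tasks(path.read_text(encoding="utf-8")) if path.is_file() else []

# Constructed sample: a benign build task plus one wired to run on folder open.
SAMPLE = """{
  // comments and trailing commas are legal in tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    { "label": "init", "type": "shell", "command": "node", "args": ["./setup.js"],
      "runOptions": { "runOn": "folderOpen" } },
  ]
}"""

if __name__ == "__main__":
    for f in auto_run_tasks(SAMPLE):
        print(f"AUTO-RUN task {f['label']!r} ({f['type']}): {f['command']}")
```

Run it against a freshly cloned repository with scan_repo(path) before opening that folder; an empty list means no task is configured to start on folder open.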
AhnLab SEcurity intelligence Center (ASEC) says it observed a change in the North Korean Kimsuky group’s method of distributing malicious LNK files. The overall attack flow remains largely the same, with a malicious LNK ultimately executing a Python-based backdoor or downloader.
Cisco has experienced a cybersecurity incident after threat actors exploited stolen credentials from the recent Trivy supply chain compromise to breach the company's internal development environment and steal sensitive source code. Cisco was able to contain the breach, which involved a malicious GitHub Action plugin linked to the Trivy attack. The compromised plugin allowed attackers to harvest credentials and access data from the company’s build systems, affecting dozens of devices, including developer and lab workstations.
In the meantime, CERT-EU confirmed that a recent EU breach was carried out by the ShinyHunters group and is linked to a Trivy supply chain attack, which was publicly attributed to the TeamPCP threat actor. Attackers gained access around March 24-25, exploiting AWS systems and stealing about 91.7 GB of data, including personal information. The breach affects European Commission infrastructure and may impact at least 29 other EU entities.
A major software supply chain attack has targeted the popular Axios JavaScript library, after hackers hijacked the npm account of its primary maintainer to distribute malicious code to developers worldwide. Axios maintainer Jason Saayman said that the compromise was the result of a social engineering campaign, with the attacker hijacking the developer’s active sessions and gaining full control of his npm and GitHub accounts.
The SlowMist team discovered a supply-chain attack where threat actors modified a script on Apifox’s official CDN with hidden malicious code. It looked like normal tracking code but actually stole user credentials and system data, sent them to attackers, and allowed them to run remote commands on affected systems.
GreyNoise researchers say residential proxies are a major challenge for IP reputation systems because they make malicious traffic look like normal user activity. Attackers frequently rotate the IPs, and many are short-lived, so security systems can’t track or block them in time. GreyNoise found that 39% of malicious traffic comes from home networks, and most of the IPs are used only once or twice before disappearing.
Anthropic accidentally released internal source code for its AI coding assistant Claude Code due to a human error in a software package update. The issue exposed a large amount of code but did not involve any customer data or credentials. The company said it was not a security breach and has removed the affected version while working to prevent similar mistakes.
Sekoia’s threat intelligence team discovered a new phishing kit named EvilTokens, which is sold as a service that targets Microsoft device code authentication. The tool is managed through Telegram bots and is regularly updated with new features. The developers also plan to expand it to target Gmail and Okta accounts.
Elastic Security Labs has observed a financially motivated operation called REF1695, which spreads malware using fake software installers deploying tools like remote access programs and cryptominers. The threat actor also makes money through scam websites that trick victims into completing actions.
Cisco Talos released an in-depth analysis of the malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems. It can terminate over 300 different EDR drivers from almost every vendor in the market.
Team Cymru discovered and analyzed a server linked to the Yurei ransomware, which allowed the researchers to determine the attack flow and identify a ransomware operator’s toolkit.
Bitsight research dives into the recent activities of the Phorpiex botnet (Twizt Variant) that hijacks cryptocurrency wallets, replacing victims’ clipboard data with attacker wallets. It spreads like a worm via removable drives, network shares, and infected executable files. It also delivers ransomware and conducts large-scale sextortion email campaigns.
A new campaign is leveraging WhatsApp messages to deliver malicious Visual Basic Script (VBS) files in a multi-stage infection chain designed to establish persistence on victim systems and enable remote access. The campaign combines social engineering with “living-off-the-land” techniques that involve renaming trusted Windows utilities and using cloud platforms such as AWS, Tencent Cloud, and Backblaze B2.
US authorities have charged 36-year-old Jonathan Spalletta with stealing over $53 million from the Uranium Finance cryptocurrency platform. According to the indictment, Spalletta, also known as “Cthulhon” and “Jspalletta,” carried out two attacks in April 2021. The first attack exploited a smart contract flaw to take about $1.4 million, part of which he later labeled as a “bug bounty.” The second attack used a coding error to drain around $53.3 million from 26 liquidity pools, ultimately forcing Uranium Finance to shut down.
Ukrainian police have dismantled a criminal group that targeted people on dating sites and messaging apps, tricking them into investing in cryptocurrency. Using fake accounts, video manipulation, and controlled wallets, members of the gang created the illusion of profit and stole millions, including from foreign victims. Police arrested 8 key members and seized cash, crypto wallets, computers, and luxury cars. The suspects face up to 12 years in prison.