US CISA has added a bunch of security vulnerabilities to its KEV catalog, flagging active exploitation. The list includes CVE-2023-27351 (PaperCut NG/MF), CVE-2024-27199 (JetBrains TeamCity), CVE-2025-2749 (Kentico Xperience), CVE-2025-32975 (Quest KACE SMA), CVE-2025-48700 (Zimbra Collaboration Suite), CVE-2026-20122 (Cisco SD-WAN Manager), CVE-2026-20128 (Cisco SD-WAN Manager), CVE-2026-20133 (Cisco SD-WAN Manager), and CVE-2026-33825 aka BlueHammer (Microsoft Defender). Cybersecurity firm Huntress has linked in-the-wild exploitation of CVE-2026-33825 to “compromised FortiGate SSL VPN access tied to multiple suspicious source IPs” geolocated to Russia.
CISA and the UK’s NCSC-UK have issued a malware analysis report on a state-sponsored espionage campaign targeting Cisco network security devices involving a custom backdoor called Firestarter that can survive both firmware updates and standard reboots. Cisco’s Talos threat analysis team has attributed the activity to a group tracked as UAT-4356, which is also linked to the 2024 ArcaneDoor campaign. The malware was discovered on a US federal civilian agency’s Cisco Firepower appliance. The attackers initially gained access by exploiting CVE-2025-20333 and CVE-2025-20362 in Cisco ASA firmware, then deployed Firestarter across Cisco ASA, Firepower, and Secure Firewall systems.
CISA and international partners have also released a joint security advisory highlighting the shift in tactics, techniques and procedures (TTPs) used by China-aligned threat actors to compromise infrastructure. The agencies say that in recent years threat actors have been changing their tactics from using self-controlled infrastructure to large botnets mainly built from hacked SOHO routers and IoT or smart devices. The botnets are widely used across multiple actors, frequently updated, and can be shared among different groups.
On the same note, an alleged member of a Chinese Hafnium APT group may be extradited to the United States after Italian courts approved the request. Xu Zewei, who was arrested last year in Milan, is wanted by US authorities on charges of hacking and stealing information related to COVID-19 vaccines.
Chinese hackers are using a new variant of the Lotuslite malware in attacks targeting India’s banking sector. Lotuslite acts as a backdoor that communicates with command-and-control servers over HTTPS using dynamic DNS services. It enables attackers to execute remote shell commands, manage files, and control active sessions.
Iran-linked threat actor Seedworm has been observed exploiting Microsoft Teams in a social engineering campaign delivering the custom Dindoor backdoor.
The Harvester cyber espionage group has developed a new Linux version of its GoGra backdoor, which uses Microsoft Graph API and Outlook mailboxes as hidden command-and-control channels to avoid detection. The campaign has reportedly targeted users in India and Afghanistan.
ESET researchers have discovered a previously unknown advanced persistent threat (APT) group they track as GopherWhisper, conducting cyberespionage operations against governmental institutions in Mongolia. The attackers leverage Go-based malware, deploying a modular toolkit that includes injectors, loaders, and multiple backdoors.
Vulnerable Internet of Things (IoT) devices, including TBK digital video recorders and end-of-life TP-Link routers, are being actively targeted to deploy variants of the Mirai botnet. Attackers are exploiting a known vulnerability (CVE-2024-3721) affecting TBK DVR-4104 and DVR-4216 devices. The flaw enables command injection, allowing threat actors to install a Mirai-based malware strain dubbed Nexcorium.
Google’s Threat Intelligence Group (GTIG) discovered a new phishing campaign it attributed to a group tracked as UNC6692. The attackers pretended to be IT helpdesk staff and attempted to trick victims into joining a Microsoft Teams chat from outside their organization. The threat actor used custom malware and moved through the network to gain deeper access and control.
The EU has adopted a new sanctions package against Russia, which, among other things, prohibits the provision of cybersecurity services to Russia and introduces a full sectoral ban on Russian crypto service providers and platforms handling crypto transfers and exchanges. Also, the EU has sanctioned two pro-Russian organizations, Euromore and Pravfond, accused of spreading disinformation and supporting Moscow’s hybrid influence operations against Europe and Ukraine.
Zscaler ThreatLabz has released a technical report detailing activity attributed to the Tropic Trooper group. The campaign leverages military-themed lures and a compromised version of SumatraPDF to deliver the AdaptixC2 framework, which uses a custom command-and-control setup hosted on GitHub. The attackers then transition to Visual Studio Code tunnels to maintain remote access.
New Flare research shows that North Korea is expanding its remote IT worker schemes by recruiting individuals from Iran, Syria, Lebanon, and Saudi Arabia.
Expel researchers have detailed activities of HexagonalRodent, a subcluster of the North Korea-linked threat actor tracked as Famous Chollima. HexagonalRodent mainly targets Web3 developers to steal crypto assets. The group lures victims with the promise of high-paying tech jobs. Unlike other sophisticated North Korean threat actors, HexagonalRodent is more opportunistic and mostly steals digital assets and passwords from individual systems. The cluster also extensively uses generative AI in its campaigns.
Speaking of crypto thefts, a massive cryptocurrency heist that drained roughly $290 million from the decentralized finance project KelpDAO has been linked to TraderTraitor, a cluster of the North Korean Lazarus Group.
CitizenLab discovered two advanced telecom surveillance campaigns that exploited mobile network infrastructure. One used a malicious SMS with hidden SIM commands to track a device’s location. Both campaigns used customized tools to impersonate operators, manipulate signalling systems, and route traffic in ways that avoided detection. The attacks leveraged identifiers and infrastructure associated with operators worldwide, including networks based in the UK, Israel, China, Thailand, Sweden, Italy, Poland, and other countries.
Comparitech released an analysis of RAMP (Russian Anonymous Marketplace), a Russian-language cybercrime forum that operated from late 2021 until it was seized by the FBI in January 2026. The forum traded in various services, including network access, malware, ransomware partnerships, stolen data, and the hiring of criminal freelancers.
Recorded Future’s Insikt Group takes a look at Dabai Guarantee, a platform used by Chinese-speaking cybercriminal groups around the world to run fraud campaigns. The platform supports activities like financial scams, ATM fraud, and retail schemes such as “ghost-tapping.”
Hackers compromised multiple parts of the Checkmarx KICS ecosystem, including Docker images, VS Code, and Open VSX extensions, to install malware that steals sensitive data from developers. The attack also affected the Bitwarden CLI (version 2026.4.0), where malicious code was inserted into a file called “bw1.js.” Researchers believe the breach likely originated from a compromised GitHub Action in Bitwarden’s CI/CD pipeline.
A new supply chain attack in the npm ecosystem is stealing developers’ credentials and trying to spread through packages published from hacked accounts. Researchers from Socket and StepSecurity found the threat in several packages linked to Namastex Labs. The attack uses techniques similar to past CanisterWorm campaigns, but there’s no evidence the two campaigns are related.
Vercel, the developer behind the open source Next.js web development framework, has been targeted in a cyber incident that may have exposed certain internal data. The US-based firm said the entry point was the compromised Context.ai tool used by an employee. Attackers leveraged this access to take over the employee’s Google Workspace account, allowing them to access parts of Vercel’s internal environments and retrieve environment variables that were not classified as sensitive.
Cybersecurity researchers have uncovered a malware campaign that abuses a legitimate Intel utility to evade detection and execute malicious code. According to Cyfirma, attackers are leveraging the digitally signed Intel binary (IAStorHelp.exe), using a technique known as AppDomain hijacking.
A ransomware campaign linked to the Payouts King group is leveraging the QEMU emulator as a backdoor, allowing attackers to deploy hidden virtual machines (VMs) on compromised systems and bypass traditional endpoint security tools. Sophos researchers have observed two related campaigns, one of which, tracked as STAC4713, is directly linked to Payouts King. Another campaign, tracked as STAC3725, exploited the CitrixBleed 2 vulnerability (CVE-2025-5777) in NetScaler systems.
Threat actors linked to The Gentlemen ransomware operation are increasingly leveraging proxy malware to expand their reach. Affiliates of the group have been deploying SystemBC, a well-known malware tool used to establish covert communications and maintain persistence inside compromised networks. Researchers traced the malware’s command-and-control infrastructure to a botnet comprising more than 1,570 infected systems worldwide.
Angelo Martino, a 41-year-old former employee of cybersecurity incident response firm DigitalMint, has pleaded guilty to participating in a series of BlackCat/ALPHV ransomware attacks targeting US companies in 2023. Martino was charged alongside two other ransomware negotiators, Ryan Clifford Goldberg and Kevin Tyler Martin, who worked with Sygnia and DigitalMint. All three faced charges including conspiracy to interfere with interstate commerce by extortion and intentional damage to protected computer systems. Goldberg and Martin have also pleaded guilty and could face up to 20 years in prison each.
French police arrested a 20-year-old suspected hacker known as “HexDex” in western France. Authorities believe he may be behind around 100 cyberattacks targeting public institutions, sports groups, and private organizations since late 2025.
A Kazakhstani national in his 30s has been arrested in connection with a series of ransomware attacks targeting corporate servers in South Korea. Authorities allege he led a ransomware operation that breached corporate servers, encrypted sensitive data, and demanded Bitcoin payments in exchange for restoring the files.
A key member of the Scattered Spider cybercrime group has pleaded guilty in the US to charges linked to a wide-ranging hacking and fraud scheme that netted millions of dollars in stolen cryptocurrency. Prosecutors say that Tyler Buchanan and his co-conspirators targeted at least a dozen companies and stole more than $8 million from victims across the United States.
US authorities have announced a series of coordinated actions targeting Southeast Asian scam networks. Two Chinese nationals were charged for operating the Shunda scam compound in Burma, a Telegram channel used to recruit trafficking victims into a Cambodian scam center was seized, and more than 500 fake investment websites were shut down.
A 22-year-old hacker in Ukraine stole over 127 million hryvnias (~$2.9 million) from companies by infecting their servers and transferring money to fake bank accounts. He used over 100 “money mules” and laundered the funds through luxury cars, cryptocurrency, and cash. Police blocked many accounts and recovered more than 60 million hryvnias. The suspect now faces up to 15 years in prison.