Last week’s stories highlight a clear trend: attackers are succeeding by moving faster than organizations can patch and by targeting the areas that most often get overlooked—third‑party software and dependencies, exposed admin/management systems, and credentials/API keys. We’re seeing this play out in several ways:
This week’s newsletter centers on how attackers (and platforms) are increasingly using “quiet” collection and trust abuse to gain leverage—ranging from subtle tracking and data leakage (like extension fingerprinting and exposed API keys), to high-impact compromises and extortion, to social-engineering and supply-chain tactics that turn everyday tools and
This week’s newsletter focuses on urgent patching and active exploitation: critical Citrix NetScaler and Cisco FMC issues (including a ransomware-linked zero-day), plus Quest KACE and Oracle fixes. It also highlights disruption of a huge router proxy botnet, Russia-aligned phishing targeting Signal/WhatsApp accounts, and a major Trivy GitHub Actions
Overview In this report I discuss SILENTCONNECT, a newly discovered multi-stage malware loader that has targeted Windows machines since early March 2025. It has been observed actively in the wild. Its primary objective is to silently download and install ConnectWise ScreenConnect on the victim’s system, giving threat actors full
This week’s threat landscape highlights a sharp mix of ransomware and extortion pressure, credential-driven breaches, and active exploitation of high-impact enterprise and management-plane vulnerabilities. Healthcare and service providers remain prime targets, while phishing and social engineering continue to enable account takeovers and sensitive data exposure. At the same time,
This week's threat intel highlights multiple campaigns abusing trusted infrastructure and user habits to steal data and gain access. These include fake GitHub download pages and cloned install docs that trick people into running malicious commands. We cover major disruption events—the FBI system investigation and Stryker'
This week's threat intel newsletter covers AI-enabled attacks, mobile exploits, infrastructure vulnerabilities, law enforcement disruptions, and cloud security incidents. Key topics include attackers using Claude Code to automate exploits against Mexican government systems, North Korea's APT37 weaponizing USB drives to breach air-gapped networks, a sophisticated iOS
This week’s threat intel shows attackers using AI to scale malware and intrusions, with credential theft and internet-exposed systems as common entry points. Priority actions are to lock down management interfaces, enforce MFA, rotate secrets, and urgently patch actively exploited bugs (notably Roundcube and Cisco SD-WAN). Arkanix Stealer: Multi-Platform
Welcome to this week's Threat Intel Newsletter. This week we cover the most urgent threats where exploitation is happening fast and at scale. We start with mass exploitation of Ivanti EPMM—driven largely by a single bulletproof-hosted IP. Then we explain how trust is being abused in modern
Welcome to this week’s Threat Intel Newsletter. In this edition, the common thread is that compromise is increasingly happening through places defenders are forced to trust: edge infrastructure, virtualization layers, software update paths, and extension ecosystems. We break down China-linked targeting of Singapore’s telecom sector and leaked evidence
Welcome to this week’s Threat Intelligence Newsletter. This edition focuses on high-impact vulnerabilities and active tradecraft that shorten the path from initial access to full compromise, including multiple remote code execution (RCE) scenarios with low user interaction, and a notable software supply chain incident. We cover a one-click RCE
Overview ShinySp1d3r is a newly observed Ransomware-as-a-Service (RaaS) operation linked to the continued evolution of the ShinyHunters ecosystem and its collaboration with Scattered Spider/COM. While ShinyHunters first emerged in 2020 as a high-volume data theft and extortion group, recent campaigns show a clear progression toward more sophisticated intrusion models