Security Insights
Stay Ahead of the Threat Landscape
Practical guidance on AI security, compliance frameworks, and cloud protection — written by practitioners who've worked inside Microsoft, AWS, Cisco, and JPMorgan Chase.
Operation PowerOFF identifies 75k DDoS users, takes down 53 domains
Law enforcement across 21 countries recently identified approximately 75,000 users involved in distributed denial-of-service attacks and shut down 53 domains supporting DDoS operations, demonstrating increased international coordination against this threa
ZionSiphon malware designed to sabotage water treatment systems
A new malware called ZionSiphon has been discovered specifically targeting water treatment and desalination facilities to sabotage their operations by compromising operational technology systems. If your organization operates critical water infrastructure
New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges
A security researcher has publicly released an exploit for a zero-day vulnerability in Microsoft Defender that allows attackers to gain SYSTEM-level privileges on Windows systems. You should immediately prioritize patching Microsoft Defender and monitor y
North Korea Uses ClickFix to Target macOS Users' Data
North Korean threat actors are using deceptive tactics like fake job offers and fraudulent software update notifications to trick macOS users into downloading ClickFix malware, which then steals their login credentials and sensitive data. Your organizatio
'Harmless' Global Adware Transforms Into an AV Killer
Dragon Boss, a piece of software that appeared harmless, was updated in March 2025 to secretly disable Windows Defender protections and establish persistent access to infected systems. Business leaders and security teams should immediately audit any syste
Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic
A newly discovered botnet called PowMix is actively targeting Czech workers by using randomized command-and-control traffic that makes detection by traditional security tools significantly more difficult. Organizations should immediately review their netw
Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face
Attackers are exploiting a critical vulnerability in Marimo, a Python notebook tool, to deliver NKAbuse malware that enables remote code execution, with the malware being hosted on Hugging Face's platform. Organizations using Marimo should immediately upd
Two-Factor Authentication Breaks Free from the Desktop
Two-factor authentication is moving beyond computers into physical security systems, and threat actors are already adapting their tactics to bypass these emerging implementations. You should evaluate whether your organization's 2FA deployments in physical
Google expands Gemini AI use to fight malicious ads on its platform
Google is deploying its Gemini AI to detect and block malicious advertisements on its platforms, responding to increasingly sophisticated evasion tactics used by scammers and threat actors. You should remain vigilant about ads appearing in Google's ecosys
Microsoft's Original Windows Secure Boot Certificate Is Expiring
Microsoft's Secure Boot certificate, a foundational security component that validates the integrity of Windows systems during startup, is expiring and requires immediate updates across your organization. You should prioritize deploying Microsoft's Secure
New ATHR vishing platform uses AI voice agents for automated attacks
A new cybercrime platform called ATHR is conducting automated voice phishing attacks using AI agents combined with human operators to trick people into revealing their credentials over the phone. Your organization should train employees to be suspicious o
Most "AI SOCs" Are Just Faster Triage. That's Not Enough.
Many organizations deploying AI in their Security Operations Centers are only accelerating alert triage rather than achieving meaningful automation that reduces analyst workload or improves response times. To maximize the value of AI investments, you shou
ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
Multiple critical vulnerabilities are currently under active exploit, including a zero-day in Microsoft Defender, brute-force attacks targeting SonicWall appliances, and a 17-year-old remote code execution flaw in Excel that remains dangerous despite its
Cisco says critical Webex Services flaw requires customer action
Cisco has released critical security updates for Webex Services that patch vulnerabilities including an improper certificate validation flaw, which requires customers to take additional action beyond standard patching. You should immediately check with Ci
Horner Automation Cscape and XL4, XL7 PLC
Anviz Multiple Products
Delta Electronics ASDA-Soft
AVEVA Pipeline Simulation
[Webinar] Find and Eliminate Orphaned Non-Human Identities in Your Environment
Orphaned non-human identities—such as service accounts, API keys, and application credentials that are no longer actively managed or monitored—represent a significant security gap that attackers can exploit to gain unauthorized access to your systems. You
Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution
Cisco has released patches for four critical vulnerabilities in its Identity Services Engine and Webex products that allow attackers to execute arbitrary code and potentially compromise affected systems. Organizations using these Cisco products should pri
Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu
Taboola, a major content recommendation platform embedded on countless websites, has been observed routing users with active banking sessions to Temu and other third-party sites, potentially exposing sensitive authentication tokens and session data to una
Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks
Attackers are exploiting Obsidian note-taking application plugins to deliver PHANTOMPULSE remote access malware, specifically targeting professionals in finance and cryptocurrency sectors. Organizations using Obsidian should audit installed plugins for su
6-Year Ransomware Campaign Targets Turkish Homes & SMBs
A ransomware campaign has been targeting Turkish homes and small businesses for six years, operating largely undetected because smaller victims rarely report breaches publicly, which allows attackers to continue their operations with minimal interference.
Critical MCP Integration Flaw Puts NGINX at Risk
A critical vulnerability in nginx-ui allows attackers to manipulate NGINX configuration files, potentially disrupting web services or injecting malicious configurations that could compromise your infrastructure. You should immediately audit systems runnin
Navigating the Unique Security Risks of Asia's Digital Supply Chain
Asia's digital supply chain faces heightened security risks due to fragmented regulatory frameworks across countries, deeply interconnected systems that amplify breach impact, and emerging AI vulnerabilities that attackers are actively exploiting. Organiz
Patch Tuesday, April 2026 Edition
CISA Adds Two Known Exploited Vulnerabilities to Catalog
OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
Critical Marimo pre-auth RCE flaw now under active exploitation
A critical vulnerability in Marimo that allows attackers to execute code without authentication is currently being exploited in the wild to steal credentials. If your organization uses Marimo, you should immediately patch to the latest version and monitor
CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads
Attackers compromised the download servers for CPUID's popular CPU-Z and HWMonitor tools and distributed them bundled with STX RAT malware, which gives attackers remote access and control over infected systems. You should immediately verify that any CPU-Z
Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621
Adobe has released a patch for CVE-2026-34621, a vulnerability in Acrobat Reader that is currently being actively exploited by attackers in the wild. You should prioritize updating Acrobat Reader to the latest patched version immediately across your organ
Over 20,000 crypto fraud victims identified in international crackdown
An international law enforcement operation has identified over 20,000 victims of cryptocurrency fraud across North America and the United Kingdom, demonstrating that crypto scams remain a widespread and persistent threat to your organization and employees
Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data
Law enforcement agencies have exploited advertising data collection through a platform called Webloc to track approximately 500 million devices without apparent transparency or oversight, according to research from Citizen Lab. Organizations should audit
ChatGPT rolls out new $100 Pro subscription to challenge Claude
OpenAI has launched a $100 monthly Pro subscription tier to compete directly with Claude's pricing structure, signaling an escalation in the AI platform market that will likely drive up costs for enterprises adopting these tools at scale. Business leaders
Hims Breach Exposes the Most Sensitive Kinds of PHI
Hackers breached Hims and gained access to highly sensitive personal health information including details about patients' conditions like hair loss, weight management, and erectile dysfunction. You should assume this data could be used for blackmail, targ
Your Next Breach Will Look Like Business as Usual
Attackers are increasingly using stolen or compromised credentials to access systems while making their activity appear as normal business operations, making these attacks extremely difficult to detect with traditional security tools. Your organization sh
Nearly 4,000 US industrial devices exposed to Iranian cyberattacks
Iranian-linked hackers have exposed nearly 4,000 internet-connected industrial control devices manufactured by Rockwell Automation that manage critical US infrastructure operations. Your organization should immediately audit whether you have any internet-
FINRA Launches Financial Intelligence Fusion Center to Combat Cybersecurity and Fraud Threats
Orange Business Reimagines Enterprise Voice Communications With Trust and AI
Analysis of one billion CISA KEV remediation records exposes limits of human-scale security
Most critical vulnerabilities tracked by CISA are being actively exploited by attackers before organizations have time to patch them, revealing that traditional manual patching processes cannot keep pace with modern threat timelines. Organizations need to
Industrial Controllers Still Vulnerable As Conflicts Move to Cyber
Industrial control systems remain dangerously exposed to cyberattacks, with US government warnings confirming that programmable logic controllers are actively being targeted and researchers discovering 179 vulnerable operational technology devices in the
GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs
Attackers are using a malware campaign called GlassWorm that deploys a Zig-based dropper to compromise developer integrated development environments (IDEs), potentially giving them access to source code and development infrastructure. Development teams sh
Browser Extensions Are the New AI Consumption Channel That No One Is Talking About
Contemporary Controls BASC 20T
GPL Odorizers GPL750
Russia Hacked Routers to Steal Microsoft Office Tokens
Russian state-sponsored actors compromised network routers to intercept and steal authentication tokens for Microsoft Office 365, giving them persistent access to corporate email and cloud services without needing passwords. You should immediately audit y
Mitsubishi Electric GENESIS64 and ICONICS Suite products
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
Iranian-affiliated cyber actors are actively targeting programmable logic controllers (PLCs) and other operational technology systems across U.S. critical infrastructure sectors, presenting a serious risk to essential services like power grids, water syst
Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations
Summary for Leaders: An Iran-linked threat group is conducting large-scale password-spraying attacks against over 300 Israeli organizations using Microsoft 365, attempting to guess weak or common passwords at scale to gain account access. If your organi
Microsoft removes Support and Recovery Assistant from Windows
Microsoft has deprecated and removed the Support and Recovery Assistant (SaRA) command-line utility from all in-support versions of Windows updates starting March 10. [...]
Microsoft links Medusa ransomware affiliate to zero-day attacks
Microsoft says that Storm-1175, a China-based financially motivated cybercriminal group known for deploying Medusa ransomware payloads, has been deploying n-day and zero-day exploits in high-velocity attacks. [...]
Drift $280M crypto theft linked to 6-month in-person operation
The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building "a functioning operational presence inside the Drift ecosystem." [...]
DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea
Threat actors likely associated with the Democratic People's Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organizations in South Korea. The attack chain
CISA orders feds to patch exploited Fortinet EMS flaw by Friday
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited vulnerability by Friday. [...]
Automated Credential Harvesting Campaign Exploits React2Shell Flaw
An emerging threat cluster tracked as UAT-10608 is exploiting vulnerable Web-exposed Next.js apps and using an automated tool to exfiltrate credentials, secrets, and other system data.
Shadow AI in Healthcare Is Here to Stay
Medical professionals are not going to stop using AI tools to manage growing workloads. Organizations should prioritize bolstering security protocols to limit their blast radius.
Why Simple Breach Monitoring is No Longer Enough
Infostealers are harvesting credentials and session cookies at scale, bypassing traditional defenses. Lunar explains why simple breach monitoring alone can't keep up with modern credential-based attacks. [...]
OWASP GenAI Security Project Gets Update, New Tools Matrix
In recognition of 21 generative AI risks, the standards group recommends that companies take separate but linked approaches to defending GenAI and agentic AI systems.
Multi-OS Cyberattacks: How SOCs Close a Critical Risk in 3 Steps
Your attack surface no longer lives on one operating system, and neither do the campaigns targeting it. In enterprise environments, attackers move across Windows endpoints, executive MacBooks, Linux infrastructure, and mobile devices, takin
⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
This week had real hits. The key software got tampered with. Active bugs showed up in the tools people use every day. Some attacks didn’t even need much effort because the path was already there. One weak spot now spreads wider th
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploit (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers
The most active piece of enterprise infrastructure in the company is the developer workstation. That laptop is where credentials are created, tested, cached, copied, and reused across services, bots, build tools, and now local AI agents. In
Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools
Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to silence security tools running on compromised hosts, according to findings fr
Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab
Key Takeaway: German authorities have publicly identified "UNKN," the alleged operator behind REvil and GandCrab—two of the most prolific ransomware gangs responsible for billions in damages globally. Watch for retaliatory attacks or operational shifts
Inconsistent Privacy Labels Don't Tell Users What They Are Getting
Data privacy labels are a great idea for mobile apps, but the current versions just aren't good enough.
Apple Breaks Precedent, Patches DarkSword for iOS 18
Even organizations with users unwilling or unable to adopt iOS 26 can now protect themselves from a severe mobile OS-cracking tool.
Hitachi Energy Ellipse
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-092-03.json
Summary: Hitachi Energy is aware of a Jasper Report vulnerability that affects the Ellipse product
Siemens SICAM 8 Products
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-092-01.json
Summary: Multiple SICAM 8 products are affected by multiple vulnerabilities that could lead to den
Yokogawa CENTUM VP
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-092-02.json
Summary: Successful exploitation of this vulnerability could allow an attacker to login as the PRO