Real-world threat breakdowns. Attack chain analysis. No fluff. No fear-mongering. Just signal.
Cybersecurity Intelligence & Analysis
Practical security guidance for defenders. Understand the threat before it finds you.
01
Attack Surface
18 min read
Via a Crafted HTML Page: How Attackers Build Browser Exploits
Every Chrome CVE advisory lands on the same phrase: "via a crafted HTML page." This is what that actually means — heap spraying, HTML smuggling, renderer exploitation, sandbox escapes, and watering hole delivery, with code examples throughout.
02
Vulnerability
9 min read
AI vs Fuzzing Security Tools
AI-powered vulnerability discovery and traditional fuzzing are converging. Here is what that means for security teams, open-source projects, and the attackers watching closely.
03
Supply Chain
22 min read
The Breach That Started a Year Before Crunchyroll Knew About It
6.8 million subscribers exposed through a five-organization credential chain traced back to a chatbot's GitHub compromise in March 2025. ShinyHunters, Telus Digital, Trufflehog, and an 11-day silence — the full attack chain, every link sourced.
04
Threat Intel
18 min read
Qilin Is Running a Business. That's What Makes It So Dangerous.
Qilin ransomware has institutionalized itself — in-house lawyers, on-demand journalists, 85% affiliate payouts, and North Korean state actors on the roster. This is an analysis of the business model behind the dominant ransomware threat of 2025–2026.
05
Vulnerability
11 min read
CVE-2026-20963: CISA Confirms Active Exploitation of Critical Microsoft SharePoint RCE
A SharePoint deserialization flaw patched in January 2026 is now confirmed actively exploited. CISA added it to the KEV catalog on March 18 — the tenth SharePoint entry — with a 72-hour federal remediation deadline. Every organization running on-premises SharePoint Server 2016, 2019, or Subscription Edition needs to act now.
06
Vulnerability
15 min read
CVE-2025-14174: The WebKit Zero-Day That Put Every Apple Device at Risk
A memory corruption flaw in the ANGLE graphics library hit Safari, Chrome, and Edge simultaneously — and because Apple mandates WebKit on iOS, every browser on every iPhone and iPad was exposed. Confirmed exploited in the wild against high-value targets before either patch dropped.
07
Threat Intel
20 min read
Interlock Ransomware Exploited Cisco Firewall Zero-Day for 36 Days Before Anyone Knew
Interlock had silent root-level access to enterprise firewalls for over a month before Cisco knew CVE-2026-20131 existed. Amazon's MadPot caught them — and their exposed toolkit reveals AI-generated malware, dual-language RATs, a fileless Java webshell, and AD CS exploitation via Certify.
08
DDoS
9 min read
Why DDoS Refuses to Die: The $30 Weapon That Took Down 110 Organizations in a Weekend
DDoS attacks surged 168% in 2025, a single botnet reached 31.4 Tbps, and hacktivist groups hit 110 organizations across 16 countries in 72 hours. From $30 booter subscriptions to IoT mega-botnets, an analysis of why network denial-of-service keeps getting more dangerous.
09
Threat
25 min read
Lazarus Group Adopts Medusa Ransomware to Target Healthcare and Critical Infrastructure
North Korea's premier hacking collective has adopted the Medusa ransomware-as-a-service platform, launching extortion attacks against healthcare organizations in the United States and the Middle East. But the real story is not about the tool...
10
Malware
28 min read
BadPaw and MeowMeow: Inside a Russian Malware Campaign Against Ukraine — and What the APT28 Attribution Actually Means
Researchers at ClearSky have uncovered a sophisticated, multi-stage cyberespionage campaign deploying two previously undocumented malware families against Ukrainian organizations. The operation combines steganography, sandbox evasion, and a geopolitically tailored lure...
11
Malware
30 min read
Deno Runtime Malware: Inside the CastleRAT Fileless Attack Chain
ThreatDown researchers have documented what they describe as the first documented case of threat actors abusing the Deno JavaScript runtime in a malware infection chain observed in the wild.
12
Threat Intel
14 min read
Shadowserver: The Internet's Quiet Early-Warning System
Every day, without fanfare, a nonprofit foundation performs daily internet-wide scans covering most of the routable IPv4 address space, tracks live botnets, and sends free threat intelligence to the national security teams of over 170 countries.
13
Vulnerability
22 min read
The Machine Audited the Stack — and the Stack Failed: OpenAI Codex Security, 1.2 Million Commits, and 10,561 High-Severity Findings
OpenAI's Codex Security agent scanned 1.2 million commits in 30 days and surfaced 792 critical vulnerabilities across GnuPG, GnuTLS, GOGS, PHP, Chromium, and more — 14 assigned CVEs. What the findings mean for defenders and why the AI security race is now a real operational variable.
14
Patch
20 min read
Cisco Releases Major Firewall Security Update: Two CVSS-10 FMC Flaws, Active SD-WAN Exploitation, and 48 Vulnerabilities Patched
Two CVSS-10 authentication bypass and RCE flaws in Secure FMC, a Catalyst SD-WAN zero-day exploited since 2023 by UAT-8616, and 48 total CVEs patched — including SD-WAN Manager vulnerabilities under confirmed active exploitation at the time of release.
15
Patch
28 min read
When the Patcher Is the Attack Surface: March 2026 Patch Tuesday, 83 CVEs, and the Month AI Became Both Discoverer and Weapon
Two publicly disclosed zero-days, a CVSS 9.8 RCE found by an autonomous AI agent, and a Copilot-powered zero-click data exfiltration path in Excel — the first Patch Tuesday on record where AI simultaneously discovered a vulnerability, weaponized another, and provided the infrastructure pathway for a third.
16
Attack
18 min read
Your Tools, Their Rules: Kibana Became a Hit List
The index had a name. It was called systeminfo. It held data on 216 victim hosts across 34 organizations spanning 37 time zones: government agencies, financial services firms, higher education institutions, manufacturers, IT service providers.
17
Vulnerability
32 min read
They Named It Buffout. Four Years Later, CISA Called It Active.
A WebKit integer overflow disclosed at a high-stakes Chinese hacking contest in October 2021 was codenamed "buffout" by its eventual exploiters — and sat quietly on the books for years.
18
Vulnerability
18 min read
CVE-2026-27944: The Nginx UI Flaw That Hands Over Your Server's Secrets in a Single Request
A CVSS 9.8 critical vulnerability lets any unauthenticated attacker download a full Nginx UI server backup and decrypt it immediately — encryption key included in the same HTTP response. Active probing confirmed. Two public PoCs in the wild.
19
Vulnerability
22 min read
When the Monitor Becomes the Threat: CVE-2026-22719 and the VMware Aria Operations RCE
A confirmed, actively exploited command injection flaw in VMware Aria Operations hands unauthenticated attackers arbitrary command execution on one of the most privileged platforms in any enterprise data center. CISA added it to the KEV catalog on March 3, 2026. Federal deadline: March 24, 2026.
20
Threat Intel
19 min read
Tycoon 2FA: How a $120 Subscription Turned MFA Into a Speed Bump
For two and a half years, a PhaaS platform on Telegram systematically bypassed MFA at nearly 100,000 organizations. On March 4, 2026, Europol seized 330 domains and named its alleged developer. Here is how it worked, who it hit, and why the threat is far from over.
21
Threat Actor
14 min read
Silver Dragon: Inside the APT41-Linked Espionage Campaign Hiding in Your Google Drive
A newly identified Chinese-linked APT operating within the APT41 umbrella has been quietly compromising government ministries across Southeast Asia and Europe since mid-2024 — using Google Drive as its covert command-and-control channel.
22
Threat Intel
12 min read
When the Assembly Line Comes for Your Firewall
CyberStrikeAI is a state-adjacent, open-source AI attack platform a low-skilled, Russian-speaking threat actor used to breach 600+ FortiGate firewalls across 55 countries in five weeks — no zero-days required, just exposed ports and weak credentials.
23
APT / Threat Actor
9 min read
Dust Specter: Iran's Ghost in the Iraqi Ministry
A newly named Iran-nexus APT hit Iraqi government officials in January 2026 with four previously undocumented malware families — SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM — using AI-assisted development, a compromised Iraqi government domain, and a ClickFix lure tied to operations running since at least July 2025.
24
Threat Actor
11 min read
Fancy Bear's Two-Front Attack: How APT28 Ran Dual Zero-Days Against the West
APT28 ran two unpatched Microsoft zero-days simultaneously in early 2026 — CVE-2026-21513 in MSHTML and CVE-2026-21509 in Office — deploying three distinct payload chains including MiniDoor, PixyNetLoader, and BEARDSHELL against government and defense targets across Eastern Europe.
25
Data Breach
12 min read
They Sell Risk Intelligence. They Couldn't Patch a CVSS 10.0
FulcrumSec breached LexisNexis AWS infrastructure via an unpatched React2Shell vulnerability left exposed for nearly three months — exfiltrating 3.9 million records, 118 government user profiles, and 53 plaintext secrets including a production password reused five times.
26
Supply Chain
10 min read
You Didn't Install Malware. You Bought It — The QuickLens Supply Chain Attack
A Google-featured Chrome extension was purchased on a legal marketplace, weaponized in 16 days, and silently pushed a crypto-stealing C2 agent to 7,000 browsers. No breach. Just a transaction.
27
Breach
12 min read
Hit Twice, Told Once: The GPOA Breach Raises Hard Questions About Healthcare Cybersecurity
RansomHouse hit Greater Pittsburgh Orthopaedic Associates in August 2025, exposing 56,954 patients. A possible prior DonutLeaks attack in 2024, a six-month notification delay, and a notification letter that never mentioned ransomware.
28
Insider Threat
18 min read
Operation Zero: How a Trusted Insider Sold America's Most Dangerous Cyber Weapons to Russia
The Peter Williams case exposes the fragile trust at the heart of the zero-day exploit industry — and the new legal weapons the U.S. is deploying in response.
29
Attack Analysis
18 min read
CVE-2025-64328: How a Single FreePBX Bug Handed 900+ Phone Systems to Criminals
INJ3CTOR3 exploited a post-authentication command injection flaw in FreePBX's Endpoint Manager to deploy EncystPHP — a six-stage web shell that survives patching, forges timestamps, and monetizes stolen VoIP access through international toll fraud.
30
ICS
10 min read
CISA Exposes Critical Authentication Failures Across Multiple EV Charging Platforms — CloudCharge, SWTCH, Chargemap, and More
Six EV charging vendors hit in coordinated CISA ICS advisories. CloudCharge scores CVSS 9.4. Systemic OCPP authentication failures expose the global charging ecosystem. None of the vendors responded.
31
Vulnerability
8 min read
The Ghost in the Network: How a Three-Year-Old Zero-Day in Cisco SD-WAN Triggered a Five Eyes Emergency
CVE-2026-20127 carries a CVSS 10.0 and was silently exploited for three years by UAT-8616 before triggering a coordinated Five Eyes emergency response and CISA Emergency Directive 26-03.
32
APT / Espionage
14 min read
Your Spreadsheet Is Their Weapon: How China-Linked UNC2814 Turned Google Sheets Into a Global Spy Network
Google GTIG disrupted UNC2814, a China-linked APT that weaponized Google Sheets as a command-and-control platform to spy on telecoms and governments across 42 countries using the novel GRIDTIDE backdoor.
33
Attack Analysis
12 min read
When AI Goes on the Offensive: The UAE Cyberattack and the New Era of AI-Powered Cyber Warfare
The UAE thwarted a coordinated wave of AI-powered cyberattacks targeting government systems and critical infrastructure, marking what officials called a "qualitative shift" in offensive cyber operations.
34
Threat Intel
20 min read
Starkiller: The Phishing Service That Makes MFA Worthless
A PhaaS platform proxies real login pages in real time through headless Chrome containers, bypassing MFA by relaying the entire authentication flow. Built by the Jinkusu group and sold as a subscription service with analytics and Telegram alerts.
35
Supply Chain
25 min read
Hiding in Plain Pixels: How Attackers Smuggled a RAT Inside PNG Images
A malicious NPM package hid a complete Remote Access Trojan inside the RGB pixel values of ordinary PNG images. Twelve layers of obfuscation, three AMSI bypasses, and a CPU-level evasion technique that leaves no artifacts.
36
Vulnerability
16 min read
CVE-2026-26119: The Windows Admin Center Flaw That Turns a Standard User Into a Domain Admin
A high-severity improper authentication flaw in Windows Admin Center lets a standard user escalate privileges and achieve full Active Directory domain compromise. CVSS 8.8, silently patched in December 2025, publicly disclosed February 2026.
37
Vulnerability
10 min read
CISA Flags Two Roundcube Flaws as Actively Exploited: A Decade-Old RCE Bug, and a Familiar XSS
A critical deserialization flaw that sat undetected in Roundcube’s codebase for over ten years was weaponized within 48 hours of disclosure. CVE-2025-49113 scores 9.9 CVSS. Federal agencies must patch by March 13, 2026.
38
Threat Actor
11 min read
Operation DoppelBrand: How Threat Actor GS7 Is Weaponizing Fortune 500 Brands to Steal Credentials and Sell Remote Access
GS7 has cloned the login portals of Wells Fargo, USAA, Fidelity, Microsoft, and others with 98% visual accuracy — exfiltrating credentials in real time via Telegram and planting RMM tools for persistent access. Over 150 malicious domains in a single wave.
39
Supply Chain
13 min read
Clinejection: How a Single GitHub Issue Title Compromised an AI Coding Tool's Entire Release Pipeline
A prompt injection in a GitHub issue title led to cache poisoning, credential theft, and an unauthorized npm publish that installed OpenClaw on 4,000 developer machines. The full attack chain.
40
Vulnerability
10 min read
Your Admin Console Is the Attack: The Real Story Behind CVE-2026-26119
A privilege escalation flaw in Windows Admin Center lets a standard user inherit Domain Admin rights over the network. CVSS 8.8, patched since December 2025 — but how many WAC instances are still exposed?
41
ICS / OT
12 min read
The File Read That Unlocks a Power Plant: CVE-2025-15577 and the OT Reconnaissance Problem
A zero-authentication path traversal in Valmet DNA Engineering Web Tools hands attackers a free look inside a live industrial control system — configuration files, credentials, network maps.
42
Supply Chain
14 min read
You Didn't Get Hacked. Your Vendor Did. The Conduent Breach and the Hidden Cost of Third-Party Trust
Volvo Group had nothing to do with the Conduent ransomware attack. And yet 16,991 of its employees had their data stolen anyway. The Conduent breach — 25 million Americans affected.
43
Vulnerability
15 min read
Four Trusted VS Code Extensions, 128 Million Installs, and Three Unpatched Critical Flaws
OX Security found critical vulnerabilities in Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. Three remain unpatched after months of silence from maintainers.
44
Patch
14 min read
KB5077181: The Windows 11 Update That Fixes Boot Failures and Creates New Ones
Microsoft's February 2026 Patch Tuesday patches six actively exploited zero-days — but is also triggering infinite boot loops, SENS errors, and DHCP failures on a new set of systems.
45
Malware
12 min read
REMnux v8 and the AI-Driven Malware Analysis Workflow: What Changed and Why It Matters
REMnux v8 ships with an MCP server that connects AI agents directly to 200+ malware analysis tools with practitioner knowledge built in.
46
Vulnerability
14 min read
CVE-2026-2033: MLflow's Artifact Handler Directory Traversal RCE and the Platform's Persistent Path Traversal Problem
A high-severity RCE in MLflow's artifact handler marks at least the tenth path traversal flaw since 2023. The full attack chain and CVE timeline.
47
Attack Surface
16 min read
The Linux Layer Inside Windows: Why WSL Is Becoming a Serious Enterprise Attack Surface
Two new February 2026 CVEs continue a pattern building since 2018. The technical architecture that makes WSL vulnerable and real-world weaponization by threat actors.
48
Threat Intel
14 min read
Ivanti EPMM Zero-Days: Attack Chain Breakdown, Threat Actor Infrastructure, and What Defenders Need to Do Now
Two critical pre-auth RCE zero-days under active exploitation. A single bulletproof hosting IP accounts for 83% of attacks. Confirmed victims include the European Commission.
49
Linux
12 min read
VoidLink: The AI-Built Linux Malware Framework That Knows Your Cloud Better Than You Do
A cloud-native C2 framework with 35+ plugins, three layers of rootkit capability, and adaptive evasion — built by one developer using AI in under a week.
50
Threat Intel
15 min read
Salt Typhoon: Inside the Worst Telecom Hack in U.S. History
Chinese state hackers compromised nine U.S. carriers, breached lawful intercept wiretap systems, and surveilled over a million Americans. Sixteen months later, they may still be inside.
51
Attack Analysis
14 min read
Scattered Spider: Anatomy of the 2025 Attack Chain That Hit Three Industries in 90 Days
How a group of teenage hackers used phone calls, third-party vendor access, and DragonForce ransomware to bring retailers, insurers, and airlines to their knees.
52
Threat Intel
18 min read
When Attackers Build Their Own SIEM: Inside the Campaign That Weaponized Elastic Cloud
A threat actor signed up for an Elastic Cloud free trial and used Kibana to triage stolen data from 216 compromised hosts across 34 organizations — the first documented case of an adversary weaponizing a SIEM for victim management. Storm-2603, SolarWinds WHD, and living off the cloud.