

Security & IT News

Live

Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

🔴 Breach · The Hacker News · 62d ago
Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale. Cisco Talos has attributed the operation to a threat cluster it tracks as

🔬 Analysis · Schneier on Security · 62d ago
US Bans All Foreign-Made Consumer Routers

This is for new routers; you don’t have to throw away your existing ones:

The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and (2) pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”

More information:

Any new router made outside the US will now need to be approved by the FCC before it can be imported, marketed, or sold in the country. In order to get that approval, companies manufacturing routers outside the US must apply for conditional approval in a process that will require the disclosure of the firm’s foreign investors or influence, as well as a plan to bring the manufacturing of the routers to the US. Certain routers may be exempted from the list if they are deemed acceptable by the Department of Defense or the Department of Homeland Security, the FCC said. Neither agency has yet added any specific routers to its list of equipment exceptions. […] Popular brands of router in the US include Netgear, a US company, which manufactures all of its products abroad. One exception to the general absence of US-made routers is the newer Starlink WiFi router. Starlink is part of Elon Musk’s company SpaceX.

Presumably US companies will start making home routers, if they think this policy is stable enough to plan around. But they will be more expensive than routers made in China or Taiwan. Security is never free, but policy determines who pays for it.

🩹 Patch · Microsoft Security · 62d ago
Threat actor abuse of AI accelerates from tool to cyberattack surface

For the last year, one word has represented the conversation living at the intersection of AI and cybersecurity: speed. Speed matters, but it’s not the most important shift we are observing across the threat landscape today. Now, threat actors from nation states to cybercrime groups are embedding AI into how they plan, refine, and sustain cyberattacks. The objectives haven’t changed, but the tempo, iteration, and scale of generative AI enabled attacks are certainly upgrading them.

However, like defenders, there is typically a human-in-the-loop still powering these attacks, and not fully autonomous or agentic AI running campaigns. AI is reducing friction across the attack lifecycle; helping threat actors research faster, write better lures, vibe code malware, and triage stolen data. The security leaders I spoke with at RSAC™ 2026 Conference this week are prioritizing resources and strategy shifts to get ahead of this critical progression across the threat landscape.

The operational reality: Embedded, not emerging

The scale of what we are tracking makes the scope impossible to dismiss. Threat activity spans every region. The United States alone represents nearly 25% of observed activity, followed by the United Kingdom, Israel, and Germany. That volume reflects economic and geopolitical realities. [1] But the bigger shift is not geographic, it’s operational. Threat actors are embedding AI into how they work across reconnaissance, malware development, and post-compromise operations. Objectives like credential theft, financial gain, and espionage might look familiar, but the precision, persistence, and scale behind them have changed.

Email is still the fastest inroad

Email remains the fastest and cheapest path to initial access. What has changed is the level of refinement that AI enables in crafting the message that gets someone to click. When AI is embedded into phishing operations, we are seeing click-through rates reach 54%, compared to roughly 12% for more traditional campaigns. That is a 450% increase in effectiveness. That’s not the result of increased volume, but the result of improved precision. AI is helping threat actors localize content and adapt messaging to specific roles, reducing the friction in crafting a lure that converts into access. When you combine that improved effectiveness with infrastructure designed to bypass multifactor authentication (MFA), the result is phishing operations that are more resilient, more targeted, and significantly harder to defend at scale. A 450% increase in click-through rates changes the risk calculus for every organization. It also signals that AI is not just being used to do more of the same, it is being used to do it better.

Tycoon2FA: What industrial-scale cybercrime looks like

Tycoon2FA is an example of how the actor we track as Storm-1747 shifted toward refinement and resilience. Understanding how it operated teaches us where threats migh

🩹 Patch · Microsoft Security · 62d ago
Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments

Threat actors are increasingly abusing HTTP cookies as a control channel for PHP-based webshells on Linux servers. Instead of exposing command execution through URL parameters or request bodies, these webshells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality. This approach reduces visibility by allowing malicious code to remain dormant during normal application behavior and execute only when specific cookie conditions are met. This technique has been observed across multiple execution contexts, including web requests, scheduled tasks, and trusted background workers. The consistent use of cookies as a control mechanism suggests reuse of established webshell tradecraft. By shifting control logic into cookies, threat actors enable persistent post-compromise access that can evade many traditional inspection and logging controls.

Cookie-controlled execution behavior

Across the activity analyzed, HTTP cookies acted as the primary trigger for malicious execution. Instead of exposing functionality through visible URL parameters or request bodies, the webshell logic remained dormant unless specific cookie values were present. Only when those conditions were satisfied did the script reconstruct and execute threat actor–controlled behavior. Threat actors likely prefer this approach because cookies blend into normal web traffic and often receive less scrutiny than request paths or payloads. In PHP, cookie values are immediately available at runtime, for example through the $_COOKIE superglobal, allowing malicious code to consume attacker-supplied input without additional parsing. By shifting execution control into cookies, the webshell can remain hidden in normal traffic, activating only during deliberate interactions. This reduces routine logging and inspection visibility while enabling persistent access without frequent changes to files on disk.

Observed variants of cookie-controlled PHP web shells

Although the core technique remained consistent across incidents, the PHP implementations varied in structure and complexity. The following examples illustrate how attackers adapted the same cookie-controlled execution model across different environments.

Loader with execution gating and layered obfuscation

One observed implementation introduced an additional execution gate before processing any cookie input. The loader first evaluated request context and reconstructed core PHP functions dynamically using arithmetic operations and string manipulation. Sensitive function names were intentionally absent in cleartext, significantly reducing obvious indicators and complicating pattern-based dete

🩹 Patch · The Hacker News · 62d ago
Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise

Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges. The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0. "This

🔴 Breach · SANS ISC · 62d ago
Attempts to Exploit Exposed "Vite" Installs (CVE-2025-30208), (Thu, Apr 2nd)

From its GitHub repo: Vite (French word for quick, pronounced /viːt/, like veet) is a new breed of frontend build tooling that significantly improves the frontend development experience [https://github.com/vitejs/vite]. This environment introduces some neat and useful shortcuts to make developers' lives simpler. But as so often, if exposed, these features can be turned against you. Today, I noticed our honeypots collecting URLs like:

/@fs/../../../../../etc/environment?raw??
/@fs/etc/environment?raw??
/@fs/home/app/.aws/credentials?raw??

and many more like it. The common denominator is the prefix /@fs/ and the ending '?raw??'. This pattern matches CVE-2025-30208, a vulnerability in Vite described by Offsec.com in July last year [https://www.offsec.com/blog/cve-2025-30208/]. The '@fs' feature is a Vite prefix for retrieving files from the server. To protect the server's file system, Vite implements configuration directives to restrict access to specific directories. However, the '??raw?' suffix can be used to bypass the access list and download arbitrary files. Scanning activity on port 5173 is quite low, and the attacks we have seen use standard web server ports. Vite is typically listening on port 5173. It should be installed such that it is only reachable via localhost, but apparently, at least attackers believe that it is often exposed. The attacks we are seeing are attempting to retrieve various well-known configuration files, likely to extract secrets.

-- Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Vulnerability · Rapid7 · 62d ago
New Whitepaper: Stealthy BPFDoor Variants are a Needle That Looks Like Hay

Executive Overview

Advanced persistent threats (APTs) are constantly and consistently changing tactics as network defenders plug holes in defenses. Static indicators of compromise (IoCs) for the BPFDoor have been widely deployed, forcing threat actors to get creative in their use of this particular strain of malware. What they came up with is ingenious. New research from Rapid7 Labs has uncovered undocumented features leading to the discovery of 7 new BPFDoor variants: a stealthy kernel-level backdoor that uses Berkeley Packet Filters (BPFs) to inspect traffic from right inside the operating system kernel. This essentially creates a silent trapdoor that can be activated by a threat actor once a “magic packet” is tunneled via stateless protocols. The malware is then able to perfectly blend into the target environment, establishing nearly undetectable persistence in global telecom infrastructure.

Our latest research continues the narrative established in our blog BPFdoor in Telecom Networks: Sleeper Cells in the Backbone. It involves the analysis of nearly 300 samples and identifies two primary new variants: httpShell and icmpShell. These variants represent a significant leap in operational security, utilizing stateless C2 routing and ICMP relay to bypass multi-million dollar security stacks.

Rapid7 detection and response strategy:

Rapid7 is actively tracking these variants to ensure our customers remain protected against this evolving threat through the following:

Intelligence Hub: Customers with access to Rapid7’s Intelligence Hub are receiving continuous updates, including the latest intelligence, YARA rules, and Suricata detection rulesets.

Actionable guidance: We have released a specialized triage script (rapid7_bpfdoor_check.sh) designed to identify both legacy and modern BPFDoor variants by inspecting active BPF filters and validating masqueraded processes.

Detection engineering: Our detection strategy focuses on structural header anomalies, such as hardcoded ICMP sequence numbers and invalid protocol codes, rather than transient payload content.

The strategic shift: Beyond legacy stealth

While BPFDoor has been active for years, its codebase has evolved significantly. The threat actor continues to incorporate minor features into the original codebase leaked in 2022, resulting in a "messy" but effective toolkit designed to hinder threat hunting. Given the significant code overlap among BPFDoor variants, we focused on the minor, easily overlooked details the TA (threat actor) added to the leaked codebase.

From memory to disk

Historically, BPFDoor was known for appearing "fileless" by executing from /dev/shm and deleting itself. However, modern endpoint detection and response (EDR) tools now flag processes running from deleted inodes in temporary filesystems. Recognizing this, the developers of the httpShell variant have eliminated the /dev/shm drop. The malware now resides on disk, using a single, hard-coded process name to blend in as a no