Halcyon and Beazley Security track the return of Iranian ransomware group Pay2Key
Security & IT News
Live: real-time news from 13+ trusted sources, including BleepingComputer, The Hacker News, Krebs on Security, Dark Reading and more.
The National Crime Agency has warned construction firms about surging invoice fraud
Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively bypassing security controls. "Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data," Sansec said in a report published this week. The attack,
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
LiteLLM, an open source AI project used by millions, was infected by credential-harvesting malware.
GitHub is adopting AI-based scanning for its Code Security tool to expand vulnerability detections beyond the CodeQL static analysis and cover more languages and frameworks. [...]
Attacks leveraging the 'PolyShell' vulnerability in version 2 of Magento Open Source and Adobe Commerce installations are underway, targeting more than half of all vulnerable stores. [...]
Apple released the next versions of its operating systems, patching 85 different vulnerabilities across all of them. None of the vulnerabilities are currently being exploited. The last three macOS generations are covered, as are the last two versions of iOS/iPadOS. For tvOS, watchOS, and visionOS, only the current version received patches. This update also includes the recently released Background Security Improvements. Some older watchOS versions received updates, but these updates do not address any security issues.

Updated releases:
- iOS 26.4 and iPadOS 26.4
- iOS 18.7.7 and iPadOS 18.7.7
- macOS Tahoe 26.4
- macOS Sequoia 15.7.5
- macOS Sonoma 14.8.5
- tvOS 26.4
- watchOS 26.4
- visionOS 26.4
- Safari 26.4
- Xcode 26.4

Selected vulnerabilities addressed (affected component in parentheses):
- CVE-2025-43376: A remote attacker may be able to view leaked DNS queries with Private Relay turned on. (WebKit)
- CVE-2025-43534: A user with physical access to an iOS device may be able to bypass Activation Lock. (iTunes Store)
- CVE-2026-20607: An app may be able to access protected user data. (libxpc)
- CVE-2026-20631: A user may be able to elevate privileges. (PackageKit)
- CVE-2026-20632: An app may be able to access sensitive user data. (Music)
- CVE-2026-20633: An app may be able to access user-sensitive data. (Archive Utility)
- CVE-2026-20637: An app may be able to cause unexpected system termination. (AppleKeyStore)
- CVE-2026-20639: Processing a maliciously crafted string may lead to heap corruption. (configd)
- CVE-2026-20643: Processing maliciously crafted web content may bypass Same Origin Policy. (WebKit)
- CVE-2026-20651: An app may be able to access sensitive user data. (Messages)
- CVE-2026-20657: Parsing a maliciously crafted file may lead to an unexpected app termination. (Vision)
- CVE-2026-20660: A remote user may be able to write arbitrary files. (CFNetwork)
- CVE-2026-20665: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. (WebKit)
- CVE-2026-20668: An app may be able to access sensitive user data. (Focus)
- CVE-2026-20684: An app may bypass Gatekeeper checks. (AppleScript)
- CVE-2026-20687: An app may be able to cause unexpected system termination or write kernel memory. (Kernel)
- CVE-2026-20688: An app may be able to break out of its sandbox. (Printing)
- CVE-2026-20690: Processing an audio stream in a maliciously crafted media file may terminate the process. (CoreMedia)
- CVE-2026-20691: A maliciously crafted webpage may be able to fingerprint the user. (WebKit Sandboxing)
- CVE-2026-20692: Hide IP Address and Block All Remote Content may not apply to all mail content. (Mail)
- CVE-2026-20693: An attacker with root privileges may be able to delete protected system files. (PackageKit)
- CVE-2026-20694: An app may be able to access user-sensitive data. (MigrationKit)
The spyware founder's comments are the most direct suggestion yet from anyone inside Intellexa that the Mitsotakis government authorized the hacking of dozens of phones belonging to senior Greek government ministers, opposition leaders, military officials, and journalists.
Mirai malware evolves into hundreds of variants, driving botnet growth, including Aisuru and KimWolf, powering large-scale attacks, and increasing risks to vulnerable IoT devices worldwide.
Threat actors are evading phishing detection in campaigns targeting Microsoft accounts by abusing the no-code app-building platform Bubble to generate and host malicious web apps. [...]
A new info-stealing malware called Torg Grabber is stealing sensitive data from 850 browser extensions, more than 700 of them for cryptocurrency wallets. [...]
Introduction

This diary provides indicators from the SmartApeSG (ZPHP, HANEYMANEY) campaign I saw on Tuesday, 2026-03-24. SmartApeSG is one of many campaigns that use the ClickFix technique. This past week, I've seen NetSupport RAT as follow-up malware from Remcos RAT pushed by this campaign. But this time, I also saw indicators for StealC malware and Sectop RAT (ArechClient2) after NetSupport RAT appeared on my infected lab host. Not all of the follow-up malware appears shortly after the initial Remcos RAT malware.

Here's the timeline for malware from my SmartApeSG activity on Tuesday 2026-03-24:
- 17:11 UTC - Ran ClickFix script from SmartApeSG fake CAPTCHA page
- 17:12 UTC - Remcos RAT post-infection traffic starts
- 17:16 UTC - NetSupport RAT post-infection traffic starts
- 18:18 UTC - StealC post-infection traffic starts
- 19:36 UTC - Sectop RAT post-infection traffic starts

While the NetSupport RAT activity happened approximately 4 minutes after the Remcos RAT activity, the StealC traffic didn't happen until approximately 1 hour after the NetSupport RAT activity started. And the traffic for Sectop RAT happened approximately 1 hour and 18 minutes after the StealC activity started.

Images from the infection

Image: Page from a legitimate but compromised website with injected script for the fake CAPTCHA page.
Image: Fake CAPTCHA page with ClickFix instructions. This image shows the malicious script injected into a user's clipboard.
Image: Traffic from the infection filtered in Wireshark.

Indicators of Compromise

Associated domains and IP addresses:
- fresicrto[.]top - Domain for server hosting fake CAPTCHA page
- urotypos[.]com - Called by ClickFix instructions, this domain is for a server hosting the initial malware
- 95.142.45[.]231:443 - Remcos RAT C2 server
- 185.163.47[.]220:443 - NetSupport RAT C2 server
- 89.46.38[.]100:80 - StealC C2 server
- 195.85.115[.]11:9000 - Sectop RAT (ArechClient2) C2 server

Example of HTA file retrieved by ClickFix script:
- SHA256 hash: 212d8007a7ce374d38949cf54d80133bd69338131670282008940f1995d7a720
- File size: 47,714 bytes
- File type: HTML document text, ASCII text, with very long lines (6272)
- Retrieved from: hxxps[:]//urotypos[.]com/cd/temp
- Saved location: C:\Users\[username]\AppData\Local\post.hta
- Note: ClickFix script deletes the file after retrieving and running it

Example of ZIP archive for Remcos RAT retrieved by the above HTA file:
- SHA256 hash: a6a748c0606fb9600fdf04763523b7da20b382b054b875fdd1ef1c36fc16079a
- File size: 85,328,653 bytes
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- Retrieved from: hxxps[:]//urotypos[.]com/ls/production
- Saved location: C:\Users\[username]\AppData\Local\361118191\361118191.pdf

ZIP archive containing NetSupport RAT package:
- SHA256 hash: 6e26ff49387088178319e116700b123d27216d98ba3ae1ce492544cb9acd38f0
- File size: 9,171,647 bytes
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File name: UpdateIn
The alleged administrator of the LeakBase cybercrime forum has been arrested by Russian law enforcement authorities, state media reported Thursday. According to TASS and MVD Media, a news website linked to the Russian Interior Ministry, the suspect is a resident of the city of Taganrog. The suspect is said to have been detained for creating and managing a criminal site that allowed stolen
The FCC has officially added foreign-made consumer routers to its restricted Covered List, citing major cybersecurity risks. Find out what it means for your current devices.
Russian state-owned media reported that police in Russia arrested the administrator of LeakBase, a large hacking forum.
Cloud Android phones fuel financial fraud, evading detection and enabling dropper accounts
Identity attacks no longer hinge on who a cyberattacker compromises, but on what that identity can access. As organizations manage growing numbers of human, non-human, and agentic identities, their access fabric multiplies across apps, resources, and environments, which increases both operational complexity for identity teams and risk exposure for security teams.

The challenge isn’t just scale, it’s fragmentation. From our latest Secure Access report, research shows that 32% of organizations say their access management solutions are duplicative, and 40% say they have too many different vendors. That fragmentation across security vendors makes it harder to maintain consistent access controls and correlate risk across identities. When risk is distributed across dozens of disconnected accounts and permissions, visibility fragments and blind spots emerge—creating ideal conditions for cyberattackers to move laterally without detection.

Securing identity in this reality requires more than incremental improvements. It calls for a shift from fragmented controls to an integrated, end-to-end approach that treats identity as a shared control plane that is informed by a continuous, foundational security signal.

Why fragmentation fails—and what must replace it

With the traditional model of identity security—built on siloed directories, disconnected access policies, and bolt-on threat detection—cyberattackers don’t have to break defenses, they just move between them. Permissions go uncorrelated, access policies drift as environments evolve, and lateral movement hides in the gaps.

For defenders, this creates a dangerous imbalance. Identity signals flood the security operations center (SOC) without the context to act, while identity teams enforce access without visibility into active cyberthreats. Risk accumulates across systems, but responsibility—and insight—remains fragmented.

Fixing this doesn’t require more alerts or point solutions. It requires an integrated fabric that brings together all of the identities, access, and signals. A modern identity security solution must unify three critical layers:

The identity infrastructure: The systems and services that underpin every access decision. This includes the identity provider, authentication services, single sign-on (SSO), user and group management, and the systems that establish and maintain trust across the enterprise. Without this foundation, there is no authoritative source of truth for who an identity is, what it can access, or how it should be governed. It’s the layer many security vendors lack—and the one Microsoft delivers at global scale.

The identity control plane: Where privileged identity management and access decisions are enforced in real time, based on dynamic risk signals, behavioral context, and policy intent. This is where identity and security converge to adapt access as
Citrix has patched two NetScaler ADC and NetScaler Gateway vulnerabilities, one of which is very similar to the CitrixBleed and CitrixBleed2 flaws exploited in zero-day attacks in recent years. [...]
Cybersecurity company’s annual report warns of a “mass-marketed impersonation crisis” as attackers abuse legitimate credentials