Posts by marktsec

Operation GhostMail: Russian APT Exploits Zimbra XSS to Target Ukraine Government Operation GhostMail uncovers a Russian APT campaign exploiting a Zimbra XSS vulnerability (CVE-2025-66376) to target a Ukrainian government agency via phishing emails and browser-based data exfiltrati...

Operation GhostMail: Russian APT exploits Zimbra Webmail to Target Ukraine State Agency
www.seqrite.com/blog/operati...

1 day ago
RedSun: How Windows Defender's Remediation Became a SYSTEM File Write — nefariousplan.com A technical teardown of the RedSun zero-day — the second Defender escalation in two weeks from the same researcher — grounded in the actual source code.

RedSun: How Windows Defender's Remediation Became a SYSTEM File Write
nefariousplan.com/posts/redsun...

4 days ago
GitHub - Nightmare-Eclipse/RedSun: The Red Sun vulnerability repository The Red Sun vulnerability repository. Contribute to Nightmare-Eclipse/RedSun development by creating an account on GitHub.

The Red Sun vulnerability repository
github.com/Nightmare-Ec...

5 days ago
You’re Driving Me Crazy: Analysing and Detecting BYOVD A deep-dive technical reference for SOC teams and threat hunters covering BYOVD attack analysis and detection.

You’re Driving Me Crazy: Analysing and Detecting BYOVD
ransom-isac.com/blog/analysi...

1 week ago
FrostArmada: Forest Blizzard DNS hijacking A DNS setting change on a single router can quietly reroute an entire network’s authentication traffic. In FrostArmada, Lumen observed Forest Blizzard using that technique ...

A DNS setting change on a single router can quietly reroute an entire network’s authentication traffic.
www.lumen.com/blog-and-new...

1 week ago
Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab An elusive hacker who went by the handle "UNKN" and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimov...

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab
krebsonsecurity.com/2026/04/germ...

2 weeks ago
Attackers Are Hunting High-Impact Node.js Maintainers in a C... Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.

Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign
socket.dev/blog/attacke...

2 weeks ago
GitHub - j3h4ck/PoisonKiller: Another BYOVD process killer. Works on CrowdStrike. Fully signed.

Another BYOVD process killer, fully signed.
github.com/j3h4ck/Poiso...

2 weeks ago
Silent Harvest: Extracting Windows Secrets Under the Radar Once you gain a foothold on a Windows host, the next objective is often to compromise additional machines. The fastest way to achieve this is by harvesting credentials and other secrets for reuse. How...

Silent Harvest: Extracting Windows Secrets Under the Radar
sud0ru.ghost.io/silent-harve...

2 weeks ago
GitHub - andreisss/KslDump: KslDump — Why bring your own knife when Defender already left one in the kitchen?

github.com/andreisss/Ks...

2 weeks ago

Baphomet: Tooling KslDump / KslKatzBOF leverages a Microsoft-signed Defender driver (KslD.sys)
Microsoft patched the active driver, yet left a vulnerable version accessible locally
#ThreatIntel #infosec

2 weeks ago
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors | Google Cloud Blog DarkSword is a new iOS exploit chain that leverages multiple zero-day vulnerabilities to fully compromise iOS devices.

The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
cloud.google.com/blog/topics/...

3 weeks ago
Beast Ransomware Toolkit: A Proactive Threat Intelligence Report Explore our latest threat intelligence report on Beast Ransomware. See the exact incident response tools and TTPs used by operators to bypass EDR and delete backups.

The Beast Returns: Analysis of a Beast Ransomware Server
www.team-cymru.com/post/beast-r...

4 weeks ago
“Say My Name”: How MioLab is building MacOS Stealer Empire As Apple computer’s market share continues to grow, threat actors are increasingly shifting their focus toward MacOS environments.

“Say My Name”: How MioLab is building MacOS Stealer Empire
www.levelblue.com/blogs/spider...
#ThreatIntel #miolab #NovaStealer #Stealer #MAC

1 month ago

Hasta la vista, Hastalamuerte: An Overview of The Gentlemen's TTPs
www.group-ib.com/blog/hastala...

1 month ago
Who is pryx?

Who is pryx?
justpaste.it/whoispryx

1 month ago
Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine Hunt.io investigation uncovered Operation Roundish, an APT28 toolkit used to exploit Roundcube webmail and target Ukrainian government systems. Learn more.

Operation Roundish: Uncovering an APT28 Roundcube Toolkit Used Against Ukrainian Government Targets
hunt.io/blog/operati...

1 month ago
Sednit reloaded: Back in the trenches ESET researchers document how the Sednit APT group has reemerged with a modern toolkit centered on two paired implants – BeardShell and Covenant.

Sednit reloaded: Back in the trenches
The resurgence of one of Russia’s most notorious APT groups
www.welivesecurity.com/en/eset-rese...

1 month ago
Cybersecurity Advisory. Phishing via messaging apps Signal and WhatsApp | AIVD Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants. The Dutch intel...

Cybersecurity Advisory. Phishing via messaging apps Signal and WhatsApp
english.aivd.nl/documents/20...

1 month ago
Unmasking an Attack Chain of MuddyWater | Huntress Huntress has identified and detailed a full timeline of an intrusion in a customer environment that aligns with what others have identified as MuddyWater (Iranian-linked APT).

Clearing the Water: Unmasking an Attack Chain of MuddyWater
www.huntress.com/blog/muddywa...

1 month ago

• Keylogger, clipboard monitoring, system recon
• DNS hijack, PacketFlight network tracking, vuln scanner
• Mass execution + unlimited client management
• AD recon (Domain Controller discovery) for lateral movement

1 month ago

New Atroposia infostealer + remote admin toolkit:
• Encrypted C2 with unique/native stubs (C++/Rust)
• Persistence + automatic UAC bypass + anti-VM evasion
• HVNC + Hidden RDP for invisible remote sessions
• Stealer/Grabber + Chromium/Gecko credential recovery
#ThreatIntel #infosec

1 month ago
Digital Forensics: How Hackers Defeat Microsoft’s 2026 NTLM Patch – Hackers Arise

Digital Forensics: How Hackers Defeat Microsoft’s 2026 NTLM Patch

hackers-arise.com/digital-fore...

1 month ago
Pixel Perfect: Sold Extension Injects Code Through Pixel A Google Lens extension that was sold gets weaponized overnight—stripping browser security headers and using a 1x1 GIF onload trick to execute C2-delivered JavaScript on every page

Pixel Perfect: Sold Extension Injects Code Through Pixel
annex.security/blog/pixel-p...

1 month ago
Tech impersonators: ClickFix and MacOS infostealers | Datadog Security Labs Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers.

Tech impersonators: ClickFix and MacOS infostealers
securitylabs.datadoghq.com/articles/tec...

1 month ago
GitLab Threat Intelligence Team reveals North Korean tradecraft Gain threat intelligence about North Korea’s Contagious Interview and fake IT worker campaigns and learn how GitLab disrupted their operations.

GitLab Threat Intelligence Team reveals North Korean tradecraft
about.gitlab.com/blog/gitlab-...

1 month ago

A shared RaaS affiliate blacklist attributed to Nova, Qilin and DragonForce suggests emerging cartel-style governance in the ransomware ecosystem. Violators get 24h to resolve disputes or face platform wide bans
#ThreatIntel #infosec

2 months ago
Trust Me, I’m a Shortcut Windows’ primary mechanism for shortcuts, LNK files, is frequently abused by threat actors for payload delivery and persistence. This blog post introduces several new LNK file flaws that, amongst other things, allow attackers to fully spoof an LNK’s target. It also introduces lnk-it-up, a tool suite that can generate such deceptive LNK files, as well as detect anomalous ones.

Trust Me, I’m a Shortcut
www.wietzebeukema.nl/blog/trust-m...

2 months ago

Aura Stealer update:
Shift to native x64 builds, citing better crypter support, reduced WoW64 visibility, and improved evasion via direct kernel calls. They claim successful tests with low detection rates.
#ThreatIntel

2 months ago
Digital Forensics: AnyDesk – Favorite Tool of APTs – Hackers Arise

Digital Forensics: AnyDesk – Favorite Tool of APTs
hackers-arise.com/digital-fore...

2 months ago