Skip to main content

Tag: threat actor

39 articles

Dental clinic back office with computer workstation and equipment.

Google's Gemini CLI Exploited in Botnet Operation

A Russian-speaking hacker, known as "bandcampro", cleverly exploited Google's open-source Gemini CLI AI tool to create a small but powerful botnet, taking control of eight systems at a dental clinic and breaching the OpenDental database. The AI tool even helped the hacker troubleshoot problems and optimize operations in real-time, making it a highly effective accomplice in the cyber attack.

Analyst 207
Empty seats and scattered devices in a large public venue's ticketing area.

Multiple Breaches Expose Millions in June

A massive data breach at Madison Square Garden put over 26 million records at risk after a threat actor group, ShinyHunters, made a ransom demand and released the data when it wasn't met. This alarming incident highlights the growing threat of data breaches and the importance of robust cybersecurity measures.

Analyst 207
Dark industrial control room with a lone, open laptop on a metal console.

Armored Likho Exploits Global Targets with BusySnake Stealer

Meet Armored Likho, a sneaky threat actor who's been wreaking havoc globally, exploiting both private individuals and organizations, including government agencies and electric power sectors in Russia, Brazil, and Kazakhstan. With a blend of financially motivated attacks and targeted cyber espionage, Armored Likho is a force to be reckoned with.

Analyst 207
User downloads software from computer in home office, with fake website and zip file in foreground.

ScreenConnect Exploited in Large-Scale Campaign Disguised as Freeware

Cybercriminals have launched a massive campaign disguising a malicious ScreenConnect installer as freeware, tricking users into downloading it from over 90 fake websites in 10 languages. The scam starts with a bogus OBS Studio download that secretly installs the ScreenConnect utility, ultimately delivering a nasty AsyncRAT payload.

Analyst 207
Dimly lit cloud server room with rows of server racks and a single out-of-focus server screen in the foreground.

PCPJack Hijacks Cloud Servers for Covert SMTP Relay Network

Security firm Hunt.io uncovered a sneaky operation where hackers known as PCPJack hijacked cloud servers worldwide, turning them into secret SMTP relays that pumped out spam every five minutes. The stolen servers, found in major cloud platforms like AWS, Google Cloud, and Azure, were quietly converted into spam-spewing machines.

Analyst 207
Laboratory setting with computer workstations, coding terminals, and testing equipment.

Threat Actor Leverages AI to Craft EDR Evasion Tools

Sophos X-Ops stumbled upon a secret laboratory while investigating a routine endpoint alert, uncovering a trove of AI-powered tools designed to sneak past modern EDR agents. The surprising discovery revealed a sophisticated operation using partly AI-generated Python scripts to craft evasive tools.

Analyst 207
Software development workspace with laptop and monitor displaying Git repository interface.

GitHub Tags Exploited to Deploy Credential-Stealing Malware

Malicious actors have manipulated hundreds of GitHub tags to spread credential-stealing malware through popular Laravel Lang localization packages, putting countless users at risk. By rewriting historical tags, attackers tricked Composer installations into downloading the malicious payload.

Analyst 207
Developer workstation with laptop, coding tools, and scattered papers.

GitHub Breach Exposes 3,800 Repositories via Malicious VS Code Extension

GitHub's security chief confirms that customer data remains safe, with no evidence of impact outside of GitHub's internal repositories. The breach originated from a poisoned VS Code extension installed on a compromised employee device, allowing attackers to steal credentials.

Analyst 207
Disarrayed developer workstation with scattered coding tools and crossed-out code.

GitHub Breach Exposes 3,800 Internal Repositories

GitHub has confirmed a significant breach, revealing that hackers made off with approximately 3,800 internal repositories after a developer fell victim to a poisoned VS Code script. Fortunately, the company assures that customer data appears to be safe, and the incident seems to be contained within GitHub's internal systems.

Analyst 207
Cluttered developer workstation with laptop and monitor in bright office setting.

GitHub Hit by Internal Repo Breach via Malicious VS Code Extension

GitHub's internal repositories were breached after a malicious Visual Studio Code extension was used to launch the attack, but thankfully, customer data appears to be safe. The incident has left users wondering what else may have been compromised.

Analyst 207
Developer workstation with laptop, monitor, and coding tools in a modern office space.

GitHub Breach Exposes 3,800 Repos via Malicious VSCode Extension

GitHub recently uncovered a sneaky attack involving a tainted VS Code extension that compromised an employee's device, putting 3,800 repositories at risk. The breach was quickly contained, but not before some internal repositories were exfiltrated.

Analyst 207
Brightly-lit tech office interior with employees at desks and a large window in the background.

GitHub Probes Breach Claim by TeamPCP Hackers

GitHub is investigating a security breach claim by hackers TeamPCP, who allegedly stole around 4,000 of the platform's internal repositories and put the source code up for sale for a hefty $50,000. The company has already sprung into action, detecting and containing the breach and taking steps to mitigate the risk.

Analyst 207
IT manager sits at desk with concerned expression, surrounded by office decor.

Social Engineering Tactics Expose Company's Vulnerability

A simple request from "the boss" was all it took for a threat actor to gain root access to a company's system, exposing a shocking vulnerability in their security - one that was exploited through a clever social engineering tactic. Human IT managers, trying to be helpful, inadvertently handed over the keys to the kingdom.

Analyst 207
Ransomware incident responder sits at desk with laptop and papers, highlighting vulnerability.

Ransomware Negotiator Exposed as Insider for Gang

A shocking case reveals a glaring weakness in ransomware incident response: organizations often put blind trust in single negotiators, leaving them vulnerable to exploitation by attackers. This human error, not a technical bug, can turn a trusted role into a gateway for cybercriminals.

Analyst 207
Cluttered home office workspace with laptop and faint GitHub logo.

GitHub Facades Used to Disguise EtherRAT Malware Distribution

Malicious actors have been using 44 cleverly disguised GitHub facades to spread EtherRAT malware, masquerading as legitimate admin and dev tools between December 2025 and April 2026. These fake repositories were designed to manipulate search results, leading victims to download a malicious MSI installer hidden in a second, secret GitHub account.

Analyst 207
Gaming setup with Minecraft on screen, surrounded by peripherals, with a messy room and blurred laptop screen in the…

LofyGang Revives With Minecraft-Focused LofyStealer Campaign

Meet LofyGang, a notorious threat actor that's back in the game with a sneaky new campaign called LofyStealer, targeting Minecraft fans with malware disguised as a hack called 'Slinky'. This Brazil-based group has a history of infiltrating gaming communities and digital entertainment services.

Analyst 207
Busy airport terminal in Central or South America with laptop on luggage cart.

TGR-STA-1030 Intensifies Espionage Push in Central, South America

The threat group TGR-STA-1030 is ramping up its espionage efforts in Central and South America, with sustained and widespread activity observed across multiple countries since February. This persistent campaign has recently intensified, with a heavy focus on regions within Central and South America.

Analyst 207
Dort Unmasked: Alarming Rise of Kimwolf Botmaster Threat

Dort Unmasked: Alarming Rise of Kimwolf Botmaster Threat

Meet Dort, the mysterious mastermind behind the notorious Kimwolf botnet, a cybercrime powerhouse wreaking havoc on the internet. As the true identity and motives of this elusive threat actor remain shrouded in mystery, one thing is certain: their malicious activities have sent shockwaves through the cybersecurity landscape.

Analyst 207
BeaverTail and OtterCookie: Stunning Critical Threat

BeaverTail and OtterCookie: Stunning Critical Threat

Cisco Talos warns a North Korean group is fusing BeaverTail’s credential-theft with OtterCookie’s browser persistence into single, stealthier JavaScript malware that’s harder to spot — defenders should start hunting for blended behaviors and tighten basics like MFA, patching, and anomaly detection now.

Analyst 207
Rhysida ransomware: Stunningly Dangerous Threat

Rhysida ransomware: Stunningly Dangerous Threat

Microsoft revoked more than 200 fraudulent certificates after attackers used fake Teams installers to deliver the Oyster backdoor and Rhysida ransomware — a reminder that even seemingly trusted files can be malicious. Treat unexpected downloads with suspicion, enforce layered defenses, and prioritize timely revocation and certificate hygiene to stay safer.

Analyst 207
cloud backup service Risky Breach: Must-Have Fixes

cloud backup service Risky Breach: Must-Have Fixes

SonicWall says attackers accessed cloud backup files holding encrypted firewall credentials and configs — turning the safety net meant to speed recovery into a potential roadmap for targeted attacks. If you used their Cloud Backup, assume exposure: rotate keys and credentials, review firewall and VPN access, and verify your backups and key management now.

Analyst 207
SnakeDisk worm: Stunning Risky Thai-Targeted Threat

SnakeDisk worm: Stunning Risky Thai-Targeted Threat

A China-aligned group called Mustang Panda has paired an updated TONESHELL backdoor with a USB worm named SnakeDisk that only activates for Thailand-based devices to drop a persistent Yokai backdoor — a surgical, geographically targeted campaign that ups the stakes for anyone who plugs in removable media. Stay cautious with USB drives and tighten removable-media policies: this is a reminder that one careless plug can invite long-term access.

Analyst 207
AI-powered operations: Stunning Exposure, Defender Win

AI-powered operations: Stunning Exposure, Defender Win

An attacker’s bid for stealth backfired when legitimate security software exposed their AI‑assisted playbook — Huntress telemetry captured model‑like artifacts that turned a covert campaign into a forensic treasure trove, proving AI speeds attacks but also leaves telltale traces defenders can use.

Analyst 207
signed Windows kernel driver: Stunning Risky Backdoor

signed Windows kernel driver: Stunning Risky Backdoor

When a Microsoft‑signed WatchDog driver (amsdk.sys) was abused to neuter endpoint defenses and plant ValleyRAT, it proved that a valid signature isn’t a guarantee of safety. This Silver Fox campaign underscores why organizations must stop trusting signatures alone and add behavior‑based controls and tighter vetting for privileged drivers.

Analyst 207