OverResearched Intelligence
Structured cyber threat intelligence generated by the CognitiveCTI pipeline. Daily briefs, weekly summaries, monthly landscapes, and bespoke analyses delivered as static, machine-readable content with full RSS support.
-
CTI Daily Brief: 2026-06-12 - Critical OpenSSL CMS/PKCS7 cluster, Vim Python RCE, and ShadowByt3$ ransomware spree
Four critical CVEs dominate the day: a Bleichenbacher oracle in OpenSSL CMS_decrypt(), a heap UAF in PKCS7_verify(), and two Vim Python omni-completion code-execution flaws. ShadowByt3$ ransomware breaches eight high-profile victims...
-
CTI Daily Brief: 2026-06-11 - CISA KEV adds CVE-2026-10520 Ivanti Sentry and CVE-2026-35273 Oracle PeopleSoft under active exploitation; phpBB decade-old auth bypass; 400+ Arch Linux packages backdoored
Two CISA KEV additions under active exploitation (Ivanti Sentry, Oracle PeopleSoft), a critical decade-old phpBB auth bypass, an Arch Linux AUR supply-chain compromise distributing an eBPF rootkit and infostealer, and...
-
CTI Daily Brief: 2026-06-10 — CISA BOD 26-04 mandates 3-day KEV patching; Langflow CVE-2026-5027 exploited in the wild; ShinyHunters claims University of Nottingham PeopleSoft breach
CISA Binding Operational Directive 26-04 shortens federal KEV-patching timelines to three days. Critical hard-coded credentials disclosed in Yarbo IoT robots (CVE-2026-10557, CVSS 9.8). Path traversal CVE-2026-5027 in AI dev platform...
-
CTI Monthly Report: May 2026 - Qilin-linked Check Point VPN zero-day, record 200-flaw Microsoft Patch Tuesday, ShinyHunters PeopleSoft mass extortion, Miasma/Shai-Hulud supply-chain wave
May 2026 monthly threat intelligence report: 2,621 reports across 50 correlation batches. Headlines include actively exploited Check Point VPN auth bypass (CVE-2026-50751) tied to Qilin affiliates; record-volume Microsoft June Patch...
-
CTI Daily Brief: 2026-06-10 - Record Microsoft Patch Tuesday, Ivanti Sentry CVE-2026-10520 (CVSS 10), Exchange & Netlogon Zero-Days Under Active Exploitation
Microsoft ships its largest-ever Patch Tuesday (206 CVEs, six zero-days including actively-exploited CVE-2026-41091 Defender EoP and CVE-2026-42897 Exchange XSS); Ivanti Sentry hit by maximum-severity unauth RCE chain; Windows Netlogon CVE-2026-41089...
-
CTI Daily Brief: 2026-06-08 - Chrome V8 zero-day exploited in the wild; Shai-Hulud PyPI supply-chain wave; Termite/Qilin ransomware sustained activity
66 reports processed across 1 correlation cycle. Headlines: actively exploited Chrome V8 zero-day (CVE-2026-11645), 19 trojanised PyPI packages in a new Shai-Hulud wave, NFCShare Android banking malware on GitHub, MS...
-
CTI Daily Brief: 2026-06-07 — Qilin Exploits Check Point VPN Zero-Day; Critical Gogs & UniFi RCE Chains; TeamPCP Supply-Chain Worms Hit npm After CISA KEV Listing
52 reports across 10 sources. Qilin ransomware tied to Check Point VPN zero-day (CVE-2026-50751); unauthenticated UniFi OS root chain (CVE-2026-34908/9/10); Gogs argument-injection RCE; TeamPCP Mini Shai-Hulud framework seeds Miasma/Phantom Gyp...
-
CTI Weekly Brief: 2026-06-01 to 2026-06-07 - npm Supply-Chain Worm, Cisco/Acer Zero-Days, Silent Ransom Callback Phishing
Weekly threat intelligence summary covering 469 reports across 15 sources: TeamPCP's Miasma worm hits @redhat-cloud-services npm packages, Acer Wave 7 max-severity zero-days, Cisco Unified CM PoC, actively-exploited Android and WordPress...
-
CTI Daily Brief: 2026-06-06 - Silent Ransom Group targets U.S. law firms; BlackByte Crux ransomware hits professional services; C0XMO botnet exploits DD-WRT routers
21 reports across 5 sources. Silent Ransom Group (UNC3753/Luna Moth) escalates social-engineering attacks against U.S. law firms via callback phishing; BlackByte affiliate Crux ransomware claims Quanticate; C0XMO botnet weaponises CVE-2021-27137...
-
CTI Daily Brief: 2026-06-05 - Everest Forms Pro RCE (CVE-2026-3300) actively exploited; Coinbase Cartel issues $200M demand
Active in-the-wild exploitation of CVE-2026-3300 (Everest Forms Pro) creating rogue WordPress admins. Coinbase Cartel posts Cambridge Mobile Telematics ($200M) and Demand.io. Krybit, Nova, Inc Ransom, Genesis, Play, and Blackwater continue...
-
CTI Daily Brief: 2026-06-04 — PAN-OS CVE-2026-0257 in-the-wild, CISA KEV adds SolarWinds Serv-U, Cisco SD-WAN zero-day, Chinese UNC5221 Brickstorm
Unit 42 confirms active exploitation of PAN-OS GlobalProtect (CVE-2026-0257); CISA KEV adds SolarWinds Serv-U CVE-2026-28318; Cisco warns of unpatched SD-WAN Manager zero-day CVE-2026-20245; Chinese APT UNC5221 (VerdantBamboo) maintains 18-month access...
-
CTI Daily Brief: 2026-06-03 — Cisco Unified CM PoC, npm supply-chain worms, CISA ATG advisory
Cisco Unified CM critical SSRF with public PoC, Miasma worm hits Red Hat npm scope, IronWorm targets 36 packages, ShinyHunters leaks 2.6M DentaQuest records, CISA warns on fuel tank monitoring...
-
CTI Daily Brief: 2026-06-02 - Acer Wave 7 router zero-days, VS Code GitHub token theft, Kirki WordPress in-the-wild exploitation, CISA KEV adds Mirasvit/Android/Linux flaws
140 reports processed; 15 critical and 72 high-severity items led by Acer Wave 7 router zero-days, an unpatched VS Code GitHub token-theft exploit, active exploitation of the Kirki WordPress plugin...
-
CTI Daily Brief: 2026-06-01 — Android Zero-Day CVE-2025-48595 Under Active Exploitation, CISA Adds Oracle WebLogic CVE-2024-21182 to KEV, Mini Shai-Hulud Hits Red Hat npm
Google patches an actively exploited Android Framework zero-day; CISA adds a two-year-old Oracle WebLogic flaw to KEV; a Mini Shai-Hulud variant (Miasma) compromises 32 @redhat-cloud-services npm packages; Gamaredon and Turla...
-
CTI Weekly Brief: 25–31 May 2026 — TeamPCP supply-chain campaign breaches GitHub, WordPress and Gogs zero-days under exploitation, Mbed TLS / GnuTLS critical batch
Weekly summary of 695 ingested reports (36 critical, 287 high). TeamPCP supply-chain operation reached GitHub's internal codebase and trojanised Microsoft's durabletask SDK; CVE-2026-8732 in WP Maps Pro is being actively...
-
CTI Daily Brief: 2026-05-30 — WP Maps Pro CVE-2026-8732 actively exploited; cryptographic library CVE cluster (Mbed TLS, GnuTLS, OpenSC); Gunra and Genesis ransomware activity
53 reports processed. WP Maps Pro plugin (CVE-2026-8732) exploited in the wild with 3,600+ blocked attempts in 24h; six critical CVEs landed across cryptographic libraries (Mbed TLS, GnuTLS, libsolv, bzip2,...
-
CTI Daily Brief: 2026-05-24 - Qilin, Inc Ransom, Stormous and Nova Drive Ransomware Surge; Brazilian State Agency Hit
Eight new ransomware victim disclosures dominate the 24-hour window: Qilin lists four targets, Inc Ransom posts Meirc, Stormous publishes a 40GB vspsolutions.com.au dump, and Nova (RALord rebrand) leaks the Brazilian...
-
CTI Weekly Brief: 2026-05-18 to 2026-05-24 - Actively-exploited Defender, Apex One and BitLocker zero-days; Drupal and Ghost CMS mass exploitation; Shai-Hulud npm wave continues
577 reports processed: 47 critical and 333 high. Microsoft Defender, Trend Micro Apex One, Windows BitLocker (YellowKey) and Drupal under active exploitation. Cisco Secure Workload, Ubiquiti UniFi OS and ChromaDB...
-
CTI Daily Brief: 2026-05-23 - The Gentlemen ransomware sweeps 8 organisations; Laravel Lang supply-chain attack drops credential stealer; ShinyHunters extort 7-Eleven (185k records)
The Gentlemen ransomware group claimed 8 fresh victims across Japan, Ireland, Turkey, Poland, Austria, the US, France and Argentina in a single 24-hour burst. A separate supply-chain compromise rewrote GitHub...
-
CTI Daily Brief: 2026-05-22 - Apache.NMS.AMQP unauthenticated RCE; BIND 9 / Rsync / DNSCrypt critical drop; ShinyHunters and Inc Ransom continue extortion sprees
51 reports across 8 sources. Eight critical CVEs led by an unauthenticated RCE in Apache.NMS.AMQP and a large Microsoft / upstream BIND 9, Rsync, DNSCrypt, DNSSEC patch wave. ShinyHunters keep...
-
CTI Daily Brief: 2026-05-21 - Kimwolf botmaster arrested, Qilin RaaS spree, AI-jailbroken 'Patriot Bait' influence op exposed
12 reports across 6 sources. Law enforcement arrest of Kimwolf IoT botmaster Dort; Qilin RaaS posts three new victims; Trend Micro exposes AI-assisted 'Patriot Bait' influence and fraud campaign using...
-
CTI Daily Brief: 2026-05-20 - In-the-wild exploitation of SonicWall CVE-2024-12802; Ukraine takedown of 28k-account infostealer operator; Qilin RaaS persistence
Ten reports across six sources covering confirmed in-the-wild exploitation of SonicWall CVE-2024-12802 for MFA bypass, a Ukrainian/U.S. joint takedown of an 18-year-old infostealer operator linked to 28,000 stolen accounts, continued...
-
CTI Daily Brief: 2026-05-19 - ChromaDB max-severity RCE, GitHub breach claimed by TeamPCP, Microsoft seizes Fox Tempest malware-signing service
Critical unauthenticated RCE in ChromaDB (CVE-2026-45829) impacts the AI vector-database ecosystem. TeamPCP claims theft of ~4,000 internal GitHub repositories. Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service tied to Rhysida, Akira, INC...
-
CTI Daily Brief: 2026-05-18 - Suspected npm/PyPI Supply Chain Wave, CISA GovCloud Credential Leak, SHub Reaper macOS Infostealer
Suspected large-scale npm/PyPI supply chain campaign tracked by Upwind alongside TeamPCP Mini Shai-Hulud activity; CISA contractor exposes AWS GovCloud credentials on public GitHub; SHub 'Reaper' macOS infostealer spoofs Apple security...
-
CTI Weekly Brief: 11 to 17 May 2026 - Actively exploited Cisco SD-WAN zero-day, npm supply-chain worm hits TanStack/UiPath, Windows BitLocker and MiniPlasma zero-days, and a Qilin/Chaos/Stormous RaaS surge
CISA-mandated emergency patching of Cisco SD-WAN CVE-2026-20182; coordinated npm/PyPI supply-chain compromises (TanStack, UiPath, Mistral, node-ipc) by TeamPCP and a separate maintainer-account hijack; unpatched Windows MiniPlasma SYSTEM and BitLocker bypass PoCs...
-
CTI Daily Brief: 2026-05-17 - Unpatched Windows MiniPlasma zero-day grants SYSTEM; Chaos and Qilin RaaS dominate ransomware activity
An unpatched Windows privilege escalation zero-day (MiniPlasma) with a public PoC anchors a high-severity day dominated by Chaos and Qilin Ransomware-as-a-Service activity; Pwn2Own Berlin 2026 closed with 47 fresh zero-days...
-
CTI Daily Brief: 2026-05-16 - Qilin hits Argentine medical centre; Beast and Lamashtu RaaS expand victim sets
Five reports in 24h dominated by RaaS activity: Qilin posts a healthcare victim, Beast and Lamashtu add new entries, and Microsoft rejects a critical Azure Backup for AKS privilege-escalation report...
-
CTI Daily Brief: 2026-05-15 - PostgreSQL Critical Patch Cluster, Secret Blizzard Kazuar P2P Botnet, Sustained Qilin/DragonForce Ransomware Spree
Five critical PostgreSQL/libyang CVEs published, Russian FSB-linked Secret Blizzard upgrades Kazuar into modular P2P botnet, and Qilin, DragonForce, Exitium and Coinbase Cartel continue high-tempo ransomware operations against healthcare, engineering and...
-
CTI Daily Brief: 2026-05-14 - Cisco SD-WAN Zero-Day Added to CISA KEV; WordPress Burst Statistics Auth Bypass Under Mass Exploitation; TanStack Supply Chain Hits Mistral and OpenAI
Two critical vulnerabilities under active exploitation (Cisco Catalyst SD-WAN CVE-2026-20182 added to CISA KEV; Burst Statistics WordPress plugin CVE-2026-8181 with 7,400+ blocked attacks in 24h), TanStack npm supply chain campaign...
-
CTI Daily Brief: 2026-05-13 — Cisco SD-WAN ITW exploitation by UAT-8616, node-ipc supply chain compromise, 18-year NGINX RCE
65 reports across 18 sources: active exploitation of Cisco Catalyst SD-WAN (CVE-2026-20182) by UAT-8616, credential-stealing payload in node-ipc npm (3.35M monthly downloads), 18-year-old NGINX heap overflow CVE-2026-42945, Microsoft May Patch...
-
CTI Daily Brief: 2026-05-12 — Unpatched BitLocker zero-day PoC, PgBouncer auth bypass, ShinyHunters Canvas extortion
Unpatched Windows BitLocker bypass PoC released; critical PgBouncer authorization flaw (CVE-2026-6667); ShinyHunters Canvas/Canada Life extortion; Nitrogen ransomware confirmed at Foxconn; Shai-Hulud supply-chain source code leaked; Fragnesia Linux LPE; NATS-as-C2 cloud...
-
CTI Daily Brief: 2026-05-11 - Shai-Hulud TanStack supply-chain attack, Copy.Fail Linux LPE, SAP critical patches, Iran's Seedworm campaign
TeamPCP escalates the Shai-Hulud npm/PyPI supply-chain campaign to TanStack, Mistral and UiPath packages while SAP patches critical Commerce Cloud and S/4HANA flaws. Theori discloses Copy.Fail, a working Linux kernel LPE....
-
CTI Daily Brief: 2026-05-10 — Mr_Rot13 weaponises critical cPanel flaw (CVE-2026-41940); ShinyHunters extort Instructure via Canvas XSS; Linux 'Dirty Frag' container-escape exploit goes public
Mr_Rot13 (a six-year-old crew) actively exploits CVE-2026-41940 in cPanel with Telegram exfiltration; ShinyHunters re-breach Instructure Canvas to extort schools; Linux 'Dirty Frag' (CVE-2026-43284/-43500) has a working public exploit with no...
-
CTI Weekly Brief: 4 May to 10 May 2026 - PAN-OS Zero-Day Exploited In-the-Wild, Linux Kernel Page-Cache Bugs Chain to Root, npm Supply Chain Worm Hits Intercom SDK
Weekly intelligence covering 559 reports across the pipeline: state-sponsored exploitation of PAN-OS CVE-2026-0300, two unpatched Linux LPE chains (Copy Fail and Dirty Frag), Ivanti EPMM zero-day under CISA emergency directive,...
-
CTI Daily Brief: 2026-05-09 - Lynx RaaS surge, Devs Palace ERP critical CVEs, Claude.ai chats abused for Mac infostealer
40 reports across 4 sources: critical Devs Palace ERP and Go/Vim CVEs, Lynx ransomware infrastructure expansion, FulcrumSec sells Avnet 7-12TB breach, and a malvertising campaign weaponising Claude.ai shared chats to...
-
CTI Daily Brief: 2026-05-08 - Linux page-cache 0-days exploited in the wild; Genesis ransomware burst hits US healthcare and legal sectors
Elastic confirms Copy Fail (CVE-2026-31431) added to CISA KEV; DirtyFrag widens the same bug class across the Linux network stack. Genesis ransomware posts five US victims in one day. Trending...
-
CTI Daily Brief: 2026-05-07 - Apache HTTP/2 RCE & mod_rewrite EoP CVEs; PCPJack cloud worm; Akira ransomware spree (38 victims)
Critical Apache HTTP Server RCE and privilege-escalation flaws lead the day; the PCPJack worm steals credentials at cloud scale by evicting TeamPCP; Akira posts 38 fresh victims spanning healthcare, manufacturing...
-
CTI Daily Brief: 2026-05-06 — PAN-OS Captive Portal zero-day exploited in-the-wild by CL-STA-1132; FortiClient EMS pre-auth bypass exploit circulating; APT37 deploys BirdCall Android backdoor
Nine reports across eight sources. One critical (FortiClient EMS pre-auth bypass exploit on Telegram), four high-severity items including limited in-the-wild exploitation of PAN-OS CVE-2026-0300 by CL-STA-1132, North Korean APT37 deploying...
-
CTI Daily Brief: 2026-05-05 - Palo Alto PAN-OS Zero-Day Under Active Exploitation; Linux 'Copy Fail' LPE; APT29, APT37, MuddyWater Activity
Critical PAN-OS CVE-2026-0300 (CVSS 9.3) actively exploited in the wild, Linux kernel 'Copy Fail' (CVE-2026-31431) deterministic LPE, APT37 BirdCall Android backdoor, MuddyWater Chaos-decoy espionage, ShinyHunters claims 280M Instructure records, and...
-
CTI Daily Brief: 2026-05-04 - Weaver E-cology CVE-2026-22679 actively exploited; ShinyHunters dumps Vimeo data; Safepay ransomware surge
25 reports processed. Three critical vulnerabilities (Weaver E-cology CVE-2026-22679 in-the-wild RCE, GNU Binutils CVE-2025-11083, libssh2 CVE-2026-7598). Safepay drives a five-victim ransomware cluster across IT services and construction; ShinyHunters publishes 119k...
-
CTI Daily Brief: 2026-05-03 - ShinyHunters multi-sector extortion campaign hits Marcus & Millichap and Instructure
ShinyHunters claims back-to-back data theft from Marcus & Millichap (1.8M accounts) and Instructure/Canvas (~9,000 schools). Inc Ransom adds Wilkem Group to its leak site. No critical-severity reports or new CISA...
-
CTI Weekly Brief: 27 April to 3 May 2026 - Mass cPanel exploitation, GitHub RCE, APT28 zero-day, ShinyHunters extortion wave
346 reports across 15 sources. Mass-exploited cPanel zero-day driving 'Sorry' ransomware; GitHub RCE in core git infrastructure; CISA KEV addition for APT28-exploited Windows NTLM leak; Linux 'Copy Fail' kernel LPE...
-
CTI Daily Brief: 2026-05-02 — cPanel Zero-Day Mass-Exploited in Sorry Ransomware Campaign; ShinyHunters, M3rx, and Everest All Active
26 reports across 5 sources. CVE-2026-41940 cPanel auth-bypass exploited at scale to deploy Sorry ransomware on 44,000+ hosts. Critical libssh2 and binutils RCEs disclosed. ShinyHunters, M3rx, and Everest post fresh...
-
CTI Daily Brief: 2026-05-01 — Apache MINA RCE, ConsentFix v3 OAuth abuse, CopyFail Linux LPE in active discussion
Two critical Telegram-tracked CVEs (Apache MINA RCE, authentication bypass), automated OAuth phishing against Azure, the CopyFail Linux LPE remains widely unpatched, npm supply-chain campaigns continue, and Qilin/Everest/Safepay drive a heavy...
-
CTI Daily Brief: 2026-04-30 — Two Critical Chromium CVEs, ShinyHunters Targets Finance Sector, Unit42 Flags 18 Malicious AI Browser Extensions
Two critical Chromium CVEs (Skia heap overflow, ANGLE use-after-free) lead a 21-CVE Microsoft Edge advisory batch; ShinyHunters claims Aman, Towerpoint Wealth and Follett Software in a finance/hospitality extortion campaign; Unit42...
-
CTI Daily Brief: 2026-04-29 - Linux privilege escalation, TeamPCP SAP npm supply-chain attack, dormant WordPress backdoor
23 reports processed across 2 correlation batches. Critical Linux root-escalation CVE, TeamPCP supply-chain compromise of official SAP npm packages, a dormant WordPress backdoor in 70K sites, and active Qinglong RCE...
-
CTI Daily Brief: 2026-04-28 - LiteLLM SQLi (CVE-2026-42208) actively exploited; ProFTPD CVE-2026-42167 PoC released; TeamPCP linked to VECT 2.0 wiper
Two critical vulnerabilities under active or PoC exploitation (LiteLLM CVE-2026-42208, ProFTPD CVE-2026-42167); TeamPCP threat group ties LiteLLM exploitation to broken VECT 2.0 ransomware acting as a wiper; sustained ransomware extortion...
-
CTI Daily Brief: 2026-04-27 - Critical GitHub RCE (CVE-2026-3854) actively exploitable; ShinyHunters, LAPSUS$ and Qilin dominate ransomware activity
Wiz disclosed CVE-2026-3854, a critical RCE in GitHub.com and GitHub Enterprise Server with 88% of GHES instances still unpatched. ShinyHunters monetised the Anodot supply-chain compromise (Vimeo, Pitney Bowes 8.2M breach),...
-
CTI Daily Brief: 2026-04-26 - ShinyHunters Leak 1.4M Udemy Accounts; Qilin, Inc Ransom and Tridentlocker Post New Victims
Eight high-severity reports dominated by ransomware leak-site activity from Qilin, Inc Ransom, Tridentlocker and Payload, alongside a ShinyHunters extortion of Udemy exposing 1.4 million accounts and republished Microsoft advisories for...
-
CTI Weekly Brief: 2026-04-20 to 2026-04-26 - Three CISA KEV additions, ArcaneDoor returns to Cisco Firepower, Qilin RaaS dominates the leak-site economy
611 reports processed across 14 correlation batches. UAT-4356 (ArcaneDoor) deploys FIRESTARTER on Cisco Firepower devices; CISA KEV additions for Microsoft Defender BlueHammer, Cisco SD-WAN, and Apache ActiveMQ; Microsoft ships out-of-band...
-
CTI Daily Brief: 2026-04-25 — Critical Breeze Cache RCE PoC circulating; Qilin, Lockbit5, M3rx ransomware surge
Two critical vulnerabilities lead the day: a public PoC for CVE-2026-3844 (Breeze Cache unauthenticated RCE) circulating on Telegram, and a Linux BPF stack-out-of-bounds write (CVE-2026-23359). Ransomware activity dominates the picture...
-
CTI Daily Brief: 2026-04-24 - Shai-Hulud npm worm escalates, UAT-4356 Firestarter persists on Cisco firewalls, UNC6692 abuses Teams to drop Snow malware
Unit 42 details the post-Shai-Hulud npm supply chain landscape with TeamPCP republishing trojanised packages; CISA and NCSC warn that UAT-4356's Firestarter implant survives Cisco ASA/FTD patching; Mandiant exposes UNC6692 using...
-
CTI Daily Brief: 2026-04-23 - Breeze Cache WordPress plugin actively exploited; CISA adds four KEVs; ShinyHunters hits ADT and Carnival
Critical Breeze Cache WordPress RCE under active exploitation, CISA adds four new KEV entries, 10K+ Zimbra servers unpatched, ShinyHunters breaches ADT and Carnival, new BlackFile vishing gang, Pack2TheRoot Linux LPE,...
-
CTI Daily Brief: 2026-04-22 — HexagonalRodent DPRK $12M Crypto Heist, RaaS Sophistication Surge, FortiSandbox Path Traversal
DPRK-linked HexagonalRodent siphons $12M from 26,584 crypto wallets via fake job lures; Embargo, Chaos, DragonForce, and Inc Ransom drive a RaaS sophistication trend; FortiSandbox CVE-2026-39813 path-traversal auth bypass disclosed; Apple...
-
CTI Daily Brief: 2026-04-21 - CISA KEV SharePoint CVE-2026-32201 with 1,300+ unpatched; Microsoft OOB patch for ASP.NET CVE-2026-40372; Harvester APT deploys Linux GoGra; Lazarus macOS campaign
51 reports processed across 3 correlation batches. Microsoft issues out-of-band patch for critical ASP.NET Core flaw CVE-2026-40372; Shadowserver warns 1,300+ SharePoint servers remain unpatched against CISA KEV-listed CVE-2026-32201; Unit 42...
-
CTI Daily Brief: 2026-04-20 - CISA adds Cisco SD-WAN flaw to KEV; Lotus wiper hits Venezuelan energy; Lazarus steals $290M from KelpDAO
89 reports processed across 2 correlation batches. CISA adds actively exploited Cisco Catalyst SD-WAN flaw (CVE-2026-20133) to KEV with a 4-day patch deadline; destructive Lotus wiper used against Venezuelan energy...
-
CTI Daily Brief: 2026-04-19 — CISA Axios npm Supply Chain Alert; North Korean Lazarus $290M Kelp Heist; Microsoft Teams Helpdesk Impersonation
53 reports across 13 sources. CISA issued an emergency alert on a compromised Axios npm package delivering a RAT; Lazarus sub-group TraderTraitor stole $290M from LayerZero/Kelp; Microsoft warned of Teams-based...
-
CTI Weekly Brief: 2026-04-13 to 2026-04-19 - Microsoft Patch Tuesday delivers 167 fixes and two zero-days as RedSun LPE, protobuf.js RCE and Nginx UI exploitation escalate alongside a surging Everest/Qilin/Gentlemen ransomware wave
Microsoft shipped 167 April fixes with two zero-days (CVE-2026-32201 exploited; CVE-2026-33825 Defender LPE public) while a second Defender zero-day PoC (RedSun) grants SYSTEM on fully patched hosts. A critical protobuf.js...
-
CTI Daily Brief: 2026-04-18 - Vercel/ShinyHunters breach, Gentlemen & Qilin RaaS surge, Apple alert abuse, Microsoft CVE batch
Vercel confirms ShinyHunters-claimed breach; Apple account alerts abused to deliver phishing via legitimate infrastructure; Gentlemen and Qilin ransomware expand across logistics, legal, healthcare; Microsoft publishes advisories for CPython and tar-rs...
-
CTI Daily Brief: 2026-04-17 - Critical Protobuf.js RCE PoC; Iran-Linked Cyber Av3ngers Pivot to Rockwell ICS; RaaS Surge from Qilin, Kairos & Coinbase Cartel
PoC released for critical RCE in protobuf.js (GHSA-xq3m-2v4x-88gg); Unit 42 details Iranian Cyber Av3ngers (CL-STA-1128) targeting Rockwell Automation OT/ICS; 19 fresh ransomware leak-site postings spanning Qilin, Kairos, Coinbase Cartel, Blackwater,...
-
CTI Daily Brief: 2026-04-16 - RedSun Defender Zero-Day Exploited in the Wild; ShinyHunters Dumps 2.1M Amtrak Records
Huntress confirms active exploitation of three leaked Microsoft Defender zero-days (BlueHammer/RedSun/UnDefend); ShinyHunters publishes 2.1M Amtrak Salesforce records; DragonForce and Safepay RaaS activity dominates ransomware volume; Unit 42 detects renewed scanning...
-
CTI Daily Brief: 2026-04-15 - In-the-wild exploitation of Marimo (CVE-2026-39987) and Nginx UI (CVE-2026-33032); ShinyHunters leaks 13.5M McGraw Hill records
48 reports processed across two correlation batches. Three critical vulnerabilities under active exploitation or requiring urgent customer action (Marimo, Nginx UI, Cisco Webex). ShinyHunters publishes 13.5M McGraw Hill records from...
-
CTI Monthly Report: March 2026 - TeamPCP Supply Chain Siege, CanisterWorm Iran Wiper, Handala Stryker Intrusion, DarkSword iOS KEV, Ransomware Surge
March 2026 saw a historic supply chain campaign by TeamPCP across Trivy, LiteLLM, Checkmarx KICS, Telnyx, Axios, and OpenVSX; the CanisterWorm Kubernetes wiper targeting Iranian infrastructure; Handala's destructive wipe of...
-
CTI Daily Brief: 2026-04-14 — 15 Critical CVEs in OSS Crypto/Runtime Libraries; Signed Adware Killing AV; Trust Wallet Drainer Campaign
15 critical CVEs disclosed across wolfSSL, XZ Utils, Go runtime, libinput and Handlebars.js; Huntress exposes signed 'Dragon Boss Solutions' adware disabling AV on 23,500 hosts; AlienVault flags NWHStealer and Trust...
-
CTI Daily Brief: 2026-04-13 - Microsoft April Patch Tuesday (167 flaws, 2 zero-days incl. actively-exploited SharePoint); Interlock ransomware exploits Cisco FMC zero-day
Microsoft April 2026 Patch Tuesday addresses 167 vulnerabilities including an actively-exploited SharePoint spoofing zero-day (CVE-2026-32201) and a publicly-disclosed Defender EoP (CVE-2026-33825). Interlock ransomware group is exploiting a Cisco FMC zero-day,...
-
CTI Daily Brief: 2026-04-12 - Adobe Acrobat zero-day CVE-2026-34621 added to CISA KEV; DPRK npm package targets Polymarket; FBI/Indonesia dismantle W3LL PhaaS
66 reports processed. Adobe Acrobat/Reader zero-day (CVE-2026-34621) under active exploitation joined CISA KEV alongside six other CVEs. DPRK Lazarus pushes malicious npm package targeting Polymarket trading bots. FBI and Indonesian...
-
CTI Weekly Brief: 6 Apr – 12 Apr 2026 - State-Sponsored DNS Hijacking, Supply Chain Compromises, and Ransomware Cartel Surge
A high-tempo week dominated by APT28 router-based DNS hijacking for OAuth token theft, dual supply-chain attacks on Axios and DPRK's Contagious Interview campaign, Iranian OT targeting of US critical infrastructure,...
-
CTI Daily Brief: 2026-04-11 - Marimo RCE Under Active Exploitation; Krybit and Lamashtu Ransomware Surge
36 reports processed across 5 sources. Two critical vulnerabilities disclosed — CVE-2026-39987 (Marimo pre-auth RCE) confirmed actively exploited within hours of disclosure, and CVE-2026-34757 (LIBPNG use-after-free). Ransomware operations dominated the...
-
CTI Daily Brief: 2026-04-10 — Four critical CVEs (crypto/x509 auth bypass, Linux TOCTOU root escape, heap overflow, Chromium WebCodecs race); The Gentlemen and ShinyHunters ransomware escalate
124 reports processed: four critical vulnerability alerts affecting Go crypto/x509, Linux, and Chromium WebCodecs; ransomware leak activity by The Gentlemen, Nightspire and ShinyHunters dominates the criminal landscape.
-
CTI Daily Brief: 2026-04-09 - Flannel cross-node RCE (CVE-2026-32241), iOS kexploit, Iranian ICS targeting, CPUID supply-chain compromise
52 reports processed. Critical Flannel cross-node RCE and an iOS 18/26 kexploit headline the day. Iranian state-backed actors targeting ~4,000 US Rockwell PLCs, a CPUID supply-chain compromise pushing trojanised CPU-Z/HWMonitor,...
-
CTI Daily Brief: 2026-04-08 — Adobe Reader Zero-Day Exploited in Wild; Marimo RCE Weaponised in Under 10 Hours; Qilin Ransomware Surge
89 reports processed across 15 sources. Critical zero-day exploitation of Adobe Reader ongoing since December. Marimo Python notebook RCE exploited within 10 hours of disclosure. CISA ICS advisory for Contemporary...
-
CTI Daily Brief: 2026-04-07 — Iran OT Sabotage Campaign, CISA KEV Ivanti EPMM, Coinbase Cartel RaaS Blitz
70 reports processed across 15 sources. Iranian APT groups actively sabotaging US energy and water OT infrastructure. CISA added CVE-2026-1340 (Ivanti EPMM) to the KEV catalogue with an April 11...
-
CTI Daily Brief: 2026-04-06 — Iranian APT Targets US Critical Infrastructure PLCs; Russian Cyber Units Hijack Home Routers; Flowise RCE Exploited in the Wild
79 reports processed across 15 sources. Dominant themes include Iranian APT targeting of Rockwell/Allen-Bradley PLCs in US critical infrastructure, Russian GRU-linked router hijacking campaigns to steal Microsoft 365 tokens, active...
-
CTI Weekly Brief: 30 Mar – 05 Apr 2026 — TeamPCP Supply Chain Escalation, Axios npm Compromise, and Ransomware Surge Across Critical Sectors
523 reports processed across 14 correlation batches. The week was dominated by the TeamPCP supply chain campaign reaching the European Commission, the North Korean-attributed Axios npm compromise, a critical FortiClient...
-
CTI Daily Brief: 2026-04-05 — Fortinet EMS Zero-Day Added to CISA KEV; Storm-1175 Chains Medusa Ransomware with Zero-Day Exploits; North Korean Hackers Behind $280M Drift Crypto Theft
Critical 24-hour period dominated by active exploitation of Fortinet FortiClient EMS (CVE-2026-35616) added to CISA KEV, Microsoft attribution of Storm-1175 to Medusa ransomware zero-day campaigns, a $280M North Korean crypto...
-
CTI Daily Brief: 2026-04-04 — FortiClient EMS Zero-Day Exploited, Axios npm Supply Chain Attack Linked to North Korea, DragonForce RaaS Campaigns Continue
Eight critical reports dominated the 24-hour cycle, led by an actively exploited FortiClient EMS zero-day (CVE-2026-35616), a North Korean supply chain attack on the Axios npm package, and continued DragonForce...
-
CTI Daily Brief: 2026-04-03 — DragonForce RaaS Cartel Surges, BQTLock Hits US Hospital, Device Code Phishing Explodes 37x
Ransomware-as-a-service operations dominated the threat landscape with DragonForce claiming five victims across pharma, manufacturing, and retail sectors while BQTLock exfiltrated 5.3TB from a US hospital. Device code phishing attacks surged...
-
CTI Daily Brief: 2026-04-02 — TeamPCP Supply Chain Campaign Breaches European Commission, Chromium V8 Critical CVEs, Akira Ransomware Surge
Supply chain attacks dominate the threat landscape as TeamPCP's Trivy compromise reaches the European Commission, six critical Chromium CVEs disclosed, Akira and Nightspire ransomware groups claim multiple victims, and DPRK-linked...
-
CTI Daily Brief: 2026-04-01 — DPRK-Linked $280M Drift Crypto Heist, Qilin EDR Killer Analysis, F5 BIG-IP APM Actively Exploited
High-tempo day dominated by a $280M cryptocurrency theft attributed to North Korea, Cisco Talos analysis of Qilin's EDR-killing infection chain, active exploitation of F5 BIG-IP APM and Apple DarkSword iOS...
-
CTI Daily Brief: 2026-03-31 — Axios npm Supply Chain Attack Attributed to North Korea; Chrome Zero-Day CVE-2026-5281 Exploited in the Wild
Supply chain attacks dominate the threat landscape as the DPRK-attributed axios npm compromise and ongoing TeamPCP campaign against security tooling converge with a fourth Chrome zero-day, mass Android malware on...
-
CTI Daily Brief: 2026-03-30 - Axios npm Supply Chain Compromise Delivers Cross-Platform RAT; CISA Orders Citrix NetScaler Patch; TeamPCP Post-Compromise Activity Escalates
High-volume day with 133 reports across 15 sources dominated by the Axios npm supply chain compromise delivering cross-platform RATs, CISA emergency directive for CVE-2026-3055 in Citrix NetScaler, TeamPCP post-compromise lateral...
-
CTI Daily Brief: 2026-03-29 — Active Exploitation of Citrix, F5, and Fortinet Flaws; PLAY and Qilin Ransomware Surge; TeamPCP Supply Chain Campaign Escalates
Three critical network appliance vulnerabilities under active exploitation (CVE-2026-3055, CVE-2025-53521, CVE-2026-21643), PLAY ransomware claims 10 new victims across multiple sectors, Qilin RaaS operations expand, TeamPCP supply chain campaign linked to...
-
CTI Weekly Brief: 23 Mar to 29 Mar 2026 - TeamPCP Supply Chain Campaign Escalates Across PyPI Ecosystem, Ransomware Surge, and Government Sector Breaches
A week dominated by TeamPCP's multi-stage supply chain campaign compromising Trivy, Checkmarx, LiteLLM, and Telnyx on PyPI, alongside elevated ransomware operations from Qilin, Nightspire, Akira, and DragonForce. ShinyHunters breached the...
-
CTI Daily Brief: 2026-03-28 — Exitium Ransomware Exfiltrates 278 GB from IKRON; Nightspire Blitzes Healthcare Sector
Ransomware-dominated day with 27 reports across 3 sources. Exitium group claimed two critical-severity victims including IKRON (278 GB exfiltrated) and Ming Hwei Energy (infrastructure encrypted). Nightspire posted four new healthcare...
-
CTI Daily Brief: 2026-03-27 — ShinyHunters Claims 350 GB European Commission Breach; TeamPCP Supply Chain Campaign Enters Monetization Phase
29 reports processed across 7 sources. Dominant themes include a claimed ShinyHunters breach of European Commission infrastructure, continued TeamPCP supply chain operations via a backdoored Telnyx PyPI package, five critical...
-
CTI Daily Brief: 2026-03-26 — TeamPCP Attributed to EU Commission Breach; Chromium Patches 6 Critical CVEs; DPRK-Linked $280M Crypto Heist
57 reports processed across 10 sources. TeamPCP formally attributed by CERT-EU to the European Commission AWS breach exposing 30+ EU entities. Google Chromium patched 17 vulnerabilities including 6 critical memory-safety...
-
CTI Daily Brief: 2026-03-25 — TeamPCP Supply Chain Campaign Widens With CISA KEV Addition; Qilin Ransomware Surge Across Multiple Sectors
155 reports processed across 15 sources. Dominant themes include the expanding TeamPCP supply chain campaign with CISA KEV entry for CVE-2026-33634, mass exploitation of Magento PolyShell targeting 56% of vulnerable...
-
CTI Daily Brief: 2026-03-24 — TeamPCP Supply Chain Campaign Escalates; SharePoint RCE Added to CISA KEV; VoidLink Rootkit Framework Exposed
77 reports processed across 15 sources. Dominant theme: TeamPCP supply chain campaign targeting AI/cloud tooling (LiteLLM, Trivy). Critical SharePoint RCE (CVE-2026-20963) confirmed exploited in the wild and added to CISA...
-
CTI Daily Brief: 2026-03-23 — TeamPCP Supply Chain Campaign Escalates to LiteLLM; Iran-linked Pay2Key Targets US Healthcare
63 reports processed across 15 sources. TeamPCP's supply chain campaign expanded from Trivy and Checkmarx GitHub Actions into the Python AI/ML ecosystem via compromised LiteLLM PyPI packages. Iran-linked Pay2Key ransomware...
-
CTI Daily Brief: 2026-03-22 — Trivy Supply-Chain Attack Escalates, CISA Adds DarkSword iOS Exploits to KEV, FBI Warns of Handala Telegram C2
Supply-chain compromises dominated the reporting period as TeamPCP re-compromised Aqua Security's Trivy scanner and deployed the CanisterWorm wiper against Iranian targets. CISA added three DarkSword iOS exploit-chain CVEs to the...
-
CTI Weekly Brief: 16 Mar – 22 Mar 2026 — Trivy Supply-Chain Compromise, Cisco FMC Zero-Day Exploitation, and FBI Dismantles Iranian MOIS Infrastructure
A high-tempo week dominated by the TeamPCP supply-chain attack on Trivy GitHub Actions, active zero-day exploitation of Cisco Secure FMC by Interlock ransomware, FBI seizures of Iranian Handala infrastructure after...
-
CTI Daily Brief: 2026-03-21 — Qilin and Nightspire ransomware campaigns surge; VoidStealer debuts novel Chrome ABE bypass
Ransomware dominated the 24-hour reporting window with Qilin claiming six victims and Nightspire adding five. VoidStealer introduced a first-of-its-kind hardware-breakpoint technique to steal Chrome master keys. Correlated trends flagged Citrix...
-
CTI Daily Brief: 2026-03-20 — Trivy Supply-Chain Compromise Distributes Infostealer via GitHub Actions; Linux Kernel and pyOpenSSL Critical CVEs Published
Supply-chain attack on Trivy vulnerability scanner by TeamPCP dominates a 28-report day alongside critical Linux kernel netfilter and pyOpenSSL vulnerabilities, Azure Monitor callback phishing abuse, and a botnet takedown affecting...
-
CTI Daily Brief: 2026-03-19 — Cisco FMC Zero-Day Exploited by Interlock Ransomware; CISA Adds Five KEVs; FBI Seizes Iran-Linked Handala Infrastructure
Forty-four reports processed across 10 sources. Dominant themes include active exploitation of Cisco FMC CVE-2026-20131 by Interlock ransomware, FBI takedown of Iran MOIS leak sites tied to Stryker healthcare attack,...
-
CTI Daily Brief: 2026-03-18 — Handala/Stryker FBI Seizure, Cisco Firewall Zero-Day Added to KEV, SharePoint RCE Exploited in the Wild
67 reports processed across 12 sources. Dominant themes include active exploitation of Cisco FMC (CVE-2026-20131) and SharePoint (CVE-2026-20963) vulnerabilities, FBI seizure of Iran-linked Handala infrastructure after the Stryker wiper attack,...
-
CTI Daily Brief: 2026-03-17 - DarkSword iOS zero-day exploit chain proliferates; Interlock ransomware exploits Cisco FMC zero-day; CISA adds Zimbra XSS to KEV
Critical 24-hour period dominated by the DarkSword iOS exploit chain targeting hundreds of millions of devices across four countries, Interlock ransomware leveraging a Cisco Secure FMC zero-day exploited since January,...
-
CTI Daily Brief: 2026-03-16 — CVE-2026-3909 Chromium Skia exploited in the wild; EU sanctions Chinese and Iranian cyber firms; four CISA ICS advisories
High-tempo day with 52 reports across 11 sources. Active exploitation of Chromium Skia CVE-2026-3909, EU cyber sanctions against state-linked entities, four CISA ICS advisories including two at CVSS 9.8, and...
-
CTI Weekly Brief: 10–16 March 2026 — Iran-Linked Wiper Devastates Stryker, Chrome Zero-Days Actively Exploited, FortiGate Intrusions Escalate
A high-tempo week dominated by Iran-linked Handala/Void Manticore wiper operations against medical technology giant Stryker, two actively exploited Chrome zero-days added to the CISA KEV catalogue, critical Veeam Backup &...
-
CTI Daily Brief: 2026-03-15 — CISA Adds Wing FTP Server to KEV; Iran-linked Handala Wipes Stryker Devices via Intune
35 reports processed across 10 sources. Dominant theme: Iranian state-aligned actors shifting to identity-based destruction, demonstrated by the Handala/Void Manticore wipe of ~80,000 Stryker devices via Microsoft Intune. CISA added...
-
CTI Daily Brief: 2026-03-15 — Low-Activity Period; Open-Source Security Tooling and BreachForums Rank-Transfer Activity
A quiet 24-hour period with one informational report on the Betterleaks secrets scanner. Correlation analysis flagged two high-risk trends around open-source vulnerability exploitation and enterprise attack surfaces. No critical-severity items....