New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images
Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both the mobile operating systems. The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery…
Not Toying Around: Hasbro Attack May Take 'Weeks' to Remediate
The company's 8-K filing notes "unauthorized access" and that it's activated business continuity plans and taken some systems offline.
Drift loses $280 million as North Korean hackers seize Security Council powers
The Drift Protocol lost at least $280 million after a threat actor took control of its Security Council administrative powers in a planned, sophisticated operation. [...]
Drift loses $280 million North Korean hackers seize Security Council powers
The Drift Protocol lost at least $280 million after a threat actor took control of its Security Council administrative powers in a planned, sophisticated operation. [...]
Residential proxies evaded IP reputation checks in 78% of 4B sessions
Researchers warn that residential proxies used to route malicious traffic are a big problem for IP reputation systems, as there is no clear distinction between attackers and legitimate users. [...]
Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners
A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023. "Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software…
New CrystalRAT malware adds RAT, stealer and prankware features
A new malware-as-a-service called CrystalRAT is being promoted on Telegram, offering remote access, data theft, keylogging, and clipboard hijacking capabilities. [...]
'NoVoice' Android malware on Google Play infected 2.3 million devices
A new Android malware named NoVoice was found on Google Play, hidden in more than 50 apps that were downloaded at least 2.3 million times. [...]
Venom Stealer MaaS Platform Commoditizes ClickFix Attacks
A new service on the cybercrime market provides automated capabilities to create persistent information-stealing social engineering attacks.
Block the Prompt, Not the Work: The End of "Doctor No"
There is a character that keeps appearing in enterprise security departments, and most CISOs know exactly who that is. It doesn’t build. It doesn’t enable.
GIGABYTE Control Center vulnerable to arbitrary file write flaw
The GIGABYTE Control Center is vulnerable to an arbitrary file-write flaw that could allow a remote, unauthenticated attacker to access files on vulnerable hosts. [...]
Manufacturing & Healthcare Share Struggles with Passwords
The two key economic sectors struggle with security for a reason: Many insiders view access management as a roadblock, while attackers see it as a way in.
Manufacturing and Healthcare Share Struggles with Passwords
The two key economic sectors struggle with security for a reason: Many insiders view access management as a roadblock, while attackers see it as a way in.
3 SOC Process Fixes That Unlock Tier 1 Productivity
What is really slowing Tier 1 down: the threat itself or the process around it? In many SOCs, the biggest delays do not come from the threat alone. They come from fragmented workflows, manual triage steps, and limited visibility early in the investigation.
The State of Secrets Sprawl 2026: 9 Takeaways for CISOs
Secrets sprawl isn't slowing down: in 2025, it accelerated faster than most security teams anticipated. GitGuardian's State of Secrets Sprawl 2026 report analyzed billions of commits across public GitHub and uncovered 29 million new hardcoded secrets in 2025 alone, a 34% increase year over year and the largest single-year jump ever recorded. This year's findings reveal three…
Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels
Cybersecurity researchers have discovered a remote access toolkit of Russian-origin that's distributed via malicious Windows shortcut (LNK) files that are disguised as private key folders. The CTRL toolkit, according to Censys, is custom-built using .NET and includes various executables" to facilitate credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking,…
China Upgrades the Backdoor It Uses to Spy on Telcos Globally
Chinese APT Red Menshen's super-advanced BPFdoor malware defeats traditional cybersecurity protections. All telcos can do, really, is try hunting it down.
We Are At War
Rising geopolitical tensions are reflected (or in some cases preceded) by cyber operations, while technology itself has become politicized. Let’s admit it: we are in the middle of it. Introduction: One tech power to rule them all is a thing of the past The relative safety, peace and prosperity that much of the world has enjoyed since 1945 was not accidental. It…
Suspected RedLine infostealer malware admin extradited to US
An Armenian suspect was extradited to the United States to face criminal charges for allegedly helping manage RedLine, one of the most prolific infostealer malware operations in recent years. [...]
New Torg Grabber infostealer malware targets 728 crypto wallets
A new info-stealing malware called Torg Grabber is stealing sensitive data from 850 browser extensions, more than 700 of them for cryptocurrency wallets. [...]
Blame Game: Why Public Cyber Attribution Carries Risks
Publicly accusing an entity of a cyberattack could have negative consequences that organizations should consider before taking the plunge.
Ex-NSA Directors Discuss 'Red Line' for Offensive Cyberattacks
Four former NSA chiefs representing a near-complete history of US Cyber Command debate the role of offensive cyber in the government at RSAC.
The Hidden Cost of Cybersecurity Specialization: Losing Foundational Skills
Cybersecurity has changed fast. Roles are more specialized, and tooling is more advanced. On paper, this should make organizations more secure.
Tycoon2FA phishing platform returns after recent police disruption
The Tycoon2FA phishing-as-a-service (PhaaS) platform that Europol and partners disrupted on March 4 has already returned to previously observed activity levels. [...]
TeamPCP deploys Iran-targeted wiper in Kubernetes attacks
The TeamPCP hacking group is targeting Kubernetes clusters with a malicious script that wipes all machines when it detects systems configured for Iran. [...]
‘CanisterWorm’ Springs Wiper Attack Targeting Iran
A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran's time zone or have Farsi set as the default language.
FBI warns of Handala hackers using Telegram in malware attacks
The U.S. Federal Bureau of Investigation (FBI) warned network defenders that Iranian hackers linked to the country's Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks. [...]
Bitrefill blames North Korean Lazarus group for cyberattack
Crypto-powered gift card store Bitrefill says that the attack it suffered at the beginning of the month was likely perpetrated by North Korean hackers of the Bluenoroff group. [...]
New ‘Perseus’ Android malware checks user notes for secrets
A new Android malware called Perseus is checking user-curated notes to steal sensitive information, like passwords, recovery phrases, or financial data. [...]
EU Sanctions Companies in China, Iran for Cyberattacks
Already sanctioned in the US and the UK, these rulings prohibit companies and a couple of principals from entering or doing business in the European Union.
C2 Implant 'SnappyClient' Targets Crypto Wallets
In addition to enabling remote access, the malware supports a wide range of capabilities, including data theft and spying.
Stryker attack wiped tens of thousands of devices, no malware needed
Last week's cyberattack on medical technology giant Stryker was limited to its internal Microsoft environment and remotely wiped tens of thousands of employee devices. [...]
Microsoft: Windows 11 users can't access C: drive on some Samsung PCs
Microsoft is investigating a new issue affecting some Samsung laptops running Windows 11 after installing the February 2026 security updates, in which users lose access to their C:\ drive and are unable to launch applications. [...]
The Data Gap: Why Nonprofit Cyber Incidents Go Underreported
Threat actors target nonprofits due to security gaps and highly coveted information, but a lack of sufficient data makes it difficult to grasp the entire picture.
Poland's nuclear research centre targeted by cyberattack
Poland's National Centre for Nuclear Research (NCBJ) says hackers targeted its IT infrastructure, but the attack was detected and blocked before causing any impact. [...]
Fake enterprise VPN sites used to steal company credentials
A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet to steal VPN credentials from unsuspecting users. [...]
Iran MOIS Colludes With Criminals to Boost Cyberattacks
Iranian APTs have long pretended to be cybercriminal groups. Now they're working with actual cybercriminal groups.
Why Stryker's Outage Is a Disaster Recovery Wake-Up Call
The Iranian cyberattack on Stryker is the kind of stress test that business continuity and disaster recovery programs often do not plan for.
Chinese Nexus Actors Shift Focus to Qatar Amid Iranian Conflict
Two attacks on Qatari entities signal a shift in focus for China-backed actors and demonstrate how quickly they can pivot in response to geopolitical events.
New BeatBanker Android malware poses as Starlink app to hijack devices
A new Android malware named BeatBanker can hijack devices and tricks users into installing it by posing as a Starlink app on websites masquerading as the official Google Play Store. [...]
Russian Threat Actor Sednit Resurfaces With Sophisticated Toolkit
After several years of using simple implants, the Russia-affiliated actor is back with two new sophisticated malware tools.
KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet
Cybersecurity researchers have discovered a new malware called KadNap that's primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic. The malware, first detected in the wild in August 2025, has expanded to over 14,000 infected devices, with more than 60% of victims located in the U.S., according to the Black Lotus Labs team at Lumen. A…
Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys
Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, adding phishing-resistant passwordless authentication via Windows Hello. [...]
New KadNap botnet hijacks ASUS routers to fuel cybercrime proxy network
A newly discovered botnet malware called KadNap is targeting ASUS routers and other edge networking devices to turn them into proxies for malicious traffic. [...]
The New Turing Test: How Threats Use Geometry to Prove 'Humanness'
Malware is evolving to evade sandboxes by pretending to be a real human behind the keyboard. The Picus Red Report 2026 shows 80% of top attacker techniques now focus on evasion and persistence, including geometry-based cursor tests and CPU timing checks. [...]
Microsoft Teams phishing targets employees with A0Backdoor malware
Hackers contacted employees at financial and healthcare organizations over Microsoft Teams to trick them into granting remote access through Quick Assist and deploy a new piece of malware called A0Backdoor. [...]
White House Cyber Strategy Prioritizes Offense
In a seven-page strategy document, the Trump administration signaled a shift to preemption and deterrence to handling cyber threats.
FBI warns of phishing attacks impersonating US city, county officials
The Federal Bureau of Investigation (FBI) warns that criminals are impersonating U.S. officials in phishing attacks targeting businesses and individuals who request city and county planning and zoning permits. [...]
EU court adviser says banks must immediately refund phishing victims
Athanasios Rantos, the Advocate General of the Court of Justice of the EU (CJEU), has issued a formal opinion suggesting that banks must immediately refund account holders affected by unauthorized transactions, even when it's their fault. [...]
Over 100 GitHub Repositories Distributing BoryptGrab Stealer
The malware targets browser and cryptocurrency wallet data, along with system information and user files. The post Over 100 GitHub Repositories Distributing BoryptGrab Stealer appeared first on SecurityWeek .
EU Auto Rules Shift Gears on Cybersecurity Standards
The European Union is taking new precautions as climate change and cybersecurity threats rise across the automotive industry.
Fake Claude Code install guides push infostealers in InstallFix attacks
Threat actors are employing a new variation of the ClickFix social engineering technique called InstallFix to convince users into running malicious commands under the pretext of installing legitimate command line interface (CLI) tools. [...]
Chinese state hackers target telcos with new malware toolkit
A China-linked advanced persistent threat actor tracked as UAT-9244 has been targeting telecommunication service providers in South America since 2024, compromising Windows, Linux, and network-edge devices. [...]
Tycoon 2FA Goes Boom as Europol, Vendors Bust Phishing Platform
The phishing-as-a-service platform was popular among cyber threat actors because of its ability to bypass multifactor authentication defenses.
LatAm Now Faces 2x More Cyberattacks Than US
Much of Central and South America struggles with cybersecurity maturity, and hackers are taking advantage.
Where Multi-Factor Authentication Stops and Credential Abuse Starts
Organizations typically roll out multi-factor authentication (MFA) and assume stolen passwords are no longer enough to access systems. In Windows environments, that assumption is often wrong. Attackers still compromise networks every day using valid credentials.
Bitwarden adds support for passkey login on Windows 11
Bitwarden announced support for logging into Windows 11 devices using passkeys stored in the manager's vault, enabling phishing-resistant authentication. [...]
Dark Reading Confidential: This Threat Hunter Helped Cops Bust Up An African Cybercrime Syndicate
Dark Reading Confidential Episode 15: Interpol relied on Will Thomas and team to help break up a sprawling cybercrime ring, leading to the arrest of 574 suspects, the recovery of more than $3 million, and the decryption of six malware variants. Here's his story.
Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux
Cybersecurity researchers have flagged malicious Packagist PHP packages masquerading as Laravel utilities that act as a conduit for a cross-platform remote access trojan (RAT) that's functional on Windows, macOS, and Linux systems. The names of the packages are listed below - nhattuanbl/lara-helper (37 Downloads) nhattuanbl/simple-queue (29 Downloads) nhattuanbl/lara-swagger…
Indian APT 'Sloppy Lemming' Targets Defense, Critical Infrastructure
India-nexus cyber threat actors are growing more active and sophisticated, using custom tools coded in Rust and cloud-based command and control.
Building a High-Impact Tier 1: The 3 Steps CISOs Must Follow
Every CISO knows the uncomfortable truth about their Security Operations Center: the people most responsible for catching threats in real time are the people with the least experience. Tier 1 analysts sit at the front line of detection, and yet they are also the most vulnerable to the cognitive and organizational pressures that quietly erode SOC performance over time. The…
How to Protect Your SaaS from Bot Attacks with SafeLine WAF
Most SaaS teams remember the day their user traffic started growing fast. Few notice the day bots started targeting them. On paper, everything looks great: more sign-ups, more sessions, more API calls.
US-Israel and Iran Trade Cyberattacks: Pro-West Hacks Cause Disruption as Tehran Retaliates
Both sides conduct hacking and other attacks, including the deployment of wiper malware, DDoS, and disruptions to critical infrastructure. The post US-Israel and Iran Trade Cyberattacks: Pro-West Hacks Cause Disruption as Tehran Retaliates appeared first on SecurityWeek .
Cities Hosting Major Events Need More Focus on Wireless, Drone Defense
Major events like the FIFA World Cup need to look beyond traditional physical and cyber security to active and passive wireless threats, say experts.
ThreatsDay Bulletin: Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit & 15+ Stories
Nothing here looks dramatic at first glance. That’s the point. Many of this week’s threats begin with something ordinary, like an ad, a meeting invite, or a software update.
PCI Council Says Threats to Payments Systems Are Speeding Up
The PCI Security Standards Council experienced a record year in many regards, but its first annual report shows it needs to work even faster to stay ahead of attackers.
Manual Processes Are Putting National Security at Risk
Why automating sensitive data transfers is now a mission-critical priority More than half of national security organizations still rely on manual processes to transfer sensitive data, according to The CYBER360: Defending the Digital Battlespace report. This should alarm every defense and government leader because manual handling of sensitive data is not just inefficient, it is…
Spitting Cash: ATM Jackpotting Attacks Surged in 2025
The attacks cost banks more than $20 million in losses last year, as criminals used many of the same tools and tactics they have wielded for more than a decade.
‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA
Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand's real website, and then acts as a…
FBI: $20 Million Losses Caused by 700 ATM Jackpotting Attacks in 2025
The FBI has confirmed that the Ploutus malware, which has been around for over a decade, is still being used in the wild. The post FBI: $20 Million Losses Caused by 700 ATM Jackpotting Attacks in 2025 appeared first on SecurityWeek .
Former Google Engineers Indicted Over Trade Secret Transfers to Iran
Two former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from the search giant and other tech firms and transferring the information to unauthorized locations, including Iran. Samaneh Ghandali, 41, and her husband Mohammadjavad Khosravi (aka Mohammad Khosravi), 40, along with her sister Soroor Ghandali,…
Best-in-Class 'Starkiller' Phishing Kit Bypasses MFA
A user-friendly PhaaS tool beats standard methods for detecting phishing attacks by live-proxying legitimate login sites.
New 'Massiv' Android banking malware poses as an IPTV app
A newly identified Android banking trojan named Massiv has been under active distribution across south Europe, disguised as an IPTV app. [...]
Threat Intelligence Has a Human-Shaped Blind Spot
How I realized what I was taught to about threat intelligence was missing something crucial.
Cybersecurity Tech Predictions for 2026: Operating in a World of Permanent Instability
In 2025, navigating the digital seas still felt like a matter of direction. Organizations charted routes, watched the horizon, and adjusted course to reach safe harbors of resilience, trust, and compliance. In 2026, the seas are no longer calm between storms.
RMM Abuse Explodes as Hackers Ditch Malware
Remote monitoring and management (RMM) software offers hackers multiple benefits, including stealth, persistence, and operational efficiency.
Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps
Threat actors are abusing Pastebin comments to distribute a new ClickFix-style attack that tricks cryptocurrency users into executing malicious JavaScript in their browser, allowing attackers to hijack Bitcoin swap transactions and redirect funds to attacker-controlled wallets. [...]
SpecterOps Launches BloodHound Scentry to Accelerate the Practice of Identity Attack Path Management
Drawing on years of adversary tradecraft, SpecterOps experts work alongside customers to analyze and eliminate attack paths, protect critical assets, and stay ahead of emerging threats.
Microsoft: New Windows LNK spoofing issues aren't vulnerabilities
Today, at Wild West Hackin' Fest, security researcher Wietze Beukema disclosed multiple vulnerabilities in Windows LK shortcut files that allow attackers to deploy malicious payloads. [...]
In Bypassing MFA, ZeroDayRAT Is 'Textbook Stalkerware'
With access to SIM, location data, and a preview of recent SMSes, attackers have everything they need for account takeover or targeted social engineering.
OT Attacks Get Scary With 'Living-off-the-Plant' Techniques
Ironically, security by obscurity has helped prevent dangerous OT attacks in recent years. It won't be that way forever.
How Top CISOs Solve Burnout and Speed up MTTR without Extra Hiring
Why do SOC teams keep burning out and missing SLAs even after spending big on security tools? Routine triage piles up, senior specialists get dragged into basic validation, and MTTR climbs, while stealthy threats still find room to slip through. Top CISOs have realized the solution isn’t hiring more people or stacking yet another tool onto the workflow, but giving their teams…
OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills
OpenClaw (formerly Moltbot and Clawdbot) has announced that it's partnering with Google-owned VirusTotal to scan skills that are being uploaded to ClawHub, its skill marketplace, as part of broader efforts to bolster the security of the agentic ecosystem. "All skills published to ClawHub are now scanned using VirusTotal's threat intelligence, including their new Code Insight…
Protests Don't Impede Iranian Spying on Expats, Syrians, Israelis
Iranian threat actors have been stealing credentials from people of interest across the Middle East, using spear-phishing and social engineering.
Attackers Use Windows Screensavers to Drop Malware, RMM Tools
By tapping the unusual .scr file type, attackers leverage "executables that don't always receive executable-level controls," one researcher noted.
GlassWorm Malware Returns to Shatter Developer Ecosystems
The self-replicating malware has poisoned a fresh set of Open VSX software components, leaving potential downstream victims with infostealer infections.
Please Don’t Feed the Scattered Lapsus ShinyHunters
A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators… Read More »
Happy 16th Birthday, KrebsOnSecurity.com!
KrebsOnSecurity.com celebrates its 16th anniversary today! A huge "thank you" to all of our readers -- newcomers, long-timers and drive-by critics alike. Your engagement this past year here has been tremendous and truly a salve on a handful of dark days.