Securityblog

Microsoft Azure Monitor alerts abused in callback phishing campaigns bleepingcomputer.com/news/security/… bleepingcomputer.com/news/security/…

Thread: How real adversaries are using C2 in 2026 (From building @scythe_io + watching nation-state/red team playbooks)  Spoiler: It's not just fancy Cobalt Strike beacons anymore. 🦄 1/10

Join us next Friday, 27-March at 11AM on the @offby1security stream with the great @mrgretzky on "Evilginx MFA Phishing Evolution with Phishlets 2.0!" youtube.com/live/eeauoOYUw…

I have managed to prepare some goodies to show. 🔥

Iranian cyber actors are using Telegram as command-and-control (C2) infrastructure to push malware targeting Iranian dissidents and opposition groups around the world – resulting in data leaks and reputational harm. Read the #FBI’s new advisory on tactics used by Iranian intelligence and mitigation strategies to reduce the risk of compromise🔗ic3.gov/CSA/2026/26032…

🇲🇽 El Chapo thought burner phones kept him safe. Wiretaps proved otherwise. Today, OSINT would map his entire network before a single call is heard: osint.industries/project/osint-…

🚨The iOS exploit kit #Coruna is a fascinating case. With XLAB #PDNS, its DGA C2s are easily exposed—we grabbed four ourselves. Stats show ~4,400+ infected IPs (or researchers) per day. Surprisingly, 98.5% of these IPs are located in China, why?🤔 Happy hunting 🍷@Xlab_qax

ClickFix… Yes your users will fall for this. Plan and secure accordingly. Source: ctrlaltintel.com/threat%20resea…

QNAP warns of a critical 9.3 CVSS flaw (CVE-2026-22898) allowing remote attackers to bypass authentication and access QVR Pro surveillance systems. Patch now. #QNAP #QVRPro #CVE #CyberSecurity #InfoSec #SurveillanceSecurity #Vulnerability #PatchAlert securityonline.info/critical-9-3-c…

Exploit code and details for CVE-2025-59284 are now public. Discover how a Windows libarchive flaw leaks NetNTLMv2 hashes via malicious .tar archives #CVE #WindowsSecurity #PoCExploit #CyberSecurity #InfoSec #HashLeak #Vulnerability #CyberAttack #NetNTLMv2 securityonline.info/poc-exploit-di…

Threat Research: Iran 2026 Threat Posture Assessment Augur Security augursecurity.com/post/threat-re…

RegPhantom a signed Windows kernel rootkit that turns the registry into a covert execution channel. Gives the ability to an unprivileged usermode to reflectively load an arbitrary PE into kernel memory, invisible to PsLoadedModuleList and standard driver enumeration tools. The implant includes several stealth techniques: - Post-execution memory wipe - XOR-encoded hook pointers in-memory obfuscation - Valid code-signing certificates - CFG obfuscation with opaque predicates - 28+ samples tracked (June–August 2025), signed with certificates from two Chinese companies. We're releasing: - Full technical writeup - Extensive deobfuscation scripts - YARA detection rule Full analysis: nextron-systems.com/2026/03/20/reg… #MalwareAnalysis #Rootkit #ThreatIntel #DFIR #Windows #KernelDriver

here's an incredible video demo of VESPER from the legendary hardware hacker himself: Matt Brown! @nmatt0 VIDEO LINK: youtube.com/watch?v=7FmY2s… (he also happens to be the newest member of BT6! welcome to the crew, Matt 🫡🐉🏴‍☠️)

Oracle pushes emergency fix for critical Identity Manager RCE flaw bleepingcomputer.com/news/security/…

Here's a useful resource for victims of data breaches, including checklists and letter templates: bit.ly/2xFuvUV

Good overview of tactics being used to compromise Signal accounts. Government/military officials, or anyone working at the intersection of Russian security issues (private sector, journalists, civil society orgs writ large) should urgently review. ic3.gov/PSA/2026/PSA26…

Mildly Interesting: Windows Defender 1.445.674.0 contains logic to detect malware designed to target "AIGen" threats. It is titled "AIGen.Trojan.ClawHavoc".

🚨 Wiz Research: Trivy supply chain attack. Backdoored version + poisoned GitHub Actions exposed secrets and cloud creds. Used it March 19–20? Rotate creds, audit pipelines, pin actions to SHA. wiz.io/blog/trivy-com…

Tax hunting season is open… It’s that time of year again—threat actors are exploiting tax season to phish unsuspecting users, leveraging trusted cloud infrastructure to slip past security controls. One recent example uncovered by me via ANY.RUN intelligence lookup: a newly created SharePoint site masquerading as a tax document portal. This domain has been attributed to the FlowerStorm threat actor and, alarmingly, remains undetected across all 94 VirusTotal engines. Fellow defenders, stay vigilant and keep an eye out for this domain.🫡 totaltaxinc-my[.]sharepoint[.]com #Cybersecurity #Phishing #FlowerStorm #TaxSeason

CrowdStrike highlights a supply chain compromise described as a trivy-action attack, illustrating how the compromise unfolded from scanner to stealer in the affected ecosystem. crowdstrike.com/en-us/blog/fro…