Defense/Space
Breach intelligence, attack campaigns, and threat reports targeting the Defense/Space sector.
Defense/Space Threat Reports
FortiBleed: Massive Credential Exposure in Fortinet Firewalls
In June 2026, the 'FortiBleed' campaign emerged as a significant cybersecurity threat, compromising over 86,000 Fortinet FortiGate firewalls across 194 countries. Attackers utilized a Golang-based tool, FortigateSniffer, to exploit default credentials and weak password practices, turning these devices into passive credential collectors across 24 authentication protocols. This led to the exposure of approximately 110 million credentials, affecting major corporations and government agencies worldwide. The incident underscores the critical importance of robust password policies and the implementation of multi-factor authentication (MFA). Organizations are urged to review and enhance their security measures to prevent similar breaches, as reliance on default credentials and inadequate password management continue to be exploited by threat actors.
2 days ago
Kill Chain
Five Eyes Alliance Issues Urgent Warning on AI-Driven Cyber Threats
In June 2026, the intelligence agencies of the Five Eyes alliance—comprising the United States, Canada, the United Kingdom, Australia, and New Zealand—issued a joint statement warning that advanced AI models capable of executing sophisticated cyberattacks are expected to become publicly accessible within months. These frontier AI models, such as Anthropic's Fable 5 and OpenAI's Daybreak, possess capabilities that could significantly enhance both offensive and defensive cyber operations. The agencies highlighted vulnerabilities in legacy systems, slow patching processes, unnecessary internet connectivity, weak identity and access controls, and inadequate pre-incident planning as critical weaknesses that these AI models could exploit. This development underscores the urgency for organizations to reassess and strengthen their cybersecurity postures. The rapid evolution of AI technologies means that cyber risk assumptions can become outdated swiftly, necessitating proactive measures to adapt to and withstand emerging threats. The warning also reflects broader concerns about the democratization of powerful AI tools and their potential misuse in cyber warfare.
2 days ago
Kill Chain
Earth Lusca's Advanced Windows Malware Targets Government Entities
Between 2023 and 2024, the Chinese state-sponsored threat group Earth Lusca, also known as FishMonger, expanded its cyber espionage operations by deploying Windows variants of the previously Linux-based SprySOCKS malware. These sophisticated backdoors targeted government organizations in Taiwan, Thailand, Pakistan, and Honduras, focusing on sectors such as foreign affairs, technology, and telecommunications. The Windows versions, identified as WIN_DRV and WIN_PLUS, introduced advanced capabilities including kernel-level stealth mechanisms, enabling the malware to hide processes, network connections, and files, thereby evading detection. Both variants support over 30 command-and-control commands, facilitate communication over multiple protocols, and possess functionalities like keystroke logging and SOCKS proxy support. The emergence of these Windows variants underscores a significant evolution in Earth Lusca's tactics, highlighting the group's commitment to enhancing its toolset for broader and more effective cyber espionage campaigns. This development reflects a broader trend among nation-state actors to adapt and refine their malware to target diverse operating systems, emphasizing the need for organizations to implement comprehensive, cross-platform cybersecurity measures.
1 week ago
Kill Chain
China-Linked SprySOCKS Backdoor Expands to Windows with Advanced Stealth Techniques
In June 2026, cybersecurity researchers identified two new Windows variants of the previously Linux-exclusive backdoor, SprySOCKS. These variants, named WIN_DRV and WIN_PLUS, are equipped with hard-coded command-and-control configurations and support communication over TCP, UDP, and WebSocket protocols. Notably, WIN_DRV employs kernel drivers to conceal its network connections, processes, files, and registry keys, enhancing its stealth capabilities. The initial access method remains undetermined, but the group has a history of exploiting known vulnerabilities in public-facing applications to gain entry. This development underscores the evolving tactics of state-sponsored threat actors, particularly those linked to China, in adapting and expanding their malware across multiple operating systems. Organizations must remain vigilant and implement robust security measures to detect and mitigate such sophisticated threats.
1 week ago
Kill Chain
ScarCruft's NarwhalRAT Deployed via Fake Microsoft Alerts in 2026
In June 2026, the North Korean state-sponsored hacking group ScarCruft (also known as APT37) launched a spear-phishing campaign targeting individuals with emails impersonating Microsoft Account security alerts. These emails falsely claimed that the recipient's account had been compromised due to repeated one-time password (OTP) generation attempts. The emails urged recipients to open an attached ZIP file, which contained a malicious LNK file. When executed, this LNK file initiated a multi-stage infection process, ultimately deploying a Python-based malware named NarwhalRAT. This malware is capable of logging keystrokes, capturing screenshots, recording ambient audio, and exfiltrating data to command-and-control servers. The campaign underscores the persistent threat posed by state-sponsored actors employing sophisticated social engineering tactics to infiltrate systems and gather sensitive information. Organizations must remain vigilant against such deceptive phishing attempts and ensure robust cybersecurity measures are in place to detect and mitigate these threats.
1 week ago
Kill Chain
North Korean Hackers Exploit Developer Tools in Sophisticated Phishing Campaign
In early 2026, a North Korean state-sponsored threat actor, identified as UNK_DeadDrop, launched a sophisticated phishing campaign targeting software developers across nearly 100 organizations, primarily in the United States. The attackers sent over 250 emails between April and May, masquerading as recruitment offers or code review requests. These emails directed recipients to clone malicious GitHub or GitLab repositories, which, when opened in code editors like Visual Studio Code, executed embedded malware. This approach enabled the attackers to steal cryptocurrency wallets and sensitive developer credentials. ([theregister.com](https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526?utm_source=openai)) This incident underscores a significant evolution in cyberattack methodologies, where adversaries exploit trusted developer tools and workflows to deliver malware. The campaign's scale and sophistication highlight the increasing targeting of the tech industry by state-sponsored actors, emphasizing the need for heightened vigilance and robust security measures within development environments. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/?utm_source=openai))
1 week ago
Kill Chain
Chinese Hackers Exploit Google Workspace to Steal Sensitive Emails
Between September 2023 and November 2025, the China-linked espionage group UNC6508 infiltrated North American medical, academic, and military research networks by compromising externally facing REDCap servers. They deployed custom malware named INFINITERED, which trojanized REDCap system files to harvest login credentials and establish persistent access. With domain administrator rights, UNC6508 abused Google Workspace's content compliance rules to silently BCC emails containing specific keywords to attacker-controlled Gmail addresses, effectively exfiltrating sensitive research and defense communications without deploying additional malware or generating unusual network traffic. This incident underscores the evolving tactics of state-sponsored actors who exploit legitimate administrative features within cloud services to conduct stealthy data exfiltration. Organizations must enhance monitoring of administrative configurations and implement robust security measures to detect and prevent such abuses.
1 week ago
Kill Chain
UNC6508's Year-Long Espionage on U.S. Research Institutions
Between September 2023 and November 2025, the China-aligned threat actor UNC6508 conducted a covert cyber-espionage campaign targeting U.S. academic, medical, and military research institutions. The attackers exploited vulnerabilities in REDCap servers to deploy custom malware named Infinitered, enabling them to steal credentials and maintain persistent access. This operation led to the exfiltration of sensitive data related to defense intelligence, military strategy, artificial intelligence, and medical research. ([darkreading.com](https://www.darkreading.com/threat-intelligence/china-nexus-actor-us-researchers-undetected?utm_source=openai)) This incident underscores the evolving sophistication of state-sponsored cyber threats, highlighting the need for enhanced security measures in research institutions. The use of tailored malware and novel data exfiltration techniques by UNC6508 reflects a broader trend of advanced persistent threats employing innovative methods to achieve their objectives.
1 week ago
Kill Chain
U.S. Government Restricts Access to Anthropic's Advanced AI Models
In June 2026, the U.S. government issued an export control directive requiring Anthropic to suspend access to its advanced AI models, Fable 5 and Mythos 5, for all foreign nationals, including those within the United States. This action was taken due to national security concerns over potential vulnerabilities that could allow the models to be exploited for identifying software flaws. As a result, Anthropic disabled these models for all users to ensure compliance. This unprecedented move underscores the growing tension between technological advancement and national security, highlighting the challenges in regulating AI technologies. The directive has sparked international debate over the balance between innovation and security, with European leaders expressing concerns about overreliance on American AI providers and advocating for greater technological sovereignty.
1 week ago
Kill Chain
Anthropic's AI Models Disabled Amid National Security Concerns
In June 2026, the U.S. government ordered Anthropic to suspend foreign access to its advanced AI models, Fable 5 and Mythos 5, citing national security concerns over potential 'jailbreaking' vulnerabilities that could bypass safety restrictions. This directive led Anthropic to disable these models entirely to comply with export controls, affecting both foreign nationals and certain employees. The incident underscores the challenges in balancing AI innovation with security, as similar capabilities exist in other publicly accessible models. The government's stringent response highlights the growing scrutiny over AI technologies and their potential misuse, emphasizing the need for robust security measures and regulatory frameworks in the rapidly evolving AI landscape.
1 week ago
Kill Chain
Anthropic Halts AI Models Fable 5 and Mythos 5 Following U.S. Government Directive
In June 2026, the U.S. government issued an export control directive requiring Anthropic to suspend access to its advanced AI models, Fable 5 and Mythos 5, for all foreign nationals, including those within the United States. This directive, citing national security concerns, led Anthropic to disable these models globally to ensure compliance. The order also affected foreign national employees of Anthropic, highlighting the broad scope of the government's action. ([tomshardware.com](https://www.tomshardware.com/tech-industry/artificial-intelligence/us-export-control-order-forces-anthropic-to-disable-claude-fable-5-and-mythos-5-worldwide?utm_source=openai)) This incident underscores the increasing regulatory scrutiny over advanced AI technologies and their potential implications for national security. Organizations developing or utilizing such technologies must stay vigilant to evolving compliance requirements and assess the impact of governmental directives on their operations and international collaborations.
1 week ago
Kill Chain
Miasma Worm's 2026 Attack on Microsoft GitHub: A Wake-Up Call for Developers
In June 2026, Microsoft faced a significant supply chain attack when the Miasma worm infiltrated 73 of its GitHub repositories, including those under Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The attackers utilized previously compromised contributor credentials to push malicious commits, introducing configuration files that executed credential-harvesting payloads upon opening in AI coding tools or IDEs. This breach led to the temporary disabling of the affected repositories, disrupting critical workflows and CI/CD pipelines. ([computing.co.uk](https://www.computing.co.uk/news/2026/security/microsoft-s-github-repositories-taken-offline-amid-miasma-supply-chain-attack?utm_source=openai)) This incident underscores the escalating threat of supply chain attacks targeting trusted development environments. The Miasma worm's ability to exploit AI coding tools highlights the need for enhanced security measures in software development processes to prevent similar breaches in the future.
1 week ago
Kill Chain