✨ The Containment Era is here. Secure AI workloads before they breach. →The Containment Era is here. →The Containment Era is here. →Explore ✨
Financial Services
Breach intelligence, attack campaigns, and threat reports targeting the Financial Services sector.
Explore Other Sectors
Financial Services Threat Reports
Bluekit's Evolution: Browser-in-the-Middle Phishing Attacks
In June 2026, the Bluekit phishing-as-a-service platform introduced browser-in-the-middle (BitM) capabilities, enhancing its ability to steal user credentials. This method involves the attacker controlling a browser session that loads legitimate login pages, intercepting user inputs and session tokens. By leveraging the open-source JavaScript library 'rrweb,' Bluekit streams the page's DOM over a WebSocket connection, allowing real-time interaction and data theft. This evolution signifies a shift towards more sophisticated phishing techniques that can bypass traditional security measures, including multi-factor authentication (MFA). Organizations must be aware of these advanced tactics to bolster their defenses against such threats.
13 hours ago
Kill Chain
Gaslight Malware: A New Challenge for AI-Based Security on macOS
In June 2026, cybersecurity researchers identified a new macOS malware named 'Gaslight,' attributed to a North Korean-linked threat actor. This Rust-based malware functions as a backdoor and information stealer, embedding 38 fabricated system messages within its binary. These messages, formatted to resemble legitimate developer logs and error reports, aim to mislead AI-assisted malware analysis tools by simulating analysis errors, potentially causing the tools to abort or misinterpret the malware's behavior. The emergence of 'Gaslight' underscores a growing trend where threat actors develop sophisticated techniques to evade detection by AI-driven security solutions. This incident highlights the need for continuous advancement in cybersecurity defenses to counteract evolving obfuscation methods employed by adversaries.
13 hours ago
Kill Chain
Cybercriminals Exploit Shop App in Advanced Phishing Attack - June 2026
In June 2026, threat actors exploited Shopify's order-tracking app, Shop, by inserting fraudulent purchase receipts into users' order histories. These fake receipts, impersonating brands like Norton and PayPal, included phone numbers leading to scammers posing as support agents. Victims were deceived into disclosing sensitive information or installing remote access software, facilitating unauthorized access to their devices. This method leverages the inherent trust users place in the Shop app, making the scam particularly effective. This incident underscores a significant evolution in phishing tactics, moving beyond traditional email-based schemes to infiltrate trusted applications directly. The rise of such sophisticated social engineering attacks highlights the urgent need for enhanced security measures and user vigilance within digital platforms.
13 hours ago
Kill Chain
Poland's Crackdown on SIM-Swap Crypto Theft: A 2026 Case Study
In June 2026, Polish authorities, with support from the FBI and Homeland Security Investigations, arrested four individuals involved in a sophisticated SIM-swapping scheme targeting cryptocurrency exchanges. The perpetrators breached IT systems of entities collaborating with telecom operators, using specialized software and social engineering to access employee email accounts. This enabled them to hijack victims' phone numbers, intercept SMS messages, and gain control over cryptocurrency exchange accounts, resulting in the theft and laundering of digital assets exceeding tens of millions of Polish zloty. ([thecoinomist.com](https://thecoinomist.com/news/poland-detains-four-sim-swap-crypto-heist-merry-linked/?utm_source=openai)) This incident underscores the escalating threat of SIM-swapping attacks in the cryptocurrency sector, highlighting the need for enhanced security measures beyond SMS-based two-factor authentication. The collaboration between Polish authorities and U.S. agencies reflects the global nature of cybercrime and the importance of international cooperation in combating such threats.
13 hours ago
Kill Chain
Cisco SD-WAN Zero-Day CVE-2026-20245 Exploited
In June 2026, a high-severity zero-day vulnerability, CVE-2026-20245, was discovered in Cisco Catalyst SD-WAN Manager. This flaw allows authenticated attackers with netadmin privileges to execute arbitrary commands as root by uploading specially crafted files. Exploitation of this vulnerability has been observed in the wild, leading to unauthorized configuration changes on edge devices. Notably, attackers have been exploiting this vulnerability for months prior to its public disclosure, highlighting significant security gaps in the SD-WAN infrastructure. The exploitation of CVE-2026-20245 underscores a concerning trend of increasing attacks targeting SD-WAN solutions. Organizations relying on Cisco's SD-WAN products must prioritize immediate mitigation strategies, as the absence of a patch leaves systems vulnerable to potential breaches and operational disruptions.
13 hours ago
Kill Chain
Kaspersky SMB Threat Report 2026: Unveiling New Cyber Threats
In early 2026, Kaspersky's analysis revealed a significant surge in cyberattacks targeting small and medium-sized businesses (SMBs). Notably, over 92,000 malware attacks were disguised as popular AI services, with fake ChatGPT applications accounting for 49% of these incidents. This trend underscores cybercriminals' exploitation of trusted AI brands to distribute malicious software. Additionally, the report highlighted a rise in 'encryption-less' extortion attacks, where attackers focus on stealing and leaking sensitive data rather than encrypting systems. The emergence of ransomware groups adopting post-quantum cryptography standards further complicates the threat landscape. ([me-en.kaspersky.com](https://me-en.kaspersky.com/about/press-releases/kaspersky-detected-more-than-92000-malware-attacks-disguised-as-ai-services-in-2026?utm_source=openai)) This escalation in sophisticated cyber threats against SMBs emphasizes the urgent need for enhanced cybersecurity measures. The increasing use of AI as a lure, coupled with advanced extortion tactics, indicates a shift in cybercriminal strategies that SMBs must proactively address to safeguard their operations and sensitive data.
13 hours ago
Kill Chain
Gaslight Malware: A New Threat Targeting AI-Assisted Security on macOS
In June 2026, cybersecurity researchers identified 'Gaslight,' a Rust-based macOS malware attributed to North Korean threat actors. Gaslight employs a novel prompt injection technique, embedding 38 fabricated system messages to deceive AI-assisted malware analysis tools into aborting or refusing analysis. The malware establishes persistence via a LaunchAgent labeled 'com.apple.system.services.activity' and utilizes the Telegram Bot API for command-and-control communication. It collects sensitive data, including browser information, terminal histories, and the macOS Keychain database, exfiltrating this data through encrypted channels. ([infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/?utm_source=openai)) This incident underscores the evolving tactics of threat actors who are now targeting AI-based security tools. The use of prompt injection to manipulate AI analysis represents a significant shift in cyberattack methodologies, highlighting the need for enhanced security measures to protect AI-driven systems from such adversarial inputs. ([infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/?utm_source=openai))
14 hours ago
Kill Chain
Cisco SD-WAN Vulnerability Exploited Two Months Before Disclosure
In March 2026, attackers began exploiting a critical vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN, two months prior to its public disclosure. This flaw allows authenticated users with netadmin privileges to escalate to root-level access by uploading a crafted file, due to insufficient input validation in the command-line interface. Exploitation was observed in service provider environments, where attackers gained initial access via rogue peering connections, potentially by leveraging other vulnerabilities such as CVE-2026-20182 or CVE-2026-20127. The incident underscores the increasing targeting of network infrastructure by threat actors, highlighting the necessity for organizations to promptly apply security patches and monitor for unauthorized access. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20245 to its catalog of known exploited vulnerabilities on June 4, 2026, emphasizing the urgency of remediation efforts.
20 hours ago
Kill Chain
Terrabot Botnet's 2026 Exploitation of IoT Vulnerabilities
In June 2026, the Terrabot botnet, an aggressive IoT malware variant derived from Mirai and Gafgyt frameworks, was observed scanning the internet for vulnerabilities to exploit and expand its network of compromised devices. The botnet targeted known vulnerabilities in legacy D-Link DSL routers (CVE-2016-20017) and Dasan GPON routers (CVE-2018-10561), attempting unauthenticated command injections. However, due to automation errors, such as empty POST request bodies and malformed payloads, many of these exploit attempts failed, highlighting the botnet's technical limitations. ([isc.sans.edu](https://isc.sans.edu/diary?utm_source=openai)) This incident underscores the persistent threat posed by IoT botnets, even those with flawed execution, as they continue to exploit unpatched vulnerabilities in widely used devices. The rapid proliferation of such botnets emphasizes the need for robust security measures, timely patching, and vigilant monitoring to protect against automated cyber threats.
20 hours ago
Kill Chain
Understanding 'Prompt Injection as Role Confusion' and Its Implications for AI Security
In February 2026, researchers Charles Ye, Jasmine Cui, and Dylan Hadfield-Menell published a study titled "Prompt Injection as Role Confusion," highlighting a critical vulnerability in large language models (LLMs). The study reveals that LLMs often misinterpret the source of text based on its style rather than its origin, leading to 'role confusion.' This flaw allows malicious actors to craft inputs that mimic authoritative roles, effectively bypassing safety protocols and manipulating the model's behavior. The researchers demonstrated that by injecting deceptive reasoning into user prompts and tool outputs, they achieved success rates of 60% on StrongREJECT and 61% on agent exfiltration tasks across various LLMs. This indicates a significant security gap where models assign authority in latent space, making them susceptible to prompt injection attacks. ([arxiv.org](https://arxiv.org/abs/2603.12277?utm_source=openai)) The study underscores the urgent need for enhanced security measures in AI systems, as prompt injection attacks exploit fundamental weaknesses in LLMs' role recognition. As AI integration expands across industries, understanding and mitigating such vulnerabilities is crucial to prevent unauthorized data access and manipulation. ([arxiv.org](https://arxiv.org/abs/2603.12277?utm_source=openai))
22 hours ago
Kill Chain
DraftKings 2022 Credential Stuffing Attack: A Case Study
In November 2022, DraftKings, a prominent fantasy sports and betting platform, experienced a credential stuffing attack that compromised approximately 60,000 user accounts. The attackers, led by Nathan Austad, known online as "Snoopy," exploited reused login credentials to gain unauthorized access. In about 1,600 cases, they added new payment methods to the compromised accounts and withdrew funds, resulting in approximately $600,000 in losses. The remaining compromised accounts were sold on cybercriminal marketplaces. Austad was sentenced to 18 months in federal prison, ordered to serve three years of supervised release, pay over $1.3 million in restitution, and forfeit an additional $463,000. This incident underscores the persistent threat of credential stuffing attacks, particularly in the online betting industry, where user accounts often contain sensitive financial information. It highlights the critical need for robust password policies, multi-factor authentication, and user education to prevent unauthorized access and financial losses.
22 hours ago
Kill Chain
Critical Check Point VPN Vulnerability Exploited by Ransomware
In May 2026, a critical authentication bypass vulnerability (CVE-2026-50751) was discovered in Check Point's Remote Access VPN and Mobile Access products, specifically affecting configurations using the deprecated IKEv1 protocol. This flaw allowed unauthenticated attackers to establish VPN sessions without valid credentials, granting them unauthorized access to internal networks. Exploitation of this vulnerability began on May 7, 2026, with at least one incident linked to a Qilin ransomware affiliate. The vulnerability was publicly disclosed on June 8, 2026, and patches were subsequently released. ([mishcon.com](https://www.mishcon.com/news/active-exploitation-of-check-point-vpn-authentication-bypass-vulnerability-cve202650751?utm_source=openai)) The incident underscores the risks associated with relying on outdated protocols and the importance of timely patching. It also highlights the evolving tactics of ransomware groups, who are increasingly exploiting vulnerabilities in widely used security products to gain initial access. Organizations must reassess their security architectures to ensure they are not solely dependent on perimeter defenses, which can be compromised through such vulnerabilities.
22 hours ago
Kill Chain
Stop Active Cloud Data Exfiltration
Aviatrix Breach Lock helps teams instantly identify what data is leaving the environment, from which workload, and where it’s going — during an active breach.
Looking for threats in a different sector?
Browse All Threat Reports