Industry Category

Information Technology/IT

Breach intelligence, attack campaigns, and threat reports targeting the Information Technology/IT sector.

2329 threat reports
Page 1 of 195


Information Technology/IT Threat Reports

Showing 112 / 2329 reports

Bluekit's Evolution: Browser-in-the-Middle Phishing Attacks
Impact: MEDIUM

In June 2026, the Bluekit phishing-as-a-service platform introduced browser-in-the-middle (BitM) capabilities, enhancing its ability to steal user credentials. This method involves the attacker controlling a browser session that loads legitimate login pages, intercepting user inputs and session tokens. By leveraging the open-source JavaScript library 'rrweb,' Bluekit streams the page's DOM over a WebSocket connection, allowing real-time interaction and data theft. This evolution signifies a shift towards more sophisticated phishing techniques that can bypass traditional security measures, including multi-factor authentication (MFA). Organizations must be aware of these advanced tactics to bolster their defenses against such threats.

13 hours ago

Kill Chain: Initial Compromise (high); Privilege Escalation (high); Lateral Movement (medium); Command & Control (medium); Exfiltration (high); Impact (medium)

Gaslight Malware: A New Challenge for AI-Based Security on macOS
Impact: LOW

In June 2026, cybersecurity researchers identified a new macOS malware named 'Gaslight,' attributed to a North Korean-linked threat actor. This Rust-based malware functions as a backdoor and information stealer, embedding 38 fabricated system messages within its binary. These messages, formatted to resemble legitimate developer logs and error reports, aim to mislead AI-assisted malware analysis tools by simulating analysis errors, potentially causing the tools to abort or misinterpret the malware's behavior. The emergence of 'Gaslight' underscores a growing trend where threat actors develop sophisticated techniques to evade detection by AI-driven security solutions. This incident highlights the need for continuous advancement in cybersecurity defenses to counteract evolving obfuscation methods employed by adversaries.

13 hours ago

Kill Chain: Initial Compromise (high); Privilege Escalation (high); Lateral Movement (medium); Command & Control (high); Exfiltration (high); Impact (medium)

Kaspersky SMB Threat Report 2026: Unveiling New Cyber Threats
Impact: HIGH

In early 2026, Kaspersky's analysis revealed a significant surge in cyberattacks targeting small and medium-sized businesses (SMBs). Notably, over 92,000 malware attacks were disguised as popular AI services, with fake ChatGPT applications accounting for 49% of these incidents. This trend underscores cybercriminals' exploitation of trusted AI brands to distribute malicious software. Additionally, the report highlighted a rise in 'encryption-less' extortion attacks, where attackers focus on stealing and leaking sensitive data rather than encrypting systems. The emergence of ransomware groups adopting post-quantum cryptography standards further complicates the threat landscape. ([me-en.kaspersky.com](https://me-en.kaspersky.com/about/press-releases/kaspersky-detected-more-than-92000-malware-attacks-disguised-as-ai-services-in-2026?utm_source=openai)) This escalation in sophisticated cyber threats against SMBs emphasizes the urgent need for enhanced cybersecurity measures. The increasing use of AI as a lure, coupled with advanced extortion tactics, indicates a shift in cybercriminal strategies that SMBs must proactively address to safeguard their operations and sensitive data.

13 hours ago

Kill Chain: Initial Compromise (high); Privilege Escalation (medium); Lateral Movement (medium); Command & Control (medium); Exfiltration (medium); Impact (medium)

Unveiling Mistic: The Stealthy Backdoor Linked to KongTuke
Impact: HIGH

In April 2026, a new backdoor named Mistic was identified in attacks targeting organizations across the insurance, education, IT, and professional services sectors. Linked to the initial access broker KongTuke, Mistic operates entirely in memory, avoiding disk writes and incorporating a self-deletion feature to evade detection. The malware is deployed through DLL side-loading techniques, utilizing legitimate Microsoft endpoint security tools to blend in with trusted software. Once established, Mistic enables attackers to execute code, manage files, and load additional modules, facilitating long-term, low-visibility access to compromised systems. The emergence of Mistic underscores a growing trend among threat actors to develop and deploy sophisticated, stealthy malware capable of evading traditional security measures. This development highlights the need for organizations to enhance their detection and response capabilities, particularly against fileless malware that operates in memory and leverages legitimate processes to achieve persistence.

13 hours ago

Kill Chain: Initial Compromise (high); Privilege Escalation (medium); Lateral Movement (medium); Command & Control (medium); Exfiltration (medium); Impact (medium)

Gaslight Malware: A New Threat Targeting AI-Assisted Security on macOS
Impact: HIGH

In June 2026, cybersecurity researchers identified 'Gaslight,' a Rust-based macOS malware attributed to North Korean threat actors. Gaslight employs a novel prompt injection technique, embedding 38 fabricated system messages to deceive AI-assisted malware analysis tools into aborting or refusing analysis. The malware establishes persistence via a LaunchAgent labeled 'com.apple.system.services.activity' and utilizes the Telegram Bot API for command-and-control communication. It collects sensitive data, including browser information, terminal histories, and the macOS Keychain database, exfiltrating this data through encrypted channels. ([infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/?utm_source=openai)) This incident underscores the evolving tactics of threat actors who are now targeting AI-based security tools. The use of prompt injection to manipulate AI analysis represents a significant shift in cyberattack methodologies, highlighting the need for enhanced security measures to protect AI-driven systems from such adversarial inputs. ([infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/?utm_source=openai))

13 hours ago

Kill Chain: Initial Compromise (high); Privilege Escalation (high); Lateral Movement (low); Command & Control (high); Exfiltration (high); Impact (high)

Cisco SD-WAN Vulnerability Exploited Two Months Before Disclosure
Impact: CRITICAL

In March 2026, attackers began exploiting a critical vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN, two months prior to its public disclosure. This flaw allows authenticated users with netadmin privileges to escalate to root-level access by uploading a crafted file, due to insufficient input validation in the command-line interface. Exploitation was observed in service provider environments, where attackers gained initial access via rogue peering connections, potentially by leveraging other vulnerabilities such as CVE-2026-20182 or CVE-2026-20127. The incident underscores the increasing targeting of network infrastructure by threat actors, highlighting the necessity for organizations to promptly apply security patches and monitor for unauthorized access. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20245 to its catalog of known exploited vulnerabilities on June 4, 2026, emphasizing the urgency of remediation efforts.

20 hours ago

Kill Chain: Initial Compromise (high); Privilege Escalation (high); Lateral Movement (medium); Command & Control (medium); Exfiltration (medium); Impact (high)

Terrabot Botnet's 2026 Exploitation of IoT Vulnerabilities
Impact: CRITICAL

In June 2026, the Terrabot botnet, an aggressive IoT malware variant derived from Mirai and Gafgyt frameworks, was observed scanning the internet for vulnerabilities to exploit and expand its network of compromised devices. The botnet targeted known vulnerabilities in legacy D-Link DSL routers (CVE-2016-20017) and Dasan GPON routers (CVE-2018-10561), attempting unauthenticated command injections. However, due to automation errors, such as empty POST request bodies and malformed payloads, many of these exploit attempts failed, highlighting the botnet's technical limitations. ([isc.sans.edu](https://isc.sans.edu/diary?utm_source=openai)) This incident underscores the persistent threat posed by IoT botnets, even those with flawed execution, as they continue to exploit unpatched vulnerabilities in widely used devices. The rapid proliferation of such botnets emphasizes the need for robust security measures, timely patching, and vigilant monitoring to protect against automated cyber threats.

20 hours ago

Kill Chain: Initial Compromise (high); Privilege Escalation (medium); Lateral Movement (medium); Command & Control (high); Exfiltration (low); Impact (high)

Cisco SD-WAN Zero-Day Exploited in Communications Provider Breach
Impact: CRITICAL

In early 2026, a sophisticated threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager to infiltrate a communications service provider's network. The attacker gained root-level access by uploading a malicious CSV file, creating a rogue user account named 'troot,' and potentially achieving undetected visibility into the provider's internal traffic. Cisco has since patched the flaw, but the full extent of the compromise remains unclear due to the attacker's anti-forensic measures. This incident underscores the increasing targeting of edge devices by cyber adversaries, highlighting the need for enhanced security measures in network management platforms. Organizations are urged to prioritize patching, implement robust monitoring, and adopt zero-trust architectures to mitigate similar threats.

22 hours ago

Kill Chain: Initial Compromise (high); Privilege Escalation (high); Lateral Movement (medium); Command & Control (medium); Exfiltration (medium); Impact (high)

Critical Check Point VPN Vulnerability Exploited by Ransomware
Impact: CRITICAL

In May 2026, a critical authentication bypass vulnerability (CVE-2026-50751) was discovered in Check Point's Remote Access VPN and Mobile Access products, specifically affecting configurations using the deprecated IKEv1 protocol. This flaw allowed unauthenticated attackers to establish VPN sessions without valid credentials, granting them unauthorized access to internal networks. Exploitation of this vulnerability began on May 7, 2026, with at least one incident linked to a Qilin ransomware affiliate. The vulnerability was publicly disclosed on June 8, 2026, and patches were subsequently released. ([mishcon.com](https://www.mishcon.com/news/active-exploitation-of-check-point-vpn-authentication-bypass-vulnerability-cve202650751?utm_source=openai)) The incident underscores the risks associated with relying on outdated protocols and the importance of timely patching. It also highlights the evolving tactics of ransomware groups, who are increasingly exploiting vulnerabilities in widely used security products to gain initial access. Organizations must reassess their security architectures to ensure they are not solely dependent on perimeter defenses, which can be compromised through such vulnerabilities.

22 hours ago

Kill Chain: Initial Compromise (high); Privilege Escalation (medium); Lateral Movement (medium); Command & Control (high); Exfiltration (high); Impact (high)

Operation Endgame: A Major Blow to Amadey and StealC Malware Networks
Impact: HIGH

In June 2026, an international coalition led by Europol, in partnership with Microsoft and other private entities, executed Operation Endgame to dismantle the infrastructure supporting the Amadey and StealC malware operations. This coordinated effort resulted in the disruption of 326 servers and 142 domains, the identification of over €41 million in illicit cryptocurrency, and the recovery of approximately 27 million stolen credentials from more than 385,000 compromised systems. The operation targeted the cybercrime assembly line, aiming to increase friction for cybercriminals and hinder their ability to conduct attacks. The significance of this operation lies in its comprehensive approach to disrupting malware-as-a-service platforms that facilitate initial access, credential theft, and subsequent deployment of ransomware or financial fraud. By targeting the foundational infrastructure of these malware families, law enforcement and private partners have set a precedent for future collaborative efforts to combat cybercrime at its roots.

1 day ago

Kill Chain: Initial Compromise (high); Privilege Escalation (high); Lateral Movement (medium); Command & Control (medium); Exfiltration (medium); Impact (medium)

Mistic Backdoor: A New Threat in Ransomware Attacks
Impact: HIGH

In April 2026, a new backdoor named Mistic was identified in attacks targeting sectors such as insurance, education, IT, and professional services. Linked to the initial access broker KongTuke (also known as Woodgnat), Mistic facilitates unauthorized access to corporate networks, which is then sold to ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The malware employs DLL side-loading techniques to maintain stealth and persistence, allowing attackers to execute commands, manipulate files, and exfiltrate data without detection. The emergence of Mistic underscores a growing trend where initial access brokers develop sophisticated tools to infiltrate networks, subsequently enabling ransomware operations. This development highlights the critical need for organizations to enhance their cybersecurity measures to detect and prevent such stealthy intrusions.

1 day ago

Kill Chain: Initial Compromise (high); Privilege Escalation (medium); Lateral Movement (medium); Command & Control (high); Exfiltration (medium); Impact (medium)

Cisco SD-WAN Zero-Day CVE-2026-20245: Active Exploitation with No Patch Available
Impact: HIGH

In June 2026, Cisco disclosed CVE-2026-20245, a high-severity zero-day vulnerability in its Catalyst SD-WAN Manager, which was actively exploited in the wild. This flaw allows authenticated attackers with netadmin privileges to upload crafted files and execute arbitrary commands as root, potentially compromising the entire SD-WAN infrastructure. The vulnerability affects all deployment types, including on-premises, Cloud-Pro, Cisco Managed Cloud, and FedRAMP environments. Notably, this marks the seventh SD-WAN zero-day exploited in 2026, highlighting a concerning trend of targeted attacks on Cisco's SD-WAN solutions. Organizations utilizing Cisco SD-WAN should prioritize mitigating this vulnerability by restricting and auditing netadmin accounts, isolating management interfaces, and monitoring for anomalous command executions. ([thecybersignal.com](https://www.thecybersignal.com/cisco-catalyst-sd-wan-manager-cve-2026-20245-zero-day-exploited-no-patch-2026/?utm_source=openai))

1 day ago

Kill Chain: Initial Compromise (medium); Privilege Escalation (high); Lateral Movement (medium); Command & Control (medium); Exfiltration (medium); Impact (high)