Victims
Last 90 days
Priority Threats
Live Feed Last 24 hours
Data refreshes every 30 minutes.
Active IOC Feed
| IOC Value | Type | Malware / Family | Threat Type | Source | Confidence | First Seen | Ref |
|---|---|---|---|---|---|---|---|
908ba87316fb65dd8a155177d53343bd19a2a0c99ff5d92a18c785a2746ff8ec
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
e3d5a0c97327eb83b2674aac333131cb1030f4256f12b4ea31244f4fe112d874
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
623fc73d98e3105411b49ae20573da2991faa73f5586c0dd0255f48d85d596ea
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
83ed44068b1fec44e77dded6511f9f308b2d818c78780a0cb6ded293bcf88e8e
|
sha256 | js | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
b27070a8cea93bd95ce8dc3e70a69391138f030bc8e48927bcd16d87e492b67a
|
sha256 | js | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
9151cf8957119d6549bfb4308e5f281263e7fbff2874f2d6f1847eac2dc1b556
|
sha256 | elf | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
4d032532f4bfee05049fd3fba048a8da88936e4259be0fe9d8457ae05a68ecfe
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
aac0d088885a088e627c59514f90b485c874551e9dfb006adbb534acd3b57ad3
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
1b9c73c1e4dfc4643ac50d78af99963e0adc9e28ca35cb5f38fbb01293ee40a2
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
595d02ea8d59413eeed0c093b6b051a9f226da3d1d86bd0a03c956d58fa9c870
|
sha256 | elf | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
29f5392bfbad0ee2111af3f4cc1e0ecd605e1019131bb25c99b325a036e3b86c
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
http://110.36.4.89:53768/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://42.239.157.9:55135/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
64.89.162.178:7007
|
ip:port | win.xworm | botnet_cc | ThreatFox | 75% | 2026-07-08 | 🔗 |
abadi136.net
|
domain | unknown_stealer | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
abenegihugu.com
|
domain | unknown_stealer | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
accidentclinic.miami
|
domain | unknown_stealer | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
adalyametal.com
|
domain | unknown_stealer | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
2leap.es
|
domain | unknown_stealer | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
24cart.store
|
domain | unknown_stealer | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
114.132.150.96:8080
|
ip:port | unknown | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
82cb5dfe51d3f66119dcb4340b4fabef0ce6a2a4da226f89be1b85443aa2ea24
|
sha256 | elf | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
7b118c32e261265adfa19e811de28f0c8be1593762c98bf8a74626c7345d2817
|
sha256 | elf | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
1bdeb2287faa1145ae1b4aae2bf6049f428ae5565b929a3b3273582e2e854d62
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
284189d1927f940980ba488c7472a8874e0bac8fd98dc3ae474a68b96a537ed0
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
412cae438376a34129cd05ba25556a3579516b0fd6a956a42f48691ed3f26461
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
9a618a6a73d274ac9102c388f4f1ec303abce082e99cbd49a542d1609bac4931
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
cfa38f49fe074831b13faa8b95662767f5108f55c57de98512e08eed67b3b17b
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
5e6ab3489eb358e76a853602e8d9aa4f928925cb2a37e007d03c1b4bccfbaeb0
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
fb8afadcb109f815b834768b1242515dabcdf209cd7973fd1be1360f2480d18b
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
1183ad0536c58299e6a80001a466be358d596fc9d130bd2112cb25b957d784da
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
5e92efef58c946c74179eabcb0b4b91a767fa6367c5344fe3bdf4a985d38bd22
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
2a5585d256e92580fb2752fcfddc0a7d9b31256a72006e78e99795c5236301db
|
sha256 | exe | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
http://162.255.251.91:33439/i
|
url | 32-bit, arm, elf, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://220.135.42.30:53519/i
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://163.142.95.89:43256/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://45.90.163.37/GOONGANGONTOP/i486
|
url | elf, mirai, opendir, ua-wget | malware_download | URLhaus | — | 2026-07-07 | |
9481dbfb659113e977977f4872d9e620a83a5811fdc30fc4054495fe48cdbcbe
|
sha256 | zip | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
2a57354f1393e07c42b82322d2b18ee2c6da7b18212db5788c94f857e4cfe121
|
sha256 | exe | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
cafa5753b4471a613cb44cd88fc36b9acef511509bf85f76940a2813808fc691
|
sha256 | zip | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
918c42d88be3dd369ddf630867901eaec3a90f1e833d486a2a1ecff6879bd8af
|
sha256 | exe | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
75e7bfed5d9087512862794295b14258bab7a853b100f093804c92080cd69f98
|
sha256 | exe | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
5cd69a8d537df27c9ffe4ea201bf72dc98b55f2e2466b82b79fa6cb8b957b396
|
sha256 | exe | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
4a72842ff25b47bc912714046a833ace69d6cb68f8f2be8d65a6421c4a9cc5a1
|
sha256 | exe | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
0255ae1616eec19d9b97440779b34a01602bb933699816121d705c069974c7db
|
sha256 | exe | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
ba1584ade44b7285a92de901daca752a433e8411c1efd6dfabd716ce737d10e0
|
sha256 | exe | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
http://115.63.230.109:35501/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://5.167.229.94:27250/i
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
http://61.52.61.209:54559/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.9.104.69:34901/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://110.36.4.89:53768/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://162.255.251.91:33439/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
https://kaloed.pro/1e523332.exe
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
http://123.9.104.69:34901/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://220.135.42.30:53519/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://60.176.4.229:58811/i
|
url | mirai | malware_download | URLhaus | — | 2026-07-08 | |
http://182.124.126.196:40819/i
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.242.236/files-129312398/files/file_b66749d846629102.exe
|
url | 54e64e, dropped-by-amadey | malware_download | URLhaus | — | 2026-07-08 | |
http://39.73.108.18:46667/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://105.224.33.217:41583/i
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://42.238.254.190:33907/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://60.176.4.229:58811/bin.sh
|
url | mirai | malware_download | URLhaus | — | 2026-07-08 | |
http://105.224.33.217:41583/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.12.240.37:49403/i
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.242.236/files-129312398/files/file_55c1b708fcd2591a.exe
|
url | 9d2ca3, dropped-by-amadey | malware_download | URLhaus | — | 2026-07-08 | |
http://42.232.228.31:53154/bin.sh
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://42.238.254.190:33907/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://110.39.238.66:42378/i
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
http://123.12.240.37:49403/bin.sh
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
http://61.52.47.54:36456/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.242.236/files-129312398/files/file_a412f485ab9549f8.exe
|
url | 9d2ca3, dropped-by-amadey, SalatStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://109.236.44.113:54968/i
|
url | mirai | malware_download | URLhaus | — | 2026-07-08 | |
http://216.126.86.26:36797/i
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://110.37.102.129:42317/i
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://109.236.44.113:54968/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://27.153.196.115:50179/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.4.238.122:50867/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://188.19.147.138:45305/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://42.231.91.217:53883/i
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
http://188.19.147.138:45305/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.7.226.252:39722/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://182.127.4.27:43671/bin.sh
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://110.37.65.212:34828/i
|
url | mirai | malware_download | URLhaus | — | 2026-07-08 | |
http://103.19.49.134:50928/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://112.240.206.31:53993/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://105.225.113.253:36827/i
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://110.37.65.212:34828/bin.sh
|
url | mirai | malware_download | URLhaus | — | 2026-07-08 | |
http://105.225.113.253:36827/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://115.48.14.97:44539/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://61.53.206.243:54006/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://61.52.78.136:39827/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://182.123.245.187:35967/i
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
https://verify.hashtopoils.org/verify_amd
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
https://verify.hashtopoils.org/verify_arm
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.242.236/files-129312398/files/file_da8de9dae556667a.exe
|
url | c2-monitor-auto, dropped-by-amadey | malware_download | URLhaus | — | 2026-07-08 | |
http://115.48.14.97:44539/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://61.52.78.136:39827/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://112.240.206.31:53993/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://182.123.245.187:35967/bin.sh
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://125.44.217.16:45814/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://130.0.44.29:48255/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.7.226.252:39722/i
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://218.59.14.73:36944/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://115.50.69.1:59335/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://218.59.14.73:36944/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://113.190.61.94:29420/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://42.235.181.25:38851/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://113.190.61.94:29420/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://105.186.143.79:49489/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://42.235.181.25:38851/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://27.207.228.158:46589/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://163.142.92.59:56422/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://200.112.129.57:42371/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://182.116.51.13:39041/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://222.136.52.228:56020/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://200.112.129.57:42371/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://182.127.4.27:43671/i
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://222.141.122.76:43722/i
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://108.170.136.155:37272/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://42.224.89.156:57932/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://42.224.89.156:57932/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://105.186.143.79:49489/i
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://163.142.95.89:43256/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.14.219.127:41338/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://218.61.126.54:57066/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.11.77.40:40335/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.14.219.127:41338/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://175.147.243.250:35517/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://112.93.137.16:35671/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://223.10.4.70:55867/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.5.158.194:57168/bin.sh
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://163.142.93.90:45440/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://83.219.1.198:42561/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.8.55.58:53035/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://5.175.192.197/bot_x86_64
|
url | 5-175-192-197, elf, mirai | malware_download | URLhaus | — | 2026-07-08 | |
http://182.127.112.76:42224/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-07 | |
https://t08.kataksm188.top/
|
url | win.vidar | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
t08.omni-signage.com
|
domain | win.vidar | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
https://t08.omni-signage.com/
|
url | win.vidar | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
t08.kataksm188.top
|
domain | win.vidar | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
gtv6eszx.riskybet.casino
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
mouvwpcv.riskybet.casino
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
riskybet.casino
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
https://potty.com/
|
url | js.iclickfix | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
159.203.1.105:9035
|
ip:port | elf.aisuru | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
https://tommy-q.lol/o
|
url | js.kongtuke | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
tommy-q.lol
|
domain | js.kongtuke | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
152.42.214.91:8443
|
ip:port | elf.aisuru | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
noveuam.top
|
domain | unknown | botnet_cc | ThreatFox | 75% | 2026-07-08 | 🔗 |
abitarix.top
|
domain | unknown | botnet_cc | ThreatFox | 75% | 2026-07-08 | 🔗 |
e0d1e9dbfb7ee326cc6152ac810d7835cb1f2cd2031e3d8ba83e3777e18bd755
|
sha256_hash | unknown | payload | ThreatFox | 75% | 2026-07-08 | 🔗 |
nubeauty.co
|
domain | unknown_stealer | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
topontmosser.be
|
domain | unknown_stealer | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
gtm-helper.xyz
|
domain | unknown_loader | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
recap-cha.xyz
|
domain | unknown_loader | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
jrudq.ganj.bet
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
blhs.20sport.ir
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
mbifcxdz.careeriran.ir
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
ganj.bet
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
20sport.ir
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
careeriran.ir
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
betwinner.poker
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
9c8c0b26c1ac72688e0f1a5d43ddcf16cb2726e2
|
sha1_hash | elf.kuiper | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
84e114db07c2fbe9225d08bc856ed52f
|
md5_hash | elf.kuiper | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
a237210c342b24325ac4cae7977613a85966c8b1
|
sha1_hash | elf.kuiper | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
16f2b00efb6012eddafdabaf21f7e7ff
|
md5_hash | elf.kuiper | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
fdf03609a12b2535488e008293cd89d596f967af96d7763b880ee1ffd8702630
|
sha256_hash | elf.kuiper | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
7c0f9f1375d685ec9a30c2e1a5cf7817
|
md5_hash | win.netwire | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
07e019e4309cd2d20874488411df839728fbda0b580c6f09a72c99f4d873f931
|
sha256_hash | elf.kuiper | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
b62119f0ae9ad41612f252dd703799d4
|
md5_hash | win.netwire | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
60c730addd2a15e4213a1d37f55186686976de73a106317b5a258fe0121cfd5c
|
sha256_hash | win.netwire | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
4dd9e00b51b94a5c9dda104f9cc9d5887cfa6819
|
sha1_hash | win.netwire | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
897a9a38ebc67beb0775184520c8ce3b0bec04e5
|
sha1_hash | win.netwire | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
57d20ed65870aa249ca374142d763d13
|
md5_hash | win.netwire | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
dc8b056dd6eb75df21e9721ac2e340f91bb5e94d5a6ff412d7d0c7539e0f06e2
|
sha256_hash | win.netwire | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
a54e21752a34a4663cef87b75efe74be139a2c8e
|
sha1_hash | win.netwire | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
e2ffa36e0a8661af0695eb11fe11ae21aca77367
|
sha1_hash | win.njrat | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
75f68d369e48fba33a4d53d45f32a6c6
|
md5_hash | win.njrat | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
433b61c29aefaa5b55fe78063e6ad8597d3835f36e1242d5402ab23e6dc61194
|
sha256_hash | win.netwire | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
0b64e89c66e5f0f93b164967c738949d7521002f
|
sha1_hash | win.agent_tesla | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
6e9cd29d317d6f0251aba016f04ea281
|
md5_hash | win.agent_tesla | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
3f434324ac709227290512410977bca99eb164fc86cae6f22cd4844eb9eb9130
|
sha256_hash | win.njrat | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
f5088b617e231c7ea495c78deb83813dd5f98ef6
|
sha1_hash | win.stealc | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
fe2226cdeb007a5b1f5aa13e042d9b11
|
md5_hash | win.stealc | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
ec8642b8f9d76743c3d9b65f2496f41ba136ff4f1ccfbe4069d494e6a3e579f3
|
sha256_hash | win.agent_tesla | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
f5d8c56c2b66818eba0bacd35be33b2d2069ff3e28befe67dd4ca17b675b7b27
|
sha256_hash | win.njrat | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
04ed410e130bba2e28e7fc5e921ee6820547c31f
|
sha1_hash | win.njrat | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
97960cb546365a3a320fd26dac47d10e
|
md5_hash | win.njrat | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
c4ce7dd05a3865b7d16a33adc9fa57d15a221abb83cb57fad43e947bc0a17eb1
|
sha256_hash | win.stealc | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
da483f0d56aabc55d45b170c4f605c97c722b3c2400cc6a5643a45f116121258
|
sha256_hash | py.venus_stealer | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
8c148fad9feaa0b196989b83eeaed9334083e221
|
sha1_hash | py.venus_stealer | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
55b80c0bb297e1cdbd85530c30c6d723
|
md5_hash | py.venus_stealer | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
06f915bc056a74c1c9b6faa3098a700ef4e5f54b8b1e84f73c70dcc6f5096949
|
sha256_hash | win.arkei_stealer | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
73a97de7a2edda2419f060567ecd07ecc6b9b89e
|
sha1_hash | win.arkei_stealer | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
32ba76496cf54bf0c9302e6ddab64cd9
|
md5_hash | win.arkei_stealer | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
86f77feba22ad9641d9464ac07c0fc4c2657f62cf02b85bdb50a192980265ebf
|
sha256_hash | win.vidar | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
c43ca244dc9905ea3260dff1e7c9414dc3890b37
|
sha1_hash | win.vidar | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
c6da85645488cfbb1120310f837f7fc7
|
md5_hash | win.vidar | payload | ThreatFox | 95% | 2026-07-08 | 🔗 |
lddwegnb.ketabworld.ir
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
ketabworld.ir
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
107.172.20.215:8080
|
ip:port | unknown | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
113.44.90.0:443
|
ip:port | unknown | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
107.172.20.215:80
|
ip:port | unknown | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
rcodtjdj.melbetiran.bet
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
aafnojwq.megashart.blog
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
104.225.149.151:8080
|
ip:port | unknown | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
104.225.149.151:80
|
ip:port | unknown | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
104.225.149.151:443
|
ip:port | unknown | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
103.215.81.156:8080
|
ip:port | unknown | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
160.20.109.47:8090
|
ip:port | win.dcrat | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
etorvugt.betsher.casino
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
wrov.betfa.download
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
4lbsgx9v.powershart.com
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
89g5nu0q.powershart.com
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
drvepxdy.milioner.bet
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
instnhvy.melbetiran.bet
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
melbetiran.bet
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
metabluefire.dexispointnexus.garden
|
domain | js.clearfake | botnet_cc | ThreatFox | 90% | 2026-07-08 | 🔗 |
103.236.92.210:80
|
ip:port | unknown | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
103.236.92.210:8080
|
ip:port | unknown | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
103.236.92.210:443
|
ip:port | unknown | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
obds.betsher.casino
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
dpbp.betsher.casino
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
xclparsl.megashart.blog
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
megashart.blog
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
159.203.1.105:9034
|
ip:port | elf.aisuru | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
https://fraitas.lol/api/v1/status
|
url | js.kongtuke | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
165.232.169.49:8443
|
ip:port | elf.aisuru | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
122.51.221.207:8080
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
2.50.157.201:8808
|
ip:port | win.asyncrat | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
122.51.221.207:443
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
152.42.174.192:8080
|
ip:port | win.adaptix_c2 | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
9c8joror.melbetir.app
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
melbetir.app
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
rmwj.betfa.download
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
120.205.80.152:8443
|
ip:port | elf.aisuru | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
betfa.download
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
https://azevedo.lol/api/v1/status
|
url | js.kongtuke | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
https://microcrypt1987.com/update/package
|
url | js.kongtuke | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
microcrypt1987.com
|
domain | js.kongtuke | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
img-slow.alternativesynergies.com
|
domain | js.fakeupdates | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
8n2r77nt.app888starz.download
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
app888starz.download
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
zqjjyamd.megaparifarsi.com
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
hostfastland.mivonflowsrv.garden
|
domain | js.clearfake | botnet_cc | ThreatFox | 90% | 2026-07-08 | 🔗 |
megaparifarsi.com
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
117.72.181.104:8080
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
117.72.181.104:80
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
152.42.174.192:80
|
ip:port | win.adaptix_c2 | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
23.227.199.61:80
|
ip:port | win.adaptix_c2 | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
158.160.75.185:43291
|
ip:port | win.njrat | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
cabv.bet24.casino
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
rieo.bet24.casino
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
217.60.195.113:80
|
ip:port | elf.mirai | payload_delivery | ThreatFox | 75% | 2026-07-08 | 🔗 |
mancityiran.club
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
sjgejs29.itsport.ir
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
itsport.ir
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
13.204.46.27:5173
|
ip:port | win.overlord | botnet_cc | ThreatFox | 75% | 2026-07-08 | 🔗 |
144.31.62.81:8080
|
ip:port | win.adaptix_c2 | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
107.172.140.187:80
|
ip:port | win.adaptix_c2 | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
107.172.140.187:8080
|
ip:port | win.adaptix_c2 | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
144.31.62.81:80
|
ip:port | win.adaptix_c2 | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
101.33.202.134:80
|
ip:port | win.adaptix_c2 | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
120.205.80.152:34567
|
ip:port | elf.aisuru | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
acesgaragesanjose.com
|
domain | unknown | payload_delivery | ThreatFox | 75% | 2026-07-08 | 🔗 |
emtd.bcgame90.casino
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
agvw.bcgame90.casino
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
hzfe.mellbeet.com
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
mpv5bjr9.yasbet.co
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
94fngygd.yasbet.co
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
bleu2zeit8zone.mivonflowsrv.garden
|
domain | js.clearfake | botnet_cc | ThreatFox | 90% | 2026-07-08 | 🔗 |
mon.kawahsm188.top
|
domain | win.vidar | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
https://mon.kawahsm188.top/
|
url | win.vidar | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
mon.kataksm188.top
|
domain | win.vidar | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
https://mon.kataksm188.top/
|
url | win.vidar | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
https://saisrls.it/
|
url | win.vidar | payload_delivery | ThreatFox | 75% | 2026-07-08 | 🔗 |
dcaxdwoo.barcelona11.com
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
ztop.hazzaratbet.com
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
1ca17239f5bec17ef244fc55357c6d0560337d7cadd1bb61574ab010f14a8d14
|
sha256_hash | unknown | payload | ThreatFox | 100% | 2026-07-08 | 🔗 |
830a22ea4eb2ebb8c60c7731fa5175d3a315d023a812aea40147326cc4c8a4dd
|
sha256_hash | unknown | payload | ThreatFox | 100% | 2026-07-08 | 🔗 |
91.92.240.100:53
|
ip:port | unknown | botnet_cc | ThreatFox | 75% | 2026-07-08 | 🔗 |
https://pub-1f5a501a59d74a6a97e77126cf1fc526.r2.dev/dcaczhjitqazbalk.exe
|
url | unknown | payload_delivery | ThreatFox | 75% | 2026-07-08 | 🔗 |
https://qgypyyvvzeouq.mospoqkzvk.com/d/cani
|
url | unknown | payload_delivery | ThreatFox | 75% | 2026-07-08 | 🔗 |
https://qgypyyvvzeouq.mospoqkzvk.com/s/psc2
|
url | unknown | payload_delivery | ThreatFox | 75% | 2026-07-08 | 🔗 |
qgypyyvvzeouq.mospoqkzvk.com
|
domain | unknown | payload_delivery | ThreatFox | 75% | 2026-07-08 | 🔗 |
92429d9ab6518c2d0aca85f1e337a607c861d81445d2a56b027555824dc1fd4f
|
sha256 | exe | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
a8877412d22348aafce79060d9f8578a94ec9adcf07dcea615735bf664370753
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
e97e92cd7f069edb07be58a78c2747d458256a120b0635a0b3ad4d159fcf3d92
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
ede4b155ce8f2c65614c0abda1797bfe3fec8bd78a2ff1a7031d28fbfd4b15ea
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
f9c6900e015c0e9f5b4d57ff7fa3cd936f1fbf2a5fb08c2ab1a76723538bf692
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
9e53b8b2bed292c433480ddd989f4a693893a971c67dbf13174adc0b09780f4f
|
sha256 | sh | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
0563bc585570d57435df9d6b5090967fb3ec128e269a658402775acc00455af1
|
sha256 | sh | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
dd3b199d255a5f35da02e170f840207ec1b0ce60425a3344bba4da47bfddcfee
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
d85d164e46fabb085609f2586e8fec364539a6ec81f74659f0cb28ac76e7880b
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
c96ddbdab5bbe445d8f3604daca62b80541ece02cc874c338146965e4820a595
|
sha256 | js | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
http://187.121.141.137:59432/i
|
url | 32-bit, arm, elf, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://77.247.88.83:46373/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://219.156.60.141:46448/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://110.39.239.253:40635/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.40.118/kworkerd-netns-rt
|
url | elf, mips, mirai, ua-wget | malware_download | URLhaus | — | 2026-07-08 | |
http://94.154.43.22/arm5
|
url | arm, elf, mirai, ua-wget | malware_download | URLhaus | — | 2026-07-07 | |
fezk.polbaz.bet
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
nqwr.polbaz.bet
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
39.105.200.188:8080
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
49.234.198.180:80
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
39.106.113.249:80
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
139.226.191.149:2082
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
origin-al.org
|
domain | unknown | payload_delivery | ThreatFox | 75% | 2026-07-08 | 🔗 |
sallyflint.com
|
domain | unknown | payload_delivery | ThreatFox | 75% | 2026-07-08 | 🔗 |
infobpi.pl
|
domain | unknown | payload_delivery | ThreatFox | 75% | 2026-07-08 | 🔗 |
cdn-79fe96.cloudflareinsight.com
|
domain | unknown | botnet_cc | ThreatFox | 75% | 2026-07-08 | 🔗 |
cdn-d57299.cloudflareinsight.com
|
domain | unknown | botnet_cc | ThreatFox | 75% | 2026-07-08 | 🔗 |
cdn-a085f7.cloudflareinsight.com
|
domain | unknown | botnet_cc | ThreatFox | 75% | 2026-07-08 | 🔗 |
cdn-b1192b.cloudflareinsight.com
|
domain | unknown | botnet_cc | ThreatFox | 75% | 2026-07-08 | 🔗 |
https://88.99.120.224
|
url | win.vidar | botnet_cc | ThreatFox | 75% | 2026-07-08 | 🔗 |
edcc2ad793e6c3def42d16dfefaff86dd1dbbc479b3e406405960438432fc0cd
|
sha256 | AgentTesla | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
ad8657d3235485efd37d9b91ba0254f93a72e206bf45ed49fffe00aa3fc010be
|
sha256 | elf | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
ironhausflow.mivonflowsrv.garden
|
domain | js.clearfake | botnet_cc | ThreatFox | 90% | 2026-07-08 | 🔗 |
desecq.shop
|
domain | win.remus | botnet_cc | ThreatFox | 75% | 2026-07-08 | 🔗 |
tiduflxx.farsi1xbet.shop
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
farsi1xbet.shop
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
47.96.254.114:80
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
47.96.254.114:8080
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
47.116.57.211:8080
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
47.116.57.211:80
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
39.106.80.126:80
|
ip:port | win.cobalt_strike | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
http://144.31.57.70/c0e070fa9435429c8ea5.php
|
url | win.stealc | botnet_cc | ThreatFox | 100% | 2026-07-08 | 🔗 |
srgq.icebet90.com
|
domain | js.clearfake | payload_delivery | ThreatFox | 100% | 2026-07-08 | 🔗 |
38917247ac41fae313ded776f64b0380068e117ddc412a256bcd313279fd45d0
|
sha256 | exe | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
550eda8ed1c8777c02d4144c3602e0e078a95afa5df66d7284d2a8441cdd0751
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
f1e5b38ba51f3d5a333e21922335c07177338d65ba842d4b682bb6f9d1b6d02e
|
sha256 | Vidar | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
3625de02e6d829a337ce865c719c078466c7aff8c89e9b88384fbcd9003b918f
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
0b352d3e66ec7b97e9d26a04d625f1cbafaa31376f753c6beba1d42af01ac504
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
3e2e9ca2f1ad47e319d7960802297e97cde7624648ac8d0a04c522fa0a612f64
|
sha256 | Vidar | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
f6126eefa85ebab83ec702eaf0871350409b526a579ea9086aa3daddc09e46d7
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
d0cbfa367dd44966ca3646fc28c613c152704bd145e4ac99212782600e96eb52
|
sha256 | Vidar | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
195231de9197a9283f11ca7e731120b5694a034fc498a255e98b2827320595cd
|
sha256 | Vidar | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
7f5004c33185df5e036ed42d6d3e2f7933081a562a1ec3795ac173b968383b80
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
ca8b44bf1765547ffb92d3dec240b3ec0c7f07f74128faf8436a87661c53ab4b
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
b9f4913add84ff01bec5f0f238e719b5128b7efc578118c5fac4f881fb97167c
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
7a725b6b4151e23675f5cfc9d8077f83f3a7d837f2615ee6646461f0d21b7cf8
|
sha256 | Vidar | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
6097d600120da31c7cfcaf07aff76c07a75a5c942d9c39489c1283e0c5604846
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
b6cd1a7945bf1268a516a55eafbbddf48e368b495c12bab4b3e9c9df854aad67
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
0a5f61085097eb8fc63159fca73f3c365e28860e3f37d23ff57a3af5736a5b1c
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
be83ebe9f3cd0d2a84f92fba0ed2f7d5810369b5c1c9ef672edfd4f09aea3b7c
|
sha256 | Vidar | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
175a7d2a8dcc50665e5f3dd5f0513cc091184065b424907d3e544a56c163e2a3
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
e8f15d19c9c20108530850a8addb4a013eef0b4f96687519a5cacc3e90c9169e
|
sha256 | Vidar | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
f320cb93aca97694e2935d87576da8cda03d47659021c3f79e15dd164e894599
|
sha256 | Vidar | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
e5ad234bb8d0205dbc2fd60e220fb4fe879fb2d252f716cff78eb309c30c7421
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
e13563d62d614eedee6768e235be05eca67e86d0329b604bd26de5f929622851
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
15988f3d46d1c569f90fe3e9afa46f018be526b918102b8b2d20c0088f025c29
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
f18ecf8b4da6262bdc42efc531cc5302dc90720eb7744859be63f79627c34939
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
4eb1c6fdd48256c19d9b639c1087a1184daeb263865582e557460b1358bbca06
|
sha256 | Vidar | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
1f2b4cd5fddc89fe846556ebba5e96458cc56bf935bbf34055744ff54e0fcecf
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
e4556f7a0e2356a4e6816987bd8b4d9b408c7aa8609bc22cba1e6e968097ad20
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
625f0ea72da6eb0ddca4ae4d3e680dc5df30faebf648f82e93006165bd02b981
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
d6b74a926002e9d018073eed697c1b75250deab3945c8388532ad1711984f1bb
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
d9013fa366c2460da14ac377b986dc54acaf08633bf4b436157ea74ae15f991d
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
d4123e8d75feffa620107a4a4ee69848a3011a4de9903b732e03e8a0e4e56f86
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
588a8359d3e29e8334d628214f12cc660f92c3c47c6ff734793d9d2af1bd418d
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
8edf5865a87829fe59b97ffe2c3dda7a4b104b0ae08a202b6be7a5e6ba90eea7
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
22dd141a82c74ef617693b7007f98e681765f0726a0657618d5fd7d1eea0e0c7
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
916b63175a16484b5dc36e51ac2453c6c60e481b4fad4ec9ab511b6c28f2f1ed
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
dc1cbd35e7de92b10f9d5f63bf34610c2ca78e855cd7b9eac1d540e89c9d9a94
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
770abdea2a1560325636bb70cfd5c736e98c7d7ab4478fed43bebb87745898c4
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
d359681ebc98c73c45c803ee55d3b24aea94284cec4a961c79f0e528799febc3
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
c5f481f7023a4b9ee28b83be862286264195ab77e353d999dbf6debee05daa09
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
839dc73d9bb3f3562ea39c5faf41d8908cb9f52a4f9d7cdf005a3f3ec4d58dd6
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
a257198794219f14985ae2cb54c3938e8dddd0f6c1f245044fb991c7312a04ca
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
ffb8bafc3c18814a68f791dec5f38b721e4b1918f387568bc57a873d069b19f5
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
3d7fc882384188cee82010f0d000e37f758a626d2b394b52f87726d9b0333053
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
6ebee939adf95f55cb6a44b9bb82d0e8c2e3ce41b3427a615d9b3cfe3cc0577c
|
sha256 | ArkeiStealer | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
4e844539d95862ea53a47d0ed5d1cf0809d83a79c24f59afc5b6186054edf54b
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
378389637bf1a818f395c034f1b207bccdc6306f35117e27d163727664df748b
|
sha256 | NetSupport | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
c46684753c0e86e0fc5aabf24fa2d9d02b26f957027938767c3cfa5545c1cd44
|
sha256 | NetSupport | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
21c25061c4b47dc528f62813dd6baae6d9827c6dd71199ed5c7db63872a4ea24
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
5871e9ed44d989827c88ef3308a1f808d0822d8c936dd3cc0b684a258e62b06d
|
sha256 | Mirai | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
d11d2e36d17dc323dbafc5e361eb51eb8e0ab078c2f50ec5bc98e5a87190aefb
|
sha256 | elf | Malware Sample | MalwareBazaar | — | 2026-07-08 | 🔗 |
http://91.92.40.118/init.sh
|
url | sh, ua-wget | malware_download | URLhaus | — | 2026-07-08 | |
https://pub-61124cd6b14a43ab85c051bf3b7bf33f.r2.dev/Semoklu.msi
|
url | NetSupport | malware_download | URLhaus | — | 2026-07-08 | |
http://113.9.240.142:42978/i
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://83.219.1.198:42561/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://113.9.240.142:42978/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://42.86.113.243:40712/i
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
https://pastefy.app/2UAyY6A9/raw
|
url | ascii, Encoded, PhantomGate | malware_download | URLhaus | — | 2026-07-08 | |
http://115.61.51.91:46415/i
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
https://pastefy.app/lBTfY3Xg/raw
|
url | ascii, Encoded, PhantomGate | malware_download | URLhaus | — | 2026-07-08 | |
http://46.217.141.171:6457/.i
|
url | hajime | malware_download | URLhaus | — | 2026-07-08 | |
http://116.139.183.228:43439/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://115.55.192.200:33588/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://115.55.192.200:33588/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://115.55.177.183:36148/i
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://163.142.78.118:39139/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://175.167.76.60:53013/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.242.236/files-129312398/files/file_3a1cc00092af29d0.exe
|
url | 54e64e, dropped-by-amadey | malware_download | URLhaus | — | 2026-07-08 | |
http://163.142.78.118:39139/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/f92d1b86bac243da86e3290c1907c299.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/b7af5ef8c6b24dbc84b18b3ef139cbe2.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/480e1d7b7c1f4f86893e91d7297ff652.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/aa608087adce4522b98fedc62b0de2ee.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/f8238fad9aff45f3a33bf8037a3ca78a.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/c48d8858c31d4439a5a58204effb3d85.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/273a7ebce05249a880abb34ebbb26b14.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/3bf4d96d7ba74ee7ad4ce7cdea8e7033.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/e36ea4fdb2994fe9b58aaecc72c71f06.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/ee22c737e8b348d49582f9e1790f134f.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/ca089a46f61743cd83884b1577b489ef.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/ac68a70ed1654d04b29a8985d5ab58e8.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/fe9c82f39a8a4fd0b607fac129f59184.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/3923ae729e2c4adf85dc26b2db55768a.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/c61eb43180354427870fc6de651cc63e.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/4b5b8620309f491789af03500ede5528.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/37ca1ffeb4e14e6f9b4854013b1c4ca5.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/3f319bcbb3744ae8a49dc54a1b02c02c.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/f0f1d4b4522f4c9f897ac08a4e1d1623.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/856f3e600b2c4b4fa31993e52fba8d28.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/9ee3fe2f7fbf467285527df5252d5f04.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/4da769b12f2447869cad2cd0b27b61a9.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/85af7d651b5d48ebb2753bc53d694c32.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/12b4a453931143629c867b8acf6ecb1f.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/7e02c8bb4178455e8d3af50503fd27c8.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/888412a0a67842f2a0ec6bcf581ab656.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/d63419ec10664d4384a260b3f7e614cc.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/2ad3b5bf932d444a8ed96d6a1211ae68.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://119.179.249.198:60598/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
https://fesold.com/db9c0fee.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/6b3b40e54b9c4c26a13d7a72a2eaab3c.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
https://mekasa.pro/3479ba86.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/fe74b5ae594c4eda870ac2ec9dc214a0.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
https://mekasa.pro/b5d036ea.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/32daa1c9eac744b98d12ae18e00f9ad2.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/a14d88353c6441d89205a760ac7a1c79.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/d71f44238cb84457afebf421116f1c92.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/734f12aafddc4617a3bcae5e56ccbe58.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/6d4b5504e589459f8e11ad3d1838f3f5.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
https://mekasa.pro/e3970037.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
https://mekasa.pro/72c4197f.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
https://mekasa.pro/a240a55d.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/edfaeaf2bb634e3bb0f45339142bec7f.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/99d213b876a747b6a9ff5322cec7f506.exe
|
url | ArkeiStealer | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/25c935b940ea40cfba6db6c752400178.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/d9e1709923ce40c49d6add23c7c95d0e.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/f9a78169df37447aa3dfc6ad4d3593e7.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/57c96d44ac93466f8cf814703a77fe4c.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://62.60.226.198/uploads/7d3839dfd03646a282c79d407acc92e8.exe
|
url | Vidar | malware_download | URLhaus | — | 2026-07-08 | |
http://39.64.9.139:43526/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://110.36.27.207:33177/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://90.153.217.151:59587/i
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://115.52.22.6:35725/i
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
http://119.179.249.198:60598/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://115.55.234.28:52773/i
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://151.192.135.88:41726/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://110.36.27.207:33177/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://105.184.91.145:44637/i
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://151.192.135.88:41726/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://42.238.64.12:58417/i
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://115.55.234.28:52773/bin.sh
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://59.103.116.68:46941/bin.sh
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://59.103.116.68:46941/i
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.14.97.76:44096/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://105.184.91.145:44637/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://123.235.194.222:60042/bin.sh
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://61.137.129.191:59754/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://120.84.214.35:43836/bin.sh
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
http://110.37.118.66:51233/i
|
url | mirai | malware_download | URLhaus | — | 2026-07-08 | |
http://110.37.118.66:51233/bin.sh
|
url | mirai | malware_download | URLhaus | — | 2026-07-08 | |
http://115.55.10.88:38789/bin.sh
|
url | Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://42.229.160.104:58096/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://222.139.122.118:42542/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://61.54.43.201:39395/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://61.137.129.191:59754/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://105.184.76.93:57607/i
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://61.54.43.201:39395/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://27.37.100.207:54087/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://222.137.95.232:58447/i
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
http://105.184.76.93:57607/bin.sh
|
url | 32-bit, arm, elf, mirai, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.40.118/kworkerd-blkcg
|
url | arm, elf, mirai, ua-wget | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.40.118/kworkerd
|
url | elf, gafgyt, mirai, ua-wget, x86 | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.40.118/kworkerd-irq-bal
|
url | arm, elf, mirai, ua-wget | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.40.118/kworkerd-crypto
|
url | elf, mirai, SuperH, ua-wget | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.40.118/kworkerd-softirq
|
url | arm, elf, mirai, ua-wget | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.40.118/kworkerd-events
|
url | elf, mirai, ua-wget, x86 | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.40.118/kworkerd-writeback
|
url | elf, mirai, PowerPC, ua-wget | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.40.118/kworkerd-irq
|
url | arm, elf, mirai, ua-wget | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.40.118/kworkerd-netns
|
url | elf, mips, ua-wget | malware_download | URLhaus | — | 2026-07-08 | |
http://91.92.40.118/kworkerd-rcu
|
url | elf, mips, ua-wget | malware_download | URLhaus | — | 2026-07-08 | |
http://222.137.95.232:58447/bin.sh
|
url | — | malware_download | URLhaus | — | 2026-07-08 | |
http://207.34.149.169:32877/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://178.176.107.122:33136/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://5.175.192.197/bot.sh
|
url | 5-175-192-197, sh | malware_download | URLhaus | — | 2026-07-08 | |
http://5.175.192.197/bot
|
url | 5-175-192-197, elf, mirai | malware_download | URLhaus | — | 2026-07-08 | |
http://130.12.181.111/Bin/ScreenConnect.ClientSetup.exe
|
url | 130-12-181-111, connectwise, exe | malware_download | URLhaus | — | 2026-07-08 | |
http://222.137.96.242:55578/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://110.37.14.156:33710/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-08 | |
http://59.103.86.89:52040/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-07 | |
http://110.37.14.156:33710/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-07 | |
http://115.56.64.251:58971/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-07 | |
http://59.97.251.109:44801/i
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-07 | |
http://27.222.178.246:42909/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-07 | |
http://59.97.251.109:44801/bin.sh
|
url | 32-bit, elf, mips, Mozi | malware_download | URLhaus | — | 2026-07-07 |
Analyst Tools
Paste raw text — emails, reports, logs — to automatically extract and classify all IOCs.
| IOC Value | Type | Defanged | Actions |
|---|
Enter any IOC — type is auto-detected and a curated set of intel sources appears.
Decode common obfuscation schemes found in malware, phishing kits, and threat reports.
Convert IOCs between defanged (report-safe) and live formats. Handles hxxp, [.], and [://] notations.
Convert timestamps between Unix epoch, UTC, and local time. Paste any format into any field.
Paste raw email headers to extract the sending chain, authentication results (SPF / DKIM / DMARC), originating IPs, and timing data.
Threat Intelligence News
The Hacker News
- Jul 8AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers
- Jul 8New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet MalwareMalware
- Jul 8Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS
- Jul 8New Ghost Phishing Wave Is Breaking Traditional Email SecurityPhishing
- Jul 8SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking UsersMalware
Dark Reading
- Jul 8Vidar Infostealer Hammers SMBs via Malvertising CampaignMalware
- Jul 8State IDs for AI Agents: Will Estonia Set a Precedent?
- Jul 7Big Brand Jobs Scam Targets Marketing Pros' Google Accounts
- Jul 7Dialogflow CX 'Rogue Agent' Flaw Enabled AI Chatbot Data Theft
- Jul 7'GitLost' Flaw Leaks Private Data from GitHub's Agentic Workflows
Talos Intelligence
- Jul 7UAT-7810 continues building ORB networks using new malwareRansomwareMalware
Securelist
- Jul 7Threat landscape for industrial automation systems. Q1 2026
- Jul 6When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft websitePhishing
The Record
- Jul 8Taiwan charges two businessmen over alleged role in Chinese espionage campaignAPT
- Jul 8Former UK privacy chief preparing legal action against woman who reported him, minister says
- Jul 8Spain arrests alleged supporter of pro-Russian hacktivist groups after FBI tip
- Jul 8EU unveils cyber plan to reduce reliance on foreign AI systems
- Jul 7Supreme Court allows Texas app law requiring age verification to take effect
CISA Alerts
- Jul 7CISA Adds One Known Exploited Vulnerability to CatalogVulnerability
- Jul 7CISA Adds Three Known Exploited Vulnerabilities to Catalog
- Jul 7Siemens SINEC OS
- Jul 7Hitachi Energy PROMOD V
- Jul 7Labcenter Proteus 9
SANS Internet Storm Center
- Jul 8My Stack Simulator, (Wed, Jul 8th)
- Jul 8ISC Stormcast For Wednesday, July 8th, 2026 https://isc.sans.edu/podcastdetail/9998, (Wed, Jul 8th)
- Jul 7More Odd DNS Records: NIMLOC, (Tue, Jul 7th)
- Jul 7ISC Stormcast For Tuesday, July 7th, 2026 https://isc.sans.edu/podcastdetail/9996, (Tue, Jul 7th)
- Jul 6RCS and DNS: The NAPTR Record, (Mon, Jul 6th)APT
Malwarebytes Labs
- Jul 8 Your next car could be watching your face
- Jul 7 How the Reddit and Discord false report scam steals accounts
- Jul 7 Fake Netflix, Coca-Cola, and FIFA job scams target marketers
- Jul 7 Claude Code’s hidden tracker was an “experiment,” says Anthropic
- Jul 7 Scammers are using AI to sell impossible flowers
Infosecurity Magazine
- Jul 8RedWing Android Spyware Sold as a Service on TelegramMalware
- Jul 8China-Linked APT Expands Proxy Network With New MalwareAPTMalware
- Jul 8Threat Actors Uses Agentic AI to Rapidly Compromise Cloud Target
- Jul 8New Malicious Campaign Delivers Vidar Infostealer and Monero Crypto MinerMalware
- Jul 8NCSC Touts National Scale, AI-Powered “Cyber Shield” for Defense
Ransomware activity
| Victim Name | Ransom Group | Industry / Sector | Country | Date Discovered |
|---|---|---|---|---|
|
opportune.com
|
chaos | Business Services | US | 2026-07-08 |
|
corepharma.com
CRITICAL SECTOR
|
chaos | Healthcare | US | 2026-07-08 |
|
Biessse
|
spacebears | General | IT | 2026-07-08 |
|
Aesthetic Surgical Images
CRITICAL SECTOR
|
incransom | Healthcare | US | 2026-07-07 |
|
Shamrock Holdings Inc.
|
thegentlemen | General | US | 2026-07-07 |
|
Medic Rescue
CRITICAL SECTOR
|
thegentlemen | Healthcare | Unknown | 2026-07-07 |
|
LogiQuip
|
thegentlemen | Transportation/Logistics | GB | 2026-07-07 |
|
Virginia Historical Society
|
thegentlemen | Public Sector | US | 2026-07-07 |
|
Quanterm Logistics Sdn Bhd
|
thegentlemen | Transportation/Logistics | MY | 2026-07-07 |
|
Spedidam
|
thegentlemen | Transportation/Logistics | FR | 2026-07-07 |
|
hiddeenn
|
thegentlemen | General | Unknown | 2026-07-07 |
|
Arabia Falcon Insurance Company SAOG
|
thegentlemen | Financial Services | OM | 2026-07-07 |
|
Ce Ratp Comite D entreprise Ratp
|
thegentlemen | Transportation/Logistics | FR | 2026-07-07 |
|
Keifert
|
thegentlemen | General | DE | 2026-07-07 |
|
Kosmos
CRITICAL SECTOR
|
thegentlemen | Energy | DE | 2026-07-07 |
|
EBNY Development
|
thegentlemen | Construction | EG | 2026-07-07 |
|
Tonnies Group
|
thegentlemen | Agriculture and Food Production | DE | 2026-07-07 |
|
Automovil Supply S.A
|
thegentlemen | Manufacturing | PY | 2026-07-07 |
|
Excel Cell Electronic
|
thegentlemen | Manufacturing | TW | 2026-07-07 |
|
Mercado Libre
|
thegentlemen | Technology | AR | 2026-07-07 |
|
CSIR Structural Engineering Research Centre
|
thegentlemen | Public Sector | IN | 2026-07-07 |
|
Jump Solutions Inc
|
thegentlemen | Business Services | PH | 2026-07-07 |
|
MBT Energy
CRITICAL SECTOR
|
thegentlemen | Energy | DE | 2026-07-07 |
|
Lechner Massivhaus GmbH
|
qilin | Construction | AT | 2026-07-07 |
|
Pro-Tech Technology
|
thegentlemen | Technology | SG | 2026-07-07 |
|
Technical Solutions Group
|
thegentlemen | Business Services | US | 2026-07-07 |
|
COP® Vertriebs-GmbH Zentrale
|
qilin | Business Services | DE | 2026-07-07 |
|
Welldyne
CRITICAL SECTOR
|
payoutsking | Healthcare | US | 2026-07-07 |
|
C****p
|
payoutsking | General | IT | 2026-07-07 |
|
Preneed Funeral Programs
|
play | Consumer Services | US | 2026-07-07 |
|
Next Clinics
CRITICAL SECTOR
|
qilin | Healthcare | CZ | 2026-07-07 |
|
Kevin Bao Lenguyen
|
play | General | Unknown | 2026-07-07 |
|
United Infrastructure
CRITICAL SECTOR
|
play | Energy | US | 2026-07-07 |
|
YMCA of Western North Carolina
|
interlock | Consumer Services | US | 2026-07-07 |
|
URA Group
|
Booba Project | Business Services | RU | 2026-07-07 |
|
seprec.gob.bo
|
krybit | Public Sector | BO | 2026-07-07 |
|
RISE Architecture
|
akira | Business Services | Unknown | 2026-07-07 |
|
Accelirate
|
qilin | Business Services | US | 2026-07-07 |
|
Chisholm Persson & Ball
|
akira | Business Services | Unknown | 2026-07-07 |
|
Excalibur Rentals
|
akira | Consumer Services | Unknown | 2026-07-07 |
|
Mount Royal University
|
cmdorganization | Education | CA | 2026-07-07 |
|
Edge Solutions | Stone Ridge Payments
|
akira | Financial Services | US | 2026-07-07 |
|
PB Fiduciaire SA
|
bravox | Financial Services | CH | 2026-07-07 |
|
Studio Sardano
|
AiLock | Consumer Services | IT | 2026-07-07 |
|
Richmont Graduate University
|
AiLock | Education | US | 2026-07-07 |
|
hive360.com
|
dragonforce | Technology | Unknown | 2026-07-07 |
|
amplesurveyor.com
|
dragonforce | Business Services | US | 2026-07-07 |
|
Forces
|
medusalocker | General | CA | 2026-07-07 |
|
Fitcrunch
|
spacebears | Consumer Services | US | 2026-07-07 |
|
tecnocurva.com.br
|
incransom | Technology | BR | 2026-07-07 |
|
samberger24.de
|
incransom | Business Services | DE | 2026-07-07 |
|
matrixwebagency.com
|
safepay | Business Services | US | 2026-07-06 |
|
bmiprojects.de
|
safepay | Construction | DE | 2026-07-06 |
|
caritas-koblenz.de
CRITICAL SECTOR
|
safepay | Healthcare | DE | 2026-07-06 |
|
knobel-bau.de
|
safepay | Construction | DE | 2026-07-06 |
|
rtngmbh.de
|
safepay | Business Services | DE | 2026-07-06 |
|
stedwardscatholicfirstschool.co.uk
|
safepay | Education | GB | 2026-07-06 |
|
lh-wohnverbund-wohnen-nrw.de
|
safepay | Consumer Services | DE | 2026-07-06 |
|
shw-fr.de
|
safepay | General | DE | 2026-07-06 |
|
gisy.com
|
chaos | Technology | US | 2026-07-06 |
|
hahn-airport.de
|
safepay | Transportation/Logistics | DE | 2026-07-06 |
|
aircreebec.ca
|
chaos | Transportation/Logistics | CA | 2026-07-06 |
|
Hansa Research Group Pvt. Ltd
|
morpheus | Business Services | IN | 2026-07-06 |
|
Keystone Homes
|
qilin | Construction | US | 2026-07-06 |
|
Precision Steel Services
|
qilin | Manufacturing | Unknown | 2026-07-06 |
|
Answer Precision Tool
|
qilin | Business Services | US | 2026-07-06 |
|
dgcement.com
|
apt73 | Manufacturing | DZ | 2026-07-06 |
|
Wood Ellis & Wood CPA
|
qilin | Business Services | US | 2026-07-06 |
|
Max Fordham
|
qilin | Business Services | GB | 2026-07-06 |
|
Grupo Inteca
|
qilin | Business Services | MX | 2026-07-06 |
|
azarestan.com
|
apt73 | General | IR | 2026-07-06 |
|
Upstaging
|
Booba Project | Business Services | US | 2026-07-06 |
|
vicentetrapani.com
|
apt73 | General | AR | 2026-07-06 |
|
LabelDaddy
|
qilin | Business Services | US | 2026-07-06 |
|
westernint.com
|
apt73 | Business Services | US | 2026-07-06 |
|
East African Gasoil
CRITICAL SECTOR
|
arcusmedia | Energy | KE | 2026-07-06 |
|
dinisrl.it
|
cry0 | Transportation/Logistics | IT | 2026-07-06 |
|
KOLORKIM KIMYA
|
Doommageddon | Manufacturing | TR | 2026-07-06 |
|
Mercedes-Benz Turk
|
Doommageddon | Manufacturing | TR | 2026-07-06 |
|
Innovano
|
Doommageddon | Technology | IN | 2026-07-06 |
|
Francisco Imóveis
|
Doommageddon | Consumer Services | BR | 2026-07-06 |
|
Solventa & Riskmetrica | Calificadora de Riesgos
|
Doommageddon | Financial Services | PY | 2026-07-06 |
|
Frosty Acres Brands
|
Booba Project | Agriculture and Food Production | US | 2026-07-06 |
|
Telewave, Inc.
|
Booba Project | Telecommunication | US | 2026-07-06 |
|
Fonsan
|
Booba Project | General | ES | 2026-07-06 |
|
Nfinite 9000 S.L.
|
Booba Project | Technology | ES | 2026-07-06 |
|
Blenheim
|
spacebears | General | GB | 2026-07-06 |
|
ENB Versich
CRITICAL SECTOR
|
payload | Energy | CH | 2026-07-05 |
|
Vela Film S.r.l.
|
payload | Consumer Services | IT | 2026-07-05 |
|
Apex Agro, LLC
|
genesis | Agriculture and Food Production | US | 2026-07-05 |
|
Mirage Endoscopy Center
CRITICAL SECTOR
|
genesis | Healthcare | US | 2026-07-05 |
|
Bri-Tech, Inc
|
genesis | Technology | US | 2026-07-05 |
|
SBI Software
|
genesis | Technology | US | 2026-07-05 |
|
DICON
|
genesis | General | US | 2026-07-05 |
|
Westgate
|
genesis | General | US | 2026-07-05 |
|
Dunagan Associates
|
genesis | Business Services | US | 2026-07-05 |
|
Synergy Interactive
|
genesis | Technology | US | 2026-07-05 |
|
East Texas Family Medicine
CRITICAL SECTOR
|
genesis | Healthcare | US | 2026-07-05 |
|
Gold Standard Automotive
|
Wallstreet | Manufacturing | US | 2026-07-04 |
|
Baraga County Memorial Hospital
CRITICAL SECTOR
|
Wallstreet | Healthcare | US | 2026-07-04 |
thegentlemen
lockbit5
qilin
safepay
incransom
shinyhunters
nova
dragonforce
nightspire
threeam
genesis
icarus
medusalocker
akira
deadlock
krybit
payload
apt73
aurora
play
spacebears
booba project
chaos
cmdorganization
m3rx
doommageddon
anubis
braincipher
direwolf
wallstreet
ailock
cloak
lynx
bravox
coinbasecartel
gunra
interlock
lapsus$
payoutsking
pear
ransomhouse
shadowbyt3$
silentransomgroup
stormous
triple x
worldleaks
arcusmedia
auditteam
black x
blackfield
cry0
fulcrumsec
insomnia
lamashtu
morpheus
prinzeugen
ransomexx
securotrop
unsafe
0apt
0day syndicate
0mega
8base
abrahams_ax
abyss
adminlocker
againstthewest
agl0bgvycg
ako
alp-001
alphalocker
alphv
apos
argonauts
arkana
arvinclub
atomsilo
avaddon
avos
avoslocker
aware
aztroteam
babuk
babuk2
babyduck
beast
benzona
bert
bianlian
blackbasta
blackbyte
blacklock
blackmatter
blacknevas
blackout
blackshadow
blackshrantac
blacksuit
blacktor
blackwater
bluebox
bluelocker
bluesky
bonacigroup
bqtlock
brotherhood
cactus
cephalus
cheers
chilelocker
chort
cicada3301
ciphbit
cipherforce
clop
contfr
conti
cooming
crazyhunter
crosslock
crylock
cryp70n1c0d3
cryptbb
cryptnet
crypto24
cuba
cyclops
d4rk4rmy
dagonlocker
daixin
dan0n
darkangels
darkbit
darkleakmarket
darkpower
darkrace
darkside
darkvault
datacarry
datakeeper
dataleak
desolator
devman
diavol
dispossessor
donex
donutleaks
doppelpaymer
dragonransomware
dread
dunghill
ech0raix
eldorado
embargo
entropy
ep918
esxiargs
everest
exitium
exorcist
fletchen
flocker
fog
frag
freecivilian
fsteam
funksec
gdlockersec
global
grief
groove
hades
handala
haron
hellcat
helldown
hellogookie
hellokitty
hive
holyghost
hotarus
hunters
icefire
imncrew
insane
j
kairos
karakurt
karma
kawa4096
kazu
kelvinsecurity
killsec
kittykatkrew
knight
kraken
kryptos
kyber
la_piovra
leakbazaar
leaktheanalyst
lilith
linkc
lockbit
lockbit2
lockbit3
lockbit3_fs
lockdata
loki
lolnek
lorenz
losttrust
lunalock
lv
madcat
madliberator
malas
malekteam
mallox
mamona
marketo
maze
mbc
medusa
meow
metaencryptor
midas
mindware
minteye
mnt6
mogilevich
moneymessage
monti
mosesstaff
mountlocker
ms13089
mydecryptor
n3tworm
nasirsecurity
nefilim
nemty
netrunner
netwalker
nevada
nightsky
nitrogen
noescape
nokoyawa
noname
obscura
onepercent
onyx
orca
orion
osiris
pandora
pay2key
payday
payloadbin
playboy
projectrelic
prolock
prometheus
promptlock
pysa
qiulong
qlocker
quantum
rabbithole
radar
radiant
ragnarlocker
ragnarok
ralord
ramp
rancoz
ranion
ransombay
ransomcartel
ransomcortex
ransomed
ransomhub
ranstreet
ranzy
raworld
raznatovic
rebornvc
redact
redalert
redransomware
revil
reynolds
rhysida
robinhood
rook
royal
rransom
runsomewares
sabbath
sarcoma
satanlockv2
secp0
sensayq
settra
sevyware
shadow
shaoleaks
shinysp1d3r
sicarii
siegedsec
silent
sinobi
skira
slug
snatch
solidbit
sparta
spook
sugar
suncrypt
synack
teamxxx
tengu
termite
thegreenbloodgroup
timc
titan
toufan
tridentlocker
trigona
trinity
trisec
u-bomb
underground
unknown
valencialeaks
vanhelsing
vanirgroup
vect
vendetta
vfokx
vicesociety
walocker
wannacry
warlock
werewolves
weyhro
x001xs
xinglocker
xinof
xp95
yanluowang
yurei
zeon
zerolockersec
zerotolerance
Global Victim Distribution (30 days)
Targeted Sectors (30 days)
Top Targeted Countries (30 days)
| Country | Incidents (30d) | Share |
|---|---|---|
| US | 118 |
|
| DE | 41 |
|
| BR | 17 |
|
| CA | 15 |
|
| IT | 14 |
|
| FR | 12 |
|
| TH | 9 |
|
| GB | 9 |
|
| ES | 8 |
|
| MX | 8 |
|
| CH | 7 |
|
| AR | 7 |
|
| AU | 7 |
|
| AE | 7 |
|
| MY | 7 |
|
Vulnerabilities
High Severity (>9.0)
CVE-2026-9695
An Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 could allow an a...
CVE-2026-56843
Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated custo...
CVE-2026-9074
IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulner...
CVE-2026-58480
Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability...
CVE-2026-59702
repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated ...
CVE-2026-8307
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Webbeyaz Web Desig...
CVE-2026-9701
The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and includ...
CVE-2026-14487
The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path val...
CVE-2026-54061
Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for e...
CVE-2026-12153
The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1....
CVE-2026-15062
SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allo...
Medium Severity (5.0 - 8.9)
CVE-2026-6818
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Sc...
CVE-2026-59875
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip...
CVE-2026-6742
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'addit...
CVE-2026-59999
In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTun...
CVE-2026-56401
Wazuh wazuh-modulesd before 5.0.0-beta3 contains a null pointer dereference vulnerability in invento...
CVE-2026-59929
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter ...
CVE-2026-6740
The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vuln...
CVE-2026-14158
The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions ...
CVE-2026-15063
A flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even...
CVE-2026-15035
A vulnerability was found in bentoml OpenLLM 0.6.30. This affects the function async_run_command of ...
CVE-2026-56283
Capgo before 12.128.2 contains an html injection vulnerability in the organization settings endpoint...
CVE-2026-59895
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 bef...
CVE-2026-59928
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document ...
CVE-2026-6459
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is v...
CVE-2026-5459
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registrat...
CVE-2026-3688
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vu...
CVE-2026-60002
ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key...
CVE-2026-56086
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through...
CVE-2026-15067
Snowflake Terraform Provider versions prior to 2.18.0 contain several security vulnerabilities, incl...
CVE-2026-56002
A heap bufferflow in pcfReadFont() due to missing glyph bounds checking in libXfont2 before 2.0.8 a...
CVE-2026-56226
Capgo (Cap-go/capgo) before 12.128.2 exposes the Supabase PostgREST RPC function public.get_orgs_v6(...
CVE-2026-56273
Flowise before 3.1.0 contains a path traversal vulnerability in Faiss and SimpleStore vector store i...
CVE-2026-56297
FreeRDP before 3.22.0 contains a use-after-free vulnerability in dvcman_channel_close and dvcman_cal...
CVE-2026-59703
repomix contains a local file inclusion vulnerability in the git clone endpoint that allows unauthen...
CVE-2026-59871
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-di...
CVE-2026-59892
OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/prop...
CVE-2026-59922
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tild...
CVE-2026-59927
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directiv...
CVE-2026-60001
sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
CVE-2026-6820
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Sc...
CVE-2026-9842
The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in...
CVE-2026-8310
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability i...
CVE-2026-6854
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQ...
CVE-2026-60092
AVideo (Meet plugin) through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross...
CVE-2026-55431
Coder allows organizations to provision remote development environments via Terraform. Prior to vers...
CVE-2026-55433
Coder allows organizations to provision remote development environments via Terraform. Prior to vers...
CVE-2026-55437
Coder allows organizations to provision remote development environments via Terraform. Prior to vers...
CVE-2026-5356
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerab...
CVE-2026-41122
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through...
CVE-2026-56003
A heap buffer overflow due to missing size checking in the property buffer when parsing PCF files in...
CVE-2026-55874
SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot...
CVE-2026-56220
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT p...
CVE-2026-56246
Capgo before 12.128.2 contains a broken access control vulnerability in the organization management ...
CVE-2026-56250
Capgo before 12.128.2 allows upload-scoped API keys to modify the mutable app_versions.r2_path field...
CVE-2026-56293
Capgo before 12.128.2 contains an authorization flaw in transfer_app() that fails to update deploy_h...
CVE-2026-3144
IBM API Connect 12.1.0.0 through 12.1.0.3 uses default credentials which could allow an attacker to ...
CVE-2026-56775
n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization vulnerability in three mutating ev...
CVE-2026-56778
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an authorization bypass in the Public API execut...
CVE-2026-59261
OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files ...
CVE-2026-59731
Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions...
CVE-2026-59870
js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.1, YAML11_SCHEMA support for t...
CVE-2026-59877
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, p...
CVE-2026-59890
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python...
CVE-2026-15053
Tanium addressed a denial of service vulnerability in Tanium Server.
CVE-2026-59923
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_ur...
CVE-2026-53482
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through...
CVE-2026-60102
Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in t...
CVE-2026-6230
The Tainacan plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geoquery'...
CVE-2026-55430
Coder allows organizations to provision remote development environments via Terraform. Prior to vers...
CVE-2026-8315
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability i...
CVE-2026-9700
The Eventer plugin for WordPress is vulnerable to time-based SQL Injection via the ‘code’ parameter ...
CVE-2026-54652
Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} end...
CVE-2026-55429
Coder allows organizations to provision remote development environments via Terraform. Prior to vers...
CVE-2026-11798
The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is...
CVE-2026-10570
The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scr...
CVE-2026-14489
The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file ty...
CVE-2026-55432
Coder allows organizations to provision remote development environments via Terraform. Prior to vers...
CVE-2026-11903
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability i...
CVE-2026-55436
Coder allows organizations to provision remote development environments via Terraform. Starting in v...
CVE-2026-55438
Coder allows organizations to provision remote development environments via Terraform. Prior to vers...
CVE-2026-14500
The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in v...
CVE-2026-55668
File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the neares...
CVE-2026-14495
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Ra...
CVE-2026-12097
The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to...
CVE-2026-22927
Omnissa Workspace ONE® Tunnel for Windows addresses a Local Privilege Escalation Vulnerability.
CVE-2026-15044
A flaw was found in the TrustyAI Service Operator. When deploying services like gorch or NemoGuardra...
CVE-2026-44840
Dgraph is an open source distributed GraphQL database. Prior to version 25.3.4, the `checkUserPasswo...
CVE-2026-10698
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Tra...
CVE-2026-10699
Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom...
CVE-2026-56284
Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabas...
CVE-2026-14250
The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versi...
CVE-2026-29007
U-Boot through 2026.04-rc3 contains an out-of-bounds read vulnerability in tcp_rx_state_machine() (n...
CVE-2026-29009
U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs...
CVE-2026-56359
n8n before 2.8.0 contains a cross-site scripting vulnerability in the credential management flow whe...
CVE-2026-29008
U-Boot through 2026.04-rc3 contains an integer underflow vulnerability in the tcp_rx_state_machine()...
CVE-2026-56437
Uncontrolled search path element issue exists in Pupsman versions prior to 3.9.0. If a crafted DLL f...
CVE-2026-56776
n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization bypass in the POST /workflows/{wor...
CVE-2026-57439
CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, th...
CVE-2026-57895
Incorrect default permissions issue exists in Pupsman versions prior to 3.9.0. An attacker can place...
CVE-2026-58656
Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and respo...
CVE-2026-59262
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit...
CVE-2026-59724
Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before ...
CVE-2026-59725
Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before ...
CVE-2026-59868
js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled...
CVE-2026-59869
js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0...
CVE-2026-59887
linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: sch...
CVE-2026-14482
The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and i...
CVE-2026-59896
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 be...
CVE-2026-50813
An issue in SQLite before Fossil check-in 869a51ae84df allows a local attacker to obtain sensitive i...
CVE-2026-59924
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() join...
CVE-2026-59925
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of we...
CVE-2026-14244
The Jssor Slider by jssor.com plugin for WordPress is vulnerable to Directory Traversal in all versi...
CVE-2026-15033
A flaw has been found in christopherthielen check-peer-dependencies up to 4.3.4. Affected by this vu...
CVE-2026-55490
OpenWrt is a Linux operating system targeting embedded devices. Before v25.12.5, an integer underflo...
CVE-2026-55434
Coder allows organizations to provision remote development environments via Terraform. Starting in v...
CVE-2026-55427
Coder allows organizations to provision remote development environments via Terraform. Prior to vers...
CVE-2026-55418
FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handl...
CVE-2026-55428
Coder allows organizations to provision remote development environments via Terraform. Prior to vers...
CVE-2026-55078
Coder allows organizations to provision remote development environments via Terraform. Starting in v...
CVE-2026-55076
Coder allows organizations to provision remote development environments via Terraform. Prior to vers...
CVE-2026-55077
Coder allows organizations to provision remote development environments via Terraform. Prior to vers...
CVE-2026-11610
A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). A...
CVE-2026-54607
FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta4, the HTTP-tool OpenAPI s...
Low Severity (1.0 - 4.9)
CVE-2026-14966
BBOT's unarchive module rejects archives containing symlink entries before extra...
CVE-2026-14967
BBOT's `github_workflows` module could be induced to write a downloaded artifact...
CVE-2026-14362
HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service i...
CVE-2026-56374
ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the...
CVE-2026-59996
scp in OpenSSH before 10.4 may place a file in the parent directory of an intend...
CVE-2026-12936
The Recurio – Ultimate Subscription for WooCommerce plugin for WordPress is vuln...
CVE-2026-56362
ImageMagick before 7.1.2-15 contains a heap-buffer-overflow read vulnerability i...
CVE-2026-59930
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, ...
CVE-2026-59995
sftp in OpenSSH before 10.4 does not properly constrain the location of download...
CVE-2026-6371
Improper neutralization of input during web page generation ('cross-site scripti...
CVE-2026-54344
ToolJet is an open-source low-code platform for building internal tools. Prior t...
CVE-2026-56298
Capgo before 12.128.2 fails to strip EXIF metadata from images uploaded via the ...
CVE-2026-56360
n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on...
CVE-2026-58657
Grav before 2.0.0 (affected through 2.0.0-rc.9 and the 2.0 branch) contains a st...
CVE-2026-59883
Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not rest...
CVE-2026-59897
Hono is a Web application framework that provides support for any JavaScript run...
CVE-2026-15034
A vulnerability has been found in flask-dashboard Flask-MonitoringDashboard up t...
CVE-2026-59998
sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSA...
CVE-2026-60000
sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service...
CVE-2026-56217
Capgo before 12.128.2 contains a policy bypass vulnerability in app_versions upd...
CVE-2026-9731
The Wp Js Detect plugin for WordPress is vulnerable to Cross-Site Request Forger...
CVE-2026-12002
The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPr...
CVE-2026-59997
internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command...
CVE-2026-12041
The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is vulnerable t...
CVE-2026-55873
SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, reques...
CVE-2026-15041
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verificatio...
CVE-2026-58654
The Grav API plugin (getgrav/grav-plugin-api) 1.0.0 contains an unrestricted fil...
CVE-2026-59876
protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8....
CVE-2026-59882
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to ...
CVE-2026-15036
A vulnerability was determined in Harness up to 2.28.2. This vulnerability affec...
CVE-2026-53480
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release ver...
CVE-2026-55592
Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace v...
CVE-2026-55079
Coder allows organizations to provision remote development environments via Terr...
CVE-2026-59927
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionError, and crash the rendering request. This issue is fixed in version 3.3.0.
CVE-2026-57439
CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts __proto__ as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript into HTML output. This issue is fixed in version 11.2.0.
CVE-2026-49146
App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack sized the before-context buffer to that value, so a project .ackrc setting --before-context=100000000 made ack allocate a buffer of 100 million elements. A project .ackrc committed to an untrusted repository can abort ack with an out-of-memory condition.
CVE-2026-6818
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'special_requests' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-56003
A heap buffer overflow due to missing size checking in the property buffer when parsing PCF files in libXfont2 ComputeScaledProperties() before libXfont2 before 2.0.8 could be used by attackers using authenticated X clients to execute code within the X server.
CVE-2026-55873
SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated low-privileged S3 user to enumerate administrator-owned table bucket names and ARNs. This issue is fixed in version 4.34.
CVE-2026-15033
A flaw has been found in christopherthielen check-peer-dependencies up to 4.3.4. Affected by this vulnerability is the function shelljs.exec of the file dist/packageUtils.js of the component peerDependencies. This manipulation causes os command injection. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-56359
n8n before 2.8.0 contains a cross-site scripting vulnerability in the credential management flow where authenticated users can inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields. Attackers can craft malicious credentials and trick victims into clicking the OAuth authorization button, executing arbitrary scripts in their browser session with the victim's privileges.
CVE-2026-59882
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost() does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost() to disagree with the URI authority used for security or routing decisions. This issue is fixed in version 2.12.3.
CVE-2026-24697
An OS command injection vulnerability exists in the start_bonjour() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The wan_hostname configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
CVE-2026-56246
Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key (limited_to_orgs) inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mode API key restricted to one organization, that key can still perform destructive operations (e.g., DELETE /organization, DELETE /organization/members) against another organization. The root cause is route-level authorization (rbac_check_permission_direct) that evaluates the key owner's user privileges before enforcing the API key's limited_to_orgs scope.
CVE-2026-56401
Wazuh wazuh-modulesd before 5.0.0-beta3 contains a null pointer dereference vulnerability in inventory_sync FlatBuffer DataValue handling. An enrolled agent can send a verifier-valid DataValue message omitting the optional id field, causing wazuh-modulesd to crash when dereferencing data->id()->string_view() without null validation, resulting in denial of service.
CVE-2026-9074
IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.
CVE-2026-55429
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. No known workarounds are available.
CVE-2026-59874
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18.
CVE-2026-6371
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Limatek System Inc. LimRAD NAC allows Stored XSS. This issue affects LimRAD NAC: through 08072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-6459
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles sourced from The Events Calendar. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-50812
A NULL pointer dereference in the SQLite Session Extension in SQLite 3.53.1 and SQLite trunk builds before check-in e807d4e3798efd53 allows an attacker who can supply a malformed changeset blob to cause a denial of service. The issue occurs when sqlite3changeset_apply_v3() applies a corrupt changeset and reaches sqlite3_value_type() with a NULL sqlite3_value pointer.
CVE-2026-58654
The Grav API plugin (getgrav/grav-plugin-api) 1.0.0 contains an unrestricted file upload vulnerability in the avatar upload endpoint (/api/v1/users/user/avatar). The endpoint validates only the client-declared MIME type (getClientMediaType) beginning with 'image/' and does not inspect the actual file content or restrict the resulting extension, allowing an authenticated user to store arbitrary content — including PHP code, SVG with embedded JavaScript, and polyglot payloads — under user/accounts/avatars/ with predictable filenames. Direct HTTP access to the stored files is blocked by .htaccess (returns 403), but the files persist on disk and could lead to remote code execution or stored XSS in the presence of a path traversal flaw or server misconfiguration. Fixed in 1.0.1.
CVE-2026-10708
This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.
CVE-2026-15067
Snowflake Terraform Provider versions prior to 2.18.0 contain several security vulnerabilities, including SQL injection via an unsanitized data source input could result in arbitrary SQL execution under the provider's privileged Snowflake session, potentially enabling sensitive data exfiltration and minting of long-lived access credentials. Exploitation requires the ability for an attacker to influence a workspace variable in a pipeline where this data source was enabled. Improper neutralization of identifier content in user resource inputs could allow DDL injection into user management statements, potentially causing accounts to be created with attacker-controlled credentials and without the security controls configured by the operator. The fix is available in Snowflake Terraform Provider version 2.18.0. Users must manually upgrade.
CVE-2026-59262
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.
CVE-2026-55874
SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side copy. This issue is fixed in version 4.34.
CVE-2026-6742
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'additional' parameter in all versions up to, and including, 2026.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-59257
n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated {{ ... }} expression values directly into the raw SQL string without parameterization. When a workflow uses this operation with expression-sourced values and is connected to an externally-reachable trigger (such as a Webhook node), attacker-controlled input reaching those expressions results in SQL injection, allowing execution of arbitrary SQL with the configured MySQL credentials' privileges. The MySQL v2 node, which uses parameterized queries, is not affected.
CVE-2026-59880
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.
CVE-2026-15063
A flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even when authentication is enabled, the gorch service exposes unproxied orchestrator and detector metrics ports. This allows any pod on the cluster network to directly access these ports, bypassing the kube-rbac-proxy and its authentication mechanisms. This could lead to unauthorized access to the orchestrator and detector metrics.
CVE-2026-15034
A vulnerability has been found in flask-dashboard Flask-MonitoringDashboard up to 5.0.2. Affected by this issue is some unknown functionality. Such manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-58657
Grav before 2.0.0 (affected through 2.0.0-rc.9 and the 2.0 branch) contains a stored CSS injection vulnerability in the Markdown image resize() media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute() fallbacks, but the resize() action in Excerpts::processMediaActions() writes caller-controlled values directly into the image's styleAttributes. A lower-privileged content editor who can edit page Markdown can store a crafted image URL with semicolon-delimited CSS declarations in the resize parameters, which are rendered into the final <img style=...> attribute when a higher-privileged reviewer/admin views the page or preview. This does not require JavaScript execution but enables UI redress/overlay and content-manipulation attacks (e.g., a full-viewport fixed overlay). Fixed in 2.0.0.
CVE-2026-59261
OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries.
CVE-2026-14158
The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action combined with insufficient sanitization of the 'nwlv[cod-tag]' parameter before storage and subsequent use in an eval() call. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.
CVE-2026-59725
Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated attacker to exhaust server-side connections and sockets. This issue is fixed in version 6.6.7.
CVE-2026-59703
repomix contains a local file inclusion vulnerability in the git clone endpoint that allows unauthenticated attackers to read arbitrary local git repositories. The isValidRemoteValue function in src/core/git/gitRemoteParse.ts fails to block file:// URLs, permitting attackers to supply file:// scheme URLs that bypass validation and are passed directly to git clone, enabling unauthorized access to all tracked file contents on the server filesystem.
CVE-2026-59887
linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2.
CVE-2026-58656
Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: *, allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token from access logs, proxy logs, browser history, or Referrer headers can create persistent backdoor super-admin accounts and exfiltrate sensitive configuration and user data.
CVE-2026-59938
pypdf is a free and open-source pure-python PDF library. Prior to 6.14.0, an attacker can craft a PDF with declared image size values that are much too large compared to the actual data, causing large memory usage in pypdf image parsing. This issue is fixed in version 6.14.0.
CVE-2026-56776
n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization bypass in the POST /workflows/{workflowId}/test-runs/new endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a workflow can trigger a real evaluation test run, causing the workflow to execute via the internal workflow runner and resulting in unintended outbound API calls, data mutations, or other side effects in connected downstream systems. The issue primarily affects instances using the Evaluations feature where RBAC project roles grant workflow:read without workflow:execute.
CVE-2026-59869
js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.
CVE-2026-59724
Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such as __proto__ through an inherited property of the clients object during WebTransport upgrade handling, causing a TypeError and denial of service. This issue is fixed in version 6.6.7.
CVE-2026-49145
App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added --follow to the blocklist; --files-from remains accepted. A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines.
CVE-2026-60102
Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.
CVE-2026-59923
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version 3.3.0.
CVE-2026-10706
In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.
CVE-2026-3144
IBM API Connect 12.1.0.0 through 12.1.0.3 uses default credentials which could allow an attacker to gain unauthorized access to the application before the system enforces a credential update.
CVE-2026-14966
BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted during a scan (for example via filedownload), bypassed the guard and caused an attacker-controlled symlink to be written into the extraction directory. The effect is limited to planting the symlink (its target is not written through), and only hosts using such a legacy p7zip build are affected; current mainline 7-Zip is not.
CVE-2026-59922
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
CVE-2026-59870
js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.1, YAML11_SCHEMA support for the !!omap tag in src/tag/sequence/omap.ts uses omapTag.addItem() to perform a linear duplicate-key scan on every insertion, causing O(n^2) CPU consumption when yaml.load() parses a crafted ordered-map document. This issue is fixed in version 5.2.1.
CVE-2026-56220
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3_path values that are served to devices via the unauthenticated /updates endpoint, enabling OTA metadata poisoning and potential malicious asset delivery.
CVE-2026-55432
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template's `MaxPortSharingLevel` before persisting workspace apps, letting a workspace owner exceed the administrator's configured maximum. Exploitation requires the ability to register sub-agent apps in a workspace the attacker controls. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2clamps the sub-agent app sharing level to the template's `MaxPortSharingLevel`. As a workaround, disable wildcard app hostnames (`CODER_WILDCARD_ACCESS_URL`) to block subdomain-based app routing.
CVE-2026-55430
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middleware strips `X-Forwarded-Host` before routing and the header is not browser-forbidden so client-side JavaScript can set it on `fetch()` calls. Practical exploitation requires subdomain app routing (wildcard hostname) enabled, a victim who visits the attacker's shared app and a deployment whose upstream proxy does not strip `X-Forwarded-Host`. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts `X-Forwarded-Host` only from configured trusted proxies and otherwise resolves the routing host from the verified request host. As a workaround, place an upstream reverse proxy that strips or overwrites `X-Forwarded-Host` on untrusted requests.
CVE-2026-15062
SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database column names to escalate privileges via the DataFrameReader.dbapi() API by supplying a specially crafted location parameter to DataFrameWriter write methods to redirect a COPY INTO to an arbitrary source query, or by including a backslash-single-quote sequence in an export path to defeat the normalize_path() sanitizer and inject SQL via DataFrame.to_csv(). Successful exploitation may result in source database compromise, unauthorized cross-tenant data exfiltration, or unauthorized read of Snowflake account data.
CVE-2026-14500
The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouw_fetch_csv_data() AJAX handler being registered on the wp_ajax_nopriv_ hook with no capability or nonce check, and passing the attacker-supplied csv_url POST parameter — filtered only by esc_url_raw() (which leaves absolute filesystem paths intact) and validate_file() (which only rejects '..' traversal patterns) — directly into fopen()/fgetcsv() and reflecting the first parsed line in the JSON response. This makes it possible for unauthenticated attackers to read the first line of arbitrary files on the server (such as /etc/passwd) and to use the handler as a file-existence oracle.
CVE-2026-12041
The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2026-11798
The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'heateor_mastodon_share' parameter in all versions up to, and including, 7.14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2026-59996
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
CVE-2026-59895
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class attribute during server-side rendering to break out of the attribute and inject arbitrary markup. This issue is fixed in version 4.12.27.
CVE-2026-60125
MISP’s importModule() path used getEnabledModule() to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by getEnabledModules(). As a result, an authenticated user from an organisation that was not allowed to use a module restricted via Plugin.Import_<module>_restrict could still invoke that import module directly if they knew its name. This could allow unauthorised access to restricted import-module functionality and, depending on the module and the user’s event permissions, may allow unauthorised import or modification of event data through a module that should have been unavailable to the user’s organisation.
CVE-2026-56360
n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious data.
CVE-2026-60124
An authorization bypass in MISP’s EventsController::importModule() allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the misp_standard format, the write path did not verify event modification rights before saving the module output. This could allow a view-only user to inject or alter event data, impacting the integrity of MISP event content. The issue was fixed by enforcing the same modification-rights check used by related module result handling paths before processing misp_standard imports.
CVE-2026-6820
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-55433
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.
CVE-2026-14487
The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The scf_get_id_upload endpoint freely issues a valid scf_upload_file_removal nonce to any unauthenticated visitor, and the removal endpoint's secondary hash check is forgeable offline because it relies on a hardcoded salt embedded in the plugin source, meaning neither control presents a real authorization boundary.
CVE-2026-9731
The Wp Js Detect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.9. This is due to missing or incorrect nonce validation on the plugin_settings function. This makes it possible for unauthenticated attackers to update the plugin's notification text and CSS settings (wp_non_js_notification_text and wp_non_js_notification_css), injecting arbitrary content that is echoed unescaped on the frontend via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-56437
Uncontrolled search path element issue exists in Pupsman versions prior to 3.9.0. If a crafted DLL file is placed in the same folder as the affected installer and the installer is executed, arbitrary code may be executed with SYSTEM privilege.
CVE-2026-14967
BBOT's `github_workflows` module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve `..`, so a crafted `CODE_REPOSITORY` URL could traverse out of the intended folder. The write is bounded to two directory levels above the output location and its target is determined by the operator's configuration, not the attacker.
CVE-2026-6740
The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-15053
Tanium addressed a denial of service vulnerability in Tanium Server.
CVE-2026-59896
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight request to be used after an await in an async component. This issue is fixed in version 4.12.27.
CVE-2026-59875
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in src/pax.ts, allowing a crafted archive with values to reach fs.lstat or fs.open and terminate the process with an uncaught exception. This issue is fixed in version 7.5.17.
CVE-2026-54344
ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a deploy command to execute shell commands on the CI runner and exfiltrate deployment secrets. This issue is reported as fixed in version 3.20.180.
CVE-2026-54652
Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and enabling viewer-to-admin privilege escalation. A fixed release has not been identified.
CVE-2026-56086
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Incorrect Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.
CVE-2026-12936
The Recurio – Ultimate Subscription for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-59925
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0.
CVE-2026-59926
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.
CVE-2026-49147
App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes. When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename. A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.
CVE-2026-56226
Capgo (Cap-go/capgo) before 12.128.2 exposes the Supabase PostgREST RPC function public.get_orgs_v6(userid uuid), which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the authenticated user, an attacker using only the public publishable API key can query POST /rest/v1/rpc/get_orgs_v6 with an arbitrary user UUID to retrieve that user's organization membership, roles, subscription/trial metadata, and management_email (PII).
CVE-2026-60092
AVideo (Meet plugin) through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored (meet_join_log.user_agent) without sanitization (bypassing AVideo's setter-level xss_esc() layer) and later echoed without output encoding (no htmlspecialchars()) in the Participants management panel, which is accessible to the meeting host and site administrators. An anonymous, unauthenticated attacker can join any public meeting while supplying a User-Agent header containing an HTML/JavaScript payload; the payload is persisted and executes in the privileged, authenticated browser session of the meeting host or a site administrator when they open the participant list. The issue was unpatched at the time of the report.
CVE-2026-59873
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk space and CPU. This issue is fixed in version 7.5.19.
CVE-2026-24700
An OS command injection vulnerability exists in the start_lltd() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The machine_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
CVE-2026-56273
Flowise before 3.1.0 contains a path traversal vulnerability in Faiss and SimpleStore vector store implementations that accept unsanitized basePath parameters from authenticated users. Attackers with valid API tokens can write vector store data to arbitrary filesystem locations, potentially enabling code execution or data exfiltration.
CVE-2026-29009
U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c) when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to overflow the 2048-byte nfs_path_buff buffer by returning multiple relative symlink targets that are appended without cumulative length validation. Attackers can send two or more READLINK responses containing relative symlink targets of approximately 1100 bytes each to corrupt adjacent BSS variables including nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, and rpc_id, potentially achieving memory corruption and control over the NFS client state machine.
CVE-2026-10698
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
CVE-2026-59883
Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix matching to domains such as 192.168.0.1, [::1], or 1, allowing cross-host cookie disclosure, cookie injection, or session fixation. This issue is fixed in version 7.12.3.
CVE-2026-14250
The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2. This is due to the handle_frontend_register() function in the unauthenticated /thlogin/v1/register REST endpoint accepting a user-controlled 'role' parameter and validating it only against get_editable_roles() — which returns every defined editable site role, including 'editor' — before passing it to wp_insert_user(). This makes it possible for unauthenticated attackers, when public user registration is enabled, to create new accounts with the editor role.
CVE-2026-59868
js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in version 5.2.0.
CVE-2026-59929
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:, and res: to reach rendered href and src attributes and potentially execute script in affected user agents. This issue is fixed in version 3.3.0.
CVE-2026-59871
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handling such as normalizeWindowsPath(entry.path).split('/') to throw an uncaught TypeError. This issue is fixed in version 7.5.18.
CVE-2026-60002
ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)
CVE-2026-24698
An OS command injection vulnerability exists in the save_syslog_to_file() function of the "httpd" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The model_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
CVE-2026-22927
Omnissa Workspace ONE® Tunnel for Windows addresses a Local Privilege Escalation Vulnerability.
CVE-2026-39822
On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.
CVE-2026-59997
internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
CVE-2026-55437
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available.
CVE-2026-14454
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process. An attacker could craft an image with EXIF data that terminates a worker process.
CVE-2026-56284
Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC function public.get_total_metrics(org_id), which is callable by the anon role using only the public sb_publishable_* key. An unauthenticated attacker can probe organization existence and leak sensitive usage metrics including MAU, bandwidth, and install counts by sending POST requests to /rest/v1/rpc/get_total_metrics with valid organization UUIDs.
CVE-2026-9695
An Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 could allow an attacker to gain privileged access to the server.
CVE-2026-11903
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Progress MOVEit Transfer (Ad Hoc module). This issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.
CVE-2026-8307
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Webbeyaz Web Design Mediküm Web allows SQL Injection. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.
CVE-2026-9700
The Eventer plugin for WordPress is vulnerable to time-based SQL Injection via the ‘code’ parameter in all versions up to, and including, 4.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-60001
sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
CVE-2026-10570
The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symp_arfe_replace_content() function, which uses str_replace() to substitute raw ACF field values (retrieved via get_field()) directly into Elementor-rendered HTML without any escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-8315
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Webbeyaz Web Design Mediküm Web allows Stored XSS. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.
CVE-2026-44840
Dgraph is an open source distributed GraphQL database. Prior to version 25.3.4, the `checkUserPassword` GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL `checkpwd()` query via `fmt.Sprintf` without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks. Version 25.3.4 patches the issue.
CVE-2026-15036
A vulnerability was determined in Harness up to 2.28.2. This vulnerability affects the function getAuthorizedSpaces of the file app/api/controller/gitspace/list_all.go of the component gitspaces Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-56002
A heap bufferflow in pcfReadFont() due to missing glyph bounds checking in libXfont2 before 2.0.8 allows attackers authenticated as X client to execute code within the X server.
CVE-2026-56217
Capgo before 12.128.2 contains a policy bypass vulnerability in app_versions update enforcement that allows app-scoped API keys to downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly update the app_versions table via PostgREST to clear session_key and key_id fields, bypassing organization-enforced encrypted-bundle policies and weakening OTA security controls.
CVE-2026-56843
Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user.
CVE-2026-50813
An issue in SQLite before Fossil check-in 869a51ae84df allows a local attacker to obtain sensitive information via the Session Extension changeset concat/changegroup merge path
CVE-2026-14244
The Jssor Slider by jssor.com plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.1.24 via the 'url' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
CVE-2026-55431
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. Practical exploitation requires the victim to run `coder open app` against a workspace whose external app definition the attacker controls. Only a malicious template author can control external app URLs. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 applies a URL-scheme allowlist in the CLI and limits `$SESSION_TOKEN` substitution to trusted destinations like the web frontend. As a workaround, avoid running `coder open app` for untrusted workspaces.
CVE-2026-9701
The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user requests a password reset. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-9700), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. Note: The password reset function only works up to PHP version 7.4.
CVE-2026-55436
Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, the AI Bridge Proxy (`aibridgeproxyd`) created a goproxy server whose default transport set `InsecureSkipVerify: true` and only assigned a secure transport when an upstream proxy was configured. In the default configuration (no upstream proxy), outbound HTTPS to the Coder access URL accepted any TLS certificate. Practical exploitation requires an on-path (man-in-the-middle) position between the AI Bridge Proxy and the Coder server. Deployments where they are co-located over loopback are effectively unaffected. The fix in versions 2.32.7, 2.33.8, and 2.34.2 applies the secure transport (TLS 1.2 or higher using system root CAs) unconditionally. As a workaround, ensure the Coder access URL uses a trusted certificate and secure the network path between the AI Bridge Proxy and the Coder server (for example, loopback or mTLS).
CVE-2026-56293
Capgo before 12.128.2 contains an authorization flaw in transfer_app() that fails to update deploy_history.owner_org when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause the destination organization to lose access to transferred application deployment records.
CVE-2026-9842
The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the `manage_options` capability to the `backstage_customizer_user` demo role, which is more permissive than necessary for Customizer-only demo access. This makes it possible for unauthenticated attackers to navigate beyond the Customizer and update arbitrary WordPress options such as `default_role`, leading to privilege escalation.
CVE-2026-55668
File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled files outside the user's scope. This issue is fixed in version 2.63.16.
CVE-2026-8310
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Webbeyaz Web Design Mediküm Web allows Reflected XSS. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.
CVE-2026-56374
ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the FTXT encoder due to missing boundary checks when parsing ftxt:format. Remote attackers can trigger an out of bounds read by crafting malicious FTXT image files to cause denial of service or information disclosure.
CVE-2026-53480
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper limitation of a pathname to a restricted directory ('path traversal') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized file modification.
CVE-2026-59998
sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.
CVE-2026-6230
The Tainacan plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geoquery' parameter in all versions up to and including 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-56297
FreeRDP before 3.22.0 contains a use-after-free vulnerability in dvcman_channel_close and dvcman_call_on_receive due to improper synchronization of channel_callback access. A malicious RDP server can trigger a race condition by sending DYNVC_DATA and DYNVC_CLOSE messages concurrently, causing heap-use-after-free in the drdynvc client thread and potentially enabling remote code execution or denial of service.
CVE-2026-5356
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it possible for unauthenticated attackers to pay an arbitrary amount by supplying a previously succeeded PaymentIntent token.
CVE-2026-12153
The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository on the vulnerable site.
CVE-2026-14482
The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. The vulnerability exists due to a missing capability and nonce check on a directly web-accessible API endpoint, combined with a trivially forgeable HMAC-SHA1 signature keyed on an always-empty WordPress option, which allows the endpoint's `update_option` handler to pass attacker-controlled `option` and `value` parameters directly to WordPress's `update_option` function without any allowlist or sanitization. This makes it possible for unauthenticated attackers to update arbitrary WordPress options — such as setting `default_role` to `administrator` and enabling open registration — and subsequently register an account with full administrator privileges.
CVE-2026-57895
Incorrect default permissions issue exists in Pupsman versions prior to 3.9.0. An attacker can place a malicious executable in the installation folder, which results in arbitrary code execution with SYSTEM privilege
CVE-2026-14489
The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect() function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Custom-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2026-59995
sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
CVE-2026-12378
The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.
CVE-2026-12097
The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the plugin's export field configuration stored in the uiewp_export_field option, controlling which user fields such as password hashes are included in CSV exports and how columns are mapped during imports.
CVE-2026-55438
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the unverified username in the hostname. Practical exploitation requires subdomain app routing (wildcard hostname) enabled and a victim who visits the attacker's crafted app URL while authenticated. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 validates the subdomain username against the resolved workspace's actual owner and bases the same-owner CORS decision on the authoritative owner identity. No known workarounds are available.
CVE-2026-14495
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Because `Pswdless::try_login()` is registered on the unauthenticated `init` hook, resolves the target account by the auto-increment numeric ID embedded in the `?dologin=<id>.<hash>` parameter, performs the hash comparison using a non-constant-time `!=` operator, and then calls `wp_set_auth_cookie()` directly — never passing through `wp_authenticate()` and therefore never triggering the plugin's own `Auth::_has_login_err()` lockout — an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password. Exploitation requires that a valid, unexpired passwordless login link (active for up to 7 days) exists for the target account at the time of the attack, and that the numeric link ID is known or guessable from the auto-increment primary key.
CVE-2026-42505
Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.
CVE-2026-10699
Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
CVE-2026-15035
A vulnerability was found in bentoml OpenLLM 0.6.30. This affects the function async_run_command of the file src/openllm/common.py of the component Model Repository Directory Name Handler. Performing a manipulation of the argument cmd results in command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-53951
Copier is a library and CLI app for rendering project templates. In versions 9.5.0 through 9.15.1, the `trust` setting's prefix match (`copier/_settings.py`) compares the template URL against a trusted prefix with a raw `str.startswith` and no path normalization, while the URL is normalized when the template is actually fetched (`Path.resolve()` for local paths; libcurl dot-segment removal for `https`). A template reference that textually starts with a trusted prefix but contains `..` is therefore granted trust yet resolves to a different, attacker-controlled template, whose `tasks` / `migrations` / `jinja_extensions` then run without the `--trust` prompt — arbitrary command execution. Version 9.15.2 patches the issue.
CVE-2026-59879
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, List#updateIn, and the functional set, setIn, and updateIn mishandle an index or size in the range 2 ** 30 to 2 ** 31 in setListBounds in src/List.js, causing an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values. This issue is fixed in versions 4.3.9 and 5.1.8.
CVE-2026-60000
sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.
CVE-2026-59930
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N values without slugifying the heading text, allowing attacker-controlled id="toc_N" content to collide with generated anchors and redirect same-page navigation, CSS selectors, or JavaScript handlers. This issue is fixed in version 3.3.0.
CVE-2026-53482
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
CVE-2026-59937
pypdf is a free and open-source pure-python PDF library. Prior to 6.14.0, an attacker can craft a PDF with repeated malformed cross-reference streams that cause pypdf to spend long runtimes recovering broken cross-reference table entries. This issue is fixed in version 6.14.0.
CVE-2026-59999
In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
CVE-2026-55761
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In versions 2.39.0 through 2.39.3 and 2.40.0 until 2.43.0, unauthenticated restore and administrator initialization endpoints (/api/restore and /api/users/admin/init) remain accessible during the five-minute setup window for uninitialized instances, allowing a network attacker to restore a crafted backup or create the first administrator account and gain full administrative access. This issue is fixed in versions 2.39.4 and 2.43.0.
CVE-2026-59876
protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key __proto__ to change the prototype of the returned map object instead of creating an own map entry in protobufjs/ext/textformat. This issue is fixed in version 8.6.5.
CVE-2026-59731
Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit, while later rewrite route matching performs an additional decodeURI() operation and can resolve the request to a protected route. This issue is fixed in version 6.4.8.
CVE-2026-59928
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
CVE-2026-59877
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without checking for end of input, so a crafted .proto schema that opens an option declaration and ends prematurely can cause parse, Root.load, or Root.loadSync to loop indefinitely. This issue is fixed in versions 7.6.5 and 8.6.6.
CVE-2026-45659
Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network.
CVE-2026-48558
SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication.
Advanced Persistent Threats (APT)
The Crown Prince, Nezha
Beginning in August 2025, a sophisticated intrusion was discovered where attackers used log poisoning techniques to deploy a web shell on vulnerable phpMyAdmin panels. The threat actors exploited misconfigured web applications to plant China Chopper web shells, controlled via AntSword, before deploying Nezha, an open-source monitoring tool, to facilitate remote command execution. This led to the deployment of Ghost RAT on compromised systems. Analysis revealed over 100 compromised machines, predominantly located in Taiwan, Japan, South Korea, and Hong Kong. The attackers demonstrated technical proficiency through multi-stage operations, utilizing AWS and VPS infrastructure, with indicators pointing to China-nexus threat actors. The campaign highlights increasing abuse of legitimate publicly available tools to achieve malicious objectives while maintaining plausible deniability.
What Is the BabaDeda Loader? Analysis of a New ClickFix Malware Campaign.
The BabaDeda loader family has undergone significant advancements in its capabilities, particularly in stealth, evasion, and payload flexibility. Discovered during April 2026, this evolved framework continues to conceal malicious payloads within seemingly legitimate installer packages while expanding its functionality. The attack methodology begins with a social engineering exploit known as ClickFix, which encourages users to execute commands via trusted operating system utilities. This initial step transitions into a sophisticated multi-stage loader that employs several tactics, including hidden PowerShell commands, in-memory shellcode, DLL sideloading, and external payload storage.
Armored Likho's new weapon: BusySnake Stealer
Kaspersky uncovered a sophisticated phishing campaign by the APT group Armored Likho, deploying a previously undocumented Python-based infostealer dubbed BusySnake Stealer. The campaign targets government agencies and electric power sectors across Russia, Brazil, and Kazakhstan through spear-phishing emails containing malicious EXE or LNK attachments. BusySnake Stealer features advanced obfuscation using PyArmor Pro, extracts credentials from browsers using DPAPI and NSS libraries, captures screenshots, logs keystrokes, scrapes cryptocurrency wallets and 2FA tokens, and establishes reverse SSH tunnels for remote access. The threat actor leverages AI-generated code for first-stage payloads and distributes components via GitHub repositories. The stealer maintains persistence through scheduled tasks and communicates with C2 infrastructure to receive commands dynamically, representing a significant evolution in the group's technical capabilities.
Roblox, Minecraft, and the Insidious Internet for Children
Children are targeted by a sprawling ecosystem of websites exploiting their interest in Roblox and Minecraft through offerwall reward schemes and phishing campaigns. These sites promise free in-game currency in exchange for completing tasks, collecting personal data, enrolling minors in paid subscriptions, and violating platform terms of service that can result in account bans. The infrastructure relies on cheap, disposable hosting with aggressive domain rotation. Using Internet-wide scan data from Censys, this analysis characterizes two categories: offerwall get-paid-to reward sites and credential harvesting generators. The exposed infrastructure handles children's data with minimal security, monetizing their attention at scale through affiliate commissions while presenting significant privacy and security risks.
PamStealer: a Rust-based macOS infostealer that validates credentials through PAM
PamStealer is a two-stage macOS infostealer distributed as a compiled AppleScript impersonating Maccy, a legitimate clipboard manager, hosted on a fake domain. The first stage uses JavaScript for Automation with Objective-C APIs to download payloads while avoiding shell commands. The second stage is a Rust-based Mach-O binary that validates stolen credentials through PAM before harvesting, reads browser databases directly using bundled SQLite, captures clipboard contents repeatedly via pbpaste, and exfiltrates encrypted data using ChaCha20-Poly1305. It establishes persistence through both modern and legacy login item APIs, masquerades as Finder or System Settings, and tricks victims into granting Full Disk Access through counterfeit alerts. The stealer contacts Ethereum RPC endpoints and employs region-based exclusions targeting Apple silicon systems while avoiding Commonwealth of Independent States countries.
AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign
A widespread phishing campaign distributing AsyncRAT and Remcos RATs has been observed targeting organizations across manufacturing, media, professional services, agriculture, and chemical industries globally. The attack leverages malicious Excel spreadsheets sent via emails impersonating business communications like purchase orders and payment advice. When macros are enabled, VBA code retrieves HTA payloads through URL shorteners and Cloudflare Workers infrastructure. The multi-stage infection chain employs heavy obfuscation including Base64 encoding, steganography in PNG files, and character substitution. The campaign intensified during June 2026, affecting organizations across Europe, Asia-Pacific, and the Americas. Infrastructure includes distinctive HTA naming conventions using concatenated positive English words. The operation likely uses automation for payload generation and may leverage LLMs for development efficiency.
Branded Gambling Campaigns: How Scammers Are Exploiting Trusted Brand Names to Drive Casino Traffic
Scam advertising campaigns have been identified that impersonate trusted brands to redirect consumers to unrelated online gambling sites. These operations utilize paid social media advertisements on platforms like Facebook, Instagram, and TikTok, combined with fake app store pages and Progressive Web Apps. The campaigns target UK consumers primarily, with variants observed in German and Spanish. Scammers impersonate major brands including financial institutions like Monzo, Revolut, and Barclays, as well as household names such as Tesco, Amazon, Netflix, and Facebook. The scheme involves three stages: paid ads claiming brands have launched official casino products, fake landing pages mimicking app stores, and PWAs that redirect to gambling sites through affiliate tracking links. Typical affiliate payouts range from $50 to $350 per depositing player, indicating significant financial motivation behind these operations.
Vibe Coded Extortion: Path from Legal Lure to CrownX Ransom Capabilities
A sophisticated multi-stage phishing campaign delivers a previously undocumented framework called Avalon through spoofed legal documents hosted on Proton Drive. The intrusion begins with password-protected archives containing ISO images that execute malicious MSBuild projects, loading payloads entirely in memory without conventional executable attachments. Avalon consolidates credential theft, lateral movement, recovery disruption, and ransomware capabilities within a single framework, with its encryption component branded as CrownX. The framework demonstrates hallmarks of AI-assisted development, rapidly combining multiple post-exploitation capabilities that previously required sustained development effort. Avalon targets browsers, cryptocurrency wallets, messaging platforms, VPN configurations, and infrastructure systems while implementing extensive defense evasion techniques against major security products. The framework disrupts recovery by eliminating Volume Shadow Copies, Windows Recovery Environment...
Indirect Prompt Injection in Web Content Targets AI Agents
AI agents are increasingly vulnerable to indirect prompt injection (IPI) attacks, where malicious instructions are embedded in web content to manipulate AI-driven workflows. Two campaigns were identified that combine SEO poisoning with CSS/HTML abuse to influence AI decision-making. The first campaign uses fake API documentation to trick AI agents into making fraudulent payments for a fake Python library, incorporating hidden instructions in JSON-LD and CSS-concealed content directing payment of $3.00 via Stripe or approximately 0.0012 ETH to attacker wallets. The second campaign employs typosquatting to impersonate DeBank, a cryptocurrency portfolio tracker, embedding hidden prompts to make the fraudulent site appear as an authoritative source. Testing across 26 LLMs revealed 4 models were vulnerable to the payment scam and 2 models misclassified the typosquatting site, demonstrating measurable real-world impact.
GitHub Impersonation Deploys Information Stealer
An internal security operations team identified a fraudulent GitHub page impersonating a cybersecurity vendor to target customers and the general public. The malicious page appeared legitimate by referencing authentic services and operational requirements. While the GitHub page itself contained non-malicious content, a disguised link led victims to download a ZIP archive containing malicious executables. The attack chain deployed BoryptGrab Stealer information-stealing malware through DLL side-loading techniques. Investigation revealed nearly 300 similar repositories impersonating well-known organizations including Malwarebytes, Bitdefender, and 360 Total Security, using SEO keywords to attract victims. The malicious page has been removed and detection capabilities have been enhanced.
A single RedLine C2 pivots into a maritime spear-phishing cluster and attacker-owned infrastructure.
An investigation beginning with a single RedLine Stealer C2 server from VMRay UniqueSignal evolved into uncovering a targeted Business Email Compromise campaign against South Korean maritime infrastructure. The analysis started with IP 194.156.79.122 on port 55615, leveraging fingerprinting techniques through FOFA and VirusTotal to identify additional C2 infrastructure. Pivoting through communicating files revealed spear-phishing emails targeting Kangrim Heavy Industries, a major South Korean marine boiler manufacturer. The campaign delivered Formbook malware through impersonated maritime supply chain companies. Further infrastructure analysis identified seven fraudulent domains hosted on TheHost LLC infrastructure, utilizing similar naming patterns and TLS certificates. The attack demonstrates sophisticated BEC tactics combining malware delivery with social engineering, mimicking legitimate business correspondence within the maritime shipping sector.
RustDuck: An In-Depth Analysis of a Two-Stage Botnet
Since February 2026, a new malware family utilizing a Loader plus Core two-stage architecture has been detected, primarily conducting large-scale DDoS attacks with strong cross-platform capabilities. The family is transitioning from C to Rust programming language, demonstrating rapid evolution in anti-defense and traffic encryption techniques. Propagation methods include weak password brute-forcing via Telnet and SSH, exploitation of IoT device vulnerabilities affecting Android ADB, TVT API, Ruijie, TP-Link, and ZTE devices, plus web component vulnerabilities in ThinkPHP, Jenkins, and YARN. The botnet employs sophisticated anti-debugging mechanisms including environment checks, honeypot detection, and timing verification. Communication protocols leverage Curve25519 key exchange, ChaCha20-Poly1305 and AES-GCM encryption, implementing strict handshake verification processes. Over 20 IPs have been observed spreading the botnet, with multiple variants showing increasingly complex encryption and obfuscation techn
Blacksite: New AiTM Phishing Kit Evades URL Scanners via Cloaked.gg
Blacksite is a newly identified adversary-in-the-middle phishing-as-a-service offering sold alongside Cloaked.gg, a cloaking platform that conceals phishing infrastructure from automated security analysis. The kit operates as a reverse-proxy that intercepts authentication tokens, session cookies, and 2FA codes in real time, enabling full account takeover even against MFA-protected accounts. Cloaked.gg blocks traffic from AWS, Google Cloud, and Azure networks while serving AI-generated decoy pages to suspected scanners, making malicious URLs appear benign during automated analysis. Priced between $600-$1,000 monthly, the service commercializes sophisticated AiTM techniques, lowering technical barriers for attackers. The pairing of credential theft capabilities with anti-detection infrastructure creates a split-view environment where security tools see harmless content while intended victims are routed to live phishing pages targeting consumer, financial, and enterprise identity systems.
Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula
In May 2026, an attack campaign targeting banking users in Spain and Portugal was identified involving the Ousaban banking Trojan. The malware, previously active in Brazil, spreads through phishing PDFs that redirect victims to malicious webpages performing environment checks to ensure targets are located in Spain or Portugal. The attack chain involves VBS scripts downloading steganographic images containing the payload, which is then dropped and executed on victims' systems. Ousaban establishes persistence, monitors banking activity across multiple financial institutions, and uses daily-changing DDNS domains to resolve C2 server addresses. The malware employs screenshot capture, keylogging, clipboard injection, and remote control capabilities to steal banking credentials. It utilizes custom encryption algorithms and geofencing techniques to evade detection and limit exposure to intended targets.
Iran-Nexus Disseminates MarkiRAT Surveillance Tool
TAG-182, an Iran-nexus threat cluster, is conducting surveillance operations targeting Iranian citizens both domestically and abroad using MarkiRAT malware. The group distributes fake Android applications masquerading as VPN services and media players through social media platforms, particularly Instagram. Following Iran's partial internet restoration in May 2026 after an 88-day shutdown, these surveillance activities have intensified as Iranian security apparatus seeks to monitor perceived dissidents and anti-government activists. MarkiRAT samples demonstrate tradecraft overlaps with previously documented Ferocious Kitten operations, including use of Background Intelligent Transfer Service (BITS). The group operates infrastructure across multiple autonomous systems, utilizing domains with naming conventions mimicking legitimate services like Microsoft, Google, and Facebook.
How a single ScreenConnect incident exposed a massive campaign
A massive campaign distributes malicious installer archives hosted on spoofed websites masquerading as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam. Over 90 domain names localized across 10 languages were discovered. The malicious archives bundle a legitimate Microsoft-signed install.exe binary with a rogue install.res.1033.dll library deployed via DLL sideloading. This installs the ScreenConnect remote access service, which then deploys AsyncRAT payloads through PowerShell and VBS scripts. The threat actors leverage SEO techniques to position fraudulent sites at the top of search engine results, targeting both individual users and corporate networks. The infrastructure spans three IP addresses with domains registered between October 2025 and March 2026, creating a global footprint with multi-language support.
Phishing in the Balkans: Fake Traffic Fines, Real Losses
An active SMS phishing campaign targets Serbian road users by impersonating Putevi Srbije, Serbia's state road authority. Victims receive text messages claiming they have unpaid traffic fines with urgent payment demands. The fraudulent links lead to cloned government websites designed to steal payment card details. The infrastructure employs JavaScript-based obfuscation techniques to evade automated security scanners and uses disposable domains with uncommon TLDs. Technical analysis reveals connections to both Darcula and Phoenix Phishing-as-a-Service platforms, indicating fraudsters are combining tools from multiple PhaaS vendors. The operation demonstrates coordinated roles including infrastructure setup, SMS distribution, and data harvesting. Similar campaigns have targeted victims globally across government bodies, postal services, and financial institutions.
Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique
Check Point Research discovered a novel browser-native ransomware technique that emerged from AI-generated code attributed to DeepSeek. The attack leverages the File System Access API in Chromium browsers to encrypt files without requiring native payloads, exploits, or app installations. A malicious sample disguised as an AI image upscaler was analyzed, revealing how LLMs can connect theoretical platform risks to practical attack workflows. The technique is particularly concerning on Android, where Chrome allows web pages to access photo directories after user approval through legitimate permission prompts. By using social engineering with a fake AI enhancement tool, attackers can persuade victims to grant folder-level access, enabling file exfiltration and encryption entirely within the browser. This demonstrates how frontier AI models can autonomously design novel attack chains by reasoning across existing knowledge.
Inside an affiliate panel targeting Microsoft 365
Cisco Talos discovered ARToken, a sophisticated phishing-as-a-service panel sharing infrastructure and operational patterns with the EvilTokens platform. The panel exposes over 80 API endpoints enabling device code phishing, Primary Refresh Token persistence, email access, business email compromise operations, and SharePoint exfiltration through a React-based dashboard. The platform deploys a seven-layer anti-analysis system combining client-side behavioral verification with XOR-encrypted payloads. ARToken abuses Microsoft's OAuth 2.0 Device Authorization Grant to bypass multi-factor authentication entirely. Analysis reveals post-compromise capabilities including token management across password resets, automated BEC operations, inbox rule manipulation for evidence suppression, cross-account keyword monitoring, and SharePoint file operations. The platform operates as multi-tenant infrastructure with subscription-based affiliate access, representing a complete operations environment rather than simple phish...
An Analysis of ValleyRAT Infection Campaigns from Fake Installers, Japanese Malicious Emails
LevelBlue has identified two distinct ValleyRAT attack vectors: campaigns using fake installers and malicious email-based campaigns. Detection volume increased significantly from May 2025, nearly doubling in 2026. The fake installer attacks primarily target Chinese-speaking users and employ advanced techniques including Pool Party Variant 7 process injection and BYOVD methods. The malicious email campaigns target both Chinese and Japanese-speaking users, delivering ZIP archives containing EXE and DLL files that leverage DLL sideloading. The malware employs multiple evasion techniques including junk code insertion, memory size checks, sleeping duration checks, process count validation, and fileless execution using Donut-generated shellcode. ValleyRAT establishes persistence through registry modification and enables remote access capabilities for threat actors.
Not very gentlemanly: Analyzing a zero-day exploit used to disable targets' EDRs
The Gentlemen ransomware group, which emerged in July 2025, employed a zero-day vulnerability in a bring-your-own-vulnerable-driver (BYOVD) attack to disable endpoint detection and response systems. During an incident investigated in early April, the group leveraged an obscure third-party driver named ktapi.sys from Kontron to bypass security protections. The sophisticated exploit chains multiple advanced techniques to navigate Windows exploit mitigations, including bypassing Supervisor Mode Access Prevention and Supervisor Mode Execution Prevention. The toolkit enables the attackers to call privileged kernel mode functions from user mode processes, ultimately terminating EDR processes including Windows Defender, ESET, Palo Alto Cortex XDR, and SentinelOne. The vulnerability had no prior public documentation and was previously absent from vulnerable driver blocklists.
India's government and energy sectors targeted with ZOHOMURK and MINIRECON
Mustang Panda orchestrated two concurrent espionage campaigns targeting Indian government entities and hydropower infrastructure between May and June 2026. The campaigns leveraged DLL sideloading via legitimate executables to deploy newly identified malware including SHARDLOADER, MINIRECON, and ZOHOMURK. MINIRECON represents an evolution of Toneshell with WebSocket-based command-and-control capabilities, while ZOHOMURK abuses Zoho WorkDrive cloud services for C2 communications and data exfiltration. Distribution occurred through spear-phishing with lures themed around India-Taiwan cooperation agreements and hydropower projects. The activity demonstrates code overlaps with previous tooling, infrastructure proximity to known operations, and targeting patterns aligned with Chinese strategic intelligence collection priorities. Multiple compromised government systems were identified, with coordination conducted through CERT-In for victim notification and remediation.
The Gentlemen are knocking: сustom backdoors and evolving tactics
The Gentlemen ransomware-as-a-service group emerged as a top-10 threat actor in the first half of 2026. The group exploits vulnerabilities in internet-facing devices like VPNs and firewalls, potentially collaborating with initial access brokers. They employ comprehensive reconnaissance using tools like SharpADWS, NetScan, and Advanced IP Scanner, capturing network traffic with netsh. The attackers disable security products through BYOVD techniques using vulnerable drivers, and deploy custom Go-based backdoors and ransomware variants. They spread laterally via GPO deployment and PsExec, encrypt files using Curve25519 and XChaCha20, and recently developed a C-based ransomware variant using AES256-GCM and RSA. The group targets multiple industries worldwide, particularly in Brazil, China, Indonesia, Taiwan, and Thailand, with attacks focusing on manufacturing, IT services, healthcare, and financial sectors.
AsyncRAT and Remcos delivered in an optimistic campaign
A global phishing campaign targets business functions with emails carrying malicious Excel attachments that initiate a multi-stage infection chain when macros are enabled. The attack uses layered obfuscation, including HTA scripts, PowerShell, encoded payloads, and steganography in PNG files, to deliver and execute Remote Access Trojans such as Remcos and AsyncRAT in a largely fileless manner. It achieves scale and persistence through high variability, automation, disposable infrastructure, and consistent patterns that help evade detection despite relatively simple techniques.
3CXDesktopApp Intrusion Campaign Prevention
A sophisticated supply chain attack compromised the legitimate 3CXDesktopApp softphone application across Windows, macOS, and Linux platforms. The malicious activity involved trojanized signed installers that deployed a compromised ffmpeg.dll binary, establishing HTTPS beacons to attacker-controlled infrastructure and enabling second-stage payload deployment. Analysis revealed the attack utilized specific beacon structures and encryption keys matching infrastructure patterns, with hands-on-keyboard activity observed in targeted cases. The operation affected multiple platforms through signed MSI installers containing malicious components. The attack demonstrated advanced tradecraft through abuse of trusted software distribution channels, requiring immediate removal of affected versions and deployment of behavioral detection capabilities to identify malicious beaconing activity.
Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind
An exposed attacker server has unveiled FortiBleed, a large-scale credential-compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways globally. This operation involved credential harvesting through reuse, brute force, and hash cracking using a distributed GPU infrastructure with approximately 36 rented GPUs via Hashtopolis. The exposed directory contained 319 files revealing scanning tools, cracking infrastructure, credential databases, post-exploitation toolkits, and active VPN configurations. While initially reported as affecting 21,632 domains, analysis of the attacker's own tooling reveals only 918 organizations showed evidence of internal network compromise, with merely 148 confirmed cases where credentials were fully cracked. The operation ultimately aimed to sell initial access to compromised networks, with victims spanning 194 countries, predominantly India, United States, and Taiwan.
Threat Actors Weaponizing RAR Archives to Target Thailand's Healthcare Sector
An active malware campaign is targeting Thailand's healthcare sector, including Ministry of Health personnel and affiliated organizations. The operation leverages healthcare-themed spear-phishing lures distributed through malicious RAR archives containing obfuscated batch scripts and executable payloads. The infection chain employs multiple stages of obfuscation, GitHub-hosted payload delivery, and persistence mechanisms. The final payload is a Python-based information stealer designed to harvest browser credentials, session data, and cookies, with exfiltration attempts through Telegram Bot API. The campaign demonstrates sophisticated tradecraft including Rouki-obfuscated batch loaders, Startup folder persistence, and bundled Python interpreters. Active operational window spans from April to June 2026, with all samples uploaded from Thailand.
Operation Poisson – Analyzing a Cybercriminal’s Entire Operation
A comprehensive analysis of 339 commands issued by a French-speaking threat actor nicknamed 'Poisson' over 33 days, targeting a French automotive small business and four French individuals. The attacker utilized a multi-stage fileless attack deploying a 70-line Python keylogger to harvest banking and email credentials. The operation leveraged free-tier infrastructure including Havoc C2 framework, Backblaze B2 storage, and DuckDNS. Most significantly, the attacker installed OpenSSH and Tailscale VPN on victim machines, creating persistent access that survived C2 server takedown. When the C2 went offline for 18 days, the attacker's access remained intact through the VPN mesh, demonstrating that VPN-mesh-based persistence is actively used in real-world intrusions and that traditional C2 takedown is insufficient for remediation.
Analysis of Gamaredon campaign targeting Ukraine weaponizing CVE-2025-8088
A campaign exploiting the WinRAR path-traversal vulnerability CVE-2025-8088 has been actively targeting Ukraine since February 2026, with ongoing activity through June 2026. The operation uses Ukrainian military and conscription-themed documents as lures, distributed as RAR archives. The malicious archives contain NTFS alternate data streams with path-traversal sequences that automatically place LNK files into the Windows Startup folder upon extraction. These shortcuts execute hidden PowerShell stagers incorporating anti-analysis techniques including debugger checks, disk-space verification, and sleep delays to evade sandbox detection. The persistent nature of the attacks demonstrates continuous targeting of Ukrainian entities over a four-month period using social engineering focused on military documentation themes.
OXLOADER: new loader evading detection to drop infostealer
A previously undocumented Windows loader designated as OXLOADER delivers the CASTLESTEALER infostealer through malicious Google Ads campaigns, achieving remarkably low detection rates. The loader employs multiple obfuscation layers including control-flow flattening, opaque predicates, and mixed Boolean-Arithmetic techniques, along with self-modifying decryption stubs and abuse of the Windows .reloc section for shellcode staging. Distribution occurs via malvertising impersonating Node.js installations, redirecting victims through intermediary domains to Storj-hosted batch scripts. The loader implements five anti-VM and language checks, including CIS-region and Russian-language exclusions, suggesting a financially motivated Russian-speaking threat actor. OXLOADER uses DonutLoader to deliver the .NET-based CASTLESTEALER payload in memory, evading traditional detection mechanisms through deliberate engineering choices.
Operation FlutterBridge: The FlutterShell macOS Backdoor
FlutterShell is a macOS backdoor campaign active from December 2025 to March 2026, identified as cluster CL-CRI-1089 under Operation FlutterBridge. The threat actors deliberately misused the Flutter framework to deliver malware through malvertising campaigns on Google and YouTube. The malware employs a two-component architecture: a thin Mach-O launcher and a large Flutter payload dylib. Across three generations, the operators rotated Apple Developer certificates, implemented progressive Dart obfuscation, and renamed bridge commands to evade detection. The backdoor uses a WKWebView to load attacker-controlled JavaScript from C2 servers, implementing a conditional execution model where commands are delivered at runtime via a JavaScript-to-native bridge called flutterInvoke. The primary impact includes Chrome browser hijacking to inject sinterfumesco[.]com as the default search provider and persistent infection through silent Sparkle framework updates.
Popa: From Sourcing to Distribution
An Android proxyware SDK named Popa enrolls consumer devices including phones, tablets, and streaming boxes into a commercial residential proxy network. Operating since at least 2020, Popa and its variants (Loopop, Neupop, and Moneytiser) are distributed inside consumer streaming, IPTV, and utility applications. The SDK begins relaying third-party traffic at host-app launch without displaying informed-consent prompts in analyzed samples. Multiple variants communicate directly with NetNut SDK endpoints, sharing operational infrastructure and telemetry. Controlled testing showed traffic from Popa-enrolled devices egressing through NetNut's commercial gateway. The SDK uses encrypted Google Drive files to resolve relay servers in later versions. Analysis of over 20 publishers revealed significant links to piracy-related applications, with none observed requesting user consent despite later builds including this capability.
Okendo Reviews Supply Chain Attack
On May 14, 2026, a supply chain attack was discovered targeting the Okendo Reviews widget, a customer review platform used by over 18,000 brands. The threat actor injected malicious JavaScript code into the legitimate widget, which is deployed on high-traffic e-commerce pages including storefronts and product pages. The compromised JavaScript acted as a staged loader, using obfuscation, localStorage tracking, User-Agent filtering, and XOR-based decoding to conceal next-stage infrastructure. The attack employed ClickFix-style social engineering to deceive users into executing malicious commands, ultimately delivering remote access trojans like NetSupport and Remcos, or information stealers such as StealC. Affected websites received hundreds of thousands to millions of monthly visitors, with nearly 15,000 blocks recorded in a single day.
Sayonara, SocGholish: Operation Endgame Disrupts Major Cybercrime Operation
Global law enforcement, including agencies from the Netherlands, Canada, United States, and Germany, coordinated Operation Endgame to disrupt TA569, a prominent cybercriminal group tracked since 2018. The operation targeted SocGholish infrastructure, taking down over 100 servers and domains while remediating 14,971 compromised websites. TA569 pioneered web inject techniques using fake browser updates to distribute malware, often leading to ransomware attacks. The group compromised high-traffic websites across multiple industries, affecting millions of visitors globally. Their attack chains involved traffic distribution systems like Keitaro TDS and ParrotTDS, delivering GhoLoader payloads that could lead to ransomware deployment in enterprise environments. Law enforcement actions included server disruption and website disinfection, significantly impacting the threat actor's operations, infrastructure, and reputation within the cybercriminal ecosystem.
May 2026 Infostealer Trend Report
This analysis covers infostealer distribution trends observed during May 2026, based on automated collection systems and diagnostic logs. Distribution occurred primarily through illegal software disguised as cracks and keygens, as well as email campaigns. ACRStealer, Remus, and LummaC2 were most prevalent, with distribution via domains including Mediafire and AWS S3 buckets. Microsoft was the most impersonated company, followed by Auslogics and NVIDIA. EXE files represented 78.9% of execution types, while DLL side-loading accounted for 21.1%. macOS environments saw ClickFix techniques and malicious Bash scripts, with 142 scripts and 12 C2 domains identified. Email campaigns distributed AgentTesla and DarkCloud. Remus showed significant growth, comprising 36% of distributions. LummaC2 remained the most prevalent overall variant.
Operation Endgame vs. SocGholish Fake Updates
A multinational law enforcement operation called Operation Endgame has successfully disrupted SocGholish, a malware framework operated by threat actor TA569 since 2017. The operation took down 106 servers and domains and remediated nearly 15,000 compromised WordPress websites. SocGholish uses fake browser update prompts on compromised websites to trick victims into downloading malicious JScript payloads, providing initial access to corporate networks for ransomware deployment and data breaches. Analysis revealed that 55% of Infoblox cloud customers were exposed to SocGholish in 2026, demonstrating widespread impact across multiple industries including government, education, and healthcare. The framework employs domain shadowing techniques and operates through a four-stage attack chain involving traffic acquisition, filtering, fake update lures, and on-device implant execution. SocGholish infrastructure has facilitated access for various ransomware families and has been extensively used by the notorious Evi...
GitBait: Phishing targeting the Mexican financial sector
A sophisticated, modular phishing infrastructure has been identified targeting at least 12 Mexican financial institutions over a three-year period. The operation leverages GitHub Pages for hosting and SheetBest API for credential exfiltration, eliminating the need for dedicated backend infrastructure. Attackers employ obfuscated JavaScript, randomized paths, and dynamic brand selection panels to impersonate legitimate banking portals. Over 100 associated domains were identified, each hosting multiple phishing pages across different paths. Credentials are collected through multi-stage forms mimicking authentic banking authentication flows and exfiltrated in real-time to attacker-controlled Google Sheets. An alternative exfiltration method via Telegram bot was also observed. The campaign demonstrates operational persistence with multiple operator accounts maintaining the infrastructure through continuous commits and updates.
Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign
Cybercriminals orchestrated a sophisticated malvertising operation leveraging Google Ads to impersonate popular AI developer tools including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. Over seven weeks spanning April to June 2026, attackers deployed 106 unique malicious hostnames across six distinct waves, initially hosting ClickFix social engineering pages on GitLab infrastructure before pivoting to weaponize claude.ai's legitimate shared chat feature. The campaign targeted technically proficient users searching for AI development tools, tricking them into executing terminal commands that deployed the MacSync infostealer. This credential-harvesting malware collected browser data, SSH keys, and cryptocurrency wallets. The Asia-Pacific region sustained the heaviest impact with 67.2% of over 2,000 victims, particularly concentrated in Taiwan. Anthropic responded by banning malicious accounts and implementing additional abuse mitigations.
From package to postinstall payload: Inside the Mastra npm supply chain compromise
Microsoft Threat Intelligence discovered a large-scale npm supply chain attack compromising over 140 packages in the mastra and @mastra scopes. The attack originated from takeover of the ehindero npm maintainer account, which published poisoned package versions introducing easy-day-js, a malicious typosquat of the popular dayjs library. The malicious package executed a postinstall hook that deployed an obfuscated dropper script, disabled TLS certificate verification, contacted command-and-control infrastructure at 23.254.164.92 and 23.254.164.123, and downloaded a second-stage payload. This 41KB cross-platform Node.js implant installed persistence mechanisms, performed cryptocurrency wallet inventory, exfiltrated browser history and host reconnaissance data, and on Windows performed reflective .NET assembly injection for fileless in-memory code execution. Any developer workstation or CI/CD pipeline executing npm install after compromise was potentially exposed regardless of code usage.
Twitter Feed - nextronresearch - 17-06-2026
SideCopy, also tracked as APT36 or Transparent Tribe, has launched a new attack campaign targeting Indian defense personnel using a fake 'Minutes Of Meeting' document as lure. The attack employs an identical playbook to previous operations: a double-extension Minutes Of Meeting.docx.lnk file executes a PowerShell stager (pdfdocs.bat) from a nested pdfdocs folder while displaying a clean decoy document. The chain deploys a Remote Access Trojan (pdfdocs) that establishes persistence through the HKCU Run key. The staged components demonstrate low detection rates at initial delivery, with the decoy document scoring 0/66, the stager 1/61, and only the final executable reaching 35/71 detections.
Klue Integration Abused in Salesforce Data Theft | Threat Spotlight
In June 2026, a compromised Klue competitive-intelligence platform integration was exploited to exfiltrate customer relationship management data from enterprise Salesforce environments. Attackers authenticated through compromised Klue service accounts, generated OAuth tokens, and executed automated Python scripts to conduct bulk data extraction via Salesforce REST API queries over approximately 24 hours. The activity included concentrated bursts of nearly a thousand queries within 15 minutes and sustained extraction windows exceeding 6 hours. This incident follows similar third-party OAuth-abuse campaigns targeting Salesforce through Salesloft Drift and Gainsight integrations throughout 2025 and 2026. While the tactics resemble operations attributed to ShinyHunters and UNC6395 threat groups, attribution remains uncertain. The initial access vector, full scope of exfiltration, and attacker intent are still under investigation, with no extortion demands observed to date.
Crypto Clipper uses Tor and worm-like propagation for persistence and control
A Windows-based cryptocurrency clipper has been actively targeting users since February 2026, employing sophisticated techniques to steal digital assets. The malware propagates through malicious shortcut files on USB devices, creating a worm-like infection chain. Once deployed, it utilizes Windows Script Host and ActiveX to launch a bundled Tor proxy client, enabling anonymous communication with hidden-service command and control servers. The clipper performs high-frequency clipboard monitoring to intercept cryptocurrency wallet addresses, seed phrases, and private keys, replacing them with attacker-controlled alternatives. Additionally, it captures screenshots for context and maintains persistent access through scheduled tasks. The threat demonstrates advanced capabilities including remote code execution, making it more than a simple stealer by functioning as a lightweight backdoor. The malware employs multiple defense evasion techniques including multi-layer obfuscation, anti-analysis checks, and local S...
Invisible Sting: Over 4000 Outdated Routers Compromised by AryStinger, Becoming Global Attack Springboards for Hackers
AryStinger is a sophisticated botnet targeting legacy routers based on RTL819X chipsets and NAS devices through vulnerabilities disclosed over a decade ago, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837. The malware exists in two versions: a C-based RTL819X variant for resource-constrained routers and a Go-based Standard version for NAS devices. Both communicate with command-and-control servers using Protobuf-encoded, XOR-encrypted traffic. Infected devices function as Executors in a distributed infrastructure, performing reconnaissance activities including port scanning, subdomain enumeration, and service identification. The botnet supports traffic tunneling, remote access via Dropbear or gs-netcat, and can execute payloads in Go, Java, and Python. Over 4,300 routers globally have been confirmed infected, predominantly D-Link models, with concentrations in South Korea, China, and Sweden. The infrastructure serves as both a concealment layer and attack platform for cyber espionage and intrusio...
ClickFix Campaign Generated Via AI Delivers SmartRAT
In March 2026, threat actors leveraged AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign employed ClickFix techniques, presenting victims with fake CAPTCHA and BSOD screens to trick them into executing malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan with capabilities including encrypted C2 communications, remote control of screen/keyboard/mouse, credential theft through keylogging and banking overlays, and QR code interception for transaction fraud. The malware establishes persistence via scheduled tasks and Windows services, and targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The threat actors' C2 panel contained critical authentication flaws allowing client-side bypass, suggesting deployment without adequate security review.
More Than 4,000 Legacy Routers Compromised by AryStinger, Turned into Global Attack Proxies for Hackers
Security researchers discovered AryStinger, a botnet targeting legacy routers and NAS devices to build reconnaissance and attack infrastructure. The malware exploits vulnerabilities from 2013-2025 to compromise over 4,300 devices globally, primarily D-Link routers using RTL819X chips. AryStinger communicates via HTTP/HTTPS using Protobuf encoding and XOR encryption, supporting tasks including network scanning, traffic proxying, command execution, and persistent backdoor deployment through dropbear or gs-netcat. Two versions exist: RTL819X in C for routers, and Standard in Go for NAS devices with expanded capabilities including integration of fscan, ksubdomain, and httpx tools. Infected devices serve as distributed scanning nodes and attack proxies, effectively hiding attacker identities while conducting footprinting activities. The campaign shows extremely low detection rates in mainstream security engines, with evidence suggesting operations possibly began in 2024.
140+ npm Packages Compromised in Coordinated Supply Chain Attack
More than 140 Mastra npm packages were compromised through a supply chain attack that injected a typosquatted dependency called easy-day-js. A single npm account published malicious versions within a short timeframe, affecting packages including @mastra/core with over 918K weekly downloads. The attack executes during npm install via a postinstall hook, deploying a two-stage payload. The first stage disables TLS validation and downloads a second-stage implant that installs cross-platform persistence on Windows, macOS, and Linux. This implant functions as a command-and-control client that steals cryptocurrency wallet inventories from 166+ browser extensions, harvests browser history, and can execute arbitrary code sent by operators. The malicious code executes before developers import packages, compromising systems during installation.
From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware
INC has evolved from an emerging ransomware-as-a-service operation into one of the most active groups in 2026, claiming over 800 victims since 2023. The disruption of LockBit and BlackCat's shutdown created opportunities for INC to expand as affiliates migrated. Both Windows and Linux/ESXi encryptors have been rewritten in Rust, enabling cross-platform development and increasing analysis complexity. Recent incidents reveal updated tooling, including a modified credential dumper targeting newer Veeam backup deployments with support for salted DPAPI encryption. INC's influence extends beyond its operations; following the 2024 source code sale for $300,000, related families like Lynx and Sinobi emerged. United States organizations account for over 65% of victims, with legal services, manufacturing, construction, technology, and healthcare among the most targeted sectors.
New APT-Q-27 sample spotted
A new campaign has been identified utilizing a valid digital signature from a Chinese technology company that remains unrevoked. The attack chain employs a dropper that retrieves an extension-based module list from command and control infrastructure. The malicious payloads exploit DLL Side-Loading techniques through a legitimate Tencent-signed executable to achieve code execution. The infrastructure includes Google Cloud Storage and a dedicated domain for command and control operations. Multiple components have been identified including an EXE dropper, DLL loader, DAT payload, and the legitimate Tencent executable used for side-loading purposes.
Bluekit Phishing as a Service (PhaaS)
BlueKit operates as a mature commercial Phishing-as-a-Service platform offering 87 ready-made phishing kits targeting banks, cloud services, cryptocurrency exchanges, and global brands. The platform features subscription-based access, automated account takeover capabilities, peer-to-peer infrastructure for stealth, and integrated anti-detection tooling. BlueKit supports credential harvesting, session hijacking, and automated post-compromise workflows including password resets and passkey enrollment. The platform includes bulk SMS phishing capabilities, Telegram notifications, hardware wallet seed phrase harvesting, and integration with anti-detect browsers. Operating through Tor and clearnet domains with cryptocurrency payments, BlueKit employs a reseller model enabling white-label redistribution. The platform significantly lowers technical barriers for cybercriminals while providing enterprise-grade phishing infrastructure, posing critical threats to financial institutions, cloud environments, and cryptoc...
Attackers Weaponize Microsoft Teams Relays to Stay Hidden
Attackers deploying DragonForce ransomware against a major U.S. services firm concealed their command-and-control traffic within Microsoft Teams relay infrastructure using Backdoor.Turn, a custom Go-based remote access trojan. This novel technique leverages anonymous Teams visitor tokens and TURN relay servers to mask malicious communications as legitimate Microsoft traffic. The intrusion lasted one to two months, beginning in December 2025 with exploitation of an SQL server vulnerability. Attackers employed sophisticated defense evasion tactics including DLL side-loading with VirtualBox executables and multiple Bring Your Own Vulnerable Driver techniques. They exploited a previously unknown vulnerability in Huawei's HWAuidoOs2Ec.sys driver, along with several other vulnerable drivers, to terminate security processes at kernel level. The campaign demonstrates DragonForce's evolution into a highly capable ransomware cartel with advanced operational maturity.
Stealth Mango and Tangelo
This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense secto…
1937CN
1937CN is a Chinese hacking group that has been active since at least 2013. The group is known for targeting Vietnamese organizati…
313 Team
313 Team is an Iraq-based threat actor that has conducted coordinated DDoS campaigns targeting multiple government servers in the …
APT-C-27
A threat actor which is ac tive since at least November 2014. This group launched long-term at tacks against organizations in the …
APT.3102
APT1
PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Ar…
APT10
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in ass…
APT12
A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.
APT14
PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and mili…
APT15
This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage pu…
APT16
Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attack…
APT17
FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intellige…
APT18
Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targe…
APT19
Adversary group targeting financial, technology, non-profit organisations.
APT2
Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tra…
APT20
We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering ho…
APT21
APT22
Suckfly is a China-based threat group that has been active since at least 2014
APT23
TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaig…
APT24
The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly…
APT26
APT27
A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.
APT28
The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the …
APT29
A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group …
APT3
Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage …
APT30
APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT3…
APT31
FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a part…
APT32
Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector com…
APT33
Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess …
APT35
FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored…
APT37
APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea.…
APT39
APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a gr…
APT4
APT40
Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 20…
APT41
APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially moti…
APT42
Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against in…
APT45
APT45 is a North Korean cyber threat actor that has been active since at least 2009. They have conducted espionage campaigns targe…
APT5
We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than…
APT6
The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer…
APT9
APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular or…
APTIran
APTIran has claimed responsibility for a large-scale campaign targeting Israeli critical infrastructure, asserting infiltration of…
Ababil of Minab
Ababil of Minab is an emerging pro-Iranian hacktivist group with a limited public profile and little verifiable prior activity in …
Altahrea Team
Altahrea Team is a pro-Iranian hacking group that has been active since at least 2020. The group has claimed responsibility for a …
Amaranth-Dragon
Amaranth-Dragon is a previously untracked threat actor assessed to be closely linked to the China-affiliated APT 41 ecosystem, exh…
Amethyst Rain
Microsoft threat actor profile. Origin/Threat: Lebanon.
Angry Likho
Angry Likho is an APT group that has been active since 2023, primarily targeting large organizations and government agencies in Ru…
Anonymous64
Anonymous 64 is a group accused by China's national security ministry of attempting to gain control of web portals, outdoor electr…
Antlion
Antlion is a Chinese state-backed advanced persistent threat (APT) group, who has been targeting financial institutions in Taiwan.…
Aoqin Dragon
SentinelLabs has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primari…
AppMilad
AppMilad is an Iranian hacking group that has been identified as the source of a spyware campaign called RatMilad. This spyware is…
AridViper
AridViper is a state-sponsored APT primarily targeting military personnel, journalists, and dissidents in the Middle East, with a …
Aslan Neferler Tim
Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has bee…
Avivore
The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that c…
Ayyıldız Tim
Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against …
AzzaSec
AzzaSec is a hacktivist group that originated in Italy. Known for their pro-Palestine stance, they have been involved in various c…
BANISHED KITTEN
BANISHED KITTEN is an Iranian state-nexus adversary active since at least 2008. While the adversary’s most prominent activity is t…
BIG PANDA
BRONZE EDGEWOOD
In early 2021 CTU researchers observed BRONZE EDGEWOOD exploiting the Microsoft Exchange Server of an organization in Southeast As…
BRONZE HIGHLAND
BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan agai…
BRONZE SPIRAL
In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulne…
BRONZE SPRING
BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intel…
BRONZE STARLIGHT
BRONZE STARLIGHT has been active since mid 2021 and targets organizations globally across a range of industry verticals. The group…
BRONZE VAPOR
BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin. Artefacts from tools associated…
BatShadow
BatShadow is a Vietnamese threat actor that targets job seekers and digital marketing professionals through social engineering cam…
Bearlyfy
Bearlyfy has been attributed to over 70 cyber attacks targeting Russian companies since its emergence in January 2025, employing a…
Beijing Group
BiBiGun
A pro-Hamas hacktivist group developed a wiper called BiBi-Linux to target and destroy data on Israeli systems. The malware impers…
Bignosa
Bignosa is a threat actor known for launching malware campaigns targeting Australian and US organizations using phishing emails wi…
BlackJack
Blackjack, a threat actor linked to Ukraine's security apparatus, has targeted critical Russian entities such as ISPs, utilities, …
BlackTech
BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong…
Blackatom
Recent campaigns suggest Hamas-linked actors may be advancing their TTPs to include intricate social engineering lures specially c…
Blackgear
BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released…
Blackmeta
BLACKMETA is a pro-Palestinian hacktivist group that has claimed responsibility for a series of DDoS attacks and data breaches tar…
Blackwood
Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operation…
BladedFeline
BladedFeline is an Iran-aligned APT group that has been active since at least 2017, targeting Iraqi and Kurdish government officia…
Blue Termite
Blue Termite is a group of suspected Chinese origin active in Japan.
Blue Tsunami
Blue Tsunami, also known as Black Cube, is a cyber mercenary group associated with the private intelligence firm Black Cube. They …
Bohrium
Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle E…
Boulder Bear
First observed activity in December 2013.
BrazenBamboo
BrazenBamboo is a Chinese state-affiliated threat actor known for developing the LIGHTSPY, DEEPDATA, and DEEPPOST malware families…
Budminer
Based on the evidence we have presented Symantec attributed the activity involving theDripion malware to the Budminer advanced thr…
BuhTrap
Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. …
CIRCUS SPIDER
According to Crowdstrike, the NetWalker ransomware is being developed and maintained by a Russian-speaking actor designated as CIR…
CL-STA-0048
CL-STA-0048 is a Chinese state-backed APT that targets strategic sectors in South Asia, particularly government and telecommunicat…
CL-STA-1087
CL-STA-1087 is a suspected state-sponsored espionage campaign operating out of China, targeting military organizations in Southeas…
CL-UNK-1068
CL-UNK-1068 is a Chinese threat actor that has targeted critical infrastructure in Asia, primarily focusing on cyberespionage. The…
Cadelle
Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity…
Callisto
The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, …
Calypso
For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, duri…
Camaro Dragon
In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare instit…
CardinalLizard
CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018. Their methods include spear-phishi…
Careto
This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage pu…
Carmine Tsunami
Carmine Tsunami is a threat actor linked to an Israel-based private sector offensive actor called QuaDream. QuaDream sells a platf…
CeranaKeeper
CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions …
Charming Kitten
Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in g…
Chaya_004
Chaya_004 is a Chinese threat actor identified through malicious infrastructure, including a network of servers hosting Supershell…
Chernovite
Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPE…
Cleaver
A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity again…
Clever Kitten
Confucious
Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's …
CopyKittens
CoralRaider
CoralRaider is a financially motivated threat actor of Vietnamese origin, targeting victims in Asian and Southeast Asian countries…
Corsair Jackal
Cotton Sandstorm
Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, includ…
Cuboid Sandstorm
Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021. They gained access to the compa…
Curious Gorge
Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in…
Curly COMrades
Curly COMrades is a threat actor identified by Amazon Threat Intelligence and Bitdefender, believed to operate in support of Russi…
Cutting Kitten
One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with…
Cyber Alliance
The Ukrainian Cyber Alliance is a pro-Ukraine hacktivist group formed in 2016, primarily targeting Russian entities since the inva…
Cyber Av3ngers
Cyber Av3ngers is an Iranian IRGC Cyber-Electronic Command-affiliated threat actor that targets internet-exposed operational techn…
Cyber Berkut
Cyber Islamic Resistance
Cyber Islamic Resistance is a hacktivist collective ideologically aligned with Iran, engaging in operations such as website deface…
Cyber Partisans
The Cyber Partisans, a hacktivist group based in Belarus, has been involved in various cyber-attacks targeting organizations and i…
Cyber Serp
UAC-0255 is a threat actor that conducted a phishing campaign impersonating CERT-UA to distribute the AGEWHEEZE RAT, targeting org…
Cyber Toufan
Cyber Toufan is a threat actor group that has gained prominence for its cyberattacks targeting Israeli organizations. The group's …
Cyber fighters of Izz Ad-Din Al Qassam
Cyber.Anarchy.Squad
Cyber Anarchy Squad is a pro-Ukrainian hacktivist group known for targeting Russian companies and infrastructure. They have carrie…
DAGGER PANDA
Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion D…
DEV-0147
DEV-0147 is a China-based cyber espionage actor was observed compromising diplomatic targets in South America, a notable expansion…
DEV-0270
Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also…
DEV-0586
MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups.…
Dalbit
The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and de…
Dark Caracal
Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of…
DarkHotel
Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advan…
Deadeye Jackal
The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of S…
Denim Tsunami
Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. …
DiceyF
DiceyF is an advanced persistent threat group that has been targeting online casinos and other victims in Southeast Asia for an ex…
Domestic Kitten
An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive infor…
DragonForce
DragonForce is a hacktivist group based in Malaysia that has been involved in cyberattacks targeting government institutions and c…
DragonOK
Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tool…
DragonSpark
DragonSpark is a threat actor that has been conducting attacks primarily targeting organizations in East Asia. They utilize the op…
Dragonbridge
DRAGONBRIDGE is a Chinese state-sponsored threat actor known for engaging in information operations to promote the political inter…
DriftingCloud
DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or…
DustSquad
Prodaft researchers have published a report on Paperbug, a cyber-espionage campaign carried out by suspected Russian-speaking grou…
ELECTRIC PANDA
ELOQUENT PANDA
ELUSIVE COMET
ELUSIVE COMET is a threat actor responsible for significant cryptocurrency theft through sophisticated social engineering attacks,…
ENERGETIC BEAR
A Russian group that collects intelligence on the energy industry.
Earth Alux
Earth Alux is a China-linked APT group known for conducting cyberespionage attacks across various sectors, including government, t…
Earth Baxia
Earth Baxia is a threat actor opearting out of China, targeting government organizations in Taiwan and potentially across the APAC…
Earth Berberoka
According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websit…
Earth Freybug
Earth Freybug, identified as a subset of APT41, is a cyberthreat group active since at least 2012, engaging in espionage and finan…
Earth Krahang
Earth Krahang is an APT group targeting government organizations worldwide. They use spear-phishing emails, weak internet-facing s…
Earth Lamia
Earth Lamia is a China-nexus APT that targets organizations across multiple sectors, including finance, logistics, and government,…
Earth Lusca
Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic inst…
Earth Naga
Earth Naga is an APT group that has persistently targeted high-value organizations, including government agencies, telecommunicati…
Earth Wendigo
Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, res…
Edalat-e Ali
Edalat-e Ali is a hacktivist group known for disrupting Iranian state-run TV and radio transmissions during significant events, su…
Educated Manticore
Educated Manticore is an Iranian APT group aligned with the Islamic Revolutionary Guard Corps, primarily engaged in espionage targ…
Equation Group
The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophis…
Evasive Panda
Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, governmen…
EvilWeb
EvilWeb is a pro-Russian hacktivist group created in March 2024 that targets American and European entities using a hack-and-leak …
FIN1
FireEye first identified this activity during a recent investigation at an organization in the financial industry. They identified…
FIN13
Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term…
FIN7
Groups targeting financial organizations or people with significant financial assets.
FOXY PANDA
Adversary group targeting telecommunication and technology organizations.
Femwar02
Femwar02 is a previously unknown pro-Russian ransomware threat actor that emerged in early 2026, linked to a major cyberattack on …
Ferocious Kitten
Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in I…
Flax Typhoon
Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage camp…
Flying Kitten
Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.
FlyingYeti
FlyingYeti is a Russia-aligned threat actor targeting Ukrainian military entities. They conduct reconnaissance activities and laun…
Fox Kitten
PIONEER KITTEN is an Iran-based adversary that has been active since at least 2017 and has a suspected nexus to the Iranian govern…
FrostyNeighbor
FrostyNeighbor is a Belarus-aligned APT group known for conducting influence and disinformation campaigns, particularly targeting …
GALLIUM
GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and…
GCMAN
GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.
GHOST STADIUM
GHOST STADIUM is a Chinese-speaking, financially motivated threat actor operating a sophisticated phishing campaign across over 30…
GIBBERISH PANDA
GOBLIN PANDA
Goblin Panda is one of a handful of elite Chinese advanced persistent threat (APT) groups. Most Chinese APTs target the United Sta…
GREF
GREF is a China-aligned APT group that has been active since at least March 2017. They are known for using custom backdoors, loade…
GTG-1002
GTG-1002 is a Chinese state-sponsored APT that conducted a large-scale autonomous cyber espionage campaign targeting approximately…
Gamaredon Group
Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this…
GhostEmperor
GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They emp…
GhostRedirector
GhostRedirector is a China-aligned threat actor that has compromised at least 65 Windows servers across various sectors, primarily…
Ghostwriter
Ghostwriter is referred as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and p…
GoldFactory
GoldFactory is a threat actor group attributed to developing sophisticated mobile banking malware targeting victims primarily in t…
GopherWhisper
GopherWhisper is a China-aligned APT that routes C2 traffic through legitimate enterprise platforms like Slack, Discord, and Micro…
Gray Sandstorm
Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012. They have targeted defense technology comp…
Grayling
Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-l…
GreedyBear
GreedyBear is a sophisticated threat actor responsible for over $1 million in cryptocurrency theft through a campaign involving 15…
GreenSpot
GreenSpot is an APT group believed to operate from Taiwan, active since at least 2007, primarily targeting government, academic, a…
Greenbug
Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, governm…
GreyVibe
GREYVIBE is a low-to-moderately sophisticated threat actor associated with Russian state interests, primarily targeting Ukrainian …
Groundbait
Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.
HAFNIUM
HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease research…
HAZY TIGER
The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released i…
HURRICANE PANDA
We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommu…
Handala
Handala is a pro-Palestinian hacktivist group that targets Israeli organizations, employing tactics such as phishing, data theft, …
Hellsing
This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States.…
HenBox
This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile …
HiddenArt
It was observed that a mobile network threat actor designated as ‘HiddenArt’ actively sustains a capacity to remotely access the p…
Higaisa
The organization often uses important North Korean time nodes such as holidays and North Korea to conduct fishing activities. The …
HomeLand Justice
HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021. They have targeted…
Houken
Houken is a Chinese state-sponsored threat actor that exploits zero-day vulnerabilities in Ivanti Cloud Services Appliance devices…
Houndstooth Typhoon
Microsoft threat actor profile. Origin/Threat: China.
HummingBad
This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group…
Hunt3r Kill3rs
Hunt3r Kill3rs is a newly emerged threat group claiming expertise in cyber operations, including ICS breaches and web application …
IMPERSONATING PANDA
INDOHAXSEC TEAM
INDOHAXSEC TEAM is an Indonesian group that claims to have developed a web-based version of WannaCry, asserting the ability to enc…
INDRIK SPIDER
INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of …
IRIDIUM
Resecurity’s research indicates that the attack on Parliament is a part of a multi-year cyberespionage campaign orchestrated by a …
