Threat Intelligence
Cyber Intel Brief
Weekly reports provided from the Deepwatch Threat Intel Team to improve situational awareness and education on the latest cyber threats.

From npm Infiltration to Federal Exposure: Shai-Hulud Supply Chain Attack, Ransomware Trends, and Critical Cisco & Google Exploits Highlight Security Gaps

When Invites Become Threats: iCloud Calendar Lures, Salesforce Exploits, and Ransomware Actors Leverage Human Error and App Integrations

Cloud Account Takeovers, Emerging Botnets, and Exploited Vulnerabilities: AWS Campaign and NightshadeC2 Mark a Shift in Threat Actor Tactics

Critical Infrastructure Under Siege: Chinese Espionage, SVG-Based Phishing, Ransomware Surge, and Zero-Day Exploits Target Global Networks

Brand Impersonation, SaaS Abuse, and $1M Scams: From Salesforce Data Theft to Citrix Exploits, Threat Actors Expand Their Playbook

Fake ChatGPT Apps, Phishing-as-a-Service, and Zero-Days: Modular Backdoors and Exploited Vulnerabilities Push Cyber Threats Further Underground

From ClickFix to RomCom: Deceptive Delivery Tactics, WinRAR Exploits, and Ransomware Escalation Fuel New Wave of Targeted Attacks

From Fake IT Tools to VPN Breaches: Akira Ransomware, SonicWall Exploits, and D-Link Vulnerabilities Accelerate Full-Spectrum Attacks

Scattered Spider Strikes vSphere: Advanced Social Engineering, Ransomware Extortion, and Exploits in Cisco and PaperCut Elevate Enterprise Threats

SharePoint Exploits, Interlock Ransomware, and Critical Vulnerabilities in Microsoft and Fortinet Underscore Escalating Enterprise Risk

Behind the CAPTCHA, Beyond the Flood: Interlock RAT, Record DDoS Attacks, and Citrix Exploits Shape the Mid-Year Threat Landscape

Silent Intrusions and Stealthy Control: North Korean macOS Malware, DoNot APT Tactics, and Ransomware Trends Uncovered

From Password Sprays to Persistent Threats: RansomHub Attacks, Iranian Cyber Ops, and Critical Vulnerabilities Target U.S. Interests

From macOS Credential Theft to China’s Cyber Campaigns: Nation-State Intrusions, Ransomware Trends, and Fortinet Exploits in Focus

Stealth Access, Memory-Only Malware, and Exploited Tech: Ransomware Actors Leverage SimpleHelp, AsyncRAT, and Critical Vulnerabilities to Breach Defenses

State-Sponsored Intrusions, Cloud-Targeting Malware, and Rising Ransomware: China and ELF-Based Threats Dominate the Cyber Landscape

EDDIESTEALER Malware, Brand-Based Intrusions, Ransomware Activity, and Critical Vulnerabilities in ASUS, ConnectWise, and Qualcomm Products

Stealth Malware, Nation-State Phishing, and Ransomware Trends Highlight an Evolving Threat Landscape

Expression Injection, Social Engineering, and Expanding Exploits: Ivanti RCE, Scattered Spider Tactics, and Ransomware Trends Define This Week in Cyber Threats

DIY Malware Bypasses AV, SAP Flaw Enables Remote Attacks, and CISA Adds New Exploited Vulnerabilities Amid Rising Ransomware Activity

Golden Chickens Unleash New Malware, Scattered Spider Threats Persist, and New Vulnerabilities Added to CISA’s Catalog Amid Rising Ransomware Trends

FOG Ransomware Tactics Uncovered, Dual Threats Delivered via Phishing, and New Broadcom, Qualitia, Commvault, and SAP Vulnerabilities Added to CISA’s Catalog

FOG Ransomware Masquerades as Legit Software, Fake CAPTCHAs Fuel Lumma Stealer Infections, and CISA Flags New Microsoft and Apple Vulnerabilities

Threat Actors Evolve Tactics, North Korean Group Targets Developers, and CISA Flags SonicWall Vulnerability

China-Linked Espionage Targets Ivanti, Scattered Spider Adapts with Broader Attacks, and CISA Adds Critical Vulnerabilities Across Multiple Platforms

Weaver Ant Espionage Tactics Unveiled, Qilin Ransomware Targets MSPs via ScreenConnect, and CISA Flags New Exploited Vulnerabilities

RansomHub Deploys Betruger Backdoor, Oracle Cloud Data Leak Raises Concerns, and CISA Flags New Exploited Vulnerabilities

Medusa Ransomware Evolves, Tomcat RCE Exploited in the Wild, and CISA Warns of Newly Exploited Vulnerabilities

Attackers Exploit IoT for Ransomware, RMM Tools Become a Prime Target, and CISA Flags New Exploited Vulnerabilities

China-Linked Cyber Espionage Exploits IIS, Black Basta and Cactus Ransomware Show Overlapping Tactics, and CISA Flags New Exploited Vulnerabilities

Green Nailao Campaign Blurs Cybercrime and Espionage, LockBit Targets Confluence, Ransomware Trends Evolve, and CISA Adds New Exploited Vulnerabilities

Russian Adversaries Exploit Device Code Authentication, Earth Preta Uses MAVInject for Stealthy Attacks, Ransomware Trends Shift, and CISA Adds New Exploited Vulnerabilities

Threat Actors Exploit ASP.NET Machine Keys, Credential-Stuffing Attacks Target Mobile Apps, Ransomware Trends Evolve, and CISA Adds New Exploited Vulnerabilities

GitHub Abuse Delivers Lumma Stealer, XE Group Exploits VeraCore for Persistent Access, CISA Flags New Vulnerabilities, and Rising Ransomware and Extortion Trends Persist

Ivanti Cloud Service Vulnerability, Ransomware Affiliates Stick to Proven Tactics, 73 Firms Hit, and CISA Flags jQuery, SonicWall, and Apple Flaws

SocGholish Backdoor Powers Ransomware Attacks, Email Bombing and Teams Threats Persist, 167 Firms Listed on Leak Sites, and CISA Flags Aviatrix Vulnerability

Ivanti Zero-Day CVE-2025-0282 Exploited as Macro Malware and Data Leaks Impact 103 Firms—CISA Flags Critical Vulnerabilities in Latest Update

Google Domain Abuse and PLAYFULGHOST Threats Unveiled as CISA Adds Oracle and Mitel Vulnerabilities, and Professional Services Tops Data Leak Sites

Cyberhaven Chrome Extension Attack Unveiled as CISA Highlights Palo Alto PAN-OS Vulnerability Amid Rising Data Leaks

Significant Changes to the PaaS Threat Landscape, Fortinet EMS Vulnerability Exploited, and CISA Exploited List Additions

Malware via Teams and Ransomware on C2 Servers Dominate Threats as CISA Flags 8 Vulnerabilities, Including Apache Struts2

LNK Attacks, Black Basta Malware, and a Surge in Leak Site Activity Highlighted as CISA Flags Exploited Vulnerabilities

Phishing Campaign Deploys RATs and Infostealers, Rhadamanthys Infection Chain Analyzed, 81 Firms Leaked, and CISA Adds North Grid, ProjectSend, and Zyxel Vulnerabilities

BianLian Shifts Tactics Away from Ransomware, Chinese APT Earth Estries Expands Espionage Operations, 129 Firms Leaked, and CISA Highlights VMware, Oracle, Apple, and Array Networks Vulnerabilities

ClickFix Campaign Unleashes New Infostealer, DEEPDATA Malware Exploits Fortinet FortiClient Zero-Day, 69 Firms Leaked with Manufacturing Hit Hardest, and CISA Adds Progress and Palo Alto Vulnerabilities

Threat Actors Exploit Teams, SharePoint, and OneDrive for Stealthy Malware Delivery, New ZIP File Tactic Unveiled, 142 Firms Leaked with Professional Services Hit Hardest, and CISA Adds Key Vendor Vulnerabilities

North Korea’s Ransomware Collaboration Escalates Threats, SharePoint Vulnerability CVE-2024-38094 Exploitation Details Released, 107 Firms Leaked with Manufacturing Most Affected, and CISA Adds PTZOptics Vulnerabilities

FortiManager Zero-Day Exploited for Data Theft, ClickFix Campaign Threatens Organizations, 162 Firms Leaked with Manufacturing Most Affected, and CISA Adds Cisco, Roundcube, and Fortinet Vulnerabilities

Iranian Actors Sell Critical Infrastructure Access, Bumblebee Returns with New Threats, 108 Firms Leaked with Professional Services Most Affected, and CISA Adds Microsoft, ScienceLogic, and Veeam Vulnerabilities

Credential Harvesting Spreads via File-Hosting Platforms, Nation-State Hackers Exploit Ivanti Flaws, 113 Firms Leaked with Professional Services Hit Hardest, and CISA Adds Key Vendor Vulnerabilities

MedusaLocker Variant BabyLockerKZ Spreads Globally, Zimbra RCE Exploited in Phishing Attacks, 64 Firms Leaked with Professional Services Hit Hardest, and CISA Adds Synacor, Microsoft, and Qualcomm Vulnerabilities

Critical UNIX/Linux Printing Flaws Enable RCE, Malvertising Drives BlackCat Ransomware, 73 Firms Leaked with Manufacturing Hit Hardest, and CISA Adds SAP, Motion Spell, DrayTek, and D-Link Vulnerabilities

Shadow IT Risks Exposed in Server Compromise, Vice Society Targets Healthcare with INC Ransomware, 131 Firms Leaked Amid CL0P's Surge, and CISA Adds New Ivanti Vulnerabilities

Critical Ivanti Vulnerability CVE-2024-29847 Exposed, WhatsUp Gold Targeted, Azure Storage Tool Misused for Data Theft, 72 Firms Leaked, and CISA Adds Major Vendor Vulnerabilities

Earth Lusca Unveils KTLVdoor Backdoor, Russia's GRU Cyber Unit Exposed, 60 Firms Leaked with Manufacturing Hit Hardest, and CISA Adds Microsoft, ImageMagick, Linux, and SonicWall Vulnerabilities

Iranian Hackers Join Forces with Ransomware Groups, BlackByte's Tactics Unveiled, RansomHub Compromises 200+ Organizations, New CVE-2023-22527 Exploits Deliver Godzilla Webshell, and CISA Updates

PEAKLIGHT Memory-Only Malware Uncovered, Qilin Ransomware Strikes, ShinyHunters Target AWS in Extortion Campaign, 65 Firms Leaked, and CISA Adds New Vulnerabilities

EDRKillShifter Targets Endpoint Defenses, Cloud Extortion Exploits .env Files, New DNS Tunneling Backdoor Emerges, Social Engineering Tactics Evolve, 90 Firms Hit by Ransomware, and CISA Updates Exploited List

0.0.0.0 Day Browser Vulnerability Exposes Networks, CISA & FBI Update on Royal Ransomware, Cloud-Based Threats Rise, Qilin Ransomware's Global Impact, Earth Baku Expands Espionage, and LockBit Leads Ransomware Surge

Phishing Exploits TryCloudflare for RATs, Stealthy Windows Backdoor, Russian APT’s Free Service Malware, StormBamboo’s DNS Poisoning, RAT Unveiled in Ransomware Attack, Ransomware Activity Declines, and CISA Updates

Onyx Sleet Indictments, Black Basta's Dangerous Tactics, ESXi Exploited in Ransomware Attacks, 100 New Ransomware Victims, and CISA Adds VMware, ServiceNow, Acronis Vulnerabilities

Cyberespionage Uses Open-source Tools, FIN7 Tool AvNeutralizer Sold, SocGholish Delivers AsyncRAT, Serverless Computing Threats, Credit Card Data Theft via Swap Files, ICS Malware Modbus Threat, Ransomware Surge, and 2 New Vulnerabilities

APT40's Espionage Techniques, FIN7's Vast Network Exposed, CRYSTALRAY's Credential Theft and Cryptomining, New APT41-Linked Malware, Snowflake Data Theft Impact, and Ransomware Leak Sites

Gootloader v3, Eldorado ransomware, Rejetto Update, MSBuild Abuse, data-leak site additions, and CISA Updates

Critical OpenSSH and Fortra FileCatalyst Vulnerabilities Exploited, Chinese APTs Blur Cybercrime Lines, P2Pinfect Botnet Upgraded, TeamViewer Breach Details, Velvet Ant Zero-Day Attack on Cisco, and CISA Updates

SolarWinds Vulnerability Exploited, Rafel RAT Targets Android, UNC3886 Accesses VMs, MOVEit Transfer Exploited, BMANAGER Malware Emerges, 76 New Leaks, and CISA Updates

‘Sleepy Pickle’ Targets ML Models, Scattered Spider Threatens Cloud Security, Copy-Paste Malware Rises, ShinyHunters Breach Snowflake, 87 New Leaks, and CISA Adds 3 Vulnerabilities

DarkGate Malware Hits U.S. in Malspam Campaign, Chinese Cyber Espionage Groups Exposed, Snowflake Extortion Reveals Security Gaps, 82 Organizations Leaked, and CISA Updates Vulnerabilities Catalog

Active Exploits on Check Point, North Korean Moonstone Sleet Unveiled, and Snowflake Data Breach Underscores MFA Necessity

BitLocker Hijacked by VBS Script, Rust-Based Embargo Ransomware Surges, CISA Alerts on New Vulnerabilities, and Tips to Defend Virtual Environments

New Linux Backdoor from North Korea, LATRODECTUS Phishing Surge, Malicious LNK Files, Data Leak Sites Grow, and CISA Warns of 5 Active Vulnerabilities

VPN RCEs Continue, LLMjacking, Social Engineering by Overload, Hundreds of Newly Published Data Leaks, and Chromium Vulns Added to the KEV Catalog

Command Injection Vulnerability Exploits, Ransomware Surge, Data Leak Sites Multiply, and CISA Bolsters CVE Catalog

Critical Command Injection Vulnerability Exploited, IcedID & Dagon Locker Ransomware Active, Data Leak Sites Expand, and CISA Adds to the CVE Catalog

OpenMetadata Vulnerabilities Mine Crypto, Spoofed IP Scanning Websites Target IT Teams, and DuneQuixote Campaign Includes Spanish Poetry to Deliver CR4T Backdoor

Rhadamanthys Infostealer, Credit Card Skimmer in Fake Meta Pixel Tracker, and Operation Midnight Eclipse

CoralRaider Gets Social, VenomRAT Deployed by ScrubCrypt, and Nearly 50 New Data Leak Victims

WarzoneRAT is Back, Ransomware Has a New Agenda, XZ Backdoor Delivered by Trusted Source, and the Latest from Data Leak Sites

Kimsuky Updates Playbook, Turla Backdoor Attack Chain Exposed, StrelaStealer Debuts, and MuddyWater Rises

Latest Phishing Tactics and Techniques, ShadowSyndicate Scanning Servers, and Fake Google Docs Pages Deliver Azorult Infostealer

Infostealer Circulated Through Facebook, Magnet Goblin Deploys Malware, PLUS 3 Common Post Network Device Tactics and eRAT

CISA Exposes Phobos Affiliates, New Attack Chain Steals NTLM, Plus Terminator and BABYSHARK

Russian Turla Deploys New Arsenal, Attackers Exploit ScreenConnect to Deliver Malware, and Cozy Bear Goes Cloud

TicTacToe Dropper Is No Game, No Malware Needed for Access to Government Victim, and Tycoon Group Offers New Phishing-as-a-Service

CISA Warns of Chinese Pre-Positioning for Attacks, New Raspberry Robin Variant, Bumblebee and Pikabot Return, Ivanti Vulnerability Deploys Unknown Webshell, and Nearly 100 New Ransomware Victims in a Week

Another Ivanti Connect Secure and Policy Secure Vulnerability, Details on the Cloudflare Attack, a New Variant of Mispadu Stealer, and Valid Account Abuse Challenges

Fake Website Impersonates Apple Apps, Midnight Blizzard Attacks Microsoft, Publicly-exposed RDP Gets Data Stolen and Ransomware in Three Hours

Androxgh0st Spooks Targets, Iranian APT Spear Phishing, North Korean ScarCruft Campaign Planning, and Critical Vulnerabilities in Confluence

Github Abuses, Ivanti Connect Secure VPN Compromises, New Cloud Hacking Tool FBot, and Phemedrone Infostealer Targets Microsoft Windows Defender SmartScreen

NVIDIA Executable for DLL Sideloading, Phishing with AsyncRAT, and Compromised YouTube Channels Spread Lumma Stealer

New qBit Infostealer, Cybercriminals Utilize Microsoft's App Installer to Deploy Malware, and a Google Exploit Restores Expired Cookies to Allow Persistent Access

Phishing Campaign Uses DarkGate RAT and NetSupport, ATI OSINT and Diligence Pays Dividends, and For Crying Out Loud–Stop Using Microsoft Exchange Server 2013

CozyBear Exploits JetBrains TeamCity, Qakbot Gets Regifted, Phishing Campaign Uses Publicly Available Tool Predator, and an Unexpected Gift from CISA

Russian APT Star Blizzard, Growing Insider Threats, Escalating QR Code Phishing, and the More_Eggs Backdoor

New Nova Infostealer, Gh0st RAT Evolves, New Toolset Unleashed, and a Look at Microsoft Outlook Attack Vectors

Diamond Sleet Rains Worldwide, Two New Web Shell Threats, New Botnet GoTitan Discovered, and Malware Shop Persian Remote World Sells RATS

Scattered Spider Targets IT Help Desks, Compromised VPN Credentials Lead to Rhysida, and a New Phishing Campaign Delivers Darkgate/Pikabot

Lace Tempest Storms Zero-day, Confluence Suffers Vulnerability, APT MuddyWater Evolves C2, and BatLoaders Spread Infostealers

Critical Apache ActiveMQ Vulnerability, New Millenium RAT & AsyncRAT, Socks5Systemz Botnet, and Gootloader Adds Gootbot

APT Octo-Tempest Methods, StripedFly Malware, NetSupport Manager Compromises, and Threat Actors Bypassing MFA

Vulnerability in JetBrains TeamCity Servers, Massive Attacks Lead to Cryptomining and Backdoors, SSH Servers Offer Threat Actors Opportunities, and New Dual DLL Sideloading Technique Deploys QasarRat

Darkgate Malware Hits Skype and Teams, ToddyCat APT Creates Backdoors, Ether-Hiding Technique Moves Malware to Blockchain, and Ransomware Data Leak Sites Continue to Add Victims

Qakbot Actors Distribute Ransom Knight Ransomware, Storm-0324 Leverages Microsoft Teams to Distribute JSSLoader, a new APT Grayling Emerges, and Rhysida Ransomware Operators Leverage Valid VPN Credentials

BlackTech Compromises Routers, Lumma Sets Up On Over 150 Servers, Ransomware Groups Repeatedly Hitting Victims, New Malware-as-a-Service Bunnyloader Surfaces, and EvilProxy Phishing Targets Job Site Indeed