A China-aligned threat group known as PlushDaemon runs a Chinese APT router hijacking campaign that implants EdgeStepper on vulnerable routers, reroutes software-update traffic for popular Chinese-language applications and delivers the SlowStepper espionage toolkit through trusted update channels, turning routine network gear into an adversary-in-the-middle platform.
BadAudio gives APT24 a stealthy first-stage foothold in a long-running espionage campaign that focuses on Windows environments. The C++ downloader hides behind DLL search-order hijacking, control-flow obfuscation and AES-encrypted C2, while the group rotates between watering-hole attacks, supply-chain compromises and targeted spearphishing to deliver it. This article breaks down BadAudio’s loader behavior, APT24’s evolving tradecraft and the defensive steps that help security teams detect, contain and disrupt this PRC-nexus operation.
Matrix Push C2 is a browser-native command-and-control framework that hijacks web push notifications to deliver phishing prompts, brand-spoofed alerts and malware. By abusing legitimate notification flows, it turns a routine “Allow notifications” click into a persistent phishing channel that most security stacks barely monitor.
TamperedChef malware no longer hides only behind a rogue PDF editor. In its latest evolution, the campaign uses signed fake software installers, malvertising and SEO poisoning to deliver an obfuscated JavaScript backdoor via a dropped XML-scheduled task. Telemetry shows a strong footprint in the U.S. and heavy impact on healthcare, construction and manufacturing, where users often search online for product manuals and tools. This article unpacks the global infrastructure, shell-company certificates and execution chain so defenders can hunt and harden effectively.
Newly disclosed vulnerabilities in the Ollama framework allow attackers to execute arbitrary code by feeding the server malicious GGUF model files. This article explains how the mllama metadata parsing flaw works, why versions before 0.7.0 are at risk, and what AI security teams should do to harden their local LLM infrastructure against code execution attacks.
The RondoDox botnet now targets unpatched XWiki servers through CVE-2025-24893, a critical eval injection flaw that lets any guest execute remote code and drop miners, turning forgotten wiki instances into entry points and compute fuel.
Akira ransomware has evolved into one of the most disruptive ransomware-as-a-service operations, hitting more than 250 organizations and extorting over $244 million. This article walks through how Akira gains initial access, exploits VPN and firewall weaknesses, moves laterally, and applies double extortion — then outlines practical defenses security teams can deploy now.
macOS now attracts serious attention from nation-state and criminal actors, especially credential stealers. A new public dataset, Malet, and a static analysis tool, Katalina, give defenders large-scale visibility into Mach-O malware traits. Teams can use them to tune EDR, test vendor claims, and finally treat Mac fleets as first-class citizens.
Researchers identified Android-based photo frames that auto-download malware at boot, then execute payloads after each restart. Consequently, attackers gain control on rooted devices with disabled SELinux and weak signing.
Kraken ransomware has quickly evolved into a cross-platform threat that can disrupt Windows, Linux, and VMware ESXi environments in a single campaign. By abusing SMB exposure, tunneling through Cloudflared, and using benchmark-driven encryption, the group focuses on high-value data, double extortion, and maximum downtime for large enterprises.