Threat Intelligence
ESET disclosed a North Korea-aligned APT37/ScarCruft supply-chain compromise of sqgame.net, a Yanbian-themed gaming platform serving the ethnic-Korean community on the China-North Korea border. Trojanized Android APKs deploy a new BirdCall backdoor port. The APKs are still live.
phishing
Securonix tracked a phishing campaign that has compromised more than 80 organizations — mostly U.S.-based — by abusing legitimate SimpleHelp and ConnectWise ScreenConnect remote-monitoring tools. The lure impersonates the U.S. Social Security Administration. The architecture is dual-RMM redundancy: when defenders detect one channel, the other persists. Securonix Threat Research
Vulnerabilities
A Defender signature update flagged DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha and quarantined them worldwide. Microsoft fixed it in 1.449.430.0. The underlying DigiCert breach is the bigger story.
Trending
Official SAP npm packages were backdoored on April 29 in the latest Mini Shai-Hulud wave — adding browser credential theft across Chrome, Safari, and Edge to the campaign's existing cloud secret harvesting. Over 1,100 victim repositories confirmed.
Trending
Versions 2.6.2 and 2.6.3 of PyTorch Lightning were compromised in a supply chain attack — executing credential-stealing malware automatically on import, targeting SSH keys, cloud credentials, GitHub tokens, and crypto wallets.
Trending
Silver Fox has launched a tax-themed phishing campaign across India, Russia, Indonesia, and Japan — deploying ValleyRAT and the newly documented ABCDoor Python backdoor via fake tax authority notifications.
Cyber Attacks
An attacker purchased a portfolio of 31 trusted WordPress plugins on a public marketplace, embedded a PHP backdoor in a routine-looking update, and left it dormant for eight months before activating it to distribute hidden SEO spam to thousands of websites — with the malware resolving its command-and-control server through an
Threat Intelligence
BlueNoroff compromised a North American Web3 company using a fake Zoom meeting interface populated with AI-generated deepfakes, deploying a fileless PowerShell implant that maintained persistent access for 66 days while stealing cryptocurrency wallet credentials, browser data, and live webcam footage repurposed to lure future victims. GLOBAL — Arctic Wolf Labs has
Threat Intelligence
North Korean threat actors have escalated their developer-targeting campaign by using an AI large language model to insert malicious npm dependencies into legitimate projects — operating through fake U.S.-registered companies and deploying full-featured remote access trojans targeting cryptocurrency wallets and developer infrastructure. GLOBAL — Cybersecurity researchers at ReversingLabs have documented
Microsoft Ecosystem
A newly-tracked threat cluster, UNC6692, is using social-engineering-driven Teams-chats to pose as IT support, tricking employees into installing a custom modular malware toolkit called SNOW. The attack signals a shift from pure-email-phishing to "chat-based intrusion." MOUNTAIN VIEW, CALIFORNIA — A sophisticated new threat cluster, identified by the Google Threat
Cyber Attacks
A newly discovered and highly destructive wiper malware, dubbed "Lotus," has been deployed against Venezuela’s energy and utility sectors, timed strategically alongside periods of significant geopolitical friction. Caracas, Venezuela — Cybersecurity researchers have identified a sophisticated new strain of data-destroying malware, known as Lotus, targeting critical infrastructure within
Token Theft
Researchers have uncovered a sophisticated evolution of the NGate malware family, which now weaponizes legitimate payment applications to intercept card data and relay physical transactions across the internet in real-time. SÃO PAULO, BRZ — A high-impact cyber-espionage and financial theft campaign is currently sweeping through Brazil, utilizing a new variant of