#threat-intel
23 stories tagged threat-intel.

Monday Brief: A DirtyClone Linux Bug, Turla's New Backdoor, and the Infostealer Churn
Old access paths, missed patches, and a fresh kernel flaw kept defenders busy. A roundup of what moved this week in the cybercrime ecosystem.

Week in Brief: Russia's Cellebrite Use, Five Eyes AI Warning, macOS Backdoor, Scattered Spider Pleas
Four stories that deserved more attention: state-backed mobile forensics against activists, an intelligence alliance's AI threat advisory, a new Mac implant, and a high-profile cybercrime case moving toward resolution.

Hotel Front Desks Hit by Photo-ZIP Phishing Dropping Node.js Implant
Microsoft flags an unattributed campaign active since April 2026 against hospitality targets in Europe and Asia.

Mistic Backdoor Shows Up in IAB-Brokered Intrusions Across Four Verticals
A quiet new implant tied to the KongTuke access broker is landing on insurance, education, IT, and professional services networks — and it's not riding a CVE to get there.

Law Enforcement and Microsoft Tear Down Command Infrastructure Behind Amadey and StealC
Hundreds of C2 servers went dark in a coordinated takedown targeting the shared hosting backbone used by two prolific infostealer families.

AryStinger Quietly Conscripts 4,300 Old Routers Into a Recon Proxy Fabric
Researchers say the malware skips the usual DDoS playbook and instead builds infrastructure for pre-breach reconnaissance.

Browser Add-Ons, AI Chat Links and In-Memory macOS Attacks: A Week the Internet Worked As Designed
Shady extensions, weaponised Claude conversations, fileless macOS intrusions and cloud agents turned into shells dominated the criminal feeds this week.

INC Ransomware Fills the LockBit Vacuum, Racks Up 830+ Victims
Two years after a quiet debut, INC has graduated from boutique RaaS to one of 2026's busiest extortion brands — riding the affiliate exodus from LockBit and BlackCat.

Fortibleed: How 75,000 FortiGate Firewalls Ended Up on an Attacker's Credential List
Configuration files. Legacy SHA-256 hashes. Automation at scale. The Fortibleed campaign is a slow-burn credential harvest that perimeter defenders are still catching up to.

Clipper Crew Buys Sponsored Posts on News Sites to Push Trojanized Crypto Tools
An untracked actor is laundering credibility through paid press placements, a phishing-grade WordPress hub, and seeded GitHub and SourceForge repos to deliver clipboard hijackers.

When Every Finding Looks Urgent: The Case for Adversarial Exposure Validation
Visibility isn't the bottleneck anymore. Deciding what an actual operator would touch is.

China-Nexus Crew Burrowed Into REDCap, Turned Google Workspace Rules Into an Exfil Pipe
A 13-plus-month intrusion across medical, academic, and defense research networks abused victim-side mail forwarding instead of dropping noisy C2.

The Cybercrime Economy Is Looking a Lot Like SaaS
A leaked worm kit, a $5K/month browser-cloning RAT, and AI agents coughing up credentials — the criminal stack is industrialising.

FBI Dismantles 13 Sites Tied to Chinese Influence Operation Targeting Cleared US Personnel
The seized domains posed as consulting firms advertising jobs — a tradecraft pattern consistent with state-directed recruitment campaigns against intelligence community insiders.

OceanLotus Turns SPECTRALVIPER on Vietnamese Investors and a Construction Firm
Two campaigns, one toolset. The Vietnam-aligned crew spent eighteen months inside a state-linked infrastructure builder before pivoting to a supply chain hit on retail stock investors.