Research
-
KadNap botnet infects over 14,000 routers using peer-to-peer DHT to hide command infrastructure
KadNap, a router malware first seen in August 2025, has infected over 14,000 devices and uses a Kademlia DHT peer-to-peer network to hide command infrastructure and provide anonymized proxy services.
-
Nine LeakyLooker flaws in Google Looker Studio could expose GCP data
Tenable found nine cross-tenant vulnerabilities in Google Looker Studio that could have allowed arbitrary SQL queries and data exfiltration across Google Cloud tenants. Google patched the flaws after a June 2025 responsible disclosure.
-
APT28 uses BEARDSHELL and COVENANT to surveil Ukrainian military
ESET documented APT28 use of BEARDSHELL and COVENANT to surveil Ukrainian military since April 2024. The implants use cloud storage for command and control and show links to earlier APT28 tooling.
-
Malicious npm package posing as OpenClaw installer deploys RAT, steals credentials
A JFrog technical analysis reported a malicious npm package posing as an OpenClaw installer. Uploaded March 3, 2026, the package installs a RAT and steals credentials, browser data, wallets and other sensitive macOS data.
-
Two Chrome extensions weaponized after ownership transfers, affecting about 7,800 users
Two Chrome extensions were weaponized after ownership transfers, allowing remote JavaScript to bypass protections and harvest credentials. QuickLens affected about 7,000 users and ShotBird about 800 users. Users should remove unknown extensions and audit browsers.
-
CL-UNK-1068 espionage campaign targets critical sectors across Asia
Palo Alto Networks Unit 42 reported a years-long CL-UNK-1068 campaign that targeted critical sectors across Asia, using web server exploits, web shells and credential theft tools to steal sensitive files and maintain persistent access.
-
Iran-linked MuddyWater embeds Dindoor backdoor in multiple U.S. corporate networks
Iran-linked MuddyWater deployed a Dindoor backdoor across multiple U.S. corporate networks, including banks and an airport, and used cloud utilities in suspected data exfiltration attempts, with success unconfirmed.
-
China-linked group targets South American telecoms with Windows, Linux and edge implants
A Cisco Talos technical analysis found a China-linked APT has targeted South American telecommunications since 2024 using three implants for Windows, Linux and edge devices, aimed at reconnaissance and brute-force operations.
-
Suspected Iran-nexus actor impersonated Iraqi ministry to deploy novel malware
Zscaler ThreatLabz observed a January 2026 campaign that impersonated Iraq’s Ministry of Foreign Affairs to deliver SPLITDROP, TWINTASK, TWINTALK and GHOSTFORM using staged payloads, evasion and fileless execution.
-
New Russian-linked campaign uses BadPaw loader to deploy MeowMeow backdoor in Ukraine
A new cyber campaign targeted Ukrainian organizations using a .NET loader named BadPaw that deploys a MeowMeow backdoor after a phishing ZIP archive and HTA lure, using sandbox checks and persistence tactics.