Research
-
SmartLoader campaign trojanized Oura MCP server to deliver StealC infostealer
A SmartLoader campaign trojanized an Oura MCP server to deliver the StealC infostealer using fake GitHub accounts. The trojanized server remains listed on the MCP registry.
-
Study finds cloud password managers vulnerable to server-side recovery attacks
A technical analysis by ETH Zurich and Università della Svizzera italiana found that Bitwarden, LastPass, and Dashlane are vulnerable to server-side password recovery attacks, with researchers detailing multiple attack types and vendor mitigations.
-
ZeroDayRAT spyware sold on Telegram enables live surveillance and financial theft on Android and iOS
A technical analysis by iVerify identified ZeroDayRAT, a commercial spyware platform sold on Telegram that targets Android and iOS. The malware enables live camera and microphone access, location tracking, account enumeration and clipboard wallet hijacking.
-
In-the-wild exploitation observed for critical BeyondTrust RCE CVE-2026-1731
Researchers observed overnight exploitation attempts for CVE-2026-1731 targeting BeyondTrust Remote Support and Privileged Remote Access. The flaw is rated CVSS 9.9. Patches are available for affected versions and administrators should apply updates immediately.
-
Abandoned Outlook add-in hijacked to phish about 4,000 Microsoft accounts
An abandoned Outlook add-in listed in Microsoft’s store was hijacked to host phishing pages that stole credentials from about 4,000 users, a technical analysis found. Users should remove the add-in and reset passwords.
-
Critical RCE flaw in WPvivid Backup & Migration affects more than 900,000 installs
A critical RCE vulnerability in the WPvivid Backup & Migration plugin impacts versions up to 0.9.123 and more than 900,000 installs. Upgrade to version 0.9.124 to remediate CVE-2026-1357.
-
Lazarus supply chain campaign plants malicious packages on npm and PyPI
Researchers found malicious npm and PyPI packages tied to the Lazarus Group in a recruitment-themed campaign active since May 2025. One npm package exceeded 10,000 downloads before a malicious update was published.
-
Researchers identify first malicious Outlook add-in that stole over 4,000 credentials
Researchers found the first malicious Outlook add-in in the wild, where a hijacked add-in domain hosted a fake sign-in page and captured more than 4,000 credentials, exposing gaps in marketplace content monitoring.
-
Cross-platform RAT campaigns target Indian defense and government-aligned organizations
Multiple campaigns used Geta RAT, Ares RAT and DeskRAT to compromise Windows and Linux systems at Indian defense and government-aligned organizations in late 2025 and early 2026.








