Research
-
Researchers: Russian-linked group used Hyper-V to hide Alpine VM and bypass endpoint security
Bitdefender and Georgia CERT say Curly COMrades abused Hyper-V to run a hidden Alpine VM hosting custom implants CurlyShell and CurlCat, bypassing endpoint security and using host networking to mask malicious traffic; researchers published IoCs on GitHub.
-
Google AI agent Big Sleep credited with finding five WebKit bugs in Safari; Apple issues patches
Apple credited Google’s AI agent Big Sleep with finding five WebKit vulnerabilities affecting Safari that could cause crashes or memory corruption; Apple issued patches in iOS 26.1, macOS Tahoe 26.1, tvOS 26.1, watchOS 26.1, visionOS 26.1 and Safari 26.1 and urged users to update.
-
Malicious Open VSX extension delivers SleepyDuck RAT and uses Ethereum contract for fallback control
Researchers warned that a malicious Open VSX extension, juan-bianco.solidity-vlang, installs a SleepyDuck remote access trojan that uses an Ethereum smart contract and a fallback RPC mechanism to update its command-and-control details.
-
Microsoft finds SesameOp backdoor that uses OpenAI Assistants API for C2
Microsoft’s DART reported discovery of a custom .NET backdoor called SesameOp that uses the OpenAI Assistants API as a covert command-and-control channel; Microsoft shared its findings with OpenAI, which disabled a suspected API key, and the victim remains unnamed.
-
Researchers detail BankBot‑YNRK and DeliveryRAT Android trojans that steal credentials and payment data
Researchers say two Android trojans, BankBot‑YNRK and DeliveryRAT, have been observed harvesting credentials, payment and device data; reports from CYFIRMA and F6 detail targeted device checks, use of accessibility services, persistence mechanisms and distribution via fake apps and malware‑as‑a‑service.
-
North Korea‑linked Kimsuky uses HttpTroy backdoor in spear‑phishing attack on South Korea
Security vendor Gen Digital said DPRK‑linked Kimsuky used a ZIP‑based spear‑phishing lure to deliver a three‑stage malware chain culminating in a new HttpTroy backdoor that provides extensive remote control and uses layered obfuscation.
-
Hezi Rash hacktivist group tied to hundreds of DDoS attacks, Check Point reports
Hezi Rash, a Kurdish nationalist hacktivist group founded in 2023, has been linked by Check Point to about 350 DDoS attacks between August and October 2025 targeting sites in Japan, Turkey, Israel, Iran, Iraq and Germany; analysts say the campaigns are ideologically driven and focus on disruption.
-
China-linked Tick group exploits Lanscope flaw to deploy Gokcpdoor backdoor
A critical Lanscope Endpoint Manager flaw (CVE-2025-61932, CVSS 9.3) has been exploited by the Tick espionage group to deploy a Gokcpdoor backdoor and other tooling, with JPCERT/CC confirming active abuse and researchers advising prompt patching and review of internet-exposed servers.
-
Open-source C2 framework AdaptixC2 draws use by groups linked to Russian ransomware
AdaptixC2, an open-source command-and-control framework published on GitHub, has been adopted by multiple threat actors, including groups linked to Russian ransomware, prompting analysis from Palo Alto Networks Unit 42 and an investigation by Silent Push into the project’s author and Telegram activity.
-
Researcher discloses ‘Brash’ flaw that can crash Chromium-based browsers by spamming tab title
A researcher has published details of ‘Brash’, a vulnerability in Chromium’s Blink engine that can crash Chromium-based browsers by rapidly updating the document.title field, causing massive DOM mutations and UI thread saturation.










