-
Before Your MSP Chases CMMC, Take an Honest Look at Your Operations
CMMC is an operating model, not a checklist. Before chasing defense work, audit your MSP's internal operations, including access controls and data handling, to ensure you’re rea...
-
Four AI Trends Transforming Network Operations
The old way used to be all about observability, dashboards, aggregated KPIs, human correlation, and manual intervention. That world is changing with AI. — Donogh O’Reilly, Vice ...
-
Inside ANY.RUN’s 10-Year Evolution: An Interview with CEO Aleksey Lapshin
What happens when a malware analyst decides to build a product he always wished he had? The case of ANY.RUN tells us that ten years later it may turn into an industry-standard s...
-
Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake
EvidenceForge generates high-quality, realistic, and consistent datasets across multiple log formats, enabling teams to effectively train personnel and validate detection models...
-
Mytheresa - 84,108 breached accounts
In April 2026, the luxury fashion e-commerce platform Mytheresa was listed as a victim of the ShinyHunters "pay or leak" extortion group. After the ransom deadline passed, the g...
-
Ameriprise - 502,597 breached accounts
In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group claimed possession of more t...
-
How Security Leaders Cut Through Complexity to Drive Better Outcomes
Security leaders are operating in an environment that is only getting more complex. Expanding attack surfaces, rapid AI adoption, growing toolsets, and increasing pressure to re...
-
Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More
May 2026 showed how fast routine business activity can turn into real security exposure. ANY.RUN observed phishing campaigns, fileless malware delivery, credential theft, OTP in...
-
From Cookies to Keys: The Threat of Session Hijacking
See how session hijacking reshaped cyber threats. Learn how stolen tokens enable rapid breaches, bypass security, and impact enterprise protection.
-
Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
TrendAI™ Research analyzed an intrusion where threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain tes...
-
7-Eleven - 185,256 breached accounts
In April 2026, 7-Eleven was the victim of a "pay or leak" extortion campaign by ShinyHunters, with the data later published that month. The incident exposed 185k unique email ad...
-
Emulating the Gentlemen Ransomware
AttackIQ has released two new assessments that emulate the behaviors of The Gentlemen ransomware, a cross-platform threat that emerged around July 2025. The group employs a doub...
-
Is my use case a high-risk AI system? Applying the Commission’s guidelines and next steps
The EU Commission’s long-awaited guidelines on high-risk AI systems were published on 19 May 2026. This is the promised explainer on what is – and is not – a high-risk AI system...
-
Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns.
-
Paved With Intent: ROADtools and Nation-State Tactics in the Cloud
Open-source framework ROADtools is being misused by threat actors for cloud intrusions. Learn how to identify its malicious use.
-
Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware
Void Dokkaebi, a North Korea-aligned intrusion set, has updated its information-stealing malware, InvisibleFerret, shifting its delivery format to evade script-based detections.
-
When AI becomes the cyber attacker: Mythos and what comes next
Anthropic’s April 7, 2026 announcement that it built a model too powerful for public consumption, Claude Mythos Preview (Mythos), marks a notable moment for the legal, complianc...
-
The art of being ungovernable
In this edition of the Threat Source newsletter, William explores the value of being "ungovernable" in a professional setting, sharing how challenging the status quo and seeking...
-
How Huntress Uses Managed SIEM to Detect Threats Faster
See how Huntress uses Managed SIEM to detect threats faster, hunt smarter, and deliver comprehensive protection across endpoints, identities, and infrastructure.
-
Automation and scripting in SMBs: Trends, challenges and what actually works
Most IT teams recognize the value of automation, yet in practice, many remain reactive, spending most of their time on tickets and outages rather than building automation. Organ...
-
The Gentleman Ransomware | Defense Evasion TTPs Uncovered | Huntress
Two recent incidents involving The Gentlemen ransomware show the use of defense evasion tactics, including logs being cleared and attempts to add antivirus exclusions.
-
Dragonica Lunaris - 126,293 breached accounts
In December 2025, the European Dragonica private server Dragonica Lunaris suffered a data breach. The incident exposed 126k email addresses, usernames, dates of birth and bcrypt...
-
Windows93 / Myspace93 - 46,105 breached accounts
In January 2021, the parody site Windows93 suffered a data breach of the Myspace93 sub-site after a beta application was exploited to download server files. The compromised data...
-
Colorado’s new AI governance law
We recently published an alert that highlights Colorado’s new artificial intelligence (AI) governance law. After X.AI sued to enjoin enforcement of Colorado’s first AI governanc...
-
Build Your Cybersecurity Profile: Introducing the AttackIQ Champions Program
The AttackIQ Champions Program recognizes practitioners who promote threat-informed defense and the principles behind operationalizing MITRE ATT&CK. Publish content, get early a...
-
The 1 A.M. Cloud Migration Meltdown
A lead architect for a global bank sits in a dark office at 1:00 a.m. Two hours ago, her team finished a final migration cutover, moving the bank’s core lending application from...
-
Inside the RaaS Ecosystem: Operators, Affiliates & Attack Tradecraft | Huntress
The ransomware name on the ransom note doesn't tell the full story. See how RaaS affiliates drive initial access, persistence, and exfiltration and what defenders should watch for.
-
How Can MSSPs Scale Threat Detection Without Burning Out Their Analysts?
Scaling threat detection as an MSSP doesn’t mean hiring more analysts — it means enabling the analysts you already have to handle more clients, more alerts, and more complex thr...
-
Tracking TamperedChef Clusters via Certificate and Code Reuse
Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to targets.
-
TP-Link, Photoshop, OpenVPN, Norton VPN vulnerabilities
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed eight vulnerabilities in TP-Link, and one each in Adobe Photoshop, OpenVPN, and Gen Digital's Norton VPN.
-
Top 5 Phishing-Driven Social Engineering Attacks on Companies in 2026
Your employees are not falling for “bad grammar” phishing anymore. They are being pulled into fake Microsoft logins, banking pages, AI tool instructions, real OAuth flows, and e...
-
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Cisco Talos has uncovered a BadIIS variant — identifiable by its embedded "demo.pdb" strings — that functions as commodity malware, likely sold or shared among multiple Chinese-...
-
Exposed RDP: The Misconfiguration Attackers Keep Exploiting
Exposed RDP is still one of the most reliable ways attackers get in and most teams don't know it's open. See real cases where it was caught before it became a catastrophe.
-
CTT - 468,124 breached accounts
In April 2026, data allegedly obtained from CTT, Portugal's national postal service, was posted to a public hacking forum. The data included 468k unique email addresses along wi...
-
Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud
In this blog entry, researchers from the TrendAI™ MDR team discuss how they mapped the full end-to-end operation of SHADOW-WATER-063’s Banana RAT banking malware by analyzing se...
-
Addi - 34,532,941 breached accounts
In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may ...
-
Communication Service Provider Supports Banking Application Success Across International Borders
Today’s communication service providers (CSPs) sit at the center of some of the world’s most demanding digital services—none more mission critical than international mobile bank...
-
Threat Actor Defense Evasion: How Attackers Disable AV & EDR
Threat actors are actively targeting your security tools. Learn how threat actors disable antivirus and EDR through vulnerable drivers, tampering attacks, and malicious firewall...
-
Agentic Governance: Why It Matters Now
AI agents now act inside the trust boundary with real credentials, and agentic governance is what keeps them from quietly breaking things at machine speed.
-
19 Cloud Security Challenges and How to Mitigate Risk | Huntress
Learn about some of the most common cloud security challenges facing modern businesses today, plus why it matters for you and your employees.
-
(X) Most Common Passwords to Compromise Security in 2026
Discover the most common passwords that put you and your business at risk, and get easy tips to improve your password security.
-
Defending Against DDoS Attacks at Scale
For global financial institutions, digital availability is not optional—it is foundational to trust, revenue, and regulatory compliance. When customer-facing services are expect...
-
Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Unit 42 analyzes the evolution of Gremlin stealer. This variant uses advanced obfuscation, crypto clipping and session hijacking to compromise data.
-
What Is Single Sign-On? The Practical Guide | Huntress
Learn what single sign-on (SSO) login is, how it’s used in role management and cybersecurity, and how to set it up at your organization.
-
Strong Stack. Strong Team. Real Security Resilience.
Learn how to build a resilient security stack and program that cuts alert noise, strengthens identity defense, and helps teams respond faster.
-
The time of much patching is coming
In this week’s newsletter, Martin reflects on what the next iteration of AI tools means for vulnerability discovery and our ability to manage large-scale patch releases.
-
13 Cybersecurity Frameworks for 2026 and How to Choose What's Best for You
Discover some of the most common cybersecurity frameworks by what they’re best for, plus tips for choosing the right one for your organization.
-
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco ...
-
AI-Driven Workflow Automation Is the New North Star for Communication Service Providers
As we transition through the complexities of 5G standalone architectures, network slicing, and edge computing, the sheer volume of operational data has surpassed the limits of h...
-
Panic at the Distro
Learn how critical Linux kernel flaws in CopyFail, Dirty Frag, and Fragnesia let unprivileged users escalate to root access. See what security teams can do to remediate.
-
Abrigo - 711,099 breached accounts
In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the comp...
-
The remote access blind spot: An analysis of RMM tool risk for SMBs
Remote monitoring and management (RMM) tools are widely used in modern IT operations, but they are increasingly exploited by cybercriminals. Here, in this first blog, in a two-p...
-
Breaking things to keep them safe with Philippe Laulheret
Philippe shares his unique journey from French engineering school to the front lines of cybersecurity, explaining how his lifelong love for solving puzzles helps him uncover cri...
-
Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft
Our research examines the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign. Across both cases, the actor abused ...
-
Colorado AI Act: DOJ Steps In As X.AI Suit Pauses
We recently published an alert that highlights recent developments in the case filed by X.AI LLC seeking to enjoin enforcement of Colorado’s Senate Bill 24-205 (SB-24-205), ofte...
-
Scientific Research and the GDPR: EDPB Issues Long-Awaited Guidelines
On 15 April 2026, the European Data Protection Board (“EDPB”) published its long-awaited draft Guidelines 1/2026 on the processing of personal data for scientific research purpo...
-
Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 16 that Microsoft marked as “critical”.
-
Key Takeaways from the EMA Network Management Megatrends 2026
Enterprise Management Associates (EMA) has published its “Network Management Megatrends 2026” report, spotlighting automation, hybrid and multicloud networks, and artificial int...
-
AI Will Absorb 99.98% of SOC Triage Within a Year, as 79% of IT teams brace for AI-driven workload shift
COPENHAGEN, DENMARK, 12 May 2026 — Heimdal’s managed SOC processes three million alerts a month. In the year ahead, fewer than 500 of those, less than 0.02%, are expected to nee...
-
Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
Unit 42 analyzes AD CS exploitation through template misconfigurations and shadow credential misuse while offering behavioral detection for defenders.
-
Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America
TrendAI™ Research has identified two emerging threat campaigns—SHADOW-AETHER-040 and SHADOW-AETHER-064—that use agentic AI to drive intrusion operations against government and f...
-
What Is the Instructure Canvas Breach? Impact, Risks, and What Institutions Should Do
The Instructure Canvas breach affects universities, K–12 school districts, and teaching hospitals globally. This blog entry intends to provide context and practical guidance.
-
NYDFS Cybersecurity Enforcement: US$2.25m Fine Against Delta Dental
On April 30, 2026, the New York Department of Financial Services (NYDFS) announced a consent order with Delta Dental Insurance Company and Delta Dental of New York, Inc. for all...
-
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details.
-
The Digital Foundation of Public Trust Is More Than Skin Deep
Imagine a parent attempting to access Supplemental Nutrition Assistance Program (SNAP) benefits to feed the family, only to meet a perpetual loading screen. Or a resident rushin...
-
Supporting the National Cyber Strategy: How TrendAI™ Helps
A deeper look at the first three pillars and outlining how our capabilities directly support government agencies working to bring this strategy to life.
-
Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
Copy Fail (CVE-2026-31431) is a critical Linux kernel LPE that allows stealthy root access. This flaw impacts millions of systems. Read our analysis.
-
Preparing for the UK’s New Data Protection Complaints Regime: Key Steps Before June 2026
The Data (Use and Access) Act 2025 (“DUAA”) has made a number of changes to the UK’s data protection regime, many of which have already come into force. From 19 June 2026, organ...
-
Top 10 Cybersecurity Companies in Europe
Over the last 10-15 years, the cybersecurity scene has gotten increasingly complex, as organizations adopt new technology and hackers evolve more innovative ways to target them....
-
Unlocking the Full Value of 5G with Network Slicing
As 5G networks continue to evolve, service providers face a familiar challenge: how to scale services, meet increasingly stringent enterprise expectations, and generate new reve...
-
MSP cyber protection news, May 5, 2026
SAP npm packages compromised in supply chain attack to steal developer and cloud credentials, GlassWorm campaign resurfaces via sleeper OpenVSX extensions that activate maliciou...
-
InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise
Targeting multiple industries worldwide, the InstallFix campaign uses fake Claude AI installer pages to trick users into running malware that collects system information, disabl...
-
Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities
TrendAI™ Research breaks down Quasar Linux (QLNX), a previously undocumented sophisticated Linux RAT with low detection rates. In this blog, we examine a full-featured Linux thr...
-
Essential Data Sources for Detection Beyond the Endpoint
Unit 42 highlights the need for a comprehensive security strategy that spans every IT zone. Explore the full details here.
-
NETSCOUT to Have a Strong Presence at Cisco Live
When it comes to everything artificial intelligence (AI), the network is key. That is why this year’s Cisco Live theme is: the network as the foundation of the AI era! And in a ...
-
U.S. SEC Regulation S-P: Compliance Deadline Approaching for Smaller Entities
The U.S. Securities and Exchange Commission has issued amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, which becam...
-
Threat Debt: From Findings to Adversary Opportunity
The speed of adversary exploitation has outrun the cycle most security programs were built to run. Defending proactively starts with knowing what an exploit actually enables nex...
-
Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw
Acronis TRU uncovered active abuse of AI platforms like Hugging Face and ClawHub for malware delivery, where attackers exploit trust in AI ecosystems and agents, and potentially...
-
Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia
A China-aligned threat group is exploiting unpatched Microsoft Exchange vulnerabilities to conduct cyberespionage against government and critical infrastructure targets across A...
-
Why Airlines and Airports Must Embrace Observability Ahead of the Summer Travel Surge
Air travel is entering another high-stakes summer, and early activity shows that global air passenger demand increased by 3.8 percent in January 2026 versus 2025. Ticket prices ...
-
European Biotech Act I: Navigating the EDPB/EDPS Vision for the Future of Clinical Trials
On 12 March 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a Joint Opinion (the “Joint Opinion”) on the proposed E...
-
Kuse Web App Abused to Host Phishing Document
Bad actors took advantage of the legitimate name and services of Kuse, a popular AI-based app designed for workplaces. The attackers exploited the users’ trust in Kuse to carry ...
-
MSP cyber protection news, April 27, 2026
UNC6692 abused Microsoft Teams interactions to deliver the Snow malware toolkit, Bitwarden confirmed a short-lived supply chain compromise affecting its CLI npm package, and mor...
-
UK data protection complaints – new complaints handling obligations for controllers from 19 June
The changes to data controllers’ complaints handling obligations, made via the Data (Use and Access) Act, will come into force on 19 June 2026. These include a new obligation t...
-
How scheduling defaults and off-hours blindness are silently degrading backup reliability
Data backup is the last line of defense for any organization. Industry research shows that 60% of small-to-medium enterprises that suffer a major data loss event go out of busin...
-
U.S. SEC Clears Path for Decentralized Crypto Asset Security Trading With Broker Registration Exception for User Interfaces
On April 13, 2026, the staff of the Division of Trading and Markets (Staff) of the U.S. Securities and Exchange Commission (SEC or the Commission) issued a statement (Statement)...
-
Same packet, different magic: Mustang Panda hits India's banking sector and Korea geopolitics
Acronis Threat Research Unit (TRU) identified a new variant of the LOTUSLITE backdoor with a theme related to India's banking sector, delivered via DLL sideloading using a legit...
-
Heimdal Expands AI Strategy with AI Wingman and Third-Party AI Containment
COPENHAGEN, Denmark, 21 April 2026 — Heimdal today unveiled the next phase of its AI strategy, expanding AI Wingman with three new layers – Assist, Triage and SOC – alongside th...
-
Acronis Cyberthreats Update, April 2026
The Acronis Cyberthreats Update covers current cyberthreat activity and trends, as observed by Acronis Threat Research Unit (TRU) and Acronis sensors. Figures presented here wer...
-
MSP cyber protection news, April 20, 2026
Payouts King ransomware uses hidden QEMU virtual machines to evade endpoint detection, New AgingFly malware campaign compromises public sector and health care systems in Ukraine...
-
The Vulnerability Management Race Is Over. It’s Time to Focus on Exposure.
With Anthropic’s Mythos Preview announcement, the race to patch all vulnerabilities is over. As defenders, we must move on. We must focus on what adversaries can do after they e...
-
UK Operational Incident and Third-Party Reporting Rules: What Firms Should Do Now
The Financial Conduct Authority (FCA) has published Policy Statement PS26/2 together with final guidance in FG26/3 and FG26/4. The Prudential Regulation Authority (PRA) has also...
-
Backup retry storms: How you can improve backup reliability
Backup reliability is judged by whether recovery points are actually available when needed, not by whether a platform offers a retry button. The right response to a persistent b...
-
Emulating the Persuasive NightSpire Ransomware
AttackIQ has released a new attack graph that emulates the behaviors of NightSpire Ransomware, a financially motivated ransomware and data extortion group that emerged in early ...
-
New JanaWare ransomware targets Turkey via Adwind RAT
The Acronis TRU team identified a threat cluster leveraging a customized Adwind (Java RAT) variant with polymorphic characteristics to deliver a ransomware module, tracked as ‘J...
-
MSP cyber protection news, April 13, 2026
Medusa-linked Storm-1175 conducts fast-moving attacks that escalate quickly to ransomware, Iran-linked actors launch widespread password spraying attacks against Microsoft 365 a...
-
How to approach governance of AI agents
Current approaches to agentic AI governance seem more focused on trying to apply governance after a system is developed, like a Band-Aid, instead of baking in reasonable governa...
-
Immutable backups: The critical gap between backup success and real recovery readiness
Backups were once judged by a single question: Did the job succeed? That is no longer enough. In a ransomware event, the more important question is whether the attacker can dele...
-
Navigating AI compliance with HIPAA essentials
Healthcare providers are increasingly deploying artificial intelligence (AI) tools for diagnostics, documentation and operational efficiency. In fact, over the last few months, ...
-
Emulating the Multi-Stage RoningLoader Malware
AttackIQ has released a new assessment template that emulates the behaviors of RoningLoader, a multi-stage loader observed in recent intrusion campaigns. RoningLoader operates t...