

Zero-Day Vulnerability in Discontinued D-Link Routers Actively Exploited for Remote Code Execution and Botnet Attacks
Executive Summary: A critical zero-day vulnerability has been discovered and is being actively exploited in several discontinued D-Link router models, including the D-Link DIR-600, DIR-615, and DIR-825. This vulnerability, which enables remote code execution and authentication bypass via the device’s web management interface, exposes organizations to significant risk. Threat actors are leveraging this flaw to gain unauthorized access, deploy malware, and conscript devices
Jan 11 · 4 min read


Resecurity Honeypot Incident: Analysis of Scattered Lapsus$ Hunters’ Claimed Breach and Threat Intelligence Effectiveness
Executive Summary: On January 3, 2026, multiple threat actors, self-identified as Scattered Lapsus$ Hunters (SLH), publicly claimed to have breached the systems of cybersecurity firm Resecurity and exfiltrated sensitive internal data. The attackers released screenshots on Telegram, purporting to show access to employee data, internal communications, threat intelligence reports, and client information. However, Resecurity responded with a detailed statement and technical evi
Jan 4 · 5 min read


Transparent Tribe (APT36) Deploys Advanced RAT Attacks Targeting Indian Government and Academic Institutions via LNK and HTA Malware
Executive Summary: Transparent Tribe (also known as APT36), a persistent and highly adaptive state-sponsored threat actor, has initiated a sophisticated campaign targeting Indian government and academic institutions with new Remote Access Trojan (RAT) attacks. This campaign is characterized by the use of advanced spear-phishing techniques, weaponized Windows shortcut (LNK) files, and custom malware payloads designed for stealth, persistence, and data exfiltration. The att
Jan 4 · 4 min read


Google Cloud Application Integration Exploited in Sophisticated Multi-Stage Phishing Campaign Targeting Microsoft 365 Credentials
Executive Summary: A newly identified, highly sophisticated phishing campaign is actively exploiting the Google Cloud Application Integration email feature to deliver multi-stage phishing attacks. Cybercriminals are leveraging the trusted Google infrastructure to send phishing emails from legitimate Google domains, effectively bypassing traditional email security controls such as SPF, DKIM, and DMARC. The campaign employs a multi-stage redirection chain, utilizing both Goog
Jan 4 · 5 min read


Covenant Health Qilin Ransomware Breach: Technical Analysis of 2025 Attack Impacting 478,188 Patient Records
Executive Summary: On May 26, 2025, Covenant Health detected unauthorized activity within its IT environment, later attributed to the Qilin ransomware group. The breach, which began on May 18, 2025, resulted in the compromise of sensitive data belonging to nearly 478,188 patients across multiple facilities. Exposed information included names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment details, and health insurance information. The Q
Jan 4 · 5 min read


Kimwolf Botnet: Massive Android TV Box and IoT Malware Threat Exploiting Global Networks
Executive Summary: The Kimwolf botnet represents a critical and rapidly evolving threat to enterprise and consumer networks worldwide. This Android-based malware ecosystem has infected over 1.8 million devices, with a focus on Android TV boxes, digital photo frames, and other IoT devices that are often shipped with weak security controls or pre-installed malicious software. Kimwolf leverages residential proxy networks to bypass traditional perimeter defenses, enabling atta
Jan 4 · 5 min read


Critical CVE-2025-14847 Vulnerability in MongoDB Server: Patch Now to Prevent Remote Code Execution and Data Exposure
Executive Summary: MongoDB has issued an urgent security advisory regarding a critical vulnerability, tracked as CVE-2025-14847, that affects a wide range of MongoDB Server versions. This flaw enables unauthenticated remote attackers to read uninitialized heap memory and, under certain conditions, may be leveraged to achieve remote code execution (RCE). The vulnerability is particularly dangerous due to its low attack complexity, the absence of required user interaction, an
Dec 25, 2025 · 5 min read


La Poste and La Banque Postale Hit by Pro-Russian Noname057(16) DDoS Cyberattack in December 2025
Executive Summary: On December 22, 2025, the French national postal service, La Poste, and its banking arm, La Banque Postale, experienced a significant disruption due to a distributed denial of service (DDoS) cyberattack. The pro-Russian hacking group Noname057(16) publicly claimed responsibility for the attack, which rendered central computer systems offline, halted package tracking, and disrupted online payments during the peak Christmas delivery period. The French intel
Dec 25, 2025 · 5 min read


Fake MAS Windows Activation Domain Infects Windows Systems with Cosmali Loader and XWorm PowerShell Malware
Executive Summary: A sophisticated cyber threat campaign has emerged, leveraging a typosquatted domain mimicking the legitimate Microsoft Activation Scripts (MAS) project to distribute advanced PowerShell malware. The malicious domain, get.activate[.]win, closely resembles the authentic get.activated.win site, exploiting minor typographical errors made by users seeking to activate Windows or Microsoft Office products. Unsuspecting users who execute activation scripts fro
Dec 25, 2025 · 5 min read


WebRAT Malware Campaign Targets Security Researchers via Fake CVE Exploit PoCs on GitHub
Executive Summary: A sophisticated malware campaign leveraging the WebRAT remote access trojan has been identified propagating through fake vulnerability exploits hosted on GitHub. Threat actors are capitalizing on the cybersecurity community’s demand for proof-of-concept (PoC) code by creating repositories that purport to offer exploits for high-profile vulnerabilities, including both real and fabricated CVE identifiers. Unsuspecting users, particularly junior security res
Dec 25, 2025 · 4 min read


Healthcare Industry Pushes Back on HIPAA Security Rule Overhaul: Impact on Electronic Protected Health Information (ePHI) Systems
Executive Summary (Publication Date: December 24, 2025): The US healthcare sector is facing a pivotal moment as the Department of Health and Human Services (HHS) advances a sweeping overhaul of the HIPAA Security Rule. This regulatory update, proposed in early 2025, is designed to address the escalating threat landscape targeting electronic protected health information (ePHI). However, the industry response has been marked by significant resistance, with leading healthcare
Dec 25, 2025 · 5 min read


Iranian Infy (Prince of Persia) APT Returns: New Microsoft Windows and Office Malware Campaigns Exploit Telegram-Based C2
Executive Summary: The Iranian advanced persistent threat (APT) group known as Infy (also referred to as "Prince of Persia") has re-emerged after a prolonged period of inactivity, orchestrating a new wave of cyber-espionage campaigns. Leveraging advanced malware variants and innovative command-and-control (C2) techniques, including the use of the Telegram messaging platform, Infy has demonstrated a significant evolution in its operational capabilities. The group’s latest ca
Dec 21, 2025 · 5 min read


WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733) Actively Exploited – Urgent Security Alert and Mitigation Guidance
Executive Summary: WatchGuard has issued a critical security advisory regarding active exploitation of a severe vulnerability in Fireware OS VPN services, specifically impacting the IKEv2 implementation. The vulnerability, tracked as CVE-2025-14733, enables remote, unauthenticated attackers to execute arbitrary code on affected devices by exploiting an out-of-bounds write in the iked process. This flaw affects both mobile user VPNs and branch office VPNs configured with IK
Dec 21, 2025 · 5 min read


Storm-2372: Russia-Linked Hackers Exploit Microsoft 365 Device Code Phishing for Account Takeovers
Executive Summary: A sophisticated campaign orchestrated by Russia-linked threat actors has been observed leveraging the Microsoft 365 OAuth device code authentication flow to facilitate large-scale account takeovers. This attack, attributed to the group tracked as Storm-2372, exploits legitimate device code login mechanisms to harvest authentication tokens, bypassing traditional credential-based security controls. The campaign, active since at least August 2024, targets a b
Dec 21, 2025 · 4 min read


CountLoader and GachiLoader Malware Targeting Windows Systems via Cracked Software and YouTube Campaigns
Executive Summary: A new wave of cyberattacks is exploiting the popularity of cracked software and the reach of YouTube to distribute two highly sophisticated malware loaders: CountLoader and GachiLoader. These loaders are engineered to deliver a variety of secondary payloads, including advanced information stealers and remote access tools, while employing advanced evasion techniques such as fileless execution, signed binary proxy abuse, and novel process injection. The camp
Dec 21, 2025 · 5 min read


Russian Cyberattacks on Tureby Alkestrup Waterworks and Danish Election Websites: Attribution, Impact, and Mitigation
Executive Summary: Danish authorities have publicly attributed a series of cyberattacks targeting critical infrastructure and public services in Denmark to Russian state-linked threat actors. In 2024, the Tureby Alkestrup Waterworks southwest of Copenhagen suffered a destructive cyberattack that manipulated water pressure controls, resulting in burst pipes and temporary water outages for up to seven hours for some households. The attack was attributed to the pro-Russian group
Dec 21, 2025 · 6 min read


Microsoft 365 Under Attack: OAuth Device Code Phishing Campaigns Bypass MFA and Compromise Accounts (2024–2025)
Executive Summary: A sophisticated and rapidly evolving wave of phishing attacks is currently targeting Microsoft 365 accounts by exploiting the OAuth device code authorization flow. This attack vector, first observed in the wild in late summer 2024, enables adversaries to bypass both traditional credential theft defenses and multi-factor authentication (MFA) controls. The campaigns are orchestrated by a mix of financially motivated and state-aligned threat actors, including
Dec 21, 2025 · 5 min read


CVE-2025-14733: Critical WatchGuard Firebox Firewall RCE Vulnerability Actively Exploited in the Wild
Executive Summary: A newly disclosed critical vulnerability, CVE-2025-14733, has been identified in WatchGuard Firebox firewalls, representing a significant threat to organizations relying on these devices for perimeter security. This flaw, an out-of-bounds write in the Fireware OS iked process, enables unauthenticated remote attackers to execute arbitrary code on affected appliances. The vulnerability is being actively exploited in the wild, with multiple threat actors lev
Dec 21, 2025 · 5 min read


ArcaneDoor Exploits Cisco ASA/FTD VPNs and Ransomware Groups Target Enterprise Email Services in 2024–2025 Campaigns
Executive Summary: In the second quarter of 2024, two highly sophisticated and distinct cyber threat campaigns have been observed targeting enterprise environments globally. The first campaign exploits critical vulnerabilities in Cisco VPN infrastructure, specifically affecting Cisco ASA and Cisco Secure Firewall devices, and is attributed to the advanced persistent threat group known as ArcaneDoor. The second campaign leverages a combination of social engineering, remote
Dec 21, 2025 · 5 min read


U.S. DOJ Charges 54 in Ploutus Malware ATM Jackpotting Attacks Targeting Diebold Nixdorf and Kalignite Systems
Executive Summary: Between February 2024 and December 2025, a coordinated criminal campaign targeted U.S. banks and credit unions using the advanced Ploutus malware to execute ATM jackpotting attacks. The U.S. Department of Justice (DOJ) has indicted 54 individuals, all allegedly linked to the Venezuelan gang Tren de Aragua (TdA), a group designated as a foreign terrorist organization. The attackers gained physical access to ATMs, installed Ploutus via hard drive replacemen
Dec 21, 2025 · 6 min read