StealC V2 Infostealer Delivered via Malicious Blender 3D Asset Files: Threat Analysis and Mitigation
Executive Summary: A newly identified cyber threat campaign is exploiting the popularity and extensibility of Blender—a widely used open-source 3D creation suite—by weaponizing 3D asset files to deliver the advanced StealC V2 data-stealing malware. This campaign, attributed to Russian-speaking threat actors, leverages Blender’s legitimate “Auto Run Python Scripts” feature to execute malicious code embedded within .blend files. Once executed, the malware establishes persiste
Nov 25 · 5 min read


JackFix Attack Targets Windows and macOS: Advanced Social Engineering Bypasses ClickFix Security Controls
Executive Summary: The emergence of the JackFix attack marks a critical escalation in the ongoing evolution of social engineering and malware delivery tactics. JackFix is a sophisticated variant of the well-documented ClickFix technique, engineered specifically to circumvent both technical and human-centric mitigations that have been deployed in response to earlier campaigns. By leveraging advanced obfuscation, multi-stage payload delivery, and cross-platform compatibility,
Nov 25 · 4 min read


BADBOX 2.0 and Vo1d Botnets: Android TV Streaming Box Infections, Impacted Models, and Mitigation Strategies
Executive Summary: Recent open-source intelligence and technical research have confirmed that millions of Android TV streaming boxes—primarily uncertified, off-brand, and low-cost models—are being conscripted into global botnets such as BADBOX 2.0 and Vo1d. These botnets are leveraged for ad fraud, credential stuffing, residential proxy abuse, and other cybercriminal activities. The infection is often present at the factory or delivered via malicious apps from unofficial mar
Nov 25 · 5 min read


Shai-Hulud npm Supply Chain Attack: 640 Malicious Packages Compromise JavaScript Ecosystem
Executive Summary: A critical supply chain attack has been identified in the npm JavaScript ecosystem, where at least 640 packages have been compromised by a new, highly sophisticated malware campaign dubbed Shai-Hulud. This attack leverages a self-replicating worm that targets open-source developers and organizations by exfiltrating sensitive credentials and secrets to attacker-controlled GitHub repositories. The campaign, first reported by security researcher Daniel Perei
Nov 25 · 5 min read


Iberia Airline Club Loyalty Data Exposed in Third-Party Vendor Breach: Incident Analysis and Mitigation Steps
Executive Summary: On November 23, 2025, Iberia, Spain’s largest airline and a member of International Airlines Group (IAG), publicly disclosed a customer data leak resulting from a security breach at a third-party supplier. The incident led to the exposure of customer names, email addresses, and Iberia Club loyalty identification numbers. No evidence indicates that account passwords or financial data were compromised. The breach was discovered after a threat actor claimed
Nov 24 · 6 min read


Cox Enterprises Data Breach: Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day Vulnerability (CVE-2025-61882)
Executive Summary: Cox Enterprises, a major U.S. conglomerate operating in telecommunications and automotive services, experienced a data breach after cybercriminals exploited a zero-day vulnerability in the Oracle E-Business Suite (Oracle EBS). The breach occurred between August 9 and August 14, 2025, but was not detected until late September. The Cl0p ransomware group claimed responsibility for the attack, which leveraged CVE-2025-61882, a critical vulnerability that all
Nov 24 · 6 min read


Critical CVE-2025-41115 SCIM Vulnerability in Grafana Enterprise Allows Remote Impersonation and Privilege Escalation
Executive Summary: A critical security vulnerability, identified as CVE-2025-41115 and assigned a maximum CVSS score of 10.0, has been discovered in the SCIM (System for Cross-domain Identity Management) provisioning feature of Grafana Enterprise. This flaw enables remote attackers to impersonate any user, including administrators, and escalate privileges without user interaction, provided certain configuration conditions are met. The vulnerability is not present in the ope
Nov 24 · 5 min read


Salesforce Security Incident: Unauthorized Data Access via Compromised Gainsight OAuth Integrations
Executive Summary: On November 20–21, 2025, Salesforce disclosed a significant security incident involving unauthorized data access through Gainsight-published applications integrated with the Salesforce platform. The incident was not the result of a vulnerability in the Salesforce platform itself, but rather stemmed from the compromise and abuse of OAuth tokens issued to trusted third-party integrations. Attackers, attributed to the ShinyHunters (UNC6240) group, leverage
Nov 24 · 6 min read


Tsundere Botnet Targets Windows Users with Fake Game Installers and Ethereum-Based C2 Infrastructure
Executive Summary: The Tsundere botnet represents a significant evolution in Windows malware, combining advanced evasion techniques with innovative command-and-control (C2) infrastructure. Since mid-2025, this botnet has rapidly expanded by leveraging fake game installers as lures and utilizing the Ethereum blockchain to store and rotate its C2 addresses. This approach not only complicates traditional takedown efforts but also demonstrates a growing trend of cybercriminals e
Nov 24 · 5 min read


APT31 Exploits Yandex.Browser and Cloud Services in Stealthy Cyberattacks on Russian IT Sector
Executive Summary: The China-linked advanced persistent threat group APT31 (also known as Judgement Panda, Violet Typhoon, and Zirconium) has orchestrated a sophisticated cyber-espionage campaign targeting the Russian IT sector, with a particular focus on organizations serving government agencies. Leveraging legitimate cloud services such as Yandex Cloud and Microsoft OneDrive for command-and-control (C2) and data exfiltration, APT31 has demonstrated advanced tradecraft
Nov 24 · 5 min read


Critical Zero-Day Exploited in Oracle Identity Manager (CVE-2025-61757): Pre-Auth RCE Vulnerability Analysis and Mitigation
Executive Summary: A critical vulnerability, tracked as CVE-2025-61757, has been identified in Oracle Identity Manager (OIM), a core component of the Oracle Fusion Middleware suite. This flaw, rated with a CVSS score of 9.8, enables unauthenticated remote attackers to achieve pre-authenticated remote code execution (RCE) on affected OIM instances. The vulnerability arises from a missing authentication check on a critical function, allowing attackers to bypass security contr
Nov 24 · 5 min read


Eurofiber France Customer Data Breach: Hacker Attempts to Sell Compromised Information from Customer Data Systems
Executive Summary: Eurofiber France has issued a warning regarding a data breach after a threat actor attempted to sell customer data online. The incident was detected when a hacker advertised what was claimed to be customer information from Eurofiber France on a cybercrime forum. The company has confirmed that unauthorized access to its systems occurred, potentially exposing sensitive customer data. At this stage, the full scope of the breach, including the specific data ty
Nov 18 · 4 min read


CitrixBleed 2 (CVE-2025-5777) Zero-Day: Critical Memory Leak Hits Citrix NetScaler ADC and Gateway Systems
Executive Summary: A critical zero-day vulnerability, CitrixBleed 2 (CVE-2025-5777), is wreaking havoc across global enterprise networks by targeting Citrix NetScaler ADC and Citrix NetScaler Gateway appliances. This pre-authentication memory disclosure flaw enables remote attackers to extract sensitive memory contents from vulnerable devices, potentially leading to session hijacking, credential theft, and lateral movement within affected environments. The attack is highly
Nov 16 · 5 min read


Critical Zero-Day Exploits Target Cisco ISE and Citrix NetScaler: Amazon Uncovers In-the-Wild Attacks
Executive Summary: Amazon’s threat intelligence division has recently identified a highly sophisticated campaign leveraging zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC/Gateway. These vulnerabilities, tracked as CVE-2025-20337 for Cisco ISE and CVE-2025-5777 for Citrix NetScaler (dubbed “Citrix Bleed 2”), were actively exploited in the wild prior to public disclosure and patch release. The attackers demonstrated advanced techn
Nov 16 · 5 min read


Shai-Hulud Worm Attack Compromises npm Registry: Over 46,000 Malicious Packages and Widespread Credential Theft
Executive Summary: Between September 15 and September 23, 2025, a large-scale, self-propagating supply chain attack—publicly known as Shai-Hulud—compromised the npm JavaScript package registry. Over 46,000 fake and trojanized packages were published, with more than 500 legitimate packages confirmed as compromised, including widely used libraries such as @ctrl/tinycolor and @crowdstrike/commitlint. The attack leveraged a worm-like malware that harvested sensitive credential
Nov 13 · 6 min read


Critical Vulnerabilities Patched in Mozilla Firefox 145 and Google Chrome 142: Update Now to Prevent Remote Code Execution
Executive Summary: Recent releases of Mozilla Firefox 145 and Google Chrome 142 have addressed multiple high-severity vulnerabilities that pose significant risks to enterprise and individual users alike. These vulnerabilities, if left unpatched, could enable remote code execution, sandbox escapes, and security policy bypasses, potentially allowing attackers to gain unauthorized access to sensitive data or escalate privileges within affected systems. While there is currently
Nov 13 · 6 min read


APT37 Exploits Google Find Hub to Wipe Android Devices in Targeted South Korean Attacks
Executive Summary: Recent threat intelligence has uncovered a sophisticated campaign orchestrated by the North Korean state-sponsored group APT37 (also known as ScarCruft), in which adversaries are abusing the legitimate Google Find Hub (formerly known as Find My Device) service to remotely wipe Android devices. This attack chain leverages advanced social engineering, credential theft, and the exploitation of cloud-based device management features to achieve destructive ou
Nov 11 · 5 min read


GlassWorm Malware Infects Visual Studio Code Extensions: Open VSX and GitHub Supply Chain Attack Analysis
Executive Summary: The resurgence of GlassWorm marks a significant escalation in the threat landscape for software supply chains, particularly those leveraging the Open VSX Registry and GitHub as distribution and collaboration platforms. GlassWorm is a highly sophisticated, self-propagating malware campaign that exploits the trust inherent in the Visual Studio Code (VS Code) extension ecosystem. By leveraging advanced obfuscation techniques, blockchain-based command and c
Nov 11 · 4 min read


LANDFALL Android Spyware Exploiting CVE-2025-21042 Zero-Day to Target Samsung Galaxy Devices
Executive Summary: A sophisticated Android spyware campaign leveraging the newly discovered LANDFALL malware has been identified targeting users of Samsung Galaxy devices. This campaign exploits a critical zero-day vulnerability, CVE-2025-21042, in the Samsung image processing library, libimagecodec.quram.so, enabling remote code execution via malicious DNG (Digital Negative) image files. The attack vector is primarily through WhatsApp, where threat actors deliver weapon
Nov 11 · 5 min read


GlassWorm Malware Infects Thousands via Malicious Visual Studio Code Extensions: Supply Chain Attack Report
Executive Summary: A critical supply chain attack, identified as GlassWorm, has been uncovered within the Visual Studio Code (VS Code) extension ecosystem. This campaign leverages malicious extensions to infiltrate developer environments, exfiltrate sensitive credentials, and propagate itself in a worm-like fashion. The attack is characterized by advanced obfuscation techniques, including the use of invisible Unicode characters, and a resilient blockchain-based command and c
Nov 11 · 4 min read