Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Threat Actor Uses Phishing to Breach Orgs for Ransomware Gangs

An initial access broker associated with the Payouts King ransomware group is using Microsoft Teams phishing to deploy a malicious Microsoft Edge web browser extension, according to researchers at Zscaler. Once the hackers have a foothold within an organization, they sell the access to the ransomware gang to conduct follow-on attacks.

Compromised @injectivelabs/sdk-ts exfiltrates wallet keys through fake telemetry

A malicious release of @injectivelabs/sdk-ts, an npm package that pulls around 50,000 weekly downloads, shipped code that records wallet mnemonics and private keys as they are derived and ships them to an attacker-controlled endpoint. The bad version, 1.20.21, was live on npm for under an hour on June 8, 2026 before the maintainer noticed and published a clean fix.

Unmasking BitRAT's C2 over HTTPS

BitRAT is a potent and versatile Remote Access Trojan (RAT) commonly sold on underground forums. Its popularity stems from a robust feature set and an emphasis on stealth, allowing it to evade detection by hiding command-and-control (C2) communications over seemingly benign protocols. This makes traditional detection methods more challenging. By examining the subtle artifacts it leaves behind, even in encrypted traffic, defenders can expose these elusive threats.

Threat Actors to Watch: SafePay, FancyBear, and ShinyHunters

From a fast-scaling ransomware operator to a Russian state-sponsored espionage group now experimenting with LLM-powered malware, and a data extortion collective that has weathered arrests without slowing down, these three threat actors span the full spectrum of financially and geopolitically motivated cybercrime. CYJAX breaks down what each group does, why they matter, and what security teams should know.

Ransomware in the age of agentic AI with Behnaz Karimi [337]

Today we're speaking with Behnaz Karimi, an independent researcher specializing in ransomware and agentic AI systems, Senior Cybersecurity Analyst at Accenture, and founder of Tremorina, about how ransomware is evolving to target AI systems, machine learning pipelines, and autonomous agents.

Ep. 5: The Heists

In the decade after Sony, North Korea learned something fundamental: Destructive cyberattacks make headlines. Financial cyberattacks make money. One year after Sony, North Korea pulled off one of the most audacious bank heists in history and reshaped cybercrime in the process. Today, the regime has expanded those same tactics into billion dollar cryptocurrency heists and sprawling money laundering schemes designed to evade sanctions and bankroll the state – and its nuclear weapons program.

Identifying and detecting ScoutC2 malware

At Corelight Labs, our mission is to help organizations stay a step ahead of evolving threats. When our researchers came across Censys' detailed write-up on ScoutC2, a rapidly growing open-source command-and-control (C2) framework favored by threat actors, we knew we needed to bolster community defenses quickly.

What is a Ransomware Attack? Definition, Types & Prevention Strategies

Ransomware isn’t just a rising threat, it’s a daily reality for thousands of businesses around the world. These attacks are faster, smarter, and more damaging than ever, with global losses projected to reach $275 billion a year by 2031, according to Cybersecurity Ventures. Understanding how ransomware works is the first step toward stopping it. In this blog, we’ll break down how these attacks unfold and what you can do to defend your systems.

Ep. 66 - Poisoned Pipelines: TeamPCP and the FBI Flash on Weaponized Dev Tools

A criminal crew with APT-grade patience is trojanizing the very tools defenders trust. Host Tova Dvorin sits down with Adrian Culley to break down FBI FLASH-20260702-01 (coordinated with CISA) on TeamPCP — the group compromising Trivy, KICS, LiteLLM, and the Telnyx SDK to sit inside CI/CD pipelines. Inside: the CanisterWorm and SANDCLOCK credential stealers, the self-replicating "Mini Shai-Hulud" worm across npm and PyPI, npm account takeovers via expired recovery domains, and five concrete defenses — starting with searching your GitHub org for "tpcp-docs" right now.

BlackMatter Ransomware Explained: Delivery Methods, Tactics, and Targets

Emerging in July 2021, BlackMatter is a ransomware-as-a-service (RaaS) platform that permits the developers of the ransomware to generate income through the actions of their cybercriminal associates, referred to as BlackMatter actors, who utilize it against targets. BlackMatter is potentially a reimagining of DarkSide, another RaaS that remained operational from September 2020 to May 2021.