UNC3753 (Luna Moth) Escalates Campaign Against US Law Firms: Vishing, RMM Tools, and Now Physical Intrusion
Google Cloud Mandiant has documented a sustained UNC3753 (Luna Moth) campaign targeting US law firms from January–May 2026. The group uses vishing calls and RMM tools to exfiltrate...
Meet Pink: The New Extortion Group Using Vishing and Microsoft 365 Tools to Drain Enterprise Cloud Storage
A new extortion group called Pink (CL-CRI-1147) has emerged, targeting enterprise organizations through voice phishing to steal Microsoft 365 credentials and cloud files. With ties to the Com...
China-Linked OP-512 Uses Cryptographically Unique Web Shells in Patient IIS Server Espionage Campaign
ReliaQuest has uncovered OP-512, a new China-linked threat cluster targeting IIS servers with a custom web shell framework that generates cryptographically unique signatures per deployment, evading traditional detection....
Hackers Can Hijack Claude Code MCP Traffic to Steal OAuth Tokens — No Patch Coming
Researchers at Mitiga Labs demonstrated a five-step npm supply chain attack that rewrites ~/.claude.json to redirect Claude Code MCP traffic through attacker-controlled infrastructure, silently capturing OAuth tokens for...
Iran-Linked Black Shadow Group Obliterates IT, Backups and Recovery Systems Across US and Middle East
Operating under the cover name Ababil of Minab, Iran-linked APT group Black Shadow launched a wave of destructive attacks against US transit agencies, Israeli firms, and Middle East...
Threat Actors Use AI Agents and Cursor IDE to Automate Active Directory Attacks and Beat EDR
Sophos has uncovered a Russian-speaking threat actor using AI-assisted tools, Cobalt Strike, and a purpose-built automated lab to develop EDR bypass malware targeting Active Directory environments — with...
Critical Supply Chain Attack: 31 Red Hat Cloud Services npm Packages Backdoored to Steal Cloud and Dev Credentials
A sophisticated supply chain attack dubbed "Miasma: The Spreading Blight" has backdoored over 30 official @redhat-cloud-services npm packages, deploying credential-stealing malware that targets AWS, Azure, GCP secrets, GitHub...
Massive Supply Chain Attack: Poisoned VS Code Extension and “Megalodon” Campaign Steal Credentials from Millions of Developers
Two coordinated supply chain attacks poisoned the Nx Console VS Code extension (2.2M installs) and backdoored 5,561 GitHub repositories simultaneously, stealing cloud credentials and 3,800 internal GitHub source...