Cybersecurity Threat Landscape


Developments in the Axios Breach: Understanding the Social Engineering Used

North Korean threat group UNC1069 hijacked the Axios library through a sophisticated social engineering campaign. By impersonating tech executives in fake Slack workspaces, attackers pressured maintainers into installing malware disguised as system updates. This highlights the risk that social engineering of maintainers poses to developers who depend on the package.

US Government Agencies Warn of Iran Backed Cyber Attacks on US Critical Infrastructure

Iran-linked threat actors are pivoting from espionage to disruptive cyber warfare against critical infrastructure. Using malware like IOCONTROL, groups target internet-facing industrial controllers in the water and energy sectors. This escalation includes destructive wiper attacks on US firms.

Advertising Intelligence: Understanding the Risks of Ad-Based Surveillance Systems

Iranian-Linked Cyber Operations Threaten Exposure of Civilian and Private Networks

The Federal Bureau of Investigation (FBI) warns that the threat actor group known as Handala uses specialized malware to target civilians and journalists. Linked to the Iranian Ministry of Intelligence and Security, these operations exploit messaging bots to exfiltrate sensitive data.

Supply Chain Attack Targeting Popular JavaScript Tool Axios and Open Source Security Scanner Trivy, Affecting Enterprise Environments

Recent supply chain attacks targeting Axios and Trivy have exposed critical vulnerabilities in enterprise software dependencies. These incidents allowed threat actors to steal credentials and install malicious software. Organizations are advised to rotate keys and audit systems.

Iranian-Linked Hacktivist Group Claims Attack on US Medtech Giant Stryker

Handala, an Iranian-linked threat group, sabotaged medical giant Stryker by weaponizing Microsoft Intune. By compromising a Global Admin account, they issued a mass remote wipe command, factory-resetting 80,000 devices. This signals a shift from cyber espionage to destructive sabotage.

Threat Actors Using Search Engine Poisoning to Distribute Fake Enterprise VPNs

Threat actors are using search engine optimization poisoning to distribute fake VPN clients impersonating Fortinet and Cisco. These malicious sites trick users into downloading credential-stealing malware, granting attackers direct, authenticated access to corporate networks.

U.S. and Australian Agencies Issue Warnings on Possible Cyberattacks in Connection with Ongoing Conflict in the Middle East

U.S. and international agencies warn of heightened cyber threats from Iran targeting financial institutions. Organizations face risks of operational disruption via DDoS attacks and reputational damage. Security leaders must prioritize proactive defense and cyber hygiene to mitigate impacts.

Threat Actors Weaponize PWAs in Fake Google Security Campaign

A phishing campaign uses the fraudulent domain google-prism[.]com to deploy malicious Progressive Web Apps and Android payloads. This attack steals credentials, locations, and contacts while mimicking native Google apps. Organizations should advise users to only use myaccount.google.com.

1Campaign Cybercrime Service Weaponizes Sponsored Search Ads

The 1Campaign service allows threat actors to bypass Google security by hiding malicious ads. Using fraud scoring, it hides phishing sites from scanners while targeting employees via sponsored links. Organizations should implement ad-blocking and mandate the use of official software channels.

Threat Actors Exploit AI Tools for Cyberattacks

Threat actors are weaponizing generative AI tools like CyberStrikeAI and ChatGPT to automate reconnaissance and craft sophisticated phishing campaigns. Additionally, a critical Google Cloud API flaw has exposed sensitive Gemini endpoints, risking massive financial loss and data theft.

State-Sponsored Hackers Weaponize Gemini AI for Cyber Operations

The Google Threat Intelligence Group reported that state-sponsored hackers from Russia, China, Iran, and North Korea are weaponizing the Gemini AI model. These actors use AI to accelerate reconnaissance, automate phishing, and refine malware, significantly increasing the scale of cyberattacks.

Cybercrime Group 0APT Weaponizing Fake Breaches for Real Extortion

Researchers identified "0APT," a cybercrime group using recycled data to falsely claim breaches for extortion. This "disruption without intrusion" tactic weaponizes public trust to cause reputational harm and drain resources, especially impactful for Philippine firms with limited security budgets.

Threat Actors Utilizing Malware to Compromise Devices in Crypto-theft Attacks; Increasing macOS Infections Reported

North Korean threat actors are targeting the fintech industry using AI deepfakes and "ClickFix" tactics to deploy malware on Windows and macOS. By impersonating executives in video calls, they trick victims into executing malicious commands to steal cryptocurrency and sensitive identity data.

Notepad++ Update Infrastructure Compromised by State-Sponsored Groups

Chinese state-sponsored threat actors hijacked the Notepad++ update infrastructure to distribute "Chrysalis" malware. This supply chain attack targeted developers and system administrators, weaponizing trusted software updates to maintain persistent remote access for regional espionage.

China-linked “PeckBirdy” Campaign Threatens Southeast Asian Networks

China-linked threat actors are utilizing the PeckBirdy framework to conduct fileless espionage across Southeast Asia. By mimicking legitimate traffic, the campaign targets government and energy infrastructure, including Philippine institutions, to maintain undetected access.

Fake Amazon Recruiters Exploit Job Seekers

Scammers are exploiting Amazon’s reputation to target job seekers with fraudulent offers. By mimicking official branding and moving conversations to encrypted messaging apps, threat actors trick victims into providing sensitive data or paying fake "training" fees under the guise of recruitment.

New Phishing Campaign Exploits Zoom Infrastructure

Researchers uncovered a new Telephone-Oriented Attack Delivery (TOAD) campaign that exploits Zoom’s infrastructure to bypass security filters. By abusing trusted domains to send legitimate-looking emails, attackers lure victims into fraudulent calls to bypass MFA and steal sensitive financial data.

Dangers of Free Online Converter Apps

Threat actors are using malvertising and fake online converter tools to distribute malware via deceptive "CAPTCHA" prompts. By mimicking legitimate productivity services, these fraudulent sites trick users into executing malicious commands and expose sensitive corporate documents to data theft.

Malicious Browser Extensions Steal Credentials and Breach Enterprise Systems

Malicious browser extension campaigns are targeting enterprise systems to steal credentials and session tokens. By masquerading as productivity tools, these extensions bypass traditional defenses to capture sensitive data and trigger social engineering attacks.

Microsoft Patches “Reprompt” Flaw: Single-click Copilot Vulnerability

Researchers uncovered a vulnerability in Microsoft Copilot which allows threat actors to exfiltrate chat histories via a single malicious link. The flaw enables silent command execution within browser-based sessions to send sensitive data to external servers without further user interaction.

Malicious Chrome Extensions Impersonating AI Tools Steal User Data

Two malicious Chrome extensions, tracked under the name "Prompt Poaching," were found harvesting ChatGPT and DeepSeek chat histories. Posing as productivity tools, they bypassed security (one even held a "Featured" badge) to exfiltrate sensitive AI data and intellectual property.

Threat Actors Exploit Google Email Cloud Features In ‘Multi-Staged’ Phishing Attacks

Threat actors are abusing Google Cloud’s “Application Integration” tool to send phishing emails from a genuine Google address. By bypassing filters and using fake CAPTCHAs, the multi-stage attack tricks users into entering Microsoft 365 credentials on fraudulent login pages.

ClickFix Attack: Fake BSOD and Booking Lures Targeting European Hospitality Sector

The ClickFix campaign "PHALT#BLYX" targets the hospitality sector using fake BSOD errors to trick users into executing malicious code. By following "fix" instructions, victims paste commands into the Windows Run box, installing the DCRAT trojan to grant attackers remote system control.