Unit 42 (@Unit42_Intel)
Followers: 65K | Following: 254 | Media: 2K | Statuses: 3K
The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Joined December 2015
Unit 42 analyzes recent activity by Ashen Lepus (aka WIRTE). This group is targeting diplomatic entities across the Middle East and other Arabic-speaking countries using a new malware suite named AshTag. https://t.co/xizH8yQIgq
Belarus-based #APT #WhiteLynx is using a #CAPTCHAmacro technique, enticing users to enable macros on Office docs, generating a CAPTCHA verification window to proceed. We found follow-up malware that communicates with agelessinvesting[.]xyz. Details at https://t.co/ThoU5diIgx
A new Rust-based ransomware family, 01flip, has a potential connection to LockBit. Our review details 01flip's victimology, functionality and evasion techniques, and concludes with potential attribution. https://t.co/3IQNykupqb
A significant update to our Threat Brief on CVE-2025-55182 analyzes unique post-exploitation activity. This activity includes reconnaissance, deployment of cryptominers, the backdoor Noodle RAT, stealthy malware dropper SNOWLIGHT and more: https://t.co/JfOS15kpkC
Open-source Model Context Protocol (MCP) helps to standardize how LLMs integrate and share data with external tools and resources. However, malicious MCP servers without proper controls are vulnerable to novel attack vectors. Read our analysis: https://t.co/iIylsrOLQG
We review two vulnerabilities affecting React (CVE-2025-55182) and Next.js (CVE-2025-66478), both with a CVSS score of 10.0. These vulns, in the React Server Components (RSC) Flight protocol, allow unauthenticated attackers to execute arbitrary code. https://t.co/JfOS15kpkC
Browser-update-themed lures are fueling a surge in #ClickFix activity. We've seen 10K-plus hits on sites that lead to ClickFix pages pushing a variety of malware types through #pastejacking. Details at https://t.co/jLHXBHpx60
Beware of #scams on #BlackFriday: Known threat actors are increasing email phishing, often linking to fraudulent luxury shopping sites. In addition, new domains are increasingly registered and used for #phishing and other scams. Stay alert! Details at https://t.co/ATncHpefP4
Retailers should be on high alert: Scattered LAPSUS$ Hunters is actively recruiting insiders from retail and hospitality. With holiday shopping in full swing, they’re targeting customer databases and threatening leaks. Read our new Insights blog for more: https://t.co/qM6RVNEfYY
We review digital risk through the capabilities of malicious LLMs, using WormGPT and KawaiiGPT as examples. This discussion of LLMs as a cybercrime-as-a-service product stresses the call for accountability from developers, regulators and researchers. https://t.co/zyzsPkZXGY
We're tracking ongoing sample testing of a malicious Chrome extension on VirusTotal, likely to evade detection before deployment. These samples impersonate a legitimate extension and use highly obfuscated JavaScript for C2 communication. Details at https://t.co/KQf1Jwl5Gj
Shai-Hulud 2.0: A new npm-focused campaign is significantly wider in scope than its previous iteration, affecting tens of thousands of GitHub repositories. Read our updated report: https://t.co/HKMBzmNHJ7
We are tracking indicators for a new #ransomware named "ShinySp1d3r" likely associated with the cybercrime group #BlingLibra (#ShinyHunters). Discovered samples are for Windows, but a Linux version will apparently be released at a later point. Details at https://t.co/QZ2XhqECu6
The security paradox: logging without alerting. Learn how an Akira ransomware attack led to prolonged compromise, and how Unit 42 stepped in to help. https://t.co/DP2kroT3L4
Two interconnected Gh0st RAT campaigns targeted Chinese-speaking users in 2025. While the first campaign used direct droppers, the second evolved to a complex, multi-stage infection chain, notably misusing signed software to bypass defenses. https://t.co/O2F8hPyeZl
Unit 42 is tracking indicators likely associated with an SSH-based backdoor potentially associated with the cybercrime group #SqueamishLibra (#FIN7). The #malware has likely been in use since at least 2022. Details at https://t.co/QoW6qjTrCF
A malicious #TDS campaign uses multi-layer #cloaking measures to evade detection, including anti-bot #CAPTCHA and multiple #fingerprint libraries (ThumbmarkJS & FingerprintJS). Our investigation revealed it distributes #PUP payloads. More info at https://t.co/2NOqK7AZAo
Authentication coercion attacks rely on remote procedure call (RPC) messages. In this article we analyze a case study where attackers exploited rare RPC functions. Included are practical mitigations. https://t.co/WXtNu7Odjs
🛡️ We added Samsung mobile devices out-of-bounds write vulnerability CVE-2025-21042 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec
Security alert-themed #phishing activity: emails appear to be sent from the recipient's own domain. These emails ask recipients to release blocked messages, but they lead to fake webmail login pages prefilled with the recipient's email address. Details at https://t.co/OYXKyMLgVK