Ransomware-affiliated threat actors and recent news mentions across our curated feeds.
Indrik Spider (aka Evil Corp, Manatee Tempest, DEV-0243, UNC2165)
[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and by 2017 had begun running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset. (Crowdstrike Indrik November 2018; Crowdstrike EvilCorp March 2021; Treasury EvilCorp Dec 2019)
The Good, the Bad and the Ugly in Cybersecurity - Week 24
The Good | Authorities Dismantle Crypto Laundering Empire & Seize Espionage Domains Europol has dismantled a major cryptocurrency laundering network called "AudiA6", known for actively facilitating illicit transactions for ransomware syndic
Global Cyber Attacks Ease in May 2026, But Ransomware Surges 48% As Threats Reorganize
Attack Volumes Pull Back, But the Bigger Picture Tells a Different Story In May 2026, global cyber-attack activity eased from April's sharp rebound, though the underlying trends offer little genuine comfort. Organizations experienced an ave
Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751)
Overview On June 8, 2026, Check Point published a security advisory for CVE-2026-50751 , a critical authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access, and Spark Firewall products. The vulnerability a
CVE-2026-50751 · CVE-2026-50752 · CVE-2024-24919
Security Advisory - Action Required - Active Exploitation of Check Point VPN Authentication Bypass (CVE-2026-50751)
Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key excha
CVE-2026-50751
The Good, the Bad and the Ugly in Cybersecurity - Week 23
The Good | Fraud Networks Disrupted, Crypto Exchanges Sanctioned & Doxer Arrested This week, the DoJ's Scam Center Strike Force unveiled results from "Disruption Week," a first-of-its-kind joint initiative between U.S. agencies and private
Fraud, Ransomware, and Fake Apps Are Already Targeting FIFA 2026
The FIFA World Cup 2026 kicks off on June 11. Across 16 cities in the US, Canada, and Mexico, billions of people will be watching, traveling, betting, and spending. Threat actors have been watching too, and for far longer. Check Point Resea
Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection
As threats become more coordinated and faster to execute, endpoint protection has become the proving ground for modern defense. For the seventh consecutive time, Microsoft has been named a Leader in the 2026 Gartner® Magic Quadrant™ for End
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
Ransomware that combines robust encryption with rapid late
2026 World Cup: Discussing The World's Biggest Game's Attack Surface
The 2026 World Cup presents major cyber risks from ransomware groups, state-aligned actors, and other groups targeting critical infrastructure. Learn more here.
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploitation, and organizational risk. Key take
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft Defender Experts identified an active cryptojacking campaign in which malicious download sites are surfaced not only through traditiona
Q1 2026 Threat Landscape Report: Zero-clicks, geopolitical tensions, and some wins for law enforcement
The first quarter of 2026 reinforced that attackers are moving faster, operating with greater coordination, and exploiting weaknesses before most organizations can respond effectively. From escalating geopolitical tensions to increasingly a
The Gentleman Ransomware | Defense Evasion TTPs Uncovered | Huntress
Two recent incidents involving The Gentlemen ransomware show the use of defense evasion tactics, including logs being cleared and attempts to add antivirus exclusions.
Inside the RaaS Ecosystem: Operators, Affiliates & Attack Tradecraft | Huntress
The ransomware name on the ransom note doesn't tell the full story. See how RaaS affiliates drive initial access, persistence, and exfiltration and what defenders should watch for.
IT threat evolution in Q1 2026. Mobile statistics
In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network.
IT threat evolution in Q1 2026. Non-mobile statistics
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information wa
CVE-2026-20131
The time of much patching is coming
Welcome to this week's edition of the Threat Source newsletter. Many solutions have been proposed to reduce software bugs: zero-defect mandates, pair programming, formal methods, and mathematical software proofs. The reality is that softwar
The Dark Side of Efficiency: When Network Controllers Become "God Mode" for Attackers
Imagine you build a massive corporate campus with every security control money can buy. Blast resistant doors. Biometric scanners. Guards at every entrance. Maybe something similar to the infamous Death Star. On paper, it looks fantastic. T
CVE-2026-20182 · CVE-2026-20127
State-sponsored actors, better known as the friends you don't want
State-sponsored actors don't break in. They log in, and they use your own tools to stay invisible for months. Responding to a state-sponsored threat is nothing like responding to ransomware, and the differences can make or break the outcome
What Cybersecurity Leaders Must Prioritize in 2026
The threat landscape has shifted. Here's what cybersecurity leaders need to know about RMM abuse, AI-powered attacks, ransomware, and identity threats in 2026.
Why the Stryker Attack Still Matters. And Five Steps You Can Take Today
The Stryker incident revealed that a "Weaponized Remote Wipe" via compromised MDM is a more permanent and difficult threat than ransomware. Learn concrete steps to secure management platforms and prevent your security shield from becoming a
Decoding NightSpire: Ransomware IOCs Aren't Set in Stone
A recent incident linked to the NightSpire ransomware workflow gives insight into why the RaaS structure and model, or lack thereof, are important - especially when it comes to scoping and recovering from the incident.
7 Key Manufacturing Cybersecurity Trends for 2026 | Huntress
Explore the latest manufacturing cybersecurity trends, from ransomware to OT takeovers, and real-world risks to production. Learn how to secure your plant.
3-2-1 Backup Rule: What It Is + How To Implement | Huntress
Discover how the 3-2-1 backup rule strengthens your backup strategy against ransomware. Plus, learn how to implement cloud backup best practices with ease.
Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
Warlock continues to enhance its attack chain with new tactics to improve persistence, lateral movement, and defense evasion using an expanded toolset: TightVNC, Yuze, and a persistent BYOVD technique leveraging the NSec driver.
How the Huntress SOC Stopped a VPN-Based Ransomware Attack
Get an insider look at how the Huntress SOC stopped a ransomware attack that came in through an unsecured VPN. Learn why your business needs more than just software to stay secure.
The Evolving Linux Threat Landscape
Learn about the narrowing threat gap, the rise of cross-platform attacks (like WSL abuse), and the specific ransomware and nation-state actors targeting Linux endpoints in 2026.
Naming and shaming: How ransomware groups tighten the screws on victims
When corporate data is exposed on a dedicated leak site, the consequences linger long after the attack fades from the news cycle
Employee Monitoring and SimpleHelp Software Abused in | Huntress
Huntress uncovers ransomware operations abusing employee monitoring software and SimpleHelp RMM for persistence, and ransomware deployment.
Black Hat Europe 2025: Reputation matters - even in the ransomware economy
Being seen as reliable is good for 'business' and ransomware groups care about 'brand reputation' just as much as their victims
Hardening the Hypervisor | Huntress
Hypervisors are a major target for ransomware attacks. Get expert guidance from Huntress on how to protect your virtualized infrastructure. Learn how to secure access, put runtime controls in place, simplify patching, and improve your recov
This month in security with Tony Anscombe - November 2025 edition
Data exposure by top AI companies, the Akira ransomware haul, Operation Endgame against major malware families, and more of this month's cybersecurity news
Detecting CVE-2024-1086: The decade-old Linux kernel vulnerability that's being actively exploited in ransomware campaigns
CVE-2024-1086, a decade-old Linux kernel vulnerability, is now being actively exploited in ransomware campaigns. This blog breaks down how attackers are weaponizing the flaw to gain root privileges, why so many systems remain exposed, and h
CVE-2024-1086
Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses
In this blog entry, Trend™ Research explores how ransomware actors are shifting their focus to cloud-based assets, including the tactics used to compromise business-critical data in AWS environments.
Threats Plague Educational Organizations
Threat actors are targeting the education sector with data breaches, phishing emails, ransomware hits, brute force RDP attacks, and more.
Gootloader | Threat Detection Overview
Gootloader returns with new obfuscation techniques, including custom WOFF2 fonts and updated persistence mechanisms, while continuing its partnership with Vanilla Tempest for ransomware deployment. Dive in and discover what Huntress is seei
Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques
Trend™ Research identified a sophisticated Agenda ransomware attack that deployed a Linux variant on Windows systems. This cross-platform execution can make detection challenging for enterprises.
Looking Through a Pinhole at a Qilin Ransomware Attack
Incident analysis is critical, but for newcomers, it can be daunting. Learn how to confirm commands, validate findings, and spot real impact during a Qilin ransomware event.
Cybersecurity Awareness Month 2025: Building resilience against ransomware
Ransomware rages on and no organization is too small to be targeted by cyber-extortionists. How can your business protect itself against the threat?
Dispelling Ransomware Deployment Myths
Huntress analyzes ransomware activity, uncovering attack patterns and key detection opportunities while dispelling ransomware myths.
Defending against database ransomware attacks
How attackers exploit exposed databases for extortion, and the defenses that work.
New LockBit 5.0 Targets Windows, Linux, ESXi
Trend™ Research analyzed source binaries from the latest activity from notorious LockBit ransomware with their 5.0 version that exhibits advanced obfuscation, anti-analysis techniques, and seamless cross-platform capabilities for Windows, L
The Dangers of Storing Unencrypted Passwords
Threat actors exploited SonicWall VPN, deployed Akira ransomware, and uninstalled Huntress Managed EDR agents after finding plaintext recovery codes. Learn how to secure your credentials and prevent similar attacks.
Obscura, an Obscure New Ransomware Variant
Huntress found a previously unseen ransomware variant called Obscura on a victim company's domain controller.
Cephalus Ransomware: Don't Lose Your Head
In mid-August, Huntress saw two incidents that linked back to a ransomware variant called Cephalus, which included DLL sideloading via a legitimate SentinelOne executable.
Exposing Data Exfiltration | Huntress
Threat actors often steal data during the course of their attacks. This is particularly true for ransomware threat actors, who do it before deploying file encryption in order to engage in "double extortion" activities. This activity can be
Kawabunga, Dude, You've Been Ransomed!
Thanks in large part to our customer base, Huntress sees a great deal of interesting activity, particularly from threat actors (but also from admins). Part of that activity includes not just ransomware variants that Huntress hasn't seen bef
Active Exploitation of SonicWall VPNs
A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. Huntress advises disabling the VPN service immediately or severely restricting access via IP allow-listing. We're seeing thre
Ukrainian national pleads guilty to role in Conti ransomware operation
A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. [...]
Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs
Authorities in Europe have disrupted AudiA6, a cryptocurrency laundering service used by ransomware gangs and cybercriminal networks. Europol, in a statement issued Thursday, said the dismantling of AudiA6 cut off a "key financial pipeline used to wash hundreds of millions in illicit profits." The service is estimated to have been used to launder more than €336 million (~$389 million) since the
The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm
A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis). According to a detailed report
Authorities dismantle 'AudiA6' ransomware crypto-laundering service
Law enforcement has dismantled the “AudiA6” cryptocurrency service allegedly used by ransomware actors and other cybercriminals to launder more than $380 million. [...]
Who Runs the Ransomware Group ‘The Gentlemen?’
A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real life identity for the administrator of The Gentlemen ransomware group.

[Figure: A graphic created and shared by The Gentlemen ransomware group administrator Hastalamuerte on Breachforums in May 2026. Credit: ke-la.com.]

Experts at the security firm Check Point Software have been closely covering exploits of The Gentlemen, a so-called “ransomware-as-a-service” (RaaS) offering that pays affiliates handsomely to help spread the group’s malware. “A 90/10 affiliate revenue split — compared to the industry standard 80/20 — is accelerating the group’s growth by attracting experienced operators from competing programs,” the researchers wrote in April. Check Point found The Gentlemen are the second most active ransomware group by victim count so far this year, claiming at least 332 published victims since the group’s inception in mid-2025 and more than 240 in 2026 alone. According to Check Point, the group targets Internet-facing devices (VPNs, firewalls) as their entry point, and once inside moves quickly to encrypt entire networks within hours.

Check Point says the administrator and primary operator of the ransomware group uses the nickname Zeta88 on the Russian-language cybercrime forums, and that this individual was previously known under the moniker Hastalamuerte. Check Point noted that a breach of the group’s backend infrastructure made it clear that Hastalamuerte/Zeta88 is the person who assembles the locker and RaaS panel, manages payments, and is essentially the administrator of the entire program who receives 10 percent of all ransoms.

WHO IS HASTALAMUERTE?

The cyber intelligence firm Intel 471 shows that the user Hastalamuerte is a Russian and English speaking perso
CISA gives feds 3 days to patch Check Point VPN bug exploited as zero-day
CISA has ordered U.S. government agencies to secure their Check Point Remote Access VPN and Mobile Access deployments against a critical vulnerability exploited in zero-day attacks by Qilin ransomware affiliates. [...]
Check Point links VPN zero-day attacks to Qilin ransomware gang
Israeli cybersecurity company Check Point has released security updates to patch a critical flaw affecting Remote Access VPN and Mobile Access deployments, which was exploited in zero-day attacks. [...]
‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty
A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors. Buchanan’s hacker handle “Tylerb” once graced a leaderboard in the English-language criminal hacking scene that tracked the most accomplished cyber thieves. Now in U.S. custody and awaiting sentencing, the Dundee, Scotland native is facing the possibility of more than 20 years in prison.

[Figure: Two photos published in a Daily Mail story dated May 3, 2025 show Buchanan as a child (left) and as an adult being detained by airport authorities in Spain. “M&S” in this screenshot refers to Marks & Spencer, a major U.K. retail chain that suffered a ransomware attack last year at the hands of Scattered Spider.]

Scattered Spider is the name given to a prolific English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access. As part of his guilty plea, Buchanan admitted conspiring with other Scattered Spider members to launch tens of thousands of SMS-based phishing attacks in 2022 that led to intrusions at a number of technology companies, including Twilio, LastPass, DoorDash, and Mailchimp. The group then used data stolen in those breaches to carry out SIM-swapping attacks that siphoned funds from individual cryptocurrency investors. In an unauthorized SIM-swap, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls to the victim’s device — such as one-time passcodes for authentication and password reset links sent via SMS. The U.S. Justice Depar