LATEST THREAT INTELLIGENCE.

VoidStealer: Debugging Chrome to Steal Its Secrets

Description: VoidStealer is an emerging infostealer that employs a novel debugger-based Application-Bound Encryption (ABE) bypass technique. This method leverages hardware breakpoints to extract the v20_master_key directly from browser memory, requiring neither privilege escalation nor code injection. The technique involves attaching to the browser process as a debugger, setting breakpoints at strategic locations, and extracting the key when it's briefly present in plaintext. This approach offers a lower detection footprint compared to alternative bypass methods. The blog post dissects the technique step-by-step, from locating the target address for breakpoint placement to extracting the key. It also provides detection strategies for defenders, focusing on monitoring debugger attachments and suspicious browser memory reads.

Created at: 2026-03-20T09:51:33.321000

Updated at: 2026-03-20T21:06:50.989000

Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets

Description: A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. The malicious code executes within GitHub Actions runners, targeting sensitive data in CI/CD environments. It harvests secrets from runner process memory and the filesystem, encrypts the collected data, and exfiltrates it to an attacker-controlled endpoint or a fallback GitHub-based channel. The attack's scope is significant, potentially affecting over 10,000 workflow files on GitHub referencing this action.

Created at: 2026-03-20T09:51:35.029000

Updated at: 2026-03-20T21:05:12.398000

CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours

Description: A critical vulnerability in Langflow, an open-source visual framework for AI agents and RAG pipelines, was disclosed on March 17, 2026. The vulnerability, CVE-2026-33017, allows unauthenticated remote code execution on exposed Langflow instances. Within 20 hours, exploitation attempts were observed in the wild. Attackers rapidly developed working exploits from the advisory description and began scanning for vulnerable instances. The Sysdig Threat Research Team deployed honeypots to monitor the attacks, observing automated scanning, custom exploit scripts, and data harvesting activities. The rapid exploitation highlights the accelerating trend of shorter time-to-exploit for vulnerabilities, posing significant challenges for defenders. The attackers sought high-value data and API keys, with the potential for software supply chain compromise.

Created at: 2026-03-20T09:51:34.102000

Updated at: 2026-03-20T21:02:18.495000

Law Firm Sites Hijacked in Suspected Supply-Chain Attack

Description: GrayCharlie, a threat actor active since mid-2023, compromises WordPress sites to inject links redirecting visitors to NetSupport RAT payloads via fake browser updates or ClickFix mechanisms. These infections often lead to Stealc and SectopRAT deployments. The group's infrastructure is primarily linked to MivoCloud and HZ Hosting Ltd. A cluster of US law firm sites was compromised around November 2025, possibly through a supply-chain attack. GrayCharlie uses two main attack chains: one involving fake browser updates and another using ClickFix-style lures. The group's objectives appear to focus on data theft and financial gain, with the possible sale of access to other threat actors.

Created at: 2026-02-18T16:28:06.616000

Updated at: 2026-03-20T16:41:27.242000

An Overview of The Gentlemen's TTPs

Description: This intelligence report provides a comprehensive analysis of The Gentlemen, a ransomware group known for its sophisticated tactics, techniques, and procedures (TTPs). The group exploits vulnerabilities in FortiOS/FortiProxy, maintains a database of compromised devices, and employs advanced defense evasion techniques. Their initial access methods include exploiting public-facing applications and brute-force attacks. The Gentlemen utilize various execution, persistence, and privilege escalation techniques, while also focusing on credential access and lateral movement. The group's impact includes data encryption and inhibiting system recovery. The report highlights the group's ongoing efforts to improve their ransomware capabilities by reverse-engineering other malware samples.

Created at: 2026-03-20T08:24:49.787000

Updated at: 2026-03-20T08:28:04.105000

Beast Ransomware Toolkit: A Proactive Threat Intelligence Report

Description: This analysis delves into the Beast ransomware, a Ransomware-as-a-Service (RaaS) that emerged in June 2024 as a successor to Monster ransomware. The investigation focuses on a Beast ransomware server detected in March 2026, revealing the operators' toolkit and attack methodology. The toolkit includes various tools for reconnaissance, network mapping, credential theft, persistence, lateral movement, exfiltration, and impact. Notable findings include the presence of both Windows and Linux versions of Beast ransomware, indicating targeting of workstations and Linux servers on VMware ESXi hypervisors. The report highlights the importance of proactive collection of internet telemetry in identifying ransomware operators' toolkits before they can be used against targets.

Created at: 2026-03-20T08:12:00.222000

Updated at: 2026-03-20T08:20:55.619000

Copyright Lures Mask a Multi-Stage PureLog Stealer Attack on Key Industries

Description: A sophisticated malware campaign delivering PureLog Stealer has been identified, targeting healthcare, government, hospitality, and education sectors in multiple countries. The attack uses localized copyright violation lures to trick victims into executing a multi-stage infection chain. The malware employs encrypted payloads, remote key retrieval, and fileless execution techniques to evade detection. It utilizes a Python-based loader and dual .NET loaders to run PureLog Stealer entirely in memory. The campaign incorporates AMSI bypass, registry persistence, screenshot capture, and victim fingerprinting for stealth and intelligence gathering. Evidence confirms communication with PureLog-associated infrastructure.

Created at: 2026-03-20T08:13:38.405000

Updated at: 2026-03-20T08:18:20.719000

Threat Spotlight: ShinyHunters Fast-Tracks SaaS Access with Subdomain Impersonation

Description: The threat group ShinyHunters has adopted a new tactic of subdomain impersonation for initial access, moving away from newly registered lookalike domains. They are utilizing mobile-first lures and outsourcing spam services to scale their operations. The group is likely reusing previously stolen CRM and ERP data to drive social engineering attacks. Their approach involves phone-guided adversary-in-the-middle phishing to capture credentials and authenticated sessions. ShinyHunters is also scaling vishing operations through paid contractors and specialized harassment services. This evolution in tactics allows for rapid identity-to-SaaS compromise without deploying malware, making traditional domain-based monitoring less effective.

Created at: 2026-03-19T14:23:02.178000

Updated at: 2026-03-20T08:05:16.104000

Analyzing the Current State of AI Use in Malware

Description: Unit 42 researchers investigated the use of large language models (LLMs) in malware creation and functionality. They examined two samples: a .NET infostealer incorporating OpenAI's GPT-3.5-Turbo model via API, and a Golang-based malware dropper leveraging an LLM for environment assessment. The infostealer's LLM integration was poorly implemented and non-functional, serving as 'AI theater'. The dropper used an LLM to evaluate system safety before deploying its payload. While these samples show experimentation with AI in malware, they highlight challenges in effective implementation. The researchers anticipate future advancements in AI-assisted malware creation and execution, emphasizing the need for evolved defenses against AI-driven threats.

Created at: 2026-03-19T15:13:43.584000

Updated at: 2026-03-20T08:02:53.039000

When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures

Description: During tax season, threat actors exploit the urgency of time-sensitive tax-related emails to trick targets into opening malicious attachments, scanning QR codes, or following link chains. Recent campaigns identified by Microsoft Threat Intelligence use lures around W-2 forms, tax forms, and impersonation of government tax agencies and financial institutions. These campaigns aim to harvest credentials or deliver malware, often using phishing-as-a-service platforms for convincing credential theft and MFA bypass. Notable tactics include using legitimate remote monitoring tools, targeting specific industries and roles like accountants, and employing sophisticated social engineering techniques. The campaigns leverage various file formats, legitimate infrastructure, and multiple user interactions to complicate detection.

Created at: 2026-03-19T15:28:27.792000

Updated at: 2026-03-20T08:01:35.908000