LATEST THREAT INTELLIGENCE.
Metro4Shell: Exploitation of React Native's Metro Server in the Wild
Description: A vulnerability in React Native's Metro Server, dubbed Metro4Shell, has been exploited in the wild since December 21, 2025. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on Windows systems. Exploitation involves a multi-stage PowerShell-based loader delivered through cmd.exe, which disables Microsoft Defender, establishes a connection to an attacker-controlled host, and executes a downloaded binary. The attacks originated from multiple IP addresses and targeted both Windows and Linux systems. Despite ongoing exploitation, the vulnerability has not received widespread public acknowledgment, highlighting the gap between actual threats and recognized risks in cybersecurity.
Created at: 2026-02-04T11:13:50.106000
Updated at: 2026-02-04T21:04:55.718000
The Godfather of Ransomware? Inside Cartel Ambitions
Description: DragonForce, a ransomware group that emerged in late 2023, has become a significant cyber threat. They employ a dual-extortion strategy, encrypting and exfiltrating data, and have targeted various sectors, particularly manufacturing and construction. The group offers a flexible ransomware-as-a-service platform with advanced features, supporting multiple platforms and encryption modes. DragonForce has announced a shift to a cartel model, allowing affiliates to create their own brands. They've also introduced automated registration for new affiliates and a 'Company Data Audit' service to enhance extortion campaigns. The group has engaged in conflicts with rival ransomware operations and claims to have formed a coalition with other major groups. While their connection to DragonForce Malaysia remains unsubstantiated, technical analysis reveals similarities with other ransomware families and sophisticated attack techniques.
Created at: 2026-02-04T11:13:50.721000
Updated at: 2026-02-04T21:02:33.469000
Anatomy of a Russian Crypto Drainer Operation
Description: A major cybercriminal operation called Rublevka Team has generated over $10 million through cryptocurrency theft since 2023. The group employs a network of social engineering specialists who direct victims to malicious pages impersonating legitimate crypto services. Using custom JavaScript scripts, they trick users into connecting wallets and authorizing fraudulent transactions. Rublevka Team's infrastructure is fully automated, offering affiliates access to tools for launching high-volume scams. Their model poses a growing threat to cryptocurrency platforms and brands, with potential for reputational and legal risks. The group's agility in rotating domains and targeting lower-cost chains like Solana undermines traditional fraud detection efforts.
Created at: 2026-02-04T15:24:26.608000
Updated at: 2026-02-04T21:00:52.735000
Punishing Owl Attacks Russia: A New Owl in the Hacktivists' Forest
Description: A new hacking group called Punishing Owl has emerged, targeting Russian critical infrastructure. Their first attack on December 12, 2025, compromised a Russian state security agency, leaking internal documents. The group used DNS manipulation, created fake subdomains, and sent phishing emails to the victim's partners. They employed a PowerShell stealer called ZipWhisper to exfiltrate browser data. Punishing Owl's attacks are politically motivated and focus exclusively on Russian targets, including government agencies, scientific institutions, and IT organizations. The group has established a presence on cybercriminal forums and social media, likely operating from Kazakhstan. Experts predict this group will continue to be a persistent threat in the Russian cyberspace.
Created at: 2026-02-04T15:26:42.463000
Updated at: 2026-02-04T20:58:11.370000
Compromised Routers, DNS, and a TDS Hidden in Aeza Networks
Description: A shadow DNS network and HTTP-based traffic distribution system (TDS) hosted in Aeza International, a sanctioned bulletproof hosting company, has been discovered. The system compromises routers, altering their DNS settings to use shadow resolvers. These resolvers selectively modify responses, directing users to malicious content. The TDS incorporates a clever DNS trick to evade detection by security groups. The system, operational since mid-2022, appears to be run by a financially motivated actor in affiliate marketing. It has the potential to interfere with devices on the network, alter DNS records, and conduct adversary-in-the-middle operations. The threat actor's ability to control DNS resolution poses significant risks beyond delivering unwanted advertising.
Created at: 2026-02-04T15:26:43.015000
Updated at: 2026-02-04T20:56:11.171000
New year, new sector: Targeting India's startup ecosystem
Description: Transparent Tribe, also known as APT36, has expanded its targeting to include India's startup ecosystem, particularly those in the cybersecurity domain. The group is using startup-oriented themed lure material delivered via ISO container-based files to deploy Crimson RAT. This campaign deviates from their typical government and defense targets, suggesting a shift in strategy towards companies providing open-source intelligence services and collaborating with law enforcement agencies. The attack chain involves spear-phishing emails, malicious LNK files, and batch scripts to execute the Crimson RAT payload. The malware employs extensive obfuscation techniques and uses a custom TCP protocol for command and control communications. This activity demonstrates the group's adaptation of proven tooling for new victim profiles while maintaining its core behavioral tactics, techniques, and procedures.
Created at: 2026-02-04T15:57:21.862000
Updated at: 2026-02-04T20:53:21.460000
AI-assisted cloud intrusion achieves admin access in 8 minutes
Description: An AWS environment was targeted in a sophisticated attack, with the threat actor gaining administrative privileges in under 10 minutes. The operation showed signs of leveraging large language models for automation and decision-making. Initial access was obtained through credentials found in public S3 buckets, followed by rapid privilege escalation via Lambda function code injection. The attacker moved laterally across 19 AWS principals, abused Amazon Bedrock for LLMjacking, and launched GPU instances for potential model training. The attack involved extensive reconnaissance, data exfiltration, and attempts to establish persistence. Notable techniques included IP rotation, role chaining, and the use of AI-generated code.
Created at: 2026-02-04T15:57:22.741000
Updated at: 2026-02-04T20:51:49.629000
Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast Asia
Description: A Chinese threat actor, Amaranth-Dragon, has been conducting highly targeted cyber-espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group swiftly exploited the CVE-2025-8088 vulnerability in WinRAR to deliver malicious payloads, including a custom loader and the Havoc C2 Framework. Their operations demonstrate sophisticated tactics, including geo-restricted command and control servers, use of legitimate hosting services, and a new Telegram-based remote access trojan. The campaigns coincide with significant local geopolitical events, increasing the likelihood of successful compromises. Technical analysis reveals similarities with APT-41, suggesting a possible connection or shared resources between the groups.
Created at: 2026-02-04T15:57:23.661000
Updated at: 2026-02-04T20:49:51.986000
Danger Bulletin: Cyberattacks Against Ukraine and EU Countries Using CVE-2026-21509 Exploit
Description: UAC-0001 (APT28) has launched cyberattacks against Ukraine and EU countries exploiting the CVE-2026-21509 vulnerability in Microsoft Office products. The threat actor created malicious DOC files targeting government bodies and EU organizations. The attack chain involves WebDAV connections, COM hijacking, and the use of the COVENANT framework, which utilizes Filen cloud storage for command and control. The campaign began shortly after the vulnerability's disclosure, with multiple documents discovered containing similar exploits. The attackers employ sophisticated techniques to evade detection and maintain persistence, including disguising malicious files as legitimate Windows components and creating scheduled tasks.
Created at: 2026-02-04T14:15:57.152000
Updated at: 2026-02-04T14:18:11.370000
341 Malicious Clawed Skills Found by the Bot They Were Targeting
Description: A massive malware campaign dubbed ClawHavoc has been uncovered in the ClawHub marketplace, targeting OpenClaw bots and their users. An AI bot named Alex, working with security researcher Oren Yomtov, discovered 341 malicious skills, including 335 from a single campaign. The malware, identified as Atomic Stealer (AMOS), uses sophisticated techniques to evade detection and steal sensitive data. The attack exploits users' trust in AI assistants, potentially compromising personal and financial information. In response, a new tool called Clawdex has been developed to help bots and users scan for malicious skills before installation.
Created at: 2026-02-04T12:44:15.808000
Updated at: 2026-02-04T14:00:37.214000
