IT News Analysis

// AI-powered news analysis

Latest Top 10 Articles

1
UAC-0145 Uses ClickFix CAPTCHAs to Infect Ukrainian Devices wih Malware

UAC-0145 Uses ClickFix CAPTCHAs to Infect Ukrainian Devices wih Malware

Russian state-sponsored threat actors have been observed leveraging the infamous ClickFix strategy to trick Ukrainian targets into infecting their own machines with data-stealing malware. According to the Computer Emergency Response Team of Ukraine (CERT-UA), the activity has been attributed to UAC-0145 , a sub-cluster within Sandworm , an advanced hacking unit affiliated with GRU, Russia's primary foreign military intelligence agency. In these attacks, threat actors have been found to leverage fake CAPTCHA checks on compromised websites that instruct prospective targets to execute a PowerShell command in the terminal. "The mentioned command, as an example, could be intended for downloading and saving a VBS file in the Startup autorun directory; one of the variants of such a program was called GHETTOVIBE," CERT-UA said in an alert. The attacks also involve the use of SCOUTCURL, a PowerShell script that performs basic reconnaissance by harvesting details about t...

î ‚Jul 19, 2026
2
The AI Security Starter Pack

The AI Security Starter Pack

Unlock 7 of the most widely used AI security resources in one place. Each asset provides practical tools for securing AI apps, models, and agents.

3
SonicWall SMA Zero-Days Exploited Before Disclosure to Gain Root Access

SonicWall SMA Zero-Days Exploited Before Disclosure to Gain Root Access

A previously undocumented threat actor has been attributed to the exploitation of recently disclosed SonicWall Secure Mobile Access (SMA) 1000 series VPN appliances as zero-days prior their public disclosure since June 22, 2026. Cybersecurity company Volexity is tracking the activity under the moniker UTA0533 . The discovery was made following an incident response investigation earlier this month. The impacted organization has not been identified. "This threat actor was observed using multiple zero-day exploits, malware designed specifically for SonicWall SMA VPN appliances, as well as other attacker tradecraft," security researchers Sean Koessel and Steven Adair said in an analysis. The vulnerabilities in question are CVE-2026-15409 (CVSS score: 10.0) and CVE-2026-15410 (CVSS score: 7.2), both of which could be chained to facilitate arbitrary command execution and take over susceptible devices. Patches for both the vulnerabilities were released by SonicWall this wee...

î ‚Jul 19, 2026
4
New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

Updated July 18, 2026: the two flaws now carry CVE IDs, the full mechanism has been published, a persistent-object-cache condition has surfaced, and a working proof-of-concept is public. The story below reflects all of it. An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until Friday, when WordPress shipped 6.9.5 and 7.0.2 and enabled what it calls forced updates through its auto-update system. wp2shell is two bugs, not one, and both now carry CVE IDs. CVE-2026-63030 is the REST API batch-route confusion; CVE-2026-60137 is a SQL injection in WordPress core. Chained, they take an anonymous request all the way to code execution. Since Friday, the full mechanism has been published, and a working proof-of-concept has gone up on GitHub. Adam Kues at Assetnote, Searchlight Cyber's attack surface management arm, found the batch-route bug and reported it throug...

î ‚Jul 17, 2026
5
OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

Eleven bytes will make an unpatched OpenSSL server set aside up to 131 KB of memory for a message that never arrives. On the glibc systems Okta tested, that memory is gone until the process restarts. OpenSSL shipped the HollowByte fix in June with no CVE, no advisory, and no changelog entry pointing at it. Okta's Red Team, which reported the denial-of-service bug and named it, published the details on Thursday. The fixed releases are OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21 , all dated June 9. Every release on those branches before the fixed ones has it. Nothing in a normal patch pipeline will point you at them: there is no identifier for a scanner to match and no advisory to read. The flaw is that OpenSSL took the attacker's word for it. Every TLS handshake message carries a 4-byte header, three bytes of which declare how long the body will be. Older versions grew the receive buffer to that declared size the moment the header landed, before a single byte of the bo...

î ‚Jul 17, 2026
6
Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT

Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT

Cybersecurity researchers have discovered a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack. The malicious package campaign, codenamed ViteVenom by Checkmarx, marks an expansion of ChainVeil , which was observed using an "unprecedented" four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron, Aptos, and Binance Smart Chain to deliver a remote access trojan (RAT) capable reverse shell, credential harvesting, file exfiltration, and persistent backdoor injection. "This tactic makes disabling or destroying the C2 infrastructure extremely difficult," Checkmarx researcher Pavan Gudimalla said in an analysis published last month. The activity has been attributed to a threat actor named SuccessKey, with evidence of malicious activity detected as far back as February 27, 2026, when cryptocurrency wallets linked to ViteVenom were activated. While the typosquats pub...

î ‚Jul 17, 2026
8
New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens

New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens

A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys. A Shodan harvester keeps the scan queue stocked with ComfyUI, Ollama , n8n , Open WebUI , Langflow , and Gradio: the image generators, local model runners, and workflow builders that teams stand up fast and firewall late. The intel feed behind that counter shows 47 credential hauls and 41 model inventories in its last 100 records. Those inventories carry DeepSeek, GLM, and Kimi identifiers tagged :cloud, which suggests that what the bots catalogue reaches past the box itself. QiAnXin's XLab published a report on Friday, named the malware after the "n4d mesh controller" string in its source, and screenshotted the panel. The figures on it are the operator's own, captured July 10, and they do not agree with each other. A counter reading 17,700 total deploys sits above a funnel claiming 95,700 in the past 24 hours. On...

î ‚Jul 17, 2026
9
GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine . Expel, which shared technical details of the event, described the threat actor as a sub-group of GoldenEyeDog (aka APT-Q-27, Dragon Breath, and Miuuti Group), a Chinese cybercrime group known for its targeting of the gambling and gaming sectors using counterfeit websites to push malware-laced software. It's known to be active since at least 2015. "In April 2026, GoldenEyeDog used their malware to access a support member's device at DigiCert, a code-signing certificate provider, and leveraged their access to steal certificates intended for DigiCert customers," Expel security researcher Aaron Walton said in an analysis. "This attack highlighted the capability of the malware and operators." Central to the threat actor's operations is a modified version of Gh0st RAT (aka Farfli), a remote access trojan (RAT) w...

î ‚Jul 17, 2026
10
Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images

Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images

North Korean threat actors linked to the Contagious Interview campaign have been observed employing steganography in SVG image files to conceal malicious payloads as part of a campaign using fake job postings and coding challenges. "Any user who ran the project ended up with a four-stage payload aligned with OtterCookie: a browser credential and crypto wallet stealer, a file stealer, a Socket.IO-based remote access trojan (RAT), and a clipboard stealer," Elastic Security Labs said in a report shared with The Hacker News. The findings once again highlight the continued targeting of software developers by state-sponsored hackers aligned with the Democratic People's Republic of Korea (DPRK) with an aim to steal sensitive data and plunder cryptocurrency wallets. The activity is being tracked under the moniker REF9403. The cybersecurity arm of the Dutch enterprise search and observability platform said it discovered the campaign after the threat actors targeted membe...

î ‚Jul 17, 2026