Live Intelligence Feed

Latest threat intelligence articles from trusted security sources, auto-processed to extract entities, IoCs, and TTPs.
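As an added illustration of the kind of auto-processing described above (this is example code, not the feed's own pipeline), the script below runs a small entity extractor over summaries constructed from the items on this page: it refangs defanged indicators, pulls CVE IDs, file names, URLs and BTC amounts as IoCs, and tags coarse ATT&CK techniques from keywords. The sample text, the `hxxp://example[.]com/...` URL (example.com is reserved for documentation) and the keyword-to-technique map are all assumptions chosen for the demonstration.

```python
"""Illustrative IoC / TTP extraction over threat-intel summaries.

Added example, not the feed's own code. Sample input is constructed from
summaries on this page; the ATT&CK keyword map is a small hand-picked guess.
"""
import re

# Constructed sample input (abridged from the feed). The defanged URL in the
# second entry is invented to exercise refanging; example.com is a reserved name.
SAMPLE_ARTICLES = {
    "Bad Epoll": (
        "A critical Linux kernel vulnerability dubbed 'Bad Epoll' (CVE-2026-46242) "
        "allows unprivileged users to escalate privileges to root."
    ),
    "Armored Likho": (
        "The attacks begin with spear-phishing emails delivering malicious payloads "
        "via RAR archives or weaponized LNK files exploiting CVE-2025-9491, evading "
        "detection through obfuscation. Payload staged at "
        "hxxp://example[.]com/update.rar (constructed)."
    ),
    "Outlook": (
        "Microsoft is also investigating Outlook crashes linked to "
        "Kaspersky Mail Checker (mcou.dll)."
    ),
    "Kairos": "The payment of 9.44 BTC was traced through blockchain to exchanges.",
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
FILE_RE = re.compile(r"\b[A-Za-z0-9_-]+\.(?:dll|exe|dylib|lnk|iso|rar|zip)\b", re.IGNORECASE)
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>)]+")
BTC_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*BTC\b")

# Keyword -> ATT&CK technique ID (assumed mapping; real pipelines use classifiers).
TTP_KEYWORDS = {
    "spear-phishing": "T1566.001",     # Phishing: Spearphishing Attachment
    "phishing email": "T1566.001",
    "lnk": "T1204.002",                # User Execution: Malicious File
    "escalate privileges": "T1068",    # Exploitation for Privilege Escalation
    "keychain": "T1555.001",           # Credentials from Password Stores: Keychain
    "cookies": "T1539",                # Steal Web Session Cookie
    "oauth": "T1528",                  # Steal Application Access Token
    "recovery": "T1490",               # Inhibit System Recovery
    "encrypting": "T1486",             # Data Encrypted for Impact
    "obfuscat": "T1027",               # Obfuscated Files or Information
}


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.], (.), {.}) so indicators parse normally."""
    text = re.sub(r"\bhxxp", "http", text, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)


def extract(text: str) -> dict:
    """Return sorted, de-duplicated IoCs and TTP tags for one summary."""
    text = refang(text)
    lowered = text.lower()
    return {
        "cves": sorted(set(CVE_RE.findall(text))),
        "files": sorted({f.lower() for f in FILE_RE.findall(text)}),
        "urls": sorted({u.rstrip(".,;)") for u in URL_RE.findall(text)}),
        "btc": sorted(set(BTC_RE.findall(text))),
        "ttps": sorted({tid for kw, tid in TTP_KEYWORDS.items() if kw in lowered}),
    }


def ioc_count(record: dict) -> int:
    """Number of atomic indicators (TTP tags are not IoCs), like the feed's badge."""
    return sum(len(record[k]) for k in ("cves", "files", "urls", "btc"))


def extract_feed(articles: dict) -> dict:
    """Process every article and key the results by headline."""
    return {title: extract(body) for title, body in articles.items()}


if __name__ == "__main__":
    for title, rec in extract_feed(SAMPLE_ARTICLES).items():
        print(f"{title}: {ioc_count(rec)} IoCs {rec}")
```

Refanging before matching matters because feeds routinely publish indicators as `hxxp://` and `[.]`; without it the URL regex sees nothing. The keyword map is deliberately crude and is where a production pipeline would swap in a proper classifier.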

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

2d ago · hacker-news

PamStealer is a new macOS information stealer distributed via fake Maccy websites, impersonating a legitimate clipboard manager. It uses a two-stage infection chain, starting with a malicious AppleScript dropper that downloads a Rust-based payload. The malware validates the victim's login password using macOS PAM, establishes persistence, and steals credentials, browser data, cryptocurrency wallets, and iCloud Keychain contents before exfiltrating them to attacker-controlled servers.

3 IoCs

European Parliament Member Investigating Spyware Was Hacked With Pegasus

2d ago · hacker-news

Former European Parliament member Stelios Kouloglou was repeatedly targeted with Pegasus spyware during his tenure on the PEGA Committee, which investigated misuse of commercial spyware. Forensic analysis revealed two infections in October 2022 and March 2023, both exploiting a zero-click vulnerability in Apple's HomeKit (PWNYOURHOME) affecting iOS 15.5. The attacks coincided with key committee activities and may be linked to a Pegasus operator targeting multiple EU jurisdictions, possibly overlapping with a campaign against exiled journalists.

1 IoC 1 Malware

Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer

2d ago · hacker-news

A threat actor known as Armored Likho is conducting cyber espionage and financially motivated attacks against government agencies and the power sector in Russia, Brazil, and Kazakhstan. The group uses a mix of modular RATs, infostealers, and tools like Go2Tunnel for remote access and data exfiltration. A new Python-based infostealer, BusySnake Stealer, has been identified, which steals credentials, cookies, screenshots, and documents while evading detection through obfuscation and dynamic code execution. The attacks begin with spear-phishing emails delivering malicious payloads via RAR archives or weaponized LNK files exploiting CVE-2025-9491.

5 IoCs

New Avalon Malware Framework Packs CrownX Ransomware Capabilities

1d ago · hacker-news

A new modular malware framework dubbed Avalon has been discovered, capable of executing a multi-stage attack chain that includes credential theft, lateral movement, and ransomware deployment via its CrownX component. The attack begins with a phishing email linking to a password-protected archive hosted on Proton Drive that contains a malicious ISO image. The framework employs advanced defense evasion techniques, disables recovery mechanisms, and exfiltrates sensitive data before encrypting systems. Notably, Avalon shows signs of AI-assisted development, lowering the barrier for less sophisticated actors to deploy complex malware.

3 IoCs 1 CVE

New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

1d ago · hacker-news

A critical Linux kernel vulnerability dubbed 'Bad Epoll' (CVE-2026-46242) allows unprivileged users to escalate privileges to root, affecting Linux systems and Android devices. The flaw is a use-after-free race condition in the epoll subsystem, exploitable even from within Chrome's sandbox. A working proof-of-concept exists, though no active exploitation has been observed. The bug is patched in newer kernels, while older 6.1-based kernels such as the Pixel 8's are not affected.

Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices

1d ago · hacker-news

Security firm runZero disclosed seven unpatched vulnerabilities in FatFs, a widely used filesystem library in embedded devices, which could allow attackers with physical access or control over firmware updates to achieve memory corruption and potential code execution. The most severe vulnerability, CVE-2026-6682, is a high-severity integer overflow in FAT32 volume mounting. Due to the decentralized nature of FatFs and lack of responsive upstream maintenance, downstream vendors must independently patch affected systems, increasing the risk of prolonged exposure across IoT, industrial, and consumer devices.

1 IoC

North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign

1d ago · hacker-news

North Korean threat actors associated with the Contagious Interview campaign have launched the PolinRider operation, distributing 108 malicious packages and browser extensions across npm, Packagist, Go modules, and Chrome extensions. The attack targets developers in the cryptocurrency sector through social engineering, compromising maintainer accounts to inject obfuscated JavaScript payloads into legitimate repositories. These payloads deliver second-stage malware such as the DEV#POPPER RAT and OmniStealer, using blockchain infrastructure for staging and malicious VS Code task files for execution, while Git history manipulation hides the injected commits.

2 IoCs 1 Malware

U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case

1d ago · hacker-news

A U.S. government entity, likely Union County, Ohio, paid approximately $1 million to a threat actor named Kairos following a data theft extortion incident. Unlike traditional ransomware attacks, Kairos did not encrypt systems but instead exfiltrated sensitive data—including files from the prosecutor's office—and threatened to leak it unless paid. The attack highlights a growing trend of pure data-theft extortion, where the leverage is the threat of public data disclosure rather than encryption. The payment of 9.44 BTC was traced through blockchain to exchanges including Bybit, OKX, and the Russian service BELQI, but no confirmation of data deletion was verifiable.

1 IoC 1 Actor

CISA: Microsoft SharePoint RCE flaw now actively exploited

3d ago · bleeping-computer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a high-severity remote code execution vulnerability in Microsoft SharePoint, tracked as CVE-2026-45659, is now under active exploitation. The flaw allows authenticated attackers with low privileges to execute arbitrary code remotely on unpatched SharePoint servers without user interaction. Microsoft addressed the vulnerability in its May 2026 updates, but over 10,000 exposed servers remain at risk. CISA has added the flaw to its Known Exploited Vulnerabilities catalog, which requires federal agencies to patch by the catalog's deadline.

Cisco finally confirms attackers exploiting Unified CM flaw

3d ago · bleeping-computer

Cisco has confirmed active exploitation of a critical vulnerability (CVE-2026-20230) in its Unified Communications Manager (Unified CM) software. The flaw allows unauthenticated attackers to perform server-side request forgery (SSRF) attacks via crafted HTTP requests. Cisco urges customers to apply patches immediately or, as a mitigation, disable the vulnerable WebDialer service. The vulnerability is the latest in a series of security issues in Cisco Unified CM.

Microsoft fixes bug that removed Copilot buttons in Outlook

3d ago · bleeping-computer

Microsoft resolved a bug that caused Copilot buttons to disappear in Classic Outlook for Windows users with the Copilot Chat (Basic) license. The issue was fixed via a service update on June 29, 2026, and users are advised to restart Outlook or update to the latest build. Microsoft is also investigating Outlook crashes linked to Kaspersky Antivirus's Kaspersky Mail Checker (mcou.dll).

ConsentFix and ClickFix: How Microsoft 365 Accounts are Hijacked in 3 Seconds

3d ago · bleeping-computer

ConsentFix and ClickFix are social engineering attacks that hijack Microsoft 365 accounts by exploiting user trust in routine workflows. ClickFix tricks users into executing malicious commands via fake verification prompts, while ConsentFix abuses OAuth consent flows by luring victims into dragging the localhost callback link, which carries the OAuth authorization code, into an attacker-controlled page, surrendering the resulting OAuth tokens. These attacks bypass traditional security measures by mimicking legitimate processes, requiring no malware and no password theft. Attackers leverage publicly shared blueprints and common platforms like Dropbox to distribute lures.

Google loses final appeal to overturn €4.1 billion EU fine

3d ago · bleeping-computer

The article discusses the European Union's antitrust case against Google, culminating in a final ruling by the Court of Justice of the European Union (CJEU) dismissing Google's appeal against a €4.1 billion fine. The case centers on Google's historical use of Android licensing agreements to promote its Chrome browser and search services, which was deemed anti-competitive. There is no mention of cyber threat activity, malware, or malicious infrastructure in the article.

Claude Fable relaunch disappoints users with nerfed performance

2d ago · bleeping-computer

The relaunch of Claude Fable, Anthropic's powerful AI model, has disappointed users due to degraded performance and increased restrictions. Despite being available to all users, the model is heavily capped and frequently falls back to the less capable Opus 4.8 due to strict safety guardrails. Users report that prompts involving security-related terms or systems programming trigger fallbacks, impacting usability. Anthropic attributes this behavior to an expanded safety margin rather than intentional model degradation.

Claude Fable 5 isn’t permanently leaving subscriptions, Anthropic says

2d ago · bleeping-computer

Anthropic has temporarily removed access to its powerful Claude Fable 5 model from subscription plans after July 7, shifting usage to a credit-based system due to unexpectedly high demand and capacity constraints. The company clarifies this is not a permanent change and intends to reintegrate Fable 5 into subscription plans once sufficient infrastructure capacity is available. Fable 5 remains fully accessible via the Claude API and consumption-based Enterprise plans. Users are advised that the model may return to subscriptions in the future as capacity allows.

ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit

2d ago · bleeping-computer

ARToken, a phishing-as-a-service (PhaaS) platform, is linked to the EvilTokens Microsoft 365 phishing toolkit, enabling attackers to steal authentication tokens and bypass multi-factor authentication via device code phishing. The platform provides affiliates with persistent access through Primary Refresh Tokens (PRTs) and supports automated business email compromise (BEC) operations using AI. It allows for mailbox monitoring, file exfiltration from SharePoint and OneDrive, and deployment via Cloudflare Workers, indicating a sophisticated, multi-tenant attack infrastructure.

2 IoCs

NetNut proxy network disrupted, 2 million infected devices cut off

1d ago · bleeping-computer

A joint operation led by Google and the FBI disrupted the NetNut residential proxy network, which leveraged at least 2 million compromised Android devices, including smart TVs and streaming boxes, to provide anonymized internet access for cybercriminals and espionage groups. The botnet, powered by trojanized applications like Badbox 2.0, enabled malicious actors to conceal their traffic using victims' residential IP addresses. The disruption involved seizing infrastructure, disabling C2 accounts on Google's platforms, and warning users via Play Protect, significantly impacting the broader proxy services ecosystem.

1 IoC