THREAT INTELLIGENCE
LIVE THREAT FEED
CVE-2025-1234 added to KEV catalog
PostgreSQL libpq buffer overflow actively exploited in the wild. Immediate patching recommended.
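A KEV addition is only actionable once it is matched against what is actually deployed. The following is an added example (not code from this feed or from CISA) that cross-references scanner findings against a snippet shaped like the CISA KEV JSON feed and ranks hits by remediation due date. The KEV entry, the hostnames and the scanner output are constructed sample data; the field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) are those of the real feed, but nothing else here should be read as a real KEV record.

```python
import json
from datetime import date

# Constructed snippet in the shape of the CISA KEV JSON feed. The entry is
# illustrative sample data for this example, not a real KEV record.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-1234",
            "vendorProject": "PostgreSQL",
            "product": "libpq",
            "vulnerabilityName": "PostgreSQL libpq Buffer Overflow",
            "dateAdded": "2026-03-03",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-03-24",
            "knownRansomwareCampaignUse": "Unknown",
        }
    ],
})

# Constructed scanner output: (hostname, CVE) pairs. Hostnames are made up.
SAMPLE_FINDINGS = [
    ("db-01", "CVE-2025-1234"),
    ("web-01", "CVE-2025-6789"),   # on the feed above, but not in this KEV snippet
    ("db-02", "cve-2025-1234"),    # scanners are not consistent about case
]


def load_kev(kev_json):
    """Index KEV entries by upper-cased CVE ID."""
    data = json.loads(kev_json)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def triage(kev_json, findings, today_iso):
    """Return the findings that appear in KEV, most urgent first.

    Each hit carries the KEV due date and the days remaining relative to
    today_iso (an ISO date string); a negative value means the remediation
    deadline has already passed.
    """
    kev = load_kev(kev_json)
    today = date.fromisoformat(today_iso)
    hits = []
    for host, cve in findings:
        entry = kev.get(cve.upper())
        if entry is None:
            continue  # not known-exploited (per this feed); triage on CVSS instead
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": host,
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    hits.sort(key=lambda h: (h["days_left"], h["host"]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_KEV_JSON, SAMPLE_FINDINGS, "2026-03-10"):
        print(f'{hit["host"]:8} {hit["cve"]} {hit["product"]} '
              f'due {hit["due"]} ({hit["days_left"]}d)')
```

Case-normalising the CVE ID matters in practice: scanner exports and ticket systems mix cases, and a missed match here is a missed deadline. Replace SAMPLE_KEV_JSON with the downloaded feed and SAMPLE_FINDINGS with your scanner export to use it for real.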
Scattered Spider shifts to AI-powered vishing
Scattered Spider observed using real-time AI voice cloning to impersonate IT support in phone-based social engineering attacks.
Operation Phantom Circuit targeting cloud infrastructure
New campaign attributed to Lazarus Group targeting AWS and Azure environments through compromised CI/CD pipelines.
47 new C2 domains linked to APT28 infrastructure
New command and control infrastructure identified using fast-flux DNS with .xyz and .top TLDs.
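Fast-flux infrastructure is usually spotted from passive DNS rather than from a static blocklist: one name resolving to many unrelated addresses with short TTLs. The following is an added example, not code from this feed, that applies that heuristic to passive-DNS style records. The records are constructed (test-net addresses, made-up names), the thresholds are assumptions to tune per environment, and distinct /24 networks stand in for ASN diversity since no ASN lookup is available offline. The TLD check is reported as a signal, not used as a criterion, because plenty of legitimate sites live on .xyz and .top.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed passive-DNS style records: (domain, resolved_ip, ttl_seconds).
# Documentation/test-net addresses and invented names; not real C2 data.
SAMPLE_RECORDS = [
    ("cdn-sync.xyz", "198.51.100.10", 60),
    ("cdn-sync.xyz", "203.0.113.77", 60),
    ("cdn-sync.xyz", "192.0.2.45", 120),
    ("cdn-sync.xyz", "198.51.100.200", 60),
    ("cdn-sync.xyz", "203.0.113.8", 30),
    ("cdn-sync.xyz", "192.0.2.199", 60),
    ("static.example.com", "192.0.2.1", 3600),
    ("static.example.com", "192.0.2.2", 3600),
    ("api.example.com", "198.51.100.5", 300),
]

# TLDs called out in the feed item above; reported as a signal only.
WATCH_TLDS = {"xyz", "top"}


def summarize(records):
    """Per domain: distinct IPs, distinct /24s, lowest TTL seen, watch-TLD flag."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for domain, ip, ttl in records:
        ips[domain].add(ip_address(ip))
        ttls[domain].append(int(ttl))
    out = {}
    for domain, addrs in ips.items():
        # /24 diversity is a stand-in for ASN diversity (assumption: no ASN data offline)
        prefixes = {ip_network(f"{a}/24", strict=False) for a in addrs}
        out[domain] = {
            "distinct_ips": len(addrs),
            "distinct_24s": len(prefixes),
            "min_ttl": min(ttls[domain]),
            "watch_tld": domain.rsplit(".", 1)[-1].lower() in WATCH_TLDS,
        }
    return out


def flag_fast_flux(records, min_ips=5, min_24s=3, max_ttl=300):
    """Return domains meeting every fast-flux threshold (thresholds are assumptions)."""
    flagged = {}
    for domain, s in summarize(records).items():
        if (s["distinct_ips"] >= min_ips
                and s["distinct_24s"] >= min_24s
                and s["min_ttl"] <= max_ttl):
            flagged[domain] = s
    return flagged


if __name__ == "__main__":
    for domain, s in flag_fast_flux(SAMPLE_RECORDS).items():
        print(f"{domain}: {s['distinct_ips']} IPs across {s['distinct_24s']} /24s, "
              f"min TTL {s['min_ttl']}s, watch TLD={s['watch_tld']}")
```

CDNs also rotate addresses, so a hit is a lead for analyst review, not a block decision on its own; the /24 and TTL thresholds are what keep the large CDNs (many IPs, but long TTLs or few networks) below the line.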
CISA Advisory: Secure-by-design for AI systems
New guidance on securing AI/ML systems against adversarial attacks, model poisoning, and inference-time manipulation.
Critical Nginx QUIC vulnerability disclosed
CVE-2025-6789: Memory corruption in the nginx HTTP/3 (QUIC) implementation. No patch available yet. Deployments that do not need HTTP/3 can remove `quic` from their `listen` directives until a fix ships; HTTP/1.1 and HTTP/2 listeners are unaffected by this code path.
Volt Typhoon targeting water utilities
Volt Typhoon confirmed to have compromised multiple US water treatment facilities. Living-off-the-land techniques used exclusively.
FIN7 distributing new POS malware variant
New POS memory scraper distributed via fake browser update campaigns targeting retail sector.
Microsoft Patch Tuesday: 12 critical vulnerabilities
March 2026 Patch Tuesday includes fixes for 12 critical and 45 important vulnerabilities across Windows, Office, and Azure services.
Redis Lua sandbox escape -- no patch available
CVE-2025-3456: Lua sandbox escape in Redis 7.x allowing an authenticated client to break out of the scripting sandbox and execute commands. Mitigation: remove scripting from every user's ACL (-@scripting) and confirm no later +@all, +@slow or +eval rule re-enables it; any client that can reach EVAL, EVALSHA or FCALL can trigger the bug.
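"Disable Lua scripting" in Redis is an ACL exercise, and ACL rules are applied left to right, so a trailing +@all, +@slow or +eval silently undoes an earlier -@scripting. The following is an added example, not code from this feed or from the Redis project, that audits a users.acl style file for users who can still reach the scripting engine. It models only the subset of ACL semantics needed here (category and command add/remove rules, allcommands/nocommands aliases, on/off). The list of scripting commands and the claim that @slow covers all of them are assumptions about Redis 7 category membership; check them against `ACL CAT scripting` and `ACL CAT slow` on your build before trusting a clean result.

```python
# Commands that reach the Lua/function scripting engine (assumption about Redis 7).
SCRIPTING_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
                      "script", "fcall", "fcall_ro", "function"}

# Categories treated as covering every scripting command. Assumption: these
# commands carry both @scripting and @slow, so +@slow re-enables them. Any
# category not listed here is treated as not containing scripting commands;
# extend this set from `ACL CAT <category>` output on your build.
COVERING_CATEGORIES = {"@all", "@scripting", "@slow"}


def scripting_allowed(rules):
    """Return the scripting commands left enabled after applying rules in order."""
    allowed = set()
    for rule in rules:
        r = rule.lower()
        if r == "allcommands":
            r = "+@all"
        elif r == "nocommands":
            r = "-@all"
        if r[:2] in ("+@", "-@"):
            if r[1:] in COVERING_CATEGORIES:
                allowed = set(SCRIPTING_COMMANDS) if r[0] == "+" else set()
            continue
        if r.startswith("+"):
            cmd = r[1:].split("|", 1)[0]     # +script|flush still reaches SCRIPT
            if cmd in SCRIPTING_COMMANDS:
                allowed.add(cmd)
        elif r.startswith("-"):
            cmd, _, sub = r[1:].partition("|")
            if not sub:                      # -script|flush removes one subcommand only;
                allowed.discard(cmd)         # treat the command as still exposed
        # on/off, ~key patterns, &channel patterns, >password, nopass: no command effect
    return allowed


def user_enabled(rules):
    """Last on/off rule wins; users default to enabled once defined."""
    enabled = True
    for r in rules:
        if r == "on":
            enabled = True
        elif r == "off":
            enabled = False
    return enabled


def parse_acl_file(text):
    """Parse 'user <name> <rules...>' lines; other lines are ignored."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":
            users[parts[1]] = parts[2:]
    return users


def audit(text):
    """Map each enabled user to the sorted scripting commands it can still run."""
    findings = {}
    for name, rules in parse_acl_file(text).items():
        if not user_enabled(rules):
            continue  # a disabled user cannot authenticate at all
        exposed = scripting_allowed(rules)
        if exposed:
            findings[name] = sorted(exposed)
    return findings


# Constructed users.acl contents for this example, not from any real deployment.
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on >s3cret ~app:* &* +@all -@scripting
user batch on >hunter2 ~batch:* +@read +@write +eval
user legacy off >old ~* +@all
"""

if __name__ == "__main__":
    for user, cmds in audit(SAMPLE_ACL).items():
        print(f"{user}: can run {', '.join(cmds)}")
```

In the constructed file, `app` is the only correctly locked-down user: `default` has everything (and no password), and `batch` re-enables EVAL after its category rules. The same check can be run against live output from `ACL LIST`, whose lines use the same `user <name> <rules>` shape.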
APT28 observed using compromised Ubiquiti routers
APT28 building a botnet from compromised Ubiquiti EdgeOS routers for credential harvesting and proxy operations.
LLM-powered phishing campaigns surge 340%
AI-generated phishing emails have increased 340% in Q1 2026, with success rates 2.5x higher than traditional phishing.
THREAT ACTORS
APT28: Russian state-sponsored group linked to GRU military intelligence. Known for sophisticated credential harvesting, zero-day exploitation, and use of custom malware frameworks including X-Agent and X-Tunnel. Recently observed deploying AI-augmented phishing campaigns with LLM-generated content that bypasses traditional email filters.
Lazarus Group: North Korean state-sponsored group responsible for some of the largest cyber heists in history. Known for supply chain attacks, cryptocurrency theft, and custom malware. Recently pivoted to targeting DeFi protocols and AI/ML model supply chains with sophisticated watering hole attacks.
FIN7: Financially motivated cybercrime group that has stolen over $1 billion from banks, retailers, and hospitality companies. Known for sophisticated social engineering, custom POS malware, and a recent pivot to ransomware operations. Now using AI-generated voice deepfakes for social engineering attacks on help desks.
Scattered Spider: Young, English-speaking threat group known for aggressive social engineering tactics targeting help desks and IT support. Specializes in SIM swapping, MFA fatigue attacks, and identity provider compromise. Responsible for multiple high-profile breaches including major casino operators. Now combining social engineering with AI-powered voice cloning.
Volt Typhoon: Chinese state-sponsored group focused on pre-positioning within US critical infrastructure for potential future disruption. Uses living-off-the-land techniques exclusively, making detection extremely difficult. Known for compromising SOHO routers and edge devices to build proxy networks.