A new AI capability that delivers analysis-ready Media Intelligence. More than just a product launch, this is a shift in how communications teams monitor, understand and act on media coverage.
The Google Threat Intelligence Group has uncovered a .NET backdoor known as STOCKSTAY, which has been a persistent component of the espionage toolkit utilized by the highly active and capable Russia-linked threat actor Turla since at least December 2022.
Law enforcement agencies from a number of different countries have banded together to take down several malware variants, including SocGholish, StealC, and Amadey. In a Wednesday announcement, Europol said it worked with law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the UK, the U.S., and several private partners to carry out the disruption over the last two weeks.
Researchers have uncovered a clever new macOS implant called Gaslight that introduces a novel evolution in attacker tradecraft by utilizing prompt injection to target security analysts and LLM-assisted triage tools rather than just the sandbox environment. Gaslight is a Rust-based backdoor that researchers from SentinelOne have attributed to DPRK-aligned threat actors, and Apple’s XProtect detects the sample under the MACOS_BONZAI_COBUCH signature family.
The large-scale, automated campaign known as FortiBleed is still ongoing and to this point has successfully compromised more than 86,000 Fortinet firewall and VPN gateway devices across 194 countries. Researchers at SOCRadar discovered the operation a few days ago and found that it relied on an exposed operational server that contains the group's automated tooling, victim lists, and a database of validated credentials.
Microsoft security researchers have uncovered a significant supply chain attack targeting the Mastra-AI npm ecosystem, resulting in the compromise of over 80 packages via account takeover. The incident used a "phantom dependency" injection technique designed to evade detection while establishing persistent C2 communication.
Alex Pinto, one of the lead authors of the Verizon Data Breach Investigations Report, joins Dennis to talk about his organization's newest publication, the Breach Impact Study, which digs into the real world cost of breaches, both in dollars and in organizational impact. Spoiler: Breaches are expensive. Verizon BIS: https://www.verizon.com/business/resources/reports/2026-breach-impact-study-dbir.pdf
ShinyHunters is at it again, this time using an Oracle zero-day vulnerability to target over 100 global organizations in May and June, with more than half of these in the higher education sector. A new report by Mandiant and Google Threat Intelligence Group researchers identified the activity, which they said occurred between May 27 and June 9.
New research from Anthropic serves as a stark warning about how AI models will make it easier and faster for threat actors to develop exploits targeting known vulnerabilities. Anthropic researchers have previously evaluated how large language models (LLMs, which are AI systems trained to understand and generate human language) have impacted zero-day vulnerabilities.