Last updated: July 5, 2026 at 9:01 AM UTC

Microsoft exposes Storm-1175 - China-based ransomware group deploying Medusa with zero-day exploits in under 24 hours

Microsoft Threat Intelligence published a detailed report on Storm-1175, a China-based financially motivated group that deploys Medusa ransomware at extreme speed - sometimes moving from initial access to full ransomware deployment within 24 hours. The group exploits internet-facing systems using a mix of zero-day and recently disclosed (n-day) vulnerabilities, having weaponized over 16 flaws across 10 products since 2023. Two vulnerabilities were exploited as zero-days a full week before public disclosure. Recent targets include healthcare, education, finance, and professional services organizations in the US, UK, and Australia. Their playbook: exploit a web-facing flaw, create persistence via new accounts and web shells, steal credentials with Mimikatz, disable Defender via registry modifications, exfiltrate data with Rclone, then deploy Medusa across the network.

Check
Review your internet-facing asset inventory. Storm-1175 specifically scans for exposed web applications running Exchange, Ivanti, ConnectWise, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.
Affected
Organizations running any of: Microsoft Exchange, Ivanti Connect Secure/Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, BeyondTrust, Oracle WebLogic - especially if internet-facing and not fully patched.
Fix
Patch all internet-facing systems immediately - Storm-1175 weaponizes new CVEs within days. Enable tamper protection on Microsoft Defender and set DisableLocalAdminMerge to prevent attackers from adding antivirus exclusions. Monitor for credential theft indicators (LSASS access, WDigest caching). Block Rclone and unauthorized RMM tools at the perimeter. Prioritize alerts for new account creation and web shell deployment.

Axios npm attack attributed to North Korean hackers UNC1069 - part of broader campaign targeting open-source maintainers

The Axios supply chain attack we covered on March 31 has now been attributed to UNC1069, a North Korean threat group linked to BlueNoroff that specializes in financially motivated attacks against crypto exchanges and financial institutions. Google's Mandiant confirmed the attackers social-engineered the lead maintainer through a fake video call, deploying a RAT via the compromised npm account. Socket warns this wasn't a one-off - the same actors have compromised accounts spanning some of the most widely depended-upon packages in the npm registry.

Check
Re-check your environments for axios 1.14.1 or 0.30.4. If you found and removed them previously, verify credential rotation was completed.
Affected
axios 1.14.1 and 0.30.4 on npm. Socket warns additional high-trust npm packages may be compromised by the same actor - monitor for advisories.
Fix
Pin to axios 1.14.0 or 0.30.3. Rotate all credentials on any system that ran the poisoned versions. Block sfrclak[.]com and 142.11.206.73 on port 8000. Enforce OIDC-backed provenance verification for critical npm dependencies.

NoVoice Android rootkit hid inside 50+ Google Play apps - 2.3 million downloads, survives factory reset

McAfee uncovered a rootkit campaign called Operation NoVoice that distributed malware through more than 50 legitimate-looking apps on Google Play - cleaners, games, and gallery tools - downloaded at least 2.3 million times. Once opened, the apps silently profile the device and download root exploits targeting Android vulnerabilities patched between 2016 and 2021. After rooting, the malware replaces core system libraries so every app the user opens runs attacker code. It survives factory resets on older devices because the payload lives on the system partition.

Check
Check your Android fleet for devices running security patch levels older than May 2021, and audit for any of the removed apps.
Affected
Android devices with security patch level before 2021-05-01. The rootkit primarily targets older or unpatched devices, though patched devices that installed the apps may have been exposed to other payloads.
Fix
Update Android devices to security patch level 2021-05-01 or later. Devices confirmed infected on Android 7 or older require a full firmware reflash - factory reset will not remove the rootkit. Remove any apps matching the McAfee IOC list. Consider MDM policies that block app installs from unknown or low-reputation publishers.

EvilTokens phishing kit commoditizes Microsoft device code attacks for business email compromise

A new phishing-as-a-service kit called EvilTokens is being sold on Telegram, turning OAuth device code phishing against Microsoft accounts into a turnkey attack. Victims receive emails with PDFs or HTML files containing QR codes or links to pages impersonating Adobe, DocuSign, or SharePoint. The kit captures Microsoft authentication tokens in real time - bypassing MFA - and gives attackers persistent access for business email compromise. The developer says Gmail and Okta support is coming next.

Check
Review your Microsoft Entra ID logs for unusual device code authentication flows, especially from unfamiliar locations or devices.
Affected
Any organization using Microsoft 365 with users who may click on phishing emails disguised as document-sharing notifications.
Fix
Restrict or disable the device code authentication flow in Microsoft Entra ID conditional access policies if your organization doesn't need it. Deploy phishing-resistant MFA (FIDO2 hardware keys). Train finance, HR, and sales teams to recognize fake document verification pages. Monitor for anomalous token grants in Entra ID sign-in logs.
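An added Python triage script for the Check step above (not code from the original digest or from Microsoft): it ranks successful device code sign-ins against each user's baseline of countries seen in their ordinary sign-ins, so flows from unfamiliar locations surface first. The field names (authenticationProtocol, userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode) are assumed to match Microsoft Graph signIn records, and the sample records are constructed.

```python
"""Added example (not from the original digest): triage Entra ID sign-in records for
device code flows, ranking those from countries the user has never signed in from."""
from collections import defaultdict

# Field names follow Microsoft Graph signIn objects (authenticationProtocol,
# userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode);
# this mapping is an assumption, adjust it to your log export.

def _country(rec: dict) -> str:
    return (rec.get("location") or {}).get("countryOrRegion", "unknown")

def _succeeded(rec: dict) -> bool:
    return (rec.get("status") or {}).get("errorCode", 0) == 0

def build_baseline(history: list) -> dict:
    """Countries seen per user in successful sign-ins that did NOT use device code."""
    seen = defaultdict(set)
    for rec in history:
        if _succeeded(rec) and rec.get("authenticationProtocol") != "deviceCode":
            seen[rec["userPrincipalName"]].add(_country(rec))
    return dict(seen)

def triage_device_code(records: list, baseline: dict) -> list:
    """Return (severity, upn, ip, country) for every successful device code sign-in;
    'high' when the country is absent from the user's baseline (or there is none)."""
    out = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode" or not _succeeded(rec):
            continue
        upn, country = rec["userPrincipalName"], _country(rec)
        severity = "info" if country in baseline.get(upn, set()) else "high"
        out.append((severity, upn, rec.get("ipAddress"), country))
    return sorted(out)  # 'high' sorts ahead of 'info'

def _rec(upn, ip, proto, country, err=0):
    """Build one constructed sample record (not real tenant data)."""
    return {"userPrincipalName": upn, "ipAddress": ip, "authenticationProtocol": proto,
            "location": {"countryOrRegion": country}, "status": {"errorCode": err}}

# Constructed samples; IPs come from documentation ranges, not real indicators.
HISTORY = [_rec("cfo@example.com", "203.0.113.10", "oAuth2", "US"),
           _rec("cfo@example.com", "203.0.113.11", "oAuth2", "US")]
RECENT = [_rec("cfo@example.com", "203.0.113.12", "deviceCode", "US"),
          _rec("cfo@example.com", "198.51.100.7", "deviceCode", "NG"),
          _rec("hr@example.com", "198.51.100.8", "deviceCode", "US"),      # no baseline
          _rec("cfo@example.com", "198.51.100.9", "deviceCode", "RU", err=1)]  # failed, ignored

if __name__ == "__main__":
    for row in triage_device_code(RECENT, build_baseline(HISTORY)):
        print(*row)
```

Feed it the JSON export of your sign-in logs (a long history window for the baseline, a short recent window for triage) and review the "high" rows first.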

CrystalRAT malware-as-a-service sells remote access, crypto theft, and keylogging on Telegram

Kaspersky researchers uncovered CrystalRAT, a new malware-as-a-service sold via Telegram and promoted on YouTube with a tiered subscription model. Built in Go, it combines remote access via VNC, keylogging, clipboard hijacking for crypto wallet theft, browser credential stealing from Chromium/Yandex/Opera, and data harvesting from Steam, Discord, and Telegram. Each buyer gets a uniquely encrypted build using ChaCha20, making detection harder. Kaspersky warns that new versions are still shipping, and the victim count is likely to grow.

Check
Alert staff about fake software cracks and activators - the most common delivery vector for CrystalRAT infections.
Affected
Windows users who download software from unofficial sources. Current victims are primarily in Russia, but the MaaS model means geographic expansion is expected.
Fix
Block known CrystalRAT C2 infrastructure at the network level. Ensure endpoint detection tools are updated with Kaspersky's published IOCs. Train staff to verify crypto wallet addresses before confirming transfers - clipboard hijacking swaps addresses silently.

Axios npm package compromised - cross-platform RAT deployed via hijacked maintainer account

Attackers hijacked the npm account of Axios's lead maintainer and published two poisoned versions of one of JavaScript's most popular libraries - 83 million weekly downloads. Versions 1.14.1 and 0.30.4 inject a hidden dependency called plain-crypto-js that drops a cross-platform RAT targeting macOS, Windows, and Linux. The malware phones home within seconds of npm install, then deletes itself to avoid detection. Both release branches were hit within 39 minutes of each other.

Check
Check if any project or CI/CD pipeline installed Axios in the last 48 hours.
Affected
axios 1.14.1 and 0.30.4 on npm. Also @shadanai/openclaw and @qqbrowser/openclaw-qbot which bundle the same payload.
Fix
Downgrade to axios 1.14.0 or 0.30.3. Remove plain-crypto-js from node_modules. Rotate all credentials on affected systems. Block sfrclak[.]com and 142.11.206.73 on port 8000.
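Both Axios entries on this page (the original compromise above and the later UNC1069 attribution) ask you to check environments for axios 1.14.1 / 0.30.4 and the injected plain-crypto-js dependency. Below is an added Python scanner, not code from the original digest or from the Axios project, that walks package-lock.json files in both the v1 and the v2/v3 layouts for those indicators; the sample lockfile and its plain-crypto-js version number are constructed.

```python
"""Added example (not from the original digest): scan npm lockfiles for the poisoned axios
releases and the injected plain-crypto-js dependency named in the two Axios entries."""
import json
from pathlib import Path

# Versions and the injected dependency name come from the digest entries.
POISONED_AXIOS = {"1.14.1", "0.30.4"}
INJECTED_DEP = "plain-crypto-js"

def _walk_packages(lock: dict):
    """Yield (name, version) from lockfile v2/v3 'packages' or v1 nested 'dependencies'."""
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project itself, not a dependency
            yield path.split("node_modules/")[-1], meta.get("version", "")
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, meta = stack.pop()
        yield name, meta.get("version", "")
        stack.extend(meta.get("dependencies", {}).items())

def find_indicators(lock: dict) -> list:
    """Return sorted findings for one parsed package-lock.json (empty list = clean)."""
    findings = set()
    for name, version in _walk_packages(lock):
        if name == "axios" and version in POISONED_AXIOS:
            findings.add(f"poisoned axios {version}")
        elif name == INJECTED_DEP:
            findings.add(f"{INJECTED_DEP} {version} present (injected dependency)")
    return sorted(findings)

def scan_tree(root: str) -> dict:
    """Walk root for package-lock.json files; return {path: findings} for hits only."""
    hits = {}
    for lock_path in Path(root).rglob("package-lock.json"):
        if "node_modules" in lock_path.parts:
            continue  # vendored copies are covered by their parent lockfile
        try:
            found = find_indicators(json.loads(lock_path.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed lockfile
        if found:
            hits[str(lock_path)] = found
    return hits

# Constructed sample lockfile (v3 layout); the plain-crypto-js version is made up.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"axios": "^1.14.1"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/axios/node_modules/plain-crypto-js": {"version": "1.0.0"}}}
print(find_indicators(SAMPLE_LOCK))  # run stand-alone to see the two findings
```

Point scan_tree at a source checkout or a CI workspace root; a hit means the poisoned version was resolved there, so the credential rotation from the Fix step applies to every host that ran npm install from that lockfile.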

New Russian CTRL toolkit spreads via fake private key folders - hijacks RDP and steals credentials

Researchers at Censys discovered a previously undocumented Russian-origin toolkit called CTRL, distributed through Windows shortcut files disguised as private key folders. Once a victim double-clicks the LNK file, a multi-stage chain deploys credential harvesting through a fake Windows Hello PIN prompt, a keylogger, RDP session hijacking, and reverse proxy tunneling. All stolen data exits through the RDP tunnel, leaving minimal forensic traces compared to traditional command-and-control patterns.

Check
Warn staff about Windows shortcut files received via email or messaging, especially any labeled as private keys or credentials.
Affected
Any Windows system where a user opens the malicious LNK file. The toolkit targets .NET Framework 4.7.2 environments.
Fix
Block the domains hui228[.]ru and IPs 146.19.213.155, 194.33.61.36, 109.107.168.18. Train staff to never open shortcut files from untrusted sources. Monitor for unusual FRP tunnel traffic on port 7000.

New RoadK1ll implant turns compromised hosts into silent network relays via WebSocket tunneling

Blackpoint discovered a new Node.js-based implant called RoadK1ll during an incident response engagement. It's not a traditional RAT - it carries no large command set. Instead, it does one thing well: turn a compromised machine into a controllable relay point that lets attackers pivot to internal systems that would normally be unreachable from outside. It communicates over WebSocket, blends into normal web traffic, supports multiple concurrent connections, and auto-reconnects if disrupted.

Check
Monitor endpoints for unexpected Node.js processes maintaining persistent outbound WebSocket connections to unfamiliar addresses.
Affected
Any Windows or Linux system where an attacker has achieved initial access. RoadK1ll is a post-compromise tool deployed after initial entry.
Fix
Validate network segmentation controls to ensure compromised hosts cannot freely reach sensitive internal services. Block outbound WebSocket traffic to unknown IPs on non-standard ports. Check for the IOCs published by Blackpoint.

New Infinity Stealer malware targets macOS through fake Cloudflare CAPTCHA pages

A new macOS infostealer called Infinity Stealer tricks users through fake Cloudflare CAPTCHA pages - a technique called ClickFix. Victims paste a command into Terminal thinking they're verifying their identity, but it silently installs malware. The payload is compiled with Nuitka - turning Python into native macOS binaries that are much harder for security tools to detect. It steals browser credentials, Keychain data, and crypto wallets.

Check
Alert your team - especially Mac users - to never paste unknown commands into Terminal from websites.
Affected
Any macOS user who encounters a Cloudflare-style CAPTCHA asking them to open Terminal.
Fix
Train staff to recognize fake CAPTCHA pages. Block the domain update-check[.]com. Run endpoint detection on macOS devices.

Russian APT TA446 weaponizes leaked DarkSword exploit kit to target iPhones via spear-phishing

The leaked DarkSword iOS exploit kit is already being weaponized. Proofpoint attributes a new spear-phishing campaign to TA446 (also known as COLDRIVER/Star Blizzard), a Russian FSB-linked group that has never previously targeted Apple devices. The emails spoof Atlantic Council discussion invitations and redirect iPhone users to the exploit kit, which deploys the GHOSTBLADE dataminer. Proofpoint warns the targeting is unusually broad - hitting government, finance, legal, and education sectors.

Check
Ensure all company iPhones and iPads are updated, and alert staff about spoofed discussion invitation emails.
Affected
iPhones running iOS 18.4 through 18.7.1. TA446 targets government, think tank, higher education, financial, and legal organizations.
Fix
Update to iOS 18.7.2 or later. Block the domains escofiringbijou[.]com, motorbeylimited[.]com, and bridetvstreaming[.]org. Enable Lockdown Mode on high-risk devices.