Threat Actor Profile: Cl0p (CL0P) — Extortion-led Mass Compromise
1. Executive Summary
Cl0p (often written “CL0P”) is a financially motivated extortion operation best known for high-scale data theft campaigns that disproportionately impact organisations running internet-facing Managed File Transfer (MFT)…
Threat Actor Profile: LAPSUS$ (a.k.a. Microsoft “DEV-0537” / “Strawberry Tempest”)
1. Executive Summary
LAPSUS$ is an extortion-focused cybercriminal collective best known for high-tempo intrusions against large enterprises and service providers, frequently leveraging social engineering and identity compromise rather than exploiting…
UNC6201 Targets Dell RecoverPoint (CVE-2026-22769): Evolving Backdoors and Novel VMware Pivot Techniques
Mandiant and Google Threat Intelligence Group (GTIG) have released critical findings regarding UNC6201, a suspected PRC-nexus threat cluster. This group has been actively exploiting a Dell RecoverPoint for Virtual Machines…
CVE-2026-20841 — Windows Notepad (Store app) Markdown Link Handling Leads to Command Injection / Code Execution
1. Executive Summary
CVE-2026-20841 is a high-severity command injection flaw in the modern Windows Notepad (Microsoft Store) application that can result in arbitrary code execution in the context of the…
Microsoft February 2026 Patch Tuesday — key takeaways
Microsoft’s February 2026 Patch Tuesday shipped fixes for 58 vulnerabilities, including six zero-days confirmed as actively exploited and three publicly disclosed issues. Microsoft also fixed five “Critical” flaws in this…
Salesforce “Connected Apps” Supply-Chain Campaign (UNC6040 / UNC6395) — ShinyHunters & Scattered Spider Overlap
1. Executive Summary
A widespread data-theft and extortion campaign has targeted organisations’ Salesforce environments by abusing trusted third-party integrations and malicious OAuth “Connected Apps”—rather than exploiting a core Salesforce software…
Notepad++ Update Channel Supply-Chain Compromise (June–December 2025): Targeted Traffic Redirection Delivering Chrysalis / Cobalt Strike
1. Executive Summary
Notepad++’s update mechanism (WinGUp) was abused in a targeted supply-chain compromise in 2025, where certain users’ update traffic was selectively redirected to attacker-controlled infrastructure and served trojanised…
Microsoft January 2026 Patch Tuesday — key takeaways
Microsoft’s January 2026 Patch Tuesday security release shipped fixes for 114 vulnerabilities, including three zero-days (one actively exploited) and eight Critical issues. The bulk of the fixes land in Windows,…
SolarWinds Orion Supply-Chain Compromise (SUNBURST / “Solorigate”)
1. Executive Summary
The SolarWinds breach (often tracked as SUNBURST by Mandiant/FireEye and Solorigate by Microsoft) was a landmark software supply-chain compromise in which adversaries trojanised signed SolarWinds Orion software…
Oracle E-Business Suite (EBS) Targeted in Coordinated Intrusion Campaign
ERP Systems Remain a High-Value Objective for Financially Motivated and Ransomware Operators
Executive Summary
In November 2025, multiple enterprise breach investigations identified Oracle E-Business Suite (EBS) as a deliberate and…
