Stryker ‘Handala’ incident: global Microsoft environment disruption and reported remote device wipes
Disruptive Iran-nexus hacktivist operation claims large-scale data destruction as Stryker restores services and CISA investigates.
In-depth write-ups of high-impact intrusions, breaches and malware campaigns — how they happened, and what defenders can learn.
111 reports
Disruptive Iran-nexus hacktivist operation claims large-scale data destruction as Stryker restores services and CISA investigates.
A credential theft operation uses lookalike VPN download sites and GitHub-hosted ZIPs to drop signed malware that harvests VPN logins and configuration data.
A ClearSky report details a new loader and backdoor pair, and Scythe shows how to operationalise it as continuous adversary emulation.
Cisco Talos links the activity cluster to China-nexus tooling, including CrowDoor variants and ORB-style proxy infrastructure
Reverse engineering shows pragmatic obfuscation, hardcoded crypto, and cloud-native infrastructure supporting scalable intrusion delivery.
Cross-origin browser-to-localhost access, missing loopback throttling, and implicit device trust combine into a silent takeover path from a single web visit.
Censys has reported on Vshell (often stylised “VShell”) , a Go-based command-and-control (C2) platform used for post-compromise host management, pivoting, and proxying , and increasingly visible…
Scattered Lapsus$ Hunters (SLH, also styled SLSH in some reporting) is advertising for female callers to conduct vishing against IT helpdesks, offering $500 to $1,000 per call and providing…
Zscaler ThreatLabz reports a December 2025 campaign it tracks as Ruby Jumper , attributed with high confidence to APT37 (aka ScarCruft, Ruby Sleet, Velvet Chollima). The infection chain begins…
DPRK fake interview lures and recruitment-driven malware delivery dprk, contagious interview, deceptiveDevelopment, beavertail, invisibleferret, fake recruiters, coding challenges, it worker…
Short title: SANDWORM_MODE npm worm (CI secret theft + MCP poisoning) npm supply chain attack, SANDWORM_MODE, typosquatting, GitHub Actions compromise, CI secret exfiltration, MCP server…
Summary: Symantec links Lazarus tooling to Medusa RaaS extortion activity observed in the Middle East and against a U.S. healthcare target.