  • orlysec@swecyb.com
    (therecord.media) Cybercriminals Hijack Cargo Shipments Through Load Board Fraud, FBI Warns of Multi-Million Dollar Thefts

    FBI warns of a 60% surge in cargo thefts (2025: $725M) via cyber-enabled load board fraud. Threat actors compromise freight broker/carrier accounts, post fraudulent listings, and divert shipments—often undetected until loss is reported. Tactics include social engineering, malicious links, FMCSA profile tampering, and ransom demands.

    In brief - Cybercriminals are hijacking cargo shipments by breaching load boards, impersonating brokers, and redirecting freight. The FBI reports $725M in losses (2025), with attacks involving phishing, double-brokering, and regulatory tampering to facilitate theft.

    Technically - Attackers compromise load boards via phishing/malicious links, then impersonate brokers or carriers to post fraudulent freight listings. Double-brokering inserts unauthorized stops, while FMCSA profile alterations enable unauthorized shipments. Ransom demands are delivered via email or overseas contacts. Compromised carriers often remain unaware until brokers report missing cargo.

    Source: https://therecord.media/hackers-earning-millions-from-hijacked-cargo-fbi

    #Cybersecurity #ThreatIntel
  • ifin@infosec.exchange
    The worms keep worming, unfortunately. The "Mini Shai-Hulud" attack appears to pivot to #PyPi with a compromise of a #pytorch library:

    https://discourse.ifin.network/t/pytorch-lightning-library-hit-by-supply-chain-attack/357

    #ThreatIntel #ThreatIntelligence #IFIN #Python
  • orlysec@swecyb.com
    (malwarebytes.com) Scammers Exploit PayPal’s Legitimate Services to Deliver Deceptive Payment Notifications

    New PayPal-themed phishing campaign abuses legitimate email notifications, bypassing DKIM/SPF/DMARC via manipulated subject lines. Attackers alter genuine PayPal payment emails to falsely claim pending charges (e.g., $987.90) while the body shows nominal amounts (e.g., ¥1 JPY).

    In brief - Scammers exploit PayPal’s email system to send verified but deceptive payment alerts, tricking users into calling fraudulent support numbers. The attack leverages social engineering and PayPal’s remittance fields to weaponize subject lines, evading traditional email security.

    Technically - The campaign abuses PayPal’s payout templates, where arbitrary text in note/remittance fields surfaces in subject lines. Emails originate from service@paypal.com and pass authentication checks, but the subject line is altered to include fake charges and scammer contact details. Victims are coerced into installing remote access tools or divulging credentials.

    Source: https://www.malwarebytes.com/blog/news/2026/04/more-paypal-emails-hijacked-to-deliver-tech-support-scams

    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (acronis.com) Exploitation of AI Platforms: How Threat Actors Abuse Hugging Face and ClawHub for Malware Delivery

    Threat actors are actively abusing AI platforms Hugging Face and ClawHub for large-scale malware delivery, exploiting trust in AI ecosystems to distribute trojans, cryptominers, and infostealers like AMOS. Over 575 malicious OpenClaw skills were identified across 13 developer accounts.

    In brief - Cybercriminals are weaponizing AI distribution platforms to deliver malware at scale, leveraging indirect prompt injection and social engineering to compromise Windows and macOS systems. The abuse of Hugging Face and ClawHub highlights critical risks in AI supply chains.

    Technically - Attackers use indirect prompt injection on ClawHub to turn AI agents into intermediaries, executing base64-encoded commands or installing password-protected archives. Payloads include AMOS stealer (macOS) and cryptominers (Windows), with persistence via scheduled tasks and Defender exclusions. On Hugging Face, campaigns like ITHKRPAW and FAKESECURITY employ obfuscated PowerShell, Cloudflare Workers, and dead-drop resolvers (e.g., Telegram bots) for C2. Techniques include XOR/AES encryption, process injection, and high-entropy overlays to evade detection.

    Source: https://www.acronis.com/en/tru/posts/poisoning-the-well-ai-supply-chain-attacks-on-hugging-face-and-openclaw/

    #Cybersecurity #ThreatIntel
  • timb_machine@infosec.exchange
    Copy fail is vibe-arg'ing at its finest...

    https://copy.fail/

    #threatintel, #linux
  • infobloxthreatintel@infosec.exchange
    "Run a quick DNS speed test" they said… One click on dns-speed.tail-f[.]de and your browser helpfully fans out ~5,000 HTTPS handshakes to "random" Cisco Top 1M domains in ~30 seconds.

    That randomness is doing a lot of work.

    Across a handful of runs we saw clients touching:
    - Government + defence: *.uscourts.gov, multiple .gov TLDs, and .mil hosts (incl. disa[.]mil, onr[.]navy[.]mil)
    - Microsoft sovereign/GCC High endpoints (dodsuite, usgovcloudapi, etc.)
    - Enterprise collaboration: 100+ Webex, Zoom infra, SharePoint/OneDrive tenants
    - Identity surfaces: 130+ auth/login patterns, Okta/Auth0/Duo tenants
    - Autodiscover for named orgs (useful for pre-populating phish kits)
    - ~150 banking domains, globally distributed

    All from a page load. No content fetched, just "harmless" handshakes.

    What's interesting isn't malice so much as side-effects. A "neutral" performance test becomes:
    - A spray of client IPs into sensitive identity and gov endpoints
    - Noisy, hard-to-explain telemetry for defenders ("why is this workstation touching DISA?")
    - Occasional redirects into less friendly corners of the web, courtesy of the long tail

    The stated aim is realism (avoid vendor-optimised test servers). In practice, you inherit the internet's entire distribution of good, bad, and broken—and push it through end-user browsers.

    It's a reminder that at scale, "just measuring" can look a lot like reconnaissance… or at least generate it for someone else.

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel
  • ifin@infosec.exchange
    Regarding #CopyFail,

    It is worth noting that the exploit can target any file and overwrite its contents. That's not just privilege escalation; that's the potential for stealthy persistence.

    Our thread now has more technical discussion and also some clever detections.

    https://discourse.ifin.network/t/copy-fail-732-bytes-to-root-on-every-major-linux-distributions/342/26

    #ThreatIntel #ThreatIntelligence #IFIN
  • orlysec@swecyb.com
    (darktrace.com) The Erosion of Disclosure: How AI-Driven Vulnerability Discovery Reshapes Defensive Strategies

    AI-driven vulnerability discovery (e.g., Anthropic Mythos) is eroding the efficacy of disclosure-based defenses, enabling pre-CVE exploitation and widening attacker-defender asymmetry.

    In brief - AI systems are accelerating zero-day discovery, rendering patch-centric defenses inadequate. Behavioral detection and Zero Trust frameworks are now critical to counter pre-disclosure threats.

    Technically - AI tools like Mythos and autonomous pentesters (e.g., XBOW) automate vulnerability identification, driving a 32% CVE increase in 2024. Traditional patch management fails against pre-disclosure exploits (e.g., Ivanti, SAP NetWeaver). Behavioral detection (e.g., Darktrace’s anomaly monitoring) identifies deviations from baselines, enabling pre-disclosure threat containment. Zero Trust architectures must prioritize continuous monitoring and rapid anomaly response over reactive patching.

    Source: https://www.darktrace.com/blog/mythos-vs-ethos-defending-in-an-era-of-ai-accelerated-vulnerability-discovery

    #Cybersecurity #ThreatIntel
  • solomonneas@infosec.exchange
    cPanel/WHM auth bypass zero-day exploited
    CVE-2026-41940, CVSS 9.8. Patch and restrict WHM ports now.

    OpenClaw bootstrap pairing flaw
    CVSS 9.1 privilege escalation in pre-2026.3.22. Update older nodes and images.

    #CyberSecurity #CVE #ThreatIntel #PatchNow
    solomonneas.dev/intel
  • orlysec@swecyb.com
    (cyberscoop.com) The Identity Crisis in the Age of AI Agents: Why Traditional Security Models Are Failing

    AI-driven identity threats are outpacing legacy IAM systems, enabling large-scale impersonation and zero-day exploitation at machine speed. Anthropic’s Mythos AI discovered thousands of unknown vulnerabilities, while malicious actors leverage autonomous agents to bypass MFA, passwords, and biometrics.

    In brief - AI agents are eroding the human-machine identity boundary, enabling attackers to exploit IAM flaws at scale. Organizations must adopt phishing-resistant authentication and continuous behavioral monitoring to mitigate risks.

    Technically - AI models like Mythos autonomously uncover and exploit zero-days (e.g., in OS/browser stacks), while adversaries use AI agents to impersonate users, bypassing static auth methods. Security architectures must enforce least-privilege access for AI entities, implement device-bound credentials, and monitor agent behavior for anomalies. The shift from login-based to action-oriented verification is critical.

    Source: https://cyberscoop.com/ai-agent-identity-security-anthropic-mythos/

    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (rapid7.com) Critical Authentication Bypass Vulnerability in cPanel & WHM and WP Squared (CVE-2026-41940): Exploitation and Mitigation

    Critical zero-day authentication bypass (CVE-2026-41940, CVSS 9.8) in cPanel & WHM and WP Squared is actively exploited in the wild. Attackers gain admin access via CRLF injection in session handling. Patch immediately—1.5M instances exposed.

    In brief - A severe authentication bypass flaw in cPanel & WHM/WP Squared (CVE-2026-41940) allows unauthenticated remote attackers to gain admin access. Exploitation is confirmed, with 1.5M systems at risk. Patching is urgent.

    Technically - CVE-2026-41940 stems from a CRLF injection in the `cpsrvd` daemon’s session file handling. Attackers manipulate the `whostmgrsession` cookie via crafted basic auth headers to inject `user=root` into session files, bypassing authentication. Affects cPanel & WHM 11.110.0–11.136.0 and WP Squared 11.136.1. PoC exploit published; no effective workarounds.

    Source: https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass

    #Cybersecurity #ThreatIntel
  • ifin@infosec.exchange
    What is going on today??

    We're also tracking #CopyFail.

    https://discourse.ifin.network/t/copy-fail-732-bytes-to-root-on-every-major-linux-distributions/342

    #ThreatIntel #ThreatIntelligence #IFIN
  • aakl@infosec.exchange
    New.

    Group-IB: Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns
    https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/

    Securonix: Deep#Door Stealer: Stealthy Python Backdoor and Credential Stealer Leveraging Tunneling, Multi-Layer Persistence, and In-Memory Surveillance Capabilities
    https://www.securonix.com/blog/deepdoor-python-backdoor-and-credential-stealer/

    #threatintel #threatintelligence @threatresearch #infosec #security #surveillance #Python #phishing #smishing
  • ifin@infosec.exchange
    Looks like we have another #supplychain attack underway, this time facing #SAP-related NPM packages.

    https://discourse.ifin.network/t/sap-npm-packages-targeted-with-credential-stealing-malware/340

    #ThreatIntel #ThreatIntelligence #IFIN
  • technadu@infosec.exchange
    China-linked phishing ops exposed
    100+ domains, journalists targeted
    Outsourced cyber campaigns rising

    Source: https://therecord.media/china-linked-hackers-led-phishing-campaigns-journalists

    Thoughts? Follow @technadu

    #InfoSec #Phishing #ThreatIntel
  • badsamurai@infosec.exchange
    @orlysec @deepthoughts10 here’s a fun one.
  • orlysec@swecyb.com
    (bridewell.com) The Strategic Value of Generative AI in Enhancing OT Security and Compliance for Critical Infrastructure

    Generative AI is reshaping OT security by bridging IT/OT gaps and enhancing decision-making in critical infrastructure. Human oversight remains essential due to safety risks in autonomous response.

    In brief - Generative AI improves OT security by providing contextual insights for investigations, aiding compliance with frameworks like CAF v4.0, and enhancing anomaly detection via specialist OT tools. However, autonomous actions in OT environments are discouraged due to potential physical risks.

    Technically - Generative AI enriches OT security by aggregating distributed knowledge (asset dependencies, process impacts) and integrating with OT-specific detection tools (e.g., Nozomi, Claroty) for industrial protocol anomaly detection. ML-driven behavioral analytics support CAF v4.0 compliance (Objectives B/C) but require human-in-the-loop for response actions to mitigate safety risks in ICS environments.

    Source: https://www.bridewell.com/insights/blogs/detail/generative-ai-for-critical-infrastructure-where-it-helps-and-where-it-doesn't

    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (catonetworks.com) Critical Vulnerabilities in NVIDIA NeMo and Meta PyTorch Enable Remote Code Execution via Malicious AI Models

    Critical RCE vulnerabilities in NVIDIA NeMo (CVE-2025-33236, CVSS 7.8) and Meta PyTorch expose AI model pipelines to full system compromise. Hardcoded `trust_remote_code=True` in NeMo and a heap buffer overflow bypass in PyTorch turn AI models into attack vectors.

    In brief - High-severity flaws in NVIDIA NeMo and Meta PyTorch enable RCE via malicious AI models, risking cloud credentials and production infrastructure. These vulnerabilities highlight critical gaps in AI supply chain security, even when best practices are followed.

    Technically - NVIDIA NeMo’s hardcoded `trust_remote_code=True` allows arbitrary Python execution during HuggingFace model imports. Meta PyTorch’s `weights_only=True` is bypassed via storage size mismatches, triggering heap buffer overflows. Both enable RCE, data exfiltration, and system compromise, underscoring the need for secure-by-default configurations and sandboxing.

    Source: https://www.catonetworks.com/blog/cato-ctrl-new-vulnerabilities-in-nvidia-nemo-and-meta-pytorch/

    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (talosintelligence.com) Leveraging Generative AI to Deploy Adaptive Honeypots: Turning Attacker Automation into a Defensive Advantage

    In brief - Generative AI enables rapid deployment of adaptive honeypots, turning attacker automation into a defensive advantage by deceiving and studying automated threats in real-time. This approach shifts from passive detection to active deception, enhancing threat intelligence and defensive strategies.

    Technically - AI-driven honeypots consist of a network listener, simulated vulnerability (e.g., basic auth), and an AI framework (e.g., ChatGPT) for dynamic interaction. The AI impersonates environments like Linux shells or IoT devices, responding to attacker commands with context-aware outputs. For example, simulating a bash shell or smart fridge filesystem to observe and manipulate automated threats. This method leverages generative AI’s adaptability for scalable, customizable deception, enabling defenders to analyze tactics such as exploitation of CVEs (e.g., Shellshock/CVE-2014-6271) or port knocking techniques in controlled environments.

    Source: https://blog.talosintelligence.com/ai-powered-honeypots-turning-the-tables-on-malicious-ai-agents/

    #Cybersecurity #ThreatIntel
  • timb_machine@infosec.exchange
    We welcome ATT&CK v19:
    https://attack.mitre.org/resources/updates/updates-april-2026/

    Blog post here:
    https://medium.com/mitre-attack/attack-v19-ff329cb65d66

    #redteam, #blueteam, #threatintel, #att&ck