INTELLIGENCEFEED

// GLOBAL_THREAT_INTELLIGENCE_FEED

SYSTEM_ONLINE :: MONITORING_ACTIVE

Top Intelligence5/31/2026

Active Exploitation of PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257)

A critical authentication bypass vulnerability (CVE-2026-0257) in PAN-OS GlobalProtect gateways is under active exploitation.

[ READ_FULL_BRIEF ] →

Latest_Intercepts

UAT-4356 Targets Cisco Devices with FIRESTARTER Backdoor

Video

April 25, 2026

UAT-4356 Targets Cisco Devices with FIRESTARTER Backdoor

Threat actor UAT-4356 is actively exploiting n-day vulnerabilities in Cisco Firepower devices to deploy the FIRESTARTER backdoor, enabling arbitrary code execution. Immediate mitigation required.

Storm-2755 'Payroll Pirate' Attacks Target Canadian Staff

Video

April 11, 2026

Storm-2755 'Payroll Pirate' Attacks Target Canadian Staff

Threat Actor Storm-2755 is using AiTM phishing and SEO poisoning to bypass MFA, hijack sessions, and divert payroll deposits of employees in Canada. Analysis of TTPs included.

EvilTokens PhaaS Abuses Railway PaaS for M365 Attacks

Video

March 25, 2026

EvilTokens PhaaS Abuses Railway PaaS for M365 Attacks

Active device code phishing campaign attributed to the EvilTokens PhaaS platform is abusing Railway.com PaaS infrastructure to target Microsoft 365 identities, compromising over 340 organizations.

China-linked Actor CL-STA-1087 Hits Military with New Tools

Video

March 14, 2026

China-linked Actor CL-STA-1087 Hits Military with New Tools

Suspected China-based actor CL-STA-1087 targets Southeast Asian military orgs in a long-running espionage campaign using custom backdoors AppleChris and MemFun and a modified Mimikatz tool, Getpass.

March 5, 2026

APT28-Linked Campaign Deploys BadPaw & MeowMeow Malware

A new campaign, with moderate confidence attribution to APT28, is targeting Ukrainian entities with previously undocumented malware: the BadPaw loader and the MeowMeow backdoor. Report by ClearSky.

Critical Cisco SD-WAN Flaws Under Active Exploitation

Video

March 5, 2026

Critical Cisco SD-WAN Flaws Under Active Exploitation

Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, including a CVSS 9.8 auth bypass, are under active exploitation. Threat actors can gain root access and bypass authentication.

March 4, 2026

Silver Dragon APT Targets Govs via Google Drive C2

Intel Brief: Silver Dragon, an APT41-linked threat actor, is targeting government entities using Cobalt Strike and a novel Google Drive C2 channel. Multiple infection chains detailed.

OAuth Redirect Abuse Delivers Malware to Gov't Targets

Video

March 3, 2026

OAuth Redirect Abuse Delivers Malware to Gov't Targets

Threat actors are abusing legitimate OAuth redirect features in Entra ID and Google Workspace to deliver malware to government and public sector targets, bypassing conventional defenses.

Android Zero-Day CVE-2026-21385 Actively Exploited

Video

March 3, 2026

Android Zero-Day CVE-2026-21385 Actively Exploited

Google confirms active, targeted exploitation of CVE-2026-21385, a high-severity buffer over-read in Qualcomm's Android Graphics component. Immediate patching is required.

SloppyLemming Targets South Asian Governments with New Malware

Video

March 3, 2026

SloppyLemming Targets South Asian Governments with New Malware

Threat Actor SloppyLemming targets Pakistan & Bangladesh governments with dual attack chains. Vectors include spear-phishing delivering the BurrowShell backdoor and a new Rust-based keylogger.

MuddyWater's 'Operation Olalampo' Targets MENA

Video

February 23, 2026

MuddyWater's 'Operation Olalampo' Targets MENA

Iranian APT MuddyWater targets MENA region in 'Operation Olalampo.' Campaign utilizes new AI-assisted malware including GhostFetch, GhostBackDoor, and the Rust-based CHAR backdoor.

February 15, 2026

Single Actor Drives 83% of Ivanti EPMM RCE Attacks

A single threat actor, using a bulletproof hosting IP not on public IOC lists, is responsible for 83% of active RCE exploitation against critical Ivanti EPMM vulnerabilities. Patch immediately.

February 14, 2026

Lazarus Group Deploys RAT via Fake Developer Job Offers

North Korean threat actor Lazarus Group is targeting developers with fake job offers, using coding challenges to deploy a RAT via malicious npm and PyPi packages in a campaign dubbed 'Graphalgo'.

LummaStealer Resurgence via CastleLoader

Video

February 13, 2026

LummaStealer Resurgence via CastleLoader

Intel Brief: LummaStealer infostealer infections surge, delivered by the heavily obfuscated CastleLoader. Campaigns use social engineering and 'ClickFix' vectors to compromise systems.

Notepad++ Supply Chain Attack Delivers Chrysalis

Video

February 3, 2026

Notepad++ Supply Chain Attack Delivers Chrysalis

China-linked actor Lotus Blossom compromises Notepad++ hosting to deliver Chrysalis backdoor. Attack targeted outdated versions via update hijacking. IOCs and mitigations are available.

February 1, 2026

ShinyHunters Abuses SSO via Vishing for Cloud Data Theft

Threat actors, including ShinyHunters, are using vishing and phishing kits to steal SSO credentials, bypass MFA, and exfiltrate data from enterprise SaaS applications like Salesforce and Microsoft 365

Illicit Crypto Flows Hit Record $158 Billion in 2025: Critical Update

Video

January 31, 2026

Illicit Crypto Flows Hit Record $158 Billion in 2025: Critical Update

Illicit cryptocurrency flows surged by 145% to a record $158 billion in 2025, reversing a three-year decline. Sanctions evasion, nation-state activity, and AI-driven scams are key drivers.

January 30, 2026

CRITICAL: Active Exploitation of Dual Ivanti EPMM Zero-Days

Ivanti has confirmed active exploitation of two critical 9.8 CVSS zero-day RCE flaws. Organizations must apply emergency patches immediately to prevent full server compromise and lateral movement.