Cybersec Sentinel

Fake Claude Code Install Guide Hides MacSync Infostealer in Active Google Ads Campaign

Fake Claude Code Install Guide Hides MacSync Infostealer in Active Google Ads Campaign

GroupAttribution unconfirmed; compromised Malaysian company's Google Ads account used as delivery infrastructure proxyTypeMalvertising / ClickFix Infostealer Campaign — cross-platform macOS and WindowsMalwareMacSync — macOS Malware as a Service infostealer targeting browser credentials, Keychain databases, session cookies, and cryptocurrency wallets; Trojan.Stealer.GJ / Trojan.Stealer.GK — Windows credential stealers delivered via mshta.

CloudZ RAT and Pheno Plugin Hijack Microsoft Phone Link to Bypass MFA Without Touching Your Phone

CloudZ RAT and Pheno Plugin Hijack Microsoft Phone Link to Bypass MFA Without Touching Your Phone

GroupUnknown threat actor, attribution unconfirmedTypeModular RAT with novel MFA-interception pluginCVEsNone assigned. Exploits legitimate Windows application behaviour rather than a software vulnerabilityMalwareCloudZ RAT — modular .NET remote access tool with credential theft, screen recording, and C2 capabilities. Pheno — previously undocumented plugin that hijacks Microsoft Phone Link to intercept SMS messages and OTPs

Copy Fail, The Nine-Year Linux Kernel Flaw That Gives Any User Root in Seconds

Copy Fail, The Nine-Year Linux Kernel Flaw That Gives Any User Root in Seconds

GroupNo attributed threat actor. Vulnerability discovered by Xint Code (Theori). Public PoC released April 2026.TypeLocal Privilege Escalation (LPE), Linux Kernel Logic Flaw, Container Escape PrimitiveCVEsCVE-2026-31431 (Linux kernel algif_aead page-cache corruption enabling root access, CVSS 7.8)MalwareNo associated malware family. Public 732-byte Python PoC (copy_fail_exp.py)

Snow Malware Suite Turns Microsoft Teams Into a Help Desk Trap

Snow Malware Suite Turns Microsoft Teams Into a Help Desk Trap

GroupUNC6692 (financially motivated cluster, attribution unconfirmed beyond Mandiant tracking ID)TypeModular custom malware suite, browser extension plus Python tunneler plus Python backdoorMalwareSNOWBELT (Chromium extension), SNOWGLAZE (WebSocket and SOCKS tunneler), SNOWBASIN (local HTTP backdoor)DeliveryEmail bombing followed by Microsoft Teams impersonation of internal IT helpdesk staffScore7.5 High. Active campaign, novel

Android NFC Stealer NGate Targets Brazil via Fake Lottery and Counterfeit Google Play Page

Android Malware

Android NFC Stealer NGate Targets Brazil via Fake Lottery and Counterfeit Google Play Page

GroupUnknown. Attribution unconfirmed. Financially motivated cybercriminal actor.TypeAndroid NFC Relay Malware / Mobile InfostealerMalwareAndroid/Spy.NGate.CC and Android/Spy.NGate.CB — trojanised versions of the legitimate HandyPay NFC relay application, augmented with AI-generated malicious code to capture payment card PINs and relay NFC card data to attacker-controlled devicesScore🟠 8.5

Storm Infostealer Ships Your Browser Credentials Home Before Decrypting Them

Storm Infostealer Ships Your Browser Credentials Home Before Decrypting Them

GroupUnknown cybercriminal operator(s); attribution unconfirmedTypeInfostealer-as-a-ServiceMalwareStorm; a session-hijacking credential stealer that exfiltrates encrypted browser data to attacker infrastructure for server-side decryption, bypassing Chrome App-Bound Encryption and endpoint detectionScore🟠 8.5 High. Actively deployed against confirmed victims across at least six countries, defeats Google Chrome's App-Bound Encryption, renders MFA

CPUID Supply Chain Attack Delivers STX RAT via Trojanised CPU-Z and HWMonitor Downloads

Supply Chain Attack

CPUID Supply Chain Attack Delivers STX RAT via Trojanised CPU-Z and HWMonitor Downloads

GroupAttribution unconfirmed. Infrastructure overlap identified with a March 2026 fake FileZilla distribution campaign. C2 domain first observed November 2025. Campaign tagged internally as "CityOfSin".TypeSupply Chain Attack / Remote Access Trojan / BackdoorMalwareSTX RAT (classified as Backdoor.Win64.Alien by Kaspersky) — a multi-stage, memory-resident remote access trojan with credential theft,

The Vault Your AI Cannot Open

The Vault Your AI Cannot Open

Building an AI-Excluded Zone for Sensitive Organisational Data Before the Problem Finds You There is a version of this conversation that happens in boardrooms about three years too late. A breach investigation reveals that an employee pasted a sensitive commercial contract into ChatGPT to get a quick summary. Another copied

BYOVD Ransomware Attacks Now Capable of Defeating Every Major EDR Product

BYOVD Ransomware Attacks Now Capable of Defeating Every Major EDR Product

GroupQilin (RaaS, cybercriminal); Warlock aka Water Manaul (cybercriminal)TypeRansomware with BYOVD EDR KillerMalwaremsimg32.dll (DLL sideload loader); rwdrv.sys (kernel memory driver); hlpdrv.sys (EDR killer driver); NSecKrnl.sys (Warlock BYOVD driver); Qilin ransomware; LockBit-derived Warlock payload (.x2anylock)Score🔴 9.5 Critical. Two active RaaS groups have deployed kernel-level tooling

Axios npm Backdoored: UNC1069 Deploys Cross-Platform RAT via Supply Chain Attack

Supply Chain Attack

Axios npm Backdoored: UNC1069 Deploys Cross-Platform RAT via Supply Chain Attack

GroupUNC1069 (North Korea-nexus, BlueNoroff-linked, financially motivated threat actor)Typenpm Supply Chain Compromise / Cross-Platform Remote Access TrojanMalwareSILKBELL: postinstall dropper embedded in plain-crypto-js@4.2.1. WAVESHAPER.V2: updated cross-platform RAT linked to prior BlueNoroff RustBucket campaignsScore🔴 9.5 Critical. Nation-state supply chain attack on one of npm's most downloaded