The Bulletproof Hosts That Went Quiet: Thirteen Days After Operation Riptide, Half Our Regular Offenders Vanished From the Edge
We just brought our edge block telemetry back online after a two-week instrumentation gap, and the first thing worth doing with a restored sensor is to ask what changed while it was dark. The answer, when we lined up the providers our infrastructure has been rejecting over the last thirteen days against the bulletproof hosts that used to be regulars in our block data, is that a whole cohort of them has simply gone quiet. This is an observation, not a victory lap, and the dist
Patrick Duggan
Jun 9 · 5 min read


One VPN Served 25 Ransomware Crews. Operation Riptide Seized All 33 Servers. The Leverage Was Never the Payload — It Was the Shared Infrastructure.
The FBI's Boston field office went public today with the seizure side of an operation called Riptide, and the shape of it is the thing I want defenders to sit with, because it is the same lesson we have been writing all week from a different angle. The target was not a ransomware gang. It was a single virtual private network service — marketed as "First VPN Service," advertised almost exclusively on Russian-language criminal forums, in operation since roughly 2014 — that serv
Patrick Duggan
Jun 9 · 4 min read


Google Said 'Limited, Targeted Exploitation' About CVE-2025-48595. In Android Patch Notes, That Phrase Means Spyware.
In the June 2026 Android security bulletin Google patched a hundred and twenty-four flaws, and buried in that pile is one — CVE-2025-48595 — that they flagged with a specific, deliberate phrase: there are indications it may be under "limited, targeted exploitation." CISA agreed, added it to the Known Exploited Vulnerabilities catalog at the start of the month, and gave federal agencies an unusually short fuse to remediate. If you read Android bulletins for a living you alread
Patrick Duggan
Jun 9 · 3 min read


SolarWinds Serv-U Just Earned Its Fifth Spot on CISA's Exploited List. One Unauthenticated POST With a Deflate Header Crashes the Whole Service.
CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog this month, with a remediation mandate for federal civilian agencies, and it is a SolarWinds Serv-U flaw — which by itself would be a routine patch note, except that when I cross-referenced it against our own KEV index this morning, it turned out to be the fifth Serv-U vulnerability on that list. Not the fifth SolarWinds product. The fifth time this one file-transfer server has been added to the catalog
Patrick Duggan
Jun 9 · 3 min read


NightSpire Is the Busiest Ransomware Crew on Earth Right Now. We Built Their Profile This Morning — RDP, Chrome Remote Desktop, and a .nspire Extension.
This morning our adversary index pulled in a fresh profile for a ransomware crew called NightSpire, and by the time I sat down to look at the day's leak-site activity, NightSpire was sitting at the top of it — twenty-six victims claimed in a single daily digest, more than LockBit and DragonForce combined on the same day. That is not a fluke of one bad afternoon. NightSpire first surfaced in February 2025 as a closed, operator-driven crew, and across 2026 it has rolled past tw
Patrick Duggan
Jun 9 · 4 min read


This Morning Our Harvester Stopped Catching Kid-Grade Token-Grabbers and Caught an EDR-Evasion Kit and an MSI Stager on GitHub. That's the Step After the VPN.
For most of the past week our GitHub hunting cron has been pulling the same low tier of malware out of public repositories: Android remote-access trojans of the SpyNote family and Discord token-grabbers, the kid-grade stuff aimed at gamers and World Cup streamers, which I wrote about two days ago. This morning the stream changed character. At the top of today's catches are two repositories that are not aimed at teenagers: one tagged EDR-Bypass, an AV-and-EDR evasion toolkit,
Patrick Duggan
Jun 9 · 4 min read


Two Days Ago I Said the #2 Ransomware Crew's Whole Game Was Your SSL VPN. Now the #1 Crew Is Burning a Check Point VPN Zero-Day With No Password Required. CVE-2026-50751.
Two days ago I wrote that Akira — the second most active ransomware crew on earth — has one favorite door, and that door is your SSL VPN: Cisco ASA, SonicWall, WatchGuard, missing MFA or stolen credentials, in and encrypting in under four hours. I said the edge appliance is the initial-access surface of the era. I did not expect the sequel to land this fast. As of this week, the number-one crew by volume, Qilin, is in the same place by a different vendor. Check Point disclose
Patrick Duggan
Jun 9 · 4 min read


I Did Everything Right and Still Lost $5,300 to Two Mainland-China E-Bike Vendors. A Warning About eAhora and Wallke — and the Accountability Vacuum the Trade War Runs On.
I run a threat-intelligence company. My job is asymmetry — the structural fact that an adversary can act against you from a place your courts cannot reach, behind a hand-off chain you cannot attribute, with a cost-benefit math that says ignoring you is the rational move. It is the defining feature of the cyber conflict between China and the United States, and I write about it constantly. This month I learned it does not stay in the network. It arrives in your driveway, attach
Patrick Duggan
Jun 9 · 6 min read


Akira Just Hit a Swiss Radiology Network. It's the #2 Ransomware Crew on Earth and Its Whole Game Is Your SSL VPN — Even With MFA On. We Just Put It in the Index.
Akira claimed a Swiss radiology network this week — Réseau Radiologique Romand, with around forty-eight gigabytes of data alleged stolen — and we are using the occasion to do something we should have done sooner: put Akira in our adversaries index as a full profile. It belongs there for a simple reason. Akira is, by publicly disclosed victim volume, the second most active ransomware operation on the planet right now, behind only Qilin, and unlike the sprawling supply-chain an
Patrick Duggan
Jun 8 · 4 min read


The Press Named the Brightspeed Telecom Breach Today. We Profiled Crimson Collective — With the Brightspeed Claim Already in It — Ten Days Ago.
Today the security press named a new breach: a cyber-extortion crew called Crimson Collective claiming the theft of more than a million customer records from the US telecommunications provider Brightspeed. It is a real story and worth covering. It is also, for us, a story we filed ten days early — not the breach itself, which we cannot claim to have predicted to the day, but the actor behind it. Our adversaries index has carried a Crimson Collective profile since May 28, and
Patrick Duggan
Jun 8 · 4 min read


Our Harvester Caught 'android-shadowspy' This Morning. It's One of 44 Android RATs Sitting in Public GitHub Repos — and It's the Same Malware the FBI Says Is Riding the World Cup.
At 08:15 UTC this morning, our GitHub hunting cron did what it does every day — swept a set of high-signal search queries against public repositories with a word-boundary bait regex and a strong false-positive filter — and it pulled in a repo called android-shadowspy, tagged Android RAT. That is not remarkable on its own. What is remarkable is that it is routine. android-shadowspy is the newest entry in a steady, daily stream: across the catches our harvester has indexed, for
Patrick Duggan
Jun 7 · 4 min read


An August Zero-Day in FreePBX Just Got a Push-Button Exploit. Shodan Shows ~10,700 Admin Panels Still Hanging Open — a Third of Them in the US.
If you saw FreePBX exploitation in a surge this week and thought it was odd to still be seeing it, your instinct was correct, and the explanation is not a new vulnerability — it is a new exploit for an old one. The bug at the center of the surge is CVE-2025-57819, an authentication bypass in the FreePBX commercial Endpoint Manager that chains into SQL injection and then remote code execution, carrying the maximum CVSS score of 10.0. That bug is not fresh. It was exploited as
Patrick Duggan
Jun 7 · 4 min read


A WordPress Form Plugin Fed Your Input Straight Into eval(). CVE-2026-3300 Is a 9.8, It's Being Exploited 29,000 Times, and the Payload Just Wants an Admin Named 'diksimarina'.
There is a specific category of vulnerability we keep writing about because WordPress keeps shipping it, and Everest Forms Pro is this month's entry. The bug, CVE-2026-3300, is a 9.8 — unauthenticated remote code execution — and the mechanism is almost insultingly direct. Everest Forms Pro is a commercial form builder with roughly four-thousand active installations, and its Calculation Addon has a function, process_filter(), whose job is to do math on the numbers a visitor ty
Patrick Duggan
Jun 7 · 4 min read


Aflac Is Notifying 22.7 Million People. The Attack Was June 2025. The Number Is the News — and It's the Same Consent-Leak Insurance Vertical We've Been Naming All Year.
Aflac is notifying twenty-two-point-seven million people that their data was stolen, and the first thing to get straight is the timeline, because the headline version blurs it. The attack was not this week. Aflac detected the intrusion on June 12, 2025, contained it within hours, and confirmed it was not ransomware — a data-theft operation, not an encryption event. What is happening now, a year later, is the notification: the count of affected individuals has been finalized a
Patrick Duggan
Jun 7 · 4 min read


The FBI Counted 4,300 Fake FIFA Sites Before the World Cup Even Kicks Off — and the Banking Malware Rides the Same LATAM Trojan Rails We've Been Blocking Since November.
The number that should reframe how you think about the 2026 World Cup is not a score. It is four-thousand-three-hundred. That is roughly how many fake FIFA domains the FBI and tracking firms counted as already live and harvesting before the June 11 kickoff, with another estimated three-thousand-eight-hundred sitting parked and registered, ready to switch on the moment ticket demand peaks. The FBI's Internet Crime Complaint Center put out a public service announcement on May 2
Patrick Duggan
Jun 7 · 4 min read


A Cloud Worm Is Hunting Another Cloud Worm. PCPJack Evicts TeamPCP and Steals the Credentials Itself — and the Domain It Exfiltrates To Has Been in Our Index Since April 4.
The thing that makes this story worth your time is not that another credential-stealing worm is loose in the cloud. It is who the worm is hunting. Security researchers at Hunt.io and SentinelOne have documented a campaign tracked as PCPJack that hijacked roughly two-hundred-thirty servers across Amazon Web Services, Google Cloud, and Microsoft Azure and stitched them into a covert SMTP email-relay network — a distributed machine for sending mail that looks like it comes from
Patrick Duggan
Jun 7 · 5 min read


A 9.8 in a Magento Plugin Nobody Audits: CVE-2026-45247 Turns a Cache-Warmer Cookie Into Remote Code Execution. CISA Cataloged It June 3. Patch Tonight.
On June 3, CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog, and the detail that matters is not the 9.8 CVSS score, though it earns that. The detail that matters is where the flaw lives. It is not in Magento core. It is not in Adobe Commerce's authentication layer or its payment plane. It is in Mirasvit Full Page Cache Warmer — a third-party performance extension that a merchant's developer bolted on years ago to make category pages load faster, and th
Patrick Duggan
Jun 6 · 4 min read


DentaQuest Was Reported at 744 Users. The Real Number Is 2.6 Million. We Said the Headcount Was the Leverage on May 29 — Here's the Receipt.
Nine days ago we published a post with a deliberately uncomfortable thesis: that ShinyHunters adding DentaQuest to its leak site was not about the file count it claimed, it was about the vertical it chose. At the time the claimed exfil, per public dark-web monitoring, was seven-hundred-forty-four users plus one third-party employee credential — a number small enough that a casual reader would have filed it under "minor incident, move on." We did not file it that way. We filed
Patrick Duggan
Jun 6 · 4 min read


A Hospital Fell to LockBit This Weekend While CISA Cataloged Cisco's SD-WAN Brain as a Weapon. Same Story. Here's the Hunt-Tonight So You're Not the Next Sierra Vista.
Two things happened while most of the country was asleep this weekend, and the security press is filing them as two stories. They are one story. Story one: Sierra Vista Hospital went down to LockBit, one of fifteen-plus organizations posted to ransomware leak sites in a forty-eight-hour window — a weekend surge from Akira, Play, Qilin, Brain Cipher, and LockBit, the exact Saturday-strike behavior we have been documenting since "35 Ransomware Victims in 48 Hours, Happy Easter.
Patrick Duggan
Jun 6 · 4 min read


We Named Microsoft's Defender Zero-Days on May 20. Microsoft's Answer Was to Ban the Researcher From Its Own GitHub and Sic Its Crimes Unit on Him. RedSun and MiniPlasma Are Still Unpatched.
On May 20, we indexed an IOC in our corpus named defender-attack-surface-campaign-2026-05-20. It named BlueHammer, RedSun, UnDefend, and two CVEs, as a single family of Microsoft Defender privilege-escalation flaws. We had been writing about the first of them, BlueHammer, since April 17. Eight days after our May 20 index entry, the broad news cycle caught up and the trade press started covering the cluster. We are telling you this not to take a victory lap — though forty days
Patrick Duggan
Jun 5 · 4 min read