Author: Staff Writer

Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Essential Insights A Chinese state-linked hacking group, VerdantBamboo, has stealthily infiltrated corporate networks for over 18 months, using sophisticated malware to avoid detection and re-enter even after removal. The group utilized a modular Golang-based malware toolkit called BRICKSTORM, alongside other tools like PLENET and AGENTPSD, to maintain control over compromised systems, including firewalls, NAS, and storage appliances. They exploited misconfigured systems and stolen credentials to bypass security controls, establishing persistent access by re-entering via VPNs and backdoors after initial removal attempts. Vulnerabilities such as local privilege escalation in affected appliances were patched, but organizations must enforce multi-factor authentication, monitor network…

Read More

Top Highlights AI-driven tools like deepfakes, voice cloning, and synthetic identities enable highly convincing, localized scams that are increasing in scale and complexity. Malicious Android apps can now facilitate real-time surveillance, biometric data theft, and financial fraud, linking cybercrime directly to mobile device compromise. Organized crime groups leverage automation and cross-border coordination to sustain and expand sophisticated scam networks, complicating enforcement efforts across ASEAN markets. Threat, Attack Techniques, and Targets Organized scam groups in Southeast Asia are now using artificial intelligence to improve their attacks. They are creating deepfakes, cloning voices, and making synthetic identities. These tools help scammers personalize…

Read More

Top Highlights OP-512 targets legacy IIS servers with custom web shells, enabling remote access, file management, and automated reporting while evading detection. The threat employs timestomping and unique, purpose-built frameworks that resist traditional detection methods, complicating forensic analysis. Multiple China-linked clusters repeatedly focus on IIS vulnerabilities for espionage, using sophisticated, tailored malware frameworks to maintain persistent access. Threat, Attack Techniques, and Targets Cybersecurity researchers recently identified a new threat cluster called OP-512. This group targets Microsoft Internet Information Services (IIS) servers. Their goal appears to be espionage, especially against organizations linked to China. They focus on servers running legacy or…

Read More

Essential Insights Ransomware activity increased slightly in May 2026 with 661 global attacks, a 3% rise from April, mainly affecting the education and business sectors, while healthcare and utilities saw declines. The U.S. remained the top target, accounting for 272 attacks, with nearly 115TB of data stolen, predominantly by group Qilin, which claimed 97 attacks and targeted various international organizations. Ransomware groups like The Gentlemen and DragonForce also saw activity, with the latter claiming over 20.8 TB of stolen data across 51 attacks, although few incidents were confirmed. Despite a slight decrease in some sectors, overall ransomware threats are high…

Read More

Fast Facts VECT 2.0 ransomware often leaves files partially encrypted, renamed, or broken in a way that prevents even its own decryptor from fully restoring them, posing a significant recovery challenge. The malware renames files with a .vect extension before encryption, but this extension does not reliably indicate whether a file is encrypted or in what state, complicating recovery efforts. VECT’s encryption method involves splitting larger files and using multiple keys, but due to design flaws and buffer mismatches, some files may remain only partially encrypted or entirely unencrypted. Shared buffers and multithreaded processing create race conditions, resulting in files…

Read More

Essential Insights AI tools, including weaponized LLMs and deepfakes, are rapidly expanding in underground ransomware markets, with AI utility posts increasing from 38 in December 2025 to 1,486 in February 2026, simplifying entry for new cybercriminals. Ransomware attacks have grown by 20% since 2023, now predominantly targeting smaller enterprises (80%), with groups like Qilin earning millions—up to $193 million—by offering full-service cyberattack capabilities. Cybercriminals are adopting professional business models, selling exploits and stolen credentials through multiple channels, with AI-enhanced social engineering making phishing more convincing and widespread. Despite law enforcement efforts, the underground ransomware scene is becoming more profitable and…

Read More

Essential Insights Exploitation of CVE-2026-3300 in Everest Forms Pro allows unauthenticated attackers to execute arbitrary PHP code, enabling site takeover and creation of malicious admin accounts. Attackers are using skimming malware that abuses trusted services like Stripe and Google Tag Manager to covertly exfiltrate stolen card data from e-commerce platforms. A large-scale, ongoing campaign impersonates major brands via fake storefronts, utilizing WebSocket exfiltration and real-time 3DS challenge relaying to steal payment information undetected. Threat Overview, Attack Techniques, and Targets Threat actors are actively exploiting a critical vulnerability in the Everest Forms Pro plugin for WordPress. This flaw is identified as…

Read More

Essential Insights EU telecommunications ministers will review a comprehensive cybersecurity package aimed at enhancing resilience, securing ICT supply chains, and strengthening ENISA at the TTE Council on June 9. The package includes an update to the EU Cybersecurity Act (CSA2) and targeted amendments to the NIS2 Directive, focusing on strategic autonomy and streamlining certification schemes. A key component is a new Union-level ICT supply chain security framework designed to reduce cybersecurity risks across supply chains. The broader strategy emphasizes developing secure digital infrastructure, enhancing cross-border cooperation, and safeguarding critical sectors like ports, which handle the majority of EU trade and…

Read More

Top Highlights Cisco has disclosed a high-severity, actively exploited vulnerability (CVE-2026-20245) in its Catalyst SD-WAN Manager, allowing attackers with netadmin privileges to execute arbitrary commands and gain root access, risking full system compromise. The flaw stems from inadequate input sanitization during file uploads, enabling command injection, especially when combined with other vulnerabilities, increasing real-world attack potential. No patches are available yet; Cisco recommends upgrading to a previous fixed version, and advises monitoring logs for suspicious activity, especially commands related to script uploads. Organizations should collect forensic data before patching, review configurations post-upgrade, and consult Cisco TAC if signs of compromise…

Read More

Fast Facts Threat actor PCPJack hijacked cloud servers across AWS, Google Cloud, and Azure to operate a covert SMTP relay network for potentially large-scale spam, phishing, or malware distribution. They deployed Linux-based proxies and implants (Sliver, Chisel) with automated scripts to maintain persistence, filter for SMTP relay functionality, and exfiltrate proxy data, indicating sophisticated, scalable infrastructure. The operation’s infrastructure—comprising compromised servers, relay scripts, and persistent C2 mechanisms—suggests an opportunistic campaign capable of enabling extensive malicious activities at scale. Threat, Attack Techniques, and Targets The threat actor known as PCPJack hijacked cloud servers on AWS, Google Cloud, and Microsoft Azure. They…

Read More