- Home
- Cybercrime and Ransomware
- Emerging Tech
- Threat Intelligence
- Expert Insights
- Careers and Learning
- Compliance
Subscribe to Updates
Subscribe to our newsletter and never miss our latest news
Subscribe my Newsletter for New Posts & tips Let's stay updated!
Author: Staff Writer
John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
Top Highlights Gunra ransomware has rapidly escalated from a localized threat to a global concern, expanding through a sophisticated Ransomware-as-a-Service (RaaS) model involving nearly 32 victims by March 2026. The group transitioned from relying on Conti-based code to developing its own customizable ransomware panel, enabling affiliate management, victim tracking, and targeted attack execution, while maintaining a low profile on dark web forums. Gunra’s ecosystem promotes a white-label approach, allowing affiliates to deploy attacks under various brands, complicating attribution efforts and increasing the threat’s proliferation across multiple sectors and regions. Defense strategies must include enhanced dark web monitoring, tracking emerging ransomware…
Essential Insights OrBit, a stealthy Linux rootkit derived from the publicly available Medusa, has been used by multiple hacker groups since 2022 to steal credentials and maintain covert access. It embeds deeply into Linux systems, hooks into over forty core functions, and hides in system files, making detection difficult while capturing login info via SSH and sudo. A significant enhancement in 2025 allowed OrBit to forge authentication outcomes, granting attackers near-total control over login permissions on compromised systems. Multiple threat actors, including state-sponsored and cybercrime groups, have exploited OrBit, using consistent artifacts and indicators like specific filenames and YARA rules…
Fast Facts Operational Technology (OT) in industrial sectors is increasingly targeted by ransomware, with 2,073 attacks over 12 months, highlighting escalated risks as IT/OT convergence grows. OT systems are crucial to national infrastructure, and cyber attacks threaten not only business continuity but also national resilience and public safety. Capital goods sectors, especially machinery and construction, are heavily impacted, demonstrating vulnerabilities in OT-dependent environments. Regulatory bodies now emphasize OT security, requiring organizations to treat OT risks with the same rigor as IT security, to safeguard operational, regulatory, and safety outcomes. The Issue Over the past year, operational technology (OT) systems across…
Top Highlights UNC6671 employs sophisticated voice phishing (vishing) combined with real-time adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication and gain deep access to cloud environments, primarily targeting Microsoft 365 and Okta. The group leverages automated scripting and API misuse, such as Python and PowerShell, to exfiltrate high-value data from SaaS platforms stealthily by mimicking legitimate user activity and exploiting session cookies. Indicators of compromise include script-driven access with User-Agent mismatches, origin from non-standard infrastructure, and use of tailored subdomains referencing passkey and enrollment themes, highlighting the importance of phishing-resistant MFA. Threat Summary, Attack Techniques, and Targets Google Threat Intelligence Group…
Essential Insights Attackers can exploit four OpenClaw vulnerabilities to bypass sandbox restrictions, read sensitive files, and plant backdoors, enabling persistent control and data theft. The chain of exploits allows malicious code execution, credential exposure, privilege escalation to owner level, and backdoor installation through a multi-step attack process. The vulnerabilities stem from unvalidated client-controlled flags and trust in spoofable tokens, making traditional detection methods less effective and increasing the attack surface. Threat, Attack Techniques, and Targets Cybersecurity researchers have revealed four security flaws in OpenClaw, called the Claw Chain. These flaws can be chained to perform theft of data, escalate privileges,…
Summary Points TeamPCP is covertly exploiting trusted CI/CD tools by injecting malicious code into popular components, enabling large-scale theft of sensitive credentials and secrets used in cloud and software pipelines. Their activities span multiple attack waves, compromising Docker images, GitHub workflows, extensions, and even signing pipelines, resulting in widespread exfiltration of cloud keys, SSH credentials, and developer tokens. The campaign leverages trusted infrastructure—such as container images and project signing processes—making detection difficult and amplifying the impact once a single control point is compromised. Trend Micro recommends strict security measures: enforcing least privilege, network egress controls, rotating compromised secrets, verifying image…
Essential Insights The G7 countries and the EU have published a detailed AI Software Bill of Materials (SBOM) to promote transparency, vulnerability tracking, and risk reduction in AI supply chains. Dell’s SupportAssist software is causing Windows Blue Screen of Death (BSOD) crashes, with a current fix to disable or uninstall the problematic version temporarily. The Linux kernel vulnerability called Dirty Frag has re-emerged as Fragnesia (CVE-2026-46300), enabling unprivileged users to gain root access by corrupting page cache memory. Ransomware attackers are increasingly threatening physical violence, with up to 46% in the U.S. threatening harm or causing physical damage, often with…
Fast Facts Gremlin stealer uses advanced obfuscation techniques, including resource-based payload concealment and instruction virtualization, to evade static analysis and detection. The malware exfiltrates sensitive data—such as browser cookies, session tokens, cryptocurrency wallets, and credentials—to hidden command-and-control servers, with new modules targeting Chromium browsers and active session hijacking. It employs sophisticated anti-analysis tactics like code obfuscation, string encryption, and control-flow chaos, making reverse engineering and detection highly challenging for defenders. Threat Overview, Techniques, and Targets The Gremlin stealer malware has recently upgraded its tactics to hide better. It now embeds its malicious payloads inside resource files and disguises them with…
Fast Facts Ransomware attacks have evolved into "Triple Extortion," targeting operational shutdowns, data exfiltration, and direct threats to customers and regulators, making recovery increasingly complex and costly. The case of Change Healthcare exemplifies the catastrophic financial and reputational damage, with over $3 billion in total impacts in 2024, most costs not covered by insurance, highlighting gaps in current coverage. Cyber insurance policies are becoming less reliable due to sub-limits, exclusions for state-backed attacks, and mismatched pricing, necessitating a shift from relying solely on insurance as a safety net. A mature incident response strategy—focused on strong network segmentation, offline backups, proactive…
Summary Points FrostyNeighbor, a Belarus-aligned hacking group active since 2016, has resurfaced with sophisticated cyberattacks targeting Ukrainian government organizations, utilizing layered infection chains that are increasingly difficult to detect. Their campaigns involve spearphishing with convincing malicious PDFs impersonating legitimate Ukrainian entities, followed by multi-stage payload delivery that includes JavaScript staging, decoy PDFs, and scheduled tasks for persistence. The attack chain incorporates server-side validation, with the group selectively validating targets before deploying advanced tools like Cobalt Strike to establish persistent remote access. Cybersecurity analysts recommend vigilant monitoring of infrastructure and suspicious unsolicited documents, emphasizing that FrostyNeighbor continually evolves tactics to evade…