Author: Staff Writer

Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Fast Facts A phishing campaign called VENOMOUS#HELPER has targeted over 80 organizations since April 2025, using legitimate RMM tools to establish persistent access and evade detection. Attackers employ customized SimpleHelp and ScreenConnect RMMs to create a dual-channel architecture, ensuring continuous control even if one channel is blocked. The initial infection is via a phishing email impersonating the U.S. Social Security Administration, directing victims to a compromised Mexican website to download malicious payloads. The malware installs as a persistent Windows service, gains system privileges, and uses remote access tools to maintain stealthy, ongoing control over compromised systems. Phishing Campaign Sparks Widespread…

Read More

Quick Takeaways A stealthy phishing campaign, VENOMOUS#HELPER, leverages legitimate RMM tools like SimpleHelp and ScreenConnect to maintain persistent, undetectable access across over 80 organizations since April 2025. Attackers exploit trusted, signed remote management software to blend malicious activity with normal operations, causing a surge in RMM tool misuse and a decline in traditional hacking methods. The attack chain involves convincing phishing emails mimicking the Social Security Administration, leading targets to download malware that installs dual RMM tools for covert control. Experts emphasize the importance of vigilant security practices, like activity logging, SIEM/EDR monitoring, application whitelisting, and raising cybersecurity awareness among…

Read More

Summary Points A sophisticated threat actor tricked support analysts into executing a disguised malicious screensaver file, leading to the theft of EV Code Signing certificates used for signing malware. The attacker successfully compromised two support machines over a ten-day window, exploiting a gap caused by a faulty security sensor, and gained access to internal customer support tools. Using stolen certificates, the attacker digitally signed payloads of the “Zhong Stealer” malware, which was linked to Chinese cybercrime activities, and targeted cryptocurrency theft. DigiCert revoked all 60 affected certificates within 24 hours, implemented security enhancements, and identified several IP addresses involved in…

Read More

Summary Points MicroStealer is a stealthy infostealer malware first detected in December 2025, targeting telecom and education sectors by harvesting browser credentials, cookies, session tokens, and wallet files through social engineering. It spreads via fake installers, malicious downloads, and phishing, relying on user trust rather than exploiting vulnerabilities, making it difficult to detect early. Once inside, it steals active sessions for SaaS, VPNs, and cloud services, enabling lateral movement and difficult real-time detection, with data sold on underground markets for further cyberattacks. Defense requires behavior-based endpoint detection, multi-factor authentication, monitoring outbound traffic, and employee training to mitigate its sophisticated, layered…

Read More

Top Highlights A critical vulnerability (CVE-2026-4670, CVSS 9.8) in MOVEit Automation allows attackers to bypass authentication and gain unauthorized access. An additional flaw (CVE-2026-5174, CVSS 7.7) enables privilege escalation through improper input validation, risking administrative control. Exploitation of these vulnerabilities could lead to data exposure, lateral movement, and disruption, similar to past ransomware attacks like Cl0p. Threat Overview, Attack Techniques, and Targets Progress Software released patches for a serious security issue in MOVEit Automation. This flaw is labeled as CVE-2026-4670. It has a high severity score of 9.8. The issue is an authentication bypass. Attackers can exploit it to gain…

Read More

Quick Takeaways Two US cybersecurity professionals, Ryan Goldberg and Kevin Martin, were sentenced to four years in prison for conducting ransomware attacks using ALPHV BlackCat, which targeted over 1,000 victims including US healthcare and engineering firms. ALPHV BlackCat, developed in Rust for multi-OS compatibility, employed a ransomware-as-a-service model, enabling affiliates like Goldberg and Martin to execute attacks while core developers managed the malware infrastructure. The ransomware operators extorted approximately $1.2 million in Bitcoin from a single victim, with profits split 80/20 between affiliates and developers, complicating attribution due to separate roles. The FBI’s efforts included developing a decryption tool in…

Read More

Top Highlights A ransomware attack was detected at Sandhills Medical Foundation in McBee, South Carolina on May 8, 2025. Forensic analysis confirmed the breach involved an unauthorized third party accessing sensitive systems. Nearly a year later, the incident has prompted a class action investigation into the organization’s cybersecurity response and data handling. The case highlights ongoing concerns over the timeliness and effectiveness of protections for community health centers against cyber threats.** Underlying Problem Nearly a year after discovering a ransomware attack on May 8, 2025, Sandhills Medical Foundation, a federally qualified health center in McBee, South Carolina, is now under…

Read More

Fast Facts The Silver Fox group conducted targeted phishing campaigns using tax-themed lures in India, Russia, and Southeast Asia to deploy the novel ABCDoor backdoor via Rust-based loaders, enabling remote control and data exfiltration. Their malware leverages sophisticated geofencing checks and environment detection, including virtual machine and sandbox evasion, to maximize stealth during operations. The campaigns impact multiple sectors, including industrial and retail, with over 1,600 phishing emails exchanged in a short period, highlighting a shift towards persistent, multi-layered cyber espionage and intrusion strategies. Threat Overview, Attack Techniques, and Targets Silver Fox is a cybercrime group based in China that…

Read More

Essential Insights MITRE released ATT&CK v19, expanding the framework with granular updates, including a significant Defense Evasion split and enhanced ICS (Industrial Control Systems) sub-techniques for better industrial attack visibility. The update broadens cyber threat intelligence coverage by highlighting emerging threats such as AI-driven espionage, Iranian and Chinese advanced persistent threats, cross-domain operations, and supply chain compromises. Detection strategies have been extended into mobile environments and focus on behavioral analysis, emphasizing detection of AI-enabled techniques and social engineering tactics across multiple channels. New techniques formalize adversary use of AI (e.g., large-scale research and content generation) and social engineering behaviors, improving…

Read More

Essential Insights Cybercriminals exploit Telegram Mini Apps to run large-scale frauds, impersonate brands, and distribute Android malware, posing significant security threats. A critical cPanel vulnerability (CVE-2026-41940) has led to widespread server compromises and ransomware attacks, urging urgent patching among federal agencies. A new Linux flaw (CVE-2026-31431) affects systems since 2017, allowing attackers to gain full control, threatening cloud and server security. Google enhances bug bounty programs with increased payouts for Android and Chrome vulnerabilities, aiming to incentivize detailed and actionable security reports. The Core Issue Recently, cybersecurity experts uncovered a large-scale scam involving Telegram’s Mini Apps. These apps, which mimic…

Read More