输入情报内容缺失，仅提供了标题“京公网安备 11000002002063号”和来源为360CERT安全报告，但实际URL指向公安局备案页面，未包含任何威胁情报描述、技术细节或攻击活动信息。由于缺乏有效内容，无法提取攻击事件、战术技术或影响范围。

该输入为网站备案号信息，并非威胁情报内容。未发现任何攻击活动、恶意软件、漏洞或安全事件相关细节。

该输入为一个来自360CERT的安全报告页面，标题为“京网文〔2020〕6051-1195号”，该标题实际对应的是北京市网络文化经营许可证编号，而非威胁情报内容。页面标签包含360、APT、恶意软件、报告，但摘要正文为空，未提供任何具体的攻击活动、技术细节或IOC。由于缺乏实际情报内容，本文无法提取有效威胁信息。

本次输入内容为一条来自360CERT安全报告的记录，但标题为备案信息，URL指向工信部备案系统，摘要为空，未提供任何有效威胁情报细节。标签包含360、apt、malware、report，但无具体内容支撑，无法确认是否存在实际攻击活动。报告可能为占位符或错误条目。

Unit 42 has discovered a new macOS Tahoe 26 forensic artifact that tracks user menu selections across the operating system. Learn more here. The post Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered appeared first on Unit 42.

该论文探讨了持续集成（CI）系统的信任问题，核心关注点是：即便源代码本身没有恶意代码，基于容器的CI系统仍可能被植入隐形恶意软件，且不在源码中留下任何痕迹。作者借鉴了Ken Thompson经典的编译器后门思想，证明了攻击者可以通过多种初始感染手段（例如利用CI系统的镜像拉取机制、缓存污染、或插件漏洞）入侵CI环境，随后通过绕过CI系统更新的持久化机制长期潜伏。攻击载荷包括数据窃取、在生产软件中植入后门等。此外，攻击者还能利用隐蔽信道对受感染的CI系统进行远程控制，动态更新攻击载荷或规避防御措施。作者在GitLab CI上实现了概念验证，并指出该攻击可迁移至主流CI平台。研究指出传统代码审查、静态分析等防护手段对此类攻击几近无效，揭示了现代软件供应链中一个被忽视的信任盲区。

In this week’s newsletter, Amy reminisces on the tech toys of their childhood, inspired by a hilarious lesson about why your digital privacy shouldn't be left on an open channel.

By Yarden Porat AI agents need memory. Frameworks like LangGraph provide it through checkpointers – persistence layers that store execution state. But what happens when that persistence layer isn’t locked down? Key Points Background LangGraph is an open-source framework for building stateful, multi-agent AI systems with built-in persistence. It’s an extension of LangChain, with over […] The post F

Decades of piling complexity onto non-standardized stacks have left security unsteerable. Juan Andrés Guerrero-Saade makes the case for a new approach.

Protect enterprise AI agents from supply chain risks by auditing third-party skills for hidden vulnerabilities and multi-stage attack chains. The post Trust No Skill: Integrity Verification for AI Agent Supply Chains appeared first on Unit 42.

该论文是首次针对Android恶意软件生态系统中隐蔽通信信道（Covert Channels, CC）使用情况的纵向研究。研究背景是：代理、VPN和Tor等工具虽然帮助隐私社区和受限地区用户对抗审查，但同样可能被恶意软件和僵尸网络滥用，以隐藏与外部命令与控制服务器的通信。尽管基于恶意软件的攻击日益增多，此前尚无纵向研究分析恶意应用如何利用CC规避检测。为填补这一空白，作者开发了一个多阶段分析管道，结合静态和动态分析，检查系统和网络层面的特征。该管道应用于一个包含350万个Android恶意软件样本的语料库，时间跨度从2009年至2025年7月。精心设计的静态验证规则发现了28.8万使用CC的APK，涉及511个恶意软件家族，CC使用率从2012年的0.30%指数增长至2025年的50%。在动态分析中，识别出19,308个唯一的IP地址，分布在85个国家，其中59个IP地址（17个国家）被明确验证存在CC。此外，进行了跨越16年的纵向数据集研究，发现CC使用方式不断演变：例如，一些恶意软件采用多种CC；另一些则定期在不同CC之间切换（一个家族在2019年至2025年间切换CC达40次）。研究揭示了CC在Android恶意软件中的广泛和增长趋势，为检测和防御提供了重要依据。

A shift in operational pattern of the infamous Vietnam-aligned APT group

Unit 42 research examines attack scenarios targeting cloud logging services. Learn how to defend against log manipulation and defense evasion. The post Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility appeared first on Unit 42.

Microsoft Patch Tuesday details for June 2026.

Learn how to investigate AI activity in Microsoft 365 Copilot and Azure AI services using a structured, telemetry-driven approach. This playbook helps security teams reconstruct events, assess data exposure, and detect potential threats faster. The post Reconstructing AI activity in investigations  appeared first on Microsoft Security Blog.

We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257. The post Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 appeared first on Unit 42.

Every organisation gets audited. The question is who does the auditing.

Attackers are increasingly targeting collaboration platforms like Microsoft Teams. Learn the risks and key steps to strengthen your organization's security. The post When “Hi, This Is IT” Comes Through Microsoft Teams appeared first on Unit 42.

As threat actors operationalize AI to accelerate attacks, they are also leveraging the wider global interest around AI itself as a social engineering lure. The post AI brands as bait: How threat actors are using the AI hype in social engineering appeared first on Microsoft Security Blog.

For the latest discoveries in cyber research for the week of 1st June, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES DentaQuest, a U.S. dental benefits administrator owned by Sun Life, has suffered a data breach after threat group ShinyHunters leaked exfiltrated data. Analysts assessed that 2.6 million accounts were exposed, including names, emails, […] The post 8th Ju

Microsoft Threat Intelligence identified a prompt injection pathway in Claude Code GitHub Action that allowed access to workflow secrets under specific conditions. This research examines the attack chain, responsible disclosure process, Anthropic's mitigation, and guidance for securing AI-powered CI/CD workflows. The post Securing CI/CD in an agentic world: Claude Code Github action case appeared

A surge in real-world attacks against agentic AI systems is reshaping how we think about risk. Based on 12 months of red teaming, this update introduces seven new failure modes, from supply chain compromise to goal hijacking, and the practical mitigations teams need now. The post Updating the taxonomy of failure modes in agentic AI systems: What a year of red teaming taught us  appeared first on M

Joe’s on-the-ground report from Cisco Live U.S. is here, complete with therapy dog pictures and tips on handling conference overstimulation.

该研究从行为心理学视角出发，系统分析恶意软件开发者的编码习惯与认知风格。研究者收集了大量泄露的恶意软件源代码，并与精心筛选的良性开源软件代码进行比较。通过静态应用安全测试（SAST）和多种软件度量指标（如代码行数、圈复杂度、注释密度、函数长度、抽象机制使用频率等），结合认知心理学和犯罪学理论，解释代码结构差异背后的行为含义。研究发现：恶意软件代码通常更短、注释更少，每个函数的圈复杂度更高，而类、闭包等抽象机制使用显著减少；漏洞类型上，恶意软件包含更多良性代码通常避免的安全问题，表明开发过程缺乏安全投资。这些模式暗示恶意开发者更注重快速实现、操作隐蔽和规避检测，而非代码长期可维护性。但度量数据显示，恶意代码与良性代码的差异尚不足以作为唯一的区分特征。本研究证明，定量代码分析可作为行为信号和战略选择的代理，为行为网络安全研究提供新方法，并为犯罪者行为画像的研究奠定基础。

Research by: Alexey Bukhteyev Key Takeaways Introduction When we search Google for a popular piece of software, we usually click the first result, sometimes without even looking at the rest, because official project sites tend to rank highest and appear near the top of the results. After landing on a site with a professional design and […] The post Impersonation, Click Hijacking, and TDS: Inside a

Microsoft Threat Intelligence 披露了一起大规模 npm 供应链攻击活动，代号 Miasma。攻击者入侵了 Red Hat 的 npm 组织 @redhat-cloud-services，篡改了超过 90 个版本的合法 package，在 CI/CD 环境和开发者机器中植入恶意代码。该恶意代码会窃取 GitHub 令牌、云服务凭证（如 AWS、Azure）以及本地存储的敏感信息，并通过蠕虫式传播机制，利用已感染的信任关系向其他项目自动推送恶意更新。攻击者在软件供应链的早期阶段（预安装脚本）执行恶意负载，实现了持久化驻留。受影响的主要是依赖 Red Hat 云服务组件的开发者和企业，可能引发大规模凭证泄露和横向移动。微软建议立即审计受影响的 npm 包版本，轮换所有可能暴露的凭证，并加强 CI/CD 管道的安全控制。

Palo Alto Unit 42 于2026年6月2日更新了关于 npm 供应链威胁格局的报告。报告指出，自 Shai Hulud 事件以来，npm 生态系统面临的攻击面持续演化，出现了可蠕虫式传播的恶意软件、针对 CI/CD 管道的持久化机制以及多阶段攻击等新型威胁。这些攻击通常利用软件包依赖关系、混淆技术以及自动化构建流程中的漏洞，在开发者环境中植入后门，进而影响下游用户。报告强调了 npm 作为关键软件供应链环节的脆弱性，并讨论了包括包签名验证、依赖审计、最小权限原则、CI/CD 安全加固在内的缓解措施。尽管未披露具体样本或 IOC，但该分析为安全团队理解当前 npm 威胁态势提供了重要参考。

Discover how Microsoft enables fast, secure AI development with MDASH and new security capabilities. The post Microsoft Build 2026: Securing code, agents, and models across the development lifecycle appeared first on Microsoft Security Blog.

ESET researchers show how Gamaredon facilitated Turla access to Ukrainian targets, revealing rare cooperation between FSB-linked espionage groups.

Operation FlutterBridge is a malvertising campaign targeting macOS users. It distributed the new backdoor FlutterShell, built using the Flutter framework. The post Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor appeared first on Unit 42.

AI accelerated tool development and testing, but humans drove the workflowCategories: Threat ResearchTags: AI, EDR

For the latest discoveries in cyber research for the week of 1st June, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Carnival Corporation, a global cruise line operator, has confirmed a data breach affecting nearly 6 million people after attackers used social engineering to compromise an employee account. Exposed information may include names, contact […] The post 1st

A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and detection opportunities to help organizations identify and disrupt related activity. The post Malicious npm packages abuse dependency confusion to profile developer environments appeared first on Mic

Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. The post Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection appeared first on Microsoft Security Blog.

The Mini Shai-Hulud campaign used malicious npm packages to target cloud and CI/CD credentials across developer environments. This report details the attack chain, detection opportunities, and mitigation guidance to help organizations identify and disrupt related activity. The post Typosquatted npm packages used to steal cloud and CI/CD secrets appeared first on Microsoft Security Blog.

In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter.

Unit 42 explores trends in data theft and extortion, outlining key strategies for organizations as frontier AI models advance. The post Out of the Crypt: The Evolving Cyber Extortion Economy appeared first on Unit 42.

Talos researchers find 4 heap-based buffer overflow vulnerabilities in MediaArea's MediaInfoLib.

EvidenceForge generates high-quality, realistic, and consistent datasets across multiple log formats, enabling teams to effectively train personnel and validate detection models without the need for complex manual simulations.

Microsoft exposes a cryptojacking campaign using SEO poisoning and ScreenConnect to target high-performance PCs, with malicious sites also surfaced through AI chatbots. The post From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities appeared first on Microsoft Security Blog.

该论文系统性地研究了Android权限系统中两个被忽视的过时机制，这些机制持续破坏用户知情同意：（1）权限组（permission groups）机制：用户首次授权某个权限后，后续同一组内的新权限会被静默自动授予，用户无感知；（2）普通级自定义权限（normal-level custom permissions）：安装时自动授予，且允许跨应用访问，用户完全不可见。作者对AndroZoo仓库中的1930万APK（涵盖597万个独立应用标识符）进行了纵向分析，并在Android 16设备上进行了验证。在224万多个多版本应用中，381026个（17%）在已授权组内静默获得了新增权限。通过VirusTotal检测（主阈值为20），被标记为恶意软件的应用在组内扩展权限的比例高于良性应用（优势比=1.35，p<0.001）；该关联在所有测试阈值下均成立，且集中在权限密集型应用中（上四分位数优势比=2.06）。此外，还识别出307个跨开发者的普通级自定义权限对，这些配对允许无关应用访问联系人、短信、位置、认证凭据、用户身份和医疗记录，而无需任何用户提示。基于公开Android API的轻量级原型在96天单设备试点中，记录了13个应用的23次静默扩展事件，表明不修改操作系统即可实现更新时的透明度。研究表明，尽管Android平台已加固十年，但同意侵蚀问题依然存在，影响范围从冷门工具到广泛部署的预装软件。

Executive Summary During the March–April 2026 reporting period, AI use in offensive operations advanced from development and planning to real-time operational deployment. Multiple independent cases, involving individual criminal actors, mass exploitation platforms, ransomware groups, and state-sponsored espionage, show evidence of commercial AI models executing autonomous attack workflows across e

For the latest discoveries in cyber research for the week of 25th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES 7-Eleven, the global convenience store chain, confirmed a breach after an unauthorized access to systems used for franchisee documents. ShinyHunters claimed responsibility and said it stole more than 600,000 Salesforce records containing personal […] The

Microsoft has been recognized as a Leader in The Forrester Wave™: Workforce Identity Security Platforms, Q2 2026, receiving the highest scores in both the current offering and strategy categories. The post Microsoft recognized as a Leader in The Forrester Wave™ for Workforce Identity Security Platforms appeared first on Microsoft Security Blog.

微软威胁情报团队报告了一起针对Linux环境的多阶段入侵攻击事件。攻击始于一台暴露在公网的F5 BIG-IP边缘设备，该设备被作为初始访问入口。攻击者利用该设备作为跳板，通过内网横向移动至Confluence服务器，并试图窃取凭证和破坏身份认证系统。在攻击过程中，攻击者尝试了Kerberos中继攻击以提升权限和扩大访问范围。Microsoft Defender for Endpoint成功检测并阻止了多个攻击阶段，包括异常的网络连接和凭证访问行为。该事件展示了边缘设备暴露带来的严重风险，以及攻击者如何从边界设备深入内网核心系统。攻击者的具体身份未明确归因，但攻击手法具有APT组织特征。目前没有披露具体的漏洞利用（CVE），但强调了暴露的服务和配置不当带来的风险。微软建议组织加强边缘设备的安全配置，实施网络分段，并部署端点检测与响应（EDR）系统以监控横向移动和凭证滥用行为。

How Frontier firms secure AI at scale: read how Microsoft customers embed governance, identity, and cloud security to make protection an enabler of AI growth. The post Microsoft Security success stories: How St. Luke’s and ManpowerGroup are securing AI foundations appeared first on Microsoft Security Blog.

Key Findings Introduction During the recent geopolitical tensions in the Middle East, we reported on multiple Iran-nexus threat actors advancing Iran’s strategic objectives through cyber operations. These activities included targeting internet-connected cameras, conducting destructive attacks against US and Israeli entities, and exfiltrating data from cloud environments to support broader kinetic

Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns. The post Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns appeared first on Unit 42.

Open-source framework ROADtools is being misused by threat actors for cloud intrusions. Learn how to identify its malicious use. The post Paved With Intent: ROADtools and Nation-State Tactics in the Cloud appeared first on Unit 42.

In this edition of the Threat Source newsletter, William explores the value of being "ungovernable" in a professional setting, sharing how challenging the status quo and seeking out the smartest people in the room can lead to a more fulfilling and successful career.

Microsoft Security’s latest updates extend visibility, control, and protection across expanding ecosystems as organizations accelerate AI adoption. The post What’s new in Microsoft Security: May 2026 appeared first on Microsoft Security Blog.

Compromised @antv npm packages deploy the Mini Shai-Hulud payload to steal CI/CD secrets from Linux-based automation environments. The malware executes during npm install and targets credentials across GitHub, AWS, Kubernetes, Vault, npm, and 1Password platforms. The post Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft appeared first on Microsoft Security Blog.

Read about the unique challenges and rewards of securing gaming platforms and how to better protect gaming communities. The post Securing the gaming culture of cultures appeared first on Microsoft Security Blog.

The AI systems shipping inside enterprises today are fundamentally different from the ones we were building even two years ago, because they have moved well past answering questions and into accessing your email, retrieving records from your CRM, writing and executing code, and taking actions on your behalf across dozens of connected systems. The post Introducing RAMPART and Clarity: Open source t

Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to targets. The post Tracking TamperedChef Clusters via Certificate and Code Reuse appeared first on Unit 42.

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed eight vulnerabilities in TP-Link, and one each in Adobe Photoshop, OpenVPN, and Gen Digital's Norton VPN.The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability

Fox Tempest is a financially motivated threat actor operating a malware‑signing‑as‑a‑service (MSaaS) used by other cybercriminals, including Vanilla Tempest and Storm groups, to more effectively distribute malicious code, including ransomware. The post Exposing Fox Tempest: A malware-signing service operation appeared first on Microsoft Security Blog.

Cisco Talos has uncovered a BadIIS variant — identifiable by its embedded "demo.pdb" strings — that functions as commodity malware, likely sold or shared among multiple Chinese-speaking cyber crime groups operating under a malware-as-a-service (MaaS) model for continuous monetization.

A complete decoupling from US technology is neither realistic nor necessary, but the changing environment does require nations and companies to reassess their relationships and dependencies

Brute-force attempts against SMB services can be early signs of an attackCategories: Threat ResearchTags: Ransomware, WantToCry, SMB

Storm-2949 turned stolen credentials into a cloud-wide breach, moving from identity compromise to large-scale data theft without using malware. This incident shows how threat actors can exploit trusted systems to operate undetected. The post How Storm-2949 turned a compromised identity into a cloud-wide breach appeared first on Microsoft Security Blog.

See how built-in security helps keep your growing business running, protect customer trust, and support growth. The post How to better protect your growing business in an AI-powered world appeared first on Microsoft Security Blog.

For the latest discoveries in cyber research for the week of 18th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Vodafone, a major international telecom, has sustained a source code leak claimed by the Lapsus$ extortion group. The company confirmed limited access to GitHub files through compromised third-party development software, while stating that […] The post 1

Unit 42 analyzes the evolution of Gremlin stealer. This variant uses advanced obfuscation, crypto clipping and session hijacking to compromise data. The post Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files appeared first on Unit 42.

In this week’s newsletter, Martin reflects on what the next iteration of AI tools means for vulnerability discovery and our ability to manage large-scale patch releases.

Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.

As AI agents gain autonomy, defense in depth must evolve, with application-layer design, identity, and human oversight at the center. The post Defense in depth for autonomous AI agents appeared first on Microsoft Security Blog.

Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard, has been under constant development for years and continues to evolve in support of espionage-focused operations. Over time, Kazuar has expanded from a relatively traditional backdoor into a highly modular peer-to-peer (P2P) botnet ecosystem designed to enable persistent, covert access to target environme

Exposed UIs, weak authentication, and risky defaults could turn cloud-native AI apps on Kubernetes into potential targets by threat actors. Learn how exploitable misconfigurations lead to RCE and data leaks. The post When configuration becomes a vulnerability: Exploitable misconfigurations in AI apps appeared first on Microsoft Security Blog.

Mick Baccio and Scott Roberts examine whether public breach signals and market timing models can turn cyber incidents into actionable trading opportunities.

Sophos X-Ops looks at the Atomic macOS Stealer and its capabilitiesCategories: Threat ResearchTags: MacOS, AMOS, infostealer

Key Points Introduction The Gentlemen ransomware‑as‑a‑service (RaaS) operation is a relatively new group that emerged around mid‑2025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates. In 2026, based on victims listed on the data leak site (DLS), […

Philippe shares his unique journey from French engineering school to the front lines of cybersecurity, explaining how his lifelong love for solving puzzles helps him uncover critical security flaws before they can be exploited.

With advisories, this month’s count approaches 300 – though many are already in placeCategories: Threat Research, X-opsTags: Patch Tuesday, MICROSOFT PATCH TUESDAY

What if you could generate realistic attack telemetry on demand? Explore research methods that translate attacker behaviors (TTPs) into synthetic logs that can trigger detections at scale and without sensitive data. The post Accelerating detection engineering using AI-assisted synthetic attack logs generation appeared first on Microsoft Security Blog.

Today Microsoft is announcing a major step forward in AI-powered cyber defense: a new multi-model agentic scanning harness (codenamed MDASH). The post Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark appeared first on Microsoft Security Blog.

Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 16 that Microsoft marked as “critical”.

Read how to protect consumer websites and defend against modern DDoS attacks with layered security, resilient architecture, and graceful service degradation. The post Defending consumer web properties against modern DDoS attacks appeared first on Microsoft Security Blog.

Microsoft Incident Response investigated an attack operated through legitimate and trusted administrative mechanisms to blend seamlessly into routine operations and remain undetected demonstrating that intrusions have increasingly avoided using noisy exploits, obvious malware, or custom tooling, instead leveraging systems that organizations already trust within their environments. The post Undermi

Responding to a state-sponsored threat is nothing like responding to ransomware, and the differences can make or break the outcome. Learn why your IR plan might need revisiting, and the factors you should consider.

Seven things security teams can start doing today to reduce riskCategories: Threat ResearchTags: AI, CISO, risk

Unit 42 analyzes AD CS exploitation through template misconfigurations and shadow credential misuse while offering behavioral detection for defenders. The post Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools appeared first on Unit 42.

For the latest discoveries in cyber research for the week of 11th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Instructure, the US education technology company behind the Canvas learning platform, has confirmed a major data breach affecting its cloud-hosted environment. Exposed data reportedly includes student and staff records and private messages, while […] The

Key Findings Ransomware in Q1 2026: Consolidation at Scale During the first quarter of 2026, we monitored more than 70 active data leak sites (DLS) that collectively listed 2,122 new victims. This figure represents a 12.2% decline from the Q4 2025 all-time record of 2,416 victims but remains the second-highest Q1 on record at 117% […] The post The State of Ransomware – Q1 2026 appeared first on Ch

Smart glasses allow anyone to track and record the world around them. That could put your data and the privacy of those nearby at risk.

该论文对物联网（IoT）恶意软件的生命周期进行了大规模实证研究。作者收集了来自多个来源的物联网恶意软件样本（如蜜罐、公开样本库），并对其进行了长达数年的纵向分析。研究重点包括恶意软件的感染阶段（初始入侵、持久化、命令与控制通信）、传播机制（如利用漏洞、暴力破解）、以及恶意软件家族的演化关系。通过构建恶意软件行为图谱和家族聚类，作者揭示了不同恶意软件家族在代码重用、模块化设计上的共性，并量化了恶意软件存活时间、更新频率等指标。主要贡献包括：（1）首次对物联网恶意软件生命周期进行系统化、大规模的测量；（2）发现了恶意软件在传播和持久化策略上的趋势变化；（3）为防御者提供了针对性的缓解建议（如关闭未使用的端口、及时更新固件）。实验基于超过10万个样本，覆盖多个架构（MIPS、ARM、x86）。该研究有助于理解物联网威胁态势，并为安全团队制定检测和预防策略提供依据。

Dirty Frag is a newly disclosed Linux local privilege escalation vulnerability affecting kernel networking and memory-fragment handling components including esp4, esp6, and rxrpc. The vulnerability enables reliable escalation from an unprivileged user to root and may be leveraged after initial compromise through SSH access, web shells, containers, or low-privileged accounts. Microsoft Defender is

New research exposes how prompt injection in AI agent frameworks can lead to remote code execution. Learn how these vulnerabilities work, what’s impacted, and how to secure your agents. The post When prompts become shells: RCE vulnerabilities in AI agent frameworks appeared first on Microsoft Security Blog.

Cybersecurity concepts — logs, packets, DNS exfiltration, and more — are usually intangible, and its practitioners are prone to mental fatigue, Amy takes a second to yell at you to go touch grass.

This World Passkey Day, read how Microsoft is advancing passkey adoption to replace passwords, cut phishing risk, and deliver simpler, more secure sign-ins. The post World Passkey Day: Advancing passwordless authentication appeared first on Microsoft Security Blog.

Cloud attack framework skips cryptomining, harvests financial, messaging, and enterprise credentials for fraud, spam, and potential extortion.

Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details. The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution appeared first on Unit 42.

A malicious imitation of&nbsp;Anthropic’s&nbsp;Claude&nbsp;site leads to&nbsp;DLL sideloading&nbsp;– and&nbsp;a backdoorCategories: Threat ResearchTags: Claude, Beagle, Backdoor, malvertising, AI, DONUT, DLL sideloading, Sophos X-Ops

Microsoft is excited to be named an Overall Leader, and the Market Leader in the Kuppinger Cole Analyst’s 2026 Emerging AI Security Operations Center (SOC) report, as we see automation and AI as core components of the future of cybersecurity. The post ​​Microsoft named an overall leader in KuppingerCole Analyst’s 2026 Emerging AI Security Operations Center (SOC) report ​​ appeared first on Microso

Threat actors are targeting macOS users with fake utility fixes that trick them into running malicious Terminal commands. This campaign evades traditional defenses by stealing credentials, wallets, and sensitive data. The post ClickFix campaign uses fake macOS utilities lures to deliver infostealers appeared first on Microsoft Security Blog.

Joe FitzPatrick reveals how consumer imports of networked devices pose a real security risk to small businesses and critical infrastructure alike.

Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails.

该论文针对Android应用中的逻辑炸弹（Logic Bomb）提出了一种新型的隐蔽触发机制。传统逻辑炸弹通常依赖静态条件（如日期、文件存在等）作为触发器，容易被安全分析工具通过静态特征或简单动态执行暴露。作者创新性地提出了“自动情境化隐蔽触发器”（Auto-Contextualized Covert Triggers），利用应用运行时的上下文信息（如传感器数据、网络状态、用户行为序列等）动态生成触发条件。该方法通过机器学习模型在正常使用环境中学习上下文特征，并自动组合成难以预测的触发逻辑。实验部分，作者在多个真实Android应用上实现了原型系统，并评估了其对抗静态分析和动态监测的能力。结果显示，该机制能有效绕过现有基于规则和简单行为分析的检测方法，显著提高了逻辑炸弹的隐蔽性。论文的主要贡献包括：形式化了情境化触发器的设计空间，提出了一种自动生成框架，并验证了其在实际环境中的有效性。读者对象为移动安全、恶意软件分析与防御的研究人员。

Copy Fail (CVE-2026-31431) is a critical Linux kernel LPE that allows stealthy root access. This flaw impacts millions of systems. Read our analysis. The post Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years appeared first on Unit 42.

Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.

Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.”

Microsoft Defender Research observed a large-scale credential theft campaign that exemplifies this trend, using code of conduct-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker-controlled domains. The post Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise appeared first on

For the latest discoveries in cyber research for the week of 4th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Medtronic, a global medical device maker, has disclosed a cyberattack on its corporate IT systems. An unauthorized party accessed data, while the company reported no impact on products, operations, or financial systems. Threat […] The post 4th May – Threa

2026年5月，微软安全博客披露了一个影响Linux系统的高危漏洞CVE-2026-31431，命名为“Copy Fail”。该漏洞允许攻击者在云环境和Kubernetes工作负载中实现本地权限提升至root。漏洞根因在于Linux文件复制操作中的缺陷，攻击者通过精心构造的条件可触发漏洞，获取完全控制权。微软称已有野外利用（exploit in the wild），表明该漏洞正被实际攻击者使用。受影响的系统包括主流Linux发行版以及部署在公有云（如Azure、AWS、GCP）和Kubernetes集群中的节点。由于漏洞影响范围广且利用公开，组织应立即采取行动：优先安装补丁、加强监控告警、实施最小权限原则，并对Kubernetes环境进行安全审计。此漏洞目前无已知的攻击组织关联，但鉴于其危害性，预计会被勒索软件或APT组织纳入武器库。

Unit 42 highlights the need for a comprehensive security strategy that spans every IT zone. Explore the full details here. The post Essential Data Sources for Detection Beyond the Endpoint appeared first on Unit 42.

​Today we’re announcing the general availability of Agent 365, plus previews of new capabilities to discover and manage shadow AI agents, including local agents like OpenClaw and Claude Code. The post Microsoft Agent 365, now generally available, expands capabilities and integrations appeared first on Microsoft Security Blog.

Unit 42 uncovers high-risk AI browser extensions. Disguised as productivity tools, they steal data, intercept prompts, and exfiltrate passwords. Protect your browser. The post That AI Extension Helping You Write Emails? It’s Reading Them First appeared first on Unit 42.

In this week’s newsletter, Hazel uses International Superhero Day as a springboard to explore why empathy — rather than just technical prowess — is the most essential, underrated superpower for navigating the human side of cybersecurity.

Stay ahead of emerging threats with Microsoft’s newest security innovations and updates, delivered through the In the Loop series. The post What’s new, updated, or recently released in Microsoft Security appeared first on Microsoft Security Blog.

In early 2026, email threats increased with a rise in credential phishing, QR code phishing, and CAPTCHA-gated campaigns, highlighted by Microsoft’s disruption of the Tycoon2FA phishing platform which led to a 15% volume decrease and shifts in threat actor tactics. The post Email threat landscape: Q1 2026 trends and insights appeared first on Microsoft Security Blog.

Warnings about helpdesk impersonation scams and Iran-linked hackers targeting critical sectors in the US, plus the most damaging scams of 2025 - here's some of what made the headlines this month

Embracing strong proactive security is something we can all do to mitigate our increased exposure to security threats. The post 8 best practices for CISOs conducting risk reviews appeared first on Microsoft Security Blog.

Just as AI brings time-saving advantages to our lives, it brings similar advantages to threat actors. We can take the advantage back. This blog shows how generative AI can be used to rapidly deploy adaptive honeypot systems.

With attackers moving faster than ever, it’s easy to feel overwhelmed. This blog breaks down five practical priorities from the Cisco Talos 2025 Year in Review to help defenders focus and prioritize, amidst all the noise.

Key Takeaways Background VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that made its first appearance in December 2025 on a Russian-language cybercrime forum. After claiming their first two victims in January 2026, the group got back into the public eye due to an announcement of a partnership with TeamPCP, the actor behind several supply-chain attacks […] The post VECT: Ransomware by

Learn how Microsoft Sentinel UEBA helps defenders distinguish benign AWS activity from attacker behavior by enriching raw CloudTrail logs with clear, binary behavioral signals derived from baseline user, peer, and device behavior patterns. The post Simplifying AWS defense with Microsoft Sentinel UEBA appeared first on Microsoft Security Blog.

For the latest discoveries in cyber research for the week of 27th April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Vercel, a frontend cloud platform, has disclosed a security incident linked to a compromise at Context.ai, where stolen OAuth tokens enabled unauthorized access through a connected app. The company reported access to employee […] The post 27th April –