Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.

Author: Redazione RHC

An SVG file disguised as a PDF led victims to a fake login

Microsoft Threat Intelligence specialists have identified an attack in which attackers used artificial intelligence for the first time to disguise phishing code. The goal was to steal credentials from companies in the United States. The malicious SVG file hid its true functionality behind a layer of pseudo-corporate terminology and a simulated analytics dashboard, allowing it to bypass simple checks. Analysis revealed that the code’s structure was uncharacteristic of hand-written code and was likely produced by a generative model. The emails came from a hacked corporate account, with the sender’s address matching the recipient’s, and the actual target addresses placed in BCC. The attachment mimicked

Airports shut down, ransomware, four days of chaos, and a suspect arrested. An attack that shook Europe.

On September 19, a major cyber incident occurred in Europe, affecting Collins Aerospace, one of the world’s largest aerospace technology suppliers. The attack disrupted airline operations and affected flights at major European hubs. The impact was particularly noticeable at London Heathrow Airport, where passengers faced flight delays and cancellations throughout the weekend. According to law enforcement, the attack targeted Collins Aerospace systems that support and coordinate a series of technological processes related to aviation safety and flight operations. The disruption of these services rapidly impacted the supply chain and operational processes, causing disruptions to air transport in several EU countries. On

One added line of code and thousands of companies hacked. This is the magic of the Supply Chain!

Developers learned to trust the tools that help their AI assistants handle routine tasks, from sending emails to using databases. But this trust proved vulnerable: the postmark-mcp package, downloaded over 1,500 times a week, silently forwarded copies of all emails to an external server owned by its author starting with version 1.0.16. Internal company correspondence, invoices, passwords, and confidential documents were at risk. The incident demonstrated for the first time that MCP servers can be used as a full-fledged conduit for supply chain attacks. Researchers at Koi Security identified the issue when their system detected a sudden change in the package’s behavior.

Rhadamanthys Stealer: Introduces an AI feature to extract seed phrases from images

Rhadamanthys is an advanced information stealer that first emerged in 2022. Featuring a rapid development cycle—with at least ten different releases since its inception—the malware is promoted and marketed on underground forums. Despite a ban on its use against Russian and/or former Soviet republics, the product is still available on the black market; prices start at $250 for 30 days of access, a price that favors its spread among cybercriminals.

Evasion features and techniques

Rhadamanthys is designed to collect a wide range of data: system information, credentials, cryptocurrency wallets, passwords stored in browsers, cookies, and data from numerous applications. It integrates numerous

Active Directory in the crosshairs! How criminal hackers steal NTDS.dit

Active Directory (AD) contains the organization’s digital keys: unauthorized access to this service exposes sensitive information and credentials that can lead to a complete domain compromise. Among the most critical assets is the NTDS.dit file, which stores the domain dataset and password hashes. This article reconstructs a real-world case in which malicious actors gained elevated privileges, extracted NTDS.dit, and attempted to exfiltrate it by bypassing common controls.

The strategic value of NTDS.dit

In a Windows environment dominated by Active Directory, the NTDS.dit (NT Directory Services Directory Information Tree) file represents the central database for the domain: it contains user accounts, group policies,

YiBackdoor Arrives: What You Need to Know and How to Protect Your Network

In a new report, Zscaler ThreatLabz has revealed details of a new malware family called YiBackdoor, first observed in June 2025. From the outset, the analysis highlighted significant source code matches with the IcedID and Latrodectus downloaders, and it is this connection that Zscaler points to as crucial to understanding the new sample’s possible origin and role in the attacks. The malware is a modular DLL library with a basic set of host remote control functions and a plugin-based extension mechanism. By default, its functionality is limited, but attackers can load additional modules to expand its capabilities. The program copies itself

Fezbox Malware: The NPM Package That Steals Cookies with QR Codes

Researchers discovered a malicious package called fezbox in npm that steals victims’ cookies. To keep the malicious activity undetected, QR codes are used to download the malware from the attackers’ server. According to Socket researchers, attackers have found a new use for QR codes: hiding malicious code within them. Analysts have reported that the package contains hidden instructions to download a JPG image containing a QR code, which is then decoded to launch an obfuscated payload as the second stage of the attack. At the time of the malware’s discovery, the package had been downloaded at least 327 times

Two Dutch men arrested on suspicion of espionage with ties to Russia

Dutch police have arrested two 17-year-old boys on suspicion of espionage activities, with possible links to Russia, the Telegraaf newspaper reported on Friday. The father of one of the young men claimed his son was recruited via Telegram by a pro-Russian hacker. In August, the boy allegedly showed up at the offices of Europol, Eurojust, and the Canadian Embassy in The Hague carrying a so-called “Wi-Fi sniffer,” a device capable of detecting nearby wireless networks and intercepting their data. The prosecutor has not provided official comment on the case, citing the young age of the suspects. However, it has been confirmed that

Ukrainian cyber attack paralyzes Russian SBP payment system

Cyber specialists from Ukraine’s defense intelligence have successfully carried out an attack that paralyzed Russia’s national payment system, SBP. DIU sources shared the news with Militarnyi. According to them, the attack targeted the infrastructure used to finance organizations supporting aggression against Ukraine. Following a large-scale DDoS attack on the SBP system and the TransTeleCom provider, a significant number of Russians lost the ability to make instant transfers and pay for online purchases. Residents of Yekaterinburg took to social media to complain about the service disruptions, as people were unable to pay for transportation or refuel at gas stations. The cyberattack also

Zorin OS 18: The new beta version is now available

Zorin OS has released a beta version of its new release, Zorin OS 18. Currently, only the GNOME-based Core edition is available, without the proprietary library. According to Artem Zorin, a lightweight Xfce-based Lite version will arrive later, after the stable release. The system is based on Ubuntu 24.04 Noble Numbat, released almost a year and a half ago. However, the developers adhere to the “release when it’s ready” principle, rather than relying on a calendar. The previous version, 17.3, remains current and stable, although some users have been forced to downgrade from Noble to Jammy due to