Threat Briefs

Daily threat intelligence for detection engineers. CVEs, campaigns, TTPs, and detection coverage.

⚠️ These reports are AI-generated. Always validate findings.

Cyber Threat Brief — March 3, 2026

Tuesday, March 3, 2026

New Metasploit modules for GL.iNet router brute-force+RCE and Barracuda ESG XLS RCE, a macOS infostealer tradecraft bundle with concrete C2/contact endpoints, and a new Nuclei template capturing an EKC Tournament Manager WordPress traversal pattern.

Cyber Threat Brief — February 28, 2026

Saturday, February 28, 2026

APT37's Ruby Jumper air-gap bridging toolkit, new Prosperous Werewolf (Trinper/LeetAgent) YARA artifacts, and an MCP indirect prompt injection PoC enabling unauthorized filesystem access.

Cyber Threat Brief - February 27, 2026

Friday, February 27, 2026

Daily threat intelligence for detection engineers: ICS/HVAC vulnerabilities, gaming trojan campaign, OpenClaw security bypass.

Cyber Threat Brief — February 26, 2026

Thursday, February 26, 2026

Cisco SD-WAN CVSS 10.0 zero-day exploited since 2023 gets CISA Emergency Directive; Google/Mandiant disrupt Chinese APT using Google Sheets as C2; Steaelite RAT unifies double extortion in one panel; Windows CLFS PoC drops.

Cyber Threat Brief — February 25, 2026

Wednesday, February 25, 2026

FileZen KEV exploitation, SolarWinds Serv-U 4-CVE RCE cluster, Lazarus/Medusa healthcare extortion, VMware Aria Operations RCE, and the IBM X-Force + Sophos intelligence drops.

Cyber Threat Brief — February 24, 2026

Tuesday, February 24, 2026

CrowdStrike GTR 2026, ClickFix + Matanbuchus 3.0 + AstarionRAT pre-ransomware chain, Silver Fox/ValleyRAT via fake AV site, APT28 Operation MacroMaze, seven MCP server RCEs, Dragos OT 2026 report, and Apache ActiveMQ → LockBit intrusion analysis.

Cyber Threat Brief — February 23, 2026

Monday, February 23, 2026

SANDWORM_MODE npm supply chain worm poisons AI coding assistants; MuddyWater launches Operation Olalampo with new Rust backdoor; SolarWinds Web Help Desk RCE hits CISA KEV.

Cyber Threat Brief — February 22, 2026

Sunday, February 22, 2026

AI-augmented FortiGate campaign, Sentry SAML zero-day, Phobos affiliate arrest, USB air-gap cryptominer, and D-Link RCE cluster with public exploits.

Cyber Threat Brief — February 21, 2026

Saturday, February 21, 2026

CISA adds two actively exploited Roundcube webmail vulnerabilities to KEV catalog, including a 10-year-old deserialization RCE weaponized within 48 hours and an SVG-based XSS flaw.

Cyber Threat Brief — February 20, 2026

Friday, February 20, 2026

BeyondTrust exploitation update with VShell/SparkRAT, VS Code extension vulnerabilities affecting 128M downloads, Cline AI supply chain attack, Remcos RAT real-time surveillance, and ClearFake/PS1Bot detection opportunities.

Cyber Threat Brief — February 19, 2026

Thursday, February 19, 2026

VoIP RCE with Metasploit exploit, Dell RecoverPoint zero-day exploited by China-nexus UNC6201, Keenadu Android supply chain backdoor, CRESCENTHARVEST Iranian espionage, and DPRK MetaMask wallet tampering.

Threat Brief - 2026-02-18

Wednesday, February 18, 2026

Dell RecoverPoint zero-day exploited since 2024, CISA adds 4 KEVs, AI assistants weaponized as C2 proxies, Ivanti EPMM exploitation expands.

Threat Brief - 2026-02-17

Tuesday, February 17, 2026

BridgePay ransomware disrupts US municipalities, Odido breach exposes 6.2M, Phobos ransomware arrest in Poland.

Threat Brief - 2026-02-16

Monday, February 16, 2026

Chrome zero-day under active exploitation, infostealers now targeting AI agent configurations, and malware campaigns weaponizing Google Groups.

Threat Brief - 2026-02-15

Sunday, February 15, 2026

DNS-based ClickFix delivers stealers via nslookup; CANFAIL malware targets Ukraine; macOS MacSync stealer via Claude artifacts.

Threat Brief - 2026-02-14

Saturday, February 14, 2026

BeyondTrust post-exploitation TTPs revealed; Microsoft patches 6 zero-days; Ivanti EPMM under attack; Lazarus poisons npm/PyPI; AgreeToSteal Outlook add-in.

Threat Brief - 2026-02-13

Friday, February 13, 2026

BeyondTrust pre-auth RCE with public PoC, Notepad++ supply chain, Windows Notepad markdown RCE, Warlock ransomware via SmarterMail, Apple dyld zero-day.

17 briefs total