Raw Cyber Security Intel
No sugar coating. No corporate jargon. Just real attack breakdowns, threat analysis, and the security knowledge you need to stop getting owned.
Briefings
PRT-Scan and the Five-Year Window: How AI Weaponized a Vulnerability GitHub Refused to Kill
The prt-scan campaign did not discover a new vulnerability. It automated a five-year-old one that survived three major incidents, a platform patch, and thousands of public warnings. Tracing pull_request_target from a $200 HackerOne report through tj-actions, Trivy, and hackerbot-claw to AI-weaponized mass exploitation.
Schools Under Siege: From Student Hackers to State-Sponsored Ransomware, Why Education Is Cybersecurity's Softest Target
Schools face cyberattacks from every direction: students launching DDoS attacks from their phones, ransomware gangs stealing millions of student records, and AI lowering the barrier for all of them. From the Northern Ireland C2K shutdown to the PowerSchool mega-breach, education is failing at cybersecurity fundamentals.
CVE-2026-5281: The Chrome Zero-Day That Targets the GPU Boundary
CVE-2026-5281 is not a simple browse-and-own vulnerability. It is an actively exploited use-after-free in Chrome's Dawn WebGPU layer that requires a prior renderer compromise, making it a second-stage chain link targeting the GPU process boundary.
Adobe BPO Breach: Five Technical Controls That Failed and How Defenders Can Fix Them
A threat actor called Mr. Raccoon allegedly exfiltrated 13 million support tickets, 15,000 employee records, and all HackerOne bug bounty submissions — not by hacking Adobe directly, but through a single compromised BPO contractor. No zero-days. No exotic malware. Five preventable control failures.
CVE-2026-20963: SharePoint Deserialization Flaw Now Under Active Exploitation
A critical deserialization vulnerability in on-premises Microsoft SharePoint Server sat quietly in January's Patch Tuesday bundle for two months before CISA confirmed active exploitation. Federal agencies were given 72 hours to patch. Many organizations still haven't.
When Hackers Claim a Breach: The Complex Reality Behind Stolen Data Announcements
A threat actor posts on an underground forum claiming hundreds of thousands of stolen records. The cybersecurity press picks it up. But behind every breach claim lies a tangled reality where verification is painstaking, fabrication is routine, and recycled data is everywhere.
CISA Adds Three Actively Exploited Flaws to KEV: SolarWinds, Ivanti, and Workspace ONE Under Fire
CISA added three actively exploited vulnerabilities to its KEV catalog on March 9, 2026: a critical RCE in SolarWinds Web Help Desk, an authentication bypass in Ivanti Endpoint Manager, and a years-old SSRF flaw in Omnissa Workspace ONE UEM. Federal agencies face hard patch deadlines.
The CyberGuardian Blueprint: A Practitioner's Framework for Building Real Cyber Defense
A structured, practitioner-built framework for building personal and organizational cyber defense from the ground up — covering identity hardening, network segmentation, threat visibility, and incident readiness with verifiable sources and actionable steps.
What Is MAPP? Microsoft's Vulnerability Early Warning Program Explained
MAPP shares Microsoft vulnerability data with security vendors before Patch Tuesday. How it works, who qualifies, and what the 2025 ToolShell attacks changed.
React2Shell and DPRK: How North Korea Used a CVSS 10.0 Flaw to Raid Crypto Infrastructure
React2Shell (CVE-2025-55182) gave North Korea a master key to crypto infrastructure. How DPRK-linked actors exploited the CVSS 10.0 RCE, bypassed WAFs, and pillaged AWS environments to steal source code, Docker images, and private keys.
SAP March 2026 Patch Day: A Seven-Year-Old Log4j Flaw Gets Its First Fix
SAP's March 2026 Security Patch Day delivers 20 security notes including two critical remote code execution vulnerabilities — one rooted in a seven-year-old Apache Log4j flaw that SAP is only now patching in its insurance quoting platform.
Cut the Bridge, Kill the Botnet: Why Articulation-Point Poisoning Is the Takedown Method Defenders Haven't Deployed
Graph theory identified a surgical method for fragmenting P2P botnets — targeting articulation points whose removal partitions the network. Here is why every major takedown has ignored it, and what happens when Volt Typhoon rebuilds in hours.
Endpoint Telemetry Is the Evidence Layer Behind Every MITRE ATT&CK Technique
SIEMs have detection logic for only 21% of ATT&CK techniques despite having the telemetry to cover 90%+. ATT&CK v18 replaced Data Sources with Detection Strategies and 1,700+ Analytics. Here is what that means for your sensor architecture.
Attacker Playbooks: How Threat Actors Operate in 2026
Ransomware affiliate chains, ClickFix at 47% of initial compromises, 29-minute breakout times, LOTL tradecraft, supply chain cascades, and the CaaS democratization problem — sourced from CrowdStrike, IBM X-Force, Rapid7, Picus, Chainalysis, and CISA.
SSH Hijacking: How Attackers Ride Trusted Sessions Into Your Infrastructure
Agent forwarding abuse, ControlMaster socket takeover, and authorized_keys manipulation. No exploits. No anomalous traffic. Used by Lazarus Group and SUNBURST in documented intrusions.
Operation Leak: How the FBI and Europol Dismantled LeakBase — and What It Means for the Cybercrime Ecosystem
14 countries. 13 arrests. 142,000 member accounts, 215,000 private messages, and years of IP logs secured as evidence. The forum was back on a new domain within days.
How Defenders Actually Use Shadowserver's Data Feeds
42 full IPv4 scans per day. 90+ report types. One of the largest sinkhole networks ever operated. Here is what practitioners actually do with it — and where it has proved operationally decisive.
Attackers Weaponize Deno Runtime to Deploy CastleRAT in Memory
The first documented case of attackers abusing the Deno JavaScript runtime as a malware execution framework. Payload encrypted inside a JPEG. Injected directly into memory. Never touches disk. Traditional AV never sees it.
Three CVEs. One Proxy. Every Pingora Deployment That Hasn't Upgraded Is Compromised.
CVE-2026-2833, CVE-2026-2835, and CVE-2026-2836 hit Cloudflare's Pingora framework with CVSS scores up to 9.3. Request smuggling that bypasses WAFs and ACLs entirely. A cache poisoning flaw that requires no smuggling at all.
Coruna: The Exploit Kit That Turned iPhones Into ATMs for Cybercriminals
23 exploits. Five chains. Zero clicks. Nation-state surveillance capability leaked to Chinese cybercriminals in under a year. Researchers call it the first confirmed mass exploitation of iOS devices ever documented — and the EternalBlue moment for mobile.
Mail2Shell: The Zero-Click Exploit That Turns FreeScout Help Desks Into Attack Weapons
A single email. No clicks. No login. CVE-2026-28289 is a maximum-severity patch bypass in FreeScout granting full RCE. Version 1.8.206 — released specifically to fix this class of attack — is still fully vulnerable.
Inside the TriZetto Breach: How Attackers Spent Nearly a Year Inside Healthcare Infrastructure Serving 200 Million Americans
An unauthorized actor walked into Cognizant's TriZetto systems in November 2024, stayed for eleven months undetected, and walked out with data on 3,433,965 people. Social Security numbers. Medicare identifiers. Insurance records. Nobody noticed.
CVE-2026-3094: When a File Becomes a Weapon — Inside the Delta Electronics CNCSoft-G2 Vulnerability
A specially crafted DPAX project file. An engineer who opens it. A CNC machine on a production floor that moves metal. CVE-2026-3094 turns a routine industrial workflow into an attack vector. AZURITE, with confirmed Flax Typhoon overlaps, is documented to rapidly weaponize public PoCs against exactly this class of target.
The Password Is the Vulnerability: How Identity-Based Attacks Became the Dominant Threat of Our Time
Unit 42's 2026 Global Incident Response Report: 65% of intrusions rode on identity abuse, attackers reached exfiltration in 72 minutes, and encryption is decoupling from extortion. The perimeter hasn't moved. It has dissolved.
The EV Charging Grid Has No Front Door: Inside the Everon OCPP Vulnerabilities
Zero authentication on WebSocket endpoints means anyone can impersonate a charger, hijack sessions, and command the grid. CISA published eight nearly identical advisories in two weeks. The industry built this way on purpose.
When Your Competitor Becomes Your Attacker: The Infloww vs. OnlyMonster Cyber Espionage Case
A competitor didn't just copy Infloww's product — they allegedly broke into its servers and stole the playbook. The UK Commercial Court just said that is not a gray area.
Teaching AI to Hunt APTs by Feeding It Fake Ones
When real APT traffic is too rare to train on, researchers are fabricating it. The ET-SDG framework uses conditional GANs and Transformer feature learning to manufacture synthetic attack data — and the results are better than they should be.
MITRE Just Gave ATT&CK a Board of Directors — And It's About Time
After more than a decade of near-unilateral stewardship, MITRE stood up a formal advisory council to help steer the world's most widely adopted adversary knowledge base. The cybersecurity press gave it a paragraph or two. It deserves a lot more than that.
The Com Isn't a Hacker Group. It's a Generation.
They started by stealing usernames. They ended up classified as terrorists. Project Compass just made 30 arrests across 28 countries — and the network is still fully operational.
The AI Panel That Forgot It Was Part of the Browser: CVE-2026-0628 and the Privilege Problem Nobody Planned For
A low-permission Chrome extension could hijack the Gemini panel and inherit camera, microphone, and local file access. CVSS 8.8. Found within five weeks of general availability.
Patched in 2023. Weaponized Anyway. CVE-2023-43000 Is Now on CISA's KEV Catalog.
A use-after-free flaw in Apple's WebKit sat quietly exploited for over two years before Google's Threat Intelligence Group exposed it as a live weapon. CVE-2023-43000 is a confirmed component of the Coruna iOS exploit kit. CISA added it to the KEV catalog on March 5, 2026.
The Espionage Fails That Exposed It All: SloppyLemming's Year-Long Infiltration of South Asian Government Networks
A threat actor tracked as SloppyLemming spent an entire year quietly burrowing into Pakistan and Bangladesh's government, military, and telecom infrastructure — and left enough mistakes behind to reconstruct the whole operation.
You Can't Ban Your Way Out of the AI Browser Problem
Enterprises blocking ChatGPT are pushing employees to browser-native models and shadow AI tools IT can't see. The threat isn't the apps you know about — it's the ones you don't.
APT37's Ruby Jumper: The Air-Gap Attack That Hid Inside Legitimate Software for Two Years
North Korea's APT37 planted a persistent implant inside a legitimate South Korean software update pipeline. Ruby Jumper sat undetected in air-gapped environments for over two years before exfiltrating classified documents.
AI Agents Are the Identity Dark Matter Your IAM Can't See
Enterprises are deploying AI agents that authenticate, authorize, and act autonomously — but their identities exist outside every IAM system. No MFA. No audit trail. No deprovisioning workflow. They are the largest unmanaged identity surface in the enterprise.
The Ocean Is the New Attack Surface: How AI Is Turning Ships Into Targets
Maritime cyber incidents doubled in 2025. A single supply chain intrusion took 116 Iranian tankers offline. Deepfake audio cloned a CFO's voice and walked away with $25 million. AI has collapsed the exploit window to under 48 hours.
Diesel Vortex: How a Cybercrime Syndicate Turned America's Supply Chain Into a Phishing Goldmine
An Armenian-speaking, Russian-linked criminal group spent five months targeting freight brokers, trucking companies, and fleet operators. 52 phishing domains. 1,649 stolen accounts. A PhaaS platform ready to sell.
SANDWORM_MODE: The npm Worm That Turns Your AI Coding Assistant Into a Spy
19 malicious npm packages weaponized AI coding assistants by silently injecting rogue MCP servers into their configurations. Cursor, Claude Code, and Windsurf turned into unwitting data exfiltration agents.
Critical SCADA Vulnerabilities in Russian-Made MasterSCADA Platform Leave Global Infrastructure Exposed
Two CVSS 9.8 flaws in InSAT's MasterSCADA BUK-TS: unauthenticated SQL injection and OS command injection. CISA disclosed them. The vendor went silent. No patch, no workaround, no timeline.
When Valentine's Day Turns Hostile: UFP Technologies Ransomware Attack Exposes the Medical Device Industry's Growing Cyber Crisis
Hackers hit Massachusetts-based medical device manufacturer UFP Technologies on February 14, stealing corporate data and destroying systems. The fourth publicly traded medical device company breached in 18 months.
LockBit Is Dead, Long Live LockBit: How Ransomware Gangs Rebrand and Why It Doesn't Matter
Operation Cronos seized LockBit's infrastructure and unmasked its leader. The gang relaunched within a week. LockBit 5.0 is already hitting targets. Here's why ransomware takedowns fail to stick.
Silver Fox APT: Inside the Stealth Campaign Exploiting DLL Sideloading, BYOVD, and Trusted Software Against Taiwan and Beyond
A China-based APT weaponizing signed kernel drivers, trojanized tax software, and medical imaging apps. From phishing to kernel control in one silent chain. Taiwan is ground zero, but the group's reach is going global.
Under Attack: How Veeam Backup Servers Became the Most Dangerous Target in Enterprise Cybersecurity
Two critical Veeam CVEs weaponized by Akira, Fog, and Frag ransomware. A Chinese state-sponsored group exploiting a Dell RecoverPoint zero-day undetected for over a year. Backup infrastructure is now the primary objective.
Who's Verifying the Verifiers? The KYC Industry's Billion-Record Blind Spot
IDMerit, a KYC vendor used by banks and fintech companies across 180+ countries, was found with a fully exposed MongoDB instance containing over a terabyte of verified identity data. One billion records. Twenty-six countries. No authentication.
Your Security Camera Is Watching You Get Owned: CVE-2026-1670 in Honeywell CCTV Systems
CVE-2026-1670 is a CVSS 9.8 authentication bypass in Honeywell CCTV systems that lets unauthenticated attackers take full account control — and pivot into the networks these cameras are supposed to protect.
CVE-2026-20841: One Markdown Link in Notepad and Your Machine Is Owned
Windows Notepad's new Markdown engine passes crafted links straight to ShellExecuteExW with no protocol filtering. One Ctrl+click on a .md file gives attackers code execution in your user context. CVSS 8.8. PoC is public.
Your Defenders Are Playing Checkers. The AI Is Playing 4D Chess.
AI hasn't just made attacks faster. CrowdStrike's 2026 report shows breakout time has dropped to 29 minutes average, 27 seconds fastest, and 82% of attacks now use zero malware.
The Ransomware Kill Chain in 2026: From Phish to Full Encryption in Under 4 Hours
Average time-to-ransom rose to 20 hours in 2025 as ransomware groups shifted to low-and-slow tactics. The fastest gangs still do it in six. A Unit 42 AI simulation completed a full attack chain in 25 minutes.
PromptSpy: The First Android Malware Weaponizing Generative AI at Runtime — Full Attack Breakdown
ESET researchers have uncovered the first Android malware to plug a generative AI model directly into its execution flow. PromptSpy uses Google's Gemini to read the screen, figure out what to tap, and keep itself alive across any device.
Broken Access Control Owns Everything: Why OWASP's #1 Vulnerability Still Wrecks Apps in 2026
For two consecutive OWASP releases, Broken Access Control has held the number one spot. The 2021 data showed 100% of tested applications had some form of it.
Four CVEs, Two Emergency Patches, Seven Days: Chrome's February 2026 Security Crisis
A zero-day already burning in the wild. Two high-severity memory bugs in PDFium and V8. Two emergency patch events in seven days is not normal.
A Developer Left Admin Credentials in the Code. China Had Root for 18 Months.
CVE-2026-22769. CVSS 10.0. A hardcoded admin password gave Chinese APT group UNC6201 root-level access to enterprise backup infrastructure since mid-2024.
Medusa Ransomware Is Eating Healthcare Alive: Inside the Gang That Doesn't Negotiate
Over 500 organizations hit since January 2026. Triple extortion. Million-dollar demands. Medusa is systematically targeting hospitals with a RaaS model that keeps patient safety off the table entirely.
SSRF Is the Cloud Killer Nobody Patches
Server-Side Request Forgery handed attackers Capital One's 100 million records and a direct line to AWS metadata endpoints. One unvalidated URL parameter.
That API Key in Your Frontend? Attackers Found It Before Your Code Review Did
Over 13 million secrets in public GitHub repos. 3,000 production websites leaking keys through client-side JavaScript. Bots harvesting within five minutes.
Your SSO Is the Skeleton Key: How ShinyHunters Are Weaponizing Okta to Own Entire Enterprises
The SLSH alliance is calling your employees, spoofing your IT helpdesk number, and talking them through a phishing flow that defeats push MFA, OTP, and number matching in real time. 100+ enterprises targeted.
Hacked, Held Hostage, and Helpless: Why Your City Government Is a Sitting Duck
525 ransomware attacks on U.S. government entities since 2018. $1.09 billion in downtime. The pattern is always the same: underfunded IT and months of undetected access.
192 Poisoned Packages, One Fake Job Offer: Inside Lazarus Group's Graphalgo Campaign
North Korea's Lazarus Group ran a nine-month operation planting 192 malicious packages across npm and PyPI behind fake crypto job offers.
CVE-2026-1281: How a Single Bash Bug in Ivanti EPMM Handed Government Networks to a Bulletproof-Hosted Attacker
A pre-auth RCE in Ivanti's MDM platform. CVSS 9.8. One GET request. Government networks in the Netherlands, Finland, and the EU already breached.
How AsyncRAT Went Open Source and Became Everyone's Favorite Backdoor
Posted to GitHub in 2019 as a "legitimate remote admin tool." Now the 2nd most active malware family globally with 40+ forks and nation-state operators.
MCP Was Supposed to Be AI's USB-C Port. It's Actually AI's Biggest Attack Surface.
RCE in Anthropic's own reference servers. SQL injection copied into thousands of deployments. 7,000 MCP servers exposed on the open internet.
Qilin Ate the Ransomware Throne: Inside the Gang That Outpaced LockBit and Left a Body Count
A 578% spike in victims. A confirmed patient death. 31.2 petabytes of stolen data. Qilin absorbed every major gang's affiliates.
6 Zero-Days, All Exploited: Microsoft's February 2026 Patch Tuesday Is a Five-Alarm Fire
Microsoft just dropped patches for 6 zero-days already being exploited in the wild. From Windows Shell bypasses to RDP privilege escalation.
Your Passwords Are Already Stolen: Defending Against the Infostealer Epidemic
Infostealers siphoned 1.8 billion credentials in the first half of 2025. Your MFA won't save you if attackers steal your session cookies.
"Linux Is Secure" Is Getting People Owned: VoidLink and the New Era of Cloud-Native Malware
An AI-assisted developer built an 88,000-line Linux malware framework in weeks. VoidLink, React2Shell, and a wave of cloud-native ELF malware prove that "Linux is secure" is a dangerous myth.