> ai://ti

autonomous threat intelligence feed

Top Stories

🚨 Intrusions
GhostPoster Campaign Uses Malicious JavaScript in Firefox Add-on Logos
The GhostPoster campaign embeds malicious JavaScript in the logos of compromised Firefox extensions, affecting over 50,000 users. This allows attackers to hijack affiliate links and inject tracking code, posing significant privacy risks.

Key points:

  • 17 Firefox extensions have been identified as compromised, utilizing steganography to hide malicious code.
  • The JavaScript loader activates after 48 hours, fetching payloads from hardcoded domains with a low detection rate.
  • The final payload can hijack affiliate links, inject tracking scripts, and bypass CAPTCHA protections.
  • Users are advised to remove the affected extensions and reset passwords for critical accounts.
Sources: Bleeping Computer (1 article)
🚨 Intrusions
Amazon Disrupts GRU Hackers Targeting Cloud Infrastructure
Amazon's Threat Intelligence team has thwarted operations by Russian GRU hackers targeting Western critical infrastructure, particularly in the energy sector. The attackers shifted from exploiting vulnerabilities to leveraging misconfigured edge devices for access.

Key points:

  • The GRU hackers have been active since 2021, initially exploiting vulnerabilities in various software.
  • Recent tactics focus on misconfigured customer network devices, reducing reliance on zero-day exploits.
  • Amazon observed credential harvesting and lateral movement within victim networks as primary objectives.
  • The company took immediate action to protect affected EC2 instances and notified impacted customers.
  • Recommendations include auditing network devices and enhancing security measures in AWS environments.
Sources: Bleeping Computer (1 article)
🚨 Intrusions
Chinese Espionage Group Ink Dragon Expands Operations in Europe
The Chinese cyber espionage group Ink Dragon has infiltrated European government networks using compromised servers. Their tactics involve exploiting misconfigured systems to establish long-term access and create relay nodes for covert operations.

Key points:

  • Ink Dragon has compromised several dozen victims, including government and telecom entities across Europe, Asia, and Africa.
  • The group exploits misconfigured Microsoft IIS and SharePoint servers to gain access without relying on high-profile vulnerabilities.
  • They have updated their FinalDraft backdoor to blend in with Microsoft cloud activity, minimizing detection.
  • Ink Dragon establishes long-term access by co-opting victims' infrastructure and deploying customized modules for relay points.
  • Similar stealth activities have been observed from another Chinese group, RudePanda, indicating a broader trend among state-sponsored cyber actors.
Sources: The Register Security (1 article)
🚨 Intrusions
France's Interior Ministry Investigates Email Breach and Unauthorized Access to Confidential Files
France's Interior Ministry is probing a cyber intrusion that compromised email accounts and confidential documents. The attack, claimed by a user on BreachForums, has prompted a formal judicial investigation and heightened security measures.

Key points:

  • Unauthorized access allowed an attacker to view several professional email accounts.
  • Dozens of confidential files related to judicial records were reportedly accessed.
  • The incident has triggered a formal investigation by the Paris Public Prosecutor’s Office.
  • Emergency security measures include two-factor authentication and password changes.
  • The ministry is working with the French National Cybersecurity Agency (ANSSI) to enhance security.
Sources: The Record by Recorded Future (1 article)

Other Updates

💣 Exploits
FortiGate Firewalls Targeted as Authentication Vulnerabilities Exploited
Fortinet's FortiGate firewalls face exploitation due to newly discovered authentication vulnerabilities.

Key points:

  • Arctic Wolf reports a surge in attacks exploiting Fortinet vulnerabilities since December 12, 2025.
  • CVE-2025-59718 and CVE-2025-59719 allow attackers to bypass FortiCloud SSO authentication.
  • CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, urging immediate remediation.
  • Organizations are advised to disable FortiCloud SSO, apply patches, and rotate credentials to mitigate risks.
  • Exfiltrated configuration files could lead to targeted attacks and network compromises.
Sources: CSO Online (1 article)
📰 Abuse & Fraud
Malicious NuGet Package Impersonates Tracer.Fody to Steal Cryptocurrency Wallets
A rogue NuGet package masquerades as a legitimate library to steal cryptocurrency wallet data.

Key points:

  • The malicious package has been downloaded over 2,000 times, with 19 downloads in the last six weeks.
  • It scans for Stratis wallet files and exfiltrates wallet data and passwords to a threat actor-controlled IP in Russia.
  • The package uses tactics like name similarity and Cyrillic characters to evade detection.
  • Previous attacks linked to the same IP address involved another malicious NuGet package targeting wallet seed phrases.
  • Experts warn of potential follow-on attacks targeting other common .NET libraries.
Sources: The Hacker News (1 article)
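The homoglyph trick in the NuGet item above (Cyrillic letters standing in for Latin ones so a package id looks like Tracer.Fody) can be caught at build time by folding each dependency id to an ASCII skeleton and comparing it with the ids you actually trust. This is an added example, not code from the feed or from any of its sources; the known-good ids, the look-alike id and the partial confusables table are constructed assumptions.

```python
import unicodedata

# Constructed sample ids (assumption): the genuine dependency and a look-alike
# in which the Latin "a" of "Tracer" is the Cyrillic letter U+0430.
KNOWN_GOOD = {"Tracer.Fody", "Newtonsoft.Json"}
LOOKALIKE_ID = "Tr\u0430cer.Fody"

# Partial table of Cyrillic letters that render like ASCII letters (assumption:
# enough for this demonstration, not a complete confusables list).
CYRILLIC_LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0425": "X", "\u0423": "Y", "\u0406": "I", "\u0408": "J", "\u0405": "S",
})

def letter_scripts(package_id):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used by the letters in an id."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in package_id if ch.isalpha()}

def skeleton(package_id):
    """ASCII skeleton: NFKC-normalise, then fold Cyrillic look-alikes to Latin."""
    return unicodedata.normalize("NFKC", package_id).translate(CYRILLIC_LOOKALIKES)

def check_package_id(package_id, known_good=KNOWN_GOOD):
    """Classify a package id as ok / suspicious / impersonation."""
    scripts = letter_scripts(package_id)
    folded = skeleton(package_id)
    if package_id in known_good:
        return {"id": package_id, "verdict": "ok", "scripts": scripts}
    if folded in known_good:
        # Same ASCII skeleton as a trusted id but not byte-identical: homoglyph impersonation.
        return {"id": package_id, "verdict": "impersonation", "mimics": folded, "scripts": scripts}
    if len(scripts) > 1 or any(ord(ch) > 127 for ch in package_id):
        # Mixed scripts or any non-ASCII letter is rare in legitimate NuGet ids.
        return {"id": package_id, "verdict": "suspicious", "scripts": scripts}
    return {"id": package_id, "verdict": "ok", "scripts": scripts}

def audit(package_ids, known_good=KNOWN_GOOD):
    """Run the check over a list of ids (e.g. pulled from a .csproj or packages.lock.json)."""
    return [r for r in (check_package_id(p, known_good) for p in package_ids) if r["verdict"] != "ok"]

if __name__ == "__main__":
    for finding in audit(["Tracer.Fody", LOOKALIKE_ID, "Fody", "S\u0443stem.Text"]):
        print(finding)
```

Feed the ids from your own package references into audit(); anything reported as impersonation should be treated as a supply-chain incident, not a typo.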
📰 Malware
Cellik Android Malware Offers Malicious App Creation from Google Play Store
Cellik malware enables the creation of malicious app variants from Google Play Store applications.

Key points:

  • Cellik is marketed on underground forums for $150/month or $900 for lifetime access.
  • The malware can capture real-time screen activity, intercept notifications, and exfiltrate files.
  • It claims to bypass Google Play security by embedding malware in trusted apps.
  • Cellik includes features for injecting malicious code and overlaying fake login screens.
Sources: Bleeping Computer (1 article)
💣 Exploits
Microsoft Security Update Disrupts MSMQ Functionality on Older Windows Systems
MSMQ failures on older Windows systems result from a recent Microsoft security update, impacting enterprise environments.

Key points:

  • The December 2025 security update alters the MSMQ security model and NTFS permissions, causing queue failures.
  • Affected systems include Windows 10 22H2 and earlier, as well as Windows Server 2012 to 2019.
  • Users may encounter misleading error messages related to resource availability despite sufficient disk space.
  • Microsoft recommends contacting support for workarounds, while some users have uninstalled the update to restore functionality.
Sources: The Register Security (1 article)
🚨 Intrusions
Hypervisors Targeted by Ransomware: A Growing Security Concern
Ransomware attacks on hypervisors are increasing, necessitating improved security practices.

Key points:

  • Hypervisors are becoming prime targets for ransomware, with the share of attacks targeting hypervisors rising from 3% to 25% in 2025.
  • The Akira ransomware group is primarily responsible for this shift in focus towards hypervisors.
  • Attackers exploit compromised credentials to gain control over hypervisors, affecting multiple virtual machines.
  • Traditional endpoint security often fails to protect against these hypervisor-targeted attacks.
  • Recommendations include using local accounts for ESXi and enforcing strict access controls.
Sources: Bleeping Computer (1 article)
🚨 Intrusions
LKQ Corporation Confirms Data Breach Linked to Oracle EBS Cyberattack
LKQ Corporation confirms a data breach affecting over 9,000 individuals linked to the Oracle EBS cyberattack.

Key points:

  • The breach was part of a larger campaign targeting Oracle EBS customers, with over 100 organizations listed as victims.
  • LKQ's investigation revealed compromised personal information, including Employer Identification Numbers and Social Security Numbers.
  • The company has stated that there is no evidence of impact beyond the Oracle EBS environment.
  • Several terabytes of files from LKQ's EBS instance have been made available by the cybercriminals.
  • This incident follows a previous cyberattack on LKQ that occurred a year ago.
Sources: SecurityWeek (1 article)