Threat alerts
Stay informed about the latest threats and vulnerabilities
Threat alert
April 8, 2026
Qilin Ransomware Group
The Qilin ransomware group has recently emerged as one of the most active ransomware operations, executing highly sophisticated campaigns that leverage the "Bring Your Own Vulnerable Driver" (BYOVD) technique. This method is used to systematically disable or bypass endpoint detection and response (EDR) solutions. By side-loading a malicious dynamic-link library (DLL) named msimg32.dll, Qilin initiates a complex, multi-stage infection chain capable of blinding and terminating over 300 different EDR drivers from nearly every security vendor on the market. The group typically gains initial access via stolen credentials and operates methodically, deploying the ransomware payload an average of six days after the initial compromise to maximise impact.
Threat alert
March 31, 2026
Axios Supply Chain Attack
A highly critical supply chain attack was identified targeting the axios npm package, a widely utilised HTTP client library. The attack involved the hijack of a lead maintainer's npm account, which was subsequently used to publish malicious versions of the library. These poisoned releases bypassed established GitHub Actions and CI/CD pipelines, and injected a hidden dependency designed to drop a cross-platform Remote Access Trojan (RAT).
April 7, 2026
Threat alert
March 26, 2026
Citrix NetScaler Vulnerabilities CVE-2026-3055 & CVE-2026-4368
A critical out-of-bounds (OOB) read vulnerability, identified as CVE-2026-3055, has been discovered in Citrix NetScaler ADC and NetScaler Gateway. The vulnerability allows unauthenticated attackers to remotely siphon sensitive data directly from the appliance's memory. A sibling vulnerability (CVE-2026-4368) was also identified, which can cause "session mixup," allowing low-privilege users to hijack high-privilege sessions.
April 7, 2026
Threat alert
March 18, 2026
Storm-2561: Fake VPN Client Campaign
Active since May 2025, the financially motivated cybercriminal group Storm-2561 has been utilising Search Engine Optimisation (SEO) poisoning to distribute counterfeit Virtual Private Network (VPN) clients. The campaign redirects users who are searching for legitimate enterprise VPN software to attacker-controlled websites. This leads to the deployment of digitally signed trojans that masquerade as trusted VPN clients, ultimately designed to harvest sensitive VPN credentials.
Threat alert
March 13, 2026
Threat Actor: Handala Hack (Void Manticore)
Unlike traditional state-sponsored espionage actors who remain dormant to ensure long-term intelligence collection, Handala's operational doctrine is defined by a rapid "disrupt, leak, and amplify" lifecycle. The group prioritises immediate visibility, psychological warfare, and the maximisation of organisational and reputational damage.
Threat alert
February 26, 2026
CVE-2026-20127: Critical Cisco Catalyst SD-WAN Zero Day Vulnerability
CVE-2026-20127 is a critical authentication bypass vulnerability (CVSS Base Score: 10.0) affecting the Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The vulnerability has been exploited in the wild as a zero-day since at least 2023 by a highly sophisticated threat actor tracked by Cisco Talos as UAT-8616. This flaw allows an unauthenticated, remote attacker to bypass authentication mechanisms and obtain high-level administrative privileges on affected systems.
March 13, 2026
Threat alert
February 18, 2026
CVE-2026-22769: UNC6201 Exploitation of Dell RecoverPoint for Virtual Machines Zero-Day
Exploitation of CVE-2026-22769, a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines (CVSS 10.0), represents a tactical pivot by the PRC-nexus threat cluster UNC6201. As organisations strengthen traditional endpoint defences, this actor has redirected focus toward the "security blind spots" of enterprise infrastructure, providing a quiet environment for high-fidelity espionage.
February 20, 2026
Threat alert
February 13, 2026
CVE-2026-1731: Pre-Authentication Command Injection in BeyondTrust Remote Support and Privileged Remote Access
The disclosure of CVE-2026-1731 marks a significant escalation in the exploitation of unauthenticated remote code execution (RCE) vulnerabilities within enterprise-tier management consoles. The flaw resides in a Java-based deserialisation engine where the absence of a look-ahead object filter allows attackers to inject malicious serialised payloads via the administrative API.
February 16, 2026
Threat alert
February 3, 2026
Notepad++ Supply Chain Compromise (Chrysalis Backdoor)
A coordinated investigation has revealed that the official update infrastructure for Notepad++ was compromised by the state-linked threat actor Lotus Blossom. Between June and December 2025, attackers hijacked the application's update mechanism to deliver a previously undocumented backdoor, identified as Chrysalis, to selected targets. The compromise involved the breach of a hosting provider to redirect update traffic, rather than the alteration of the Notepad++ source code itself.