CybrPulse

Three CVEs, One Bad Week: Cisco FMC Zero-Day, SharePoint Exploited, ScreenConnect at Risk

Three critical vulnerabilities are demanding your attention this weekend. One was exploited by ransomware operators before Cisco even issued a patch. Another just landed on CISA's Known Exploited Vulnerabilities list. The third leaves ScreenConnect servers open to session hijacking right now, if you haven't updated. This

22 Mar 2026

APT28 Is Back — And This Time They're Hiding Behind Your Cloud Storage

ESET dropped a deep-dive this week that should be mandatory reading for anyone tracking Russian state-sponsored activity. Sednit — also known as APT28, Fancy Bear, and Forest Blizzard, operated by GRU Unit 26165 — has reactivated its advanced implant development team after what looked like a quiet stretch. The tooling is new.

21 Mar 2026

APT28 Is Back With New Implants and Your Cloud Storage Is the C2

APT28 went quiet on custom malware for a few years. Security teams moved on. That was the point. ESET published research this week documenting the full reactivation of Sednit's advanced implant development team — the same crew behind Xagent, Xtunnel, and the 2016 DNC hack. They've been

21 Mar 2026

CVE-2026-33017: Attackers Hit Langflow Within 20 Hours — Your AI Infrastructure Is the Target

If you're running Langflow in your environment, stop reading this and go patch. Then come back. CVE-2026-33017, a critical unauthenticated remote code execution flaw in the Langflow AI framework, dropped a patch on March 17. By March 18 — roughly 20 hours later — attackers were already exploiting it. Sysdig

20 Mar 2026

AI Malware Development Is No Longer Experimental — It’s Operational

Somewhere in the first six weeks of 2026, a single threat actor built a Linux malware framework from scratch. 88,000 lines of code. eBPF rootkit, LKM rootkit, 30+

20 Mar 2026

Interlock Ransomware Has Been Inside Your Cisco Firewall Since January

Interlock ransomware has been quietly exploiting a CVSS 10 zero-day in Cisco's Secure Firewall Management Center since January 26. That's nearly two months of active exploitation before most defenders had any idea the

19 Mar 2026

Interlock Ransomware Has Been Exploiting a CVSS 10.0 Cisco Firewall Zero-Day Since January

If you're running Cisco Secure Firewall Management Center, stop reading this and go patch. Then come back. CVE-2026-20131 is a perfect-score vulnerability — CVSS 10.0 — in Cisco's Firewall Management Center (FMC). Unauthenticated. Remote. Code execution as root. No credentials required, no interaction from the target, just

19 Mar 2026

FortiGate Intrusions Are Blowing Up AD. Here's What SentinelOne Found.

If you're running FortiGate NGFWs with AD integration, stop what you're doing and read this. SentinelOne's DFIR team published their investigation notes Monday on two separate FortiGate intrusions from early 2026. Both started the same way — a compromised appliance — and both ended badly. One

19 Mar 2026

Your FortiGate Knows Your AD Password. So Does the Attacker.

SentinelOne's DFIR team dropped a report this week that should land on every firewall admin's desk. They worked two separate FortiGate intrusion cases in early 2026. In one, the attacker sat quietly for three months before anyone noticed. In the other, they were pivoting to domain

19 Mar 2026

GlassWorm Wave 3: 433 Packages Compromised, Your Code Review Won't Save You

If you install Python packages from GitHub, run CI/CD pipelines that pull from open-source repositories, or use VS Code or Cursor — read this now. GlassWorm is back for a third wave, and the scope has expanded significantly. Researchers confirmed today that the same threat actor has compromised 433 components

19 Mar 2026

FancyBear Left Their Own Server Open — And Defenders Downloaded the Whole Thing

APT28 is supposed to be one of Russia's best. The GRU-linked group behind SolarWinds attribution debates and a decade of European espionage. Yet for roughly 500 days — from mid-2024 into early 2026 — they ran an active C2 server with open HTTP directories, staged payloads sitting out in the

19 Mar 2026

Microsoft's RRAS Hotpatch Covers a Gap That Standard Patch Tuesday Missed

Microsoft pushed an out-of-band hotpatch on March 13, 2026 to fix three remote code execution vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool. The update — KB5084597 — wasn't a response to new discoveries. These CVEs were already patched in the March 10 Patch Tuesday cycle.

17 Mar 2026

Security intelligence, unified and actionable. AI-powered threat analysis, real-time feeds, and insights for SOC teams.