Threat Actors
Coverage of Threat Actors in the Nexus archive.
- Fake IT support calls on Microsoft Teams push EtherRAT malware
Threat actors are using Microsoft Teams voice calls to impersonate corporate IT support staff, tricking employees into installing EtherRAT malware. This malware grants attackers initial access to corporate networks.
- Data breach exposes up to 14.2 million email logins at six ISPs
A data breach at Japanese telecommunications company KDDI Corporation exposed up to 14.2 million email logins. Threat actors accessed an email system used by five other internet service providers in Japan.
- Order-tracking app Shop abused to push callback phishing attacks
Threat actors are exploiting Shop, an order-tracking app from Shopify, by inserting fake purchase receipts into users' order histories to deceive them into divulging sensitive information or installing remote access software.
- Steam Workshop abused to spread malware via Wallpaper Engine app
Threat actors are exploiting Steam Workshop, Valve's community hub for game-related content, to distribute malware hidden in wallpaper packages through the Wallpaper Engine app.
- Microsoft patches Exchange Server zero-day exploited in attacks
Microsoft has patched a zero-day vulnerability in Exchange Server that allows threat actors to execute arbitrary JavaScript code through cross-site scripting (XSS) attacks targeting Outlook Web Access users. The vulnerability is actively exploited, prompting the release of a security update.
- ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
ServiceNow disclosed a security incident where unknown threat actors exploited a flaw to gain unauthorized access to customer instances. The company applied a security update on June 5, 2026, to address the vulnerability.
- Exposed Fuel Tank Gauges Under Attack in the US
Threat actors are exploiting Internet-exposed fuel tank gauges to breach gas stations in the US, creating risks of disruption. The attack targets vulnerabilities in connected tank gauges, allowing unauthorized access.
- Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites
Threat actors are exploiting a critical remote code execution vulnerability (CVE-2026-3300) in Everest Forms Pro, a WordPress plugin with 4,000 active installations, leading to site compromises. The vulnerability affects all versions up to 1.9.12.
- Hackers Are After the Gaps in Your Vulnerability Program: Here's Their Playbook
Hackers are targeting gaps in vulnerability programs by teaching newcomers to exploit vulnerable systems. Flare analyzes a popular underground tutorial revealing modern attacker workflows.
- Critical Windows Netlogon RCE flaw now exploited in attacks
The Centre for Cybersecurity Belgium (CCB) reported that threat actors are exploiting a critical Windows Netlogon vulnerability in attacks. The vulnerability, which was recently patched, is now being used in real-world exploits.
- Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts
Threat actors are exploiting a critical security flaw in the WP Maps Pro WordPress plugin to create malicious administrator accounts. The plugin, which allows embedding customizable Google Maps and OpenStreetMap with location features, has over 15,000 sales on the Envato Market.
- Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Threat actors are exploiting a patched security flaw in FortiClient Endpoint Management Server (EMS) to deploy credential-stealing malware. Arctic Wolf reported that the campaign used trusted endpoint management infrastructure to deliver malware across managed endpoints, disguising the payload as a Fortinet endpoint update.
- GPU mining malware spreads via SEO poisoning, AI chatbots
Threat actors are spreading GPU mining malware through an SEO poisoning campaign that also manipulates AI chatbot recommendations to target high-performance computing systems. The coordinated effort focuses on cryptojacking, exploiting vulnerable hardware for cryptocurrency mining.
- Grand Theft Data: Threat Actors Weaponizing GTA 6 Hype, NordVPN Warns
Cybercriminals are exploiting the popularity of Grand Theft Auto 6 by distributing phishing traps and malware, according to a warning from NordVPN. The threat actors are using the game's hype to lure victims into malicious schemes.
- CERT-In Mandates 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks
The Indian Computer Emergency Response Team (CERT-In) has mandated organizations to patch critical vulnerabilities in internet-exposed systems within 12 hours to counter AI and large language model (LLM)-assisted attacks by threat actors.
- Drupal critical update to fix bug with high exploitation risk
Drupal has announced a core security release to fix a critical bug with high exploitation risk, warning that threat actors might develop exploits within hours of the update disclosure. The update is scheduled for later today. This bug poses a significant risk to Drupal users.
- PyTorch Lightning Compromised in PyPI Supply Chain Attack to Steal Credentials
Threat actors compromised the PyTorch Lightning Python package, publishing malicious versions 2.6.2 and 2.6.3 on April 30, 2026, to steal credentials. Security firms Aikido Security, Socket, and StepSecurity reported the attack, which is part of an ongoing supply chain campaign.
- Webinar: How to Automate Exposure Validation to Match the Speed of AI Attacks
Researchers in February 2026 identified a significant shift in cyber threats: threat actors now use custom AI setups to automate attacks within the kill chain, including autonomous agents that map Active Directory and steal Domain Admin credentials rapidly. Defensive workflows struggle to keep pace with these advanced AI-driven tactics.
- LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure
A critical SQL injection vulnerability (CVE-2026-42208) in BerriAI's LiteLLM Python package was exploited in the wild within 36 hours of disclosure. The flaw, with a CVSS score of 9.3, allows attackers to modify underlying data through SQL injection attacks.
- Inside an OPSEC Playbook: How Threat Actors Evade Detection
Threat actors are publishing structured OPSEC playbooks to evade detection, with Flare revealing how these guides detail layered infrastructure, identity separation, and long-term evasion strategies.
- Robinhood account creation flaw abused to send phishing emails
Robinhood's account creation process was exploited by threat actors to inject phishing messages into legitimate emails, deceiving users into believing their accounts had suspicious activity. This security flaw allowed attackers to impersonate the platform and trick users into engaging with malicious links.
- Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud
Cybersecurity researchers have uncovered a telecommunications fraud campaign using fake CAPTCHA verification to trick users into sending international SMS messages, generating revenue for threat actors. The operation, involving 120 Keitaro campaigns, was detailed in a report by Infoblox, highlighting the scam's global impact.
- Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain
Cybersecurity researchers warned of malicious Docker images and VS Code extensions in Checkmarx's supply chain. Socket revealed threat actors overwrote tags like v2.1.20 and alpine in the 'checkmarx/kics' Docker Hub repository and introduced a fake v2.1.21 tag.
- Microsoft: Teams increasingly abused in helpdesk impersonation attacks
Microsoft is warning that threat actors are increasingly exploiting Microsoft Teams for helpdesk impersonation attacks, using legitimate tools to gain access and move laterally within enterprise networks. The abuse highlights growing security risks associated with collaboration platforms.
- Recently leaked Windows zero-days now exploited in attacks
Threat actors are exploiting three recently disclosed Windows security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions. The vulnerabilities, described as zero-days, were leaked and are now being actively used in cyberattacks.
- Two-Factor Authentication Breaks Free from the Desktop
The article discusses how threat actors bypass security systems in non-traditional IT environments, emphasizing the need for two-factor authentication (2FA) as an added security layer in physical settings. It highlights 2FA's potential to counteract vulnerabilities outside standard digital defenses.
- Google expands Gemini AI use to fight malicious ads on its platform
Google is expanding the use of its Gemini AI models to detect and block harmful ads on its advertising platforms. The move aims to counter evolving tactics used by scammers and threat actors to evade detection.
- n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails
Threat actors have been exploiting n8n, an AI workflow automation platform, since October 2025 to bypass security filters and deliver malware via phishing emails. These campaigns automate malicious email distribution, enabling device fingerprinting and payload delivery through trusted infrastructure.
- Hims Breach Exposes the Most Sensitive Kinds of PHI
A breach at telehealth brand Hims exposed sensitive Protected Health Information (PHI), including personal health details like baldness, weight, and sexual health. The incident raises concerns about potential misuse of private medical data by threat actors.
- New VENOM phishing attacks steal senior executives' Microsoft logins
Threat actors utilizing the VENOM phishing-as-a-service platform are targeting senior executives' Microsoft credentials across multiple industries. The attacks involve stealing login information from C-suite executives, highlighting a significant cybersecurity risk.
- Webinar: From noise to signal - What threat actors are targeting next
The webinar focuses on identifying threat actor intentions through dark web activity and credential requests. It aims to teach proactive defense strategies by converting early warning signs into actionable security measures. Flare Systems is hosting the event to address emerging cybersecurity threats.
- Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025
A zero-day vulnerability in Adobe Reader has been exploited via malicious PDFs since December 2025, as reported by EXPMON's Haifei Li. The first malicious artifact, 'Invoice540.pdf', appeared on VirusTotal on November 28, 2025.
- Threat Actors Get Crafty With Emojis to Escape Detection
Threat actors are using emojis to evade detection by encoding malicious intent through symbols like 🤖, 🧰, and 💰💰💰. This method allows them to bypass filters and communicate covertly.
- Axios Attack Shows Complex Social Engineering Is Industrialized
The Axios NPM package attack exemplifies industrialized social engineering tactics targeting maintainers. Threat actors are scaling sophisticated campaigns to compromise software packages and infrastructure.
- Are We Training AI Too Late?
The article discusses the need for cybersecurity teams to address new threat sources rather than relying on past actors. It raises concerns about whether AI training is happening in time to combat evolving cyber threats.