Skip to content
The Nexus
DossierENTITY

Threat Actors

Coverage of Threat Actors in the Nexus archive.

Earliest in view: Apr 1 · 10:40 UTCMost recent: Jul 6 · 20:23 UTC
Co-mentioned in this coverage
Recent coverage
  • SECURITYJul 6 · 20:23 UTCBLEEPING COMPUTER
    Fake IT support calls on Microsoft Teams push EtherRAT malware

    Threat actors are using Microsoft Teams voice calls to impersonate corporate IT support staff, tricking employees into installing EtherRAT malware. This malware grants attackers initial access to corporate networks.

  • SECURITYJun 28 · 14:13 UTCBLEEPING COMPUTER
    Data breach exposes up to 14.2 million email logins at six ISPs

    A data breach at Japanese telecommunications company KDDI Corporation exposed up to 14.2 million email logins. Threat actors accessed an email system used by five other internet service providers in Japan.

  • SECURITYJun 25 · 19:45 UTCBLEEPING COMPUTER
    Order-tracking app Shop abused to push callback phishing attacks

    Threat actors are exploiting Shop, an order-tracking app from Shopify, by inserting fake purchase receipts into users' order histories to deceive them into divulging sensitive information or installing remote access software.

  • SECURITYJun 16 · 18:27 UTCBLEEPING COMPUTER
    Steam Workshop abused to spread malware via Wallpaper Engine app

    Threat actors are exploiting Steam Workshop, Valve's community hub for game-related content, to distribute malware hidden in wallpaper packages through the Wallpaper Engine app.

  • SECURITYJun 10 · 13:44 UTCBLEEPING COMPUTER
    Microsoft patches Exchange Server zero-day exploited in attacks

    Microsoft has patched a zero-day vulnerability in Exchange Server that allows threat actors to execute arbitrary JavaScript code through cross-site scripting (XSS) attacks targeting Outlook Web Access users. The vulnerability is actively exploited, prompting the release of a security update.

  • SECURITYJun 10 · 07:02 UTCTHE HACKER NEWS
    ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances

    ServiceNow disclosed a security incident where unknown threat actors exploited a flaw to gain unauthorized access to customer instances. The company applied a security update on June 5, 2026, to address the vulnerability.

  • SECURITYJun 5 · 19:04 UTCDARK READING
    Exposed Fuel Tank Gauges Under Attack in the US

    Threat actors are exploiting Internet-exposed fuel tank gauges to breach gas stations in the US, creating risks of disruption. The attack targets vulnerabilities in connected tank gauges, allowing unauthorized access.

  • SECURITYJun 5 · 08:38 UTCTHE HACKER NEWS
    Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites

    Threat actors are exploiting a critical remote code execution vulnerability (CVE-2026-3300) in Everest Forms Pro, a WordPress plugin with 4,000 active installations, leading to site compromises. The vulnerability affects all versions up to 1.9.12.

  • SECURITYJun 4 · 14:01 UTCBLEEPING COMPUTER
    Hackers Are After the Gaps in Your Vulnerability Program: Here's Their Playbook

    Hackers are targeting gaps in vulnerability programs by teaching newcomers to exploit vulnerable systems. Flare analyzes a popular underground tutorial revealing modern attacker workflows.

  • SECURITYJun 1 · 12:30 UTCBLEEPING COMPUTER
    Critical Windows Netlogon RCE flaw now exploited in attacks

    The Centre for Cybersecurity Belgium (CCB) reported that threat actors are exploiting a critical Windows Netlogon vulnerability in attacks. The vulnerability, which was recently patched, is now being used in real-world exploits.

  • SECURITYJun 1 · 08:45 UTCTHE HACKER NEWS
    Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts

    Threat actors are exploiting a critical security flaw in the WP Maps Pro WordPress plugin to create malicious administrator accounts. The plugin, which allows embedding customizable Google Maps and OpenStreetMap with location features, has over 15,000 sales on the Envato Market.

  • SECURITYMay 28 · 15:26 UTCTHE HACKER NEWS
    Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

    Threat actors are exploiting a patched security flaw in FortiClient Endpoint Management Server (EMS) to deploy credential-stealing malware. Arctic Wolf reported that the campaign used trusted endpoint management infrastructure to deliver malware across managed endpoints, disguising the payload as a Fortinet endpoint update.

  • SECURITYMay 27 · 21:31 UTCBLEEPING COMPUTER
    GPU mining malware spreads via SEO poisoning, AI chatbots

    Threat actors are spreading GPU mining malware through an SEO poisoning campaign that also manipulates AI chatbot recommendations to target high-performance computing systems. The coordinated effort focuses on cryptojacking, exploiting vulnerable hardware for cryptocurrency mining.

  • SECURITYMay 26 · 19:57 UTCDECRYPT
    Grand Theft Data: Threat Actors Weaponizing GTA 6 Hype, NordVPN Warns

    Cybercriminals are exploiting the popularity of Grand Theft Auto 6 by distributing phishing traps and malware, according to a warning from NordVPN. The threat actors are using the game's hype to lure victims into malicious schemes.

  • SECURITYMay 26 · 09:13 UTCTHE HACKER NEWS
    CERT-In Mandates 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks

    The Indian Computer Emergency Response Team (CERT-In) has mandated organizations to patch critical vulnerabilities in internet-exposed systems within 12 hours to counter AI and large language model (LLM)-assisted attacks by threat actors.

  • SECURITYMay 20 · 12:52 UTCBLEEPING COMPUTER
    Drupal critical update to fix bug with high exploitation risk

    Drupal has announced a core security release to fix a critical bug with high exploitation risk, warning that threat actors might develop exploits within hours of the update disclosure. The update is scheduled for later today. This bug poses a significant risk to Drupal users.

  • SECURITYApr 30 · 16:31 UTCTHE HACKER NEWS
    PyTorch Lightning Compromised in PyPI Supply Chain Attack to Steal Credentials

    Threat actors compromised the PyTorch Lightning Python package, publishing malicious versions 2.6.2 and 2.6.3 on April 30, 2026, to steal credentials. Security firms Aikido Security, Socket, and StepSecurity reported the attack, which is part of an ongoing supply chain campaign.

  • SECURITYApr 29 · 12:02 UTCTHE HACKER NEWS
    Webinar: How to Automate Exposure Validation to Match the Speed of AI Attacks

    Researchers in February 2026 identified a significant shift in cyber threats: threat actors now use custom AI setups to automate attacks within the kill chain, including autonomous agents that map Active Directory and steal Domain Admin credentials rapidly. Defensive workflows struggle to keep pace with these advanced AI-driven tactics.

  • SECURITYApr 29 · 05:34 UTCTHE HACKER NEWS
    LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure

    A critical SQL injection vulnerability (CVE-2026-42208) in BerriAI's LiteLLM Python package was exploited in the wild within 36 hours of disclosure. The flaw, with a CVSS score of 9.3, allows attackers to modify underlying data through SQL injection attacks.

  • SECURITYApr 28 · 12:50 UTCBLEEPING COMPUTER
    Inside an OPSEC Playbook: How Threat Actors Evade Detection

    Threat actors are publishing structured OPSEC playbooks to evade detection, with Flare revealing how these guides detail layered infrastructure, identity separation, and long-term evasion strategies.

  • SECURITYApr 27 · 23:11 UTCBLEEPING COMPUTER
    Robinhood account creation flaw abused to send phishing emails

    Robinhood's account creation process was exploited by threat actors to inject phishing messages into legitimate emails, deceiving users into believing their accounts had suspicious activity. This security flaw allowed attackers to impersonate the platform and trick users into engaging with malicious links.

  • SECURITYApr 27 · 06:33 UTCTHE HACKER NEWS
    Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud

    Cybersecurity researchers have uncovered a telecommunications fraud campaign using fake CAPTCHA verification to trick users into sending international SMS messages, generating revenue for threat actors. The operation, involving 120 Keitaro campaigns, was detailed in a report by Infoblox, highlighting the scam's global impact.

  • SECURITYApr 22 · 17:55 UTCTHE HACKER NEWS
    Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain

    Cybersecurity researchers warned of malicious Docker images and VS Code extensions in Checkmarx's supply chain. Socket revealed threat actors overwrote tags like v2.1.20 and alpine in the 'checkmarx/kics' Docker Hub repository and introduced a fake v2.1.21 tag.

  • SECURITYApr 20 · 15:11 UTCBLEEPING COMPUTER
    Microsoft: Teams increasingly abused in helpdesk impersonation attacks

    Microsoft is warning that threat actors are increasingly exploiting Microsoft Teams for helpdesk impersonation attacks, using legitimate tools to gain access and move laterally within enterprise networks. The abuse highlights growing security risks associated with collaboration platforms.

  • SECURITYApr 17 · 06:14 UTCBLEEPING COMPUTER
    Recently leaked Windows zero-days now exploited in attacks

    Threat actors are exploiting three recently disclosed Windows security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions. The vulnerabilities, described as zero-days, were leaked and are now being actively used in cyberattacks.

  • SECURITYApr 16 · 15:28 UTCDARK READING
    Two-Factor Authentication Breaks Free from the Desktop

    The article discusses how threat actors bypass security systems in non-traditional IT environments, emphasizing the need for two-factor authentication (2FA) as an added security layer in physical settings. It highlights 2FA's potential to counteract vulnerabilities outside standard digital defenses.

  • TECHNOLOGYApr 16 · 15:24 UTCBLEEPING COMPUTER
    Google expands Gemini AI use to fight malicious ads on its platform

    Google is expanding the use of its Gemini AI models to detect and block harmful ads on its advertising platforms. The move aims to counter evolving tactics used by scammers and threat actors to evade detection.

  • SECURITYApr 15 · 17:09 UTCTHE HACKER NEWS
    n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails

    Threat actors have been exploiting n8n, an AI workflow automation platform, since October 2025 to bypass security filters and deliver malware via phishing emails. These campaigns automate malicious email distribution, enabling device fingerprinting and payload delivery through trusted infrastructure.

  • SECURITYApr 10 · 20:02 UTCDARK READING
    Hims Breach Exposes the Most Sensitive Kinds of PHI

    A breach at telehealth brand Hims exposed sensitive Protected Health Information (PHI), including personal health details like baldness, weight, and sexual health. The incident raises concerns about potential misuse of private medical data by threat actors.

  • SECURITYApr 9 · 21:37 UTCBLEEPING COMPUTER
    New VENOM phishing attacks steal senior executives' Microsoft logins

    Threat actors utilizing the VENOM phishing-as-a-service platform are targeting senior executives' Microsoft credentials across multiple industries. The attacks involve stealing login information from C-suite executives, highlighting a significant cybersecurity risk.

  • SECURITYApr 9 · 12:20 UTCBLEEPING COMPUTER
    Webinar: From noise to signal - What threat actors are targeting next

    The webinar focuses on identifying threat actor intentions through dark web activity and credential requests. It aims to teach proactive defense strategies by converting early warning signs into actionable security measures. Flare Systems is hosting the event to address emerging cybersecurity threats.

  • SECURITYApr 9 · 11:15 UTCTHE HACKER NEWS
    Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

    A zero-day vulnerability in Adobe Reader has been exploited via malicious PDFs since December 2025, as reported by EXPMON's Haifei Li. The first malicious artifact, 'Invoice540.pdf', appeared on VirusTotal on November 28, 2025.

  • SECURITYApr 8 · 20:21 UTCDARK READING
    Threat Actors Get Crafty With Emojis to Escape Detection

    Threat actors are using emojis to evade detection by encoding malicious intent through symbols like 🤖, 🧰, and 💰💰💰. This method allows them to bypass filters and communicate covertly.

  • SECURITYApr 6 · 20:55 UTCDARK READING
    Axios Attack Shows Complex Social Engineering Is Industrialized

    The Axios NPM package attack exemplifies industrialized social engineering tactics targeting maintainers. Threat actors are scaling sophisticated campaigns to compromise software packages and infrastructure.

  • SECURITYApr 1 · 10:40 UTCDARK READING
    Are We Training AI Too Late?

    The article discusses the need for cybersecurity teams to address new threat sources rather than relying on past actors. It raises concerns about whether AI training is happening in time to combat evolving cyber threats.