Chinese Threat Actors Implant BPFdoor in Telecom Networks

Executive Summary According to a released report from Rapid7 Labs, Chinese threat actor Red Menshen is targeting telecommunication networks in undisclosed regions with the goal of carrying out espionage against corporate and government agencies. This campaign, reported on 26 March 2026, has been a long-term operation gaining access to telecom critical environments for an extended period…

Read More

WebRTC-Based Payment Skimmer Targeting ECommerce Sites Via PolyShell Vulnerability

Executive Summary On 24 March 2026, Sansec Researchers identified a novel payment skimmer leveraging WebRTC data channels rather than conventional web requests to load malicious code and exfiltrate stolen payment data, bypassing traditional security controls. Sansec reported the skimmer targeting ecommerce sites throughout March 2026 by exploiting a PolyShell vulnerability in Magento and Adobe Commerce. Key Takeaways  Novel Exfiltration Technique: This is reportedly the first observed instance of WebRTC being used…

Read More

2026 Unit 42 Global Incident Response Report

Executive Summary In 2025, Unit 42 responded to more than 750 major cyber incidents. Our teams worked with large organizations facing extortion, network intrusions, data theft and advanced persistent threats. Targets spanned every major industry and more than 50 countries. In each case, the situation had escalated to the point where the SOC called for…

Read More

ShinyHunters Utilize Public Audit Tool to Scan for Vulnerable Salesforce Aura Instances

Executive Summary The threat group known as ShinyHunters is actively exploiting misconfigurations in Salesforce Experience Cloud and a externally developed security auditing tool to exfiltrate sensitive data from hundreds of high-profile organizations. By repurposing Mandiant’s AuraInspector tool, the actors identify guest user profiles with excessive permissions that allow for the direct querying of internal CRM objects. The…

Read More

Middle East Conflict Cyber Threat Landscape and Defensive Options for Retail, Hospitality, and Travel Organizations

Executive Summary In late February 2026, the United States and Israel launched joint airstrikes against a wide array of facilities in Iran. Retaliatory strikes have followed, with the conflict escalating to multiple nations in the Middle East. Beyond physical threats to employees and facilities, cyber threats related to the conflict with potential impact on retail and hospitality…

Read More

VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

Executive Summary On Feb. 6, 2026, BeyondTrust released a security advisory regarding CVE-2026-1731. BeyondTrust is an identity and access management platform. This specific vulnerability involves a pre-authentication remote code execution (RCE) issue within BeyondTrust remote support software. It could allow attackers to execute operating system commands in the context of the site user, which may lead to system…

Read More

Threat Actors Leverage Brand Impersonation for Rewards Fraud, Credential Harvesting Campaigns, and Online Gambling Platforms

Summary Threat actors increasingly leverage airline brand impersonation to facilitate sophisticated reward fraud and illicit online gambling schemes, according to a report published by Help Net Security. Analysis of over 11,000 domains reveals a high-volume ecosystem where keywords such as “rewards” and “points” serve as primary lures for loyalty credential harvesting. Additionally, malicious operators exploit airline…

Read More

Phishing on the Edge of the Web and Mobile Using QR Codes

Executive Summary With QR codes having a notable presence in our everyday lives, some people instinctively scan them without hesitation. But QR codes are also a vector for attack. QR codes enable attackers to bypass organizational security by exploiting the weaker controls of personal mobile devices. By doing this, they can trick users into scanning…

Read More

Malwarebytes Confirms Avast Impersonation Refund Scam Targeting European Users

Summary A fraudulent website impersonating Avast’s visual identity targets French-speaking users by claiming a non-existent €499.99 charge requires a refund, according to a new report by Malwarebytes Labs. The operation utilizes a sophisticated blend of urgency, real-time live chat support via Tawk[.]to, and dynamic page elements to harvest full credit card details and personal information. Technical…

Read More

A Peek Into Muddled Libra’s Operational Playbook

Executive Summary During a September 2025 incident response investigation, Unit 42 discovered a rogue virtual machine (VM) which we believe with high confidence to be used by the cybercrime group Muddled Libra (aka Scattered Spider, UNC3944). The contents of this rogue VM and activity from the attack provide valuable insight into the operational playbook of…

Read More