
Daily Cybersecurity Roundup, February 13, 2026

Sometimes the most dangerous threats hide behind tools users trust every day. Security researchers uncovered a wave of AI-themed malicious extensions on Google Chrome that amassed over 300,000 installations while covertly siphoning credentials, session cookies, and email data from victims. At the same time, the threat actor Storm-2603 has been exploiting vulnerable SmarterMail servers to establish initial access and deploy Warlock ransomware within targeted organizations. Also, the BADIIS campaign is driving large-scale SEO poisoning operations, manipulating search results to funnel users seeking legitimate software into malware-laced distribution sites. Keep reading.

01

Malicious AI-themed browser extensions on Google Chrome, installed by over 300,000 users, were found harvesting credentials, session cookies, and email data from unsuspecting victims.

02

The threat actor Storm-2603 is exploiting vulnerabilities in SmarterMail servers to gain initial access and deploy Warlock ransomware against compromised organizations.

03

A fresh campaign distributing XWorm RAT, a commercially available remote access trojan, is targeting victims through phishing and malicious attachments to enable surveillance and data exfiltration.

04

Researchers uncovered OysterLoader, a sophisticated multi-stage loader designed to evade detection and deliver secondary payloads while using anti-analysis and obfuscation techniques.

05

The ClickFix social engineering technique is being used to trick users into executing malicious scripts that ultimately deploy the StealC information-stealing malware for credential theft.

06

The BADIIS threat campaign leverages large-scale SEO poisoning to redirect victims to malware distribution sites, compromising users searching for popular software downloads.

07

An in-depth investigation into the DragonForce ransomware operation revealed a structured affiliate ecosystem, double-extortion tactics, and expanding global targeting across critical sectors.

08

Zimbra Collaboration Suite version 10.1.16 fixes a triple set of vulnerabilities (XSS, XXE, and LDAP injection) that could enable account takeover and remote code execution if left unpatched.

09

A critical vulnerability (CVE-2026-0969) in Next.js MDX processing allows attackers to inject malicious content that could lead to remote code execution in improperly secured web applications.

10

CISA added exploited flaws affecting SolarWinds products, Notepad++, and Microsoft software to its KEV catalog, urging immediate patching due to active in-the-wild exploitation.
