
Daily Cybersecurity Roundup, January 08, 2026

Threat actors are actively abusing weak authentication controls across multiple attack vectors, with the GoBruteforcer botnet compromising more than 50,000 Linux servers worldwide by brute-forcing credentials for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin. In parallel, a new ransomware strain, CrazyHunter, is focusing on healthcare organizations by exploiting weak Active Directory passwords and abusing SharpGPOAbuse to distribute malicious payloads at scale. Alongside these intrusions, an ongoing phishing campaign is evading email security controls by rendering QR codes with HTML tables rather than images, directing victims to malicious subdomains. Read on for the details.

01

The GoBruteforcer botnet is targeting over 50,000 Linux servers globally, exploiting weak credentials in services like FTP, MySQL, PostgreSQL, and phpMyAdmin.

02

A new ransomware variant called CrazyHunter is targeting the healthcare sector by exploiting weak Active Directory passwords and leveraging SharpGPOAbuse for payload distribution.

03

A new wave of Android malware, known as Ghost Tap, is enabling cybercriminals to perform unauthorized remote NFC tap-to-pay transactions without physical access to victims' bank cards.

04

ToddyCat, a cyber-espionage group, has been targeting organizations across Europe and Asia. The actors initially compromised Microsoft Exchange servers and later weaponized the ProxyLogon flaw (CVE-2021-31207) to execute advanced, multi-stage intrusions.

05

A phishing campaign used HTML tables to render QR codes instead of images, bypassing security detection. The emails contained QR codes leading to malicious subdomains of lidoustoo[.]click.

06

Windows Packer pkr_mtsi, a custom malware loader, is driving large-scale malvertising and SEO-poisoning campaigns, delivering various malware families while disguising itself as legitimate software installers.

07

Three malicious npm packages (bitcoin-main-lib, bitcoin-lib-js, and bip40) targeted JavaScript developers by typosquatting the trusted BitcoinJS project to distribute the NodeCordRAT malware, which leveraged Discord servers for command-and-control.

08

Cybercriminals used a stealthy zero-day toolkit dubbed MAESTRO to move laterally and exploit three critical VMware ESXi flaws (CVE-2025-22226, CVE-2025-22224, CVE-2025-22225), remaining undetected for over a year while achieving kernel-level hypervisor compromise.

09

Trend Micro released a critical patch for on-premises Apex Central to address three vulnerabilities, including CVE-2025-69258, which allows unauthenticated RCE.

10

Cisco fixed a medium-severity vulnerability (CVE-2026-20029) in ISE and ISE-PIC caused by improper XML parsing that could allow authenticated administrators to access sensitive operating system files.
