David Koepi (@davidkoepi) 's Twitter Profile
David Koepi

@davidkoepi

ID: 249862861

09-02-2011 23:06:34

13,13K Tweet

328 Followers

699 Following

DFIR Radar (@dfir_radar) 's Twitter Profile Photo

North Korea's 🇰🇵 Kimsuky APT weaponizes GitHub as C2 infrastructure in multi-stage campaign targeting South Korean 🇰🇷 organizations. Attack chain uses obfuscated LNK files, PowerShell LOLBins, and legitimate cloud platforms to evade detection while maintaining persistent access.

Dark Night (@dark_night263) 's Twitter Profile Photo

BypassAV — Techniques Map for AV/EDR Evasion A structured map of essential techniques used to evade AV & EDR: • Execution methods • Memory-based evasion • Living-off-the-land (LOLBins) • Detection blind spots Focus on techniques, not tools. github.com/matro7sh/Bypas…

Virus Bulletin (@virusbtn) 's Twitter Profile Photo

Huntress researchers Anna Pham & Michael Tigges write about having observed the use of Nightmare-Eclipse tooling - including BlueHammer, RedSun and UnDefend - during a real-world intrusion investigation. huntress.com/blog/nightmare…

David Koepi (@davidkoepi) 's Twitter Profile Photo

[BinaryDefense] Chasing Phantoms: How a Multi-Stage Stealer Abuses Signed Binaries to Disappear binarydefense.com/resources/blog…

Dark Night (@dark_night263) 's Twitter Profile Photo

🧠 Malware Analysis Resource Hub (Curated List) Awesome Malware Analysis: tools + datasets + labs • Sandboxes, RE, memory forensics • Malware samples & corpora • IOC & threat intel resources • Detection + YARA tools • Domain & network analysis github.com/rshipp/awesome…

David Koepi (@davidkoepi) 's Twitter Profile Photo

[KrebsOnSecurity] ‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty krebsonsecurity.com/2026/04/scatte…

David Koepi (@davidkoepi) 's Twitter Profile Photo

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft https://www.security.com/threat-intelligence/trigona-exfiltration-custom

David Koepi (@davidkoepi) 's Twitter Profile Photo

[Symantec] Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft https://www.security.com/threat-intelligence/trigona-exfiltration-custom

David Koepi (@davidkoepi) 's Twitter Profile Photo

[AnyRun] Inside agenteV2: How Brazilian Attackers Use Fake Court Summons to Steal Banking Credentials in Real Time any.run/cybersecurity-…

David Koepi (@davidkoepi) 's Twitter Profile Photo

[SentinelOne] fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet sentinelone.com/labs/fast16-my…

David Koepi (@davidkoepi) 's Twitter Profile Photo

[Chainalysis] U.S. Government Unveils Sweeping Enforcement Actions Against Southeast Asian Scam Centers and Crypto Fraud Networks chainalysis.com/blog/asian-sca…

Mr.Z (@zux0x3a) 's Twitter Profile Photo

github.com/MWR-CyberSec/V… A credential extraction BOF for Veeam Backup and Replication and Veeam One by Stephen Munro and Logan Kroeger from MWR CyberSec

LAB52 (@lab52io) 's Twitter Profile Photo

Download our 142-page #EasterBunny report (open access): EasterBunny: advanced espionage artifacts attributed to APT29 lab52.io/blog/easterbun… #APT29

Virus Bulletin (@virusbtn) 's Twitter Profile Photo

Mitesh Wani at Zscaler ThreatLabz details how attackers exploited OpenClaw’s skill architecture. The campaign was designed to trick AI agents or developers into executing hidden payloads, leading to the deployment of Remcos RAT and GhostLoader. zscaler.com/blogs/security…
