Decoding Threats.
Watching the Wire.
Daily security intelligence curated from the world's leading sources, mapped across 8 core security disciplines, from threat intelligence to application security.
8 Security Domains · Daily Updates · CVEs Tracked Live
Latest Intelligence
Recent Articles
Australia ACSC Warns of ClickFix Campaign Delivering Vidar Infostealer – Fake CAPTCHA Bypass Technique Targeting Enterprise Users
The Australian Cyber Security Centre has issued a warning about an active ClickFix social engineering campaign delivering Vidar infostealer malware. ClickFix presents victims with fake CAPTCHA or browser-fix dialogs that instruct them to run PowerShell commands, bypassing standard malware delivery defences. The campaign has been observed across multiple Australian industry sectors.
Google GTIG Confirms First AI-Developed Zero-Day Used in Active Exploitation – 2FA Bypass via Automated Vulnerability Discovery
Google's Threat Intelligence Group has confirmed the first documented case of a threat actor using AI tools to discover and develop a working zero-day exploit deployed in a live attack campaign. The target was a 2FA bypass in a widely-used open-source web administration tool. A separate China-aligned actor was also found using AI platforms for automated offensive reconnaissance.
Instructure Confirms ShinyHunters Exploited Canvas LMS to Deface University Login Portals in Mass Extortion Campaign
Instructure has confirmed that the ShinyHunters threat group exploited a vulnerability in Canvas LMS to deface login portals across multiple university clients with extortion messages. The attack moved beyond the data exposure incident disclosed on May 3 into active defacement: university login pages were replaced with ransom demands visible to students and staff. Instructure is notifying affected institutions and has issued an emergency patch.
Attackers Abuse Google Ads and Claude.ai Conversations to Deliver macOS Malware to Developers
A campaign targeting macOS users, particularly developers, is abusing both Google Ads and Claude.ai chat conversations as malware delivery vectors. Malicious ads impersonating developer tools redirect to sites hosting macOS malware, while a second vector embeds download links in Claude.ai conversations shared with targets. The campaign has updated the MacSync infostealer family with new macOS Sequoia-compatible components.
TrickMo Android Banking Trojan Moves C2 to TON Blockchain – Decentralised Infrastructure Makes Takedown Near-Impossible
The TrickMo Android banking trojan has been updated to use the Telegram Open Network (TON) blockchain as its command-and-control infrastructure. TON's decentralised architecture means law enforcement cannot seize or sinkhole C2 servers; TrickMo operators gain persistent, censorship-resistant communications regardless of takedowns. The move signals a broader industry shift toward blockchain-based C2 that defenders have limited ability to disrupt at the infrastructure level.
VENOM Phishing Kit Targets Senior Microsoft 365 Executives via AiTM Session Interception
A new phishing-as-a-service platform named VENOM is specifically targeting C-suite and senior executive Microsoft 365 accounts using adversary-in-the-middle (AiTM) infrastructure to intercept authenticated sessions. Unlike generic phishing kits, VENOM's targeting logic filters for high-value accounts (CFOs, CEOs, legal counsel, and board-level contacts) and includes executive-tailored lures designed for low suspicion.
Zara Confirms Data Breach Affecting 197,000 Customers – ShinyHunters' April Extortion Claim Now Substantiated
Inditex has confirmed that a breach of Zara customer data exposed the personal information of approximately 197,000 people, substantiating the ShinyHunters extortion claim from late April 2026. Exposed data includes names, email addresses, postal addresses, phone numbers, and purchase history. European GDPR notification has been filed and affected customers are being contacted.
FreeBSD CVE-2026-42511 – NFS Stack Vulnerability Affecting Network Appliances and BSD-Based Storage
A new vulnerability in FreeBSD's NFS networking stack has been disclosed as CVE-2026-42511, distinct from the previously covered CVE-2026-4747 (the 17-year-old NFSv4 daemon RCE). CVE-2026-42511 affects the NFS client implementation and is exploitable by a malicious NFS server to achieve code execution on FreeBSD hosts connecting to untrusted NFS mounts, a relevant threat model for enterprise environments mounting network storage from potentially compromised infrastructure.
Opinion & Analysis
Commentary
The Risk Calculus Changed Today
Google's confirmation of the first AI-developed zero-day used in live exploitation is not a warning about the future. It is a statement about the present. The security industry's habit of treating AI-assisted exploitation as a 'horizon threat' just ran out of runway.
CipherWatch Editorial
Security Intelligence Platform
Post-Quantum Cryptography: The Decision Is Not Whether to Migrate, It Is When to Start Counting
Proton Mail's post-quantum encryption launch is another data point in an accelerating migration across email, messaging, and enterprise security platforms. The industry debate has shifted from 'should we?' to 'how urgent is the harvest-now-decrypt-later threat?' For most organisations the answer is more urgent than their current roadmap reflects, because the data being generated today has a longer confidentiality requirement than the planning horizon that informs most security investment decisions.
CipherWatch Editorial
Security Intelligence Platform
For CISOs, CIOs & Board Members
CIO Briefings
Security events translated into business language: financial exposure, regulatory obligations, and board-ready summaries.
ShinyHunters Breach Canvas LMS – University Login Portals Defaced Across US, UK, Australia in Mass Extortion Campaign
Hackers exploited a vulnerability in Canvas LMS (the learning management platform used by over 5,000 universities and school districts globally) to deface university login portals with ransom demands visible to students and staff. The operator of Canvas, Instructure, has confirmed the breach and issued emergency patches. Student and faculty personal data was also exposed. Educational institutions running Canvas should apply the emergency patch and begin FERPA/GDPR notification assessments immediately.
CVSS 10.0 Vulnerability in Industrial IoT Platform Allows Unauthenticated Takeover of OT-Connected Systems
A maximum-severity (CVSS 10.0) vulnerability in Eclipse BaSyx (industrial automation software used to connect IT and manufacturing systems under Industry 4.0 programmes) allows an internet-accessible attacker to take complete control of the software and the systems it is connected to, without any credentials. A companion vulnerability allows the attacker to probe the manufacturing network from the internet, bypassing network controls. Organisations running BaSyx as part of smart factory or Industry 4.0 programmes must patch immediately.
Two Enterprise Products Added to US Exploited Vulnerabilities List This Week – Ivanti MDM and AI Gateway
CISA added two enterprise products to its Known Exploited Vulnerabilities catalogue this week: Ivanti EPMM (mobile device management platform) and LiteLLM (AI gateway proxy). Active exploitation of both has been confirmed. The LiteLLM addition is significant as the first AI infrastructure component to enter KEV, reflecting the rapid adoption of AI tooling into enterprise production environments and the corresponding attacker interest.
Security Domains
Browse by Domain
Security intelligence mapped across 8 core disciplines.
Risk Mgmt
Governance, compliance, ethics, risk frameworks, legal regulations, and business continuity planning.
Assets
Data classification, ownership, privacy protection, retention policies, and data security standards.
Architecture
Secure design principles, cryptography, physical security, and security models.
Network
Network architecture, protocols, secure communication channels, and network attacks.
IAM
Authentication, authorization, access control models, identity federation, and MFA.
Assessment
Vulnerability assessment, penetration testing, audit strategies, and security metrics.
SecOps
Incident response, forensics, threat intelligence, SIEM, and operational security.
AppSec
Secure SDLC, code review, application vulnerabilities, DevSecOps, and software security testing.
Stay Vigilant
Intelligence is your first line of defence.
CipherWatch compiles and synthesises security news daily from Krebs on Security, The Hacker News, BleepingComputer, CISA advisories, and more, so you stay ahead of the threat curve.