Reports

UltraViolet Cyber's TIDE Team analyzes the May 2026 TanStack supply chain attack: how TeamPCP compromised 42 npm packages using chained GitHub Actions exploits, bypassed SLSA provenance verification, and spread a credential-stealing worm to 172 packages in five hours. Get the full breakdown and response guidance.

ShinyHunters breached Instructure’s Canvas platform twice in 10 days, impacting an estimated 275 million users across nearly 9,000 institutions. UltraViolet Cyber’s TIDE Team analyzes the attack path, extortion tactics, and the broader SaaS security implications.

CVE-2026-23918 turns two HTTP/2 frames into a worker crash, and on default httpd Docker images, into RCE. UltraViolet's TIDE Team breaks down what to do.

Critical GitHub Enterprise flaw enables RCE via git push. Patch immediately and audit access to reduce risk.

Dark AI and shadow AI are reshaping enterprise risk. UltraViolet's TIDE Team breaks down the threats, the exposure, and what security leaders should do now.

A CPUID software compromise delivered STX RAT through trusted tools like CPU-Z and HWMonitor, highlighting the growing risk of software supply chain attacks.

BYOVD attacks weaponize trusted drivers to disable EDR and blind defenses—now a core ransomware tactic used by groups like Qilin and Warlock.

Supply chain attack targeting Trivy and LiteLLM exposes CI/CD pipelines, enabling credential theft and downstream compromise at scale.

Tax-season phishing campaigns are surging. Learn how attackers use fake IRS forms to steal credentials, deliver malware, and target enterprise workflows.

MacOS ClickFix campaigns are evolving social engineering into a primary attack vector—tricking users into executing malicious Terminal commands that bypass traditional defenses.

A critical Nginx UI vulnerability (CVE-2026-27944) allows unauthenticated attackers to retrieve and decrypt system backups, exposing credentials, session data, and TLS keys. Learn how security teams should respond.

A critical pac4j-jwt vulnerability (CVE-2026-29000) enables JWT authentication bypass through improper signature verification, allowing attackers to forge tokens and impersonate users. Learn the impact and recommended defensive actions.

Iranian cyber operations are evolving toward identity compromise, social engineering, and cloud persistence. UltraViolet Cyber’s TIDE Team analyzes APT33, APT35, and APT42 tradecraft and the defensive steps security leaders should prioritize.

ClickFix MIMICRAT uses social engineering and fileless execution to evade detection, abusing trusted websites and PowerShell for stealth access.

SSHStalker targets weak SSH and legacy Linux kernels to build persistent IRC-controlled botnets. See how to harden and detect early.

The disclosure of a critical pre-authentication remote code execution flaw in BeyondTrust (CVE-2026-1731) underscores how privileged access and remote support platforms represent high-impact attack surfaces when exposed to the internet.

Notepad++ update infrastructure was hijacked for six months, turning a trusted developer tool into a stealthy supply-chain attack vector. Read the advisory.

Malicious VS Code extensions are exploiting trusted developer tools to exfiltrate code and credentials—quietly bypassing traditional security controls.

LinkedIn remains an active social engineering vector. Learn how threat actors use trusted outreach and DLL sideloading to gain stealthy enterprise access.

VoidLink is a stealthy Linux malware targeting cloud workloads and Kubernetes, exposing long-term risks to enterprise identity and control planes.

AI-powered IDEs introduce new supply chain risks as unclaimed extension namespaces enable malicious plug-ins via trusted recommendations.

A critical unauthenticated MongoDB flaw exposes server memory. Learn why MongoBleed elevates data leakage risk and what defenders should do now.

DPRK-linked actors are using QR codes to deliver mobile malware. UV TIDE analyzes the tradecraft and enterprise impact.

Browser extensions are quietly exfiltrating AI data. UltraViolet TIDE analyzes how a popular VPN extension intercepts prompts and responses.

React2Shell is a critical unauthenticated RCE flaw in React Server Components. Learn how attackers exploit it and what organizations must do to respond.

UltraViolet Cyber exposes AIRedScam, a SmartLoader-infostealer hidden in AI offensive tooling and aimed at junior–mid red teamers.

A new 7-Zip vulnerability (CVE-2025-11001) enables directory traversal and remote code execution. UltraViolet Cyber explains risks and how to remediate.

Adversaries are abusing desktop hypervisors like Hyper-V and QEMU to hide long-term persistence. Learn how to detect, govern, and defend against hidden VMs.

Malicious NuGet packages hiding delayed-activation malware show how trusted libraries can trigger years later. Read UltraViolet's guidance to secure your software supply chain.

Threat actors are using SEO poisoning to weaponize trusted tools like PuTTY and Teams, distributing fake installers signed with valid certificates. Learn how Rhysida ransomware exploits digital trust — and how to defend against it.

A new advisory from UltraViolet TIDE exposes CVE-2025-2783, a Chrome zero-day used in an espionage campaign to deploy commercial spyware. Learn how attackers bypassed sandbox protections and how to defend against similar browser-based threats.

Russia-linked APT group COLDRIVER is shifting from credential theft to full endpoint compromise with modular malware and PowerShell backdoors. TIDE’s outlines steps to defend high-value networks from evolving espionage threats.

This in-depth quarterly report uncovers how the convergence of operational technology and IT networks is exposing critical infrastructure systems—like access control, fire safety, HVAC, and UPS—to sophisticated cyber threats, and outlines actionable strategies for resilience.

F5 breach exposes BIG-IP source code and zero-days. See TIDE’s guidance for defending against downstream risk and supply chain compromise.

New SUDO vulnerability gives attackers reliable root access via chroot abuse. Exploited in the wild. Patch now to prevent local escalation.

XWorm 6.x uses modular plugins to steal credentials, evade detection, and deploy ransomware. Learn how to detect and defend against it.

LockBit 5.0 marks the return of one of the most prolific ransomware platforms, now targeting Windows, Linux, and VMware ESXi with advanced evasion techniques. Learn what UltraViolet Cyber’s TIDE team recommends to strengthen defenses.

A newly disclosed flaw in Microsoft Entra ID (CVE-2025-55241) exposes tenants to full administrative takeover by bypassing MFA and Conditional Access. Learn what UltraViolet Cyber’s TIDE team recommends for defense and governance.

ClickFix and FileFix attacks exploit user trust in system tools and browser features to deliver info-stealers and remote access malware. Learn how TIDE recommends defending against these evolving social engineering threats.

NPM supply chain attacks in 2025 show how compromised packages can spread malware to billions of downloads. Learn what TIDE recommends to reduce developer and enterprise risk.

Get actionable intelligence on Iranian cyber threat actors including APT42, APT33, and APT34. Learn their tactics and how to defend your organization in UltraViolet Cyber’s Q3 2025 Threat Advisory.

Download UltraViolet Cyber’s Airport & City Threat Intelligence Report. Get expert insights into ransomware, IoT exploits, and supply chain attacks targeting public infrastructure.

‘Hunters International’ runs a Ransomware-as-a-Service (RaaS) organization, with a focus on exfiltrating data over ransom extortion. ‘Hunters International’ (HI) know that most organizations do not pay ransoms and instead focus...

A backdoor specific to Windows devices has been discovered, delivered via recruitment-themed phishing campaigns. Elastic Security Labs has dubbed the backdoor ‘WARMCOOKIE’ due to data transfer across the HTTP cookie parameter...

MFA Bypass remains a popular and effective technique used in credential access and compromise of user accounts. Cisco Talos reports exploitation of MFA weaknesses involved in roughly 50% of engagements...

MuddyWater, the Iranian cyber espionage group associated with Iran’s Ministry of Intelligence (MOIS) has leaked part of their new backdoor tool, dubbed ‘BugSleep’. This advanced persistent group (APT) is known for...

RansomHub is a threat actor group offering a Ransomware-as-a-Service (RaaS) business model to affiliates for quick entry into, or expansion in, cybercrime. Regardless of the possibility of RansomHub being a re-branded operation...

After Microsoft finally disabled macros by default for files which bear the ‘Mark of the Web’ (MotW) flag, threat actors adapted by changing their initial infection vector. After initially switching to ISO and ZIP files, to MSI and LNK files...

In a constantly evolving digital landscape, adversaries are continuously devising new tactics and techniques to bypass security measures and compromise victim networks. A known documented method threat actors have been observed leveraging is...

Black Basta was at it again with a ransomware attack against Ascension healthcare system in the United States. Check out our latest report for detailed analysis (Tactics, Techniques and Procedures) and mitigation strategies...

Dive into our latest report on QakBot malware for a comprehensive technical analysis. Discover its evolution, attack methods, and effective defense strategies to protect your organization...

Zloader malware is back in action! This in-depth technical analysis unveils its latest attack methods, explores its evolution, and provides crucial detection helping organizations minimize security risks...

Three new exploited vulnerabilities found within Cisco’s ASA and FTD software labeled CVE-2024-20353 (CVSS score 8.6), CVE-2024-20359 (CVSS score 6.0), and CVE-2024-20358 (CVSS score 6.0). CISA strongly recommends affected Cisco customers apply the patches as quickly as their patch policy allows...

The UltraViolet Security Operations Center (SOC) monitors security events and detections 24 hours a day, 7 days a week. During our security operations, we can analyze various stages of Cyber-attacks using ingested logs, tools, threat intelligence and human intelligence...

A recent vulnerability labeled CVE-2024-3094 has been detected within the XZ Utils package. It affected the versions of xz/liblzma 5.6.0 and 5.6.1 before being quickly discovered by the OSS community...

The ‘Loop DoS’ attack generally follows this pattern: a threat actor identifies two DNS resolvers with a configuration which causes the servers to respond to messages with an error message of their own.

ZeroLogon is a Windows Netlogon vulnerability first detected in 2020. CVE-2020-1472 was assigned for this vulnerability. While Microsoft has released appropriate patching for this vulnerability following its discovery with several updates...

A proof-of-concept RCE (Remote Code Execution) exploit was co-discovered by researchers against Fortinet's FortiClient Enterprise Management Server (EMS); FortiClient EMS 7.2 (Versions 7.2.0 through 7.2.2) and FortiClient EMS 7.0 (7.0.1 through 7.0.10)...

RCE flaws found in ScreenConnect came into light recently. Identified vulnerabilities were CVE-2024-1709 and CVE-2024-1708. Exploiting this flaw, attackers could upload malicious files, bypass authentication and potentially gain control user account...

Learn how a sophisticated phishing campaign exploited a leading email service, intricating tactics like hiding malicious links in plain sight, replicating 2FA forms...

Tor Webtunnel, a sophisticated technology designed to mimic encrypted web traffic, to assist users in heavily censored regions, enabling bad actors to hide in plain sight with layered protection...

ThievingFox a collection of post-exploitation tools was developed initially for the purpose of legal and ethical penetration testing, the code and functionality may be altered to allow threat actors to employ ThievingFox for a variety of malicious intentions...

ResumeLooters represent a cybercriminal group, utilize a combination of SQL Injection and Cross-Site Scripting (XSS) attacks to compromise websites. These methods allow them to bypass security measures and access databases containing sensitive user information...

The past 30 days have not been great for Ivanti services. Four vulnerabilities related to Connect Secure have been disclosed throughout the course of the...

As technology progresses, defensive as well as offensive measures for security constantly evolve. Security researchers consistently find new ways to exploit...

LockBit 3.0 is the latest iteration of a longstanding, very effective, ransomware as a service (RaaS) group. This strain of malware operates by...

XWorm, ironically, behaves like a Remote Access Trojan (RAT) and includes multiple defensive measures against inspection by security researchers

Akira Ransomware Threat Actors Observed Targeting Cisco ASA SSL VPNs with Credential Stuffing Attacks

UltraViolet Cyber: Tear down the walls between red and blue teams & address risk exposure when it’s discovered—not weeks later.

Eliminate the risks of separate red and blue-teams by creating continuously optimized cybersecurity for the modern, constant-threat landscape.

Stay ahead of risk with automated penetration testing and remediation.

Simply generating alerts is not enough to thwart your adversaries. For true protection, shift to focusing on outcomes... at machine-speed!

There’s a Better Operator in You! Create Superior Red Team Operations by Outstripping Countermeasures & Cross-Platform Deep Pivoting

How prepared is your organization for a cybersecurity attack, like ransomware?

UVC is dedicated to partnering with our Federal customers to secure our Nations IT Services.

Eliminate the risks of separate red and blue-teams by creating continuously optimized cybersecurity for the modern, constant-threat landscape.