Cybersecurity has evolved beyond issues of ransomware, data loss, or reputational damage; it is now a fundamental matter of national security. The 2026 State of Security Report released by Recorded Future confirms that government-backed cyber operations aimed at espionage and disruption have become commonplace. Geopolitics is now a significant risk factor for organizations, transforming cybersecurity into a strategic challenge heavily influenced by state behavior. International tensions and
A new report from blockchain data platform Chainalysis has revealed a significant rise in the use of cryptocurrency for illicit activities related to human trafficking. The research indicates that cryptocurrency payments to suspected human trafficking services increased by 85% year-on-year in 2025, with the total value reaching hundreds of millions of dollars across the identified services. The findings shed light on how criminal networks are adapting their financial operations, using digital
Sentinel Labs has provided a keen look into LLMs and SOC operations. For security teams, AI promised to write secure code, identify and patch vulnerabilities, and replace monotonous security operations tasks. Its key value proposition was raising costs for adversaries while lowering them for defenders.
To evaluate whether Large Language Models (LLMs) were both sufficiently performant and reliable to be deployed in the enterprise, a wave of new benchmarks was created. In 2023, these early benc
SentinelLABS has been researching how large language models (LLMs) are impacting cybersecurity for both defenders and adversaries. As part of our ongoing efforts in this area and our well-established research and tracking of crimeware actors, researchers have been closely following the adoption of LLM technology among ransomware operators. Analysts have observed that three structural shifts appear to be unfolding in parallel.
First, the barriers to entry continue to fall for those intent on cy
While analyzing one of the affiliate programs, Doctor Web’s researchers discovered a unique piece of malware with clicker functionality and named it Trojan.ChimeraWire. This malware targets computers running Microsoft Windows and is based on the open-source projects zlsgo and Rod for automated website and web application management.
Trojan.ChimeraWire allows cybercriminals to simulate user actions, artificially inflating a website's behavioral metrics and thereby boosting its search engine rankings.
The Russian government's relationship with its cybercriminal ecosystem has transitioned from passive tolerance to active state management, marking a strategic shift. This report, covering 2024–2025, details the "Dark Covenant 3.0," characterized by selective enforcement, choreographed arrests, and direct coordination between criminal leaders and Russian intelligence intermediaries.
Insikt Group found that Russia leverages these criminal groups as geopolitical tools, with detentions and releases
Over the past year, FortiGuard Labs has been tracking a stealthy malware strain exploiting a range of vulnerabilities to infiltrate systems. Initially disclosed by a Chinese cybersecurity firm under the name “Gayfemboy,” the malware resurfaced in July with new activity, targeting vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco, and exhibiting signs of evolution in both form and behavior. This Fortinet research presents an in-depth analysis of Gayfemboy, r
Cybersecurity researchers are warning of a "significant spike" in brute-force traffic aimed at Fortinet SSL VPN devices. The coordinated activity, per threat intelligence firm GreyNoise, was observed on 03 August 2025, with over 780 unique IP addresses participating in the effort. As many as 56 unique IP addresses have been detected over the past 24 hours. All the IP addresses have been classified as malicious, with the IPs originating from the United States, Canada, Russia, and the Netherlan
Why hack when hackers are willing to sell guaranteed access to breached networks? Increasingly, cybercrooks agree they would rather outsource than bother with the tedium of actual network penetration, leading to a flourishing initial access market. Remote access to a victim's network now retails for an average price of $2,700, although about 40% of what's being sold goes for much less, $500 to $1,000, as noted in a report from cybersecurity firm Rapid7. Research is based on listings posted over
In early July 2025, a new DarkCloud campaign was observed in the wild by Fortinet’s FortiGuard Labs team. It began with a phishing email containing an attached RAR archive. Fortinet subsequently investigated this campaign and conducted a step-by-step analysis. DarkCloud is a known stealthy Windows-based information-stealer malware that was first identified in 2022. It is designed to steal sensitive information from the victim’s computer, including saved login credentials, financial data, conta
The FortiCNAPP team, part of FortiGuard Labs, recently investigated a cluster of virtual private servers (VPS) used for Monero mining. The identified samples are associated with prior H2Miner campaigns that we documented in 2020 and have since been updated with new configurations. H2Miner is a crypto-mining botnet that has been active since late 2019.
Researchers also identified a new variant of the Lcryx ransomware, called Lcrypt0rx. Lcryx is a relatively new VBScript-based ransomware strain fi
Cybersecurity researchers have observed a surge in identity-driven cyberattacks targeting employee login credentials. According to a new report by eSentire’s Threat Response Unit (TRU), between 2024 and the first quarter of 2025, 19,000 identity-related cyber investigations revealed a 156% increase in such threats compared to 2023. These incidents now account for 59% of all confirmed threats across eSentire’s customer base of over 2000 organizations.[1]
One of the biggest enablers of this tre
The analysis from Fortinet below is part of an incident investigation led by their Incident Response Team. Their researchers discovered malware that had been running on a compromised machine for several weeks. The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process. Although obtaining the original malware executable was difficult, a memory dump of the running malware process and a full memory dump of the compromised machine (the “fullout” file,