TTPwire Vol. 1 · MITRE ATT&CK·Tagged


The Hacker News

⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More

The Hacker News · 2 days ago

ATT&CK techniques detected

24 predictions
T1195.001 Compromise Software Dependencies and Development Tools · 98%
“KICS, a Checkmarx-developed tool for static code analysis. Amit Genkin, threat researcher at Upwind, said the latest string of attacks represents a shift, where they are not only more frequent but harder to detect because they weaponize legitimate CI/CD pipelines to push out …”

T1204.002 Malicious File · 97%
“to deliver a JavaScript trojan. The end goal is to obtain confidential data, particularly geospatial information. Alternatively, the threat actor is known to distribute malicious code using the legitimate SourceForge platform through a project called GearUp. Versatile Werewolf is…”

T1566.002 Spearphishing Link · 93%
“projects as lures to deliver malware. "The email carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from a BunnyCDN-hosted malicious infrastructure," Joe Security said. "The attack ch…”

T1486 Data Encrypted for Impact · 90%
“…thub.com, it allowed remote code execution on shared storage nodes, and on GitHub Enterprise Server, it granted full server compromise, enabling unauthorized access to all hosted repositories and internal secrets. "Exploitation could expose the codebases of nearly all of the …”

T1566.001 Spearphishing Attachment · 86%
“projects as lures to deliver malware. "The email carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from a BunnyCDN-hosted malicious infrastructure," Joe Security said. "The attack ch…”

T1566.001 Spearphishing Attachment · 82%
“…sApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras." Assessed to be the work of a Greek-speaking developer, it's available on a subscription basis starting from $60, allowing anyone to buy it, rebrand it, and start …”

T1657 Financial Theft · 81%
“caused significant financial damage, totalling at least €50 million," Europol said. "The call centres were professionally set up and organized, resembling legitimate business structures featuring a clear division of roles and hierarchical management." The criminal network is e…”

T1195.001 Compromise Software Dependencies and Development Tools · 80%
“…ri and Xint, CVE-2026-31431 was the result of a series of unremarkable updates to the Linux kernel over the years, particularly one update from 2017 that was meant to speed up data encryption. As a result, all major Linux distributions from 2017 are impacted. What complicat…”

T1566.002 Spearphishing Link · 78%
“. This included 893 customer email addresses that were embedded in feature flag targeting rules, along with one flag that improperly referenced a customer's API token. "The exposure was limited to 893 customer email addresses used in feature flag targeting rules to control whi…”

T1588.006 Vulnerabilities · 73%
“…04 (SonicWall), CVE-2026-35414 (OpenSSH), CVE-2026-42511 (FreeBSD), CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, CVE-2026-40687 (Exim), CVE-2026-5402, CVE-2026-5403, CVE-2026-5405, CVE-2026-5656 (Wireshark), CVE-2026-4252…”

T1567 Exfiltration Over Web Service · 72%
“capabilities to steal Telegram Desktop session data via Telegram Bot API exfiltration. "The script collects host metadata, including username, hostname, and public IP via api.ipify[.]org, then checks for Telegram Desktop and Telegram Desktop Beta tdata directories," Flare s…”

T1190 Exploit Public-Facing Application · 72%
“initial access hooks to remove and set up multi-factor authentication devices under their control and delete emails that would otherwise alert organizations of potential malicious activity. According to CrowdStrike, "these actors use vishing to bypass MFA and move laterally ac…”

T1566.002 Spearphishing Link · 70%
“. A pro-Iranian hacktivist group known as the Islamic Cyber Resistance in Iraq, aka 313 Team, claimed responsibility for the attack on Telegram. The websites have since become operational. Last month, the group also disrupted access to the decentralized social media platform Bl…”

T1588.006 Vulnerabilities · 56%
“Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More. This week, the shadows moved faster than the patches. While most teams were still triaging last month's alerts, attackers had already turned control panels into kill switches, kernels in…”

T1566.002 Spearphishing Link · 54%
“and lookalike domains, to drive financial fraud and credential harvesting as part of an effort called GovTrap. The government impersonation scam mimics official portals with high accuracy, with links to the fake sites distributed via SMS or email. The end goal is to trick users i…”

T1059.001 PowerShell · 47%
“that also hosts fake domains linked to the GOFFEE APT. "Both groups actively use PowerShell payloads to deliver and execute malicious modules," it added. "GOFFEE also targets the public sector, which suggests the possibility of joint or coordinated campaigns." - Cisco unveils…”

T1219 Remote Access Tools · 46%
“their device, and once obtained, threat actors will attempt to exfiltrate data and execute additional payloads to establish persistence or deploy ransomware." - New KarstoRAT malware enables data theft — first spotted in early 2026, KarstoRAT is capable of system reconnaissance,…”

T1498.001 Direct Network Flood · 44%
“a residential proxy network. "These routers were also running a custom command-and-control beacon that was named ShadowLink," Ctrl-Alt-Intel said. "When we analysed the ShadowLink protocol, we found it was identical, down to a shared authentication secret, to the backd…”

T1598.002 Spearphishing Attachment · 44%
“projects as lures to deliver malware. "The email carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from a BunnyCDN-hosted malicious infrastructure," Joe Security said. "The attack ch…”

T1584.008 Network Devices · 41%
“a residential proxy network. "These routers were also running a custom command-and-control beacon that was named ShadowLink," Ctrl-Alt-Intel said. "When we analysed the ShadowLink protocol, we found it was identical, down to a shared authentication secret, to the backd…”

T1566.001 Spearphishing Attachment · 38%
“to deliver a JavaScript trojan. The end goal is to obtain confidential data, particularly geospatial information. Alternatively, the threat actor is known to distribute malicious code using the legitimate SourceForge platform through a project called GearUp. Versatile Werewolf is…”

T1587 Develop Capabilities · 35%
“KICS, a Checkmarx-developed tool for static code analysis. Amit Genkin, threat researcher at Upwind, said the latest string of attacks represents a shift, where they are not only more frequent but harder to detect because they weaponize legitimate CI/CD pipelines to push out …”

T1059.001 PowerShell · 33%
“to deliver a JavaScript trojan. The end goal is to obtain confidential data, particularly geospatial information. Alternatively, the threat actor is known to distribute malicious code using the legitimate SourceForge platform through a project called GearUp. Versatile Werewolf is…”

T1583.005 Botnet · 30%
“a residential proxy network. "These routers were also running a custom command-and-control beacon that was named ShadowLink," Ctrl-Alt-Intel said. "When we analysed the ShadowLink protocol, we found it was identical, down to a shared authentication secret, to the backd…”

Summary

This week, the shadows moved faster than the patches. While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems. The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling