- Services
- Products
- Compliance
- Markets
- Insights
- About
Threat Intel Update
This week’s theme: attackers exploiting trust signals and legitimate-looking infrastructure to bypass automated defenses.
FortiBleed has evolved from credential harvesting into direct ransomware delivery, now linked to negotiators for INC Ransom and Lynx. ClickFix operators are using on-demand payload servers and an AMSI-bypassing execution technique, while a FIFA World Cup phishing campaign personalized lures to evade three major secure email gateways.
A fake Perplexity AI extension harvested searches and address-bar keystrokes pre-submission. And a leaked Windows Defender zero-day has already moved from proof-of-concept to active ransomware use, proof of how fast disclosed flaws get weaponized when patches lag.
Cybersecurity News
- ClickFix Adds Live Payload Servers, Ducks Antivirus – ClickFix fake “verify you’re human” pages now pull commands from backend servers that generate a unique payload per visit, and a new variant drops payloads into the Downloads folder instead of the clipboard to dodge AMSI scanning. With no exploit or file needed to trigger AV, it’s become a top initial-access method for both criminal and state-linked actors, pushing defenders toward behavior-based detection. The Hacker News
- FortiBleed Credential Theft Now Feeds Ransomware Directly – An operator behind the FortiBleed FortiGate credential-harvesting campaign has been tied to negotiation panels for INC Ransom and Lynx. The campaign scanned over 11,000 FortiGate portals globally, gained admin access on 409 targets, and has already led to at least 12 ransomware deployments, confirming that mass credential theft is a direct pipeline into encryption events, not a standalone risk. The Hacker News
- Personalized World Cup Phishing Lure Slips Past Major Email Gateways – A phishing campaign personalizes emails with the target’s name, employer, and logo, offering a fake FIFA World Cup t-shirt to deliver malware called Voidrift. Hosted on a trusted domain, it bypassed Cisco IronPort, Microsoft ATP, and Abnormal Security, showing that personalization plus trusted hosting can beat layered automated filtering. Hackread
- Fake Perplexity Extension Captured Searches and Keystrokes Pre-Submission – A malicious Chrome extension impersonating Perplexity AI hijacked the default search provider and quietly routed both search queries and address-bar keystrokes to an attacker domain before showing real results. Google pulled it after Microsoft flagged it, but dormant code for expanded redirects and script execution suggests it was built to scale further. The Hacker News
- Leaked Windows Defender Flaw Now Powers Active Ransomware – CISA confirms ransomware groups are exploiting CVE-2026-33825 (“BlueHammer”), a Defender privilege-escalation bug leaked with proof-of-concept code in April and patched shortly after. Unpatched systems remain fully exposed, another case of a disclosed flaw going from leak to weaponized ransomware tool within month. BleepingComputer
Sign Up
To receive Threat Briefings by email.