09 Jul, 2026

JadePuffer ransomware used AI agent to automate entire attack

Researchers identified what they believe is the first documented case of a ransomware operation, JadePuffer, conducted entirely by a large language model (LLM) agent. According to cloud security company Sysdig, JadePuffer used an autonomous AI agent for reconnaissance on the target, to steal credentials, move laterally, establish persistence, escalate privileges, and to encrypt data. The […]

3 mins read

FortiBleed credential-theft campaign linked to Lynx ransomware

The massive FortiBleed credential theft campaign has been linked to the INC and Lynx ransomware operations, suggesting the stolen Fortinet credentials were intended to fuel future network intrusions. Earlier this month, a server containing credentials stolen from more than 73,000 Fortinet devices was discovered exposed on the internet. Researchers found the server contained downloaded FortiGate […]

3 mins read

Blackfield ransomware asks Nidec Corporation for $2 million ransom

The Blackfield ransomware gang is asking for a $2 million ransom from Nidec Corporation, a large Japanese manufacturer of electronic components for automotive and computing applications. Nidec is a leader in producing motors of all sizes, from micro-precision ones used in phones and hard drives to heavy-duty motors for robotics,  elevators, and large HVAC systems. […]

2 mins read

CISA: Windows BlueHammer flaw now exploited by ransomware gangs

CISA confirmed on Monday that ransomware gangs have begun exploiting a high-severity Microsoft Defender privilege escalation vulnerability that has previously been abused in zero-day attacks. Dubbed BlueHammer, the security flaw (CVE-2026-33825) was leaked by a security researcher known as “Nightmare Eclipse” in early April, together with proof-of-concept exploit code, in protest at how the Microsoft Security Response […]

2 mins read

Stealthy Mistic backdoor linked to ransomware access broker KongTuke

A new backdoor dubbed Mistic has been observed in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors. The malware is believed to be linked to KongTuke/Woodgnat, an initial access broker active since at least 2024 that specializes in compromising corporate networks and selling that access to ransomware groups, including […]

3 mins read

New Prinz Eugen ransomware prioritizes recent files for encryption

A new ransomware operation named ‘Prinz Eugen’ prioritizes recently modified files for encryption and leaves no ransom note on the system. An investigation from Threatdown, the former corporate business unit of Malwarebytes, found that the Prinz Eugen hackers have a hands-on-keyboard style and prefer to use legitimate remote monitoring and management (RMM) software and living-off-the-land […]

3 mins read

Gentlemen ransomware uses multiple EDR killers to disable defenses

The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks. The gang employs a collection of EDR-killing tools, most notably a utility that researchers dubbed GentleKiller. The tool has at least eight variants and impersonates various legitimate security products, including Kaspersky, […]

2 mins read

Ransomware gang abuses Microsoft Teams relays to hide malicious traffic

DragonForce ransomware used a custom malware named ‘Backdoor.Turn’ to hide command-and-control traffic inside Microsoft Teams relay infrastructure. The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network). DragonForce is a ransomware operation active since […]

3 mins read

Ukrainian national pleads guilty to role in Conti ransomware operation

A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. The U.S. Department of Justice announced Thursday that 44-year-old Oleksii Oleksiyovych Lytvynenko pleaded guilty to conspiracy to commit wire fraud for his role in Conti ransomware attacks conducted between 2021 and […]

2 mins read

Authorities dismantle ‘AudiA6’ ransomware crypto-laundering service

Law enforcement has dismantled the “AudiA6” cryptocurrency service allegedly used by ransomware actors and other cybercriminals to launder more than $380 million. Europol says that the service has been linked to more than 15 distinct international investigations of ransomware attacks. It is believed that the platform acted as a central money laundering hub between 2022 and 2025. […]

3 mins read