Threats Affecting United States

An exposed attacker server has unveiled FortiBleed, a large-scale credential-compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways globally. This operation involved credential harvesting through reuse, brute force, and hash cracking using a distributed GPU infrastructure with approximately 36 rented GPUs via Hashtopolis. The exposed directory contained 319 files revealing scanning tools, cracking infrastructure, credential databases, post-exploitation toolkits, and active VPN configurations. While initially reported as affecting 21,632 domains, analysis of the attacker's own tooling reveals only 918 organizations showed evidence of internal network compromise, with merely 148 confirmed cases where credentials were fully cracked. The operation ultimately aimed to sell initial access to compromised networks, with victims spanning 194 countries, predominantly India, United States, and Taiwan.

MediumCampaignUnited StatesBritish Indian Ocean TerritoryColombia+3#vpn compromise#hash cracking#fortibleed

A previously undocumented Windows loader designated as OXLOADER delivers the CASTLESTEALER infostealer through malicious Google Ads campaigns, achieving remarkably low detection rates. The loader employs multiple obfuscation layers including control-flow flattening, opaque predicates, and mixed Boolean-Arithmetic techniques, along with self-modifying decryption stubs and abuse of the Windows .reloc section for shellcode staging. Distribution occurs via malvertising impersonating Node.js installations, redirecting victims through intermediary domains to Storj-hosted batch scripts. The loader implements five anti-VM and language checks, including CIS-region and Russian-language exclusions, suggesting a financially motivated Russian-speaking threat actor. OXLOADER uses DonutLoader to deliver the .NET-based CASTLESTEALER payload in memory, evading traditional detection mechanisms through deliberate engineering choices.

MediumMalwareUnited States#oxloader#donutloader#reloc section abuse

Global law enforcement, including agencies from the Netherlands, Canada, United States, and Germany, coordinated Operation Endgame to disrupt TA569, a prominent cybercriminal group tracked since 2018. The operation targeted SocGholish infrastructure, taking down over 100 servers and domains while remediating 14,971 compromised websites. TA569 pioneered web inject techniques using fake browser updates to distribute malware, often leading to ransomware attacks. The group compromised high-traffic websites across multiple industries, affecting millions of visitors globally. Their attack chains involved traffic distribution systems like Keitaro TDS and ParrotTDS, delivering GhoLoader payloads that could lead to ransomware deployment in enterprise environments. Law enforcement actions included server disruption and website disinfection, significantly impacting the threat actor's operations, infrastructure, and reputation within the cybercriminal ecosystem.

MediumMalwareUnited StatesAustraliaCanada+2#gholoader#operation endgame#ransomhub

A sophisticated espionage campaign attributed to UNC6508, a China-nexus threat actor, targeted North American academic, medical, and military research institutions for over a year. The adversary exploited REDCap servers, deployed custom INFINITERED malware to harvest credentials, and maintained persistent access through trojanized legitimate files that survived software upgrades. After remaining undetected for more than a year, the threat actor pivoted to administrative accounts and created malicious content compliance rules to silently exfiltrate emails containing defense intelligence, Indo-Pacific command operations, artificial intelligence research, uncrewed vehicle systems, cyber programs, and medical research data. The operation employed sophisticated techniques including obfuscation networks routing through US-based infrastructure, compromised routers, and dedicated exfiltration accounts, demonstrating advanced operational security aligned with strategic intelligence collection requirements.

MediumMalwareUnited StatesCanada#medical research targeting#unc6508#infinitered

An FBI investigation identified Denis Nikolayevich Obrezko, a Russian national, as facilitating cyber intrusions conducted by the Russia-aligned threat group Void Blizzard. Between June and July 2024, multiple U.S. companies across various sectors were targeted in a large-scale cyber espionage campaign involving mass email harvesting and unauthorized access. The threat actors utilized stolen session tokens, proxy services, and VPNs to authenticate to victim Office 365 environments and exfiltrate data. Obrezko allegedly obtained critical infrastructure including a virtual private server and domain registration used in these attacks. FBI investigation linked Obrezko through cryptocurrency transactions, email accounts, phone numbers, and IP addresses to domains and infrastructure used in the intrusion campaign. Eleven U.S. companies have confirmed unauthorized access, representing only a fraction of suspected victims nationwide.

MediumCampaignUnited States#void blizzard#cryptocurrency#denis obrezko

US Federal authorities have seized 13 domains allegedly used in a Chinese intelligence-linked operation to recruit Americans with access to classified government information. The websites posed as legitimate consulting firms, offering vague consultancy and advisory roles to current and former US government employees, military personnel, and security clearance holders. The operation, which began in November 2023, used fake company websites, online job postings, and social media recruiting to approach potential targets. Recruiters offered paid consulting work, then pressured candidates to share confidential insider information. The campaign employed false personas, stolen identities, AI-generated profile photos, encrypted messaging, cryptocurrency, and fake contracts to appear legitimate. Job postings appeared on platforms including Upwork, Expertia AI, and Hubstaff Talent, covering topics aligned with Chinese government interests.

MediumCampaignUnited States#job platforms#security clearance#recruitment operation

Between April and May 2026, a likely North Korean threat actor conducted phishing campaigns targeting developers across nearly 100 organizations in finance, cryptocurrency, education, and technology sectors. The attacks used recruitment and code review themes, delivering emails with links to actor-controlled GitHub repositories hosting malicious scripts. The infection chain exploited Visual Studio Code workflows and deployed malicious Visual Studio Extensions (VSIX) requiring minimal user interaction. Cross-platform malware was executed on macOS, Linux, and Windows systems, including the open-source Overlord framework. The campaigns specifically targeted developer assets including API tokens, cryptocurrency wallets, and credentials. Attackers employed fake company personas and professional-looking repositories masquerading as legitimate cryptocurrency and blockchain projects to establish credibility and lure victims.

MediumMalwareUnited States#wallet exfiltration#ottercookie#cryptocurrency theft

From January through May 2026, a financially motivated data theft extortion campaign executed by threat cluster UNC3753 targeted dozens of organizations across professional, legal, and financial services in the United States. The threat actors leverage voice phishing and social engineering techniques, posing as IT support to convince targets to host screen-sharing sessions and download remote monitoring and management utilities. Once inside environments, they conduct searches to locate and exfiltrate highly sensitive data including proprietary legal agreements, personally identifiable information, and financial records for subsequent extortion demands. The entire attack sequence often occurs within a single business day, with recent incidents showing data theft initiated in under an hour. Notably, threat actors have also accessed victims' systems in person, with individuals posing as IT technicians entering corporate offices to attempt direct exfiltration using USB storage media.

MediumMalwareUnited States#silentnight#bazarloader#ursnif

Over 900 automatic tank gauge (ATG) systems across the United States, used to monitor fuel and chemical storage tanks across various critical infrastructure sectors, have been found exposed online and are vulnerable to ongoing attacks. [...]

CriticalVulnerabilityUnited States

The WeedHack malware campaign is a large-scale operation targeting Minecraft players by distributing malicious mods, clients, cheats, and utilities. Since January 2026, it has infected over 116,000 systems globally, primarily in the US, Germany, India, and the UK. The malware operates as a malware-as-a-service (MaaS) infostealer, offering free and premium tiers that steal credentials, session IDs, cookies, and cryptocurrency wallet data, and provide remote access capabilities. Distribution relies heavily on YouTube videos and SEO poisoning to lure victims to malicious download sites. The campaign's scale is reflected in thousands of unique malicious files and hundreds of distribution URLs. Users are advised to only download Minecraft mods from official sources and use the in-game Marketplace for safety.

MediumMalwareUnited StatesGermanyIndia+1