Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threat Intelligence
Click on any threat for detailed analysis and mitigation recommendations
Shared Claude Chats Meet ClickFix 0 A ClickFix campaign has been identified that abuses Anthropic's Claude platform through shareable chat links to distribute MacSync Stealer targeting macOS users. Attackers utilized malvertising with paid Google ads to direct victims searching for Claude-related terms to malicious shared Claude chats falsely labeled as 'Apple Support.' These chats contained obfuscated installation commands that, when executed, deployed a multi-stage infection chain. The malware steals credentials from browsers and password managers, cryptocurrency wallet data, sensitive files, and system information. The campaign ran from June 12-19, 2026, targeting primarily Mac users with Russian-language comments in the code suggesting Russian-speaking threat actors. Domains used adopted themes related to U.S. local services to appear legitimate. Join the discussion | AlienVault OTX General | 07/15/2026, 16:14:14 UTC Added: 07/15/2026, 22:03:24 UTC |
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload 0 Eleven malicious NuGet packages distributed as .NET command-line tools masquerade as game utilities and cheats for popular games including Albion Online, GTA5RP, GrandRP, and Throne and Liberty. Each package functions as a first-stage downloader that uses DNS-over-HTTPS to bypass local controls, requests UAC elevation to resync system time, and fetches a second-stage PyInstaller payload named pepesoft.exe from GitHub and Hugging Face under username pepegit666. The payload binds to hardware fingerprints, enforces licensing through Google Sheets telemetry, honors remote ban-lists, and in three variants exposes Telegram bot commands enabling screenshot capture and remote control. All packages share identical AWS credentials and mutex identifiers, linking them to a single Russian-speaking operator running a commercial game-automation service marketed through pepesoft.ru and Telegram channel pepesoft777. Join the discussion | AlienVault OTX General | 07/15/2026, 16:29:28 UTC Added: 07/15/2026, 22:03:24 UTC |
Operation Fake KickOff: Attackers Abuse Recruiters and SaaS to Harvest Work Credentials 0 A sophisticated multi-stage phishing operation has been active since April 2025, systematically exploiting legitimate SaaS platforms and cloud services to steal corporate credentials. The campaign utilizes 232 phishing domains and 80 command-and-control servers, primarily impersonating human resources consulting firms, with Robert Half Inc. and Aquent LLC representing 50% of targeted brands. Attackers leverage legitimate platforms like Salesforce, SendGrid, and Zoho for email delivery, directing victims to fake Calendly interview pages that mimic real recruiter identities. The operation deploys an adversary-in-the-middle toolkit using browser-in-the-box techniques to create replica Google sign-in pages, capable of harvesting credentials and bypassing MFA through email, SMS, Google Authenticator, and prompt notifications. The campaign specifically targets corporate email accounts, filtering out personal providers, with stolen data exfiltrated to Render-hosted servers and Telegram bots. Join the discussion | AlienVault OTX General | 07/15/2026, 20:49:51 UTC Added: 07/15/2026, 22:03:24 UTC |
Fake crypto scams try to piggyback off SpaceX IPO 0 Scammers are exploiting public interest in the SpaceX IPO through fraudulent investment portals impersonating SpaceX, Elon Musk, and major financial brands including Fidelity and Robinhood. The campaign uses themed domains to lure victims into fake onboarding processes that mimic legitimate investment procedures, including W-8BEN tax forms for non-U.S. investors. Victims are asked to select investment tiers and ultimately directed to deposit funds via cryptocurrency wallets for Bitcoin, Ethereum, and USDT. The operation mirrors techniques used by threat actor TA2730 but focuses on direct cryptocurrency theft rather than credential harvesting. One Bitcoin wallet associated with the campaign received approximately $8,700. The infrastructure includes randomized domains and SpaceX-themed domains designed to appear legitimate during the investment process. Join the discussion | AlienVault OTX General | 07/15/2026, 20:49:52 UTC Added: 07/15/2026, 22:03:24 UTC |
Dutch police bust investment fraud ring stealing over €100 million 0 Dutch police arrested multiple individuals involved in an international investment fraud ring that operated call centers to deceive tens of thousands of victims. The scheme used fake investment platforms showing fictitious profits to convince victims to transfer funds, mainly via cryptocurrency. The criminal organization reportedly made over €100 million per month at its peak and has been active since at least 2021. The main suspect, a known hacker, was arrested and extradited to the Netherlands. Authorities linked at least 550 fraud reports and $28.6 million in losses to this group. The fraudsters used technical means to conceal their identities and locations, complicating law enforcement efforts. MediumVulnerability Join the discussion | Bleeping Computer | 07/15/2026, 21:55:50 UTC Added: 07/15/2026, 22:03:09 UTC |
CVE-2026-63175: CWE-613 Insufficient Session Expiration in Lookyloo PlaywrightCaptureCVE-2026-63175 0 Lookyloo PlaywrightCapture versions up to 1.40.2 suffer from insufficient session expiration due to mutable class-level variables used for capture-specific data. This flaw allows multiple capture objects within the same Python process to share sensitive state such as HTTP headers, cookies, credentials, and proxy settings. As a result, in multi-user or concurrent deployments, data from one capture session may leak into another, risking unauthorized access and data disclosure. The vulnerability is addressed by refactoring the code to use instance-level variables for isolation between captures. Join the discussion | CVE Database V5 | 07/15/2026, 21:26:26 UTC Added: 07/15/2026, 21:48:21 UTC |
CVE-2026-55445: CWE-287: Improper Authentication in whyour qinglongCVE-2026-55445 0 Qinglong, a timed task management platform, has an authentication bypass vulnerability prior to version 2.20.1. The issue arises because the init guard middleware checks the /api/user/init endpoint but not the /open/user/init endpoint. Due to a rewrite rule that applies after authentication checks, an unauthenticated attacker can send a PUT request to /open/user/init to reset administrator credentials on an already initialized instance. This vulnerability is classified as improper authentication (CWE-287) and has a critical severity with a CVSS score of 9.3. The issue is fixed in version 2.20.1. Join the discussion | CVE Database V5 | 07/15/2026, 21:20:01 UTC Added: 07/15/2026, 21:48:21 UTC |
CVE-2026-54458: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideoCVE-2026-54458 0 WWBN AVideo versions prior to 29.0 contain a stored DOM-based Cross-Site Scripting (XSS) vulnerability in the YPTSocket plugin. An unauthenticated attacker can exploit this flaw by sending crafted WebSocket connection parameters that are stored and broadcast to all connected clients, including administrators. This leads to arbitrary JavaScript execution in the context of the admin dashboard, enabling theft of cookies, CSRF tokens, and full administrative takeover. The vulnerability has been patched in version 29.0. Join the discussion | CVE Database V5 | 07/15/2026, 21:33:27 UTC Added: 07/15/2026, 21:48:21 UTC |
CVE-2026-45313: CWE-284: Improper Access Control in sandboxie-plus SandboxieCVE-2026-45313 0 Sandboxie-Plus versions prior to 1.17.6 contain an improper access control vulnerability in the GuiServer component. This flaw allows a sandboxed process to supply thread and function pointer handles that are not validated, enabling execution of arbitrary code in an unsandboxed host process with SYSTEM privileges. The issue is fixed in version 1.17.6. Join the discussion | CVE Database V5 | 07/15/2026, 21:21:23 UTC Added: 07/15/2026, 21:48:21 UTC |
CVE-2026-30623: n/aCVE-2026-30623 0 LiteLLM version 1.18.10 contains a remote code execution vulnerability in its MCP server creation functionality. The application accepts JSON configurations to add MCP servers, which include arbitrary command and argument values. These values are executed on the host system without validation, allowing attackers to execute arbitrary operating system commands. Exploitation results in remote code execution with the privileges of the LiteLLM process. Join the discussion | CVE Database V5 | 07/15/2026, 00:00:00 UTC Added: 07/15/2026, 21:48:21 UTC |
Showing 1 to 10 of 11986 results