Over Security

Google says hackers are abusing Gemini AI for all attacks stages
Google Threat Intelligence Group (GTIG) has published a new report warning about AI model extraction/distillation attacks, in which private-sector firms and researchers use legitimate API access to systematically probe models and replicate their logic and reasoning.
·bleepingcomputer.com·
Windows 11 Notepad flaw let files execute silently via Markdown links
Microsoft has fixed a "remote code execution" vulnerability in Windows 11 Notepad that allowed attackers to execute local or remote programs by tricking users into clicking specially crafted Markdown links, without displaying any Windows security warnings.
·bleepingcomputer.com·
Patch Tuesday February 2026: 59 bugs fixed, six zero-days and a clear signal for CISOs
For the February 2026 Patch Tuesday, Microsoft released updates for 59 vulnerabilities, including six zero-days that have reportedly already been widely exploited in real-world attacks. Focus on RCE, privilege escalation and Windows security. Here are all the details
·cybersecurity360.it·
Crazy ransomware gang abuses employee monitoring tool in attacks
A member of the Crazy ransomware gang is abusing legitimate employee monitoring software and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment.
·bleepingcomputer.com·
Police arrest seller of JokerOTP MFA passcode capturing tool
The Netherlands Police have arrested a 21-year-old man from Dordrecht, suspected of selling access to the JokerOTP phishing automation tool that can intercept one-time passwords (OTP) for hijacking accounts.
·bleepingcomputer.com·
Proactive strategies for cyber resilience with Wazuh
Cyber resilience means anticipating threats, detecting them early, and recovering fast when incidents occur. Wazuh shows how its open source SIEM and XDR unify visibility, detection, and automated response to strengthen proactive defense.
·bleepingcomputer.com·
LummaStealer infections surge after CastleLoader malware campaigns
A surge in LummaStealer infections has been observed, driven by social engineering campaigns leveraging the ClickFix technique to deliver the CastleLoader malware.
·bleepingcomputer.com·
ACN report on infostealers: recommendations against the phantom vector of cyber attacks
Infostealers are no longer 'simple' commodity malware. The ACN report highlights how central these tools are to the cybercrime economy, where families such as LummaC2, RedLine and DcRat feed a market of stolen logs and credentials, which in turn enable various criminal practices such as ransomware attacks, BEC and cloud compromises
·cybersecurity360.it·
Evolution of malicious campaigns in Italy: the 2025 numbers
The CERT-AgID summary report shows significant growth, both quantitative and qualitative, in the malicious activity observed, with criminal hackers showing a notable ability to adapt, exploiting established vectors while introducing increasingly refined social engineering techniques. The data
·cybersecurity360.it·
Kimwolf Botnet Swamps Anonymity Network I2P
For the past week, the massive "Internet of Things" (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions…
·krebsonsecurity.com·
Cyber security: the abundance of online training removes every alibi
Free or low-cost training backs companies and individuals against the wall: not knowing how to recognize scams and threats becomes a choice. Here are some platforms to fill the gaps
·cybersecurity360.it·
The GDPR before the judges: what changes after the CJEU ruling on WhatsApp
The ruling of the Court of Justice of the EU on WhatsApp reopens the question of the real balance of power between Big Tech and European regulators. Here is what the CJEU clarified and why it redefines the perimeter of European regulatory power
·cybersecurity360.it·
Lummastealer rises from the ashes: once again the stop is only temporary
The cybercrime ecosystem once again demonstrates extraordinary resilience: less than twelve months after the international takedown operation that seemed to have sealed its end, LummaStealer has re-emerged with a profoundly renewed infection chain. The return of this infostealer is not a simple “rebranding”, but a tactical restructuring that sees the introduction of CastleLoader as …
·securityinfo.it·
The game is over: when “free” comes at too high a price. What we know about RenEngine
We disclose new details about campaigns involving RenEngine and HijackLoader malware. Since March 2025, attackers have been distributing the Lumma stealer in a complex chain of infections, and in February 2026, ongoing attacks using ACR Stealer became known.
·securelist.com·
When Paychecks Become the Prize: A Deeper Look at the Rise of Direct…
Instead, attackers are exploiting identity workflows, trusted access paths, and payroll self-service features to quietly steal money — one paycheck at a time. When identity recovery, trusted access paths, and payroll self-service converge, attackers gain a low-noise path to direct financial theft.

Abuse of Trusted Access Paths
Rather than accessing payroll directly from the internet, the adversary connected through a VDI environment that was implicitly trusted by downstream applications. Prior public reporting on payroll diversion and “payroll pirate” campaigns has largely focused on compromise through phishing or adversary-in-the-middle attacks to capture credentials/MFA, followed by direct access to SaaS platforms via single sign-on and abuse of mailbox rules or OAuth tokens to hide persistence and notifications. The attacker’s pivot to VDI demonstrates an awareness of existing defenses and a tactical evolution: rather than confronting hardened SaaS detection directly, they leveraged an implicitly trusted access path that erodes the effectiveness of conditional access policies and reduces anomalous telemetry, highlighting the need for defenders to correlate identity compromise signals across both identity recovery events and trusted internal access paths rather than treating them as separate domains.

2025: HR & Payroll Identified as First-Class Targets
Industry guidance and HR security reporting increasingly highlighted payroll systems as high-risk assets, noting that self-service payroll changes and limited security telemetry make them attractive targets for attackers seeking fast, low-noise financial gain.

Organizations need to: treat payroll changes as high-risk financial events; elevate identity recovery workflows to the same risk tier as privileged access; break down visibility silos between security, HR, and finance. The next evolution of fraud won’t announce itself with ransomware notes or data leaks.

Payroll Access from Anonymized or High-Risk IP Infrastructure
Alert when payroll systems are accessed from: VPN, proxy, or anonymization services; IPs flagged as high-risk by identity providers; IPs never previously associated with the user. Especially valuable when paired with successful authentication, not failures.
·binarydefense.com·
A “Safe Browsing Blocker” in a Phishing Kit: Technical Analysis and Why It Fails
A February 2026 phishing kit embeds ss1.js, a so‑called SafeBrowsingBlocker that claims to bypass Google Safe Browsing. The analysis shows it cannot affect browser‑level interstitials, only page‑level telemetry, making it largely ineffective. IoCs and technical details inside.
·d3lab.net·
Spam and phishing in 2025
The report contains statistics on spam and phishing in 2025, outlining the main trends: phishing and scam QR codes, ClickFix attacks, ChatGPT subscription lures and others.
·securelist.com·
A short digital security handbook for journalists and activists
Guerre di Rete has a new publication, an ebook titled: Manualetto di sicurezza digitale per giornalisti e attivisti (a short digital security handbook for journalists and activists). Initially the ebook was sent as a preview to the participants in our crowdfunding.
·guerredirete.it·