
The digital town square for the concert band community.

Connect with local ensembles, trade repertoire insights, and keep the pulse of the wind band world.

  • HackerWorkspace
    DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy
    https://research.checkpoint.com/2026/dfir-report-the-gentlemen/
    Read on HackerWorkspace: https://hackerworkspace.com/article/dfir-report-the-gentlemen-systembc-a-sneak-peek-behind-the-proxy
    #cybersecurity #incidentresponse #threatintelligence
  • HackerWorkspace
    LLM as a Judge Evaluation Guide | Promptfoo
    https://www.promptfoo.dev/docs/guides/llm-as-a-judge/
    Read on HackerWorkspace: https://hackerworkspace.com/article/llm-as-a-judge-evaluation-guide-promptfoo
    #cybersecurity #aisecurity #vulnerability
  • ThreatNoir
    CRITICAL: A threat actor operating under the alias spider321 has shared samples of an alleged databa...
    Threat actor spider321 publicly disclosed a database containing ~90,000 records of US law enforcement personnel with full names, emails, phone numbers, IP addresses, and home zip codes. This PII exposes officers to direct targeting, harassment, and social engineering attacks. The breach significant…
    https://threatnoir.com/focus
    #infosec #cybersecurity
  • ThreatNoir
    CRITICAL: 52M-Download protobuf.js Library Hit by RCE in Schema Handling
    A critical RCE vulnerability (CVSS 9.4) was discovered in protobuf.js, a JavaScript library downloaded 52M times monthly. Attackers can inject malicious code through crafted schema names that bypass input validation in the Function constructor. Any application using protobufjs versions 8.0.0 or ear…
    https://threatnoir.com/focus
    #infosec #cybersecurity
  • ThreatNoir
    CRITICAL: CVE-2026-34197: 13-Year-Old Apache ActiveMQ RCE via Jolokia API Surfaces for In-the-Wild Attacks
    Apache ActiveMQ Classic has a 13-year-old RCE vulnerability (CVE-2026-34197) in the Jolokia API that is actively exploited in the wild. Attackers chain vm:// URIs with remote Spring XML configs to execute arbitrary code as the broker process. Any organization running ActiveMQ Classic without the Ap…
    https://threatnoir.com/focus
    #infosec #cybersecurity
  • O RLY CYBER
    (checkpoint.com) The Gentlemen Ransomware-as-a-Service: Multi-Platform RaaS Operation with Advanced Lateral Movement and GPO-Based Mass Deployment
    New RaaS operation "The Gentlemen" has compromised 320+ victims with multi-platform ransomware (Windows/Linux/ESXi) and advanced GPO-based deployment tactics.
    In brief - Emerging RaaS group "The Gentlemen" employs double extortion, targeting enterprises via Domain Admin access, Cobalt Strike, and mass ransomware deployment through Group Policy Objects. Over 320 victims reported, with 1,570+ SystemBC proxy victims globally.
    Technically - The Gentlemen ransomware uses X25519 key exchange with XChaCha20 encryption (Windows: Go, ESXi: C). Features include CLI-driven partial encryption (1-9%), GPO deployment, PsExec/WMI lateral movement, and defense evasion via Defender disabling, firewall shutdown, and SMB1 re-enablement. Attack chain observed: Cobalt Strike (91.107.247[.]163) → Mimikatz credential harvesting → SystemBC SOCKS5 tunneling (45.86.230[.]112) → AnyDesk persistence → GPO-scheduled ransomware detonation. ESXi variant shuts down VMs via vim-cmd before encrypting VMFS datastores.
    Source: https://research.checkpoint.com/2026/dfir-report-the-gentlemen/
    #Cybersecurity #ThreatIntel
  • Veri Sızıntısı Research
    ANSSI reports a 2025 drop in ransomware attacks in France, but SMBs remain primary targets. French businesses must enhance cyber defenses.
    #France #Ransomware #CyberSecurity
    https://verisizintisi.com/en/blog/2026-04-20-france-anssi-ransomware-attacks-smbs-target-2025
  • BeyondMachines :verified:
    State of (in)security - Week 16, 2026
    Week 16 of 2026 saw 17 advisories and 22 incidents, with 16.7 million individuals impacted, driven largely by the McGraw-Hill Salesforce misconfiguration breach (13.5M) alongside major ransomware, phishing, and third-party compromises affecting healthcare, finance, and tech sectors. Key vulnerabilities included actively exploited zero-days in Microsoft products, critical flaws in Cisco, Fortinet, SAP, and Adobe, and a systemic RCE risk in the MCP protocol.
    **This week third party libraries and AI are the focus: If you're using Claude Code, update immediately to the latest version and stop using authentication helpers. Instead, set the ANTHROPIC_API_KEY environment variable directly. If you use Axios in your applications, start planning an update to version 1.15.0 or later. Make sure your nginx-ui instances are isolated from the internet and accessible from trusted networks only.**
    #cybersecurity #infosec #knowledge #weeklyreport
    https://beyondmachines.net/event_details/state-of-in-security-week-16-2026-q-8-4-u-9/gD2P6Ple2L
  • CTI.FYI
    New ransom group blog posts!
    Group name: qilin
    Post title: The Go Solution
    Info: https://cti.fyi/groups/qilin.html
    Group name: qilin
    Post title: GUEGUEN Avocats
    Info: https://cti.fyi/groups/qilin.html
    Group name: qilin
    Post title: City'Pro
    Info: https://cti.fyi/groups/qilin.html
    #ransomware #cti #threatintelligence #cybersecurity #infosec
  • O RLY CYBER
    (trmlabs.com) Russia-Linked Cryptomus and Parallel Service Heleket: Shared Infrastructure Enabling Sanctions Evasion and Illicit Crypto Flows
    New reporting confirms Russia-linked Cryptomus and Heleket are operationally connected, enabling sanctions evasion and illicit crypto flows post-enforcement. TRM Labs assesses high-confidence linkage via shared infrastructure, personnel, and on-chain activity.
    In brief - Russia-linked crypto payment processors Cryptomus and Heleket are likely the same operation rebranded to evade sanctions and KYC controls. Heleket now handles 80% of illicit flows, with 60% tied to sanctioned exchange Garantex. The shift follows FINTRAC’s penalty against Cryptomus and mirrors broader ‘Russian rebrand’ evasion tactics.
    Technically - On-chain analysis reveals Garantex as a liquidity provider for Heleket’s hot wallets (Jan 2025), with Heleket’s illicit inflow ratio at 0.6%—5x the peer average. Shared infrastructure includes domain registrar ties, identical fee structures (0.4%), and personnel overlap. Over 75K transactions link Cryptomus to Iranian exchanges (e.g., Nobitex), while forum posts confirm user credential crossover. Volume displacement aligns with Cryptomus’ post-KYC decline.
    Source: https://www.trmlabs.com/resources/blog/russia-linked-payment-processor-cryptomus-likely-behind-launch-of-parallel-service-heleket
    #Cybersecurity #ThreatIntel
  • HayoK
    @Matthijs85 I was actually hoping for something under criminal law. Not this creepy business model for hedge funds where you ultimately get a pitifully small amount as a settlement, and there is no prosecution of those responsible.
  • Claroty
    At #RSAC, Claroty CSO Grant Geyer sat down with NYSE TV to discuss the trends shaping CPS security—from evolving geopolitical threats to the future of connected environments.
    Watch here: https://youtu.be/Q-RQppMcA_g?si=MGSIwKPkCSw2cn7H
    #FloorTalk #Cybersecurity #CPS #OTSecurity
  • 📅 {Cyber,Info}Sec Events
    🆕 New event added: NOPcon
    Sep 17, 2026
    Istanbul
    https://nopcon.tr/
    #infosec #cybersecurity #conference #Nopcon #Turkey
  • The New Oil
    Brussels launched an age checking app. Hackers say it takes 2 minutes to break it.
    https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
    #Europe #EU #AgeVerification #privacy #cybersecurity
  • Jim Guckin
    You know it’s bad when… the issue gets escalated and nobody wants to own it.
    #CyberSecurity #IncidentResponse #ITLife
  • RootShell
    New daily playlist: the latest talks and tutorials in cybersecurity and hacking. Stay sharp, stay safe.
    https://www.youtube.com/playlist?list=PLXqx05yil_meUBYK8AFb7RNltnpYbSuVU
    #CyberSecurity #InfoSec #EthicalHacking #OnlineSafety #Phishing
  • Lenny Zeltser
    A thoughtful piece by Anthropic on the shift we face as AI accelerates offensive work, and how to adjust.
    We're right to stress out about teams' abilities to patch systems quickly enough. In my mind, the only sustainable approach to vulnerability management is modern design patterns and shrinking the attack surface. That means fewer components to patch, simpler architectures, and deny-by-default settings in our products and in what we deploy.
    These aren't new ideas, but AI-accelerated offense makes them necessary rather than aspirational.
    https://claude.com/blog/preparing-your-security-program-for-ai-accelerated-offense
    #Cybersecurity #InfoSec #AI
  • Solomon
    protobuf.js RCE can trigger arbitrary JS execution when apps load attacker influenced schemas. Patch to 8.0.1 or 7.5.5.
    🟡 Tycoon 2FA crews are leaning into device code phishing to steal sessions and bypass MFA. Reinforce user training and conditional access.
    #CyberSecurity #ThreatIntel #AppSec #IdentitySecurity
    solomonneas.dev/intel
  • BeyondMachines :verified:
    Impac Mortgage Holdings Reports Two-Year-Old Data Breach Affecting Over 19,000 Individuals
    Impac Mortgage Holdings disclosed a data breach that exposed the Social Security numbers of 19,253 individuals after an unknown actor accessed its systems in early 2024. The company waited two years after discovery to notify the public and is now offering credit monitoring services.
    #cybersecurity #infosec #incident #databreach
    https://beyondmachines.net/event_details/impac-mortgage-holdings-reports-two-year-old-data-breach-affecting-over-19000-individuals-u-v-h-c-a/gD2P6Ple2L
  • ʇɐʞlᴉʌƎ 🇺🇦🌈 is rnbwkat
    T-minus 10 days!!!

    In #CyberSecurity terms, I'm about to deliberately walk into an entirely new threat landscape with no local threat intel, a foreign language I'm still actively patching. The attack surface has changed. The adversaries are now cobblestones, bureaucratic Portuguese, and the very real possibility that I will confidently order the wrong thing at a restaurant and just go with it. Threat level: manageable. Vibes: elevated!!

    The honeypots aren't moving. They never do - that's the whole point. They stay scattered where they are, quietly doing their thing, collecting everything. The only thing changing is where the intel gets delivered. Starting April 29th, that's Porto.

    I'm a little concerned they're going to start sending it in #Portuguese.

    Half my home lab is already there ahead of me. ZimaBoard, #opnsense the Pis - all running, all waiting, probably judging me for not arriving sooner. Home Assistant is next on the list once I land, which means I get to find out whether my automations survived the relocation or whether I'm about to have a very intimate conversation with Portuguese error messages. Could go either way.

    And yes, I'm leaving behind the Chicago "L". The L. An elevated rail system so charmingly held together by decades of deferred maintenance and sheer Chicagoan stubbornness that honestly, it's kind of a security metaphor. I'm going to miss the ambiance of a train that sounds like it's actively negotiating with physics.

    The Metro stop is literally across the street from my apartment. It's clean. It's modern. It's quiet. The trains run on time. I don't know how I'll cope.

    @sashatheflamingo is excited but has concerns about the cobblestones hurting her feet. I told her she can ride on my shoulder. Problem solved. The flamingo adapts. 🦩

    And if you're in the security community and haven't looked at #BSidesPorto yet - June 26th and 27th - I don't know what to tell you except that you're going to miss an awesome event if you don't get your tickets - NOW! And come find me. I'll be the one who showed up 60 days before the conference and is still figuring out which bus/metro train goes where.

    The operation doesn't stop. It just changes coordinates. The #honeypots already know. They figured it out before I told them. (That's kind of their whole thing.)