Threat Intelligence Feed

Real-time intel briefing

Aggregated view of active CVEs, ransomware activity, phishing campaigns, threat-actor TTPs, and automated blocklist updates.

Total: 18 | Critical CVEs: 0 | Ransomware: 4 | Phishing: 4 | Actor activity: 3
Blocklist | low
8h ago

5,056 new malicious domains added

Automated correlation across multiple feeds identified 5,056 new C2, phishing, and malware-distribution domains. Auto-pushed to DNS sinkhole policy.

Tags: dns-sinkhole, auto-block | Source: Aggregated feeds

Blocklist | low
9h ago

5,057 new malicious domains added

Automated correlation across multiple feeds identified 5,057 new C2, phishing, and malware-distribution domains. Auto-pushed to DNS sinkhole policy.

Tags: dns-sinkhole, auto-block | Source: Aggregated feeds

Phishing | medium
16h ago

DHL impersonation campaign observed

New phishing wave impersonating DHL sign-in pages. Lure: "shared document" or "expiring access". Landing pages rotate across .top / .xyz / .click TLDs with reverse-proxy MFA bypass.

Tags: dhl, credential-harvest, evilginx | Source: Email gateway telemetry

Phishing | medium
17h ago

Banco Santander impersonation campaign observed

New phishing wave impersonating Banco Santander sign-in pages. Lure: "shared document" or "expiring access". Landing pages rotate across .top / .xyz / .click TLDs with reverse-proxy MFA bypass.

Tags: banco, credential-harvest, evilginx | Source: Email gateway telemetry

Phishing | medium
18h ago

Microsoft 365 impersonation campaign observed

New phishing wave impersonating Microsoft 365 sign-in pages. Lure: "shared document" or "expiring access". Landing pages rotate across .top / .xyz / .click TLDs with reverse-proxy MFA bypass.

Tags: microsoft, credential-harvest, evilginx | Source: Email gateway telemetry

Phishing | medium
19h ago

Google Workspace impersonation campaign observed

New phishing wave impersonating Google Workspace sign-in pages. Lure: "shared document" or "expiring access". Landing pages rotate across .top / .xyz / .click TLDs with reverse-proxy MFA bypass.

Tags: google, credential-harvest, evilginx | Source: Email gateway telemetry

CVE | high | CVE-2026-56904 | CVSS 8.4
1d ago

SQL injection in SAP S/4HANA

A SQL injection vulnerability affecting SAP S/4HANA is being actively exploited in the wild. The vendor has released a hotfix; patch within 48 hours for internet-facing assets.

Tags: sap, s/4hana, patch-now | Source: NVD / Vendor advisory

CVE | high | CVE-2026-56905 | CVSS 8.5
1d ago

SQL injection in Adobe Acrobat Reader

A SQL injection vulnerability affecting Adobe Acrobat Reader is being actively exploited in the wild. The vendor has released a hotfix; patch within 48 hours for internet-facing assets.

Tags: adobe, acrobat-reader, patch-now | Source: NVD / Vendor advisory

CVE | high | CVE-2026-56906 | CVSS 8.6
1d ago

SQL injection in Apache Struts

A SQL injection vulnerability affecting Apache Struts is being actively exploited in the wild. The vendor has released a hotfix; patch within 48 hours for internet-facing assets.

Tags: apache, struts, patch-now | Source: NVD / Vendor advisory

CVE | high | CVE-2026-56907 | CVSS 8.7
1d ago

SQL injection in Palo Alto GlobalProtect

A SQL injection vulnerability affecting Palo Alto GlobalProtect is being actively exploited in the wild. The vendor has released a hotfix; patch within 48 hours for internet-facing assets.

Tags: palo alto, globalprotect, patch-now | Source: NVD / Vendor advisory

CVE | high | CVE-2026-56908 | CVSS 8.8
1d ago

SQL injection in Microsoft Active Directory

A SQL injection vulnerability affecting Microsoft Active Directory is being actively exploited in the wild. The vendor has released a hotfix; patch within 48 hours for internet-facing assets.

Tags: microsoft, active-directory, patch-now | Source: NVD / Vendor advisory

Ransomware | high
2d ago

Royal claims new victims in undefined

Royal leak site listed 2 new victims this week, primarily in the undefined sector. Initial access via vulnerable internet-facing edge devices.

Tags: royal, leak-site | Source: Dark-web monitoring

Ransomware | critical
2d ago

BianLian claims new victims in undefined

BianLian leak site listed 3 new victims this week, primarily in the undefined sector. Initial access via vulnerable internet-facing edge devices.

Tags: bianlian, leak-site | Source: Dark-web monitoring

Ransomware | high
2d ago

Medusa claims new victims in undefined

Medusa leak site listed 4 new victims this week, primarily in the undefined sector. Initial access via vulnerable internet-facing edge devices.

Tags: medusa, leak-site | Source: Dark-web monitoring

Ransomware | critical
2d ago

8Base claims new victims in undefined

8Base leak site listed 5 new victims this week, primarily in the undefined sector. Initial access via vulnerable internet-facing edge devices.

Tags: 8base, leak-site | Source: Dark-web monitoring

Threat Actor | high
3d ago

APT29 (Cozy Bear) activity uptick — spearphishing operators

Increased spearphishing operators attributed to APT29 (Cozy Bear) over the past 7 days. Targeting: defense contractors, NGOs, and government bodies. New custom loader observed.

Tags: apt29, apt, ttps-shift | Source: Threat-intel correlation

Threat Actor | high
3d ago

Lazarus Group activity uptick — spearphishing operators

Increased spearphishing operators attributed to Lazarus Group over the past 7 days. Targeting: defense contractors, NGOs, and government bodies. New custom loader observed.

Tags: lazarus, apt, ttps-shift | Source: Threat-intel correlation

Threat Actor | high
3d ago

FIN7 activity uptick — spearphishing operators

Increased spearphishing operators attributed to FIN7 over the past 7 days. Targeting: defense contractors, NGOs, and government bodies. New custom loader observed.

Tags: fin7, apt, ttps-shift | Source: Threat-intel correlation
