<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>ThreatIntelReport</title><link>https://www.threatintelreport.com/</link>
<description>Evidence-led cyber threat intelligence for defenders</description><language>en</language>
<item><title>OpenClaw lures fuel ClickFix infostealer infections as agentic AI ecosystems become a new credential target</title><link>https://www.threatintelreport.com/articles/openclaw-lures-fuel-clickfix-infostealer-infections-as-agentic-ai-ecosystems-become-a-new-credential-target/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/openclaw-lures-fuel-clickfix-infostealer-infections-as-agentic-ai-ecosystems-become-a-new-credential-target/</guid>
<pubDate>Thu, 12 Mar 2026 18:19:26 +0000</pubDate>
<category>Tactics &amp; Techniques</category>
<description>A rapid wave of lookalike sites, social ads and poisoned “skills” is exploiting OpenClaw’s popularity to push StealC v2, AMOS and other stealers through user-driven install flows.</description></item><item><title>Microsoft incident responders publish a playbook for detecting prompt abuse in enterprise AI tools</title><link>https://www.threatintelreport.com/articles/microsoft-incident-responders-publish-a-playbook-for-detecting-prompt-abuse-in-enterprise-ai-tools/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/microsoft-incident-responders-publish-a-playbook-for-detecting-prompt-abuse-in-enterprise-ai-tools/</guid>
<pubDate>Thu, 12 Mar 2026 18:03:00 +0000</pubDate>
<category>Industry News</category>
<description>Indirect prompt injection via URL fragments can manipulate AI outputs while evading traditional server-side visibility.</description></item><item><title>Stryker ‘Handala’ incident: global Microsoft environment disruption and reported remote device wipes</title><link>https://www.threatintelreport.com/articles/stryker-handala-incident-global-microsoft-environment-disruption-and-reported-remote-device-wipes/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/stryker-handala-incident-global-microsoft-environment-disruption-and-reported-remote-device-wipes/</guid>
<pubDate>Thu, 12 Mar 2026 18:03:00 +0000</pubDate>
<category>Incident Reports</category>
<description>Disruptive Iran-nexus hacktivist operation claims large-scale data destruction as Stryker restores services and CISA investigates.</description></item><item><title>Hudson Rock ties Polyfill.io supply-chain compromise to DPRK operator via Lumma Stealer telemetry</title><link>https://www.threatintelreport.com/articles/hudson-rock-ties-polyfill-io-supply-chain-compromise-to-dprk-operator-via-lumma-stealer-telemetry/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/hudson-rock-ties-polyfill-io-supply-chain-compromise-to-dprk-operator-via-lumma-stealer-telemetry/</guid>
<pubDate>Thu, 12 Mar 2026 18:03:00 +0000</pubDate>
<category>Industry News</category>
<description>Infostealer logs from 2024 allegedly expose Funnull backend access and a separate Gate.us compliance infiltration.</description></item><item><title>Storm-2561 pushes fake VPN installers via SEO poisoning to steal enterprise credentials</title><link>https://www.threatintelreport.com/articles/storm-2561-pushes-fake-vpn-installers-via-seo-poisoning-to-steal-enterprise-credentials/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/storm-2561-pushes-fake-vpn-installers-via-seo-poisoning-to-steal-enterprise-credentials/</guid>
<pubDate>Thu, 12 Mar 2026 18:03:00 +0000</pubDate>
<category>Incident Reports</category>
<description>A credential theft operation uses lookalike VPN download sites and GitHub-hosted ZIPs to drop signed malware that harvests VPN logins and configuration data.</description></item><item><title>BadPaw and MeowMeow: steganographic .NET malware hits Ukrainian targets</title><link>https://www.threatintelreport.com/articles/badpaw-and-meowmeow-steganographic-net-malware-hits-ukrainian-targets/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/badpaw-and-meowmeow-steganographic-net-malware-hits-ukrainian-targets/</guid>
<pubDate>Thu, 12 Mar 2026 16:58:59 +0000</pubDate>
<category>Incident Reports</category>
<description>A ClearSky report details a new loader and backdoor pair, and Scythe shows how to operationalise it as continuous adversary emulation.</description></item><item><title>UAT-9244 hits South American telcos with TernDoor, PeerTime and BruteEntry</title><link>https://www.threatintelreport.com/articles/uat-9244-hits-south-american-telcos-with-terndoor-peertime-and-bruteentry/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/uat-9244-hits-south-american-telcos-with-terndoor-peertime-and-bruteentry/</guid>
<pubDate>Fri, 06 Mar 2026 08:54:01 +0000</pubDate>
<category>Incident Reports</category>
<description>Cisco Talos links the activity cluster to China-nexus tooling, including CrowDoor variants and ORB-style proxy infrastructure</description></item><item><title>BadAudio and APT24: “good enough” OPSEC powering a multi-vector espionage chain</title><link>https://www.threatintelreport.com/articles/badaudio-and-apt24-good-enough-opsec-powering-a-multi-vector-espionage-chain/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/badaudio-and-apt24-good-enough-opsec-powering-a-multi-vector-espionage-chain/</guid>
<pubDate>Mon, 02 Mar 2026 13:04:07 +0000</pubDate>
<category>Incident Reports</category>
<description>Reverse engineering shows pragmatic obfuscation, hardcoded crypto, and cloud-native infrastructure supporting scalable intrusion delivery.</description></item><item><title>Iran crisis cyber risk rises as defacements and disruptive activity reported</title><link>https://www.threatintelreport.com/articles/iran-crisis-cyber-risk-rises-as-defacements-and-disruptive-activity-reported/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/iran-crisis-cyber-risk-rises-as-defacements-and-disruptive-activity-reported/</guid>
<pubDate>Mon, 02 Mar 2026 10:11:00 +0000</pubDate>
<category>Trends &amp; Analysis</category>
<description>Iran • hacktivists • IRGC • MOIS • DDoS • wipers • ransomware • critical infrastructure</description></item><item><title>OpenClaw “ClawJacked” chain: malicious websites can hijack local AI agents via localhost WebSockets</title><link>https://www.threatintelreport.com/articles/openclaw-clawjacked-chain-malicious-websites-can-hijack-local-ai-agents-via-localhost-websockets/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/openclaw-clawjacked-chain-malicious-websites-can-hijack-local-ai-agents-via-localhost-websockets/</guid>
<pubDate>Mon, 02 Mar 2026 09:41:16 +0000</pubDate>
<category>Incident Reports</category>
<description>Cross-origin browser-to-localhost access, missing loopback throttling, and implicit device trust combine into a silent takeover path from a single web visit.</description></item><item><title>DPRK FAMOUS CHOLLIMA OPSEC failure exposes npm publisher IPs through public disposable inboxes</title><link>https://www.threatintelreport.com/articles/dprk-famous-chollima-opsec-failure-exposes-npm-publisher-ips-through-public-disposable-inboxes/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/dprk-famous-chollima-opsec-failure-exposes-npm-publisher-ips-through-public-disposable-inboxes/</guid>
<pubDate>Sat, 28 Feb 2026 16:59:58 +0000</pubDate>
<category>Threat Actors</category>
<description>Affected ecosystem: npm registry and developer tooling supply chain Primary issue: OPSEC leakage from disposable email inbox exposure combined with npm publish notification metadata Exploitation…</description></item><item><title>FAMOUS CHOLLIMA: DPRK employment fraud and developer-lure intrusion set</title><link>https://www.threatintelreport.com/articles/famous-chollima-dprk-employment-fraud-and-developer-lure-intrusion-set/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/famous-chollima-dprk-employment-fraud-and-developer-lure-intrusion-set/</guid>
<pubDate>Sat, 28 Feb 2026 16:55:07 +0000</pubDate>
<category>Threat Actors</category>
<description>FAMOUS CHOLLIMA is a DPRK-aligned activity cluster that multiple vendors associate with job-themed social engineering, developer targeting, and monetisation that can include cryptocurrency theft…</description></item><item><title>Akamai SIRT Identifies Zerobot Botnet Exploiting n8n and Tenda Vulnerabilities</title><link>https://www.threatintelreport.com/articles/akamai-sirt-identifies-zerobot-botnet-exploiting-n8n-and-tenda-vulnerabilities/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/akamai-sirt-identifies-zerobot-botnet-exploiting-n8n-and-tenda-vulnerabilities/</guid>
<pubDate>Sat, 28 Feb 2026 16:06:29 +0000</pubDate>
<category>Vulnerabilities &amp; Exploits</category>
<description>Akamai SIRT identifies Mirai variant campaign actively targeting critical RCE flaws in automation platforms and routers</description></item><item><title>AirSnitch: Client isolation in Wi-Fi is not delivering the security most defenders expect</title><link>https://www.threatintelreport.com/articles/airsnitch-client-isolation-in-wi-fi-is-not-delivering-the-security-most-defenders-expect/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/airsnitch-client-isolation-in-wi-fi-is-not-delivering-the-security-most-defenders-expect/</guid>
<pubDate>Fri, 27 Feb 2026 12:08:49 +0000</pubDate>
<category>Trends &amp; Analysis</category>
<description>NDSS 2026 research shows practical injection and machine-in-the-middle paths across WPA2/WPA3, guest SSIDs, and enterprise multi-AP deployments</description></item><item><title>Vshell (VShell): a Mandarin-language C2 framework surfacing alongside Cobalt Strike on exposed infrastructure</title><link>https://www.threatintelreport.com/articles/vshell-vshell-a-mandarin-language-c2-framework-surfacing-alongside-cobalt-strike-on-exposed-infrastructure/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/vshell-vshell-a-mandarin-language-c2-framework-surfacing-alongside-cobalt-strike-on-exposed-infrastructure/</guid>
<pubDate>Fri, 27 Feb 2026 11:21:37 +0000</pubDate>
<category>Incident Reports</category>
<description>Censys has reported on Vshell (often stylised “VShell”) , a Go-based command-and-control (C2) platform used for post-compromise host management, pivoting, and proxying , and increasingly visible…</description></item><item><title>Preventing the Access That Powers Ransomware Lateral Movement (Part 2/2)</title><link>https://www.threatintelreport.com/articles/preventing-the-access-that-powers-ransomware-lateral-movement-2026/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/preventing-the-access-that-powers-ransomware-lateral-movement-2026/</guid>
<pubDate>Fri, 27 Feb 2026 06:45:00 +0000</pubDate>
<category>Tactics &amp; Techniques</category>
<description>Designing upstream controls that cut off access brokers, endpoint breakout, and perimeter device exploitation before T1021 starts</description></item><item><title>Ransomware Lateral Movement in 2026: Detection Opportunities (Part 1/2)</title><link>https://www.threatintelreport.com/articles/ransomware-lateral-movement-in-2026-detection-opportunities-part-1-2/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/ransomware-lateral-movement-in-2026-detection-opportunities-part-1-2/</guid>
<pubDate>Fri, 27 Feb 2026 06:15:00 +0000</pubDate>
<category>Tactics &amp; Techniques</category>
<description>Ransomware lateral movement techniques in 2026 are increasingly identity-led, cloud-aware, and executed through legitimate admin channels, forcing defenders to prioritise high-fidelity telemetry,…</description></item><item><title>Security debt surges as legacy vulnerabilities accumulate</title><link>https://www.threatintelreport.com/articles/security-debt-surges-as-legacy-vulnerabilities-accumulate/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/security-debt-surges-as-legacy-vulnerabilities-accumulate/</guid>
<pubDate>Fri, 27 Feb 2026 03:02:00 +0000</pubDate>
<category>Industry News</category>
<description>Veracode’s 2026 State of Software Security finds remediation capacity falling behind development velocity, with third-party components driving the longest-lived high-risk exposure.</description></item><item><title>Scattered Lapsus$ Hunters recruits women for paid helpdesk vishing</title><link>https://www.threatintelreport.com/articles/scattered-lapsus-hunters-recruits-women-for-paid-helpdesk-vishing/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/scattered-lapsus-hunters-recruits-women-for-paid-helpdesk-vishing/</guid>
<pubDate>Thu, 26 Feb 2026 20:50:00 +0000</pubDate>
<category>Incident Reports</category>
<description>Scattered Lapsus$ Hunters (SLH, also styled SLSH in some reporting) is advertising for female callers to conduct vishing against IT helpdesks, offering $500 to $1,000 per call and providing…</description></item><item><title>Scattered Spider threat actor profile</title><link>https://www.threatintelreport.com/articles/scattered-spider-threat-actor-profile/</link>
<guid isPermaLink="true">https://www.threatintelreport.com/articles/scattered-spider-threat-actor-profile/</guid>
<pubDate>Thu, 26 Feb 2026 20:45:00 +0000</pubDate>
<category>Threat Actors</category>
<description>Scattered Spider is a financially motivated eCrime collective best known for high-success social engineering against enterprise IT help desks, often enabling account takeover in SSO and hybrid…</description></item>
</channel></rss>