Decoding Threats.
Watching the Wire.
Daily security intelligence curated from the world's leading sources, mapped across 8 core security disciplines β from threat intelligence to application security.
8
Security Domains
Daily
Updates
CVEs
Tracked Live
Latest Intelligence
Recent Articles
BeigeBurrow: New Go-Based Covert C2 Agent Deployed via Active Directory RCE CVE-2026-33826
A previously undocumented post-exploitation tool named BeigeBurrow has been observed in at least two enterprise intrusions following exploitation of the Windows Active Directory RCE CVE-2026-33826. The Go-based agent uses HashiCorp's Yamux library to multiplex covert relay channels over port 443, blending into encrypted enterprise traffic. CVE-2026-33826 was patched in April Patch Tuesday; organisations that have not yet applied the patch should treat it as urgent.
Seized Gentlemen Ransomware C2 Server Exposes 1,570 Victims β GPO Deployment Reveals Full Domain Compromise
Check Point Research's analysis of a seized SystemBC command-and-control server linked to The Gentlemen ransomware operation exposed 1,570+ victim IP addresses and documented the group's use of Group Policy Objects to deploy ransomware domain-wide. GPO-based distribution is a forensic marker that attackers achieved Domain Admin access days before encryption β defenders should treat it as an indicator of extended dwell time, not a starting point.
Sanctioned Russian Crypto Exchange Grinex Shut Down After $13.74M Hack β Blames Western Intelligence
Grinex, a cryptocurrency exchange linked to the sanctioned Garantex operation, suspended all services after attackers drained $13.74 million in a targeted April 15 incident. The exchange blamed 'hostile state intelligence agencies,' pointing to the attack's technical sophistication. Elliptic and Chainalysis analysts have traced the funds but stop short of confirming attribution. The shutdown removes a significant node in Russia's sanctions-evasion infrastructure.
Kyber Ransomware Deploys Dual Windows and VMware ESXi Variants β Claims Post-Quantum Encryption
A new ransomware operation named Kyber is targeting enterprise Windows servers and VMware ESXi infrastructure with two distinct variants analysed by Rapid7. The Windows variant written in Rust implements genuine Kyber1024 post-quantum key encapsulation; the ESXi variant falsely markets the same capability while using ChaCha8 and RSA-4096. Both variants share Tor-based ransom infrastructure and have been deployed simultaneously on the same networks.
Marimo AI Notebook RCE CVE-2026-39987 Exploited at Scale β 662 Events in Three Days, NKAbuse Malware Deployed
CVE-2026-39987 (CVSS 9.3) in the Marimo Python notebook has been weaponised at scale, with Sysdig recording 662 exploitation events over three days and attackers completing credential theft within minutes of gaining access. The unauthenticated WebSocket RCE is being used to deploy NKAbuse, a multi-platform malware using the NKN peer-to-peer network for command and control. Upgrade to Marimo 0.23.0 immediately.
Anthropic's Claude Mythos AI Discovers Thousands of Zero-Days Across Every Major OS β Project Glasswing Offers Private Access
Anthropic's specialised vulnerability-hunting AI, Claude Mythos, has systematically discovered thousands of zero-day vulnerabilities across Windows, macOS, Linux, and major browsers β including a 17-year-old NFS RCE in FreeBSD and a 27-year-old OpenBSD denial-of-service. Project Glasswing provides private early access to Microsoft, Google, Apple, and select others. The implications for enterprise risk governance are immediate.
Opinion & Analysis
Commentary
When Ransomware Deploys via Group Policy, You Were Already Owned
The Gentlemen ransomware group's use of Group Policy Objects to distribute encryption payloads domain-wide is not just a clever tactic β it's a forensic signal. GPO deployment requires Domain Admin access. The ransomware event you detected was not the attack. It was the end of an attack that was already over.
CipherWatch Editorial
Security Intelligence Platform
The Hallucination Problem in Your AI Security Tools Is Not Getting Fixed
A new paper by Vishal Sikka and Varin Sikka uses settled computational complexity theory to prove that transformer hallucinations and fixed reasoning depth are architectural facts, not engineering failures. For security practitioners building operational dependencies on LLM-based tools, the implication is uncomfortable: the limitations most vendors are implicitly promising to train away cannot be trained away. They are proven.
CipherWatch Editorial
Security Intelligence Platform
For CISOs, CIOs & Board Members
CIO Briefings
Security events translated into business language β financial exposure, regulatory obligations, and board-ready summaries.
Kyber Ransomware Targets Enterprise Windows Servers and VMware ESXi in Coordinated Dual-Platform Attacks
A new ransomware operation named Kyber has been analysed by Rapid7 following an enterprise incident response engagement. The group deploys two simultaneous variants β one targeting Windows file servers, one targeting VMware ESXi β using the same campaign infrastructure. The ESXi variant terminates virtual machines and defaces the management interface; the Windows variant implements genuine post-quantum key encapsulation and includes experimental Hyper-V targeting.
AI Development Infrastructure Under Active Attack β Marimo RCE Exploited at Scale Across Data Science Environments
A critical pre-authentication RCE vulnerability in the Marimo Python notebook (CVE-2026-39987, CVSS 9.3) has been weaponised at mass scale, with 662 exploitation events recorded in three days, credential theft completing within minutes of compromise, and NKAbuse malware being deployed for persistent access. Organisations running Marimo in data science, AI/ML, or research environments must patch immediately and hunt for indicators of prior compromise.
Emergency .NET 10 Patch Required β DataProtection Key Leak Exposes Enterprise Web Application Sessions
A critical security flaw in Microsoft's .NET 10 framework (CVE-2026-40372, CVSS 9.1) has caused encryption keys protecting web application sessions to be exposed on Linux servers since November 2025. Any organisation running .NET 10 web applications on Linux must apply an emergency patch and rotate all session keys immediately.
Security Domains
Browse by Domain
Security intelligence mapped across 8 core disciplines.
Risk Mgmt
Governance, compliance, ethics, risk frameworks, legal regulations, and business continuity planning.
Assets
Data classification, ownership, privacy protection, retention policies, and data security standards.
Architecture
Secure design principles, cryptography, physical security, and security models.
Network
Network architecture, protocols, secure communication channels, and network attacks.
IAM
Authentication, authorization, access control models, identity federation, and MFA.
Assessment
Vulnerability assessment, penetration testing, audit strategies, and security metrics.
SecOps
Incident response, forensics, threat intelligence, SIEM, and operational security.
AppSec
Secure SDLC, code review, application vulnerabilities, DevSecOps, and software security testing.
Stay Vigilant
Intelligence is your first line of defence.
CipherWatch compiles and synthesises security news daily from Krebs on Security, The Hacker News, BleepingComputer, CISA advisories, and more β so you stay ahead of the threat curve.
Learn how it works β