Decoding Threats.
Watching the Wire.
Daily security intelligence curated from the world's leading sources, mapped across 8 core security disciplines β from threat intelligence to application security.
8
Security Domains
Daily
Updates
CVEs
Tracked Live
Latest Intelligence
Recent Articles
108 Malicious Chrome Extensions Exfiltrating Browser Data Removed from Web Store
Google has removed 108 extensions from the Chrome Web Store after researchers identified a coordinated malicious extension campaign conducting browser credential harvesting, session cookie theft, and clipboard monitoring across millions of installations. The extensions impersonated productivity tools, ad blockers, and security tools β with some active for over 18 months before detection. Enterprise Chrome deployments should audit installed extensions against the published IOC list.
Europol Dismantles β¬50M Crypto Investment Fraud Network β 12 Arrested Across Six Countries
Europol has coordinated the dismantling of a β¬50 million cryptocurrency investment fraud network operating across six European countries, resulting in 12 arrests, 30 property searches, and the seizure of cryptocurrency holdings, luxury assets, and fraud operation infrastructure. The network ran AI-enhanced investment scam call centres and operated fraudulent crypto trading platforms that fabricated returns to sustain victim investment before executing exit scams.
Five Eyes Advisory: China-Nexus Volt Typhoon and Flax Typhoon Using SOHO Router Botnets to Pre-Position in Critical Infrastructure
A joint advisory from CISA, NCSC-UK, the Australian Signals Directorate, and Four Eyes partners confirms that China-linked threat actors including Volt Typhoon and Flax Typhoon are systematically compromising small-office and home-office routers to build operational relay networks for espionage and pre-positioned attacks against critical national infrastructure. Organisations should audit edge device inventories and enforce firmware update policies.
Lotus Wiper Targets Venezuelan Energy Infrastructure in ICS-Aware Sabotage Campaign
A destructive wiper malware tracked as Lotus Wiper has been deployed against Venezuelan state energy company PDVSA and associated electricity generation infrastructure. Unlike generic wipers, Lotus Wiper includes ICS-aware modules that identify and corrupt engineering workstation configurations, HMI databases, and OT historian data before wiping. The campaign represents the most targeted wiper deployment against Latin American energy infrastructure on record.
MacSync Stealer Delivered via Malicious Google Ad Targeting macOS Homebrew Users
A macOS infostealer tracked as MacSync has been distributed through a malicious Google search advertisement impersonating the Homebrew package manager β a tool used by virtually all macOS developers. The campaign harvests browser credentials, session tokens, macOS keychain data, and cryptocurrency wallet files from developer machines. macOS users who installed Homebrew via a Google search in the past 30 days should verify their installation source.
Progress MOVEit Automation β Critical Authentication Bypass Vulnerability Disclosed, Patch Immediately
Progress Software has disclosed a critical authentication bypass vulnerability in MOVEit Automation, the workflow automation component of the MOVEit managed file transfer platform. Given MOVEit's history as the most mass-exploited enterprise application of 2023 (Cl0p ransomware, 2,700+ organisations), any new critical vulnerability requires emergency patching. Organisations should apply the patch and review automation workflow configurations before exploitation begins.
Wireshark CVE-2026-5656 β Remote Code Execution via Malicious PCAP File, Update to 4.4.6
A code execution vulnerability in Wireshark's PCAP/PCAPNG file parser allows a malicious capture file to trigger arbitrary code execution when opened by an analyst. CVE-2026-5656 affects all Wireshark versions prior to 4.4.6 across Windows, macOS, and Linux. The attack vector is especially concerning for security teams that open externally-sourced capture files during incident response or threat hunting β update Wireshark to 4.4.6 immediately.
AccountDumpling Abuses Google AppSheet as Legitimate Phishing Relay to Compromise 30,000 Facebook Accounts
The AccountDumpling campaign has compromised approximately 30,000 Facebook accounts by routing phishing emails through Google AppSheet β a legitimate no-code application platform β to bypass spam filters and email security gateways. The technique exploits trusted sender reputation of Google infrastructure and demonstrates the growing difficulty of filtering phishing delivered through legitimate SaaS platforms.
Opinion & Analysis
Commentary
Managed File Transfer Is a Permanent Attack Surface and You Should Treat It That Way
MOVEit's latest critical vulnerability is not a surprise β it is the latest instalment in an unending series. The industry keeps treating each managed file transfer vulnerability as an exceptional event requiring exceptional response, when the correct model is to treat MFT platforms as inherently hostile internet-facing infrastructure requiring architectural controls that assume compromise is inevitable.
CipherWatch Editorial
Security Intelligence Platform
Defenders Can't Block Google. That's Why Attackers Are Routing Through It.
AccountDumpling abuses Google AppSheet to deliver phishing. EtherRAT uses Cloudflare and Ethereum nodes for C2. DEEP#DOOR tunnels over Cloudflare. The pattern is consistent: sophisticated attackers have discovered that the fastest route past enterprise security controls is through infrastructure defenders cannot block. The defence posture that assumes blocking bad infrastructure will stop bad traffic is being systematically rendered obsolete.
CipherWatch Editorial
Security Intelligence Platform
For CISOs, CIOs & Board Members
CIO Briefings
Security events translated into business language β financial exposure, regulatory obligations, and board-ready summaries.
Five Eyes Warning: Chinese State Actors Pre-Positioning in Critical Infrastructure for Potential Sabotage
A joint advisory from the UK, US, Australian, Canadian, and New Zealand intelligence services has confirmed that Chinese state-sponsored hackers are systematically infiltrating Western critical infrastructure β energy, water, transport, and telecoms β not to steal information, but to establish the capability to disrupt or destroy services in a future conflict. This represents a strategic national security threat that directly affects organisations operating or supplying critical infrastructure.
MOVEit Automation Critical Vulnerability β Emergency Patching Required Immediately
Progress Software has disclosed a critical flaw in MOVEit Automation β the automated file-transfer workflow platform β that allows an attacker without any login credentials to gain full administrative access. Given that a previous vulnerability in the same product led to the largest mass data breach of 2023, affecting over 2,700 organisations globally, this disclosure demands emergency response, not a scheduled patch cycle.
New Multi-Sector Identity Attack Campaign Bypasses MFA via Vishing and SSO Hijacking β Finance, Technology, Logistics Targeted
Two coordinated threat actor clusters are conducting large-scale campaigns combining voice phishing against IT help desks and adversary-in-the-middle SSO attacks to gain persistent, MFA-bypassing access to enterprise Microsoft 365, Okta, and Entra ID environments. Active campaigns span finance, technology, and logistics sectors. Standard MFA provides no protection β only phishing-resistant authentication (FIDO2/passkeys) stops the SSO interception technique.
Security Domains
Browse by Domain
Security intelligence mapped across 8 core disciplines.
Risk Mgmt
Governance, compliance, ethics, risk frameworks, legal regulations, and business continuity planning.
Assets
Data classification, ownership, privacy protection, retention policies, and data security standards.
Architecture
Secure design principles, cryptography, physical security, and security models.
Network
Network architecture, protocols, secure communication channels, and network attacks.
IAM
Authentication, authorization, access control models, identity federation, and MFA.
Assessment
Vulnerability assessment, penetration testing, audit strategies, and security metrics.
SecOps
Incident response, forensics, threat intelligence, SIEM, and operational security.
AppSec
Secure SDLC, code review, application vulnerabilities, DevSecOps, and software security testing.
Stay Vigilant
Intelligence is your first line of defence.
CipherWatch compiles and synthesises security news daily from Krebs on Security, The Hacker News, BleepingComputer, CISA advisories, and more β so you stay ahead of the threat curve.
Learn how it works β