Blogs and Articles

CloudSEK’s report uncovers a worrying pattern: over 36 months, attackers systematically targeted DevSecOps tools themselves—compromising trusted scanners, CI/CD pipelines, and open-source dependencies to steal credentials at scale. From 23,000 affected repositories to blockchain-based C2 infrastructure, these precision attacks show one thing clearly—security tools are now the most valuable attack surface.

CloudSEK’s latest report traces the lifecycle of RAMP, a ransomware-friendly underground forum that operated from 2021 until its FBI seizure in January 2026. Built as a safe haven for cybercriminals, it connected ransomware groups, affiliates, and access brokers at scale. Its takedown has fragmented the ecosystem, pushing actors into smaller, harder-to-track communities—raising new challenges for global cyber defense. Read the full report for a deeper look into how ransomware networks evolve and adapt.

Understanding How Exposed MLOps Platforms and Credential Leaks Allow Attackers to Steal Models, Poison Training Pipelines, Harvest Cloud Credentials, Execute Code on Agents, and Compromise the Entire AI Supply Chain.

This report examines 12 days of attack activity against a high-interaction honeypot emulating a vulnerable Oracle WebLogic Server. Immediately after public exploit code was released for the critical RCE vulnerability CVE-2026-21962, automated exploitation attempts surged, highlighting how quickly WebLogic flaws become weaponized.

This report uncovers active abuse of the ip6.arpa namespace. This technique bypasses traditional security controls, renders blocklists ineffective, and highlights a critical blind spot in DNS and email security. Proactive DNS anomaly detection and monitoring of staged infrastructure are essential to mitigate this emerging threat.

The MacSync Stealer campaign represents a sophisticated macOS threat that leverages SEO poisoning, fake GitHub repositories, and ClickFix social engineering to deliver malware. Attackers manipulate search engine rankings to redirect users to fraudulent repositories impersonating legitimate software, where victims are tricked into executing malicious commands.

A new malware campaign is exploiting Ramadan shopping sentiment, luring Middle East users with fake discount coupons from trusted brands. Behind the offer lies a multi-stage attack that deploys a powerful RAT, enabling full system control and stealthy data exfiltration via AWS. The campaign highlights how seasonal themes and trusted brands are being weaponized at scale.

LSPosed, a powerful framework for rooted Android devices, has been weaponized by attackers to remotely inject fraudulent SMS messages and spoof user identities in modern payment ecosystems. This report exposes a critical vulnerability: the exploitation of LSPosed modules to intercept and modify sensitive system APIs, enabling precise identity theft and unauthorized financial transactions. It reveals the devastating potential of this technique for large-scale payment fraud and identity takeover.

The February 28 launch of Operation Epic Fury has pushed the Iran–Israel conflict into an open multi-domain war. While the strikes occurred in the Middle East, the ripple effects are already reaching Southeast Asia, where cyber operations, energy disruptions, financial sanctions, and geopolitical tensions could create immediate risk for governments, businesses, and critical infrastructure. This briefing explains why the region may soon find itself on the frontline of a wider cyber and economic confrontation.