CloudSEK Updates

CloudSEK's BeVigil has identified 32 hardcoded Google API keys across 22 popular Android applications that inadvertently grant unauthorized access to Google's Gemini AI (Generative Language API) including uploaded datasets and cached contents.

This isn’t just another phishing campaign—it’s a global, industrial-scale traffic brokerage operation. CloudSEK uncovers how attackers are using over 300 trusted brands across 100+ countries to lure users through fake offers, profile them in real time, and funnel high-value victims into scams like crypto fraud and account takeovers. With thousands of active domains and highly localized tactics, the report exposes how cybercrime is becoming smarter, scalable, and dangerously efficient.

CloudSEK’s report uncovers a worrying pattern: over 36 months, attackers systematically targeted DevSecOps tools themselves—compromising trusted scanners, CI/CD pipelines, and open-source dependencies to steal credentials at scale. From 23,000 affected repositories to blockchain-based C2 infrastructure, these precision attacks show one thing clearly—security tools are now the most valuable attack surface.

CloudSEK’s latest report traces the lifecycle of RAMP, a ransomware-friendly underground forum that operated from 2021 until its FBI seizure in January 2026. Built as a safe haven for cybercriminals, it connected ransomware groups, affiliates, and access brokers at scale. Its takedown has fragmented the ecosystem, pushing actors into smaller, harder-to-track communities—raising new challenges for global cyber defense. Read the full report for a deeper look into how ransomware networks evolve and adapt.

Understanding How Exposed MLOps Platforms and Credential Leaks Allow Attackers to Steal Models, Poison Training Pipelines, Harvest Cloud Credentials, Execute Code on Agents, and Compromise the Entire AI Supply Chain.

This report examines 12 days of attack activity against a high-interaction honeypot emulating a vulnerable Oracle WebLogic Server. Immediately after public exploit code was released for the critical RCE vulnerability CVE-2026-21962, automated exploitation attempts surged, highlighting how quickly WebLogic flaws become weaponized.

This report uncovers active abuse of the ip6.arpa namespace. This technique bypasses traditional security controls, renders blocklists ineffective, and highlights a critical blind spot in DNS and email security. Proactive DNS anomaly detection and monitoring of staged infrastructure are essential to mitigate this emerging threat.

The MacSync Stealer campaign represents a sophisticated macOS threat that leverages SEO poisoning, fake GitHub repositories, and ClickFix social engineering to deliver malware. Attackers manipulate search engine rankings to redirect users to fraudulent repositories impersonating legitimate software, where victims are tricked into executing malicious commands.

A new malware campaign is exploiting Ramadan shopping sentiment, luring Middle East users with fake discount coupons from trusted brands. Behind the offer lies a multi-stage attack that deploys a powerful RAT, enabling full system control and stealthy data exfiltration via AWS. The campaign highlights how seasonal themes and trusted brands are being weaponized at scale.