CloudSEK Updates

A new CloudSEK report reveals that Iran-linked APT35 (Charming Kitten) conducted years of cyber reconnaissance across GCC nations before coordinated missile strikes, suggesting cyber operations directly enabled kinetic targeting. Critical infrastructure across UAE, Saudi Arabia, Qatar, and others was pre-profiled and in some cases breached. The report highlights a dangerous shift—cyber warfare is no longer support, but a frontline weapon in modern conflict.

CloudSEK's BeVigil has identified 32 hardcoded Google API keys across 22 popular Android applications that inadvertently grant unauthorized access to Google's Gemini AI (Generative Language API) including uploaded datasets and cached contents.

This isn’t just another phishing campaign—it’s a global, industrial-scale traffic brokerage operation. CloudSEK uncovers how attackers are using over 300 trusted brands across 100+ countries to lure users through fake offers, profile them in real time, and funnel high-value victims into scams like crypto fraud and account takeovers. With thousands of active domains and highly localized tactics, the report exposes how cybercrime is becoming smarter, scalable, and dangerously efficient.

CloudSEK’s report uncovers a worrying pattern: over 36 months, attackers systematically targeted DevSecOps tools themselves—compromising trusted scanners, CI/CD pipelines, and open-source dependencies to steal credentials at scale. From 23,000 affected repositories to blockchain-based C2 infrastructure, these precision attacks show one thing clearly—security tools are now the most valuable attack surface.

CloudSEK’s latest report traces the lifecycle of RAMP, a ransomware-friendly underground forum that operated from 2021 until its FBI seizure in January 2026. Built as a safe haven for cybercriminals, it connected ransomware groups, affiliates, and access brokers at scale. Its takedown has fragmented the ecosystem, pushing actors into smaller, harder-to-track communities—raising new challenges for global cyber defense. Read the full report for a deeper look into how ransomware networks evolve and adapt.

Understanding How Exposed MLOps Platforms and Credential Leaks Allow Attackers to Steal Models, Poison Training Pipelines, Harvest Cloud Credentials, Execute Code on Agents, and Compromise the Entire AI Supply Chain.

This report examines 12 days of attack activity against a high-interaction honeypot emulating a vulnerable Oracle WebLogic Server. Immediately after public exploit code was released for the critical RCE vulnerability CVE-2026-21962, automated exploitation attempts surged, highlighting how quickly WebLogic flaws become weaponized.

This report uncovers active abuse of the ip6.arpa namespace. This technique bypasses traditional security controls, renders blocklists ineffective, and highlights a critical blind spot in DNS and email security. Proactive DNS anomaly detection and monitoring of staged infrastructure are essential to mitigate this emerging threat.

The MacSync Stealer campaign represents a sophisticated macOS threat that leverages SEO poisoning, fake GitHub repositories, and ClickFix social engineering to deliver malware. Attackers manipulate search engine rankings to redirect users to fraudulent repositories impersonating legitimate software, where victims are tricked into executing malicious commands.