Threat Intelligence

Ransomware Is Getting Less Profitable and More Prolific

John Z Black Mar 17, 2026

Threat Intelligence #ransomware #mandiant #threat-intelligence #qilin #akira #wef #enterprise-risk

Mandiant's latest report shows ransomware payments declining while victim counts hit record highs. The ecosystem isn't dying. It's fragmenting faster than defenders can track.

Iran Didn't Need Malware to Cripple Stryker. They Just Used Microsoft Intune.

John Z Black Mar 17, 2026

Threat Intelligence #iran #stryker #handala #intune #mdm #wiper #healthcare #nation-state #critical-infrastructure

The Handala group wiped tens of thousands of Stryker devices using the company's own MDM platform. No malware. No exploit. Just admin access and the willingness to press the button.

Two Spy Campaigns, Two Completely Different Playbooks

John Z Black Mar 16, 2026

Threat Intelligence #espionage #apt #china #russia #signal #asean #military #threat-intelligence

A Chinese APT has been sitting inside Southeast Asian military networks for six years. Meanwhile, Russian hackers are stealing Signal accounts with fake support messages. Same goal, wildly different approaches.

The Software You Trust Is Becoming the Attack: Two Supply-Chain Strikes in One Week

John Z Black Mar 15, 2026

Threat Intelligence #supply-chain #developer-security #vs-code #appsflyer #malware #sdk-security

GlassWorm hijacked VS Code extension dependencies. AppsFlyer's SDK got compromised to serve crypto stealers. Both attacks exploited trust, not carelessness.

Hackers Used Stryker's Own IT Tool to Nuke Its Entire Device Fleet

John Z Black Mar 14, 2026

Threat Intelligence #handala #stryker #mdm #microsoft-intune #iran #wiper #healthcare #nation-state

An Iranian-linked group called Handala reportedly hijacked Microsoft Intune and wiped Stryker's devices at scale. The tool designed to secure their fleet became the weapon that destroyed it.

Storm-2561: Googling Your VPN Download Just Became a Security Risk

John Z Black Mar 13, 2026

Threat Intelligence #seo-poisoning #storm-2561 #vpn #credential-theft #malware #social-engineering

Microsoft exposed Storm-2561, a threat actor using SEO poisoning to serve fake VPN downloads that steal corporate credentials. The attack requires zero phishing emails. Just a search engine.

Iran Hit a Medical Device Giant, a NATO Parliament, and Your Instagram Feed on the Same Day

John Z Black Mar 12, 2026

Threat Intelligence #iran #handala #stryker #wiper-attack #critical-infrastructure #influence-operations #nato #threat-intelligence

March 11 wasn't three separate cyberattacks. It was one coordinated Iranian campaign across three fronts: a wiper on Stryker, a breach of Albania's parliament, and an influence op on Instagram. All in 24 hours.

APT28's Covenant Trick and North Korea's AirDrop Hack: How Nation-States Borrow Their Tools

John Z Black Mar 11, 2026

Threat Intelligence #apt28 #north-korea #nation-state #covenant #airdrop #threat-intelligence

Russia's APT28 hijacked an open-source red-team tool to hit Ukraine. North Korea's UNC4899 used Apple AirDrop to break into a crypto firm. Both attacks exploit the trust we put in legit software.

The Edge Is the Front Line: FortiGate, ASUS Routers, and the War on Network Perimeters

John Z Black Mar 11, 2026

Threat Intelligence #fortigate #asus #botnet #edge-devices #network-security #kadnap

Enterprise firewalls and consumer routers are getting hammered. FortiGate credential theft and the KadNap botnet show the same failure at the network edge.

ClickFix Is the Social Engineering Trick That Took Over 2026

John Z Black Mar 10, 2026

Threat Intelligence #clickfix #social-engineering #ransomware #teams #phishing #a0backdoor #castlerat #chrome-extensions

A dead-simple social engineering trick is showing up everywhere in 2026. Users paste a command into PowerShell or a Run dialog and boom, malware runs. Three separate campaigns hit this week alone.