AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 02/09/2026

Please Don’t Feed the Scattered Lapsus ShinyHunters

This piece profiles an extortion crew (“SLSH”) that pairs data theft with direct, personal harassment of executives and their families, including threats and swatting. The reporting highlights that the group’s behavior is less predictable than traditional ransomware operations, which increases risk if a victim engages. A key takeaway is that even limited back-and-forth can escalate pressure tactics quickly, so crisis comms and executive protection planning matter alongside technical response.


CISA flags critical SolarWinds RCE flaw as exploited in attacks

CISA flagged an actively exploited SolarWinds Web Help Desk issue (CVE-2025-40551) tied to untrusted deserialization that can enable unauthenticated remote code execution. SolarWinds shipped a fix in Web Help Desk 2026.1, and CISA set a short federal patch deadline, signaling real-world operator interest. If you run this product, treat it as internet-exposed software even when you believe it is internal, and validate both patch level and any compensating controls around access paths.


DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files

Threat researchers describe a campaign (“DEAD#VAX”) delivering AsyncRAT using IPFS-hosted VHD attachments and heavily obfuscated scripts. The flow emphasizes in-memory execution and injection into trusted Windows processes, aiming to reduce disk artifacts and evade common detections. Defenders should review email and web gateway controls for disk image attachments, plus endpoint telemetry for suspicious mounting behavior and script-driven process injection patterns.


Black Basta: Defense Evasion Capability Embedded in Ransomware Payload

Broadcom’s threat intel team reports a Black Basta campaign where “bring your own vulnerable driver” capability is bundled inside the ransomware payload, rather than deployed as a separate tool. The writeup notes the use of a signed vulnerable driver to terminate security processes, leveraging kernel-mode access to impair defenses. Practically, this is a reminder to harden against vulnerable-driver abuse (blocklists, driver control policies) and to monitor for unexpected driver installs or service creation during lateral movement.


New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan

Microsoft describes an evolution of the ClickFix campaign where attackers intentionally crash a victim’s browser and then social-engineer them into running commands to “fix” it. The variant (“CrashFix”) blends user disruption with living-off-the-land execution and Python-based payload delivery, reducing reliance on traditional exploit chains. This is a strong case for tightening script execution controls, improving user prompts and admin approval paths, and detecting suspicious command sequences launched shortly after browser failures.
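As an added illustration of that last recommendation (example code written for this digest, not from Microsoft's report), a small Python correlation over constructed endpoint telemetry: it flags an abnormal browser exit followed within a few minutes by a command interpreter launched directly from the user's shell, the sequence a "run this to fix it" lure produces. The process names, the five-minute window and the pipe-delimited record format are assumptions to adapt to your own EDR schema.

```python
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Hypothetical process sets and correlation window; tune to your environment.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "mshta.exe", "python.exe"}
USER_SHELL = "explorer.exe"  # parent of Run-dialog and Start-menu launches
WINDOW = timedelta(minutes=5)

class Event(NamedTuple):
    ts: datetime
    host: str
    kind: str  # "process_exit" or "process_start"
    image: str
    parent: str
    exit_code: Optional[int]  # only meaningful for process_exit

def parse(line: str) -> Event:
    """Parse one pipe-delimited record: ts|host|kind|image|parent|exit_code."""
    ts, host, kind, image, parent, code = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), host, kind,
                 image.lower(), parent.lower(), int(code) if code else None)

def crashfix_candidates(events):
    """Return (crash, launch) pairs: a browser that exited abnormally, followed
    within WINDOW on the same host by an interpreter spawned straight from the
    user's shell. Clean exits (code 0) and launches outside the window are ignored."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    hits = []
    for evs in by_host.values():
        for c in evs:
            if not (c.kind == "process_exit" and c.image in BROWSERS
                    and c.exit_code not in (0, None)):
                continue
            hits += [(c, s) for s in evs
                     if s.kind == "process_start" and s.image in INTERPRETERS
                     and s.parent == USER_SHELL and c.ts < s.ts <= c.ts + WINDOW]
    return hits

# Constructed sample telemetry (not a real EDR export). Exit code -1073741819
# is 0xC0000005 (access violation), a typical crash signature.
SAMPLE = """\
2026-02-09T10:00:00|ws01|process_exit|chrome.exe|explorer.exe|-1073741819
2026-02-09T10:00:45|ws01|process_start|powershell.exe|explorer.exe|
2026-02-09T10:30:00|ws02|process_exit|msedge.exe|explorer.exe|0
2026-02-09T10:30:20|ws02|process_start|cmd.exe|explorer.exe|
2026-02-09T11:00:00|ws03|process_exit|firefox.exe|explorer.exe|-1073741819
2026-02-09T11:20:00|ws03|process_start|powershell.exe|explorer.exe|
"""

def detect(text: str = SAMPLE):
    return crashfix_candidates([parse(l) for l in text.splitlines() if l.strip()])
```

On the sample above only ws01 fires: ws02's browser closed cleanly and ws03's interpreter launch falls outside the window.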


Romania’s oil pipeline operator confirms cyberattack as hackers claim data theft

Romania’s national oil pipeline operator Conpet reported a cyber incident that disrupted parts of its IT infrastructure and took its website offline, while stating OT systems (including SCADA and telecommunications) remained functional and oil transport was unaffected. The Qilin ransomware group claimed responsibility and alleged nearly 1 TB of data theft, posting purported internal documents and scans. The incident underscores the operational importance of IT-OT segmentation and of having public-facing comms contingencies when core websites and customer communication channels are impacted.
