Blogs

The Gentlemen Ransomware Leak Breakdown: From Attackers to Victims
The Gentlemen RaaS operation suffered an internal compromise, likely via third-party infrastructure, exposing credentials, internal chats, and operational data. The leak revealed a credential-driven attack model involving Active Directory abuse and GPO-based deployment, along with the evaluation of vulnerabilities such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Despite the breach and data monetization, the group continued operations, showing strong resilience and a mature affiliate-driven ransomware model.
May 25, 2026
GitHub Internal Repository Breach: TeamPCP Exfiltrates ~3,800 Private Repositories via Poisoned VS Code Extension
TeamPCP reportedly used a malicious VS Code extension to compromise a GitHub employee’s device, steal credentials, and exfiltrate data from about 3,800 internal repositories. The leak appears to involve GitHub’s internal source code and engineering systems, not customer repositories, and the actor allegedly tried to sell the data afterward.
May 22, 2026
Ransomware Report - April 2026
This report provides an in-depth assessment of ransomware victim distribution by sector and geography during April 2026, including a comparative analysis with March 2026 to identify shifts in threat actor activity, sector targeting patterns, geographic impact, and overall victim volume. The findings are intended to support cybersecurity leaders and response teams in strengthening defensive posture and operational preparedness.
May 02, 2026
Inside Vercel’s April 2026 Security Incident: Third‑Party OAuth, Elevated Access, and Customer Risk
A threat actor identified as ShinyHunters claimed responsibility for a security incident involving Vercel and advertised alleged data for sale on an underground forum. Vercel subsequently disclosed unauthorized access to portions of its internal infrastructure, attributing the incident to the compromise of a third-party AI tool (Context[.]ai). The attacker leveraged this access to take control of an employee’s Google Workspace account and gain entry into internal environments, where environment variables not classified as sensitive were accessible, while sensitive variables remained protected. Vercel confirmed that the impact is limited to a subset of customers and that the investigation into the full scope of exposure and potential data exfiltration is ongoing. While the threat actor claims broader access to internal systems, employee accounts, and API credentials, these claims remain unverified and may not reflect the confirmed scope of the incident. Overall, the incident highlights risks associated with third-party integrations, identity-based access, and improper classification of configuration data within modern cloud and SaaS environments.
Apr 20, 2026
LAMASHTU Threat Report: An Emerging Data Extortion Group Targeting Global Organizations
LAMASHTU is an emerging data extortion group observed in April 2026, operating through a centralized leak platform with structured and staged data disclosures, supported by peer-to-peer (torrent-based) distribution mechanisms that expand data dissemination beyond traditional leak sites. Its activity spans Europe, North America, and Asia-Pacific, with approximately 21% of victims concentrated in France, and targets data-rich sectors led by Business Services (~29%) and Manufacturing (~22%). The group demonstrates rapid operational execution, with 14+ victims disclosed within a short timeframe, while its operations are centered on large-scale exposure of sensitive data, creating sustained risk through continued accessibility and third-party exploitation. The inclusion of explicit ransom demands alongside exposure threats reflects a dual-impact extortion model, positioning LAMASHTU as a developing threat leveraging data exposure as a primary mechanism for coercion and financial gain.
Apr 17, 2026
Qilin Ransomware: The Operation Powering Large-Scale Attacks in 2026
Qilin (also known as Agenda) is a highly active ransomware operation leveraging a Ransomware-as-a-Service (RaaS) model, with 1,669 confirmed victims across more than 50 countries. The group demonstrated sustained growth in early 2026, recording 109 victims in January, 115 in February (+5.5%), and 141 in March (+22.6%), maintaining its position as the most active ransomware group during this period. Its global footprint and sector distribution indicate a strong focus on operationally critical and data-sensitive industries, particularly within mature economies. Recent activity highlights both established and evolving attack techniques, including exploitation of exposed services such as VPN gateways, Citrix environments, and internet-facing applications, alongside credential-based access through phishing, infostealer data, and initial access brokers. A notable development is the use of advanced defense evasion techniques such as Bring Your Own Vulnerable Driver (BYOVD), enabling interference with endpoint protections prior to payload execution. Combined with pre-encryption data exfiltration, abuse of legitimate administrative tools for lateral movement, and selective encryption strategies, these techniques improve operational efficiency, reduce detection opportunities, and increase the overall impact of attacks.
Apr 13, 2026
Ransomware Report - March 2026
This report provides an in-depth assessment of ransomware victim distribution by sector and geography during March 2026, including a comparative analysis with February 2026 to identify shifts in threat actor activity, sector targeting patterns, geographic impact, and overall victim volume. The findings are intended to support cybersecurity leaders and response teams in strengthening defensive posture and operational preparedness.
Apr 01, 2026
Handala Hack Group Profile: From Hacktivist Branding to Cyber Warfare
Handala Hack is an Iranian state-directed destructive cyber group operated by Void Manticore, a unit affiliated with Iran's Ministry of Intelligence and Security (MOIS). Despite presenting itself as a pro-Palestinian hacktivist collective, the group functions as a government-backed offensive cyber capability. Since emerging in December 2023, the group has conducted at least 131 documented attacks across Israel, the United States, the United Kingdom, and Gulf states, targeting sectors including technology, government, energy, healthcare, and financial services — with Israel accounting for over 84% of victims and the United States accounting for approximately 7%.
Apr 01, 2026
215 Victims and Growing: NightSpire’s Rapid Rise in the Ransomware Landscape
NightSpire is an active ransomware operation first observed in February 2025, with at least 215 victims across North America, Europe, Asia-Pacific, the Middle East, and Africa. Likely a rebrand of the earlier Rbfs ransomware operation, the group employs a double-extortion strategy—combining data theft with file encryption—and operates dedicated data leak sites (DLS) on the dark web to pressure victims through public exposure and countdown timers.
Mar 28, 2026
Operation Epic Fury: Cyber War Assessment
On February 28, 2026, the United States and Israel launched a coordinated military and cyber campaign against Iran, codenamed Operation Epic Fury (US) and Operation Roaring Lion (Israel). The strikes targeted Iranian nuclear infrastructure, IRGC leadership, military command centers, and naval assets — resulting in the confirmed death of Supreme Leader Ali Khamenei and the near-total collapse of Iranian government command-and-control. Within hours, a parallel digital front erupted with a scale and complexity that has no clear historical precedent in the cyber domain.
Mar 26, 2026
Surge in Hacktivist and Cybercriminal Activity Targeting Indian Organizations
Ongoing geopolitical tensions involving Iran, Israel, and the United States are driving a rise in cyber activity that poses a growing risk to India’s digital ecosystem. Recent threat intelligence highlights a concentration of attacks against Indian organizations and online services, as regional conflicts spill over into cyberspace and expand the potential threat surface for Indian entities. Observed activity includes website defacements, Distributed Denial-of-Service (DDoS) attacks, ransomware operations, data theft and leak claims, and repeated attempts to gain unauthorized access to exposed systems. Adversaries are predominantly abusing weaknesses in internet-facing infrastructure such as web servers, government and public service portals, and content management systems (CMS) to achieve disruption and enable possible data exfiltration. These operations have affected a wide range of Indian sectors, including government services, education, private industry, financial institutions, religious organizations, and infrastructure-related companies.
Mar 09, 2026
From Access to Encryption in Hours: TheGentlemen Ransomware Playbook Exposed
TheGentlemen is an active ransomware-as-a-service (RaaS) operation observed since February 2023, with at least 223 publicly listed victims across North America, Europe, Asia, and other regions. The group employs a double-extortion strategy, combining data theft with rapid network-wide encryption and publication of stolen data on its leak site, often proceeding without prolonged negotiation phases. Instead of relying heavily on sophisticated zero-day exploits, operators frequently gain initial access through exposed services and compromised credentials, then escalate privileges, disable security controls, and deploy ransomware across the domain. Their campaigns target a wide range of sectors — particularly manufacturing, technology, and financial services — indicating opportunistic yet consistent enterprise-focused operations.
Mar 05, 2026