"We're trying to solve the problem of phishing giving attackers access to a user's mailbox or VPNs allowing access to networks. What this means is you have a secure network, all your devices connect through a secure network, and it's completely seamless to the user. It does not interfere with their speed. They can still get direct access to the internet, while the business apps, the important traffic is routed through a secure network making sure that if someone gets your credentials, they cannot get into your mailbox." - Danny Jenkins
Powercat turns a simple download into full compromise
What happened: ThreatLocker Threat Intelligence observed a malware campaign dubbed Powercat that delivers malware by disguising itself as cheat tools for popular PC games. The campaign originated from a domain previously flagged for staging malicious binaries. The software executes a multi-stage infection chain that ultimately deploys an infostealer targeting gaming accounts, crypto wallets, browser data, and more. There are also indicators that attackers are utilizing stolen PII to target minors.
Why it matters: Attackers are constantly evolving tactics to blend more seamlessly into normal behavior, so they can more easily evade detection. User-initiated downloads are becoming a more common entry point in modern attacks, and threat actors typically blend social engineering tactics with technical sophistication. Disguising malware as software can give users a false sense of security and can turn a simple download into a full-scale compromise.
The big picture: Initial access often starts with user behavior and with attackers meeting users where they are. In this case, it is targeting users looking for specific software and delivering fake downloads. Organizations need to assume their employees will be duped by fake websites and downloads and enforce controls that would stop these unknown applications from executing in the first place. See how the attack works.
What happened: As is evident with the Powercat campaign, malicious websites and ads are increasingly being used to deliver malware and gain initial access to systems. Malicious ads may silently redirect the user to a malicious site or initiate code execution simply from loading an ad (no click necessary).
Why it matters: Malvertising is a scalable, hard-to-detect entry point. It bypasses traditional security assumptions. Users don't need to download anything suspicious because just browsing a legitimate page can be enough.
The big picture: Initial access for attackers is getting easier and more targeted at specific user behavior. As attackers continue to exploit trusted networks and pathways, assuming compromise is an organization's best defense. Deny by default and verify continuously. Read the full breakdown.
Insider threats are dangerous even when not malicious
What you need to know: Malicious insider threats remain a major cyber risk, but more and more incidents are driven by negligence or human error, rather than malicious intent. Employees, contractors, and third-party partners unintentionally expose systems through unauthorized downloads, mishandling data, or falling for social engineering attacks. No matter the insider's intent (or lack thereof), preventing insider threats relies on Zero Trust principles.
Why it matters: Weaponizing human error is an easy target for attackers in the current landscape. Rather than breaking in, they're tricking users to open the door. This shift makes unintentional insider threats even more difficult to defend against while maintaining efficient operations.
The big picture: The line between external and internal threats is blurring, and organizations cannot rely on trust. Proper onboarding and offboarding are crucial to mitigating malicious insider threats. Likewise, enforcing the principle of least privilege is crucial to mitigating unintended insider threats by limiting access to only what is strictly required for an employee to do their job. Privileged access management and strong password policies also help make your employees harder to manipulate. Best practices to prevent insider threats.
AI has lowered the barrier of entry and increased the capabilities of cybercriminals. Learn how to stay proactive in the face of AI-boosted attacks.
Familiar tools and timely lures are high-risk attack vectors
IRS phishing hits 29,000 users across 10,000 organizations
Tax season fuels credential theft and remote access attacks
What's happening: Microsoft warns of fresh malware and credential-harvesting campaigns impersonating the IRS this tax season. Emails use tax-related lures like refund notices, filing alerts, and payroll forms to trick users into opening malicious attachments, scanning QR codes, or clicking suspicious links. Campaigns are targeting both individuals and professionals who handle sensitive tax documents and are accustomed to receiving similar emails at this time of year. Some campaigns steal credentials through phishing kits, while others deploy RMM tools to gain persistent access to compromised systems.
Why it matters: This attack follows an uptick in RMM adoption by cybercriminals. RMM tools are frequently used by IT departments, so they're easy to overlook or to trust by default.
The big picture: Tax season, like open enrollment, creates a predictable attack window. While default-deny policies are critical to protecting your organization if an employee falls for a phishing email, user awareness is equally important during these windows when attackers are most active.
Vulnerability scanner breached to inject credential-stealing scripts
What's happening: The Trivy vulnerability scanner was compromised in a supply chain attack that injected credential-stealing malware into its official GitHub Actions and releases. An attacker with residual credentials from a previous breach successfully force-pushed 75 version tags to distribute the malicious code, meaning organizations were unknowingly using affected versions and executing the payload inside their CI/CD pipelines. Currently, version tag 0.35.0 is the only safe release.
Why it matters: More than 10,000 workflow files on GitHub reference this action, so the potential impact is massive. Furthermore, the attacker in this case acted in ways that deliberately avoided triggering alerts and made the history appear normal to evade detection.
The big picture: More than taking actions that have an increased chance of evading detection, this attack directly targets security tools many organizations rely on. More and more, attackers are exploiting trust first, software later.
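Because the Trivy attack worked by force-pushing existing version tags, any workflow that pins an action by tag silently picked up the new code. The checker below, an added example that is not ThreatLocker's or the Trivy project's code, scans a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-character commit SHA; the workflow text and the `example-org/...` action names are constructed for the demo.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the page): two steps pin by mutable tag,
# one pins by immutable commit SHA. Action names under example-org are hypothetical.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Vulnerability scan (hypothetical action, pinned to a tag an attacker could move)
        uses: example-org/scanner-action@0.34.0
      - name: Pinned to a commit SHA, which a force-pushed tag cannot redirect
        uses: example-org/other-action@0123456789abcdef0123456789abcdef01234567
      - run: echo done
"""

# Matches "uses: owner/repo@ref" whether or not the line starts a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full-length lowercase hex commit SHA; anything else (v4, 0.34.0, main) is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_mutable_pins(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, ref) for every `uses:` whose ref is not a commit SHA.

    Local actions (./path) and docker:// images are out of scope and skipped.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref_spec = match.group(1).strip("'\"")
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue
        action, _, ref = ref_spec.partition("@")
        if not SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


if __name__ == "__main__":
    for line_no, action, ref in find_mutable_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action} pinned to mutable ref '{ref}'")
```

SHA pinning closes the force-pushed-tag vector but not the compromised-release vector the page also mentions: an action that downloads a release binary at run time still needs that download checksum-verified.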
Looking for more insights like these?
Cyber Hero Frontline explores the ideas and strategies shaping modern cybersecurity.