Cyber (In)Security and Surveillance (27 February 2026)

North Korea’s APT37 Expands Toolkit to Breach Air-Gapped Networks

(Kevin Poireault – Infosecurity Magazine) A cyber espionage group linked to North Korea has been observed deploying a new malicious campaign that uses removable-media infection tools to gain access to air-gapped systems. The group, APT37, is a well-known hacking team active since at least 2012 and known under many names, including ScarCruft, Ruby Sleet, InkySquid, Ricochet Chollima and Velvet Chollima. Initially focused on the public and private sectors in South Korea, the group expanded its operations in 2017 to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities. – https://www.infosecurity-magazine.com/news/north-korea-apt37-expands-toolkit/

UK Vulnerability Monitoring Service Cuts Unresolved Security Flaws by 75%

(Beth Maundrill – Infosecurity Magazine) The UK government has claimed it has reduced its backlog of critical vulnerabilities by 75% and reduced cyber-attack fix times by 87%. Serious security weaknesses in public sector websites are now fixed six times faster, cutting the average time from nearly two months to just over a week, the UK government said in an update published on 26 February. According to the official statement, the progress follows the introduction of a specialist government vulnerability monitoring service (VMS), which came about as part of the Blueprint for Modern Digital Government policy paper published on January 21. – https://www.infosecurity-magazine.com/news/uk-vuln-monitoring-service-cuts/

‘Project Compass’ Cracks Down on ‘The Com’: 30 Members of Notorious Cybercrime Gang Arrested

(Danny Palmer – Infosecurity Magazine) A global law enforcement operation co-ordinated by Europol, dubbed ‘Project Compass’, has taken action against ‘The Com’, a notorious online collective responsible for high-profile cyber-attacks and various forms of extortion and exploitation. The group, made up of a disparate network of mostly teenage boys and young men, has been linked to several high-profile ransomware campaigns, notably against Marks & Spencer, The Co-op and Harrods in 2025, as well as a series of cyber-attacks against Las Vegas casinos in 2023. Common tactics deployed in cyber-attacks by The Com include phishing, vishing and SIM swapping, with the aim of breaching networks via account takeovers. – https://www.infosecurity-magazine.com/news/project-compass-com-arrests/

Aeternum Botnet Shifts Command Control to Polygon Blockchain

(Alessandro Mascellino – Infosecurity Magazine) A newly identified botnet loader is shifting command-and-control (C2) operations onto the Polygon blockchain, eliminating the central servers that authorities and security firms have historically targeted to dismantle malicious networks. Aeternum C2, uncovered by Qrator Research Lab while monitoring cybercrime forums, replaces conventional infrastructure with smart contracts hosted on the Polygon blockchain. Instead of communicating with hardcoded IP addresses or registered domains, infected machines retrieve instructions written directly to the blockchain, where transactions are publicly recorded and cannot be removed. For years, law enforcement agencies have disrupted operations such as Emotet, TrickBot and QakBot by seizing servers or suspending domains. Aeternum appears to remove that weak point entirely. – https://www.infosecurity-magazine.com/news/aeternum-botnet-c2-polygon/

iPhone and iPad are the first consumer devices cleared for NATO ‘RESTRICTED’ classification

(Pierluigi Paganini – Security Affairs) Apple announced that its iPhone and iPad have received NATO approval to handle classified information. The devices are now officially listed in the NATO Information Assurance Product Catalogue (NIAPC), allowing military personnel to use them securely for sensitive communications and operations. Devices listed in the NIAPC are commercial security products built in NATO member states, designed to protect NATO or national classified information. They meet strict information security standards, undergo NATO or national vetting, hold recognized certifications such as Common Criteria or INFOSEC approvals, and receive explicit approval for handling classified data, often up to levels such as NATO Restricted or NATO Secret. – https://securityaffairs.com/188618/security/iphone-and-ipad-are-the-first-consumer-devices-cleared-for-natos-restricted-classification.html

Juniper issues emergency patch for critical PTX router RCE

(Pierluigi Paganini – Security Affairs) Juniper Networks issued an out-of-band security update for Junos OS Evolved to address a critical remote code execution vulnerability, tracked as CVE-2026-21902 (CVSS score of 9.3), impacting PTX routers. The company urges customers to apply the patch promptly to protect network infrastructure from potential exploitation. The flaw resides in the On-Box Anomaly Detection framework of Junos OS Evolved on PTX Series routers and lets unauthenticated remote attackers execute code as root. The service, enabled by default, should be restricted to internal processes but can be accessed externally due to incorrect permissions, allowing full device takeover. – https://securityaffairs.com/188609/security/juniper-issues-emergency-patch-for-critical-ptx-router-rce.html

How AI Aids Incident Response: Why Humans Alone Cannot Do IR Efficiently

(Pierluigi Paganini – Security Affairs) Incident response has always been a race against the clock. It starts ticking the moment an alert is triggered, and each minute thereafter can lead to lost revenue, regulatory exposure, reputational damage, or customer churn. Traditionally, incident response has relied on highly skilled analysts manually switching between tools, correlating logs, validating alerts, escalating findings, and drafting executive reports. It’s meticulous work, which is expensive and slow. AI changes that. Not by replacing humans, but by removing the friction that makes human-led investigation inefficient in the first place. – https://securityaffairs.com/188599/ai/how-ai-aids-incident-response-why-humans-alone-cannot-do-ir-efficiently.html

12 Million exposed .env files reveal widespread security failures

(Pierluigi Paganini – Security Affairs) Configuration mistakes rarely trigger alarms. A forgotten deny rule, an overlooked server setting, or a full project folder uploaded to production can quietly expose a company’s most sensitive secrets. In many cases, those secrets live inside simple environment files known as .env files. Researchers at Mysterium VPN identified 12,088,677 IP addresses serving publicly accessible .env-style files. “Researchers here at Mysterium VPN identified over 12 million IP addresses with publicly accessible .env-style files, revealing credentials and tokens, including JWT signing keys, API keys, database passwords, and service tokens,” reads the report published by Mysterium VPN. “The United States leads the count with nearly 2.8 million exposed IPs, accounting for around 23% of the total IP pool. The issue is global: Japan (1.1M), Germany (777K), India (652K), France (636K), and the UK (583K) also have substantial exposures, showing that this is a global security hygiene problem.” – https://securityaffairs.com/188590/hacking/12-million-exposed-env-files-reveal-widespread-security-failures.html
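The practical difficulty in auditing your own hosts for this class of exposure is that a web server with a catch-all page answers HTTP 200 to every path, so a plain status check produces false positives. The following is an added example, not code from the article or from Mysterium VPN: it takes the status and body of a response for a `.env` path (sample responses constructed inline) and decides whether a real dotenv file is being served, reporting only the names of sensitive-looking keys rather than their values. The key-name patterns, the dotenv grammar and the `min_keys` threshold are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Heuristic: key names that, if served publicly, mean a live secret leak.
# (Assumed pattern list for this example; tune to your own naming conventions.)
SENSITIVE_KEY_RE = re.compile(
    r"(SECRET|PASSWORD|PASSWD|TOKEN|KEY|DSN|DATABASE_URL|CREDENTIAL)", re.IGNORECASE
)
# One dotenv assignment: optional "export", a KEY identifier, "=", the rest of the line.
ENV_LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


@dataclass
class EnvExposure:
    exposed: bool
    total_keys: int = 0
    sensitive_keys: list = field(default_factory=list)  # names only, never values
    reason: str = ""


def parse_env(body: str) -> dict:
    """Parse dotenv-style KEY=VALUE lines into a mapping; comments/blanks are skipped."""
    result = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        # Drop one layer of matching quotes, as dotenv loaders do.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key] = value
    return result


def classify_env_response(status: int, body: str, min_keys: int = 2) -> EnvExposure:
    """Decide whether a response for a .env path is a genuine dotenv file exposure."""
    if status != 200:
        return EnvExposure(False, reason=f"HTTP {status}: not served")
    if body.lstrip().startswith("<") or "<html" in body.lower():
        return EnvExposure(False, reason="HTML body: catch-all / soft-404 page")
    content_lines = [l for l in body.splitlines() if l.strip() and not l.strip().startswith("#")]
    env = parse_env(body)
    # Require that nearly all content lines parse as assignments, not just a few.
    if len(env) < min_keys or len(env) < 0.8 * len(content_lines):
        return EnvExposure(False, len(env), reason="body is not predominantly KEY=VALUE")
    sensitive = sorted(k for k, v in env.items() if v and SENSITIVE_KEY_RE.search(k))
    return EnvExposure(True, len(env), sensitive, "dotenv content served with HTTP 200")


# Constructed sample responses standing in for what a fetch of /.env would return.
SAMPLE_RESPONSES = {
    "leak": (200, "APP_ENV=production\nAPP_KEY=base64:EXAMPLE-NOT-A-REAL-KEY\n"
                  "DB_PASSWORD='example-only'\nJWT_SECRET=example-only\nMAIL_HOST=smtp.example.com\n"),
    "soft404": (200, "<!DOCTYPE html><html><body><h1>Page not found</h1></body></html>"),
    "denied": (403, "Forbidden"),
}


def audit_samples() -> dict:
    """Classify every constructed sample; returns name -> EnvExposure."""
    return {name: classify_env_response(s, b) for name, (s, b) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        flag = "EXPOSED" if verdict.exposed else "ok"
        # Print key names only; the point of the audit is to never re-leak the values.
        print(f"{name:8s} {flag:8s} keys={verdict.total_keys} sensitive={verdict.sensitive_keys} ({verdict.reason})")
```

The redaction matters in practice: an audit script that logs the values it finds simply copies the secret into another place that needs protecting. The fix for an actual finding is the deny rule the article alludes to (blocking dotfiles at the web server) plus rotating every credential the served file contained.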

Trend Micro fixes two critical flaws in Apex One

(Pierluigi Paganini – Security Affairs) Trend Micro has addressed two critical vulnerabilities in Apex One that could allow attackers to achieve remote code execution on affected Windows systems. The company released security updates and strongly urged customers to apply the patches promptly to prevent potential exploitation and protect their environments from compromise. Trend Micro Apex One is an all-in-one advanced endpoint security solution. It provides ransomware protection, zero-day threat defense, EDR, predictive machine learning, DLP, and virtual patching via a single agent. – https://securityaffairs.com/188572/security/trend-micro-fixes-two-critical-flaws-in-apex-one.html

UAT-10027 campaign hits U.S. education and healthcare with stealthy Dohdoor backdoor

(Pierluigi Paganini – Security Affairs) Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor. Initial access likely occurs through phishing, triggering a PowerShell script that downloads a batch file and then a malicious DLL named Dohdoor via sideloading. The malware uses DNS-over-HTTPS and Cloudflare infrastructure to hide its command-and-control traffic within legitimate HTTPS connections. This allows attackers to deploy additional payloads, such as Cobalt Strike, directly into memory while evading security detection and maintaining persistent access. – https://securityaffairs.com/188558/apt/uat-10027-campaign-hits-u-s-education-and-healthcare-with-stealthy-dohdoor-backdoor.html
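Because DoH queries are ordinary HTTPS POST/GET requests, the place a defender can still see them is a TLS-terminating proxy or a client with URL and content-type visibility. The block below is an added example written for this digest; it is not Talos code and does not reproduce any Dohdoor indicator. It parses a constructed proxy-log format (an assumption, not a real product's format), recognises DoH requests by the RFC 8484 markers (`application/dns-message` content type or a `/dns-query` path), summarises them per source address, and flags sources that are not on an allowlist of hosts expected to use DoH. The resolver host list and the allowlist are the example's own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log layout assumed for this example:
# <timestamp> <src_ip> <method> <url> <status> <content_type> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)

# Well-known public DoH resolvers (illustrative list); DoH to any other endpoint is
# reported separately because it is the less expected case.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "one.one.one.one", "1.1.1.1", "dns.google", "dns.quad9.net"}


def is_doh_request(url: str, ctype: str) -> bool:
    """RFC 8484 markers: dns-message body/response, or the conventional /dns-query path."""
    if ctype.lower() == "application/dns-message":
        return True
    return urlsplit(url).path.rstrip("/") == "/dns-query"


def summarize_doh(log_lines) -> dict:
    """Return src_ip -> {count, endpoints, unknown_endpoints} for all DoH requests seen."""
    summary = defaultdict(lambda: {"count": 0, "endpoints": set(), "unknown_endpoints": set()})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        if not is_doh_request(m["url"], m["ctype"]):
            continue
        host = urlsplit(m["url"]).hostname or "?"
        entry = summary[m["src"]]
        entry["count"] += 1
        entry["endpoints"].add(host)
        if host not in KNOWN_DOH_HOSTS:
            entry["unknown_endpoints"].add(host)
    # Freeze sets into sorted lists so results are stable and easy to assert on.
    return {src: {"count": e["count"],
                  "endpoints": sorted(e["endpoints"]),
                  "unknown_endpoints": sorted(e["unknown_endpoints"])}
            for src, e in summary.items()}


def flag_doh_sources(log_lines, allowlist) -> list:
    """Sources using DoH that are not policy-approved to do so, sorted for reporting."""
    return sorted(src for src in summarize_doh(log_lines) if src not in allowlist)


# Constructed sample log lines (no real hosts or indicators).
SAMPLE_LOG = [
    '2026-02-26T09:14:02Z 10.20.5.17 POST https://cloudflare-dns.com/dns-query 200 application/dns-message "Mozilla/5.0"',
    '2026-02-26T09:14:09Z 10.20.5.17 GET https://www.example.org/index.html 200 text/html "Mozilla/5.0"',
    '2026-02-26T09:15:41Z 10.20.5.42 POST https://cloudflare-dns.com/dns-query 200 application/dns-message "-"',
    '2026-02-26T09:15:43Z 10.20.5.42 POST https://cloudflare-dns.com/dns-query 200 application/dns-message "-"',
    '2026-02-26T09:16:00Z 10.20.5.42 GET https://resolver.example.net/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE 200 application/dns-message "-"',
    '2026-02-26T09:17:12Z 10.20.5.99 GET https://cdn.example.com/app.js 200 application/javascript "Mozilla/5.0"',
]
# Assumed policy: only 10.20.5.17 (say, a browser fleet with DoH enabled) may use DoH.
DOH_ALLOWLIST = {"10.20.5.17"}

if __name__ == "__main__":
    for src, info in summarize_doh(SAMPLE_LOG).items():
        print(src, info)
    print("flagged:", flag_doh_sources(SAMPLE_LOG, DOH_ALLOWLIST))
```

Two caveats follow from the article's own point. Browsers and operating systems with DoH enabled produce exactly this traffic, so the signal only works against a baseline of which endpoints are expected to use DoH; and because the malware rides on Cloudflare infrastructure, "known resolver" does not mean "benign", which is why the summary keeps the per-source count and the endpoint set rather than reducing everything to a single boolean.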

The organizational challenges of personal data as a dual-threat asset

(IAPP) U.S. policymakers are increasingly viewing personal data as a dual-use asset, where data retention can create economic benefits while leaving the potential for exploitation by foreign adversaries. With wider access to troves of consumer personal information, regulators have raised concerns about the potential processing of military members’ sensitive personal data, including geolocation information. – https://iapp.org/news/a/the-organizational-challenges-of-personal-data-as-a-dual-threat-asset

Greek court sentences Predator spyware gang

(Nektaria Stamouli – Politico) A Greek court on Thursday sentenced four people, including two Israelis, to prison over a major wiretapping scandal involving the illegal use of spyware to target politicians, business leaders and journalists. The Greek spying affair, known as “Predatorgate,” erupted in 2022 when Nikos Androulakis, leader of the main opposition PASOK party and then a member of the European Parliament, discovered that illegal spyware known as Predator had been installed on his phone. The scandal is one of Europe’s most significant political crises involving the use of commercial hacking software. Spain, Hungary and Poland have faced similar controversies, with spyware such as Pegasus and Candiru found on the phones of politicians and activists. The European Parliament launched a formal inquiry into the use of such tools in 2022. – https://www.politico.eu/article/predatorgate-greece-court-sentences-predator-spyware-gang/
