Russia-linked actors leaned hard on OAuth device codes and RDP phishing from Oct 2024–Aug 2025. Providers pushed back in concert. Here’s what changed, what to watch in your logs, and the quickest moves that buy real risk reduction.

UNC3944, UNC6040, and UNC6395 are executing targeted campaigns against SaaS, cloud, and virtualization environments, leveraging vishing, OAuth abuse, and supply-chain compromise. Their TTPs require precise, telemetry-driven controls and detection.

Shamos, a new Atomic macOS Stealer (AMOS) variant attributed to COOKIE SPIDER, is targeting U.S. tech and education sectors via malvertising and fake support sites.

Your code assistant invents a “helpful” package; an attacker registers it; your pipeline installs it. As of Aug 27, 2025, this is moving from edge case to repeatable tactic. Here’s how to spot it fast and force your builds to fail-closed.

If your Redis still answers the internet, congrats — you’re on TA-NATALSTATUS’s payroll. They pop root through misconfig, hide miners by renaming ps/top, lock files with chattr +i, and kneecap rival crews. Fresh scans show exposed 6379s still feeding new botnets/miners. Are you sure yours isn’t world-readable? 🔍🔥

Hybrid attacks are hitting navigation and port systems harder than ever — from ransomware to GPS spoofing — threatening safety, operations, and global trade..

Three converging trends—ransomware, volatile regulations, and global instability—are reshaping risk for US tech, finance, and education. The common thread? Disruption spreads faster than most organizations can detect or respond.