- According to Socket, the campaign operates as a typosquatting worm: the attacker publishes malicious packages that mimic trusted names (e.g., look-alikes of common utilities and AI coding tools). When one of these malicious packages is installed and imported, it executes a sta...
- Between June and late 2025, threat actors compromised the shared hosting infrastructure used by Notepad++ and selectively hijacked update traffic destined for notepad-plus-plus.org. Rather than exploiting a vulnerability in Notepad++ code, the attackers abused access at the ho...
- In January 2026, the Plone security team disclosed a security incident affecting the Plone GitHub organization, in which an attacker used force pushes to insert malicious JavaScript code into multiple repositories. The activity was traced back to a compromised contributor acco...
- Threat actors abused native AWS email services to build phishing and spam infrastructure inside a compromised cloud environment. After obtaining exposed long-term AWS credentials, the attackers conducted IAM and service reconnaissance to assess email-sending capabilities. Whil...
- On 2026-01-17, a campaign was reported, involving an unknown actor, gaining initial access via Dangling resource.
- The activity centers on CVE-2024-36401, a remote code execution vulnerability disclosed in 2024 that allows unauthenticated attackers to execute arbitrary commands on vulnerable GeoServer instances. Since disclosure, multiple threat actors have systematically scanned for expos...
- Amadey, an established malware loader active since at least 2018, was observed downloading second-stage payloads from a hijacked self-hosted GitLab instance hosted on gitlab[.]bzctoons[.]net. The infrastructure appears to belong to a legitimate organization, with evidence sugg...
- A new wave of the Shai-Hulud–style supply-chain attack has trojanized hundreds of npm packages—including widely used components from Zapier, ENS Domains, PostHog, and Postman—resulting in more than 25,000 GitHub repositories populated with stolen secrets. Beginning on November...
- Researchers uncovered an advanced persistent threat (APT) exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix systems (CitrixBleed2). The vulnerabilities, tracked as CVE-2025-20337 and CVE-2025-5777, were leveraged by the attackers to deploy ...
- A routine asset scan for a major entertainment company uncovered a massive gambling operation hiding behind legitimate e-commerce infrastructure. The discovery began with a simple subdomain takeover on Shopify: an abandoned DNS mapping that had been left active after decommissi...
- Researchers uncovered a coordinated campaign leveraging stolen AWS credentials to automate reconnaissance and abuse Amazon Simple Email Service (SES) for Business Email Compromise (BEC) operations. The attackers used a custom infrastructure dubbed TruffleNet, built around the ...
- Attackers obtain remote code execution through abuse of SQL-server environments (exploitation, SQL injection, or credential compromise) and attempt to install web shells. When detection (e.g., endpoint AV) blocks the web-shell stage they escalate to a multi-stage DLL loader ch...
- The infection began with the exploitation of a vulnerable Jenkins server (CVE-2024-238976), which enabled lateral movement into AWS EKS clusters. The threat actor deployed a malicious Docker image (kvlnt/vv) containing a Rust-based downloader (vGet) that retrieved an encrypted...
- On September 15, 2025, malicious versions of multiple popular packages were published to npm with a post-install script that harvested sensitive developer assets and exfiltrated data to attacker-created public GitHub repos named Shai-Hulud. Wiz Research estimates that this act...
- On September 5, 2025, GitGuardian reported a campaign titled "GhostAction": attackers with write access to GitHub repositories, gained by an unknown initial access vector, added a malicious GitHub Actions workflow that exfiltrates CI/CD secrets via HTTP POST to an attacker-c...
- The compromise introduced a malicious telemetry.js file triggered via a post-install script in the npm package. The payload executed only on Linux and macOS systems, systematically searching for sensitive files (wallets, keystores, .env, SSH keys) and extracting credentials (g...
- The attack chain begins with exploitation of the Apache ActiveMQ RCE vulnerability (CVE-2023-46604) on cloud Linux hosts. Upon gaining access, the attacker installs the Sliver C2 implant and modifies sshd settings to permit root login over SSH, then downloads and executes the ...
- Researchers identified active exploitation of CVE-2024-40766 in SonicWall's seventh-generation firewalls, specifically impacting SSL VPN functionality. Threat actors are bypassing multi-factor authentication (MFA), gaining privileged access, and deploying Akira ransomware. The...
- A newly discovered Linux backdoor, dubbed Plague, was embedded as a malicious PAM (Pluggable Authentication Module) component. Designed to silently bypass system authentication, Plague grants attackers persistent SSH access while evading all known antivirus detection and leavi...
- In April 2025, a threat actor exploited CVE-2025-31324, a critical vulnerability in SAP NetWeaver, to deploy the Auto-Color backdoor malware on a US-based chemical company's network. The intrusion began with suspicious ZIP file downloads and DNS tunneling to test exploitabilit...
- Wiz Research has uncovered an ongoing, sophisticated cryptomining campaign dubbed Soco404, which targets both Linux and Windows systems in cloud environments. The campaign exploits exposed PostgreSQL instances and vulnerable Apache Tomcat servers to achieve initial access, the...
- A phishing attack targeting a popular npm maintainer led to the compromise of several widely used packages, including eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and others. The attacker stole the maintainer’s npm token via a spoofed email and used it ...
- Microsoft has disclosed two actively exploited zero-day vulnerabilities in on-premises SharePoint Server—CVE-2025-53770 (RCE via unsafe deserialization) and CVE-2025-53771 (authentication bypass via Referer header spoofing). These flaws form a chained exploit known as ToolShel...
- The Linuxsys cryptominer is part of a long-running campaign active since at least 2021, consistently exploiting multiple web application vulnerabilities to deploy the Linuxsys coinminer on compromised systems. The attacker utilizes a stable methodology: exploiting n-day vulner...
- An AWS customer faced a compromise through a SonicWall SMA 500v EC2 instance that was improperly exposed to the internet. The attacker connected via multiple Vultr VPS endpoints, performed network scans, and moved laterally between EC2 instances using RDP. Over 700 GB of data was...
- In February 2025, a UK-based AWS environment was infiltrated using compromised VPN credentials. The threat actor conducted internal reconnaissance with Nmap and staged data exfiltration using the Rclone tool, transferring sensitive files from AWS file servers, particularly fin...
- In early 2024, a Darktrace customer’s Azure environment was compromised after attackers stole access tokens linked to an external consultant’s account, obtained via cracked software. Using these tokens, the attacker authenticated into the Azure environment, modified security r...
- On 2025-07-02, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, targeting JDWP, TeamCity to achieve Resource hijacking. The following tools were observed: XMRig.
- In one attack chain, a Bash script retrieved from 0x0[.]st was used to install TinyProxy via common package managers like apt, yum, or dnf. The script then modified configuration files to allow unrestricted external access (Allow 0.0.0.0/0), exposing the proxy service on port ...
- In June 2025 researchers documented a campaign that breaches vulnerable South-Korean IIS web servers—and sometimes adjacent Linux hosts—by uploading ASP/ASPX web shells through file-upload flaws. Once the shell is in place, the operators fan out: they run basic host discovery ...
- CVE-2025-3248 is an unauthenticated remote code execution (RCE) vulnerability in Langflow, a popular Python-based framework for building AI applications. The flaw lies in the code validation endpoint, which fails to enforce authentication or sandboxing when parsing and executi...
- Researchers uncovered a large-scale malvertising campaign, active primarily between March 26 and April 25, 2025, during which over 269,000 legitimate websites were compromised with highly obfuscated JavaScript code dubbed “JSFireTruck” (a euphemism for JSF*ck). Using only six ...
- On 2025-06-11, a campaign was reported, involving an unknown actor, gaining initial access via End-user compromise, while using Password spraying, Resource enumeration, targeting Microsoft OneDrive, Microsoft Outlook, Microsoft Teams to achieve Data exfiltration. The following tools were observed: TeamFiltration.
- A threat actor compromised 16 highly popular React Native and GlueStack packages, collectively downloaded over a million times weekly. The attackers inserted a stealthy backdoor into these packages using whitespace obfuscation to hide malicious code. The payload is a Remote Ac...
- Researchers discovered an active exploitation of a misconfigured Open WebUI instance—a self-hosted interface for large language models (LLMs)—that was exposed to the internet with administrator access enabled and no authentication. A threat actor leveraged this misconfiguratio...
- On May 8, 2025, GreyNoise observed a tightly coordinated and large-scale reconnaissance campaign launched from 251 malicious IP addresses, all hosted on Amazon AWS and geolocated in Japan. These IPs were active for only one day and collectively triggered 75 distinct scanning b...
- Wiz Threat Research has confirmed active in-the-wild exploitation of a vulnerability chain in Ivanti Endpoint Manager Mobile (EPMM), comprising CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (post-auth RCE). Exploited together, these flaws enable unauthenticated remot...
- RedisRaider begins by indiscriminately scanning the IPv4 space for Redis servers open on port 6379. Upon identifying a target, the malware checks the server OS and uses Redis commands to inject a base64-encoded shell script as a cron job. It writes this payload to disk by reco...
- Baidu reports an exploitation campaign targeting publicly-exposed instances of ComfyUI. ComfyUI provides a GUI for AI image generation workflows. By default, it does not implement authentication. A popular extension, ComfyUI-Manager, allows an attacker to execute remote code v...
- Researchers detected a malicious update to the popular npm package rand-user-agent, used for generating randomized user-agent strings. The attacker published multiple unauthorized versions (1.0.110, 2.0.83, 2.0.84) containing heavily obfuscated code designed to covertly instal...
- In early 2025, AhnLab Security Intelligence Center (ASEC) discovered a targeted attack campaign dubbed Larva-25003, believed to be operated by Chinese-speaking threat actors. The attackers gained access to poorly secured Microsoft IIS web servers in South Korea and deployed a ...
- CVE-2025-31324 is a critical zero-day vulnerability in the SAP NetWeaver Visual Composer component (CVSS 10.0) that enables unauthenticated remote code execution (RCE). The flaw, caused by missing authorization checks in the Metadata Uploader interface, allows attackers to upl...
- A recent malware campaign targeting Docker showcases a novel form of cryptojacking that abuses legitimate Web3 services for profit while employing heavy layers of obfuscation to evade detection. By leveraging publicly hosted Docker images, the attackers deploy Python scripts t...
- On April 3, 2025, Ivanti disclosed a critical vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure (ICS) VPN appliances version 22.7R2.5 and earlier. The flaw, initially underestimated as a denial-of-service risk, was later found to be a buffer overflow that allows r...
- Cado Security Labs has uncovered a cryptomining campaign exploiting misconfigured Jupyter Notebooks, affecting both Windows and Linux environments. The attackers use Jupyter as an entry point to deploy a cryptominer through a series of evasive techniques. On Windows, the attac...
- Researchers identified an ongoing attack campaign targeting organizations in Japan across sectors like technology, telecommunications, education, entertainment, and e-commerce. Active since at least January 2025, the attacker exploits CVE-2024-4577, a critical PHP-CGI remote c...
- The "360XSS" campaign is a widespread exploitation of a reflected cross-site scripting (XSS) vulnerability in the popular virtual tour framework Krpano, which allows external XML content to be injected via the xml query parameter. The vulnerability, known as CVE-2020-24901, st...
- Microsoft Threat Intelligence identified a threat actor exploiting publicly disclosed ASP.NET machine keys to perform ViewState code injection attacks. This technique enables attackers to inject malicious code into web applications, leading to remote code execution on IIS serv...
- The nullifAI attack exploits Pickle file serialization, an insecure method for storing ML models, to distribute malware-laced PyTorch models on Hugging Face. Instead of using PyTorch’s default ZIP compression, the attackers compressed the models using 7z, preventing automatic ...
- Operation LongFang is a cyber-espionage campaign, attributed to a Chinese threat actor, targeting Latin American government entities. First detected in December 2024, it has been active for at least two years. The campaign's initial access was achieved by exploiting vulnerabil...
- The vulnerability CVE-2024-50603 was disclosed on 2025-01-07, with a detailed blog and proof-of-concept exploit released by researchers soon after. Evidence of exploitation in cloud environments was observed by Wiz Research, targeting publicly exposed, vulnerable machines. At...
- Threat actors recently targeted Fortinet FortiGate firewall devices with exposed management interfaces in a suspected zero-day campaign. Arctic Wolf observed unauthorized admin logins via the jsconsole interface, new account creation, SSL VPN configurations, and other system c...
- In June 2024, Unit 42 researchers identified a phishing campaign targeting approximately 20,000 users in European automotive, chemical, and industrial compound manufacturing sectors, particularly in Germany and the UK. The attackers employed fake forms created with HubSpot's F...
- CVE-2024-53677 is a critical vulnerability in Apache Struts 2 with a CVSS score of 9.5. This flaw in the file upload logic allows path traversal and uploading of malicious files, enabling remote code execution (RCE). Exploitation has been observed in the wild using public proo...
- Operation Digital Eye, a suspected China-nexus cyberespionage campaign, targeted business-to-business IT service providers in Southern Europe from late June to mid-July 2024. The attacks aimed to establish strategic footholds for further compromise of downstream entities. Thre...
- On December 3, 2024, a critical supply chain attack was uncovered targeting versions 1.95.6 and 1.95.7 of the widely-used @solana/web3.js JavaScript library. The attack involved a malicious backdoor injected via a compromised npm publish account. Once deployed, the backdoor ca...
- CVE-2023-46604 is a critical Remote Code Execution (RCE) vulnerability in Apache ActiveMQ. This vulnerability may allow a remote attacker with network access to a broker to run arbitrary commands due to an insecure deserialization in the OpenWire protocol. The vulnerability is ...
- Threat actors have developed an attack leveraging misconfigured JupyterLab and Jupyter Notebook servers to conduct illegal live streaming of sports events. By exploiting unauthenticated access to these environments, attackers deploy the open-source tool ffmpeg to capture and r...
- Palo Alto Networks has confirmed the active exploitation of a critical remote code execution vulnerability (CVE-2024-0012) in the PAN-OS management interface. This vulnerability allows an unauthenticated attacker with network access to the management interface to bypass authen...
- On October 30, 2024, a supply chain attack was initiated against the popular JavaScript library lottie-player, injecting malicious code that populates a Web3 wallet connection prompt on legitimate websites using the library, potentially targeting prominent cryptocurrency platf...
- Attackers are exploiting exposed Docker Remote API servers to deploy a new malware strain named "perfctl." This malware is designed to mine cryptocurrency and can evade detection by disabling security features and establishing persistence on compromised systems. The attackers ...
- CVE-2024-40711 arises from the deserialization of untrusted data in the Veeam Backup & Replication software. This vulnerability can be exploited with low-complexity attacks, making it a threat to organizations relying on Veeam’s platform for backup, disaster recovery, and data...
- In September 2024, threat actors conducted a campaign exploiting exposed AWS access keys to hijack AWS Bedrock services for operating illicit AI-powered roleplay chatbots. The attackers leverage compromised long-lived credentials (AKIA keys) discovered primarily through GitHub...
- Researchers investigated the "perfctl malware," a Linux malware targeting misconfigurations and vulnerabilities on Linux servers. Perfctl employs rootkits, privilege escalation exploits, and cryptomining activities. It also uses tactics such as process masquerading and deletin...
- Datadog Security Research has uncovered a sophisticated cryptojacking campaign targeting microservice technologies, specifically Docker and Kubernetes. The threat actors exploit exposed Docker Engine APIs to gain initial access, deploying cryptocurrency miners on compromised c...
- Cado Security Labs discovered two campaigns exploiting misconfigured Selenium Grid instances to deploy malware, including an exploit kit, cryptominer, and proxyjacker. Selenium Grid is widely used for browser automation and testing, but its default configuration lacks authenti...
- Researchers discovered a new Linux malware named "Hadooken" that specifically targets Oracle WebLogic servers. The malware exploits weak passwords to gain access and then deploys both Tsunami malware and a cryptominer. The attack flow involves using a combination of shell and ...
- Researchers discovered a new attack exploiting CVE-2023-22527. The attack uses an in-memory fileless backdoor, known as the Godzilla webshell. The Godzilla backdoor uses AES encryption for communication and remains in memory, making it difficult to identify. It is recommen...
- The critical vulnerability CVE-2023-22527 is being actively exploited for cryptojacking activities, turning affected Confluence Data Center and Server instances into cryptomining networks. Attackers exploit this vulnerability through methods like deploying shell scripts and XM...
- A newly discovered backdoor, dubbed Backdoor.Msupedge, was used in an attack on a Taiwanese university, leveraging an unusual communication method through DNS traffic to reach its command-and-control (C&C) server. While DNS-based communication is known among threat actors, its...
- Researchers uncovered an extortion campaign that exploited exposed environment variable files (.env) in cloud environments. These files, which contained sensitive credentials, were accessed and leveraged by attackers to ransom data from victim organizations. The attackers used...
- On 2024-08-02, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, while using Jupyter Notebook misconfig abuse, targeting Jupyter Notebook to achieve Denial of service. The following tools were observed: Mineping.
- Wiz Research has detected an ongoing threat campaign dubbed “SeleniumGreed” that exploits exposed Selenium Grid services to deploy cryptominers. Selenium is a popular open-source suite used for testing web applications, allowing users to write tests that simulate user interact...
- Researchers discovered attackers targeting misconfigurations in the Jenkins Script Console to execute malicious Groovy scripts, leading to activities such as deploying cryptocurrency miners. By leveraging vulnerabilities and misconfigurations, such as improperly set authentica...
- Wiz Threat Research discovered a new variant of a cryptojacking campaign targeting misconfigured Kubernetes clusters in cloud environments. The threat actor abuses cluster anonymous access to deploy malicious container images from Docker Hub that contain a DERO miner. The thre...
- On 2024-06-06, a campaign was reported, involving an unknown actor, gaining initial access via End-user compromise, while using LLMjacking, Cloud key compromise, Cloud API e, targeting Amazon Bedrock to achieve Resource hijacking.
- On 2024-06-05, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, while using Vulnerability exploitation, targeting ThinkPHP to achieve Resource hijacking. The following tools were observed: Dama.
- On 2024-05-07, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting Ivanti Connect Secure VPN to achieve Resource hijacking. The following tools were observed: Mirai.
- Researchers observed attackers exploiting critical vulnerabilities in the OpenMetadata platform to infiltrate Kubernetes environments for cryptomining. OpenMetadata, an open-source platform for managing data source metadata, was found to have several vulnerabilities (CVE-2024-...
- On 2024-03-19, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, while using LOLBin abuse, targeting TeamCity to achieve Resource hijacking, RansomOp. The following tools were observed: Jasmin, XMRig, Cobalt Strike, SparkRAT.
- Researchers uncovered a malicious campaign targeting the Meson Network, a decentralized content delivery network (CDN) that leverages blockchain for bandwidth marketplace operations. This campaign aimed to exploit the crypto token unlock event around March 15th, attempting to ...
- Researchers observed threat actors exploiting misconfiguration in servers running Apache Hadoop YARN, Docker, Confluence, or Redis with new Golang-based malware, which uses worm-like behavior to automate host discovery and compromise. After gaining access to misconfigured serv...
- On 2024-02-20, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, while using SSH propagation, targeting Confluence Server to achieve Resource hijacking. The following tools were observed: SSH-Snake.
- On 2024-02-15, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting Confluence Server to achieve Resource hijacking. The following tools were observed: XMRig, Sliver.
- On 2024-02-08, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, while using Vulnerability exploitation, targeting Confluence Server to achieve Resource hijacking. The following tools were observed: C3Pool.
- Datadog observed an attacker leveraging a compromised IAM user access key to gain initial access to an AWS environment, at which point they immediately began spinning up hundreds of ECS Fargate clusters, within which they created ECS task definitions to launch containers based...
- On 2024-01-18, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting Apache ActiveMQ to achieve Resource hijacking. The following tools were observed: Godzilla.
- On 2024-01-18, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, while using Proxyjacking, targeting Docker to achieve Resource hijacking. The following tools were observed: 9hits, XMRig.
- On 2024-01-16, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, Software misconfig, while using Exposed environment config abuse, targeting PHP, Apache HTTP Server, Laravel to achieve Resource hijacking. The following tools were observed: AndroxGh0st.
- FBot is a Python-based hacking toolkit, targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio. FBot's primary purpose is to enable actors to hijack cloud, SaaS, and web services, with a secondary focus on acquiring accounts...
- Researchers identified attacks targeting Microsoft SQL (MSSQL) servers to encrypt the victims' files with Mimic (N3ww4v3) ransomware. The attacks are tracked as RE#TURGENCE and have been observed targeting Europe, the United States, and Latin America. Threat actors targeted pub...
- On 2024-01-10, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, Software misconfig, targeting Apache Flink, Apache Hadoop, Spring Framework, Redis to achieve Resource hijacking.
- Researchers detected a cyber attack campaign that installs the XMRig CoinMiner on Windows web servers operating Apache. The threat actor employed Cobalt Strike to manage the compromised system. Cobalt Strike, a commercial penetration testing tool, has recently become a common ...
- On 2023-11-13, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, while using Abusing exposed Docker socket, targeting Docker to achieve Resource hijacking. The following tools were observed: OracleIV.
- Unit 42 researchers identified a campaign dubbed EleKtra-Leak, which performs automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories.
- Qubitstrike is a cryptojacking campaign targeting exposed Jupyter Notebooks, as they may allow commands to be executed remotely. After obtaining a shell on the remote host, the shell script executes a cryptocurrency miner and establishes persistence using a cron job that inserts a...
- On 2023-10-10, a campaign was reported, involving an unknown actor, gaining initial access via Supply chain vector, while using Package typosquatting, Package Starjacking, with unknown impact.
- On 2023-10-03, a campaign was reported, involving an unknown actor, gaining initial access via Web vulnerability, while using SQL injection, Use DNS for exfiltration, IMDS abuse, SQL commands, targeting Microsoft SQL Server to achieve Data exfiltration.
- The researchers observed a malicious IP address, previously flagged for conducting SSH brute force attempts, communicating with a malicious shell script named hoze. This script downloads xrx.tar, an archive that contains more scripts that uninstall security software and enable...
- On 2023-09-04, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting MinIO with unknown impact.
- On 2023-08-10, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting SugarCRM. The following tools were observed: Pacu, ScoutSuite.
- On 2023-03-30, a campaign was reported, involving an unknown actor, gaining initial access via Unknown, to achieve Data exfiltration. The following tools were observed: AlienFox.
- On 2023-03-23, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, to achieve Resource hijacking.
- On 2023-03-15, a campaign was reported, involving an unknown actor, gaining initial access via Cloud native misconfig, while using Cloud compute cryptojacking, K8s anonymous auth abuse, targeting Kubernetes to achieve Resource hijacking. The following tools were observed: DERO miner.
- On 2023-03-09, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting Aspera Faspex to achieve RansomOp. The following tools were observed: IceFire.
- On 2023-02-03, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, to achieve RansomOp. The following tools were observed: Babuk.
- Permiso identified a credential harvesting campaign targeting cloud infrastructure for the purpose of harvesting credentials. The majority of the victim systems were running public-facing Jupyter Notebooks. At the time of writing there were about 50 compromised systems. The ini...
- Beginning in early September 2022, an unknown threat actor successfully compromised tens of thousands of websites mainly aimed at East Asian audiences, redirecting hundreds of thousands of their users to adult-themed content. In several cases, the threat actor connected to the...
- On 2022-05-11, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting WordPress to achieve Resource hijacking.
- Denonia is a newly discovered type of malware targeting AWS Lambda environments. It was recently exposed by Cado Security, who named it after the domain it communicates with. Once the malware is executed on the victim's host, it launches the XMRig cryptominer. Denonia's delivery an...
- On 2021-10-26, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, 1-day vulnerability, targeting Jenkins, WebLogic to achieve Resource hijacking. The following tools were observed: Tsunami.
- On 2021-02-09, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, while using Escape to host via cgroups release_agent, targeting Docker to achieve Resource hijacking.
- On 2020-08-27, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, targeting Docker to achieve Resource hijacking. The following tools were observed: Cetus.
- On 2020-04-08, a campaign was reported, involving an unknown actor, gaining initial access via , targeting Kubernetes to achieve Resource hijacking.
- On 2019-10-16, a campaign was reported, involving an unknown actor, gaining initial access via Software misconfig, targeting Docker to achieve Resource hijacking. The following tools were observed: Graboid.
- On 2018-09-12, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, targeting Redis, Apache CouchDB, Docker, Jenkins, Drupal, MODX to achieve Resource hijacking. The following tools were observed: ngrok.
- On 2013-05-07, a campaign was reported, involving an unknown actor, gaining initial access via Unknown, targeting Apache HTTP Server, NGINX, Lighttpd to achieve Resource hijacking. The following tools were observed: Cdorked.
| CVE ID |
|---|
| CVE-2025-4428 |
| CVE-2024-36401 |
| CVE-2025-3248 |
| CVE-2025-31324 |
| CVE-2024-40711 |
| CVE-2024-40766 |
| CVE-2025-22457 |
| CVE-2025-20337 |
| CVE-2025-53770 |
| CVE-2024-50603 |
| CVE-2024-4577 |
| CVE-2023-46604 |
| CVE-2023-22527 |
| CVE-2025-53771 |
| CVE-2024-53677 |
| CVE-2024-238976 |
| CVE-2025-5777 |
| CVE-2020-24901 |
| CVE-2025-4427 |
| CVE-2024-0012 |