Midnight Blizzard: A Complete Profile of Russia's SVR Espionage Apparatus
APT29 — Cozy Bear, Midnight Blizzard — is Russia's SVR-aligned intelligence collection machine, responsible for SolarWinds, the 2024 Microsoft corporate email compromise, and ongoing targeting of European governments, diplomatic missions, and defence industrial base organisations. This deep dive covers their full operational history, tradecraft, tooling, and what defenders need to be doing now.
Flash Briefings
CVE-2026-41089: Critical Windows Netlogon RCE Now Actively Exploited — Every Unpatched Domain Controller at Risk
Active exploitation of CVE-2026-41089, a pre-authentication zero-click RCE in Windows Netlogon, was confirmed by Belgium's Centre for Cybersecurity on 29 May. Successful exploitation gives an attacker SYSTEM-level control of the domain controller and full ownership of the Active Directory domain.
TA4922 Extends High-Tempo Campaign Operations to UK and Europe With Atlas RAT and Credential Stealer
Proofpoint has published intelligence on TA4922's geographic expansion into the UK, Germany, Italy, and South Africa — deploying two new malware families via tax-themed and HR-themed phishing. The group holds the highest campaign pace of any Proofpoint-tracked threat actor.
Screening Serpens Expands Arsenal With Six New RAT Variants in Aerospace, Defence, and Telecom Espionage Campaign
Palo Alto Networks Unit 42 has published new research detailing how Iran-nexus APT Screening Serpens deployed six previously undocumented RAT variants against US, Israeli, and UAE targets in aerospace, defence manufacturing, and telecommunications between February and April 2026.
Android Zero-Day Exploitation Confirmed: June 2026 Bulletin Signals Commercial Spyware Activity
Google's June 2026 Android Security Bulletin confirms active exploitation of CVE-2025-48595, a local privilege escalation requiring no user interaction. CISA's simultaneous KEV addition with a three-day federal deadline points to targeted commercial surveillance tool deployment against high-value individuals.
Deep Analysis
APT28: Russia's GRU Hacking Unit and the Twenty-Year Campaign Against Western Democracy
APT28 — Fancy Bear, Forest Blizzard, GRU Unit 26165 — is Russia's Military Intelligence cyber arm and the most prolific nation-state attacker targeting Western governments, militaries, and democratic institutions. This deep dive covers their operational history, tradecraft, tooling, and current targeting priorities.
Cl0p: The Group That Turned File Transfer Vulnerabilities Into a Mass Exploitation Business
Cl0p is a financially motivated cybercriminal group that has systematically identified and mass-exploited zero-day vulnerabilities in enterprise file transfer software, compromising thousands of organisations globally. Their MOVEit campaign in 2023 was the largest data theft operation in the history of ransomware. This deep dive covers their operational model, technical approach, and what comes next.
LockBit: The Ransomware Operation That Survived Its Own Takedown
LockBit is the world's most prolific ransomware-as-a-service operation, responsible for more confirmed attacks than any other RaaS group. Despite Operation Cronos seizing its infrastructure and unmasking its administrator in 2024, the affiliate network remains active. This deep dive covers LockBit's operational model, technical capabilities, and what the post-Cronos resurgence means for defenders.
Commentary
The AI Patch Wave Is Already Here -- and Defenders Are Already Behind
The NCSC warned in May that AI-accelerated vulnerability discovery would create a forced correction of technical debt. One month later, Anthropic's Project Glasswing has already found over 10,000 critical vulnerabilities in open source. The bottleneck is no longer finding bugs. It's fixing them.
A joint advisory from CISA, NCSC, and ten allied nations describes how China-linked threat actors have abandoned dedicated attack infrastructure in favour of networks of compromised home routers and IoT devices. The implication for defenders is worse than it sounds.
The Data That Nation-States Actually Want Is Sitting in Your Document Management System
Law firms and professional services firms are among the most intelligence-rich targets in the UK economy. Understanding why clarifies the threat -- and why perimeter security alone is the wrong response.