Clickfix
Anatomy of the Interlock Campaign: How a ClickFix Gang Learned to Burn Firewall Zero-Days
For a year, the surest way to get hit by Interlock was to paste a command into your own Run dialog. On January 26, 2026, the group stopped waiting for users to make mistakes and started exploiting a pre-auth, root-level Cisco firewall zero-day instead. The same crew now runs both ends of the sophistication ladder — and that should change how you model initial access.
GREYVIBE: Russia's AI-Assisted APT Is Vibe-Coding Its Way Through Ukraine
WithSecure attributes a year-long espionage campaign against Ukraine to GREYVIBE, a Russia-nexus group that runs generative AI through nearly every phase of its operation — lure art, obfuscators, full-stack RAT development, and post-compromise commands.
Ghost CMS CVE-2026-26980: Unauthenticated SQL Injection Powers a 700-Site ClickFix Campaign
CVE-2026-26980 is a CVSS 9.4 unauthenticated SQL injection in Ghost's Content API. A patch shipped in February; attackers have since industrialized it into an automated campaign that has hijacked 700+ sites — including Harvard, Oxford, and DuckDuckGo — to serve ClickFix malware.