PROVINTELL Cyber Security

We Transform Intelligence Into Response

AI SOC | Next-Gen AI Cyber Defense | Attack Surface Management | Cyber Threat Intelligence | Brand Protection | Continuous Threat Exposure Management (CTEM) | Digital Risk Protection

02/04/2026

On 4 April 2026, we will be introducing our CodeRed-AI CoPilot (Ask SIMON), which is integrated into our upgraded 3.0 platform, providing our SOC analysts and customers with AI-native threat hunting capabilities against both external and internal threats.

We named our AI agent "Ask SIMON", in our tribute and memory of The Late Simon Teh Seng Meng, who departed on 4 April 2022. He was our first SOC Manager, and best to be remembered as a good friend and dedicated colleague.

May his legacy and dedication to the cybersecurity industry live on.

30/03/2026

A targeted cyberattack on a South Asian financial institution used two custom malware tools, BRUSHWORM and BRUSHLOGGER, to maintain access, steal sensitive data, and monitor user activity. BRUSHWORM acted as the main backdoor by posing as a legitimate program, creating scheduled tasks for persistence, contacting a remote server to download payloads and exfiltrate documents, and spreading through USB drives with deceptive corporate-style filenames. BRUSHLOGGER operated separately by impersonating a trusted system library and silently capturing keystrokes and active window titles, allowing attackers to steal credentials, financial data, and internal communications. Although the malware was not highly sophisticated and showed weak coding practices, it still caused significant damage because of social engineering, USB propagation, and limited endpoint visibility in the victim environment.

https://provintell.com/2026/03/30/malware-targets-financial-institutions-with-brushworm-and-brushlogger/

Contributed by: Fatini

A targeted cyberattack against a South Asian financial institution leveraged two custom malware tools to establish persistence, steal sensitive data, and capture user activity. Researchers said the operation relied on a modular backdoor, BRUSHWORM, and a keylogger, BRUSHLOGGER, delivered as separate...

21/03/2026

Happy Hari Raya Aidilfitri 2026! May this Syawal bring joy, peace and renewed spirit to all. With greetings of forgiveness, Maaf Zahir dan Batin, we ask pardon for any wrongs and mistakes.

Wishing you a blessed Hari Raya Aidilfitri 2026. May this festive season bring renewed joy, prosperity, and meaningful connections.

05/03/2026

CyberStrikeAI is an AI-powered offensive security platform that has begun to be abused in real-world cyberattacks. Developed as an open-source red-team tool by a China-based coder known as Ed1s0nZ, it combines over 100 security tools with generative AI services such as Claude and DeepSeek to automate reconnaissance, vulnerability discovery, and attack-chain analysis. Its automated workflows and easy-to-use interface significantly lower the technical barrier for attackers, enabling large-scale campaigns such as the compromise of more than 600 Fortinet FortiGate devices across 55 countries. This highlights how AI is increasingly being integrated into offensive cyber operations, allowing attackers to scale and execute intrusions more efficiently.

https://provintell.com/2026/03/05/fortinet-infrastructure-targeted-in-campaign-using-open-source-ai-offensive-framework/

Contributed by: Thivya

CyberStrikeAI marks a new era in cyber threats, where an open-source AI-native platform designed for offensive security testing has been weaponized in real-world attacks. Developed by a China-based coder known as Ed1s0nZ, this Go-built tool integrates over 100 security tools, an intelligent orchestr...

23/02/2026

Amazon Threat Intelligence uncovered a Russian-speaking, financially motivated actor that compromised over 600 FortiGate firewalls in 55+ countries by targeting exposed management interfaces and using large-scale credential stuffing instead of zero-days. After gaining access, the attacker exfiltrated configuration files containing admin and VPN credentials, then moved laterally to domain controllers and backup systems such as Veeam, using techniques including DCSync, pass-the-hash, and NTLM relay in behavior consistent with ransomware staging. The campaign notably leveraged commercial generative AI to create reconnaissance tools and structured attack plans, enabling a scalable, assembly-line intrusion model despite the actor’s relatively low skill level; however, poor operational security and visible AI-generated artifacts exposed weaknesses in their tradecraft.

Contributed by: Aiman

Amazon Threat Intelligence has uncovered a Russian-speaking, financially motivated threat actor that leveraged commercial generative AI services to compromise more than 600 FortiGate firewalls across 55+ countries between January 11 and February 18, 2026. Rather than exploiting zero-day vulnerabilit...

20/02/2026

In the year of the Fire Horse, may your endeavors gallop forward with unstoppable energy, turning visions into victories, challenges into breakthroughs, and fresh ideas into innovation.

Wishing you a year full of speed, strength and exciting leaps forward.

11/02/2026

TeamPCP (also known as PCPcat or ShellForce) is a cybercrime group that launched a worm-like campaign in late 2025 targeting misconfigured cloud-native environments such as exposed Docker APIs, Kubernetes clusters, Redis servers, Ray dashboards, and React/Next.js apps vulnerable to React2Shell (CVE-2025-29927). Rather than relying on zero-day exploits, the group builds a self-propagating cloud botnet by abusing unauthenticated management interfaces to deploy malicious containers with persistence. Using tools such as FRPS, XMRig, and Sliver, compromised workloads become scanners, crypto miners, proxies, and data exfiltration nodes. By automating the exploitation of common cloud misconfigurations instead of zero-days, TeamPCP achieves cluster-wide control, primarily impacting Azure and AWS environments.


https://provintell.com/2026/02/11/automated-cloud-service-abuse-enables-teampcps-large-scale-ransomware-campaign/

Contributed by: Thivya

TeamPCP, also known as PCPcat or ShellForce, is a cybercrime group that launched a massive worm-like campaign in late 2025, specifically targeting cloud-native environments like exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and React/Next.js apps vulnerable to React2Shell....

11/02/2026

Fortinet has disclosed a CVSS 9.8 SQL Injection vulnerability in FortiClient EMS (v7.4.4) that allows unauthenticated attackers to execute unauthorized commands via crafted HTTP requests. What makes this especially concerning is that it affects security management infrastructure itself, potentially enabling attackers to pivot deeper into enterprise environments.


https://provintell.com/2026/02/11/critical-sql-injection-flaw-exposes-forticlient-ems-to-remote-code-execution/

Contributed by: Thivya

Fortinet recently published a PSIRT advisory (FG-IR-25-1142) highlighting a critical security flaw in FortiClient EMS, the enterprise management server for Fortinet’s endpoint products. This issue has been catalogued as CVE-2026-21643 and it stems from an SQL Injection vulnerability in version 7.4...

10/02/2026

A sophisticated supply chain attack targeted dYdX by compromising a legitimate maintainer’s credentials and injecting malicious code directly into official npm and PyPI packages. The tainted JavaScript and Python libraries silently stole crypto wallet data and enabled remote code execution, exfiltrating information to attacker-controlled servers without raising the usual red flags. By attacking both ecosystems simultaneously, the campaign affected developers building bots and tools at scale, exploiting the trust placed in verified packages and escalating beyond earlier dYdX security incidents.

https://provintell.com/2026/02/10/malicious-dydx-libraries-used-to-steal-crypto-wallets-via-npm-and-pypi/

Contributed by: Thivya

A sophisticated supply chain attack targeting dYdX, a popular decentralized finance (DeFi) protocol, through malicious packages published on both npm and PyPI package registries. These packages masquerade as legitimate client libraries but harbor code designed to steal cryptocurrency wallet credenti...

06/02/2026

CVE-2026-25049 is a critical remote code execution vulnerability in n8n that allows attackers to bypass its JavaScript sandbox by abusing destructuring syntax and arrow functions. This technique slips past regex filtering, AST sanitization, and runtime checks that were designed around traditional property access patterns. As a result, attackers can recover the Function constructor and execute arbitrary code within the n8n runtime. When paired with unauthenticated webhooks, the vulnerability can be triggered remotely over simple HTTP requests, enabling credential theft, data exfiltration, backdoor installation, and lateral movement across connected systems.

https://provintell.com/2026/02/06/n8n-sandbox-breach-exposes-enterprise-ai-systems-to-complete-takeover/

Contributed by: Thivya

CVE-2026-25049 represents a critical remote code execution (RCE) vulnerability in n8n, a popular open-source workflow automation platform used for integrating services like APIs, databases and apps. What sets this apart from typical sandbox escapes is its exploitation of JavaScript’s destructuring...

29/01/2026

Critical sandbox escape vulnerabilities in the n8n workflow automation platform allow attackers to achieve full remote code execution on the host system. Tracked as CVE-2026-1470 and CVE-2026-0863, the flaws exploit weaknesses in how n8n sanitizes JavaScript and Python execution within its Code nodes, enabling crafted expressions to break out of the intended sandbox. Rather than attacking the platform’s infrastructure directly, adversaries abuse the trust placed in “safe” automation logic, turning flexibility into a compromise vector and underscoring how sandbox design flaws can silently collapse security boundaries in workflow engines.

The n8n workflow automation platform, widely used to link applications, APIs and custom logic in automated business processes, was recently found vulnerable to serious security flaws that allow attackers to run arbitrary code on the system hosting the service. These issues tracked as CVE-2026-1470 a...

Address

A-6-07, Oasis Ara Damansara, No. 2, Jalan PJU 1A/7A
Petaling Jaya
47301
