
Threat actors ecosystem shift changes threat-actor operations

Threat Actor Meta
Happening score: 21
1 unique source, 1 article

Summary


Compromised cPanel access is being commoditized in fraudulent chat groups, creating a scalable supply of trusted hosting infrastructure for phishing, spam, and malware. A seven-day sample found over 200,000 posts about cPanel access, showing a mature resale ecosystem rather than isolated abuse. The market matters because a single account can enable persistence and broader hosting compromise across multiple domains.

Related Happenings

Storm-2561 SEO-poisoning VPN credential-theft campaign

Campaign
First: 13.03.2026 15:38 Last: 13.03.2026 15:38 Sources 1

About this happening: The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Hecker-Sakuya-LiveGamer101 alliance reshapes ransomware ecosystem operations

Threat Actor Meta
First: 28.01.2026 15:15 Last: 28.01.2026 15:15 Sources 1

About this happening: **SilverInc** is operating a commercial **access-resale ecosystem** for exposed or weakly authenticated **LLM endpoints**, turning unauthorized access into a monetized supply chai...

Bizarre Bazaar campaign targeting exposed LLM and MCP endpoints

Campaign
First: 28.01.2026 15:15 Last: 28.01.2026 15:15 Sources 1

About this happening: **Bizarre Bazaar** is an active **LLMjacking** campaign targeting **exposed LLM and MCP endpoints** to monetize unauthorized access to AI infrastructure. Researchers say the opera...

Latest development: 29.01.2026 20:37

Researchers said Operation Bizarre Bazaar, an LLMjacking marketplace that scans for exposed Ollama, vLLM, and OpenAI-compatible APIs without authentication and resells access through silver[.]inc, has been traced to Hecker (aka Sakuya and LiveGamer101).

Major web skimming campaign targeting payment networks

Campaign
First: 13.01.2026 19:30 Last: 13.01.2026 19:30 Sources 1

About this happening: A **long-running Magecart web-skimming campaign** has been active since **2022** and targets checkout flows tied to **American Express, Diners Club, Discover, JCB, Mastercard, and...

Timeline

  1. 03.03.2026 17:01 2 articles · 2mo ago

    Flare discloses commoditized cPanel access market

    Initial Disclosure

    Flare security researchers describe a structured underground market in which threat actors openly advertise compromised cPanel credentials in fraudulent chat groups as plug-and-play infrastructure for phishing and scam campaigns, with a seven-day sample showing more than 200,000 posts and heavy duplication that suggests bulk resale and repeated amplification.
