Find notable cyber news and cases, enriched with sources, timelines, and signals.

Threat actors ecosystem shift changes threat-actor operations

Threat Actor Meta
First reported
Last updated
Happening score
H score 26
1 unique sources, 1 articles

Summary

Hide ▲

Compromised cPanel access is being commoditized in fraudulent chat groups, creating a scalable supply of trusted hosting infrastructure for phishing, spam, and malware. A seven-day sample found over 200,000 posts about cPanel access, showing a mature resale ecosystem rather than isolated abuse. The market matters because a single account can enable persistence and broader hosting compromise across multiple domains.

Related Happenings

Underground credential ecosystem shift changes threat-actor operations

Threat Actor Meta
H score69 First: 22.06.2026 17:05 Last: 22.06.2026 17:05 Sources 1

About this happening: A **search-your-target** underground service layer is turning **stolen infostealer logs** into on-demand credentials, raising **account takeover** and **corporate intrusion** risk...

Storm-2561 SEO-poisoning VPN credential-theft campaign

Campaign
H score37 First: 13.03.2026 15:38 Last: 13.03.2026 15:38 Sources 1

About this happening: The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
H score82 First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Hecker-Sakuya-LiveGamer101 alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score86 First: 28.01.2026 15:15 Last: 28.01.2026 15:15 Sources 1

About this happening: **SilverInc** is operating a commercial **access-resale ecosystem** for exposed or weakly authenticated **LLM endpoints**, turning unauthorized access into a monetized supply chai...

Bizarre Bazaar campaign targeting exposed LLM and MCP endpoints

Campaign
H score80 First: 28.01.2026 15:15 Last: 28.01.2026 15:15 Sources 1

About this happening: **Bizarre Bazaar** is an active **LLMjacking** campaign targeting **exposed LLM and MCP endpoints** to monetize unauthorized access to AI infrastructure. Researchers say the opera...

Latest development: 29.01.2026 20:37

Researchers said Operation Bizarre Bazaar, an LLMjacking marketplace that scans for exposed Ollama, vLLM, and OpenAI-compatible APIs without authentication and resells access through silver[.]inc, has been traced to Hecker (aka Sakuya and LiveGamer101).

Timeline

  1. 03.03.2026 17:01 2 articles · 4mo ago

    Flare discloses commoditized cPanel access market

    Initial Disclosure

    Flare security researchers describe a structured underground market in which threat actors openly advertise compromised cPanel credentials in fraudulent chat groups as plug-and-play infrastructure for phishing and scam campaigns, with a seven-day sample showing more than 200,000 posts and heavy duplication that suggests bulk resale and repeated amplification.

    Show sources