EDR Killers Are Getting Smarter: 54 Tools Now Using Signed Drivers to Bypass Security

I’ve been tracking some concerning developments in the security space this week, and there’s one story that really caught my attention. We’re seeing a significant evolution in how attackers are dismantling our defenses, particularly when it comes to endpoint detection and response systems.

The BYOVD Problem Just Got Worse

A new analysis shows that 54 different EDR killer tools are now using the “bring your own vulnerable driver” (BYOVD) technique, exploiting a total of 34 signed but vulnerable drivers to disable security software. If you’re not familiar with BYOVD, it’s essentially attackers bringing legitimate, digitally signed drivers that happen to have security flaws, then exploiting those flaws to gain kernel-level access.

PolyShell Hits Magento Hard While Ransomware Groups Air Their Dirty Laundry

We’re seeing some interesting patterns this week that really highlight how the threat landscape keeps us on our toes. The biggest story is definitely the PolyShell vulnerability hitting Magento stores, but there’s also some fascinating drama unfolding in ransomware circles that gives us rare insight into how these operations actually work.

Every Magento Store is Now a Target

The PolyShell vulnerability affecting all Magento Open Source and Adobe Commerce version 2 installations is the kind of bug that makes every e-commerce security team’s stomach drop. We’re talking unauthenticated remote code execution – attackers don’t need credentials, they don’t need to social engineer anyone, they just need to find your Magento store and exploit it.

Major IoT Botnet Takedown Exposes the Scale of Our DDoS Problem

We just witnessed one of the largest coordinated botnet takedowns in recent memory, and honestly, the numbers should make every security professional take notice. The U.S. Justice Department, working with Canadian and German authorities, just dismantled four massive botnets that had compromised over three million IoT devices worldwide.

These weren’t your garden-variety botnets either. The four networks – dubbed Aisuru, Kimwolf, JackSkid, and Mossad – were behind some of the record-breaking DDoS attacks we’ve been tracking lately. When the feds say these botnets could knock “nearly any target offline,” that’s not hyperbole. We’re talking about the kind of firepower that can overwhelm even well-protected infrastructure.

The Marquis Attack Shows Why Third-Party Risk Just Got Real

You know that conversation we’ve been having for years about third-party risk? Well, it just got a lot less theoretical. The Marquis ransomware attack that hit back in August 2025 is finally getting the attention it deserves – and the numbers are staggering.

We’re talking about 672,000 people’s data stolen and operations disrupted at 74 banks across the United States. Let that sink in for a moment. One financial services provider gets compromised, and suddenly three-quarters of a hundred banks are dealing with operational issues. This isn’t just a breach; it’s a perfect case study in how interconnected our financial infrastructure really is.

When Zero-Days Come Knocking: Cisco’s Bad Week and the iOS Surveillance Arms Race

Last week felt like one of those reminders that attackers never take a break. While we were all trying to get through another Tuesday, the Interlock ransomware gang was busy exploiting a maximum severity RCE vulnerability in Cisco’s Secure Firewall Management Center software – and they’ve been at it since late January.

What makes this particularly frustrating is that this was a zero-day attack. The Interlock ransomware gang had months to work with this vulnerability before Cisco even knew it existed. For those of us managing Cisco environments, this hits close to home. FMC is supposed to be the central management platform for our firewall infrastructure – the thing that’s supposed to help us maintain security posture, not become the entry point for ransomware operations.

The Perfect Storm: When Zero-Days Meet AI and Critical Infrastructure

Well, this has been quite the week for security professionals. While we were all settling into our Tuesday routines, threat actors were apparently having a field day with some pretty serious vulnerabilities. Let me walk you through what caught my attention – and why you should care about each of these developments.

The Cisco FMC Nightmare That’s Already Being Exploited

First up, and probably the most urgent item on today’s agenda: Interlock ransomware is actively exploiting a critical Cisco Secure Firewall Management Center vulnerability. CVE-2026-20131 scored a perfect 10.0 on the CVSS scale – and for good reason.

When Honeypots Catch More Than Expected: A Week of Crypto Thieves and State Actors

I’ve been digging through this week’s security reports, and there’s a fascinating mix of stories that paint a pretty clear picture of where threat actors are focusing their attention right now. From mysterious honeypot messages to a billion-dollar AI security startup, let’s break down what’s actually happening out there.

The Curious Case of the Iranian Bot Message

Sometimes honeypots catch things that make you scratch your head. SANS reported on an interesting discovery in Cowrie logs where multiple sensors detected the same echo command on February 19th: “MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_w”.

AI Security’s Growing Pains: Why Traditional Defenses Are Falling Short

As someone who’s been watching the security space evolve over the past few years, I’ve noticed something troubling: we’re rushing headfirst into AI adoption while our security practices lag dangerously behind. This week’s news really drives that point home.

The Skills Gap is Real (And Getting Worse)

Let’s start with the elephant in the room. A new report from Pentera surveyed 300 US CISOs and found that most of us are trying to secure AI systems with tools and skills that simply aren’t up to the task. I can’t say I’m surprised, but it’s concerning to see the numbers confirm what many of us suspected.

Even Cybersecurity Firms Aren’t Safe: Lessons from This Week’s Attack Trends

I’ve been digging through this week’s security incidents, and there’s a pattern emerging that should make all of us pause and reassess our defenses. The most telling story? Hackers successfully targeted Outpost24, a cybersecurity firm, with a sophisticated seven-stage phishing campaign aimed at their C-suite executive.

Let me walk you through what happened and why it matters for all of us defending our organizations.

Supply Chain Attacks Are Getting Smarter While Ransomware Groups Adapt to Shrinking Profits

This week brought some sobering reminders about how creative attackers are getting with their methods. Between a sophisticated supply chain campaign hitting developer tools and ransomware groups pivoting their tactics due to declining profits, it’s clear that threat actors are adapting faster than many of us would like.

GlassWorm Returns with a Vengeance

The GlassWorm supply-chain campaign is back, and this time they’ve cast a much wider net. We’re talking about a coordinated attack that hit over 400 packages and repositories across GitHub, npm, and even VSCode/OpenVSX extensions.