Long weekends are good for people. They're also useful for attackers. That's not fearmongering. It's an operational reality. Threat actors understand how businesses work. They know when staffing is lighter, when response times may be slower, and when IT and security teams are more likely to be…
On April 27, 2026, a ransomware written in Golang was submitted to VirusTotal that appended the '.sorry' string to the encrypted filenames. Upon initial review, this was not the same as the 2018 Sorry ransomware, which was built using the open-source HiddenTear encryptor. This was novel, and that…
Cybercrime no longer stays neatly contained behind a screen. In Episode 369 of The 443 Podcast, Marc Laliberte and Corey Nachreiner unpack three recent threat stories that show how digital compromise can ripple outward into software supply chains, ransomware recovery, and even stolen freight…
WatchGuard telemetry identified two different phishing campaigns targeting Greek, Spanish, Slovenian, Bosnian and Latin and Central American companies, that use different techniques to delivery FormBook malware. FormBook is a data-stealing malware that targets Windows systems, primarily distributed…
In Episode 363 of The 443 Podcast, Corey Nachreiner speaks with Kristen Yang, Cybersecurity Analyst & Investigations Lead, about the threats security teams should be paying closest attention to right now. The conversation reinforces an uncomfortable truth for defenders: many successful attacks still…
The Green Blood Group was both the group name and the encryptor name of this operation. The group, or threat actor, operated for about a month, between January 2026 and February 2026. Although it's likely operations began shortly before that, possibly towards the end of 2025. During that time, at…
WatchGuard telemetry identified some malicious files being downloaded by victims, and almost all of them originated in Venezuela, indicating a possible malicious campaign targeting companies in this country. The malicious files are distributed via phishing emails that have a SVG file with a filename…
The cybersecurity landscape is shifting quickly. In Episode 361 of The443 Podcast, Marc Laliberte and Corey Nachreiner discuss three emerging issues shaping modern security: A critical authentication bypass in a popular JSON Web Token (JWT) library An autonomous AI bot exploiting GitHub repositories…
Introduction At the turn of the year, we were alerted to a doppelganger domain impersonating WatchGuard’s Mobile VPN with SSL, delivering a malicious spoofed client to steal credentials. Navigating directly to the doppelganger domain resulted in a benign informational WatchGuard VPN page. However…
A new ransomware operation known as Kyber has emerged. Their first and current only posted victim is L3Harris, a major defense contractor in the United States. The operators have provided a timer that ends around 6 PM EST on Sunday, October 19. The group claims to have stolen over 300 GB of data…