The coverage of Anthropic’s Mythos Red Team report has followed a predictable arc: a sensational headline, reactions ranging from alarm to dismissal, and little engagement with what the research actually demonstrates. That is worth correcting, because what Mythos reveals is not primarily a story about AI finding vulnerabilities. It is a story about why trusting software is no longer a viable strategy, and what the architectural response should be.
Bitdefender has analyzed the movements of dozens of ransomware groups executing campaigns against organizations based in the United States. As a result of this analysis, we can draw insights into patterns that emerged in early 2026. The analysis that follows expounds on key trends and developments. We also share predictions that underscore how ransomware operations and attack patterns may take shape during spring 2026.
Security solutions have become so complex that many small and lean security teams aren’t looking for another dashboard or additional source of alerts—even when they’re at RSA. Instead, they’re exploring ways to simplify security operations without reducing effectiveness.
The ransomware threat actor Coinbase Cartel first emerged in September 2025 and claimed 14 victims that month. The group focuses on data exfiltration, which aligns with a trend Bitdefender is tracking in the ongoing evolution of ransomware.
The promise of autonomous AI agents is rapidly turning into a security beachhead for initial access. Our labs have detected a series of malicious campaigns targeting OpenClaw (formerly known as Moltbot and Clawdbot), an open-source AI agent framework. The attacks are distributed through ClawHub, the public registry for OpenClaw skills.
One of the biggest challenges in threat intelligence is separating the hype from the hazard. We focus too much on complex, scary threats and too little on the dangerous ones - the simple, scalable techniques that work day in and day out.
TL;DR Ransomware groups are expected to rapidly weaponize this critical (CVSS 10.0) React vulnerability to establish initial access. The vulnerability allows unauthenticated remote code execution, and its potential impact is comparable to Log4j.
TL;DR - The "Korean Leaks" campaign showcases a sophisticated supply chain attack against South Korea's financial sector. This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet) leveraging Managed Service Provider (MSP) compromise as the initial access vector.
New research reveals that a growing number of organizations are experiencing cyberattacks that leverage artificial intelligence. The 2025 Bitdefender Cybersecurity Assessment found that more than six-in-ten (63%) IT & cybersecurity professionals say their organization has experienced an attack involving AI within the last 12 months.
TL;DR Our telemetry indicates an active exploitation campaign targeting vulnerable Windows Server Update Services (WSUS) systems via CVE-2025-59287 (CVSS 9.8 – Critical).
Remember when the Internet of Things (IoT) was primarily about devices like smart speakers, thermostats, and connected lightbulbs? Today, IoT extends far beyond our homes — into our factories, hospitals, energy grids, and even the defense sector. Securing these devices is now a matter of national security.
I'd like to thank my coauthors, Victor Vrabie, Adrian Schipor, and Martin Zugec, for their invaluable contributions to this research.
TL;DR A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads. The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.