See the no-go signals before they become incidents.
AhnLab SEcurity intelligence Center (ASEC) reports persistent targeting of Windows-based IIS and Apache Tomcat servers in Q1 2026. Attackers, notably the Larva-26001 threat actor, utilize web shell command execution, privilege escalation exploits like JuicyPotato, and port-forwarding tools to seize control of infected systems through RDP-mediated access and internal network lateral movement. Read more
The Larva-26002 threat actor is aggressively targeting mismanaged MS-SQL and MySQL servers on Windows. According to ASEC's Q1 2026 report, the group has evolved its toolkit to include ICE Cloud, a Go-based scanner. Attacks involve brute-force credential stuffing and exploiting the BCP utility to deploy malware for subsequent ransomware or reconnaissance operations. Read more
March 2026 saw a surge in complex cyberattacks targeting financial institutions, characterized by Lazarus Group watering hole exploits, large-scale dark web data leaks, and targeted phishing. Vulnerabilities in AnySign4PC were used for remote code execution, while ransomware groups like Apt73 and WorldLeaks intensified double extortion tactics, significantly raising the risk profile for global and South Korean banking infrastructure. Read more
The April 2026 dark web landscape was dominated by the leak of critical aerospace, defense, and military intelligence, including Boeing Artemis and Virginia-class submarine data. Notable activity from threat groups like ShinyHunters and the resurgence of BreachForums highlighted high-risk exposure across technology, financial, and government sectors, alongside the increasing commoditization of Phishing-as-a-Service and advanced malware builders. Read more
The April 2026 Ransomware Threat Trend Report from AhnLab reveals a significant shift in ransomware operations, with groups increasingly focusing on critical infrastructure sectors. The report details heighted activity in the manufacturing, healthcare, and finance industries globally, alongside the emergence of new threat groups and sustained campaigns by established actors like Qilin and INC Ransom. Read more
KISA and KrCERT/CC have identified a high-severity arbitrary file download vulnerability in Tagfree X-Free Uploader. Designated as CVE-2025-29865, the flaw stems from insufficient validation of server communication parameters. If exploited, attackers could leak sensitive information or download arbitrary files. Users are urged to update to XFU versions 1.0.1.0085 or 2.0.1.0035. Read more
A high-severity vulnerability (CVE-2025-29866) has been identified in Tagfree's X-Free Uploader, allowing unauthorized attackers to delete arbitrary files. With a CVSS score of 8.8, this improper privilege validation flaw enables data tampering and system disruption. South Korea's KISA recommends immediate patching to versions 1.0.1.0085 or 2.0.1.0035 to mitigate operational risks. Read more
A vulnerability in ESTsoft ALZip versions 12.01 through 12.29 fails to propagate 'Mark of the Web' (MoTW) Zone.Identifier streams when extracting files. This flaw, tracked as CVE-2025-29864, allows malicious content to bypass Windows security warnings, potentially leading to unauthorized code execution if users are tricked into opening unflagged malicious files. Read more
South Korea's KISA and KrCERT/CC have disclosed a high-severity type confusion vulnerability (CVE-2025-29867) in Hancom Office. The flaw resides in the DOC file processing logic, potentially allowing remote attackers to execute arbitrary code. Users of Hancom Office versions 2018 through 2024 must apply security updates to mitigate risks of system compromise through malicious documents. Read more
A high-severity buffer overflow vulnerability (CVE-2026-24497) has been identified in SimTech Systems' ThinkWise mind-mapping software. Affecting versions 7 through 22, the flaw allows remote attackers to execute arbitrary code. Users are urged to upgrade to ThinkWise 23 immediately to mitigate the risk of complete system compromise via malicious file formats. Read more