---
source: newsletter
source_url: https://gbhackers.com/sandworm-shift-from-it-breaches/
title: "Sandworm Hackers Shift From IT Breaches to Critical OT Targets"
sha256: bd009ce17c812b0f685d2014044ac2e8d98718ad062f86f0be2ae3dee59d9840
date: 2026-05-16
review_value: 7
review_confidence: 8
review_recommendation: neutral
ingested: 2026-05-16
---

Published Time: 2026-05-14T13:06:15+00:00

# Sandworm Hackers Shift From IT Breaches to Critical OT Targets

By [Mayura Kathir](https://gbhackers.com/author/mayura/), May 14, 2026

A new wave of cyber activity linked to the notorious Sandworm group is raising fresh alarms across global critical infrastructure.

Security researchers warn that the [Russian state-backed threat actor](https://gbhackers.com/it-guy-jailed-ddos/) is no longer just infiltrating IT networks; it is actively pivoting into operational technology (OT) environments, where real-world disruption becomes possible.

The findings are based on telemetry collected from 10 industrial organizations across seven countries between July 2025 and January 2026. Researchers identified 29 confirmed Sandworm-related incidents within a dataset of over 5.5 million alerts.

[According to a recent analysis](https://www.nozominetworks.com/blog/sandworm-activity-in-industrial-environments-what-the-data-reveals) by Nozomi Networks, Sandworm (also tracked as APT44, Seashell Blizzard, and Voodoo Bear) is intensifying its focus on industrial control systems (ICS), leveraging already compromised environments to move deeper into critical operations.

While initial access often occurred in IT environments, attackers consistently expanded toward OT systems, including engineering workstations, HMIs, and field controllers such as PLCs and RTUs.

LOTL (Living off the Land) depends on human operators using legitimate tools and access, rather than automated malware.

![Sandworm alerts by day of the week (Source: Nozomi Networks).](https://cdn.prod.website-files.com/645a45d56fc4750d4edd96fe/69e673e96c0c76098eade548_1.png)

This shift is significant. Unlike traditional cybercriminals, Sandworm is known for causing physical disruption. Its past operations include the Ukraine power grid attacks and the destructive NotPetya campaign.

## **Sandworm Hackers Shift From IT Breaches**

The analysis reveals several distinct operational traits:

* Activity aligns with Moscow working hours, peaking midweek, suggesting structured and state-directed execution.
* Lateral movement is aggressive, with infected machines targeting hundreds of internal systems.
* Attackers rely heavily on existing compromises rather than new zero-day exploits.
* Each compromised system showed early warning signs for an average of 43 days before escalation.
* Once detected, Sandworm escalates activity instead of retreating, often shifting focus toward OT assets.

For example, in one case, a single infected system attempted lateral movement against 405 internal machines, triggering a 12-fold increase in alerts.

One of the most striking findings is Sandworm’s continued use of older exploit chains like EternalBlue, DoublePulsar, and WannaCry. Rather than developing new tools, the group exploits unpatched systems and lingering infections.

![Warning window between first alert and Sandworm detection (Source: Nozomi Networks).](https://cdn.prod.website-files.com/645a45d56fc4750d4edd96fe/69e676cfeb5458c18f1e9e9a_warning_window_high_res.png)

In multiple environments, researchers observed that networks were already compromised with tools like Cobalt Strike and Metasploit before [Sandworm activity began](https://gbhackers.com/sandworm-hackers/). This suggests the group is opportunistic, entering environments that are already “soft targets.”

Unlike ransomware groups that often retreat when discovered, Sandworm intensifies its operations. The report highlights a multi-dimensional escalation pattern, including:

* Increased alert volume and diversity.
* Deployment of new tools and techniques.
* Expansion into new network segments and ports.
* Shift toward high-impact tactics mapped to ICS environments.

In several cases, attackers directly targeted hundreds of engineering workstations and dozens of industrial controllers, confirming deliberate intent to disrupt operations.

Sandworm stands apart from other threat actors due to its mission. While ransomware groups seek financial gain and hacktivists pursue visibility, Sandworm operates as a military cyber-sabotage unit linked to Russia’s GRU Unit 74455.

![Inhibit function response (Source: Nozomi Networks).](https://cdn.prod.website-files.com/645a45d56fc4750d4edd96fe/69e67914803109dd02f008dc_Inhibitresponse.png)

Its campaigns often align with geopolitical events and, in some cases, precede physical military actions.

Researchers also noted a slowdown in broader targeting during late 2025, likely due to resource concentration on a suspected power grid attack in Poland.

Perhaps the most critical takeaway is that Sandworm doesn’t rely on sophisticated zero-days. Instead, it exploits known vulnerabilities and alerts that go ignored. Every affected system in the study generated weeks or even months of detectable warning signs before the attack escalated.

This means many incidents could have been prevented through basic cybersecurity hygiene: patching known vulnerabilities, investigating “routine” alerts, and limiting lateral movement.

As Sandworm continues to blur the line between cyber operations and physical disruption, organizations managing critical infrastructure face increasing pressure to act early. In this threat landscape, ignoring small alerts can lead to large-scale consequences.
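
The two measurable signals in the report, the warning window between a host's first alert and its escalation and a single source fanning out to hundreds of internal machines, can be computed from ordinary alert history. The following is an added example, not code from the article or from Nozomi Networks; the OT subnet, the thresholds, and every address and alert record in it are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumptions for this example, not values from the article:
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # hypothetical OT address space
FANOUT_THRESHOLD = 50  # distinct destinations from one source in one day
SURGE_FACTOR = 10.0    # day's alert count vs. mean of the host's earlier active days


def is_ot(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETS)


def triage(alerts):
    """alerts: iterable of (datetime, src_ip, dst_ip, signature) tuples.

    Returns {src_ip: finding}. A host escalates on the first day its fan-out or
    alert surge crosses a threshold; until then its warning window stays open
    and is measured up to the newest alert in the data set.
    """
    alerts = list(alerts)
    if not alerts:
        return {}
    latest = max(ts for ts, _, _, _ in alerts).date()
    by_host = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, _sig in alerts:
        by_host[src][ts.date()].append(dst)

    findings = {}
    for src, days in by_host.items():
        ordered = sorted(days)
        first = ordered[0]
        finding = {"first_alert": first, "escalated_on": None,
                   "warning_days": (latest - first).days,
                   "fanout": 0, "surge": None, "ot_targets": 0}
        earlier_counts = []
        for day in ordered:
            dsts = days[day]
            fanout = len(set(dsts))
            surge = (len(dsts) / (sum(earlier_counts) / len(earlier_counts))
                     if earlier_counts else None)
            if fanout >= FANOUT_THRESHOLD or (surge is not None and surge >= SURGE_FACTOR):
                finding.update(
                    escalated_on=day,
                    warning_days=(day - first).days,
                    fanout=fanout,
                    surge=surge,
                    ot_targets=sum(1 for d in set(dsts) if is_ot(d)),
                )
                break
            earlier_counts.append(len(dsts))
        findings[src] = finding
    return findings


def sample_alerts():
    """Constructed alert history; all addresses and signatures are invented."""
    start = datetime(2025, 9, 1, 8, 0)
    rows = []
    # Host A: sparse "routine" alerts, then a fan-out burst 43 days after the first.
    for offset in (0, 9, 21, 30):
        rows.append((start + timedelta(days=offset), "10.10.5.23", "10.10.5.40",
                     "SMB exploit attempt (constructed)"))
    burst = start + timedelta(days=43)
    for i in range(405):
        if i < 300:   # IT workstations
            dst = f"10.10.{6 + i // 200}.{1 + i % 200}"
        else:         # engineering workstations / controllers in the assumed OT range
            dst = f"10.20.1.{i - 299}"
        rows.append((burst + timedelta(seconds=i), "10.10.5.23", dst,
                     "SMB lateral movement (constructed)"))
    # Host B: two early alerts, no escalation yet; its warning window is still open.
    for offset in (10, 40):
        rows.append((start + timedelta(days=offset), "10.10.8.77", "10.10.8.1",
                     "Known-malware beacon (constructed)"))
    return rows


if __name__ == "__main__":
    for host, f in sorted(triage(sample_alerts()).items()):
        state = f"escalated {f['escalated_on']}" if f["escalated_on"] else "no escalation yet"
        print(f"{host}: first alert {f['first_alert']}, {state}, "
              f"warning window {f['warning_days']} days, fan-out {f['fanout']}, "
              f"OT targets {f['ot_targets']}")
```

Hosts that report no escalation but a long open warning window are the ones to investigate first, since they match the pre-escalation state the report describes.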