Attackers are planning around your holidays. The question is whether you’ve done the same.

Day two of the Cyber AI & Automation Summit kicks off at 11AM ET. If you weren't able to attend yesterday, all Day One sessions are already available on-demand.

The post Virtual Event Today: Cyber AI & Automation Summit Day 2 appeared first on SecurityWeek.

As AI-generated threats continue to rise, more organisations are turning to red teaming to turn the tide. Nothing provides a better understanding of your security posture like letting a red team loose on your environment to simulate a real-world attack. 

Here is a list of some of the top red teaming tools you’ll find in 2026—along with what you’ll need to know to make your choice.  

Cobalt Strike (Fortra)  

Cobalt Strike is one of the most widely used red teaming tools in cybersecurity today. As one engineer noted, “It was the product that changed the industry” as its insights spurred the development of Endpoint Detection and Response (EDR). Now, nearly a decade and a half later, it continues to be the professional’s choice and is estimated to be in use by 60% of red teamers out there.  

Strengths 

• Vetted Exploits: One of Cobalt Strike’s key advantages is its interoperability. By integrating closely with Core Impact, it offers users full access to Core Impact’s library of core certified exploits, which is widely trusted by security experts over potentially risky open-source options.  

• Malleable C2: Traffic can be made to resemble legitimate apps (by altering URLs, headers, payload formatting, etc.), a mature and well-documented technique. 

• Integrated Workflow: Bundles payload generation, post-exploitation features, a team server for collaboration, and a single operator workflow—instead of making teams cobble together separate OSS components. 

• Superior Support: Commercial licensing comes with professional support; vendor maintenance, documentation, and live help. For teams that want compatibility with corporate tooling and predictable updates, this is key.  

• Mature Solution with Repeatable Results: Polished GUIs, established C2 features, team collaboration workflows, and vetted exploits mean repeatable, credible results.  

Limitations 

• Commercial Licensing: Commercial pricing can be high for smaller teams. 

• Legal Considerations: Cobalt Strike can only be used in authorised engagements. 

Watch Now: See Cobalt Strike explained in two minutes: https://www.youtube.com/watch?v=9BUxptcYZCk 

Mythic 

Mythic is an open-source, modular command-and-control (C2) framework perfect for creating customised “agents” across Windows, macOS, and Linux targets.  

Strengths 

• Highly Extensible: New features easily added or modified without an extensive overhaul. Every feature runs as a containerized microservice. 

• Fully Customisable: Used for openness, flexibility, and the ability to research and craft new payloads. 

• Development and Research: Many use Mythic for research, educational, and development purposes as it provides full control and zero licensing costs.  

Limitations 

• Requires Orchestration: Container orchestration, agent configuration, and more administrative effort than commercial tools are required. 

• Steep Learning Curve: Without a “turnkey” setup or a single-vendor installer, operators must be experienced to get Mythic up and running. 

AdaptixC2  

AdaptixC2 is a fairly new open-source red teaming tool that entered the market in January 2025. It offers flexibility, a modular architecture, and works across multiple operating systems. With no licensing costs, it is good for labs and bespoke engagements. 

Strengths 

• Cross-Platform Support: It offers support for Windows, Linux, and macOS agents. 

• “Extenders” and Plug-Ins: Add in additional capabilities like lateral movement, credential harvesting, and custom payloads. 

• Modifiable and Open-Source: Great for emulating bespoke adversaries as it is deeply customisable and easily expanded.  

Limitations 

• Less Mature: Being newer on the market means fewer “out of the box” modules and less battle-tested experience.  

• Less Standardised and Established: Integrating with other red-team ecosystems (toolchains, training, reporting workflows) may require more customisation. 

Sliver 

Developed by Bishop Fox, Sliver is an open-source adversary emulation platform that implants “slivers” (malicious binaries) across many architectures and supports multiple transport options. 

Strengths 

• Staged and Stageless Payloads: Sliver delivers both staged and stageless payloads to launch both larger, immediate-impact attacks and smaller, size-constricted ones. 

• Flexible Transport Options: Offers native support for DNS, HTTP(S), mTLS, WireGuard and custom transports for varied emulation of egress patterns.  

• Dynamic Code Generation: Reduces static detections (when configured properly) with per-binary keys and compile-time options to change fingerprints.  

Limitations 

• No Commercial SLA: Teams need to invest in their own internal support, testing, hardening, and expertise.  

• Payload Size: Some users report the need to reduce forensic artefacts.  

Havoc  

Havoc has rapidly gained traction in the red teaming community as one of the few open-source C2 tools to be designed with operator UX in mind.  

Strengths 

• Fully Customisable: Teams can extend, modify, and audit the framework (again, good for research, education, and custom engagements).  

• Fast Set Up: Documentation, tutorials, and YouTube walk-throughs shorten the learning curve, along with active community engagement. 

• Approachable UX: A GUI-driven framework smooths set up and provides a more polished, modern user experience comparable to commercial-grade tools. 

Limitations 

• Younger Ecosystem: Less battle-tested than older, more established red teaming tools; capabilities may evolve unevenly. 

• Operational Hardening Required: To achieve enterprise-grade OPSEC, internal investment is required: cleaning proxies, testing against EDR/XDR stacks, hardening listeners.   

Outflank Security Tooling (OST)  

Outflank Security Tooling, or OST, is a collection of advanced red teaming tools made “by red teamers, for red teamers.” This broad, evasive toolset emulates real-world attacks by simulating APT techniques, bypassing defences, and providing high-end offensive security. 

Strengths 

• Expert Maintained: OST is continuously updated by the hackers and experts that use it themselves, making it well-suited for mature and sensitive target environments. 

• Full Kill Chain Coverage: Get advanced tools to break the attack chain at any stage. Small teams can punch above their weight with shortcuts for hard stages like EDR evasion, initial access, and OPSEC-safe lateral movement. 

• Unique Industry Advantage: OST features techniques not yet weaponized or even published by other teams, giving organisations a unique advantage over other tools and attackers.  

Limitations 

• Vetted Audience: Because of its powerful capabilities, Outflank Security Tooling is not a tool for the masses. Instead, it is available only to a vetted community of responsible buyers and red team professionals because of its real-world attack potential. 

• OS-Specific Evasion: Evasion techniques are carefully crafted to work with certain operating systems and configurations, just like an attackers’ techniques. This means that an exploit designed for a Windows 11 endpoint may not work on Windows 10. 

Kali Linux 

Maintained by Offensive Security, Kali Linux is a Debian-based Linux construction used for red teaming, pen testing, and digital forensics. Rather than a specialised red teaming tool, it is a complete operating system and toolkit.  

Strengths 

• Preinstalled Security Tools: Kali Linux ships with 600+ preinstalled security tools (from John the Ripper to Burp Suite to Wireshark). 

• Free and Open Source: Users can modify, inspect, and rebuild it. No licensing or usage fees.  

• Open to Integration: Kali Linux serves as the foundation for red teaming tools, integrating with frameworks like Sliver and Havoc (C2 operators) to act as host. 

Limitations 

• Not a C2 Framework: While Kali Linux supports C2 frameworks, it is an environment—not a post-exploitation or C2 platform in its own right. 

• Inconsistent Tool Maturity: Tools can overlap, lead to inefficiencies, or (in the case of older tools) be buggy, outdated, or redundant.  

Matrix Table 

Tool	Overview	Use Case
Cobalt Strike	Commercial, professional-grade red teaming and post-exploitation platform used by ~60% of red teams worldwide.	Professional, repeatable red teaming engagements
Mythic	Open-source, modular C2 framework for research and custom agent creation.	Highly modular, customizable, cross-platform agent dev
AdaptixC2	New (2025) open-source C2 platform emphasizing modularity and cross-platform operation.	Highly modular, customizable, cross-platform agent dev
Sliver (BishopFox)	Open-source adversary emulation framework for red teaming with multi-transport implants (“slivers”).	Open-source research and adversary emulation
Havoc	Open-source GUI-based C2 framework designed for usability and community collaboration.	Modern GUI-driven open C2 alternative
Outflank Security Tooling (OST)	High-end offensive security red teaming toolkit created “by red teaming experts for red teaming experts.”	Advanced APT simulations and evasive tactics for mature, sensitive target environments.
Kali Linux	Debian-based Linux distro for penetration testing, digital forensics, and red teaming; acts as a tool platform.	Training and general-purpose pentesting

 

Conclusion: Commercial vs Open-Source 

Ultimately, the choice between commercial red teaming tools and open-source options depends on where you are willing to sacrifice. 

As SANS notes, “Balance the cost against the potential ROI. Open-source tools…may be cost-effective and community-driven, while commercial tools…often come with a additional capabilities and a curated database. This typically includes the latest threat intelligence, attack vectors, new campaigns and overall support.” 

Whether your organisation is looking for a cost-friendly option or a mature, licensed solution, there is a red teaming vendor that can fit your needs in 2026.  

FAQ:

What is a red team? 

A red team is a group of ethical hackers that play the part of adversaries in simulating a real-world cyberattack for the purpose of testing an organization’s cybersecurity defences. They play a key role in offensive security. 

 

What is the difference between a red team and a blue team? 

A red team attacks; a blue team defends. Though they play opposite roles in red team engagements, all are on the same side: improving the cybersecurity posture of the target organisation.  

This is why teams should prioritise blue team success over red team wins.  

Watch this explainer video for more: https://www.youtube.com/watch?v=E3ZMAipJvao 

 

How is red teaming different from penetration testing?
Pen testing searches for and catalogues vulnerabilities, specifically.  Red teaming leverages advanced and creative ways to breach an organisation, from social engineering to APTs and beyond. It is broader, less predictable, and tests everything from the tool stack to the response capabilities of the blue team.

 

What is the goal of a red team exercise?

The goal of a red team exercise is to uncover ways in which threat actors could leverage internal weaknesses, misconfigurations, and oversights – along with technical exploits and expertise – to access an organisation’s internal network, services, or applications and disrupt operations, exfiltrate data, and otherwise inflict harm.  

 

How do you get legal/ethical approval to run a red team? 

The red team engagement needs to be authorised and approved by the organisation and key stakeholders. Basic steps include: 

• Scope and Justification: Define what you’re testing and why 
• Sign-Off: Approval from legal, risk/compliance, SOC/security, IT/network operations, HR (if phishing), C-Suite sponsor 
• Rules of Engagement (RoE): Defines technical boundaries, allowed techniques, and things like safe words and kill switches. 

 

What kind of tools do red teams use?  

Red teams typically use command-and-control (C2) platforms to run red team engagements. These frameworks can be commercial-grade or open-sourced, and include tools such as: 

• Beacons/Agents/Slivers 

• Adversary Emulation Platforms 

• Exploit Frameworks 

• Lateral-Movement Tools 

• Post-Exploitation Tools (Outflank Security Tooling (OST)) 

• Payload Builders/Obfuscators/Packers 

• Transport and Tunneling Tools 

• Reconnaissance and Scanning Tools (Shodan, theHarvester) 

• Social Engineering and Phishing Toolkits (Social Engineering Toolkit (SET)) 

• Penetration Testing Tools (Core Impact) 

• Network/Application Testing Tools (Wireshark, Burp Suite) 

• Physical Tools (RFID cloners, lock-pick sets) 

• Command Libraries/Scripts/ Automation 

Cobalt Strike was one of the first public red team C2 frameworks and is a favourite in the red teaming community.  

What’s a purple team exercise and should we do one? 

A purple team exercise brings red teams and blue teams together in a collaborative security assessment. The focus is on bringing both skillsets to the table for the purpose of learning, teaching, and improving—not “winning.”  

A purple team mindset recognizes red and blue as the same team – with the ultimate goal of beating attackers – and fosters engagements that act as an open-communication training opportunity.  

The post The Best Red Teaming Tools of 2026: What You Need to Know appeared first on IT Security Guru.

Alan breaks down why Israeli cybersecurity isn’t just booming—it’s entering a full-blown renaissance, with record funding, world-class talent, and breakout companies redefining the global cyber landscape.

The post An Inside Look at the Israeli Cyber Scene appeared first on Security Boulevard.

HP’s latest threat report reveals rising use of sophisticated social engineering, SVG-based attacks, fake software updates, and AI-enhanced malware as cybercriminals escalate tactics to evade detection.

The post Report Surfaces Multiple Novel Social Engineering Tactics and Techniques appeared first on Security Boulevard.

This is a predictions blog. We know, we know; everyone does them, and they can get a bit same-y. Chances are, you’re already bored with reading them. So, we’ve decided to do things a little bit differently this year.  Instead of bombarding you with just our own predictions, we’ve decided to cast the net far [...]

The post 2026 API and AI Security Predictions: What Experts Expect in the Year Ahead appeared first on Wallarm.

The post 2026 API and AI Security Predictions: What Experts Expect in the Year Ahead appeared first on Security Boulevard.

Danielle Hillmer allegedly concealed the fact that her employer’s cloud platform did not meet DoD requirements.

The post Former Accenture Employee Charged Over Cybersecurity Fraud appeared first on SecurityWeek.

Using artificial intelligence in operational technology environments could be a bumpy ride full of trust issues and security challenges.

Road Town, British Virgin Islands, 11th December 2025, CyberNewsWire

The post 1inch Named Exclusive Swap Provider at Launch for Ledger Multisig appeared first on The Security Ledger with Paul F. Roberts.

Eleven companies took part in the evaluations and several have boasted 100% detection and coverage rates.

The post MITRE Posts Results of 2025 ATT&CK Enterprise Evaluations appeared first on SecurityWeek.

In April 2025, hackers stole personal information belonging to patrons and employees and their family members.

The post Pierce County Library Data Breach Impacts 340,000 appeared first on SecurityWeek.

Cary, North Carolina, USA, 11th December 2025, CyberNewsWire

The post INE Highlights Enterprise Shift Toward Hands-On Training Amid Widening Skills Gaps appeared first on The Security Ledger with Paul F. Roberts.

CyberVolk is a pro-Russia hacktivist persona we first documented in late 2024, tracking its use of multiple ransomware tools to conduct attacks aligned with Russian government interests. After seemingly lying dormant for most of 2025 due to Telegram enforcement actions, the group returned in August with a new RaaS offering called VolkLocker (aka CyberVolk 2.x).

In this post, we examine the functionality of VolkLocker, including its Telegram-based automation, encryption mechanisms, and affiliate features. Our analysis reveals an operation struggling with the challenges of expansion: taking one step forward with sophisticated Telegram automation, and one step backward with payloads that retain test artifacts enabling victim self-recovery.

Technical Details

VolkLocker payloads are written in Golang, with versions supporting both Linux and Windows. Base builds are shipped without obfuscation, and RaaS operators are encouraged to use UPX for packing rather than being offered native crypting or packing features as is common with many other RaaS offerings.

Operators building new VolkLocker payloads must provide a bitcoin address, Telegram bot token ID, Telegram chat ID, encryption deadline, desired file extension, and self-destruct options.

Upon launch, the ransomware checks its execution context and attempts privilege escalation if needed. Escalation uses the “ms-settings” UAC bypass technique (T1548.002), hijacking the HKCU\Software\Classes\ms-settings\shell\open\command registry key to execute with elevated privileges.

The malware performs environmental discovery and system enumeration, including process enumeration for virtual environment detection and hardware-based identification.

VolkLocker checks the local MAC address against known virtualization vendor prefixes. Registry locations associated with VirtualBox and VMware are also queried.

Once initialized, the ransomware enumerates all available drives (A: through Z:) and determines which files to encrypt based on exclusion lists for specific paths and extensions configured in the VolkLocker code.

Encryption Mechanism

VolkLocker uses AES-256 in GCM mode (Galois/Counter Mode) for file encryption. When the ransomware identifies a target file, it initializes an encryption engine using a 32-byte master key decoded from a 64-character hex string embedded in the binary.

For each file, the malware generates a random 12-byte nonce for the initialization vector using Golang’s crypto/rand package. The file is encrypted using the GCM Seal operation, which prepends the 12-byte nonce to the ciphertext and appends a 16-byte authentication tag. The original file is marked for deletion, and the encrypted file receives a custom extension (e.g., .locked, .cvolk).

Critical Design Flaw | Plaintext Key Backup

VolkLocker does not generate encryption keys dynamically. Instead, master keys are hardcoded as hex strings within the binaries. The same master key encrypts all files on a victim system.

Critically, this master key is also written to a plaintext file in the %TEMP% folder, creating a trivial decryption pathway for victims who discover it.

This design flaw exists in the backupMasterKey() function, which executes during initialization and performs the following:

• Constructs a file path at %TEMP%\system_backup.key (typically C:\Users\\AppData\Local\Temp\system_backup.key)
• Writes a plaintext file containing the victim’s unique identifier, the complete master encryption key, and the attacker’s Bitcoin address
• Applies Windows Hidden and System file attributes to obscure the file from casual directory listings
• The file format is:

  User: CV<16 hex characters>
  Key: <64 hex characters - THE MASTER KEY>
  BTC: <attacker's bitcoin address>
  

Since the ransomware never deletes this backup key file, victims could attempt file recovery by extracting the necessary values from the file.

The plaintext key backup likely represents a test artifact inadvertently shipped in production builds. CyberVolk operators may be unaware that affiliates are deploying builds with the backupMasterKey() function still embedded. Given that VolkLocker is a relatively new service, the presence of what appears to be debug functionality in live deployments suggests that the operation is struggling to maintain quality control while aggressively recruiting lesser-skilled affiliates.

System Lockdown & Persistence Features

VolkLocker modifies multiple registry keys to inhibit system recovery and analysis:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 4 /f

In addition, Windows Defender is targeted for termination via PowerShell:

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
sc config WinDefend start= disabled
net stop WinDefend /y

The malware also terminates processes associated with common analysis tools via taskkill.exe:

• processhacker.exe
• procexp.exe
• procexp64.exe
• taskmgr.exe

VolkLocker creates multiple identical copies of itself in various system locations to establish persistence:

    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cvolk.exe
    %PUBLIC%\Documents\svchost.exe
    %SYSTEMDRIVE%\ProgramData\Microsoft\Network\wlanext.exe
    %TEMP%\WindowsUpdate.exe

Ransom Note and Countdown Timer

VolkLocker’s ransom note is a dynamic HTML application. The file cybervolk_ransom.html is written to %TEMP% and launched both after encryption completes and upon system startup. The ransom note displays a countdown timer with a default duration of 48 hours. The duration of the timer can be configured by the RaaS operators.

The JavaScript-based countdown timer is purely cosmetic. When it reaches zero, the triggerDestruction() function displays a shake animation and the message “ SYSTEM DESTROYED .”

However, a separate enforcement timer operates independently of the browser-based display.

This enforcement timer is synchronized with the system clock using Golang’s time.After() function. When it expires, it calls the SystemCorruptor() and DestroySystem() functions. The same destructive routine triggers if an incorrect decryption key is provided more than the configured maxAttempts value. The default is three times.

File & Backup Destruction Mechanism

During system destruction, VolkLocker deletes the following folders from the user profile:

• Documents
• Desktop
• Downloads
• Pictures

The malware also deletes Volume Shadow Copies:

vssadmin delete shadows /all /quiet

Finally, VolkLocker triggers a BSOD (Blue Screen of Death) after a 10-second delay by calling NtRaiseHardError() with a specific status code.

Telegram Integration

All aspects of the CyberVolk RaaS are managed through Telegram. Prospective customers and operational queries are directed to the main bot (CyberVolk_Kbot).

VolkLocker payloads include built-in Telegram automation for command and control. This aligns with CyberVolk’s operational model, where all communication, purchasing, and support occur through Telegram, a model the actors see as a “market differentiator”.

The default Telegram C2 supports the following commands:

The Telegram C2 is customizable. Some CyberVolk operators have published examples that include additional capabilities, such as keylogging control.

The telegramReporter() function alerts operators upon new infections, similar to Telegram-enabled infostealers. When a host is infected, basic system information and a screenshot are sent to the configured Telegram chat.

Expanded Services and Pricing

CyberVolk has expanded beyond ransomware. In November 2025, operators began advertising standalone RAT and keylogger tools, with the following advertised pricing model:

• RaaS (single OS): $800-$1,100 USD
• RaaS (Linux + Windows): $1,600-$2,200 USD
• Standalone RAT or Keylogger: $500 USD each

Intelligence suggests bundle discounts are available for customers purchasing multiple services.

Conclusion

Despite repeated Telegram account bans and channel removals throughout 2025, CyberVolk has reestablished its operations and expanded its service offerings.

However, storing master encryption keys in plaintext is a significant design blunder that undermines the ransomware’s effectiveness, allowing victims to recover files without acceding to the threat actor’s ransom demand.

Nevertheless, defenders should see CyberVolk’s adoption of Telegram-based automation as a reflection of broader trends among politically-motivated threat actors. These groups continue to lower barriers for ransomware deployment while operating on platforms that provide convenient infrastructure for criminal services.

The SentinelOne Singularity Endpoint Platform currently detects and prevents malicious behaviors and artifacts associated with CyberVolk Ransomware attacks.

Indicators of Compromise

CyberVolk (VolkLocker 2025) Linux
0948e75c94046f0893844e3b891556ea48188608

CyberVolk (VolkLocker 2025) Windows
dcd859e5b14657b733dfb0c22272b82623466321

Bitcoin Address
bc1qujgdzl0v82gh9pvmg3ftgnknl336ku26nnp0vy (CyberVolk)

Telegram Bot Token
8368663132:AAHBfe3xYPtg1IMynKhQy1BRzuF5UZRZspw (CyberVolk)

Container image scanning has come a long way over the years, but it still comes with its own set of, often unique, challenges. One of these being the difficulty in analyzing images for vulnerabilities when they contain a Rust payload. If you’re a big Rust user, you may have found that some software composition analysis […]

The post Beyond Cargo Audit: Securing Your Rust Crates in Container Images appeared first on Anchore.

The post Beyond Cargo Audit: Securing Your Rust Crates in Container Images appeared first on Security Boulevard.

Cary, North Carolina, USA, 11th December 2025, CyberNewsWire

The post INE Highlights Enterprise Shift Toward Hands-On Training Amid Widening Skills Gaps appeared first on Security Boulevard.

Discover how lattice-based cryptography enables granular policy enforcement for Model Context Protocol (MCP) security. Learn about quantum-resistant protection, parameter-level restrictions, and compliance in AI infrastructure.

The post Granular Policy Enforcement using lattice-based cryptography for MCP security. appeared first on Security Boulevard.

In November, a targeted spear-phishing campaign was observed using Trend Micro-themed lures against various industries, but this was quickly detected and thwarted by the Trend Vision One™ platform.

The segmentation journey starts with visibility, goes through identity context, policy and enforcement, ultimately returning to enhanced visibility.

Security firms have seen cryptocurrency miners, Linux backdoors, botnet malware, and various post-exploitation implants in React2Shell attacks.

The post Wide Range of Malware Delivered in React2Shell Attacks appeared first on SecurityWeek.

The exploited flaw allows attackers to overwrite files outside the repository, leading to remote code execution.

The post Unpatched Gogs Zero-Day Exploited for Months appeared first on SecurityWeek.