- ZipLine-linked spearphishing campaign uses PowerShell backdoor and Cloudflare Tunnel
Telekom Security investigated a spearphishing campaign targeting organizations in several European countries. The campaign ultimately enables follow-on activity that, in at least one observed case, led to the deployment of Qilin ransomware. We are aware of multiple affected companies across different countries, most of them located in Austria. Not all of these organizations were encrypted, but at least one became a victim of Qilin ransomware. We assess this activity to be related to the ZipLine campaign, which was uncovered by Check Point Research in August 2025. While there are some differences in the current activity, the overall tradecraft shows multiple similarities, as described throughout this blog post.
- Mass exploitation of CVE-2026-1281 and CVE-2026-1340 in Ivanti EPMM
In early 2026, two critical zero-day vulnerabilities in Ivanti’s mobile device management platform - CVE-2026-1281 and CVE-2026-1340 - emerged as significant drivers of incident activity across multiple sectors. Both flaws, rated CVSS 9.8 (critical), allow unauthenticated remote code execution, enabling attackers to compromise Ivanti Endpoint Manager Mobile (EPMM) appliances and potentially pivot into broader enterprise environments.