Mozilla

A vulnerability in Firefox for iOS versions prior to 151.1 allows an attacker to bypass the security policy (CVE-2026-9078).

Multiple vulnerabilities in Mozilla Firefox ESR, Firefox, Firefox for iOS, and Thunderbird products can lead to arbitrary code execution, privilege escalation, and remote denial of service.

Multiple vulnerabilities in Mozilla Firefox, Firefox ESR, and Thunderbird could allow a remote attacker to execute arbitrary code, disclose information, bypass security restrictions, deceive the user, escalate privileges, or cause a denial-of-service condition.

Multiple vulnerabilities exist in Mozilla Firefox, Firefox ESR, and Thunderbird that could allow a remote attacker to execute arbitrary code, disclose sensitive information, bypass security measures, or conduct cross-site scripting or spoofing attacks.

Mozilla released security updates on May 19, 2026, addressing vulnerabilities in Firefox versions prior to 151, Firefox ESR versions prior to 115.36, and Firefox ESR versions prior to 140.11.

A new variant of the 'SHub' macOS infostealer, dubbed Reaper, uses AppleScript to display a fake security update message and install a backdoor, ultimately stealing browser data, financial documents, and cryptocurrency wallet information while bypassing Terminal-based mitigations in macOS.

Mozilla released security updates to address vulnerabilities in Firefox and Firefox ESR versions, potentially allowing for exploitation if left unpatched.

Multiple vulnerabilities in Mozilla Thunderbird prior to versions 150.0.1 and Thunderbird ESR prior to 140.10.1 could allow a remote attacker to achieve arbitrary code execution, data confidentiality breach, and security policy bypass.

Mozilla released a security advisory addressing vulnerabilities in Firefox and Firefox ESR versions prior to 150.0.1, 140.10.1, and 115.35.1, potentially leading to arbitrary code execution or information disclosure.

Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands, leading to initial access and execution of arbitrary code.

The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.

A Firefox 0-day exploit was used to target Mac users, dropping a second backdoor identified as a new variant of the cross-platform Mokes malware (OSX.Mokes.B) with screen capture, audio capture, and document exfiltration capabilities.

OSX/CreativeUpdater is a macOS cryptominer distributed through compromised download links on the MacUpdate website, using a trojanized application bundle to execute a script that downloads and installs a persistent Monero miner using launch agents.

This analytic detects non-Firefox processes accessing the Firefox profile directory, potentially indicating malware attempting to harvest sensitive user data like login credentials, browsing history, and cookies.

Detection of processes loading Mozilla NSS/Mozglue libraries (mozglue.dll, nss3.dll) outside of known Mozilla applications, potentially indicating malware or unauthorized activity.

A Firefox zero-day exploit was used to target Mac users, resulting in the installation of the OSX.NetWire.A malware, which establishes persistence and communicates with a command and control server.

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.

Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications such as Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird.

Detection of DNS-over-HTTPS (DoH) being enabled via registry modifications on Windows systems, potentially indicating defense evasion and obfuscation of network activity by masking DNS queries.

Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.

Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.

This rule detects the creation of scheduled tasks in Windows using event logs, which adversaries may use for persistence, lateral movement, or privilege escalation by creating malicious tasks.