2026-04-15 AI创业新闻

OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams

OpenAI on Tuesday unveiled GPT-5.4-Cyber , a variant of its latest flagship model, GPT‑5.4 , that’s specifically optimized for defensive cybersecurity use cases, days after rival Anthropic unveiled its own frontier model, Mythos . “The progressive use of AI accelerates defenders – those responsible for keeping systems, data, and users safe – enabling them to find and fix problems faster in the digital infrastructure everyone relies on,” OpenAI said . In conjunction with the announcement, the artificial intelligence (AI) company said it’s ramping up its Trusted Access for Cyber ( TAC ) program to thousands of authenticated individual defenders and hundreds of teams responsible for securing critical software. AI systems are inherently dual-use, as bad actors can repurpose technologies developed for legitimate applications to their own advantage and achieve malicious goals.

One core area of concern is that adversaries could invert the models fine-tuned for software defense to detect and exploit vulnerabilities in widely-used software before they can be patched, exposing users to significant risks. OpenAI said the goal is to democratize access to its models while minimizing such misuse, as well as strengthening its safeguards through a deliberate, iterative rollout. The idea is to enable responsible use at scale, give defenders a head start, and simultaneously shore up guardrails against jailbreaks and adversarial prompt injections as model capabilities become more advanced. “As model capabilities advance, our approach is to scale cyber defense in lockstep: broadening access for legitimate defenders while continuing to strengthen safeguards,” the company added.

The ChatGPT maker, which launched Codex Security as a way to find, validate, and propose fixes for vulnerabilities, revealed that the AI-powered application security agent has contributed to over 3,000 critical and high fixed vulnerabilities. OpenAI’s limited release follows the preview of Anthropic’s Mythos, a frontier model that’s being deployed in a controlled manner as part of Project Glasswing . The model, the company said, found “thousands” of vulnerabilities in operating systems, web browsers, and other software. “The strongest ecosystem is one that continuously identifies, validates, and fixes security issues as software is written,” OpenAI said.

“By integrating advanced coding models and agentic capabilities into developer workflows, we can give developers immediate, actionable feedback while they are building, shifting security from episodic audits and static bug inventories to ongoing, tangible risk reduction.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below - CVE-2026-40176 (CVSS score: 7.8) - An improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer. CVE-2026-40261 (CVSS score: 8.8) - An improper input validation vulnerability stemming from inadequate escaping that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.

In both cases, Composer would execute these injected commands even if Perforce VCS is not installed, the maintainers noted in an advisory. The vulnerabilities affect the following versions -

= 2.3, < 2.9.6 (Fixed in version 2.9.6) = 2.0, < 2.2.27 (Fixed in version 2.2.27) If immediate patching is not an option, it’s advised to inspect composer.json files before running Composer and verify that Perforce-related fields contain valid values. It’s also recommended to only use trusted Composer repositories, run Composer commands on projects from trusted sources, and avoid installing dependencies using the “–prefer-dist” or the “preferred-install: dist” configuration setting. Composer said it scanned Packagist.org and did not find any evidence of the aforementioned vulnerabilities being exploited by threat actors by publishing packages with malicious Perforce information.

A new release is expected to be shipped for Private Packagist Self-Hosted customers. “As a precaution, publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026,” it said. “Composer installations should be updated immediately regardless.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security

Google has announced the integration of a Rust-based Domain Name System (DNS) parser into the modem firmware as part of its ongoing efforts to beef up the security of Pixel devices and push memory-safe code at a more foundational level. “The new Rust-based DNS parser significantly reduces our security risk by mitigating an entire class of vulnerabilities in a risky area, while also laying the foundation for broader adoption of memory-safe code in other areas,” Jiacheng Lu, a software engineer part of the Google Pixel Team, said . The security boost via Rust integration is available for Pixel 10 devices, making it the first Pixel device to integrate a memory-safe language into its modem. The move builds upon a series of initiatives the tech giant has taken to harden the cellular baseband modem against exploitation.

In late 2023, it highlighted the role played by Clang sanitizers like Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan) to catch undefined behavior during program execution. A year later, it also detailed the various security measures built into the modem firmware to combat 2G exploits and baseband attacks that exploit memory-safety vulnerabilities like buffer overflows to achieve remote code execution. These security advances have been complemented by Google’s steady adoption of Rust into Android and low-level firmware . In November 2025, the company revealed that the number of memory safety vulnerabilities fell below 20% of total vulnerabilities discovered in the mobile operating system last year.

Google said it opted for the DNS protocol for its Rust implementation owing to the fact that it underpins modern cellular communications and that vulnerabilities in the system can expose users to malicious attacks when designed in a memory-unsafe language, resulting in out-of-bound memory accesses, as in the case of CVE-2024-27227 . “With the evolution of cellular technology, modern cellular communications have migrated to digital data networks; consequently, even basic operations such as call forwarding rely on DNS services,” it added. “Implementing the DNS parser in Rust offers value by decreasing the attack surfaces associated with memory unsafety.” To that end, Google has chosen the ” hickory-proto “ crate, a Rust-based DNS client, server, and resolver , to implement the protocol, while modifying it to support bare metal and embedded environments. Another important component of this change is the use of a custom tool called ” cargo-gnaw “ to easily resolve and maintain more than 30 dependencies introduced by the crate.

The internet company also noted that the DNS Rust crate is not optimized for use in memory-constrained systems, and that one possible code size optimization could be achieved by adding extra feature flags to ensure modularity and selectively compile only required functionality. “For the DNS parser, we declared the DNS response parsing API in C and then implemented the same API in Rust,” Google said. “The Rust function returns an integer standing for the error code. The received DNS answers in the DNS response are required tobe updated to in-memory data structures that are coupled with the original C implementation;therefore, we use existing C functions to do it.

The existing C functions are dispatched from the Rust implementation.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud

Cybersecurity researchers have unmasked a novel ad fraud scheme that has been found to leverage search engine poisoning (SEO) techniques and artificial intelligence (AI)-generated content to push deceptive news stories into Google’s Discover feed and trick users into enabling persistent browser notifications that lead to scareware and financial scams. The campaign, which has been found to target the personalized content feeds of Android and Chrome users, has been codenamed Pushpaganda by HUMAN’s Satori Threat Intelligence and Research Team. “This operation, named for push notifications central to the scheme, generates invalid organic traffic from real mobile devices by tricking users into subscribing to enabling notifications that presented alarming messages,” researchers Louisa Abel, Vikas Parthasarathy, João Santos, and Adam Sell said in a report shared with The Hacker News. At its peak, about 240 million bid requests have been associated with 113 domains linked to the campaign over a seven-day period.

The threat, although observed targeting India, has since expanded to other regions like the U.S., Australia, Canada, South Africa, and the U.K. The findings demonstrate how threat actors abuse AI to hijack trusted discovery surfaces and turn them into delivery vehicles for scareware, deepfakes, and financial fraud, Gavin Reid, chief information security officer at HUMAN, said. Google has since rolled out a fix to address the spam issue. The entire scheme hinges on the scammers luring unsuspecting users through Google Discover to trick them into visiting misleading news stories filled with AI-generated content.

Once a user lands on one of the actor-controlled domains, they are coerced into enabling push notifications that deliver fake legal threats and scams. Specifically, the scareware notifications, once clicked, redirect users to additional sites operated by the threat actors, generating organic traffic to ads embedded in those sites and enabling them to generate illicit revenue. This is not the first time threat actors have weaponized push notifications to redirect to sketchy websites. In September 2025, Infoblox shed light on a threat actor known as Vane Viper that has engaged in systematic push notification abuse to serve ads and facilitate ClickFix-style social engineering campaigns.

“Malware-based threats involving push notifications, both for web and mobile platforms, aren’t a novel threat, especially when you consider the way in which they create a sense or urgency,” Lindsay Kaye, vice president of threat intelligence at HUMAN Security, told The Hacker News. “In many cases, users are quick to click, either to make them go away or to get more information, making them an effective tool in a malware author’s arsenal.” When reached for comment on the story, a Google spokesperson said, “We keep the vast majority of spam out of Discover through robust spam-fighting systems and policies against emerging forms of low quality, manipulative content. Prior to learning of this report, we launched a fix for the spam issue in question, maintaining our high bar for quality content on Discover.” The company also said it has instituted robust spam policies and spam-fighting systems to tackle abusive practices that surface unoriginal, low-quality content in Search and Discover, and that it rolls out regular algorithmic updates to flag policy-violating content that seek to manipulate Search and News rankings. According to its guidance about AI-generated content in Search, any use of AI to generate content primarily to manipulate search rankings is against its spam policies.

Instances of scaled content abuse include using generative AI tools or similar offerings to produce pages that do not offer any value for users; scraping feeds, search results, or other content; and creating multiple sites with the intent of hiding the scaled nature of the content. The disclosure also comes a little over a month after HUMAN identified a collection of more than 3,000 domains and 63 Android apps that it said constituted one of the largest ad fraud laundering marketplaces ever uncovered. Dubbed Low5 for its use of HTML5-based game and news sites, the operation has been found to monetize the domains as cashout sites for sophisticated fraud schemes, including BADBOX 2.0 . “The operation peaked at roughly 2 billion bid requests a day and may have operated on as many as 40 million devices worldwide,” the company said .

“Apps associated with Low5 include code that instructs user devices to visit one of the domains connected with the scheme and click on ads found there.” Cashout sites, also called ghost sites, are used to conduct content-driven fraud, where the attackers use bogus sites and apps to sell space to advertisers who may assume their ads will be viewed by humans. The Android apps in question have been removed from the Google Play Store. “A shared monetization layer spanning more than 3,000 domains allows multiple threat actors to plug into the same infrastructure, creating a distributed laundering system that increases threat resilience, complicates attribution, and enables rapid replication,” HUMAN added. “A key takeaway from this research is that monetization infrastructure can survive even after a specific fraud campaign is shut down.

If one malicious app or device network is removed, the same cashout domains can still be reused by other actors. Low5 reinforces the need for continuous, aggressive threat intelligence and detection expertise to hunt down cashout domains and flag them pre-bid.” (The story was updated after publication on April 15, 2026, with a response from Google.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads

A nascent Android remote access trojan called Mirax has been observed actively targeting Spanish-speaking countries, with campaigns reaching more than 220,000 accounts on Facebook, Instagram, Messenger, and Threads through advertisements on Meta. “Mirax integrates advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real time,” Italian online fraud prevention firm Cleafy said . “Beyond traditional RAT behavior, Mirax enhances its operational value by turning infected devices into residential proxy nodes . Leveraging SOCKS5 protocol support and Yamux multiplexing, it establishes persistent proxy channels that allow attackers to route their traffic through the victim’s real IP address.” Details of Mirax first emerged last month when Outpost24’s KrakenLabs revealed that a threat actor going by the name “Mirax Bot” has been advertising a private malware-as-a-service (MaaS) offering on underground forums for $2,500 for a three-month subscription.

Also available for $1,750 per month is a lightweight variant that removes certain features like the proxy and the ability to bypass Google Play Protect using a crypter . Like other Android malware, Mirax supports the ability to capture keystrokes, steal photos, gather lock screen details, run commands, navigate the user interface, and monitor user activity on the compromised device. It can also dynamically fetch HTML overlay pages from a command-and-control (C2) server to be rendered over legitimate applications for credential theft. The incorporation of a SOCKS proxy, on the other hand, is a relatively lesser-known feature that sets it apart from conventional RAT behavior.

The proxy botnet offers several advantages in that it allows threat actors to get around geolocation-based restrictions, evade fraud detection systems, and conduct account takeovers or transaction fraud under the guise of increased anonymity and legitimacy. “Unlike typical MaaS offerings, Mirax is distributed through a highly controlled and exclusive model, limited to a small number of affiliates,” researchers Alberto Giust, Alessandro Strino, and Federico Valentini said. “Access appears to be prioritized for Russian-speaking actors with established reputations in underground communities, indicating a deliberate effort to maintain operational security and campaign effectiveness.” Attack chains distributing the malware use Meta ads to promote dropper app web pages, tricking unsuspecting users into downloading them. As many as six ads have been observed actively advertising a streaming service with free access to live sports and movies.

Of these, five ads are directed against users in Spain. One of the ads, which started running on April 6, 2026, has a reach of 190,987 accounts. The dropper app URLs implement a number of checks to ensure that they are accessed from mobile devices and to prevent automated scans from revealing their true color. The names of the malicious apps are listed below - StreamTV (org.lgvvfj.pluscqpuj or org.dawme.secure5ny) - Dropper app Reproductor de video (org.yjeiwd.plusdc71 or org.azgaw.managergst1d) - Mirax A notable aspect of the campaign is the use of GitHub to host the malicious dropper APK files.

In addition, the builder panel offers the ability to choose between two crypters – Virbox and Golden Crypt (aka Golden Encryption) – for enhanced APK protection. Once installed, the dropper instructs users to allow installation from unknown sources to deploy the malware. The process of extracting the final payload is a “sophisticated, multi-stage operation” that’s designed to sidestep security analysis and automated sandboxing tools. The malware, after getting installed on the device, masquerades as a video playback utility and prompts the victim to enable accessibility services, thereby allowing it to run in the background, display a fake error message stating the installation was unsuccessful, and serve bogus overlays to conceal malicious activities.

It also establishes multiple bidirectional C2 channels for tasking and data exfiltration - WebSocket on port 8443, to manage remote access and execute remote commands. WebSocket on port 8444, to manage remote streaming and data exfiltration. WebSocket on port 8445 (or a custom port), to set up the residential proxy using SOCKS5. “This convergence of RAT and proxy capabilities reflects a broader shift in the threat landscape,” Cleafy said.

“While residential proxy abuse has historically been associated with compromised IoT devices and low-cost Android hardware such as smart TVs, Mirax marks a new phase by embedding this functionality within a full-featured banking trojan.” “This approach not only increases the monetization potential of each infection but also expands the operational scope of attackers, who can now leverage compromised devices for both direct financial fraud and as infrastructure for wider cybercriminal activities.” The disclosure comes as Breakglass Intelligence detailed an Arabic-language Android RAT called ASO RAT that’s distributed via apps disguised as PDF readers and Syrian government applications. “The platform provides full device compromise capabilities – SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS launching from victim devices,” the company said . “A multi-user panel with role-based access control suggests this operates as a RAT-as-a-Service or supports a multi-operator team.” It’s currently not known what the exact end goals of the campaign are, but Syria-themed lures for the apps (e.g., SyriaDefenseMap and GovLens) suggest that it may be targeting individuals with an interest in Syrian military or governance matters as part of what’s suspected to be a surveillance operation. Found this article interesting?

Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report)

OX Security recently analyzed 216 million security findings across 250 organizations over a 90-day period. The primary takeaway: while raw alert volume grew by 52% year-over-year, prioritized critical risk grew by nearly 400%. The surge in AI-assisted development is creating a “velocity gap” where the density of high-impact vulnerabilities is scaling faster than remediation workflows. The ratio of critical findings to raw alerts nearly tripled, moving from 0.035% to 0.092%.

Key Findings from the 2026 Analysis: CVSS vs. Business Context: Technical severity scores are no longer the primary driver of risk. The most common elevation factors were High Business Priority (27.76%) and PII Processing (22.08%) . In modern environments, where a vulnerability lives is now more important than what the vulnerability is.

The AI Fingerprint: We observed a direct correlation between the adoption of AI coding tools and the quadrupling of critical findings (averaging 795 per org, up from 202). Increased code velocity is yielding more complex, context-dependent flaws that bypass basic linting and legacy scanners. Sector Variance: Risk profiles are not uniform. Insurance firms showed the highest density of critical findings (1.76%), while the Automotive sector generated the highest raw volume of alerts—likely due to the massive scale of codebase expansion in software-defined vehicles.

This is the second year OX has conducted this analysis to benchmark the state of Application Security. Full report, including methodology and industry-specific benchmarks, is available here . Found this article interesting? This article is a contributed piece from one of our valued partners.

108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users

Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page visited. According to Socket, the extensions (complete list here ) are published under five distinct publisher identities – Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt – and have collectively amassed about 20,000 installs in the Chrome Web Store. “All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator,” security researcher Kush Pandya said in an analysis. Of these, 54 add-ons steal Google account identity via OAuth2, 45 extensions contain a universal backdoor that opens arbitrary URLs as soon as the browser is started, and the remaining ones engage in a variety of malicious behaviors - Exfiltrate Telegram Web sessions every 15 seconds Strip YouTube and TikTok security headers (i.e., Content Security Policy, X-Frame-Options, and CORS) and inject gambling overlays and ads Inject content scripts into every page the user visits Proxy all translation requests through the threat actor’s server In an attempt to lend a veneer of legitimacy, the identified extensions masquerade as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, text translation tools, and page utilities.

The advertised functionality is diverse, aiming to cast a wide net, while sharing the same backend. Unbeknownst to the users, however, malicious code running in the background captures session information, injects arbitrary scripts, and opens URLs of the attacker’s choosing. Some of the identified extensions are listed below - Telegram Multi-account (ID: obifanppcpchlehkjipahhphbcbjekfa), which extracts the user_auth token used by Telegram Web and exfiltrates the data to a remote server. It can also overwrite localStorage with threat actor-supplied session data and force-load the messaging application, effectively replacing the victim’s active Telegram session with the threat actor’s chosen session.

Web Client for Telegram - Teleside (ID: mdcfennpfgkngnibjbpnpaafcjnhcjno), which strips Telegram’s security headers and injects scripts to steal Telegram sessions. Formula Rush Racing Game (ID: akebbllmckjphjiojeioooidhnddnplj), which steals the user’s Google account identity the first time the victim clicks the sign-in button. This includes details like email, full name, profile picture URL, and Google account identifier. “Five extensions use Chrome’s declarativeNetRequest API to strip security headers from target sites before the page loads,” Socket said.

“All 108 malicious extensions share the same backend, hosted at 144.126.135[.]238.” It’s currently not known who is behind the policy-violating extensions. However, an analysis of source code has uncovered Russian language comments across several add-ons. Users who have installed any of the extensions are advised to remove them with immediate effect and log out of all Telegram Web sessions from the Telegram mobile app. Found this article interesting?

ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

A critical security vulnerability impacting ShowDoc , a document management and collaboration service popular in China, has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0520 (aka CNVD-2020-26585), which carries a CVSS score of 9.4 out of 10.0. It relates to a case of unrestricted file upload that stems from improper validation of file extension, allowing an attacker to upload arbitrary PHP files and achieve remote code execution. “[In] ShowDoc version before 2.8.7, an unrestricted and unauthenticated file upload issue is found and [an] attacker is able to upload a web shell and execute arbitrary code on server,” according to an advisory released by Vulhub.

The vulnerability was addressed in ShowDoc version 2.8.7 , which was shipped in October 2020. The current version of the software is 3.8.1 . According to new details shared by Caitlin Condon, vice president of security research at VulnCheck, CVE-2025-0520 has come under active exploitation for the first time. The observed exploit involves leveraging the flaw to drop a web shell on a U.S.-based honeypot running a vulnerable version of ShowDoc.

Data shared by the company shows that there are more than 2,000 instances of ShowDoc online, most of which are located in China. The development is the latest example of how threat actors are increasingly exploiting N-day security vulnerabilities, regardless of their install base. Users who are running ShowDoc are advised to update to the latest version for optimal protection. Found this article interesting?

CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added half a dozen security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2026-21643 (CVSS score: 9.1) - An SQL injection vulnerability in Fortinet FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. CVE-2020-9715 (CVSS score: 7.8) - A use-after-free vulnerability in Adobe Acrobat Reader that could result in remote code execution.

CVE-2023-36424 (CVSS score: 7.8) - An out-of-bounds read vulnerability in Microsoft Windows Common Log File System Driver that could result in privilege escalation. CVE-2023-21529 (CVSS score: 8.8) - A deserialization of untrusted data in Microsoft Exchange Server that could allow an authenticated attacker to achieve remote code execution. CVE-2025-60710 (CVSS score: 7.8) - An improper link resolution before file access vulnerability in Host Process for Windows Tasks that could allow an authorized attacker to elevate privileges locally . CVE-2012-1854 (CVSS score: 7.8) - An insecure library loading vulnerability in Microsoft Visual Basic for Applications (VBA) that could result in remote code execution.

The addition of CVE-2026-21643 to the KEV catalog comes after Defused Cyber said it detected exploitation attempts targeting the flaw since March 24, 2026. Last week, Microsoft revealed that a threat actor it tracks as Storm-1175 has been weaponizing CVE-2023-21529 in attacks to deliver Medusa ransomware. As for CVE-2012-1854, the Windows maker acknowledged in an advisory released in July 2012 that it’s aware of “limited, targeted attacks” attempting to abuse the vulnerability. The exact nature of the attacks is presently unknown.

There are currently no public reports referencing the exploitation of the remaining three vulnerabilities. In light of active attacks, Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by April 27, 2026. Patches for the FortiClient EMS vulnerability should be implemented by April 16, 2026. Found this article interesting?

JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025

Banks and financial institutions in Latin American countries like Brazil and Mexico have continued to be the target of a malware family called JanelaRAT . A modified version of BX RAT, JanelaRAT is known to steal financial and cryptocurrency data associated with specific financial entities, as well as track mouse inputs, log keystrokes, take screenshots, and collect system metadata. “One of the key differences between these trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims’ browsers and perform malicious actions,” Kaspersky said in a report published today. “The threat actors behind JanelaRAT campaigns continuously update the infection chain and malware versions by adding new features.” Telemetry data gathered by the Russian cybersecurity vendor shows that as many as 14,739 attacks were recorded in Brazil in 2025 and 11,695 in Mexico.

It’s currently not known how many of these resulted in a successful compromise. First detected in the wild by Zscaler in June 2023, JanelaRAT has leveraged ZIP archives containing a Visual Basic Script (VBScript) to download a second ZIP file, which, in turn, comes with a legitimate executable and a DLL payload. The final stage employs the DLL side-loading technique to launch the trojan. In a subsequent analysis published in July 2025, KPMG said the malware is distributed via rogue MSI installer files masquerading as legitimate software hosted on trusted platforms like GitLab.

Attacks involving the malware have primarily singled out Chile, Colombia, and Mexico. “Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch,” KPMG noted at the time. “These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components.” The scripts are also designed to identify installed Chromium-based browsers and stealthily modify their launch parameters (such as the “ –load-extension “ command line switch) to install the extension. The browser add-on then proceeds to gather system information, cookies, browsing history, installed extensions, and tab metadata, along with triggering specific actions based on URL pattern matches.

The latest attack chain documented by Kaspersky shows that phishing emails disguised as outstanding invoices are used to trick recipients into downloading a PDF file by clicking on a link, resulting in the download of a ZIP archive that initiates the aforementioned attack chain involving DLL side-loading to install JanelaRAT. At least since May 2024, JanelaRAT campaigns have shifted from Visual Basic scripts to MSI installers, which act as a dropper for the malware using DLL side-loading and establish persistence on the host by creating a Windows Shortcut (LNK) in the Startup folder that points to the executable. Upon execution, the malware establishes communications with a command-and-control (C2) server via a TCP socket to register a successful infection and keeps tabs on the victim’s activity to intercept sensitive banking interactions. JanelaRAT’s main goal is to obtain the title of the active window and compare it against a hard-coded list of financial institutions.

If there is a match, the malware waits 12 seconds before opening a dedicated C2 channel and executing malicious tasks received from the server. Some of the supported commands include - Sending screenshots to the C2 server Cropping specific screen regions and exfiltrating images Displaying images in full-screen mode (e.g., “Configuring Windows updates, please wait”) and impersonating bank-themed dialogs via fake overlays to harvest credentials Capturing keystrokes Simulating keyboard actions like DOWN, UP, and TAB for navigation Moving the cursor and simulating clicks Executing a forced system shutdown Running commands using “cmd.exe” and PowerShell commands or scripts Manipulating Windows Task Manager to hide its window from being detected Flagging the presence of anti-fraud systems Sending system metadata Detecting sandbox and automation tools “The malware determines if the victim’s machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input,” Kaspersky said. “If the inactivity period exceeds 10 minutes, the malware notifies the C2 by sending the corresponding message. Upon user activity, it notifies the threat actor again.

This makes it possible to track the user’s presence and routine to time possible remote operations.” “This variant represents a significant advancement in the actor’s capabilities, combining multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically designed to minimize user visibility and adapt its behavior upon detection of anti-fraud software.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts

The U.S. Federal Bureau of Investigation (FBI), in partnership with the Indonesian National Police, has dismantled the infrastructure associated with a global phishing operation that leveraged an off-the-shelf toolkit called W3LL to steal thousands of victims’ account credentials and attempt more than $20 million in fraud. In tandem, authorities detained the alleged developer, who has been identified as G.L, and seized key domains linked to the phishing scheme. “The takedown cuts off a major resource used by cybercriminals to gain unauthorized access to victims’ accounts,” the FBI said in a statement.

The W3LL phishing kit allowed criminals to mimic legitimate login pages to deceive victims into handing over their credentials, thus allowing the attackers to seize control of their accounts. The phishing kit was advertised for a fee of about $500. The phishing kit enabled its customers to deploy bogus websites that mimicked their legitimate counterparts, masquerading as trusted login portals to harvest credentials. “This wasn’t just phishing – it was a full-service cybercrime platform,” FBI Atlanta Special Agent in Charge Marlo Graham said.

“We will continue to work with our domestic and foreign law enforcement partners, using all available tools to protect the public.” W3LL was first documented by Singapore-headquartered Group-IB in September 2023, highlighting the operators’ use of an underground marketplace called the W3LL Store (“w3ll[.]store”) that served approximately 500 threat actors and allowed them to purchase access to the W3LL Panel phishing kit alongside other cybercrime tools for business email compromise (BEC) attacks. The cybersecurity company described W3LL as an all-in-one phishing platform that offers a wide range of services, right from custom phishing tools and mailing lists to access to compromised servers. The threat actor behind the illicit service is believed to have been active since 2017, previously developing bulk email spam tools like PunnySender and W3LL Sender. Per the FBI, the W3LL Store also facilitated the sale of stolen credentials and unauthorized system access, including remote desktop connections.

More than 25,000 compromised accounts are estimated to have been peddled in the storefront between 2019 and 2023. “Primarily focused on Microsoft 365 credentials, W3LL utilizes adversary-in-the-middle (AitM) to hijack session cookies and bypass multi-factor authentication,” Hunt.io said in a report published in March 2024. Then last year, French security company Sekoia, in its analysis of another phishing kit known as Sneaky 2FA , revealed the tool “reused a few bits of code” from the W3LL Store phishing syndicate, adding that cracked versions of W3LL have been circulated in the past few years. “Even after W3LLSTORE shut down in 2023, the operation continued through encrypted messaging platforms, where the tool was rebranded and actively marketed,” the FBI said.

“From 2023 to 2024 alone, the phishing kit was used to target more than 17,000 victims worldwide.” “The developer behind the tool collected and resold access to compromised accounts, amplifying the reach and impact of the scheme.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More

Monday is back, and the weekend’s backlog of chaos is officially hitting the fan. We are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-sponsored meddling in infrastructure that is finally coming to light. It is one of those mornings where the gap between a quiet shift and a full-blown incident response is basically non-existent. The variety this week is particularly nasty.

We have AI models being turned into autonomous exploit engines, North Korean groups playing the long game with social engineering, and fileless malware hitting enterprise workflows. There is also a major botnet takedown and new research proving that even fiber optic cables can be used to eavesdrop on your private conversations. Skim this before your next meeting. Let’s get into it.

⚡ Threat of the Week Adobe Acrobat Reader 0-Day Under Attack — Adobe released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations. It has been described as a case of prototype pollution that could result in arbitrary code execution.

The development comes days after security researcher and EXPMON founder Haifei Li disclosed details of zero-day exploitation of the flaw to run malicious JavaScript code when opening specially crafted PDF documents through Adobe Reader. There is evidence suggesting that the vulnerability may have been under exploitation since December 2025. Your VPN is Helping Attackers Move as Fast as AI The Zscaler ThreatLabz 2026 VPN Risk Report reveals a dangerous disconnect: while attackers use AI to move at machine speed, legacy VPNs are leaving defenders blind and exposed. When you can’t see what’s happening, response time collapses and the odds of containment drop with it.

Get the Report ➝ 🔔 Top News U.S. Warns of Hacking Campaign by Iran-Affiliated Cyber Actors — U.S. agencies warned of a hacking campaign undertaken by Iranian threat actors hitting industrial control systems across the U.S. that has had disruptive and costly effects.

The attacks, ongoing since last month, targeted programmable logic controllers (PLCs) in the energy sector, water and wastewater utilities, and government facilities that are left exposed to the public internet with the apparent intention of sabotaging their systems. “In a few cases, this activity has resulted in operational disruption and financial loss,” the agencies said. The activity has not been attributed to any particular group. The attacks are part of a wider pattern of escalating Iran-linked operations as the war led by the U.S.

and Israel against Iran entered its sixth week. The U.S. and Iran have since agreed to a two-week ceasefire. Anthropic’s Mythos Model is a 0-Day and Exploit Generation Engine — A closed consortium including tech giants and top security vendors is getting early access to a general-purpose frontier model that Anthropic says can autonomously discover software vulnerabilities at scale.

Because there are concerns that frontier AI capabilities could be abused to launch sophisticated attacks, the idea is to use Mythos to improve the security of some of the most widely used software before bad actors get their hands on it. To that end, Project Glasswing aims to apply these capabilities in a controlled, defensive setting, enabling participating companies to test and improve the security of their own products. In early testing, Anthropic claims the model identified thousands of high-severity vulnerabilities across operating systems, web browsers, and other widely used software, not to mention devising exploits for N-day flaws, in some cases, under a day, significantly compressing the timeline typically required to build working exploits. “New AI models, especially those from Anthropic, have triggered a new set of actions for how we build and secure our products,” Cisco, which is one of the launch partners, said .

“While the capabilities now available to defenders are remarkable, they soon will also become available to adversaries, defining the critical inflection point we face today. Defensively, AI allows us to scan and secure vast codebases at a scale previously unimaginable. However, it also lowers the threshold for attackers, empowering less-skilled actors to launch complex, high-impact campaigns. Ultimately, AI is accelerating the pace of innovation for both defenders and adversaries alike.

The question is simply who gets ahead of it and how fast.” Law Enforcement Operation Fells APT28 Router Botnet — APT28 has been silently exploiting known vulnerabilities in small and home office (SOHO) routers since at least May 2025, and changing their DNS server settings to redirect victims to websites it controls for credential theft. The attack chain begins with Forest Blizzard gaining unauthorized access to poorly secured SOHO routers and silently modifying their default network settings so that DNS lookups for select websites are altered to direct users to their bogus counterparts. Specifically, the actor replaces the router’s legitimate DNS resolver configuration with actor-controlled DNS servers. Since endpoint devices, such as laptops, phones, and workstations, automatically inherit network configuration from routers via the Dynamic Host Configuration Protocol (DHCP), every device connecting through a compromised router unknowingly begins forwarding its DNS requests to Russian intelligence-controlled infrastructure.

For a select subset of high-priority targets, Forest Blizzard escalated beyond passive DNS collection to active Adversary-in-the-Middle (AiTM) attacks against Transport Layer Security (TLS) connections. The compromised router redirects the victim’s DNS query to the actor-controlled resolver. The malicious resolver returns a spoofed IP address, directing the victim’s device to actor-controlled infrastructure instead of the legitimate service. Forest Blizzard then intercepts the underlying plaintext traffic – potentially including emails, credentials, and sensitive cloud-hosted content.

The activity has gradually declined over the past few weeks. The operations are “likely opportunistic in nature, with the actor casting a wide net to reach many potential victims, before narrowing in on targets of intelligence interest as the attack develops,” per the U.K. government. “The GRU provides fraudulent DNS answers for specific domains and services – including Microsoft Outlook Web Access — enabling adversary-in-the-middle (AitM) attacks against encrypted traffic if users navigate through a certificate error warning.

These AitM attacks would allow the actors to see the traffic unencrypted.” The operation fits into a series of disruptions aimed at Russian government hackers dating back to 2018, including VPNFilter , Cyclops Blink , and MooBot . Drift Protocol Links Hack to North Korea — Drift Protocol has revealed that a North Korean state-linked group spent six months posing as a trading firm to steal $285 million in digital assets. The attack has been described as a meticulously planned intelligence operation that began in fall 2025, when a group of individuals approached Drift staff at a major cryptocurrency conference, presenting themselves as a quantitative trading firm seeking to integrate with the protocol. Over the next couple of months, the group built trust through in-person meetings, Telegram coordination, onboarding an Ecosystem Vault on Drift, and made a $1 million deposit of their own capital.

But once the exploit hit, the trading group vanished, with the chats and malware “completely scrubbed” to cover up the tracks. The Drift Protocol hack follows a pattern that is becoming increasingly frequent as this incident marks the 18th North Korea-linked act Elliptic has tracked in 2026. Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA — An apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and government officials across the Middle East and North Africa (MENA). The targets included prominent Egyptian journalists and government critics, Mostafa Al-A’sar and Ahmed Eltantawy, along with an anonymous Lebanese journalist.

The spear-phishing attacks aimed to compromise their Apple and Google accounts by sending specially crafted links designed to capture their credentials. The attack has been found to share infrastructure overlaps with an Android spyware campaign that leveraged deceptive websites impersonating Signal, ToTok, and Botim to deploy ProSpy and ToSpy to unspecified targets in the U.A.E. While Bitter has not been attributed to espionage campaigns targeting civil society members in the past, the campaign once again demonstrates a growing trend of government agencies outsourcing their hacking operations to private hack-for-hire firms, which develop spyware and exploits for use by law enforcement and intelligence agencies to covertly access data on people’s phones. 🔥 Trending CVEs Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast.

These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-34621 (Adobe Acrobat Reader), CVE-2026-39987 (Marimo), CVE-2026-34040 (Docker Engine), CVE-2025-59528 (Flowise), CVE-2026-34976 (dgraph), CVE-2026-0049, CVE-2025-48651 (Android), CVE-2026-0740 (Ninja Forms – File Upload plugin), CVE-2025-58136 (Apache Traffic Server), CVE-2026-4350 (Perfmatters plugin), CVE-2026-32922 , CVE-2026-33579 , GHSA-9p3r-hh9g-5cmg , GHSA-g5cg-8x5w-7jpm , GHSA-8rh7-6779-cjqq , GHSA-hc5h-pmr3-3497 , GHSA-j7p2-qcwm-94v4 , GHSA-fqw4-mph7-2vr8 , GHSA-9hjh-fr4f-gxc4 , GHSA-hf68-49fm-59cq (OpenClaw), CVE-2026-29059, CVE-2026-23696, CVE-2026-22683 (Windmill), CVE-2026-34197 (Apache ActiveMQ), CVE-2026-4342 (Kubernetes), CVE-2026-34078 (Flatpak), CVE-2026-31790 (OpenSSL), CVE-2026-0775 (npm cli), CVE-2026-0776 (Discord Client), CVE-2026-0234 (Palo Alto Networks), CVE-2026-4112 (SonicWall), CVE-2026-5437 through CVE-2026-5445 (Orthanc DICOM Server), CVE-2026-30815, CVE-2026-30818 (TP-Link), CVE-2026-33784 (Juniper Networks Support Insights Virtual Lightweight Collector), CVE-2026-23869 (React Server Components), CVE-2026-5707, CVE-2026-5708, CVE-2026-5709 (AWS Research and Engineering Studio), CVE-2026-5173, CVE-2026-1092, CVE-2025-12664 (GitLab), CVE-2026-5860, CVE-2026-5858, CVE-2026-5859, from CVE-2026-5860 through CVE-2026-5873 (Google Chrome), CVE-2023-46233, CVE-2026-1188, CVE-2026-1342, CVE-2026-1346 (IBM Verify Identity Access and IBM Security Verify Access), CVE-2026-5194 (WolfSSL), and CVE-2026-20929 ( Windows HTTP.sys ). 🎥 Cybersecurity Webinars The Blueprint for AI Agent Governance: Identity, Visibility, and Control → As autonomous AI agents move from experimental “slideware” to production middleware, they’ve created a massive new attack surface: non-human identities. Join this webinar to cut through the vendor noise and get a practical blueprint for the three pillars of agent security—identity, visibility, and control.

Learn how to establish hardware-backed agent identities and implement forensic AI proxies to govern your machine workforce before the “ghosts” in your system become liabilities. State of AI Security 2026: From Experimental Apps to Autonomous Agents → AI is evolving from static tools to autonomous agents, outstripping traditional security faster than ever. With 87% of leaders citing AI as their top emerging risk, the “wait and see” approach is officially over. Join us to dissect the 2026 State of AI Security and gain a battle-tested roadmap for securing model runtimes, preventing agentic data leaks, and governing your machine workforce in production.

Validate 56% Faster: How AI Agents are Automating the Pentest Loop → Vulnerability backlogs are endless, but true exploitability is rare. Agentic Exposure Validation uses autonomous AI to safely test your defenses in real-time, proving which risks are real and which are just noise. Join us to learn how to automate your validation loop, prioritize the 1% of flaws that actually matter, and shrink your attack surface at machine speed. 📰 Around the Cyber World Fake Claude Website Drops PlugX — A fake website impersonating Anthropic’s Claude to push a trojanized installer that deploys known malware referred to as PlugX using a technique called DLL side-loading.

The domain mimics Claude’s official site, and visitors who download the ZIP archive receive a copy of Claude that installs and runs as expected,” Malwarebytes said . “But in the background, it deploys a PlugX malware chain that gives attackers remote access to the system.” While PlugX is known to be widely shared among Chinese hacking groups and delivered via DLL side-loading, its source code has circulated in underground forums, indicating that other threat actors could also be weaponizing the malware in their own attacks. Seized VerifTools Servers Expose 915,655 Fake IDs — In August 2025, a joint law enforcement operation between the Netherlands and the U.S. led to the takedown of a fake ID marketplace called VerifTools .

Last week, Dutch police arrested eight suspects in a nationwide operation targeting users of the illicit platform as part of an identity fraud investigation. The male suspects, aged between 20 and 34, have been accused of identity fraud, forgery, and cybercrime-related offenses. In addition, nine suspects have been ordered to report to the police station. This includes seven men aged 18 to 35, and two girls aged 15 and 16.

Further investigation into VerifTools has revealed that there were 636,847 registered users from February 2021 to August 2025, with 915,655 fake documents generated between May 2023 and August 2025. Investigators also found 236,002 document images linked to the U.S. that were purchased for about $1.47 million between July 2024 and August 2025. U.K.

Government Threatens Tech Execs with Jail Time — The U.K. government said it submitted amendments to the Crime and Policing Bill that, besides criminalizing pornography depicting illegal sexual conduct between family members and adults roleplaying as children and prohibiting people from possessing or publishing such content, also aims to fine or imprison senior executives of companies who fail to remove people’s intimate images that have been shared without consent. Optical Fibers for Acoustic Eavesdropping — New research from the Hong Kong Polytechnic University and Chinese University of Hong Kong has uncovered a critical side channel within telecommunication optical fiber that enables acoustic eavesdropping. “By exploiting the sensitivity of optical fibers to acoustic vibrations, attackers can remotely monitor sound-induced deformations in the fiber structure and further recover information from the original sound waves,” a group of academics said in an accompanying paper.

“This issue becomes particularly concerning with the proliferation of Fiber-to-the-Home (FTTH) installations in modern buildings. Attackers with access to one end of an optical fiber can use commercially available Distributed Acoustic Sensing (DAS) systems to tap into the private environment surrounding the other end.” Storm-2755 Conducts Payroll Pirate Attacks — Microsoft said it observed an emerging, financially motivated threat actor dubbed Storm-2755 carrying out payroll pirate attacks targeting Canadian users by abusing legitimate enterprise workflows. “In this campaign, Storm-2755 compromised user accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, resulting in direct financial loss for affected individuals and organizations,” the company said . The tech giant also pointed out that the campaign is distinct from prior activity owing to differences in delivery and targeting.Particularly, this involves the exclusive targeting of Canadian users and the use of malvertising and search engine optimization (SEO) poisoning industry agnostic search terms like “Office 365” to lure victims to Microsoft 365 credential harvesting pages.

Also notable is the use of adversary‑in‑the‑middle (AiTM) techniques to hijack authenticated sessions, allowing the threat actor to bypass multi-factor authentication (MFA) and blend into legitimate user activity. MITRE Releases F3 Framework to Fight Cyber Fraud — MITRE has released the Fight Fraud Framework ( F3 ), which it described as a “first-of-its-kind effort to define and standardize the tactics and techniques used in cyber-enabled financial fraud.” The tactics cover the entire attack lifecycle: Reconnaissance, Resource Development, Initial Access, Defense Evasion, Positioning, Execution, and Monetization. By codifying the tradecraft used to conduct fraud, the idea is to help financial institutions better understand, detect, and prevent fraud through a shared framework of adversary behaviors, it added. “Fraud actors often blend traditional cyber techniques with domain-specific fraud tactics, making a unified cyber-fraud framework essential,” MITRE said .

“F3 helps defenders connect technical signals to real-world fraud events, enabling a shift from reactive response to proactive defense.” RegPhantom, a Stealthy Windows Kernel Rootkit — A new Windows kernel rootkit dubbed RegPhantom can give attackers code execution in kernel mode from an unprivileged user mode context without leaving any major visual evidence behind. “The malware abuses the Windows registry as a covert trigger mechanism: a usermode process can send an encrypted command through a registry write, which the driver intercepts and turns into arbitrary kernel-mode code execution,” Nextron Systems said . “What makes this threat notable is the combination of stealth, privilege, and trust abuse. The driver runs as a signed kernel component, allowing it to operate at the highest privilege level on Windows systems.

It does not rely on normal driver loading behavior for its payloads and instead reflectively maps code into kernel memory, making the loaded module invisible to standard tools that enumerate drivers. It also blocks the triggering registry write, wipes executed payload memory, and stores hook pointers in encoded form, which significantly reduces forensic visibility.” The first sample of RegPhantom in the wild was detected on June 18, 2025. APT28’s NTLMv2 Hash Relay Attacks Detailed — In more APT28 (aka Pawn Storm) news, the threat actor has been attributed to NTLMv2 hash relay attacks through different methods against a wide range of global targets across Europe, North America, South America, Asia, Africa, and the Middle East between April 2022 and November 2023. The threat actor is known to break into mail servers and the corporate virtual private network (VPN) services of organizations around the world through brute-force credential attacks since 2019.

“Pawn Storm has also been using EdgeOS routers to send spear-phishing emails, perform callbacks of CVE-2023-23397 exploits in Outlook, and proxy credential theft on credential phishing websites,” Trend Micro said . Successful exploitation of CVE-2023-23397 allows an attacker to obtain a victim’s Net-NTLMv2 hash and use it for authentication against other systems that support NTLM authentication. The vulnerability, per Microsoft, has been exploited as a zero-day since April 2022. Select campaigns observed in October 2022 involved the use of phishing emails to drop a stealer that scanned the system periodically for files matching certain extensions and exfiltrated them to the free file-sharing service, free.keep.sh.

New RATs Galore — Trojanized FileZilla installers are being used to initiate an attack chain that leads to the deployment of STX RAT , a remote access trojan (RAT) with infostealer capabilities. Researchers have also discovered an active threat called DesckVB RAT , a JavaScript-based trojan that deploys a PowerShell payload, which subsequently loads a .NET-based loader directly into memory. “Once executed, the RAT establishes communication with a command-and-control (C2) server, enabling attackers to remotely control the compromised system, exfiltrate sensitive data, and carry out various malicious activities while maintaining a low detection footprint,” Point Wild said. Some of the other newly discovered RATs include CrystalX or WebCrystal RAT (a new malware-as-a-service (MaaS) and a rebrand of WebRAT promoted on Telegram and YouTube with remote access, data theft, keylogging, spyware, and clipper capabilities), RetroRAT (a malware distributed via PowerShell and .NET loaders as part of a campaign named Operation DualScript for system monitoring, financial activity tracking, clipboard hijacking to route cryptocurrency transactions, and remote command execution), ResokerRAT (a malware that uses Telegram for C2 and receive commands on the victim machine), and CrySome (a C# RAT that offers full-spectrum remote operations on compromised systems, along with deeply integrated persistence, AV killer, and anti-removal architecture that leverages recovery partition abuse and offline registry modification).

Phishing Campaign Delivers Remcos RAT in Fileless Manner — Phishing emails are being used to deliver Remcos RAT in what has been described as a fileless attack. “The attack chain is initiated through a phishing email containing a ZIP attachment disguised as a legitimate business document,” Point Wild said . “Upon execution, an obfuscated JavaScript dropper establishes the initial foothold and retrieves a remote PowerShell script, which acts as a reflective loader. This loader employs multiple layers of obfuscation, including Base64 encoding, raw binary manipulation, and rotational XOR encryption, to reconstruct and execute a .NET payload entirely in memory.” An important aspect of the campaign is the use of trusted system binaries to proxy malicious execution under the guise of legitimate processes.

The final RAT payload is retrieved dynamically from a remote C2 server, allowing the threat actor to switch payloads at any time. Tycoon 2FA Switches Infrastructure and Uses ProxyLine — The operators of the Tycoon 2FA phishing kit have been observed increasingly relying on ProxyLine, a commercial datacenter proxy service, to evade IP and geo‑based detection controls following its return after the coordinated global takedown of its infrastructure last month. Following the takedown, threat actors have pivoted to new infrastructure providers like HOST TELECOM LTD, Clouvider, GREEN FLOID LLC, and Shock Hosting LLC. One provider that has witnessed continued use pre- and post-takedown is M247 Europe SRL.

In addition, Gmail-targeted Tycoon 2FA campaigns have implemented WebSocket-based communication for real-time credential harvesting and reduced detection footprint compared to traditional HTTP POST requests. TeleGuard’s Security Failings Exposed — TeleGuard, an app that’s advertised as an “encrypted messenger [that] offers uncompromising data protection” and has been downloaded more than a million times, has been found to suffer from poor encryption that allows an attacker to trivially access a user’s private key and decrypt their messages. “TeleGuard also uploads users’ private keys to a company server, meaning TeleGuard itself could decrypt its users’ messages, and the key can also at least partially be derived from simply intercepting a user’s traffic,” security researchers told 404 Media. Google Brings E2EE to Gmail for Android and iOS — Google officially expanded support for end-to-end encryption (E2EE) to Android and iOS devices for Gmail client-side encryption (CSE) users.

“Users with a Gmail E2EE license can send an encrypted message to any recipient, regardless of what email address the recipient has,” Google said . The feature is currently limited to only Enterprise Plus customers with the Assured Controls or Assured Controls Plus add-on. Bad Actors Abuse GitHub and GitLab — Threat actors are turning to trusted services like GitHub and GitLab for spreading malware and stealing login credentials from unsuspecting users. About 53% of all campaigns abusing the GitHub domains have been found to deliver malware (e.g., XWorm , Venom RAT ), whereas 64% of campaigns abusing GitLab domains deliver malware (e.g., DCRat ).

Select campaigns have also adopted a dual threat attack chain, leveraging GitHub or GitLab to trick users into downloading Muck Stealer, after which a credential phishing page automatically opens. “These Git repository websites are necessary and can’tbe blocked because of their use by enterprise software and normal business operations,” Cofense said . “By uploading malware or credential phishing pages to repositories hosted on these domains, threat actors can generate phishing links that won’tbe blocked by many email-based security defenses like secure email gateways (SEG). GitHub and GitLab mark the latest trend in abuse of legitimate cloud collaboration platforms.” FBI Extracts Signal Messages from iOS Notification History Database — The U.S.

Federal Bureau of Investigation (FBI) managed to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, by taking advantage of the fact that copies of the content were saved in the device’s push notification database, 404 Media reported . The development reveals how physical access to a device can enable specialized software to run on it to yield sensitive data derived even from secure messaging apps in unexpected places. The problem is not limited to the Signal app, but one that stems from a more fundamental design decision regarding how Apple stores notifications. Signal already has a setting that blocks message content from displaying in push notifications.

Users who are concerned about their privacy are advised to consider turning the option on. Multiple Flaws in IBM WebSphere Liberty — Multiple security flaws have been disclosed in IBM WebSphere Liberty, a modular, cloud-friendly Java application server, that could be exploited to seize control of affected systems. The vulnerabilities offer multiple pathways for attackers to move from network-level exposure or limited access to full server compromise, according to Oligo Security . The most severe is CVE-2026-1561 (CVSS score: 5.4), which enables pre-authenticated remote code execution in SSO-enabled deployments due to unsafe deserialization in SAML Web SSO.

“IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery (SSRF),” IBM said. “This may allow [a] remote attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.” 🔧 Cybersecurity Tools Betterleaks → It is the next-generation successor to Gitleaks, built to find exposed credentials with greater speed and accuracy. It eliminates the noise of false positives by moving beyond basic pattern matching to high-fidelity detection. Designed for modern CI/CD pipelines, it helps developers identify and fix leaked API keys and sensitive data before they become security liabilities.

Supply Chain Monitor → This tool provides end-to-end visibility into your software supply chain by monitoring CI/CD pipelines for suspicious activity. It tracks build integrity, detects unauthorized changes, and surfaces vulnerabilities in real-time. By integrating directly with your existing workflows, it helps ensure that the code you ship hasn’t been tampered with between the commit and production. Disclaimer: This is strictly for research and learning.

It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law. Conclusion That’s the wrap for this Monday. While the headlines usually focus on the high-level nation-state drama, remember that most of these attacks still rely on someone, somewhere, clicking a ”trusted” link or ignoring a basic patch.

Whether it’s an AI-driven exploit engine or a fake trading firm, the goal is always to find the path of least resistance into your environment. Stay sharp, keep your edge devices updated, and don’t let the noise of the news cycle distract you from the basics of your own defense. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.