2026-04-21 AI Startup News

SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files

A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code. SGLang is a high-performance, open-source serving framework for large language models and multimodal models.

The official GitHub project has been forked over 5,500 times and starred 26,100 times. According to the CERT Coordination Center (CERT/CC), the vulnerability impacts the reranking endpoint “/v1/rerank,” allowing an attacker to achieve arbitrary code execution in the context of the SGLang service by means of a specially crafted GPT-Generated Unified Format (GGUF) model file. “An attacker exploits this vulnerability by creating a malicious GPT Generated Unified Format (GGUF) model file with a crafted tokenizer.chat_template parameter that contains a Jinja2 server-side template injection (SSTI) payload with a trigger phrase to activate the vulnerable code path,” CERT/CC said in an advisory released today. “The victim then downloads and loads the model in SGLang, and when a request hits the ‘/v1/rerank’ endpoint, the malicious template is rendered, executing the attacker’s arbitrary Python code on the server.

This sequence of events enables the attacker to achieve remote code execution (RCE) on the SGLang server.” Per security researcher Stuart Beck, who discovered and reported the flaw, the underlying issue stems from the use of jinja2.Environment() without sandboxing instead of ImmutableSandboxedEnvironment. This, in turn, enables a malicious model to execute arbitrary Python code on the inference server. The entire sequence of actions is as follows:

1. An attacker creates a GGUF model file with a malicious tokenizer.chat_template containing a Jinja2 SSTI payload.
2. The template includes the Qwen3 reranker trigger phrase to activate the vulnerable code path in “entrypoints/openai/serving_rerank.py”.
3. The victim downloads and loads the model in SGLang from sources like Hugging Face.
4. When a request hits the “/v1/rerank” endpoint, SGLang reads the chat_template and renders it with jinja2.Environment().
5. The SSTI payload executes arbitrary Python code on the server.

It’s worth noting that CVE-2026-5760 falls under the same vulnerability class as CVE-2024-34359 (aka Llama Drama, CVSS score: 9.7), a now-patched critical flaw in the llama_cpp_python Python package that could have resulted in arbitrary code execution. The same attack surface was also rectified in vLLM late last year (CVE-2025-61620, CVSS score: 6.5).

“To mitigate this vulnerability, it is recommended to use ImmutableSandboxedEnvironment instead of jinja2.Environment() to render the chat templates,” CERT/CC said. “This will prevent the execution of arbitrary Python code on the server. No response or patch was obtained during the coordination process.”
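The defensive angle of this story, as an added example written for this digest (it is not SGLang's, CERT/CC's, or the researcher's code): a stdlib-only Python scan that reads the header and key/value metadata section of a GGUF file, pulls out tokenizer.chat_template, and flags templates that reach underscore-prefixed attributes. That is the attribute rule Jinja2's sandboxed environments apply at render time, so a hit is a template that ImmutableSandboxedEnvironment would refuse. The names GGUFReader, scan_gguf and build_gguf are assumptions made for this example, the GGUF bytes are constructed inline by the builder following the published GGUF layout (magic, version, tensor count, key/value count, typed key/value pairs), and the two chat templates are constructed samples. The scan is a pre-load check only; the actual fix is the one CERT/CC names, rendering with ImmutableSandboxedEnvironment instead of jinja2.Environment().

```python
"""Pre-load metadata scan for GGUF model files (added example; not SGLang's
or CERT/CC's code). Reads only the GGUF header and key/value metadata,
extracts tokenizer.chat_template and flags accesses to underscore-prefixed
attributes, the rule Jinja2's sandbox enforces at render time.
"""
import re
import struct

GGUF_MAGIC = b"GGUF"

# GGUF metadata value type codes, per the GGUF specification.
(T_UINT8, T_INT8, T_UINT16, T_INT16, T_UINT32, T_INT32, T_FLOAT32, T_BOOL,
 T_STRING, T_ARRAY, T_UINT64, T_INT64, T_FLOAT64) = range(13)

_SCALAR_FMT = {
    T_UINT8: "<B", T_INT8: "<b", T_UINT16: "<H", T_INT16: "<h",
    T_UINT32: "<I", T_INT32: "<i", T_FLOAT32: "<f", T_BOOL: "<?",
    T_UINT64: "<Q", T_INT64: "<q", T_FLOAT64: "<d",
}

# Access to a name starting with "_" in dotted, subscript or attr()-filter
# form; Jinja2's sandbox raises SecurityError for each of these.
_PRIVATE_ATTR = re.compile(r"""(?:\.\s*|\[\s*['"]|attr\(\s*['"])_\w*""")


class GGUFReader:
    """Minimal reader for the header and metadata section of a GGUF blob."""
    def __init__(self, data):
        self.data = data
        self.pos = 0

    def _unpack(self, fmt):
        size = struct.calcsize(fmt)
        if self.pos + size > len(self.data):
            raise ValueError("truncated GGUF data")
        (value,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += size
        return value

    def _string(self):
        n = self._unpack("<Q")
        raw = self.data[self.pos:self.pos + n]
        if len(raw) != n:
            raise ValueError("truncated GGUF string")
        self.pos += n
        return raw.decode("utf-8")

    def _value(self, vtype):
        if vtype in _SCALAR_FMT:
            return self._unpack(_SCALAR_FMT[vtype])
        if vtype == T_STRING:
            return self._string()
        if vtype == T_ARRAY:
            elem_type = self._unpack("<I")
            count = self._unpack("<Q")
            return [self._value(elem_type) for _ in range(count)]
        raise ValueError(f"unknown GGUF value type {vtype}")

    def metadata(self):
        """Return the key/value metadata; tensor info is not parsed."""
        if self.data[:4] != GGUF_MAGIC:
            raise ValueError("not a GGUF file")
        self.pos = 4
        version = self._unpack("<I")
        if version not in (2, 3):
            raise ValueError(f"unsupported GGUF version {version}")
        self._unpack("<Q")  # tensor count, unused here
        kv = {}
        for _ in range(self._unpack("<Q")):
            key = self._string()
            kv[key] = self._value(self._unpack("<I"))
        return kv


def scan_gguf(data):
    """Return private-attribute accesses in tokenizer.chat_template ([] = clean)."""
    template = GGUFReader(data).metadata().get("tokenizer.chat_template")
    if not isinstance(template, str):
        return []
    return [m.group(0) for m in _PRIVATE_ATTR.finditer(template)]


def build_gguf(kv):
    """Serialize a header-plus-metadata GGUF blob (constructed sample input);
    handles str and uint32 values only, which is all the samples need."""
    def s(text):
        raw = text.encode("utf-8")
        return struct.pack("<Q", len(raw)) + raw
    parts = [GGUF_MAGIC, struct.pack("<IQQ", 3, 0, len(kv))]
    for key, value in kv.items():
        parts.append(s(key))
        if isinstance(value, str):
            parts.append(struct.pack("<I", T_STRING) + s(value))
        else:
            parts.append(struct.pack("<II", T_UINT32, value))
    return b"".join(parts)


# Constructed samples: an ordinary chat template, and one that reaches a
# private attribute (the kind of access the sandbox refuses).
BENIGN_TEMPLATE = ("{% for m in messages %}<|{{ m.role }}|>{{ m.content }}"
                   "{% endfor %}<|assistant|>")
SUSPICIOUS_TEMPLATE = "{{ messages.__class__ }}"

if __name__ == "__main__":
    for label, tpl in (("benign", BENIGN_TEMPLATE), ("suspicious", SUSPICIOUS_TEMPLATE)):
        print(label, scan_gguf(build_gguf({"tokenizer.chat_template": tpl})) or "clean")
```

Run directly, the script reports the first sample as clean and lists “.__class__” for the second. The regex is a heuristic over template text, not a Jinja2 parser, so a legitimate template that happens to name a private attribute would be flagged; that is acceptable for a pre-load gate, because the sandbox would refuse the same access anyway, and the scan only needs to read the metadata section, not the tensors, so it is cheap to run on every downloaded model.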

⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More

Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code.

Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust. There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory.

Attackers lean on real tools and normal workflows instead of custom builds. Some cases hint at supply-chain spread, where one weak link reaches further than expected. Go through the whole recap. The pattern across access, execution, and control only shows up when you see it all together.

⚡ Threat of the Week

Vercel Discloses Data Breach — Web infrastructure provider Vercel has disclosed a security breach that allowed bad actors to gain unauthorized access to “certain” internal Vercel systems. The incident originated from the compromise of Context.ai, a third-party artificial intelligence (AI) tool, which was used by an employee at the company, it added. “The attacker used that access to take over the employee’s Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as ‘sensitive,’” the company said. It’s currently not known who is behind the incident, but a threat actor using the ShinyHunters persona has claimed responsibility for the hack.

Context.ai also disclosed a March 2026 incident involving unauthorized access to its AWS environment. However, it has since emerged that the attacker also likely compromised OAuth tokens for some of its consumer users. Furthermore, Hudson Rock uncovered that a Context.ai employee was compromised with Lumma Stealer in February 2026, raising the possibility that the infection may have triggered the “supply chain escalation.”

🔔 Top News

Law Enforcement Operation Brings Down DDoS-for-Hire Operation — Law enforcement agencies across Europe, the U.S., and other partner nations cracked down on the commercial DDoS-for-hire ecosystem, targeting both operators and customers of services used to target websites and knock them offline. As part of the effort, authorities took down 53 domains, arrested four people, and sent warning notifications to thousands of criminal users. The U.S. Justice Department said court-authorized actions were undertaken to disrupt Vac Stresser and Mythical Stress. The actions are a persistent cat-and-mouse game, as booter services often reappear under new names and domains despite repeated takedowns. While these disruptions tend to have short-term results, the resilience of the criminal activity indicates that arrests need to be combined with infrastructure seizures, financial disruption, and user deterrence for lasting impact.

Newly Discovered PowMix Botnet Hits Czech Workers — An active malicious campaign is targeting the workforce in the Czech Republic with a previously undocumented botnet dubbed PowMix since at least December 2025.

“PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections,” Cisco Talos said. The never-before-seen botnet is designed to facilitate remote access, reconnaissance, and remote code execution, while establishing persistence by means of a scheduled task. At the same time, it verifies the process tree to ensure that another instance of the same malware is not running on the compromised host.

AI-Driven Pushpaganda Exploits Google Discover for Ad Fraud — A novel ad fraud scheme has been found to leverage search engine optimization (SEO) poisoning techniques and artificial intelligence (AI)-generated content to push deceptive news stories into Google’s Discover feed and trick users into enabling persistent browser notifications that lead to scareware and financial scams.

The Pushpaganda campaign has been found to target the personalized content feeds of Android and Chrome users. “This operation, named for push notifications central to the scheme, generates invalid organic traffic from real mobile devices by tricking users into subscribing to enabling notifications that presented alarming messages,” HUMAN Security said. Google has since rolled out fixes and algorithmic updates to address the issue.

Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT — A social engineering campaign has abused Obsidian, a cross-platform note-taking application, as an initial access vector to distribute a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks targeting individuals in the financial and cryptocurrency sectors.

Elastic Security Labs is tracking the activity under the name REF6598. It employs elaborate social engineering tactics through LinkedIn and Telegram to breach both Windows and macOS systems by tricking victims into opening a cloud-hosted vault in Obsidian. PHANTOMPULSE is an artificial intelligence (AI)-generated backdoor that uses the Ethereum blockchain for resolving its C2 server. On macOS, the attack is used to deliver an unspecified payload.

CPUID Downloads Hijacked to Serve STX RAT — Unknown threat actors hijacked the official CPUID download page to serve trojanized installers that ultimately led to the deployment of STX RAT, a remote access trojan with infostealer capabilities. The attack did not compromise CPUID’s original signed binaries; instead, the threat actors served their own trojanized packages via redirect. “The threat actor compromised the official CPUID download page to serve a trojanized package, employing DLL sideloading as the initial execution vector followed by a layered, five-stage in-memory unpacking chain designed to evade detection,” Cyderes said. “The use of a timestomped compilation timestamp, reflective PE loading, and exclusively in-memory payload execution demonstrates a deliberate effort to hinder forensic analysis and bypass traditional security controls.”

108 Malicious Chrome Extensions Steal Google and Telegram Data — A cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page visited.

The extensions provide the expected functionality to avoid raising red flags, but malicious code running in the background connects to the threat actor’s C2 server to perform the nefarious activities. At the center of the campaign is a backend hosted on a Contabo virtual private server (VPS), with multiple subdomains handling session hijacking, identity collection, command execution, and monetization operations. There is evidence indicating a Russian malware-as-a-service (MaaS) operation, based on the presence of a payment and monetization portal in its C2 infrastructure.

OpenAI Launches GPT-5.4-Cyber — OpenAI announced a new model, GPT-5.4-Cyber, specifically designed for use by digital defenders.

Artificial intelligence (AI) companies have repeatedly warned that more capable AI models could create an opening for bad actors to exploit vulnerabilities and security gaps in software with new speed and intensity. Unlike Anthropic, which said its new Claude Mythos model is only being privately released to a small number of trusted organizations due to concerns that it could be exploited by adversaries, OpenAI said “the class of safeguards in use today sufficiently reduce cyber risk enough to support broad deployment of current models,” but hinted at the need for more advanced protections in the long term. Defending critical software has long depended on the ability to find and fix vulnerabilities faster than attackers can exploit them. GPT-5.4-Cyber has a lower refusal boundary for legitimate cybersecurity work than standard GPT-5.4.

It adds capabilities aimed at advanced defensive workflows, including binary reverse engineering. “We don’t think it’s practical or appropriate to centrally decide who gets to defend themselves,” OpenAI stated. “Instead, we aim to enable as many legitimate defenders as possible, with access grounded in verification, trust signals, and accountability.” The use of AI for vulnerability discovery and analysis means that the barrier to entry for attackers is collapsing. Bad actors could ask an AI model to analyze differences between two versions of a binary and generate an exploit at a faster rate.

Rob T. Lee, chief of research at the SANS Institute, said the debut of Mythos and GPT-5.4-Cyber is “nothing more than one vendor trying to one-up another,” adding, “We need to start benchmarking how one AI model is able to find code vulnerabilities over another and how quickly they are doing it. There are real risks at stake here.” At the same time, researchers from AISLE and Xint found that it’s possible to replicate Mythos’s results with smaller, cheaper models. “The critical variable in AI vulnerability discovery is not the model alone,” Xint said.

“It is the structured system that decides where to look, validates that findings are real and exploitable, eliminates false positives, and delivers actionable remediation.”

🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-20184 (Cisco Webex Services), CVE-2026-20147 (Cisco Identity Services Engine and ISE Passive Identity Connector), CVE-2026-20180, CVE-2026-20186 (Cisco Identity Services Engine), CVE-2026-33032 (nginx-ui), CVE-2026-32201 (Microsoft SharePoint Server), CVE-2026-27304 (Adobe ColdFusion), CVE-2026-39813, CVE-2026-39808 (Fortinet FortiSandbox), CVE-2026-40176, CVE-2026-40261 (Composer), CVE-2025-0520 (ShowDoc), CVE-2026-22039 (Kyverno), CVE-2026-27681 (SAP Business Planning and Consolidation and Business Warehouse), CVE-2026-34486, CVE-2026-29146 (Apache Tomcat), CVE-2026-40175 (Axios), CVE-2026-32196 (Microsoft Windows Admin Center), CVE-2026-20204 (Splunk Enterprise), CVE-2026-20205 (Splunk MCP Server), CVE-2026-6296, CVE-2026-6297, CVE-2026-6298, CVE-2026-6299, CVE-2026-6358, CVE-2026-5873 (Google Chrome), CVE-2026-34078 (Tails), CVE-2026-34622 (Adobe Acrobat Reader), CVE-2026-33413 (etcd), CVE-2026-1492 (User Registration & Membership plugin), CVE-2026-23818 (HPE Aruba Networking Private 5G Core On-Prem), CVE-2025-54236 (Magento), CVE-2026-26980 (Ghost CMS), CVE-2026-40478 (Thymeleaf), CVE-2026-41242 (protobufjs), CVE-2026-40871 (Mailcow), CVE-2026-5747 (AWS Firecracker), and CVE-2025-50892 (eudskacs.sys).

🎥 Cybersecurity Webinars

The Force Awakens in AppSec: Rethinking Mythos & Organizational Defenses at AI Speed → This webinar explores how AI-powered hacking is making traditional security patching too slow to be effective.

It focuses on the “patch gap” — the dangerous time between a bug being found and fixed — and offers a new way to prioritize vulnerabilities based on real-world risk. The session provides practical strategies for security leaders to defend against automated, high-speed attacks.

The Rise of the Agent: Moving to Autonomous Exposure Validation → This webinar explores how “agentic” AI is changing security testing by using autonomous AI agents to simulate real-world attacks. Unlike traditional scanners, these tools continuously find and validate which security gaps are actually reachable by hackers.

The session focuses on moving from slow, manual checks to automated exposure validation to stay ahead of AI-driven threats.

📰 Around the Cyber World

Vect Partners with BreachForums and TeamPCP — Dataminr revealed that the Vect ransomware group has formalized partnerships with the BreachForums cybercrime marketplace and TeamPCP hacking group. The partnership will allow BreachForums members to deploy ransomware and will use the victims of TeamPCP’s supply chain attacks to attack organizations that are in a vulnerable state. “Between the two partnerships, Vect will lower the barrier to entry for ransomware actors, incentivize group members to carry out attacks, and exploit pre-existing breaches to broaden impact,” the company said.

“The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass dark web forum mobilization represents an unprecedented model of industrialized ransomware deployment.”

MuddyWater Targets Global Organizations via Microsoft Teams — The Iranian hacking group known as MuddyWater has been observed using targeted social engineering to approach targets via Microsoft Teams by masquerading as IT support staff to trick them into running a botnet malware called Tsundere (aka Dindoor). “A notable aspect of this intrusion was the abuse of Deno, a legitimate JavaScript and TypeScript runtime typically used for backend application development,” CyberProof said. “The attacker leveraged deno.exe to execute a highly obfuscated, Base64‑encoded payload – tracked as DINODANCE – directly in memory, minimizing on-disk artifacts and complicating detection.” Once decoded, the malware establishes C2 communications with a remote server, exfiltrating basic host metadata such as username, hostname, and operating system details.

Multi-Stage Intrusion Drops Direct-Sys Loader and CGrabber Stealer — An attack chain involving ZIP archives distributed through GitHub user attachment URLs is abusing DLL side-loading to deliver a malware loader called Direct-Sys Loader, which performs anti-analysis checks and then drops CGrabber.

The malware, for its part, avoids infecting machines running in the Commonwealth of Independent States (CIS) countries and collects browser credentials, crypto wallet data, password manager data, and a broad range of application artifacts. “By skipping execution on machines in those regions, they reduce the risk of attracting attention from local law enforcement and avoid targeting their own infrastructure or allies,” Cyderes said. “The Direct-Sys Loader and CGrabber Stealer represent a cohesive, multi-stage, stealth-focused malware ecosystem engineered with advanced detection-evasion capabilities.”

Russian Hackers Target Ukrainian Agencies — Threat actors linked to Russia broke into more than 170 email accounts belonging to prosecutors and investigators across Ukraine in recent months, Reuters reported, citing data from Ctrl-Alt-Intel. The espionage activity also targeted officials in Romania, Greece, Bulgaria, and Serbia.

Speaking to The Record, Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) confirmed that local government agencies were targeted in a long-running hacking campaign that it has been tracking since 2023, with the attacks weaponizing flaws in Roundcube webmail software to run malicious code as soon as a specially crafted message is opened. The campaign is believed to be the work of APT28 (aka Fancy Bear).

Infostealer Lookup Services Are Changing Cybercrime — Hudson Rock revealed that infostealer lookup services, some accessible via a simple search on Google, are rapidly fueling a new era of initial access, shifting how cyber attacks begin and transforming a complex hacking process into a simple, automated transaction. “These platforms have effectively turned billions of compromised credentials and active session cookies into a highly searchable, low-cost commodity available to the masses,” it said.

“Because this data is so easily accessible, organizations can no longer afford to be reactive.”

AdaptixC2 Detailed — Kaspersky has detailed the inner workings of an open-source command-and-control (C2) framework known as AdaptixC2, which has seen increased adoption by bad actors over the past year. Written in Go and C++, AdaptixC2 is designed for post-exploitation and stealthy interaction with its malicious agents deployed on compromised systems. It also employs diverse network communication and post-exploitation techniques to get around traffic monitoring tools and minimize its footprint. “Unlike many general-purpose C2 platforms, AdaptixC2 focuses on advanced agent-to-C2 communication and specific evasion techniques designed to bypass modern security tools, including EDR and NDR solutions,” the company said.

“The framework provides the flexibility to develop custom agents while also including standard agent implementations in Go and C++ for Windows, macOS, and Linux. Additionally, it supports a modular approach to extending its functionality.”

Adware Update Delivers EDR Killer — In an unusual attack, a browser-hijacking adware family rolled out a multi-phase update that attempted to disable security software on infected hosts. The adware is signed by Dragon Boss Solutions LLC, a U.A.E.-based company that claims to conduct search monetization research and has promoted modified versions of the Chrome browser (e.g., Chromstera, Chromnius, and Artificius). “The signed software silently fetches and executes payloads capable of killing antivirus products, all while running with SYSTEM privileges,” Huntress said.

The antivirus killing capability was observed starting in late March 2025, although the loader and updater components date back to late 2024. “The operation uses an off-the-shelf software update mechanism to deploy these MSI and PowerShell-based payloads. Establishing WMI persistence disables security applications and blocks reinstallation of protective software,” it added. The MSI installer, downloaded from a fallback update server, performs reconnaissance, queries for installed security products, and runs a PowerShell script (“ClockRemoval.ps1”) to terminate running processes, disable antivirus services by tampering with the Windows Registry, delete installation directories, and force deletion when uninstallers fail.

What’s significant is that the update mechanism can be modified to deploy any payload. To make matters worse, the primary update domain baked into the operation to retrieve the MSI installer – chromsterabrowser[.]com – was left unregistered, meaning any threat actor could have registered the domain for as little as $10 and pushed malicious updates, turning an adware infection into a potential supply chain compromise. The domain has since been sinkholed. That said, 23,565 unique IP addresses connected to the sinkhole during a 24-hour monitoring period.

The infections are concentrated around the U.S., France, Canada, the U.K., and Germany. These included universities, OT networks, government entities, primary and secondary educational institutions, healthcare organizations, and multiple Fortune 500 companies.

India Will Not Require Smartphone Makers to Preload Aadhaar App — The Indian government will no longer require smartphone makers like Apple and Samsung to preload devices with a state-owned biometric identification app, Reuters reported. India’s IT ministry reviewed the proposal and “is not in favour of mandating the pre-installation of the Aadhaar App on smartphones,” UIDAI said in a statement.

The Aadhaar request was the sixth time in two years the government has sought pre-installation of state apps on phones, according to industry communications. Smartphone makers flagged concerns about device security and compatibility when they received the Aadhaar preload proposal, and also flagged higher production costs as they would have been required to run separate manufacturing lines for India and export markets.

SQL Injection Campaign Targets Payment Services — An active SQL injection campaign is operating through attacker infrastructure located in Canada. The campaign has targeted 35 websites, with confirmed successful SQL injection exploitation and data exfiltration affecting three organizations operating in the payment, real estate, and developer service sectors.

Attacker-side artifacts indicate coordinated and deliberate exploitation rather than opportunistic scanning.

QEMU Abused for Defense Evasion — Threat actors are abusing QEMU, an open-source machine emulator and virtualizer, to hide malicious activity within virtualized environments. “Attackers are drawn to QEMU and more common hypervisor-based virtualization tools like Hyper-V, VirtualBox, and VMware because malicious activity within a virtual machine (VM) is essentially invisible to endpoint security controls and leaves little forensic evidence on the host itself,” Sophos said. Two clusters of activity have been detected: STAC4713, which has used QEMU as a covert reverse SSH backdoor to deliver tooling and harvest domain credentials with the end goal of likely deploying Payouts King ransomware (likely tied to former BlackBasta affiliates) after obtaining initial access via exploitation of known security flaws in SolarWinds Web Help Desk, and STAC3725, which exploits Citrix Bleed 2 (aka CVE-2025-5777) for obtaining a foothold and installs ScreenConnect for persistent remote access.

The threat actors then deploy a QEMU VM to install additional tools for conducting enumeration and credential theft. “Follow-on activity differed across intrusions, suggesting that initial access brokers originally compromised the victims’ environments and then sold the access to other threat actors,” Sophos said.

Fake Adobe Reader Site Drops ScreenConnect — Threat actors are using fake Adobe Acrobat Reader website lures to trick victims into installing ConnectWise’s ScreenConnect. The attack chain was detected in February 2026.

“The attack uses .NET reflection to keep payloads in memory only, which helps it evade signature-based defenses and hinder forensic examination,” Zscaler ThreatLabz said. “A VBScript loader dynamically reconstructs strings and objects at runtime to defeat static analysis and sandboxing. Auto-elevated Component Object Model (COM) objects are abused to bypass User Account Control (UAC) and run with elevated privileges without user prompts.” The attack employs an in-memory .NET loader that’s responsible for launching ScreenConnect.

Nearly 6M Hosts Use FTP — Censys said it observed about 5,949,954 hosts running at least one internet-facing FTP service, down from over 10.1 million in 2024, which amounts to a decline of 40% in two years.

Of these, nearly 2.45 million hosts had no evidence of encryption. “Over 150,000 IIS FTP services return a 534 response, indicating TLS was never set up,” Censys said. “For most use cases, FTP can be replaced without significant disruption. If FTP must remain, enabling Explicit TLS is a configuration change, not a protocol upgrade, and both Pure-FTPd and vsftpd support it natively.”

Malformed APKs Bypass Detections as New Android RATs Emerge — Threat actors are increasingly using malformed APKs, which refer to Android packages that can be installed and run on Android but are intentionally broken by using unsupported compression methods, header manipulation, or false password protection, to bypass static analysis tools and delay detection.

Cleafy has released an open-source tool called Malfixer to detect and fix malformed APKs. The development comes as Zimperium flagged four new Android malware families, RecruitRat, SaferRat, Astrinox (aka Mirax), and Massiv, that are capable of harvesting sensitive information and facilitating unauthorized financial transactions. In all, campaigns distributing these malware families target over 800 applications across the banking, cryptocurrency, and social media sectors. RecruitRat leverages recruitment-related social engineering and fraudulent job-seeking platforms for initial access.

SaferRat is distributed through fake websites that claim to offer free access to premium streaming platforms and legitimate video streaming software. All four banking trojans abuse the native Session Installation API to bypass Android’s sideloading restrictions and request accessibility services permissions to carry out their malicious activities.

Over 200 PrestaShop Stores Expose Installer — More than 200 PrestaShop online stores have left their installation folder exposed online, allowing attackers to abuse the behavior to overwrite database configuration, gain admin access, and execute arbitrary code on the server. According to Sansec, the affected stores span 27 countries, including France, Italy, Poland, and the Czech Republic.

Another set of 15 stores has been found to expose the Symfony Profiler, which is enabled when PrestaShop runs in debug mode.

How to Contain a Domain Compromise via Predictive Shielding — Microsoft detailed an attack chain in which a threat actor targeted a public sector organization in June 2025, methodically progressing from one stage of the attack lifecycle to the next, starting with dropping a web shell following the exploitation of a file-upload flaw in an internet-facing Internet Information Services (IIS) server. The attacker then performed reconnaissance, escalated their privileges, leveraged the compromised IIS service account to reset the passwords of high-impact identities, and deployed Mimikatz to harvest credentials. Then, the threat actor abused privileged accounts and remotely created a scheduled task on a domain controller to capture NTDS snapshots.

The attacker also planted a Godzilla web shell on the Exchange Server and leveraged their privileged context to alter mailbox permissions, allowing them to read and manipulate all mailbox contents. The threat actor subsequently used Impacket to enumerate the role assignments and other activities that were flagged and blocked by Microsoft Defender. “The threat actor then launched a broad password spray from the initially compromised IIS server, unlocking access to at least 14 servers through password reuse,” Microsoft said. “They also attempted remote credential dumping against a couple of domain controllers and an additional IIS server using multiple domain and service principals.” After Microsoft Defender’s predictive shielding was enabled in late July 2025, the attacker’s attempts to sign in to Microsoft Entra Connect servers were blocked.

The campaign stopped on July 28, 2025.

Cargo Theft Malware Actor Conducts Remote Access Campaigns — In November 2025, Proofpoint detailed a threat actor that used compromised load boards to gain access to trucking companies with the end goal of freight diversion and cargo theft. New research from the enterprise security company has revealed that the attacker abused multiple remote access tools like ScreenConnect, Pulseway, and SimpleHelp to establish persistence to a controlled decoy environment, with attempts made to identify financial access, payment platforms, and cryptocurrency assets to conduct freight fraud and broader financial theft. The actor maintained access for more than a month.

At least one ScreenConnect instance is said to have leveraged a third‑party signing‑as‑a‑service provider to re-sign the installer with a valid but fraudulent code‑signing certificate. “This reconnaissance focused on identifying financial access – such as banking, accounting, tax software, and money transfer services – as well as transportation‑related entities, including fuel card services, fleet payment platforms, and load board operators,” the company said. “The latter activity was likely designed to support crimes against the transportation industry, including cargo theft and related financial fraud.”

British National Pleads Guilty to Scattered Spider Campaign — Tyler Robert Buchanan, who was extradited from Spain to the U.S. last April following his arrest in the European nation in June 2024, pleaded guilty to hacking a dozen companies and stealing at least $8 million in digital assets.

He pleaded guilty to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. “From September 2021 to April 2023, Buchanan and other individuals conspired to conduct cyber intrusions and virtual currency thefts,” the U.S. Justice Department said. “The victims and intended victims included interactive entertainment companies, telecommunications companies, technology companies, business process outsourcing (BPO) and information technology (IT) suppliers, cloud communications providers, virtual currency companies, and individuals.” Buchanan and his co-conspirators conducted SMS phishing attacks targeting a victim company’s employees, tricking them into clicking on bogus links that exfiltrated their credentials via a phishing kit to an online Telegram channel under their control.

The stolen data was then used to access the accounts, gather confidential company information, and siphon millions of dollars’ worth of virtual currency after conducting SIM swapping attacks.

🔧 Cybersecurity Tools

Cirro → It is an open-source tool designed to help security experts find hidden risks in cloud environments. It works by collecting data about people, their permissions, and the digital resources they use, then turning that information into a visual map. By showing how these different pieces are connected, the tool makes it easier to spot “attack paths”—the step-by-step routes a hacker could take to move through a system and reach sensitive data.

While it is currently focused on Azure, it is built to be flexible so users can add other platforms over time.

Janus → It is an open-source tool designed to help security teams track technical failures during operations. It automatically pulls logs from command-and-control (C2) platforms like Mythic and Cobalt Strike to identify where tools failed or commands were blocked. By organizing these “friction points” into reports, Janus helps teams see exactly where their workflow slows down and what tasks need to be improved or automated.

Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.

Conclusion

That wraps this week’s recap.

Most of it isn’t loud, but it shows how easy it is for trusted paths to turn into entry points and for normal activity to hide real access. Keep an eye on the basics. Check what you trust, watch how things run, and don’t ignore the small changes. Found this article interesting?

Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Why Most AI Deployments Stall After the Demo

The fastest way to fall in love with an AI tool is to watch the demo. Everything moves quickly. Prompts land cleanly. The system produces impressive outputs in seconds.

It feels like the beginning of a new era for your team. But most AI initiatives don’t fail because of bad technology. They stall because what worked in the demo doesn’t survive contact with real operations. The gap between a controlled demonstration and day-to-day reality is where teams run into trouble.

Most AI product demos are built to highlight potential, not friction. They use clean data, predictable inputs, carefully crafted prompts, and well-understood use cases. Production environments don’t look like that. In real operations, data is messy, inputs are inconsistent, systems are fragmented, and context is incomplete.

Latency matters. Edge cases quickly outnumber ideal ones. This is why teams often see an initial burst of enthusiasm followed by a slowdown once they try to deploy AI more broadly.

What actually breaks in production

Once AI moves from demo to deployment, a few specific challenges tend to emerge.

Data quality becomes a real issue. In security and IT environments, data is often spread across multiple tools with different formats and varying levels of reliability. A model that performs well on clean demo data can struggle when fed noisy or incomplete inputs.

Latency becomes visible. A model that feels fast in isolation can introduce meaningful delays when embedded in multi-step workflows running at scale.

Edge cases start to matter. Production workflows include exceptions, unusual scenarios, and unpredictable user behavior. Systems that handle common cases well can break down quickly when confronted with real-world complexity.

Integration becomes a limiting factor. Most operational work requires coordinating across multiple systems. If an AI tool can’t connect deeply into those workflows, its impact stays limited regardless of how capable the underlying model is.

Governance is where enthusiasm runs out

Beyond technical challenges, governance has become one of the biggest reasons AI initiatives stall.

With general-purpose AI tools now widely accessible, organizations are grappling with serious questions around data privacy, appropriate use cases, approval processes, and compliance requirements. Many teams discover that while AI experimentation is easy, operationalizing AI safely requires clear policies and controls. Without them, even promising initiatives get stuck in review cycles or fail to scale. When done properly, governance transcends its goal of preventing misuse.

It becomes a framework that lets teams move quickly and confidently, with appropriate oversight built in from the start.

What determines whether AI actually delivers

Teams that successfully move beyond the demo tend to share a few habits. They test AI against real workflows rather than idealized scenarios, using real data, real processes, and real constraints. They evaluate performance under realistic conditions, measuring accuracy under load, monitoring latency, and understanding how the system behaves when inputs vary.

They prioritize integration depth, because AI operating in isolation rarely has much impact. And they pay close attention to the cost model, since AI usage can scale quickly and without visibility into consumption, costs can become a blocker. Perhaps most importantly, they invest in governance early. Clear policies, guardrails, and oversight mechanisms help teams avoid delays and build confidence in their deployments.

A practical checklist before you commit

If you’re evaluating AI tools, a few steps can help surface limitations before they become blockers:

- run proofs of concept on high-impact, real-world workflows;
- use realistic data during testing;
- measure performance across accuracy, latency, and reliability;
- assess integration depth with your existing stack;
- clarify governance requirements upfront.

These aren’t complicated steps, but they make a significant difference in whether a promising demo leads to meaningful production deployment. Access the IT and security field guide to AI adoption.

The bottom line

AI has real potential to change how security and IT teams work.

But success depends less on the sophistication of the model and more on how well it fits into real workflows, integrates with existing systems, and operates within a clear governance framework. Teams that recognize this early are far more likely to move from experimentation to lasting impact. Looking for a structured approach to evaluating AI tools in practice? The IT and security field guide to AI adoption walks through selection criteria, evaluation questions, and a step-by-step process for finding solutions that hold up beyond the demo.

This article is a contributed piece from one of our valued partners.

Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain

Cybersecurity researchers have discovered a critical “by design” weakness in the Model Context Protocol’s ( MCP ) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain. “This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to sensitive user data, internal databases, API keys, and chat histories,” OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar said in an analysis published last week. The cybersecurity company said the systemic vulnerability is baked into Anthropic’s official MCP software development kit (SDK) across any supported language, including Python, TypeScript, Java, and Rust. In all, it affects more than 7,000 publicly accessible servers and software packages totaling more than 150 million downloads.

At issue are unsafe defaults in how MCP configuration works over the STDIO (standard input/output) transport interface, resulting in the discovery of 10 vulnerabilities spanning popular projects like LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot -

- CVE-2025-65720 (GPT Researcher)
- CVE-2026-30623 (LiteLLM) - Patched
- CVE-2026-30624 (Agent Zero)
- CVE-2026-30618 (Fay Framework)
- CVE-2026-33224 (Bisheng) - Patched
- CVE-2026-30617 (Langchain-Chatchat)
- CVE-2026-33224 (Jaaz)
- CVE-2026-30625 (Upsonic)
- CVE-2026-30615 (Windsurf)
- CVE-2026-26015 (DocsGPT) - Patched
- CVE-2026-40933 (Flowise)

These vulnerabilities fall under four broad categories, effectively triggering remote command execution on the server -

- Unauthenticated and authenticated command injection via MCP STDIO
- Unauthenticated command injection via direct STDIO configuration with hardening bypass
- Unauthenticated command injection via MCP configuration edit through zero-click prompt injection
- Unauthenticated command injection through MCP marketplaces via network requests, triggering hidden STDIO configurations

“Anthropic’s Model Context Protocol gives a direct configuration-to-command execution via their STDIO interface on all of their implementations, regardless of programming language,” the researchers explained. “As this code was meant to be used in order to start a local STDIO server, and give a handle of the STDIO back to the LLM. But in practice it actually lets anyone run any arbitrary OS command, if the command successfully creates an STDIO server it will return the handle, but when given a different command, it returns an error after the command is executed.”

Interestingly, vulnerabilities based on the same core issue have been reported independently over the past year. They include CVE-2025-49596 (MCP Inspector), CVE-2026-22252 (LibreChat), CVE-2026-22688 (WeKnora), CVE-2025-54994 (@akoskm/create-mcp-server-stdio), and CVE-2025-54136 (Cursor).

Anthropic, however, has declined to modify the protocol’s architecture, citing the behavior as “expected.” While some of the vendors have issued patches, the shortcoming remains unaddressed in Anthropic’s MCP reference implementation, causing developers to inherit the code execution risks. The findings highlight how AI-powered integrations can inadvertently expand the attack surface. To counter the threat, it’s advised to block public IP access to sensitive services, monitor MCP tool invocations, run MCP-enabled services in a sandbox, treat external MCP configuration input as untrusted, and only install MCP servers from verified sources.
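To make the "treat external MCP configuration input as untrusted" advice concrete, here is an added example (not Anthropic's SDK code and not OX Security's) of a policy check that validates an MCP server configuration before any process is spawned. It assumes the common mcpServers JSON layout with command, args and env fields; the allowlist, the package names and the sample config are placeholders constructed for this illustration.

```python
"""Treat MCP server configuration as untrusted input.

Added example, not code from Anthropic's SDK or from OX Security. It assumes
the common `mcpServers` JSON layout (each entry has `command`, `args`, `env`)
and uses a constructed allowlist; the package names and the sample config are
placeholders made up for this illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed policy: launcher -> set of server packages/scripts an operator
# has reviewed. The config may pick only from these; nothing else is spawned.
ALLOWED_LAUNCHERS = {
    "/usr/bin/npx": {"@example/mcp-server-files"},        # placeholder package
    "/usr/local/bin/uvx": {"example-mcp-server-sqlite"},  # placeholder package
}

# Flags that make an interpreter or launcher run inline code or auto-install
# arbitrary packages; a reviewed server entry never needs them.
DANGEROUS_FLAGS = {"-c", "-e", "--eval", "-y", "--yes", "--with", "--from"}

# Sequences that only matter if a shell interprets the value. Their presence
# in a config that should be plain argv is a sign the entry is not what it
# claims to be.
SHELL_METACHARS = (";", "&&", "||", "|", "`", "$(", ">", "<", "\n")

# Environment keys that redirect even an allowlisted launcher to other code.
BLOCKED_ENV = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH",
               "DYLD_INSERT_LIBRARIES", "NODE_OPTIONS", "PYTHONPATH"}


@dataclass(frozen=True)
class Finding:
    server: str
    reason: str


def check_server(name: str, spec: dict) -> list[Finding]:
    """Return every policy violation for one server entry (empty = accepted)."""
    findings: list[Finding] = []
    command = spec.get("command")
    args = spec.get("args", [])
    env = spec.get("env", {})

    if not isinstance(command, str) or not command:
        return [Finding(name, "missing or non-string command")]
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return [Finding(name, "args must be a list of strings")]

    if command not in ALLOWED_LAUNCHERS:
        findings.append(Finding(name, f"launcher not allowlisted: {command}"))
    else:
        # The first non-flag argument names the server package; it must be
        # one the operator has reviewed for this launcher.
        positional = [a for a in args if not a.startswith("-")]
        target = positional[0] if positional else None
        if target not in ALLOWED_LAUNCHERS[command]:
            findings.append(Finding(name, f"server package not allowlisted: {target}"))

    for token in (command, *args):
        if token in DANGEROUS_FLAGS:
            findings.append(Finding(name, f"dangerous flag: {token}"))
        if any(m in token for m in SHELL_METACHARS):
            findings.append(Finding(name, f"shell metacharacters in {token!r}"))

    for key in (env if isinstance(env, dict) else {}):
        if key in BLOCKED_ENV:
            findings.append(Finding(name, f"blocked env override: {key}"))
    return findings


def validate_config(text: str) -> tuple[dict, list[Finding]]:
    """Parse an mcpServers document; return (accepted entries, findings)."""
    doc = json.loads(text)
    accepted: dict = {}
    findings: list[Finding] = []
    for name, spec in doc.get("mcpServers", {}).items():
        problems = check_server(name, spec)
        if problems:
            findings.extend(problems)
        else:
            accepted[name] = spec
    return accepted, findings


# Constructed sample: one reviewed entry, one that turns the config into a
# shell command, one that abuses an allowlisted launcher to auto-install code.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "files": {"command": "/usr/bin/npx",
                  "args": ["@example/mcp-server-files", "/srv/data"]},
        "shell": {"command": "/bin/sh",
                  "args": ["-c", "echo injected > /tmp/marker"]},
        "fetch": {"command": "/usr/bin/npx",
                  "args": ["-y", "@example/unreviewed-package"],
                  "env": {"NODE_OPTIONS": "--require /tmp/x.js"}},
    }
})

if __name__ == "__main__":
    ok, problems = validate_config(SAMPLE_CONFIG)
    print("accepted:", sorted(ok))
    for f in problems:
        print(f"reject {f.server}: {f.reason}")
```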

“What made this a supply chain event rather than a single CVE is that one architectural decision, made once, propagated silently into every language, every downstream library, and every project that trusted the protocol to be what it appeared to be,” OX Security said. “Shifting responsibility to implementers does not transfer the risk. It just obscures who created it.”

Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems

Cybersecurity researchers have flagged a new malware called ZionSiphon that appears to be specifically designed to target Israeli water treatment and desalination systems. The malware has been codenamed ZionSiphon by Darktrace, highlighting its ability to set up persistence, tamper with local configuration files, and scan for operational technology (OT)-relevant services on the local subnet. According to details on VirusTotal, the sample was first detected in the wild on June 29, 2025, right after the Twelve-Day War between Iran and Israel that took place between June 13 and 24. “The malware combines privilege escalation, persistence, USB propagation, and ICS scanning with sabotage capabilities aimed at chlorine and pressure controls, highlighting growing experimentation with politically motivated critical infrastructure attacks against industrial operational technologies globally,” the company said.

ZionSiphon, currently in an unfinished state, is characterized by its Israel-focused targeting, going after a specific set of IPv4 address ranges that are located within Israel -

- 2.52.0[.]0 - 2.55.255[.]255
- 79.176.0[.]0 - 79.191.255[.]255
- 212.150.0[.]0 - 212.150.255[.]255

Besides encoding political messages that claim support for Iran, Palestine, and Yemen, the malware embeds Israel-linked strings in its target list that correspond to the nation’s water and desalination infrastructure. It also includes checks to ensure that in those specific systems. “The intended logic is clear: the payload activates only when both a geographic condition and an environment-specific condition related to desalination or water treatment are met,” the cybersecurity company said. Once launched, ZionSiphon identifies and probes devices on the local subnet, attempts protocol-specific communication using Modbus, DNP3, and S7comm protocols, and modifies local configuration files by tampering with parameters associated with chlorine doses and pressure.

An analysis of the artifact has found the Modbus-oriented attack path to be the most developed, with the remaining two only including partially functional code, indicating that the malware is still likely in development. A notable aspect of the malware is its ability to propagate the infection over removable media. On hosts that do not meet the criteria, it initiates a self-destruct sequence to delete itself. “Although the file contains sabotage, scanning, and propagation functions, the current sample appears unable to satisfy its own target-country checking function even when the reported IP falls within the specified ranges,” Darktrace said.

“This behavior suggests that the version is either intentionally disabled, incorrectly configured, or left in an unfinished state.” “Despite these limitations, the overall structure of the code likely indicates a threat actor experimenting with multi‑protocol OT manipulation, persistence within operational networks, and removable‑media propagation techniques reminiscent of earlier ICS‑targeting campaigns.”

The disclosure coincides with the discovery of a Node.js-based implant called RoadK1ll that’s designed to maintain reliable access to a compromised network while blending into normal network activity. “RoadK1ll is a Node.js-based reverse tunneling implant that establishes an outbound WebSocket connection to attacker-controlled infrastructure and uses that connection to broker TCP traffic on demand,” Blackpoint Cyber said. “Unlike a traditional remote access trojan, it carries no large command set and requires no inbound listener on the victim host. Its sole function is to convert a single compromised machine into a controllable relay point, an access amplifier, through which an operator can pivot to internal systems, services, and network segments that would otherwise be unreachable from outside the perimeter.”

Last week, Gen Digital also took the wraps off a virtual machine (VM)-obfuscated backdoor that was observed on a single machine in the U.K. and operated for a year between May 2022 and June 2023, before vanishing without any trace when its infrastructure expired. The implant has been dubbed AngrySpark. It’s currently not known what the end goals of the activity were. “AngrySpark operates as a three-stage system,” the company explained.

“A DLL masquerading as a Windows component loads via the Task Scheduler, decrypts its configuration from the registry, and injects position-independent shellcode into svchost.exe. That shellcode implements a virtual machine.” “The VM processes a 25KB blob of bytecode instructions, decoding and assembling the real payload – a beacon that profiles the machine, phones home over HTTPS disguised as PNG image requests, and can receive encrypted shellcode for execution.” The result is malware capable of establishing stealthy persistence, altering its behavior by switching the blob, and setting up a command-and-control (C2) channel that can fly under the radar. “AngrySpark is not only modular, it is also careful about how it appears to defenders,” Gen added. “Several design choices look specifically aimed at frustrating clustering, bypassing instrumentation, and limiting the forensic residue left behind.

The binary’s PE metadata has been deliberately altered to confuse toolchain fingerprinting.”

Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials

Web infrastructure provider Vercel has disclosed a security breach that allowed bad actors to gain unauthorized access to “certain” internal Vercel systems. The incident stemmed from the compromise of Context.ai, a third-party artificial intelligence (AI) tool that was used by an employee at the company. “The attacker used that access to take over the employee’s Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as ‘sensitive,’” the company said in a bulletin. Vercel said environment variables marked as “sensitive” are stored in an encrypted manner that prevents them from being read, and that there is currently no evidence suggesting that those values were accessed by the attacker.

It described the threat actor behind the incident as “sophisticated” based on their “operational velocity and detailed understanding of Vercel’s systems.” The company also said it’s working with Google-owned Mandiant and other cybersecurity firms, as well as notifying law enforcement and engaging with Context.ai to better understand the full scope of the breach. A “limited subset” of customers is said to have had their credentials compromised, with Vercel reaching out to them directly and urging them to rotate their credentials with immediate effect. The company is continuing to investigate what data was exfiltrated, and plans to contact customers if further evidence of compromise is discovered. Vercel is also advising Google Workspace administrators and Google account owners to check for the following OAuth application: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com

As additional mitigations, the following best practices have been recommended -

- Enable multi-factor authentication.
- Review activity log for signs of suspicious activity.
- Audit and rotate environment variables that contain secrets and are not marked as sensitive.
- Use sensitive environment variables to ensure secrets are protected.
- Investigate recent deployments for anything unexpected or suspicious.
- Ensure that Deployment Protection is set to Standard at a minimum.
- Rotate Deployment Protection tokens, if set.

While Vercel has yet to share details about which of its systems were broken into, how many customers were affected, and who may be behind it, a threat actor using the ShinyHunters persona has claimed responsibility for the hack, selling the stolen data for an asking price of $2 million. Context.ai has also published a security bulletin in which it disclosed a March 2026 incident that saw it identify and block unauthorized access to its AWS environment.
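As an added example of the OAuth grant check recommended above (not Vercel's, Context.ai's or Google's code), the following script classifies third-party OAuth grants exported from a Google Workspace tenant: it flags the client ID published in the bulletin, any other client that shares that client's Google Cloud project number, and grants with over-broad scopes. It assumes the grants have already been exported into the simple record shape shown; the user records and the non-published client IDs are constructed.

```python
"""Audit third-party OAuth grants exported from Google Workspace.

Added example, not Vercel's, Context.ai's or Google's code. It assumes the
grants have already been exported into simple records (user, client ID, app
name, scopes); the records below are constructed for this illustration. The
flagged client ID is the one published in the Vercel bulletin.
"""
from __future__ import annotations

from dataclasses import dataclass

# Client ID named in the Vercel disclosure. The digits before the first '-'
# are the Google Cloud project number, shared by every OAuth client (web app,
# browser extension, ...) registered in that project.
FLAGGED_CLIENT_IDS = {
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
}

# Real Google scope URIs that hand an app standing access to mail, files or
# the directory; an "Allow All" style consent bundles several of these.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}


@dataclass(frozen=True)
class Grant:
    user: str
    client_id: str
    app_name: str
    scopes: tuple[str, ...]


@dataclass(frozen=True)
class Finding:
    grant: Grant
    severity: str  # "revoke" or "review"
    reasons: tuple[str, ...]


def project_number(client_id: str) -> str:
    """The digits before the first '-' identify the Google Cloud project."""
    return client_id.split("-", 1)[0]


def assess(grant: Grant, flagged: set[str] = FLAGGED_CLIENT_IDS) -> Finding | None:
    """Classify one grant; None means nothing to act on."""
    reasons: list[str] = []
    flagged_projects = {project_number(c) for c in flagged}

    if grant.client_id in flagged:
        reasons.append("client ID named in breach notification")
    elif project_number(grant.client_id) in flagged_projects:
        # A sibling client from the same project (e.g. the vendor's browser
        # extension beside its web app) gets the same treatment.
        reasons.append("client ID shares a project number with a flagged app")

    broad = sorted(s for s in grant.scopes if s in BROAD_SCOPES)
    if broad:
        reasons.append("broad scopes: " + ", ".join(broad))

    if not reasons:
        return None
    # Anything tied to the flagged project is revoked outright; an unknown
    # app with broad scopes goes to a human for review.
    severity = "revoke" if reasons[0].startswith("client ID") else "review"
    return Finding(grant, severity, tuple(reasons))


def audit(grants: list[Grant]) -> list[Finding]:
    """Run assess() over every grant, revocations first."""
    findings = [f for f in (assess(g) for g in grants) if f is not None]
    return sorted(findings, key=lambda f: (f.severity != "revoke", f.grant.user))


# Constructed sample records (domain, users, and the non-flagged client IDs
# are placeholders).
SAMPLE_GRANTS = [
    Grant("alice@example-corp.test",
          "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
          "Context", ("https://mail.google.com/",
                      "https://www.googleapis.com/auth/drive")),
    Grant("bob@example-corp.test",
          "110671459871-constructedsiblingclient.apps.googleusercontent.com",
          "Context (extension)",
          ("https://www.googleapis.com/auth/drive.readonly",)),
    Grant("carol@example-corp.test",
          "555555555555-constructedclientid.apps.googleusercontent.com",
          "Calendar helper",
          ("https://www.googleapis.com/auth/calendar.readonly",)),
    Grant("dave@example-corp.test",
          "777777777777-constructedclientid.apps.googleusercontent.com",
          "Unknown notes app", ("https://www.googleapis.com/auth/drive",)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f"{f.severity:6} {f.grant.user:26} {f.grant.app_name}: "
              + "; ".join(f.reasons))
```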

However, it has since emerged that the attacker also likely compromised OAuth tokens for some of its consumer users. “We also learned that the unauthorized actor appears to have used a compromised OAuth token to access Vercel’s Google Workspace,” the company said. “Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted ‘Allow All’ permissions. Vercel’s internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel’s enterprise Google Workspace.” Context.ai said it immediately alerted all impacted customers and provided them with the necessary steps they needed to take.

It did not reveal how many customers were affected by the breach. In a report published today, Hudson Rock has uncovered that a Context.ai employee was compromised with Lumma Stealer in February 2026, raising the possibility that the infection may have triggered the “supply chain escalation.” The corporate credentials harvested during the attack consisted of Google Workspace credentials, along with keys and logins for Supabase, Datadog, and Authkit. Also present among the stolen records was the “support@context.ai” account, likely allowing the threat actor to escalate privileges, bypass security controls, and successfully pivot into Vercel’s infrastructure. The user is assessed to be a core member of the “context-inc” Vercel team.

“Logs indicate the user was actively searching for and downloading game exploits, specifically Roblox ‘auto-farm’ scripts and executors,” the cybersecurity company said. “These types of malicious downloads are notorious vectors for Lumma Stealer deployments.” “We’ve deployed extensive protection measures and monitoring. We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community,” Vercel CEO Guillermo Rauch said in a post on X. “In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive environment variable creation and management.”

Update

In an update shared on April 20, 2026, Vercel said it collaborated with Microsoft, GitHub, npm, and Socket and found no evidence of its npm packages being compromised as a result of the breach.

The company also said it’s releasing updates that are aimed at improving the security posture, including defaulting environment variable creation to “sensitive” and enhancing team-wide management of environment variables. Additional details shared by Jaime Blasco, CTO of Nudge Security, have revealed that Google also removed Context.ai’s Google Chrome extension (ID: omddlmnhcofjbnbflmjginpjjblphbgk) from the Chrome Web Store on March 27, 2026. The extension has been found to embed another OAuth grant that enables read access to a user’s Google Drive files - 110671459871-f3cq3okebd3jcg1lllmroqejdbka8cqq.apps.googleusercontent.com

OX Security, in its own analysis of the incident, said the initial access began when the Vercel employee installed the Context.ai browser extension and signed into it using their enterprise Google account, enabling the attacker to obtain unauthorized access and burrow deeper into Vercel’s environment. Although a group claiming to be ShinyHunters has taken responsibility for the attack, Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), noted in a LinkedIn post that the threat actor behind the attack is likely an “imposter attempting to use an established name to inflate their notoriety.” “This is the new attack surface, and we’ve seen it play out over and over again in the last year,” Blasco said.

“Salesloft Drift, Gainsight, etc. Now Context.ai and Vercel. Different vendors, same story: attackers compromise a small AI or SaaS vendor, steal the OAuth tokens that vendor holds on behalf of its customers, and walk into hundreds of downstream enterprises using credentials the platform was designed to issue.” “None of this required a novel AI attack technique. Agentic AI makes it worse because these platforms sit at the center of a hub of OAuth grants with expansive scopes, usually at young companies without mature security programs behind them.

OAuth is the new lateral movement. Until the industry treats OAuth tokens as high-value credentials, we’re going to keep reading the same breach writeup with the vendor names swapped out.” (The story was updated after publication to reflect the latest developments.)

[Webinar] Eliminate Ghost Identities Before They Expose Your Enterprise Data

In 2024, compromised service accounts and forgotten API keys were behind 68% of cloud breaches. Not phishing. Not weak passwords. Unmanaged non-human identities that nobody was watching.

For every employee in your org, there are 40 to 50 automated credentials: service accounts, API tokens, AI agent connections, and OAuth grants. When projects end or employees leave, most of these stay active. Fully privileged. Completely unmonitored.

Attackers don’t need to break in. They just pick up the keys you left out. Join our upcoming webinar where we’ll show you how to find and eliminate these “Ghost Identities” before they become a back door for hackers. AI agents and automated workflows are multiplying these credentials at a pace security teams can’t manually track.

Many carry admin-level access they never needed. One compromised token can give an attacker lateral movement across your entire environment, and the average dwell time for these intrusions is over 200 days. Traditional IAM wasn’t built for this. It manages people.

It ignores machines.

What we’ll walk you through in this session:

- How to run a full discovery scan of every non-human identity in your environment
- A framework for right-sizing permissions across service accounts and AI integrations
- An automated lifecycle policy so dead credentials get revoked before attackers find them
- A ready-to-use Identity Cleanup Checklist you’ll get during the live session

This isn’t a product demo. It’s a working playbook you can take back to your team the same week. Don’t let hidden keys compromise your data.

We’re hosting a live session to walk you through securing these non-human identities step-by-step. 📅 Save Your Spot Today: Register for the Webinar Here.

$13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims

Grinex, a Kyrgyzstan-incorporated cryptocurrency exchange sanctioned by the U.K. and the U.S. last year, said it’s suspending operations after it blamed Western intelligence agencies for a $13.74 million hack. The exchange said it fell victim to what it described as a large-scale cyber attack that bore hallmarks of foreign intelligence agency involvement.

This attack led to the theft of over 1 billion rubles in user funds. “Digital forensic evidence and the nature of the attack point to an unprecedented level of resources and technological sophistication – capabilities typically available exclusively to the agencies of hostile states,” the company said in a statement posted on its website. “Preliminary findings suggest the attack was coordinated with the specific objective of inflicting direct damage upon Russia’s financial sovereignty.” A spokesperson for the company went on to state that the exchange’s infrastructure had been under attack since the beginning of its operations, and that the latest development represents a new level of escalation aimed at destabilising the domestic financial sector.

Grinex is believed to be a rebrand of Garantex, a cryptocurrency exchange that was sanctioned by the U.S. Treasury Department in April 2022 for laundering funds linked to ransomware and darknet markets like Conti and Hydra. The Treasury renewed sanctions against Garantex in August 2025 for processing more than $100 million in illicit transactions and enabling money laundering. According to the Treasury and details shared by blockchain intelligence firms Elliptic and TRM Labs, Garantex is said to have moved its customer base to Grinex in response to the sanctions and remained operational by using a ruble-backed stablecoin called A7A5. In a report published earlier this February, Elliptic also disclosed that Rapira, a Georgia-incorporated exchange with an office in Moscow, has engaged in direct cryptoasset transactions to and from Grinex totaling more than $72 million, highlighting how exchanges with ties to Russia continue to enable sanctions evasion.

The British blockchain analytics firm said the Grinex asset theft occurred on April 15, 2026, at around 12:00 UTC, and that the stolen funds were subsequently sent to further accounts on the TRON or Ethereum blockchains. “This USDT was then converted to another asset, either TRX or ETH. By doing so, the thief avoided the risk of the stolen USDT being frozen by Tether,” it added. TRM Labs has identified about 70 addresses connected to the incident, noting that TokenSpot, a Kyrgyzstan-based exchange that likely operates as a front for Grinex, was simultaneously impacted.

On the same day Grinex suffered the breach, TokenSpot posted on its Telegram channel that the platform would be temporarily unavailable due to technical maintenance. On April 16, it announced that full operations had resumed. The attacker is estimated to have stolen less than $5,000 from TokenSpot. The funds were routed through two TokenSpot addresses to the same consolidation address used by the Grinex-linked wallets.

Chainalysis, in its own breakdown of the incident, said the stablecoin funds were quickly swapped for a non-freezable token and that this “frantic swapping” from stablecoins to more decentralized tokens is a tactic adopted by bad actors to launder their illicit proceeds before the assets can be frozen. “Given the exchange’s heavily sanctioned status, its restricted ecosystem, and the on-chain use of Garantex’s preferred obfuscation techniques, it is worth considering if this incident could be a false flag attack,” it said. “Whether this event represents a legitimate exploit by cybercriminals or an orchestrated false flag operation by Russia-linked insiders, the disruption of Grinex deals a significant blow to the infrastructure supporting Russian sanctions evasion.”

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

Threat actors are exploiting security flaws in TBK DVR and end‑of‑life (EoL) TP-Link Wi-Fi routers to deploy Mirai botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42. The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices, to deliver a Mirai variant called Nexcorium. “IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings,” security researcher Vincent Li said. “Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks.” This is not the first time the vulnerability has been exploited in the wild.

Over the past year, the security issue has been leveraged to deploy a Mirai variant as well as a distinct, relatively new botnet called RondoDox. In September 2025, CloudSEK also disclosed details of a large-scale loader-as-a-service botnet that has been distributing RondoDox, Mirai, and Morte payloads through weak credentials and old flaws in routers, IoT devices, and enterprise apps. The attack activity outlined by Fortinet involves the exploitation of CVE-2024-3721 to obtain and drop a downloader script, which then launches the botnet payload based on the Linux system’s architecture. Once the malware is executed, it displays a message stating “nexuscorp has taken control.” “Nexcorium has a similar architecture to the Mirai variant, including XOR-encoded configuration table initialization, watchdog module, and DDoS attack module,” the security vendor said.

The malware also includes an exploit for CVE-2017-17215 to target Huawei HG532 devices in the network and incorporates a list of hard-coded usernames and passwords for use in brute-force attacks targeting the victim’s hosts by opening a Telnet connection. If the Telnet login is successful, it attempts to obtain a shell, set up persistence using crontab and systemd service, and connect to an external server to await commands for launching DDoS attacks over UDP, TCP, and SMTP. Once persistence is established on the device, the malware deletes the original downloaded binary to evade analysis. “The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems,” Fortinet said.

“Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach.” The development comes as Unit 42 said it detected active, automated scans and probes attempting to exploit CVE-2023-33538 (CVSS score: 8.8), a command injection vulnerability impacting EoL TP-Link wireless routers, albeit using a flawed approach that doesn’t result in a successful compromise. It’s worth noting that the security flaw was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog in June 2025. The vulnerability affects the following models:

- TL-WR940N v2 and v4
- TL-WR740N v1 and v2
- TL-WR841N v8 and v10

“Although the in-the-wild attacks we observed were flawed and would fail, our analysis confirms the underlying vulnerability is real,” researchers Asher Davila, Malav Vyas, and Chris Navarrete said.

“Successful exploitation requires authentication to the router’s web interface.” The attacks, in this case, attempt to deploy a Mirai-like botnet malware, with the source code featuring numerous references to the string “Condi.” It also comes equipped with the ability to update itself with a newer version and act as a web server to spread the infection to other devices that connect to it. Given that the affected TP-Link devices are no longer actively supported, users are advised to replace them with a newer model and ensure that default credentials are not used. “For the foreseeable future, the security landscape will continue to be shaped by the persistent risk of default credentials in IoT devices,” Unit 42 said. “These credentials can turn a limited, authenticated vulnerability into a critical entry point for determined attackers.”
Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched

Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) in response to Microsoft’s handling of the vulnerability disclosure process. While both BlueHammer and RedSun are local privilege escalation (LPE) flaws impacting Microsoft Defender, UnDefend can be used to trigger a denial-of-service (DoS) condition and effectively block definition updates. Microsoft moved to address BlueHammer as part of its Patch Tuesday updates released earlier this week.

The vulnerability is being tracked under the CVE identifier CVE-2026-33825. However, the other flaws do not have a fix as of writing. In a series of posts shared on X, Huntress said it observed all three flaws being exploited in the wild, with BlueHammer being weaponized since April 10, 2026, followed by the use of RedSun and UnDefend proof-of-concept (PoC) exploits on April 16. “These invocations followed after typical enumeration commands: whoami /priv, cmdkey /list, net group, and others that indicate hands-on-keyboard threat actor activity,” it added.

The cybersecurity vendor said it has taken steps to isolate the affected organization to prevent further post-exploitation. When reached for comment, Microsoft confirmed that the BlueHammer exploit has been addressed via CVE-2026-33825. “Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible,” a Microsoft spokesperson said. “We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.” (The story was updated after publication to include a response from Microsoft.)
Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul

Google this week announced a new set of Play policy updates to strengthen user privacy and protect businesses against fraud, even as it revealed it blocked or removed over 8.3 billion ads globally and suspended 24.9 million accounts in 2025. The new policy updates relate to contact and location permissions in Android, allowing third-party apps to access the contact lists and a user’s location in a more privacy-friendly manner. This includes a new Contact Picker, which offers a standardized, secure, and searchable interface for contact selection. “This feature allows users to grant apps access only to the specific contacts they choose, aligning with Android’s commitment to data transparency and minimized permission footprints,” Google said.

Previously, apps requiring access to a specific user’s contacts relied on READ_CONTACTS, an overly broad permission that granted apps the ability to access all contacts and their associated information. With the latest change introduced in Android 17, apps can specify which fields from a contact they need, such as phone numbers or email addresses, as opposed to reading the entire record. The updated policy will require all applicable apps to use the picker (or the Android Sharesheet) as the main way to access users’ contacts, with READ_CONTACTS now reserved only for apps that can’t function without it. It’s advised to entirely remove the READ_CONTACTS permission from the app manifest declaration if it’s targeting Android versions 17 (currently in beta) and later.

“If your app requires full, ongoing access to a user’s contact list to function, you must justify this need by submitting a Play Developer Declaration in the Play Console,” Google noted. The second policy change revolves around a streamlined location button that Google has introduced in Android 17 that enables apps to request one-time access to a user’s precise location. In doing so, it allows the user to make a better choice about how much information they want to share and for what duration. What’s more, a persistent indicator will appear to alert a user every time a non-system app accesses their location.

To comply with this update, developers are being urged to review their apps’ location usage to ensure that they are requesting the minimum amount of location data necessary for them to function. “If your app targets Android 17 and above and uses precise location for discrete, temporary actions, implement the location button by adding the onlyForLocationButton flag in your manifest,” the tech giant said. “If your app requires persistent, precise location to function, you will need to submit a Play Developer Declaration in Play Console to show why the new button or coarse location isn’t sufficient for your app’s core features.” The declaration form is expected to be available before October 2026, with pre-review checks in the Play Console to go live starting October 27 to identify potential contacts or location permissions policy issues. Google is also implementing a secure way for businesses to transfer ownership of their apps through a native account transfer feature built into Play Console so as to stay protected against fraud.

The company is recommending that app developers handle account ownership changes through this feature starting May 27, 2026. “That means that unofficial transfers (like sharing login credentials or buying and selling accounts on third-party marketplaces), which leave your business vulnerable, are not permitted,” it said.

Google Takes Aim at Malvertising

The changes to the Android ecosystem come as Google said it’s harnessing the capabilities of Gemini, its artificial intelligence (AI) model, to detect and block malicious ads on its platform. More than 99% of policy-violating ads were caught by its systems in 2025 before they were shown to users, it noted.

“Unlike earlier keyword-based systems, our latest models better understand intent, helping us spot malicious content and preemptively block it, even when it’s designed to evade detection,” Keerat Sharma, vice president and general manager of Ads Privacy and Safety at Google, said in a post shared with The Hacker News. Taken together, the company removed or blocked 602 million ads and 4 million accounts that were associated with scams or scam-related activity last year. More than 4.8 billion ads were restricted, and over 480 million web pages were actioned for attempting to serve sexually explicit content, weapons promotion, online gambling, alcohol, tobacco, and malware. In contrast, Google suspended over 39.2 million advertiser accounts in 2024, and stopped 5.1 billion bad ads, restricted 9.1 billion ads, and blocked or restricted ads on 1.3 billion pages.

“Bad actors are using generative AI to create deceptive ads at scale, and Gemini helps us detect and block them in real time,” Google said. “By the end of last year, the majority of Responsive Search Ads created in Google Ads were reviewed instantly, and harmful content was blocked at submission – a capability we plan to bring to more ad formats this year.”

NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions

The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions. “CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST,” it said. “This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon.” The prioritization criteria outlined by NIST, which went into effect on April 15, 2026, are as follows:

- CVEs appearing in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
- CVEs for software used within the federal government.
- CVEs for critical software as defined by Executive Order 14028: this includes software that’s designed to run with elevated privilege or managed privileges, has privileged access to networking or computing resources, controls access to data or operational technology, and operates outside of normal trust boundaries with elevated access.

Any CVE submission that doesn’t meet these thresholds will be marked as “Not Scheduled.” The idea, NIST said, is to focus on CVEs that have the maximum potential for widespread impact.

“While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories,” it added. NIST said the CVE submissions during the first three months of 2026 are nearly one-third higher than they were last year, and it’s working faster than ever to enrich the submissions. It also said it enriched nearly 42,000 CVEs in 2025, which was 45% more than any prior year. In cases where a high-impact CVE has been categorized as unscheduled, users have the option to request enrichment by sending an email to “nvd@nist[.]gov.” NIST is expected to review those requests and schedule the CVEs for enrichment as applicable.

Changes have also been instituted for various other aspects of the NVD operations. These include:

- NIST will no longer routinely provide a separate severity score for a CVE where the CVE Numbering Authority has already provided a severity score.
- A modified CVE will be reanalyzed only if it “materially impacts” the enrichment data. Users can request specific CVEs to be reanalyzed by sending an email to the same address listed above.
- All unenriched CVEs currently in backlog with an NVD publish date earlier than March 1, 2026, will be moved into the “Not Scheduled” category. This does not apply to CVEs that are already in the KEV catalog.
- NIST has updated the CVE status labels and descriptions, as well as the NVD Dashboard, to accurately reflect the status of all CVEs and other statistics in real time.

“The announcement from NIST doesn’t come as a major surprise, given they’ve previously telegraphed intent to move to a ‘risk-based’ prioritization model for CVE enrichment,” Caitlin Condon, vice president of security research at VulnCheck, said in a statement shared with The Hacker News.
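For a team that consumes NVD data, the practical question raised by the prioritization criteria and the backlog rule above is which of its open CVEs will still receive NVD enrichment and which now need another source. The following Python triage routine, added here as an illustration and not NIST's own tooling, encodes those rules over a constructed vulnerability list; the record fields and CVE identifiers are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Unenriched backlog CVEs published before this date move to "Not Scheduled"
# unless they are in the KEV catalog (per the NIST change described above).
BACKLOG_CUTOFF = date(2026, 3, 1)


@dataclass
class CveRecord:
    """Constructed record shape for this example; the field names are assumptions."""
    cve_id: str
    nvd_published: date
    in_kev: bool = False            # listed in CISA's KEV catalog
    federal_use: bool = False       # software used within the federal government
    eo14028_critical: bool = False  # critical software per Executive Order 14028
    cna_severity: Optional[float] = None  # CVSS score the CNA already supplied
    enriched: bool = False          # NVD enrichment already present


def enrichment_status(rec: CveRecord) -> str:
    """Apply the published criteria: KEV always qualifies; otherwise the backlog
    cutoff is checked first, then federal use or EO 14028 critical software."""
    if rec.enriched:
        return "Enriched"
    if rec.in_kev:
        return "Scheduled"
    if rec.nvd_published < BACKLOG_CUTOFF:
        return "Not Scheduled"  # backlog rule; KEV exemption handled above
    if rec.federal_use or rec.eo14028_critical:
        return "Scheduled"
    return "Not Scheduled"


def nvd_will_score(rec: CveRecord) -> bool:
    """NIST no longer routinely adds its own severity score when the CNA
    provided one, so an NVD CVSS value should only be expected here."""
    return rec.cna_severity is None and enrichment_status(rec) == "Scheduled"


def triage(records: List[CveRecord]) -> Tuple[List[str], List[str]]:
    """Split records into those NVD will enrich and those needing another
    enrichment source (or an e-mail request to NIST, as the article notes)."""
    nvd_covered, needs_other_source = [], []
    for rec in records:
        bucket = needs_other_source if enrichment_status(rec) == "Not Scheduled" else nvd_covered
        bucket.append(rec.cve_id)
    return nvd_covered, needs_other_source


# Constructed sample population; identifiers are placeholders, not real CVEs.
SAMPLE = [
    CveRecord("CVE-2026-00001", date(2026, 4, 10), in_kev=True, cna_severity=9.8),
    CveRecord("CVE-2026-00002", date(2026, 4, 12), eo14028_critical=True),
    CveRecord("CVE-2025-00003", date(2025, 11, 3), federal_use=True),  # backlog, not in KEV
    CveRecord("CVE-2025-00004", date(2025, 12, 20), in_kev=True),      # backlog, KEV exempt
    CveRecord("CVE-2026-00005", date(2026, 4, 1), cna_severity=5.3),   # meets no criterion
]
```

Note that a backlogged federal-use CVE still lands in "Not Scheduled", which is exactly the case where the article's e-mail request path applies.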

“On the plus side, NIST is clearly and publicly setting expectations for the community amid a huge and escalating rise in new vulnerabilities. On the other hand, a significant portion of vulnerabilities now appear to have no clear path to enrichment for organizations relying on NIST as their authoritative (or only) source of CVE enrichment data.” Data from the cybersecurity company shows that there are still approximately 10,000 vulnerabilities from 2025 without a CVSS score. NIST is estimated to have enriched 14,000 ‘CVE-2025’ vulnerabilities, accounting for about 32% of the 2025 CVE population. “This announcement underscores what we already know: We no longer live in a world where manual enrichment of new vulnerabilities is a feasible or effective strategy,” Condon said.

“Even without AI-driven vulnerability discovery accelerating CVE volume and validation challenges, today’s threat climate unequivocally demands distributed, machine-speed approaches to vulnerability identification and enrichment, along with a genuinely global perspective on risk that acknowledges the interconnected, interdependent nature of the worldwide software ecosystem – and the attackers who target it. After all, what we don’t prioritize for ourselves, adversaries will prioritize for us.” David Lindner, chief information security officer of Contrast Security, said NIST’s decision to only prioritize high-impact vulnerabilities marks the end of an era where defenders could leverage a single government-managed database to assess security risks, forcing organizations to pivot to a proactive approach to risk management that’s driven by threat intelligence. “Modern defenders must move beyond the noise of total CVE volume and instead focus their limited resources on the CISA KEV list and exploitability metrics,” Lindner said. “While this transition may disrupt legacy auditing workflows, it ultimately matures the industry by demanding that we prioritize actual exposure over theoretical severity.

Relying on a curated subset of actionable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every minor bug.”