DAILY WORKFLOW ARCHIVE

2026-05-05 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-05-05 AI创业新闻

Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools

An active phishing campaign has been observed targeting multiple vectors since at least April 2025 with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts. The activity, codenamed VENOMOUS#HELPER , has impacted over 80 organizations, most of which are in the U.S., according to Securonix. It shares overlaps with clusters previously tracked by Red Canary and Sophos, the latter of which has given it the moniker STAC6405 . While it’s not clear who is behind the campaign, the cybersecurity company said it aligns with a financially motivated Initial Access Broker (IAB) or a ransomware precursor operation.

“In this case, a customized SimpleHelp and ScreenConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News. Setting aside the fact that the use of legitimate RMM tools can evade detection, the deployment of both SimpleHelp and ScreenConnect indicates an attempt to create a “redundant dual-channel access architecture” that enables continued operations even when either of them is detected and blocked. It all begins with a phishing email impersonating the U.S. Social Security Administration (SSA), where the recipient is instructed to verify their email address and download a purported SSA statement by clicking on a link embedded in the message.

The link points to a legitimate-but-compromised Mexican business website (“gruta.com[.]mx”), indicating a deliberate strategy to evade email spam filters. The “SSA statement” is then downloaded from a second attacker-controlled domain (“server.cubatiendaalimentos.com[.]mx”), an executable that’s responsible for delivering the SimpleHelp RMM tool. It’s believed that the attacker gained access to a single cPanel user account on the legitimate hosting server to stage the binary. As soon as the victim opens the JWrapper-packaged Windows executable, thinking it’s a document, the malware installs itself as a Windows service with Safe Mode persistence, makes sure it’s running by means of a “self-healing watchdog” that automatically restarts it when killed, and periodically enumerates registered security products using the root\SecurityCenter2 WMI namespace every 67 seconds, and polls user presence every 23 seconds.

To facilitate fully interactive desktop access, the SimpleHelp remote access client acquires SeDebugPrivilege via AdjustTokenPrivileges , while “elev_win.exe” – a legitimate executable file associated with the software – is used to gain SYSTEM-level privileges. This, in turn, allows the operator to read the screen, inject keystrokes, and access user-context resources. This elevated remote access is then abused to download and install ConnectWise ScreenConnect, offering a fallback communication mechanism if the SimpleHelp channel is taken down. “The deployed SimpleHelp version (5.0.1) provides a comprehensive remote administration capability set,” the researchers said.

“The victim organization is left in a state where the attacker can return at any time, execute commands silently in the user’s desktop session, transfer files bidirectionally, and pivot to adjacent systems, while standard antivirus and signature-based controls see nothing but legitimately signed software from a reputable U.K. vendor.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass

Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts. The vulnerabilities in question are CVE-2026-4670 (CVSS score: 9.8), an authentication bypass vulnerability, and CVE-2026-5174 (CVSS score: 7.7), an improper input validation vulnerability that could allow privilege escalation. “Critical and high vulnerabilities in MOVEit Automation may allow authentication bypass and privilege escalation through the service backend command port interfaces,” Progress Software said in an advisory.

“Exploitation may lead to unauthorized access, administrative control, and data exposure.” The shortcomings affect the following versions - MOVEit Automation <= 2025.1.4 (Fixed in MOVEit Automation 2025.1.5) MOVEit Automation <= 2025.0.8 (Fixed in MOVEit Automation 2025.0.9) MOVEit Automation <= 2024.1.7 (Fixed in MOVEit Automation 2024.1.8) Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau have been credited with discovering and reporting the two vulnerabilities. There are no workarounds that resolve the issues. While Progress makes no mention of the flaws being exploited in the wild, it’s essential that users apply the fixes as soon as possible for optimal protection, particularly given that prior flaws in MOVEit Transfer have been exploited by ransomware gangs like Cl0p. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More

This week, the shadows moved faster than the patches. While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems. The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling operations like legitimate businesses — except their product is chaos.

And the underground is getting uncomfortably professional. Here’s the full weekly cybersecurity recap: ⚡ Threat of the Week cPanel Flaw Comes Under Attack —A critical flaw in cPanel and WebHost Manager (WHM) has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-41940, could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel. In some cases , the attacks have led to a complete wipe of entire websites and backups.

Other attacks have deployed Mirai botnet variants and a ransomware strain called Sorry. Is Your Security Program Built on Compliance Theater or Measurable Maturity? If you can’t measure your program’s maturity, you can’t improve it or defend its budget. The SANS Security Awareness & Culture Maturity Model™️ maps 5 stages of security culture development with concrete indicators, behavioral targets, and alignment to business risk priorities.

Download Now — Free ➝ 🔔 Top News Cybercrime Groups Use Vishing for Data Theft and Extortion —Two cybercrime groups tracked as Cordial Spider and Snarky Spider are carrying out “rapid, high-impact attacks” operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The groups employ voice calls, text messages, and emails, directing targeted employees to phishing pages masquerading as their employer’s legitimate single sign-on (SSO) page to capture credentials and provide attackers an entry point into systems, which they exploit for deeper access to victims’ SaaS environments. The attacks also use the initial access hooks to remove and set up multi-factor authentication devices under their control and delete emails that would otherwise alert organizations of potential malicious activity. According to CrowdStrike, “These actors use vishing to bypass MFA and move laterally across entire SaaS ecosystems with a single authenticated session, masking their tracks through residential proxy networks to blend in as legitimate home user traffic.

This is part of a larger trend of English-speaking ransomware crews that share similar playbooks but are branching off into their own distinct groups.” Copy Fail Linux Flaw Exploited —The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-31431, a vulnerability impacting various Linux distributions, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. It’s described as a logic bug in the Linux kernel’s authentication cryptographic template that allows an attacker to reliably trigger privilege escalation trivially by means of a 732-byte Python-based exploit. According to Theori and Xint, CVE-2026-31431 was the result of a series of unremarkable updates to the Linux kernel over the years, particularly one update from 2017 that was meant to speed up data encryption.

As a result, all major Linux distributions from 2017 are impacted. What complicates matters is that Copy Fail works 100% of the time, unlike most local privilege escalation (LPE) bugs that tend to be probabilistic in nature. More worryingly, it leaves no traces on disk as exploitation occurs in memory and enables container escape from any pod in a Kubernetes cluster. TeamPCP’s Supply Chain Attack Spree Continues —TeamPCP’s extensive supply chain campaign continued last week, as the cybercriminal group compromised several packages across the npm, PyPI, and Packagist ecosystems in a “Mini Shai Hulud” attack.

TeamPCP has in recent months compromised the packages of several open source software projects, including Trivy, a security scanner maintained by Aqua Security, and KICS, a Checkmarx-developed tool for static code analysis. Amit Genkin, threat researcher at Upwind, said the latest string of attacks represents a shift, where they are not only more frequent but harder to detect because they weaponize legitimate CI/CD pipelines to push out poisoned versions under real identities, allowing the activity to blend in with normal development workflows. “Campaigns like Shai-Hulud take that further by using each compromised pipeline to spread to the next, turning credential theft into a scaling problem across environments,” Genkin said . “For teams, the immediate priority is to check for the affected version and rotate any credentials tied to pipelines that may have run it, especially GitHub and cloud tokens.

Longer term, this is a signal to reduce how broadly pipeline credentials are scoped and to add visibility into what’s actually happening during installs and builds – because if you’re relying on traditional scanning or known indicators, this type of activity is easy to miss.” New Python Backdoor Enables Comprehensive Data Theft —A newly identified stealthy Python-based backdoor framework dubbed DEEP#DOOR provides attackers with persistent remote command execution and surveillance capabilities on Windows computers. Once active, the backdoor enables shell command execution, file manipulation, system and network reconnaissance, and surveillance operations such as keylogging, clipboard monitoring, screenshot capture, microphone and webcam access, and credentials and SSH key harvesting. Additionally, the malware can shift from data gathering to disruption and system manipulation, as it can overwrite the Master Boot Record, force system crashes, exhaust system resources by spawning numerous processes, and disable Microsoft Defender services. GitHub Flaw Leads to Remote Code Execution —Cybersecurity researchers from Wiz disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server (CVE-2026-3854, CVSS score: 8.7) that could allow an authenticated user to obtain remote code execution with a single “git push” command.

The vulnerability was severe enough that Microsoft rolled out a patch within six days of responsible disclosure. On GitHub.com, it allowed remote code execution on shared storage nodes, and on GitHub Enterprise Server, it granted full server compromise, enabling unauthorized access to all hosted repositories and internal secrets. “Exploitation could expose the codebases of nearly all of the world’s biggest enterprises, making this one of the most severe SaaS vulnerabilities ever found,” a Wiz spokesperson told The Hacker News. VECT 2.0 Ransomware’s Flawed Encryption Makes Data Recovery Impossible —VECT 2.0 ransomware has been found to wipe large files instead of merely encrypting them, making recovery impossible, even for the attackers.

VECT 2.0 is a ransomware-as-a-service (RaaS) program that first appeared in December 2025. The group quickly grabbed headlines after it announced on BreachForums that it was partnering with TeamPCP, the threat group behind several supply chain attacks, such as Trivy, Checkmarx KICS, LiteLLM, and Telnyx, in March and April 2026. VECT also announced a partnership with BreachForums itself, promising that every registered forum user will become an affiliate and be granted use of the ransomware, negotiation platform, and leak site for operations. Beazley Security, in an analysis of the ransomware, said the VECT 2.0 RaaS panel covers the “full operational lifecycle an affiliate needs from payload generation through to payout.” 🔥 Trending CVEs Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast.

These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-41940 (cPanel and WebHost Manager), CVE-2026-31431 aka Copy Fail (Linux Kernel), CVE-2026-42208 (LiteLLM), CVE-2026-3854 (GitHub.com and GitHub Enterprise Server), CVE-2026-32202 (Microsoft Windows Shell), CVE-2026-26268 ( Cursor ), CVE-2026-35414 (OpenSSH), CVE-2026-6770 (Mozilla Firefox and Tor Browser ), CVE-2026-42167 (ProFTPD), CVE-2026-24908, CVE-2026-23627, CVE-2026-24487 (OpenEMR), CVE-2026-6807 (GRASSMARLIN), CVE-2026-7363, CVE-2026-7361, CVE-2026-7344, CVE-2026-7343 (Google Chrome), CVE-2026-7322, CVE-2026-7323, CVE-2026-7324 (Mozilla Firefox), CVE-2026-6100 (CPython), CVE-2026-0204 (SonicWall), CVE-2026-35414 (OpenSSH), CVE-2026-42511 (FreeBSD), CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, CVE-2026-40687 (Exim), CVE-2026-5402, CVE-2026-5403, CVE-2026-5405, CVE-2026-5656 (Wireshark), CVE-2026-42520, CVE-2026-42523, CVE-2026-42524 (Jenkins), CVE-2026-3008 (Notepad++), and CVE-2025-41658, CVE-2025-41659, CVE-2025-41660 (CODESYS). 🎥 Cybersecurity Webinars Learn to Spot Attack Paths Your AppSec Tools Completely Miss → Modern attackers chain tiny flaws across code, pipelines, and cloud into major breaches — while your AppSec tools stay blind. Join this free webinar with Wiz and The Hacker News to uncover the top real-world attack paths and learn exactly how to spot, map, and stop them fast.

Practical insights to prioritize real risks and strengthen your entire software lifecycle. How to Match AI Attack Speed with Autonomous Exposure Validation → Struggling with AI attacks moving faster than your team can respond? Join this free webinar from Picus Security & The Hacker News to discover Autonomous Exposure Validation – how to automatically find real risks, test attack paths, and fix them in minutes, not weeks. Practical, no-fluff insights to stay ahead without burnout.

Grab your spot now. Learn Latest AI Threats + Practical Ways to Kill Initial Access → Modern attackers are slipping past traditional defenses with AI-powered phishing, encrypted malware, and stealthy “Patient Zero” tactics. Want to stay ahead? Join this free webinar with Zscaler and The Hacker News to uncover the latest threat trends and practical Zero Trust strategies that actually stop initial compromise — before it becomes a full-blown breach.

No fluff, just real insights to protect your organization. 📰 Around the Cyber World OpenAI Debuts Advanced Account Security —OpenAI launched Advanced Account Security, a set of opt-in protections for ChatGPT users “designed for people at increased risk of digital attacks, as well as for those who want the strongest account protections available.” As part of the new program, the new controls strengthen sign-in protections, tighten account recovery, reduce exposure from compromised sessions, and give users more visibility into account activity. OpenAI has also partnered with Yubico to link two physical security keys, YubiKey C Nano and YubiKey C NFC, to ChatGPT accounts. That said, users can use any other FIDO-compliant security key, or use software-based passkeys for phishing-resistant authentication.

Over 8.8K Ransomware Attacks in 2025 —Fortinet said it recorded 7,831 confirmed ransomware victims globally in 2025, skyrocketing from approximately 1,600 identified victims in 2024. “Availability of crime service kits like WormGPT, FraudGPT, and BruteForceAI contributed to this 389% increase year-over-year (YoY),” Fortinet said . “The top three targeted sectors include manufacturing (1,284), business services (824), and retail (682). Geographic concentration includes the U.S.

(3,381), Canada (374), and Germany (291).” KidsProtect Android Surveillance Tool Marketed on the Web —A new Android surveillance tool called KidsProtect is being openly advertised on the clear web that gives an operator near-total secret control of a victim’s phone. “It can’t be removed without the attacker’s permission,” Certo said . “From a web-based dashboard, an operator can secretly record calls, stream live audio from the device’s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras.” Assessed to be the work of a Greek-speaking developer, it’s available on a subscription basis starting from $60, allowing anyone to buy it, rebrand it, and start selling it as their own. New KYCShadow Android Malware Detected —An Android malware masquerading as a bank KYC verification application is being distributed via WhatsApp and primarily targeting users in India.

“The application operates as a multi-stage dropper that installs a secondary payload and establishes persistent command-and-control (C2) communication,” CYFIRMA said . “It combines native code obfuscation, Firebase-based remote execution, VPN-based traffic manipulation, and WebView-based phishing to systematically harvest sensitive user data.” Phishing Campaign Targets Pakistan Orgs —A highly targeted spear-phishing campaign targeting the Punjab Safe Cities Authority and PPIC3 in Pakistan has been found to use legitimate-sounding government infrastructure projects as lures to deliver malware. “The email carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from a BunnyCDN-hosted malicious infrastructure,” Joe Security said . “The attack chain establishes persistent remote access by abusing Microsoft’s legitimate VS Code tunnel service, with exfiltration notifications sent via a Discord webhook — a sophisticated technique designed to evade network-level detection.” Calendly-Themed Phishing Attacks on the Rise —Multiple threat clusters are leveraging Calendly-themed phishing to fingerprint site visitors and steal credentials and other data.

“Behind the shared Calendly branding sits a diverse set of phishing kits, including API-driven frameworks, real-time Socket.IO applications, fake CAPTCHA chains, and Telegram-based exfiltration,” urlscan said . Fraud Campaigns GovTrapand FEMITBOT Exposed —Threat actors have been observed deploying sophisticated tactics, including fake government portals, SMS phishing, and lookalike domains, to drive financial fraud and credential harvesting as part of an effort called GovTrap . The government impersonation scam mimics official portals with high accuracy, with links to the fake sites distributed via SMS or email. The end goal is to trick users into entering their personal and financial information, or make non-existent payments that are transferred through money mule accounts.

The collected payment card details are abused to facilitate fraudulent transactions. Another threat cluster has leveraged FEMITBOT, a malicious infrastructure that abuses Telegram Mini Apps to scale global fraud campaigns and Android malware delivery. “By leveraging Telegram’s native features, threat actors create highly convincing fake platforms across crypto, financial services, AI, and streaming sectors,” CTM360 said . “Built on a modular, template-driven architecture, FEMITBOT enables rapid deployment, brand impersonation, and campaign optimization using real-time tracking and analytics.” New PowerShell Desktop Stealer Spotted —A Pastebin-hosted PowerShell script disguised as “Windows Telemetry Update” comes with capabilities to steal Telegram Desktop session data via Telegram bot API exfiltration.

“The script collects host metadata, including username, hostname, and public IP via api.ipify[.]org, then checks for Telegram Desktop and Telegram Desktop Beta tdata directories,” Flare said . “If found, it terminates the Telegram process to release file locks, archives session material into ‘TEMP\diag.zip,’ and uploads the archive to the attacker-controlled operator chat via the Telegram Bot API sendDocument endpoint.” Surge in Teams Phishing in 2026 —eSentire said it has observed an increase in Microsoft Teams-based phishing since early 2026, in which threat actors impersonate IT support and help desk personnel to trick users into granting remote access to their devices. “These phishing attacks have often been linked to email bombing, followed by threat actors reaching out to users under the guise of providing assistance to resolve an issue,” eSentire said . “The objective of the attack is to trick the user into granting remote access to their device, and once obtained, threat actors will attempt to exfiltrate data and execute additional payloads to establish persistence or deploy ransomware.” New KarstoRAT Malware Enables Data Theft —First spotted in early 2026, KarstoRAT is capable of system reconnaissance, audio and webcam monitoring, screenshot capture, key logging, and token theft.

It also enables threat actors to download and run additional payloads, which could point to it being used for post-compromise control on infected machines. “KarstoRAT uses a command-and-control (C2) server that has a diverse set of open ports and services, indicating that it has a multi-purpose infrastructure created for C2 communication and payload distribution,” LevelBlue said . “Threat actors use a fake Blox Fruits (a popular Roblox game) virtual marketplace as a lure to trick players into downloading malware that will install KarstoRAT into their machines.” ClickUp Discloses Email Address Exposure —ClickUp said its client-side feature flag configuration exposed personally identifiable information. This included 893 customer email addresses that were embedded in feature flag targeting rules, along with one flag that improperly referenced a customer’s API token.

“The exposure was limited to 893 customer email addresses used in feature flag targeting rules to control which users see specific features during rollouts,” it said . “If your email address was among those included in a feature flag configuration, you have been directly contacted.” The incident did not expose any other data. Finnish Authorities Arrest Alleged Scattered Spider Member —Finnish authorities arrested 19-year-old Peter Stokes (aka Bouquet), a dual U.S.-Estonian citizen, as he tried to board a flight to Japan. U.S.

prosecutors have charged him as a key member of the notorious Scattered Spider hacking group, and he faces multiple counts of wire fraud, conspiracy, and computer intrusion. New Attacks Linked to Versatile Werewolf —The threat actor known as Versatile Werewolf (aka HeartlessSoul) has been linked to campaigns targeting Russian state structures and aviation companies via phishing emails with malicious archive attachments and malvertising campaigns to deliver a JavaScript trojan. The end goal is to obtain confidential data, particularly geospatial information. Alternatively, the threat actor is known to distribute malicious code using the legitimate SourceForge platform through a project called GearUP.

Versatile Werewolf is believed to be active since at least September 2025. Some of the attachments have exploded ZDI-CAN-25373 to trigger the infection chain. The malvertising campaign uses fake domains (“battleflight[.]pro”) to deliver bogus installers for aviation-related software to launch the same trojan. “The initial infection involves executing PowerShell commands or scripts designed to download a JavaScript loader from C2 servers,” Kaspersky said .

“This loader, in turn, loads and executes the main JS-RAT and its modules in memory, among which we found tools for data collection and exfiltration, keyloggers, screen capture tools, UAC bypass tools, and other payloads.” The company noted that the domain “battleflight[.]pro” resolves to an IP address that also hosts fake domains linked to the GOFFEE APT. “Both groups actively use PowerShell payloads to deliver and execute malicious modules,” it added. “GOFFEE also targets the public sector, which suggests the possibility of joint or coordinated campaigns.” Cisco Unveils Model Provenance Kit —Cisco unveiled a new open-source tool, named Model Provenance Kit, to help organizations address potential issues associated with the use of third-party AI models. “Much like a DNA test reveals biological origins, the Model Provenance Kit examines both metadata and the actual learned parameters of a model (like a unique genome that comprises a model), to assess whether models share a common origin and identify signs of modification,” Cisco said .

“This, combined with a constitution that defines provenance linkages, is an important step toward providing evidence-based assurance that the AI you deploy is what it says it is.” Abuse of Hugging Face and ClawHub for Malware Delivery —Threat actors are abusing legitimate AI platforms like Hugging Face and ClawHub for malware delivery, once again demonstrating how trust in AI ecosystems are being exploited. Acronis said it identified more than 575 malicious skills across 13 developer accounts that target both Windows and macOS systems with trojans, cryptocurrency miners, and AMOS stealer, a macOS-focused infostealer. “On Hugging Face, attackers leverage repositories to host payloads and act as staging infrastructure within multistep infection chains, distributing malware disguised as legitimate applications,” Acronis said . European Authorities Bust Cryptocurrency Fraud Ring —Albanian and Austrian authorities dismantled a cryptocurrency investment fraud ring that caused estimated losses of more than €50 million ($58.5 million) to victims worldwide.

The operation, which took place over two years, resulted in the arrest of ten individuals, the search of multiple premises, and the seizure of 891,735 in cash, 443 computers, 238 mobile phones, six laptops, and multiple storage devices. “The criminal network, allegedly operating several call centres in Tirana, Albania, is believed to have caused significant financial damage, totalling at least €50 million,” Europol said . “The call centres were professionally set up and organized, resembling legitimate business structures featuring a clear division of roles and hierarchical management.” The criminal network is estimated to have involved up to 450 employees across various departments. The scheme involved luring victims to seemingly legitimate online investment platforms through deceptive advertisements on social media or web searches, and coaxing them into making investments under the promise of huge returns.

Victims were then assigned retention agents, who masqueraded as investment advisors and used remote access software to gain full control of their devices. “The fraudsters feigned professional expertise and employed psychological pressure to persuade victims to make additional investments, falsely claiming they would be profitable,” Europol said. “In truth, the funds were never invested but were instead channelled into an intricate international money-laundering scheme, ultimately disappearing into the hands of the criminal organisation.” In some cases, the fraudsters reached out to the victims again and offered help with recovering their stolen funds, only to demand a €500 entry fee and defraud them a second time. Flaws in EnOcean’s SmartServer —Two security flaws have been disclosed in EnOcean’s SmartServer IoT platform that affect version 4.60.009 and prior.

According to
Claroty
“CVE-2026-20761 allows remote attackers to send malicious, crafted LON IP-852 messages that result in arbitrary command execution on devices. CVE-2026-22885 allows remote attackers to send malicious, crafted IP-852 messages that bypass ASLR memory protections and leak memory.” Successful exploitation of the flaws results in attackers obtaining control over building management and building automation systems running affected versions of this platform and legacy i.LON devices. Patches have been released for both vulnerabilities. Google Announces Android Credential Manager Update —Google has announced a new update to Android’s Credential Manager that allows apps to automatically verify a user’s personal Gmail address without requiring one-time passwords (OTPs) or email verification links.

“Google now issues a cryptographically verified email credential directly to Android devices,” the company said . “For users, this completely removes the need to manually verify their email through external channels. For developers, the API securely delivers these verified user claims for any scenario, whether you are building an account creation flow, a recovery process, or a high-risk step-up authentication.” Nearly 8.8K Secrets Leaked Online —According to Truffle Security , 8,792 verified, unique secrets have been leaked online through web-based development environments. The tokens were found across 22 million public projects hosted on Cloud Development Environments (CDEs) such as CodePen, CodeSandbox, JSFiddle, and StackBlitz.

Is There More to the Xygeni Compromise? —Multiple connections have been found between the compromise of the Xygeni vulnerability scanner on GitHub and a proxy botnet of hacked ASUS and TP-Link routers. Some of the TP-Link consumer routers have been compromised with Microsocks to unroll them to a residential proxy network. “These routers were also running a custom command-and-control beacon that was named ShadowLink,” Ctrl-Alt-Intel said .

“When we analysed the ShadowLink protocol, we found it was identical, down to a shared authentication secret, to the backdoor planted in the Xygeni GitHub Action used for that supply chain attack.” Brazilian Anti-DDoS Firm Behind DDoS Attacks on ISPs —Huge Networks, a Brazilian tech company that specializes in protecting networks from distributed denial-of-service (DDoS) attacks, has been enabling a botnet responsible for massive DDoS attacks against other internet service providers (ISPs) in the country, according to KrebsOnSecurity . The company has since said the malicious activity resulted from an intrusion first detected in January 2026 and claimed it was likely the work of a competitor. Canonical Target of Sustained DDoS Attack —Canonical disclosed its web infrastructure came under a “sustained, cross-border attack,” knocking Ubuntu servers offline for several hours. A pro-Iranian hacktivist group known as the Islamic Cyber Resistance in Iraq, aka 313 Team , claimed responsibility for the attack on Telegram.

The websites have since become operational . Last month, the group also disrupted access to the decentralized social media platform Bluesky. New Phishing Kit Bluekit Detailed —A new phishing kit named Bluekit is offering more than 40 templates targeting popular services and includes basic artificial intelligence (AI)-powered features for generating campaign drafts. Available templates can be used to target email accounts (Outlook, Hotmail, Gmail, Yahoo, ProtonMail), cloud and enterprise services (iCloud and Zoho), developer platforms (GitHub), and cryptocurrency services (Ledger).

What makes the kit stand out is the presence of an AI Assistant panel that supports multiple models, including Llama, GPT-4.1, Claude, Gemini, and DeepSeek, to help criminals draft phishing emails. It also has support for two-factor authentication, geolocation emulation, antibot cloaking, notifications, spoofing capabilities, voice cloning, and a mail sender. The development once again reinforces the broader trend of crimeware services integrating AI to streamline and scale their operations. Bluekit is the second kit to integrate AI features in as many months.

In April 2026, Abnormal Security shed light on a cybercrime platform called ATHR that uses AI vishing agents, credential harvesting panels, and built-in phishing mailers to execute and scale telephone-oriented attack delivery ( TOAD ) attacks. North Korea Calls U.S. Cyber Threat Claims a Fabrication — North Korea’s foreign ministry rejected U.S. accusations that the country poses a cyber threat, stating the U.S.

was spreading false information about a non-existent cyber threat from North Korea for political purposes, per Reuters . The ministry said it “would actively take all necessary measures for defending the interests of the state and protecting the rights and interests of its citizens in cyberspace.” 🔧 Cybersecurity Tools Model Provenance Kit → It is a free open-source Python tool from Cisco AI Defense that helps identify if a machine learning model is based on a known base model (like Llama, Mistral, GPT, etc.). It analyzes architecture, tokenizer, and weights to quickly compare two models or check against a database of ~150 popular base models. AutoFyn → It is an open-source tool from SignalPilot Labs that runs Claude AI in self-improving loops to optimize measurable goals.

Give it a GitHub repo, a clear task (like security hardening, bug fixing, or performance optimization), and a time budget — it works in sandboxed rounds, tracks progress with real evaluations, learns from failures, and delivers improved code via PRs. Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.

Conclusion Stay sharp out there. The pace of attacks is accelerating, and the margin for delay is shrinking. Patch what you can today, verify your supply chains, tighten SaaS access, and treat every “routine” login or pipeline run as potentially hostile. Small habits now will save major headaches later.

Until next Monday. Keep your defenses tight and your eyes open. The threats won’t wait — neither should we. See you in the next recap.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

2026: The Year of AI-Assisted Attacks

On December 4, 2025, a 17-year-old was arrested in Osaka under Japan’s Unauthorized Access Prohibition Act. The young man had run malicious code to extract the personal data of over 7 million users of Kaikatsu Club , Japan’s largest internet cafe chain. When asked, the young man shared his motivation for the hack: he wanted to buy Pokémon cards. In a sense, this is a fairly conventional story.

Since the 1990s, we’ve read about computing wunderkinds such as Kevin Mitnick, whose technical ability exceeded their judgment and who were drawn into high-profile cybercrimes in pursuit of status, profit, or excitement. But something is different in this story: the young man in question wasn’t technical. The rise of AI-assisted attacks In 2025, LLM-backed chat and agent systems crossed a threshold, going from useful but error-prone coding assistants to end-to-end coding powerhouses. Throughout the year, several measures of cybercrime frequency and severity approximately doubled.

Instances of malicious packages discovered on public repositories increased by 75% , cloud intrusions increased by 35% , and AI-generated phishing began outperforming human red teams entirely. A more qualitative difference, however, has been in the profiles of those conducting attacks. In February 2025, three teenagers (ages 14, 15, and 16) with no coding background used ChatGPT to build a tool that hit Rakuten Mobile ’s system ~220,000 times, spending their proceeds on gaming consoles and online gambling. In July 2025, a single actor using Claude Code, a more sophisticated agentic coding platform, conducted an extortion campaign targeting 17 organizations over the course of one month, using agentic AI to develop malicious code, organize stolen files, analyze financial records to calibrate demands, and draft extortion emails.

In December 2025, another individual used Claude Code and ChatGPT to breach the Mexican government , targeting more than 10 agencies and stealing over 195 million taxpayer records. While these attacks were possible before 2025, we are now seeing single-actor attacks that would have been characteristic of organized teams and smaller-scale attacks by nontechnical individuals that would have been more characteristic of attacks carried out by a talented hacker or engineer in the pre-AI era. In 2025, the barrier to entry for conducting a technically sophisticated attack has been significantly lowered. Bad numbers go up Throughout 2025, measures of bot activity, malware, targeted compromise, and phishing exhibited dramatic increases.

At the same time, measures of LLM capability on technical benchmarks leaped forward. In 2022, there were 55,000 malicious packages in public repositories, according to Sonatype . By 2025, that number had grown to 454,600. Notable leaps occurred in 2023 (the year GPT-4 was released) and 2025 (a marquee year for agentic coding).

Another practical measure of real-world attacker capability, time to exploit, is almost unrecognizable from the pre-AI era. Time to exploit measures the time from when a vulnerability is publicizeduntil an exploit for that vulnerability has been discovered in the wild. This number has come down from over 700 days in 2020 to only 44 days in 2025 . This means attackers are developing exploits for known vulnerabilities in less than 2 months, rather than in almost 2 years.

In fact, Mandiant’s M-Trends 2026 report found that time-to-exploit has effectively gone negative — exploits are now routinely arriving before patches, with 28.3% of CVEs exploited within 24 hours of disclosure. Throughout 2024, 2025, and early 2026, the performance of frontier models such as ChatGPT, Claude, and Gemini on benchmarks such as SWE-bench, a test of software development capability, rocketed through the roof. In August 2024, top models could resolve 33% of real GitHub issues on the bench. By December 2025, that number had climbed to just under 81%.

In late 2024 and especially 2025, AI-assisted coding hit an inflection point. Supercharging coding, however, has also supercharged offensive capabilities, and the environment in 2026 reflects these changes, with attacks occurring more frequently, with greater severity, and with greater impact. Can’t patch the pain away AI is speeding up both defenders and attackers. Unfortunately, based on data from 2025 and 2026, the arms race is favoring attackers.

The average time to remediate a known high- or critical-severity CVE is now 74 days, according to the Edgescan 2025 Vulnerability Statistics Report. In addition, 45% of vulnerabilities in systems maintained by large companies (1000+ employees) never get remediated. Organizations have also been feeling pressure from the increased malware found in public package repositories. In September 2025, the Shai-Hulud attack targeting the npm ecosystem compromised over 500 packages.

Over 487 organizations had secrets compromised , and $8.5m was stolen from Trust Wallet after attackers used exposed credentials to poison its Chrome extension. Many organizations instituted code freezes following the attack. The detection problem compounds this. In 2025, malicious npm packages posing as popular libraries like chalk and debug included documentation, unit tests, and code structured to appear as legitimate telemetry modules.

Static analysis and signature scanners missed them entirely — because the code, likely AI-generated, looked like real software. As Chainguard CEO Dan Lorenc has observed , “The complexity and scale of vulnerability management has outgrown the capabilities of most organizations to manage on their own.” Deleting categories of attack The lesson of 2025 is that you can’t outrun these attacks. The exploit window is shrinking faster than patch cycles can compress, and AI-generated malware is slipping past the detection tools that organizations have relied on for decades. The Venn diagram of “willing to do attacks” and “has technical ability to do attacks” used to be a sliver, but it is growing every month.

At the same time, we’re building more software, faster. And if the supply chain attacks are coming fast in 2026, what will 2027 look like with model capabilities dialed up to 10? Thinking in terms of speed and outrunning attacks will only get teams so far in the current environment. Rather, the smart move is to hit delete on entire categories of vulnerability, freeing up teams to focus on the remaining areas.

This is the approach behind Chainguard Libraries , which rebuilds every open source library from verified, attributable source code. The idea behind Libraries is to render whole categories of attacks structurally impossible, protecting users from CI/CD takeover, dependency confusion, long-lived token theft, or package distribution attacks. When tested against 8,783 malicious npm packages , Chainguard Libraries blocked 99.7%. Against approximately 3,000 malicious Python packages, it blocked roughly 98%.

454,600 malicious packages last year. 394,877 in a single quarter. An amateur in Algeria built ransomware that hit 85 targets in his first month. A 17-year-old exfiltrated 7 million records to buy Pokémon cards.

The tools that enabled these attacks are getting cheaper, faster, and more accessible. Instead of scrambling when the next Axios or Shai-Hulud hits next week or next month, you could just read about it over your cup of coffee while your organization populates production systems, artifact managers, and developer workstations from Chainguard Libraries. Note: This article was expertly written and contributed by Patrick Smyth, Principal Developer Relations Engineer, Chainguard. Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia

The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor . The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities in January 2026. “Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a ‘list of tax violations,’” Kaspersky said . “Inside the archive was a modified Rust-based loader pulled from a public repository.

This loader would download and execute the well-known ValleyRAT backdoor.” The campaign is estimated to have impacted organizations across the industrial, consulting, retail, and transportation sectors. More than 1,600 phishing emails were flagged between early January and early February. What’s notable about these phishing waves is the delivery of a new ValleyRAT plugin that functions as a loader for a previously undocumented Python-based backdoor codenamed ABCDoor. The backdoor, per the Russian cybersecurity company, has been part of the threat actor’s arsenal since at least December 19, 2024, and was put to use in cyber attacks beginning February or March 2025.

The starting point of the attack chain is a phishing email containing a PDF file, which features two clickable links that lead to the download of a ZIP or RAR archive hosted on “abc.haijing88[.]com.” In the campaign detected in December 2025, the malicious code is said to have been embedded directly within the files attached to the email. Present within the archive is an executable that mimics a PDF file. The binary is a modified version of an open-source shellcode loader and antivirus bypass framework called RustSL . Silver Fox’s first recorded use of RustSL dates back to late December 2025.

The end goal of the Silver Fox RustSL variant is to unpack the encrypted malicious payload, while implementing country-based geofencing and environment checks to detect virtual machines and sandboxes. While the GitHub variant only includes China in its country list, the bespoke version features India, Indonesia, South Africa, Russia, and Cambodia. One variant of the loader has been found to employ a novel method called Phantom Persistence to establish persistence on the compromised host. It was first documented in June 2025.

“This method abuses functionality designed to allow applications requiring a reboot for updates to complete the installation process properly,” Kaspersky explained. “The attackers intercept the system shutdown signal, halt the normal shutdown sequence, and trigger a reboot under the guise of an update for the malware. Consequently, the loader forces the system to execute it upon OS startup.” The encrypted payload loaded by RustSL results in the download of the encrypted ValleyRAT (aka Winos 4.0) malware, with the core component (“login-module.dll_bin”) responsible for command-and-control (C2) communications, command execution, and retrieval and execution of additional modules. One of the custom modules deployed as part of the attack following a second geofencing check is ABCDoor, which contacts an external server via HTTPS and processes incoming messages to facilitate persistence, handle backdoor updates and removal, collect data such as screenshots, enable remote mouse and keyboard control, perform file system operations, manage system processes, and exfiltrate clipboard contents.

As recently as November 2025, Silver Fox has been observed using a JavaScript loader to deliver ABCDoor, with the loader distributed via self-extracting (SFX) archives that were packaged inside ZIP archives likely sent via phishing emails. Newer versions of RustSL have since expanded the geographic focus to include Japan. The highest number of attacks has been detected in India, Russia, and Indonesia, followed by South Africa and Japan. The majority of loader samples discovered have employed tax-themed lures to imitate the infection sequence.

“Since 2024, [Silver Fox] has evolved into a dual-track operational model that simultaneously conducts profitable extensive opportunistic activities and espionage activities,” S2W said . “In the early stages, the group targeted China for attacks, but later expanded its operational scope to Taiwan and Japan.” “The Silver Fox group primarily utilizes highly customized spear phishing techniques for initial infiltration, deploying sophisticated and diversified attack scenarios tailored to the seasonal issues of the target country and the target’s work characteristics.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks

A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel. The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940 , a critical vulnerability in cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel. The attack efforts have originated from the IP address “95.111.250[.]175,” primarily singling out government and military domains associated with the Philippines (.mil.ph and (.ph)) and Laos (*.gov.la), as well as MSPs and hosting providers, using publicly-available proof-of-concepts (PoCs). In addition, Ctrl-Alt-Intel revealed that the threat actor used a separate custom exploit chain for an Indonesian defense sector training portal prior to the cPanel attacks, employing a combination of authenticated SQL injection and remote code execution.

In this case, the attacker is said to have already been in possession of valid credentials to the portal in question. “The script uses hard-coded credentials and defeats the portal’s CAPTCHA by reading the expected CAPTCHA value out of the server-issued session cookie rather than solving the challenge normally,” Ctrl-Alt-Intel said. “Once authenticated and passing the CAPTCHA, the actor moves to a document-management function. The vulnerable parameter is the field used to save a document name, and the script injects SQL into that field when posting to the document-save endpoint.” Further analysis has determined that the threat actor is using the AdaptixC2 command-and-control (C2) framework to remotely commandeer the compromised endpoint.

Also used are tools like OpenVPN and Ligolo to facilitate persistent access to internal victim networks. “The actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents,” Ctrl-Alt-Intel added. It’s currently not known who is behind the campaign, but the development comes as Censys said it uncovered evidence suggesting the cPanel vulnerability is being weaponized by multiple third-parties within 24 hours of public disclosure, including deploying Mirai botnet variants and a ransomware strain called Sorry. Per data from the Shadowserver Foundation, at least 44,000 IP addresses likely compromised via CVE-2026-41940 are said to have engaged in scanning and brute-force attacks against its honeypots on April 30, 2026.

As of May 3, the figure has dropped to 3,540. The development comes as cPanel has made available a new version of the detection script to help further remove additional false positives. Users are recommended to apply the patches as soon as possible and take steps to clean up the environment if indicators of compromise (IoCs) are detected. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Global Crackdown Arrests 276, Shuts 9 Crypto Scam Centers, Seizes $701M

A coordinated international operation involving U.S. and Chinese authorities has arrested at least 276 suspects and shut down nine scam centers used for cryptocurrency investment fraud schemes targeting Americans, resulting in millions of dollars in losses. The crackdown was led by the Dubai Police, under the United Arab Emirates (UAE) Ministry of Interior, in partnership with the U.S. Federal Bureau of Investigation (FBI) and the Chinese Ministry of Public Security.

Among those arrested are individuals from Burma and Indonesia, who were apprehended by authorities from Dubai and Thailand. Thet Min Nyi, 27, Wiliang Awang, 23, Andreas Chandra, 29, Lisa Mariam, 29, and two fugitive co-conspirators have been charged with federal fraud and money laundering charges in the U.S. “Fraudsters who target Americans from overseas cannot operate with impunity, no matter where in the world they reside,” Assistant Attorney General A. Tysen Duva of the Justice Department’s (DoJ) Criminal Division said .

“Scam center organizers and fraudsters who defraud Americans and others will face justice in American courts and in courts around the world. In contemporary society, fraud is borderless, and law enforcement activity to combat it and eliminate it is as well.” According to the indictment, the defendants are alleged to have managed, worked for, and recruited others to work at three different companies named Ko Thet Company, Sanduo Group, and Giant Company that allegedly operated several scam centers. Thet Min Nyi is believed to be the manager and recruiter for the Ko Thet Company. The scams involved tricking users into parting with their money through bogus cryptocurrency investments after building trust over time, often by entering into friendly or romantic relationships, a long-running scheme known as pig butchering or romance baiting .

The illicit operation is closely intertwined with human trafficking, where foreign nationals are coerced into running the scams under slave-like conditions after being recruited with false offers of high-paying jobs. “After that, the scammers promoted investments in cryptocurrencies and assisted victims in setting up accounts and transferring cryptocurrency to investment platforms that, unbeknownst to the victims, were false,” the DoJ said. “The alleged scammers touted their own successes and returns in cryptocurrency investments and encouraged their victims to invest more. They also encouraged their victims to borrow money from friends and family and take out loans, to be able to ‘invest’ more.” But as soon as the funds were transferred to the platforms, the assets were laundered to other cryptocurrency accounts, including some belonging to the fraudsters.

The DoJ said the FBI has notified almost 9,000 victims and saved victims an estimated $562 million as of April 2026 following the launch of an initiative called Operation Level Up , which began in January 2024 as a way to proactively identify and alert victims of cryptocurrency investment fraud schemes. Two Chinese Nationals Charged for Crypto Scams News of the indictment comes days after the DoJ charged two Chinese nationals – Jiang Wen Jie (aka Jiang Nan) and Huang Xingshan (aka Ah Zhe and Huang Xing Saan) – for their role in a major cryptocurrency investment fraud operation and for allegedly running the Shunda scam compound in Min Let Pan, Myanmar. The defendants have also been accused of planning to open a second scam center in Cambodia after Burmese authorities seized the first in November 2025. Huang is assessed to have worked at Shunda as a high-level manager and personally participated in the physical punishment of trafficked compound workers, while Jiang served as a team leader overseeing workers who specifically targeted American victims in these schemes.

They were arrested by Thai authorities in early 2026 while en route to Burma from Cambodia. “The compound used scam websites and mobile applications disguised as legitimate investment platforms to defraud victims, including Americans,” the DoJ said. “Workers within the compound were trafficked individuals who were held against their will and forced to defraud victims under the threat of violence and torture.” In addition, the crackdown has led to the seizure of a Telegram channel (@pogojobhiring2023) with more than 6,500 followers that was used to recruit human trafficking victims to a scam compound in Cambodia in order to work a law enforcement impersonation scam and a cluster of 503 fake investment websites used to defraud U.S. victims.

The actions, led by a U.S. government Scam Center Strike Force, have also restrained more than $701 million in cryptocurrency alleged to be tied to money laundering from cryptocurrency scams. Treasury Sanctions Cambodian Senator Coinciding with these efforts, the U.S. Treasury Department has sanctioned a Cambodian senator behind a network of cyber scam compounds, and the State Department announced rewards of up to $10 million for information leading to the seizure or recovery of proceeds related to the Tai Chang scam center in Burma.

The sanctions target Cambodian Senator Kok An , Cambodian businessman Rithy Raksmei, their associates, and respective business operations, including holding companies like K99 Group for scam center operations. Kok An is assumed to have fled Thailand, with authorities issuing an arrest warrant for him and his children last July. “Kok An and his affiliates’ network of scam centers, operating out of casinos and office parks retrofitted for fraudulent activity, launder victims’ funds and provide a base to target U.S. citizens and commit human rights abuses with impunity,” the Office of Foreign Assets Control (OFAC) said.

Kok An is the second Cambodian senator to be sanctioned by the U.S. Treasury after Ly Yong Phat , who was implicated in September 2024 for his alleged role in trafficking people into forced labor at online scam centers. The proliferating industrial-scale fraud operations have prompted Cambodia’s parliament to pass the first law dedicated to targeting scam centres operating in the country. The law, which seeks to prevent scam centers from resurfacing after takedowns, will see those convicted of scams sentenced to anywhere between five and 10 years in prison and fined as much as $250,000.

Cambodian Scam Compound Linked to Android MaaS What’s more, an Android banking trojan has been uncovered, likely operating from multiple locations, including the K99 Triumph City compound owned by Cambodia’s K99 Group, that’s capable of facilitating real-time surveillance, credential theft, data exfiltration, as well as financial fraud. The banking trojan is said to have been used since at least 2023. The sophisticated malware-as-a-service (MaaS) platform shares infrastructure and behavioral overlaps with activity previously attributed to threat actors tracked as Vigorish Viper and Vault Viper , per a joint report from Infoblox and Vietnamese non-profit Chong Lua Dao. “The operation remains active, registering around 35 new domains per month – both registered domain generation algorithm (RDGA) domains and lookalike domains – that impersonate legitimate organizations and government services to distribute the malware,” researchers said .

“The domains are designed to spoof banks, pension funds, social security organizations, utility providers, and various revenue, immigration, telecom, and law enforcement agencies. More recently, the scope of the scam has expanded, both geographically and contextually, to include lures targeting airlines and e-commerce platforms, as well as countries in Africa and Latin America.” In all, 400 targeted lure domains are said to have been registered in 2025 and used to deceive and infect victims as part of what’s assessed to be a coordinated operation. The attack chain is as follows - Malicious URLs are distributed to users through SMS messages or emails that appear to come from government officials. Victims visit a fake Google Play Store app listing page or a government service website.

Once the APK is installed and launched, it escalates permissions to facilitate persistence. The malware connects to an external server and enables the operator to remotely keep tabs on the victim device and harvest data. Attackers inject bogus overlay screens on top of online banking apps to capture credentials and then use the access to transfer funds to accounts under their control. “The activity associated with this infrastructure continues to adapt and expand, sustaining large-scale campaigns targeting countries such as Thailand, Indonesia, the Philippines, and Vietnam, while increasingly diversifying into Africa and Latin America,” Infoblox and Chong Lua Dao noted.

“With access to large multilingual labor pools, growing technical capability, and sky-high profits, they are not only adopting but adapting and commoditizing malware, infrastructure, and social engineering techniques into versatile and scalable attack models. What emerges is an ecosystem that is agile, experimental, and commercially driven – one where tools are continuously repurposed, refined, and redeployed to maximize reach and profit.” Operation Atlantic Seizes $12M The developments unfold against the backdrop of Operation Atlantic , which has successfully frozen approximately $12 million from a cybercrime operation targeting cryptocurrency and investment scammers using a technique called “ approval phishing “ to gain access to crypto-wallets and empty their funds. Approval phishing refers to a form of cryptocurrency fraud in which victims are deceived into signing a blockchain transaction that grants a scammer complete control over their wallet, allowing them to drain all their assets. According to TRM Labs , these phishing attacks are “often wrapped inside investment scams or romance fraud.” “This tactic is often used in online investment fraud, often referred to as pig butchering, to lure victims into handing over ever-increasing amounts to scammers,” the U.S.

Secret Service said in a statement. More than 20,000 victims have been identified across 30 countries, including Canada, the U.K., and the U.S. Authorities have also confiscated more than 120 domains used by the threat actors behind the scheme for phishing, and identified an additional $33 million in funds that are believed to be linked to investment fraud schemes globally. In early April, the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) announced a new information-sharing initiative to strengthen cybersecurity across the digital asset industry.

As part of the effort, U.S. digital asset firms and industry organizations that meet the Treasury’s criteria will be eligible to receive actionable cybersecurity information at no extra cost. “The initiative will provide timely, actionable cybersecurity information to eligible U.S. digital asset firms and industry organizations, helping them better identify, prevent, and respond to cyber threats targeting their customers and networks,” the Treasury Department said .

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old flaw is also tracked as Copy Fail by Theori and Xint.

Fixes have been made available in Linux kernel versions 6.18.22, 6.19.12, and 7.0. “Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation,” CISA said in an advisory. In a write-up published earlier this week, the researchers said Copy Fail is the result of a logic bug in the Linux kernel’s authentication cryptographic template that allows an attacker to reliably trigger privilege escalation trivially by means of a 732-byte Python-based exploit. It was introduced through three separate, individually harmless changes to the Linux kernel made in 2011, 2015, and 2017.

The high-severity security vulnerability impacts Linux distributions shipped since 2017, and permits an unprivileged local user to obtain root-level access by corrupting the kernel’s in-memory page cache of any readable file, including setuid binaries. This corruption could be carried out by unprivileged users and could result in code execution with root permissions. “Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk,” Google-owned Wiz said . “This enables attackers to inject code into privileged binaries (e.g., /usr/bin/su) and thereby gain root privileges.” The prevalence of Linux in cloud environments means the vulnerability has a significant impact.

Kaspersky, in its analysis of the flaw, said Copy Fail poses a serious risk to containerized environments, as Docker, LXC, and Kubernetes “grant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel” by default. “Copy Fail poses a risk of breaching container isolation and gaining control over the physical machine,” the Russian security vendor said . “At the same time, exploitation does not require the use of complex techniques, such as race conditions or memory address guessing, which lowers the entry barrier for a potential attacker.” “Detecting the attack is difficult because the exploit uses only legitimate system calls, which are hard to distinguish from normal application behavior.” Adding to the urgency is the availability of a fully working exploit proof-of-concept (PoC), with Kaspersky stating Go and Rust versions of the original Python implementation have already been detected in open-source repositories. CISA did not share any details about how the vulnerability is being exploited in the wild.

However, the Microsoft Defender Security Research Team said it’s “seeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days.” “The attack vector is local (AV:L) and requires low privileges with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation,” it added . “Critically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or container footholds.” The tech giant has also detailed one possible route attackers could take to exploit the vulnerability - Conduct reconnaissance to identify a Linux host or container running a kernel version susceptible to Copy Fail. Prepare a small Python trigger for use against the endpoint. Execute the exploit from a low-privilege context, either as a regular Linux user on a host or a compromised container process with no special capabilities.

Exploit performs a controlled 4‑byte overwrite in the kernel page cache, leading to corruption of sensitive kernel‑managed data. Attacker escalates their process to UID 0 and obtain full root privileges. Federal Civilian Executive Branch (FCEB) agencies have been advised to apply the fixes by May 15, 2026, as updates have been pushed by impacted Linux distributions. If patching is not an immediate option, organizations are recommended to disable the affected feature, implement network isolation, and apply access controls.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Trellix Confirms Source Code Breach With Unauthorized Repository Access

Cybersecurity company Trellix has announced that it suffered a breach that enabled unauthorized access to a “portion” of its source code. It said it “recently identified” the compromise of its source code repository and that it began working with “leading forensic experts” to resolve the matter immediately. It also said it has notified law enforcement of the matter. Trellix did not disclose the exact nature of the data that may have been accessed by the attackers.

However, it pointed out that there are no indications that its source code has been affected or exploited. “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited,” the company added. The company did not share any details about who may be behind the incident, and for how long the attackers had access to its systems. Trellix noted that additional information will be shared as appropriate once its investigation is complete.

Owned by Symphony Technology Group, Trellix was founded in January 2022 following the merger of McAfee Enterprise and FireEye. Around the same time, Mandiant, which was owned by FireEye, was acquired by Google in a deal worth $5.4 billion. When reached for comment, a spokesperson for Trellix acknowledged the breach and shared the same official statement posted on its website. (This is a developing story.

Please check back for more details.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign

A newly discovered Vietnamese-linked operation has been observed using a Google AppSheet as a “phishing relay” to distribute phishing emails with an aim to compromise Facebook accounts. The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are estimated to have been hacked as part of the campaign. “What we found wasn’t a single phishing kit,” security researcher Shaked Chen wrote in a report shared with The Hacker News.

“It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back.” The findings are just the latest example of how Vietnamese threat actors continue to embrace various tactics to gain unauthorized access to victims’ Facebook accounts, which are then sold on underground ecosystems for monetary gain. The starting point of the latest attacks is a phishing email targeting Facebook Business account owners, claiming to be from Meta Support and urging them to submit an appeal, or risk getting their account permanently deleted. The emails are sent from a Google AppSheet address (“noreply@appsheet.com”), allowing them to bypass spam filters. This false sense of urgency is used to direct users to a fake web page designed to harvest their credentials.

It’s worth noting that a similar campaign was reported by KnowBe4 in May 2025. Over the past few weeks, these campaigns have adopted various kinds of lures designed to induce a “Meta-related panic.” These range from account disablement and copyright complaints to verification review, executive recruitment, and Facebook login alerts. The four main clusters identified by Guardio are listed below - Netlify-hosted Facebook help center pages that enable account takeover attacks, in addition to collecting dates of birth, phone numbers, and government-issued ID photos. The data is ultimately forwarded to an attacker-controlled Telegram channel.

Blue badge evaluation lures that guide victims to Vercel-hosted “Security Check” or “Meta Privacy Center” pages that are gated by a bogus CAPTCHA check before directing users to the phishing landing page to collect contact details, business information, credentials (after a forced retry), and two-factor authentication (2FA) codes and exfiltrate them to a Telegram channel. Google Drive-hosted PDFs masquerading as instructions to complete account verification to direct users to collect passwords, 2FA codes, government ID photos, and browser screenshots through html2canvas. The PDF documents are generated using a free Canva account. Fake job offers that impersonate companies like WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola to build rapport with the recipients and ask them to join a call or continue the discussion on attacker-controlled sites.

Cumulatively, the Telegram channels associated with the first three clusters have been found to hold about 30,000 victim records, most of whom are located in the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico, and have been locked out of their own accounts. As for who is behind the operation, the smoking gun evidence has come from the PDFs generated as part of the third cluster using the free Canva account, with metadata listing a Vietnamese name “PHẠM TÀI TÂN” as the files’ author. Further open-source intelligence has led to the discovery of a website (“phamtaitan[.]vn”), where they offer digital marketing services. In a post shared on X in February 2023, the website’s handle said it “specializes in providing digital marketing services, marketing resources, and consulting on effective digital marketing strategies.” “Taken together, they form a consistent picture of a large, Vietnamese-based, mega operation,” Chen said.

“This campaign is bigger than a single AppSheet abuse. It’s a window into the dark market around stolen Facebook assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities. Another entry in the pattern we keep surfacing: trusted platforms repurposed as delivery, hosting, and monetization layers.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks

Cybersecurity researchers are warning of two cybercrime groups that are carrying out “rapid, high-impact attacks” operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and extortion campaigns that share a remarkable degree of operational similarities. Both hacking groups are assessed to be active since at least October 2025, with the latter a native English-speaking crew sharing ties to the e-crime ecosystem known as The Com . “In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications,” CrowdStrike’s Counter Adversary Operations said in a report.

“By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders.” In a report published back in January 2026, Google-owned Mandiant revealed that the two clusters represent an expansion in threat activity that employs tactics consistent with extortion-themed attacks carried out by the ShinyHunters group. This involves impersonating IT staff in calls to deceive victims and obtain their credentials and multi-factor authentication (MFA) codes by directing them to phishing pages. Snarky Spider begins exfiltration in under an hour As recently as last week, Palo Alto Networks Unit 42 and Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) assessed with moderate confidence that the attackers behind CL-CRI-1116 are also most likely associated with The Com, adding that the intrusions primarily rely on living-off-the-land (LotL) techniques, as well as utilize residential proxies to conceal their geographic location and bypass basic IP-based reputation filters.

“CL-CRI-1116 activity has been actively targeting the retail and hospitality space since February 2026, specifically leveraging vishing attacks impersonating IT help desk personnel in combination with phishing login sites to steal credentials,” researchers Lee Clark, Matt Brady, and Cuong Dinh said. Attacks mounted by the two groups are known to register a new device in order to bypass MFA and maintain access to compromised access – but not before removing existing devices – following which the threat actors move to suppress automated email notifications related to unauthorized device registration by configuring inbox rules that automatically delete such messages. The next stage entails pivoting to targeting high-privileged accounts via further social engineering by scraping internal employee directories. Upon again elevated access, the adversaries break into target SaaS environments to look for high-value files and business-critical reports in Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, and then exfiltrate data of interest to infrastructure under its control.

“In most observed cases, these credentials grant access to the organization’s identity provider (IdP), providing a single point of entry into multiple SaaS applications,” CrowdStrike said. “By abusing the trust relationship between the IdP and connected services, the adversaries bypass the need to compromise individual SaaS apps and instead move laterally across the victim’s entire SaaS ecosystem with a single authenticated session.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists

Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO. Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053 . The adversarial collective is assessed to be active since at least December 2024, while sharing some level of network overlap with CL-STA-0049, Earth Alux, and REF7707 . “The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells ( Godzilla ) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables,” security researchers Daniel Lunghi and Lucas Silva said in an analysis.

Targets of the campaigns include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. The lone European country that features in the threat actor’s victimology footprint is Poland. The cybersecurity vendor said it observed nearly half the SHADOW-EARTH-053 targets, particularly those in Malaysia, Sri Lanka, and Myanmar, also compromised earlier by a related intrusion set dubbed SHADOW-EARTH-054, although no evidence of direct operational coordination has been observed. The starting point of the attacks is the exploitation of known security flaws to breach unpatched systems and drop web shells like Godzilla to facilitate persistent remote access.

The web shells function as a delivery vehicle for command execution, enabling reconnaissance and ultimately resulting in the deployment of the ShadowPad backdoor via AnyDesk. The malware is launched using DLL side-loading. In at least one case, the weaponization of the React2Shell (CVE-2025-55182) is said to have facilitated the distribution of a Linux version of Noodle RAT (aka ANGRYREBEL and Nood RAT). It’s worth mentioning here that the Google Threat Intelligence Group (GTIG) linked this attack chain to a group known as UNC6595.

Also put to use are open-source tunneling tools like the IOX, GO Simple Tunnel (GOST), and Wstunnel, as well as RingQ to pack malicious binaries and evade detection. To facilitate privilege escalation, SHADOW-EARTH-053 has been found to use Mimikatz, while lateral movement is accomplished using a custom remote desktop protocol (RDP) launcher and C# implementation of SMBExec known as Sharp-SMBExec . “The primary entry vector used in this campaign were vulnerabilities in internet-facing IIS applications,” Trend Micro said. “Organizations should prioritize applying the latest security updates and cumulative patches to Microsoft Exchange and any web applications hosted on IIS.” “In scenarios where immediate patching is not feasible, we strongly recommend deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically tuned to block exploit attempts against these known CVEs (Virtual Patching).” GLITTER CARP and SEQUIN CARP Go After Activists and Journalists The disclosure comes as the Citizen Lab flagged a new phishing campaign undertaken by two distinct China-affiliated threat actors targeting and impersonating journalists and civil society, including Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists.

The wide-ranging campaigns were first detected in April and June 2025, respectively. The clusters have been codenamed GLITTER CARP , which has singled out the International Consortium of Investigative Journalists (ICIJ), and SEQUIN CARP , whose main target was ICIJ journalist Scilla Alecci and other international journalists writing about topics of critical interest to the Chinese government. “The actor employs well-thought-out digital impersonation schemes in phishing emails, including impersonation of known individuals and tech company security alerts,” the Citizen Lab said . “Although the targeted groups vary, this activity employs the same infrastructure and tactics across all cases, frequently reusing the same domains and same impersonated individuals across multiple targets.” GLITTER CARP, besides conducting broad-scale phishing attacks, has been tied to phishing campaigns targeting the Taiwanese semiconductor industry.

Some aspects of these efforts were previously documented by Proofpoint in July 2025 under the name UNK_SparkyCarp. SEQUIN CARP (aka UNK_DualTone), on the other hand, shares similarities with a group tracked by Volexity as UTA0388 and an intrusion set detailed by Trend Micro as TAOTH . The end goal of the campaigns is to obtain initial access to email-based accounts via credential harvesting, phishing pages, or by socially engineering the target into granting access to a third-party OAuth token. GLITTER CARP’s phishing emails also involve the use of 1x1 tracking pixels that point to a URL on the attacker’s domain to gather device information and confirm if they were opened by the recipients.

The Citizen Lab said it “observed concurrent targeting of specific organizations using both the AiTM phishing kit (GLITTER CARP, UNK_SparkyCarp) and the delivery of HealthKick using different phishing tactics by a separate group (UNK_DropPitch).” This indicates some level of overlap between these groups, it added, although the precise nature of the relationship remains unknown. “Our analysis of the GLITTER CARP and SEQUIN CARP attacks shows that digital transnational repression increasingly operates through a distributed network of actors,” the research unit said. “The targets we identified in both GLITTER CARP and SEQUIN CARP align with the intelligence priorities of the Chinese government.” “The breadth of targeting documented in this report and by others, combined with the available information on China’s past and current use of contractors which mirrors the activity we have observed, suggests with a medium level of confidence that commercial entities hired by the Chinese state may have been behind both clusters of activity described here.” When reached for comment, Mark Kelly, staff threat researcher at Proofpoint, told The Hacker News via email that both UNK_SparkyCarp and UNK_DualTone have carried identity-focused phishing activity against a range of targets, characterizing the targeting of civil society members as likely a “longstanding feature of these groups’ targeting” rather than a recent shift. “We have observed UNK_SparkyCarp (GLITTER CARP) conducting credential phishing activity against academic, political, semiconductor, and legal sector targets in the United States, Europe, and Taiwan,” Kelly added.

“We have not observed the group targeting civil society specifically.” “However, this is very likely a result of our visibility, and we concur with the attribution within Citizen Lab’s reporting. We understand the group has been heavily active in targeting civil society groups of interest to the Chinese government for some time, which is further supported by domains spoofing perceived opposition groups, such as Falun Gong, that date back several years.” Proofpoint also noted that it has detected UNK_DualTone targeting multiple U.S.-based journalists in May 2025, and that the activity closely aligns with a campaign using lures related to protests planned on the occasion of the U.S. Army 250th Anniversary Parade. (The story was updated after publication on May 2, 2026, with additional insights from Proofpoint.) Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.