2026-05-10 AI创业新闻
cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows - CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the “feature::LOADFEATUREFILE” adminbin call that could result in an arbitrary file read. CVE-2026-29202 (CVSS score: 8.8) - An insufficient input validation of the “plugin” parameter in the “create_user API” call that could result in arbitrary Perl code execution on behalf of the already authenticated account’s system user. CVE-2026-29203 (CVSS score: 8.8) - An unsafe symlink handling vulnerability that allows a user to modify access permissions of an arbitrary file using chmod, resulting in denial-of-service or possible privilege escalation.
The shortcomings have been patched in the following versions - cPanel and WHM - 11.136.0.9 and higher 11.134.0.25 and higher 11.132.0.31 and higher 11.130.0.22 and higher 11.126.0.58 and higher 11.124.0.37 and higher 11.118.0.66 and higher 11.110.0.116 and higher 11.110.0.117 and higher 11.102.0.41 and higher 11.94.0.30 and higher 11.86.0.43 and higher WP Squared - 11.136.1.10 and higher cPanel has released 110.0.114 as a direct update for customers who are still on CentOS 6 or CloudLinux 6. Users are advised to update to the latest versions for optimal protection. While there is no evidence that the vulnerabilities have been exploited in the wild, the disclosure comes days after another critical flaw in the product ( CVE-2026-41940 ) has been weaponized by threat actors as a zero-day to deliver Mirai botnet variants and a ransomware strain called Sorry. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that’s capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076 . The malware family is assessed to be a major update of the Maverick , which is known to leverage a worm called SORVEPOTEL to spread via WhatsApp Web to a victim’s contacts. The Maverick campaign is attributed to a threat cluster that Trend Micro calls Water Saci.
At the core of the attack chain is a loader with robust anti-analysis capabilities that deploys two embedded modules: a full-featured banking trojan and a worm component that uses WhatsApp and Microsoft Outlook for propagation. “The observed infection chain bundles a malicious MSI installer inside a ZIP file,” security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus said . “These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder.” The malware leverages DLL side-loading against the application to launch a malicious DLL (“screen_retriever_plugin.dll”), which functions as a loader with a “comprehensive watchdog subsystem” that continuously keeps an eye out for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to sidestep detection. Specifically, the malicious DLL will only execute if it was loaded by either “logiaipromptbuilder.exe” (the Logitech program) or “tclloader.exe” (likely a reference to an executable used during testing).
It also removes any usermode hooks placed by endpoint security software within “ntdll.dll” by replacing the library and disables Event Tracing for Windows (ETW) telemetry. What’s more, the malware generates three fingerprints based on anti-debugging and anti-virtualization checks, system disk information checks, and language checks, using them to create an environment hash value that’s used to decrypt the embedded payload. The system language check ensures that the user’s default language is Brazilian Portuguese. “For example, if a debugger is present, it will produce an incorrect hash, so when the malware attempts to derive the decryption keys from the hash, the payload will not decrypt correctly, and TCLBANKER will stop executing,” Elastic explained.
The main component launched following these checks is the banking trojan that once again verifies if it’s running on a Brazilian system, and then proceeds to establish persistence using a scheduled task. Subsequently, it beacons out to an external server with an HTTP POST request containing basic system information. TCLBANKER also incorporates a self-update mechanism and a URL monitor that extracts the current URL from the foreground browser’s address bar using UI Automation . This step targets popular browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi.
The extracted URL is matched against a hard-coded list of targeted financial institutions. If there is a match, it establishes a WebSocket connection to a remote server and enters into a command dispatch loop, enabling the operator to perform a broad range of tasks - Run shell commands Capture screenshots Start/stop screen streaming Manipulate clipboard Launch a keylogger Remotely control mouse/keyboard Manage files and processes Enumerate running processes List visible windows Serve fake credential-stealing overlays To conduct data theft, TCLBANKER relies on a Windows Presentation Foundation (WPF)-based full-screen overlay framework to conduct social engineering using credential harvesting prompts, vishing wait screens, bogus progress bars, and fake Windows Updates, all while hiding overlays from screen capture tools. In tandem, the loader invokes the worming module to propagate the trojan via spam and phishing messages at scale. It employs a two-pronged approach that involves a WhatsApp Web worm that hijacks authenticated browser sessions and an Outlook email bot that abuses Microsoft Outlook to send fake emails to the victim’s contacts.
Like in the case of SORVEPOTEL , the WhatsApp worm retrieves a messaging template from the server and leverages the open-source project WPPConnect to automate the sending of messages to other users, while filtering out groups, broadcasts, and non-Brazilian numbers. The Outlook agent, on the other hand, is an email spambot that abuses the victim’s installed Microsoft Outlook application to send phishing emails from the victim’s email address, thereby bypassing spam filters and giving the messages an illusion of trust. “TCLBANKER hijacks a victim’s WhatsApp session and Outlook account to spam up to 3,000 contacts with the trojanized installer, this sends malware from the victim’s own accounts, through their own contacts, using legitimate infrastructure,” an Elastic spokesperson told The Hacker News. Traditional email gateways and reputation-based defenses are essentially blind to it.
REF3076 appears to be in early operational stages, with debug logging paths, test process names, and an incomplete phishing site present in the code. This indicates the campaign is still being fleshed out and could further evolve over time. “TCLBANKER reflects a broader maturation happening across the Brazilian banking trojan ecosystem,” Elastic concluded. “Techniques that were once the hallmark of more sophisticated threat actors: environment-gated payload decryption, direct syscall generation, real-time social engineering orchestration over WebSocket, are now being packaged into commodity crimeware.” “The campaign inherits the trust and deliverability of legitimate communications by hijacking victims’ WhatsApp sessions and Outlook accounts.
This is a distribution model that traditional email gateways and reputation-based defenses are ill-equipped to catch.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads
Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that falsely claimed to offer access to call histories for any phone number, only to trick users into joining a subscription that provided fake data and incurred financial loss. The 28 apps have collectively racked up more than 7.3 million downloads, with one of them alone accounting for over 3 million downloads, before they were taken down from the official app storefront.The activity, codenamed CallPhantom by Slovakian cybersecurity company ESET, primarily targeted Android users in India and the broader Asia-Pacific region. “The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number,” ESET security researcher Lukáš Štefanko said in a report shared with The Hacker News. “To unlock this supposed feature, users are asked to pay – but all they get in return is randomly generated data.” The list of identified apps is below - Call history : any number deta (calldetaila.ndcallhisto.rytogetan.ynumber) Call History of Any Number (com.pixelxinnovation.manager) Call Details of Any Number (com.app.call.detail.history) Call History Any Number Detail (sc.call.ofany.mobiledetail) Call History Any Number Detail (com.cddhaduk.callerid.block.contact) Call History Of Any Number (com.basehistory.historydownloading) Call History of Any Numbers (com.call.of.any.number) Call History Of Any Number (com.rajni.callhistory) Call History Any Number Detail (com.callhistory.calldetails.callerids.callerhistory.callhostoryanynumber.getcall.history.callhistorymanager) Call History Any Number Detail (com.callinformative.instantcallhistory.callhistorybluethem.callinfo) Call History Any Number detail (com.call.detail.caller.history) Call History Any Number Detail (com.anycallinformation.datadetailswho.callinfo.numberfinder) Call History Any Number Detail (com.callhistory.callhistoryyourgf) Call History Any Number (com.calldetails.smshistory.callhistoryofanynumber) Call History Any Number Detail (com.callhistory.anynumber.chapfvor.history) Call History of Any Number (com.callhistory.callhistoryany.call) Call History Any Number Detail (com.name.factor) Call History Of Any Number (com.getanynumberofcallhistory.callhistoryofanynumber.findcalldetailsofanynumber) Call History Of Any Number (com.chdev.callhistory) Phone Call History Tracker (com.phone.call.history.tracke) Call History- Any Number Deta (com.pdf.maker.pdfreader.pdfscanner) Call History Of Any Number (com.any.numbers.calls.history) Call History Any Number Detail (com.callapp.historyero) Call History - Any Number Data (all.callhistory.detail) Call History For Any Number (com.easyranktools.callhistoryforanynumber) Call History of Numbers (com.sbpinfotech.findlocationofanynumber) Call History of Any Number (callhistoryeditor.callhistory.numberdetails.calleridlocator) Call History Pro (com.all_historydownload.anynumber.callhistorybackup) At least one of the flagged apps was published under the developer name “Indian gov.in” in an attempt to build a false sense of trust and unsuspecting trick users into downloading it.
However, this trick masks a nefarious motive where victims are asked to make a payment in order to view details of a phone number’s call and SMS history. Once the payment is made, users are served entirely fabricated phone numbers and names directly embedded into the source code. Evidence indicates that the activity may have been active since at least November 2025 . A second cluster of these apps has been found to prompt users to enter their email address to which the purported details of any phone number would be delivered to.
As in the prior case, no data is generated until a payment is made. The payments either rely on subscriptions via Google Play Store’s official billing system or via third-party apps that support Unified Payments Interface (UPI), an instant payment system widely used in India. Ironically, this list includes Google Pay, Walmart-backed PhonePe, and Paytm. A third method includes payment card checkout forms directly inside the apps.
The last two approaches are in violation of Google’s policy. In at least one case, the apps implemented an additional trick to convince the user to make a payment. Should they exit the app without making any payment, it displays a deceptive notification claiming that a call history for a certain phone number had been successfully sent to their email address. Clicking on the notification directly takes the user to a subscription screen.
The subscription plans vary across the app, ranging anywhere from about $6 to $80. Users who may have fallen prey to the scam should have had their subscriptions canceled after the apps were removed from the Google Play Store. What makes this activity notable is that the apps have a simple user interface and do not request any sensitive permissions. And to top it all, they do not even contain any functionality to retrieve call, SMS, or WhatsApp data.
“Users who subscribed via official Google Play billing may be eligible for refunds under Google’s refund policies,” ESET said. “Purchases made via third‑party payment apps or through direct payment card entry cannot be refunded by Google, leaving users dependent on external payment providers or developers.” The disclosure comes as Group-IB said bad actors have stolen an estimated $2 million from Indonesian users as part of a fraud campaign that involved posing as the country’s tax platform, CoreTax, and other trusted brands. The campaign, which began in July 2025, has been linked to a financially motivated threat cluster called GoldFactory . “The attack chain integrates phishing websites, social engineering (WhatsApp), malicious APK sideloading, and voice phishing (vishing) to achieve full device compromise and unauthorized transfer execution,” Group-IB said .
At a high level, these attacks involve using social engineering to distribute the fake apps via WhatsApp, which, when installed, deploy Android malware such as Gigabud RAT , MMRat , and Taotie that are capable of harvesting sensitive data and downloading additional components. The stolen information is then used to conduct account takeover attacks and financial theft. “The malware infrastructure supporting this fraud campaign is not limited to a single impersonated service. The same infrastructure has been observed actively abusing more than 16 trusted brands, collectively targeting Indonesia’s broader population of approximately 287 million,” Group-IB said.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches
The hardest part of cybersecurity isn’t the technology, it’s the people. Every major breach you’ve read about lately usually starts the same way: one employee, one clever email, and one “Patient Zero” infection. In 2026, hackers are using AI to make these “first clicks” nearly impossible to spot. If a single laptop gets compromised on your watch, do you have a plan to stop it from taking down the whole company?
Register for the Webinar: The Patient Zero Playbook What is “Patient Zero”? In medicine, Patient Zero is the first person to carry a disease into a population. In cybersecurity, it’s the first device an attacker hits. Once they are “in,” they don’t stay there—they move fast to find your data, your passwords, and your backups.
What You Will Learn Thisisn’t a boring lecture. It is a technical deep dive into how modern breaches start and how to kill them instantly. We are covering: The AI Phish: How attackers use generative AI to bypass your current filters. The 5-Minute Window: Why the first few minutes of an infection determine if you’ll be in the news tomorrow.
Zero Trust in Action: How to isolate an infected device so the “virus” has nowhere to go. The Recovery Blueprint: What to do the second you realize you have a Patient Zero. Why You Can’t Miss This Most security tools are great at finding “known” viruses. But they struggle with stealthy, custom-made attacks designed specifically for your company.
This webinar shows you how to build a defense that assumes someone will click a bad link—and ensures that click doesn’t cost you millions. Secure Your Spot – Register Now ➜ Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise
A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers’ systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling. “QLNX targets developers and DevOps credentials across the software supply chain,” Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a technical analysis of the malware. “Its credential harvester extracts secrets from high-value files such as .npmrc (npm tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files. The compromise of these assets could allow the operator to push malicious packages to NPM or PyPI registries, access cloud infrastructure, or pivot through CI/CD pipelines.” The malware’s ability to systematically harvest a wide range of credentials poses a severe risk to developer environments.
A threat actor who successfully deploys QLNX against a package maintainer gains unauthorized access to their publishing pipeline, allowing the attacker to push poisoned versions that can lead to cascading downstream impacts. QLNX executes filelessly from memory, masquerades itself as a kernel thread (e.g., kworker or ksoftirqd), and is capable of profiling the host to detect containerized environments, wiping system logs to cover up the tracks, and setting up persistence using no less than seven different methods, including systemd, crontab, and .bashrc shell injection. Furthermore, it exfiltrates the collected data to an attacker-controlled infrastructure, and receives commands that make it possible to execute shell commands, manage files, inject code into processes, take screenshots, log keystrokes, establish SOCKS proxies and TCP tunnels, run Beacon Object Files (BOFs), and even manage a peer-to-peer (P2P) mesh network. Exactly how the malware is delivered is unclear.
However, once a foothold is established, it enters a primary operational phase by running a persistent loop that continuously attempts to establish and maintain communication with the command-and-control (C2) server over raw TCP, HTTPS, and HTTP. In total, QLNX supports 58 distinct commands that give the operators complete control of the compromised host. QLNX also comes with a Pluggable Authentication Module ( PAM ) inline-hook backdoor that intercepts plaintext credentials during authentication events, logs outbound SSH session data, and transmits the data to the C2 server. The malware also supports a second PAM-based credentials logger that’s automatically loaded into every dynamically linked process to extract the service name, username, and authentication token.
It employs a two-tiered rootkit architecture: a userland rootkit deployed through the Linux dynamic linker’s LD_PRELOAD mechanism to ensure that the implant’s artifacts and processes stay hidden. There also exists a kernel-level eBPF component that uses BPF subsystem to conceal processes, files, and network ports from standard userland tools such as ps, ls, and netstat upon receiving instructions from the C2 server. “The QLNX implant was built for long-term stealth and credential theft,” Trend Micro said. “What makes it particularly dangerous is not any single feature, but how its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through six redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk
The dark secret of enterprise security operations is that defenders have quietly institutionalized the practice of not looking. This is not just anecdotal, but rather backed by a recent report investigating more than 25 million security alerts, including informational and low-severity, across live enterprise environments. The dataset behind these findings includes 10 million monitored endpoints and identities, 82,000 forensic endpoint investigations including live memory scans, 180 million files analyzed, and telemetry from 7 million IP addresses, 3 million domains and URLs, and over 550,000 phishing emails. The patterns that emerge from this data tell a consistent story.
Threat actors are exploiting the predictable gaps created by constrained, severity-based security operations, and they are doing it systematically. Understanding where those gaps actually live requires looking at the full alert picture, starting with the category most teams have been conditioned to ignore. The 1% problem that adds up to one missed breach per week In this analysis of 25M alerts, nearly 1% of confirmed incidents originated from alerts initially classified as low-severity or informational. On endpoints specifically, that figure climbed to nearly 2%.
At enterprise scale, percentages like these are not noise. The average organization generates approximately 450,000 alerts per year. One percent of that is roughly 54 real threats annually, about one per week, that never get investigated under a traditional SOC or MDR model. Detection did not fail.
Triage economics just made investigation impossible. These are not theoretical risks sitting at the edge of an attacker’s wishlist. They are real compromises hiding in the category of alerts that operations teams have been trained to deprioritize. EDR “mitigated” does not mean clean Endpoint findings from the report deserve special attention because they challenge a foundational assumption in most security programs: that EDR remediation can be trusted at face value.
Of the 82,000 alerts that underwent live forensic memory scans, 2,600 had active infections. Of those confirmed compromised endpoints, 51% had already been marked as “mitigated” by the source EDR vendor. In over half of confirmed endpoint compromises detected through forensic analysis, the EDR had closed the ticket and declared the threat resolved. Without memory-level forensics, those infections remain invisible.
The tools most organizations rely on as their endpoint safety net are reporting clean on machines that are not clean. The malware families found running in memory during these scans include Mimikatz, Cobalt Strike, Meterpreter, and StrelaStealer, not obscure proof-of-concept tools, but the workhorses of active criminal and nation-state operations. Phishing has left your email gateway behind The phishing data in the report reflects a fundamental shift in attacker methodology that most email security architectures are not designed to catch. Less than 6% of confirmed malicious phishing emails contained attachments.
Most relied on links and language. More significantly, attackers have migrated their infrastructure onto platforms that are trusted by default: Vercel, CodePen, OneDrive, and even PayPal’s own invoicing system. One campaign documented in the report uses PayPal’s legitimate payment request infrastructure to send threat emails, with callback numbers embedded in the payment notes and Unicode homoglyphs to defeat signature-based detection. The sending domain passes every standard authentication check because the mail genuinely originates from PayPal.
Cloudflare Turnstile CAPTCHA has become a reliable signal of malicious intent: sites using it were consistently more likely to be phishing pages, while Google reCAPTCHA correlated with legitimate infrastructure. Attackers are using the mechanisms built to stop bots to stop automated security scanners instead. Four new techniques for bypassing email gateways were identified in the data: Base64 payloads hidden inside SVG image files, links embedded in PDF annotation metadata invisible to surface-level scanners, dynamically loaded phishing pages served through legitimate OneDrive shares, and DOCX files concealing archived HTML content containing QR codes. None of these is exotic.
They are operational techniques being used at scale. Cloud telemetry shows attackers playing long games Cloud alert data from the report shows a pronounced concentration around defense evasion and persistence tactics, with relatively few high-impact behaviors like lateral movement or privilege escalation appearing in the signal. Attackers are being both cautious and patient. The dominant pattern is long-term access.
Token manipulation, abuse of legitimate cloud features, andobfuscation to avoid triggering higher-severity detections. The goal is to remain present and undetected, not to make noise. AWS misconfigurations compound this risk quietly. S3 accounts for roughly 70% of all cloud control violations in the dataset, with the most common issues centered on access management, server logging, and cross-account restrictions.
These findings rarely trigger alerts. Most are classified as low severity. And they have been repeatedly exploited once attackers establish any foothold, dramatically accelerating what they can do next. Why traditional SOCs and MDRs cannot close this gap This is an operational and capacity problem that technology alone did not solve until recently.
Human analysts do not scale with alert volume. As telemetry expands across endpoint, cloud, identity, network, and SaaS, every SOC eventually hits the same ceiling. The only way to operate within budget is aggressive triage: automate most closures, investigate only what looks critical, and trust that severity labels reflect reality. The 2026 data shows that trust is misplaced at scale.
MDR providers face identical constraints. The human-scaled operating model means approximately 60% of alerts still go unreviewed whether handled in-house or outsourced. Adding more analysts moves the ceiling but does not eliminate it. SOAR platforms give you workflow automation but require your team to design every playbook and still do not replace investigative execution.
The deeper problem is the feedback loop that never closes. When low-severity alerts are never investigated, missed threats never surface. Detection rules that fail to catch real attacks never get corrected. The system does not self-improve because the inputs it would need to improve are never examined.
What changes when you investigate everything Investigating all 25 million alerts in the above-cited report required removing the constraint that has historically made full coverage impossible. Specifically, human analyst capacity is the bottleneck. In this dataset, Intezer AI SOC was used to triage and investigate, with less than 2% of alerts escalated to a human analyst, 98% verdict accuracy, and sub-minute median triage time across the full volume. The effects of full-coverage investigation are measurable.
When every alert receives forensic-grade analysis regardless of severity, triage outcomes are grounded in evidence rather than assumptions about what low-severity labels mean. Early-stage threats that produce only weak initial signals,get surfaced before they progress. Detection engineering also benefits directly, because every investigation generates feedback that can be looped back into rule tuning at the source. The practical result for human analysts is a shift in where their time is spent.
Escalations become less frequent and higher confidence, which means analysts engage at the point of decision rather than spending capacity on discovery and initial classification. For the broader organization, this translates into a security posture that improves continuously rather than one that holds steady while the threat landscape moves around it. To explore the full report and research findings, see the 2026 AI SOC Report for CISOs by Intezer . Found this article interesting?
This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that’s being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called “darkworm.” The backdoor is designed as a Pluggable Authentication Module ( PAM )-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination. It’s also capable of harvesting credentials from all legitimate users who authenticate through the compromised system. “The tool, called PamDOORa, is a new PAM-based backdoor, designed to serve as a post-exploitation backdoor, enabling authentication to servers via OpenSSH,” Flare.io researcher Assaf Morag said in a technical report. “Allegedly this would remain persistent on Linux systems (x86_64).” PamDOORa is the second Linux backdoor after Plague to be discovered targeting the PAM stack over the past year.
PAM is a security framework in Unix/Linux operating systems that grants system administrators the ability to incorporate multiple authentication mechanisms or update them (e.g., switching from passwords to biometrics) into an existing system through the use of pluggable modules without the need for rewriting existing applications. Because PAM modules typically run with root privileges , a compromised, misconfigured, or malicious module can introduce significant security risks and open the door to credential harvesting and unauthorized access. “Despite its strengths, the Pluggable Authentication Module’s (PAM) modularity introduces risks, as malicious modifications to PAM modules can create backdoors or steal user credentials, especially since PAM does not store passwords but transmits values in plaintext,” Group-IB noted in September 2024. “The pam_exec module, which allows the execution of external commands, can be exploited by attackers to gain unauthorized access or establish persistent control by injecting malicious scripts into PAM configuration files.” The Singaporean security vendor also detailed how it’s possible to manipulate PAM configuration for SSH authentication to execute a script via pam_exec, effectively allowing a bad actor to obtain a privileged shell on a host and facilitate stealthy persistence.
The latest findings from Flare.io show that PamDOORa, besides enabling credential theft, incorporates anti-forensic capabilities to methodically tamper with authentication logs to erase traces of malicious activity. Although there is no evidence that the malware has been put to use in real-world attacks, infection chains distributing the malware are likely to involve the adversary first obtaining root access to the host through some other means and deploying the PamDOORa PAM module to capture credentials and establish persistent access over SSH. Morag told The Hacker News that PamDOORa was compared with several similar PAM-based backdoors, including Plague. Although they share a similar approach of altering the PAM behavior to enable credential capture, the “small differences in the design” indicate that the backdoor does not overlap with any of them.
“But without comparing the two binaries, we cannot completely rule out,” Morag added. After an initial asking price of $1,600 on March 17, 2026, the “darkworm” persona has since reduced it by almost 50% to $900 as of April 9, indicating either a lack of buyer interest or an intent to accelerate a sale. “PamDOORa represents an evolution over existing open-source PAM backdoors,” Morag explained. “While the individual techniques (PAM hooks, credential capture, log tampering) are well-documented, the integration into a cohesive, modular implant with anti-debugging, network-aware triggers, and a builder pipeline places it closer to operator-grade tooling than the crude proof-of-concept scripts found in most public repositories.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel. Dubbed Dirty Frag , it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers on April 30, 2026. “Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability,” security researcher Hyunwoo Kim (@v4bel) said in a write-up.
“Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.” The vulnerability currently does not have a CVE identifier, as the embargo is said to have been broken after detailed information and an exploit for the xfrm-ESP Page-Cache Write vulnerability were published publicly by an unrelated third-party. Successful exploitation of the flaw could allow an unprivileged local user to gain elevated root access on most Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. According to the researcher, the xfrm-ESP Page-Cache Write vulnerability was introduced in a source code commit made in January 2017, while the RxRPC Page-Cache Write vulnerability was introduced in June 2023.
Interestingly, the same January 17, 2017, commit was the root cause behind another buffer overflow ( CVE-2022-27666 , CVSS score: 7.8) that affected various Linux distributions. xfrm-ESP Page-Cache Write, which is rooted in the IPSec (xfrm) subsystem, provides attackers with a 4-byte store primitive like Copy Fail and overwrites a small amount in the kernel’s page cache. However, the exploit requires the unprivileged user to create a namespace, a step that’s blocked by Ubuntu through AppArmor . In such an environment, xfrm-ESP Page-Cache Write cannot be triggered.
That’s where the second exploit, RxRPC Page-Cache Write, comes in. “RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions,” Kim explained. “For example, the default build of RHEL 10.1 does not ship rxrpc.ko. However, on Ubuntu, the rxrpc.ko module is loaded by default.” “Chaining the two variants makes the blind spots cover each other.
In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works.” CloudLinx, in an advisory of its own, said the flaw resides in the “ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path and is reachable via the XFRM user netlink interface.” “The bug lives in the in-place decryption fast paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that are not privately owned by the kernel (e.g., pipe pages attached via splice(2)/sendfile(2)/MSG_SPLICE_PAGES), the receive path decrypts directly over those externally-backed pages, exposing or corrupting plaintext that an unprivileged process still holds a reference to,” AlmaLinux said . Similar advisories have been released by other Linux distributions - Amazon Linux Debian ( xfrm-ESP Page-Cache Write , RxRPC Page-Cache Write ) Red Hat Enterprise Linux Rocky Linux SUSE Adding to the urgency is the release of a working proof-of-concept (PoC) that can be exploited to gain root in a single command. Until the patches are available, it’s advised to blocklist esp4, esp6, and rxrpc modules so they cannot be loaded - sudo sh -c “printf ‘install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n’ > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true” It’s worth mentioning here that Dirty Frag, despite sharing some overlaps with Copy Fail, can be exploited irrespective of whether the Linux kernel’s algif_aead module is enabled or not.
“Note that Dirty Frag can be triggered regardless of whether the algif_aead module is available,” the researcher said. “In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag.” Update The xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6 . The RxRPC Page-Cache Write vulnerability has been assigned the identifier CVE-2026-43500, although no patch is available as of writing. “On hosts that do not run container workloads, the vulnerability allows a local user to elevate privileges to the root user,” Ubuntu said .
“In container deployments that may execute arbitrary third-party workloads, the vulnerability may additionally facilitate container escape scenarios, in addition to local privilege escalation on the host.” In an advisory, Google-owned Wiz described Dirty Frag as a vulnerability chain that combines two page-cache write primitives in the Linux kernel: one in the xfrm-ESP (IPsec) subsystem and another in RxRPC. “Both flaws allow modification of page-cache-backed memory that is not exclusively owned by the kernel, enabling corruption of sensitive files and ultimately privilege escalation,” researchers Merav Bar and Rami McCarthy said . “Unlike race-condition-based exploits, this bug class is deterministic and highly reliable, similar to previous vulnerabilities like Copy Fail and Dirty Pipe.” “To pull off this exploit, an attacker needs two things: access to specific vulnerable kernel interfaces and the ability to manipulate page-backed buffers (e.g., via splice()-related paths). However, there is a significant hurdle: the exploit usually requires high-level system permissions, such as CAP_NET_ADMIN.
This means exploitation is less likely in hardened containerized environments (e.g., Kubernetes with default seccomp profiles).” Limited In-The-Wild Exploitation Observed Microsoft said it’s currently observing limited in-the-wild activity to achieve privilege escalation using the “su” (aka substitute user) command, which it noted “may be indicative of techniques associated with either ‘Dirty Frag’ or ‘ Copy Fail ‘.” “The campaign shows a sequential attack timeline where an external connection gains SSH access and spawns an interactive shell, followed by staging and execution of an ELF binary (./update) that immediately triggers a privilege escalation via ‘su,’” Microsoft added . Upon gaining elevated access, the unknown threat actors have been found to modify a GLPI LDAP authentication file, perform reconnaissance of the GLPI directory and system configuration, and inspect an exploit artifact. This step is followed by the attackers accessing sensitive data and interacting with multiple PHP session files, including deleting and forcefully wiping some of them, likely in an attempt to disrupt active sessions and access to session contents. “Dirty Frag is notable because it introduces multiple kernel attack paths involving rxrpc and esp/xfrm networking components to improve exploitation reliability,” Microsoft said.
“Rather than relying on narrow timing windows or unstable corruption conditions often associated with Linux local privilege escalation exploits, Dirty Frag appears designed to increase consistency across vulnerable environments.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. It allows “a remotely authenticated user with administrative access to achieve remote code execution,” Ivanti said in an advisory released today. “We are aware of a very limited number of customers exploited with CVE-2026-6973.
Successful exploitation requires Admin authentication. If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340 , then your risk of exploitation from CVE-2026-6973 is significantly reduced.” It’s currently not known who is behind the exploitation efforts, if any of those attacks were successful, and what the end goals of the attacks were. The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by May 10, 2026.
Also patched by Ivanti in EPMM are four other flaws - CVE-2026-5786 (CVSS score: 8.8) - An improper access control vulnerability that allows a remote authenticated attacker to gain administrative access. CVE-2026-5787 (CVSS score: 8.9) - An improper certificate validation vulnerability that allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. CVE-2026-5788 (CVSS score: 7.0) - An improper access control vulnerability that allows a remote unauthenticated attacker to invoke arbitrary methods. CVE-2026-7821 (CVSS score: 7.4) - An improper certificate validation vulnerability that allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about the EPMM appliance and impacting the integrity of the newly enrolled device identity.
“The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products,” the company said . Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments. “The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts,” SentinelOne security researcher Alex Delamotte said in a report published today. PCPJack is specifically designed to target cloud services like Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, allowing the operators to spread in a worm-like fashion, aswell as move laterally within the compromised networks. It’s assessed that the end goal of the cloud attack campaign is to generate illicit revenue for the threat actors through credential theft, fraud, spam, extortion, or resale of stolen access.
The What makes this activity notable is that it shares significant targeting overlaps with TeamPCP , a threat actor that rose to prominence late last year by exploiting known security vulnerabilities (e.g., React2Shell ) and misconfigurations in cloud services to enlist the endpoints in an ever-expanding network for conducting data theft and other post-exploitation actions. At the same time, PCPJack lacks a cryptocurrency mining component, unlike TeamPCP. While it’s not known why this obvious monetization strategy was not adopted, the similarities between the two clusters indicate that PCPJack could be the work of a former member of TeamPCP who is familiar with the group’s tradecraft. The starting point of the attack is a bootstrap shell script that’s used to prepare the environment – such as configuring the payload host – and download next-stage tooling, while simultaneously taking steps to infect its own infrastructure, terminate and remove processes or artifacts that are associated with TeamPCP, install Python, establish persistence, download six Python scripts, launch the orchestration script, and remove itself.
The six Python payloads are as follows - worm.py (written to disk as monitor.py), the main orchestrator that launches the purpose-built modules, conducts local credential theft, propagates the toolset to other hosts by exploiting known flaws ( CVE-2025-55182 , CVE-2025-29927 , CVE-2026-1357 , CVE-2025-9501 , and CVE-2025-48703 ), and uses Telegram for command-and-control (C2) parser.py (utils.py), to handle credential extraction to categorize stolen keys and secrets lateral.py (_lat.py), to facilitate reconnaissance, harvest secrets, and enable lateral movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB services crypto_util.py (_cu.py), to encrypt credentials before exfiltration to the attacker’s Telegram channel cloud_ranges.py (_cr.py), to collect IP address ranges assigned to Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Cloudflare, Cloudfront, and Fastly, and refresh the data every 24 hours cloud_scan.py (_csc.py), to run cloud port scanning for external propagation via Docker, Kubernetes, MongoDB, RayML, or Redis services Propagation targets for the orchestrator script come from parquet files that the worm pulls directly from Common Crawl, a non-profit that crawls the web and provides its archives and datasets to the public at no extra cost. “When exfiltrating system information and credentials, the PCPJack operator even collects success metrics on whether TeamPCP has been evicted from targeted environments in a ‘PCP replaced’ field sent to the C2,” Delamotte said. This “implies a direct focus on the threat actor’s activities rather than pure cloud attack opportunism.” Further analysis of the threat actor’s infrastructure has uncovered another shell script (“check.sh”) that detects the CPU architecture and fetches the appropriate Sliver binary. It also scans Instance Metadata Service (IMDS) endpoints, Kubernetes service accounts, and Docker instances for credentials associated with Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, OnePassword, and OpenAI, and transmits them to an external server.
“Overall, the two toolsets are well developed and indicate that the owner values making code as a modular framework, despite some redundancies in behavior,” SentinelOne said. “This campaign does not [deploy miners], and it deliberately removes the miner functions associated with TeamPCP. Despite that, this actor has well-defined scopes for extracting cryptocurrency credentials.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
Palo Alto Networks has disclosed that threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as early as April 9, 2026. The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. While fixes are expected to be released starting May 13, 2026, customers are advised to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones, or by disabling it entirely if it’s not used. As additional mitigation, the company is recommending that organizations disable Response Pages in the Interface Management Profile for any L3 interface where untrusted or internet traffic can ingress.
Customers with Advanced Threat Prevention can also block exploitation attempts by enabling Threat ID 510019 from Applications and Threats content version 9097-10022. In an advisory issued Wednesday, the network security company said it’s aware of limited exploitation of the flaw. It’s tracking the activity under the CL-STA-1132 , a suspected state-sponsored threat cluster of unknown provenance. “The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software.
Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process,” Palo Alto Networks Unit 42 said . The cybersecurity company said it has observed unsuccessful exploitation attempts against a PAN-OS device starting April 9, 2026, a week after which the attackers managed to successfully obtain remote code execution against the appliance and inject shellcode. As soon as initial access was achieved, the threat actors took steps to clear crash kernel messages, delete nginx crash entries and nginx crash records, and remove crash core dump files in an attempt to cover up the tracks. Post-exploitation activities conducted by the adversary included conducting Active Directory (AD) enumeration and dropping additional payloads like EarthWorm and ReverseSocks5 against a second device on April 29, 2026.
Both tools have been previously used by various China-nexus hacking groups. “Over the last five years, nation-state threat actors engaged in cyber espionage have increasingly focused their efforts on edge-network technological assets, including firewalls, routers, IoT devices, hypervisors and various VPN solutions, which provide high-privilege access while often lacking the robust logging and security agents found on standard endpoints,” Unit 42 said. “The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration. This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories
Bad week. Turns out the easiest way to get hacked in 2026 is still the same old garbage: shady packages, fake apps, forgotten DNS junk, scam ads, and stolen logins getting dumped into Discord channels like it’s normal. Some of these attack chains don’t even feel sophisticated anymore. More like some tired guy with a Telegram account and too much free time.
The worst part is how often this stuff still works. Meanwhile, AI tools are speeding up exploit hunting, browsers are keeping passwords sitting in memory for “performance reasons,” and even ransomware crews are pushing broken builds into the wild. Everybody’s scrambling to patch faster because attackers are automating faster. Anyway.
ThreatsDay’s rough this week. Let’s get into it. Credential theft campaign New MicroStealer Spotted A new stealer called MicroStealer has been observed targeting education and telecom sectors to steal sensitive data. It was first observed in the wild in December 2025.
“It specializes in stealing browser credentials, active session data, screenshots, cryptocurrency wallets, and system information,” ANY.RUN said . “It spreads quickly with low detection rates thanks to a sophisticated multi-stage delivery chain and exfiltrates data via Discord webhooks and attacker-controlled servers.” Location data crackdown FTC and Kochava Announce Settlement The Federal Trade Commission (FTC) and location data broker Kochava said they agreed to a settlement in which the company and its subsidiary Collective Data Solutions would be blocked from selling, sharing, or disclosing sensitive location data without consumers’ explicit consent. The company was found to be illegally obtaining and selling consumers’ yearly incomes, mobile device IDs, app usage, and nearly real-time geolocation data within 10 meters without their consent or awareness. While the proposed order does not impose a fine on Kochava, the company is required to establish a data retention schedule that will mandate consumers’ data be deleted in a predetermined time frame.
Quantum-safe email upgrade Proton Adds PQC Support in Proton Mail Proton has added support for post-quantum encryption as an optional feature in Proton Mail. “Once enabled, Proton Mail can generate and use post-quantum-ready keys for new encrypted emails to protect your personal messages and business communications against today’s threats and a future where current public-key cryptography may no longer be enough,” the Swiss privacy-focused company said . “Enabling PQC helps protect new encrypted emails going forward. It does not retroactively re-encrypt the emails already in your mailbox, for now.” Supply chain hardening pnpm 11 Rolls Out New Security Measures to Tackle Supply Chain Attacks pnpm 11 has been released with new supply chain protections in place, including defaulting the minimum release age to 24 hours to reduce the risk of installing compromised packages and blocking exotic sub-dependencies that resolve from non-standard sources, such as Git repositories or direct tarball URLs.
“Newly published package versions are not resolved until they are at least one day old. Teams can opt out by setting minimumReleaseAge: 0, but pnpm’s default posture now favors a built-in waiting period before fresh package releases enter installs,” Socket said . With most package compromise campaigns relying on automated installs to expand their reach, the new effort aims to reduce the risk of packages getting installed immediately after publication. AI age verification push Meta Plans to Use AI to Strengthen Underage Enforcement Meta said it’s deploying artificial intelligence (AI) tools to bolster its underage enforcement measures and remove people under 13 from its services like Facebook and Instagram.
Acknowledging that “knowing someone’s age online is a complex, industry-wide challenge,” the company said it’s using AI to analyze profiles for contextual clues, as well as scan photos and videos for physical cues to assess whether a user is under 13 on Instagram and Facebook. “We want to be clear: this is not facial recognition. Our AI looks at general themes and visual cues, for example, height or bone structure, to estimate someone’s general age; it does not identify the specific person in the image,” Meta said . “By combining these visual insights with our analysis of text and interactions, we can significantly increase the number of underage accounts we identify and remove.” North Korea-linked cybercrime case South Korean Court Upholds Jail Term for Man Who Hired N.
Korean Hacker South Korea’s highest court has upheld the one-year prison term for a man , identified as Oh Dae-hyun, who hired an unnamed North Korean cybercriminal to conduct attacks against rival game servers in exchange for a payment of more than $16,300 between October 2014 and March 2015. Per details revealed by NK News last November, the defendant operated an illegal online game server for Lineage and sought access to a file that would allow him to bypass the game’s security system and enable users to play the game at a lower cost. To obtain the file, the defendant is said to have communicated with a North Korean cyber actor via the Chinese messaging app QQ. The court also found Oh recruiting the same North Korean national to conduct distributed denial-of-service (DDoS) attacks on rival gaming servers.
Per court documents, the North Korean national is a head of the development team at a trading company under the Workers’ Party of Korea. The company is also believed to have been involved in the creation and sale of DDoS attack programs and cyberterrorism tools to generate revenue for Pyongyang. Critical ICS security flaws Vulnerabilities in Eclipse BaSyx V2 Two security vulnerabilities have been disclosed in Eclipse BaSyx V2 that pose a severe risk to industrial environments. The vulnerabilities in question are CVE-2026-7411 (CVSS score: 10.0), an unauthenticated path traversal flaw that could be exploited to write arbitrary files, leading to code execution, and CVE-2026-7412 (CVSS score: 8.6), a blind SSRF flaw that forces the BaSyx server to act as a proxy and execute HTTP POST requests to arbitrary internal or external targets.
The issues have been patched in version 2.0.0-milestone-10. “By chaining or utilizing these flaws, an external attacker can completely bypass network segmentation,” Mohamed Lemine Ahmed Jidou, security researcher and founder of AegisSec, told The Hacker News. “The compromised Digital Twin server can be weaponized to pivot internally and send unauthorized commands directly to isolated Programmable Logic Controllers (PLCs) and industrial sensors, posing a direct threat to physical manufacturing lines.” Critical MOVEit exposure <100 Exposed MOVEit Automation Instances Found Attack surface management platform Censys said it has observed less than 100 exposed MOVEit Automation web admin interfaces globally, with nearly two-thirds of hosts located in the U.S. The development comes in the aftermath of CVE-2026-4670 (CVSS score: 9.8), a critical authentication bypass flaw in MOVEit Automation that could potentially result in CVE-2026-4670 is a critical authentication bypass vulnerability in MOVEit Automation that could result in unauthorized access, administrative control, and data exposure.
Broken ransomware encryption VECT 2.0 Encryptor Weaknesses A new analysis of VECT 2.0 ransomware binaries has uncovered multiple critical flaws in both full and intermittent encryption modes, making data recovery impossible even if a ransom payment is made. “VECT’s FULL encryptor contains an insufficient memory allocation flaw that restricts successful encryption to files 32 KB or smaller,” Halcyon said . “VECT’s intermittent mode discards the nonces for all encrypted segments except the final one, retaining only the last 12-byte nonce in the file footer. The decryption algorithm requires the unique nonce for each segment, all segments preceding the final block are cryptographically unrecoverable by the victim and the attacker alike.” What’s more, a race condition vulnerability exists in the multi-threaded encryption implementation that causes files to be renamed with the .vect extension without their contents being encrypted.
In some cases, the contents of one file is saved and renamed as a different file name, or two different files are encrypted and saved with the same name, potentially resulting in the loss of one file. “These issues collectively undermine the reliability and repeatability of the Vect2.0 encryption and renaming logic,” Halcyon said. Oracle accelerates patching Oracle Shifts to Monthly Patch Cycle for Critical Flaws Oracle said it will supplement the quarterly Critical Patch Update (CPU) fixes with monthly security releases focused on high-priority vulnerabilities, citing the increased pace of AI-assisted vulnerability disclosures stemming from the adoption of AI models like Anthriopic Mythos to aid with code analysis, security testing, and vulnerability detection. Several vendors like Microsoft, SAP, Adobe, andGoogle (for Android) already release patches on a monthly cadence, most of which occur on the second Tuesday of each month.
Oracle’s release cycle, however, will be on the third Tuesday of each month. The first monthly Critical Security Patch Updates (CSPUs) will arrive on May 28, 2026. “CSPUs provide targeted fixes for critical vulnerabilities in a smaller, more focused format, allowing customers to address high-priority issues without waiting for the next quarterly release,” Oracle said. “Security depends on identifying vulnerabilities quickly and applying fixes just as quickly.” Global smishing surge Scammers Use Fake Text Messages to Steal Data Scammers are sending tens of thousands of fraudulent text messages to mobile users across 12 countries, impersonating transport authorities, toll operators, and parking services, as part of a new mass smishing campaign, per Bitdefender Labs.
The active campaign, called Operation Road Trap, has been active since December 2025. More than 79,000 fraudulent messages have already been detected in 40 distinct SMS scam campaigns. Countries targeted include the U.S., Canada, Australia, New Zealand, France, Spain, Colombia, Brazil, India, the U.K., Ireland, and Luxembourg. “All messages share a common goal: to persuade recipients to pay a fake fine, hand over sensitive information, or install spyware,” the company said .
“At this stage, there’s no confirmed link tying these campaigns together, beyond a shared theme of messages about unpaid tolls, parking violations, or traffic fines.” The activity has not been attributed to a specific threat actor or group. Encrypted backup hardening Meta Announces Updates for End-to-End Encrypted Backups Meta has updated its infrastructure used for protecting end-to-end encrypted backups for WhatsApp and Messenger using a hardware security module (HSM)-based Backup Key Vault with two updates: over-the-air fleet key distribution for Messenger and a commitment to publishing evidence of secure fleet deployments. “The vault is deployed as a geographically distributed fleet across multiple datacenters, providing resilience through majority-consensus replication,” Meta said . “To verify the authenticity of the HSM fleet, clients validate the fleet’s public keys before establishing a session.
In WhatsApp, these keys are hardcoded into the application. To support Messenger – where new HSM fleets need to be deployed without requiring an app update – we built a mechanism to distribute fleet public keys over the air as part of the HSM response.” Fake ManageWP ads Malvertising Campaign Targets ManageWP Guardio has detailed a phishing campaign that’s delivered through Google sponsored search results and aims to steal credentials for ManageWP, GoDaddy’s WordPress admin platform, using an adversary-in-the-middle (AitM) phishing page. “The ad click first hits a cloaker, then flips real users to a fake ManageWP login while too easily dodging Google’s inspection of who authorized this sponsored search result,” Guardio said . “Attacker gets real-time login attempts to Telegram and controls it all from their C2.
They log in to the victims’ accounts on their end while orchestrating a fake login flow on the victim’s screen.” NuGet supply chain threat Malicious NuGet Packages Steal Data Five malicious NuGet packages published under the account bmrxntfj have been found to typosquat widely used Chinese .NET UI and infrastructure libraries. “Each package grafts a .NET Reactor protected infostealer payload onto a decompiled copy of a legitimate open source library,” Socket said . “The stealer targets saved credentials across 12 browsers, 8 desktop cryptocurrency wallets, 5 browser wallet extensions and exfiltrates to a newly-registered C2 domain.” The packages, IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, and IR.OscarUI,have been collectively downloaded approximately 65,000 times. Critical Salesforce flaws Security Flaws Disclosed in Salesforce Marketing Cloud Details have emerged about five now-patched, critical vulnerabilities in Salesforce Marketing Cloud that could be exploited to leak the entire contacts DB via a template injection and even access all emails ever sent using the service.
The vulnerabilities have been assigned the identifiers: CVE-2026-22585 , CVE-2026-22586 , CVE-2026-22582 , CVE-2026-22583 , and CVE-2026-2298 . The issues were fixed by Salesforce on January 24, 2026, following responsible disclosure by Searchlight Cyber. There is no evidence that the flaws were exploited to obtain unauthorized access to or misuse of customer data. Rust malware aviation campaign Aviation Sectors Targeted in Operation Silent Rotor Unmanned Aerial Systems (UAS) and aviation sectors in Russia, Tajikistan, Central Asia, Europe, and the Middle East are the target of a new campaign that uses spear-phishing lures to deliver ZIP archives containing a Rust-based executable (along with multiple decoy documents), which displays one of the lure documents, fingerprint the system, and contacts an attacker-controlled domain to fetch and execute a next-stage payload.
The activity, codenamed Operation Silent Rotor, has not been attributed to any known threat actor. “The campaign uses realistic aviation-related documents to gain the victim’s trust, with content linked to the ‘Unmanned Aviation 2026’ forum in Moscow,” Seqrite Labs said . “The delivered malware is a Rust-based executable that collects system information, communicates with a remote server over encrypted HTTPS, and downloads a second-stage payload for execution.” Stealthy Vidar infection chain Multi-Stage Campaign Drops Vidar Stealer A new multi-stage malware campaign has employed layered obfuscation and trusted Windows components to achieve stealthy execution and persistence, ultimately leading to the deployment of Vidar Stealer. The initial infection vectors for Vidar have leveraged various methods to deceive unsuspecting users: fake CAPTCHA or ClickFix pages, free game cheats, legitimate-but-compromised sites, and fake or trojanized GitHub repositories disguised as legitimate utilities, cracked software, or leaked development tools.
In one case detailed by Point Wild, the entry point is a Go-compiled dropper binary that extracts and deploys a VBScript file, which contains embedded PowerShell code to continue the infection chain. “The PowerShell script connects to a remote IP-based server and downloads the next-stage payload, which is delivered in JPEG and TXT file formats used as disguised carriers for malicious content or staged payload data rather than conventional executables,” the company said . “These files are further processed to retrieve or reconstruct the final payload, ultimately leading to Vidar execution.” Silent AI model downloads Google Chrome May Download a 4GB Model Weights File A new analysis from web privacy expert Alexander Hanff has found that Google Chrome installs a 4GB on-device AI model file to disk without users’ consent. It is a weights file associated with Gemini Nano.
If a user deletes the file, it’s automatically re-downloaded unless the “on-device AI” setting is turned off. Google noted in October 2025 that the “Gemini Nano model is automatically deleted if the device’s free disk space drops below a certain threshold” and is “purged if an enterprise policy disables the feature, or if a user hasn’t met other eligibility criteria for 30 days.” The company also said the on-device AI model is used for scam detection, tab organization, and summarization. Last month, the researcher detailed the various browser fingerprinting techniques (e.g., WebGL, WebGPU, CNAME cloaking , link decoration, and canvas fingerprinting, among others) used by online trackers and how Chrome doesn’t do anything to block them. In all, Chrome ships with over 30 active fingerprinting vectors, 23 distinct storage and tracking mechanisms, no native CNAME cloaking protection, and no fingerprinting defenses of any kind.
- It’s worth mentioning that Google
- abandoned
- its plans to deprecate third-party tracking cookies in Chrome after a six-year effort called Privacy Sandbox. Edge memory exposure
- Microsoft Edge Stores Passwords in Cleartext, But It’s Not as Severe as It Sounds
- An attacker with administrative privileges can gain access to Microsoft Edge user passwords even when they’re not in use by taking advantage of the fact that the browser stores them in cleartext in process memory. An attacker could
- exploit
- this behavior to
- create a memory dump
- of Edge’s “browser” sub-task via the Windows Task Manager. Security researcher Tom Jøran Sønstebyseter Rønning, who revealed the issue,
- said
- “When you save passwords in Edge, the browser decrypts every credential at startup and keeps them, resident in process memory.
This happens even if you never visit a site that uses those credentials. At the same time, Edge requires you to re-authenticate before showing those same passwords in the Password Manager UI – yet the browser process already has them all in plaintext.” Further testing has revealed that Edge is the only Chromium-based browser that exhibits this behavior, which Microsoft has described as by design to speed up the sign-in process. Unlike Edge, other browsers built on Chromium encrypt credentials only when needed, instead of keeping all passwords in memory at all times. It’s worth noting that to pull off a successful attack, a threat actor must have already compromised the device by some other means.
A similar method to extract cleartext credentials directly from Chromium’s memory was demonstrated by CyberArk in 2022. As VX-Underground noted in a post on X: “This method is interesting, I like the research performed, however, it isn’t something super critical. If you’re using this method in an enterprise environment, then that company has been completely compromised down to the bone, and they’ve got much larger issues.” 72-hour patch mandate U.S. Mulls Cutting Patch Deadlines to 3 Days for Exploited Flaws U.S.
cybersecurity officials are considering sharply shorter deadlines for fixing critical flaws in government IT systems, amid concerns bad actors could exploit them using artificial intelligence tools, Reuters reported . Under the new proposal, the deadline for patching vulnerabilities added to the Known Exploited Vulnerabilities (KEV) catalog would be slashed from three weeks to three days. According to a Flashpoint study , the time between vulnerability disclosure and exploitation has plunged 94% over the past five years. The time to exploit (TTE) dropped from 745 days in 2020 to just 44 days last year, dramatically reducing the time security and IT teams have to patch.
This phenomenon has exacerbated in recent months, with threat actors attempting to exploit newly disclosed flaws within 24 hours of public disclosure . “At face value, three days is aggressive. Traditional patching workflows involve change control, testing, and stakeholder sign-off, and compressing them into 72 hours runs counter to how most enterprises actually operate,” Ryan Dewhurst, watchTowr’s head of threat intelligence, told The Hacker News. “But the trend over recent months has been unambiguous.
Exploitation of emerging threats is accelerating, and industry data consistently shows high-impact vulnerabilities being weaponized far faster than a 3-day window would allow. CISA’s shift to a 3-day deadline is a candid acknowledgment of how little time defenders actually have, balanced against the operational realities that still make patching complex. The uncomfortable truth: if you need three days, you’re already operating behind the threat.” SEBI flags AI cyber risks India’s SEBI Issues Alert on Advanced AI Tools for Vulnerability Discovery The Securities and Exchange Board of India (SEBI) has released an advisory, stating the emergence of tools like Mythos “may give rise to heightened risk exposure by enabling identification and potential exploitation of existing vulnerabilities using speed and scale,” adding “it may also introduce concerns relating to data confidentiality, application integrity, and reliability of outputs.” SEBI said it’s also establishing a cyber task force to examine the cybersecurity risks posed by AI models and devise a mitigation strategy, facilitate threat intelligence sharing, flag vulnerabilities that could impact the securities markets, and review third-party vendors for their cybersecurity posture. AI-fueled cyber race Anthropic CEO Warns of Narrow Window to Fix Flaws Anthropic CEO Dario Amodei has warned that AI has created a narrow window of about six to 12 months for organizations across the world to fix tens of thousands of software vulnerabilities found by its AI model before Chinese AI catches up.The development comes as advanced AI models like Anthropic Mythos are being used to find vulnerabilities in widely used software.This includes the discovery of over 270 flaws in Mozilla Firefox , some of which went undetected for years.
According to Axios and Bloomberg , the U.S. National Security Agency has been testing the Mythos model despite the Pentagon’s insistence that the company poses a supply chain risk. An evaluation of Mythos and OpenAI GPT-5.5 has since revealed that both models are capable of solving multi-step cyber attack simulations end-to-end, demonstrating their growing offensive cyber skills. But the emergence of these models, albeit in a limited preview, has also raised concerns that it could outpace current cybersecurity defenses, turbocharge exploit development, and expose weaknesses faster than they can be fixed.
The worries stem from the dual-use nature of these systems, as the same capability that helps defenders identify hundreds of flaws can be turned against them if they end up in the wrong hands. Late last month, Bloomberg reported that a “small group of unauthorized users” had had access to Mythos through a third-party contractor that works for Anthropic since the day the model was officially announced. “These capabilities, however guardrailed, will not stay contained. Similar advances will appear across other major AI labs, Chinese models, and open source models,” Palo Alto Networks said .
“Attackers will find the seams in those guardrails. They will use advanced AI to discover zero-day vulnerabilities at scale, generate exploits in near real time, and develop autonomous attack agents unlike anything the industry has faced.” Android banking malware spike Android Malware Driven Financial Fraud Surges 67% A new analysis from Zimperium has uncovered that Android malware-driven financial transactions have increased 67% year-on-year. The mobile security company said it tracked 34 active malware families targeting 1,243 financial brands across 90 countries in 2025. TsarBot , Copybara , and HOOK are the top three malware families that collectively target more than 60% of the global banking and fintech apps analyzed.
“The U.S. has the highest concentration of targeted apps globally, with 162 banking applications under active targeting, up from 109 in 2023,” the company said . “Nearly half of the malware families analyzed have financial extortion capabilities, including ransomware capabilities, allowing attackers to encrypt files on the device.” Major cybercrime prosecutions Recent Law Enforcement Actions Bryan Fleming, the founder of the surveillance tool pcTattletale, was sentenced to time served and a $5,000 fine for operating stalkerware that allowed users to secretly keep tabs on victims. This case marks the first federal conviction of a spyware developer in more than a decade and signals a potential shift in how the government prosecutes creators of intrusive tracking technology.
Fleming pleaded guilty earlier this January. pcTattletale shut down in 2024 after suffering a data breach. Other actions announced by the U.S. Department of Justice include the indictment of Jonathan Spalletta , a Maryland resident, in connection with theft of more than $50 million from decentralized cryptocurrency exchange Uranium Finance in 2021, leading to its shutdown; the extradition of Gavril Sandu , a Romanian national, to the U.S.
for his alleged role in a voice phishing scheme; and the sentencing of Latvian national Deniss Zolotarjovs , a member of the Karakurt group, to 102 months in prison for his involvement in a series of ransomware attacks and extort payments from more than 54 companies. Zolotarjovs was extradited to the U.S. in August 2024. Hijacked .edu subdomains Attack Hijacks University Domains to Host Spam and Porn Bad actors have been observed taking over subdomains for the Massachusetts Institute of Technology, Harvard, Stanford, Johns Hopkins, and dozens of other universities to post explicit porn spam that Google indexed under the trusted “.edu” domains.
The attack was carried out by hijacking DNS records that the universities had abandoned. Fake AI app malware wave Searches for Claude and Antigravity Lead to Stealer Malware Malvertising campaigns on Google Search are using lures for Antigravity to direct users to a fake website that serves a trojanized installer designed to deliver a stealer malware capable of harvesting sensitive data from the compromised system. Similar campaigns have leveraged Google Ads to serve fake landing pages for Claude to deliver MacSync infostealer on macOS. The activity has been codenamed Claude Fraud .
In another campaign spotted by Malwarebytes, fake websites impersonating legitimate services like Proton VPN, code hosting platforms, and free web hosting providers such as onworks[.]net are being used to stage malicious payloads that deliver a new Rust-based infostealer dubbed NWHStealer. “Once installed, it can collect browser data, saved passwords, and cryptocurrency wallet information, which attackers may use to access accounts, steal funds, or carry out further attacks,” the company said. A new evolution of the Browser runtime to distribute the stealer. The use of fake websites as lures has been observed in two other campaigns: a fake website promoting a tool called TradingClaw that acts as a delivery vehicle for a stealer codenamed Needle Stealer and a typosquatting website impersonating Slack that’s used to drop a modified installer.
The executable, besides launching a working copy of Slack, sets up a HVNC session for remote attackers to browse, access accounts, and interact with the system. That’s the week. Same internet, new fires. Patch what you can, double-check what you install, and don’t trust random ads pretending to be tools.
See you next ThreatsDay. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.