DAILY WORKFLOW ARCHIVE

2026-05-12 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-05-12 AI创业新闻

iOS 26.5 Brings Default End-to-End Encrypted RCS Messaging Between iPhone and Android

Apple on Monday officially released iOS 26.5 with support for end-to-end encryption (E2EE) to Rich Communication Services (RCS) in beta as part of a “cross-industry effort” to replace traditional SMS with a more secure alternative. To that end, E2EE RCS messaging is rolling out to iPhone users running iOS 26.5 with supported carriers and Android users on the latest version of Google Messages. The feature is enabled by default for both new and existing conversations in both platforms. RCS is a modern, internet-based messaging protocol that allows Android and iPhone users to send high-resolution photos and videos, see typing indicators, and receive read receipts, features all typically present in instant messaging apps.

It is built on an industry specification called the RCS Universal Profile . “When RCS messages are end-to-end encrypted, they can’t be read while they’re sent between devices,” Apple said in a statement. “Users will know that a conversation is end-to-end encrypted when they see a new lock icon in their RCS chats.” Apple began testing with E2EE in RCS messages in iOS and iPadOS 26.4 Beta, initially limiting it to only conversations between Apple devices. In early 2025, the GSM Association (GSMA) announced support for E2EE for safeguarding messages sent via the RCS protocol.

In a similar statement, Google said Google Messages for Android users will see a padlock icon to indicate that the cross-platform conversation is end-to-end encrypted. “This welcome progress is the result of close, cross‑industry collaboration between the GSMA RCS Working Group, including Apple, Google, and the wider mobile ecosystem,” Alex Sinclair, chief technology officer at GSMA, said . “Crucially, the new secure services are being delivered on an open, globally recognised foundation.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack

Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. “If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on December 17, 2025 or previously,” the cybersecurity company said in a statement over the weekend. As of writing, Checkmarx has released 2.0.13-848.v76e89de8a_053 on both GitHub and the Jenkins Marketplace, although its incident update still notes that it’s “in the process of publishing a new version of this plugin.” It did not disclose how the malicious plugin version was published. The development is the latest attack orchestrated by TeamPCP targeting Checkmarx.

It arrives a couple of weeks after the notorious cybercrime group was attributed to the compromise of its KICS Docker image, two VS Code extensions, and a GitHub Actions workflow to push credential-stealing malware. The breach, in turn, resulted in the brief compromise of the Bitwarden CLI npm package to serve a similar stealer that can harvest a wide range of developer secrets. TeamPCP has been linked to a series of breaches since March 2026 as part of a sprawling campaign that exploits the inherent trust in the software supply chain to propagate its malware and expand its reach. According to details shared by security researcher Adnan Khan and SOCRadar , TeamPCP is said to have gained unauthorized access to the plugin’s GitHub repository and renamed it to “Checkmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now.” The defaced repository was also updated to include the description: “Checkmarx fails to rotate secrets again.

with love – TeamPCP.” “The fact that TeamPCP is back inside Checkmarx systems just weeks later points to one of two possibilities: either the initial remediation was incomplete and credentials were not fully rotated, or the group retained a foothold that wasn’t identified during the March response,” SOCRadar said. “A second Checkmarx incident happening this soon suggests the group is actively watching for re-entry points, testing the depth of past remediations, and capitalizing on any gaps.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor

A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940 , a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel. According to a new report from QiAnXin XLab, the security defect has been exploited by a number of threat actors shortly after its public disclosure late last month, resulting in malicious behaviors like cryptocurrency mining, ransomware, botnet propagation, and backdoor implantation. “Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability,” XLab researchers said.

“These IPs are distributed across multiple regions globally, primarily originating from Germany, the United States, Brazil, the Netherlands, and other regions.” Further analysis of the ongoing exploitation activity has uncovered a shell script that uses wget or curl to download a Go-based infector from a remote server (“cp.dene.[de[.]com”) that’s designed to implant a compromised cPanel system with an SSH public key for persistent access, along with dropping a PHP web shell that facilitates file upload/download and remote command execution. The web shell is then used to inject JavaScript code to serve a customized login page to steal login credentials and siphon them to an attacker-controlled system that’s encoded using the ROT13 cipher (“ wrned[.]com “). Once the details are transmitted, the attack chain culminates with the deployment of a cross-platform backdoor that’s capable of infecting Windows, macOS, and Linux systems. The infector is also equipped to collect sensitive information from the compromised host, including bash history, SSH data, device information, database passwords, and cPanel virtual aliases (aka valiases), to a 3-member Telegram group created by a user named “0xWR.” In the infection sequence analyzed by XLab, Filemanager is delivered via a shell script downloaded from the “wpsock[.]com” domain.

The backdoor supports file management, remote command execution, and shell functionality. There are signs that the threat actor behind the operation has been operating silently in the shadows for years. This assessment is based on the fact that the command-and-control (C2) domain embedded in the JavaScript code has been put to use in a PHP-based backdoor (“ helper.php “) that was uploaded to the VirusTotal platform in April 2022. The domain was first registered in October 2020.

“Over the six years from 2020 to the present, the detection rate of Mr_Rot13’s related samples and infrastructure across security products has remained extremely low,” XLab said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation

Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence (AI) system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and exploit generation. The activity is said to be the work of cybercrime threat actors who appear to have collaborated together to plan what the tech giant described as a “mass vulnerability exploitation operation.” “Our analysis of exploits associated with this campaign identified a zero-day vulnerability implemented in a Python script that enables the user to bypass two-factor authentication (2FA) on a popular open-source, web-based system administration tool,” Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. The tech giant said it worked with the impacted vendor to responsibly disclose the flaw and get it fixed in order to proactively disrupt the activity. It did not disclose the name of the tool.

Although there is no evidence to suggest that Google’s Gemini AI tool was used to aid the threat actors, GTIG assessed with high confidence that an AI model was weaponized to facilitate the discovery and weaponization of the flaw via a Python script that featured all hallmarks typically associated with large language model (LLM)-generated code. “For example, the script contains an abundance of educational docstrings, including a hallucinated CVSS score, and uses a structured, textbook Pythonic format highly characteristic of LLMs training data (e.g., detailed help menus and the clean _C ANSI color class),” GTIG added. The vulnerability, described as a 2FA bypass, requires valid user credentials for exploitation. It stems from a high-level semantic logic flaw arising as a result of a hard-coded trust assumption, something LLMs excel at spotting.

“AI is already accelerating vulnerability discovery, reducing the effort needed to identify, validate, and weaponize flaws,” Ryan Dewhurst, watchTowr’s Head of Threat Intelligence, told The Hacker News in a statement. “This is today’s reality: discovery, weaponization, and exploitation are faster. We’re not heading toward compressed timelines; we’ve been watching the timelines compress for years. There is no mercy from attackers, and defenders don’t get to opt out.” The development comes as AI is not only acting as a force multiplier for vulnerability disclosure and abuse, but is also enabling attackers to develop polymorphic malware and conduct autonomous malware operations, as observed in the case of PromptSpy , an Android malware that abuses Gemini to analyze the current screen and provide it with instructions to pin the malicious app in the recent apps list.

Further investigation of the backdoor has uncovered a broader set of capabilities to allow the malware to navigate the Android user interface and autonomously monitor and interpret real-time user activity to determine the next course of action using an autonomous agent module. PromptSpy is also equipped to capture victim biometric data to replay authentication gestures, such as a lock screen PIN or a pattern, to regain access to a compromised device. On top of that, it’s capable of preventing uninstallation by making use of an “AppProtectionDetector” module that identifies the on-screen coordinates of the “Uninstall” button and serves an invisible overlay just over the button to block a victim’s touch events and give the impression that the button is unresponsive. “While PromptSpy initializes using hardcoded default infrastructure and credentials, the malware is designed with high operational resilience, allowing adversaries to rotate critical components at runtime without redeploying the PromptSpy payload,” Google said.

“Specifically, the malware’s command-and-control (C2) infrastructure, including the Gemini API keys and the VNC relay server, can be updated dynamically via the C2 channel. This configuration model demonstrates the developers anticipated defensive countermeasures and engineered the backdoor to maintain presence even if specific infrastructure endpoints are identified and blocked by defenders.” Google said it took steps against PromptSpy by disabling all assets related to the malicious activity. No apps containing the malware have been discovered on the Play Store. Some other cases of Gemini-specific abuse spotted by Google are listed below - A suspected China-nexus cyber espionage group dubbed UNC2814 prompted Gemini by asking it to assume the role of a network security expert to trigger persona-driven jailbreaking and support vulnerability research into embedded device targets, including TP-Link firmware and Odette File Transfer Protocol (OFTP) implementations.

The North Korean threat actor known as APT45 (aka Andariel and Onyx Sleet) sent “thousands of repetitive prompts” that recursively analyze different CVEs and validate proof-of-concept (PoC) exploits. A Chinese hacking group known as APT27 leveraged Gemini to speed up the development of a fleet management application with an aim to likely manage an operational relay box (ORB) network. A cluster of Russia-nexus intrusion activity targeted Ukrainian organizations to deliver AI-enabled malware dubbed CANFAIL and LONGSTREAM, both of which use LLM-generated decoy code to conceal their malicious functionality. Threat actors have also been found experimenting with a specialized GitHub repository named “ wooyun-legacy “ that’s designed as a Claude code skill plugin featuring over 5,000 real-world vulnerability cases collected by the Chinese vulnerability disclosure platform WooYun between 2010 and 2016.

“By priming the model with vulnerability data, it facilitates in-context learning to steer the model to approach code analysis like a seasoned expert and identify logic flaws that the base model might otherwise fail to prioritize,” Google explained. Elsewhere, a suspected China-aligned threat actor is said to have deployed agentic tools like Hexstrike AI and Strix in an attack targeting a Japanese technology firm and a major East Asian cybersecurity platform to conduct automated discovery with minimal human oversight. Google also said it continues to see information operations (IO) actors from Russia, Iran, China, and Saudi Arabia using AI for common productivity tasks like research, content creation, and localization, even as it called out China-affiliated threat activity from UNC6201 that involved the use of a publicly available Python script to automatically register and immediately cancel premium LLM accounts. “This process highlights the methods adversaries leverage to procure high-tier AI capabilities at scale while insulating their malicious activity from account bans,” GTIG pointed out.

“Threat actors now pursue anonymized, premium-tier access to models through professionalized middleware and automated registration pipelines to illicitly bypass usage limits. This infrastructure enables large-scale misuse of services while subsidizing operations through trial abuse and programmatic account cycling.” Another China-linked activity flagged by Google originates from UNC5673 (aka TEMP.Hex), which has employed various publicly available commercial tools and GitHub projects to likely facilitate scalable LLM abuse. The findings overlap with recent reports about a thriving grey market of API relay platforms that allow local developers in China to illicitly access Anthropic Claude and Gemini. These relay or transfer stations route access to these AI models through proxy servers that are hosted outside mainland China.

The services are advertised on Chinese online marketplaces Taobao and Xianyu. In a study published in March 2026, academics from the CISPA Helmholtz Center for Information Security found 17 shadow APIs that claim to provide access to official model services without regional limitations via indirect access. A performance evaluation of these services uncovered evidence of model substitution, exposing AI applications to unintended safety risks. “On high-risk medical benchmarks like MedQA, the accuracy of the Gemini-2.5-flash model drops precipitously, from 83.82% with the official API to approximately 37.00% across all examined shadow APIs,” the researchers said in the paper.

What’s more, the proxy services can capture every prompt and response that passes through their servers, providing the operators with unlawful access to a goldmine of data that could then be used for fine-tuning models and conducting illicit knowledge distillation . In recent months, AI environments have also become the target of adversaries like TeamPCP (aka UNC6780), exposing developers to supply chain attacks and enabling attackers to burrow deeper into compromised networks for follow-on exploitation. “For example, threat actors with access to an organization’s AI systems could leverage internal models and tools to identify, collect, and exfiltrate sensitive information at scale or perform reconnaissance tasks to move deeper within a network,” Google said. “While the level of access and particular use depends heavily on the organization and the specific compromised dependency, this case study demonstrates the broadened landscape of software supply chain threats to AI systems.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More

Rough Monday. Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there. The weird part is how normal this all sounds now.

Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping stolen access while defenders burn another weekend chasing logs and praying the weird traffic is just monitoring noise.

The Internet’s held together with duct tape and bad sleep. Anyway, Monday recap time. Same fire. New smoke.

⚡ Threat of the Week Ivanti EPMM and Palo Alto Networks PAN-OS Flaws Under Attack —Ivanti warned customers that attackers have successfully weaponized CVE-2026-6973, an improper input validation defect in Endpoint Manager Mobile (EPMM) that allows authenticated users with administrative privileges to run code remotely. The company did not say when the first instance of exploitation occurred, or precisely how many customers have been impacted. In a related development, attackers are actively exploiting a zero-day vulnerability affecting some Palo Alto Networks’ customers’ firewalls. As in the case of Ivanti, Palo Alto Networks did not say when or how it became aware of active exploitation, but said threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as early as April 9, 2026.

The memory corruption vulnerability, tracked as CVE-2026-0300, affects the authentication portal of PAN-OS and allows unauthenticated attackers to run code with root privileges on the PA-Series and VM-Series firewalls. Attack surface management platform Censys said it detected about 263,000 Internet-exposed hosts running PAN-OS. Patches are expected to be released starting May 13, 2026. Webinar: Transform Your SOC - From Generic Detection to Exposure Intelligence Join Gartner and XM Cyber on May 12th at 10 AM EST.

Learn to break the reactive cycle of alert fatigue by infusing real-time exposure context into your SIEM and SOAR. Discover how to prioritize threats based on their actual reachability to your critical assets. Reserve my Seat ➝ 🔔 Top News New Quasar Linux RAT Spotted —Attackers have found a new way to turn Linux systems into entry points for a supply chain or cloud infrastructure breach that are resilient to takedowns. The new malware framework, dubbed Quasar Linux or QLNX, is a modular Linux remote access trojan (RAT) that can harvest data from compromised systems.

But what sets it apart is its use of a peer-to-peer (P2P) mesh capability that turns individual compromises into an interconnected infection network, making the campaign difficult to kill and allowing infected hosts to communicate with one another rather than relying entirely on centralized servers. QLNX also combines kernel-level rootkit functionality, PAM-based authentication backdoors, and persistence mechanisms to stay hidden on compromised systems while enabling persistent access. It also hides malicious processes under names that mimic legitimate Linux services and system binaries to blend into routine workflows. “Quasar Linux RAT (QLNX) is a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features,” Trend Micro said.

“The malware carries embedded C source code for both its PAM backdoor and LD_PRELOAD rootkit as string literals within the binary.” PCPJack Replaces TeamPCP Malware to Steal Cloud Secrets —An unknown threat actor has launched a campaign to systematically clean up environments infected by the infamous TeamPCP hacking group and drop its own malicious tools to steal credentials from cloud, container, developer, productivity, and financial services for financial gain. Active since late April, the campaign is also capable of propagating itself by moving laterally both inside of a network and to other targets by breaking into open and exploitable cloud infrastructure. The broad credential harvesting sweep allows the malware to hack into more cloud servers and propagate the infection in a worm-like manner, while also rooting out any processes and artifacts belonging to TeamPCP. The external propagation is achieved by downloading parquet files from Common Crawl for target discovery.

While threat actors aiming for cloud environments have long built methods to delete competing malware, particularly in cryptojacking campaigns, the lack of a miner and its specific targeting of TeamPCP tooling has raised the possibility that it may be someone who was previously associated with the group, is part of a rival crew, or is an unrelated third-party mimicking TeamPCP’s tradecraft. MuddyWater Uses Chaos Ransomware as Decoy in New Attack —An Iranian state-sponsored espionage group pretended to be a regular ransomware gang in a new ransomware attack detected in early 2026. The Iranian hackers known as MuddyWater disguised their operations as a Chaos ransomware attack, relying on Microsoft Teams social engineering to gain access and establish persistence within a victim environment. Although the attack involved reconnaissance, credential harvesting, and data exfiltration, no file-encrypting ransomware was deployed, which is inconsistent with Chaos attacks.

The victim was also added to the Chaos ransomware data leak site, but infrastructure and code-signing certificate evidence indicate the activity was likely used as a cover to mask the threat actor’s true espionage goals and to complicate attribution. Rapid7 told The Hacker News that there is no evidence to suggest that MuddyWater is operating as an affiliate of Chaos. DAEMON Tools Supply Chain Attack Leads to QUIC RAT —Hackers compromised installers of DAEMON Tools in a supply chain attack that affected users in more than 100 countries. The malicious versions, first observed in early April, impacted multiple releases of the software that were installed on thousands of machines across Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

The operation appears to be targeted. Most victims received only a data miner designed to gather system data, while a second, more advanced shellcode loader was deployed to just a handful of targets, including organizations in retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. It’s suspected that the attackers likely used the initial data collection to profile infected systems before selectively deploying an implant codenamed QUIC RAT. The malware was deployed against only one known target, an unidentified educational institution in Russia.

Kaspersky said the malicious code included Chinese-language elements, suggesting the attackers are familiar with the language, but stopped short of attributing the campaign to a specific group. Cybercrime Groups Use Vishing for Data Theft and Extortion —An active phishing campaign has been observed targeting multiple vectors since at least April 2025, with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts. The activity, which targets organizations across multiple industries, highlights a growing trend where attackers weaponize legitimate IT management tools to bypass security controls and maintain persistence on compromised systems. What makes the campaign noteworthy is its deliberate avoidance of traditional malware in favor of two commercially available remote monitoring and management (RMM) tools, SimpleHelp and ScreenConnect, for persistent control over victim machines.

The abuse of RMM tools by bad actors has surged in recent years as they offer a low-friction way to gain access to and maintain persistence on a victim environment. Because of how ubiquitous they are in enterprise environments, the tools are flagged as malicious, allowing the attackers to blend in with normal operations. 🔥 Trending CVEs Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.

Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-6973 (Ivanti Endpoint Manager Mobile), CVE-2026-0300 (Palo Alto Networks PAN-OS), CVE-2026-29014 (MetInfo), CVE-2026-22679 (Weaver E-cology), CVE-2026-4670, CVE-2026-5174 (Progress MOVEit Automation), CVE-2026-43284, CVE-2026-43500 (Linux Kernel), CVE-2026-7482 (Ollama), CVE-2026-42248, CVE-2026-42249 (Ollama for Windows), CVE-2026-29201, CVE-2026-29202, CVE-2026-29203 (cPanel and Web Host Manager), CVE-2026-23918 (Apache HTTP Server), CVE-2026-42778, CVE-2026-42779 (Apache MINA), CVE-2026-2005 , CVE-2026-2006 (PostgreSQL pgcrypto), CVE-2026-32710 (MariaDB), CVE-2026-23863, CVE-2026-23866 (Meta WhatsApp), CVE-2026-29146 (Apache Tomcat), CVE-2026-1046 (Mattermost Desktop), CVE-2026-0073 (Google Android), CVE-2026-20188 (Cisco Crosswork Network Controller and Network Services Orchestrator), CVE-2026-20185 (Cisco SG350 and SG350X Series Managed Switches), CVE-2026-20034, CVE-2026-20035 (Cisco Unity Connection), CVE-2026-7896, CVE-2026-7897, CVE-2026-7898 , CVE-2026-5865 (Google Chrome), CVE-2025-68670 ( xrdp ), CVE-2026-23864 (React Server Components), CVE-2026-23870 , CVE-2026-44575 , GHSA-26hh-7cqf-hhc6 , CVE-2026-44579 , CVE-2026-44574 , CVE-2026-44578 , CVE-2026-44573 ( Next.js ), CVE-2026-26129 , CVE-2026-26164 (Microsoft M365 Copilot), CVE-2026-33111 (Microsoft Copilot Chat), CVE-2026-44843 (LangChain), and CVE-2026-33309 (Langflow). 🎥 Cybersecurity Webinars The Hidden Attack Paths Your AppSec Tools Completely Miss in 2026 → This webinar shows the real attack paths that most AppSec tools miss — from code and CI/CD pipelines to cloud setups, dependencies, and secrets. See how attackers combine small weaknesses into big breaches, and learn simple ways to find and stop them. With Wiz experts Mike McGuire and Salman Ladha.

AI-Powered DDoS Attacks Are Here — And They’re Smarter, Faster & Deadlier in 2026 → Attackers are now using AI to launch DDoS attacks that are faster, smarter, and much harder to stop. This webinar shows how they instantly spot weak spots, create new attack methods, and dramatically increase success rates — plus easy ways defenders can fight back using smarter AI tools and proactive protection. Perfect for security leaders who want to stay ahead. 📰 Around the Cyber World JDownloader Website Compromised in Supply Chain Attack —The website for JDownloader, an open-source download management tool, was compromised last week to distribute malicious Windows and Linux installers.

The compromise occurred on May 6, 2026, at 12:01 a.m. UTC. While the Linux version embeds malicious shell code, the Windows version has been found to serve a Python-based remote access trojan (RAT) that enlists the compromised device in a bot network and runs arbitrary Python code supplied by the operator, per researcher Thomas Klemenc . “The attack has modified alternative download pages and exchanged links and details,” the developer behind JDownloader said in a post on Reddit.

“The bad ones are missing digital signatures and as such [Microsoft] SmartScreen will block/warn the execution of it.” Further investigation uncovered that the attack vector was an “unpatched security bug,” although it’s not clear which vulnerability was exploited by the threat actor to tamper with the site. Operation HookedWing Targets Over 500 Organizations —A long-running phishing campaign dating back to 2022 has stolen 2,000 credentials belonging to users from over 500 different organizations. According to SOCRadar, the campaign has mostly affected aviation, public administration, energy, and critical infrastructure. “The breadth of targeting, combined with the campaign’s longevity, points to a resource-capable operation rather than opportunistic activity,” it said .

The activity has been codenamed Operation HookedWing. The attack uses phishing emails with lures related to human resources, Microsoft, or Google to direct users to fake landing pages hosted on GitHub.io and Vercel, capture entered credentials via an injected form, and exfiltrate them to servers compromised or created by the threat actor. More than 20 distinct command-and-control (C2) domains and 100 distribution domains have been identified. Uptick in Use of Vercel for Phishing Campaigns —Threat actors are increasingly using Vercel to create large numbers of realistic phishing websites that impersonate well-known brands.

“Threat actors are able to redeploy phishing campaigns with ease if a web page is taken down,” Cofense said . “Vercel abuse has increased significantly over time and is likely to continue increasing as minimally skilled threat actors start using cheap or free force multipliers.” New ConsentFix V3 Attack Automates Microsoft Account Hijacking —Push Security said it identified a member of the XSS criminal forum advertising a new toolkit dubbed ConsentFix v3 that brings together ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts. “ConsentFix v3 allows users to instrument the entire attack chain, enabling users to spin up ConsentFix infrastructure, create believable personas with which to interact with victims, craft and manage email campaigns, and automate the process of exchanging the captured OAuth token for session and refresh tokens to establish access to the compromised account,” Push Security said . The attack uses Cloudflare Workers for hosting the phishing pages, ZoomInfo for target identification, Dropbox for PDF hosting, and Pipedream as an exfiltration channel.

Workplace Fraud Trends in 2026 —A new report from Cifas has found that 13% of employees said: “they have either sold their company login details to a former colleague, or know someone who has, in the past 12 months.” Another 13% of respondents believed selling access to company systems was justifiable. “Selling login details might seem insignificant to those involved, but it can open the door to serious fraud and financial harm,” Cifas said. “These findings show how vital it is for organisations to build fraud‑aware cultures, where employees at all levels understand their responsibilities and the consequences of their actions.” India Pushes for Sovereign Hosting of Anthropic’s Claude AI Models —According to a report from MoneyControl, the Indian government is said to be pushing for sovereign hosting of Anthropic’s Claude artificial intelligence (AI) models within India. Officials have argued that advanced AI systems meant for sensitive sectors such as banking, telecom, and critical infrastructure cannot operate on foreign-hosted infrastructure due to jurisdictional, compliance, and national security risks.

OpenAI Rolls Out GPT-5.5-Cyber —OpenAI began rolling out GPT-5.5-Cyber, a security-focused variant of the model, in a limited preview capacity to select cybersecurity teams, a month after Anthropic’s Mythos debut. “The initial preview of cyber-permissive models like GPT‑5.5‑Cyber is not intended to significantly increase cyber capability beyond GPT‑5.5 – it’s primarily trained to be more permissive on security-related tasks,” OpenAI said . “The differences between model access levels are most pronounced when comparing prompts and responses.” FIRESTARTER Backdoor Targets Cisco Devices —Late last month, theU.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that an unnamed federal civilian agency’s Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER .

The malware is noteworthy for its ability to survive reboots, firmware updates, and patches. In a new analysis, firmware security company Eclypsisum described the backdoor as a Linux ELF that hooks the LINA process and re-installs itself after receiving a termination signal. “When lina_cs runs, it copies its own contents from /usr/bin/lina_cs into memory and registers a signal handler, allowing the malware to take action in response to signals (e.g., when the system or user tells the process to restart),” security researcher Paul Asadoorian said . “It also triggers on runlevel 6, which is the system reboot runlevel on Linux.

Which means every time the device shuts down or reboots, FIRESTARTER’s persistence routine fires.” Google Rolls Out Ways for Developers to Push Safer Android Apps —Google said it has expanded Play Policy Insights in Android Studio to catch common policy issues, like missing login credentials, and detect security threats and abuse using its Play Integrity API. “With significantly shorter warm-up latency, you can use these real-time checks in your most speed-critical user journeys, like logins or payments, to catch unauthorized access and risky interactions,” Google said . “We’re adding support for post-quantum cryptography in Play App Signing this year, which will protect your apps and app updates from potential threats with the emergence of quantum computing.” Poland Says Hackers Breached its Water Treatment Plants —Poland’s Internal Security Agency (ABW) disclosed that it detected attacks on five water treatment plants in 2025, potentially allowing bad actors to take control of industrial equipment and, in the worst case, tamper with the safety of the water supply. The intelligence agency did not attribute the attacks to a specific threat actor or group, but Russian government hackers were attributed to a failed attempt to bring down the country’s energy grid towards the end of 2025.

Claude Leans More on Russian and Iranian Propaganda Sources —A new audit of Anthropic Claude has revealed that the AI chatbot “repeated false claims 15% of the time when it was asked about pro-Kremlin falsehoods in the voice of typical users, citing Russian state-affiliated media every time,” NewsGuard said . The figure represents a jump from only 4%. What’s more, since the start of the U.S.-Iran war, Claude cited Iranian state-affiliated media in one case when prompted on pro-Iran false claims, when previously it had never cited Iranian state-affiliated media. “This increase in citations to Kremlin propaganda sources, including when they spread false claims, suggests that Claude in recent months has become more vulnerable to state disinformation campaigns,” NewsGuard said.

WebSocket Backdoor Campaign Injects Skimmers —Palo Alto Networks Unit 42 said obfuscated WebSocket backdoors are being used to inject credit card skimmers into hundreds of compromised websites with the goal of sending stolen card information back to the attacker’s C2 domains. “Obfuscated JavaScript creates a WebSocket backdoor using dynamically executed JavaScript,” Unit 42 said . “The WebSocket sends an obfuscated JavaScript payload to inject a credit card skimmer into the web page.” How Backdoored Electron Applications Evade Defenses —Cybersecurity researchers have detailed a technique that hijacks trusted Electron applications to enable persistence and bypass application safe listing controls. “In advanced variations of the attack, minimal changes are made to the components of the Electron application,” LevelBlue said .

“This allows the application to function normally while at the same time loading the malicious command-and-control (C2) functionality in the background, hiding under the umbrella of the trusted process.” New Attacks Distribute Vidar Stealer, PlugX, and Beagle Malware —In an attack chain detailed by LevelBlue, threat actors have been found to leverage “MicrosoftToolkit.exe” as a starting point to launch an AutoIt script that drops the Vidar Stealer payload. “This intrusion highlights the continued effectiveness of script-based, multi-stage loaders in delivering commodity information stealers such as Vidar,” LevelBlue said . “A sophisticated multi-stage loader infection leveraging Windows-native tools and file-masquerading techniques. The attacker avoids dropping a single identifiable malware binary and instead reconstructs and executes payloads dynamically through staged file manipulation.” The development follows the discovery of a fake Claude website (“claude-pro[.]com”) that serves as a conduit for a fake MSI installer responsible for deploying a DonutLoader payload that drops a simple backdoor dubbed Beagle, which is capable of running commands and performing file uploads/downloads.

Critical Flaw in Cline’s Kanban Server —A critical vulnerability in Cline’s local Kanban server (CVSS score: 9.7) could have been exploited by an attacker to facilitate information disclosure through the runtime state stream, remote code execution through the terminal I/O endpoint, and denial-of-service through the terminal control endpoint. Oasis Security, which discovered the vulnerability, said the AI coding agent’s localhost WebSocket lacks origin validation and authentication. Because web browsers don’t enforce the same-origin policy on WebSocket connections, any website the developer visits can connect to these endpoints to achieve full compromise. “Any website a developer visited while running an affected version could silently connect to their machine, exfiltrate workspace data in real time, and inject commands into the developer’s AI agent,” Oasis Security said .

“The developer would see nothing unusual. They were just browsing the web.” Following responsible disclosure, the issue was addressed in Cline Kanban version 0.1.66 . Mozilla Uses AI to Detect 423 Flaws in Firefox —Mozilla revealed Anthropic’s Mythos Preview and other AI models helped it identify and ship 423 Firefox security bug fixes in April 2026, compared to 31 a year earlier. This includes a 20-year-old use-after-free bug that could be triggered using the XSLTProcessor DOM API without any user interaction, as well as various flaws in its sandbox system.

“This was due to a combination of two main factors,” Mozilla said . “First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models – steering them, scaling them, and stacking them to generate large amounts of signal and filter out the noise.” The development comes as AI is already accelerating vulnerability discovery, reducing the effort needed to identify, validate, and weaponize flaws. 60% of MD5 Password Hashes Can Be Cracked in Under an Hour —An analysis of 231 million unique passwords from dark web leaks between 2023 and 2026 has revealed that nearly 60% of them can be cracked in less than an hour.

To make matters worse, nearly half of all passwords (48%) can be cracked within a minute. “Attackers owe this boost in speed to graphics processors, which grow more powerful every year,” Kaspersky said . “While an RTX 4090 in 2024 could brute-force MD5 hashes at a rate of 164 gigahashes (billion hashes) per second, the new RTX 5090 has increased that speed by 34% – reaching 220 gigahashes per second.” New JobStealer Targets Windows and macOS —Threat actors are luring potential victims to malicious websites and asking them to download a video conferencing app under the pretext of an online interview, only to drop a stealer that can harvest data from cryptocurrency wallets. “The malicious program JobStealer, disguised as an online conferencing app, is downloaded from them,” Doctor Web said .

Some of the fake brands used by the threat actors include MeetLab, Juseo, Meetix, and Carolla. “To convince users that these platforms are fully functional, scammers create corresponding Telegram channels and social media accounts – for example, on X.” The attack leverages a ClickFix -like instruction to copy and paste a command that drops the stealer malware. More ClickFix Attacks —ClickFix attacks seem to show no signs of stopping anytime soon. The Australian Cyber Security Center (ACSC) warned that the ClickFix social engineering tactic is being used to deliver Vidar Stealer.

“The ClickFix attack typically begins with an adversary injecting a malicious payload delivery domain into the compromised website,” ACSC said. “The injected payload domain loads JavaScript code from an external API server. This code overwrites the content of the legitimate page, presenting a fraudulent Cloudflare verification prompt.” In recent months, ClickFix has evolved to abuse native Windows utilities like cmdkey and regsvr32 , as well as drop Node.js-based infostealer to Windows users via malicious MSI installers and an AppleScript-based infostealer to macOS. ClickFix-related attacks have also been found to leverage shareable chat features on ChatGPT and Grok , or blog sites and other user-driven content platforms, to trick users into running AMOS Stealer, MacSync, and Shub Stealer.

“Prior iterations of this campaign delivered the infostealers through disk image (.dmg) files that required users to manually install an application,” Microsoft said . “This recent activity reflects a shift in tradecraft, where threat actors instruct users to run Terminal commands that leverage native utilities to retrieve remotely hosted content, followed by script‑based loader execution.” Another campaign targeting Vietnam, Taiwan, and Spain has spread through fake Google documents containing a ClickFix command and malicious DMG files to deploy a new macOS stealer called NotnullOSX that exclusively targets victims holding over $10,000 in cryptocurrency holdings. ClickFix has also been used by a traffic distribution system (TDS) called ErrTraffic . “ErrTraffic primarily targets WordPress websites by deploying a PHP backdoor script in the must-use plugin (mu-plugin) that captures administrator credentials and ensures persistence on compromised sites,” LevelBlue said .

“ErrTraffic utilizes the Traffic Distribution System (TDS) to filter site visitors and redirect them to ClickFix lures [via EtherHiding ]. ShinyHunters Extortion Campaign Targets Instructure —The ShinyHunters group targeted Instructure, the supplier of the Canvas learning management system (LMS), defacing the login portals for 330 colleges and universities . According to Dataminr , ShinyHunters has claimed to have exfiltrated 3.65TB of data across approximately 275 million records from nearly 9,000 affected organizations listed publicly, including Harvard, Stanford, Columbia, and Apple. Exposed data includes usernames, email addresses, course names, enrollment information, and messages.

Instructure has said no passwords, government IDs, birth dates, financial data, or course content were compromised. The threat actors exploited a “vulnerability regarding support tickets in our Free for Teacher environment,” the company added. Access to Free for Teacher has been disabled pending a full security review. As of writing, Canvas is fully back online and available for use.

The message shared by the notorious cybercrime group showed that the group has threatened to leak the trove of data, giving a deadline of May 12. The May 7, 2026, incident is a continuation of prior unauthorized activity detected in Canvas on April 29, 2026. Following the hack, the U.S. Federal Bureau of Investigation (FBI) cautioned individuals to be on the lookout for “unsolicited emails, calls, or texts claiming to be from your school, the LMS provider, or law enforcement and to verify the contact through known channels before responding.” 🔧 Cybersecurity Tools AiSOC → It is an open-source, self-hostable AI-powered Security Operations Center.

It brings together security alerts, uses AI agents to investigate them, maps findings to MITRE ATT&CK, and supports purple team exercises and incident triage — all within a single stack that you can run on your own infrastructure. Watcher → is an open-source platform that helps security teams monitor and detect emerging cyber threats. It uses AI to analyze threat data, track suspicious domains, watch for information leaks, and follow cybersecurity news from official sources — all in one dashboard. Built with Django and React, it runs easily with Docker.

Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law. Conclusion That’s the week: poisoned downloads, cloud messes, old bugs refusing to die, and attackers putting in barely more effort than a guy restarting a frozen router.

Everybody’s tired, nobody trusts installers anymore, and the internet somehow keeps getting worse in very predictable ways. See you next Monday, assuming nothing catches fire before then. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Your Purple Team Isn’t Purple — It’s Just Red and Blue in the Same Room

Defending a network at 2 am looks a lot like this: an analyst copy-pasting a hash from a PDF into a SIEM query. A red team script is being rewritten by hand so the blue team can use it. A patch waiting on a change-approval window that’s longer than the exploitation window itself. Nobody in that chain is incompetent .

Every human is doing their job correctly. The problem is the system, its workflows, and its messy handoffs. In contrast, the attacker’s clock has nearly disappeared. In 2024, the mean time from a CVE being published to a working exploit was 56 days.

By 2025, it had shrunk to 23 days. So far in 2026, it’s sitting at roughly 10 hours across 3,532 CVE-exploit pairs from CISA KEV, VulnCheck KEV, and ExploitDB. Figure 1. Today’s Vulnerability to Exploitation Windows is now 10 Hours The minor piece of good news is that the defender’s clock has accelerated to run in hours .

The really bad news is that the attacker’s clock has leapfrogged past it and now runs in seconds. It’s not even close to a fair fight. For a decade, the security industry has had a name for the practice that’s supposed to close this gap: purple teaming . It’s the right answer.

It just hasn’t been a practical one, until now . What Purple Teaming Actually Is Purple teaming is simple in concept. Red finds the paths an attacker would take. Blue validates whether detections fire and prevention holds.

They iterate. Red’s output becomes blue’s input. Blue’s output becomes red’s next input. The loop tightens your organization’s posture continuously instead of once a quarter.

That’s the idea, and again, it’s a solid one. The execution is where, sadly, it all falls apart. Three Reasons that Traditional Purple Teaming Hasn’t Been Operationalized Reason 1: Human purple teaming creates too much friction. Almost nobody runs purple teaming as a real loop.

The teams don’t talk often enough;and  when they do, people get pulled into long meetings, detailed reports, lengthy post-mortems, and family emergencies. The bottleneck is almost always human, in the most ordinary sense. Look at where defender hours actually go. Not inside the EDR — it fired.

Not inside the SIEM — it correlated. Not inside the scanner — it had the CVE. Response time dies in transit. The unread Slack message.

The copy-pasted hash. The PDF was emailed for review. The ticket waiting for eyeballs or approval. The red team script is being rebuilt by hand for the blue team.

This is the spaghetti handoff. Once you see the inefficiencies and failure points, you can’t unsee them. Reason 2: Orchestrating teams and tools is the real bottleneck The network team owns firewalls. The SOC consumes alerts.

Red runs exercises. Blue builds detections. VM chases CVEs. IT ops applies patches.

Each group operates one or more tools; each tool emits an artifact (a finding, an alert, a report, a ticket) that gets picked up, reinterpreted, and handed off. What these teams collectively produce is meant to be a service: a continuously validated security posture. In reality, it’s usually a jury-rigged mess, glued together by overtaxed humans typing bleary-eyed into Jira at midnight. So purple teaming has largely stayed aspirational.

A cool idea in vendor decks. Perhaps a quarterly exercise. Almost never operational. Certainly not operational enough.

Reason 3: Traditional purple teaming can’t keep up with AI-powered adversaries Here’s what’s changed. Attackers got an LLM. The defenders are still filling in a Jira ticket. For most organizations, the change-approval process alone is now longer than the exploitation window.

An AI-assisted attacker can compromise a system in 73 seconds. A defender, working through the standard handoff chain between SOC, red and blue teams, and IT, usually takes at least 24 hours to deploy a fix. Figure 2. Spaghetti Handoff between teams A quarterly purple team exercise, or even a monthly one, isn’t a loop anymore, it’s a box to be checked, a snapshot of a battle that’s already happened, and, usually, an exercise in futility.

Enter Autonomous Purple Teaming The same technology compressing the attacker’s clock can compress the defender’s. The good news is that autonomous purple teaming, by its very nature, is exactly the kind of workflow AI is good at: a tight, well-defined loop between two specialized functions, where the bottleneck has always been the human handoff and knowledge transfer rather than the work itself. When autonomous agents run the handoffs, the loop finally closes at machine speed. Red’s findings automatically become blue’s tests.

Blue’s gaps become red’s next exercise. No coffee breaks, no kids home from school, no holiday disruptions. The system people have been describing for ten years can now finally run as an ongoing methodology, not a calendar event. This isn’t “AI for security” in the sense most vendors have pitched over the last year: generate a YARA rule, summarize an alert, draft a ticket.

Those are task automations. Useful, and incrementally helpful. But true autonomy is something else : an agent running the entire loop end-to-end, with every step auditable so you can override, retune, or roll back. And it’s a dial, not a cliff.

Crawl is manual. Walk is scheduled with AI assist. Run is end-to-end with human review only where needed. What Autonomous Purple Teaming Looks Like in Practice: BAS, Automated Pentest, and AI-Powered Mobilization To be effective, autonomous purple teaming requires three components working as one system rather than separate tools: Automated Penetration Testing is red’s question, answered continuously: can an attacker reach the crown jewels in your environment, given today’s exposures and today’s controls?

Breach and Attack Simulation (BAS) is blue’s answer: did the firewall block it, did the EDR catch it, did the SIEM rule fire, did the response play out the way the runbook says it should? Figure 3. BAS and Automated Pentesting gives you the complete picture AI-powered mobilization is the part that used to be a human typing into Jira, now run by a chain of specialized agents. A CISA alert lands.

A CTI agent enriches it against your environment. A baseliner agent decides the threat is relevant and pulls the current posture from BAS, pentest, and exposure data. Red and blue agents run the simulation and validation in parallel. A mobilizer agent auto-deploys low-risk fixes, opens tickets for the moderate ones, and flags the rest for human review.

A reporter agent writes one executive view for leadership and one technical view for the SOC. No analysts in the chain. Every step is still visible in the operator console. No black box, just no humans in the typing-into-Jira seat.

The output isn’t 50,000 CVEs ranked by CVSS. It’s one continuous action queue across red and blue: what’s actually exploitable today, against your actual controls, and what to do about it before the exploitation window closes. That’s purple teaming, not just automation. It’s the loop the industry has been dreaming about,  finally running at the pace AI-powered threats now demand.

See it running inside a real enterprise A continuous loop is the right answer. But “continuous” still implies a human pacing it. When attackers operate at machine speed, the gap that matters isn’t between seeing and detecting; it’s between detecting and proving fast enough that an AI-driven adversary doesn’t find out first. This is where validation goes from continuous to autonomous: AI agents reading the alert, scoping the test, running the simulation, pushing the fix, and writing the report, while the SOC focuses on the big picture, and ideally catches up on some much-needed sleep.

We’ll be unpacking exactly what this looks like — the architecture, the agentic workflows, the operational reality of running this inside a real enterprise — at the Autonomous Validation Summit on May 12 & 14 , hosted with Frost & Sullivan and featuring practitioners from Kraft Heinz, Hacker Valley, and Glow Financial Services, alongside Picus CTO Volkan Erturk. See it in action at the summit → Note: This article was written by Sıla Özeren Hacıoğlu , Security Research Engineer at Picus Security. Found this article interesting? This article is a contributed piece from one of our valued partners.

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads

A malicious Hugging Face repository managed to take a spot in the platform’s trending list by impersonating OpenAI’s Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter , masqueraded as its legitimate counterpart released by OpenAI late last month ( openai/privacy-filter ), including copying the entire description verbatim to trick unsuspecting users into downloading it. Access to the malicious model has since been disabled by Hugging Face. Privacy Filter was unveiled in April 2026 by the artificial intelligence (AI) company as a way to detect and redact personally identifiable information (PII) in unstructured text with an aim to incorporate strong privacy and security protections into applications.

“The repository had typosquatted OpenAI’s legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines,” the HiddenLayer Research Team said in a report published last week. The malicious project instructs users to clone the repository and run a batch script (“start.bat”) for Windows or a Python script (“loader.py”) for Linux or macOS systems to configure all necessary dependencies and start the model. Once launched, the Python script triggers malicious code responsible for disabling SSL verification, decoding a Base64-encoded URL hosted on JSON Keeper, and using it to extract a command that’s passed to PowerShell for subsequent execution.The use of JSON Keeper, a public JSON paste service, as a dead drop resolver allows the attackers to switch payloads on the fly without the need for modifying the repository. The PowerShell command is used to download a batch script from a remote server (“api.eth-fastscan[.]org”) and launch it using “cmd.exe.”The batch script functions as a second-stage downloader that prepares the environment by elevating its privileges by means of a User Account Control (UAC) prompt, configuring Microsoft Defender Antivirus exclusions, downloading the next-stage binary from the same domain, and setting up a scheduled task that launches a PowerShell script to run the executable.

Once the scheduled task is launched, the malware waits for two seconds before deleting itself. The final stage is an information stealer that’s designed to take screenshots and harvest data from Discord, cryptocurrency wallets and extensions, system metadata, files such as FileZilla configurations and wallet seed phrases, and web browsers based on the Chromium and Gecko rendering engines. “Despite using a scheduled task, this stage establishes no persistence: the task is destroyed before any reboot. It is being used as a one-shot SYSTEM-context launcher,” HiddenLayer explained.

The stealer also runs checks to detect debuggers and sandboxes, ascertains it’s not running in a virtual machine, and tries to disable Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) to evade behavioural detection. The stolen data is exfiltrated in JSON format to the “recargapopular[.]com” domain. Prior to it being disabled, the model is said to have reached the #1 trending position on Hugging Face with approximately 244,000 downloads and 667 likes within 18 hours. It’s suspected that these numbers were artificially inflated to give the repository an illusion of trust and get users to download it.

Further analysis of the activity has unearthed six more repositories that feature a similar Python loader to deploy the stealer - anthfu/Bonsai-8B-gguf anthfu/Qwen3.6-35B-A3B-APEX-GGUF anthfu/DeepSeek-V4-Pro anthfu/Qwopus-GLM-18B-Merged-GGUF anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF anthfu/supergemma4-26b-uncensored-gguf-v2 HiddenLayer said it also observed the “api[.]eth-fastscan[.]org” domain being used to serve a different Windows executable (“ o0q2l47f.exe “) that beacons out to “welovechinatown[.]info,” a command-and-control (C2) server previously put to use in a campaign in which a malicious npm package named trevlo was leveraged to deliver ValleyRAT (aka Winos 4.0). The Node.js library was downloaded more than 2,300 times after it was published by a user named “titaniumg” on April 4, 2026, although it’s not clear if the download count was artificially boosted using automated processes. It’s no longer available on npm. “The package’s postinstall hook silently executes an obfuscated JavaScript loader that spawns a base64-encoded PowerShell command, which in turn fetches and executes a second-stage PowerShell script from attacker-controlled infrastructure,” Panther noted last month.

“That script downloads and runs a Winos 4.0 stager binary (“CodeRun102.exe”) with full evasion, complete with hidden window execution, Zone Identifier removal, and process detachment.” The attack is noteworthy for the fact that it represents a new initial access vector for ValleyRAT, a modular remote access trojan that’s known to be distributed via phishing emails and search engine optimization (SEO) poisoning. The use of ValleyRAT is exclusively attributed to a Chinese hacking group dubbed Silver Fox. “The shared infrastructure suggests these campaigns are possibly linked and likely part of a broader supply chain operation targeting open-source ecosystems,” HiddenLayer said. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak

Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory. The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed Bleeding Llama by Cyera. Ollama is a popular open-source framework that allows large language models (LLMs) to be run locally instead of on the cloud.

On GitHub, the project has more than 171,000 stars and has been forked over 16,100 times. “Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader,” according to a description of the flaw in CVE.org. “The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file’s actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer.” GGUF, short for GPT-Generated Unified Format, is a file format that’s used to store large language models so that they can be easily loaded and executed locally. It’s analogous to other popular model saving formats like PyTorch .pt/.pth (based on Python’s pickle module), safetensors, and Open Neural Network Exchange (ONNX).

The problem, at its core, stems from Ollama’s use of the unsafe package when creating a model from a GGUF file, specifically in a function named “WriteTo(),” thereby making it possible to execute operations that bypass the memory safety guarantees of the programming language. In a hypothetical attack scenario, a bad actor can send a specially crafted GGUF file to an exposed Ollama server with the tensor’s shape set to a very large number to trigger the out-of-bounds heap read during model creation using the /api/create endpoint. Successful exploitation of the vulnerability could leak sensitive data from the Ollama process memory. This may include environment variables, API keys, system prompts, and concurrent users’ conversation data.

This data can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The exploitation chain unfolds over three steps - Upload a crafted GGUF file with an inflated tensor shape to a network-accessible Ollama server using an HTTP POST request. Use the /api/create endpoint to activate model creation, firing the out-of-bounds read vulnerability. Use the /api/push endpoint to exfiltrate data from the heap memory to an external server.

“An attacker can learn basically anything about the organization from your AI inference — API keys, proprietary code, customer contracts, and much more,” Cyera security researcher Dor Attias said. “On top of that, engineers often connect Ollama to tools like Claude Code. In those cases, the impact is even higher – all tool outputs flow to the Ollama server, get saved in the heap, and potentially end up in an attacker’s hands.” Users are advised to apply the latest fixes, limit network access, audit running instances for internet exposure, and isolate and secure them behind a firewall. It’s also recommended to deploy an authentication proxy or API gateway in front of all Ollama instances, as the REST API does not provide authentication out of the box.

Two Unpatched Flaws in Ollama Lead to Persistent Code Execution The development comes as researchers at Striga detailed two vulnerabilities in Ollama’s Windows update mechanism that can be chained into persistent code execution. The shortcomings remain unpatched following disclosure on January 27, 2026, and have been published following the elapse of a 90-day disclosure period. According to Bartłomiej “Bartek” Dmitruk, co-founder of Striga, the Windows desktop client auto-starts on login from the Windows Startup folder, listens on 127.0.0[.]1:11434, and periodically polls for updates in the background via the /api/update endpoint to run any pending updates on the next app start. The identified vulnerabilities relate to a path traversal and a missing signature check that, when combined with the on-login routine, can permit an attacker with the ability to influence update responses to execute arbitrary code at every login.

The flaws are listed below - CVE-2026-42248 (CVSS score: 7.7) - A missing signature verification vulnerability that does not verify the update binary prior to installation, unlike its macOS version. CVE-2026-42249 (CVSS score: 7.7) - A path traversal vulnerability that stems from the fact that the Windows updater creates the local path for the installer’s staging directory directly from HTTP response headers without sanitizing it. To exploit the flaws, the attacker needs to be in control of an update server that’s reachable by the victim’s Ollama client. In such a situation, it could lead to a scenario where an arbitrary executable is supplied as part of the update process and gets written to the Windows Startup folder without raising any signature check issues.

To be able to control the update response, one approach involves overriding the OLLAMA_UPDATE_URL to point the client at a local server on plain HTTP. The attack chain also assumes AutoUpdateEnabled is on, which is the default setting. What’s more, the missing integrity check can lead to code execution on its own without the need for exploiting the path traversal vulnerability. In this case, the installer is dropped into the expected staging directory.

During the next launch from the Startup folder, the update process is invoked without re-verifying the signature, causing the attacker’s code to be executed instead. That being said, the remote code execution is not persistent, as the next legitimate update overwrites the staged file. By adding the path traversal flaw to the mix, a bad actor can redirect the executable to be written outside the usual path and achieve persistent code execution. According to CERT Polska, which took over the coordinated disclosure process, Ollama for Windows versions 0.12.10 through 0.17.5 are vulnerable to the two flaws.

In the interim, users are recommended to turn off automatic updates and remove any existing Ollama shortcut from the Startup folder (“%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup”) to disable the silent on-login execution pathway. “Any Ollama for Windows installation running version 0.12.10 through 0.22.0 is vulnerable,” Dmitruk said. “The path traversal writes attacker-chosen executables into the Windows Startup folder. The missing signature verification keeps them there: the post-write cleanup that would remove unsigned files on a working updater is a no-op on Windows.

On the next login, Windows runs whatever was left behind.” “The chain produces persistent, silent code execution at the privilege level of the user running Ollama. Realistic payloads include reverse shells, info-stealers exfiltrating browser secrets and SSH keys, or droppers that pivot to additional persistence mechanisms. Anything that runs as the current user. Removing the dropped binary from the Startup folder ends the persistence, but the underlying flaws remain.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows - CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the “feature::LOADFEATUREFILE” adminbin call that could result in an arbitrary file read. CVE-2026-29202 (CVSS score: 8.8) - An insufficient input validation of the “plugin” parameter in the “create_user API” call that could result in arbitrary Perl code execution on behalf of the already authenticated account’s system user. CVE-2026-29203 (CVSS score: 8.8) - An unsafe symlink handling vulnerability that allows a user to modify access permissions of an arbitrary file using chmod, resulting in denial-of-service or possible privilege escalation.

The shortcomings have been patched in the following versions - cPanel and WHM - 11.136.0.9 and higher 11.134.0.25 and higher 11.132.0.31 and higher 11.130.0.22 and higher 11.126.0.58 and higher 11.124.0.37 and higher 11.118.0.66 and higher 11.110.0.116 and higher 11.110.0.117 and higher 11.102.0.41 and higher 11.94.0.30 and higher 11.86.0.43 and higher WP Squared - 11.136.1.10 and higher cPanel has released 110.0.114 as a direct update for customers who are still on CentOS 6 or CloudLinux 6. Users are advised to update to the latest versions for optimal protection. While there is no evidence that the vulnerabilities have been exploited in the wild, the disclosure comes days after another critical flaw in the product ( CVE-2026-41940 ) has been weaponized by threat actors as a zero-day to deliver Mirai botnet variants and a ransomware strain called Sorry. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that’s capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076 . The malware family is assessed to be a major update of the Maverick family, which is known to leverage a worm called SORVEPOTEL to spread via WhatsApp Web to a victim’s contacts. The Maverick campaign is attributed to a threat cluster that Trend Micro calls Water Saci.

At the core of the attack chain is a loader with robust anti-analysis capabilities that deploys two embedded modules: a full-featured banking trojan and a worm component that uses WhatsApp and Microsoft Outlook for propagation. “The observed infection chain bundles a malicious MSI installer inside a ZIP file,” security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus said . “These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder.” The malware leverages DLL side-loading against the application to launch a malicious DLL (“screen_retriever_plugin.dll”), which functions as a loader with a “comprehensive watchdog subsystem” that continuously keeps an eye out for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to sidestep detection. Specifically, the malicious DLL will only execute if it was loaded by either “logiaipromptbuilder.exe” (the Logitech program) or “tclloader.exe” (likely a reference to an executable used during testing).

It also removes any usermode hooks placed by endpoint security software within “ntdll.dll” by replacing the library and disables Event Tracing for Windows (ETW) telemetry. What’s more, the malware generates three fingerprints based on anti-debugging and anti-virtualization checks, system disk information checks, and language checks, using them to create an environment hash value that’s used to decrypt the embedded payload. The system language check ensures that the user’s default language is Brazilian Portuguese. “For example, if a debugger is present, it will produce an incorrect hash, so when the malware attempts to derive the decryption keys from the hash, the payload will not decrypt correctly, and TCLBANKER will stop executing,” Elastic explained.

The main component launched following these checks is the banking trojan that once again verifies if it’s running on a Brazilian system, and then proceeds to establish persistence using a scheduled task. Subsequently, it beacons out to an external server with an HTTP POST request containing basic system information. TCLBANKER also incorporates a self-update mechanism and a URL monitor that extracts the current URL from the foreground browser’s address bar using UI Automation . This step targets popular browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi.

The extracted URL is matched against a hard-coded list of targeted financial institutions. If there is a match, it establishes a WebSocket connection to a remote server and enters into a command dispatch loop, enabling the operator to perform a broad range of tasks - Run shell commands Capture screenshots Start/stop screen streaming Manipulate clipboard Launch a keylogger Remotely control mouse/keyboard Manage files and processes Enumerate running processes List visible windows Serve fake credential-stealing overlays To conduct data theft, TCLBANKER relies on a Windows Presentation Foundation (WPF)-based full-screen overlay framework to conduct social engineering using credential harvesting prompts, vishing wait screens, bogus progress bars, and fake Windows Updates, all while hiding overlays from screen capture tools. In tandem, the loader invokes the worming module to propagate the trojan via spam and phishing messages at scale. It employs a two-pronged approach that involves a WhatsApp Web worm that hijacks authenticated browser sessions and an Outlook email bot that abuses Microsoft Outlook to send fake emails to the victim’s contacts.

Like in the case of SORVEPOTEL , the WhatsApp worm retrieves a messaging template from the server and leverages the open-source project WPPConnect to automate the sending of messages to other users, while filtering out groups, broadcasts, and non-Brazilian numbers. The Outlook agent, on the other hand, is an email spambot that abuses the victim’s installed Microsoft Outlook application to send phishing emails from the victim’s email address, thereby bypassing spam filters and giving the messages an illusion of trust. “TCLBANKER hijacks a victim’s WhatsApp session and Outlook account to spam up to 3,000 contacts with the trojanized installer, this sends malware from the victim’s own accounts, through their own contacts, using legitimate infrastructure,” an Elastic spokesperson told The Hacker News. Traditional email gateways and reputation-based defenses are essentially blind to it.

REF3076 appears to be in early operational stages, with debug logging paths, test process names, and an incomplete phishing site present in the code. This indicates the campaign is still being fleshed out and could further evolve over time. “TCLBANKER reflects a broader maturation happening across the Brazilian banking trojan ecosystem,” Elastic concluded. “Techniques that were once the hallmark of more sophisticated threat actors: environment-gated payload decryption, direct syscall generation, real-time social engineering orchestration over WebSocket, are now being packaged into commodity crimeware.” “The campaign inherits the trust and deliverability of legitimate communications by hijacking victims’ WhatsApp sessions and Outlook accounts.

This is a distribution model that traditional email gateways and reputation-based defenses are ill-equipped to catch.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that falsely claimed to offer access to call histories for any phone number, only to trick users into joining a subscription that provided fake data and incurred financial loss. The 28 apps have collectively racked up more than 7.3 million downloads, with one of them alone accounting for over 3 million downloads, before they were taken down from the official app storefront.The activity, codenamed CallPhantom by Slovakian cybersecurity company ESET, primarily targeted Android users in India and the broader Asia-Pacific region. “The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number,” ESET security researcher Lukáš Štefanko said in a report shared with The Hacker News. “To unlock this supposed feature, users are asked to pay – but all they get in return is randomly generated data.” The list of identified apps is below - Call history : any number deta (calldetaila.ndcallhisto.rytogetan.ynumber) Call History of Any Number (com.pixelxinnovation.manager) Call Details of Any Number (com.app.call.detail.history) Call History Any Number Detail (sc.call.ofany.mobiledetail) Call History Any Number Detail (com.cddhaduk.callerid.block.contact) Call History Of Any Number (com.basehistory.historydownloading) Call History of Any Numbers (com.call.of.any.number) Call History Of Any Number (com.rajni.callhistory) Call History Any Number Detail (com.callhistory.calldetails.callerids.callerhistory.callhostoryanynumber.getcall.history.callhistorymanager) Call History Any Number Detail (com.callinformative.instantcallhistory.callhistorybluethem.callinfo) Call History Any Number detail (com.call.detail.caller.history) Call History Any Number Detail (com.anycallinformation.datadetailswho.callinfo.numberfinder) Call History Any Number Detail (com.callhistory.callhistoryyourgf) Call History Any Number (com.calldetails.smshistory.callhistoryofanynumber) Call History Any Number Detail  (com.callhistory.anynumber.chapfvor.history) Call History of Any Number (com.callhistory.callhistoryany.call) Call History Any Number Detail (com.name.factor) Call History Of Any Number (com.getanynumberofcallhistory.callhistoryofanynumber.findcalldetailsofanynumber) Call History Of Any Number (com.chdev.callhistory) Phone Call History Tracker (com.phone.call.history.tracke) Call History- Any Number Deta (com.pdf.maker.pdfreader.pdfscanner) Call History Of Any Number (com.any.numbers.calls.history) Call History Any Number Detail (com.callapp.historyero) Call History - Any Number Data (all.callhistory.detail) Call History For Any Number (com.easyranktools.callhistoryforanynumber) Call History of Numbers (com.sbpinfotech.findlocationofanynumber) Call History of Any Number (callhistoryeditor.callhistory.numberdetails.calleridlocator) Call History Pro (com.all_historydownload.anynumber.callhistorybackup) At least one of the flagged apps was published under the developer name “Indian gov.in” in an attempt to build a false sense of trust and unsuspecting trick users into downloading it.

However, this trick masks a nefarious motive where victims are asked to make a payment in order to view details of a phone number’s call and SMS history. Once the payment is made, users are served entirely fabricated phone numbers and names directly embedded into the source code. Evidence indicates that the activity may have been active since at least November 2025 . A second cluster of these apps has been found to prompt users to enter their email address to which the purported details of any phone number would be delivered to.

As in the prior case, no data is generated until a payment is made. The payments either rely on subscriptions via Google Play Store’s official billing system or via third-party apps that support Unified Payments Interface (UPI), an instant payment system widely used in India. Ironically, this list includes Google Pay, Walmart-backed PhonePe, and Paytm. A third method includes payment card checkout forms directly inside the apps.

The last two approaches are in violation of Google’s policy. In at least one case, the apps implemented an additional trick to convince the user to make a payment. Should they exit the app without making any payment, it displays a deceptive notification claiming that a call history for a certain phone number had been successfully sent to their email address. Clicking on the notification directly takes the user to a subscription screen.

The subscription plans vary across the app, ranging anywhere from about $6 to $80. Users who may have fallen prey to the scam should have had their subscriptions canceled after the apps were removed from the Google Play Store. What makes this activity notable is that the apps have a simple user interface and do not request any sensitive permissions. And to top it all, they do not even contain any functionality to retrieve call, SMS, or WhatsApp data.

“Users who subscribed via official Google Play billing may be eligible for refunds under Google’s refund policies,” ESET said. “Purchases made via third‑party payment apps or through direct payment card entry cannot be refunded by Google, leaving users dependent on external payment providers or developers.” The disclosure comes as Group-IB said bad actors have stolen an estimated $2 million from Indonesian users as part of a fraud campaign that involved posing as the country’s tax platform, CoreTax, and other trusted brands. The campaign, which began in July 2025, has been linked to a financially motivated threat cluster called GoldFactory . “The attack chain integrates phishing websites, social engineering (WhatsApp), malicious APK sideloading, and voice phishing (vishing) to achieve full device compromise and unauthorized transfer execution,” Group-IB said .

At a high level, these attacks involve using social engineering to distribute the fake apps via WhatsApp, which, when installed, deploy Android malware such as Gigabud RAT , MMRat , and Taotie that are capable of harvesting sensitive data and downloading additional components. The stolen information is then used to conduct account takeover attacks and financial theft. “The malware infrastructure supporting this fraud campaign is not limited to a single impersonated service. The same infrastructure has been observed actively abusing more than 16 trusted brands, collectively targeting Indonesia’s broader population of approximately 287 million,” Group-IB said.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

The hardest part of cybersecurity isn’t the technology, it’s the people. Every major breach you’ve read about lately usually starts the same way: one employee, one clever email, and one “Patient Zero” infection. In 2026, hackers are using AI to make these “first clicks” nearly impossible to spot. If a single laptop gets compromised on your watch, do you have a plan to stop it from taking down the whole company?

Register for the Webinar: The Patient Zero Playbook What is “Patient Zero”? In medicine, Patient Zero is the first person to carry a disease into a population. In cybersecurity, it’s the first device an attacker hits. Once they are “in,” they don’t stay there—they move fast to find your data, your passwords, and your backups.

What You Will Learn Thisisn’t a boring lecture. It is a technical deep dive into how modern breaches start and how to kill them instantly. We are covering: The AI Phish: How attackers use generative AI to bypass your current filters. The 5-Minute Window: Why the first few minutes of an infection determine if you’ll be in the news tomorrow.

Zero Trust in Action: How to isolate an infected device so the “virus” has nowhere to go. The Recovery Blueprint: What to do the second you realize you have a Patient Zero. Why You Can’t Miss This Most security tools are great at finding “known” viruses. But they struggle with stealthy, custom-made attacks designed specifically for your company.

This webinar shows you how to build a defense that assumes someone will click a bad link—and ensures that click doesn’t cost you millions. Secure Your Spot – Register Now ➜ Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.