2026-06-03 AI创业新闻
Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content
Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware capable of gaining control of victims’ systems. The Minecraft-focused malware-as-a-service (MaaS) campaign has been codenamed Weedhack by McAfee Labs, stating the activity has been active since January 2026 and impersonates Minecraft clients and mods to infect users. In all, 3820 unique malicious JAR files and over 240 URLs responsible for distributing the malware have been identified. “This campaign utilizes SEO poisoning and YouTube to generate traffic to these malicious URLs,” security researcher Aayush Tyagi said .
“We also found two YouTube channels and multiple videos that demonstrate Minecraft Mods and Clients and redirect viewers to these URLs.” Central to the campaign is an enterprise-grade dashboard (“weedhack[.]to”) that enables customers to view stolen credentials and system information, as well as remotely keep tabs on the compromised systems. Furthermore, it allows criminals to create custom payloads that can target Minecraft versions 1.21.0 to 1.21.11, not to mention inject the malware into legitimate Minecraft mods. The starting point of the attack is a malicious JAR file (“DonutDupe.jar”) downloaded from the malicious websites. The file then retrieves details of the command-and-control (C2) server domain using a known technique called EtherHiding , which employs the Ethereum blockchain as a dead drop resolver.
In the next stage, the malware contacts the C2 server to fetch another Java-based JAR payload (“Elevator.jar”) that collects system information, configures Microsoft Defender exclusions, and serves as a conduit for dropping two additional JAR payloads. The third JAR payload (“SecurityManager.jar”) establishes persistence and acts as a stager for the final component (“Component.jar”) that deploys the remote access features. The threat actors behind the tooling leverage a Telegram channel to advertise their warez, broadcast updates, and provide customer support. The channel has more than 850 members.
The tool, for its part, comes in two tiers - Free, which includes a comprehensive infostealer that can target Minecraft session IDs and four Minecraft launchers; capture screenshots; and harvest files, system information, cookies, and passwords from 36 different web browsers, data from 56 browser-based cryptocurrency wallets and 12 desktop wallet apps, and credentials for Discord, Steam, and Telegram. Premium, which starts at $4.99 per month (or $24.99 for a lifetime license) and offers additional remote access capabilities, such as webcam access, keylogging, reverse shell execution, screen sharing with keyboard and mouse access, and file uploads and downloads. Attack chains revolve around SEO poisoning and YouTube videos containing descriptions that embed links to malicious Minecraft Clients to target unsuspecting users. The majority of Weedhack infections have been identified in the U.S., followed by Germany, India, the U.K., Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.
“One of the key features that makes Weedhack unique is that it is hosted on the clear net and provides access to sophisticated malware for free,” Tyagi said. “This difference in cost and ease of access with detailed tutorials on how to use the malware significantly reduces the barrier to entry for prospective customers. Furthermore, its ability to steal Minecraft accounts attracts a younger audience. Both of these factors complement each other and make the campaign much more lethal.” McAfee Labs said it has also observed the malware acting as a trigger for cyberbullying, where the customers, who appear to be teenagers and young adults, are weaponizing its remote access capabilities to threaten, harass, and monitor their victims.
They have found a way to record victims via their webcams and shared the videos on the Telegram channel as “trophies.” CountLoader Delivers Crypto Clipper The disclosure comes as the cybersecurity company sheds light on a large-scale CountLoader campaign that’s estimated to have compromised 86,000 unique machines. CountLoader is a JavaScript loader that’s typically distributed via cracked software distribution sites. It’s known to deploy various payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. Of these compromises, approximately 9,000 infections are said to have resulted from the malware spreading via USB drives and removable media.
McAfee Labs said the highest number of infections was observed in India, followed by Indonesia, the U.S., and several countries across Southeast Asia, adding it was able to successfully sinkhole the malware communication infrastructure by registering a fake C2 domain. “The infection begins when an EXE file is executed,” the company said . “This file launches a PowerShell command, which downloads and executes an obfuscated JavaScript loader known as CountLoader. The loader is executed using ‘mshta.exe.’” Once executed, CountLoader sets up persistence, communicates with the C2 server, attempts to spread via USB drives, and awaits further instructions from the C2 server to download and execute payloads.
The final payload deployed in the latest set of attacks is a cryptocurrency clipper malware that hijacks clipboard content to redirect cryptocurrency transactions. Pirated Content Leads to Cryptocurrency Miners The findings also follow the discovery of a years-long campaign that has used illegal movie and TV show streaming sites to distribute a cryptocurrency miner under the guise of a fake update for a video player plugin. The bogus update downloads a ZIP archive, which then uses DLL side-loading to drop a fork of SilentCryptoMiner . The malware is equipped with a wide range of capabilities - Configure Defender exclusions, terminate Microsoft’s Malicious Software Removal Tool, and disable automatic hibernation and sleep mode to maximize the miner’s potential runtime on the device.
Repeatedly trigger User Account Control (UAC) prompts until the process is successfully executed with elevated privileges. Initiate a watchdog component that ensures the uninterrupted operation of the miner. Run a RAT agent that provides remote control capabilities, including running arbitrary commands, launching EXE files using “explorer.exe,” and running shellcode. Launch an XMRig-based CPU and a GPU miner.
“The archive contained a legitimate executable, HLS Installer.874.exe, alongside a malicious DLL. Launching the EXE triggered a DLL side-loading mechanism, injecting the malicious module into a legitimate program process and executing code within its context,” Kaspersky said . “The library contained the logic for deploying the miner and establishing persistence on the device.” It’s assessed that the activity is a continuation of a campaign that was documented by NTT Security in April 2023, which used fake browser crash warnings to drop the miner. “The threat actors leverage a variety of sites, ranging from online libraries to movie and TV show streaming platforms,” Kaspersky said.
“There is no telling what channels they will use to distribute the malicious archive in the future. However, the current case shows that users visiting pirated websites continue to take a serious risk.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
Google on Monday released patches for 124 security vulnerabilities impacting its Android operating system for the month of June 2026, including one high-severity flaw in the Framework component that has come under active exploitation. Tracked as CVE-2025-48595 (CVSS score: 8.4), the security flaw has been described as a case of privilege escalation without requiring any user interaction. The vulnerability impacts devices running Android versions 14, 15, 16, and 16 QPR2 (Quarterly Platform Release 2). “In multiple locations, there is a possible way to achieve code execution due to an integer overflow,” according to a description of the vulnerability on CVE.org.
“This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.” Google has acknowledged there are indications that CVE-2025-48595 may be under “limited, targeted exploitation.” As is typically the case, the tech giant did not reveal any specifics about who may have been behind the activity, the targets affected, and the scale of such efforts. That said, similar flaws have been weaponized by commercial spyware vendors to target high-profile individuals as part of extremely targeted attacks. Elsewhere, a number of vulnerabilities have been patched in the System component, the most severe of which could lead to local escalation of privilege with no additional execution privileges needed.
Google has released two sets of patches - 2026-06-01 and 2026-06-05 security patch levels - with the latter including all fixes from the first set, along with patches for kernel and third-party chipset components from Imagination Technologies, MediaTek, Qualcomm, and Unisoc. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine
The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per Sekoia, the activity involves the weaponization of CVE-2025-8088 , a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an intermediate Visual Basic Script (VBScript) downloaders codenamed GammaLoad. The infection chain was observed by the French cybersecurity company in January 2026. “Their primary objectives are to fingerprint the host system, update the network configuration in the registry using dead drop resolvers (DDRs), fetch and execute arbitrary VBScript payloads from the C2 servers,” Sekoia said .
One of the payloads is a VBScript worm known as GammaWorm that establishes persistence via scheduled tasks and is designed to hide legitimate directories in network shares and USB drives and replace with malicious Windows Shortcut (LNK) files, resulting in the execution of arbitrary code retrieved from a command-and-control (C2) server. To resolve its C2, GammaWorm initiates a GET request via curl to a hard-coded public Telegram channel. By using legitimate platforms like Telegram, the idea is to blend in with regular traffic, avoid detection, and sustain long-term espionage operations. GammaWorm also relies on NTFS Alternate Data Streams ( ADS ) technique to conceal its core modules.
Another malware family delivered via GammaLoad is a modular information stealer codenamed GammaSteel that captures files matching certain extensions and exfiltrates them to an Amazon Web Services (AWS) S3 bucket or an attacker-controlled server as a fallback mechanism. Sekoia said the infection sequences could be used to distribute other malware families, such as GammaWipe (aka GamaWiper), depending on the threat actor’s objectives. “The exact deployment vector for GammaWorm remains ambiguous; it could be dropped concurrently by GammaLoad, or introduced independently via a user executing a weaponized USB drive,” it noted. “In addition, assessing the global execution flow, we assess with high confidence that GammaPhish is designed to deploy GammaLoad first.” Gamaredon, a Russian state-sponsored intrusion-set officially linked to the Federal Security Service (FSB), has a history of targeting Ukraine, particularly government, military, and critical infrastructure entities, using spear-phishing emails containing malicious attachments, in this booby-trapped RAR archives.
“This infection chain reveals a resilient, massive, and highly obfuscated modular design,” Sekoia said. “Because of its adaptability and the operator’s ability to update configurations on the fly, it is highly likely that this architecture will be reused in the future.” The development coincides with UAC-0184 ‘s targeting of Ukrainian military-related targets to deliver an executable associated with a legitimate program called PassMark BurnInTest via LNK lures. A second threat activity cluster that has targeted Ukraine is UAC-0247 (previously tracked as UAC-0244), which has singled out drone operators to deploy HTML Application (HTA) droppers through ZIP archives and a backdoor capable of establishing a reverse shell to attacker-controlled infrastructure. Threat hunters have also charted the evolution of PixyNetLoader , a malware loader attributed to APT28 in connection with campaigns exploiting a Microsoft Office vulnerability (CVE-2026-21509), to extract a COVENANT Grunt implant.
According to ExaTrack, the malware family has been detected in the wild since December 2024, with recent iterations discovered as recently as April 15, 2026. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
The AI Security Vendor Test Most Vendors Hope You Skip
Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw impacting Oracle WebLogic Server to its Known Exploited Vulnerabilities ( KEV ) Catalog, based on evidence of active exploitation. The vulnerability, CVE-2024-21182 (CVSS score: 7.5), allows an unauthenticated attacker with network access to take control of susceptible servers. It was patched by Oracle in July 2024.
“Oracle WebLogic contains an unspecified vulnerability that could allow an unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server,” CISA said. “Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.” There are currently no public reports about how the vulnerability is being exploited in the wild. That said, prior flaws in the software have been repeatedly weaponized by various threat actors to enlist them into botnets , mine cryptocurrency , and deploy ransomware . Earlier this March, CloudSEK also disclosed that another maximum-severity security flaw in WebLogic (CVE-2026-21962, CVSS score: 10.0) witnessed automated exploitation attempts shortly after exploit code became publicly available.
In light of active exploitation of the flaw, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by June 4, 2026, to secure their networks. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
AI-Driven Exploitation is Destroying Vulnerability Management. Here’s How to Handle It.
AI-driven exploitation timelines are rapidly shrinking, and they are not going to stop shrinking. Vulnerabilities are being discovered, reproduced, and weaponized faster than ever in the history of enterprise security. As a result, the window between a vulnerability being disclosed and indiscriminate exploitation observed across the internet is now measured in hours, not days. The industry’s main answer has largely been: patch faster.
Regulators say it, boards expect it, and executives demand it. But for most enterprises, it is not a button defenders can press. Patching is a controlled process shaped by uptime requirements, stability testing, change windows, business approvals, compliance obligations, and the reality that production systems cannot be broken in the name of urgency. While patching is still essential, patching alone or even faster patching is no longer a complete answer to this “new normal” and influx of disclosed vulnerabilities.
Anthropic’s Project Glasswing update in May 2026 made the imbalance hard to ignore. The company said it, along with approximately 50 partners, used Claude Mythos Preview to identify more than 10,000 high- or critical-severity vulnerabilities across systemically important software in a single month, while many other organizations are reporting similar results with internal efforts, driven by AI. AI is industrializing vulnerability research, but not just for defenders or software vendors. Attackers are using the same tools, with the same speed advantage, to identify and reproduce vulnerabilities that are then used against the organizations they target.
So, what does this mean for exploitation timelines and defense? The Bottleneck Has Moved It’s no secret that exploitation timelines have been shrinking for years, and in recent years, it has not been uncommon for vulnerability disclosures to be followed by in-the-wild exploitation in single-digit hours . With AI, the window a large organization may have from being told there is a problem to seeing someone try to use it against them will only continue to compress. Remediation and patching, on the other hand, have not kept pace.
The Verizon 2026 DBIR is clear on this point: the median time for an organization to patch a critical vulnerability increased year over year, from 32 days to 43 days. The reality is brutal: while attackers operate on timelines measured in hours, defenders operate on timelines measured in weeks. That gap is where exploitation actually happens. Yes, there are more vulnerabilities.
Yes, attackers are moving faster. But the hardest part for defenders is that remediation isn’t getting, and maybe can’t get, faster. Telling organizations to “just patch faster” is like telling someone to “be taller.” It sounds useful and well-intentioned, but it is not something most teams can simply decide to do. Then there is pressure coming from regulators.
India’s CERT-IN recently issued guidance pointing toward sub-day patching expectations for certain critical vulnerabilities. The intent is clear, but this ignores operational reality. The realistic view is that some vulnerabilities will be targeted before they can be fully remediated. Security teams need to plan around that reality without creating new operational risk.
That means answering a few questions quickly: Do we use this technology? Is the vulnerability theoretical? Is the vulnerability exploitable within our environment? What would exploitation look like?
What temporary controls can reduce risk while the normal patching cycle runs? The operating model needs to shift to preempt, validate and mitigate. And here’s how to do it. Step 1: Preempt What Attackers Are Likely to Exploit Every disclosed vulnerability does not carry the same urgency.
Some vulnerabilities will never become exploited in the real world. Others have the traits attackers look for: broad deployment, internet reachability, repeatable exploitation, and a clear path to meaningful access to a target environment. In a scarily near future where we see hundreds, if not thousands of vulnerabilities disclosed daily, preemption means identifying which vulnerabilities are most likely to see in-the-wild exploitation so that a level of filtering can be done, and teams don’t spend critical time investigating everything. Severity still matters, but it has never been the whole picture.
In an AI-driven cycle, that filtering has to happen in the first hours after disclosure, before teams have worked through the full list. Narrowing the field early is what keeps organizations ahead of the exploitation window rather than reacting to it after the fact. Step 2: Rapidly React to Emerging Threats and Validate Exposure Once in-the-wild exploitation of an emerging threat is determined to be likely or confirmed, defenders need the ability to rapidly react and validate their organization’s specific exposure before attackers move. That means turning a new vulnerability disclosure or exploitation campaign into an environment-specific answer: are we exposed?
Where are we exposed? Who owns the affected systems? Is exploitability proven? Real-world rapid reaction to emerging threats should identify internet-facing systems across business units, departments, and subsidiaries, and contextualize the vulnerability with relevant threat intelligence.
Validation then confirms whether the vulnerable component is reachable by an attacker and exploitable in the real world. A possible vulnerability creates an investigation. But a validated, exploitable vulnerability, given the speed of in-the-wild exploitation, now necessitates rapid, autonomous action. The faster teams make that distinction, the faster they can decide what to mitigate, what to monitor, and what can move through normal remediation.
Speed without accuracy is panic, and accuracy without speed is irrelevant. Both must be combined when responding to an emerging threat, before exploitation begins. Step 3: Mitigate To Buy Time For Effective Remediation Once exposure is validated, remediation may still require testing, change control, and coordinated rollout. Mitigation reduces exploitability during that window.
For internet-facing systems, this might include access restrictions, disabling vulnerable functionality, WAF or API rules, IDS or IPS updates, isolation, configuration changes, monitoring, or temporary controls that block exploit patterns. Effective mitigation should also be informed by how exploitation works. A generic rule based on a CVE summary is weaker than a control built from the exploit path, payload, required conditions, and known-bad behavior. These controls do not need to be permanent.
They need to make exploitation slower, less reliable, and harder to scale while the organization patches safely. Autonomous mitigation closes the gap between the attacker’s speed and patching speed. It is the only control that operates in the same timeframe as exploitation. This Is What watchTowr is Built For The watchTowr Platform compresses the defender timeline to match AI-driven attack timelines.
By taking an attacker-led approach, the platform identifies exploitable weaknesses and vulnerabilities, and in the face of a relentless volume of emerging threats, continuously enables organizations to rapidly react and mitigate their exposure. By leveraging AI to bring together Proactive Threat Intelligence, External Attack Surface Management, and Autonomous Mitigation, the watchTowr Platform provides clarity: showing teams what attackers can see, what they can exploit, and what can be done to mitigate before compromise. Patching is still necessary, and absolutely essential. But in a world of exploitation driven by AI, patching alone cannot be done at the required speed while ensuring availability and preventing disruption.
The watchTowr Platform, an AI-Powered Preemptive Exposure Management solution, helps organizations preempt attackers, validate emerging threat exposure, and autonomously mitigate to gain the one thing attackers can’t outrun: time to respond. To schedule a demo and to learn more about Preemptive Exposure Management, visit watchtowr.com . Found this article interesting? This article is a contributed piece from one of our valued partners.
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Gartner: 70% of SOCs Will Pilot AI Agents. Only 15% Will See Results
How Leading Organizations Are Turning EDR Into Operational Resilience
Most organizations now recognize that endpoint protection alone is no longer sufficient. That’s why adoption of endpoint detection and response (EDR) has accelerated rapidly in recent years. Organizations understand that modern attacks move faster, evade traditional prevention controls, and require continuous visibility into suspicious activity across the environment. But owning EDR capabilities does not automatically create operational cyber resilience.
Many mid-sized organizations have invested in advanced endpoint security platforms and now have access to valuable detection and response functionality. Yet despite this investment, they often struggle to fully operationalize these capabilities. Lean security teams remain overwhelmed by alert volumes, investigations take too long, and response capacity is stretched thin. As threats become faster, more AI-enabled, and increasingly abuse legitimate tools to evade detection, organizations are realizing an important truth: visibility alone is no longer enough.
The organizations pulling ahead are not simply deploying more detection capabilities. They are proactively reducing attacker opportunity while operationalizing response in a way that is sustainable for lean teams. Why Organizations Struggle to Fully Operationalize EDR EDR provides critical visibility into suspicious activity, attack behavior, and in-progress threats. However, effective detection and response also require continuous monitoring, investigation, prioritization, and rapid containment.
This creates operational pressure that many lean IT and security teams struggle to sustain. Common barriers to fully leveraging EDR include: Too many alerts and insufficient investigation capacity Limited time to continuously monitor threats Skills shortages, especially around threat hunting and advanced response Operational fatigue caused by reactive workflows Difficulty prioritizing truly dangerous activity As a result, organizations often operate with strong visibility but inconsistent response maturity. This creates a dangerous gap between security capability and security outcomes. Why Modern Threats Are Increasing the Pressure AI-enabled attacks are accelerating operational pressure on already overstretched teams.
According to the 2025 Cybersecurity Assessment Report, 67% of organizations report seeing an increase in AI-powered attacks. This creates a difficult operational reality. By the time smaller teams investigate alerts, attackers may have already escalated privileges, moved laterally, or established persistence. Detection remains essential, but detection alone cannot compensate for excessive exposure, reactive workflows, and delayed response capacity.
This is especially true because attackers are no longer relying solely on malware or noisy intrusion techniques. Increasingly, they abuse legitimate administrative tools, stolen credentials, and trusted processes to quietly blend into normal activity. Bitdefender research analyzing more than 700,000 cyber incidents found that 84% of major attacks now leverage living-off-the-land (LOTL) techniques - a statistic that underscores just how inadequate purely reactive security postures have become. How Dynamic Hardening and MDR Elevate Security Without Adding Complexity For organizations looking to move beyond isolated visibility toward continuous operational resilience, Bitdefender offers two complementary capabilities worth examining closely: GravityZone PHASR and Managed Detection and Response (MDR).
Bitdefender GravityZone PHASR works by dynamically reducing exploitable conditions before attackers can take advantage of them. Rather than relying on static restrictions or broad application controls, PHASR leverages AI to adapt to user behavior and limit risky actions, unnecessary privileges, and the abuse of legitimate tools - all without disrupting productivity. This reduces the pathways attackers can exploit from the outset. Bitdefender MDR extends internal security teams with 24x7 monitoring, threat hunting, investigation, and rapid response delivered by experienced security operations professionals.
For lean teams already stretched by alert volumes, MDR provides the continuous operational capacity that in-house staff cannot realistically sustain alone. Together, these capabilities create a layered operational model on top of Bitdefender GravityZone EDR : GravityZone PHASR limits the attacker opportunity before incidents occur GravityZone EDR provides visibility into suspicious activity and behaviors Bitdefender MDR operationalizes continuous response and containment This layered approach allows organizations to significantly strengthen their security posture while reducing - rather than compounding - operational complexity. What Business Outcomes Organizations Are Achieving Organizations that operationalize their existing EDR investment with proactive hardening and MDR are achieving measurable security and business outcomes. These include: Reduced risk from the techniques used in 84% of high-severity attacks Faster detection and containment of threats before escalation Reduced operational burden and alert fatigue for lean teams Greater return on existing EDR investments Stronger cyber resilience across prevention, detection, and response Improved ability to demonstrate security maturity to customers, partners, insurers, and regulators More time for internal teams to focus on strategic transformation initiatives instead of reactive firefighting The result is not simply better security technology.
It is a more resilient and sustainable security operating model. The Future of Cyber Resilience Is Operationalized Security The organizations best positioned for the future are not necessarily the ones deploying the most security tools. They are the organizations that fully operationalize the right capabilities while proactively reducing attacker opportunity at the same time. Modern cyber resilience requires more than visibility.
It requires: Proactive reduction of exploitable conditions Continuous operational response capability Sustainable workflows for lean teams Integrated prevention, detection, and response work together Organizations that combine these capabilities are moving beyond reactive security operations toward a more mature model built around resilience, efficiency, and operational confidence. The shift is not about replacing what already works. For teams that have already invested in EDR, the opportunity is clear: extend that investment with dynamic hardening and expert-backed response to unlock its full potential. Found this article interesting?
This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT
Cybersecurity researchers have disclosed details of a spear-phishing campaign likely undertaken by the Pakistan-aligned SideCopy group targeting Afghanistan’s Ministry of Finance with an open-source remote access trojan called Xeno RAT . “The campaign opens with a spear phishing delivery - a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename,” Seqrite Labs researcher Dixit Panchal said in a technical breakdown of the activity. Also targeted as part of the campaign are provincial revenue and finance directorates, Pashto-speaking government officials, and provincial-level government employees. The campaign has been codenamed Operation XENOFISCAL.
The choice of Pashto for the lure file is a deliberate choice on the part of the attacker, as it’s the main language spoken in the Afghan government circles. This aspect reflects the attacker’s familiarity with the target environment. SideCopy is the name given to a Pakistan-linked threat group operating under the broader Transparent Tribe (aka APT36) umbrella, using a wide range of malware families to steal sensitive data from compromised hosts. In April 2025, the adversary was attributed to a set of attacks targeting various sectors in India with Xeno RAT, Spark RAT, and CurlBack RAT.
Viewed in that light, the latest campaign is a continuation of a broader cluster of malicious cyber activity aimed at South Asian entities. Once executed, the Windows Shortcut (LNK) file leverages “mshta.exe” to fetch a remote HTML Application (HTA) from a compromised Afghan education domain, leading to the execution of obfuscated JavaScript in memory. The malware also establishes Registry-based persistence by mimicking Microsoft Edge, while dropping Xeno RAT 1.8.7 and a decoy document as a distraction mechanism by means of a DLL-based loader. Xeno RAT is designed to connect with a remote server over TCP to handle commands sent by the operator.
The malware is equipped to load and execute external DLL modules, transmit data to the server, launch the malware via a scheduled task, retrieve antivirus information, support SOCKS5 proxy-based network tunneling, perform file operations, log keystrokes, take screenshots, monitor the clipboard, track webcam/microphone, delete persistence methods, and uninstall itself from the host. The disclosure comes as details have emerged of a targeted phishing operation leveraging weaponized Linux .desktop files to target the Indian military infrastructure using contract-related lures associated with Indian-armored vehicle procurement operations. The campaign is assessed to be the work of Transparent Tribe . “The campaign appears to target individuals connected to Indian military and defense infrastructure ecosystems using WhatsApp-based social engineering and staged shell payload delivery,” security researcher R.D.
Tarun said in a report published last month. “Once executed, the malicious .desktop launcher initiates a heavily obfuscated shell-based infection chain involving staged payload retrieval, inline decoding routines, and deployment of a Golang-based ELF implant tracked in this report as DeskRAT .” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
Password manager Dashlane has disclosed that “fewer than” 20 users on the personal subscription plan had their encrypted vaults downloaded following a brute-force attack launched by an unknown party. On May 31, 2026, the company said an “external” threat actor launched a brute-force attack against certain Dashlane user accounts with the aim of breaking two-factor authentication (2FA) protections and allowing them to register new devices on existing user accounts. Exactly how many users were targeted remains unknown, but Dashlane said the high volume of attempts on those accounts triggered temporary account suspensions and authentication issues due to its built-in security controls. Although access to the accounts has since been restored, the company has now revealed that the attackers were successful in a handful of cases, enabling them to download a copy of the encrypted vaults belonging to less than 20 personal plan users.
“We have directly notified each of these users,” it said . “If you’re a Dashlane user and have not received a message from Dashlane specific to vault risk, there is no impact to your Dashlane account.” It’s worth noting that the vault data cannot be accessed without the Master Password. Unless this password is trivial and highly predictable, it’s unlikely that any attempts to crack open the vault will succeed. Dashlane also pointed out that its own internal systems were not impacted by the incident.
As a precautionary measure, users are advised to review the devices registered to their accounts and remove those they don’t recognize, enable 2FA, and use a strong Master Password that’s “long, unique, and difficult to guess.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma , has compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. “This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential downstream propagation,” Socket said . Exactly who is behind the attack activity is presently unknown given that TeamPCP (aka Replicating Marauder, TGR-CRI-1135, and UNC6780), an infamous cybercrime group, has open-sourced the attack tools linked to the Shai-Hulud worm, opening the door for other threat actors to pull off similar attacks and making definitive attribution harder. The names of some of the affected packages are listed below - @redhat-cloud-services/vulnerabilities-client @redhat-cloud-services/tsc-transform-imports @redhat-cloud-services/topological-inventory-client @redhat-cloud-services/sources-client @redhat-cloud-services/rule-components @redhat-cloud-services/remediations-client @redhat-cloud-services/rbac-client Per analyses from Aikido Security , JFrog , Microsoft , OX Security , ReversingLabs , SafeDep , StepSecurity , and Wiz , the npm packages contain an obfuscated preinstall hook that’s designed to collect GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, Git credentials, and other sensitive files.
Like observed in prior Mini Shai-Hulud waves, the malware also contains encrypted exfiltration logic that transmits the data to “api.anthropic[.]com:443/v1/api” and uses GitHub as a fallback mechanism. This indicates attempts made by the attacker to both steal credentials and weaponize them to further poison the software supply chain. “It commits the encrypted result envelope through the GitHub API,” Socket said. “The commit message can include: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:
“For npm, the payload calls the OIDC token exchange and whoami endpoints, repackages a tarball (updateTarball, package-updated.tgz), and signs the artifact through Sigstore,” SafeDep said. “Stolen credentials exfiltrate to attacker-created public GitHub repositories, each carrying the description Miasma: The Spreading Blight.” The first commit containing the “Miasma: The Spreading Blight” string appeared on May 29, 2026, OX Security noted, indicating that either this variant was active since then, or the threat actor started testing around that time. As for GitHub, the malware enumerates repositories the token can write to, reads action.yml/action.yaml via GraphQL, and commits a workflow through the createCommitOnBranch mutation so that the commit appears as a verified, signed change. Other actions carried out by the malware are listed below - Attempt privilege escalation by launching a container that bind-mounts the host /etc/sudoers.d and grants the CI runner passwordless sudo Check for endpoint protection from CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before commencing the malicious actions Establish persistence by injecting a SessionStart hook to Anthropic Claude Code and a tasks.json with “runOn”: “folderOpen” for Microsoft Visual Studio Code projects so that the malware is automatically launched during every session “One of the main changes in this new variant is the addition of new data collectors focused on cloud identities,” Wiz researchers said.
“Specifically, collectors for GCP and Azure identities were added that collect all identities the infected machine has access to. While previous versions of the malware primarily focused on extracting secrets from these environments, this variant suggests an increased attacker focus on gaining and leveraging access to the cloud itself. Unlike previous versions, the malware has also been found to generate a uniquely encrypted payload for each infection, thereby making detection and version tracking significantly more challenging. Evidence suggests that the compromise of a Red Hat employee’s GitHub account was the patient zero that was used to inject the payload into these packages.
The compromised account is said to have pushed malicious orphan commits to two RedHatInsights repositories, bypassing code review. It’s recommended to isolate hosts that have installed the affected versions, remove the malicious versions, rotate exposed credentials, review for any signs of suspicious GitHub or npm activity, audit the environment for persistence artifacts that involve changes to configuration files (~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, .github/setup.js), and enforce strong access controls. “Because the malware includes background execution and potential developer-tool persistence mechanisms, uninstalling the npm package or deleting node_modules should not be considered sufficient cleanup,” Socket explained. “For CI/CD systems, suspend affected workflow runs, invalidate build artifacts produced during the exposure window, and review whether any release, container image, npm package, or deployment artifact was created after the malicious package was installed.” Update Dark web monitoring and threat intelligence firm Whiteintel said it “detected a Red Hat GitHub credential and session cookie in infostealer logs on April 13 and May 15, 2026,” raising the possibility that this information may have been used to break into the employee’s account.
The development is the latest in a number of supply chain attacks that have targeted the open-source ecosystems over the past couple of months. These attacks have impacted well-known projects, including Aqua Trivy, Checkmarx KICS, Bitwarden, SAP, TanStack, and GitHub, and Nx Console. Last month, a separate campaign codenamed Megalodon was found to have injected malicious GitHub Action workflows to harvest CI/CD secrets, cloud credentials, and tokens, impacting both development and deployment pipelines in public GitHub repositories. “These recent incidents, including the GitHub compromise via a malicious Nx Console Visual Studio Code (VS Code) extension and the ‘Megalodon’ supply chain intrusion campaign, demonstrate how cyber threat actors are abusing tools and processes that support enterprise, cloud, and DevOps environments - specifically CI/CD pipelines, code extensions and workflows,” the U.S.
Cybersecurity and Infrastructure Security Agency (CISA) said . Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
| Monday hit like a cron job with anger issues. A busted auth path here, a repo-side faceplant there, some “patched-ish” thing already getting chewed on in the wild, and then the usual bonus round: poisoned dev tools, sketchy forum chatter, phishing kits pretending to be productivity, and AI lowering the bar for people who already thought ‘curl | sh’ had a personality. The vibe is simple: old bugs, new wrappers, faster abuse. Patch the obvious crap first. |
Then read the rest. ⚡ Threat of the Week PAN-OS GlobalProtect Authentication Bypass Under Exploitation
- Palo Alto Networks warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. The issue specifically affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists, the network security company said.
Securing AI Use Within Your Organization Starts Here The risks of ungoverned AI within your organization are compounding at machine speed. Turn your AI security priorities into actionable steps with this step-by-step guide. Download Now ➝ 🔔 Top News Critical Unpatched Flaw in Gogs
- The popular open-source self-hosted Git service Gogs is affected by a critical-severity zero-day vulnerability that exposes servers to remote code execution (RCE), per Rapid7. The injection flaw can be exploited by authenticated attackers via pull requests with malicious branch names.
“Since Gogs ships with open registration enabled by default and no limit on repository creation, an unauthenticated attacker can simply create an account and repository on any default-configured instance,” the cybersecurity firm says. Any repository owner can enable rebase merging with a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user. Attackers with write access to repositories that have rebase enabled can exploit the flaw directly. “The result is arbitrary command execution as the Gogs server process user, giving the attacker the ability to compromise the server, read every repository on the instance (including other users’ private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository’s code,” Rapid7 said.
Gogs servers across Windows, Linux, and macOS that are running default configurations are affected. No patch has been released as of the time of publishing. GlassWorm C2 Taken Down
- CrowdStrike, Google, and the Shadowserver Foundation dismantled the GlassWorm malware operation by taking down all four of GlassWorm’s command-and-control (C2) channels simultaneously on May 26, 2026, at 2 p.m. UTC.
GlassWorm, since its emergence last year, has conducted a “multi-pronged campaign” using trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX. The campaign is also known to have introduced malicious code through compromised npm and Python packages. By taking down all four channels at the same time, the action severed the operators’ access to the infected hosts and their ability to deliver new commands. Evidence suggests that GlassWorm’s operators are of Russian origin: the malware checks the system’s locale and avoids infecting machines in CIS countries, and its code contains Russian-language comments.
In addition to taking down the GlassWorm infrastructure, CrowdStrike has instructed the infected endpoints to beacon to the benign IP address 164.92.88[.]210. Organizations are advised to check for connections to this IP address to identify potential infections. Despite these efforts, the broader economics of repository abuse remain an ongoing issue. Open-source ecosystems continue to offer attackers low-cost distribution channels with a massive reach when compared to traditional software.
This also means operators behind such campaigns can resurface under new accounts, domains, or package names. In other words, it’s only a temporary disruption, not eradication. CERT-In Urges Organizations to Patch Exploited Flaws Within 12 Hours
- Organizations in India have been urged to patch actively exploited vulnerabilities impacting internet-facing or “crown jewel” systems within 12 hours, where feasible, so as to better respond to the speed artificial intelligence (AI) now brings to cyber attacks. CERT-In stopped short of framing the timelines as binding, describing them as indicative expectations to be applied according to operational criticality and threat exposure.
The agency also warned that AI-assisted attacks are dramatically compressing the time between vulnerability disclosure and exploitation. The framework also recommends one-day remediation for critical externally exposed vulnerabilities, three days for critical internal vulnerabilities affecting high-value systems, and five days for high-severity flaws based on risk prioritization. GREYVIBE Leans on AI for Ukraine Attacks
- A previously undocumented Russian group codenamed GREYVIBE has been found to make extensive use of large language models (LLMs) in its attacks against private, government, and military organizations in Ukraine. The end goal is to gather intelligence for the ongoing war.
“While the activities align with Russian state interests, several observed indicators suggest the group has ties to the broader cybercrime ecosystem, with the group potentially involving current or former cybercriminal actors,” WithSecure said. The threat actor is believed to have been active since August 2025. What’s notable is the extent to which AI appears to be enmeshed throughout the operation. The group’s use of AI is believed to be “operationally integrated rather than isolated or experimental.” AI Chatbot Recommendations Redirect Users to Cryptojacking Malware
- A new campaign is using searches for popular tools in AI chatbots to redirect users to sketchy sites that trick users into downloading booby-trapped executables that drop a cryptocurrency miner on compromised hosts.
The goals of the campaign are not merely financially motivated. The threat actors have also been found to establish persistent remote access to compromised hosts through ScreenConnect deployments, which could then be leveraged for follow-on activity, such as data theft, lateral movement, or ransomware. 🔥 Trending CVEs Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.
Check the list, patch what you have, and hit the ones marked urgent first - CVE-2026-8732 (WP Maps Pro plugin), CVE-2026-0257 (Palo Alto Networks PAN-OS and Prisma Access), CVE-2026-27771 (Gitea), CVE-2026-45659 (Microsoft SharePoint), from CVE-2026-9090 through CVE-2026-9098 (Casdoor), CVE-2026-48800 , CVE-2026-48778 , CVE-2026-48770 (Notepad++), CVE-2026-40933 ( Flowise ), from CVE-2026-9872 through CVE-2026-9893 (Google Chrome), CVE-2026-32996, CVE-2026-32997 (Veeam Backup & Replication), CVE-2026-44962 (Plesk), CVE-2026-4868, CVE-2026-1402, CVE-2026-6713 (GitLab), CVE-2026-46840, CVE-2026-46775, CVE-2026-46839, CVE-2026-2332 (Oracle), CVE-2026-4480 (Samba), CVE-2025-59199 aka Click Or Trick (Microsoft Windows 11), CVE-2026-9560 (OpenVPN Connect for macOS), CVE-2026-9312 (GitHub Enterprise Server), CVE-2026-3593, CVE-2026-5946, CVE-2026-5947 (BIND 9), CVE-2026-47783 (Memcached), CVE-2026-44930 (Apache CXF), CVE-2026-9089 (ConnectWise Automate), CVE-2026-4115 (PuTTY), CVE-2026-48095 (7-Zip), an argument injection vulnerability in Gogs , a remote code execution vulnerability in Microsoft Visual Studio Code Remote-SSH extension, and multiple vulnerabilities in Roundcube Webmail . 🎥 Cybersecurity Webinars Beyond Zero-Day: How Attackers Actually See Your Network → Zero-days are inevitable. The real battle is what attackers see once they’re inside. Join HD Moore (creator of Metasploit) in this webinar as he reveals how to map your network like an attacker - exposing hidden assets, forgotten bridges, and dangerous IT/IoT/OT connections most teams miss.
Why Automated Pentesting Falls Short - And How to Fix It → Automated pentesting tools promised comprehensive security validation, but in reality, they only scratch the surface. After a few runs, new findings drop sharply, leaving critical blind spots in detection, response, and control effectiveness. Join Autumn Stambaugh and Can Yüceel of Picus Security as they explain why automated pentesting alone isn’t enough - and how to build a complete validation program that actually closes the gaps. 📰 Around the Cyber World New Windows Flaw Under Attack
- Belgium’s Centre for Cybersecurity (CCB) has warned that a recently patched Windows flaw, CVE-2026-41089 , has come under active exploitation in the wild.
The vulnerability is a stack-based buffer overflow in Windows Netlogon that allows an unauthorized attacker to execute code over a network. There are currently no details on how the vulnerability is being exploited. The vulnerability was addressed by Microsoft as part of its May 2026 Patch Tuesday update. Anthropic Confirms Mythos Release
- Anthropic has confirmed it intends to bring Mythos-class models to “all our customers in the coming weeks” and said it’s “making swift progress” on developing stronger cyber safeguards prior to their release.
New Linux Flaw CIFSwitch Uncovered
- A newly disclosed Linux local privilege escalation (LPE) vulnerability dubbed CIFSwitch has been found to enable low-privileged users to gain root access by abusing a logic flaw between the Linux kernel Common Internet File System (CIFS) client and the userspace helper package, cifs-utils. According to SpaceX security engineer Asim Viladi Oglu Manizada, the kernel-side bug has been around since 2007. A patch for the flaw has been pushed to mainline Linux as of May 19, 2026. Dashlane Warns of Brute-Force Attack
-
- Dashlane
- said
- “user accounts were targeted in a brute force attack by an external party, resulting in the suspension of those accounts as part of Dashlane’s built-in security measures.” The affected accounts have since been unsuspended.
The password management company also noted that it’s taking measures to address the issue, adding that there is no evidence of compromise of Dashlane’s systems. It’s not known who is behind the attack. Global Smishing Operation Impacts 19 Countries
- Hunt.io said it identified a coordinated smishing operation spanning 19 countries across Europe, the Americas, and the Caucasus. “The same infrastructure hitting Romanian taxpayers was also targeting DPD delivery customers in the U.K.
and Ireland, road police portals in Bulgaria and Armenia, tax authorities in Greece, and T-Mobile users in the United States,” the company said . “1,628 malicious URLs confirmed active across 19 countries and multiple sectors.” The campaigns are designed to invoke a false sense of emergency using fabricated fines and trick users into making payments and entering their personal information. Microsoft Teams and Google Drive Abused to Deliver Java RAT
- An intrusion targeting a customer in the legal industry involved the use of Microsoft Teams voice phishing to deceive the victim into granting remote access via Quick Assist. It was followed by the deployment of a Java-based remote access trojan (RAT) named Nimbus RAT.
“Nimbus RAT is a self-contained implant that uses Google Drive and Google Sheets for command-and-control (C2), helping its network traffic appear benign,” eSentire said . “From initial Teams contact to RAT execution, the attack took less than 20 minutes.” The activity overlaps with similar Teams-based social engineering attacks carried out by BlackSuit affiliates. Tracking Site Visitors Via FROST
- New research has shown that malicious websites can track visitors by measuring tiny changes in SSD access times as a side channel, turning normal browser activity into a privacy leak. The attack, named FROST (short for Fingerprinting Remotely using OPFS-based SSD Timing), is a “side-channel attack from JavaScript that exploits OPFS [Origin Private File System] to leak sensitive information from the browser without requiring any user interaction on both Linux and macOS.” The attack “uses SSD contention measurements from within the browser to fingerprint user activity on a system,” a group of academics from the Graz University of Technology and Liebherr-Transportation Systems GmbH said.
“After tricking the victim into clicking a malicious link, an attacker can monitor the victim’s activity on the host system, such as website visits and application usage, without further user interaction.” The impact of the attack goes beyond website tracking. The study also demonstrated that it’s possible to fingerprint application usage, allowing attackers to potentially infer where specific apps were opened. Instagram Exploit Allegedly Enabled Account Takeover
- According to Dark Web Informer and ZachXBT , Instagram is said to have suffered from an exploit that made it possible to use Meta AI to reset passwords to accounts with no multi-factor authentication (MFA) enabled. To pull off the attack, bad actors simply had to use a VPN to approximately match their location to the target Instagram account’s region, begin the password reset process, and then prompt Meta’s AI support chatbot to change the email address associated with the account.
The end goal of the attack appears to link the target account with a new email address using the Meta AI chatbot, seize control of high-profile Instagram profiles, and sell them on the gray market for thousands of dollars. According to a report from 404 Media, bad actors have been aware of the loophole since March 2026. The exploit has since been patched , though it’s unclear how many accounts were impacted by the exploit. The incident highlights the dangers of granting AI agents overly broad permissions that could be abused to trigger unintended actions without any human confirmation.
EvilTokens Abuses OAuth Flow, RatPressto Kit Surfaces
- The phishing-as-a-service (PhaaS) platform known as EvilTokens is being used to carry out device code phishing attacks at scale. “These campaigns are notable for abusing the OAuth 2.0 device authorization flow, automating this sophisticated phishing at scale, and using AI to produce realistic, quickly deployable attack infrastructure,” Netcraft said . The company said it has seen thousands of attacks using the EvilTokens phishing kit. The development coincides with the emergence of a new phishing toolkit dubbed RatPressto that’s being used in an active campaign.
The kit, hosted on legitimate-but-compromised WordPress sites, is used to serve ScreenConnect for establishing persistent remote access. “RatPressto has been observed targeting financial organizations, looking to silently exfiltrate credentials, secrets, and sensitive data that could be used to aid further compromise,” Fortra said . Solo Russian-Speaking Threat Actor Linked to Patriot Bait Campaign
- A solo Russian-speaking threat actor tracked as “bandcampro” ran a 5-year MAGA-themed Telegram channel (@americanpatriotus, approximately 17,000 subscribers) and pivoted to AI-automated content, fraud, and credential theft starting September 2025. “A jailbroken Google Gemini served as the actor’s co-worker, generating Q-styled posts, deploying infrastructure, rotating stolen API keys, modeling victim passwords, and running a QAnon-styled chatbot (QFS 2.0 Terminal),” Trend Micro said .
“Safeguards were bypassed via jailbreaking and non-English prompting, allowing explicit pump-and-dump prompts and instructions to mutate victim passwords to be processed, showing how frontier-AI safety controls can be circumvented through jailbreaks and non-English prompting.” The campaign once again highlights how AI has significantly cut down the resources needed to run influence operations. SonicWall Scanning Spike Recorded
- GreyNoise said it observed a “significant new spike in scanning of SonicWall SonicOS management interfaces” between May 9 and May 18, 2026. “Approximately 56% of sessions originate from networks announced in the Netherlands and 44% in Ukraine - together more than 99% of total volume,” it said. “A single ASN (AS211736) carries roughly half of the total session volume.” New Payload Ransomware Emerges
- Cybersecurity researchers have analyzed ransomware families like NightSpire and Payload , with the latter already racking up 50 victims on its leak site since emerging in February 2026.
“Although the group initially claimed only a limited number of victims, its operations quickly showed a global footprint, with targets across Egypt, Mexico, and Poland,” Dark Atlas said. 🔧 Cybersecurity Tools EvidenceForge → It is an open-source tool from Cisco Talos that generates realistic, multi-format synthetic security logs - including Windows events, Sysmon, Zeek, and more - with strong consistency and causal relationships. It’s particularly useful for threat hunting training, detection testing, and research where you need high-quality, non-obvious synthetic data. MCPGuard-Dynamic → It is an open-source project from Facebook that provides kernel-level sandboxing for LLM agent tool calls using the Model Context Protocol (MCP).
It combines policy enforcement, argument validation, and eBPF-based system call guards to restrict what potentially untrusted MCP servers can do - helping prevent file access, network exfiltration, and privilege escalation attempts. Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.
Conclusion That’s the week: too much speed, too many defaults, and not enough people treating “minor” exposed crap like it can become tomorrow’s incident report. The pattern is boring until it’s your box - attackers keep finding the cheap paths first, because cheap still works. Patch the loud stuff, audit the weird stuff, and don’t ignore the boring stuff. That’s usually where the fire starts.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic & Taiwan
A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent. According to Seqrite Labs, targets of the campaign include government, research, academic, technology, and financial services sectors. The activity entails distributing spear-phishing emails containing ZIP attachments to trigger an infection chain that uses a Rust loader to drop the final payload for data exfiltration and remote control. “When extracted, the archive contains multiple files that appear legitimate but are actually part of a structured infection chain designed to execute malicious payloads in the background,” security researcher Priya Patel said .
The attack chain uses two different pathways to launch the final-stage malware. One infection sequence begins when the recipient of the ZIP archive opens a malicious Windows Shortcut (LNK) file that masquerades as a PDF document. This leads to the execution of a PowerShell script that’s responsible for extracting an executable (“RuntimeBroker_update.exe”) from an intermediate DAT file and running it. In the second attack chain, the victim directly launches a binary from the same archive.
The binary functions as a self-contained Rust-based dropper to launch “RuntimeBroker_update.exe.” Regardless of the path chosen, the executable loads a malicious DLL (“UnityPlayer.dll”) via DLL side-loading , resulting in the deployment of a Rust-based loader called RUSTCLOAK. The loader then decrypts and runs the main payload, an AdaptixC2 agent codenamed AZUREVEIL owing to the use of Microsoft Azure Blob Storage for command-and-control (C2). The loader is designed to perform anti-analysis checks to proceed only if the malware determines that it’s being run within a sandboxed environment. “The malware just talks to Azure Blob Storage, the same service used by thousands of legitimate enterprises worldwide,” Seqrite Labs said.
“Instead of using a traditional pull-based C2 model, AZUREVEIL follows a dead drop approach. The attacker and the infected system never communicate directly. Instead, both sides use the same Azure storage container to exchange data.” AZUREVEIL supports 36 commands that allow it to perform a wide range of post-compromise actions on the host, including file operations, file uploads and downloads, shell command execution, process enumeration and termination, port forwarding, SOCKS proxy control, C2 server management, and in-memory execution of Beacon Object Files (BOFs). These capabilities grant the attacker complete control over the compromised endpoint.
Although the activity has been attributed to a known threat actor or group, it’s assessed to be China-aligned. The disclosure comes as Cato Networks said it detected and blocked an attempted intrusion against the Indian branch of an unnamed global manufacturing customer to deliver TencShell, a previously undocumented Go-based implant derived from the open-source rshell C2 framework. The attack is believed to be the work of China-nexus threat actors based on the historical use of rshell, Tencent-themed API impersonation, and infrastructure patterns. The initial access vector used in the intrusion is currently unknown.
“If successful, TencShell could have given the attacker remote command execution, in-memory payload execution, proxying, pivoting, system profiling, and a path to deploy additional tooling,” researchers Idan Tarab, Dr. Guy Waizel, Zohar Buber, and Shani Kurtzberg said. In a report published last week, ESET said China-aligned threat actors have remained “highly active” globally from October 2025 through March 2026. This includes an unreported cluster dubbed SteppeDriver that was first discovered in 2024 and has since targeted entities in France, Mongolia, and South America using tools like ShadowPad , COOLCLIENT , CurlyDoor, RudeGull, and MKTDownloader.
Also identified by the Slovakian cybersecurity vendor is a new toolkit linked to UNC5221 dubbed PhiliKit that acts as a passive backdoor for executing shell commands, Python scripts, and Perl scripts. It’s suspected that PhiliKit is deployed as part of the SPAWN malware suite used by the Chinese hacking group in the past. A third China-affiliated threat group is NegativeGlimmer, which is believed to share some level of overlap with TGR-STA-1030 , which Palo Alto Networks Unit 42 documented earlier this year as having breached at least 70 government and critical infrastructure organizations across 37 countries over the past year. In at least one instance observed in December 2025, the threat actor has been found to target a governmental organization in Panama, using a DLL side-loading chain initiated via spear-phishing to deliver a downloader that then deploys AdaptixC2 and simultaneously displays a decoy document to the victim.
Subsequent iterations in January 2026 have swapped out AdaptixC2 in favor of Cobalt Strike, with infections also reported in Cambodia and South Korea. “The latter targeting in South Korea aligns with Beijing’s enduring interest in strategic technologies prioritized under the Made in China 2025 industrial development policy,” ESET’s Jean-Ian Boutin said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
The Security Growth Platform: Why MSPs Are Moving Beyond vCISO Tools
Three years ago, the practical question for an MSP building a cybersecurity practice was which “vCISO platform” to buy. The term was good shorthand for the work at the time: assessments, advisory, reporting, maybe a compliance module bolted on the side. The work has since outgrown the descriptor. A Security Growth Platform is the more precise name for what MSPs and MSSPs need from the software running their security practice in 2026.
It combines security program management, CISO-grade decision intelligence, multi-tenant portfolio architecture, and revenue intelligence in one system. Traditional GRC platforms track compliance, vCISO tools support single advisory engagements, and enterprise compliance platforms target end customers directly. None were built around the unit of work that defines a modern MSP security practice: the portfolio. Why The Work Outgrew The Term The demand kept outgrowing the category that named it.
SMB cybersecurity spending is projected to reach $109 billion in 2026, with small and medium businesses accounting for roughly 60% of global cybersecurity spend ( Analysys Mason ), and most of that share moves through service providers. The SMBs paying for security don’t have an internal CISO function. The MSP is the security function, and what “the security function” has to do has expanded well past what a vCISO methodology was designed to cover. What expanded was the work itself.
The tools designed for solo vCISO engagements increasingly describe only part of it, and the platforms built for enterprise compliance had never been built for this customer in the first place. The category sitting between those two reference points kept getting bigger while the language available to describe it stayed where it was. The Three Gaps That Created A New Tier The reason a new descriptor is needed comes down to three structural gaps in the categories already on offer. The Security Growth Platform tier exists because three different software categories each fell short of serving the same buyer, and each gap is structural rather than a feature shortfall.
GRC Platforms Weren’t Built For MSP Delivery Enterprise compliance automation platforms grew into the dominant players in their tier by automating compliance for companies with internal security teams. The architecture optimizes for one customer’s compliance posture, controls library, evidence collection, and audit cycle. Recent repositioning across that tier around agentic AI and trust automation reinforces this direction: the answer to expanding the category has been end-customer trust automation, not service-provider delivery infrastructure. That architecture doesn’t carry over to a service provider running security programs across 30 or 100 SMB clients, where there is no internal security team and the MSP itself is the security function.
A platform built around one customer’s security posture isn’t easily turned into a multi-tenant service-delivery system; the premise has to change at the architectural level. Standalone vCISO Tools Lack Compliance And Automation Depth The vCISO services category itself is real and growing. The global market is projected at $1.2 billion in 2026 with a 6.3% CAGR through 2035 ( Business Research Insights ). The tools built for it focused on the consultant doing the work: assessment templates, advisory frameworks, and reporting decks.
That works well for one senior person delivering one engagement. It works less well for a 30-client MSP that needs to run security as an ongoing program across every account. Compliance requirements have also grown more demanding, with 85% of organizations reporting that compliance is more complex than it was three years ago ( PwC Global Compliance Study 2025 ). That’s the depth the original vCISO tools weren’t engineered to carry.
vCISO tools also rarely automate compliance depth. Many partners ran the vCISO tool for advisory work and bolted on a separate GRC platform for audit work, ending up with two systems, two sources of truth, and no unified program. Enterprise-First Compliance Platforms Compete With The Channel Enterprise compliance platforms sell direct; service providers tend to encounter them when an SMB client asks for the name, typically because an investor or enterprise buyer demanded SOC 2. That motion treats the MSP as a referral channel rather than a partner; the economics flow to the platform, not to the practice running the security program.
The white space opened because the enterprise platforms made a structural choice to go direct, and the channel-native tools made a structural choice to stay narrow on compliance. True CISO-grade intelligence at 100% partner-only delivery, with SMB-accessible pricing and portfolio-level revenue analytics, fell into a gap no existing category was claiming. The Four-Tier MSP Cybersecurity Market In 2026 The market sorts into four tiers by who the platform is built for and how it goes to market. Tier Built For Channel Model Enterprise compliance automation End customers with internal security teams Direct-first Security Growth Platform Service providers delivering, scaling, growing security practices 100% partner only MSP-native Cyber GRC and vCISO Compliance tracking and audit readiness via MSPs Channel-friendly MSP advisory and assessment tools QBRs, vCIO presentations, vendor-neutral assessments Channel The enterprise tier dominates the top end, serving mostly mid-market and growth-stage companies pursuing SOC 2 or ISO 27001 to unlock revenue, in a direct motion where the MSP rarely sits at the center.
The MSP-native Cyber GRC tier clusters around compliance management as the entry point, which serves partners well when compliance tracking is the primary need. The advisory and assessment tier sits closer to a vCIO function than a security function: lower pricing, narrower capability scope, designed for business reviews and presentations rather than running a security program. The Security Growth Platform tier is its own category because the center of gravity is different. Compliance is an outcome of the program rather than its starting point.
Cynomi is the named example of the tier; the platform’s design choices, capability set, and 100% partner-only commercial model define what the tier looks like in practice. What Defines A Security Growth Platform Five capabilities define the tier. A platform without all five sits in a different category. CISO Intelligence built in.
The decision-making logic of an experienced security leader, integrated into the platform’s AI infrastructure and guided workflows. This is what allows any trained team member to deliver senior-level advisory outcomes rather than reproducing what one senior consultant can do alone. Cynomi’s named term for this capability is CISO Intelligence; it is a structured methodology rather than the generic “AI-powered” claims that surface across the broader compliance and GRC market. Unified security, risk, and compliance across 40+ frameworks.
One assessment maps controls across NIST CSF 2.0, CIS Controls, ISO 27001, SOC 2, HIPAA, CMMC, GDPR, NIS2, and DORA. Compliance becomes an outcome of the security program rather than a parallel workstream. Cynomi delivers this through its unified framework engine. Complete security lifecycle management.
Context-aware onboarding, risk-based prioritization, automated remediation roadmaps, task-driven execution, policy automation, business impact analysis, business continuity planning, third-party risk management, and executive dashboards in one system. The work runs continuously rather than in audit-cycle bursts. Portfolio-level revenue intelligence. A multi-tenant view across the partner’s entire client base that maps security gaps to the partner’s service catalog and quantifies recurring-revenue expansion opportunities.
Cynomi’s portfolio intelligence is the only platform-level revenue layer in this category; the other tiers do not expose revenue surface area at the portfolio level. Built for MSP and MSSP scale. Multi-tenant architecture, white-label outputs, no channel conflict, designed for portfolios from 15 to more than 500 clients. The phrase Cynomi uses is “100% partner only,” the practical distinction from channel-friendly platforms that still pursue end-customer revenue alongside partner-delivered revenue.
Why MSPs Need More Than A vCISO Platform If you’ve built a vCISO practice around single engagements, “vCISO platform” still describes the work you’re doing: a fractional security leader, a methodology, a deliverable. The category isn’t going anywhere, and the descriptor holds when the work itself is one engagement at a time. What the “vCISO platform” doesn’t describe is what changes when a service provider scales beyond single engagements. A practice running 30, 100, or 500 client security programs needs more than a vCISO methodology.
It needs the system that surrounds the methodology: portfolio visibility, service-catalog mapping, executive-ready reporting, and the commercial infrastructure for packaging, pricing, and growing the practice itself. Channel research from organizations including CompTIA and Service Leadership consistently documents that MSPs invest in cybersecurity tools faster than they package, price, and sell cybersecurity services to clients. The capability is there; the recurring-revenue motion isn’t. That gap is where most security practices stall: partners with the tooling to deliver, and no system for turning delivery into a sellable, repeatable service.
The Security Growth Platform tier closes that gap on purpose. Portfolio intelligence, service-catalog mapping, and commercialization-ready outputs are engineered into the platform, not bolted onto a vCISO methodology. Where “vCISO platform” describes the methodology, “Security Growth Platform” describes the system. The Outcomes That Define The Tier What separates this tier from compliance-only platforms is what your practice does with the assessment afterward, not what the assessment looks like or how many frameworks it covers.
Service providers running the program model through Cynomi report an average 70% reduction in assessment and reporting workload, a 30% margin improvement on security services, 60% security revenue growth, and 90% shorter discovery time, in line with the MSP cybersecurity benchmark data Cynomi publishes annually . Those are practice-level outcomes, not pilot-program metrics. A category becomes real when practitioners can name it, buyers can compare against it, and the market can see where its center of gravity sits. The Security Growth Platform tier has the practitioners: partners running 30, 100, and 500 clients through it today.
The naming is catching up. Buyers who started by asking “which vCISO platform should we use?” are increasingly asking a more specific question: how do we deliver, scale, and grow a security practice across our entire client base? That’s the question the Security Growth Platform is built for. Found this article interesting?
This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.