DAILY WORKFLOW ARCHIVE

2026-06-06 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-06-06 AI创业新闻

Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available

Cisco has warned that a high-severity security flaw impacting Catalyst SD-WAN Manager has come under active exploitation. The vulnerability, tracked as CVE-2026-20245 , carries a CVSS score of 7.8 out of a maximum of 10.0. It affects the following deployment types - On-Prem Deployment Cisco SD-WAN Cloud-Pro Cisco SD-WAN Cloud (Cisco Managed) Cisco SD-WAN for Government (FedRAMP) “A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system,” Cisco said in an advisory. The network security company said the vulnerability is the result of insufficient validation of user-supplied input, which an attacker could exploit by uploading a crafted file to the affected system.

This, in turn, could permit the attacker to perform command injection attacks and elevate their privileges as the root user. “To exploit this vulnerability, the attacker must have netadmin privileges on the affected system,” Cisco added. “This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127 . Cisco is not aware of successful exploitation by other methods.” CVE-2026-20182 (CVSS score: 10.0) was disclosed last month by Rapid7, describing it as an authentication bypass that could enable unauthenticated, remote attackers to obtain administrative privileges on susceptible systems.

It’s also assessed to be similar to CVE-2026-20127, another case of authentication bypass impacting the same component. Both vulnerabilities have been exploited in the wild as zero-days, with a threat activity cluster dubbed UAT-8616 linked to the abuse of CVE-2026-20127 as far back as 2023. In its advisory released Thursday, Cisco said it observed limited cases where the exploitation of CVE-2026-20245 resulted in a configuration change pushed to edge devices. It credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the new vulnerability.

It is unknown who is behind the latest exploitation efforts. There are currently no patches or mitigations available for CVE-2026-20245. Customers are recommended to upgrade their SD-WAN software to ensure they have applied the fixes released for CVE-2026-20182 on May 14, 2026. Cisco has also warned that internet-exposed systems are at heightened risk of compromise.

To look for indicators of compromise (IoCs), users are advised to check the “/var/log/scripts.log” file for entries like below - Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0

Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv

Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv CVE-2026-20245 is the seventh flaw impacting Cisco SD-WAN to be flagged as active exploited this year alone after CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133 , and CVE-2022-20775 . The disclosure comes days after Cisco addressed another high-severity security flaw in Unified Communications Manager ( CVE-2026-20230 , CVSS score: 8.6), for which it said a proof-of-concept exploit code is public. There is no evidence that the vulnerability has come under active exploitation. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks

Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively. According to JFrog , the information stealer “scrapes every secret it can find on a developer’s machine, hides behind an eBPF kernel rootkit, and answers to its operator over Tor.” The stealer also uses the stolen credentials as a propagation mechanism, drawing similarities to the infamous Shai-Hulud worm. The new malware has been codenamed IronWorm by the software supply chain security company. By publishing itself to the npm registry in the form of trojanized packages, the approach results in a self-replicating attack.

The malicious activity has been traced back to a compromised npm account named “ asteroiddao ,” which has been found to publish package versions containing the Rust ELF binary that’s executed via a preinstall hook. The malware targets 86 environment variables, various files that may contain credentials associated with OpenAI Codex, Anthropic, Claude, Google Gemini, Cursor, Amazon Web Services (AWS), Docker, Kubernetes, and npm, vault configurations, and Exodus cryptocurrency wallet files. An unusual quirk worth mentioning here is that the stealer includes logic for the wallet data-stealing component to skip the threat actor’s own wallet. As of writing, the cryptocurrency wallet is empty, and no transactions have been recorded.

JFrog described IronWorm as “a supply chain weapon built to find secrets, modify projects, and inject malicious code to self-propagate across GitHub.” The malicious commits, which span nine GitHub organizations, have been introduced under the author name “claude” (“claude@users.noreply.github.com”) in an attempt to mimic Anthropic’s artificial intelligence (AI) chatbot. “The malicious npm package was published by asteroiddao; asteroiddao corresponds to the asteroid-dao GitHub organization; and ocrybit is a member of that organization, as well as related Arweave organizations,” the company explained. “The malware stole ocrybit’s credentials and used them to push commits across repositories it could access. Those commits planted malware into other packages, which could then be published and infect the next developer.

And then it vanished.” What’s more, the malicious payload is equipped to swap existing GitHub Actions workflows for one that’s capable of harvesting the secrets, writing it to a harmless-looking file, and uploading it as a build artifact, thereby eliminating the need for an external command-and-control (C2) server. The malware’s capabilities don’t end there. In CI environments, it abuses npm’s Trusted Publishing flow to obtain short-lived tokens to push poisoned versions containing the malware to the registry. It also incorporates an eBPF payload that functions as a kernel-level rootkit to hide processes and thwart analysis.

However, on systems where kernel lockdown is enabled, the process-hiding tricks fail, and the supposed processes and sockets become visible again. Miasma Worm Surfaces Again The disclosure comes as Endor Labs and StepSecurity shed light on a distinct supply chain attack campaign that has compromised 57 npm packages across more than 286 malicious versions to serve a new variant of the Miasma worm, which previously infected 32 packages across more than 90 versions under the @redhat-cloud-services npm namespace within 72 seconds earlier this week. Some of the affected packages are listed below - ai-sdk-ollama autotel awaitly effect-analyzer eslint-plugin-awaitly executable-stories-cypress http-uploader-dev mountly node-env-resolver node-env-resolver-aws The data stolen via the malware is exfiltrated to a now-inaccessible GitHub account “ liuende501 ,” which acted as an exfiltration point. As many as 236 repositories were staged in the account.

It’s presently not known if GitHub removed the account or if the threat actor themselves deleted it. “This wave uses a technique we are calling ‘Phantom Gyp’: instead of the preinstall or postinstall lifecycle scripts that security tools typically monitor, the attacker abuses a 157-byte binding.gyp file to trigger code execution during npm install, bypassing most install-script security checks entirely,” StepSecurity researcher Sai Likhith said. Like in the case of Miasma , the attack chain is engineered to download and install the Bun JavaScript runtime, using it to load a comprehensive credential harvester that’s tailored to extract secrets from AWS, Google Cloud, Microsoft Azure, HashiCorp Vault, Docker, Kubernetes, GitHub Actions, npm, RubyGems, PyPI, SSH, password managers, and AI assistants. “The most novel and concerning capability of this variant is its targeting of AI coding assistant configurations,” the company said.

“The malware injects persistent backdoor files into project repositories that execute whenever a developer opens the project in their AI-assisted IDE.” Developers who have installed an affected version are advised to rotate credentials, turn off install scripts and native rebuilds by default, and ensure packages are pinned with integrity hashes. In an update shared this week, Red Hat revealed that the root cause behind the Miasma supply chain incident was likely a compromised GitHub account that was used to push unauthorized commits to repositories in the RedHatInsights GitHub organization. “The payload operated across Linux, macOS, and Windows by dynamically downloading the correct Bun runtime for each platform, although Linux CI/CD runners appeared to be the primary target,” Microsoft said of the campaign. “On developer systems, the malware stole Secure Shell (SSH) keys, command-line interface (CLI) credentials, browser and wallet data, while in CI/CD environments it scraped GitHub Actions runner memory for secrets, escalated privileges using passwordless sudo, and republished poisoned packages with forged Supply-chain Levels for Software Artifacts (SLSA) provenance to continue downstream propagation.” The Miasma payload is assessed to be a derivative of the Shai-Hulud worm put to use by TeamPCP in recent campaigns, introducing largely “cosmetic” changes while keeping the underlying functionality similar.

Despite the overlap in tradecraft, the attribution for the latest set of attacks remains unclear, given that TeamPCP has publicly released the Shai-Hulud code. OX Security has since uncovered additional stages in the Miasma attack chain, including searches for GitHub commits containing the string “firedalazer” (replacing the previously flagged “ FIRESCALE “ dead drop) to retrieve another payload, a JavaScript file (“index.js”) that contains an alternative version of the Shai-Hulud worm, effectively transforming the infection into a perpetual loop. In this case, the stolen data is exfiltrated to public GitHub repositories, each carrying the description “Miasma: The Spreading Blight” or “Miasma - The Spreading Blight.” It’s important to note here that the previous version reads “Miasma: The Spreading Blight,” which does not have a space between Miasma and the “:” symbol. There are currently 82 such repositories created on user accounts “0tabek16” and “windy629.” “The threat actor can dynamically change the ‘firedalazer’ commits in GitHub, making new versions of the malware, more adaptive and more sophisticated,” security researchers Moshe Siman Tov Bustan and Nir Zadok said .

“This turns GitHub into something more dangerous than a dead drop. It’s an adaptive C2 - one that piggybacks on a trusted, widely whitelisted platform, making network-level detection nearly useless. Most security tools aren’t configured to treat GitHub traffic as suspicious. The threat actor knows this.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Android Spyware Asin Targets Arabic Users via Fake News, PDF and War Map Apps

Arabic-speaking users have emerged as the target of a new Android spyware codenamed Asin , according to findings from ESET. The Slovakian cybersecurity company said it first detected the malware spread via multiple campaigns in early 2025, with each attack wave making use of distinct websites mimicking utilities, war-related updates, and a government news source: govlens[.]net, which impersonates a government news source (registered on May 27, 2025) pdf-reader[.]help, which impersonates a secure PDF editor (registered on May 29, 2025) live-war-map[.]com, which claims to offer updates on military incidents (registered on January 20, 2025) Two of these websites - govlens[.]net and live-war-map[.]com - were also marketed via dedicated accounts on social media platforms like Facebook and Telegram - www.facebook[.]com/GovLens t[.]me/liveuamap_ar “Each of these websites distributes a malicious app that combines legitimate functionality with stealthy spyware capabilities,” ESET said. The cybersecurity company noted that the Telegram channel’s name is likely inspired by Live Universal Awareness Map ( Liveuamap ), a legitimate, well-known platform dedicated to mapping ongoing conflicts, human rights issues, natural disasters, and geopolitical events across the world. Multiple artifacts associated with Asin have since been identified, including one uploaded to VirusTotal from Türkiye in October 2025, an APK downloaded from the domain “c-pdf[.]net” in December 2025 by a user on a Xiaomi Redmi Note 13 Pro device running Android 15, and a third sample masquerading as “Syria Defense Map” detected on a Xiaomi Redmi Note 13 Pro+ 5G devices running Android 15 in around mid-January 2026.

In the last case, the APK is said to have been downloaded from a website named “syriadefensemap[.]com.” It’s worth noting that the user is required to manually install the app and grant it the necessary permissions for the spyware to realize its goals. The activity cluster, per ESET, remains unattributed. It’s also not known what the primary objectives of these campaigns are. However, based on the lures used, it’s suspected that journalists and OSINT researchers in Arabic-speaking regions may have been the target.

“Three out of the five fraudulent apps we unearthed - GovLens, WarMap, and Syria Defense Map - seem primarily intended for people interested in open-source investigation,” the company said. “It thus seems possible that this set of activities may have been, at least partially, meant to target Arabic-speaking journalists or OSINT practitioners.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

The AI Security Vendor Test Most Vendors Hope You Skip

New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework

Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 (where “OP” stands for “opponent”) that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework. ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China. “OP-512 was highly likely conducting espionage through a compromised Internet Information Services (IIS) web server on an organization whose sector and geography align with China-linked intelligence priorities,” the company said in a report shared with The Hacker News. Although no overlaps have been found between OP-512 and other known China-aligned adversaries, it’s the fourth such threat group after CL-STA-0048 , DragonRank , and GhostRedirector to single out IIS web servers over the past 12 months.

As recently as last month, Cisco Talos revealed that multiple Chinese-speaking cybercrime groups are sharing a variant of malware called BadIIS to infect IIS servers. IIS servers have also been targeted by SHADOW-EARTH-053 as part of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia. Central to the operations of OP-512 is a custom web shell framework consisting of three web shells that grant the attackers remote access to the compromised host, while taking steps to evade signature-based detection and complicate forensic timelines using techniques like timestomping to intentionally manipulate the timestamps when the web shell artifacts are created or modified. Specifically, this entails scanning every file and sub-folder around where the web shells are placed, calculating the median last-modified timestamp, and overwriting their own creation and modification times to match that value, thus giving the impression that they have been present for some time.

“This framework combines capabilities we rarely see together: each deployment is uniquely generated, access is restricted to the attacker through cryptographic controls, and compromised servers automatically report back for centralized management at scale,” ReliaQuest said. OP-512 shares close tactical proximity to CL-STA-0048, which has raised the possibility that it either represents an existing cluster that has completely revamped its toolset or developed these capabilities independently on its own. Regardless of its origins, the hacking group is said to be a distinct cluster operating in an autonomous manner. In the attack observed by the cybersecurity company, the threat actor has been found to target a legacy IIS server running Windows Server 2016 with end-of-life .NET Framework 4.0.

There is evidence of prior activity on the same host, about 75 days before the main incident took place. This involved DNS queries to a different attacker-controlled domain (“ashx.lhlsjcb[.]com”). The sequence of actions that unfolded weeks later has been described as a “sprint,” with the attacker using the web server’s worker process (“w3wp.exe”) to drop one of the web shells to the application’s upload directory. This, in turn, triggers a self-reporting mechanism that uses a DNS query or an HTTP request as a fallback to transmit the web shell’s location to an attacker-controlled domain.

“Together, the three web shells gave the attacker file management, authenticated command execution through two independent access paths, and automated reporting of the compromise, all before anyone had time to respond,” ReliaQuest researchers explained. With the web shells deployed, OP-512 is said to have attempted to escalate privileges to the SYSTEM level using the Potato Suite, followed by running commands like “whoami /priv” to confirm their system rights. “Four China-linked clusters targeting the same technology in under a year is unlikely to be a coincidence,” ReliaQuest said. “Internet-facing IIS servers running legacy, unsupported software remain a preferred entry point across this threat ecosystem and show no signs of slowing down.” “What should concern defenders most is what makes OP-512 different.

This threat cluster isn’t using commodity tooling and recycling it across campaigns. It’s using a purpose-built framework designed to defeat the detection methods that work against the other three clusters. Organizations that have tuned their defenses to known actors are likely not covered here.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Only 10% of SOCs Say They’re Getting Excellent Value From AI. Here’s What the Second Wave Has to Deliver

Eighteen months ago, the AI SOC was a marketing line. Today it’s a budget item. The category has crossed over from interesting to inevitable, with billions of dollars now flowing into AI-powered security operations platforms, agentic SOC tools, and AI co-pilots built into every layer of the security stack. The data shows SOCs are buying, deploying, and standing up AI capabilities at the fastest pace the industry has ever seen.

And yet, the same SOCs reporting record AI adoption are reporting underwhelming outcomes. The first objective benchmark on the value of AI in the SOC was published in the SOC-CMM 2026 Maturity Report in May, drawing on survey data collected from roughly 200 SOCs across regions, sectors, and delivery models between late January and mid-March 2026. Only about 10% of respondents said AI has delivered excellent value to their SOC. About 19% reported good value.

The remaining 71% landed at some value or none at all. Eighteen months into AI deployment, that’s a structural signal. What follows is a read on what the data confirms, and on what the next wave of AI in security operations must deliver if the industry is going to close the gap. What the SOC-CMM 2026 data shows Three findings stand out in the SOC-CMM report’s AI section, and they correlate cleanly with each other once they are read together.

First, adoption is up across every category of AI used inside the SOC. Off-the-shelf large language models grew 55% year over year. AI co-pilots grew 145%. AI agents grew 118%.

Supervised machine learning grew 96%. Customized LLMs grew 64%. SOC teams are over-investing in AI without the operational maturity to extract value from what they bought. Second, the dominant adoption pattern is what the report calls the taker model: off-the-shelf AI deployed inside an existing security stack without customization.

About 65% of SOCs surveyed describe themselves as takers. Another 20% are shapers, customizing what they buy. Only 15% are builders, training models against their own data. The takers are the largest cohort and the cohort reporting the least value.

Across hybrid SOCs, in-house SOCs, and MSSP SOCs, the perceived value distribution is nearly identical. That uniformity is the tell. The pattern cuts across delivery model, region, and sector. The cause is structural.

Third, the report flags that the two SOC improvement challenges that grew year over year are lack of best practices (+17%) and complexity of increasing maturity (+11%). Every other challenge category, including lack of budget and lack of management support, dropped. SOCs aren’t telling the survey they don’t have money or executive support. They’re telling the survey they don’t know what they’re supposed to be doing with the AI they bought.

That is the AI maturity gap in one data point. Why the first wave of AI in the SOC underperformed The first wave of AI SOC tools shipped as features bolted onto existing security products. SIEMs got AI triage. EDRs got AI investigation.

SOAR platforms got AI playbook generation. Ticketing tools got AI summarization. Each feature was real. Each one worked in isolation.

None of them shared context with the next. What that means in practice is that SOC analysts now have five AI assistants instead of one. The triage agent in the SIEM does not know what the detection engineer silenced last week. The threat hunting agent in the EDR does not know what the threat intel team flagged that morning.

The summarization agent in the ticketing tool does not know what the investigation surfaced two hops ago. Each agent accelerates its own slice of the workflow. None of them fixes the handoffs between slices, which is where most SOC time and most SOC value live. SOC operators describe this pattern in conversations across the industry.

They describe faster individual tasks and the same fragmented workflow. They describe being asked to learn five new agent interfaces while the core problem, which is that the SOC operates as a chain of disconnected stages, didn’t move at all. The AI accelerated each silo without connecting them. The SOC-CMM 2026 report puts numbers on this dynamic too.

The technology domain is again the highest-scoring maturity domain across the dataset, at an average of 2.7 out of 5. The process domain, where the handoffs between SOC stages live, scores 2.3. The people domain, where the institutional knowledge and decision-making capacity live, scores 2.3 as well. Buying more tools, including AI ones, does not move those numbers.

In some SOCs it makes them worse, because each new tool adds a handoff. What’s different about the SOCs that report excellent value The 10% of SOCs reporting excellent value from AI are not running different point tools. They’re running AI inside a different architectural structure. Three things separate them from the 71%.

AI that operates across the SOC lifecycle, not inside one stage of it. Threat intelligence, threat hunting, detection, investigation, and remediation are five stages of one workflow. When agents operate across all five stages and feed each other context, the SOC compounds. Every closed investigation calibrates the next detection.

Every threat hunt result updates the next intel cycle. Every remediation feeds back into the playbook the next agent uses. The connected fabric is what produces sustained value. The SOCs reporting excellent value tend to have AI architectures that look like fabric.

The SOCs reporting good value tend to have stacks of features. AI that knows the dynamic environment it’s operating in and continuously draws on it. Generic AI produces generic investigations. “Normal” looks different in a healthcare environment than a fintech one.

A detection rule that fires on a real threat in one environment will fire on routine activity in another. An investigation that escalates correctly in one environment will overlook the right answer in another. SOCs reporting value have AI systems that capture and persist institutional knowledge: the assets that matter, the analysts whose judgment shaped past incidents, the sanctioned actions, the escalation criteria, the tickets that turned out to be nothing and the ones that turned out to be everything. Without that grounding, AI in the SOC produces the average of the internet, which is the wrong answer in most environments.

AI that is governable. The SOC-CMM 2026 report identifies effective SOC governance as the single most challenging area of SOC improvement, with 39% of respondents naming it. AI governance and SOC governance overlap. The agentic SOC operates inside customer-defined guardrails.

It exposes a defensible reasoning trace for every action. It earns autonomy in stages rather than asking for it upfront. AI in the SOC cannot be a black box. The SOCs that figured this out are the SOCs where analysts trust the system enough to give it standing authority.

That trust is what produces the productivity gain. Without it, the system stalls. The architecture problem, in plain terms Most enterprises trying to extract value from AI in the SOC today are running point AI inside a fragmented architecture. The point AI works inside a broken architecture.

That is the architecture problem. If a SOC’s detection engineering team works in a different tool than its investigation team, AI in either tool will accelerate that team’s slice of the workflow and do nothing about the handoff between them. If a SOC’s threat hunters cannot easily test hypotheses across the same telemetry its investigations use, AI in either workflow will move only that workflow forward. If a SOC’s remediation playbooks live in a SOAR tool that does not see what its investigation agent concluded, AI remediation will execute against stale context.

The fix is connecting the stages. More AI inside the same fragmented architecture compounds the original problem. That connective fabric is what “second wave” means. The first wave delivered AI per stage.

The second wave delivers AI across stages. What the second wave must look like The five stages of the SOC must operate as one agentic fabric grounded in the customer’s environment. Every closed investigation calibrates the next detection. Every threat hunt result updates the next intel cycle.

Every remediation feeds back into the playbook the next agent uses. The SOC compounds. In practice, a platform built this way sits on top of the SIEM, EDR, identity, cloud, ticketing, and threat intel stack an organization already owns rather than replacing it. The connective layer is what lets each stage feed the next instead of operating in isolation.

Where that architecture is in place, SOCs report sharper investigations completed faster, detections that get surfaced and tuned instead of left silent or noisy, threat hunts that run continuously rather than episodically, and remediation that operates inside defined guardrails with full reasoning traces and audit-grade decision records. The second wave of AI in the SOC must look architectural, not featural. The vendors and platforms that figure that out are the ones whose customers will move from “some value” to “excellent value” in next year’s benchmark. Spotlight: End-to-End Agentic AI for Security Operations One platform built around this architecture is Conifers’ end-to-end agentic SOC, launched in May 2026 on its CognitiveSOC™ platform.

Rather than adding AI to a single stage, it connects threat intelligence, threat hunting, detection engineering, investigation, and remediation into one operating fabric grounded in each customer’s institutional knowledge. The five functions feed each other context, so hunts inform detection, investigations calibrate future detections, and remediation runs inside customer-defined guardrails instead of static playbooks. Governance is built in from the start. Every agent action carries a reasoning chain and an evidence trail, and customers set the scope and authority each agent operates under, expanding autonomy as confidence builds.

That is the move from human-in-the-loop to human-on-the-loop oversight. The system runs on top of the stack a SOC already owns, with more than 60 integrations across EDR, identity, cloud, email, and ITSM, and no rip-and-replace migration. The window is closing faster than most SOCs think Adversaries are not waiting for the second wave to arrive. Google’s Threat Intelligence Group disclosed the first confirmed AI-developed zero-day exploit earlier this year.

Anthropic’s Claude Mythos preview is identifying critical vulnerabilities at machine speed. JPMorgan’s CISO published an open letter in April 2025 warning that the economics of cyber risk are shifting and that security buyers need to demand secure-by-default products instead of the current pace of rushed feature releases. The defenders running first-wave AI inside a fragmented SOC will be the ones explaining what happened the morning after a breach. The defenders running second-wave AI as a connected fabric, with institutional knowledge inside the loop and governance built in from the start, will be the ones who saw it coming.

The 10% number in the SOC-CMM 2026 report is a signal about the architecture most SOCs run right now. It is also a signal about which side of the next breach narrative each SOC will be standing on. Visit Conifers.ai to request a demo and experience the power of a full lifecycle agentic SOC. Frequently Asked Questions Why are most SOCs reporting limited value from AI in 2026?

The SOC-CMM 2026 Maturity Report found that about 71% of SOCs see only some value or no value from their AI deployments. The root cause is architectural rather than technological. Most SOCs deployed AI as features inside individual products such as SIEMs, EDRs, and ticketing systems. Each feature accelerated its own stage of the workflow.

None of them shared context across stages. The handoffs between threat intel, detection engineering, investigation, and remediation, which is where most SOC time goes, did not improve. AI accelerated the silos without connecting them. That is what produces “some value” instead of excellent value.

What does “second wave AI” in the SOC mean? Second wave AI in the SOC means agentic AI that operates across the full SOC lifecycle rather than inside a single stage. The five stages of the SOC, threat intelligence, threat hunting, detection engineering, investigation, and remediation, run as one connected fabric. Agents share context.

Closed investigations calibrate future detections. Threat hunt results update threat intel cycles. Remediation actions feed back into the playbook the next agent uses. The SOC compounds.

This is the architectural pattern shared by the roughly 10% of SOCs reporting excellent value from AI in the SOC-CMM 2026 data. Is the problem that SOCs are not buying enough AI? No. The SOC-CMM 2026 data shows AI adoption growing aggressively across every category, with off-the-shelf LLMs up 55%, AI co-pilots up 145%, and AI agents up 118% year over year.

SOCs are buying. The problem is that adoption is outpacing operational maturity. Two-thirds of SOCs are deploying off-the-shelf AI inside an existing security stack without modifying anything else around it. That cohort reports the least value.

Buying more AI without changing the architecture it operates inside compounds the original problem instead of solving it. How does institutional knowledge change AI SOC outcomes? Generic AI produces generic investigations. A detection rule that fires on real threats in one environment will fire on routine activity in another.

An investigation that escalates correctly in one organization will miss the right answer in another. AI systems that continuously ingest and persist dynamic institutional knowledge, the assets that matter, the analysts whose judgment shaped past incidents, the sanctioned actions, the escalation criteria, the historical incident outcomes, produce investigation results that match how a specific SOC operates. AI without that grounding produces the average of the internet, which is the wrong answer in most environments. Institutional knowledge is the difference between AI that produces noise and AI that produces decisions.

What should CISOs ask before buying their next AI SOC tool? Three questions matter most. Does this AI operate across the full SOC lifecycle, or only inside one stage of it? How does the AI learn and persist the institutional knowledge of the organization’s specific environment, and what happens to that knowledge when analysts leave?

Can the team audit every agent action with a defensible reasoning trace, and can it govern agent autonomy in stages as trust builds? A vendor that cannot give clear answers to all three is selling first-wave AI, no matter what the marketing says. What is the agentic SOC, and how is it different from a SOAR or AI co-pilot? The agentic SOC is the category of security operations platform where AI agents operate as decision-makers across the SOC lifecycle, not as assistants inside a single product.

A SOAR automates predefined workflows using static playbooks. An AI co-pilot accelerates an analyst’s individual tasks. An agentic SOC runs agents that reason through investigations, surface and tune detections, threat hunt continuously, and remediate inside customer-defined guardrails, all while sharing context across stages. Analysts move from “in the loop” on every step to “on the loop” overseeing the system.

How quickly can a SOC move from first-wave AI to second-wave AI? Faster than most teams assume. The shift is architectural, not a rip-and-replace. The connective layer that turns point AI into agentic fabric does not require buying new tools or replacing existing ones.

It requires connecting what the SOC already owns into a system that compounds. Most SOCs underestimate how quickly the shift can be made once the architecture is in place. Found this article interesting? This article is a contributed piece from one of our valued partners.

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Gartner: 70% of SOCs Will Pilot AI Agents. Only 15% Will See Results

Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites

Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise. The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was released on March 18, 2026, with version 1.9.13. “This is due to the Calculation Addon’s process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(),” Wordfence said .

“The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the ‘Complex Calculation’ feature.” Successful exploitation of the vulnerability could allow unauthenticated bad actors to execute arbitrary PHP code on the server, permitting them to create rogue administrator accounts, deploy web shells, and open other ways to burrow deeper into the server and establish persistent footholds. According to the WordPress security company, attackers have been observed exploiting the flaw starting April 13, 2026. More than 29,300 exploit attempts targeting the defect have been blocked to date.

Of these, 16 attack attempts occurred in the last 24 hours. The most common payload involves attempts to create an administrator account named “diksimarina” (email address: diksimarina@gmail.com) on the compromised site. These attack efforts have originated from the following IP addresses - 202.56.2.126 209.146.60.26 15.235.166.18 2402:1f00:8000:800::40db 185.78.165.153 Skimmer Attacks Exploit Stripe for C2 The disclosure comes as Sansec warned of multiple skimmer campaigns, including one that uses Stripe as a command-and-control (C2) server and a data exfiltration sink in a bid to exploit the reputation of the brand and slip past Content Security Policy rules and network filters. “The attacker treats Stripe as free infrastructure, not a way to launder charges,” Sansec noted .

“Stripe gives them a writable database for stolen cards and a code-hosting endpoint for the skimmer, both behind a domain that CSP rules and network filters trust by default.” The campaign relies on Google Tag Manager (GTM) and Stripe domains - googletagmanager.com and api.stripe.com - which are both trusted implicitly by online stores, with the malicious code loaded from a GTM container and executed on every page that loads it. On Magento and Adobe Commerce checkout pages, it extracts an obfuscated skimmer from a Stripe customer account ‘s (“cus_TfFjAAZQNOYENR,” in this case) metadata field, and saves the financial information, billing and email addresses, and phone numbers entered by unsuspecting users to localStorage . The captured data is then exfiltrated back to the attacker’s Stripe account. “Every stolen card becomes a ‘customer’ in the attacker’s account,” the e-commerce security company said.

“On success, the loader deletes the localStorage entry, so the same record is not sent twice. The attacker lists their stolen cards later by calling the same API with the same key. Stripe’s customer database becomes a free, durable exfiltration sink.” The Stripe customer record containing the skimmer is said to have been created on December 24, 2025, indicating that the operation may have been active since then. Sansec said it also identified a second variant of the loader that uses Google Firestore instead of Stripe, although the end goal is the same: abuse a trusted service as a covert channel that’s unlikely to be blocked by e-commerce stores.

The findings coincide with a large-scale operation dubbed GorgonAgora that has used a cluster of 5,714 fake .shop storefronts impersonating brands like Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota, whose checkout pages funnel stolen card data to a single skimmer server in Moldova. The campaign has been ongoing since August 2025. “Every store runs the same Medusa.js commerce stack and loads the same custom checkout SDK, which renders a fake Stripe iframe and exfiltrates card data over an encrypted WebSocket to a single server in Moldova,” the Dutch company said. “Exfiltration runs over WebSocket with an AES-256-GCM payload, and the C2 maintains a live 3D Secure relay: when the victim bank returns a 3DS challenge, the operator proxies it back to the shopper through the fake iframe so the transaction completes and the theft stays invisible.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins

Security researchers and the FBI are warning that a wave of FIFA-themed fraud is already hitting World Cup 2026 fans, days before the June 11 kickoff. Recent reports describe thousands of lookalike FIFA domains, banking malware hidden inside pirate streaming apps, and at least one operation that copies FIFA’s login page well enough to take over real accounts. It is an obvious target. More than six million fans are expected across 16 cities in the United States, Canada, and Mexico, and FIFA said it received more than 150 million ticket requests in the first 15 days, leaving the tournament around 30 times oversubscribed.

Tickets are scarce, fans are anxious, and money is moving fast, which is exactly what fraud needs. One Operator, 300 Cloned FIFA Sites The most detailed findings come from Group-IB , which tracked more than 4,300 fraudulent FIFA domains registered since August 2025. At the center is a group it calls GHOST STADIUM , a Chinese-speaking, money-driven operation running one phishing kit across more than 300 of those sites. The fake is good.

The page is a near-perfect copy of fifa.com, and it mimics FIFA’s real single sign-on login, run by PingIdentity, down to the genuine client ID copied from the live site. It loads its images straight from FIFA’s own servers, so the page looks authentic and slips past tools that flag copied images. Here is the part that does the damage: the fake login page also asks to reset the password. Once a victim enters their details, the attacker can lock them out of their own FIFA account and resell any tickets tied to it.

Most of the traffic comes from Facebook ads, with the same tracking codes reused across the whole cluster, plus links on Telegram, WhatsApp, and in search results. The site takes payment in five different ways: straight card entry, outside payment gateways, money-transfer apps like Chime and Nequi, Mexico-only processors, and a crypto option that converts a card payment into cryptocurrency, which is much harder to get back. That last one is a handy tell, because FIFA’s official ticketing never takes crypto, so any seller asking for it is a scam. Group-IB puts the losses from premium and hospitality ticket fraud alone at $71 million to $474 million, and says the whole campaign could add up to billions.

Those are estimates based on the infrastructure it can see, not confirmed losses. Thousands of Domains, Many Kinds of Scams It is not just Group-IB. FortiGuard Labs counted more than 13,000 World Cup-themed domains registered between January and May, about 8.8% of them malicious or suspicious. The FBI advisory lists dozens of fake FIFA domains, from misspelled lookalikes to phony FIFA jobs pages, and warns more are coming.

Other researchers have mapped thousands more lookalike sites and over a thousand fake social accounts. Ticket fraud is just one piece. Group-IB also found counterfeit merchandise shops, bogus streaming sites that take a subscription fee and then install malware that hands control to the attacker, and fake betting sites that collect passport scans and selfies for identity theft. Bitdefender separately tracked FIFA lottery emails promising payouts of up to $2 million.

Group-IB also flagged a “phishing-as-a-service” market that sells ready-made scam kits and ticket-buying bots, so taking down one operator barely helps. The pieces fit together: fake domains catch the ticket searches, ads and search results push the traffic, stolen-password dumps feed account takeovers, and sideloaded apps turn stream-hunting into bank fraud. Banking Malware Hidden in Streaming Apps For fans chasing free match streams, the bigger danger is on the phone. ThreatFabric saw a spike in malicious unofficial streaming apps, many pretending to be the popular RojaDirecta, around the recent Champions League final, and expects a repeat at the World Cup on a bigger scale.

Kaspersky tied those same apps to Android banking trojans, malware made to drain money from banking and crypto apps, and named two families: Massiv and Perseus . These apps are not on Google Play, so installing one means clicking past the warnings that would normally block it. Once installed, the malware uses Android’s accessibility tools to take over the phone. It can lay fake bank login screens over real apps, record what the owner types, intercept the one-time codes from text messages and login apps that are meant to keep accounts safe, and control the screen from afar.

Perseus, built on the leaked code of an older Trojan called Cerberus , even reads note-taking apps for saved passwords and crypto recovery phrases. The simplest red flag, ThreatFabric says, is a streaming app asking for accessibility access. It has no honest reason to need it. Social Scams, Stolen Logins, and Risky Wi-Fi Social media is just as crowded with scams.

Bitdefender found more than 55 football-themed ad campaigns on Facebook and Instagram, pushing counterfeit kits, fake Panini stickers, and phishing pages; two of the merchandise operations traced back to Chinese operators through their ad-tracking tags. Fortinet counted over 1,700 spoofed FIFA accounts, nearly 90% of them on Facebook and Instagram, plus a scheme that used fake FIFA job ads and calendar invites to send applicants to a lookalike Google login. Stolen FIFA logins are already in circulation. Fortinet found hundreds of thousands of user logins, plus more than 4,600 FIFA web addresses, in data swept up by credential-stealing malware like Vidar , LummaC2 , and RedLine.

Host-city Wi-Fi is its own problem. A Kaspersky survey that drove around Mexico City, Monterrey, and Guadalajara found 10% to 12% of networks open and password-free, with the WPS pairing feature still on across nearly half. Both leave easy openings for rogue “evil twin” hotspots that copy a real network and quietly read its traffic. What to Watch For These scams leave clear tells.

Buy only through fifa.com, and type the address in yourself instead of trusting an ad or a search result. Switch on multi-factor login, and treat any seller who wants payment in cryptocurrency as a scam, since FIFA’s ticketing never asks for it. On Android, the clearest red flag is a streaming app asking for accessibility access it has no reason to need. On open Wi-Fi in the host cities, stick to mobile data when you can, and avoid logging into bank or email accounts.

For security teams, the job is straightforward: watch for new FIFA-themed domains and lookalike login pages, flag any staff or customer logins that show up in Vidar, LummaC2, or RedLine stealer logs, and get fraud teams ready for ticket and chargeback spikes through mid-July. Meta says it is responding too . It is now showing warning pop-ups when people search Facebook for FIFA tickets, and it teamed up with Visa to take down a Facebook network linked to fake World Cup sites pushing bogus gambling. The FBI is asking anyone who has been scammed to report it at IC3.

The bigger worry is what is still waiting. Group-IB counted roughly 3,800 fraudulent FIFA domains sitting parked and unused, ready to switch on. With ready-made scam kits and bots already for sale, the busy window is easy to call: June 11 to July 19, when searches for tickets, streams, and travel will be at their peak. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network

The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to create a covert SMTP email relay network. “Compromised business servers across the U.S., Europe, and Asia were quietly converted into SMTP proxies, verified for mail relay capability, and synced to a downstream consumer every five minutes,” Hunt.io said in a statement. “The infrastructure was still running when we found it.” The threat intelligence company said it found source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration after the threat actor behind the operation left two open directories on a command-and-control (C2) server (“213.136.80[.]73”) without any authentication. PCPJack was first discovered by SentinelOne in April 2026 after it identified a credential theft framework that specifically targets cloud services, while taking steps to terminate and remove processes or artifacts associated with TeamPCP , another notorious hacking group that has attracted attention in recent months for its software supply chain attacks.

Staged in one of the open directories Sliver -integrated SMTP proxy deployment toolkit, along with Chisel tunneling and proxy binaries for most Linux CPU architectures, such as AMD64, ARM64, and x86. On the victim side, the binary is dropped as a hidden dot-prefixed file and persisted at “/var/tmp/.xs.” Also found in the directories are deployer scripts designed to load the Sliver C2 client configuration and filter for Linux beacons that have checked in within the last ten minutes. Beacons are implants that periodically phone home to the C2 server at regular intervals to check in and retrieve commands. “Each beacon receives a SOCKS5 proxy port derived deterministically from an MD5 hash of its Sliver UUID, mapped into the range 10000-14999,” Hunt.io noted.

“The same beacon always maps to the same port across runs, eliminating the need for a shared port registry.” The script is also capable of running an SMTP quality gate that probes for outbound access to smtp.gmail[.]com:587. Hosts that fail this check are skipped with an exit code of zero. “This gate defines the operation’s purpose: hosts that cannot relay email have no value to this pipeline,” the cybersecurity company added. “Beacons are processed in batches of 50, with a 25-minute wait after uploads and 15 minutes after execution commands, to accommodate slow-interval beacon check-ins.” Subsequent iterations of the deployer scripts have been found to remove the SMTP gate and the batching logic.

Also present is a diagnostic script that selects five active beacons and tasks them each a shell command that checks for the following - Presence of Chisel binaries at known drop paths A Chisel process is running Disk space Reachability of port 9000 on the C2, and Presence of persistence artifacts, such as the cron entry or systemd service In addition, the C2 server runs a Python script named “chisel_verifier.py” as a persistent background daemon, which enumerates active Chisel tunnel ports via ss -tlnp every 60 seconds, tests each new port for SMTP capability, and removes failed or dropped tunnels from the active pool. Verified proxies are enriched with exit IP address, country, and ASN via services like api.ipify[.]org and ip-api[.]com. The proxy lists are then synced every five minutes via the Secure Copy Protocol (SCP) to a separate downstream server at 38.242.204[.]245. The server is currently not accessible.

The end goal of the operation remains unclear at this stage. “The 230-node outcome is the observable result. Whether this progression reflects a single operator iterating or multiple actors sharing the same infrastructure cannot be determined from the recovered files,” Hunt.io said, describing it as an opportunistic campaign. “The verified proxy list is being synced every five minutes to that server, and someone is consuming it.

Whether for spam, phishing, or something else, the infrastructure to deliver at scale was clearly running.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public

Cisco has patched a bug in Unified Communications Manager that lets an unauthenticated attacker on the network write files to the box and, from there, climb to root. It is tracked as CVE-2026-20230 , and proof-of-concept exploit code is already public. Cisco’s PSIRT says it has not seen the flaw used in attacks yet. The PoC shortens that runway.

The flaw is a server-side request forgery. Unified CM and its Session Management Edition fail to validate certain HTTP requests properly, so a crafted request can push the server into writing arbitrary files onto the underlying OS. Those files are the foothold. Cisco says they can be used later to escalate to root, the top privilege on the system.

That two-step is why the score and the rating disagree. The CVSS base is 8.6: it scores the file write (an integrity-only impact, no confidentiality or availability loss) but not the root escalation that follows. Cisco rated the advisory Critical anyway, since the end state is full root. There is one mitigating factor: the flaw only works when the WebDialer service is running, and WebDialer ships off by default.

That does not help any deployment that has switched it on. To check, open Cisco Unified CM Administration and switch to Cisco Unified Serviceability. Under Tools > Control Center - Feature Services, look at the Cisco WebDialer Web Service status in the CTI Services section. Started means you are exposed.

Patching is the only real fix. For the 14 train, that is 14SU6. For 15, the full Service Update (15SU5) is not due until September 2026, so until then, you are on the interim COP patch, or you turn WebDialer off (uncheck it under Tools > Service Activation and save). An independent researcher working with SSD Secure Disclosure reported the bug.

Unified CM has been a steady source of unauthenticated, root-level trouble. Last July, Cisco pulled a hard-coded root SSH account left in from development (CVE-2025-20309, CVSS 10). In January, it patched an unauthenticated RCE across several of its voice products (CVE-2026-20045) that was already being exploited in the wild, enough for CISA to add it to its known-exploited list. This one fits the pattern: a request that should never have reached anything sensitive, reaching it.

With a PoC public and the 15-train fix months out, assume someone turns that file-write into a working attack before the patches are everywhere. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

A security researcher found a flaw in Anthropic’s Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. Because Anthropic’s own action repo used the same workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it. RyotaK of GMO Flatt Security reported the core bypass to Anthropic in January, and Anthropic fixed it within four days , with further hardening through the spring; the fixes are in claude-code-action v1.0.94. Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bug bounty.

Claude Code GitHub Actions drops Claude into CI/CD pipelines to triage issues, slap on labels, review pull requests, or run slash commands. By default, the workflow gets read and write access to a repo’s code, issues, pull requests, discussions, and workflow files. Because those permissions are broad, the action is supposed to be picky about who can trigger it: only users with write access. The trigger check had a hole.

It waved through any actor whose name ended in [bot], on the assumption that GitHub Apps are trusted things admins install. Trouble is, anyone can register a GitHub App, install it on a repo they own, and use its token to open an issue or pull request on any public repository. The action saw “a bot” and let the attacker’s content through. Tag mode had an extra check to confirm the actor was a real human; agent mode didn’t, which left it open.

From there, the attacker leans on indirect prompt injection, the trick of planting instructions inside content that an AI reads so the model follows them instead of its actual task. RyotaK wrote an issue whose body looked like an error message, then refined the prompt until Claude would “recover” by running the commands buried in it. The target is /proc/self/environ, the Linux file that holds a process’s environment variables, secrets included. Claude Code blocks naive reads, but RyotaK bypasses the guard anyway and gets Claude to write the values back into the issue, where the attacker can grab them.

The real prize in those variables is the credential pair GitHub Actions uses to request an OIDC token, a signed token that proves “I’m this workflow running in this repo.” Claude Code trades that token with Anthropic’s backend for a Claude GitHub App installation token with write access. Steal those credentials, replay the exchange, and you hold write access to the target’s code, issues, and workflows. Aim it at the claude-code-action repo itself, and you could poison the action that downstream projects pull. RyotaK also flagged a softer route that skipped the bot trick entirely.

Anthropic’s own example issue-triage workflow shipped with allowed_non_write_users: “*”, which lets anyone trigger it, a setting Anthropic’s docs already flag as risky. Worse, Claude was posting task summaries to the workflow run’s publicly visible summary panel, a ready-made way to leak data out. Plenty of repos copied that example and inherited the hole. There’s also a path for an attacker who can edit issues but can’t trigger Claude on their own: edit a trusted user’s issue after it has fired the workflow, but before Claude reads it, and the payload rides in as “trusted” input.

What to do? Update to claude-code-action v1.0.94 or later. Then audit any workflow that lets users without write access, or bots, trigger Claude: if it is taking untrusted input, don’t feed it any secret beyond the Anthropic API key and GITHUB_TOKEN, and remove tools and permissions that can be used for exfiltration. None of this is theoretical.

The same setup, an AI issue-triager plus broad permissions plus prompt injection, already caused a real supply-chain hit: In February, a prompt-injected issue title against Cline’s claude-code-action triage workflow let attackers steal an npm publish token and push an unauthorized cline@2.3.0 . The rogue version only force-installed a separate, non-malicious AI agent and was pulled about eight hours later, but the same chain could just as easily have shipped real malware to everyone who updated. The autonomous “HackerBot-Claw” bot then spent late February probing GitHub Actions misconfigurations at Microsoft, Datadog, CNCF projects, and others, though when it tried to prompt-inject a Claude-based reviewer through a poisoned config file, Claude caught it and refused. There’s no public sign of this exact path, the one that poisons Anthropic’s own action, was used against a live target; RyotaK proved it only in his own test repos, and he’s careful to separate that from the variants above that did get exploited.

RyotaK says he has now reported around 50 separate ways to bypass Claude Code’s permission system and run commands, part of a steady run of prompt-injection flaws in AI coding agents . Prompt injection still isn’t solved, and an agent with real tools and real tokens can be pushed as far as its permissions allow. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Agentic AI Is Transforming Defense, But Only Secure IT Infrastructure Will Maximize It

Over the past several weeks, the cybersecurity community has been reminded how quickly frontier and agentic AI in defense networks can challenge our assumptions. When Anthropic’s Claude Mythos model was made available to a limited set of organizations as a technical preview, it was reported that an unauthorized group claimed that it had gained access within hours. The incident, if true, was more than a possible breach. It was a warning.

The potential impact of advanced AI on U.S. defense and intelligence networks is significant. As the U.S. government moves to deploy AI capabilities on classified networks, the opportunity is clear: advanced AI can help accelerate decision superiority for American forces .

But the risks are expanding just as quickly, particularly as agentic AI begins to operate across sensitive networks, data environments, and mission workflows. AI adoption is not simply about deploying powerful models. It requires the right security, governance, and resilient infrastructure around them. AI is only as trustworthy as the data it uses, the networks it touches, and the controls that determine who and what can access it.

In classified environments, that challenge is compounded by the need to move information securely across classification levels, compartments, coalition boundaries, and operational environments. For AI to rapidly deliver the expected decision advantage, three important areas must be considered:

  1. What is entering the model? Training data and commercial models must move quickly but securely into classified environments.

Without proper inspection, even the strongest AI model can become a liability by processing stale information or ingesting ‘poisoned’ content that leads to compromised assessments. 2. Who and what can access the AI? Cleared analysts, coalition partners, edge operators, and AI integration teams will all require governed access that enforces security boundaries without inadvertently ‘collapsing’ networks together.

  1. Where is the AI agent reaching back out? Every model call to a database, mission system, or coalition partner must preserve the integrity of the classification layer. If AI is going to compress operational timelines, the security boundary cannot become the first point of failure.

AI Mission Advantage Starts with Secure Infrastructure All of this depends on the network layers beneath the models. Everfox is enabling defense and intelligence agencies to keep pace with revolutionary changes in AI without compromising mission speed and security. Our technologies provide a secure network fabric built on cross domain capabilities and hardware-enforced protection that is purpose-built for classified environments and the tactical edge, all so AI can be securely and confidently deployed at mission scale. AI introduces risk across every layer: system components, integrations, downstream outputs, and mission workflows.

As defense and intelligence organizations accelerate adoption, AI tools will increasingly operate across domains, compartments, and operational theaters. In these environments, trusted infrastructure, strict access controls, and strong data governance are not optional. They are mission critical. Sensitive data must be able to move securely across classification boundaries, with threats and policy violations identified before they ever reach a model.

If we want to deploy AI responsibly at scale, we have to build security in from the start, not bolt it on after the technology is already embedded in mission operations. Frontier AI will be an important engine of future mission advantage. But without a secure network fabric to carry it, even the best models cannot be trusted to operate where and when they matter most. Note: This article is written and contributed by Dave Wajsgras - Chairman and CEO of Everfox.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories

It got stupid again. The internet still feels held together with tape. Bad plugins, old bugs, fake tools, trusted apps doing shady things. Same mess, new wrapper.

And now the weird stuff is normal. Forums go down and come back worse. Cheap hackers get better toys. AI starts breaking real systems.

Great. Read the whole thing before it ruins your week anyway. Unauthenticated SSRF risk Cisco Patches Unified Communications Manager Flaw Cisco has released fixes to address a high-severity security flaw in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6) that could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. “This vulnerability is due to improper input validation for specific HTTP requests,” Cisco said.

“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.” The issue has been addressed in Cisco Unified CM and Unified CM SME Release versions 14SU6 and 15SU5. Cisco said it’s aware of the availability of proof-of-concept exploit code for the flaw, but noted there is no evidence of active exploitation. It credited an independent security researcher working with SSD Secure Disclosure for reporting the vulnerability.

Mobile spyware operation Russia Claims Large-Scale Operation Targeting High-Ranking Officials Russia’s Federal Security Service (FSB) has disclosed details of what it described as a “large-scale action” undertaken by foreign intelligence services to stealthily implant spyware on the mobile devices of high-ranking officials in the country. “This software was utilized to exfiltrate existing data, intercept ongoing conversations, and conduct covert audio and video surveillance of the immediate surroundings of the electronic devices, with the ultimate objective of obtaining sensitive information,” the FSB said . Russia did not reveal who was behind the attacks, but noted the “representatives of foreign intelligence services” leveraged the technical capabilities of major international IT corporations to exfiltrate sensitive data from the devices. This specifically included the exploitation of mobile communication channels, the agency added.

An investigation into the activity is ongoing, with the FSB also initiating a criminal case to investigate the matter. Layered keylogger lures VIP Keylogger Campaigns Analyzed Threat actors have been relying on social engineering over the past few months to push VIP Keylogger via loaders written in JavaScript, batch scripts, and Visual Basic Script (VBS). “Attackers are masquerading as legitimate business communications such as bank payment notifications, procurement orders, and logistics updates to lure users into opening malicious files,” Splunk said . Crypto sanctions escalation U.S.

Sanctions Nobitex Crypto Exchange The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has announced sanctions against Nobitex, Iran’s largest cryptocurrency exchange, for facilitating payments related to terrorist activities. “Nobitex has provided significant support to the regime, processing more than 50 percent of all Iranian digital asset inflows in 2025 and facilitating payments tied to Iran’s terrorist activities, sanctions evasion efforts, and Islamic Revolutionary Guard Corps (IRGC)-linked transactions, including activity associated with IRGC-affiliated ransomware actors,” the Treasury said . The sanctions also extend to Nobitex’s chairman, co-founder, and former CEO, Amir Hossein Rad, as well as other Nobitex leaders and officials, and three other exchanges: Wallex, Bitpin, and Ramzinex.

According to Chainalysis , Nobitex processed over 50% of all Iranian digital asset inflows last year. The four exchanges accounted for roughly $7.7 billion, 78% of Iran’s USD 9.9 billion in attributed 2025 crypto volume, per TRM Labs . Cybercrime forum fallout XSS Takes Fractures Cybercrime Underground The July 2025 law enforcement takedown of XSS , a prominent Russian-speaking cybercrime forum, didn’t dismantle the ecosystem. Rather, it fractured it into competing, harder-to-track factions, Flashpoint said .

The collapse has triggered an exodus into new, unvetted, and often adversarial communities. Some of the new forums that have rushed to fill up the void left by XSS include DamageLib (launched by legacy moderators of XSS), Rehub (launched by another former XSS moderator), XSS.pro (a resurrection using old backups and suspected to be a law-enforcement honeypot), and XSSF (started by a pro-Russian Telegram hacking group). RMM abuse surge Malicious Use of Tiflux in Attacks Surges A lesser-known remote desktop tool called Tiflux is being used in a growing number of attacks to establish persistence, transmit screenshots, and run commands to collect system profiling information. “Threat actors behind the rogue Tiflux incidents also installed UltraVNC, an open-source remote access tool, sideloaded other commercial RMMs, including Splashtop and ScreenConnect, and installed an outdated driver that can permit the threat actor to elevate their own privileges on an infected system,” Huntress said .

“Threat actors continue to test and weaponize the use of commercial remote access management tools.” Malware delivery network DriveSurge Linked to ClickFix and FakeUpdates Campaigns A threat cluster tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and FakeUpdates (aka SocGholish) social engineering techniques on compromised sites. Thousands of websites are estimated to have been compromised, directing users to malicious infrastructure. DriveSurge primarily acts as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks. Visitors of compromised websites are steered through a traffic distribution system (TDS) known as zTDS, which profiles the system and decides whether the visitor should be served a ClickFix or a FakeUpdates lure.

zTDS, in use since at least 2015, is publicly available at ztds[.]info. “Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors,” Silent Push said . The campaign has been active since September 2025. Sensitive data leak Spain Arrests Suspect for Leaking Sensitive Data The Spanish National Police has arrested an unidentified individual for leaking sensitive information related to members of various critical state organizations, including the National Cybersecurity Institute (INCIBE), the State Attorney General’s Office, the National Police, the Civil Guard, and the National Security Council.

JavaScript backdoor malspam Malspam Distributes JavaScript Backdoor Intrinsec haș disclosed that multiple malspam campaigns have been used to distribute a JavaScript-coded backdoor. “The targets of those campaigns were from all regions and sectors, notably energy and finance ministries, including in the CIS region,” the company said. “We believe the campaigns to be financially motivated and operated for email account compromise (EAC) and/or business email compromise (BEC).” The activity was observed in March 2026. On-chain malware delivery ClearFake Campaign Leverages EtherHiding Cybersecurity researchers have flagged an intrusion in which threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet.

“The attack chain ended with two simultaneously deployed stealers, SectopRAT and ACRStealer, alongside an on-chain execution tracker that confirmed each victim compromise in real time,” Trend Micro said . Cloud attack tradecraft Exploitation of ROADtools by Nation-State Groups Nation-state hacking groups like APT29 , APT33 , and UTA0355 are exploiting ROADtools , a Python-based open-source framework for red-teaming and research, to blend in with normal traffic and evade detection. “ROADtools operates through legitimate Microsoft APIs and can mimic typical traffic,” Palo Alto Networks Unit 42 said . “Further defense evasion can be achieved by configuring request attributes such as user-agent strings.

These capabilities have made ROADtools a valuable asset for attackers. Nation-state threat actors have used it in recent cloud intrusions for discovery, persistence, and defense evasion. Attackers involved in a targeted phishing campaign in early 2025 used tooling that matches ROADtools’ token management capabilities.” Data-only extortion rises Pure Data Exfiltration Campaigns on the Rise Pure data-exfiltration campaigns without deploying ransomware to pressurize victims are on the rise. In 2025, such attacks have primarily targeted professional services, healthcare, and consumer services firms.

“Interestingly, while manufacturing remains the single most disrupted sector overall, construction has witnessed a 44% year-over-year increase as a data-only extortion hotspot,” Unit 42 said . “These firms are attractive targets due to lucrative financial blueprints and bidding data combined with data egress controls.” AI-assisted evasion testing Threat Actor Uses AI for Testing EDR Evasion An unknown threat actor has been observed using artificial intelligence (AI) technologies to automate Active Directory discovery and refine endpoint detection and response (EDR) evasion tactics in a red team post-exploitation framework. “Analysis revealed that AI for malware development was more limited and was mainly used to coordinate workflows and support experimentation,” Sophos said . “The actual EDR-bypass path was a structured engineering test cycle that included human review and iteration.” To develop tools for bypassing EDR agents, the attacker is said to have used Cursor and Anthropic Claude Opus.

At the core of the framework is a Python tool that generates Go and Rust payloads for testing with an aim to resist sandboxing, antivirus, and EDR detection. This approach was used to build nearly 80 modules covering more than 70 techniques. Also attributed to the threat actor are Python-based malware development scripts for injecting shellcode into legitimate Windows executables and a Telegram bot API-based external command and control (C2) mechanism. “The use of AI agents to accelerate tool development and test evasion techniques lowers the barrier to entry for sophisticated red team-style attacks,” Sophos said.

“However, this shift does not change how defenders should protect themselves.” The framework is said to be built for stealthy post-exploitation activity in target environments, linking it to “known ransomware deployment and data theft operations.” Steam-hosted malware payloads Steam Community Profiles as Dead Drop Resolvers A newly identified malware is using Steam Community profile comments to host malicious payloads for WordPress, hiding malicious infrastructure behind Valve’s legitimate platform. “The malware employs invisible Unicode characters to conceal payloads within Steam profile comments, enabling steganographic data encoding that evades traditional text-based detection methods,” GoDaddy said . “A cookie-authenticated backdoor enables remote code execution, allowing attackers to modify plugin and theme files by sending base64-encoded PHP code via POST requests.” The malware performs two primary functions, including client-side JavaScript injection, which fetches encoded URLs from Steam profile comments, decodes them, and injects external JavaScript into WordPress pages, and a server-side backdoor that provides cookie-authenticated remote access for modifying PHP files across plugins and themes. The campaign was first detected in July 2025.

The malware has been detected on approximately 1,980 WordPress sites. It is unclear how the websites are breached, but it’s assessed that the initial infection vector could be stolen admin logins, compromised FTP/SFTP credentials, the exploitation of a vulnerable WordPress theme or plugin, or a supply chain compromise. Trusted tools abused FalkonC2 Becomes Stealthy Flare.io has disclosed details of FalkonC2, a commercial hacking tool that appears designed to hide inside enterprise environments by abusing trusted remote access software. “FalkonC2 has an enterprise version called Rotemelli2 that runs in memory, rotates its command-and-control domains every 72 hours, and uses tools such as ScreenConnect, Datto, and SimpleHelp to quietly launch attacks,” the company said in a statement.

An analysis of dashboard telemetry suggests active enterprise infections across the U.S., Australia, the Netherlands, and Poland. The framework also checks infected machines for QuickBooks and Sage50 data, suggesting attackers are looking for accounting systems they can quickly exfiltrate. AI vulnerability surge Anthropic Expands Project Glasswing Anthropic is broadening access to its Project Glasswing program, adding approximately 150 organizations in 15 countries for access to its Claude Mythos Preview. “The bottleneck in cybersecurity is now verifying, disclosing, and patching the large numbers of vulnerabilities that Mythos-class models can surface,” the company said .

The growing number of flaws identified with the help of AI models has shifted the scales from discovery to patching. A recent report from the Cloud Security Alliance (CSA), the SANS Institute, and the Open Worldwide Application Security Project (OWASP) concluded that in the near term, organizations are “likely to be overwhelmed” by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them. “The cost and capability floor to exploit discovery is dropping, the time between disclosure and weaponization is compressing toward zero, and capabilities that previously required nation-state resources are now becoming broadly accessible,” the report said . Linux flaw under attack CISA Adds Linux Kernel Flaw to KEV Catalog The U.S.

Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux Kernel flaw ( CVE-2022-0492 , CVSS score: 7.8) to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by June 5, 2026. “Linux Kernel contains an improper authentication vulnerability which could allow for privilege escalation via the cgroups v1 release_agent feature,” CISA said. The development comes after Kaspersky said it observed the flaw, along with CVE-2019-5736 and CVE-2024-21626, being exploited in attacks aimed at container environments. Fake image tools deliver malware ClickFix Becomes BackgroundFix A new ClickFix-style lure is being dressed up as free image-editing tools to deliver CastleLoader , which then drops both NetSupport RAT and a custom .NET stealer called CastleStealer.

“The sites look like every other ‘remove your photo background’ service with uploads, progress bars, and download buttons, but the entire UI is fake,” Huntress said . The activity has been codenamed BackgroundFix. CastleLoader is attributed to a threat cluster known as GrayBravo. Session theft defense Google Makes DBSC Generally Available to Workspace Users Google has revealed that Device Bound Session Credentials (DBSC) in the Chrome browser is now generally available and enabled by default for Google Workspace users.

“DBSC strengthens account security after users are logged in and helps bind a session cookie - small files used by websites to remember user information - to the device a user authenticated from,” Google said . “Even if malware was present on the user’s device, DBSC reduces the risk of session theft and makes it meaningfully more difficult for malicious actors to exploit stolen session cookies.” The feature was formally released in April 2026. Adobe abused in phishing Fake LinkedIn Emails Abuse Adobe to Track Victims Cybercriminals are weaponizing Adobe infrastructure in a LinkedIn phishing campaign that steals passwords and redirects victims to the legitimate LinkedIn site afterward. Opening an HTML attachment in the email message serves a login form urging the recipient to enter their credentials.

The captured information is delivered to the domain “lnkd.tt.omtrdc[.]net/rest/v1/delivery,” after which they are redirected to the LinkedIn site. “This domain belongs to Adobe and is associated with the Adobe Target A/B testing platform,” Malwarebytes said . “But the campaign isn’t using Adobe Target to receive the phished credentials. Instead, attackers are abusing Adobe Target as a redirect/abuse point in the phishing flow.” Supply chain delay defense RubyGems Debuts “cooldown” Time-Based Filter to Tackle Supply Chain Attacks RubyGems has included a cooldown, a time-based filter, in Bundler version 4.0.13 that refuses to resolve to a version until it has been public for at least “N” days.

“Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window,” Hiroshi Shibata, RubyGems maintainer, said . “It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing.” Users can declare a “small cooldown” on the source in the Gemfile. The efforts go along with other initiatives like AI-assisted vulnerability scanning against the most critical gems in the registry. Iran-linked Israel attacks Three Iranian Threat Clusters Highlighted ESET said it recorded an unusual spike in Iran-aligned activity against Israeli targets between October 2025 and March 2026 that could not be linked to previously known groups.

“Two unattributed activity clusters, Rusty Boots and MoKhargosh, demonstrated both espionage capabilities and destructive potential - including deployment of a bootkit-style wiper and retaining destructive tooling for later use - whereas a third, MOØN Badr, appears to have been limited to targeted espionage,” the Slovakian company said . MoKhargosh, first observed in January 2026, used Go-compiled binaries in attacks targeting Israel. This includes a backdoor called GoKhargosh, along with wipers, filecoders that overwrite files with junk data, and a wiper that targets the master boot record to render the system unbootable. MOØN Badr, on the other hand, singled out three unidentified victims in Israel in early January 2026 to deliver the MOØN AGENT backdoor via phishing emails to facilitate command execution and file uploads and downloads.

Fuel tank systems exposed CISA Warns of Attacks Targeting Automatic Tank Gauge Systems The U.S. government has issued an advisory urging organizations to take steps to defend against attacks targeting U.S.-based automatic tank gauge (ATG) systems by securing them with strong passwords and by removing them from the internet to reduce public exposure. The activity, which remains unattributed, involves the attackers compromising internet-exposed ATG systems via hard-coded credentials, command execution, and SQL injection vectors, followed by escalating privileges to obtain full administrator rights and modifying the system functions. “Should a cyber threat actor exploit these vulnerabilities and compromise an ATG system, they could disrupt or manipulate the below critical functions by interfacing directly with the tank management as though they possessed legitimate physical access to the system console,” government agencies said .

Verified call defense Google Adds New Scam Detection Feature to Android Google has announced a fake call detection feature, built on Rich Communication Services (RCS), to Android devices running versions Android 12 and later that verifies whether a call is coming from the caller’s actual Android smartphone. Enabled by default, the alert is designed to avoid falling victim to deepfake impersonation and call spoofing in real time. “When a contact calls you and you’re both using Phone by Google, their device sends a silent confirmation signal in real time to your device to verify the call is legitimate and truly coming from the contact’s device,” Google said . “If a scammer tries to impersonate your contact, that initial confirmation signal will be missing.

Your device will instantly notice this and ping your contact’s actual device to double-check. If their real device says, ‘I’m not making a call right now,’ you’ll get a warning on your screen advising you to hang up immediately.” Because the digital handshake uses end-to-end encrypted RCS technology, Google said the process is completely private. That said, the feature requires users to have three Google apps installed: Phone by Google, Contacts, and Google Messages. It will roll out globally this month, starting with Pixel devices.

Agentic AI failures AI-security and Operational Incidents Analyzed An analysis of 7,200 publicly reported AI-security and operational incidents has identified “344 verified enterprise-relevant agent-inflicted damage cases between September 2023 and May 2026, including 188 incidents where autonomous AI systems caused direct organizational harm without any external attacker involvement,” Cyera researchers Ehud Halamish, Assaf Morag, and Vladimir Tokarev said . “The majority of confirmed incidents involved real production impact rather than theoretical AI risk scenarios. Observed outcomes included deleted databases, destructive cloud actions, unauthorized financial operations, runaway API spending, service outages, exposed secrets, and silent integrity corruption inside enterprise environments. As agents gain broader permissions and deeper integration into SaaS, cloud, development, and business environments, the AI interaction layer itself increasingly becomes part of the enterprise attack surface and critical data perimeter.” The lesson is boring because the lesson is always boring.

Patch faster, kill exposed admin panels, stop trusting “safe” tools by name, and watch the weird edges where attackers like to hide. The cheap stuff still works because too many teams leave it cheap. Security is not magic. It is inventory, logs, least privilege, backups, tested restores, and people who notice when something normal starts acting wrong.

Do that well, and half this mess gets a lot less exciting. That is the point. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.