2026-06-12 AI创业新闻
Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs
Authorities in Europe have disrupted AudiA6 , a cryptocurrency laundering service used by ransomware gangs and cybercriminal networks. Europol, in a statement issued Thursday, said the dismantling of AudiA6 cut off a “key financial pipeline used to wash hundreds of millions in illicit profits.” The service is estimated to have been used to launder more than €336 million (~$389 million) since the service was launched in 2021. “The platform became a central hub for ransomware actors and cybercriminals seeking to cash out stolen digital assets while hiding the money trail from authorities,” the agency added . The operators of AudiA6 are suspected to have also administered a dark web cybercrime forum known as Dark2Web, where cybercriminals advertised illicit services and connected with other threat actors across the world.
As part of the operation that took place on June 10, 2026, a number of coordinated actions were carried out, including - The arrest of two alleged administrators of Ukrainian and Russian nationality in Georgia Three property searches Takedown of 25 domains and seizure of more than 30 servers Seizure of more than 80 vehicles and multiple properties in Georgia Freezing cryptocurrency assets worth €692,000 ($798,000) and seizure of €86,000 ($99,400) in cryptocurrency Blocking Telegram accounts used by the network Replacing the clear web and dark web websites of AudiA6 and Dark2Web with a law enforcement seizure banner In tandem, the U.S. Department of Justice (DoJ) announced charges against the two arrested individuals - Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25 - accusing them of one count of conspiracy to launder monetary instruments and one count of sting money laundering. If convicted, both of them face a maximum possible sentence of 20 years in prison. “Out of the approximately 10,333 bitcoin deposited, approximately 393.39 BTC (valued at around $19,234,331 at the time of the transactions) were received directly from known darknet markets, ransomware organizations, cybercrime services, and other illicit sources, while additional funds were deposited indirectly from illicit sources into AudiA6 wallets,” the DoJ said .
Europol said the crackdown was the result of an earlier enforcement action carried out by the Polish Police that led to the arrest of an Ukrainian national in September 2025 for their alleged involvement in money laundering activities connected to the AudiA6 group. This made it possible for authorities to initiate a forensic examination of the seized electronic devices belonging to the suspect and identify additional individuals linked to the operation. AudiA6 has been described as an industrial-scale cryptocurrency laundering operation that relied on thousands of fraudulent exchange accounts opened using stolen or purchased identities. The criminal service has been linked to more than 15 investigations worldwide related to ransomware attacks and large-scale cryptocurrency theft.
Prior to its disruption, AudiA6 was marketed as a cryptocurrency mixing service guaranteeing anonymity and speed. It allowed customers to transfer their ill-gotten proceeds to wallets controlled by the group and received “cleaned” funds in return within an hour through a “complex chain of transactions” designed to conceal the origin of the funds. These transactions took place over private messaging platforms, with the operators charging commissions ranging from commissions of between 3 percent and 10 percent. “More than 6,000 Know Your Customer (KYC) records linked to money mule accounts were identified during the investigation,” Europol said.
“Many of the mule accounts were connected to Russian-speaking intermediaries recruited specifically to help move criminal proceeds through cryptocurrency exchanges.” AudiA6 is also said to have relied on both commercial email providers and email addresses linked to domains under their control to register money mule accounts with various cryptocurrency exchanges. The names of the domains are listed below - designli.pictures pheontx.eu smplfy.in sumato-soft.org technobrains.dev lett.email trayo.app deliverly.top inboxly.top postfast.eu postino.click inboxally.agency mailora.eu postify.email quix.express flowcomm.click qube.black deliverlett.com lettermail.eu In a report published in November 2021, Intel 471 disclosed that AudiA6 required a minimum balance of 27 bitcoins and that it charged a flat service fee between 3 percent and 5.5 percent. As recently as December 2025, a TRM Labs analysis found that funds stolen from the 2022 LastPass hack were routed through Cryptex and AudiA6. The investigation was carried out by the United States Secret Service and the IRS Criminal Investigation, along with the Polish Police and law enforcement partners from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Switzerland, and the U.K.
The findings illustrate the rise of industrial-scale cryptocurrency laundering services that enable the cybercrime economy, as well as the use of fraudulent exchange accounts, mule wallets and privacy-focused tools designed to cover up the money trail and bypass anti-money laundering controls. “Ransomware groups and cybercriminal networks are increasingly relying on chain-hopping, decentralised exchanges and ‘mixer-as-a-service’ platforms to move illicit cryptocurrency across multiple blockchains within minutes, helping criminal profits disappear into the digital underground,” Europol said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest. Google’s Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a zero-day the entire time.
The flaw, CVE-2026-35273 , is a remote code execution bug in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10. It needs no login and no user interaction, just network access over HTTP, to take over the server. If you run PeopleSoft with the Environment Management Hub reachable from outside, that is your exposure, and the immediate move is to lock those endpoints down. The vulnerability sits in the Updates Environment Management component, the piece behind the Environment Management Hub (PSEMHUB).
Oracle lists PeopleTools 8.61 and 8.62 as affected and says earlier, unsupported versions are probably vulnerable too. It credits researchers from TrendAI Zero Day Initiative and TrendAI Research for the report. Mandiant CTO Charles Carmakal confirmed the bug is being exploited in the wild; Oracle has not said whether it has seen exploitation. Its advisory points to a patch availability document behind a support login, and whether a full fix is broadly available is unclear.
For now, the guidance centers on mitigation. The operational detail became public because the attackers left their own gear exposed. Researcher @nahamike01 publicly flagged the open directories. Mandiant then triaged five sequential IP addresses running Python’s SimpleHTTP server on port 8888.
Those servers exposed the staging files: a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script. The agents called home to a command-and-control server at azurenetfiles.net, a domain picked to look like Azure NetApp Files. The script, named [victim]_fanout.sh, spreads over SSH by spraying a hardcoded list of usernames and passwords against internal hosts pulled from /etc/hosts, then drops a marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. The command history shows the data compressed with zstd and an outbound SSH connection to the server hosting the public mirror of the ShinyHunters leak site.
Mandiant notified more than 100 organizations whose IP addresses matched vulnerable endpoints. Sixty-eight percent were in higher education, most of them in the United States. Some blocked the activity; others were compromised and had data posted to the leak site. The University of Nottingham is one of the first confirmed victims.
Have I Been Pwned has counted about 455,000 unique email addresses in the leaked set, covering current students and alumni, with names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities. The university has confirmed the breach. Oracle’s guidance is to disable the Environment Management Hub service on multi-server setups, or remove the PSEMHUB application outright on single-server setups. If you cannot do either, block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter.
Mandiant warns that WAF body-inspection rules alone are not enough, since they can be bypassed. Restricting these endpoints does not break normal user sessions. Then hunt for signs of an existing compromise: WebLogic access logs showing external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector. Unexpected .jsp files under the PSEMHUB.war web application directory, or odd folders named logs, persistantstorage, or scratchpad under the PSEMHUB paths.
Recently changed .xml files under the web doc root’s envmetadata/data/environment, which can be abused for XMLDecoder persistence that fires on the next restart. Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations, which the exploit chain may use to capture machine-account NetNTLM hashes. Apply Oracle’s update for your PeopleTools version once you confirm it is available in My Oracle Support. ShinyHunters says victim outreach has only just started, and it has not posted most of the organizations it claims, so more names are likely.
The method is the bigger tell. ShinyHunters has lately leaned on vishing, stolen tokens, and weak access controls to steal data from SaaS and education platforms, from Salesforce customers to Canvas . A server-side zero-day in on-premises ERP software is a step up from that, aimed at the same data-rich targets. The open question is whether this was a one-off borrowed zero-day or the start of ShinyHunters moving into ERP exploitation.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets
Two security teams have shown, in separate research published this week, that OpenClaw , the popular self-hosted AI agent, can be driven to run attacker-controlled code or hand over sensitive data through ordinary-looking inputs. Imperva buried instructions inside shared contacts, vCards, and location pins that the agent executed without the victim ever seeing them. Varonis built a test agent on the platform, gave it a mailbox full of synthetic business data, and watched a single plain email talk it into forwarding mock AWS keys and a fake customer export to an outside address. The flaw Imperva found is patched in OpenClaw 2026.4.23, so update if you run it.
The phishing weakness Varonis found is not something a patch fixes; it comes down to limiting what the agent can do on its own. Different doors into the same room: the agent trusts what reaches it, and its access becomes the attacker’s. Hidden commands in a shared contact Imperva researcher Yohann Sillam looked at how OpenClaw hands messaging data to the model behind it. The problem is in the plumbing.
When the agent passes a shared contact, vCard, or location to the LLM, it flattens the object into the prompt text inline, with no boundary marking it as untrusted. The content the agent fetches from the web gets wrapped in an untrusted-content marker. Message objects do not. Only some fields travel to the model, and that is what the attack abuses.
A shared contact sends just the name field, serialized as <contact: name, number>. The angle brackets are legal in a name, so the model cannot tell where the real name ends and an injected instruction begins. The contact name is truncated where it shows on screen, both on WhatsApp and in the receiving app, so the victim does not see the payload either. The same trick works through a vCard’s full-name field, which WhatsApp supports natively, and through the label on a shared location pin.
In Imperva’s tests against Gemini 3.1 Pro (preview build), the hidden text told the agent to download and run a script from a server the researchers controlled. It did. A plain image with instructions buried in it failed, likely because that attack has been reported so often that models are now trained to resist it; the message-object route worked because models have seen far fewer examples of it. With OpenClaw’s memory on by default, Imperva warns, a single piece of widely shared content carrying a hidden instruction could quietly compromise the agents that ingest it, if they are not sandboxed.
Imperva disclosed the issue, and OpenClaw shipped a fix in version 2026.4.23 that moves contact names, vCard fields, and location labels out of the prompt body and into a separate untrusted-metadata channel. Imperva found the same flattening pattern in other personal AI assistants, so the underlying problem is not OpenClaw’s alone. A normal email is enough Varonis Threat Labs came at OpenClaw from the social angle. In research led by Itay Yashar, the team built an agent called Pinchy on the platform, wired it to a Gmail inbox stocked with realistic but synthetic business clutter and mock secrets, and ran it through four phishing simulations on Google Gemini 3.1 Pro and OpenAI Codex GPT-5.4.
They draw a line between prompt injection, which hides instructions in data, and what they call agent phishing: a believable request that arrives through a normal channel and works because the agent acts before checking who sent it. The agent failed both exfiltration tests. In the first, a message posing as a team lead named Dan, sent from an outside Gmail address, asked for staging access during a fake production incident. Pinchy found the credentials and forwarded mock AWS IAM access keys, database connection strings, and SSH credentials in plaintext.
The second pretext was softer: a routine-sounding request for the weekly customer export, supposedly for a QBR deck. The agent shipped out a synthetic dataset of 247 enterprise customers, contacts, and contract values included. Both failures happened under a strict profile that told the agent to verify senders first. The rule existed.
Urgency beat it once, routine beat it the second time. The agent did better when the threat was technical rather than social. It interacted with a gift-card phishing page but withheld real credentials and eventually flagged it; the strict profile blocked the page outright. On a malicious OAuth consent screen dressed up as a timesheet app, it inspected the redirect target, judged it suspicious, and stopped before granting access.
- That is the split Varonis draws out: the agent is better than many people at spotting bad URLs and fake login portals, and worse at the social judgment that makes a human pause when a colleague suddenly asks for credentials at an odd hour. The drive to be helpful is the attack surface. Varonis says OpenAI Codex GPT-5.4 was more cautious than Gemini 3.1 Pro about entering or sending data to outside sites without confirmation, but both fell for the social pretexts. The weak spot behind both attacks
- Varonis maps both attacks onto what Simon Willison calls the
- lethal trifecta
- an agent that can read private data, take in untrusted content, and send data back out.
OpenClaw has all three, which is why a poisoned contact and a friendly email end in the same place. That trust boundary is not only a prompt problem; it shows up in OpenClaw’s code as well. A separate InfoSec Write-ups analysis turned OpenClaw’s past advisories into static-analysis rules, then used them to find five more flaws across the Slack, Discord, Matrix, Zalo, and Microsoft Teams channel extensions. All five were the same bug: the startup code resolved each channel’s allowlist by mutable display name instead of a stable ID, so an attacker who renamed themselves to match an allowed user could slip onto the list and steer the agent.
OpenClaw has patched them. OpenClaw ships with broad access to files, shells, and more than twenty messaging platforms, and it has drawn a steady run of earlier prompt-injection and data-exfiltration warnings since it launched late last year. The Dutch data protection authority took the strongest line: the Autoriteit Persoonsgegevens told users and organisations not to run OpenClaw on systems that hold sensitive data, citing data-breach and account-takeover risks. What to do about it Anyone running OpenClaw should update to 2026.4.23 or later for the message-object fix.
The rest is architecture, not prompt wording, and Varonis lays out four controls. Treat the agent’s instruction file as an enforced, version-controlled policy, not a suggestion. Outbound mail needs a gate: no first-time sends to unfamiliar addresses without approval, so a hijacked agent cannot relay phishing from a trusted account. Connector access should track the trust level of whatever triggered the task, so an inbox handling outside email cannot also read the whole CRM.
And the riskiest actions, forwarding credentials or moving money, should wait for a human. Both teams land on the same mental model. Varonis frames it as treating the agent like a junior employee with system access and no instinct for what looks off, not as a security tool. Imperva gets there from the other direction, calling it an authenticated executor that trusts its inputs.
The fixes on offer today are specific patches and guardrails. The harder problem is still open. An agent useful enough to act on your email and run your commands is, by design, one that trusts input and wants to help, and nobody has a general fix for that yet. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files
Security researcher Chaotic Eclipse (aka Nightmare-Eclipse and MSNightmare) has released a new Windows BitLocker bypass dubbed GreatXML , a day after they published an exploit for Microsoft Defender. “This was an accidental discovery, it took a total of 4 hours to find this,” the researcher said in a post on Blogger. “If you ever attempted to use Windows Defender Offline Scan , you’re automatically vulnerable to a BitLocker bypass. I’m unsure if you can still trigger the bug without ever using the offline scan feature, because you can definitely.” The exploit works as follows - Copy an XML file (“unattend.xml”) and a recovery folder containing another XML file (“Recovery/WindowsRE/ReAgent.xml”) to the root of the recovery partition.
Reboot to Windows Recovery Environment ( WinRE ) by holding Shift while clicking Restart in the Windows power menu. If every step is followed correctly, the result is a shell spawned with unrestricted access to the BitLocker volume. “If Defender offline scan was never initiated then you have to either login and initiate it yourself or figure out a way to boot into WinRE in offline scan state (I believe it should be very possible to do so without logging in) and follow steps above,” Chaotic Eclipse noted. In a post on Mastodon, security researcher Will Dormann opined the steps to reproduce GreatXML as “flawed,” adding triggering a Microsoft Defender Offline Scan requires a user to be both logged in to Windows and have admin credentials, at which point it’s trivial to turn off BitLocker anyway.
“The writeup for GreatXML suggests that the prerequisite is that Windows Defender Offline has been executed at some point in the past,” Dorman added. “And that after planting two files in WinRE, all you need to do is [Shift]-reboot into WinRE, and Windows will automatically go into Microsoft Defender Offline scan mode. But this is not the case in any of the 3 lineages of Win11 that I have handy.” The release of GreatXML comes not long after RoguePlanet , a zero-day flaw in Microsoft Defender that facilitates local privilege escalation (LPE) to SYSTEM, granting the attacker the ability to run arbitrary code or perform unauthorized actions. GreatXML is also the second BitLocker bypass released by Chaotic Eclipse after YellowKey (aka CVE-2026-45585 ), patches for which were released by Microsoft this week as part of Patch Tuesday updates.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm
A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis). According to a detailed report published by PRODAFT, the group, which it tracks as Phantom Mantis, is led by a Russian-speaking cybercriminal it calls LARVA-368, who goes by the online aliases hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. The Gentlemen is known to be active since March 2025, claiming a total of 478 victims to date, per data from Ransomware.Live. “In July 2025, Phantom Mantis transitioned into The Gentlemen, an independent partnership program no longer dependent on other RaaS groups,” the Swiss cybersecurity company said.
“Additionally, LARVA-368 relies heavily on artificial intelligence for the development and maintenance of ransomware and tools, as well as for assistance with post-exploitation procedures.” As for LARVA-368, the threat actor is assessed to have been a member of the Embargo (aka Primeval Mantis) ransomware group before launching their own operation under the name ArmCorp. It was subsequently rebranded to The Gentlemen four months later. The individual’s identity has since been outed by cybersecurity journalist Brian Krebs as a 36-year-old Alexander Andreevich Yapaev (Япаев Алексанр Андреевич) from the Russian city of Izhevsk. PRODAFT told The Hacker News that its findings match the same persona with “high confidence.” As detailed by Dark Atlas in August 2025, the shift coincided with a payment dispute between LARVA-368 and Qilin, with the threat actor accusing the RaaS operation of carrying out an exit scam and defrauding them of $48,000.
“Although Phantom Mantis was a very active affiliate group with over 20 targets registered on its affiliate panel in less than 30 days, the group’s admin (LARVA-368) and LARVA-367 (aka DevMan ), a former Phantom Mantis’s member, claimed that Pestilent Mantis was scamming affiliates and that there was an alleged ‘backdoor’ within the Pestilent Mantis’s affiliate panel victim chats,” PRODAFT noted. “Although we could not confirm these claims, there is a chance that LARVA-368 and LARVA-367 intentionally spread disinformation with the intent of recruiting Pestilent Mantis affiliates to Phantom Mantis by discrediting the group.” Phantom Mantis has also been observed paying for Premium accounts on underground forums to boost their visibility and fend off competition, with the group’s communication and the technical support handled by a separate Russian-speaking persona named The Gentlemen Data. Some of the other salient aspects of the extortion scheme compiled from various reports are as follows - In an analysis of the ransomware in late last year, LevelBlue’s Cybereason team described The Gentlemen as a “highly adaptive, fast-moving ransomware operation” that combines mature ransomware techniques with RaaS features, double extortion, cross-platform lockers, and flexible propagation, and affiliate support. The group has emerged as one of the most active threat actors, accounting for 10% of ransomware activity in April 2026.
“The Gentlemen follows an enterprise-focused chain beginning with initial access, via vulnerable internet-facing services or stolen credentials,” NCC Group said . “Analysis suggests The Gentlemen can adapt and change tactics during an attack, such as manipulating GPOs, compromising privileged accounts, and using custom methods to bypass endpoint protections.” Only about 13% of their victims are based in the U.S. The majority of the victims are concentrated in Thailand, the U.K., Brazil, Germany, and India. LARVA-368 uses The Gentlemen IM app accounts to support affiliates regarding encryption and any intrusion-related issue, such as providing EDR killers to bypass security solutions via the bring your own vulnerable driver (BYOVD) technique.
Support services for both The Gentlemen and The Gentlemen Data are available via Tox, SimpleX Chat, and Ricochet Refresh open-source messaging platforms. Potential affiliates are required to provide the administrator at least 1GB of data exfiltrated from a victim to gain access to the affiliate panel, a tactic designed to prevent researchers and law enforcement authorities from gaining access to the infrastructure under the guise of an affiliate. The affiliate panel supports user management, configuring new targets, and downloading ransomware to a specific target. Phantom Mantis provides five versions of ransomware that are designed for Windows, Linux, ESXi, Windows XP+, and Logical Volume Manager (LVM).
The group courts affiliates with an aggressive profit-sharing model: 90% for affiliates and 10% for the operator. Initial access is obtained via edge devices such as VPN appliances, firewalls, and other internet-facing systems, with a specific focus on platforms like Cisco and Fortinet FortiGate. Infection chains involve the use of red team utilities like NetExec, RelayKing, TaskHound, PrivHound, and CertiHound to perform Active Directory discovery, certificate abuse, privilege escalation, and file share discovery. A separate set of tools, such as EDRStartupHinder, gfreeze, glinker, and DumpBrowserSecrets, are used for evading security programs, while Velociraptor is employed for command-and-control (C2).
- The attacks also
- attempt
- to clear System, Application, and Security Windows Event Logs, disable Microsoft Defender, and add antivirus exclusions. The ransomware makes use of a
- hybrid cryptographic scheme
- X25519 key exchange combined with XChaCha20 symmetric encryption. Microsoft, which is tracking the cluster under the moniker Storm-2697, said the ransomware is written in Go and obfuscated with Garble to target the Windows environment. “When enabled with the –spread argument, it turns the malware from a single-host encryptor into a self-propagating worm that attempts to deploy its encryptor to every reachable system on the network,” the tech giant said .
“If the –wipe argument is provided, The Gentlemen ransomware performs an additional post-encryption routine to eliminate recoverable artifacts from disk.” According to ZeroFox, the ransomware crew likely runs a multi-channel extortion operation, combining ransomware attacks with email outreach and phone-based pressure tactics targeting victims. The group implements a “highly responsive development cycle,” an aspect exemplified by the release of a same-day patch after a decryptor was released in April 2026. The average dwell time of an intrusion ranges from two to six weeks from initial access to encryption, with the group particularly focusing on organizations running VMware infrastructure. Last month, a leak of an internal Rocket.Chat database used by the group - comprising 3,366 messages between November 2025 to late April 2026 - has shed further light on the group’s inner workings, including its use of known security flaws in VMware Aria Operations, Fortinet, Cisco, and Microsoft software, while painting a picture of a criminal enterprise whose members have a clear division of roles and responsibilities.
“The group actively tracks and evaluates modern vulnerabilities, including CVE-2024-55591 , CVE-2025-32433 , and CVE-2025-33073 , and combines them with technique-driven paths like backup and management-controller abuse and NTLM relay workflows, giving them a flexible exploitation pipeline,” Check Point said . That’s not all. In March 2026, Hunt.io said it discovered an open directory hosted at “176.120.22[.]127:80” on the Russian bulletproof hosting provider Proton66 that exposed 126 files containing a complete ransomware operator toolkit attributed to a The Gentlemen RaaS affiliate. This included tools for reconnaissance, privilege escalation, defense evasion, credential theft, lateral movement, persistence, and pre-encryption preparation, essentially spanning all phases of the intrusion lifecycle.
“LARVA-368 is a threat actor specializing in extortion-related activities and has been active since at least 2020,” PRODAFT said. “The expertise acquired through previous collaborations with various RaaS groups provided the technical foundation necessary to establish The Gentlemen RaaS.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories
Most good security work is invisible by design. Today is the exception. The 2026 Cybersecurity Stars Awards winners are announced across 95 subcategories in four main award categories. The reason is simple.
Cybersecurity is full of work that deserves recognition and rarely gets it. Products that quietly close real gaps. Teams that stop incidents nobody reads about. Companies that raise the baseline for everyone else.
The Cybersecurity Stars Awards put names on that work, once a year, through independent judging. Every nomination was reviewed by an independent panel of judges and scored against three criteria: innovation, impact, and technical excellence. Entries were not ranked by popularity, brand size, or campaign reach. They were judged on the work itself.
Some subcategories have more than one winner. The awards recognize every entry that meets the standard, not just one per category. By design, the winners span four main categories and 97 subcategories, including agentic AI security, AI SecOps, AI security testing, post-quantum cryptography, continuous threat exposure management, extended detection and response, software supply chain security, identity threat detection and response, secure access service edge, and zero trust security, among many others. With 95 subcategories, the full list is the story.
The complete 2026 winners list is live now at awards.thehackernews.com/winners/2026/ . Congratulations to the winners, and thanks to every company, team, and practitioner who entered. Nominations for the 2027 awards open later this year. Join this waiting list to be the first to know when they do.
Security work is usually noticed only when something breaks. This is one day for the work that made sure it didn’t. Found this article interesting? This article is a contributed piece from one of our valued partners.
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories
It’s been one of those weeks. You expect the usual noise: recycled malware, sloppy attacks, another easy target getting hit. Instead, there’s a supply chain attack kit in a public repo, a $5,000-a-month RAT that clones browsers, and research showing AI agents can be tricked into leaking real credentials. The bigger problem is how polished this all looks now.
Mule networks run like SaaS. Deepfake KYC bypass is sold as a feature. Endpoint tools can be quietly weakened using built-in OS settings, with no exploit needed. Here’s the full list of threats, tools, flaws, and updates worth knowing.
3.3B identity records exposed How Infostealers Fuel Identity-Based Attacks A new analysis from Flashpoint has revealed that “more than 11.1 million devices were infected with infostealers last year, fueling a supply of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other forms of identity data now circulating across illicit markets.” There are over 30 unique infostealer strains actively listed for sale across illicit marketplaces, forums, and underground communities, indicating the “scale and accessibility of the modern malware-as-a-service ecosystem.” Lumma, Acreed, Rhadamanthys, Vidar, and StealC were the most prolific stealers in 2025. India, Brazil, Indonesia, Vietnam, the Philippines, and the U.S. were the top six countries affected by stealer malware during the same period. MaaS RAT targets credentials New SilabRAT Spotted A threat actor named “o1oo1” has advertised an advanced remote access trojan (RAT) named SilabRAT that’s sold under a malware-as-a-service (MaaS) model for $5,000 a month on darknet forums since September 2025.
“SilabRAT is heavily focused on financial gain through credential theft,” Group-IB said . “It offers stability and is capable of bypassing existing security measures.” Delivered via ClickFix campaigns using Hijack Loader , the malware uses Hidden Virtual Network Computing (HVNC) to facilitate remote control capabilities, employs techniques like Browser Profile Cloning to replicate a user’s browser profile (user agent, extensions, storage, and other fingerprinting attributes) to the attacker’s system, and can identify wallet addresses or extract cryptocurrency-related artifacts. The Russian-speaking malware developer and vendor, “o1oo1,” has been active since late 2020, previously launching a service called AsmCrypt . 47% of tech intrusions North Korean Hackers Behind Nearly 50% of Tech Industry Hacks CrowdStrike has revealed that a North Korean threat actor known as Famous Chollima , which is behind the long-running IT worker and Contagious Interview campaign, accounted for 47% of all state-sponsored hands-on-keyboard operations against the tech sector between April 2025 and March 2026.
Hands-on intrusions refer to cyber attacks in which a human operator controls and interacts with a system rather than relying solely on malware. “In their IT worker infiltration campaigns, they sought fraudulent employment at tech companies across North America, Europe, and Asia,” the cybersecurity company said . 13 domains seized U.S. Takes Down 13 Domains Linked to Alleged Chinese Intelligence Collection The U.S.
Department of Justice has announced the seizure of 13 internet domains masquerading as consulting companies used to target U.S. persons, including current and former security clearance holders with access to classified and sensitive U.S. government information. “These domain seizures offer a glimpse at how foreign actors can use promises of easy money to lure Americans into revealing sensitive or classified information that they are duty-bound to protect,” said Assistant Attorney General for National Security John A.
Eisenberg. “Anyone approached online with offers of easy income for vague ‘consulting’ work should treat those overtures with extreme caution and remain vigilant for warning signs of malicious targeting.” These sham companies advertised generic consulting or analyst jobs on platforms like Upwork, Expertia AI, Hubstaff Talent, Wellfound, and Post Job Free that sought to recruit current or former U.S. government and U.S. military employees to lend their expertise to unspecified clients.
The recruiters then pressured candidates to part with confidential information and reports from “insider” sources in exchange for cryptocurrency payments. The operation is assessed to have commenced in November 2023. The operation is assessed to have commenced in November 2023.. The announcement comes after the Five Eyes intelligence alliance countries warned of China aggressively using job platforms to target people for information.
In a statement shared with Reuters, the Chinese Embassy in Washington condemned the allegations and called them fabricated. Supply-chain toolkit exposed Miasma Toolkit Leaks Briefly The Miasma credential-stealing attack framework was briefly made available for free on GitHub, after multiple repositories with the name “Miasma-Open-Source-Release” began appearing since June 8, 2026. According to SafeDep, the source code has been published through compromised developer accounts. “The Miasma codebase appears to be larger than a supply chain worm,” SafeDep said .
“It is a full supply chain attack toolkit that allows the operator to execute various attacks via stolen credentials against arbitrary or targeted packages on public registries (PyPI, npm, RubyGems), JFrog Artifactory, GitHub repositories and GitHub Actions, AI coding tools config poisoning, SSH-based lateral movement, and other attack vectors.” As opposed to relying on conventional command-and-control (C2) infrastructure, the malware employs three independent C2 channels using GitHub commit search, each with a different search string and crypto key: “DontRevokeOrItGoesBoom” to discover attacker-controlled personal access tokens (PATs) for data exfiltration, “TheBeautifulSandsOfTime” to deliver JavaScript, and “firedalazer” to deliver Python script URLs that act as a remote code execution backdoor. Miasma is assessed to be a variant of the Shai-Hulud worm. The campaign has since morphed into a Python variant called Hades , which represents the latest evolution of the sustained software supply chain campaign. As of last week, a total of 304 components have been impacted by Miasma.
Search uploads retained Google Announces Changes to Search Settings Google has revealed that it intends to save the images, files, audio, and video users upload to Search under a new “Search Services History” setting. This can include images, files, and audio/video recordings, such as Google Lens images, content you upload, and recordings from Search Live, Translate speaking practice, and voice searches, per Google . The tech giant said the Search Services History setting will be used to “provide, develop, and improve its services,” including its AI models, as well as offer personalized suggestions and ads if the new “ Personalized Recommendations “ option is switched on. These two settings are separate from Google’s Web & App Activity.
Cross-platform RAT emerges New Cross-Platform RAT SStar Agent Emerges Iru has analyzed a new cross-platform RAT called SStar Agent that’s designed for both Windows and macOS systems. “The macOS builds are heavily instrumented surveillance tools focused on recon and exfiltration, while the Windows build layers on a keyboard hook, clipboard monitor, and remote mouse/keyboard control,” the company said . “Notably, the malware includes a large POST request via endpoint /api/telemetry/report that constantly monitors and exfiltrates the entire directory tree to monitor files of interest. The gap between the Windows and macOS versions indicates this is still a work in progress.” The malware is delivered by means of a poisoned npm package named “tw-style-utils.” The lure is a bogus Web3 engineering take-home assessment, a GitHub repository (“star45674/smart-contract-engineer-role”) that’s likely distributed to targets.
While the repository itself is clean, the payload resides in the npm dependency. Although it’s not clear who is behind the malware, the activity overlaps with previously observed social engineering attacks mounted by North Korean hacking groups. Fake npm popularity New npm Deception Technique Called Download Pumping Tenable has detailed a technique dubbed download pumping, where attackers artificially inflate npm package download counts in order to make malicious packages appear legitimate and trustworthy to developers. This approach has been observed in a package named “ ambar-src ,” which reached more than 50,000 downloads in three days after attackers published hundreds of benign versions of the package before introducing the actual malicious payload.
“Every time a new version was published, automated systems like repository mirrors and analysis bots automatically downloaded it,” Tenable said . “Because the attackers systematically uploaded hundreds of versions, they artificially generated a massive wave of automated traffic, inflating the package’s download count to more than 50,000 downloads in just three days.” Exchange spoofing risk Ghost-Sender Exchange Misconfiguration Lets Attackers Spoof Any Email Address A weakness in certain configurations of Microsoft Exchange could be abused by attackers to send emails masquerading as any user to a vulnerable organization. The technique has been codenamed Ghost-Sender. “Using Exchange Online (or on-premises Exchange in hybrid mode) in combination with an external MX record, such as a third-party email server or spam protection solution, can allow the spoofing of emails from any sender to any recipient in the target tenant,” InfoGuard Labs said .
“This is regardless of the configured SPF, DKIM, and DMARC policies of the spoofed sender’s domain, and the emails are delivered without any further warning. It is possible to send emails from anyone, including external and internal email addresses. For internal senders, Outlook even resolves the sender’s profile picture.” Russia-focused phishing waves SiribClone, Cloud Atlas, and Others Target Russia A previously unknown group known as SiribClone has targeted Russian military personnel using bait applications for “safe photo exchange” to distribute malicious files for desktop and mobile devices. In some cases, members of the group have posed as women seeking romantic relationships to infect smartphones, computers, and Telegram accounts.
The group has been active since early 2025. Attacks targeting Android devices lead to the deployment of a spyware called SafeLoveStealer that can steal photographs, videos, documents, and location data. Windows systems, on the other hand, are infected by a stealer known as SiribGrabber. The malware is distributed via phishing emails containing ZIP archives disguised as military-themed documents.
In addition, the group operates phishing sites mimicking Telegram login pages to trick targets into entering their phone numbers, verification codes, and two-factor authentication passwords, allowing them to seize control of the accounts. Also linked to the threat actor is a tool called Kontur that stores stolen Telegram sessions and allows operators to review captured messages. Russian maritime universities, energy facilities, diplomatic missions, and government agencies have also been targeted through phishing campaigns by an unidentified group since at least July 2024. Recent attack waves have employed a C2 framework called Ravage , although two distinct phishing campaigns observed in 2024 have used Cobalt Strike.
The third hacking group to single out Russia (along with Belarus) is Cloud Atlas , which has resorted to sending phishing emails with ZIP archives containing malicious shortcuts that launch PowerShell scripts, paving the way for malware like VBShower and PowerShower , the latter of which is used to drop a credential grabber. Lateral movement via RDP, SSH, and RevSocks is achieved via PAExec or PsExec as part of a framework known as PowerAdmin. Furthermore, the attacks involve two new tools: PowerCloud, which collects user data with administrator privileges and writes it to Google Sheets, and Browser checker, a PowerShell script that checks whether browser processes (Chrome, Edge, Firefox, and others) are running. ClickFix backdoor expands MLTBackdoor Malware Observed A ransomware-related threat actor has put to use a new malware family called MLTBackdoor that’s delivered via ClickFix.
“MTLBackdoor supports a set of commands like downloading and uploading files from the victim’s system,” Zscaler ThreatLabz said . “However, one of the most powerful features is the ability to load Beacon Object Files (BOFs) to expand its capabilities.” The malware was discovered in May 2026. In recent months, ransomware and data extortion attacks involving DragonForce and World Leaks have employed backdoors like VIPERTUNNEL , a Python malware previously linked to RansomHub, and RustyRocket , a custom-built Rust tool to facilitate covert data exfiltration and persistent access. “Once an attacker runs it, RustyRocket can securely connect back to an attacker-controlled server using heavily encrypted and layered traffic that blends in with normal internet activity, making it very hard for defenders to detect,” Accenture’s T.
Ryan Whelan said. “This malware is an integrated communications architecture built for persistence and obfuscation.” WooCommerce card theft New Skimmer Campaign Targets WooCommerce Storefronts A new skimmer campaign is targeting WooCommerce sites to steal card details from checkout pages. “The skimmer impersonates the real Stripe payment element, validates cards in real time so the victim never suspects anything,” CloudSEK said . “The most ‘professional’ aspect of this sample is how hard it works to feel legitimate.
It re-implements the same client-side checks a real checkout performs.” 33,000 users targeted New Golang GoFlateLoader Delivers Infostealers A new Go-based loader named GoFlateLoader is being used to deliver multiple infostealers, including Amatera, Remus, Lumma, Vidar, StealC, and SvitStealer. “GoFlateLoader appears both in x86 (32-bit) and x86-64 (64-bit) variants, matching the bitness of the payload it is supposed to execute,” Gen Digital’s Avast said . “The loader is designed for in-memory payload execution and is deliberately inflated with a massive PE overlay to hinder detection.” The malware is delivered via cracked software and a malicious Traffic Distribution System (TDS) that has been used to deliver Remus Stealer, AnimateClipper, and the SessionGate framework. Since the beginning of April 2026, more than 33,000 unique users have been targeted, with the most affected countries including Brazil, India, Argentina, Mexico, Turkey, and Spain.
$862K damage case Ohio Contractor Sentenced to 24 Months in Prison for Hacking Former Employer Maxwell Schultz , 36, of Columbus, Ohio, has been sentenced to 24 months in federal prison for hacking into his employer’s network after his contract was terminated in May 2021. Impersonating another contractor, Schultz obtained login credentials, accessed the former employer’s systems, and executed a malicious PowerShell script that reset roughly 2,500 passwords, locking out employees and contractors and causing more than $862,000 in losses. Schultz pleaded guilty to the crime in November 2025. Fake banking updates NFCShare Android Malware Spreads via Fake Banking App Updates on GitHub A new phishing campaign impersonating Italian and European banking brands is being used to distribute an Android malware called NFCShare .
The attacks use phishing sites that aim to trick users into entering their credentials, after which they are prompted to update the banking application by downloading an APK file hosted on GitHub (“antoniocastaldo1998/app-scuola”). The end goal is to guide the user through a fake card verification flow: bring the card near the phone, keep it close while “authenticating,” and enter the card PIN. Under the hood, the app reads NFC card data (ISO-DEP) and exfiltrates it to a remote WebSocket endpoint. The activity shares tactical overlaps with other NFC relay malware, such as SuperCardX and RelayNFC .
The presence of Chinese text suggests a China-linked operator or tooling lineage. AI agent phishing risk Making OpenClaw AI Agents Fall for Phishing Four phishing simulations on an OpenClaw email agent codenamed Pinchy have revealed it to be susceptible to tactics commonly used to deceive human users. “In some cases, Pinchy not only failed at spotting the phishing attacks, it also performed risky actions that could potentially compromise a real-world organization,” Varonis said . “In one notable case, a casual email from ‘Dan’ asking the agent to share staging credentials was enough to forward AWS IAM keys, database passwords, and SSH access to an external Gmail.” This agent phishing is different from indirect prompt injection.
While the latter embeds malicious instructions inside data the model consumes to trigger unintended actions or responses, agent phishing operates above the application surface. “A believable request arrives through a normal communication channel, reads like a legitimate business message, and succeeds when the agent acts on it before verifying who asked,” Varonis added. AI fixes weak passwords Apple Unleashes AI to Replace Weak and Compromised Passwords Without User Intervention Apple has revealed that its upcoming version of Apple Intelligence, the company’s generative artificial intelligence (AI) system, will support capabilities to update its weak and compromised passwords with a single tap via the Passwords app. “Building on its ability to alert users about weak and compromised passwords, Passwords can now automatically fix these for users with just a tap,” Apple said .
“Using Apple Intelligence and Safari to agentically take action on a user’s behalf, Passwords securely navigates through websites to sign in and upgrade their accounts to strong passwords.” EDR telemetry throttled Using EDRChoker to Bypass Defenses A new technique called EDRChoker that interferes with the client-server connection of Endpoint Detection and Response (EDR) software to sidestep defenses. “EDRChoker uses policy-based Quality of Service (QoS) to throttle EDR agents to the lowest bandwidth; when agents attempt to connect, they will consistently time out due to the extremely low bandwidth,” a security researcher who goes by the name Zero Salarium said . “It takes a list of common EDR process names and creates QoS policies that limit those processes to 8 bits per second. At that bandwidth, an EDR agent becomes effectively isolated from its server.” Earlier this January, the researcher also demonstrated EDRStartupHinder, which prevents an EDR program from starting.
“EDRStartupHinder aims to exploit Windows Bindlink to redirect a DLL from System32 to another location, alongside taking advantage of the function that only loads DLLs signed by a program protected with Protected Process Light (PPL) to prevent AV/EDR services from starting,” the researcher said . Another technique devised by Binary Defense involves disabling critical security services, such as Windows Defender and Sysmon, without triggering traditional malware alerts. It modifies Windows Access Control Lists (ACLs) to add “Deny” Access Control Entries (ACEs) against core system libraries like “kernel32.dll.” Because these services rely on the DLL to function, the dependency chain is broken. Upon a system reboot, the protected services fail to start, leaving the endpoint without any defenses.
STX RAT supply chain grows Trojanized Packages Used to Deliver STX RAT The supply chain attack targeting CPUID to deliver STX RAT is broader in scope than previously thought, with a new analysis from Cyderes uncovering seven additional trojanized packages tied to the same campaign. “All packages follow the same delivery mechanism,” the cybersecurity company said . “The actor, operating under the alias Leda Elacoate (pufferfish11@firemail[.]cc), built and maintained a Bitbucket repository of trojanized installers over approximately one month, targeting a wide range of user demographics.” Among the impacted packages is X-VPN, a consumer VPN with over 100 million reported users. Users who installed X-VPN from official channels are not affected.
“The actor began with cryptocurrency exchange and trading software as lures, targeting users with likely access to financial accounts, and progressively expanded that lure portfolio across a social engineering decoy and VPN software,” Cyderes added. Agent Tesla via ZIP lures Phishing Campaign Delivers Agent Tesla Phishing emails masquerading as legitimate payment advice messages are being used to deliver ZIP archives, opening which triggers a multi-stage infection chain that leads to the deployment of Agent Tesla . “In simple terms, the victim opens what looks like a harmless file, but behind the scenes, a heavily obfuscated Batch script silently launches PowerShell, which then pulls and executes additional malicious code directly in memory,” Point Wild said . “From there, the attack escalates into a staged execution chain involving shellcode decoding, persistence setup, and process injection into legitimate Windows applications like charmap.exe.” Agent, Tesla is designed to steal browser credentials, log keystrokes, capture screenshots, and extract sensitive data from the system.
The collected information is then exfiltrated using SMTP-based communication, allowing malicious traffic to blend with normal-looking email activity. AI video lures spread malware Phishing Attacks Leverage TikTok, Instagram Reels Two social engineering campaigns are using AI-generated TikTok videos and Instagram Reels to direct users to sketchy sites that deploy Vidar Stealer and other dubious programs, in some cases requiring visitors to complete surveys before they could access the promised downloads. “One methodology involves fake tutorials for software installs, with professional-sounding voice-overs and clean graphics,” ReversingLabs said . “The second approach relies on posts demonstrating how to use premium software for free, spanning multiple videos, with a centralized tutorial being introduced after the account gains traction.” Routers turned into C2 nodes Chinese Hackers Target Southeast Asian Edge Devices A suspected China-nexus intrusion set has been identified conducting a large-scale campaign targeting edge network devices across Southeast Asia.
“The adversary deploys a custom Linux ELF implant (router.elf) directly onto compromised border routers, establishing persistent command-and-control (C2) via DNS over HTTPS (DoH) while simultaneously weaponizing the router’s iptables subsystem to hijack downstream DNS traffic at scale,” a security researcher named Y4er said . “Correlated Windows-side tradecraft leverages a cracked Cobalt Strike 4.4 Beacon delivered via DLL sideloading (version.dll), sharing identical C2 infrastructure and malleable C2 profiles with the router implant - confirming unified operational control. RMM abused in Brazil NinjaOne RMM Abuse Chain Detailed An active phishing campaign has been observed targeting Brazilian organizations with fake business-document lures, resulting in the download of a NinjaOne Remote Monitoring and Management (RMM) agent. “The campaign begins with phishing emails that redirect victims to Portuguese-language landing pages impersonating familiar Brazilian workflows, including SEFAZ-related fiscal documents, Reclame Aqui-style complaint processes, and secure document-delivery portals,” Cato Networks said .
“After completing a fake verification process, victims are prompted to download what appears to be a protected business document. Instead, the download delivers a legitimate NinjaOne RMM agent configured to provide remote access to attacker-controlled infrastructure, highlighting a previously undocumented abuse of NinjaOne in the Brazilian threat Landscape.” The development once again highlights how threat actors no longer need to rely on bespoke malware to infiltrate organizations. Money laundering goes MaaS How Mule-as-a-Service Economy Operates Cybersecurity company KELA has shed light on money mule networks, which play a crucial role in modern cybercrime and financial fraud ecosystems, enabling threat actors to launder and monetize proceeds through ransomware, scams, and Business Email Compromise (BEC), and other illicit schemes. “In recent years, traditional mule recruitment has increasingly evolved into professionalized Mule-as-a-Service (MaaS) ecosystems that provide scalable laundering infrastructure to cybercriminals,” KELA said , adding “mule operations increasingly rely on stolen identities, synthetic identities, compromised accounts, and AI-assisted onboarding techniques rather than solely recruiting human participants.” Threat actors have also been found to rely on forged documentation, deepfake-enabled KYC bypass methods, account takeover techniques, and automated account “warming” activity to set up resilient laundering infrastructures across multiple financial platforms.
AI chats exposed Browser Extensions Leak AI Conversations G DATA said it has witnessed a growing number of Google Chrome extensions that impersonate legitimate productivity tools while stealthily hijacking users’ conversations with AI chatbots. Some of these include Urban VPN , Smart Sidebar: ChatGPT, Claude & DeepSeek , and Chat AI, the last of which exhibits traits consistent with a campaign dubbed AiFrame . “User data generated through AI conversations may still be vulnerable to theft by threat actors utilizing plug-ins that pose as legitimate tools,” G DATA said. 507 Meta repos exposed From Misconfigured Grafana to Read-Write Access on 507 Private Meta Repos A public Meta IP address running an open Grafana instance acted as a pathway for read-write access to 507 private Meta repositories, netting the Sectricity Security Team a bug bounty of $157,000.
“The pivot was a wildcard SAN on the TLS certificate: *.llm-playground.aws.metafb.cloud, which exposed a quiet shadow estate behind metafb.cloud,” the cybersecurity company said . “By parsing JavaScript bundles across that estate, we uncovered references to a previously unseen domain: api.haloworld.xyz, which became the next pivot point. Slight (AI built wordlist given JS bundles, context, etc) fuzzing against api.haloworld.xyz then exposed /_api/gcp-token, an unauthenticated endpoint that handed out a valid GCP OAuth2 token.” The GCP token, in turn, granted read access to the project’s Secret Manager that contained a Vercel token. The Vercel token exposed 85 environment variables across Meta’s projects, including multiple GitHub personal access tokens (PATs) and other secrets.
One of those GitHub tokens had read/write access to 507 private repositories. 7M seniors’ data sold Fraudster Who Sold Personal Data of 7M Elderly Americans to Jamaican Scammers Jailed Troy Murray, 57, of Hickory, North Carolina, has been sentenced to more than 10 years in prison for selling the personal information of over 7 million elderly Americans to Jamaican lottery fraud scammers. He has also been ordered to pay a forfeiture in the amount of $5,214,688.48. Murray “devised a scheme where he organized, maintained, and sold lists containing the names, phone numbers, physical addresses, and, in some cases, ages and email addresses, of elderly Americans to individuals in Jamaica involved in lottery fraud schemes,” the U.S.
Justice Department said . “From 2016 to 2023, Murray sold these lists to Jamaican scammers, who perpetrated lottery fraud on elderly American consumers, earning Murray hundreds of thousands of dollars each year.” Each of these lists was sold for $500. One-packet crash bug Researcher Releases PoC for ComoDoS Security researcher Marcus Hutchins has released details and a proof-of-concept (PoC) exploit for ComoDoS, an integer underflow vulnerability residing in Comodo Internet Security’s firewall driver, Inspect.sys ( CVE-2026-49494 , CVSS score: 7.5). “Although the vulnerability can be used to remotely trigger both an out-of-bounds (OOB) read and out-of-bounds write in the Windows kernel, the limitations on both primitives lead me to believe it’s unlikely this bug could be weaponized into RCE,” Hutchins said .
“The bug does, however, enable you to remotely crash the target system with a single TCP/IP packet, even if the firewall is configured to block all ports.” The vulnerability remains unpatched as of writing. CI/CD secrets exposed Anthropic Patches Bug in Claude Code GitHub Action Microsoft said it discovered an issue in the Claude Code GitHub Action that could be exploited to expose CI/CD workflow secrets when AI agents process untrusted GitHub content, including issue bodies, pull request descriptions, and comments. “While Claude Code Action supported environment scrubbing for subprocess execution paths such as Bash, the Read tool was not subject to the same sandboxing model,” the Windows maker said . “It was eventually authorized to access /proc/self/environ, reading the workflow’s ANTHROPIC_API_KEY and potentially other credentials available to the runner.” Following responsible disclosure on April 29, 2026, the issue was fixed on May 5 with the release of Claude Code version 2.1.128.
The patch strengthens the Read tool by unconditionally rejecting a number of files in /proc/ in order to protect those files from exfiltration. Fake $200K job lure Nimbus Manticore Uses Dream Job Lures The Iranian hacking group known as Nimbus Manticore approached an employee via LinkedIn by impersonating a headhunter, luring them with a salary offer of $200,000 per year. Per Nextron Systems, the interaction is said to have redirected the victim to a fake hiring portal branded as Ebix Recruitment that prompted them to enter temporary credentials received from the recruiter to log in to the website. “After authentication, the portal prompted the victim to download a two-factor authentication application for ‘additional security,’” the company said .
“The advertised 2FA application was delivered as a ZIP archive and contained the malware payload.” The attack culminates with the deployment of a custom implant with data exfiltration and remote control capabilities. Backdoor with wiper modules BLUERABBIT Backdoor Comes with Ransomware and Destructive Features Cybersecurity researchers have flagged a new Golang backdoor called BLUERABBIT that routes C2 through RabbitMQ for tasking, Redis for state management, and MinIO for S3-compatible data exfiltration. “It is a full-spectrum intrusion tool: remote access, system profiling, file encryption with a .candy extension, and two distinct disk-wiping modules capable of rendering systems permanently unrecoverable,” Binary Defense said . The backdoor is assessed to be the work of an Iran-nexus threat actor.
It was first observed in mid-to-late March 2026, and is likely used for targeting entities in Israel. BLUERABBIT is “related to the same likely Iran-nexus activity cluster that previously leveraged BLUEWIPE and SEWERGOO in June 2025,” it added. The throughline is simple: attackers do not always need exploits. They need patience, stolen credentials, trusted tools, and one policy setting nobody has checked since the last reorg.
The perimeter is not the real problem anymore. The problem is everything inside it that still trusts by default. Same old lesson: audit what your agents can access, treat every identity in the pipeline as a risk, and check what your browser extensions are sending home. See you Thursday.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
AI Broke Vulnerability Management. That’s Why CISOs Are Moving Budget to BAS.
For thirty years, vulnerability management ran on a buffer: the months between when a vulnerability was found and when someone could figure out how to weaponize it. The solution was straightforward enough; triage by severity, schedule the fix, validate, and move on. The buffer was what made that work. Today, that buffer is gone.
AI didn’t make your team slower. It changed the other side of the equation, compressing discovery-to-exploit from months to hours . And the sad truth for defenders is that a process built for breathing room can’t survive without it. AI Turned Vulnerability Discovery Into a Volume Game In its May 2026 update, Anthropic reported that it and approximately 50 partners used Claude Mythos Preview to find more than 10,000 high- or critical-severity vulnerabilities in systemically important software in a single month.
Earlier figures were just as stark. Pointed at Firefox, the gated Mythos model wrote 181 working exploits , against just 2 from the previous frontier model. It surfaced vulnerabilities across every major OS and browser, including an OpenBSD bug that had sat undetected for 27 years . At the time of writing, more than 99% of what it found was still unpatched.
Figure 1. February 2026, FortiGate Campaign An AWS threat-intelligence report from February 2026 shows the flip side: no zero-days needed, just weak credentials, industrialized through a custom MCP server running offensive tools autonomously. AWS confirmed 600+ devices across 55+ countries; the actor’s logs, according to independent researchers, queued 2,516 devices across 106 countries. Either way, the rules have clearly changed.
What once took rare expertise now runs at machine speed and scale. The Vulnerability Weaponization Window Has Collapsed, Too Defenders used to have months between a CVE going public and its first confirmed exploitation in the wild, the window known as time-to-exploit (TTE) . That window has slammed shut. Zero Day Clock puts the 2026 average at roughly 24 hours, down from ~53 days in 2024.
Figure 2. Mean time-to-exploit (TTE) by Zero Day Clock The breach data agrees, too. Verizon’s 2026 DBIR ties 32% of initial-access techniques to exploitation of vulnerabilities and expects that number to climb , because AI coding assistants now put exploit-building, porting a tool to a new language, and discovering fresh flaws all within reach for attackers who’ve never had them before. Figure 3.
Generative AI-assisted techniques categorized as initial access methods by Verizon’s 2026 DBIR Telling Teams to Patch Faster Is Like Telling a Freighter to Brake on a Dime The industry’s reflex answer is to patch faster. Regulators are codifying it: Many regulations now point toward same-day fixes for some critical vulnerabilities. Boards expect it. Executives demand it.
But remediation isn’t a switch. Patches clear regression testing, wait for change windows, need to wait for approvals, and respect existing uptime and compliance commitments. Taking production down to outrun an exploit ends up being just a different outage. And the data shows everything’s moving the wrong way.
The Verizon 2026 DBIR tracked 13,000+ organizations: Median fix time for known-exploited vulnerabilities: 43 days , up from 32 the year before Amount that were fully patched: down from 38% to 26% When offense runs in hours and remediation runs in weeks, the breach almost always happens in between. Again, per Verizon’s DBIR, even the best-performing organizations close only 30-40% of known-exploited vulnerabilities in the first week after detection: a rate that’s barely moved despite years of steady investment. So, ordering teams to patch faster doesn’t change the physics, and it feels like ordering a freighter to brake on a dime. The Bottleneck Moved.
So Must the Strategy. For two decades, vulnerability management ran on a tidy set of assumptions: Find the flaws, Score them by severity, Patch the worst first. When a few dozen criticals landed per quarter, CVSS triage worked. Unfortunately, it doesn’t stand a chance against hundreds or thousands of disclosures a day.
Dipping back to Verizon’s DBIR one more time, the median organization had to patch 16 known-exploited vulnerabilities in 2025 , up from 11 the year before , a jump of nearly 50%. That was before AI-discovered flaws began flooding the catalog . Severity scores, meanwhile, don’t tell you whether a flaw is reachable in your environment, whether your controls will already block it, or whether it chains to anything that matters. A severity list where everything is a “9” or “10” essentially prioritizes nothing.
So the useful question stops being “what’s vulnerable?” and becomes “what’s actually exploitable against us right now: and would our defenses catch it if someone tried?” This is exactly the question Breach and Attack Simulation (BAS) was built to answer. Why BAS Becomes the Cornerstone Against AI-Powered Attacks BAS takes real-world adversary techniques, the TTPs behind the campaign in the latest headline, and safely runs them against your live prevention and detection stack. Not a scan. Not a theoretical mapping.
An actual exercise that shows what your tools will actually block, what they’ll detect, and what will slip through. In a world drowning in disclosures, that does three things that vulnerability management alone can’t. BAS: Separates the theoretical from the real. A flaw your WAF, IPS, and EDR already neutralize is a very different problem from one that waltzes straight in.
BAS shows which is which, so teams stop treating every CVE as a five-alarm fire. Validates the controls you’ve already paid for. Most enterprises run anywhere from ten to seventy security tools with countless overlapping policies; BAS measures whether they fire as configured and surfaces the residual risks hiding in the gaps. Buys time to patch safely.
- When you can prove a critical asset is already covered by hardened controls,
- the patch can move through normal change control instead of an emergency rollout
- . When it isn’t covered, you know to mitigate first. That payoff is starting to show up in budgets: field reports increasingly point to CISOs reserving dedicated spend for BAS that wasn’t a separate line item a year ago. This is the shift Gartner now labels
- Adversarial Exposure Validation
- blending security effectiveness (“A re my controls working?” ) with business context ( “Which assets matter most, and what’s truly reachable?” ) to prioritize by your organization’s reality instead of by hypothetical raw scores.
Paired with autonomous penetration testing , which proves whether an attacker can chain exposures from their initial foothold to your organization’s crown jewels, BAS completes the picture. One side asks, “Wait, can they breach us?” The other asks, “ But would we catch it?” Running together, BAS and autonomous pentesting replace guesswork with evidence. BAS Has to Run Autonomously at Machine Speed Too There’s a catch. If adversaries are operating autonomously, a validation cycle that takes a human a week to complete is obsolete on arrival.
Machine-speed attacks demand machine-speed defenses , and the only thing fast enough to counter autonomous offense is autonomous defense . The honest objection to pointing raw generative AI at this is safety. As Picus CTO Volkan Erturk has warned, a model told to invent an exploit might hand back a live malware sample, or hallucinate techniques a group never uses. You don’t want unvetted binaries detonating in production, or defenses built against attacks that don’t, or can’t, exist.
- You can watch it on demand
- here
- . Picus’ fix is to put the model in charge of coordination, not creation. Rather than asking AI to write payloads,
- Picus’ agentic BAS
- matches a fresh threat report against a curated, pre-vetted library of safe, ready-made test building blocks. A security team names a threat, and a
- multi-agent system takes it from there
- one agent identifies the threat and builds a research plan, others gather and validate the intelligence from multiple sources, and a builder agent maps the adversarial TTPs into attack chains ready for simulation.
The output is an accurate, ready-to-run simulation, assembled in minutes. This collapses the loop. A CISA alert or a forwarded headline becomes a scoped test, a posture score, prioritized mitigations, and an executive report, often in minutes, with humans reviewing exceptions rather than driving, and slowing down, every step. This Is What the Picus Platform Is Built For Patching is still essential, but where AI discovers flaws by the thousands and weaponizes them in hours, patching alone can’t be your whole strategy.
If the offense is autonomous, the defense has to operate at least at the same speed, and that’s exactly what Picus was built to do. What scales with the threat is validation: confirming what your controls will actually stop, proving what’s exploitable, and spending remediation time and talent only where it will change the outcome. AI-powered, agentic BAS is one of the core pillars of the Picus Platform , continuously testing whether your defenses block and detect what matters without waiting on a human to kick off the process or advance to the next cycle. And when a gap is uncovered, the platform points to the vendor-specific mitigation needed, and doesn’t just create another ticket on the pile, then re-validates to confirm that the gap has actually been closed.
The need to say, on the spot, whether a fresh headline puts the business at risk isn’t going away anytime soon. The Picus Platform gives security teams that answer before anyone asks. Find out if the next headline puts you at risk, before it drops. Request a demo.
Note: This article was written by Sıla Özeren Hacıoğlu , Security Research Engineer at Picus Security. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack
The Vietnam-aligned threat actor known as OceanLotus has been attributed to two distinct campaigns that targeted domestic entities and stock investors with a backdoor known as SPECTRALVIPER. The campaigns involve a prolonged cyber espionage operation aimed at a Vietnamese infrastructure and transport construction corporation between mid-2024 and February 2026, as well as a supply chain attack leveraging FireAnt Metakit, a popular software platform used by stock investors in Vietnam. The second activity cluster took place from October 2025 to March 2026. The two sets of attacks represent a shift in operational focus, per ESET, with the threat actor placing an increasing emphasis on domestic espionage rather than external targets.
The group, active since 2012, also has a history of targeting China . “Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; however, this 15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling,” the Slovakian cybersecurity company said in a report shared with The Hacker News. Prior attacks orchestrated by the adversarial collective have leveraged watering holes to digitally profile site visitors , with a specific focus on hundreds of individuals and organizations tied to media, human rights, and civil society causes in 2017 and 2018. Other campaigns have singled out Vietnamese human rights defenders and dissidents .
In December 2020, Meta linked OceanLotus’ activities with a Vietnamese IT company named CyberOne Group, which is also known as CyberOne Security, CyberOne Technologies, and Hành Tinh Company Limited. Although the company denied the allegations, the public exposure led to the group going off the grid for nearly three years. Some of the key tools in its arsenal include SOUNDBITE (aka Denis), PHOREAL (aka Rizzo), WINDSHIELD (aka Remy), and, more recently, SPECTRALVIPER , which was first documented by Elastic Security Labs in June 2023 when the threat actor resurfaced in connection with a campaign targeting Vietnamese public companies. As recently as last month, Kaspersky said it discovered three malicious packages on the Python Package Index (PyPI) repository designed to deliver a previously unknown malware family called ZiChatBot on Windows and Linux systems.
The Russian cybersecurity company noted that the dropper used to deliver the malware shares a “64% similarity” to another dropper used by OceanLotus. The FireAnt Metakit Supply Chain Attack The latest findings from ESET show that the FireAnt Metakit supply chain attack likely began around October 2, 2025, and lasted until March 2026. The attack is said to have leveraged the software’s legitimate update URL to serve SPECTRALVIPER to a small subset of stock investors, indicating a more selective approach. The use of the FireAnt update server to directly distribute malicious payloads notwithstanding, the update configuration file located at “metakit.fireant[.]vn/Software/version.xml” lacks an integrity validation mechanism to ensure that the update binary (“setup.exe”) has not been tampered with.
“Due to the absence of signature validation, Metakit.exe executed the malicious downloader as a legitimate update,” ESET said. “Once launched, the downloader performed basic host reconnaissance and transmitted the collected information via an HTTP POST request to a staging server, requesting the next-stage payload.” The payload is a DLL side-loading chain that employs a legitimate binary to launch a rogue DLL (“DtlCrashCatch.dll”), which then injects itself into the OneDrive.Sync.Service.exe process to trigger the execution of SPECTRALVIPER. The backdoor subsequently contacts a command-and-control (C2) server (“financemachinelearning[.]com”) to send encrypted host information. ESET said it has not observed any further malicious updates being distributed through the compromised channel since March 9, 2026, raising the possibility that the threat actors concluded their campaign.
Vietnamese Transport Construction Corporation Targeted OceanLotus has also been found targeting an unnamed Vietnamese infrastructure and transport construction firm starting as far back as November 2024, covertly retaining access to the entity until February 2026. Although the exact initial access pathway used by the threat actor is unclear, it’s suspected to have involved the exploitation of remote code execution vulnerabilities in a public-facing Microsoft SQL server. The attacks, as before, paves the way for the deployment of the SPECTRALVIPER backdoor using DLL side-loading. Three different variants have been identified across multiple compromised hosts on the same network.
The malware contacts the C2 server (“gatewayrvcenter[.]com”) to transmit host-profiling data and receive instructions from the operator. SPECTRALVIPER also facilitates lateral movement and functions as a loader by injecting additional binaries or shellcode retrieved from the C2 server into target processes. “Overall, the available evidence points to a potential shift in OceanLotus’s operational patterns,” ESET said. “Since the exposure of its physical front company in 2020, the group appears to have adopted a more selective approach to foreign espionage while placing increasing emphasis on domestic targets.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks
GitHub has announced what it said are “breaking changes” coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. The changes aim to combat attack techniques that abuse the “npm install” command to trigger the execution of malicious code using npm lifecycle hooks. “Npm install” is used to download and install all the necessary dependencies for a Node.js project. Version 12 is scheduled for release next month.
Describing install-time lifecycle scripts as the “single largest code-execution surface in the npm ecosystem,” GitHub said the “npm install” command runs scripts from every transitive dependency, as a result of which a single compromised package anywhere in the dependency tree can run arbitrary code on a developer machine or CI runner. By blocking such behaviours, the idea is to require explicit user approval before code execution is initiated automatically during “npm install” as opposed to being trusted by default. “Making script execution opt-in closes that path while keeping it one command away for the packages you trust,” GitHub said. The changes are listed below - npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in the project.
npm install will no longer resolve Git dependencies, either direct or transitive, unless explicitly allowed via –allow-git. npm install will no longer resolve dependencies from remote URLs, such as https tarballs, unless explicitly allowed via –allow-remote. “This includes native node-gyp builds (i.e., a package with a binding.gyp and no explicit install script still gets blocked, because npm runs an implicit node-gyp rebuild for it),” the Microsoft-owned subsidiary said about changes to the default “allowScripts” behavior. “prepare scripts from git, file, and link dependencies are blocked the same way.” By defaulting “–allow-git” to “none,” the setting closes out a code execution path where a Git dependency’s .npmrc configuration file used could override the Git executable, even with –ignore-scripts , a flag that prevents packages specified in a package.json file from automatically running built-in lifecycle scripts during the installation process.
GitHub recommends that developers prepare for these changes by upgrading to npm 11.16.0 or newer, running the normal install, and reviewing the warnings displayed. “Use npm approve-scripts –allow-scripts-pending to see which packages have scripts, approve the ones you trust, and commit the updated package.json,” it added. “After that, only the scripts you approved keep running once you upgrade. Anything you leave unapproved will stop.” Earlier this year, npm also introduced “min-release-age,” a setting that tells npm to reject any package version published less than a specified number of days as a safeguard against newly published malicious packages.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance
Cybersecurity researchers have warned of a “resurgence and expansion” of JDY , a covert network associated with China-nexus state-sponsored threat actors. “The JDY botnet comprises over 1,500 SOHO [small office and home office] and IoT devices and operates as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale,” Lumen’s Black Lotus Labs said in a report shared with The Hacker News. JDY was first flagged as a cluster within another botnet codenamed KV-botnet in mid-December 2023. Primarily used for broader scanning against internet targets, the stealthy network comprising compromised SOHO routers, firewalls, and IoT devices has been put to use by Chinese hacking groups like Volt Typhoon.
Following KV-botnet’s takedown by the U.S. government in early 2024, the botnet operators began making behavioral changes to the network, with the second KV cluster largely going offline. It’s suspected that the botnet is offered by the operators to various hacking outfits, while carrying out reconnaissance and targeting on their own. The latest findings from Black Lotus Labs show that the malware has expanded in scope to infect a broader range of devices and act as a conduit to feed “structured reconnaissance data” into a larger scanning ecosystem for follow-on target identification and exploitation.
Specifically, the JDY cluster is being used to conduct targeted scanning and service fingerprinting with an aim to flag vulnerable infrastructure following public disclosures. This points to an industrialized reconnaissance effort, the results of which are leveraged by Chinese nation-state groups. This has been complemented by a growth in the botnet’s size, which has surged from 650 bots at the start of January 2024 to more than 1,500 compromised devices. Most of the hacked nodes are located in the U.S.
and Brazil, followed by Europe and Asia. Black Lotus Labs told The Hacker News that the cluster in Brazil is reflective of the fact that “we’re seeing more and more botnets made up of Brazilian victims these days.” Where previously the cluster primarily featured Cisco RV320 and RV325 routers, the present makeup of the botnet is a lot more diverse, including devices from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys. “The botnet’s large number of U.S.-based SOHO/IoT devices enables the botnet operators to evade defenses and traditional IP-based controls, such as geofencing, IP reputation-based detection, and static blocklists,” Black Lotus Labs said. “By distributing their scanning and reconnaissance activity across a wide range of IP addresses, the operators make it less likely that any single IP will be labeled as a scanner and blocked.
Additionally, using compromised SOHO and IoT devices helps this activity blend in with legitimate user traffic.” The architecture that powers the botnet is best described as layered: the operators use Tor nodes to manage infected infrastructure, including both the command-and-control (C2) and payload servers. The C2 servers direct the bots to perform targeted reconnaissance and system profiling, as opposed to indiscriminate scanning. Results of the scans are sent to central servers for ongoing intelligence gathering in an effort to further Chinese threat actors’ objectives. Attack chains weaponize newly disclosed vulnerabilities in edge devices (e.g., CVE-2026-35616) to deliver a shell script dropper that checks if the malware is already active, and if not, proceeds to download the primary payload based on the detected processor architecture (e.g., mips, mips64, mipsel, or mipsel64).
Once the malware is launched, it’s deleted from disk. The malware that facilitates scanning and target reconnaissance is designed to fingerprint the host, receive scanning tasks from a central C2 server, carry out high-volume TCP, SSL, UDP, and ICMP-assisted probing, capture responses (TLS certificates, metadata, etc.), and report the results back to the dispatch server. The goal is to conduct infrastructure reconnaissance rather than exploitation. A noteworthy functionality of the malware is its ability to adapt its scanning methodology based on its privileges on the local system.
If it can open a raw socket, an indication of root privileges, it initiates high-speed SYN scanning using custom-crafted TCP packets. If raw sockets are unavailable or if the task is a web scan, the scanning engine resorts to using standard TCP and TLS connections or employs protocols like UDP and ICMP. This activity most likely informs asset discovery, vulnerability-targeting pipelines, and downstream exploitation or attack-orchestration systems, the cybersecurity company said. “JDY demonstrates how IoT/SOHO botnets and covert networks of compromised devices are being used for rapid vulnerability exploitation,” the company said.
“JDY’s growth and continued operation illustrate how modern reconnaissance networks persist despite takedowns and adapt as a durable capability within a broader adversary ecosystem.” “JDY’s evolution from a supporting component of the KV-botnet to an independent, high-performance reconnaissance capability demonstrates that disruption of individual nodes or clusters does not eliminate the underlying capability. The capability persists, adapts, and continues to provide adversaries with timely targeting data, often within hours of vulnerability disclosure.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities
Fortinet, Ivanti, and SAP have released security updates to address multiple critical security vulnerabilities that could result in arbitrary code execution and information disclosure. The security flaw patched by Fortinet relates to a command injection vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. It’s tracked as CVE-2026-25089 (CVSS score: 9.1). “An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests,” Fortinet said .
The issue impacts the following products and versions - FortiSandbox 5.0.0 through 5.0.5 (Upgrade to 5.0.6 or above) FortiSandbox 4.4.0 through 4.4.8 (Upgrade to 4.4.9 or above) FortiSandbox Cloud 5.0.4 through 5.0.5 (Upgrade to 5.0.6 or above) FortiSandbox PaaS 5.0.4 through 5.0.5 (Upgrade to 5.0.6 or above) On Tuesday, Ivanti also published fixes for two critical security flaws impacting Ivanti Sentry (formerly MobileIron Sentry) - CVE-2026-10520 (CVSS score: 10.0) - An operating system command injection vulnerability before versions R10.5.2, R10.6.2, and R10.7.1 that allows a remote unauthenticated user to achieve root-level remote code execution. CVE-2026-10523 (CVSS score: 9.9) - An authentication bypass vulnerability before versions R10.5.2, R10.6.2, and R10.7.1 that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. watchTowr Labs, which published additional details of CVE-2026-10520, said an attacker could exploit the vulnerability by issuing a specially crafted HTTP request to the “/mics/api/v2/sentry/mics-config/handleMessage” endpoint, which is then interpreted as a MICS configuration command and executed by a backend component named “handleExecute().” The patch shipped by Ivanti incorporates additional controls that block access to the vulnerable endpoint, causing unauthenticated requests to be redirected to the login page. “Ivanti did not just remove attacker control over the vulnerable execution path,” security researcher Sonny Macdonald said .
“They also added a layer of protection in front of it to make reaching the endpoint significantly more difficult. In other words: they added authentication.” Rounding off the list of updates is SAP, which pushed out fixes for four critical vulnerabilities in NetWeaver AS ABAP and ABAP Platform, as well as SAP Commerce Cloud and SAP Data Hub - CVE-2026-44748 (CVSS score: 9.9) - XML signature wrapping vulnerability in SAML authentication in SAP NetWeaver AS ABAP and ABAP Platform CVE-2026-27671 (CVSS score: 9.8) - Memory corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform CVE-2026-22732 (CVSS score: 9.1) - Potential Spring security vulnerability within SAP Commerce Cloud and SAP Data Hub CVE-2026-40128 (CVSS score: 9.0) - Directory traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) “The application allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents with tampered identity information to the verifier,” SAP security company Onapsis said . “Due to an improper XML signature verification, the manipulated identity information is accepted, leading to unauthorized access to sensitive user data and potential disruption of normal system usage.” As for CVE-2026-27671, the defect allows an unauthenticated attacker to send a crafted RFC request that exploits how the SAP kernel validates the RFC protocol to achieve memory corruption. There is no evidence that any of the aforementioned flaws have been exploited in the wild.
However, it’s always a safe practice to update to the latest version for optimal protection. Update In a post shared on X, the Shadowserver Foundation said it’s “observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public [proof-of-concept],” with at least two vulnerable instances backdoored. Ivanti has yet to update the advisory to reflect the exploitation status. The U.S.
Cybersecurity and Infrastructure Security Agency (CISA), on June 11, 2026, added the Ivanti Sentry flaw to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 14. “CVE-2026-10520 resides in the ConfigServiceController class within the Sentry web application, which is accessible via a POST request to the unauthenticated endpoint /mics/api/v2/sentry/mics-config/handleMessage,” Rapid7 said , describing the flaw as trivial to exploit. “The handleMessage endpoint accepts an attacker supplied message parameter that is parsed as an internal configuration command. This ultimately results in arbitrary OS command execution as root with an attacker control OS command.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.