2026-06-23 AI创业新闻
WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool
Direct messages sent via WhatsApp are being used to distribute malicious Visual Basic Script (VBScript) files that lead to the installation of legitimate Remote Monitoring and Management (RMM) software. Per findings from Kaspersky, the active campaign is targeting users of WhatsApp Desktop and WhatsApp Web across Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia, and Vietnam. The highest concentration of victims has been reported in Malaysia. “The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment,” security researcher Fareed Radzi said .
“Once executed, the VBScript initiates a multi-stage infection chain that ultimately results in the installation of legitimate Remote Monitoring and Management (RMM) software, enabling remote access to the victim’s system.” It’s suspected that the threat actor behind the operation managed to obtain surreptitious access to several WhatsApp accounts and then used them as a distribution vector for the VBScript files across their contacts. That said, exactly how these accounts are compromised is unclear. The heavily obfuscated VBScript files are dressed up as seemingly harmless business and financial documents, using names like “Financial Reports.vbs” or “Account Statement.vbs.” Some of the files are also named in other languages, such as Portuguese, French, German, and Malay, reflective of the global nature of the campaign. “In addition, the VBScript samples contain extensive comments and metadata intended to mimic legitimate Microsoft Windows Update components,” Kaspersky explained.
“Many of these comments are written in Chinese and include references to Windows Update modules, certificate validation, system integrity checks, and deployment-related functionality.” The VBScript file is launched using “WScript.exe,” which then fetches and runs additional VBScript components required for the next stages of the attack. It’s worth noting that the infection chain behaves a little differently based on whether a victim is using WhatsApp Web or the WhatsApp Desktop application. In the case of the former, the attack relies on the user downloading the file to their system and then opening it from the downloaded folder or via the browser’s download history, assuming it to be a legitimate document. In WhatsApp Desktop, the malware is executed directly within the application, with the process tree revealing that “WhatsApp.Root.exe,” the background process associated with the client application, is responsible for spawning “WScript.exe.” The primary objective of the VBScript is to download two secondary VBScript payloads from a remote server, one of which attempts to tamper with Windows User Account Control (UAC) behavior, while the other downloads and executes a ZIP file containing the installation package for ManageEngine RMM Central.
The activity remains unattributed, however, the Russian cybersecurity company said it found infrastructure overlaps (“202.61.160[.]201”) with prior activity linked to Gh0st RAT and ValleyRAT . “Users should be cautious when receiving unexpected attachments through WhatsApp, even when they appear to originate from known contacts,” Kaspersky said. “Script and executable file types such as VBS, VBE, EXE, BAT, CMD, JS, and PS1 should not be opened unless their legitimacy has been independently verified.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
OpenAI Expands Daybreak With GPT-5.5-Cyber to Help Defenders Patch Security Flaws
OpenAI on Monday said it’s releasing an improved version of its GPT‑5.5‑Cyber model to trusted defenders as part of the Daybreak initiative the artificial intelligence (AI) company announced last month. Calling GPT‑5.5‑Cyber its “strongest model yet for finding and helping patch software vulnerabilities,” OpenAI said the model can “sustain deeper analysis across large codebases” to identify security issues, validate them in a controlled environment, and develop and test patches. In tandem, the tech upstart is releasing an update to the Codex Security plugin to speed up the process of discovering and patching vulnerabilities in existing systems, alongside preventing new vulnerabilities from entering production codebases. “Developers can run deep scans or review recent changes, generate reports with severity, affected code locations, validation evidence, and remediation guidance, trace attack paths, build threat models, validate findings, and generate codebase-specific patches for review,” OpenAI said.
On top of that, the plugin can triage and validate existing findings from scanners, advisories, bug-bounty reports, or ticketing systems, and then facilitate patch generation at scale to quickly close a backlog of vulnerabilities. OpenAI is also launching a new initiative called Patch the Planet in partnership with Trail of Bits to help secure open-source projects. Initial participants include cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python, and python.org. These moves come as frontier models from Anthropic and OpenAI are accelerating vulnerability discovery, leaving software maintainers overwhelmed with an ever-increasing volume of bugs that need to be verified, triaged, and patched.
While previously the challenge lay in finding vulnerabilities, the bottleneck has now shifted to patching them. AI models come with capabilities to navigate large codebases, reason through attack paths, and flag security issues that might have otherwise stayed hidden. Case in point is a 29-year-old flaw in the Squid web proxy ( CVE-2026-47729 , aka Squidbleed) that can leak cleartext HTTP requests belonging to other users under certain conditions. Cyber experts have also raised concerns that more advanced AI models are turbocharging bad actors’ abilities to take advantage of security vulnerabilities, forcing the industry to plug the holes almost as soon as they are discovered.
“Threat actors with limited technical expertise can use publicly available AI models for malicious purposes,” the Canadian Centre for Cyber Security said in guidance released in May 2026. “Organizations should assume that AI-driven exploitation may bypass preventative controls, significantly outpace vendors’ capacity to publish corrective measures and challenge the organization’s ability to deploy.” Patch the Planet aims to reduce this undue burden placed on maintainers by letting security engineers review and validate findings, work with projects to develop patches and tests, and help build reusable vulnerability discovery workflows with the goal of improving security even after the initial fixes are released. “With Patch the Planet, we are working with researchers, maintainers, enterprises, and partners to make powerful cyber capability available to defenders with appropriate access, governance, and human oversight,” OpenAI said. The AI company also said the Daybreak initiative has already helped surface a number of vulnerabilities across various operating systems and web browsers - 8 kernel pointer information leak proofs-of-concept (PoCs) and 24 local privilege escalation exploits in the Linux Kernel A 23-year-old use-after-free in OpenBSD’s kernel implementation of System V semaphores 34 vulnerabilities and 7 local privilege escalation PoCs in FreeBSD 6 vulnerabilities in dnsmasq (CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, and CVE-2026-5172) A denial-of-service (DoS) technique called HTTP/2 Bomb impacting major HTTP/2 implementations, including NGINX, Apache, IIS, and Pingora 5 exploitable vulnerabilities in Google Chrome’s V8 JavaScript engine 10 exploitable Apple Safari vulnerabilities A WebAssembly vulnerability (CVE-2026-8390) in Mozilla Firefox “Patch the Planet is designed to put that full defensive loop in service of maintainers: discovery, validation, severity review, disclosure, patch development, testing, and deployment,” OpenAI said.
“Frontier models can make parts of that loop faster, but the aim is to give the people responsible for shared infrastructure better tools and more capacity, while preserving their agency over how changes land.” The developments go hand in hand with bad actors misusing AI to compress the time between finding and exploiting a weakness, shrinking the window defenders have to respond. The use of vibe-coded exploits also heralds a new chapter where the technology is not only lowering the barrier to exploit development, but also enabling attackers to cast a wide net across newly disclosed vulnerabilities with lesser effort. Intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. have warned that advanced AI models can expedite the speed, scale, and sophistication of cyber threats, while lowering the barrier for malicious actors and shrinking the window between vulnerability discovery and exploitation ever more quickly.
“Frontier Al models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months, the agencies noted . “In this environment, cyber resilience is integral to advancing business continuity, market confidence, and long-term value.” “Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy. Those that do not will face growing operational and strategic disadvantage.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code. “Attackers compromised the vendor’s build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels,” Wordfence said in an analysis published last week. The incident affects the following plugins - Product Slider Pro for WooCommerce (versions before 3.5.4) Real Testimonials Pro (version 3.2.5) Smart Post Show Pro (versions before 4.0.2) As mentioned above, it’s worth emphasizing that the compromise only affects Pro plugin builds distributed through the vendor’s Easy Digital Downloads (EDD) infrastructure via account.shapedplugin[.]com. The free versions of the plugins on WordPress.org are not impacted.
The supply chain compromise associated with Product Slider Pro for WooCommerce has been assigned the CVE identifier CVE-2026-49777 , along with a CVSS score of 10.0, indicating maximum severity. CVE-2026-10735 (CVSS score: 9.8) is the CVE identifier for the entire incident. The WordPress security company said the compromised versions of the plugins incorporate a loader that’s triggered on every admin page, causing it to fetch a payload from a remote server (“194.76.217[.]28:2871”), install it, and activate it as a fake plugin. Once it’s activated, the malware reports the victim domain back to the server and erases itself to cover up the tracks and complicate incident response efforts.
The counterfeit plugin, for its part, hides itself from the WordPress admin plugin list and is capable of capturing credentials in plaintext and two-factor authentication (2FA) codes. It also establishes multiple persistence methods that enable arbitrary file writes via a custom REST endpoint when provided a specific authentication token, as well as drop a web shell with command execution features. Lastly, it makes use of a PHP file named “install-persistent.php,” which is bundled as part of the plugin, to extract the below data - Full contents of wp-config.php, including database credentials, authentication keys, and debug settings All administrator accounts with registration dates Mail plugin credentials from WP Mail SMTP, Post SMTP, and Easy WP SMTP WooCommerce order data from the last 3 months with payment method breakdown Once this information is displayed, the file is deleted. Evidence indicates that the attack could be a compromise of the build pipeline, as opposed to a direct poisoning of the packages.
What’s particularly dangerous about this attack is that it exposes site owners who purchased legitimate licenses and installed updates directly from the vendor’s official update system to malware. Upon being notified of the issue, ShapedPlugin has confirmed the incident, adding that it’s reviewing the distribution and release processes to ensure the integrity of its products going forward. New versions of the impacted plugins are expected to be released pending comprehensive security reviews and validation tests. Site owners who have installed the malicious versions are recommended to reset all passwords, revoke and regenerate 2FA secrets for all users, review administrator accounts for unauthorized additions, and check mail plugin configurations for modified SMTP credentials.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants
Cybersecurity researchers have disclosed details of four vulnerabilities in Dify , an open-source agentic workflow platform with more than 146,000 GitHub stars , that could allow attackers to stealthily read artificial intelligence (AI) conversions from other customers’ applications without requiring authentication. The vulnerabilities have been collectively codenamed DifyTap by Zafran Security. “Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify’s multi-tenant cloud service, allowing one customer’s data to be exposed to another,” researchers Ido Shani and Gal Zaban said . The security defects could have allowed attackers to read private AI chats from other customers’ applications, creating a covert exfiltration channel for every message and model response.
They also made it possible to traverse Dify’s internal Plugin Daemon API from unauthenticated requests and trigger cross-tenant internal API calls, as well as preview documents uploaded by other tenants and leak files across users within a tenant by attaching another user’s file unique identifier. Separately, Zafran said it also discovered that Dify’s file parsing stack relied on a version of PDFium, an open-source C++ library for PDF rendering, that was vulnerable to CVE-2024-5846 (CVSS score: 8.8), a two-year-old use-after-free bug that could allow a remote attacker to potentially exploit heap corruption via a crafted PDF file. The remaining vulnerabilities are listed below - CVE-2026-41947 (CVSS score: 9.1) - An authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. CVE-2026-41948 (CVSS score: 9.4) - A path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon’s internal REST API by exploiting insufficient URL path sanitization and access internal, private endpoints.
CVE-2026-41949 (CVSS score: 7.5/5.9) - An authorization bypass vulnerability in the file preview endpoint (“/console/api/files/{file_id}/preview”) that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file’s UUID. CVE-2026-41950 (CVSS score: 6.5) - An authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. The missing tenant ownership checks can be exploited to redirect all messages and responses from victim applications to an attacker-controlled LLM trace provider. It’s worth noting that anyone can freely register for a Dify account.
“Consequently, an attacker can configure their own tracing for any application they can access as a client, which includes all publicly accessible applications,” the researchers explained. “This allows an attacker to create a persistent exfiltration channel for all messages and responses sent in the application.” Following responsible disclosure, all vulnerabilities barring CVE-2026-41948 have been addressed in version 1.14.2 , which was shipped last month. A fix for the pending flaw is expected to be made available in the next release of Dify. “DifyTap demonstrates where the challenge lies in vulnerability visibility, particularly in container images, where differences between deployments can create visibility gaps that traditional scanners cannot detect,” the company said .
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
29-Year-Old Squid Proxy Bug ‘Squidbleed’ Can Leak Cleartext HTTP Requests
- A heap over-read in the Squid web proxy can leak another user’s cleartext HTTP request, including any credentials or session tokens it carries, to anyone already allowed to send traffic through the same proxy. The bug traces to a
- 1997 FTP-parsing change
- and is still live in Squid’s default configuration. Researchers at Calif.io
- disclosed it in June
- and named it
- Squidbleed
- (
- CVE-2026-47729
- ), after Heartbleed, which leaked memory the same way. Squid describes this as an attack by a
- trusted client
- someone already permitted to use the proxy, not any random host on the internet.
That matches Squid’s usual home, shared networks like schools, offices, and public Wi-Fi. In those setups, the attacker is just another user of the same proxy. The leak also only reaches traffic that Squid can read. Normal HTTPS rides an opaque CONNECT tunnel, so Squid never sees inside it; the exposed traffic is cleartext HTTP, plus TLS-terminating setups where Squid decrypts and inspects.
The attacker also needs the proxy to reach an FTP server they control on port 21. Both FTP and that port are on by default. How the leak works The bug sits in Squid’s FTP directory-listing parser. To handle old NetWare servers that padded listings with extra spaces, the code skips whitespace with a loop: while (strchr(w_space, *copyFrom)) ++copyFrom;.
If the attacker’s FTP server sends a listing line that ends right after the timestamp, with no filename, copyFrom lands on the string’s null terminator. strchr treats that terminating NUL as part of the string it searches, so it returns a pointer instead of NULL, and the loop never stops. It walks off the end of the buffer, and xstrdup copies whatever follows back to the attacker as a filename. The leaked bytes are the useful part.
Squid reuses freed memory buffers without zeroing them, so a 4KB buffer that recently held a victim’s HTTP request still holds most of it. A short FTP line overwrites only the first few bytes; the over-read returns the rest. Calif’s demo pulls an Authorization header from a victim sharing the same proxy, enough to act as that user. Proof-of-concept code is public , and no in-the-wild exploitation has been reported as of writing.
What to do If you patch, verify the fix, not just the version. Confirm the guard is in FtpGateway.cc, or check your distribution’s backport, since distros ship their own builds (Debian packages Squid 5.7). The public thread is still inconsistent: maintainer Amos Jeffries first said Squid 7.6 carried the fix, then corrected that to 7.7 , and on June 22 Debian’s Salvatore Bonaccorso noted the referenced commit looks like it is already in 7.6. The fix is small, a null-terminator check before the vulnerable strchr calls , merged to the development branch in April and v7 in May.
Squid 7.6 does separately patch CVE-2026-50012, an unrelated cache_digest heap overflow. The cleaner move is the one the researchers recommend anyway: turn FTP off. Chromium dropped FTP years ago, and most networks carry almost none of it, so disabling it removes this attack surface for free, whatever build you run. The risk is real but bounded.
SUSE rates it moderate, CVSS 6.5 , and the vector explains the score: the attacker needs proxy access (low privileges), and the only impact is confidentiality, nothing on integrity or availability. Calif credits Anthropic’s Claude Mythos Preview, the model behind Project Glasswing , with catching the strchr quirk almost at once, the same kind of buried parser bug AI agents have been surfacing elsewhere , including in FFmpeg. Calif hints Squid’s FTP code may not be the last place it forgot to stop reading. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer
Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER . According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the presence of explicit exclusions to prevent infecting machines located in the Commonwealth of Independent States (CIS) region. The campaign has been codenamed REF8372.
“The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode,” researchers Daniel Stepanic and Jia Yu Chan said in a technical breakdown. The attack begins when unsuspecting users enter queries such as “lts version of node.js” on search engines like Google, redirecting them to a fake website (“node-js[.]prentiva99[.]info”) surfaced via bogus ads published under the verified name “ВОЛОДИМИР ТЕРЕЩЕНКО” that’s purportedly based in Ukraine. It’s currently unknown if the advertiser account is linked to the actual threat actor, or if it’s a front account or a purchased identity. The advertiser account, along with its ad campaigns, was removed from Google on May 14, 2026.
Users who end up interacting with the site are served a batch script hosted on Storj, a decentralized, open-source cloud storage platform. The abuse of Storj once again illustrates how threat actors continue to leverage legitimate services to evade domain-based reputation filters. Running the batch script displays a bogus installation wizard user interface (UI), while stealthily downloading a next-stage payload, a Storj-hosted executable dubbed OXLOADER through a PowerShell command and executing it with -Verb RunAs to trigger a Windows User Account Control (UAC) prompt. The attack then employs DLL side-loading to launch a rogue DLL, which then proceeds to decrypt and execute the CastleStealer payload.
OXLOADER also makes use of techniques like control-flow flattening (CFF) and mixed Boolean-Arithmetic (MBA) to evade static detection, while also taking steps to ensure it’s not run on sandboxed environments. CastleStealer is a .NET information stealer that was recently distributed alongside CastleLoader through a ClickFix-style lure masquerading as a free image-editing tool as part of a campaign codenamed BackgroundFix . CastleLoader is attributed to a threat activity cluster known as GrayBravo. “OXLOADER is in an early operational phase, but the engineering behind it suggests this family is worth watching,” Elastic said.
“The code obfuscation, anti-VM measures, benign-looking code used to masquerade its binaries, and unique staging techniques reflect deliberate engineering choices to evade analysis.” “That investment is paying off, resulting in low detection rates across static engines and detonation runs, giving OXLOADER a window to operate before it gets hunted down.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries
Google has set September 30, 2026, as the day it begins enforcing Android developer verification in the first four countries, and the major device-maker app stores are in from the start. On that date, certified Android phones in Brazil, Indonesia, Singapore, and Thailand will block normal installs of apps whose developers have not registered an identity with Google, whether the app comes from Google Play or the stores run by Samsung, Xiaomi, OPPO, vivo, Honor, and Transsion. Certified devices are the ones that ship with Google’s services and Play Protect, which, by F-Droid’s count, is more than 95 percent of Android devices outside China. Most users will not notice, which is the point.
Apps from verified developers keep installing as before. The friction lands on apps from developers Google has not verified, and is hardest on the independent and open-source channels, built on not needing Google’s permission to ship. Developers distributing through those stores need to verify and register before the deadline. Google says apps that miss it will be unavailable for new installation on certified devices in the four countries.
What flips on September 30 The check runs on the device. Google is pushing a new system service , the Android Developer Verifier, to phones on Android 8 and newer starting in June 2026, and it confirms an app is registered to a verified developer before the app installs. After September 30, in the four launch markets, an unregistered app will not install through the normal path. It can still be installed over Android Debug Bridge (ADB) or through the advanced flow , the deliberately high-friction route Google built earlier this year.
That route makes the user turn on developer mode, restart, wait 24 hours, and reauthenticate before sideloading an unverified app, and it goes global in August. Registration opened to all developers in March , and Google says it already covers nearly all installs on Google Play and a large majority of those from outside it. To register, a developer gives Google a legal name, address, and contact details, may have to upload a government ID, and proves ownership of each app by submitting an APK signed with their private key. Google is also adding APIs for bulk registration and package-name checks, with OAuth delegation so a third-party store can run parts of the process for developers.
The two interfaces, an Android Developer ID Status API and an Android Developer Console API, arrive in July. A separate lane for free limited-distribution accounts enters early access in July and launches globally in August; it lets students and hobbyists share apps with up to 20 devices, with no government ID and no fee. The standard full developer account carries a one-time $25 fee. Why the open-source camp is fighting it Google’s case is malware.
It says sideloaded sources carry far more of it than Google Play, and that scams increasingly work by talking a victim into installing a malicious APK on the spot. An identity check and a 24-hour wait are meant to break that. Google says it chose the four launch countries because they are hit hard by app scams, often from repeat offenders. The pushback has been loud since the program was announced in August 2025 .
F-Droid, the free-software app repository, says the requirement would end its project , because it builds and signs apps from many pseudonymous contributors who will not hand Google a legal identity. A Keep Android Open campaign backed by more than 70 organizations in 23 countries has asked Google to drop the ID checks for apps shipped outside Play. Google’s concessions, the advanced flow, and the 20-device accounts answer the complaint that sideloading was being killed. They do not touch the deeper one: a single company would sit at the installation path for nearly every Android device outside China and decide who gets the smooth lane.
Three questions stay open before the global rollout in 2027: whether Google spells out an appeals process for developers it flags by mistake, what it keeps in the identity registry and for how long, and whether it offers any path for repositories like F-Droid that cannot meet the per-app ownership check without changing how they work. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Stop Your Legacy Infrastructure from Hijacking Your AI Agents
Earlier this month, I spoke at the Gartner Security & Risk Management Summit about a blind spot most security programs are still not accounting for - how attackers are circumventing AI security programs by using legacy infrastructure to hijack AI agents. AI adoption is moving faster than security programs can account for. Roughly 71% of organizations are piloting AI agents across their enterprise applications, and 31% have already moved them into production workflows. For this reason, organizations are legitimately pouring resources into securing AI workloads against model poisoning, prompt injection, data leakage, and other emerging threats.
Yet this focus misses everything underneath the AI layer. Because an unpatched server, a misconfigured Active Directory permission, or a cached credential on a developer’s machine are exposures that give attackers a direct route to everything your AI agents depend on - knowledge bases, cloud storage, Lambda functions, SaaS integrations, and the credentials that connect them. This means that threat actors don’t really need to attack your AI head-on - they just need to reach what it connects to. In this article, I’ll walk through how legacy infrastructure becomes the attack path into AI agent environments and what security teams can do to block those paths.
AI Agents Use What They Inherit Despite their novelty and power, in some ways AI agents operate like other assets in your environment. They authenticate through existing identity providers, store data in existing cloud buckets, execute tasks through existing Lambda functions, and inherit permissions from existing IAM roles. Every one of those dependencies carries whatever security debt the organization had before the AI deployment started. What’s more, most organizations are inadvertently compounding that debt.
According to Infosecurity Magazine , 70% of organizations grant their AI systems more privileged access than a human in the same role. Not surprisingly, this comes with a painful price tag. Organizations with over-privileged AI reported a 76% incident rate, compared to just 17% for those enforcing least privilege. All of those connections - identity providers, cloud buckets, Lambda functions, IAM roles - run through the infrastructure your teams have managed for years: Active Directory, cloud IAM, service accounts, stored credentials.
Yet none of it was designed with AI agents in mind, and most of it was provisioned long before the first agent went into production. The result is that an attacker who finds their way in through any of those layers doesn’t need to touch the AI. The agent’s own permissions do the work for them. How a CVE from 2025 Hijacks an AI Agent in 2026 The diagram below shows a typical enterprise AI agent architecture.
A customer success team uses an AI-powered Co-Pilot - hosted on AWS Bedrock - to query customer data exported from Salesforce into an S3 bucket. The Co-Pilot executes tasks through Lambda functions and integrates with business applications. John, a developer, builds and maintains the agent. Users across the organization interact with it daily.
Now here’s what happens when an attacker finds a way in. The following diagram shows an attack path my team modeled in a real enterprise environment. None of these exposures are exotic - they exist, in some combination, in most enterprise networks right now. What makes them dangerous is how they connect.
Here is how the attack developed, stage-by-stage. Stage 1: An S3 bucket becomes a critical asset. To feed the CSM Co-Pilot, the team exported Salesforce data into an S3 bucket. That export turned the bucket into a high-value target holding sensitive customer records.
Multiple users across the AWS account received overly broad read access to production S3 buckets - including John, the Co-Pilot developer, who never needed access to production data. On its own, this is a simple permissions misconfiguration. Stage 2: An unpatched server on the perimeter. An external-facing server runs Apache Tomcat.
That server is exposed to CVE-2025-24813
- a remote code execution flaw disclosed in March 2025 and added to CISA’s Known Exploited Vulnerabilities catalog the same month. It was never patched. Because the server sits in the enterprise environment and is joined to Active Directory, an attacker who exploits the vulnerability can dump cached credentials from server memory and compromise an AD user account. In isolation, this is a known vulnerability on a single server - serious, but not critical.
Stage 3: Active Directory misconfiguration enables lateral movement. That compromised AD account can abuse a Resource-Based Constrained Delegation misconfiguration to impersonate John and access his workstation. John uses AWS CLI to manage the Co-Pilot’s cloud resources, and behind the scenes, CLI stores AWS access keys on his machine. The attacker harvests those keys.
In isolation, this is an AD permissions issue - one of thousands that most environments carry. Now connect the three stages. The attacker exploits CVE-2025-24813 on the perimeter, dumps credentials, moves laterally through AD to John’s workstation, harvests his AWS access keys, and reads every record in the production S3 bucket - the same bucket that feeds the Co-Pilot’s knowledge base. The Co-Pilot agent is now compromised.
The attacker controls what it reads, what it trusts, and what it returns to users. No part of the AI stack was directly attacked. Three moderate findings - an overprivileged cloud key, an unpatched web server, an AD misconfiguration - became one critical attack path. What to Do About It The attack path I just described crosses four layers: network, identity, cloud, and AI.
Most security programs assess each of those layers independently, and the exposures in each one may already be known. An EASM tool flags the Tomcat server. An AD security tool catches the delegation misconfiguration. A CSPM tool picks up the overprivileged S3 access.
Each one reports a moderate finding which may not be remediated due to lower priority but in combination become a critical issue: a Tomcat vulnerability on the perimeter chains through AD into a developer’s cloud credentials and ends at an AI agent’s knowledge base. Closing these paths starts with an exposure management approach that treats AI agent dependencies (knowledge bases, storage buckets, Lambda functions, etc) as critical assets themselves. From there, map backward: what identity relationships, permissions, and infrastructure connect to those assets, and which of those connections carry exploitable exposures in the context of your environment? When you map the full path, choke points emerge - places where a single fix will block multiple routes to your AI assets.
If your exposure management platform can trace that full path - from legacy server through AD and cloud infrastructure to an AI agent’s knowledge base - you can fix the exposure before an attacker chains it. If it can’t, no amount of guardrails on the AI layer will close it. The Bottom Line AI agent adoption is accelerating across every enterprise department. And every new agent you deploy connects to infrastructure that is already exposed.
That means that the attack surface compounds with every deployment. The question for security leaders isn’t whether your AI layer is protected. It’s whether the environment in which those agents operate - including your bread-and-butter legacy infrastructure - is handing attackers the path to hijack them. Because attackers don’t need new techniques to compromise AI agents.
They just need the old ones - and an environment that lets them use the old to exploit the new. Note: This article was thoughtfully written and contributed for our audience by Zur Ulianitzky , SVP Product and Security Research, XM Cyber. Found this article interesting? This article is a contributed piece from one of our valued partners.
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again. This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control. The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks.
Nothing clever. Just sloppy, cheap, and effective. Here’s the Monday recap. Let’s get into the week’s mess.
⚡ Threat of the Week FortiBleed Campaign Identifies Over 80K Targets — A large-scale campaign codenamed FortiBleed has systematically targeted and compromised Fortinet FortiGate firewall and SSL VPN gateway devices worldwide. According to SOCRadar, it has been running since at least February 2026, with over 80,000 devices identified with working usernames and passwords that have been tested by suspected Russian-speaking threat actors using automated tools running around the clock. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices.
Fortinet also said the campaign likely involves the threat actors reusing credentials from previous incidents, such as CVE-2026-24858, CVE-2025-59718, and CVE-2025-59719, along with employing brute-force techniques against devices with weak password hygiene and no multi-factor authentication (MFA). The $50K Per Hour Network Downtime Dilemma Reactive network operations slow teams down and increase business risk. Join Tines and Netskope to discover a practical five-step framework for improving visibility, accelerating response, and creating secure, reliable operations across modern hybrid environments. Save Your Spot ➝ 🔔 Top News Salesforce Disables Klue App Integration After New Extortion Campaign — Salesforce revealed that it disabled the Klue Battlecards app integration within its platform in response to a security incident impacting the competitive intelligence company on June 11, 2026.
“Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce,” the company said. “This issue is limited to Klue’s app connection and does not arise from a vulnerability within the Salesforce platform.” The development comes as an extortion group dubbed Icarus compromised and exfiltrated data from customers of Klue after obtaining access through a compromised legacy credential associated with an integration service. A number of companies have publicly acknowledged the incident, but noted the impact is limited. The Gentlemen RaaS Develops GentleKiller EDR Killer Suite — The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for shutting down endpoint detection and response (EDR) products before deploying the encryptor.
The centerpiece of the group’s EDR-disabling capability is GentleKiller, an in-house developed framework that comes in eight different variants, each one impersonating a different legitimate product and abusing a different vulnerable or malicious kernel driver. GentleKiller targets over 400 processes belonging to 48 security products, including CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Kaspersky, and ESET itself. Splunk Flaw Actively Exploited in the Wild — Splunk’s Product Security Incident Response Team (PSIRT) said it became aware of “limited exploitation” of CVE-2026-20253, a critical flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. “In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint,” Splunk said.
“The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.” In an analysis of the flaw, Resecurity said it’s “particularly dangerous” as it can be exploited remotely without authentication or user interaction. “By chaining multiple weaknesses together, an attacker can progress from unauthenticated access to arbitrary file operations and ultimately Remote Code Execution (RCE),” it said . “A successful compromise may expose sensitive logs, credentials, security alerts, and operational data while providing attackers with a foothold for persistence, defense evasion, and lateral movement within the environment.” Unpatchable ‘usbliter8’ Exploit Targets Apple A12 and A13 Chips — Security researchers at Paradigm Shift released details of a working exploit dubbed usbliter8 that could be abused to achieve arbitrary code execution inside the SecureROM of Apple’s A12 and A13 chips. The vulnerability is classified as a hardware bug residing in the Synopsys DWC2 USB controller, meaning the issue can never be patched.
That said, a successful exploitation requires an attacker to have physical access to a vulnerable device. A proof-of-concept for usbliter8 has been made publicly available. Operation Endgame Disrupts SocGholish Servers — Dutch law enforcement authorities, along with counterparts from Canada, Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. The takedown is part of Operation Endgame, an ongoing international law enforcement initiative to combat botnets and associated criminal infrastructures.
It was launched in 2024. As part of the effort, 106 servers linked to SocGholish have been taken down, and 14,971 WordPress sites have been rid of the infections. Website owners have been notified to update their content management system (CMS), change their credentials, and delete any suspicious accounts. Malicious Campaign Fakes Popularity to Deliver Crypto Clipper — A cryptocurrency-stealing malware campaign has been targeting cryptocurrency asset holders and online gamblers by faking its own popularity, dressing up booby-trapped sniper bots and crash-game predictors with bogus GitHub stars, inflated download counts, and artificial intelligence (AI)-narrated YouTube tutorials.
The activity has been traced to a Rust-based clipper malware targeting Windows and macOS users. The lures are “edge” tools that promise easy money, crypto sniper bots, and “predictors” that claim to forecast crash-gambling games, aimed at traders and gamblers chasing shortcuts, while a WordPress phishing page acts as the hub, funneling victims to the downloads. Rokarolla Android Trojan Combines Banking Fraud with Screen Surveillance — A new “invasive” Android trojan dubbed Rokarolla is being distributed via malicious websites, while masquerading as popular applications like TikTok or Google Chrome. It’s designed to target 217 distinct cryptocurrency and banking applications by serving fake overlay login screens, in addition to leveraging 137 commands that grant it complete control of a compromised device.
It can harvest lock screen credentials, exfiltrate sensitive contact lists and SMS data, monitor the screen to capture WhatsApp data, take screenshots by abusing Android’s accessibility services, redirect cryptocurrency transactions, and utilize keyloggers to continuously record user input. The malware also actively hides its presence from the launcher screen and disrupts user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect. “The infection process begins when a dropper misleads users into installing a secondary payload containing the core malware,” Zimperium said. “By masquerading as Google Play Protect, the dropper facilitates the installation of this payload.
This strategy allows the malware to evade Android restrictions and exploit Accessibility services.” 🔥 Trending CVEs Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-20262 (Cisco SD-WAN Manager), CVE-2026-54420 (LiteSpeed cPanel Plugin), CVE-2026-48907 (Widget Factory Joomla Content Editor), CVE-2026-4020 (Gravity SMTP WordPress Plugin), CVE-2026-47101, CVE-2026-47102, CVE-2026-40217 , CVE-2026-49468 (LiteLLM), CVE-2026-24190 (NVIDIA Display Driver for Windows and Linux), CVE-2026-48558 (SimpleHelp), CVE-2026-39449 (Contact Form to Any API WordPress plugin), CVE-2026-39849 , CVE-2026-44693 (Pi-hole FTL), CVE-2026-49980 , CVE-2026-41179 , CVE-2026-41176 (Rclone), CVE-2026-54157 (@lobehub/lobehub), CVE-2026-48746 (vllm), CVE-2026-48519 (Langflow), CVE-2026-38329 (Bludit CMS), CVE-2026-39949 (Cacti), CVE-2026-8444 (WP Review Slider Pro WordPress plugin), CVE-2026-52697 (Taskbuilder WordPress plugin), CVE-2026-52700 (WCMultiShipping WordPress plugin), CVE-2026-3326 (XStore WordPress theme), CVE-2026-2418 (Login with Salesforce WordPress plugin), CVE-2026-6379 (WP Photo Album Plus WordPress plugin), CVE-2026-2446 (PowerPack for LearnDash WordPress plugin), CVE-2025-15445 (Restaurant Cafeteria WordPress theme), CVE-2026-8443 (WP Review Slider Pro WordPress plugin), CVE-2026-6933 (Premmerce Dev Tools WordPress plugin), CVE-2026-9848 (WP Ticket Customer Service Software & Support Ticket System WordPress plugin), CVE-2026-52707 (Kastell WordPress theme), CVE-2026-52703 (FastDup WordPress plugin), CVE-2026-52706 (JetEngine WordPress plugin), CVE-2026-27429 (Nifty WordPress theme), CVE-2025-69129 (WordPress & WooCommerce Scraper WordPress plugin), CVE-2026-27400 (BookPro WordPress plugin), CVE-2026-8713 (Avada Builder WordPress plugin), from CVE-2026-12437 through CVE-2026-12443 (Google Chrome), CVE-2026-12326, CVE-2026-12327, CVE-2026-12328 (Mozilla Firefox), CVE-2026-8049, CVE-2026-8050 (SignalRGB kernel driver), CVE-2026-20266 (Splunk AI Toolkit), CVE-2026-41293, CVE-2026-43512, CVE-2026-42579, CVE-2026-42584, CVE-2026-43515 (Atlassian Confluence Data Center and Server), CVE-2026-20181, CVE-2026-20190 (Cisco Identity Services Engine and ISE Passive Identity Connector), CVE-2026-48933, CVE-2026-48618 (Node.js), CVE-2026-9862 (Fortra Core Privileged Access Manager), and multiple vulnerabilities in Crawl4AI Docker API (no CVEs). 🎥 Cybersecurity Webinars Your Company Is Using More AI Than You Can See.
Here’s How to Secure It → AI bots are actively accessing your company’s sensitive data—often without a clear human owner to hold accountable. Join this webinar to learn how to uncover hidden AI tools, lock down their permissions, and safely take back control of your network before a blind spot becomes a massive data breach. Machine-Speed Attacks are Here: How to Stop AI-Powered Hackers → Hackers are now using AI to launch lightning-fast, highly convincing attacks that easily slip past traditional security. If your defenses rely on old, ‘human-speed’ tools, you’re already falling behind.
Join this critical webinar to see exactly how AI-powered threats operate—and get a clear, practical blueprint to lock down your network and stop machine-speed attacks in their tracks. 📰 Around the Cyber World Flaws in SiderAI and MaxAI — Critical vulnerabilities have been disclosed in SiderAI (Spyder) and MaxAI (MaXSS) agentic side-panel Chrome extensions that can allow malicious websites to take screenshots of arbitrary websites or run arbitrary code by taking advantage of the add-ons’ permissions. “Abusing these vulnerabilities allows attackers to compromise all browser sessions across any website, leading to the leakage of sensitive information, the invocation of arbitrary commands, and even account takeover,” Rebora said . “Furthermore, there was a potential risk of stealing files from the underlying operating system.” Both extensions have a “Featured” badge and have been collectively installed nearly 7 million times.
Given that the issues remain unpatched, users are recommended to remove them until fixes are in place. Israeli Company Linked to Popa Android TV Box Botnet — The Popa Android TV box botnet, which has been used for residential proxy traffic in ad fraud and website scraping, has been attributed to NetNut , operated by publicly traded Israeli company Alarum Technologies. Qurium , along with the Nokia Deepfield Emergency Response Team and Synthient , has found that Popa is a “residential proxy software family that turns consumer devices into internet relay nodes” by means of a software development kit. It’s worth noting that Popa was first flagged by QiAnXin XLab in March 2025 as an Android component of the Vo1d botnet.
“So Popa is not a traditional downloader or banking trojan, the ultimate goal of the code is just to implement a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening tunnels on demand,” according to the report. “Not differently from many other types of malware, Popa does not connect directly to a fixed command-and-control server. The compromised device starts by connecting a limited set of domain names to later learn where to register and tunnel the traffic.” The botnet has impacted millions of consumer TV boxes over the last four years. Alarum, which also maintains RoboVPN, a commercial VPN service that includes a residential-proxy SDK that turns the user’s machine into an exit node for third-party traffic.
In a statement shared with cybersecurity journalist Brian Krebs, NetNut and Alarum have disputed the allegations, calling them “demonstrably inaccurate assertions and flawed deductions rather than verified facts,” adding “the SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems or otherwise compromise the devices on which they operate.” The development comes weeks after another report from Include Security found that an iOS SDK that Bright Data embeds in consumer apps can turn devices, including always-on smart TVs, into exit nodes that relay web-scraping traffic with users’ consent. Prinz Eugen Encrypts Recently Modified Files — A new Go-based ransomware called Prinz Eugen has been observed targeting recently modified files for encryption. “It performs recursive encryption, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity checks, and leaves no ransom note on disk,” Threatdown said . It’s suspected that the attackers gain initial access through compromised RDP credentials.
The ransomware binary also takes steps to frustrate forensic analysis and recovery. The ransomware has been attributed to an actor called ROOTBOY, who has a track record of selling stolen data on cybercrime forums. Okendo Reviews Widget Compromised in SmartApeSG Supply Chain Attack — Okendo Reviews widget, a popular customer review platform used by more than 18,000 brands, is said to have been compromised as part of attacks designed to deploy malware via embedded malicious JavaScript code. The activity, detected on May 14, 2026, has been tied to SmartApeSG, which was previously observed using ClickFix and FakeUpdates lures to distribute NetSupport Manager.
“The injected JavaScript used obfuscation, environment checks, and staged execution,” Zscaler said . “The SmartApeSG injected JavaScript behaved as a staged loader, and did not attempt to execute every action immediately. Instead, the JavaScript focused on control, reconstruction, and retrieval, which reduced the visibility of the script and gave the operator more flexibility.” The end goal of the attacks is to serve bogus ClickFix prompts that lead to malware deployment. In the past, SmartApeSG has also relied on command-and-control (C2) servers hosted on Russian infrastructure providers to communicate with hosts infected with Remcos RAT through fake CAPTCHA prompts injected into websites that instructed users to execute commands copied to the clipboard.
Okendo has since addressed the issue and restored the widget script to a clean state. AI-Generated Websites Used to Deliver SmartRAT — Typosquatting domains hosting malicious content generated with AI-powered website creation tools are being used to deliver a PowerShell-based malware called SmartRAT (aka Banana RAT ). The web page impersonates a Brazilian bank and a ClickFix lure to trick victims into running a PowerShell command that downloads the malware. “Threat actors are leveraging website builders to create convincing lures quickly and at scale, with capabilities ranging from basic credential theft to a ClickFix campaign that delivers remote access trojans (RATs),” Zscaler said .
“SmartRAT supports encrypted C2 communications, remote control (screen/keyboard/mouse), credential theft (keylogging and banking overlays), and persistence via scheduled tasks and a Windows service.” ClickFix Delivers GuLoader — Another ClickFix has been observed using a combination of ClickFix and EtherHiding to deliver malware called GuLoader using a compromised WordPress site as an entry point. “The attack chain combines four distinct components, compromised WordPress, EtherHiding via BSC Testnet, ClickFix social engineering, and GULoader delivery via UNC path, into a single intrusion sequence where every traditional defensive layer has a structural reason to remain silent,” Sicuranext said. UnregStealer Targets Brazilian Banks — A new purpose-built trojan called UnregStealer has been targeting Latin America (LATAM) financial institutions. Described as a human-operated credential theft campaign, it was first discovered by IBM X-Force in May 2026.
“Most LATAM banking trojans rely on automated infection chains and compiled malware, UnregStealer is different,” the company said . “trojans rely on automated infection chains and compiled malware, UnregStealer is different. This trojan involves a real operator, who watches each victim’s session live and pulls the trigger manually. This variation makes the campaign nearly invisible to sandboxes and behavioral detection systems that never see the payload activate.” Attack chains begin with social engineering lures that masquerade as mandatory SSL certificate updates to deliver a PowerShell stager, ultimately resulting in the deployment of a malicious Chrome extension named “Certificado SSL Chrome” that’s responsible for data theft and exfiltration.
In recent months, LATAM financial institutions have been targeted by a JavaScript adversary-in-the-middle (AitM) framework called OverlordMX that also makes use of a human operator, who monitors victims in real time and manually triggers the necessary overlays to capture credentials. The campaign is assessed to be the work of a Spanish-speaking threat actor. “The attack operates in two stages: a web-inject layer that intercepts sensitive information from the victim, followed by a socially engineered RAT delivery that grants the operator full remote control of the victim’s device,” IBM said . Pushka Android Malware Detailed — An Android malware called Pushka is equipped to carry out on-device fraud, while granting remote access trojan (RAT) capabilities to the operators by abusing accessibility services.
“Pushka can use fake overlay tactics to phish victims’ credentials on their mobile devices and can further steal and exfiltrate data from their devices,” IBM X-Force said . “Pushka’s RAT capabilities can perform actions on behalf of the user, including entering the user’s login credentials, and clicking buttons.” Pushka was first spotted in September 2025 across different European countries. It uses fake TV apps as decoys to trick users into installing them. The app acts as a dropper, and uses Android’s PackageInstaller.Session API to silently install its main payload while bypassing Android 13’s Restricted Settings.
“This method replaces the traditional use of Intent.ACTION_INSTALL_PACKAGE and is specifically used to mimic the legitimate installation flow used by the Play Store, allowing the malware to evade the OS-level restrictions introduced in newer Android versions,” IBM said. Ransomware Ecosystem Consolidates in Q1 2026 — Data from Flare shows that the ransomware ecosystem is “reconsolidating around fewer, more capable operators after a fragmented stretch,” led by brands like LockBit, Qilin, and The Gentlemen. The top 10 groups account for 71% of all Q1 2026 victims, with LockBit 5.0 logging 163 victims. Australian Bank Accounts Targeted by Extension-Based Trojan — A highly sophisticated browser extension-based banking is targeting Australian banking customers.
“This is not a traditional virus designed to crash systems or cause visible disruption,” IBM said . “Instead, it is specifically engineered to function as an invisible threat, embedding itself within the browser and operating directly inside the victim’s trusted, authenticated session.” It comes with capabilities to alter displayed balances, transaction history, and transfer limits; intercept one-time passwords (OTP) before submission; steal active banking session cookies; track visited pages and transaction patterns; and maintain a persistent WebSocket C2 connection for real-time commands. Exactly how the extension is distributed is unclear. “Because the attack runs within a legitimate, authenticated session, it inherits the user’s trust context and security controls, effectively neutralizing traditional protections,” the company added.
Chinese and Russian Influence Operations Use AI to Bypass Bot Detection — In a new report, Two Six Technologies said Russian and Chinese inauthentic accounts are likely using AI to enhance content quality rather than to increase content volume and exhibit fewer bot-like behaviours. “AI is enabling and motivating adversaries to craft better content and more human-like accounts,” the company said . “Inauthentic accounts are using AI to add visual appeal to their content. To reach broader audiences, they are probably also using it for translation.
Pro-Russia and pro-China accounts now have slower posting speeds, and more pro-Russia accounts are inactive for a long stretch each day, mimicking a human who sleeps.” Operation Escaneo Targets Mexican Federal and Financial Orgs — A sophisticated campaign targeting Latin American governments and financial institutions has come to light, thanks to an exposed attacker server (“62.171.185[.]97”) that revealed the custom tools, exploitation chain, and persistence tactics adopted by the threat actors. “The campaign is characterised by a proprietary distributed reconnaissance engine (Kimera), a curated exploit armory targeting enterprise perimeter devices (Fortinet, Ivanti, Cisco), portable lateral movement toolkits, and layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels,” CloudSEK said . “The threat actor demonstrated capability to operate across Windows and Linux environments, compromise SAP ERP and Oracle database systems for command execution, extract cryptographic material and Active Directory datasets, and maintain long-dwell access through multiple redundant persistence mechanisms.” The activity has been attributed medium confidence to a group called PanchoVilla (aka MexicanMafia). GNU Savannah Security Flaw Fixed — The Free Software Foundation (FSF) said it has addressed an exploit demonstrated by Hacktron, alongside additional security issues.
“After thorough review, we have found no reason to believe that sensitive project data or credentials were accessed, nor that there has been any compromise of Savannah’s software supply chain,” the FSF said . “Though the initial security issue was reported to us in early May, the vulnerabilities were discovered in software that was published approximately two years prior. We will be communicating directly with Savannah-hosted projects about steps they can take to review and strengthen the security of their projects.” 27-Year-Old Authentication Bypass in OpenBSD — Argus said it discovered a 27-year-old authentication bypass flaw in OpenBSD’s PPP stack that could be used to sidestep Password Authentication Protocol (PAP) entirely. “OpenBSD’s sppp_pap_input function used attacker-controlled length fields as the bcmp comparison length for credential validation,” the company said .
“Sending zero-length name and password fields caused bcmp to return 0 unconditionally, bypassing PAP authentication entirely.” The flaw was introduced in July 1999. A fix was issued on June 14, 2026. Abusing AI Features in SQL Server 2025 for C2 — SpecterOps has revealed that it’s possible to weaponize native AI features in Microsoft SQL Server 2025, such as sp_invoke_external_rest_endpoint, CREATE EXTERNAL MODEL, and AI_GENERATE_EMBEDDINGS as a practical channel for data exfiltration and C2, assuming an attacker has compromised an account with the sysadmin role in the database. To counter the threat, it’s essential to review SQL Server database logins, audit and alert usage of xp_cmdshell, SQL Agent Jobs, and CLR Assemblies, and set up notifications for any changes to sys.external_models or when sp_invoke_external_rest_endpoint is enabled.
ErrTraffic TDS Exposed — A traffic distribution system (TDS) known as ErrTraffic is being operated under a malware-as-a-service (MaaS) model for bad actors to direct users to ClickFix lures. ErrTraffic is a JavaScript framework that’s injected into compromised WordPress sites. It employs the EtherHiding technique as a dead drop resolver to hide its C2 infrastructure within the blockchain. Sekoia’s analysis of the framework has identified two distinct clusters of activity: Analytics and Beer.
While Analytics interacts with the Polygon blockchain to fetch Vidar Stealer, the Beer cluster distributes several stealer families, including Vidar, Stealc, Remus and Salat. Alternatively, malvertising lures impersonating AI tools like Google Antigravity and OpenAI ChatGPT have also been used by the Analytics cluster to propagate DanaBot and Hijack Loader. A threat actor using the name LenAI has advertised and sold the ErrTraffic framework, with a one-month subscription costing $380. The attackers have also been found to use credential stuffing attacks to gain initial access to WordPress accounts and install PHP backdoors on the sites by masquerading as a must-use plugin .
Malicious Resumes Lead to Xctdoor Malware — AhnLab has disclosed details of a new campaign that uses malicious Windows Shortcut (LNK) files disguised as resumes that, upon execution, display decoy documents, while dropping additional scripts which then employ DLL side-loading to deploy Xctdoor , a Go-based backdoor previously attributed to North Korean threat actors. “This attack is a method of executing an LNK file disguised as a normal document, using a task scheduler and a startup program to ensure persistence, and then exploiting the normal executable to execute backdoor malware,” AhnLab said . Bypassing Microsoft Entra Conditional Access Policies — NetSPI said it found a way to bypass Microsoft Entra Conditional Access Policies by abusing Nested App Authentication to return access tokens for the Microsoft Graph API. “It was possible to use certain Nested App Authentication (or BroCI) flows to bypass any Conditional Access policy,” security researcher Thomas Byrne said .
“This vulnerability served mainly as a persistence mechanism as it would have required a successful phishing attack to return an initial refresh token before the vulnerable authentication flows could be carried out.” A fix for the issue has since been rolled out by Microsoft. Mexican Financial Sector Targeted by GitBait — At least a dozen Mexican banks have been targeted by a modular phishing infrastructure dubbed GitBait that abuses GitHub-hosted Pages and employs obfuscated scripts and a centralized credential exfiltration via SheetBest API. Per Group-IB , the large-scale campaign has been active for three years. The activity is “built on a fully serverless architecture that abuses GitHub Pages for hosting and the SheetBest API for credential exfiltration — eliminating the need for any dedicated backend infrastructure.” It’s believed that victims are reached through common phishing delivery channels such as SMS, messaging apps, email, or social media platforms.
In all cases, the victim receives a fraudulent URL that directs them to a phishing page impersonating a trusted financial institution. The phishing pages harvest user credentials, payment card details, client identifiers, and passwords through a multi-stage flow that mimics legitimate banking authentication workflows. In some cases, the captured data is exfiltrated to a Telegram bot, marking a deviation from the SheetBest-based mechanism. More than 100 domains associated with the campaign have been identified.
Email Bombing Leads to Deno-Based Proxy and RAT — A large-scale email flooding campaign is being used as a pretext to target employees with bogus Microsoft Teams calls from an attacker impersonating internal IT support. Victims are then persuaded to download and execute a malicious archive from a fake self-service portal. The archive contains a modular Deno-based Remote Access Trojan and a TCP proxy framework spanning four different JavaScript files. “The JavaScript files implement a Deno-based remote access and tunneling agent,” InfoGuard Labs said .
“The main backdoor connects to a CloudFront-hosted WebSocket C2 endpoint, registers victim identity metadata, receives commands, and brokers traffic through local helper services.” The proxy turns the compromised host into a pivot point for internal network access, allowing the attacker to route traffic through the victim machine. 🔧 Cybersecurity Tools Aether → Because advanced malware often evades standard antivirus software by executing directly in a system’s RAM, security teams need tools to inspect live memory. Aether is an open-source Windows threat-hunting tool that scans active, running processes for hidden payloads, code injections, and malicious behaviors, using a layered validation model to minimize false alarms during incident response. AzureRedOps → It is an open-source offensive security toolkit designed to streamline Microsoft Entra ID and Azure red teaming.
It unifies complex workflows—such as multi-flow token management, directory enumeration, and post-exploitation Microsoft Graph actions—into a single command-line interface. Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.
Conclusion This week’s lesson: most attacks do not need a genius move. They need one trusted app, one stale login, one noisy plugin, or one user chasing a shortcut. The fix starts in the dull places. Cut access.
Clean old sites. Question helper tools. Watch the small cracks, because that is where the week usually starts leaking. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Canada’s Spy Agency Used First-of-Its-Kind Warrant to Clean Botnet-Infected Devices
Canada’s spy service got a judge’s permission to reach into infected servers, home routers, and IoT gear sitting on Canadian soil and neutralize two foreign-run botnets. The Federal Court released a public version of the ruling on June 15. It is the first time the Canadian Security Intelligence Service has used its threat reduction warrant powers this way. The warrant let CSIS alter, degrade, and destroy botnet data on the infected machines and cut the devices loose from the networks.
The targets were Canada-based servers, small office and home office (SOHO) routers, and Internet of Things devices: Ring doorbells, security cameras, TVs, and other Wi-Fi-enabled appliances. Justice Catherine Kane granted the warrant on May 1, 2024, renewed it that August, and issued the confidential reasons in February 2026. The warrant stayed out of public view for more than two years, until this month’s redacted release. CSIS needed the order because the cleanup would likely have been a crime without it.
Reaching into someone else’s device and wiping data is computer mischief under the Criminal Code, so the Service needed a judge’s sign-off before touching the machines. The court found the threat to Canada clearly established and imminent, and the measures necessary, reasonable, and proportional. It stressed the operation went after devices, not people: no user identities sought, no content intercepted, any personal data swept up incidentally destroyed. The two botnets ran the standard relay playbook.
A command tier issued the orders; a layer of infected devices relayed the traffic. By routing through hijacked Canadian hardware, a foreign state can look like an ordinary connection, a home worker, or an ISP customer, while it probes critical infrastructure, government, and military networks. The owner of the infected doorbell gets left looking responsible for traffic they never sent. The court flagged the energy sector among the targets and warned that the adversaries could direct the botnets to probe and potentially disrupt Canadian infrastructure.
The public ruling settles the what: two foreign adversaries, a threat to Canada’s security, the court found clearly made out. What it strips is the who. The timing and the technique match a specific moment in early 2024, but The Bureau, which surfaced the ruling , says it cannot tell from the redacted reasons whether Canada’s two botnets were both Chinese, both Russian, or one of each. The foreign-state hand is a finding.
The flag is the redaction. Same Tactic, a Different Authority That moment was a run of court-ordered botnet cleanups in the United States. In a December 2023 operation, the FBI used the botnet’s own command channel to delete the KV-botnet malware from hundreds of U.S. SOHO routers, mostly end-of-life Cisco and NetGear boxes that the China-linked Volt Typhoon was using to hide access it had planted ahead of a possible crisis inside American communications, energy, water, and transportation systems.
Weeks later, it ran a near-identical operation against a separate network of Ubiquiti routers that Russia’s GRU, the APT28 group , had turned into an espionage relay. Canada’s cyber centre had joined the allied warnings about state actors abusing SOHO and IoT gear. Same court-ordered shape both times: neglected consumer gear, a state operator, a judge signing off on remote disinfection. The difference is who holds the warrant.
The U.S. operations were law enforcement, FBI, and DOJ acting under search-and-seizure authority. Canada’s is an intelligence service using threat reduction measures, the CSIS’s power to actively disrupt a threat rather than just collect intelligence on it, written into the CSIS Act years ago and reworked in the National Security Act, 2017 , which took effect in 2019. CSIS had never reached for it like this until now.
It Still Comes Down to Old Routers The lesson for defenders is the boring one. The botnets feed on the gear nobody maintains: end-of-life routers still wired into the network, IoT kits that never took their last firmware update, anything sitting on default credentials with a management panel facing the internet. A government cleanup does not touch that. In the U.S.
operations, the malware came off, but the weaknesses stayed, and a reboot or factory reset could undo the fix and reopen the door to reinfection. Retiring the dead hardware and locking down what stays is on the owner, not the agency that cleaned up after them. One loose end the public ruling does not close: the application, by The Bureau’s account, leaned on IP addresses CSIS had collected without a warrant, weeks after the Supreme Court of Canada held in R. v.
Bykovets that an IP address carries a reasonable expectation of privacy. Whether that squares with CSIS’s collection authorities, and whether the owners of the disinfected devices were ever told, stay open. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network
A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in. QiAnXin’s XLab calls it AryStinger and counts at least 4,300 infected routers, a total it says is still rising. The distinction matters. AryStinger exists for the stage of an attack that comes before the break-in.
Infected devices scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand, then ship the results back to the operator. Each router becomes a footprinting node and a relay that hides where the real attacker is. Old chips, older bugs The campaign goes after routers built on Realtek’s RTL819X chips, hardware that was current around 2012 to 2015. XLab first saw it on March 12, 2026, spreading from a single IP, 107.150.106.14.
The binary it pushed was a Linux ELF that no engine on VirusTotal flagged, exploiting two flaws from another era: CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link ones. The infected pool is mostly D-Link, with the DIR-850L alone making up about 75 percent. By geography, it skews to South Korea (around 48 percent) and China (around 32 percent), then Sweden, Malaysia, and Singapore. A second strain appeared on April 26, aimed at QNAP NAS boxes through CVE-2025-11837, a code injection flaw in QNAP’s Malware Remover .
The bug was shown at Pwn2Own Ireland 2025 and patched in November 2025, months before this strain began using it. The way in is the appliance’s own malware-removal tool. XLab hasn’t measured the NAS infections, so the 4,300 figure covers RTL819X routers only. Two builds, same job One build is lean, and one is fuller.
The router build is written in C and kept light, because the old hardware can’t run more, so it sticks to mass DNS scanning and traffic tunneling. The NAS build is written in Go and does much more. It scans internal and external networks and runs recon tools like fscan, ksubdomain, and httpx. A “ScriptWork” task executes attacker-supplied Go, Java, or Python source code on the box, so the operator never has to compile a binary per target.
Each infected node, which XLab calls an Executor, talks to its C2 over HTTP/HTTPS, with Protobuf-encoded traffic obfuscated by a simple XOR (the Go build adds gzip). The operator splits a large scan into chunks and spreads them across the fleet, footprinting in parallel. XLab says the same DNS scanning can be aimed at resolvers to generate denial-of-service traffic. Persistence comes from a Dropbear SSH server on a fixed port, 2332 on routers, or gs-netcat on NAS.
The hardcoded key, sh_#@!_2024_secret, carries a “2024” that may point to a 2024 start, though XLab can’t confirm it. Where this fits The shape is familiar. In May 2025, the FBI and Justice Department tore down the 5socks and Anyproxy services , which had turned years-old Linksys and Cisco routers running TheMoon malware into residential proxies sold by the month. The espionage version looks much the same.
Mandiant has tracked operational relay box networks , or ORBs: meshes of compromised end-of-life routers and IoT that state actors use to scan and relay while staying hard to trace. Recent router ORBs like LapDogs farm devices through n-day bugs the way AryStinger does. AryStinger isn’t pinned to anyone yet, and XLab says it’s still working on who is behind it. What’s clear is the model: forgotten hardware, ancient CVEs, turned into quiet infrastructure for the opening moves of an intrusion.
What to do If you run any of the affected gear, the checks are simple. Look for outbound connections to AryStinger’s C2 and download domains (the ajb8.com and related hosts in XLab’s IOC list ), check /tmp/bin for binaries you didn’t put there, and look for processes named syswapd0h or syswapd0w. The durable fix is the one everyone keeps repeating: retire end-of-life routers that no longer get firmware, and turn off remote administration on anything exposed. A box that stopped getting patches in 2016 is not going to start now.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
INTERPOL Warns Phishing, Ransomware, and AI Scams Are Rising Across Asia-Pacific
A new report from INTERPOL has revealed a “dramatic increase” in cybercrime in Asia and the South Pacific, fueled by rapid digitalization, internet penetration, new technologies, organized criminal networks, and a disparity in cybersecurity maturity. According to INTERPOL’s 2025/2026 Asia and South Pacific Cyberthreat Assessment Report, phishing has emerged as the most widespread and financially damaging form of cybercrime, with a third of countries in the region reporting more than 10,000 cases between January 2024 and March 2025. In all, over half of INTERPOL member countries have reported that cybercrime accounted for no less than 30% of all crimes recorded nationally. “The findings in this report highlight a rapidly evolving cyber threat landscape across Asia and the South Pacific, where cybercriminals are leveraging artificial intelligence, ransomware-as-a-service models and sophisticated social engineering techniques on an industrial scale,” Neal Jetton, INTERPOL Cybercrime Director, said in a statement.
“As digital adoption accelerates across the region, strengthening operational cooperation, information sharing, and cyber resilience remains essential to protecting communities and critical infrastructure.” The growing sophistication of cybercriminal tradecraft has led to a surge in ransomware attacks, as well as deepfake and artificial intelligence (AI)-driven scams that involve impersonating business executives to authorize fraudulent transactions. The region is estimated to have registered more than 135,000 ransomware-related attacks in 2024. A vast majority of the incidents impacted the real estate, manufacturing, and financial services sectors. This has been complemented by the industrialization of cyber-enabled scams by transnational organized crime syndicates in countries like Cambodia, Laos, Myanmar, and the Philippines, who have set up extensive scam centers that make use of forced labor to carry out investment scams, preying on people across the world after building friendly or romantic relationships with them.
“Organized crime in Myanmar, Cambodia, and Laos used deepfakes in ‘romance baiting’ scams, blending AI personas and social engineering to fuel $37 billion in regional cybercrime losses,” INTERPOL said. Some of the other regional trends captured by the report include the following - Banking trojans and information stealers materialized as the second most prevalent type of cybercrime, with malware families like RedLine , Lumma , LokiBot , Negasteal , and ZBot taking up the top spots. 5.5 out of every 1,000 individuals in the Asia and South Pacific region clicked on phishing links monthly, nearly double the global average of 2.9 per 1,000. Distributed denial-of-service (DDoS) attacks surged by 92% in 2024 compared to the previous year.
System intrusions accounted for approximately 80% of all data breaches in 2024. Use of deepfake technology for sexual exploitation, blackmail, or coercion. Exploitation of misconfigured systems, weak encryption, insecure APIs, and insufficient monitoring to breach target networks. Ransomware groups weaponize companies’ regulatory obligations to intensify pressure during extortion attempts.
“In response, law enforcement organizations across the region – supported by INTERPOL – are scaling up joint efforts to combat cybercrime,” INTERPOL said. “These include the coordination of operations against cybercriminal infrastructure, collaborative investigations, specialized training initiatives, and the creation of policies to improve cyber resilience.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.