惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Security Affairs
Hacker News: Ask HN
Hacker News: Ask HN
L
Lohrmann on Cybersecurity
PCI Perspectives
PCI Perspectives
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
MyScale Blog
MyScale Blog
月光博客
月光博客
W
WeLiveSecurity
T
Threat Research - Cisco Blogs
Martin Fowler
Martin Fowler
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recorded Future
Recorded Future
The GitHub Blog
The GitHub Blog
Webroot Blog
Webroot Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
F
Full Disclosure
U
Unit 42
Jina AI
Jina AI
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
L
LINUX DO - 最新话题
宝玉的分享
宝玉的分享
大猫的无限游戏
大猫的无限游戏
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
腾讯CDC
T
Threatpost
H
Hacker News: Front Page
P
Palo Alto Networks Blog
博客园 - 聂微东
Last Week in AI
Last Week in AI
有赞技术团队
有赞技术团队
Help Net Security
Help Net Security
L
LINUX DO - 热门话题
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Spread Privacy
Spread Privacy

The Hacker News

SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation 22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 5 Places where Mature SOCs Keep MTTR Fast and Others Waste Time NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More Why Most AI Deployments Stall After the Demo Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems $13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories [Webinar] Eliminate Ghost Identities Before They Expose Your Enterprise Data The Hacker News The Hacker News Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More Deterministic + Agentic AI: The Architecture Exposure Validation Requires Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report) 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025 FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More Your MTTD Looks Great. Your Post-Alert Gap Doesn't North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs Browser Extensions Are the New AI Consumption Channel That No One Is Talking About Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories The Hidden Security Risks of Shadow AI in Enterprises Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP) Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign [Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign The Hidden Cost of Recurring Credential Incidents New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea Multi-OS Cyberattacks: How SOCs Close a Critical Risk in 3 Steps ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners The State of Trusted Open Source Report WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
info@thehack · 2026-05-04 · via The Hacker News

Ravie LakshmananMay 04, 2026Cybersecurity / Hacking

This week, the shadows moved faster than the patches.

While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems.

The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling operations like legitimate businesses — except their product is chaos. And the underground is getting uncomfortably professional.

Here’s the full weekly cybersecurity recap:

⚡ Threat of the Week

cPanel Flaw Comes Under Attack—A critical flaw in cPanel and WebHost Manager (WHM) has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-41940, could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel. In some cases, the attacks have led to a complete wipe of entire websites and backups. Other attacks have deployed Mirai botnet variants and a ransomware strain called Sorry.

🔔 Top News

  • Cybercrime Groups Use Vishing for Data Theft and Extortion—Two cybercrime groups tracked as Cordial Spider and Snarky Spider are carrying out "rapid, high-impact attacks" operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The groups employ voice calls, text messages, and emails, directing targeted employees to phishing pages masquerading as their employer's legitimate single sign-on (SSO) page to capture credentials and provide attackers an entry point into systems, which they exploit for deeper access to victims' SaaS environments. The attacks also use the initial access hooks to remove and set up multi-factor authentication devices under their control and delete emails that would otherwise alert organizations of potential malicious activity. According to CrowdStrike, "These actors use vishing to bypass MFA and move laterally across entire SaaS ecosystems with a single authenticated session, masking their tracks through residential proxy networks to blend in as legitimate home user traffic. This is part of a larger trend of English-speaking ransomware crews that share similar playbooks but are branching off into their own distinct groups."
  • Copy Fail Linux Flaw Exploited—The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-31431, a vulnerability impacting various Linux distributions, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. It's described as a logic bug in the Linux kernel's authentication cryptographic template that allows an attacker to reliably trigger privilege escalation trivially by means of a 732-byte Python-based exploit. According to Theori and Xint, CVE-2026-31431 was the result of a series of unremarkable updates to the Linux kernel over the years, particularly one update from 2017 that was meant to speed up data encryption. As a result, all major Linux distributions from 2017 are impacted. What complicates matters is that Copy Fail works 100% of the time, unlike most local privilege escalation (LPE) bugs that tend to be probabilistic in nature. More worryingly, it leaves no traces on disk as exploitation occurs in memory and enables container escape from any pod in a Kubernetes cluster.
  • TeamPCP's Supply Chain Attack Spree Continues—TeamPCP's extensive supply chain campaign continued last week, as the cybercriminal group compromised several packages across the npm, PyPI, and Packagist ecosystems in a "Mini Shai Hulud" attack. TeamPCP has in recent months compromised the packages of several open source software projects, including Trivy, a security scanner maintained by Aqua Security, and KICS, a Checkmarx-developed tool for static code analysis. Amit Genkin, threat researcher at Upwind, said the latest string of attacks represents a shift, where they are not only more frequent but harder to detect because they weaponize legitimate CI/CD pipelines to push out poisoned versions under real identities, allowing the activity to blend in with normal development workflows. "Campaigns like Shai-Hulud take that further by using each compromised pipeline to spread to the next, turning credential theft into a scaling problem across environments," Genkin said. "For teams, the immediate priority is to check for the affected version and rotate any credentials tied to pipelines that may have run it, especially GitHub and cloud tokens. Longer term, this is a signal to reduce how broadly pipeline credentials are scoped and to add visibility into what's actually happening during installs and builds – because if you're relying on traditional scanning or known indicators, this type of activity is easy to miss."
  • New Python Backdoor Enables Comprehensive Data Theft—A newly identified stealthy Python-based backdoor framework dubbed DEEP#DOOR provides attackers with persistent remote command execution and surveillance capabilities on Windows computers. Once active, the backdoor enables shell command execution, file manipulation, system and network reconnaissance, and surveillance operations such as keylogging, clipboard monitoring, screenshot capture, microphone and webcam access, and credentials and SSH key harvesting. Additionally, the malware can shift from data gathering to disruption and system manipulation, as it can overwrite the Master Boot Record, force system crashes, exhaust system resources by spawning numerous processes, and disable Microsoft Defender services.
  • GitHub Flaw Leads to Remote Code Execution—Cybersecurity researchers from Wiz disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server (CVE-2026-3854, CVSS score: 8.7) that could allow an authenticated user to obtain remote code execution with a single "git push" command. The vulnerability was severe enough that Microsoft rolled out a patch within six days of responsible disclosure. On GitHub.com, it allowed remote code execution on shared storage nodes, and on GitHub Enterprise Server, it granted full server compromise, enabling unauthorized access to all hosted repositories and internal secrets. "Exploitation could expose the codebases of nearly all of the world's biggest enterprises, making this one of the most severe SaaS vulnerabilities ever found," a Wiz spokesperson told The Hacker News.
  • VECT 2.0 Ransomware's Flawed Encryption Makes Data Recovery Impossible—VECT 2.0 ransomware has been found to wipe large files instead of merely encrypting them, making recovery impossible, even for the attackers. VECT 2.0 is a ransomware-as-a-service (RaaS) program that first appeared in December 2025. The group quickly grabbed headlines after it announced on BreachForums that it was partnering with TeamPCP, the threat group behind several supply chain attacks, such as Trivy, Checkmarx KICS, LiteLLM, and Telnyx, in March and April 2026. VECT also announced a partnership with BreachForums itself, promising that every registered forum user will become an affiliate and be granted use of the ransomware, negotiation platform, and leak site for operations. Beazley Security, in an analysis of the ransomware, said the VECT 2.0 RaaS panel covers the "full operational lifecycle an affiliate needs from payload generation through to payout."

🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.

Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-41940 (cPanel and WebHost Manager), CVE-2026-31431 aka Copy Fail (Linux Kernel), CVE-2026-42208 (LiteLLM), CVE-2026-3854 (GitHub.com and GitHub Enterprise Server), CVE-2026-32202 (Microsoft Windows Shell), CVE-2026-26268 (Cursor), CVE-2026-35414 (OpenSSH), CVE-2026-6770 (Mozilla Firefox and Tor Browser), CVE-2026-42167 (ProFTPD), CVE-2026-24908, CVE-2026-23627, CVE-2026-24487 (OpenEMR), CVE-2026-6807 (GRASSMARLIN), CVE-2026-7363, CVE-2026-7361, CVE-2026-7344, CVE-2026-7343 (Google Chrome), CVE-2026-7322, CVE-2026-7323, CVE-2026-7324 (Mozilla Firefox), CVE-2026-6100 (CPython), CVE-2026-0204 (SonicWall), CVE-2026-35414 (OpenSSH), CVE-2026-42511 (FreeBSD), CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, CVE-2026-40687 (Exim), CVE-2026-5402, CVE-2026-5403, CVE-2026-5405, CVE-2026-5656 (Wireshark), CVE-2026-42520, CVE-2026-42523, CVE-2026-42524 (Jenkins), CVE-2026-3008 (Notepad++), and CVE-2025-41658, CVE-2025-41659, CVE-2025-41660 (CODESYS).

🎥 Cybersecurity Webinars

  • Learn to Spot Attack Paths Your AppSec Tools Completely Miss → Modern attackers chain tiny flaws across code, pipelines, and cloud into major breaches — while your AppSec tools stay blind. Join this free webinar with Wiz and The Hacker News to uncover the top real-world attack paths and learn exactly how to spot, map, and stop them fast. Practical insights to prioritize real risks and strengthen your entire software lifecycle.
  • How to Match AI Attack Speed with Autonomous Exposure Validation → Struggling with AI attacks moving faster than your team can respond? Join this free webinar from Picus Security & The Hacker News to discover Autonomous Exposure Validation – how to automatically find real risks, test attack paths, and fix them in minutes, not weeks. Practical, no-fluff insights to stay ahead without burnout. Grab your spot now.
  • Learn Latest AI Threats + Practical Ways to Kill Initial Access → Modern attackers are slipping past traditional defenses with AI-powered phishing, encrypted malware, and stealthy “Patient Zero” tactics. Want to stay ahead? Join this free webinar with Zscaler and The Hacker News to uncover the latest threat trends and practical Zero Trust strategies that actually stop initial compromise — before it becomes a full-blown breach. No fluff, just real insights to protect your organization.

📰 Around the Cyber World

  • OpenAI Debuts Advanced Account Security —OpenAI launched Advanced Account Security, a set of opt-in protections for ChatGPT users "designed for people at increased risk of digital attacks, as well as for those who want the strongest account protections available." As part of the new program, the new controls strengthen sign-in protections, tighten account recovery, reduce exposure from compromised sessions, and give users more visibility into account activity. OpenAI has also partnered with Yubico to link two physical security keys, YubiKey C Nano and YubiKey C NFC, to ChatGPT accounts. That said, users can use any other FIDO-compliant security key, or use software-based passkeys for phishing-resistant authentication.
  • Over 8.8K Ransomware Attacks in 2025 —Fortinet said it recorded 7,831 confirmed ransomware victims globally in 2025, skyrocketing from approximately 1,600 identified victims in 2024. "Availability of crime service kits like WormGPT, FraudGPT, and BruteForceAI contributed to this 389% increase year-over-year (YoY)," Fortinet said. "The top three targeted sectors include manufacturing (1,284), business services (824), and retail (682). Geographic concentration includes the U.S. (3,381), Canada (374), and Germany (291)."
  • KidsProtect Android Surveillance Tool Marketed on the Web —A new Android surveillance tool called KidsProtect is being openly advertised on the clear web that gives an operator near-total secret control of a victim’s phone. "It can't be removed without the attacker's permission," Certo said. "From a web-based dashboard, an operator can secretly record calls, stream live audio from the device’s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras." Assessed to be the work of a Greek-speaking developer, it's available on a subscription basis starting from $60, allowing anyone to buy it, rebrand it, and start selling it as their own.
  • New KYCShadow Android Malware Detected —An Android malware masquerading as a bank KYC verification application is being distributed via WhatsApp and primarily targeting users in India. "The application operates as a multi-stage dropper that installs a secondary payload and establishes persistent command-and-control (C2) communication," CYFIRMA said. "It combines native code obfuscation, Firebase-based remote execution, VPN-based traffic manipulation, and WebView-based phishing to systematically harvest sensitive user data."
  • Phishing Campaign Targets Pakistan Orgs —A highly targeted spear-phishing campaign targeting the Punjab Safe Cities Authority and PPIC3 in Pakistan has been found to use legitimate-sounding government infrastructure projects as lures to deliver malware. "The email carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from a BunnyCDN-hosted malicious infrastructure," Joe Security said. "The attack chain establishes persistent remote access by abusing Microsoft's legitimate VS Code tunnel service, with exfiltration notifications sent via a Discord webhook — a sophisticated technique designed to evade network-level detection."
  • Calendly-Themed Phishing Attacks on the Rise —Multiple threat clusters are leveraging Calendly-themed phishing to fingerprint site visitors and steal credentials and other data. "Behind the shared Calendly branding sits a diverse set of phishing kits, including API-driven frameworks, real-time Socket.IO applications, fake CAPTCHA chains, and Telegram-based exfiltration," urlscan said.
  • Fraud Campaigns GovTrapand FEMITBOT Exposed —Threat actors have been observed deploying sophisticated tactics, including fake government portals, SMS phishing, and lookalike domains, to drive financial fraud and credential harvesting as part of an effort called GovTrap. The government impersonation scam mimics official portals with high accuracy, with links to the fake sites distributed via SMS or email. The end goal is to trick users into entering their personal and financial information, or make non-existent payments that are transferred through money mule accounts. The collected payment card details are abused to facilitate fraudulent transactions. Another threat cluster has leveraged FEMITBOT, a malicious infrastructure that abuses Telegram Mini Apps to scale global fraud campaigns and Android malware delivery. "By leveraging Telegram's native features, threat actors create highly convincing fake platforms across crypto, financial services, AI, and streaming sectors," CTM360 said. "Built on a modular, template-driven architecture, FEMITBOT enables rapid deployment, brand impersonation, and campaign optimization using real-time tracking and analytics."
  • New PowerShell Desktop Stealer Spotted —A Pastebin-hosted PowerShell script disguised as "Windows Telemetry Update" comes with capabilities to steal Telegram Desktop session data via Telegram bot API exfiltration. "The script collects host metadata, including username, hostname, and public IP via api.ipify[.]org, then checks for Telegram Desktop and Telegram Desktop Beta tdata directories," Flare said. "If found, it terminates the Telegram process to release file locks, archives session material into 'TEMP\diag.zip,' and uploads the archive to the attacker-controlled operator chat via the Telegram Bot API sendDocument endpoint."
  • Surge in Teams Phishing in 2026 —eSentire said it has observed an increase in Microsoft Teams-based phishing since early 2026, in which threat actors impersonate IT support and help desk personnel to trick users into granting remote access to their devices. "These phishing attacks have often been linked to email bombing, followed by threat actors reaching out to users under the guise of providing assistance to resolve an issue," eSentire said. "The objective of the attack is to trick the user into granting remote access to their device, and once obtained, threat actors will attempt to exfiltrate data and execute additional payloads to establish persistence or deploy ransomware."
  • New KarstoRAT Malware Enables Data Theft —First spotted in early 2026, KarstoRAT is capable of system reconnaissance, audio and webcam monitoring, screenshot capture, key logging, and token theft. It also enables threat actors to download and run additional payloads, which could point to it being used for post-compromise control on infected machines. "KarstoRAT uses a command-and-control (C2) server that has a diverse set of open ports and services, indicating that it has a multi-purpose infrastructure created for C2 communication and payload distribution," LevelBlue said. "Threat actors use a fake Blox Fruits (a popular Roblox game) virtual marketplace as a lure to trick players into downloading malware that will install KarstoRAT into their machines."
  • ClickUp Discloses Email Address Exposure —ClickUp said its client-side feature flag configuration exposed personally identifiable information. This included 893 customer email addresses that were embedded in feature flag targeting rules, along with one flag that improperly referenced a customer’s API token. "The exposure was limited to 893 customer email addresses used in feature flag targeting rules to control which users see specific features during rollouts," it said. "If your email address was among those included in a feature flag configuration, you have been directly contacted." The incident did not expose any other data.
  • Finnish Authorities Arrest Alleged Scattered Spider Member —Finnish authorities arrested 19-year-old Peter Stokes (aka Bouquet), a dual U.S.-Estonian citizen, as he tried to board a flight to Japan. U.S. prosecutors have charged him as a key member of the notorious Scattered Spider hacking group, and he faces multiple counts of wire fraud, conspiracy, and computer intrusion.
  • New Attacks Linked to Versatile Werewolf —The threat actor known as Versatile Werewolf (aka HeartlessSoul) has been linked to campaigns targeting Russian state structures and aviation companies via phishing emails with malicious archive attachments and malvertising campaigns to deliver a JavaScript trojan. The end goal is to obtain confidential data, particularly geospatial information. Alternatively, the threat actor is known to distribute malicious code using the legitimate SourceForge platform through a project called GearUP. Versatile Werewolf is believed to be active since at least September 2025. Some of the attachments have exploded ZDI-CAN-25373 to trigger the infection chain. The malvertising campaign uses fake domains ("battleflight[.]pro") to deliver bogus installers for aviation-related software to launch the same trojan. "The initial infection involves executing PowerShell commands or scripts designed to download a JavaScript loader from C2 servers," Kaspersky said. "This loader, in turn, loads and executes the main JS-RAT and its modules in memory, among which we found tools for data collection and exfiltration, keyloggers, screen capture tools, UAC bypass tools, and other payloads." The company noted that the domain "battleflight[.]pro" resolves to an IP address that also hosts fake domains linked to the GOFFEE APT. "Both groups actively use PowerShell payloads to deliver and execute malicious modules," it added. "GOFFEE also targets the public sector, which suggests the possibility of joint or coordinated campaigns."
  • Cisco Unveils Model Provenance Kit —Cisco unveiled a new open-source tool, named Model Provenance Kit, to help organizations address potential issues associated with the use of third-party AI models. "Much like a DNA test reveals biological origins, the Model Provenance Kit examines both metadata and the actual learned parameters of a model (like a unique genome that comprises a model), to assess whether models share a common origin and identify signs of modification," Cisco said. "This, combined with a constitution that defines provenance linkages, is an important step toward providing evidence-based assurance that the AI you deploy is what it says it is."
  • Abuse of Hugging Face and ClawHub for Malware Delivery —Threat actors are abusing legitimate AI platforms like Hugging Face and ClawHub for malware delivery, once again demonstrating how trust in AI ecosystems are being exploited. Acronis said it identified more than 575 malicious skills across 13 developer accounts that target both Windows and macOS systems with trojans, cryptocurrency miners, and AMOS stealer, a macOS-focused infostealer. "On Hugging Face, attackers leverage repositories to host payloads and act as staging infrastructure within multistep infection chains, distributing malware disguised as legitimate applications," Acronis said.
  • European Authorities Bust Cryptocurrency Fraud Ring —Albanian and Austrian authorities dismantled a cryptocurrency investment fraud ring that caused estimated losses of more than €50 million ($58.5 million) to victims worldwide. The operation, which took place over two years, resulted in the arrest of ten individuals, the search of multiple premises, and the seizure of 891,735 in cash, 443 computers, 238 mobile phones, six laptops, and multiple storage devices. "The criminal network, allegedly operating several call centres in Tirana, Albania, is believed to have caused significant financial damage, totalling at least €50 million," Europol said. "The call centres were professionally set up and organized, resembling legitimate business structures featuring a clear division of roles and hierarchical management." The criminal network is estimated to have involved up to 450 employees across various departments. The scheme involved luring victims to seemingly legitimate online investment platforms through deceptive advertisements on social media or web searches, and coaxing them into making investments under the promise of huge returns. Victims were then assigned retention agents, who masqueraded as investment advisors and used remote access software to gain full control of their devices. "The fraudsters feigned professional expertise and employed psychological pressure to persuade victims to make additional investments, falsely claiming they would be profitable," Europol said. "In truth, the funds were never invested but were instead channelled into an intricate international money-laundering scheme, ultimately disappearing into the hands of the criminal organisation." In some cases, the fraudsters reached out to the victims again and offered help with recovering their stolen funds, only to demand a €500 entry fee and defraud them a second time.
  • Flaws in EnOcean's SmartServer —Two security flaws have been disclosed in EnOcean's SmartServer IoT platform that affect version 4.60.009 and prior. According to Claroty: "CVE-2026-20761 allows remote attackers to send malicious, crafted LON IP-852 messages that result in arbitrary command execution on devices. CVE-2026-22885 allows remote attackers to send malicious, crafted IP-852 messages that bypass ASLR memory protections and leak memory." Successful exploitation of the flaws results in attackers obtaining control over building management and building automation systems running affected versions of this platform and legacy i.LON devices. Patches have been released for both vulnerabilities.
  • Google Announces Android Credential Manager Update —Google has announced a new update to Android's Credential Manager that allows apps to automatically verify a user's personal Gmail address without requiring one-time passwords (OTPs) or email verification links. "Google now issues a cryptographically verified email credential directly to Android devices," the company said. "For users, this completely removes the need to manually verify their email through external channels. For developers, the API securely delivers these verified user claims for any scenario, whether you are building an account creation flow, a recovery process, or a high-risk step-up authentication."
  • Nearly 8.8K Secrets Leaked Online —According to Truffle Security, 8,792 verified, unique secrets have been leaked online through web-based development environments. The tokens were found across 22 million public projects hosted on Cloud Development Environments (CDEs) such as CodePen, CodeSandbox, JSFiddle, and StackBlitz.
  • Is There More to the Xygeni Compromise? —Multiple connections have been found between the compromise of the Xygeni vulnerability scanner on GitHub and a proxy botnet of hacked ASUS and TP-Link routers. Some of the TP-Link consumer routers have been compromised with Microsocks to unroll them to a residential proxy network. "These routers were also running a custom command-and-control beacon that was named ShadowLink," Ctrl-Alt-Intel said. "When we analysed the ShadowLink protocol, we found it was identical, down to a shared authentication secret, to the backdoor planted in the Xygeni GitHub Action used for that supply chain attack."
  • Brazilian Anti-DDoS Firm Behind DDoS Attacks on ISPs —Huge Networks, a Brazilian tech company that specializes in protecting networks from distributed denial-of-service (DDoS) attacks, has been enabling a botnet responsible for massive DDoS attacks against other internet service providers (ISPs) in the country, according to KrebsOnSecurity. The company has since said the malicious activity resulted from an intrusion first detected in January 2026 and claimed it was likely the work of a competitor.
  • Canonical Target of Sustained DDoS Attack —Canonical disclosed its web infrastructure came under a "sustained, cross-border attack," knocking Ubuntu servers offline for several hours. A pro-Iranian hacktivist group known as the Islamic Cyber Resistance in Iraq, aka 313 Team, claimed responsibility for the attack on Telegram. The websites have since become operational. Last month, the group also disrupted access to the decentralized social media platform Bluesky.
  • New Phishing Kit Bluekit Detailed —A new phishing kit named Bluekit is offering more than 40 templates targeting popular services and includes basic artificial intelligence (AI)-powered features for generating campaign drafts. Available templates can be used to target email accounts (Outlook, Hotmail, Gmail, Yahoo, ProtonMail), cloud and enterprise services (iCloud and Zoho), developer platforms (GitHub), and cryptocurrency services (Ledger). What makes the kit stand out is the presence of an AI Assistant panel that supports multiple models, including Llama, GPT-4.1, Claude, Gemini, and DeepSeek, to help criminals draft phishing emails. It also has support for two-factor authentication, geolocation emulation, antibot cloaking, notifications, spoofing capabilities, voice cloning, and a mail sender. The development once again reinforces the broader trend of crimeware services integrating AI to streamline and scale their operations. Bluekit is the second kit to integrate AI features in as many months. In April 2026, Abnormal Security shed light on a cybercrime platform called ATHR that uses AI vishing agents, credential harvesting panels, and built-in phishing mailers to execute and scale telephone-oriented attack delivery (TOAD) attacks.
  • North Korea Calls U.S. Cyber Threat Claims a Fabrication — North Korea's foreign ministry rejected U.S. accusations that the country poses a cyber threat, stating the U.S. was spreading false information about a non-existent cyber threat from North Korea for political purposes, per Reuters. The ministry said it "would actively take all necessary measures for defending the interests of the state and protecting the rights and interests of its citizens in cyberspace."

🔧 Cybersecurity Tools

  • Model Provenance Kit → It is a free open-source Python tool from Cisco AI Defense that helps identify if a machine learning model is based on a known base model (like Llama, Mistral, GPT, etc.). It analyzes architecture, tokenizer, and weights to quickly compare two models or check against a database of ~150 popular base models.
  • AutoFyn → It is an open-source tool from SignalPilot Labs that runs Claude AI in self-improving loops to optimize measurable goals. Give it a GitHub repo, a clear task (like security hardening, bug fixing, or performance optimization), and a time budget — it works in sandboxed rounds, tracks progress with real evaluations, learns from failures, and delivers improved code via PRs.

Disclaimer: This is strictly for research and learning. It hasn't been through a formal security audit, so don't just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.

Conclusion

Stay sharp out there.

The pace of attacks is accelerating, and the margin for delay is shrinking. Patch what you can today, verify your supply chains, tighten SaaS access, and treat every “routine” login or pipeline run as potentially hostile. Small habits now will save major headaches later.

Until next Monday. Keep your defenses tight and your eyes open. The threats won’t wait — neither should we. See you in the next recap.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.