惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
F
Fortinet All Blogs
博客园 - 聂微东
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Hugging Face - Blog
Hugging Face - Blog
V
Visual Studio Blog
小众软件
小众软件
有赞技术团队
有赞技术团队
雷峰网
雷峰网
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
AWS News Blog
AWS News Blog
C
Cisco Blogs
美团技术团队
T
Threat Research - Cisco Blogs
C
CERT Recently Published Vulnerability Notes
人人都是产品经理
人人都是产品经理
宝玉的分享
宝玉的分享
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
酷 壳 – CoolShell
酷 壳 – CoolShell
Stack Overflow Blog
Stack Overflow Blog
W
WeLiveSecurity
D
DataBreaches.Net
博客园 - 司徒正美
Blog — PlanetScale
Blog — PlanetScale
IT之家
IT之家
云风的 BLOG
云风的 BLOG
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Simon Willison's Weblog
Simon Willison's Weblog
Google DeepMind News
Google DeepMind News
T
The Blog of Author Tim Ferriss
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
Vercel News
Vercel News
月光博客
月光博客
T
Tailwind CSS Blog
H
Help Net Security
aimingoo的专栏
aimingoo的专栏
P
Proofpoint News Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Spread Privacy
Spread Privacy
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cisco Talos Blog
Cisco Talos Blog
Microsoft Security Blog
Microsoft Security Blog
V
V2EX
WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
Recent Announcements
Recent Announcements

The Hacker News

SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation 22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 5 Places where Mature SOCs Keep MTTR Fast and Others Waste Time NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More Why Most AI Deployments Stall After the Demo Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems $13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories [Webinar] Eliminate Ghost Identities Before They Expose Your Enterprise Data The Hacker News The Hacker News Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More Deterministic + Agentic AI: The Architecture Exposure Validation Requires Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report) 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025 FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More Your MTTD Looks Great. Your Post-Alert Gap Doesn't North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs Browser Extensions Are the New AI Consumption Channel That No One Is Talking About Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories The Hidden Security Risks of Shadow AI in Enterprises Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP) Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign [Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign The Hidden Cost of Recurring Credential Incidents New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea Multi-OS Cyberattacks: How SOCs Close a Critical Risk in 3 Steps ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners The State of Trusted Open Source Report WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
The Hacker News
The Hacker News · 2026-06-22 · via The Hacker News

It’s Monday again.

This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.

The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.

Here’s the Monday recap. Let’s get into the week’s mess.

⚡ Threat of the Week

FortiBleed Campaign Identifies Over 80K Targets — A large-scale campaign codenamed FortiBleed has systematically targeted and compromised Fortinet FortiGate firewall and SSL VPN gateway devices worldwide. According to SOCRadar, it has been running since at least February 2026, with over 80,000 devices identified with working usernames and passwords that have been tested by suspected Russian-speaking threat actors using automated tools running around the clock. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. Fortinet also said the campaign likely involves the threat actors reusing credentials from previous incidents, such as CVE-2026-24858, CVE-2025-59718, and CVE-2025-59719, along with employing brute-force techniques against devices with weak password hygiene and no multi-factor authentication (MFA).

🔔 Top News

  • Salesforce Disables Klue App Integration After New Extortion Campaign — Salesforce revealed that it disabled the Klue Battlecards app integration within its platform in response to a security incident impacting the competitive intelligence company on June 11, 2026. "Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app's connection to Salesforce," the company said. "This issue is limited to Klue's app connection and does not arise from a vulnerability within the Salesforce platform." The development comes as an extortion group dubbed Icarus compromised and exfiltrated data from customers of Klue after obtaining access through a compromised legacy credential associated with an integration service. A number of companies have publicly acknowledged the incident, but noted the impact is limited.
  • The Gentlemen RaaS Develops GentleKiller EDR Killer Suite — The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for shutting down endpoint detection and response (EDR) products before deploying the encryptor. The centerpiece of the group's EDR-disabling capability is GentleKiller, an in-house developed framework that comes in eight different variants, each one impersonating a different legitimate product and abusing a different vulnerable or malicious kernel driver. GentleKiller targets over 400 processes belonging to 48 security products, including CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Kaspersky, and ESET itself.
  • Splunk Flaw Actively Exploited in the Wild — Splunk's Product Security Incident Response Team (PSIRT) said it became aware of "limited exploitation" of CVE-2026-20253, a critical flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. "In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint," Splunk said. "The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials." In an analysis of the flaw, Resecurity said it's "particularly dangerous" as it can be exploited remotely without authentication or user interaction. "By chaining multiple weaknesses together, an attacker can progress from unauthenticated access to arbitrary file operations and ultimately Remote Code Execution (RCE)," it said. "A successful compromise may expose sensitive logs, credentials, security alerts, and operational data while providing attackers with a foothold for persistence, defense evasion, and lateral movement within the environment."
  • Unpatchable 'usbliter8' Exploit Targets Apple A12 and A13 Chips — Security researchers at Paradigm Shift released details of a working exploit dubbed usbliter8 that could be abused to achieve arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips. The vulnerability is classified as a hardware bug residing in the Synopsys DWC2 USB controller, meaning the issue can never be patched. That said, a successful exploitation requires an attacker to have physical access to a vulnerable device. A proof-of-concept for usbliter8 has been made publicly available.
  • Operation Endgame Disrupts SocGholish Servers — Dutch law enforcement authorities, along with counterparts from Canada, Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. The takedown is part of Operation Endgame, an ongoing international law enforcement initiative to combat botnets and associated criminal infrastructures. It was launched in 2024. As part of the effort, 106 servers linked to SocGholish have been taken down, and 14,971 WordPress sites have been rid of the infections. Website owners have been notified to update their content management system (CMS), change their credentials, and delete any suspicious accounts.
  • Malicious Campaign Fakes Popularity to Deliver Crypto Clipper — A cryptocurrency-stealing malware campaign has been targeting cryptocurrency asset holders and online gamblers by faking its own popularity, dressing up booby-trapped sniper bots and crash-game predictors with bogus GitHub stars, inflated download counts, and artificial intelligence (AI)-narrated YouTube tutorials. The activity has been traced to a Rust-based clipper malware targeting Windows and macOS users. The lures are "edge" tools that promise easy money, crypto sniper bots, and "predictors" that claim to forecast crash-gambling games, aimed at traders and gamblers chasing shortcuts, while a WordPress phishing page acts as the hub, funneling victims to the downloads.
  • Rokarolla Android Trojan Combines Banking Fraud with Screen Surveillance — A new "invasive" Android trojan dubbed Rokarolla is being distributed via malicious websites, while masquerading as popular applications like TikTok or Google Chrome. It's designed to target 217 distinct cryptocurrency and banking applications by serving fake overlay login screens, in addition to leveraging 137 commands that grant it complete control of a compromised device. It can harvest lock screen credentials, exfiltrate sensitive contact lists and SMS data, monitor the screen to capture WhatsApp data, take screenshots by abusing Android's accessibility services, redirect cryptocurrency transactions, and utilize keyloggers to continuously record user input. The malware also actively hides its presence from the launcher screen and disrupts user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect. "The infection process begins when a dropper misleads users into installing a secondary payload containing the core malware," Zimperium said. "By masquerading as Google Play Protect, the dropper facilitates the installation of this payload. This strategy allows the malware to evade Android restrictions and exploit Accessibility services."

🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.

Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-20262 (Cisco SD-WAN Manager), CVE-2026-54420 (LiteSpeed cPanel Plugin), CVE-2026-48907 (Widget Factory Joomla Content Editor), CVE-2026-4020 (Gravity SMTP WordPress Plugin), CVE-2026-47101, CVE-2026-47102, CVE-2026-40217, CVE-2026-49468 (LiteLLM), CVE-2026-24190 (NVIDIA Display Driver for Windows and Linux), CVE-2026-48558 (SimpleHelp), CVE-2026-39449 (Contact Form to Any API WordPress plugin), CVE-2026-39849, CVE-2026-44693 (Pi-hole FTL), CVE-2026-49980, CVE-2026-41179, CVE-2026-41176 (Rclone), CVE-2026-54157 (@lobehub/lobehub), CVE-2026-48746 (vllm), CVE-2026-48519 (Langflow), CVE-2026-38329 (Bludit CMS), CVE-2026-39949 (Cacti), CVE-2026-8444 (WP Review Slider Pro WordPress plugin), CVE-2026-52697 (Taskbuilder WordPress plugin), CVE-2026-52700 (WCMultiShipping WordPress plugin), CVE-2026-3326 (XStore WordPress theme), CVE-2026-2418 (Login with Salesforce WordPress plugin), CVE-2026-6379 (WP Photo Album Plus WordPress plugin), CVE-2026-2446 (PowerPack for LearnDash WordPress plugin), CVE-2025-15445 (Restaurant Cafeteria WordPress theme), CVE-2026-8443 (WP Review Slider Pro WordPress plugin), CVE-2026-6933 (Premmerce Dev Tools WordPress plugin), CVE-2026-9848 (WP Ticket Customer Service Software & Support Ticket System WordPress plugin), CVE-2026-52707 (Kastell WordPress theme), CVE-2026-52703 (FastDup WordPress plugin), CVE-2026-52706 (JetEngine WordPress plugin), CVE-2026-27429 (Nifty WordPress theme), CVE-2025-69129 (WordPress & WooCommerce Scraper WordPress plugin), CVE-2026-27400 (BookPro WordPress plugin), CVE-2026-8713 (Avada Builder WordPress plugin), from CVE-2026-12437 through CVE-2026-12443 (Google Chrome), CVE-2026-12326, CVE-2026-12327, CVE-2026-12328 (Mozilla Firefox), CVE-2026-8049, CVE-2026-8050 (SignalRGB kernel driver), CVE-2026-20266 (Splunk AI Toolkit), CVE-2026-41293, CVE-2026-43512, CVE-2026-42579, CVE-2026-42584, CVE-2026-43515 (Atlassian Confluence Data Center and Server), CVE-2026-20181, CVE-2026-20190 (Cisco Identity Services Engine and ISE Passive Identity Connector), CVE-2026-48933, CVE-2026-48618 (Node.js), CVE-2026-9862 (Fortra Core Privileged Access Manager), and multiple vulnerabilities in Crawl4AI Docker API (no CVEs).

🎥 Cybersecurity Webinars

  • Your Company Is Using More AI Than You Can See. Here’s How to Secure It → AI bots are actively accessing your company’s sensitive data—often without a clear human owner to hold accountable. Join this webinar to learn how to uncover hidden AI tools, lock down their permissions, and safely take back control of your network before a blind spot becomes a massive data breach.
  • Machine-Speed Attacks are Here: How to Stop AI-Powered Hackers → Hackers are now using AI to launch lightning-fast, highly convincing attacks that easily slip past traditional security. If your defenses rely on old, 'human-speed' tools, you're already falling behind. Join this critical webinar to see exactly how AI-powered threats operate—and get a clear, practical blueprint to lock down your network and stop machine-speed attacks in their tracks.

📰 Around the Cyber World

  • Flaws in SiderAI and MaxAI — Critical vulnerabilities have been disclosed in SiderAI (Spyder) and MaxAI (MaXSS) agentic side-panel Chrome extensions that can allow malicious websites to take screenshots of arbitrary websites or run arbitrary code by taking advantage of the add-ons' permissions. "Abusing these vulnerabilities allows attackers to compromise all browser sessions across any website, leading to the leakage of sensitive information, the invocation of arbitrary commands, and even account takeover," Rebora said. "Furthermore, there was a potential risk of stealing files from the underlying operating system." Both extensions have a "Featured" badge and have been collectively installed nearly 7 million times. Given that the issues remain unpatched, users are recommended to remove them until fixes are in place.
  • Israeli Company Linked to Popa Android TV Box Botnet — The Popa Android TV box botnet, which has been used for residential proxy traffic in ad fraud and website scraping, has been attributed to NetNut, operated by publicly traded Israeli company Alarum Technologies. Qurium, along with the Nokia Deepfield Emergency Response Team and Synthient, has found that Popa is a "residential proxy software family that turns consumer devices into internet relay nodes" by means of a software development kit. It's worth noting that Popa was first flagged by QiAnXin XLab in March 2025 as an Android component of the Vo1d botnet. "So Popa is not a traditional downloader or banking trojan, the ultimate goal of the code is just to implement a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening tunnels on demand," according to the report. "Not differently from many other types of malware, Popa does not connect directly to a fixed command-and-control server. The compromised device starts by connecting a limited set of domain names to later learn where to register and tunnel the traffic." The botnet has impacted millions of consumer TV boxes over the last four years. Alarum, which also maintains RoboVPN, a commercial VPN service that includes a residential-proxy SDK that turns the user's machine into an exit node for third-party traffic. In a statement shared with cybersecurity journalist Brian Krebs, NetNut and Alarum have disputed the allegations, calling them "demonstrably inaccurate assertions and flawed deductions rather than verified facts," adding "the SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems or otherwise compromise the devices on which they operate." The development comes weeks after another report from Include Security found that an iOS SDK that Bright Data embeds in consumer apps can turn devices, including always-on smart TVs, into exit nodes that relay web-scraping traffic with users' consent.

  • Prinz Eugen Encrypts Recent Files — A new Go-based ransomware called Prinz Eugen has been observed targeting recently modified files for encryption. "It performs recursive encryption, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity checks, and leaves no ransom note on disk," Malwarebytes Threatdown said. It's suspected that the attackers gain initial access through compromised RDP credentials. The ransomware binary also takes steps to frustrate forensic analysis and recovery. The ransomware has been attributed to an actor called ROOTBOY, who has a track record of selling stolen data on cybercrime forums.
  • Okendo Reviews Widget Compromised in SmartApeSG Supply Chain Attack — Okendo Reviews widget, a popular customer review platform used by more than 18,000 brands, is said to have been compromised as part of attacks designed to deploy malware via embedded malicious JavaScript code. The activity, detected on May 14, 2026, has been tied to SmartApeSG, which was previously observed using ClickFix and FakeUpdates lures to distribute NetSupport Manager. "The injected JavaScript used obfuscation, environment checks, and staged execution," Zscaler said. "The SmartApeSG injected JavaScript behaved as a staged loader, and did not attempt to execute every action immediately. Instead, the JavaScript focused on control, reconstruction, and retrieval, which reduced the visibility of the script and gave the operator more flexibility." The end goal of the attacks is to serve bogus ClickFix prompts that lead to malware deployment. In the past, SmartApeSG has also relied on command-and-control (C2) servers hosted on Russian infrastructure providers to communicate with hosts infected with Remcos RAT through fake CAPTCHA prompts injected into websites that instructed users to execute commands copied to the clipboard. Okendo has since addressed the issue and restored the widget script to a clean state.
  • AI-Generated Websites Used to Deliver SmartRAT — Typosquatting domains hosting malicious content generated with AI-powered website creation tools are being used to deliver a PowerShell-based malware called SmartRAT (aka Banana RAT). The web page impersonates a Brazilian bank and a ClickFix lure to trick victims into running a PowerShell command that downloads the malware. "Threat actors are leveraging website builders to create convincing lures quickly and at scale, with capabilities ranging from basic credential theft to a ClickFix campaign that delivers remote access trojans (RATs)," Zscaler said. "SmartRAT supports encrypted C2 communications, remote control (screen/keyboard/mouse), credential theft (keylogging and banking overlays), and persistence via scheduled tasks and a Windows service."
  • ClickFix Delivers GuLoader — Another ClickFix has been observed using a combination of ClickFix and EtherHiding to deliver malware called GuLoader using a compromised WordPress site as an entry point. "The attack chain combines four distinct components, compromised WordPress, EtherHiding via BSC Testnet, ClickFix social engineering, and GULoader delivery via UNC path, into a single intrusion sequence where every traditional defensive layer has a structural reason to remain silent," Sicuranext said.

  • UnregStealer Targets Brazilian Banks — A new purpose-built trojan called UnregStealer has been targeting Latin America (LATAM) financial institutions. Described as a human-operated credential theft campaign, it was first discovered by IBM X-Force in May 2026. "Most LATAM banking trojans rely on automated infection chains and compiled malware, UnregStealer is different," the company said. "trojans rely on automated infection chains and compiled malware, UnregStealer is different. This trojan involves a real operator, who watches each victim's session live and pulls the trigger manually. This variation makes the campaign nearly invisible to sandboxes and behavioral detection systems that never see the payload activate." Attack chains begin with social engineering lures that masquerade as mandatory SSL certificate updates to deliver a PowerShell stager, ultimately resulting in the deployment of a malicious Chrome extension named "Certificado SSL Chrome" that's responsible for data theft and exfiltration. In recent months, LATAM financial institutions have been targeted by a JavaScript adversary-in-the-middle (AitM) framework called OverlordMX that also makes use of a human operator, who monitors victims in real time and manually triggers the necessary overlays to capture credentials. The campaign is assessed to be the work of a Spanish-speaking threat actor. "The attack operates in two stages: a web-inject layer that intercepts sensitive information from the victim, followed by a socially engineered RAT delivery that grants the operator full remote control of the victim’s device," IBM said.
  • Pushka Android Malware Detailed — An Android malware called Pushka is equipped to carry out on-device fraud, while granting remote access trojan (RAT) capabilities to the operators by abusing accessibility services. "Pushka can use fake overlay tactics to phish victims' credentials on their mobile devices and can further steal and exfiltrate data from their devices," IBM X-Force said. "Pushka's RAT capabilities can perform actions on behalf of the user, including entering the user's login credentials, and clicking buttons." Pushka was first spotted in September 2025 across different European countries. It uses fake TV apps as decoys to trick users into installing them. The app acts as a dropper, and uses Android's PackageInstaller.Session API to silently install its main payload while bypassing Android 13’s Restricted Settings. "This method replaces the traditional use of Intent.ACTION_INSTALL_PACKAGE and is specifically used to mimic the legitimate installation flow used by the Play Store, allowing the malware to evade the OS-level restrictions introduced in newer Android versions," IBM said.
  • Ransomware Ecosystem Consolidates in Q1 2026 — Data from Flare shows that the ransomware ecosystem is "reconsolidating around fewer, more capable operators after a fragmented stretch," led by brands like LockBit, Qilin, and The Gentlemen. The top 10 groups account for 71% of all Q1 2026 victims, with LockBit 5.0 logging 163 victims.
  • Australian Bank Accounts Targeted by Extension-Based Trojan — A highly sophisticated browser extension-based banking is targeting Australian banking customers. "This is not a traditional virus designed to crash systems or cause visible disruption," IBM said. "Instead, it is specifically engineered to function as an invisible threat, embedding itself within the browser and operating directly inside the victim's trusted, authenticated session." It comes with capabilities to alter displayed balances, transaction history, and transfer limits; intercept one-time passwords (OTP) before submission; steal active banking session cookies; track visited pages and transaction patterns; and maintain a persistent WebSocket C2 connection for real-time commands. Exactly how the extension is distributed is unclear. "Because the attack runs within a legitimate, authenticated session, it inherits the user’s trust context and security controls, effectively neutralizing traditional protections," the company added.
  • Chinese and Russian Influence Operations Use AI to Bypass Bot Detection — In a new report, Two Six Technologies said Russian and Chinese inauthentic accounts are likely using AI to enhance content quality rather than to increase content volume and exhibit fewer bot-like behaviours. "AI is enabling and motivating adversaries to craft better content and more human-like accounts," the company said. "Inauthentic accounts are using AI to add visual appeal to their content. To reach broader audiences, they are probably also using it for translation. Pro-Russia and pro-China accounts now have slower posting speeds, and more pro-Russia accounts are inactive for a long stretch each day, mimicking a human who sleeps."
  • Operation Escaneo Targets Mexican Federal and Financial Orgs — A sophisticated campaign targeting Latin American governments and financial institutions has come to light, thanks to an exposed attacker server ("62.171.185[.]97") that revealed the custom tools, exploitation chain, and persistence tactics adopted by the threat actors. "The campaign is characterised by a proprietary distributed reconnaissance engine (Kimera), a curated exploit armory targeting enterprise perimeter devices (Fortinet, Ivanti, Cisco), portable lateral movement toolkits, and layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels," CloudSEK said. "The threat actor demonstrated capability to operate across Windows and Linux environments, compromise SAP ERP and Oracle database systems for command execution, extract cryptographic material and Active Directory datasets, and maintain long-dwell access through multiple redundant persistence mechanisms." The activity has been attributed medium confidence to a group called PanchoVilla (aka MexicanMafia).
  • GNU Savannah Security Flaw Fixed — The Free Software Foundation (FSF) said it has addressed an exploit demonstrated by Hacktron, alongside additional security issues. "After thorough review, we have found no reason to believe that sensitive project data or credentials were accessed, nor that there has been any compromise of Savannah's software supply chain," the FSF said. "Though the initial security issue was reported to us in early May, the vulnerabilities were discovered in software that was published approximately two years prior. We will be communicating directly with Savannah-hosted projects about steps they can take to review and strengthen the security of their projects."
  • 27-Year-Old Authentication Bypass in OpenBSD — Argus said it discovered a 27-year-old authentication bypass flaw in OpenBSD's PPP stack that could be used to sidestep Password Authentication Protocol (PAP) entirely. "OpenBSD's sppp_pap_input function used attacker-controlled length fields as the bcmp comparison length for credential validation," the company said. "Sending zero-length name and password fields caused bcmp to return 0 unconditionally, bypassing PAP authentication entirely." The flaw was introduced in July 1999. A fix was issued on June 14, 2026.
  • Abusing AI Features in SQL Server 2025 for C2 — SpecterOps has revealed that it's possible to weaponize native AI features in Microsoft SQL Server 2025, such as sp_invoke_external_rest_endpoint, CREATE EXTERNAL MODEL, and AI_GENERATE_EMBEDDINGS as a practical channel for data exfiltration and C2, assuming an attacker has compromised an account with the sysadmin role in the database. To counter the threat, it's essential to review SQL Server database logins, audit and alert usage of xp_cmdshell, SQL Agent Jobs, and CLR Assemblies, and set up notifications for any changes to sys.external_models or when sp_invoke_external_rest_endpoint is enabled.
  • ErrTraffic TDS Exposed — A traffic distribution system (TDS) known as ErrTraffic is being operated under a malware-as-a-service (MaaS) model for bad actors to direct users to ClickFix lures. ErrTraffic is a JavaScript framework that's injected into compromised WordPress sites. It employs the EtherHiding technique as a dead drop resolver to hide its C2 infrastructure within the blockchain. Sekoia's analysis of the framework has identified two distinct clusters of activity: Analytics and Beer. While Analytics interacts with the Polygon blockchain to fetch Vidar Stealer, the Beer cluster distributes several stealer families, including Vidar, Stealc, Remus and Salat. Alternatively, malvertising lures impersonating AI tools like Google Antigravity and OpenAI ChatGPT have also been used by the Analytics cluster to propagate DanaBot and Hijack Loader. A threat actor using the name LenAI has advertised and sold the ErrTraffic framework, with a one-month subscription costing $380. The attackers have also been found to use credential stuffing attacks to gain initial access to WordPress accounts and install PHP backdoors on the sites by masquerading as a must-use plugin.

  • Malicious Resumes Lead to Xctdoor Malware — AhnLab has disclosed details of a new campaign that uses malicious Windows Shortcut (LNK) files disguised as resumes that, upon execution, display decoy documents, while dropping additional scripts which then employ DLL side-loading to deploy Xctdoor, a Go-based backdoor previously attributed to North Korean threat actors. "This attack is a method of executing an LNK file disguised as a normal document, using a task scheduler and a startup program to ensure persistence, and then exploiting the normal executable to execute backdoor malware," AhnLab said.
  • Bypassing Microsoft Entra Conditional Access Policies — NetSPI said it found a way to bypass Microsoft Entra Conditional Access Policies by abusing Nested App Authentication to return access tokens for the Microsoft Graph API. "It was possible to use certain Nested App Authentication (or BroCI) flows to bypass any Conditional Access policy," security researcher Thomas Byrne said. "This vulnerability served mainly as a persistence mechanism as it would have required a successful phishing attack to return an initial refresh token before the vulnerable authentication flows could be carried out." A fix for the issue has since been rolled out by Microsoft.
  • Mexican Financial Sector Targeted by GitBait — At least a dozen Mexican banks have been targeted by a modular phishing infrastructure dubbed GitBait that abuses GitHub-hosted Pages and employs obfuscated scripts and a centralized credential exfiltration via SheetBest API. Per Group-IB, the large-scale campaign has been active for three years. The activity is "built on a fully serverless architecture that abuses GitHub Pages for hosting and the SheetBest API for credential exfiltration — eliminating the need for any dedicated backend infrastructure." It's believed that victims are reached through common phishing delivery channels such as SMS, messaging apps, email, or social media platforms. In all cases, the victim receives a fraudulent URL that directs them to a phishing page impersonating a trusted financial institution. The phishing pages harvest user credentials, payment card details, client identifiers, and passwords through a multi-stage flow that mimics legitimate banking authentication workflows. In some cases, the captured data is exfiltrated to a Telegram bot, marking a deviation from the SheetBest-based mechanism. More than 100 domains associated with the campaign have been identified.
  • Email Bombing Leads to Deno-Based Proxy and RAT — A large-scale email flooding campaign is being used as a pretext to target employees with bogus Microsoft Teams calls from an attacker impersonating internal IT support. Victims are then persuaded to download and execute a malicious archive from a fake self-service portal. The archive contains a modular Deno-based Remote Access Trojan and a TCP proxy framework spanning four different JavaScript files. "The JavaScript files implement a Deno-based remote access and tunneling agent," InfoGuard Labs said. "The main backdoor connects to a CloudFront-hosted WebSocket C2 endpoint, registers victim identity metadata, receives commands, and brokers traffic through local helper services." The proxy turns the compromised host into a pivot point for internal network access, allowing the attacker to route traffic through the victim machine.

🔧 Cybersecurity Tools

  • Aether → Because advanced malware often evades standard antivirus software by executing directly in a system's RAM, security teams need tools to inspect live memory. Aether is an open-source Windows threat-hunting tool that scans active, running processes for hidden payloads, code injections, and malicious behaviors, using a layered validation model to minimize false alarms during incident response.
  • AzureRedOps → It is an open-source offensive security toolkit designed to streamline Microsoft Entra ID and Azure red teaming. It unifies complex workflows—such as multi-flow token management, directory enumeration, and post-exploitation Microsoft Graph actions—into a single command-line interface.

Disclaimer: This is strictly for research and learning. It hasn't been through a formal security audit, so don't just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.

Conclusion

This week’s lesson: most attacks do not need a genius move. They need one trusted app, one stale login, one noisy plugin, or one user chasing a shortcut.

The fix starts in the dull places. Cut access. Clean old sites. Question helper tools. Watch the small cracks, because that is where the week usually starts leaking.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.