Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Hide ▲
Last updated: 18:48 17/07/2026 UTC
Last updated: 12:19 17/07/2026 UTC

Latest updates

Browse →

OpenSSL servers HollowByte DoS denial-of-service flaw

Vulnerability

Updated: 17.07.2026 20:56 · First: 17.07.2026 20:56 · 📰 1 src / 1 articles · H score: 18

HollowByte is a new OpenSSL DoS flaw that lets unauthenticated attackers exhaust memory on affected servers with an 11-byte payload. The bug affects server-side TLS handshake handling, where OpenSSL trusts a declared message size before validating the incoming body. OpenSSL has fixed and backported the issue to 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, and operators are being urged to upgrade immediately.

OpenSSL HollowByte patch release

Security Patch Release

Updated: 17.07.2026 20:56 · First: 17.07.2026 20:56 · 📰 1 src / 1 articles · H score: 30

The OpenSSL team silently fixed HollowByte, a no-CVE DoS flaw in OpenSSL servers, and backported the patch to older releases. The fix lands in OpenSSL 4.0.1 and was also backported to 3.6.3, 3.5.7, 3.4.6, and 3.0.21. Organizations running OpenSSL-backed services should move to a fixed release because the bug can be triggered with a tiny 11-byte payload.

NadMesh botnet hunts exposed AI services for AWS keys and Kubernetes tokens

Malware Activity

Updated: 17.07.2026 20:12 · First: 17.07.2026 20:12 · 📰 1 src / 1 articles · H score: 25

The NadMesh botnet is actively hunting exposed AI services and stealing AWS keys and Kubernetes tokens, creating immediate cloud-account takeover risk. Its controller claims 3,811 unique AWS keys, showing the operation has already produced substantial loot. The targeting set includes ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio, plus exposed MCP, Docker, Jenkins, and Redis services. The activity matters because a single exposed host can yield cloud credentials, registry logins, and cluster access that extend far beyond the box itself.

NadMesh exposed AI services scanning campaign

Campaign

Updated: 17.07.2026 20:12 · First: 17.07.2026 20:12 · 📰 1 src / 1 articles · H score: 29

The NadMesh campaign is repeatedly resampling exposed ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio systems, keeping pressure on internet-facing AI and admin services. Its automated queueing and rescan logic raise the odds of credential theft and later abuse of whatever it finds. The operation is notable because it is not a one-pass scan; it keeps returning to the same high-value hosts and subnets. That sustained targeting broadens exposure across teams that deployed AI tooling before hardening it.

Ransomware targeting of government organizations rose to daily frequency in January-June 2026

Trend

Updated: 17.07.2026 18:00 · First: 17.07.2026 18:00 · 📰 1 src / 1 articles · H score: 39

Government organizations saw a sustained rise in ransomware during January-June 2026, reaching an average of one attack per day and increasing the risk of recurring disruption to public services. The measured total of 187 incidents was 13% higher than the prior half-year, showing a worsening trend rather than isolated events.

Ernst & Young third-party support ticket data leak involving client tax documents

Data Leak

Updated: 17.07.2026 17:55 · First: 17.07.2026 17:55 · 📰 1 src / 1 articles · H score: 30

Ernst & Young disclosed a data breach after an unauthorized third party accessed a third-party support ticket system used by its IT personnel and downloaded documents that may contain client tax, personal, and financial data. The exposure window ran from March 28 to April 12, with anomalous activity detected on April 23 and disclosure on July 17, 2026. EY says it secured the platform, removed the unauthorized access, and has no indication of misuse or further exposure. The leak matters because the compromised tickets may include sensitive records tied to tax filings and client identity data.

23AndMe hit by network compromise

Incident

Updated: 16.07.2026 16:47 · First: 16.07.2026 16:47 · 📰 2 src / 2 articles · H score: 55

23andMe disclosed a credential-stuffing breach that exposed data on 6.9 million customers, including genetic ancestry information. The unauthorized access ran from April 2023 to September 2023 before being disclosed in October 2023. The compromise turned account reuse into a large-scale privacy and identity risk, with stolen data later appearing for sale on the dark web.

European Commission DMA order on Google Android and Search access

Regulatory/Legal Action

Updated: 17.07.2026 14:44 · First: 17.07.2026 14:44 · 📰 1 src / 1 articles · H score: 28

The European Commission ordered Google to change Android assistant access and Search data-sharing terms under the Digital Markets Act, creating binding obligations across the EU. The decision expands rival AI assistants' reach into Android and requires anonymised Search data access for competitors. The order is enforceable now, with major implementation dates running into Android 18 and 1 August 2027.

Windows User Profile Service zero-day privilege-escalation flaw (LegacyHive)

Vulnerability

Updated: 17.07.2026 14:05 · First: 17.07.2026 14:05 · 📰 1 src / 1 articles · H score: 41

A public LegacyHive zero-day against Windows User Profile Service can escalate privileges on up-to-date Windows systems, creating admin-level compromise risk. The exploit appeared hours after Microsoft's July 2026 Patch Tuesday and has no CVE ID yet. Testing showed the flaw can let non-admin users alter the classes registry hive and trigger automatic code execution when an administrator logs in. The PoC was later modified to require extra credentials, but it still gives attackers a usable starting point for weaponization.

Armenia detains Aleksandr Ermakov on U.S. REvil extradition request

Law Enforcement

Updated: 17.07.2026 13:53 · First: 17.07.2026 13:53 · 📰 1 src / 1 articles · H score: 53

Armenia detained Aleksandr Ermakov on June 28 on a U.S. extradition request tied to a REvil ransomware case, keeping a cybercrime suspect in custody while his identity is disputed.

The Gentlemen ransomware gang's affiliate-driven rise to most-active RaaS operator

Threat Actor Meta

Updated: 17.07.2026 12:00 · First: 17.07.2026 12:00 · 📰 1 src / 1 articles · H score: 36

The Gentlemen ransomware gang became the most-active ransomware-as-a-service operator over a three-month period, overtaking Qilin with 300 incidents. Its rise is linked to aggressive affiliate recruitment and a pre-packaged intrusion kit that lowers operator skill requirements. The shift increases competitive pressure across the ransomware market and may pull affiliates away from rival crews.

ACR Stealer browser credential and document theft activity

Malware Activity

Updated: 17.07.2026 11:56 · First: 17.07.2026 11:56 · 📰 1 src / 1 articles · H score: 29

The ACR Stealer malware is actively stealing browser passwords, session tokens, and Microsoft 365 files from enterprise environments, turning ClickFix-style paste-and-run lures into credential and document theft. The activity spans late April to mid-June 2026 and uses both fileless and on-disk loader chains. Microsoft says the malware does not rely on a CVE and instead succeeds when a user pastes a command into the Run dialog.

DoNot Team Bangladesh military and defence espionage campaign

Campaign

Updated: 17.07.2026 11:46 · First: 17.07.2026 11:46 · 📰 1 src / 1 articles · H score: 38

A DoNot Team espionage campaign targeted Bangladesh's military and defence establishments, using spear-phishing RTF files to deliver a DLL implant and establish scheduled-task persistence. The operation relied on remote template injection, a VBA macro, and geofencing to deliver payloads only to intended victims. The implant disguised itself as OneDrive telemetry, profiled hosts, and beaconed to C2 over HTTPS, indicating a focused effort to maintain access and support intelligence collection.

GoSerpent malware activity targeting Southeast Asian entities

Malware Activity

Updated: 17.07.2026 11:46 · First: 17.07.2026 11:46 · 📰 1 src / 1 articles · H score: 26

GoSerpent is being used in cyber attacks against entities in Southeast Asia, with the activity focused on long-term access, intelligence gathering, and data exfiltration. The malware is aimed at government and diplomatic entities and can deploy follow-on tools for credential dumping and file collection. It also supports SOCKS5 proxying and remote access, helping operators hide traffic through compromised hosts. The toolset has expanded over time, with May 2026 activity adding new payloads for staged exfiltration.

U.S. prosecutors charge Chen and Zhang in investment-fraud money-laundering case

Law Enforcement

Updated: 17.07.2026 11:13 · First: 17.07.2026 11:13 · 📰 1 src / 1 articles · H score: 29

U.S. prosecutors charged Zhuoying Chen and Haojie Zhang in a cyber investment fraud money-laundering case, exposing a network that allegedly moved at least $43 million in stolen proceeds.

Microsoft SharePoint deserialization RCE (CVE-2026-58644)

Vulnerability

Updated: 17.07.2026 10:15 · First: 17.07.2026 10:15 · 📰 1 src / 1 articles · H score: 48

Microsoft SharePoint CVE-2026-58644 is a critical RCE now confirmed actively exploited in the wild, exposing SharePoint Server to remote code execution. Microsoft fixed the flaw in July 2026 Patch Tuesday after describing it as a deserialization of untrusted data issue. CISA added it to the KEV catalog and ordered federal agencies to patch it within three days.

CISA KEV directive for exploited SharePoint CVE-2026-58644

Public Sector Action

Updated: 17.07.2026 10:15 · First: 17.07.2026 10:15 · 📰 1 src / 1 articles · H score: 38

CISA added CVE-2026-58644 to its KEV catalog and ordered federal agencies to patch it within three days. The directive applies to an exploited Microsoft SharePoint remote code execution flaw and tightens remediation under BOD 26-04. The move accelerates federal response to a vulnerability with exploitation detected.

Microsoft security patch release for CVE-2026-56164

Security Patch Release

Updated: 14.07.2026 23:25 · First: 14.07.2026 23:25 · 📰 2 src / 4 articles · H score: 11

Microsoft released a record 622-CVE Patch Tuesday that includes two exploited flaws in SharePoint Server and Active Directory Federation Services, raising urgency for identity and collaboration systems. The top-priority fixes are CVE-2026-56164 and CVE-2026-56155, both elevation-of-privilege bugs already being used in attacks. Microsoft also bundled additional updates across Windows, Office, Edge, Azure, Defender, and developer tools. The release matters because defenders must triage a much larger-than-usual update set while attackers can immediately focus on the flaws already in use.

Microsoft Corp. security patch release for CVE-2026-56155

Security Patch Release

Updated: 14.07.2026 22:22 · First: 14.07.2026 22:22 · 📰 3 src / 3 articles · H score: 56

Microsoft released July 2026 Patch Tuesday updates that close at least 570 security holes in Windows and other software, expanding the remediation burden for defenders. The bundle includes nearly 60 critical vulnerabilities and three zero-days already exploited in the wild. It also covers issues such as CVE-2026-56155 in Active Directory Federation Services, CVE-2026-56164 in SharePoint, and CVE-2026-50661 in Windows BitLocker. The release is almost triple last month’s record patch count and adds operational risk during rollout.

Microsoft SharePoint Server actively exploited multi-CVE wave

Exploitation Wave

Updated: 15.07.2026 12:44 · First: 15.07.2026 12:44 · 📰 3 src / 4 articles · H score: 79

SharePoint Server exploitation wave remains active across internet-exposed on-premises instances, with CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 used to bypass authentication, reach remote code execution, and enable IIS machine key theft, persistence, and malware deployment. CISA added the exploited CVEs to the Known Exploited Vulnerabilities Catalog and urged operators to apply Microsoft's latest patches, verify installation, enable AMSI and Microsoft Defender Antivirus detections, reduce direct internet exposure, block SharePoint Central Administration, and use a Layer 7 reverse proxy where needed.

Active SharePoint exploitation around CVE-2026-56164 drives patching and federal response

Case

Updated: 17.07.2026 09:42 · First: 14.07.2026 23:25 · 📰 0 src / 5 articles

Microsoft SharePoint Server exploitation remains active around CVE-2026-56164, an unauthenticated privilege-escalation flaw affecting on-premises deployments. Separate reporting on internet-exposed servers also tracks exploitation involving CVE-2026-32201 and CVE-2026-45659, alongside post-compromise behaviors such as IIS machine key theft, persistence, and malware deployment. Microsoft has issued SharePoint fixes, and CISA has pushed immediate hardening, monitoring, and intrusion hunting where patching cannot be completed at once. Federal agencies face a July 17 deadline to secure or discontinue affected systems under BOD 26-04.

SonicWall SMA1000 SSRF and code injection flaws (multiple vulnerabilities)

Vulnerability

Updated: 15.07.2026 00:23 · First: 15.07.2026 00:23 · 📰 2 src / 2 articles · H score: 48

SonicWall SMA1000 devices face active exploitation of CVE-2026-15409 and CVE-2026-15410, creating urgent risk for exposed appliances. CVE-2026-15409 is a CVSS 10.0 SSRF flaw and CVE-2026-15410 is a CVSS 7.2 code injection issue in the management console. SonicWall says both flaws are being actively exploited in zero-day attacks and urges customers to install the newly released hotfixes immediately. CISA KEV listing confirms the flaws are already being used in attacks.

CISA BOD 26-04 SharePoint remediation deadline

Public Sector Action

Updated: 15.07.2026 12:44 · First: 15.07.2026 12:44 · 📰 2 src / 2 articles · H score: 77

CISA gave federal agencies until July 17 to secure or discontinue SharePoint servers affected by CVE-2026-56164, turning the remediation deadline into a mandatory federal action for exposed systems. The agency had already added CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 to the Known Exploited Vulnerabilities Catalog on April 14, July 1, and July 14. Agencies that cannot apply mitigations must discontinue the affected servers under BOD 26-04.

ClickLock ClickFix macOS targeting campaign

Campaign

Updated: 16.07.2026 15:33 · First: 16.07.2026 15:33 · 📰 3 src / 3 articles · H score: 33

Group-IB reported a ClickLock macOS campaign that uses ClickFix paste-a-command lures and coercive app-killing loops to force victims to enter their system login password. The operation has reached at least 100 targets across 33 countries since May 2026, with more than half in Europe. Group-IB also said the orchestrator script uploaded to VirusTotal on June 9 had zero detections, while the malware hid the cursor, showed a fake Cloudflare progress animation, pulled modules from compromised sites, stole Keychain and wallet data, and exfiltrated through Telegram.

Fairlife hit by ransomware attack

Incident

Updated: 17.07.2026 00:09 · First: 17.07.2026 00:09 · 📰 1 src / 1 articles · H score: 25

Fairlife, the Coca-Cola dairy subsidiary, suffered a ransomware incident that forced temporary suspension of U.S. production. The company said it detected unauthorized access to systems tied to production, and the disruption affects the brand’s U.S. facilities while recovery work continues. No data theft, extortion demand, or responsible ransomware group has been confirmed yet.

Claude Chrome synthetic click security flaw

Vulnerability

Updated: 16.07.2026 22:26 · First: 16.07.2026 22:26 · 📰 1 src / 1 articles · H score: 7

A flaw in Anthropic's Claude for Chrome browser extension lets a malicious extension simulate trusted clicks and trigger predefined AI workflows, creating abuse risk for connected services such as Gmail, Google Docs, Google Calendar, and Salesforce. The weakness is that the extension failed to check Event.isTrusted before executing a built-in task, so JavaScript-generated click events were treated like real user input. Manifold Security says the issue remains reproducible in version 1.0.80, which means the exposed workflow path is still present in the current release.

SHADOW#REACTOR fake .ttf phishing campaign targeting Windows systems

Campaign

Updated: 16.07.2026 18:00 · First: 16.07.2026 18:00 · 📰 1 src / 1 articles · H score: 31

A large-scale phishing campaign is delivering RATs and infostealers to Windows systems by disguising a malicious script as a .ttf font file. The operation has been active since late March 2026 and uses fileless delivery to reduce detection. It combines business-cooperation lures, scheduled-task persistence, and in-memory execution to push payloads including Agent Tesla, Remcos, XWorm, and Best Private LOGGER.

Lua loader payload wave delivering Remcos, Agent Tesla, XWorm, and Best Private LOGGER

Malware Activity

Updated: 16.07.2026 18:00 · First: 16.07.2026 18:00 · 📰 1 src / 1 articles · H score: 27

A Lua-based loader in a large-scale phishing operation is delivering rotating malware payloads to Windows systems, creating a fileless path for credential theft and persistent access. Each infected host receives one of four families: Remcos, Agent Tesla, XWorm, or Best Private LOGGER. The chain uses a fake .tff lure, scheduled-task persistence, and in-memory execution to reduce detection.

23AndMe multistate genetic-data settlement and ICO fine

Regulatory/Legal Action

Updated: 16.07.2026 16:47 · First: 16.07.2026 16:47 · 📰 2 src / 2 articles · H score: 35

23andMe agreed to pay $18 million to settle multistate claims over its failure to protect customers' genetic data, extending the legal fallout from the 2023 breach. Regulators said the company lacked basic safeguards such as multifactor authentication, password blocklisting, rate limiting, intrusion prevention, and breach-detection monitoring. The settlement also adds new security requirements, including a data security advisory board and risk analysis protocols. A separate UK ICO fine of £2.31 million adds further regulatory pressure over the same security failures.

N8n security patch release for CVE-2026-59208

Security Patch Release

Updated: 16.07.2026 16:33 · First: 16.07.2026 16:33 · 📰 1 src / 1 articles · H score: 24

n8n shipped fixes for CVE-2026-59208 on June 24, closing an Enterprise token-exchange flaw that could log a user into the wrong account when multiple external issuers were trusted. The bug affected releases below 2.27.4 and 2.28.0, and n8n later identified 2.27.4 and 2.28.1 as the fixed builds. The issue was limited to Enterprise-only token exchange deployments configured with more than one trusted issuer.