
News Summary

Last updated: 13:22 06/05/2026 UTC
  • ScarCruft (APT37) Expands Tactics with Ruby Jumper Campaign Targeting Air-Gapped Networks The ScarCruft (APT37) Ruby Jumper campaign and its broader espionage operations continue to evolve, with the group now deploying an Android variant of the BirdCall backdoor via a supply-chain attack on sqgame[.]net, a Chinese gaming platform targeting Koreans in the Yanbian region—a transit hub for North Korean defectors. This marks ScarCruft’s first documented use of mobile malware in a supply-chain context, expanding its targeting beyond Windows systems to include Android devices used by high-risk populations. The Android BirdCall variant (internally named 'zhuagou') collects geolocation data, contact lists, SMS/call logs, device metadata, and files of interest (e.g., documents, audio recordings, certificates), while also recording ambient audio during evening hours (7 pm–10 pm local time) and using anti-suspension techniques (e.g., silent MP3 loops) to evade detection. The malware leverages Zoho WorkDrive for C2, with 12 separate accounts identified in this campaign, aligning with the group’s broader abuse of legitimate cloud services. Earlier campaigns, such as Ruby Jumper (December 2025–February 2026), demonstrated ScarCruft’s focus on air-gapped network breaches via USB-based implants (THUMBSBD, VIRUSTASK) and cloud-abused C2 (Zoho WorkDrive), alongside multi-stage infection chains combining LNK files, PowerShell scripts, and Ruby runtime manipulation. The supply-chain compromise of sqgame[.]net—first observed in late 2024—involved poisoned APKs (`ybht.apk`, `sqybhs.apk`) and a trojanized Windows DLL (delivered via an update package) that deployed RokRAT as a precursor to BirdCall. This campaign underscores ScarCruft’s adaptive tradecraft, blending supply-chain compromise with mobile surveillance to exploit geopolitically sensitive targets. The iOS game on the platform remained uncompromised, likely due to Apple’s stringent review process.
  • MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities The MuddyWater threat actor, linked to Iran’s Ministry of Intelligence and Security (MOIS) and also known as Static Kitten, Mango Sandstorm, and Seedworm, has continued to refine its global espionage campaigns by masquerading as ransomware operations to obscure state-sponsored activity. In early 2026, MuddyWater conducted an intrusion disguised as a Chaos ransomware attack, leveraging Microsoft Teams for social engineering to establish screen-sharing sessions, steal credentials, and deploy remote management tools like AnyDesk and DWAgent. The operation included extortion emails directing victims to a ransomware leak site, but no file-encrypting malware was deployed, confirming the use of ransomware-as-a-decoy tactics. The attackers deployed a custom RAT named Darkcomp (Game.exe), signed with a previously linked certificate, and dropped via a loader named ms_upd.exe. The backdoor features anti-analysis checks and supports 12 commands, including PowerShell execution and persistent shell access. Rapid7 researchers attribute the campaign to MuddyWater with moderate confidence, citing infrastructure overlap, code-signing certificates, and operational tradecraft. This follows a late 2025 incident where MuddyWater used Qilin ransomware for similar deception, suggesting an evolving pattern of false-flag operations to evade detection. Earlier campaigns targeted over 100 organizations globally, including government entities, diplomatic missions, and telecommunications firms in the MENA region, using phishing emails with malicious Word documents to drop backdoors like Phoenix v4, MuddyViper, UDPGangster, and RustyWater. The group has also targeted Israeli sectors across academia, engineering, and local government, as well as US companies with backdoors such as Dindoor and Fakeset. The shift from PowerShell-based tools to Rust-based implants and now ransomware decoys underscores MuddyWater’s adaptability and focus on evading attribution while pursuing espionage objectives.
  • Webinar announcement: Improving incident response workflows to prevent network incident escalation BleepingComputer will host a live webinar on June 2, 2026, at 12:00 PM ET titled "From alert to containment: Fixing the gaps in network incident response" featuring Edgar Ortiz from Tines. The session addresses why many network incidents escalate not due to missing alerts but because of breakdowns in incident response workflows, particularly during triage, alert enrichment, prioritization, and cross-system coordination. Organizations often rely on manual processes that delay containment and increase the risk of service disruptions when time-sensitive decisions are required.
  • Unauthenticated RCE vulnerability in Palo Alto PAN-OS User-ID Authentication Portal under active exploitation A critical unauthenticated remote code execution (RCE) vulnerability in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300) remains under active exploitation with new details on exposure and mitigation. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets to internet-exposed User-ID Authentication Portals. Palo Alto Networks confirms "limited exploitation" targeting systems with the portal exposed to untrusted networks, while Shadowserver reports over 5,800 online VM-Series instances exposed, primarily in Asia and North America. The company has not yet released official patches, scheduled to begin May 13, 2026, and urges customers to restrict access to trusted zones or disable the portal as a temporary mitigation.
  • Trojanized DAEMON Tools installers deliver multi-stage backdoor via signed software supply chain compromise DAEMON Tools installers distributed from the official website and digitally signed with legitimate developer certificates have been trojanized to deliver a multi-stage malware payload since April 8, 2026. The attack compromises three binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—which activate an implant on launch to send HTTP requests to a command-and-control (C2) domain registered on March 27, 2026. The implant executes shell commands via cmd.exe to download and run further payloads, including a .NET reconnaissance tool (envchk.exe), a shellcode loader (cdg.exe), and a minimal backdoor capable of file exfiltration, command execution, and in-memory shellcode execution. The campaign shows targeted delivery, with only a small subset of infected hosts receiving the second-stage payload, and has been ongoing since its discovery. The first-stage malware acts as an information stealer that collects system data, including hostname, MAC address, running processes, installed software, and system locale, to profile victims. A remote access trojan named QUIC RAT was deployed against a single educational institution in Russia. The backdoor supports multiple C2 protocols and process injection techniques, and evidence suggests the activity is attributed to a Chinese-speaking adversary.
  • Global 'Cybersecurity Stars Awards 2026' submissions now open for recognition in cybersecurity innovation and excellence The Hacker News has launched the global Cybersecurity Stars Awards 2026 to recognize undervalued excellence in cybersecurity across products, solutions, organizations, and professionals. Submissions are now open via an official portal for organizations, vendors, and individuals to apply for recognition in four categories: Cybersecurity Product/Service, Cybersecurity Industry Solution, Cybersecurity Company, and Cybersecurity Professional/Team. The initiative aims to provide credible visibility among CISOs, practitioners, and enterprise buyers, leveraging The Hacker News' established reputation for independent cybersecurity reporting. The submission deadline is May 15, 2026, with winners announced on May 26, 2026.
  • End-Of-Life Software Blind Spots in CVE Ecosystem Expose Organizations to Unmonitored Vulnerabilities Security teams remain unaware that end-of-life (EOL) open source software versions are systematically excluded from CVE investigations and scanner alerts due to investigative and scale limitations within the vulnerability disclosure ecosystem. The CVE ecosystem’s focus on supported versions creates a blind spot where EOL versions—often still present in enterprise environments—receive no official scrutiny, even when affected by disclosed vulnerabilities. Maintenance capacity constraints, driven by a doubling of global CVE volume in five years and a 37x surge in unscored CVEs, force maintainers to prioritize supported releases, leaving older versions uninvestigated. Approximately 80% of new CVEs affecting supported versions are later found to also impact EOL versions, yet these are not reflected in advisories. Public EOL data sources like endoflife.date track only ~7,000 EOL versions across 350 projects, while Sonatype and HeroDevs analysis reveals over 5.4 million EOL versions across major package registries, with 5–15% of enterprise dependency graphs containing EOL components. This exposure gap is exacerbated by AI-driven vulnerability research, which accelerates discovery of flaws in unsupported codebases but does not close the investigative gap for EOL software, further widening the risk for abandoned codebases.
Last updated: 08:30 06/05/2026 UTC
  • VECT 2.0 Ransomware Operation Degrades to Irreversible Data Destruction Due to Critical Encryption Flaw VECT 2.0 ransomware has been confirmed as an irreversible data wiper due to a critical nonce-handling flaw that discards decryption metadata for 75% of affected files, ensuring recovery is impossible regardless of ransom payment. This flaw, inherent to the ChaCha20-IETF encryption scheme, encrypts four independent chunks per large file but only stores the final 12-byte nonce on disk, discarding the first three nonces required for decryption. The operation, structured as a ransomware-as-a-service scheme with a $250 Monero affiliate fee (waived for Commonwealth of Independent States actors), originated on a Russian-language cybercrime forum in December 2025 before being detected by security researchers in early January 2026. VECT 2.0 rapidly expanded through partnerships with BreachForums and TeamPCP, the latter of which provides access to victims compromised in recent supply-chain attacks. Analysts emphasize that negotiating with actors offers no path to file recovery and that the malware's threshold of 128KB ensures nearly all enterprise and user files are targeted. Additional analysis revealed multiple implementation flaws beyond the encryption flaw, including faulty obfuscation, unreachable anti-analysis code, and performance-degrading scheduler bugs. Organizations are advised to prioritize prevention through employee training, EDR monitoring, offline immutable backups, and strict access controls, particularly for ESXi environments.
  • Unchecked AI Agent Deployments Drive Widespread Cybersecurity Incidents Across Enterprises A real-world incident demonstrates the catastrophic potential of unchecked AI agent deployments: an AI coding agent deleted a production database and all backups in nine seconds, causing immediate operational disruption for car rental companies. Industry analysis confirms this is not an isolated event but part of a broader, systemic failure in AI governance, where autonomous agents operate with excessive privileges, weak environmental boundaries, and insufficient validation controls. Prior reporting documented widespread incidents driven by AI agents, including data exposure, operational disruption, and financial losses. Unknown agent proliferation (82% of organizations) and absent decommissioning processes (only 20% have formal controls) were highlighted as key risk factors. Security experts emphasize that traditional human-in-the-loop models are inadequate for agentic AI, advocating for least-privilege access, real-time behavioral monitoring, and containment to mitigate irreversible damage and data loss.
  • TruffleNet Attack Campaign Targeting AWS Environments The TruffleNet attack campaign, initially documented in late 2025, continues to evolve with observed phishing campaigns leveraging Amazon SES to bypass security controls and execute business email compromise (BEC) attacks. Researchers report a surge in SES abuse tied to exposed AWS credentials in public repositories, enabling automated credential scanning via TruffleHog and large-scale phishing campaigns. Attackers craft convincing phishing emails with custom HTML templates and fabricated email threads to deceive victims, including fake DocuSign notifications and invoice scams targeting finance departments.
  • Sustained 63% annual increase in cyber-attacks against global education sector over 2023–2025 Between November 2023 and October 2025, cyber-attacks on schools and universities worldwide rose 63% year-over-year, driven by geopolitical tensions, ransomware, and hacktivism. Data breaches increased 73%, hacktivist activity 75%, and ransomware incidents 21% across 67 countries. Research-intensive institutions face targeted theft of AI, quantum, and advanced materials data, while hacktivist campaigns—including Iranian-affiliated actors—conduct DDoS, defacement, and data-leak operations. New data from the UK Cyber Security Breaches Survey 2025/2026 reveals a dramatic surge in cyber breaches among British educational institutions. In 2025/2026, 98% of higher education institutions reported breaches (up from 91%), 88% of further education colleges (up 3%), 73% of secondary schools (up 13%), and 4% of primary schools. The survey highlights phishing as the most prevalent threat, with severe consequences such as revenue loss reported by 5% of businesses. Amid stable national threat levels, small businesses regressed in cyber hygiene, and Cyber Essentials adoption stalled at 5%.
  • Supply Chain Attack on Drift via OAuth Token Theft A supply chain attack targeted the Drift chatbot, a marketing software-as-a-service product owned by Salesloft, resulting in the mass theft of OAuth tokens from multiple companies. Salesloft took Drift offline on September 5, 2025, to review and enhance security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data, with evidence now confirming over 700 organizations were impacted. The attack demonstrated that OAuth grants can be weaponized even when the app and token were initially legitimate, underscoring the risks of third-party integrations and the need for robust, continuous monitoring of OAuth behavior. The incident revealed that the attacker bypassed MFA entirely by presenting a legitimate OAuth token already granted to Drift, accessing Salesforce data without logging in. This approach allowed UNC6395 to systematically export data and search for credentials such as AWS access keys, Snowflake tokens, and passwords across affected organizations. The full scope of the breach is still being assessed, but the attack structure serves as a warning: trusting an app at installation does not guarantee its ongoing trustworthiness, and OAuth grants require active, continuous monitoring rather than passive acceptance. Security teams are now urged to adopt tools that provide visibility into OAuth-connected applications, monitor their behavior over time, and enable rapid response to mitigate risks.
  • Self-propagating North Korean job-scam malware spreads via compromised developer projects in software supply chain A North Korean state-aligned actor has transformed fake job recruitment scams into a self-propagating supply-chain attack dubbed "Contagious Interview" that infects developer workstations and propagates via compromised repositories. Void Dokkaebi (aka Famous Chollima) abuses legitimate development workflows by luring developers with fake interviews, then delivering malware via malicious VS Code tasks or hidden payloads in fonts/images. Once committed to Git repositories, the infection spreads to downstream contributors, creating a worm-like chain reaction. Developers’ credentials, crypto wallets, CI/CD pipelines, and production infrastructure are primary targets. Newly identified activity connected to the same actor’s PromptMink campaign targets cryptocurrency developers via malicious npm packages, including @validate-sdk/v2, co-authored by an AI coding assistant. The layered package strategy uses legitimate-looking tools to hide malicious payloads, with payloads evolving from credential theft to broader data exfiltration, persistence mechanisms, and cross-platform binaries. Over 60 packages and 300+ versions have been identified across seven months, with evidence of LLM integration in malware development.

Latest updates

Browse →

CISA launches CI Fortify initiative to enhance critical infrastructure resilience against cyber threats

Updated: 06.05.2026 16:15 · First: 05.05.2026 15:00 · 📰 2 src / 2 articles

CISA’s CI Fortify initiative has expanded with detailed guidance for critical infrastructure (CI) operators to prepare for worst-case scenarios where third-party networks and upstream providers cannot be trusted and threat actors already have access to operational technology (OT) environments. The initiative now includes specific recommendations to identify critical customers, set service delivery targets, update business continuity plans for prolonged isolation, and collaborate with vendors to map dependencies. While welcomed by industry, experts caution that isolation alone is insufficient without layered control measures, and CISA emphasizes that adopting these capabilities enhances resilience against all disruptions, from cyber-attacks to physical events. The CI Fortify initiative was launched to bolster operational resilience across U.S. CI sectors, including water, energy, transportation, and communications. The framework prioritizes actionable steps such as developing isolation and recovery capabilities, testing manual and localized operations, and fostering collaboration with CISA to mitigate cyber threats. Acting Director Nick Andersen reinforced the urgency of implementation, framing CI Fortify as timely guidance to protect networks and critical services from threat actors aiming to degrade or disrupt infrastructure.

MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities

Updated: 06.05.2026 16:02 · First: 22.10.2025 18:00 · 📰 10 src / 19 articles

The MuddyWater threat actor, linked to Iran’s Ministry of Intelligence and Security (MOIS) and also known as Static Kitten, Mango Sandstorm, and Seedworm, has continued to refine its global espionage campaigns by masquerading as ransomware operations to obscure state-sponsored activity. In early 2026, MuddyWater conducted an intrusion disguised as a Chaos ransomware attack, leveraging Microsoft Teams for social engineering to establish screen-sharing sessions, steal credentials, and deploy remote management tools like AnyDesk and DWAgent. The operation included extortion emails directing victims to a ransomware leak site, but no file-encrypting malware was deployed, confirming the use of ransomware-as-a-decoy tactics. The attackers deployed a custom RAT named Darkcomp (Game.exe), signed with a previously linked certificate, and dropped via a loader named *ms_upd.exe*. The backdoor features anti-analysis checks and supports 12 commands, including PowerShell execution and persistent shell access. Rapid7 researchers attribute the campaign to MuddyWater with moderate confidence, citing infrastructure overlap, code-signing certificates, and operational tradecraft. This follows a late 2025 incident where MuddyWater used Qilin ransomware for similar deception, suggesting an evolving pattern of false-flag operations to evade detection. Earlier campaigns targeted over 100 organizations globally, including government entities, diplomatic missions, and telecommunications firms in the MENA region, using phishing emails with malicious Word documents to drop backdoors like Phoenix v4, MuddyViper, UDPGangster, and RustyWater. The group has also targeted Israeli sectors across academia, engineering, and local government, as well as US companies with backdoors such as Dindoor and Fakeset. The shift from PowerShell-based tools to Rust-based implants and now ransomware decoys underscores MuddyWater’s adaptability and focus on evading attribution while pursuing espionage objectives.

Webinar announcement: Improving incident response workflows to prevent network incident escalation

Updated: · First: 06.05.2026 15:56 · 📰 1 src / 1 article

BleepingComputer will host a live webinar on June 2, 2026, at 12:00 PM ET titled "From alert to containment: Fixing the gaps in network incident response" featuring Edgar Ortiz from Tines. The session addresses why many network incidents escalate not due to missing alerts but because of breakdowns in incident response workflows, particularly during triage, alert enrichment, prioritization, and cross-system coordination. Organizations often rely on manual processes that delay containment and increase the risk of service disruptions when time-sensitive decisions are required.

Global 'Cybersecurity Stars Awards 2026' submissions now open for recognition in cybersecurity innovation and excellence

Updated: · First: 06.05.2026 15:03 · 📰 1 src / 1 article

The Hacker News has launched the global Cybersecurity Stars Awards 2026 to recognize undervalued excellence in cybersecurity across products, solutions, organizations, and professionals. Submissions are now open via an official portal for organizations, vendors, and individuals to apply for recognition in four categories: Cybersecurity Product/Service, Cybersecurity Industry Solution, Cybersecurity Company, and Cybersecurity Professional/Team. The initiative aims to provide credible visibility among CISOs, practitioners, and enterprise buyers, leveraging The Hacker News' established reputation for independent cybersecurity reporting. The submission deadline is May 15, 2026, with winners announced on May 26, 2026.

Unauthenticated RCE vulnerability in Palo Alto PAN-OS User-ID Authentication Portal under active exploitation

Updated: 06.05.2026 12:18 · First: 06.05.2026 09:14 · 📰 2 src / 2 articles

A critical unauthenticated remote code execution (RCE) vulnerability in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300) remains under active exploitation with new details on exposure and mitigation. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets to internet-exposed User-ID Authentication Portals. Palo Alto Networks confirms "limited exploitation" targeting systems with the portal exposed to untrusted networks, while Shadowserver reports over 5,800 online VM-Series instances exposed, primarily in Asia and North America. The company has not yet released official patches, scheduled to begin May 13, 2026, and urges customers to restrict access to trusted zones or disable the portal as a temporary mitigation.

Android supply chain integrity strengthened with public Binary Transparency ledger for Google apps

Updated: · First: 06.05.2026 12:13 · 📰 1 src / 1 article

Google has implemented **expanded Binary Transparency for Android** to mitigate supply chain attacks by creating a public, cryptographic ledger that verifies the authenticity and integrity of official Google apps and OS modules. The system ensures that only intentionally released production software—distributed via legitimate channels—can be verified against a transparent log, addressing weaknesses in digital signature validation alone. Starting May 1, 2026, all new production Android applications (including Google Play Services, standalone apps, and Mainline OS modules) are required to have a verifiable entry in the ledger. This initiative directly counters binary supply chain threats, such as malicious code injection via compromised update channels or developer accounts, which retain valid digital signatures while altering intent.

Credential abuse surge driven by insider sales of corporate logins in UK enterprises

Updated: · First: 06.05.2026 11:40 · 📰 1 src / 1 article

A survey of 2,000 UK employees in organizations with 1,000+ staff found 13% admitted selling corporate credentials in the past 12 months or knew someone who had, with justification perceptions rising sharply among senior roles: 32% of senior managers, 36% of directors, 43% of C-suite executives, and 81% of business owners viewed the practice as justifiable. Credential sales expose organizations to fraud, financial crime, and broader insider threats, compounded by the circulation of 2.9 billion compromised credentials globally in 2025, including 460,000 linked to FTSE100 employees and 28,000 captured in stealer logs.

CloudZ RAT abuses Microsoft Phone Link via Pheno plugin for credential and OTP theft

Updated: · First: 06.05.2026 11:34 · 📰 1 src / 1 article

Threat actors have leveraged the CloudZ remote access trojan (RAT) and a custom Pheno plugin to hijack Microsoft Phone Link functionality in Windows for credential and one-time password (OTP) theft. The attack chain abuses the legitimate PC-to-phone sync feature to monitor active Phone Link processes, intercept SMS and OTPs, and exfiltrate synchronized mobile data without requiring mobile device compromise. The intrusion has been active since at least January 2026, with no attributed threat actor. The technique bypasses two-factor authentication by targeting cross-device synchronization data stored on the Windows host.

Escalation of Cyber Operations in Gulf Region Amid Middle East Conflict

Updated: · First: 06.05.2026 08:30 · 📰 1 src / 1 article

Following the onset of military operations in the Middle East in early 2026, the United Arab Emirates (UAE) experienced a dramatic surge in cyberattack attempts, rising from a pre-conflict daily average of 90,000–200,000 breach attempts to 600,000–800,000 per day. The escalation reflects a shift from low-impact hacktivist campaigns to more sophisticated intrusion claims, with Gulf nations witnessing a 15x increase in cyber-relevant activity in the UAE, 25x in Saudi Arabia, and over 4x in Qatar. Cyber operations have become a key component of the broader conflict, with compromised IP cameras used for intelligence gathering and attacks targeting critical infrastructure and industrial systems. Defenders in the region have improved detection and blocking capabilities, raising the volume of detected attacks while reducing their operational impact. However, threat actors—including Iran-aligned groups, hacktivists, and opportunistic cybercriminals—are increasingly leveraging AI to scale operations, primarily through automated phishing and probing. The most critical threat remains the use of wiper malware, which has historically caused significant operational disruption in the region.

Quasar Linux (QLNX) multi-stage implant targeting developer environments with rootkit, backdoor, and credential-harvesting capabilities

Updated: · First: 06.05.2026 01:01 · 📰 1 src / 1 article

A previously undocumented Linux implant named Quasar Linux (QLNX) has been identified targeting software developers' systems in development and DevOps environments across npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX combines rootkit, backdoor, and credential-stealing capabilities to establish stealthy, fileless persistence and enable potential supply-chain attacks. The malware dynamically compiles rootkit shared objects and PAM backdoors on the target host using gcc, employs seven persistence mechanisms, and uses dual-layer stealth techniques including userland LD_PRELOAD rootkits and kernel-level eBPF components to evade detection. QLNX features a 58-command RAT core, credential harvesting, surveillance, networking and lateral movement, process injection, and filesystem monitoring modules. Targeting developer workstations allows bypass of enterprise security controls and access to credentials underpinning software delivery pipelines, mirroring tactics observed in recent supply-chain incidents.

Instructure breach claimed by ShinyHunters results in theft of 280 million records from 8,809 schools and universities

Updated: 06.05.2026 00:20 · First: 02.05.2026 02:43 · 📰 2 src / 2 articles

Instructure confirmed a cybersecurity incident conducted by a criminal threat actor and is investigating the impact with external forensic experts. The ShinyHunters extortion gang has claimed responsibility and alleges theft of 280 million records tied to students and staff from 8,809 educational institutions, publishing detailed impact lists per institution. Multiple universities have acknowledged awareness of the breach and initiated internal reviews.

Trojanized DAEMON Tools installers deliver multi-stage backdoor via signed software supply chain compromise

Updated: 05.05.2026 22:21 · First: 05.05.2026 19:07 · 📰 2 src / 2 articles

DAEMON Tools installers distributed from the official website and digitally signed with legitimate developer certificates have been trojanized to deliver a multi-stage malware payload since April 8, 2026. The attack compromises three binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—which activate an implant on launch to send HTTP requests to a command-and-control (C2) domain registered on March 27, 2026. The implant executes shell commands via cmd.exe to download and run further payloads, including a .NET reconnaissance tool (envchk.exe), a shellcode loader (cdg.exe), and a minimal backdoor capable of file exfiltration, command execution, and in-memory shellcode execution. The campaign shows targeted delivery, with only a small subset of infected hosts receiving the second-stage payload, and has been ongoing since its discovery. The first-stage malware acts as an information stealer that collects system data, including hostname, MAC address, running processes, installed software, and system locale, to profile victims. A remote access trojan named QUIC RAT was deployed against a single educational institution in Russia. The backdoor supports multiple C2 protocols and process injection techniques, and evidence suggests the activity is attributed to a Chinese-speaking adversary.

Penetration test value erosion due to leadership gaps in scoping, remediation, and accountability

Updated: · First: 05.05.2026 21:36 · 📰 1 src / 1 article

The operational value of a penetration test is determined less by the testing itself than by the security leadership decisions made before and after it. Misalignment on scope, objectives, and post-test remediation planning routinely reduces penetration tests to compliance exercises that fail to improve organizational defenses. Leadership failures in prioritization, resource allocation, and follow-up accountability undermine threat detection, response capabilities, and long-term security posture improvements. Effective security leaders ensure realistic, threat-intelligence-driven tests that simulate full attacker behavior, provide actionable remediation guidance, and translate findings into measurable risk reduction. Without these elements, even technically sound assessments yield minimal defensive improvements.

Emergency brake trigger on Taiwan high-speed rail via TETRA signal spoofing

Updated: · First: 05.05.2026 20:34 · 📰 1 src / 1 article

A 23-year-old university student in Taiwan allegedly disabled emergency braking controls on four high-speed trains for 48 minutes on April 5, 2026, by spoofing TETRA radio signals. The attack leveraged software-defined radio (SDR) interception of 19-year-old TETRA parameters, handheld radio cloning, and impersonation of legitimate beacons to transmit a high-priority "General Alarm" signal, activating emergency brakes. The incident disrupted a critical 350 km coastal corridor serving 81.8 million annual passengers and prompted an investigation into long-unrotated TETRA configurations and verification layers.

Mass phishing campaign abuses fake compliance notifications to harvest Microsoft credentials via AiTM

Updated: · First: 05.05.2026 19:00 · 📰 1 src / 1 article

A large-scale phishing campaign targeted over 35,000 users across 13,000 organizations on April 15–16, 2026, using forged internal compliance emails to harvest Microsoft credentials via adversary-in-the-middle (AiTM) techniques. The attack leveraged polished, enterprise-style HTML templates that mimicked legitimate internal communications, including preemptive authenticity claims and organization-specific references to increase credibility. Targets in 26 countries were affected, with a primary focus on US firms. The campaign employed urgent, time-bound prompts and fake PDF attachments with links to phishing pages protected by Cloudflare CAPTCHAs to evade detection and sandboxing.

ScarCruft (APT37) Expands Tactics with Ruby Jumper Campaign Targeting Air-Gapped Networks

Updated: 05.05.2026 18:00 · First: 14.08.2025 03:00 · 📰 26 src / 29 articles

The **ScarCruft (APT37) Ruby Jumper campaign** and its broader espionage operations continue to evolve, with the group now deploying an **Android variant of the BirdCall backdoor** via a **supply-chain attack on sqgame[.]net**, a Chinese gaming platform targeting Koreans in the **Yanbian region**—a transit hub for North Korean defectors. This marks ScarCruft’s first documented use of **mobile malware in a supply-chain context**, expanding its targeting beyond Windows systems to include **Android devices used by high-risk populations**. The Android BirdCall variant (internally named **'zhuagou'**) collects **geolocation data, contact lists, SMS/call logs, device metadata, and files of interest** (e.g., documents, audio recordings, certificates), while also **recording ambient audio during evening hours** (7 pm–10 pm local time) and using **anti-suspension techniques** (e.g., silent MP3 loops) to evade detection. The malware leverages **Zoho WorkDrive for C2**, with **12 separate accounts identified** in this campaign, aligning with the group’s broader abuse of legitimate cloud services. Earlier campaigns, such as **Ruby Jumper (December 2025–February 2026)**, demonstrated ScarCruft’s focus on **air-gapped network breaches** via **USB-based implants (THUMBSBD, VIRUSTASK)** and **cloud-abused C2 (Zoho WorkDrive)**, alongside **multi-stage infection chains** combining LNK files, PowerShell scripts, and Ruby runtime manipulation. The **supply-chain compromise of sqgame[.]net**—first observed in **late 2024**—involved **poisoned APKs** (`ybht.apk`, `sqybhs.apk`) and a **trojanized Windows DLL** (delivered via an update package) that deployed RokRAT as a precursor to BirdCall. This campaign underscores ScarCruft’s **adaptive tradecraft**, blending **supply-chain compromise with mobile surveillance** to exploit geopolitically sensitive targets. The **iOS game on the platform remained uncompromised**, likely due to Apple’s stringent review process.

Adversary-in-the-Middle Phishing Campaign Leveraging Compliance-Themed Lures Targets US Organizations

Updated: · First: 05.05.2026 17:45 · 📰 1 src / 1 article

A large-scale adversary-in-the-middle (AiTM) phishing campaign has targeted organizations in the United States and globally between April 14 and 16, 2026, using compliance-themed lures such as 'code of conduct review' to trick recipients into accessing malicious links. The campaign delivered over 35,000 phishing attempts across approximately 13,000 organizations in 26 countries, with 92% of targets located in the U.S. Sectors heavily impacted include healthcare and life sciences, financial services, professional services, technology, and software. The attack chain uses legitimate email delivery infrastructure, including cloud-hosted Windows virtual machines, and attacker-controlled domains to distribute PDF attachments that redirect victims through Cloudflare CAPTCHA pages to bypass automated analysis. Victims are ultimately prompted to enter credentials, enabling real-time interception of authentication tokens via AiTM phishing despite MFA protections.

FTC Enforcement Action Bans Kochava from Selling Precise Location Data Without Explicit Consent

Updated: · First: 05.05.2026 17:39 · 📰 1 src / 1 article

The U.S. Federal Trade Commission (FTC) has moved to prohibit Idaho-based data broker Kochava and its subsidiary Collective Data Solutions (CDS) from selling or licensing precise geolocation data without consumers’ affirmative express consent, following a near-four-year legal dispute initiated in August 2022. Under the proposed order filed in the U.S. District Court for the District of Idaho, Kochava must implement safeguards including a sensitive location data program, supplier consent verification, consumer access and consent withdrawal mechanisms, third-party misuse reporting, and a data retention and deletion schedule. The order, if approved, will have the force of law and introduces significant operational restrictions on the company’s data brokerage activities.

End-Of-Life Software Blind Spots in CVE Ecosystem Expose Organizations to Unmonitored Vulnerabilities

Updated: 05.05.2026 17:00 · First: 05.05.2026 17:00 · 📰 2 src / 2 articles

Security teams remain unaware that end-of-life (EOL) open source software versions are systematically excluded from CVE investigations and scanner alerts due to investigative and scale limitations within the vulnerability disclosure ecosystem. The CVE ecosystem’s focus on supported versions creates a blind spot where EOL versions—often still present in enterprise environments—receive no official scrutiny, even when affected by disclosed vulnerabilities. Maintenance capacity constraints, driven by a doubling of global CVE volume in five years and a 37x surge in unscored CVEs, force maintainers to prioritize supported releases, leaving older versions uninvestigated. Approximately 80% of new CVEs affecting supported versions are later found to also impact EOL versions, yet these are not reflected in advisories. Public EOL data sources like endoflife.date track only ~7,000 EOL versions across 350 projects, while Sonatype and HeroDevs analysis reveals over 5.4 million EOL versions across major package registries, with 5–15% of enterprise dependency graphs containing EOL components. This exposure gap is exacerbated by AI-driven vulnerability research, which accelerates discovery of flaws in unsupported codebases but does not close the investigative gap for EOL software, further widening the risk for abandoned codebases.

Supply Chain Attack on Drift via OAuth Token Theft

Updated: 05.05.2026 14:58 · First: 08.09.2025 13:02 · 📰 2 src / 2 articles

A supply chain attack targeted the Drift chatbot, a marketing software-as-a-service product owned by Salesloft, resulting in the mass theft of OAuth tokens from multiple companies. Salesloft took Drift offline on September 5, 2025, to review and enhance security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data, with evidence now confirming over 700 organizations were impacted. The attack demonstrated that OAuth grants can be weaponized even when the app and token were initially legitimate, underscoring the risks of third-party integrations and the need for robust, continuous monitoring of OAuth behavior. The incident revealed that the attacker bypassed MFA entirely by presenting a legitimate OAuth token already granted to Drift, accessing Salesforce data without logging in. This approach allowed UNC6395 to systematically export data and search for credentials such as AWS access keys, Snowflake tokens, and passwords across affected organizations. The full scope of the breach is still being assessed, but the attack structure serves as a warning: trusting an app at installation does not guarantee its ongoing trustworthiness, and OAuth grants require active, continuous monitoring rather than passive acceptance. Security teams are now urged to adopt tools that provide visibility into OAuth-connected applications, monitor their behavior over time, and enable rapid response to mitigate risks.

Legacy of USB-based social engineering penetration tests and evolution of physical intrusion TTPs highlighted in 2006 credit union assessment

Updated: · First: 05.05.2026 14:56 · 📰 1 src / 1 article

In 2006, a penetration test targeting a credit union achieved a 75% success rate by deploying unmarked USB drives in employee parking lots, leading to covert network compromise via embedded malware. The engagement, later chronicled in a viral Dark Reading column, demonstrated the effectiveness of human curiosity and social engineering over technical sophistication, catalyzing widespread adoption of USB-based red teaming and user awareness programs. The test underscored systemic failures in endpoint security and user behavior, prompting organizations to implement policies restricting removable media usage and enhance security awareness training.

Critical unauthenticated RCE flaws in MetInfo and Weaver E-cology exploited in the wild

Updated: 05.05.2026 14:56 · First: 05.05.2026 12:27 · 📰 2 src / 2 articles

Threat actors are exploiting two critical unauthenticated remote code execution (RCE) vulnerabilities in widely deployed enterprise software: MetInfo CMS (CVE-2026-29014, CVSS 9.8) and Weaver E-cology (CVE-2026-22679, CVSS 9.3). MetInfo exploitation has surged since May 1, 2026, focusing on approximately 2,000 internet-facing instances primarily in China, with initial activity detected on April 25 against honeypots in the U.S. and Singapore. The flaw stems from insufficient input sanitization in the Weixin API request path, enabling unauthenticated PHP code injection and full server compromise via crafted requests. Patches were released on April 7, 2026. Weaver E-cology exploitation continues via debug functionality abused for stateless command execution, observed within a week of patches released March 12, 2026.

Google raises Android and Chrome bug bounty rewards with tiered incentives for high-difficulty exploits

Updated: · First: 05.05.2026 14:24 · 📰 1 src / 1 article

Google has restructured its Android and Chrome vulnerability reward programs to prioritize high-difficulty, high-impact exploits, offering bounties of up to $1.5 million for specific attack chains while reducing payouts for exploits that AI-assisted tools can more easily identify. The most lucrative rewards go to full-chain, zero-click exploits against the Titan M2 security chip in Pixel devices, with persistence increasing the payout potential. Chrome’s program now offers up to $250,000 for full-chain browser exploits, with an additional $250,128 bonus for exploiting MiraclePtr-protected memory allocations. The changes reflect advances in automated bug discovery and analysis, shifting the focus toward exploits that require advanced technical skill to develop.

Remote code execution flaws patched in Apache HTTP Server and MINA frameworks

Updated: · First: 05.05.2026 14:19 · 📰 1 src / 1 article

Apache released security updates on May 5, 2026 addressing multiple vulnerabilities across Apache HTTP Server 2.4.67 and MINA 2.2.7/2.1.12, including critical and high-severity issues enabling remote code execution (RCE), denial-of-service (DoS), information disclosure, and authentication bypass. The HTTP Server patch addresses 11 vulnerabilities, with five enabling code execution or DoS conditions and four allowing information disclosure. The MINA update resolves two critical-sequence flaws stemming from incomplete fixes in prior releases, requiring explicit class allowlisting for the ObjectSerializationDecoder to prevent insecure deserialization attacks.

Organizations Lag in AI Governance as Shadow AI and AI-Powered Threats Expand Attack Surface

Updated: · First: 05.05.2026 14:10 · 📰 1 src / 1 article

A survey of 3,400 digital trust professionals reveals widespread adoption of AI tools in organizations with insufficient governance controls. Fewer than half (38%) have formal AI policies, while 25% lack any AI policy. Shadow AI usage risks exposing sensitive data to unmanaged large language models (LLMs), and 56% of respondents cannot estimate the time required to halt AI systems during a security incident. AI-powered cyber threats—particularly phishing, social engineering, and misinformation—are perceived as harder to detect and authenticate, with 71% reporting increased difficulty in identifying such attacks. Only 20% of organizations have processes to override malicious or compromised AI systems, and 43% acknowledge AI-based cybersecurity tools have improved detection capabilities, but governance gaps persist despite escalating risks.

Widespread Security Misconfigurations Disclosed in Self-Hosted AI Infrastructure Exposing Millions of Hosts

Updated: · First: 05.05.2026 13:30 · 📰 1 src / 1 article

A security analysis of over 1 million exposed AI services across 2 million hosts revealed systemic security failures in self-hosted large language model (LLM) infrastructure. Default deployments lacked authentication, exposing sensitive user data, chatbot conversations, and internal business logic. Instances of credential leaks, plaintext API keys, and unsecured agent management platforms were identified across government, marketing, and finance sectors. Unauthenticated Ollama APIs (31% of 5,200+ tested) enabled potential abuse of frontier models without accountability. Analysis confirmed insecure defaults, arbitrary code execution vulnerabilities, and inadequate sandboxing practices. The findings indicate that rapid AI adoption has outpaced security controls, with self-hosted AI tools exhibiting higher exposure risks than other software categories analyzed.

Karakurt extortion negotiator Deniss Zolotarjovs sentenced to 8.5 years in U.S. prison

Updated: · First: 05.05.2026 13:13 · 📰 1 src / 1 article

Deniss Zolotarjovs, a Latvian national extradited to the U.S., was sentenced to 8.5 years in prison for his role as a "cold case" negotiator within the Russian Karakurt extortion group. Zolotarjovs orchestrated extortion efforts against U.S. organizations, including a government entity whose 911 system was disrupted, and leveraged stolen personal and health data to coerce ransom payments. His activities contributed to an estimated $56+ million in losses across 54 victim companies, with ransom payments totaling $13+ million from an additional 41 victims.

CloudZ RAT leverages Microsoft Phone Link to intercept SMS and OTPs via Pheno plugin

Updated: · First: 05.05.2026 13:03 · 📰 1 src / 1 article

A newly identified CloudZ remote access trojan (RAT) variant deploys a malicious plugin named Pheno that exploits Microsoft Phone Link on Windows 10/11 systems to intercept SMS messages and one-time passwords (OTPs) from paired Android or iOS devices without requiring direct compromise of the mobile endpoint. The intrusion has been active since at least January 2026 and is designed to harvest credentials and temporary authentication codes delivered via SMS or authenticator app notifications. The attack abuses Microsoft Phone Link’s local SQLite database and session monitoring to exfiltrate sensitive data via the compromised Windows host.

Anticipated AI-driven surge in software patching prompts operational readiness calls

Updated: · First: 05.05.2026 12:40 · 📰 1 src / 1 article

The UK National Cyber Security Centre (NCSC) has warned organizations of an imminent “patch wave” driven by AI-powered vulnerability discovery tools, potentially forcing rapid remediation of long-standing technical debt across software supply chains. Vendors are actively using restricted AI systems (e.g., Anthropic’s Mythos Preview, OpenAI’s GPT-5.4) to identify and remediate vulnerabilities in proprietary and open-source software, with disclosure and patching expected to surge once access is broadened. Threat actors are also anticipated to leverage similar capabilities, increasing exploitation pressure. Impact is expected to strain patch management processes, especially for perimeter, cloud, and on-premises systems, with knock-on effects for critical infrastructure. The NCSC emphasizes prioritizing external attack surfaces, enabling automation, and replacing end-of-life systems where patches are unavailable.

Unauthorized access to Trellix source code repository confirmed

Updated: 05.05.2026 11:55 · First: 02.05.2026 09:41 · 📰 2 src / 2 articles

Trellix confirmed unauthorized access to a portion of its source code repository on May 4, 2026, engaging forensic experts and law enforcement while stating no evidence of exploitation or impact on source code release processes. Security experts warn that access to the source code could give threat actors a tactical roadmap to Trellix’s detection mechanisms, build paths, and potential weaknesses, enabling further supply chain attacks. The incident follows a pattern of recent attacks targeting security vendors and software supply chains, including compromises of vendors like Aqua Security and Checkmarx via the Trivy supply chain attack, which exposed enterprise secrets and involved collaborations between groups like TeamPCP and Lapsus$ for monetization and ransomware deployment.