Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Hide ▲
Last updated: 17:34 19/07/2026 UTC
  • Vulnerability H score 75 WordPress core pre-auth RCE flaw watchTowr says public PoC exploits for the WordPress wp2shell pre-auth RCE (CVE-2026-63030/CVE-2026-60137) are now seeing in-the-wild use, increasing urgency to patch to 6.9.5 or 7.0.2.
  • Campaign H score 79 ShinyHunters social engineering campaign targeting employee SSO accounts ShinyHunters’ ongoing vishing/SSO-compromise campaign targeting Microsoft Entra, Okta, and Google employee accounts advances the threat by turning a single login into access to multiple connected SaaS systems for extortion.
  • Campaign H score 33 HelloNet ViPNet update-abuse campaign targeting Russian organizations The HelloNet ViPNet update-abuse campaign adds an update-path persistence mechanism (wtsapi32.dll sideload via itcsrvup64.exe plus svchost.exe injection), broadening impact across Russian sectors including government-linked targets.
  • Security Tool/Service H score 76 Incode launches On-Device Age Estimation for local age checks Incode’s On-Device Age Estimation launch advances biometric privacy by keeping facial processing local (not transmitted or stored) while preserving liveness/age-verification controls.
  • Malware Activity H score 29 ACR Stealer enterprise infostealer surge An ACR Stealer enterprise infostealer surge increases credential and data-loss risk by targeting browser-stored passwords, tokens, cookies, and documents via ClickFix/WebDAV/MSHTA delivery chains for exfiltration.
  • Campaign H score 24 UAC-0145 / Sandworm ClickFix campaign targeting Ukrainian targets The UAC-0145 / Sandworm ClickFix campaign’s expansion to at least 10 compromised sites advances infection risk in Ukraine by using fake CAPTCHA flows and PowerShell execution to deliver malware and Android lures.
Last updated: 10:49 19/07/2026 UTC

Latest updates

Browse →

HelloInjector/HelloProxy malware activity in ViPNet update abuse

Malware Activity

Updated: 19.07.2026 17:23 · First: 19.07.2026 17:23 · 📰 1 src / 1 articles · H score: 23

The HelloInjector loader is running HelloProxy in memory and pulling additional modules from a C2 server, enabling expanded control over Windows hosts. The malware is delivered as wtsapi32.dll through the ViPNet Update System and sideloaded by itcsrvup64.exe at startup. It injects into svchost.exe to gain elevated privileges and persistence across reboots. The activity is part of HelloNet, which is targeting Russian organizations across multiple sectors.

HelloNet ViPNet update-abuse campaign targeting Russian organizations

Campaign

Updated: 19.07.2026 17:23 · First: 19.07.2026 17:23 · 📰 1 src / 1 articles · H score: 33

The HelloNet campaign is abusing the ViPNet update path to deliver malware to Russian organizations, including government agencies. Active since at least May, it plants wtsapi32.dll in the update directory so itcsrvup64.exe sideloads it at startup. The loader injects into svchost.exe to gain elevated privileges and persistence, then downloads follow-on modules from C2 servers. Impacted sectors include energy, transport, education, and logistics, while attribution to a Chinese-speaking APT remains low confidence.

UAC-0145 / Sandworm ClickFix campaign targeting Ukrainian targets

Campaign

Updated: 19.07.2026 16:30 · First: 19.07.2026 16:30 · 📰 1 src / 1 articles · H score: 24

A UAC-0145 / Sandworm campaign is using ClickFix fake CAPTCHA pages on compromised websites to push malware onto Ukrainian targets, widening infection risk across at least 10 sites. The operation relies on PowerShell execution, page cloaking, and EtherHiding to steer victims toward malicious downloads. It also extends to Android lures packaged as security tools and a backdoor that can collect contacts, files, and geolocation.

WordPress core pre-auth RCE flaw

Vulnerability

Updated: 18.07.2026 00:20 · First: 18.07.2026 00:20 · 📰 2 src / 2 articles · H score: 75

WordPress Core's wp2shell chain combines CVE-2026-63030 and CVE-2026-60137 into pre-authentication remote code execution on 6.9.x and 7.0.x installs. Public PoC exploits are now on GitHub, and watchTowr says it is already seeing in-the-wild exploitation after those exploits appeared. WordPress has fixed the issue in 6.9.5 and 7.0.2, enabled forced auto-updates for affected sites, and Cloudflare has deployed WAF protections for both flaws on proxied plans, including free accounts.

ACR Stealer enterprise infostealer surge

Malware Activity

Updated: 18.07.2026 17:17 · First: 18.07.2026 17:17 · 📰 1 src / 1 articles · H score: 29

ACR Stealer attacks surged against enterprise customers, putting browser-stored passwords, authentication tokens, cookies, and sensitive documents at risk. The malware used ClickFix, WebDAV, and MSHTA delivery chains to reach victims. The activity matters because it is built to collect browser credentials and corporate files for exfiltration.

Incode launches On-Device Age Estimation

Commercial Activity

Updated: 18.07.2026 16:15 · First: 18.07.2026 16:15 · 📰 1 src / 1 articles · H score: 74

Incode Technologies launched On-Device Age Estimation, shifting facial age checks to the user's phone, tablet, or laptop and keeping the face on the device. The product runs facial age estimation and passive liveness detection locally, while only the age-check result and non-biometric session data move onward. That design reduces exposure of biometric data and avoids transmitting or storing the face image. It also gives platforms a privacy-preserving way to meet age assurance requirements without centralizing sensitive identity data.

Incode acquires Identiq

Industry Action

Updated: 18.07.2026 16:15 · First: 18.07.2026 16:15 · 📰 1 src / 1 articles · H score: 70

Incode Technologies acquired Identiq, consolidating privacy-enhancing cryptographic anti-fraud collaboration capabilities under one cybersecurity vendor. The deal pairs the acquisition with a $100 million commitment to privacy-preserving identity infrastructure and expands Incode's fraud-prevention and age-verification stack. It strengthens a security-focused platform designed to reduce biometric exposure while improving cross-institution fraud intelligence.

Incode launches On-Device Age Estimation for local age checks

Security Tool/Service

Updated: 18.07.2026 16:15 · First: 18.07.2026 16:15 · 📰 1 src / 1 articles · H score: 76

Incode Technologies launched On-Device Age Estimation in July, moving facial age checks and liveness verification onto the user's phone, tablet, or laptop. The change reduces biometric exposure because the face is not transmitted or stored. The product preserves age-verification and anti-spoof controls while keeping the biometric processing local.

WordPress core pre-auth RCE patch bundle (6.9.5, 7.0.2)

Security Patch Release

Updated: 18.07.2026 00:20 · First: 18.07.2026 00:20 · 📰 1 src / 1 articles · H score: 60

WordPress shipped 6.9.5 and 7.0.2, closing a pre-auth RCE in core for 6.9.0-6.9.4 and 7.0.0-7.0.1 sites. The update bundle also enabled forced updates through the auto-update system. Unpatched installations face code-execution risk from an anonymous request even on a default install with no plugins.

ShinyHunters social engineering campaign targeting employee SSO accounts

Campaign

Updated: 17.07.2026 23:45 · First: 17.07.2026 23:45 · 📰 1 src / 1 articles · H score: 79

The ShinyHunters extortion gang is running an ongoing social engineering campaign against employee Microsoft Entra, Okta, and Google SSO accounts, creating a path into connected business systems. The group uses vishing and SSO compromise to reach SaaS platforms and steal data for extortion. The operation has been active since last year and has increasingly focused on medtech companies. A successful login can expose multiple downstream services, broadening the blast radius of a single account takeover.

Abbott Laboratories hit by network compromise

Incident

Updated: 17.07.2026 23:45 · First: 17.07.2026 23:45 · 📰 1 src / 1 articles · H score: 65

Abbott Laboratories confirmed a cyber incident involving unauthorized access to a limited number of internal systems in its Cancer Diagnostics business. The company said the event did not affect operations, products, manufacturing, lab operations, or its ability to serve patients, limiting the immediate business impact. The incident is important because it involved a named healthcare company and internal systems tied to a diagnostics unit, even though Abbott says broader systems were not affected.

SuccessKey ViteVenom ChainVeil supply-chain campaign targeting Vite developers

Campaign

Updated: 17.07.2026 21:54 · First: 17.07.2026 21:54 · 📰 1 src / 1 articles · H score: 8

The SuccessKey-linked ViteVenom campaign is targeting Vite developers with seven malicious npm packages and a blockchain-based C2 path that delivers a RAT. The operation matters because it uses typosquatted package names and public-chain infrastructure to make takedown and detection harder while enabling credential harvesting and file exfiltration.

ViteVenom malicious npm packages delivering blockchain-backed RAT

Malware Activity

Updated: 17.07.2026 21:54 · First: 17.07.2026 21:54 · 📰 1 src / 1 articles · H score: 3

A cluster of seven malicious npm packages has targeted the Vite frontend ecosystem, delivering a blockchain-backed RAT loader that can harvest credentials and exfiltrate files. The packages were published between June 29 and July 3, 2026, while linked activity was detected back to February 27, 2026. The operation uses a four-tier C2 chain across Tron, Aptos, and Binance Smart Chain to hide payload pointers on public blockchains. The loader runs at import time, reducing detection opportunities and enabling persistent backdoor injection on developer systems.

OpenSSL servers HollowByte DoS denial-of-service flaw

Vulnerability

Updated: 17.07.2026 20:56 · First: 17.07.2026 20:56 · 📰 2 src / 2 articles · H score: 28

HollowByte is a new OpenSSL DoS flaw that lets unauthenticated attackers exhaust memory on affected servers with an 11-byte payload. The bug affects server-side TLS handshake handling, where OpenSSL trusts a declared message size before validating the incoming body. OpenSSL has fixed and backported the issue to 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, and operators are being urged to upgrade immediately.

OpenSSL HollowByte patch release

Security Patch Release

Updated: 17.07.2026 20:56 · First: 17.07.2026 20:56 · 📰 2 src / 2 articles · H score: 34

The OpenSSL team silently fixed HollowByte, a no-CVE DoS flaw in OpenSSL servers, and backported the patch to older releases. The fix lands in OpenSSL 4.0.1 and was also backported to 3.6.3, 3.5.7, 3.4.6, and 3.0.21. Organizations running OpenSSL-backed services should move to a fixed release because the bug can be triggered with a tiny 11-byte payload.

NadMesh botnet hunts exposed AI services for AWS keys and Kubernetes tokens

Malware Activity

Updated: 17.07.2026 20:12 · First: 17.07.2026 20:12 · 📰 1 src / 1 articles · H score: 25

The NadMesh botnet is actively hunting exposed AI services and stealing AWS keys and Kubernetes tokens, creating immediate cloud-account takeover risk. Its controller claims 3,811 unique AWS keys, showing the operation has already produced substantial loot. The targeting set includes ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio, plus exposed MCP, Docker, Jenkins, and Redis services. The activity matters because a single exposed host can yield cloud credentials, registry logins, and cluster access that extend far beyond the box itself.

NadMesh exposed AI services scanning campaign

Campaign

Updated: 17.07.2026 20:12 · First: 17.07.2026 20:12 · 📰 1 src / 1 articles · H score: 29

The NadMesh campaign is repeatedly resampling exposed ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio systems, keeping pressure on internet-facing AI and admin services. Its automated queueing and rescan logic raise the odds of credential theft and later abuse of whatever it finds. The operation is notable because it is not a one-pass scan; it keeps returning to the same high-value hosts and subnets. That sustained targeting broadens exposure across teams that deployed AI tooling before hardening it.

Ransomware targeting of government organizations rose to daily frequency in January-June 2026

Trend

Updated: 17.07.2026 18:00 · First: 17.07.2026 18:00 · 📰 1 src / 1 articles · H score: 39

Government organizations saw a sustained rise in ransomware during January-June 2026, reaching an average of one attack per day and increasing the risk of recurring disruption to public services. The measured total of 187 incidents was 13% higher than the prior half-year, showing a worsening trend rather than isolated events.

Ernst & Young third-party support ticket data leak involving client tax documents

Data Leak

Updated: 17.07.2026 17:55 · First: 17.07.2026 17:55 · 📰 1 src / 1 articles · H score: 30

Ernst & Young disclosed a data breach after an unauthorized third party accessed a third-party support ticket system used by its IT personnel and downloaded documents that may contain client tax, personal, and financial data. The exposure window ran from March 28 to April 12, with anomalous activity detected on April 23 and disclosure on July 17, 2026. EY says it secured the platform, removed the unauthorized access, and has no indication of misuse or further exposure. The leak matters because the compromised tickets may include sensitive records tied to tax filings and client identity data.

23AndMe hit by network compromise

Incident

Updated: 16.07.2026 16:47 · First: 16.07.2026 16:47 · 📰 2 src / 2 articles · H score: 55

23andMe disclosed a credential-stuffing breach that exposed data on 6.9 million customers, including genetic ancestry information. The unauthorized access ran from April 2023 to September 2023 before being disclosed in October 2023. The compromise turned account reuse into a large-scale privacy and identity risk, with stolen data later appearing for sale on the dark web.

European Commission DMA order on Google Android and Search access

Regulatory/Legal Action

Updated: 17.07.2026 14:44 · First: 17.07.2026 14:44 · 📰 1 src / 1 articles · H score: 28

The European Commission ordered Google to change Android assistant access and Search data-sharing terms under the Digital Markets Act, creating binding obligations across the EU. The decision expands rival AI assistants' reach into Android and requires anonymised Search data access for competitors. The order is enforceable now, with major implementation dates running into Android 18 and 1 August 2027.

Windows User Profile Service zero-day privilege-escalation flaw (LegacyHive)

Vulnerability

Updated: 17.07.2026 14:05 · First: 17.07.2026 14:05 · 📰 1 src / 1 articles · H score: 41

A public LegacyHive zero-day against Windows User Profile Service can escalate privileges on up-to-date Windows systems, creating admin-level compromise risk. The exploit appeared hours after Microsoft's July 2026 Patch Tuesday and has no CVE ID yet. Testing showed the flaw can let non-admin users alter the classes registry hive and trigger automatic code execution when an administrator logs in. The PoC was later modified to require extra credentials, but it still gives attackers a usable starting point for weaponization.

Armenia detains Aleksandr Ermakov on U.S. REvil extradition request

Law Enforcement

Updated: 17.07.2026 13:53 · First: 17.07.2026 13:53 · 📰 1 src / 1 articles · H score: 53

Armenia detained Aleksandr Ermakov on June 28 on a U.S. extradition request tied to a REvil ransomware case, keeping a cybercrime suspect in custody while his identity is disputed.

The Gentlemen ransomware gang's affiliate-driven rise to most-active RaaS operator

Threat Actor Meta

Updated: 17.07.2026 12:00 · First: 17.07.2026 12:00 · 📰 1 src / 1 articles · H score: 36

The Gentlemen ransomware gang became the most-active ransomware-as-a-service operator over a three-month period, overtaking Qilin with 300 incidents. Its rise is linked to aggressive affiliate recruitment and a pre-packaged intrusion kit that lowers operator skill requirements. The shift increases competitive pressure across the ransomware market and may pull affiliates away from rival crews.

ACR Stealer browser credential and document theft activity

Malware Activity

Updated: 17.07.2026 11:56 · First: 17.07.2026 11:56 · 📰 2 src / 2 articles · H score: 29

ACR Stealer is driving a surge of browser credential and document theft against enterprise customers. Microsoft said activity climbed from late April to mid-June 2026, with attackers using ClickFix, WebDAV, and MSHTA delivery chains to steal passwords, authentication tokens, cookies, session data, and Microsoft 365 documents. The malware archives collected data for exfiltration and can also target OneDrive and SharePoint content. Microsoft says the observed chains do not exploit a vulnerability and recommends blocking the loader paths and rotating exposed credentials and tokens.

DoNot Team Bangladesh military and defence espionage campaign

Campaign

Updated: 17.07.2026 11:46 · First: 17.07.2026 11:46 · 📰 1 src / 1 articles · H score: 38

A DoNot Team espionage campaign targeted Bangladesh's military and defence establishments, using spear-phishing RTF files to deliver a DLL implant and establish scheduled-task persistence. The operation relied on remote template injection, a VBA macro, and geofencing to deliver payloads only to intended victims. The implant disguised itself as OneDrive telemetry, profiled hosts, and beaconed to C2 over HTTPS, indicating a focused effort to maintain access and support intelligence collection.

GoSerpent malware activity targeting Southeast Asian entities

Malware Activity

Updated: 17.07.2026 11:46 · First: 17.07.2026 11:46 · 📰 1 src / 1 articles · H score: 26

GoSerpent is being used in cyber attacks against entities in Southeast Asia, with the activity focused on long-term access, intelligence gathering, and data exfiltration. The malware is aimed at government and diplomatic entities and can deploy follow-on tools for credential dumping and file collection. It also supports SOCKS5 proxying and remote access, helping operators hide traffic through compromised hosts. The toolset has expanded over time, with May 2026 activity adding new payloads for staged exfiltration.

U.S. prosecutors charge Chen and Zhang in investment-fraud money-laundering case

Law Enforcement

Updated: 17.07.2026 11:13 · First: 17.07.2026 11:13 · 📰 1 src / 1 articles · H score: 29

U.S. prosecutors charged Zhuoying Chen and Haojie Zhang in a cyber investment fraud money-laundering case, exposing a network that allegedly moved at least $43 million in stolen proceeds.

Microsoft SharePoint deserialization RCE (CVE-2026-58644)

Vulnerability

Updated: 17.07.2026 10:15 · First: 17.07.2026 10:15 · 📰 1 src / 1 articles · H score: 48

Microsoft SharePoint CVE-2026-58644 is a critical RCE now confirmed actively exploited in the wild, exposing SharePoint Server to remote code execution. Microsoft fixed the flaw in July 2026 Patch Tuesday after describing it as a deserialization of untrusted data issue. CISA added it to the KEV catalog and ordered federal agencies to patch it within three days.

CISA KEV directive for exploited SharePoint CVE-2026-58644

Public Sector Action

Updated: 17.07.2026 10:15 · First: 17.07.2026 10:15 · 📰 1 src / 1 articles · H score: 38

CISA added CVE-2026-58644 to its KEV catalog and ordered federal agencies to patch it within three days. The directive applies to an exploited Microsoft SharePoint remote code execution flaw and tightens remediation under BOD 26-04. The move accelerates federal response to a vulnerability with exploitation detected.