
News Summary

Last updated: 08:30 07/05/2026 UTC
  • ScarCruft (APT37) Expands Tactics with Ruby Jumper Campaign Targeting Air-Gapped Networks The ScarCruft (APT37) Ruby Jumper campaign and its broader espionage operations continue to evolve, with the group now deploying an Android variant of the BirdCall backdoor via a supply-chain attack on sqgame[.]net, a Chinese gaming platform targeting Koreans in the Yanbian region—a transit hub for North Korean defectors. This marks ScarCruft’s first documented use of mobile malware in a supply-chain context, expanding its targeting beyond Windows systems to include Android devices used by high-risk populations. The Android BirdCall variant (internally named 'zhuagou') collects geolocation data, contact lists, SMS/call logs, device metadata, and files of interest (e.g., documents, audio recordings, certificates), while also recording ambient audio during evening hours (7 pm–10 pm local time) and using anti-suspension techniques (e.g., silent MP3 loops) to evade detection. The malware leverages Zoho WorkDrive for C2, with 12 separate accounts identified in this campaign, aligning with the group’s broader abuse of legitimate cloud services. Earlier campaigns, such as Ruby Jumper (December 2025–February 2026), demonstrated ScarCruft’s focus on air-gapped network breaches via USB-based implants (THUMBSBD, VIRUSTASK) and cloud-abused C2 (Zoho WorkDrive), alongside multi-stage infection chains combining LNK files, PowerShell scripts, and Ruby runtime manipulation. The supply-chain compromise of sqgame[.]net—first observed in late 2024—involved poisoned APKs (`ybht.apk`, `sqybhs.apk`) and a trojanized Windows DLL (delivered via an update package) that deployed RokRAT as a precursor to BirdCall. This campaign underscores ScarCruft’s adaptive tradecraft, blending supply-chain compromise with mobile surveillance to exploit geopolitically sensitive targets. The iOS game on the platform remained uncompromised, likely due to Apple’s stringent review process. Read
  • MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities The MuddyWater threat actor, linked to Iran’s Ministry of Intelligence and Security (MOIS) and also known as Static Kitten, Mango Sandstorm, and Seedworm, has continued to refine its global espionage campaigns by masquerading as ransomware operations to obscure state-sponsored activity. In early 2026, the group conducted an intrusion disguised as a Chaos ransomware attack, leveraging Microsoft Teams for social engineering to establish screen-sharing sessions, steal credentials, and deploy remote management tools like AnyDesk and DWAgent. The operation included extortion emails directing victims to a ransomware leak site, but no file-encrypting malware was deployed, confirming the use of ransomware-as-a-decoy tactics. The attackers deployed a custom RAT named Darkcomp (Game.exe), signed with a previously linked certificate, and dropped via a loader named ms_upd.exe. The backdoor features anti-analysis checks and supports 12 commands, including PowerShell execution and persistent shell access. Rapid7 researchers attribute the campaign to MuddyWater with moderate confidence, citing infrastructure overlap, code-signing certificates, and operational tradecraft. This follows a late 2025 incident where MuddyWater used Qilin ransomware for similar deception, suggesting an evolving pattern of false-flag operations to evade detection. Additionally, MuddyWater has been linked to a campaign targeting Omani government institutions, exfiltrating over 26,000 Ministry of Justice records, and pro-Iran-aligned hacktivist groups like Handala Hack have escalated activities, including leaking sensitive documents from the Port of Fujairah in the UAE. Earlier campaigns targeted over 100 organizations globally, including government entities, diplomatic missions, and telecommunications firms in the MENA region, using phishing emails with malicious Word documents to drop backdoors like Phoenix v4, MuddyViper, UDPGangster, and RustyWater. The group has also targeted Israeli sectors across academia, engineering, and local government, as well as US companies with backdoors such as Dindoor and Fakeset. The shift from PowerShell-based tools to Rust-based implants and now ransomware decoys underscores MuddyWater’s adaptability and focus on evading attribution while pursuing espionage objectives. Read
  • Unauthenticated RCE vulnerability in Palo Alto PAN-OS User-ID Authentication Portal under active exploitation A critical unauthenticated remote code execution (RCE) vulnerability in the Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300) remains under active exploitation, with new details on exposure and mitigation. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets to internet-exposed User-ID Authentication Portals. Palo Alto Networks confirms "limited exploitation" targeting systems with the portal exposed to untrusted networks, while Shadowserver reports over 5,800 online VM-Series instances exposed, primarily in Asia and North America. The company has not yet released official patches, which are scheduled to begin shipping on May 13, 2026; until then it urges customers to restrict portal access to trusted zones or disable the portal as a temporary mitigation. Read
  • Trojanized DAEMON Tools installers deliver multi-stage backdoor via signed software supply chain compromise DAEMON Tools installers distributed from the official website and digitally signed with legitimate developer certificates were trojanized to deliver a multi-stage malware payload from April 8, 2026, with three binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—modified to activate an implant on launch. Disc Soft Limited officially confirmed the attack on May 6, 2026, acknowledging unauthorized interference within its infrastructure, after releasing a malware-free version (DAEMON Tools Lite 12.6) on May 5, 2026. The compromised versions (12.5.0.2421 to 12.5.0.2434) contacted the C2 domain env-check.daemontools[.]cc to receive commands executed via cmd.exe, which downloaded and ran further payloads: a .NET reconnaissance tool (envchk.exe), a shellcode loader (cdg.exe), and a minimal backdoor capable of file exfiltration, command execution, and in-memory shellcode execution. Kaspersky telemetry observed several thousand infection attempts across over 100 countries, but second-stage backdoor delivery was highly targeted, with only a dozen hosts receiving follow-on malware. Infected systems receiving the backdoor belonged to organizations in the retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand, with one educational institution in Russia receiving the QUIC RAT payload. The backdoor supports multiple C2 protocols and process injection techniques, and the activity is attributed to a Chinese-speaking adversary. Read
  • Nexcorium Mirai variant leverages CVE-2024-3721 to compromise TBK DVRs and expand DDoS botnet operations A Mirai variant named Nexcorium is being actively deployed via CVE-2024-3721, a command injection vulnerability affecting TBK DVR-4104 and DVR-4216 devices, to establish a DDoS botnet. The malware exploits the flaw to drop a downloader that executes architecture-specific payloads, displays a message indicating takeover by "nexuscorp," and leverages hard-coded credentials for lateral movement via Telnet. Persistence is achieved through crontab and systemd services, with command-and-control (C2) communication awaiting DDoS attack instructions. The malware also includes an exploit for CVE-2017-17215 to target Huawei HG532 devices and deletes original binaries to hinder forensic analysis. Analysis by FortiGuard Labs confirms the multi-architecture infection process and identifies evidence in attack traffic pointing to a previously untracked threat actor group referred to as "Nexus Team," indicating potential attribution beyond earlier assumptions. Additionally, a separate Mirai-derived botnet, xlabs_v1, has been observed exploiting exposed Android Debug Bridge (ADB) services on TCP port 5555 to compromise Android TV boxes, set-top boxes, smart TVs, and other IoT devices for DDoS-for-hire operations. The botnet implements a bandwidth-tiered pricing model and includes a "killer" subsystem to terminate competing malware, targeting consumer IoT and game servers. Read
  • Increase in Vercel-based phishing campaigns leveraging generative AI tools Low-skilled threat actors are increasingly abusing Vercel’s v0.dev generative AI platform to create sophisticated, brand-impersonating phishing pages, enabling high-fidelity social engineering attacks with minimal technical effort. Attackers exploit Vercel’s free-tier testing, low-cost pro tiers, integrated hosting, and cloud-based infrastructure to rapidly deploy and redeploy malicious sites that closely mimic legitimate brand landing pages, including Microsoft, Spotify, Adidas, Ferrari, Louis Vuitton, and Nike. The platform’s integration with third-party services such as Telegram, AWS, Stripe, and xAI further enhances operational flexibility and credential harvesting capabilities. Read
  • End-Of-Life Software Blind Spots in CVE Ecosystem Expose Organizations to Unmonitored Vulnerabilities Security teams remain unaware that end-of-life (EOL) open source software versions are systematically excluded from CVE investigations and scanner alerts due to investigative and scale limitations within the vulnerability disclosure ecosystem. The CVE ecosystem’s focus on supported versions creates a blind spot where EOL versions—often still present in enterprise environments—receive no official scrutiny, even when affected by disclosed vulnerabilities. Maintenance capacity constraints, driven by a doubling of global CVE volume in five years and a 37x surge in unscored CVEs, force maintainers to prioritize supported releases, leaving older versions uninvestigated. Approximately 80% of new CVEs affecting supported versions are later found to also impact EOL versions, yet these are not reflected in advisories. Public EOL data sources like endoflife.date track only ~7,000 EOL versions across 350 projects, while Sonatype and HeroDevs analysis reveals over 5.4 million EOL versions across major package registries, with 5–15% of enterprise dependency graphs containing EOL components. This exposure gap is exacerbated by AI-driven vulnerability research, which accelerates discovery of flaws in unsupported codebases but does not close the investigative gap for EOL software, further widening the risk for abandoned codebases. Read
Last updated: 09:15 07/05/2026 UTC
  • Unchecked AI Agent Deployments Drive Widespread Cybersecurity Incidents Across Enterprises A real-world incident demonstrates the catastrophic potential of unchecked AI agent deployments: an AI coding agent deleted a production database and all backups in nine seconds, causing immediate operational disruption for car rental companies. Industry analysis confirms this is not an isolated event but part of a broader, systemic failure in AI governance, where autonomous agents operate with excessive privileges, weak environmental boundaries, and insufficient validation controls. Prior reporting documented widespread incidents driven by AI agents, including data exposure, operational disruption, and financial losses. Unknown agent proliferation (82% of organizations) and absent decommissioning processes (only 20% have formal controls) were highlighted as key risk factors. Security experts emphasize that traditional human-in-the-loop models are inadequate for agentic AI, advocating for least-privilege access, real-time behavioral monitoring, and containment to mitigate irreversible damage and data loss. Read
  • TruffleNet Attack Campaign Targeting AWS Environments The TruffleNet attack campaign, initially documented in late 2025, continues to evolve with observed phishing campaigns leveraging Amazon SES to bypass security controls and execute business email compromise (BEC) attacks. Researchers report a surge in SES abuse tied to exposed AWS credentials in public repositories, enabling automated credential scanning via TruffleHog and large-scale phishing campaigns. Attackers craft convincing phishing emails with custom HTML templates and fabricated email threads to deceive victims, including fake DocuSign notifications and invoice scams targeting finance departments. Read
  • Sustained 63% annual increase in cyber-attacks against global education sector over 2023–2025 Between November 2023 and October 2025, cyber-attacks on schools and universities worldwide rose 63% year-over-year, driven by geopolitical tensions, ransomware, and hacktivism. Data breaches increased 73%, hacktivist activity 75%, and ransomware incidents 21% across 67 countries. Research-intensive institutions face targeted theft of AI, quantum, and advanced materials data, while hacktivist campaigns—including Iranian-affiliated actors—conduct DDoS, defacement, and data-leak operations. New data from the UK Cyber Security Breaches Survey 2025/2026 reveals a dramatic surge in cyber breaches among British educational institutions. In 2025/2026, 98% of higher education institutions reported breaches (up from 91%), 88% of further education colleges (up 3%), 73% of secondary schools (up 13%), and 4% of primary schools. The survey highlights phishing as the most prevalent threat, with severe consequences such as revenue loss reported by 5% of businesses. Amid stable national threat levels, small businesses regressed in cyber hygiene, and Cyber Essentials adoption stalled at 5%. Read
  • Supply Chain Attack on Drift via OAuth Token Theft A supply chain attack targeted the Drift chatbot, a marketing software-as-a-service product owned by Salesloft, resulting in the mass theft of OAuth tokens from multiple companies. Salesloft took Drift offline on September 5, 2025, to review and enhance security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data, with evidence now confirming over 700 organizations were impacted. The attack demonstrated that OAuth grants can be weaponized even when the app and token were initially legitimate, underscoring the risks of third-party integrations and the need for robust, continuous monitoring of OAuth behavior. The incident revealed that the attacker bypassed MFA entirely by presenting a legitimate OAuth token already granted to Drift, accessing Salesforce data without logging in. This approach allowed UNC6395 to systematically export data and search for credentials such as AWS access keys, Snowflake tokens, and passwords across affected organizations. The full scope of the breach is still being assessed, but the attack structure serves as a warning: trusting an app at installation does not guarantee its ongoing trustworthiness, and OAuth grants require active, continuous monitoring rather than passive acceptance. Security teams are now urged to adopt tools that provide visibility into OAuth-connected applications, monitor their behavior over time, and enable rapid response to mitigate risks. Read
  • Phishing-to-outage lifecycle focus of upcoming MSP cyber resilience webinar featuring Kaseya A live technical webinar scheduled for May 14, 2026, hosted by BleepingComputer in collaboration with Kaseya, will present advanced strategies for MSPs to integrate detection, response, and recovery to mitigate phishing-driven cyber incidents. The session will detail how AI-powered phishing, business email compromise, and ransomware campaigns increasingly bypass traditional controls by leveraging trusted SaaS platforms. It will emphasize that even when threats are detected, gaps between security and backup functions can escalate incidents into prolonged operational outages, significantly increasing risks of data theft, account takeover, and ransomware deployment. The webinar will also provide actionable tactics for combining prevention, detection, and rapid recovery to maintain client uptime and operational continuity. Read

Latest updates


Windows Beagle backdoor deployed via trojanized Claude AI relay installer

First: 07.05.2026 13:02 · 📰 1 src / 1 article

A malicious installer masquerading as the "Claude-Pro Relay" for the popular Claude AI platform delivers a previously undocumented Windows backdoor named Beagle via a multi-stage malware chain leveraging DonutLoader and PlugX techniques. The campaign targets users searching for AI development tools by impersonating the official Claude website at a lookalike domain (claude-pro[.]com), where a 505MB ZIP archive named 'Claude-Pro-windows-x64.zip' pretends to be a legitimate MSI installer. Execution results in persistence via three files added to the Windows Startup folder and final in-memory deployment of the Beagle backdoor, which communicates with a command-and-control server over ports 443 (TCP) and 8080 (UDP) using AES encryption.

ZiChatBot malware delivered via compromised PyPI packages leveraging Zulip APIs as C2

First: 07.05.2026 12:20 · 📰 1 src / 1 article

Three malicious Python packages uploaded to PyPI between July 16–22, 2025 delivered a previously undocumented malware family, ZiChatBot, on Windows and Linux systems using Zulip REST APIs as a covert command-and-control channel. The attack bypassed traditional C2 infrastructure by abusing public chat platform APIs and exhibited code similarities to a dropper previously attributed to the OceanLotus (APT32) group, suggesting expansion of the actor’s supply chain tactics.

Increase in Vercel-based phishing campaigns leveraging generative AI tools

First: 07.05.2026 11:30 · 📰 1 src / 1 article

Low-skilled threat actors are increasingly abusing Vercel’s v0.dev generative AI platform to create sophisticated, brand-impersonating phishing pages, enabling high-fidelity social engineering attacks with minimal technical effort. Attackers exploit Vercel’s free-tier testing, low-cost pro tiers, integrated hosting, and cloud-based infrastructure to rapidly deploy and redeploy malicious sites that closely mimic legitimate brand landing pages, including Microsoft, Spotify, Adidas, Ferrari, Louis Vuitton, and Nike. The platform’s integration with third-party services such as Telegram, AWS, Stripe, and xAI further enhances operational flexibility and credential harvesting capabilities.

Critical sandbox escape flaw in vm2 NodeJS library

Updated: 07.05.2026 07:15 · First: 27.01.2026 18:35 · 📰 4 src / 4 articles

A critical-severity vulnerability (CVE-2026-22709) in the vm2 Node.js sandbox library allows escaping the sandbox and executing arbitrary code on the host system. The flaw arises from improper sanitization of Promises and affects multiple versions. It has been followed by the recently disclosed CVE-2026-26956, which exploits WebAssembly exception handling in Node.js 25 environments to bypass vm2's security defenses. The discovery of a dozen additional critical vulnerabilities in vm2—including CVE-2026-24118, CVE-2026-24120, CVE-2026-24781, CVE-2026-26332, CVE-2026-43997, CVE-2026-43999, CVE-2026-44005, CVE-2026-44006, CVE-2026-44007, CVE-2026-44008, and CVE-2026-44009—further demonstrates the persistent difficulty of securely isolating untrusted JavaScript code. All of these vulnerabilities enable sandbox escape with arbitrary code execution and carry CVSS scores between 9.1 and 10.0. Users are advised to upgrade to vm2 version 3.11.2 (or later) to mitigate risks; the maintainer acknowledges that future bypasses are likely and recommends considering alternatives such as isolated-vm for stronger isolation.

Adversary-in-the-Middle phishing campaign leveraging Google Ads targets ManageWP credentials

First: 07.05.2026 00:36 · 📰 1 src / 1 article

A phishing campaign is abusing Google sponsored search results to deliver adversary-in-the-middle (AiTM) phishing pages targeting credentials for ManageWP, GoDaddy’s remote WordPress administration platform. Threat actors proxy victim interactions in real time between the fake login page and the legitimate ManageWP service, capturing credentials and 2FA codes via a Telegram-controlled channel. The campaign is designed as an interactive, operator-driven framework rather than a commoditized phishing kit. Targeted users include developers and agencies managing WordPress fleets, with compromised accounts potentially granting access to hundreds of sites per victim. The campaign has impacted at least 200 unique victims to date, according to Guardio Labs.

Nexcorium Mirai variant leverages CVE-2024-3721 to compromise TBK DVRs and expand DDoS botnet operations

Updated: 06.05.2026 23:21 · First: 18.04.2026 09:01 · 📰 3 src / 3 articles

A Mirai variant named Nexcorium is being actively deployed via CVE-2024-3721, a command injection vulnerability affecting TBK DVR-4104 and DVR-4216 devices, to establish a DDoS botnet. The malware exploits the flaw to drop a downloader that executes architecture-specific payloads, displays a message indicating takeover by "nexuscorp," and leverages hard-coded credentials for lateral movement via Telnet. Persistence is achieved through crontab and systemd services, with command-and-control (C2) communication awaiting DDoS attack instructions. The malware also includes an exploit for CVE-2017-17215 to target Huawei HG532 devices and deletes original binaries to hinder forensic analysis. Analysis by FortiGuard Labs confirms the multi-architecture infection process and identifies evidence in attack traffic pointing to a previously untracked threat actor group referred to as "Nexus Team," indicating potential attribution beyond earlier assumptions. Additionally, a separate Mirai-derived botnet, xlabs_v1, has been observed exploiting exposed Android Debug Bridge (ADB) services on TCP port 5555 to compromise Android TV boxes, set-top boxes, smart TVs, and other IoT devices for DDoS-for-hire operations. The botnet implements a bandwidth-tiered pricing model and includes a "killer" subsystem to terminate competing malware, targeting consumer IoT and game servers.

Cisco CNC and NSO DoS flaw CVE-2026-20188 triggers manual reboot requirement

First: 06.05.2026 21:06 · 📰 1 src / 1 article

Cisco disclosed and patched a high-severity denial-of-service (DoS) vulnerability, CVE-2026-20188, in Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO) from which the only recovery is a manual system reboot. Unauthenticated remote attackers can exploit the flaw because of insufficient rate limiting on incoming connections, causing resource exhaustion and unresponsiveness in unpatched CNC/NSO deployments. The impact includes disruption of network management and orchestration services for the large enterprises and service providers that rely on these platforms. No active exploitation had been observed at the time of disclosure, but manual intervention remains necessary to restore functionality on affected systems.

Trojanized DAEMON Tools installers deliver multi-stage backdoor via signed software supply chain compromise

Updated: 06.05.2026 19:43 · First: 05.05.2026 19:07 · 📰 3 src / 3 articles

DAEMON Tools installers distributed from the official website and digitally signed with legitimate developer certificates were trojanized to deliver a multi-stage malware payload from April 8, 2026, with three binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—modified to activate an implant on launch. Disc Soft Limited officially confirmed the attack on May 6, 2026, acknowledging unauthorized interference within its infrastructure, after releasing a malware-free version (DAEMON Tools Lite 12.6) on May 5, 2026. The compromised versions (12.5.0.2421 to 12.5.0.2434) contacted the C2 domain env-check.daemontools[.]cc to receive commands executed via cmd.exe, which downloaded and ran further payloads: a .NET reconnaissance tool (envchk.exe), a shellcode loader (cdg.exe), and a minimal backdoor capable of file exfiltration, command execution, and in-memory shellcode execution. Kaspersky telemetry observed several thousand infection attempts across over 100 countries, but second-stage backdoor delivery was highly targeted, with only a dozen hosts receiving follow-on malware. Infected systems receiving the backdoor belonged to organizations in the retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand, with one educational institution in Russia receiving the QUIC RAT payload. The backdoor supports multiple C2 protocols and process injection techniques, and the activity is attributed to a Chinese-speaking adversary.

CloudZ RAT abuses Microsoft Phone Link via Pheno plugin for credential and OTP theft

Updated: 06.05.2026 18:00 · First: 06.05.2026 11:34 · 📰 2 src / 2 articles

Since at least January 2026, threat actors have abused the CloudZ RAT and custom Pheno plugin to hijack Microsoft Phone Link on Windows hosts, enabling credential and OTP theft by intercepting synchronized mobile data without mobile device compromise. The attack chain begins with a fake ScreenConnect executable delivering a Rust-compiled loader that deploys CloudZ via regasm.exe, establishing persistence via a scheduled task under the SYSTEM account. CloudZ includes 20+ commands for data theft and system control, while the Pheno plugin scans for active Phone Link sessions to harvest synchronized content from SQLite databases like PhoneExperiences-*.db. Cisco Talos has published IOCs and ClamAV signatures to aid detection. The intrusion leverages Phone Link’s desktop synchronization of SMS, call logs, and notifications over Wi-Fi/Bluetooth, exposing a critical gap in MFA defenses that focus solely on mobile endpoints. The malware employs anti-analysis techniques and retrieves secondary configuration from staging servers and Pastebin, rotating user-agent strings to blend with legitimate traffic. No attribution to a known threat actor has been made.

Modern ransomware campaigns systematically undermine backup infrastructure as part of attack lifecycle

First: 06.05.2026 17:04 · 📰 1 src / 1 article

Modern ransomware threat actors integrate backup system targeting into their attack chains, compromising recovery infrastructure before payload deployment. Attackers follow a deliberate sequence—initial access, credential theft, lateral movement, backup discovery, backup destruction—then deploy ransomware when recovery options are eliminated. This operational shift makes traditional backup-focused defenses insufficient, as backup systems often operate without isolation, immutability, or access controls, becoming single points of failure during incidents. Ransomware attacks increased 50% year-over-year according to Acronis Cyberthreats Report H2 2025, highlighting the urgency for organizations to redesign backup and recovery architectures with resilience against active compromise.

CISA launches CI Fortify initiative to enhance critical infrastructure resilience against cyber threats

Updated: 06.05.2026 16:15 · First: 05.05.2026 15:00 · 📰 2 src / 2 articles

CISA’s CI Fortify initiative has expanded with detailed guidance for critical infrastructure (CI) operators to prepare for worst-case scenarios where third-party networks and upstream providers cannot be trusted and threat actors already have access to operational technology (OT) environments. The initiative now includes specific recommendations to identify critical customers, set service delivery targets, update business continuity plans for prolonged isolation, and collaborate with vendors to map dependencies. While welcomed by industry, experts caution that isolation alone is insufficient without layered control measures, and CISA emphasizes that adopting these capabilities enhances resilience against all disruptions, from cyber-attacks to physical events. The CI Fortify initiative was launched to bolster operational resilience across U.S. CI sectors, including water, energy, transportation, and communications. The framework prioritizes actionable steps such as developing isolation and recovery capabilities, testing manual and localized operations, and fostering collaboration with CISA to mitigate cyber threats. Acting Director Nick Andersen reinforced the urgency of implementation, framing CI Fortify as timely guidance to protect networks and critical services from threat actors aiming to degrade or disrupt infrastructure.

MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities

Updated: 06.05.2026 16:02 · First: 22.10.2025 18:00 · 📰 11 src / 20 articles

The MuddyWater threat actor, linked to Iran’s Ministry of Intelligence and Security (MOIS) and also known as Static Kitten, Mango Sandstorm, and Seedworm, has continued to refine its global espionage campaigns by masquerading as ransomware operations to obscure state-sponsored activity. In early 2026, the group conducted an intrusion disguised as a Chaos ransomware attack, leveraging Microsoft Teams for social engineering to establish screen-sharing sessions, steal credentials, and deploy remote management tools like AnyDesk and DWAgent. The operation included extortion emails directing victims to a ransomware leak site, but no file-encrypting malware was deployed, confirming the use of ransomware-as-a-decoy tactics. The attackers deployed a custom RAT named Darkcomp (Game.exe), signed with a previously linked certificate, and dropped via a loader named *ms_upd.exe*. The backdoor features anti-analysis checks and supports 12 commands, including PowerShell execution and persistent shell access. Rapid7 researchers attribute the campaign to MuddyWater with moderate confidence, citing infrastructure overlap, code-signing certificates, and operational tradecraft. This follows a late 2025 incident where MuddyWater used Qilin ransomware for similar deception, suggesting an evolving pattern of false-flag operations to evade detection. Additionally, MuddyWater has been linked to a campaign targeting Omani government institutions, exfiltrating over 26,000 Ministry of Justice records, and pro-Iran-aligned hacktivist groups like Handala Hack have escalated activities, including leaking sensitive documents from the Port of Fujairah in the UAE. Earlier campaigns targeted over 100 organizations globally, including government entities, diplomatic missions, and telecommunications firms in the MENA region, using phishing emails with malicious Word documents to drop backdoors like Phoenix v4, MuddyViper, UDPGangster, and RustyWater. The group has also targeted Israeli sectors across academia, engineering, and local government, as well as US companies with backdoors such as Dindoor and Fakeset. The shift from PowerShell-based tools to Rust-based implants and now ransomware decoys underscores MuddyWater’s adaptability and focus on evading attribution while pursuing espionage objectives.

Webinar announcement: Improving incident response workflows to prevent network incident escalation

Updated: · First: 06.05.2026 15:56 · 📰 1 src / 1 article

BleepingComputer will host a live webinar on June 2, 2026, at 12:00 PM ET titled "From alert to containment: Fixing the gaps in network incident response" featuring Edgar Ortiz from Tines. The session addresses why many network incidents escalate not due to missing alerts but because of breakdowns in incident response workflows, particularly during triage, alert enrichment, prioritization, and cross-system coordination. Organizations often rely on manual processes that delay containment and increase the risk of service disruptions when time-sensitive decisions are required.

Global 'Cybersecurity Stars Awards 2026' submissions now open for recognition in cybersecurity innovation and excellence

Updated: · First: 06.05.2026 15:03 · 📰 1 src / 1 article

The Hacker News has launched the global Cybersecurity Stars Awards 2026 to recognize undervalued excellence in cybersecurity across products, solutions, organizations, and professionals. Submissions are now open via an official portal for organizations, vendors, and individuals to apply for recognition in four categories: Cybersecurity Product/Service, Cybersecurity Industry Solution, Cybersecurity Company, and Cybersecurity Professional/Team. The initiative aims to provide credible visibility among CISOs, practitioners, and enterprise buyers, leveraging The Hacker News' established reputation for independent cybersecurity reporting. The submission deadline is May 15, 2026, with winners announced on May 26, 2026.

Unauthenticated RCE vulnerability in Palo Alto PAN-OS User-ID Authentication Portal under active exploitation

Updated: 06.05.2026 12:18 · First: 06.05.2026 09:14 · 📰 2 src / 2 articles

A critical unauthenticated remote code execution (RCE) vulnerability in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300) remains under active exploitation, with new details on exposure and mitigation. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets to internet-exposed User-ID Authentication Portals. Palo Alto Networks confirms "limited exploitation" targeting systems with the portal exposed to untrusted networks, while Shadowserver reports over 5,800 online VM-Series instances exposed, primarily in Asia and North America. Official patches are not yet available; their release is scheduled to begin May 13, 2026, and until then the company urges customers to restrict portal access to trusted zones or disable the portal as a temporary mitigation.

Android supply chain integrity strengthened with public Binary Transparency ledger for Google apps

Updated: · First: 06.05.2026 12:13 · 📰 1 src / 1 article

Google has implemented **expanded Binary Transparency for Android** to mitigate supply chain attacks by creating a public, cryptographic ledger that verifies the authenticity and integrity of official Google apps and OS modules. The system ensures that only intentionally released production software—distributed via legitimate channels—can be verified against a transparent log, addressing weaknesses in digital signature validation alone. Starting May 1, 2026, all new production Android applications (including Google Play Services, standalone apps, and Mainline OS modules) are required to have a verifiable entry in the ledger. This initiative directly counters binary supply chain threats, such as malicious code injection via compromised update channels or developer accounts, which retain valid digital signatures while altering intent.

Credential abuse surge driven by insider sales of corporate logins in UK enterprises

Updated: · First: 06.05.2026 11:40 · 📰 1 src / 1 article

A survey of 2,000 UK employees in organizations with 1,000+ staff found that 13% admitted selling corporate credentials in the past 12 months or knew someone who had, and that the share viewing the practice as justifiable rose sharply with seniority: 32% of senior managers, 36% of directors, 43% of C-suite executives, and 81% of business owners. Credential sales expose organizations to fraud, financial crime, and broader insider threats, compounded by the circulation of 2.9 billion compromised credentials globally in 2025, including 460,000 linked to FTSE100 employees and 28,000 captured in stealer logs.

Escalation of Cyber Operations in Gulf Region Amid Middle East Conflict

Updated: · First: 06.05.2026 08:30 · 📰 1 src / 1 article

Following the onset of military operations in the Middle East in early 2026, the United Arab Emirates (UAE) experienced a dramatic surge in cyberattack attempts, rising from a pre-conflict daily average of 90,000–200,000 breach attempts to 600,000–800,000 per day. The escalation reflects a shift from low-impact hacktivist campaigns to more sophisticated intrusion claims, with Gulf nations witnessing a 15x increase in cyber-relevant activity in the UAE, 25x in Saudi Arabia, and over 4x in Qatar. Cyber operations have become a key component of the broader conflict, with compromised IP cameras used for intelligence gathering and attacks targeting critical infrastructure and industrial systems. Defenders in the region have improved detection and blocking capabilities, raising the volume of detected attacks while reducing their operational impact. However, threat actors—including Iran-aligned groups, hacktivists, and opportunistic cybercriminals—are increasingly leveraging AI to scale operations, primarily through automated phishing and probing. The most critical threat remains the use of wiper malware, which has historically caused significant operational disruption in the region.

Quasar Linux (QLNX) multi-stage implant targeting developer environments with rootkit, backdoor, and credential-harvesting capabilities

Updated: · First: 06.05.2026 01:01 · 📰 1 src / 1 article

A previously undocumented Linux implant named Quasar Linux (QLNX) has been identified targeting software developers' systems in development and DevOps environments spanning npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX combines rootkit, backdoor, and credential-stealing capabilities to establish stealthy, fileless persistence and enable potential supply-chain attacks. The malware dynamically compiles rootkit shared objects and PAM backdoors on the target host using gcc, employs seven persistence mechanisms, and uses dual-layer stealth techniques, including userland LD_PRELOAD rootkits and kernel-level eBPF components, to evade detection. QLNX features a 58-command RAT core along with credential harvesting, surveillance, networking and lateral movement, process injection, and filesystem monitoring modules. Targeting developer workstations lets attackers bypass enterprise security controls and reach the credentials underpinning software delivery pipelines, mirroring tactics observed in recent supply-chain incidents.

Instructure breach claimed by ShinyHunters results in theft of 280 million records from 8,809 schools and universities

Updated: 06.05.2026 00:20 · First: 02.05.2026 02:43 · 📰 2 src / 2 articles

Instructure confirmed a cybersecurity incident conducted by a criminal threat actor and is investigating the impact with external forensic experts. The ShinyHunters extortion gang has claimed responsibility and alleges theft of 280 million records tied to students and staff from 8,809 educational institutions, publishing detailed impact lists per institution. Multiple universities have acknowledged awareness of the breach and initiated internal reviews.

Penetration test value erosion due to leadership gaps in scoping, remediation, and accountability

Updated: · First: 05.05.2026 21:36 · 📰 1 src / 1 article

Security leadership decisions made before and after a penetration test, rather than the testing itself, determine the operational value of the assessment. Misalignment on scope, objectives, and post-test remediation planning routinely reduces penetration tests to compliance exercises that fail to improve organizational defenses. Leadership failures in prioritization, resource allocation, and follow-up accountability undermine threat detection, response capabilities, and long-term security posture improvements. Effective security leaders ensure realistic, threat-intelligence-driven tests that simulate full attacker behavior, provide actionable remediation guidance, and translate findings into measurable risk reduction. Without these elements, even technically sound assessments yield minimal defensive improvements.

Emergency brake trigger on Taiwan high-speed rail via TETRA signal spoofing

Updated: · First: 05.05.2026 20:34 · 📰 1 src / 1 article

A 23-year-old university student in Taiwan allegedly disabled emergency braking controls on four high-speed trains for 48 minutes on April 5, 2026, by spoofing TETRA radio signals. The attack leveraged software-defined radio (SDR) interception of 19-year-old TETRA parameters, handheld radio cloning, and impersonation of legitimate beacons to transmit a high-priority "General Alarm" signal that activated the emergency brakes. The incident disrupted a critical 350 km coastal corridor serving 81.8 million annual passengers and prompted an investigation into long-unrotated TETRA configurations and the absence of verification layers.

Mass phishing campaign abuses fake compliance notifications to harvest Microsoft credentials via AiTM

Updated: · First: 05.05.2026 19:00 · 📰 1 src / 1 article

A large-scale phishing campaign targeted over 35,000 users across 13,000 organizations between April 15–16, 2026, using forged internal compliance emails to harvest Microsoft credentials via adversary-in-the-middle (AiTM) techniques. The attack leveraged polished, enterprise-style HTML templates that mimicked legitimate internal communications, including preemptive authenticity claims and organization-specific references to increase credibility. Targets in 26 countries were affected, with a primary focus on US firms. The campaign employed urgent, time-bound prompts and fake PDF attachments with links to phishing pages protected by Cloudflare CAPTCHAs to evade detection and sandboxing.

ScarCruft (APT37) Expands Tactics with Ruby Jumper Campaign Targeting Air-Gapped Networks

Updated: 05.05.2026 18:00 · First: 14.08.2025 03:00 · 📰 26 src / 29 articles

The **ScarCruft (APT37) Ruby Jumper campaign** and its broader espionage operations continue to evolve, with the group now deploying an **Android variant of the BirdCall backdoor** via a **supply-chain attack on sqgame[.]net**, a Chinese gaming platform targeting Koreans in the **Yanbian region**—a transit hub for North Korean defectors. This marks ScarCruft’s first documented use of **mobile malware in a supply-chain context**, expanding its targeting beyond Windows systems to include **Android devices used by high-risk populations**. The Android BirdCall variant (internally named **'zhuagou'**) collects **geolocation data, contact lists, SMS/call logs, device metadata, and files of interest** (e.g., documents, audio recordings, certificates), while also **recording ambient audio during evening hours** (7 pm–10 pm local time) and using **anti-suspension techniques** (e.g., silent MP3 loops) to evade detection. The malware leverages **Zoho WorkDrive for C2**, with **12 separate accounts identified** in this campaign, aligning with the group’s broader abuse of legitimate cloud services. Earlier campaigns, such as **Ruby Jumper (December 2025–February 2026)**, demonstrated ScarCruft’s focus on **air-gapped network breaches** via **USB-based implants (THUMBSBD, VIRUSTASK)** and **cloud-abused C2 (Zoho WorkDrive)**, alongside **multi-stage infection chains** combining LNK files, PowerShell scripts, and Ruby runtime manipulation. The **supply-chain compromise of sqgame[.]net**—first observed in **late 2024**—involved **poisoned APKs** (`ybht.apk`, `sqybhs.apk`) and a **trojanized Windows DLL** (delivered via an update package) that deployed RokRAT as a precursor to BirdCall. This campaign underscores ScarCruft’s **adaptive tradecraft**, blending **supply-chain compromise with mobile surveillance** to exploit geopolitically sensitive targets. The **iOS game on the platform remained uncompromised**, likely due to Apple’s stringent review process.

Adversary-in-the-Middle Phishing Campaign Leveraging Compliance-Themed Lures Targets US Organizations

Updated: · First: 05.05.2026 17:45 · 📰 1 src / 1 article

A large-scale adversary-in-the-middle (AiTM) phishing campaign has targeted organizations in the United States and globally between April 14 and 16, 2026, using compliance-themed lures such as 'code of conduct review' to trick recipients into accessing malicious links. The campaign delivered over 35,000 phishing attempts across approximately 13,000 organizations in 26 countries, with 92% of targets located in the U.S. Sectors heavily impacted include healthcare and life sciences, financial services, professional services, technology, and software. The attack chain uses legitimate email delivery infrastructure, including cloud-hosted Windows virtual machines, and attacker-controlled domains to distribute PDF attachments that redirect victims through Cloudflare CAPTCHA pages to bypass automated analysis. Victims are ultimately prompted to enter credentials, enabling real-time interception of authentication tokens via AiTM phishing despite MFA protections.

FTC Enforcement Action Bans Kochava from Selling Precise Location Data Without Explicit Consent

Updated: · First: 05.05.2026 17:39 · 📰 1 src / 1 article

The U.S. Federal Trade Commission (FTC) has moved to prohibit Idaho-based data broker Kochava and its subsidiary Collective Data Solutions (CDS) from selling or licensing precise geolocation data without consumers’ affirmative express consent, following a near-four-year legal dispute initiated in August 2022. Under the proposed order filed in the U.S. District Court for the District of Idaho, Kochava must implement safeguards including a sensitive location data program, supplier consent verification, consumer access and consent withdrawal mechanisms, third-party misuse reporting, and a data retention and deletion schedule. The order, if approved, will have the force of law and introduces significant operational restrictions on the company’s data brokerage activities.

End-Of-Life Software Blind Spots in CVE Ecosystem Expose Organizations to Unmonitored Vulnerabilities

Updated: 05.05.2026 17:00 · First: 05.05.2026 17:00 · 📰 2 src / 2 articles

Security teams remain unaware that end-of-life (EOL) open source software versions are systematically excluded from CVE investigations and scanner alerts due to investigative and scale limitations within the vulnerability disclosure ecosystem. The CVE ecosystem’s focus on supported versions creates a blind spot where EOL versions—often still present in enterprise environments—receive no official scrutiny, even when affected by disclosed vulnerabilities. Maintenance capacity constraints, driven by a doubling of global CVE volume in five years and a 37x surge in unscored CVEs, force maintainers to prioritize supported releases, leaving older versions uninvestigated. Approximately 80% of new CVEs affecting supported versions are later found to also impact EOL versions, yet these are not reflected in advisories. Public EOL data sources like endoflife.date track only ~7,000 EOL versions across 350 projects, while Sonatype and HeroDevs analysis reveals over 5.4 million EOL versions across major package registries, with 5–15% of enterprise dependency graphs containing EOL components. This exposure gap is exacerbated by AI-driven vulnerability research, which accelerates discovery of flaws in unsupported codebases but does not close the investigative gap for EOL software, further widening the risk for abandoned codebases.

Supply Chain Attack on Drift via OAuth Token Theft

Updated: 05.05.2026 14:58 · First: 08.09.2025 13:02 · 📰 2 src / 2 articles

A supply chain attack targeted the Drift chatbot, a marketing software-as-a-service product owned by Salesloft, resulting in the mass theft of OAuth tokens from multiple companies. Salesloft took Drift offline on September 5, 2025, to review and enhance security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data, with evidence now confirming over 700 organizations were impacted. The attack demonstrated that OAuth grants can be weaponized even when the app and token were initially legitimate, underscoring the risks of third-party integrations and the need for robust, continuous monitoring of OAuth behavior. The incident revealed that the attacker bypassed MFA entirely by presenting a legitimate OAuth token already granted to Drift, accessing Salesforce data without logging in. This approach allowed UNC6395 to systematically export data and search for credentials such as AWS access keys, Snowflake tokens, and passwords across affected organizations. The full scope of the breach is still being assessed, but the attack structure serves as a warning: trusting an app at installation does not guarantee its ongoing trustworthiness, and OAuth grants require active, continuous monitoring rather than passive acceptance. Security teams are now urged to adopt tools that provide visibility into OAuth-connected applications, monitor their behavior over time, and enable rapid response to mitigate risks.

Legacy of USB-based social engineering penetration tests and evolution of physical intrusion TTPs highlighted in 2006 credit union assessment

Updated: · First: 05.05.2026 14:56 · 📰 1 src / 1 article

In 2006, a penetration test targeting a credit union achieved a 75% success rate by deploying unmarked USB drives in employee parking lots, leading to covert network compromise via embedded malware. The engagement, later chronicled in a viral Dark Reading column, demonstrated the effectiveness of human curiosity and social engineering over technical sophistication, catalyzing widespread adoption of USB-based red teaming and user awareness programs. The test underscored systemic failures in endpoint security and user behavior, prompting organizations to implement policies restricting removable media usage and enhance security awareness training.

Critical unauthenticated RCE flaws in MetInfo and Weaver E-cology exploited in the wild

Updated: 05.05.2026 14:56 · First: 05.05.2026 12:27 · 📰 2 src / 2 articles

Threat actors are exploiting two critical unauthenticated remote code execution (RCE) vulnerabilities in widely deployed enterprise software: MetInfo CMS (CVE-2026-29014, CVSS 9.8) and Weaver E-cology (CVE-2026-22679, CVSS 9.3). MetInfo exploitation has surged since May 1, 2026, focusing on approximately 2,000 internet-facing instances primarily in China, with initial activity detected on April 25 against honeypots in the U.S. and Singapore. The flaw stems from insufficient input sanitization in the Weixin API request path, enabling unauthenticated PHP code injection and full server compromise via crafted requests. Patches were released on April 7, 2026. Weaver E-cology exploitation continues via debug functionality abused for stateless command execution, observed within a week of patches released March 12, 2026.