Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Last updated: 14:53 16/06/2026 UTC
  • Incident H score 93 PushEngage hit by cyberattack Awesome Motive remediated its marketing site and rotated all credentials, including a stolen CDN API key, after CDN-delivered malware targeting PushEngage/OptinMonster/TrustPulse created rogue WordPress admin access and backdoor persistence.
  • Exploitation Wave H score 49 Fortinet FortiSandbox multi-CVE exploitation wave Defused reported an active FortiSandbox exploitation wave in the past 24 hours across multiple critical CVEs, advancing the likelihood of near-term unauthenticated RCE/privilege escalation against unpatched appliances.
  • Data Leak H score 34 iRhythm patient data exfiltration from third-party business applications iRhythm Holdings disclosed a material data breach after exfiltrators stole patients’ personal and health information from third-party hosted business applications, moving the incident into confirmed breach/SEC reporting status.
  • Data Leak H score 82 Council of Europe ShinyHunters data leak claim ShinyHunters added the Council of Europe to its Tor leak site claiming 297GB+ of stolen data with a June 16 release deadline, escalating potential exposure of sensitive public- and employee-related records.
  • Incident H score 54 Adriatic Port Authority (Autorità di Sistema Portuale del hit by ransomware attack linked to Anubis The Adriatic Port Authority reported a ransomware breach tied to Anubis that disrupted Ancona port operations and exposed port records, increasing operational and safety-related risk from leaked contracts and safety plans.
  • Incident H score 51 Infinite Campus hit by data theft breach linked to ShinyHunters Infinite Campus disclosed a Salesforce data theft exposing 137,100+ school staff accounts linked to ShinyHunters, advancing breach confirmation with large-scale personally identifiable information.
Last updated: 11:36 16/06/2026 UTC
  • Incident H score 93 PushEngage hit by cyberattack Awesome Motive remediated its marketing site, migrated servers, and rotated the stolen CDN API key after an UpdraftPlus-driven CDN supply-chain compromise that led to tampered JavaScript, advancing incident containment for OptinMonster/TrustPulse/PushEngage-delivered attacks.
  • Case Case score 93 Awesome Motive WordPress Plugin Supply-Chain Compromise The Awesome Motive WordPress plugin supply-chain case was updated with the latest credential-rotation and CDN remediation steps following attackers’ CDN API key theft via a compromised UpdraftPlus environment, tightening response but leaving the initial access path unresolved.
  • Law Enforcement H score 63 FBI takedown of Outsider Enterprise phishing service The FBI takedown dismantled Outsider Enterprise’s Telegram-run phishing-as-a-service operation by seizing infrastructure and accounts, materially reducing ongoing SMS smishing and credential/card theft enabled by the network.
  • Campaign H score 89 PushEngage, OptinMonster, and TrustPulse CDN script-tampering campaign Awesome Motive reported mitigation action for the CDN script-tampering campaign—rotating the CDN API key and moving to a new marketing server—lowering risk that affected pages continue triggering rogue admin creation and backdoors.
  • Data Leak H score 82 Council of Europe ShinyHunters data leak claim ShinyHunters added the Council of Europe to its Tor leak site claiming 297GB+ of stolen data and a June 16 release deadline, escalating extortion pressure and potential downstream exposure for large-scale sensitive records.
  • Security Patch Release H score 79 Veeam security patch release for CVE-2026-44963 Veeam released security updates for CVE-2026-44963 to address remote code execution on domain-joined backup servers, advancing remediation for high-impact backup-infrastructure compromise risk.

Latest updates

UK under-16 social media age-check ban

Public Sector Action

Updated: 16.06.2026 17:38 · First: 16.06.2026 17:38 · 📰 1 src / 1 articles · H score: 25

The UK government announced a ban on under-16s using social media, requiring age checks for new accounts and tightening access to major platforms. The rollout is set for spring 2027, with regulations due before Christmas and Ofcom asked to study verification methods. New users will likely need to upload an ID or pass a facial age scan, while long-standing accounts are mostly grandfathered. The move pushes UK social media toward verified access and away from anonymous account creation.

FishMonger multi-country government espionage campaign

Campaign

Updated: 16.06.2026 17:30 · First: 16.06.2026 17:30 · 📰 1 src / 1 articles · H score: 33

FishMonger ran a multi-country espionage campaign against government bodies in Honduras, Taiwan, Thailand and Pakistan across 2023 and 2024. The activity points to a sustained public-sector collection effort rather than an isolated intrusion. The campaign matters because it shows repeated targeting across several jurisdictions using the same operator identity and backdoor-based access pattern.

GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning

Technical Analysis

Updated: 16.06.2026 17:17 · First: 16.06.2026 17:17 · 📰 1 src / 1 articles · H score: 23

GhostTree and GhostBranch use recursive NTFS junction loops to generate effectively unlimited paths, allowing files in the same folder to evade EDR and Windows Defender recursive scans.

FTC imposter-scam warning and Impersonation Rule enforcement

Public Sector Action

Updated: 16.06.2026 16:42 · First: 16.06.2026 16:42 · 📰 1 src / 1 articles · H score: 33

The FTC warned that Americans lost $3.5 billion to imposter scams in 2025, elevating a major public anti-fraud response around impersonation-driven theft. The agency tied the warning to its Impersonation Rule enforcement posture and said the fraud problem has continued to scale. The losses underscore how impersonation schemes are draining consumers through phone, text, email, social media, and search-based lures.

Rokarolla Android banking trojan activity

Malware Activity

Updated: 16.06.2026 16:15 · First: 16.06.2026 16:15 · 📰 2 src / 2 articles · H score: 27

The Rokarolla Android banking trojan is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fraud from banks. It targets 217 banking and cryptocurrency apps and uses 137 commands to manage calls, texts, overlays, and screenshots. The malware spreads through malicious sites posing as TikTok or Google Chrome, then abuses Accessibility Services and default SMS/call handling to isolate victims and suppress alerts.

CISA KEV order for FCEB agencies on LiteSpeed cPanel flaw

Public Sector Action

Updated: 16.06.2026 13:47 · First: 16.06.2026 13:47 · 📰 1 src / 1 articles · H score: 36

CISA added the LiteSpeed cPanel user-end plugin flaw to KEV and ordered Federal Civilian Executive Branch agencies to secure systems within three days under BOD 26-04. The action raises compliance urgency across the federal civilian footprint because the vulnerability is actively exploited and can lead to root escalation on affected shared hosting servers. Agencies are being pushed to treat the flaw as an immediate remediation item rather than a routine patch.

CISA KEV mitigation for LiteSpeed cPanel Plugin (CVE-2026-54420)

Advisory/Mitigation

Updated: 16.06.2026 08:41 · First: 16.06.2026 08:41 · 📰 2 src / 2 articles · H score: 38

CISA put CVE-2026-54420 in LiteSpeed cPanel Plugin on the KEV catalog, ordering FCEB agencies to apply fixes by June 18, 2026. The flaw is a CVSS 8.5 privilege-escalation issue that can turn FTP or web shell access into root on shared hosting servers running CloudLinux/CageFS. LiteSpeed says affected builds include LiteSpeed cPanel Plugin before 2.4.8 and LiteSpeed WHM Plugin before 5.3.2.0, with a fix in LiteSpeed WHM Plugin v5.3.2.1 bundled with cPanel plugin v2.4.8 or higher.

Fortinet FortiSandbox multi-CVE exploitation wave

Exploitation Wave

Updated: 16.06.2026 12:19 · First: 16.06.2026 12:19 · 📰 2 src / 2 articles · H score: 49

Fortinet FortiSandbox is facing an active exploitation wave that puts affected deployments at risk of unauthenticated remote code execution and privilege escalation. Defused said attackers are exploiting multiple critical vulnerabilities, including CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. The activity was observed during the past 24 hours, and Fortinet had already released fixes on April 14. Administrators need to move to the latest released versions to block incoming attacks.

FortiSandbox unauthenticated command injection (CVE-2026-25089)

Vulnerability

Updated: 16.06.2026 13:30 · First: 16.06.2026 13:30 · 📰 1 src / 1 articles · H score: 47

CVE-2026-25089 is an unauthenticated operating system command injection in FortiSandbox-related products that was seen in active exploitation over the past 24 hours. The flaw can let an attacker send crafted HTTP requests to execute unauthorized commands on exposed systems.

Fortinet security patch release for CVE-2026-39813

Security Patch Release

Updated: 16.06.2026 12:19 · First: 16.06.2026 12:19 · 📰 2 src / 2 articles · H score: 41

Fortinet released April 14 security updates for FortiSandbox, covering CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. The patch release fixes three critical vulnerabilities that can enable unauthenticated privilege escalation and remote code execution. Administrators must upgrade affected deployments to the latest released versions to block incoming attacks.

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity

Updated: 16.06.2026 13:18 · First: 16.06.2026 13:18 · 📰 2 src / 2 articles · H score: 29

Backdoor.Turn is a Go-based RAT now tied to covert command-and-control traffic hidden through Microsoft Teams TURN relay servers, creating a trusted-looking channel for remote access. Symantec says it is the first known in-the-wild malware to abuse this relay path. The activity was observed in December 2025 during an intrusion against a major U.S. services company. The malware's stealthy transport and post-exploitation features raise the risk of undetected compromise.

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident

Updated: 16.06.2026 13:18 · First: 16.06.2026 13:18 · 📰 2 src / 2 articles · H score: 38

A DragonForce ransomware incident hit a major U.S. services company in December 2025, with attackers maintaining access for up to two months and hiding command-and-control traffic in Microsoft Teams. Researchers said the intrusion used a Go-based RAT dubbed Backdoor.Turn to blend traffic into Teams relay infrastructure and a QUIC session, then added persistence by changing settings, creating accounts, and modifying firewall rules. The activity ended with data exfiltration and system encryption, and the initial foothold was likely through an SQL or MSSQL server flaw.

Earth Lusca Operation FishMedley espionage campaign

Campaign

Updated: 16.06.2026 12:44 · First: 16.06.2026 12:44 · 📰 1 src / 1 articles · H score: 38

A multi-country espionage campaign tied to Earth Lusca / FishMonger is now linked to Operation FishMedley, a January–October 2022 effort that reached seven organizations across Taiwan, Hungary, Turkey, Thailand, France, and the U.S. The campaign matters because it shows coordinated targeting across multiple countries rather than a single isolated intrusion. The operation also reinforces the group's repeatable access and follow-on activity against government and organizational targets.

ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance

Technical Analysis

Updated: 16.06.2026 12:00 · First: 16.06.2026 12:00 · 📰 3 src / 3 articles · H score: 34

ESET identified previously undocumented Windows variants of SprySOCKS, a backdoor attributed to FishMonger and linked to I-Soon. The WIN_DRV and WIN_PLUS variants add kernel-level stealth and retain TCP, UDP, and WebSocket command-and-control, plus 30+ espionage commands. ESET traced activity to 2023-2024 against government bodies in Honduras, Taiwan, Thailand, and Pakistan, and found signs the activity may extend into a UEFI bootkit chain.

SprySOCKS Windows backdoor activity against government organizations

Malware Activity

Updated: 16.06.2026 12:00 · First: 16.06.2026 12:00 · 📰 3 src / 3 articles · H score: 23

SprySOCKS now has documented Windows variants, WIN_DRV and WIN_PLUS, expanding a toolset first known as a Linux-only backdoor. The activity is tied to government organizations in Taiwan, Thailand, Pakistan, and Honduras and uses TCP, UDP, and WebSocket communications with more than 30 commands for system data collection, process and service management, and file operations. WIN_DRV adds kernel drivers for stealth, hiding processes, files, network connections, and registry keys while also supporting TCP traffic diversion. ESET links the activity to Earth Lusca / FishMonger and notes limited indications of a UEFI bootkit path involving CVE-2023-24932.

FBI courier-assisted crypto scam warning

Advisory/Mitigation

Updated: 16.06.2026 11:15 · First: 16.06.2026 11:15 · 📰 1 src / 1 articles · H score: 32

The FBI has renewed warnings about cryptocurrency investment scams that use couriers and cash pickups to bypass bank checks and keep victims sending money. The advisory says scammers tell targets that in-person cash is needed to continue investing or to pay fake withdrawal fines. It also warns that fraudsters may claim an account has been flagged and direct the victim to a courier as an alternative payment path.

ScarCruft NarwhalRAT spear-phishing malware activity

Malware Activity

Updated: 16.06.2026 11:14 · First: 16.06.2026 11:14 · 📰 1 src / 1 articles · H score: 23

ScarCruft (APT37) is using spear-phishing emails that impersonate Microsoft Account security alerts to deliver NarwhalRAT, creating a multi-stage malware threat that can steal data and maintain remote control on compromised hosts. The infection chain uses a ZIP archive with a malicious LNK file to start the payload dropper flow. NarwhalRAT supports keylogging, screenshot capture, ambient audio recording, and C2 execution, giving operators broad visibility into victim systems.

iRhythm patient data exfiltration from third-party business applications

Data Leak

Updated: 16.06.2026 09:31 · First: 16.06.2026 09:31 · 📰 2 src / 2 articles · H score: 34

iRhythm Holdings disclosed a data breach involving third-party-hosted business applications after a threat actor used social engineering to access data and demanded payment on June 9, 2026. The company said it detected unauthorized activity on June 8, confirmed that some data was stolen, and is still determining the full scope. The exposed material includes proprietary data and patients’ protected health information, while products, clinical or medical device systems, and financial reporting systems were not impacted.

iRhythm Holdings hit by cyberattack

Incident

Updated: 16.06.2026 09:31 · First: 16.06.2026 09:31 · 📰 2 src / 2 articles · H score: 31

iRhythm Holdings disclosed a data breach after attackers used social engineering against third-party-hosted business applications and stole patients' personal and health information. The company said it detected unauthorized activity on June 8, 2026, was contacted on June 9 with claims of stolen proprietary data and patient protected health information, and later confirmed that some data had been stolen. iRhythm said the incident did not affect its products, clinical or medical device systems, manufacturing and distribution operations, or financial reporting systems, and it is still determining the full scope of the breach.

CISA adds CVE-2026-20262 to KEV and orders federal fixes

Public Sector Action

Updated: 16.06.2026 09:05 · First: 16.06.2026 09:05 · 📰 1 src / 1 articles · H score: 32

CISA added CVE-2026-20262 to its Known Exploited Vulnerabilities (KEV) catalog and required Federal Civilian Executive Branch (FCEB) agencies to apply Cisco's fixes by June 29, 2026, forcing federal remediation of an actively exploited Cisco SD-WAN flaw. The action targets Cisco Catalyst SD-WAN Manager after evidence showed abuse in the wild. Cisco said the flaw could let an authenticated remote attacker create or overwrite files and potentially reach root. The deadline gives federal agencies a clear remediation window for a live exploitation risk.

DOJ seizure of CFAKE.com and SOCFAKE.com deepfake domains

Law Enforcement

Updated: 16.06.2026 00:56 · First: 16.06.2026 00:56 · 📰 1 src / 1 articles · H score: 26

The U.S. Department of Justice and Homeland Security Investigations seized CFAKE.com and SOCFAKE.com, disrupting a deepfake pornography operation and taking the domains offline under a federal warrant. The action is the first publicly announced domain seizure under the TAKE IT DOWN Act. The domains allegedly hosted nonconsensual AI-generated nude images and videos of women, including public figures.

SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)

Vulnerability

Updated: 15.06.2026 23:06 · First: 15.06.2026 23:06 · 📰 1 src / 1 articles · H score: 46

A critical CVE-2026-48558 in SimpleHelp remote management software lets unauthenticated attackers create privileged Technician accounts when OIDC is enabled, putting remote administration access at risk. The flaw affects 5.5.15 and older and 6.0 pre-release versions. SimpleHelp released 5.5.16 and 6.0RC2 on June 9 to fix the issue. No evidence of active exploitation was reported.

SimpleHelp security update for CVE-2026-48558

Security Patch Release

Updated: 15.06.2026 23:06 · First: 15.06.2026 23:06 · 📰 1 src / 1 articles · H score: 65

SimpleHelp released 5.5.16 and 6.0RC2 on June 9 to fix CVE-2026-48558, a critical OIDC authentication flaw that could let unauthenticated attackers create privileged Technician accounts. The update matters for deployments that rely on OIDC because the bug could bypass MFA and grant remote-management access. The patch narrows exposure for affected SimpleHelp 5.5.15 and older installations and 6.0 pre-release builds.

INFINITERED REDCap backdoor and credential harvester

Malware Activity

Updated: 15.06.2026 22:44 · First: 15.06.2026 22:44 · 📰 1 src / 1 articles · H score: 26

The INFINITERED malware was deployed on REDCap servers to preserve access, steal credentials, and operate as a backdoor inside compromised research environments. It trojanized REDCap system files, hijacked the upgrade process so reinfected code would survive updates, and harvested usernames and passwords from the login page. The malware also accepted commands through HTTP cookies and ran on every page load, extending persistence through November 2025.

Contagious Interview UNK_DeadDrop GitHub phishing campaign

Campaign

Updated: 15.06.2026 22:32 · First: 15.06.2026 22:32 · 📰 1 src / 1 articles · H score: 37

The Contagious Interview cluster is running the UNK_DeadDrop phishing campaign to lure developers with recruitment and code review themes, reaching nearly 100 organizations. The operation routes targets to actor-controlled GitHub repositories and VS Code projects that can trigger malicious code with little interaction. The campaign spans finance, cryptocurrency, education, technology, and other sectors, raising the risk of malware execution and credential theft.

North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale

Threat Actor Meta

Updated: 15.06.2026 22:32 · First: 15.06.2026 22:32 · 📰 1 src / 1 articles · H score: 31

North Korea-aligned developer-targeting operations are shifting from fake interviews to recruitment-themed phishing at scale, increasing the risk of industrialized credential and wallet theft across developer communities. The change indicates a more automated and scalable adversary operating model built around malicious GitHub repositories and code-review lures.

PushEngage, OptinMonster, and TrustPulse CDN script-tampering campaign

Campaign

Updated: 15.06.2026 12:59 · First: 15.06.2026 12:59 · 📰 3 src / 3 articles · H score: 89

A multi-plugin supply-chain campaign targeted Awesome Motive WordPress plugins OptinMonster, TrustPulse, and PushEngage, with malicious JavaScript delivered through the vendor’s CDN and triggered only when a WordPress administrator loaded an infected page. The code created rogue administrator accounts, installed a self-hiding backdoor plugin, and established follow-on access, putting up to 1.2 million websites at risk through the affected install base. Awesome Motive says attackers first reached a marketing server by exploiting a known UpdraftPlus flaw, stole the CDN API key, and then modified distributed JavaScript; the company has since rotated credentials and said its production systems were not breached.

PushEngage hit by cyberattack

Incident

Updated: 15.06.2026 12:59 · First: 15.06.2026 12:59 · 📰 3 src / 3 articles · H score: 93

Awesome Motive's WordPress plugin delivery paths for OptinMonster, TrustPulse, and PushEngage were hit in a CDN supply-chain incident after attackers stole a CDN API key from a server compromised through UpdraftPlus. The tampered JavaScript could activate when a WordPress administrator loaded an affected page, creating a rogue admin account, installing a hidden backdoor, and sending captured data to tidio[.]cc. OptinMonster is used on at least 1.2 million websites, and the incident exposed sites that loaded the poisoned files to site takeover risk.

Awesome Motive WordPress Plugin Supply-Chain Compromise

Case

Updated: 15.06.2026 20:37 · First: 15.06.2026 12:59 · 📰 0 src / 2 articles

PushEngage, OptinMonster, and TrustPulse were used to serve tampered JavaScript that only activated for logged-in WordPress administrators, then created attacker-controlled administrator access and installed hidden persistence. The exposure began on June 12, with PushEngage still serving malicious code on June 13 and into June 14 from some CDN servers. Any site that loaded the poisoned files needs compromise review even if the visible script has been replaced. Response has centered on file replacement, CDN cache clearing, credential rotation, and server-side hunting, while the initial access path into the delivery environment remains unresolved.

Cisco security patch release for CVE-2026-20262

Security Patch Release

Updated: 15.06.2026 20:12 · First: 15.06.2026 20:12 · 📰 2 src / 2 articles · H score: 47

Cisco released security updates for CVE-2026-20262 in Catalyst SD-WAN Manager, covering multiple release trains after the zero-day was exploited to reach root privileges. The fixed-build map spans 20.9, 20.12, 20.15, 20.18, and 26.1 trains, and the issue affects on-prem and cloud-managed deployments. Administrators were told to upgrade and review logs for index.jsp and .war upload attempts.