A malicious installer masquerading as the "Claude-Pro Relay" for the popular Claude AI platform delivers a previously undocumented Windows backdoor named Beagle via a multi-stage malware chain leveraging DonutLoader and PlugX techniques. The campaign targets users searching for AI development tools by impersonating the official Claude website at a lookalike domain (claude-pro[.]com), where a 505MB ZIP archive named 'Claude-Pro-windows-x64.zip' pretends to be a legitimate MSI installer. Execution results in persistence via three files added to the Windows Startup folder and final in-memory deployment of the Beagle backdoor, which communicates with a command-and-control server over ports 443 (TCP) and 8080 (UDP) using AES encryption.

Three malicious Python packages uploaded to PyPI between July 16–22, 2025 delivered a previously undocumented malware family, ZiChatBot, on Windows and Linux systems using Zulip REST APIs as a covert command-and-control channel. The attack bypassed traditional C2 infrastructure by abusing public chat platform APIs and exhibited code similarities to a dropper previously attributed to the OceanLotus (APT32) group, suggesting expansion of the actor’s supply chain tactics.

Low-skilled threat actors are increasingly abusing Vercel’s v0.dev generative AI platform to create sophisticated, brand-impersonating phishing pages, enabling high-fidelity social engineering attacks with minimal technical effort. Attackers exploit Vercel’s free-tier testing, low-cost pro tiers, integrated hosting, and cloud-based infrastructure to rapidly deploy and redeploy malicious sites that closely mimic legitimate brand landing pages, including Microsoft, Spotify, Adidas, Ferrari, Louis Vuitton, and Nike. The platform’s integration with third-party services such as Telegram, AWS, Stripe, and xAI further enhances operational flexibility and credential harvesting capabilities.

A critical-severity vulnerability (CVE-2026-22709) in the vm2 Node.js sandbox library allows escaping the sandbox and executing arbitrary code on the host system. The flaw arises from improper sanitization of Promises and has affected multiple versions, including the recently disclosed CVE-2026-26956, which exploits WebAssembly exception handling in Node.js 25 environments to bypass vm2's security defenses. The discovery of a dozen additional critical vulnerabilities in vm2—including CVE-2026-24118, CVE-2026-24120, CVE-2026-24781, CVE-2026-26332, CVE-2026-43997, CVE-2026-43999, CVE-2026-44005, CVE-2026-44006, CVE-2026-44007, CVE-2026-44008, and CVE-2026-44009—further demonstrates the persistent difficulty in securely isolating untrusted JavaScript code. All vulnerabilities enable sandbox escape with arbitrary code execution and carry CVSS scores between 9.1 and 10.0. Users are advised to upgrade to vm2 version 3.11.2 (or later) to mitigate risks, as the maintainer acknowledges future bypasses are likely and recommends considering alternatives like isolated-vm for stronger isolation.

A phishing campaign is abusing Google sponsored search results to deliver adversary-in-the-middle (AiTM) phishing pages targeting credentials for ManageWP, GoDaddy’s remote WordPress administration platform. Threat actors proxy victim interactions in real time between the fake login page and the legitimate ManageWP service, capturing credentials and 2FA codes via a Telegram-controlled channel. The campaign is designed as an interactive, operator-driven framework rather than a commoditized phishing kit. Targeted users include developers and agencies managing WordPress fleets, with compromised accounts potentially granting access to hundreds of sites per victim. The campaign has impacted at least 200 unique victims to date, according to Guardio Labs.

A Mirai variant named Nexcorium is being actively deployed via CVE-2024-3721, a command injection vulnerability affecting TBK DVR-4104 and DVR-4216 devices, to establish a DDoS botnet. The malware exploits the flaw to drop a downloader that executes architecture-specific payloads, displays a message indicating takeover by "nexuscorp," and leverages hard-coded credentials for lateral movement via Telnet. Persistence is achieved through crontab and systemd services, with command-and-control (C2) communication awaiting DDoS attack instructions. The malware also includes an exploit for CVE-2017-17215 to target Huawei HG532 devices and deletes original binaries to hinder forensic analysis. Analysis by FortiGuard Labs confirms the multi-architecture infection process and identifies evidence in attack traffic pointing to a previously untracked threat actor group referred to as "Nexus Team," indicating potential attribution beyond earlier assumptions. Additionally, a separate Mirai-derived botnet, xlabs_v1, has been observed exploiting exposed Android Debug Bridge (ADB) services on TCP port 5555 to compromise Android TV boxes, set-top boxes, smart TVs, and other IoT devices for DDoS-for-hire operations. The botnet implements a bandwidth-tiered pricing model and includes a "killer" subsystem to terminate competing malware, targeting consumer IoT and game servers.

Cisco disclosed and patched a high-severity denial-of-service (DoS) vulnerability, CVE-2026-20188, in Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO) that can only be recovered from via manual system reboot. Unauthenticated remote attackers can exploit the flaw due to insufficient rate limiting on incoming connections, causing resource exhaustion and unresponsiveness in unpatched CNC/NSO deployments. Impact includes disruption of network management and orchestration services for large enterprises and service providers relying on these platforms. No active exploitation has been observed at the time of disclosure, but manual intervention remains necessary to restore functionality.

DAEMON Tools installers distributed from the official website and digitally signed with legitimate developer certificates were trojanized to deliver a multi-stage malware payload since April 8, 2026, compromising three binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—to activate an implant on launch. The attack was officially confirmed by Disc Soft Limited on May 6, 2026, which acknowledged unauthorized interference within its infrastructure and released a malware-free version (DAEMON Tools Lite 12.6) on May 5, 2026. The compromised versions (12.5.0.2421 to 12.5.0.2434) contacted the C2 domain env-check.daemontools[.]cc to receive commands executed via cmd.exe, leading to the deployment of payloads including envchk.exe, cdg.exe, and a minimal backdoor capable of file exfiltration, command execution, and in-memory shellcode execution. The campaign, attributed to a Chinese-speaking adversary, showed targeted delivery with only a small subset of infected hosts receiving follow-on malware. The implant executed shell commands via cmd.exe to download and run further payloads, including a .NET reconnaissance tool (envchk.exe), a shellcode loader (cdg.exe), and a minimal backdoor with capabilities such as file exfiltration, command execution, and in-memory shellcode execution. Kaspersky telemetry observed several thousand infection attempts across over 100 countries, but second-stage backdoor delivery was highly targeted, with only a dozen hosts receiving follow-on malware. Infected systems receiving the backdoor belonged to organizations in retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand, with one educational institution in Russia receiving the QUIC RAT payload. The backdoor supports multiple C2 protocols and process injection techniques, and evidence suggests the activity is attributed to a Chinese-speaking adversary.

Since at least January 2026, threat actors have abused the CloudZ RAT and custom Pheno plugin to hijack Microsoft Phone Link on Windows hosts, enabling credential and OTP theft by intercepting synchronized mobile data without mobile device compromise. The attack chain begins with a fake ScreenConnect executable delivering a Rust-compiled loader that deploys CloudZ via regasm.exe, establishing persistence via a scheduled task under the SYSTEM account. CloudZ includes 20+ commands for data theft and system control, while the Pheno plugin scans for active Phone Link sessions to harvest synchronized content from SQLite databases like PhoneExperiences-*.db. Cisco Talos has published IOCs and ClamAV signatures to aid detection. The intrusion leverages Phone Link’s desktop synchronization of SMS, call logs, and notifications over Wi-Fi/Bluetooth, exposing a critical gap in MFA defenses that focus solely on mobile endpoints. The malware employs anti-analysis techniques and retrieves secondary configuration from staging servers and Pastebin, rotating user-agent strings to blend with legitimate traffic. No attribution to a known threat actor has been made.

Modern ransomware threat actors integrate backup system targeting into their attack chains, compromising recovery infrastructure before payload deployment. Attackers follow a deliberate sequence—initial access, credential theft, lateral movement, backup discovery, backup destruction—then deploy ransomware when recovery options are eliminated. This operational shift makes traditional backup-focused defenses insufficient, as backup systems often operate without isolation, immutability, or access controls, becoming single points of failure during incidents. Ransomware attacks increased 50% year-over-year according to Acronis Cyberthreats Report H2 2025, highlighting the urgency for organizations to redesign backup and recovery architectures with resilience against active compromise.

CISA’s CI Fortify initiative has expanded with detailed guidance for critical infrastructure (CI) operators to prepare for worst-case scenarios where third-party networks and upstream providers cannot be trusted and threat actors already have access to operational technology (OT) environments. The initiative now includes specific recommendations to identify critical customers, set service delivery targets, update business continuity plans for prolonged isolation, and collaborate with vendors to map dependencies. While welcomed by industry, experts caution that isolation alone is insufficient without layered control measures, and CISA emphasizes that adopting these capabilities enhances resilience against all disruptions, from cyber-attacks to physical events. The CI Fortify initiative was launched to bolster operational resilience across U.S. CI sectors, including water, energy, transportation, and communications. The framework prioritizes actionable steps such as developing isolation and recovery capabilities, testing manual and localized operations, and fostering collaboration with CISA to mitigate cyber threats. Acting Director Nick Andersen reinforced the urgency of implementation, framing CI Fortify as timely guidance to protect networks and critical services from threat actors aiming to degrade or disrupt infrastructure.

The MuddyWater threat actor, linked to Iran’s Ministry of Intelligence and Security (MOIS) and also known as Static Kitten, Mango Sandstorm, and Seedworm, has continued to refine its global espionage campaigns by masquerading as ransomware operations to obscure state-sponsored activity. In early 2026, the group conducted an intrusion disguised as a Chaos ransomware attack, leveraging Microsoft Teams for social engineering to establish screen-sharing sessions, steal credentials, and deploy remote management tools like AnyDesk and DWAgent. The operation included extortion emails directing victims to a ransomware leak site, but no file-encrypting malware was deployed, confirming the use of ransomware-as-a-decoy tactics. The attackers deployed a custom RAT named Darkcomp (Game.exe), signed with a previously linked certificate, and dropped via a loader named *ms_upd.exe*. The backdoor features anti-analysis checks and supports 12 commands, including PowerShell execution and persistent shell access. Rapid7 researchers attribute the campaign to MuddyWater with moderate confidence, citing infrastructure overlap, code-signing certificates, and operational tradecraft. This follows a late 2025 incident where MuddyWater used Qilin ransomware for similar deception, suggesting an evolving pattern of false-flag operations to evade detection. Additionally, MuddyWater has been linked to a campaign targeting Omani government institutions, exfiltrating over 26,000 Ministry of Justice records, and pro-Iran-aligned hacktivist groups like Handala Hack have escalated activities, including leaking sensitive documents from the Port of Fujairah in the UAE. Earlier campaigns targeted over 100 organizations globally, including government entities, diplomatic missions, and telecommunications firms in the MENA region, using phishing emails with malicious Word documents to drop backdoors like Phoenix v4, MuddyViper, UDPGangster, and RustyWater. The group has also targeted Israeli sectors across academia, engineering, and local government, as well as US companies with backdoors such as Dindoor and Fakeset. The shift from PowerShell-based tools to Rust-based implants and now ransomware decoys underscores MuddyWater’s adaptability and focus on evading attribution while pursuing espionage objectives.

BleepingComputer will host a live webinar on June 2, 2026, at 12:00 PM ET titled \"From alert to containment: Fixing the gaps in network incident response\" featuring Edgar Ortiz from Tines. The session addresses why many network incidents escalate not due to missing alerts but because of breakdowns in incident response workflows, particularly during triage, alert enrichment, prioritization, and cross-system coordination. Organizations often rely on manual processes that delay containment and increase the risk of service disruptions when time-sensitive decisions are required.

The Hacker News has launched the global Cybersecurity Stars Awards 2026 to recognize undervalued excellence in cybersecurity across products, solutions, organizations, and professionals. Submissions are now open via an official portal for organizations, vendors, and individuals to apply for recognition in four categories: Cybersecurity Product/Service, Cybersecurity Industry Solution, Cybersecurity Company, and Cybersecurity Professional/Team. The initiative aims to provide credible visibility among CISOs, practitioners, and enterprise buyers, leveraging The Hacker News' established reputation for independent cybersecurity reporting. The submission deadline is May 15, 2026, with winners announced on May 26, 2026.

A critical unauthenticated remote code execution (RCE) vulnerability in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300) remains under active exploitation with new details on exposure and mitigation. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets to internet-exposed User-ID Authentication Portals. Palo Alto Networks confirms "limited exploitation" targeting systems with the portal exposed to untrusted networks, while Shadowserver reports over 5,800 online VM-Series instances exposed, primarily in Asia and North America. The company has not yet released official patches, scheduled to begin May 13, 2026, and urges customers to restrict access to trusted zones or disable the portal as a temporary mitigation.

Google has implemented **expanded Binary Transparency for Android** to mitigate supply chain attacks by creating a public, cryptographic ledger that verifies the authenticity and integrity of official Google apps and OS modules. The system ensures that only intentionally released production software—distributed via legitimate channels—can be verified against a transparent log, addressing weaknesses in digital signature validation alone. Starting May 1, 2026, all new production Android applications (including Google Play Services, standalone apps, and Mainline OS modules) are required to have a verifiable entry in the ledger. This initiative directly counters binary supply chain threats, such as malicious code injection via compromised update channels or developer accounts, which retain valid digital signatures while altering intent.

A survey of 2,000 UK employees in organizations with 1,000+ staff found 13% admitted selling corporate credentials in the past 12 months or knew someone who had, with justification perceptions rising sharply among senior roles: 32% of senior managers, 36% of directors, 43% of C-suite executives, and 81% of business owners viewed the practice as justifiable. Credential sales expose organizations to fraud, financial crime, and broader insider threats, compounded by the circulation of 2.9 billion compromised credentials globally in 2025, including 460,000 linked to FTSE100 employees and 28,000 captured in stealer logs.

Following the onset of military operations in the Middle East in early 2026, the United Arab Emirates (UAE) experienced a dramatic surge in cyberattack attempts, rising from a pre-conflict daily average of 90,000–200,000 breach attempts to 600,000–800,000 per day. The escalation reflects a shift from low-impact hacktivist campaigns to more sophisticated intrusion claims, with Gulf nations witnessing a 15x increase in cyber-relevant activity in the UAE, 25x in Saudi Arabia, and over 4x in Qatar. Cyber operations have become a key component of the broader conflict, with compromised IP cameras used for intelligence gathering and attacks targeting critical infrastructure and industrial systems. Defenders in the region have improved detection and blocking capabilities, raising the volume of detected attacks while reducing their operational impact. However, threat actors—including Iran-aligned groups, hacktivists, and opportunistic cybercriminals—are increasingly leveraging AI to scale operations, primarily through automated phishing and probing. The most critical threat remains the use of wiper malware, which has historically caused significant operational disruption in the region.

A previously undocumented Linux implant named Quasar Linux (QLNX) has been identified targeting software developers' systems in development and DevOps environments across npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX combines rootkit, backdoor, and credential-stealing capabilities to establish stealthy, fileless persistence and enable potential supply-chain attacks. The malware dynamically compiles rootkit shared objects and PAM backdoors on the target host using gcc, employs seven persistence mechanisms, and uses dual-layer stealth techniques including userland LD_PRELOAD rootkits and kernel-level eBPF components to evade detection. QLNX features a 58-command RAT core, credential harvesting, surveillance, networking and lateral movement, process injection, and filesystem monitoring modules. Targeting developer workstations allows bypass of enterprise security controls and access to credentials underpinning software delivery pipelines, mirroring tactics observed in recent supply-chain incidents.

Instructure confirmed a cybersecurity incident conducted by a criminal threat actor and is investigating the impact with external forensic experts. The ShinyHunters extortion gang has claimed responsibility and alleges theft of 280 million records tied to students and staff from 8,809 educational institutions, publishing detailed impact lists per institution. Multiple universities have acknowledged awareness of the breach and initiated internal reviews.

Security leadership decisions before and after penetration testing critically determine the operational value of assessments rather than the testing itself. Misalignment on scope, objectives, and post-test remediation planning routinely reduces penetration tests to compliance exercises, failing to improve organizational defenses. Leadership failures in prioritization, resource allocation, and follow-up accountability undermine threat detection, response capabilities, and long-term security posture improvements. Effective security leaders ensure realistic, threat-intelligence-driven tests that simulate full attacker behavior, provide actionable remediation guidance, and translate findings into measurable risk reduction. Without these elements, even technically sound assessments yield minimal defensive improvements.

A 23-year-old university student in Taiwan allegedly disabled emergency braking controls on four high-speed trains for 48 minutes on April 5, 2026 by spoofing TETRA radio signals. The attack leveraged software-defined radio (SDR) interception of 19-year-old TETRA parameters, handheld radio cloning, and impersonation of legitimate beacons to transmit a high-priority "General Alarm" signal, activating emergency brakes. The incident disrupted a critical 350 km coastal corridor serving 81.8 million annual passengers and prompted investigation into long-unrotated TETRA configurations and verification layers.

A large-scale phishing campaign targeted over 35,000 users across 13,000 organizations between April 15–16, 2026, using forged internal compliance emails to harvest Microsoft credentials via adversary-in-the-middle (AiTM) techniques. The attack leveraged polished, enterprise-style HTML templates that mimicked legitimate internal communications, including preemptive authenticity claims and organization-specific references to increase credibility. Targets in 26 countries were affected, with a primary focus on US firms. The campaign employed urgent, time-bound prompts and fake PDF attachments with links to phishing pages protected by Cloudflare CAPTCHAs to evade detection and sandboxing.

The **ScarCruft (APT37) Ruby Jumper campaign** and its broader espionage operations continue to evolve, with the group now deploying an **Android variant of the BirdCall backdoor** via a **supply-chain attack on sqgame[.]net**, a Chinese gaming platform targeting Koreans in the **Yanbian region**—a transit hub for North Korean defectors. This marks ScarCruft’s first documented use of **mobile malware in a supply-chain context**, expanding its targeting beyond Windows systems to include **Android devices used by high-risk populations**. The Android BirdCall variant (internally named **'zhuagou'**) collects **geolocation data, contact lists, SMS/call logs, device metadata, and files of interest** (e.g., documents, audio recordings, certificates), while also **recording ambient audio during evening hours** (7 pm–10 pm local time) and using **anti-suspension techniques** (e.g., silent MP3 loops) to evade detection. The malware leverages **Zoho WorkDrive for C2**, with **12 separate accounts identified** in this campaign, aligning with the group’s broader abuse of legitimate cloud services. Earlier campaigns, such as **Ruby Jumper (December 2025–February 2026)**, demonstrated ScarCruft’s focus on **air-gapped network breaches** via **USB-based implants (THUMBSBD, VIRUSTASK)** and **cloud-abused C2 (Zoho WorkDrive)**, alongside **multi-stage infection chains** combining LNK files, PowerShell scripts, and Ruby runtime manipulation. The **supply-chain compromise of sqgame[.]net**—first observed in **late 2024**—involved **poisoned APKs** (`ybht.apk`, `sqybhs.apk`) and a **trojanized Windows DLL** (delivered via an update package) that deployed RokRAT as a precursor to BirdCall. This campaign underscores ScarCruft’s **adaptive tradecraft**, blending **supply-chain compromise with mobile surveillance** to exploit geopolitically sensitive targets. The **iOS game on the platform remained uncompromised**, likely due to Apple’s stringent review process.

A large-scale adversary-in-the-middle (AiTM) phishing campaign has targeted organizations in the United States and globally between April 14 and 16, 2026, using compliance-themed lures such as 'code of conduct review' to trick recipients into accessing malicious links. The campaign delivered over 35,000 phishing attempts across approximately 13,000 organizations in 26 countries, with 92% of targets located in the U.S. Sectors heavily impacted include healthcare and life sciences, financial services, professional services, technology, and software. The attack chain uses legitimate email delivery infrastructure, including cloud-hosted Windows virtual machines, and attacker-controlled domains to distribute PDF attachments that redirect victims through Cloudflare CAPTCHA pages to bypass automated analysis. Victims are ultimately prompted to enter credentials, enabling real-time interception of authentication tokens via AiTM phishing despite MFA protections.

The U.S. Federal Trade Commission (FTC) has moved to prohibit Idaho-based data broker Kochava and its subsidiary Collective Data Solutions (CDS) from selling or licensing precise geolocation data without consumers’ affirmative express consent, following a near-four-year legal dispute initiated in August 2022. Under the proposed order filed in the U.S. District Court for the District of Idaho, Kochava must implement safeguards including a sensitive location data program, supplier consent verification, consumer access and consent withdrawal mechanisms, third-party misuse reporting, and a data retention and deletion schedule. The order, if approved, will have the force of law and introduces significant operational restrictions on the company’s data brokerage activities.

Security teams remain unaware that end-of-life (EOL) open source software versions are systematically excluded from CVE investigations and scanner alerts due to investigative and scale limitations within the vulnerability disclosure ecosystem. The CVE ecosystem’s focus on supported versions creates a blind spot where EOL versions—often still present in enterprise environments—receive no official scrutiny, even when affected by disclosed vulnerabilities. Maintenance capacity constraints, driven by a doubling of global CVE volume in five years and a 37x surge in unscored CVEs, force maintainers to prioritize supported releases, leaving older versions uninvestigated. Approximately 80% of new CVEs affecting supported versions are later found to also impact EOL versions, yet these are not reflected in advisories. Public EOL data sources like endoflife.date track only ~7,000 EOL versions across 350 projects, while Sonatype and HeroDevs analysis reveals over 5.4 million EOL versions across major package registries, with 5–15% of enterprise dependency graphs containing EOL components. This exposure gap is exacerbated by AI-driven vulnerability research, which accelerates discovery of flaws in unsupported codebases but does not close the investigative gap for EOL software, further widening the risk for abandoned codebases.

A supply chain attack targeted the Drift chatbot, a marketing software-as-a-service product owned by Salesloft, resulting in the mass theft of OAuth tokens from multiple companies. Salesloft took Drift offline on September 5, 2025, to review and enhance security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data, with evidence now confirming over 700 organizations were impacted. The attack demonstrated that OAuth grants can be weaponized even when the app and token were initially legitimate, underscoring the risks of third-party integrations and the need for robust, continuous monitoring of OAuth behavior. The incident revealed that the attacker bypassed MFA entirely by presenting a legitimate OAuth token already granted to Drift, accessing Salesforce data without logging in. This approach allowed UNC6395 to systematically export data and search for credentials such as AWS access keys, Snowflake tokens, and passwords across affected organizations. The full scope of the breach is still being assessed, but the attack structure serves as a warning: trusting an app at installation does not guarantee its ongoing trustworthiness, and OAuth grants require active, continuous monitoring rather than passive acceptance. Security teams are now urged to adopt tools that provide visibility into OAuth-connected applications, monitor their behavior over time, and enable rapid response to mitigate risks.

In 2006, a penetration test targeting a credit union achieved a 75% success rate by deploying unmarked USB drives in employee parking lots, leading to covert network compromise via embedded malware. The engagement, later chronicled in a viral Dark Reading column, demonstrated the effectiveness of human curiosity and social engineering over technical sophistication, catalyzing widespread adoption of USB-based red teaming and user awareness programs. The test underscored systemic failures in endpoint security and user behavior, prompting organizations to implement policies restricting removable media usage and enhance security awareness training.

Threat actors are exploiting two critical unauthenticated remote code execution (RCE) vulnerabilities in widely deployed enterprise software: MetInfo CMS (CVE-2026-29014, CVSS 9.8) and Weaver E-cology (CVE-2026-22679, CVSS 9.3). MetInfo exploitation has surged since May 1, 2026, focusing on approximately 2,000 internet-facing instances primarily in China, with initial activity detected on April 25 against honeypots in the U.S. and Singapore. The flaw stems from insufficient input sanitization in the Weixin API request path, enabling unauthenticated PHP code injection and full server compromise via crafted requests. Patches were released on April 7, 2026. Weaver E-cology exploitation continues via debug functionality abused for stateless command execution, observed within a week of patches released March 12, 2026.