Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Hide ▲
Last updated: 18:37 16/07/2026 UTC
Last updated: 15:04 16/07/2026 UTC

Latest updates

Browse →

SHADOW#REACTOR fake .ttf phishing campaign targeting Windows systems

Campaign

Updated: 16.07.2026 18:00 · First: 16.07.2026 18:00 · 📰 1 src / 1 articles · H score: 31

A large-scale phishing campaign is delivering RATs and infostealers to Windows systems by disguising a malicious script as a .ttf font file. The operation has been active since late March 2026 and uses fileless delivery to reduce detection. It combines business-cooperation lures, scheduled-task persistence, and in-memory execution to push payloads including Agent Tesla, Remcos, XWorm, and Best Private LOGGER.

Lua loader payload wave delivering Remcos, Agent Tesla, XWorm, and Best Private LOGGER

Malware Activity

Updated: 16.07.2026 18:00 · First: 16.07.2026 18:00 · 📰 1 src / 1 articles · H score: 27

A Lua-based loader in a large-scale phishing operation is delivering rotating malware payloads to Windows systems, creating a fileless path for credential theft and persistent access. Each infected host receives one of four families: Remcos, Agent Tesla, XWorm, or Best Private LOGGER. The chain uses a fake .tff lure, scheduled-task persistence, and in-memory execution to reduce detection.

23AndMe hit by network compromise

Incident

Updated: 16.07.2026 16:47 · First: 16.07.2026 16:47 · 📰 1 src / 1 articles · H score: 73

23andMe disclosed a credential-stuffing breach that exposed data on 6.9 million customers, including genetic ancestry information. The unauthorized access ran from April 2023 to September 2023 before being disclosed in October 2023. The compromise turned account reuse into a large-scale privacy and identity risk, with stolen data later appearing for sale on the dark web.

23AndMe multistate genetic-data settlement and ICO fine

Regulatory/Legal Action

Updated: 16.07.2026 16:47 · First: 16.07.2026 16:47 · 📰 1 src / 1 articles · H score: 55

23andMe agreed to pay $18 million to settle multistate claims over its failure to protect customers' genetic data, extending the legal fallout from the 2023 breach. Regulators said the company lacked basic safeguards such as multifactor authentication, password blocklisting, rate limiting, intrusion prevention, and breach-detection monitoring. The settlement also adds new security requirements, including a data security advisory board and risk analysis protocols. A separate UK ICO fine of £2.31 million adds further regulatory pressure over the same security failures.

N8n security patch release for CVE-2026-59208

Security Patch Release

Updated: 16.07.2026 16:33 · First: 16.07.2026 16:33 · 📰 1 src / 1 articles · H score: 24

n8n shipped fixes for CVE-2026-59208 on June 24, closing an Enterprise token-exchange flaw that could log a user into the wrong account when multiple external issuers were trusted. The bug affected releases below 2.27.4 and 2.28.0, and n8n later identified 2.27.4 and 2.28.1 as the fixed builds. The issue was limited to Enterprise-only token exchange deployments configured with more than one trusted issuer.

N8n Enterprise token exchange JWT issuer-binding flaw (CVE-2026-59208)

Vulnerability

Updated: 16.07.2026 16:33 · First: 16.07.2026 16:33 · 📰 1 src / 1 articles · H score: 33

n8n patched CVE-2026-59208, a JWT issuer-binding flaw in Enterprise token exchange that could log a user into the wrong account on multi-issuer deployments. The bug matched on sub alone and ignored iss, so a valid token from one trusted issuer could map to another user's local account. n8n shipped the fix on June 24, and the CVE became public on July 9.

ClickLock ClickFix macOS targeting campaign

Campaign

Updated: 16.07.2026 15:33 · First: 16.07.2026 15:33 · 📰 2 src / 2 articles · H score: 33

Group-IB reported a ClickLock Stealer macOS campaign using ClickFix paste-a-command lures and coercive app-killing loops to force victims to enter passwords. The operation has reached at least 100 victims across 33 countries since May 2026, with more than half in Europe. The malware hid the cursor, showed a fake Cloudflare progress animation, pulled modules from two compromised WordPress sites, stole Keychain and wallet data, and exfiltrated through Telegram. Group-IB also found the orchestrator script had zero detections on VirusTotal when uploaded on June 9.

ClickFix-based TELEPUZ distribution campaign

Campaign

Updated: 16.07.2026 15:50 · First: 16.07.2026 15:50 · 📰 1 src / 1 articles · H score: 35

The ClickFix-based TELEPUZ distribution campaign is pushing TELEPUZ through websites infected with lures, increasing the chance that victims run malicious commands and install malware. The infection chain uses PowerShell and rundll32.exe to load telepuz.dll, then enables data theft, cookie extraction, web injection, and remote command execution. The operation has been active since late April 2026 and uses clipboard hijacking/pastejacking to disguise the malicious prompt. Compromised infrastructure and fallback delivery paths make the distribution harder to block.

TELEPUZ modular malware spread via ClickFix lures

Malware Activity

Updated: 16.07.2026 15:50 · First: 16.07.2026 15:50 · 📰 1 src / 1 articles · H score: 29

The TELEPUZ malware family is actively spreading through ClickFix lures, raising the risk of credential theft and remote command execution on infected systems. The infection chain uses PowerShell to fetch a second-stage payload and launches telepuz.dll with rundll32.exe. Once running, TELEPUZ can log keystrokes, capture screenshots, extract Chromium cookies, and download additional modules. Its anti-VM checks, AMSI/ETW disabling, and service-installation steps make detection and containment harder.

ClickLock Stealer macOS forced-interaction infostealer activity

Malware Activity

Updated: 16.07.2026 15:33 · First: 16.07.2026 15:33 · 📰 2 src / 2 articles · H score: 27

ClickLock Stealer is a macOS infostealer that uses a ClickFix-style paste into Terminal and a fake system dialog to coerce password entry. Group-IB said the malware hit at least 100 victims across 33 countries in about two months, with more than half in Europe. It can drop LaunchAgents if the prompt is canceled, then run a coercion loop that keeps killing apps and can lock the desktop for up to 83 hours while stealing the login password, Keychain material, browser data, and crypto wallets. Exfiltration runs through Telegram rather than dedicated C2, and the initial sample was uploaded to VirusTotal on June 9 with zero detections.

PhantomEnigma trusted-delivery phishing campaign abusing Brazilian government websites

Campaign

Updated: 16.07.2026 14:58 · First: 16.07.2026 14:58 · 📰 1 src / 1 articles · H score: 25

The PhantomEnigma campaign abused more than 20 Brazilian government websites and compromised email infrastructure to route malware through trusted .gov.br links, increasing the chance that banks and public agencies would engage with the lure. The operation used fake police-themed documents and authenticated messages that passed SPF, DKIM, and DMARC checks to look legitimate. It then funneled victims through a multi-stage delivery chain that ended in a modular Inno/Node.js backdoor capable of persistence and follow-on payload delivery. The trusted infrastructure and rotating delivery paths made the operation harder to spot and expanded its reach.

Brazilian government websites hit by network compromise

Incident

Updated: 16.07.2026 14:58 · First: 16.07.2026 14:58 · 📰 1 src / 1 articles · H score: 28

More than 20 Brazilian government websites were hijacked and turned into malware delivery channels, exposing public-sector infrastructure to downstream abuse. The compromise affected trusted .gov.br hosts and helped a PhantomEnigma phishing chain look legitimate. The event matters because a public-sector web estate was repurposed to support malicious delivery against banks and agencies.

Sentencing of Owen Flowers and Thalha Jubair in TfL cyber-attack case

Law Enforcement

Updated: 16.07.2026 14:51 · First: 16.07.2026 14:51 · 📰 3 src / 3 articles · H score: 36

Owen Flowers and Thalha Jubair were sentenced for the TfL cyber-attack, putting the pair at the center of one of the UK's most significant Computer Misuse Act cases. The court said their conduct reflected “selfish bravado” as well as financial motive, and the prison terms were imposed at Woolwich Crown Court on 2026-07-16. The sentence followed guilty pleas entered on 2026-06-22.

Agent data injection proof-of-concept attacks expose trusted-data flaws in AI agents

Technical Analysis

Updated: 16.07.2026 14:32 · First: 16.07.2026 14:32 · 📰 1 src / 1 articles · H score: 25

Researchers disclosed agent data injection (ADI), a new attack class that can make shipping AI agents misclick, run attacker commands, and trust fake history across web and coding tools. The technique abuses trusted data fields such as sender names, button IDs, and prior tool results instead of smuggling direct instructions, which weakens defenses built for classic prompt injection. In tests against Claude in Chrome, Google's Antigravity, Nanobrowser, Claude Code, OpenAI's Codex, and Google's Gemini CLI, planted reviews, forged comments, and fake tool records changed agent behavior. The findings raise immediate risk for agents that ingest attacker-editable web content or GitHub text, especially where approval prompts hide the specific action being taken.

Daxin and Stupig active on a Taiwan manufacturing host in 2026

Malware Activity

Updated: 16.07.2026 14:17 · First: 16.07.2026 14:17 · 📰 1 src / 1 articles · H score: 27

The Daxin rootkit resurfaced on a compromised host in Taiwan in 2026, showing that the malware still maintains stealthy access inside a manufacturing network. The same machine also carried the Stupig backdoor, which can run commands as SYSTEM before sign-in. The pairing increases the risk of long-lived covert control and credential theft on the affected endpoint.

Suspected China-linked AI-assisted intrusion campaign targeting government and financial systems

Campaign

Updated: 16.07.2026 14:17 · First: 16.07.2026 14:17 · 📰 1 src / 1 articles · H score: 35

A suspected China-linked intrusion campaign is using Anthropic Claude Code and DeepSeek to automate intrusions and credential harvesting across government and financial systems in Afghanistan, Thailand, Taiwan, and the U.S., widening the operation's reach.

CISA BOD 26-04 Oracle EBS patch order

Public Sector Action

Updated: 16.07.2026 13:56 · First: 16.07.2026 13:56 · 📰 1 src / 1 articles · H score: 38

CISA ordered U.S. government agencies to patch vulnerable Oracle E-Business Suite instances by Saturday, July 18, tightening federal exposure to an actively exploited flaw. The directive covers CVE-2026-46817, a critical bug in the Oracle Payments File Transmission component that can let an unauthenticated attacker over HTTP take over affected systems. The order was issued under Binding Operational Directive (BOD) 26-04 after CISA added the flaw to its list of known exploited security issues.

Splunk and Zoom multiple-vulnerability patch release

Security Patch Release

Updated: 16.07.2026 13:54 · First: 16.07.2026 13:54 · 📰 1 src / 1 articles · H score: 49

Splunk and Zoom released security patches for multiple vulnerabilities across Splunk Enterprise and Zoom Workplace / Workplace VDI Client for Windows, addressing critical and high-severity defects. The updates cover Splunk flaws that could expose credentials and data, plus a CVSS 9.8 Zoom bug that could enable remote account takeover. Neither vendor said the bugs were exploited in the wild.

UAT-11795 trojanized installer campaign targeting users across multiple countries

Campaign

Updated: 16.07.2026 13:19 · First: 16.07.2026 13:19 · 📰 1 src / 1 articles · H score: 35

The UAT-11795 campaign is using trojanized installers to spread Starland RAT and steal credentials and cryptocurrency from users in multiple countries. Activity has continued since at least June 2025, with observed victims in the U.S., Germany, Romania, and Venezuela. The delivery chain abuses legitimate software lures such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT, and may be pushed through the ClickFix method. The operation also delivers CastleStealer and Remcos RAT, widening the theft and remote-access risk for exposed users.

UAT-11795 Starland RAT trojanized installer malware activity

Malware Activity

Updated: 16.07.2026 13:19 · First: 16.07.2026 13:19 · 📰 1 src / 1 articles · H score: 31

The UAT-11795 malware activity is using trojanized installers to deploy Starland RAT, putting credentials and cryptocurrency wallets at risk across multiple countries. The operation has been observed since at least June 2025 and has focused on users in the U.S., with additional victims in Germany, Romania, and Venezuela. Delivery uses lures such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT. Once installed, the backdoor can persist, collect system and browser data, capture screenshots, and load additional payloads.

IT services firm in South Asia hit by ransomware attack

Incident

Updated: 16.07.2026 13:00 · First: 16.07.2026 13:00 · 📰 1 src / 1 articles · H score: 31

The IT services firm in South Asia suffered a Spirals ransomware intrusion that moved from initial access to data theft and encryption in less than 24 hours, putting operations and extortion exposure at immediate risk. The attacker reached the network through an exposed IIS server and used a web shell to expand access. The intrusion combined credential theft, lateral movement, and ransomware deployment into a fast-moving compromise.

IT services firm in South Asia data exposed after Spirals breach

Data Leak

Updated: 16.07.2026 13:00 · First: 16.07.2026 13:00 · 📰 1 src / 1 articles · H score: 31

Spirals stole data from an IT services firm in South Asia, creating extortion leverage and a threat of public exposure. The intrusion moved from initial access to data theft and encryption in less than 24 hours. Attackers compromised a public-facing IIS server, uploaded an ASP.NET web shell, and later threatened to release the stolen data within six days unless paid. The fast theft-and-extortion sequence increases the risk of follow-on disclosure and pressure on the victim.

Shark RV2320EDUS / AV1102ARUS cross-model AWS IoT Exec_Command RCE flaw

Vulnerability

Updated: 16.07.2026 12:23 · First: 16.07.2026 12:23 · 📰 1 src / 1 articles · H score: 78

A SharkNinja vacuum certificate flaw now enables root command execution on other Shark vacuums in the same AWS region, exposing camera feeds, house maps, and plaintext Wi‑Fi passwords. The issue affects Shark RV2320EDUS-based certificates and can be used against devices such as AV1102ARUS when their cloud shadow handler accepts Exec_Command updates.

AWS Device Defender overly permissive IoT policy remediation

Advisory/Mitigation

Updated: 16.07.2026 12:23 · First: 16.07.2026 12:23 · 📰 1 src / 1 articles · H score: 66

AWS's IOT_POLICY_OVERLY_PERMISSIVE_CHECK directs operators to replace broad IoT policies with device-scoped versions, closing a path that can let a compromised certificate affect all devices using the policy. The guidance matters because the same certificate can be used to read or modify cloud-managed device state across a fleet unless the policy is narrowed.

US government Gold Eagle vulnerability management launch

Public Sector Action

Updated: 16.07.2026 11:50 · First: 16.07.2026 11:50 · 📰 1 src / 1 articles · H score: 29

The US government launched Gold Eagle to coordinate vulnerability management and speed exploit detection and remediation across government and private-sector defenders. The program brings together CISA, the Treasury, and the Department of Defense, and it was trailed in Executive Order 14409 in June. Officials say the effort is designed to cut duplicate scanning and deliver actionable remediation intelligence through VINCE.

UEFI shim Secure Boot bypass (multiple vulnerabilities)

Vulnerability

Updated: 14.07.2026 15:46 · First: 14.07.2026 15:46 · 📰 3 src / 3 articles · H score: 1

Researchers identified 11 old, Microsoft-signed UEFI shim bootloaders that can bypass Secure Boot on systems trusting the Microsoft Corporation UEFI CA 2011 certificate, creating a path to arbitrary code execution during boot. The affected shims can let an attacker load malicious code before the operating system starts, enabling UEFI bootkits and other persistent malware. Microsoft revoked the impacted shims in June 2026 Patch Tuesday after responsible disclosure earlier in February 2026. The issues are tracked as CVE-2026-8863 and CVE-2026-10797.

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service

Updated: 23.06.2026 17:22 · First: 23.06.2026 17:22 · 📰 1 src / 1 articles · H score: 11

GitHub's actions/checkout now refuses common pwn request patterns by default, cutting the risk of attacker-controlled code execution in privileged GitHub Actions workflows. The guardrail applies to forked pull requests in pull_request_target and related workflow_run paths that can expose secrets and GITHUB_TOKEN access. The change began on June 18, 2026 and will be backported to supported major versions on July 16, 2026.

International investment-fraud call-center network

Threat Actor Meta

Updated: 16.07.2026 00:55 · First: 16.07.2026 00:55 · 📰 1 src / 1 articles · H score: 30

A multi-country investment-fraud network built around 20 call centers and 700-plus impersonators scaled victim grooming into an industrialized criminal service. The operation generated more than €100 million per month, showing a high-volume fraud ecosystem rather than isolated scams. Its long-running footprint, active since at least 2021, and its use of pseudonyms and technical concealment helped it evade disruption.

Dutch Police arrests and extradites suspects in international investment fraud scheme

Law Enforcement

Updated: 16.07.2026 00:55 · First: 16.07.2026 00:55 · 📰 1 src / 1 articles · H score: 27

Dutch Police arrested multiple suspects in an international investment fraud scheme tied to tens of thousands of victims. The main suspect was arrested in Poland, extradited to the Netherlands, and held in detention pending trial. Authorities also made additional arrests across Cyprus, Greece, and Belgium as the case expanded across borders.

Zoom Workplace Windows improper input validation account takeover security flaw (CVE-2026-53412)

Vulnerability

Updated: 15.07.2026 23:16 · First: 15.07.2026 23:16 · 📰 3 src / 3 articles · H score: 35

Zoom Workplace for Windows and related Windows clients were patched for CVE-2026-53412, a critical improper input validation flaw that could let an unauthenticated attacker take over accounts over the network. The issue affects Zoom Workplace for Windows before 7.0.0, the Windows VDI Client before 7.0.10/6.6.15/6.5.18, and the Meeting SDK for Windows before 7.0.0. Zoom said users should install the latest updates and reported no indications of exploitation in attacks.