Intelligence Feed
Funnel Builder WordPress plugin bug exploited to steal credit cards
BleepingComputer
15 May 2026
SEV 4/10
Bill Toulas, May 15, 2026, 03:30 PM. A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. The flaw has not received an official identifier and can be leveraged without authentication. It affects all versions of the plugin before 3.15.0.3.
Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own
BleepingComputer
15 May 2026
SEV 4/10
Sergiu Gatlan, May 15, 2026, 01:47 PM. During the second day of Pwn2Own Berlin 2026, competitors collected $385,750 in cash awards after exploiting 15 unique zero-day vulnerabilities in multiple products, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations. The Pwn2Own Berlin 2026 hacking competition takes place at the OffensiveCon conference from May 14 to May 16 and focuses on enterprise technologies and artificial intelligence. Security researchers can earn over $1,000,000 in cash and prizes by hacking fully patched products in the web browser, enterprise applications, cloud-native/container environments, virtualization, local privilege escalation, servers, local inference, and LLM categories.
Popular node-ipc npm package compromised to steal credentials
BleepingComputer
15 May 2026
SEV 4/10
Bill Toulas, May 15, 2026, 01:10 PM. Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm. The node-ipc package is a Node.js module that enables various processes to communicate through all forms of sockets, including Unix, Windows, UDP, TLS, and TCP. Even though the maintainer published weaponized versions in March 2022 that targeted Russia- and Belarus-based systems with a data-overwriting module, in protest against the Russian invasion of Ukraine, the package still has more than 690,000 weekly downloads on npm.
Microsoft backpedals: Edge to stop loading passwords into memory
BleepingComputer
15 May 2026
SEV 4/10
Sergiu Gatlan, May 15, 2026, 10:49 AM. Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was "by design." This behavior was disclosed on May 4 by security researcher Tom Jøran Sønstebyseter Rønning, who demonstrated that all credentials stored in the Edge built-in password manager were decrypted on launch and kept in memory even when not in use. Rønning also released a proof-of-concept (PoC) tool that would allow attackers with Administrator privileges to dump passwords from other users' Edge processes (without admin privileges, the PoC only allows accessing Edge processes launched by the same user). He also said he reported the issue to Microsoft and was told the behavior was "by design" before he publicly disclosed it.
Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution
BleepingComputer
15 May 2026
SEV 4/10
Sponsored by Flare, May 15, 2026, 10:02 AM. In recent months, a new infostealer malware known as REMUS has emerged across the cybercrime landscape, drawing attention from security researchers and malware analysts. Several technical analyses published in recent months have focused on the malware’s capabilities, infrastructure, and similarities to Lumma Stealer, including its browser targeting mechanisms and credential theft functionality, among other features. However, far less attention has been given to the underground operation behind the malware itself.
Welcome to BlackFile: Inside a Vishing Extortion Operation
Mandiant Research
15 May 2026
SEV 4/10
Google Threat Intelligence Group, May 15, 2026. Written by: Austin Larsen, Tyler McLellan, Genevieve Stark, Dan Ebreo. Introduction: Google Threat Intelligence Group (GTIG) has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the "BlackFile" brand, that targets organizations via sophisticated voice phishing (vishing) and single sign-on (SSO) compromise. The group primarily targets Microsoft 365 and Okta infrastructure, leveraging Python and PowerShell scripts to programmatically exfiltrate sensitive corporate data for subsequent extortion attempts.
Living Off the Pipeline: Defending Against CI/CD Subversion
SentinelOne Labs
15 May 2026
SEV 4/10
SentinelOne, May 15, 2026. The software supply chain has become one of the most attractive targets for modern adversaries, but the attacks seen in 2025 did not focus solely on poisoning dependencies or hijacking packages. Increasingly, attackers are targeting the infrastructure that powers the software delivery lifecycle itself. Build servers, CI/CD runners, package managers, and developer workstations all sit inside an organization’s trusted delivery path.
The Good, the Bad and the Ugly in Cybersecurity – Week 20
SentinelOne Labs
15 May 2026
SEV 4/10
SentinelOne, May 15, 2026. The Good | Authorities Dismantle Major Dark Web Marketplaces & Arrest Key Admins. European authorities dismantled a lucrative, rebooted version of the ‘Crimenetwork’ cybercrime marketplace and arrested its primary administrator in Mallorca, Spain. When German police first disrupted the original platform in late 2024 and apprehended its operator, a 35-year-old suspect allegedly constructed an identical infrastructure to resume operations just days after. In the last two years, the resurrected criminal hub has amassed an extensive user base, attracting over 22,000 registered individuals and 100 specialized vendors who actively trafficked in stolen data, illegal services, and narcotics.
Microsoft to automatically roll back faulty Windows drivers
BleepingComputer
15 May 2026
SEV 3/10
Sergiu Gatlan, May 15, 2026, 08:29 AM. Microsoft is introducing a new capability that will allow it to remotely roll back problematic Windows drivers delivered through Windows Update. Called Cloud-Initiated Driver Recovery, the new feature will remove the need for hardware partners or end users to manually fix driver issues once drivers have been distributed to devices. The recovery process is entirely managed by Microsoft, with no partner-side actions required, and will only be initiated for Windows drivers rejected due to quality issues during shiproom evaluation.
Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Unit 42
15 May 2026
SEV 5/10
By: Pranay Kumar Chhaparwal, Mark Lim. Published: May 15, 2026. Executive Summary: This article examines new obfuscation techniques the Gremlin stealer malware uses to conceal malicious payloads within embedded resources. We analyze a variant protected by a sophisticated commercial packing utility that employs instruction virtualization, transforming the original code into a custom, non-standard bytecode executed by a private virtual machine. Gremlin stealer siphons sensitive information from compromised systems and exfiltrates it to attacker-controlled servers for potential publication or sale.
TeamPCP hackers advertise Mistral AI code repos for sale
BleepingComputer
14 May 2026
SEV 4/10
Ionut Ilascu, May 14, 2026, 06:50 PM. The TeamPCP hacker group is threatening to leak source code from the Mistral AI project unless a buyer is found for the data. In a post on a hacker forum, the threat actor is asking $25,000 for a set of nearly 450 repositories. Mistral AI is a French artificial intelligence company founded by former researchers from Google's DeepMind and Meta, which provides open-weight large language models (LLMs), both open source and proprietary.
Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
BleepingComputer
14 May 2026
SEV 5/10
Bill Toulas, May 14, 2026, 05:07 PM. Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites. Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics. The flaw, tracked as CVE-2026-8181, was introduced on April 23 with the release of version 3.4.0 of the plugin.
OpenAI confirms security breach in TanStack supply chain attack
BleepingComputer
14 May 2026
SEV 4/10
Lawrence Abrams, May 14, 2026, 03:07 PM. OpenAI says two employees' devices were breached in the recent TanStack supply chain attack that impacted hundreds of npm and PyPI packages, causing the company to rotate code-signing certificates for its applications as a precaution. In a security advisory published today, the company said the incident did not impact customer data, production systems, intellectual property, or deployed software. The company says the breach is linked to the recent "Mini Shai-Hulud" supply-chain campaign by the TeamPCP extortion gang, which targeted developers by slipping malicious updates into trusted and popular software packages.
Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight
BleepingComputer
14 May 2026
SEV 4/10
Sponsored by NMFTA, May 14, 2026, 11:21 AM. Written by Ben Wilkens, director of cybersecurity, NMFTA. Working in cybersecurity, you are well aware of the playbook that ransomware operators use: stolen credentials, established persistence, network recon, pivoting to a high-value target, cash out. These techniques are well documented; we have attack frameworks and kill chains that map them step by step.
Kimsuky targets organizations with PebbleDash-based tools
Securelist
14 May 2026
SEV 5/10
Sojun Ryu. Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout multiple phases of the group’s latest campaigns. Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021.
FrostyNeighbor: Fresh mischief and digital shenanigans
WeLiveSecurity
14 May 2026
SEV 4/10
ESET Research. ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the group’s continual cyberespionage operations. Damien Schaeffer, 14 May 2026. This blogpost covers newly discovered activities attributed to FrostyNeighbor, targeting governmental organizations in Ukraine. FrostyNeighbor has been running continual cyberoperations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe, according to our telemetry.
Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense
Recorded Future Research
14 May 2026
SEV 4/10
Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense Executive Summary Artificial intelligence is often discussed as a tool for automating and accelerating existing cybersecurity workflows. While that framing is accurate, it is incomplete. The most consequential shift occurs when AI is combined with threat intelligence — both intelligence about attacker capabilities and TTPs, and intelligence about our own defensive weaknesses and exposure.
NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals
Recorded Future Research
14 May 2026
SEV 4/10
NIST Stopped Scoring Most CVEs. The Signal You Actually Need Was Never in NVD. As of April 15, 2026, NIST enriches only CVEs that appear in the CISA Known Exploited Vulnerabilities catalog, federal government software, or software designated critical under Executive Order 14028.
How Rapid7 is bringing Cyber GRC closer to security operations
Rapid7 Blog
12 May 2026
SEV 4/10
Sabeen Malik, May 8, 2026 (last updated May 12, 2026). Sabeen Malik is VP, Global Government Affairs and Public Policy at Rapid7. Security teams need a better way to connect what they detect, what they fix, and what they can prove. The pace of modern security operations no longer works in defenders’ favor.
State of ransomware in 2026
Securelist
12 May 2026
SEV 4/10
Fabio Assolini, Marc Rivero, Maher Yamout, Darya Gorodilova. With International Anti-Ransomware Day taking place on May 12, Kaspersky presents its annual report on the evolving global and regional ransomware cyberthreat landscape. Ransomware remains one of the most persistent and adaptive cyberthreats. In 2026: New families continue to emerge, adopting post-quantum cryptography ciphers.
GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access
Mandiant Research
11 May 2026
SEV 4/10
Google Threat Intelligence Group, May 11, 2026. Executive Summary: Since our February 2026 report on AI-related threat activity, Google Threat Intelligence Group (GTIG) has continued to track a maturing transition from nascent AI-enabled operations to the industrial-scale application of generative models within adversarial workflows. This report, based on insights derived from Mandiant incident response engagements, Gemini, and GTIG’s proactive research, highlights the dual nature of the current threat environment where AI serves as both a sophisticated engine for adversary operations and a high-value target for attacks.
Eyes wide open: How to mitigate the security and privacy risks of smart glasses
WeLiveSecurity
11 May 2026
SEV 3/10
Phil Muncaster, 11 May 2026. Smart glasses allow anyone to track and record the world around them. That could put your data and the privacy of those nearby at risk.
Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild
Elastic Security Labs
09 May 2026
SEV 5/10
9 May 2026 • Ruben Groenewoud • Eric Forte • Samir Bousseaden. This research analyzes the Linux kernel privilege escalation vulnerabilities Copy Fail and DirtyFrag, which exploit subtle page cache corruption bugs to create reliable paths to root access. Additionally, Elastic Security Labs is releasing detection logic for these vulnerabilities. Introduction: Recent Linux kernel privilege escalation vulnerabilities, Copy Fail (CVE-2026-31431), Copy Fail 2, and DirtyFrag, highlight how subtle page cache corruption bugs can become practical, reliable paths to root.
Metasploit Wrap-Up 05/08/2026
Rapid7 Blog
08 May 2026
SEV 4/10
Alan David Foster, May 8, 2026. Spring cleanup: This week’s Metasploit updates focused on foundational improvements and expanded target reach. Key enhancements were made to the recently released Copy Fail exploit module, which now benefits from payload fixes in linux/x64/exec and linux/armle/exec. These changes expand its capability, enabling the use of the cmd/unix/python/meterpreter/reverse_tcp payload on x64 targets and introducing support for ARMLE Linux.
Canvas Breach Disrupts Schools & Colleges Nationwide
Krebs on Security
08 May 2026
SEV 4/10
An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions. (Image: A screenshot shared by a reader showing the extortion message that was shown on the Canvas login page today.) Canvas parent firm Instructure responded to today’s defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students.
Detecting Web Server Probing & Fuzzing in Traefik with Automated Cloudflare Response
Elastic Security Labs
08 May 2026
SEV 4/10
8 May 2026 • Erik-Jan de Kruijf. This article shows how a customized Elastic Security ES|QL detection rule can identify web server probing and fuzzing activity in Traefik logs and automatically block the attacking IP via Cloudflare. Introduction: Self-hosted services exposed through a reverse proxy inevitably attract automated scanners probing for misconfigurations, admin panels, and vulnerable endpoints. In this article, I show how to turn routine Traefik access logs into an active defensive control using Elastic Security and Cloudflare.
Rapid7 and OpenAI: Helping Defenders Move at Machine Speed
Rapid7 Blog
07 May 2026
SEV 3/10
Wade Woolwine, May 7, 2026. Wade Woolwine is Senior Director, Product Security at Rapid7. Announcing OpenAI's Trusted Access for Cyber program: CIOs and CISOs are telling us the same thing in different ways: Advances in frontier AI are accelerating the threat environment and putting pressure on security operating models built for a different pace. Vulnerabilities can be discovered faster, exploitation windows are shrinking, and attackers are increasingly using automation to move with greater speed and scale.
Why Security in 2026 Requires Continuous Threat and Exposure Management (CTEM) at Scale
Rapid7 Blog
07 May 2026
SEV 4/10
James Davis, May 7, 2026. Let's be honest, the patching window just shrank to something no practitioner or organization can keep up with. Organizations now need to operate in an environment that must assume breach, which means fundamentals like attack surface management, micro-segmentation, identity management, and attack path validation – aka a few core pillars of CTEM – just became the most important initiatives within the cybersecurity department. Rapid7 is the only vendor that provides a truly unified platform to master Continuous Threat Exposure Management (CTEM).
Fake call logs, real payments: How CallPhantom tricks Android users
WeLiveSecurity
07 May 2026
SEV 3/10
ESET Research. ESET researchers uncovered fraudulent apps on Google Play that claim to provide the call history “for any number” and had been downloaded more than seven million times before being taken down. Lukas Stefanko, 07 May 2026. There’s an app for everything nowadays… right? Well, looking up call records for a phone number of choice is one of those things, as potentially millions of Android users found out after paying for app subscriptions promising just that.
Fixing the password problem is as easy as 123456
WeLiveSecurity
07 May 2026
SEV 3/10
Digital Security. How come it’s still possible to ‘secure’ an online account with a six-digit string? Tony Anscombe, 07 May 2026. The most-used password globally is exactly what you think it is: ‘123456.’ That’s according to NordPass’s latest annual report on passwords exposed in data breaches globally.
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
Elastic Security Labs
07 May 2026
SEV 5/10
7 May 2026 • Jia Yu Chan • Daniel Stepanic • Seth Goodwin • Terrance DeJesus. REF3076 uses a trojanized Logitech installer to deploy TCLBANKER, a Brazilian banking trojan with environment-gated payloads, WPF fraud overlays, and self-propagating WhatsApp and Outlook worm modules. Elastic Security Labs identified a new Brazilian banking trojan that we are tracking as TCLBANKER, a malware family we assess is a major update of the MAVERICK / SORVEPOTEL family. The campaign, tracked as REF3076, features a loader with robust anti-analysis capabilities that deploys two embedded .NET Reactor-protected modules: a full-featured banking trojan and a worm module for self-propagation.
Quantum Risk Explained
Recorded Future Research
07 May 2026
SEV 4/10
Quantum Risk Explained: What, When, How? Summary: Quantum computing is moving from theory toward early practical use, with direct implications for encryption, authentication, and long-term data confidentiality. The primary risk is the eventual emergence of cryptographically relevant quantum computers (CRQCs), which would break today’s public-key cryptography and undermine encryption, digital identity, and software trust at scale.
OceanLotus suspected of using PyPI to deliver ZiChatBot malware
Securelist
06 May 2026
SEV 5/10
Authors: GReAT. Introduction: Through our daily threat hunting, we noticed that, beginning in July 2025, a series of malicious wheel packages were uploaded to PyPI (the Python Package Index). We shared this information with the public security community, and the malware was removed from the repository. We submitted the samples to Kaspersky Threat Attribution Engine (KTAE) for analysis.
Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
Rapid7 Blog
06 May 2026
SEV 5/10
Alexandra Blia | Ivan Feigl, May 6, 2026 (last updated May 7, 2026). Executive summary: In early 2026, a sophisticated intrusion initially appearing to be a standard Chaos ransomware attack was assessed to be consistent with a targeted state-sponsored operation. While the threat actor operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, forensic analysis revealed the incident was a "false flag" masquerade. Technical artifacts, including a specific code-signing certificate and Command-and-Control (C2) infrastructure, suggest with moderate confidence that this activity is linked to MuddyWater (Seedworm), an Iranian Advanced Persistent Threat (APT) affiliated with the Ministry of Intelligence and Security (MOIS).
Websites with an undefined trust level: avoiding the trap
Securelist
06 May 2026
SEV 4/10
Authors: Lama Saqqour, Anna Larkina. Executive summary: A suspicious website is a web resource that cannot be definitively classified as phishing, but whose activities are unsafe. Such sites manipulate users, tricking them into voluntarily transferring money for non-existent services, signing up for hidden subscriptions, or disclosing personal data through carefully crafted terms of service. These include fake online stores, dubious crypto exchanges, investment platforms, and services with paid subscriptions.
Threat Activity Enablers: The Backbone of Today’s Threat Landscape
Recorded Future Research
06 May 2026
SEV 3/10
Threat Activity Enablers: The Backbone of Today’s Threat Landscape This article introduces threat activity enablers (TAEs), the infrastructure providers and networks that underpin modern cyber threats across both criminal and state-sponsored activity. These entities sustain operations by enabling resilient, high-risk infrastructure that persists despite sanctions, takedowns, and public exposure. Behind every ransomware demand, botnet, or threat activity group is a server sitting in a data center.
Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more.
Recorded Future Research
06 May 2026
SEV 3/10
Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. For security professionals evaluating threat intelligence vendors, the Gartner Magic Quadrant offers an indispensable perspective. Gartner analysts’ thorough and nuanced analysis cuts through the noise, making it easier for teams to understand each platform’s approach, strengths, and considerations—and helping them determine whether a particular vendor fits their organization’s unique needs.
A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
WeLiveSecurity
05 May 2026
SEV 4/10
A rigged game: ScarCruft compromises gaming platform in a supply-chain attack ESET Research ESET researchers have investigated an ongoing attack by the ScarCruft APT group that targets the Yanbian region via backdoor-laced Windows and Android games Filip Jurčacko 05 May 2026 18 min. read ESET researchers uncovered a multiplatform supply-chain attack by North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China – home to ethnic Koreans and a crossing point for North Korean refugees and defectors. In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor.
Your UEBA is lying to you: Why entity record quality decides everything
Elastic Security Labs
05 May 2026
SEV 4/10
UEBA & entity analytics: Why entity record quality matters — Elastic Security Labs 5 May 2026 • Erik Huang • Mike Paquette Your UEBA is lying to you: Why entity record quality decides everything Most entity analytics systems are confidently wrong. They track users who do not exist, generate risk scores built on noise, and call it behavioral analytics. Learn why the entity records you don't create matter as much as the ones you do and how a confidence-tiered model changes the game.
AI-generated hunting leads: The hunt starts before you ask the question
Elastic Security Labs
05 May 2026
SEV 3/10
Proactive threat hunting with Elastic’s AI-generated hunting leads — Elastic Security Labs 5 May 2026 • Erik Huang • Mike Paquette AI-generated hunting leads: The hunt starts before you ask the question Introducing AI-generated hunting leads, proactive, environment-aware threat hypotheses powered by Elastic Entity analytics and integrated AI reasoning. 4 min read Product Updates Threat hunting has always been a human art; a practitioner staring at logs, forming a hypothesis, and patiently chasing it down. What if the hardest part of the hunt (knowing where to look) could be done for you, automatically, in milliseconds, and tuned specifically to your environment?
Know who to watch before the incident finds you
Elastic Security Labs
05 May 2026
SEV 3/10
Entity Analytics Watchlists in Elastic Security: organizational risk context as a scoring signal — Elastic Security Labs 5 May 2026 • Erik Huang • Jared Burgett Know who to watch before the incident finds you Elastic Security v9.4 introduces Entity Analytics Watchlists, a way to codify what your team already knows about high-risk entities and feed that context directly into risk scoring, without custom pipelines or detection engineering overhead 5 min read Product Updates Elastic Security v9.4 introduces Entity Analytics Watchlists, a new capability in the Entity Analytics suite that lets security teams create named, weighted lists of users, hosts, and services and feed that context directly into the platform's risk scoring pipeline. The gap this closes isn't awareness, as most security teams already know which entities deserve elevated scrutiny. The gap is that SIEMs have had no way to express that organizational knowledge as a risk signal.
Elastic Workflows GA: automation where your security data already lives
Elastic Security Labs
05 May 2026
SEV 3/10
Elastic Workflows GA: Security automation built into your SIEM — Elastic Security Labs 5 May 2026 • Tinsae Erkailo Elastic Workflows GA: automation where your security data already lives Elastic Workflows is generally available in 9.4, bringing production-ready security automation with deeper case management integration, human-in-the-loop support, natural language authoring, and more. 8 min read Product Updates Elastic Workflows is generally available in 9.4. It is the automation layer built directly into Elastic, running where your data lives across Security, Observability, and Search.
Hacking Embodied AI
Recorded Future Research
05 May 2026
SEV 4/10
Hacking Embodied AI Summary Embodied AI has arrived. Humanoid and quadruped robots are moving off factory floors and into everyday operations, military deployments, and critical infrastructure. Technological advances in large language models LLMs and robotics are enabling robots to perform complex tasks autonomously.
The Most Powerful Women Of The Channel 2026: Power 100
Proofpoint Threat Insight
04 May 2026
SEV 4/10
The Most Powerful Women Of The Channel 2026: Power 100 The Power 100 is culled from the ranks of CRN’s Women of the Channel and spotlights the female executives at vendors and distributors whose insight and influence help drive channel success. Each year CRN honors 100 women who are driving the channel through their leadership, business acumen and partner advocacy. These women -- named to the Power 100 -- are standout executives from vendors and distributors among the broader class of the CRN 2026 Women of the Channel list.
“Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security
Securelist
04 May 2026
SEV 4/10
Phishing campaigns and BEC attacks through Amazon SES | Securelist Authors: Roman Dedenok Introduction The primary goal for attackers in a phishing campaign is to bypass email security and trick the potential victim into revealing their data. To achieve this, scammers employ a wide range of tactics, from redirect links to QR codes. Additionally, they heavily rely on legitimate sources for malicious email campaigns.
One agent, the right skills: Elastic Security 9.4 brings domain expertise on demand to every SOC workflow
Elastic Security Labs
04 May 2026
SEV 4/10
Cybersecurity Skills in Elastic Security: How they work & getting started — Elastic Security Labs 4 May 2026 • Dhrumil Patel One agent, the right skills: Elastic Security 9.4 brings domain expertise on demand to every SOC workflow Elastic Security 9.4 introduces skills, modular AI capabilities that teach the Elastic AI Agent how to detect, investigate, and hunt like a specialist. This is how they work, and why they matter for the SOC. 12 min read Product Updates Three things land on you at once: Attack Discovery correlated 12 alerts into a credential-harvesting campaign overnight, your team just onboarded a new fleet of macOS endpoints and needs detection rules for LOLBin abuse, and a risk score spike on a service account just crossed the critical threshold.
Elastic Conversational Entity Analytics: threat hunting in a single conversation
Elastic Security Labs
04 May 2026
SEV 3/10
Elastic Conversational Entity Analytics for threat hunting — Elastic Security Labs 4 May 2026 • Erik Huang • Paulo da Silva Junior Elastic Conversational Entity Analytics: threat hunting in a single conversation Conversational Entity Analytics delivers Entity Analytics features as rich inline attachments and Canvas previews into Agent Builder, so you don’t have to leave the conversation. 4 min read Product Updates Entity Analytics is a core security analytics capability that extends Elastic Security from event-centric to entity-centric investigation. This security context equips threat hunters to stop chasing isolated alerts and instead uncover the full narrative of a potential compromise.
From plain English to production rule: AI-native Elasticsearch ES|QL detection in Elastic Security
Elastic Security Labs
04 May 2026
SEV 3/10
ES|QL detection rules, generated from plain English by Elastic Security's AI Agent — Elastic Security Labs 4 May 2026 • Kseniia Ignatovych From plain English to production rule: AI-native Elasticsearch ES|QL detection in Elastic Security Elastic Security now lets analysts describe a threat behavior in plain language and receive a complete, validated Elasticsearch ES|QL detection rule in return, no query expertise required. 10 min read Product Updates Elastic Security now includes AI-powered detection rule creation, built into the rule creation workflow. Analysts describe a threat behavior in plain English and receive a complete, validated Elasticsearch Query Language (ES|QL) rule in return, with MITRE ATT&CK mappings, severity recommendations, and a preview against live data, all without leaving the platform or writing a single line of query syntax.
Essential Data Sources for Detection Beyond the Endpoint
Unit 42
01 May 2026
SEV 4/10
Essential Data Sources for Detection Beyond the Endpoint By: Corey Berman, Matt Gayford Published: May 1, 2026 Categories: General, Insights Tags: Cloud Security, IAM, Incident response, Threat detection 2026 Unit 42 Global Incident Response Report delivers a sharp wake-up call: Threat actors are now moving 4x faster to exfiltration than in 2025. While the endpoint remains a critical first line of defense, the rapid proliferation of cloud services, microservices and remote users has expanded the attack surface beyond what any single tool can monitor. In 75% of incidents Unit 42 investigated, critical evidence of the initial intrusion was present in the logs.
Metasploit Wrap-Up 05/01/2026
Rapid7 Blog
01 May 2026
SEV 4/10
Metasploit Wrap-Up 05/01/2026 Christopher Granleese May 1, 2026 | Last updated on May 1, 2026 MCP server This release, our very own cdelafuente-r7 finished implementing the Metasploit MCP Server (msfmcpd), bringing Model Context Protocol support to Metasploit Framework. MCP lets AI applications like Claude, Cursor, or your own custom agents query Metasploit data. Think of it as a middleware layer that exposes 8 standardized tools for searching modules and pulling reconnaissance data, all built on the official Ruby MCP SDK.
The Good, the Bad and the Ugly in Cybersecurity – Week 18
SentinelOne Labs
01 May 2026
SEV 4/10
The Good, the Bad and the Ugly in Cybersecurity – Week 18 May 1, 2026 SentinelOne The Good | Authorities Dismantle State-Backed Espionage & Cybercrime Rings This week, authorities successfully secured the extradition of Xu Zewei, an alleged Chinese Ministry of State Security (MSS) contract hacker, from Italy to the U.S. to face severe federal cyberespionage charges. Operating alongside the Silk Typhoon group, Xu systematically compromised internet-facing systems during a highly coordinated intelligence-gathering campaign between February 2020 and June 2021.
DFIR: From alert to root cause using Osquery without leaving Elastic Security
Elastic Security Labs
01 May 2026
SEV 4/10
DFIR: From alert to root cause using Osquery without leaving Elastic Security — Elastic Security Labs 1 May 2026 • Raquel Tabuyo Learn how to perform distributed, real-time Digital Forensics and Incident Response (DFIR) using Osquery and Elastic to investigate threats at scale without relying on disk imaging. 10 min read Product Updates Modern DFIR doesn't start with a disk image. That model worked when environments were smaller, endpoints were static, and time wasn't the primary constraint.
The Iran War: What You Need to Know
Recorded Future Research
01 May 2026
SEV 4/10
The Iran War: What You Need to Know Last updated: 1 May 2026 at 1500 GMT New from Insikt Group: Iran War — Future Scenarios and Business Implications Insikt Group has published a dedicated Cone of Plausibility analysis examining how the Iran conflict could evolve over the next 6–12 months — from a fragile ceasefire baseline to regional war, regime collapse, and nuclear crisis. Each scenario includes business implications and 0–90 day priority actions. This report is updated as the situation evolves across the geopolitical, cyber, and influence operations dimensions of this conflict.
That AI Extension Helping You Write Emails? It’s Reading Them First
Unit 42
30 Apr 2026
SEV 5/10
That AI Extension Helping You Write Emails? It’s Reading Them First By: Shresta Bellary Seetharam, Nabeel Mohamed, Billy Melicher, Oleksii Starov, Qinge Xie, Fang Liu Published: April 30, 2026 Categories: Malware, Threat Research Tags: AI browser, Browser extension, GenAI, Infostealer, Malware, Remote Access Trojan, Search hijacker, Spyware Executive Summary We found 18 AI browser extensions marketed as productivity tools that are not as they seem. This group includes extensions such as: one that surveils your emails as you compose them; another that intercepts ChatGPT prompts; a third that exfiltrates passwords. Leveraging the rise of generative AI (GenAI), these extensions deliver remote access Trojans (RATs), meddler-in-the-middle (MitM) attacks and infostealers that target prompts, user behavior and browser sessions.
Anti-DDoS Firm Heaped Attacks on Brazilian ISPs
Krebs on Security
30 Apr 2026
SEV 5/10
Anti-DDoS Firm Heaped Attacks on Brazilian ISPs – Krebs on Security A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company’s public image. An Archer AX21 router from TP-Link.
Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India
Securelist
30 Apr 2026
SEV 5/10
Analyzing the Silver Fox tax campaign and the new ABCDoor backdoor | Securelist Authors: Anton Kargin, Vladimir Gursky, Victoria Vlasova, Anna Lazaricheva In December 2025, we detected a wave of malicious emails designed to look like official correspondence from the Indian tax service. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations. We have attributed this activity to the Silver Fox threat group.
Building with AI: Here's What No Briefing Will Tell You
Recorded Future Research
30 Apr 2026
SEV 3/10
Building with AI: Here's What No Briefing Will Tell You Executives making AI decisions without hands-on building experience have a comprehension gap that no briefing can close. AI is rapidly eroding most traditional competitive moats, and proprietary data's real value now comes down to how long it would take a competitor to reconstruct it. As AI equalizes development speed, the most valuable engineers are those with sharp judgment, and companies need to actively protect the foundational skills that make that judgment possible. I've spent the last three months building with AI.
Risk Scenarios for the US’s Strategic Pivot
Recorded Future Research
30 Apr 2026
SEV 4/10
Risk Scenarios for the US’s Strategic Pivot Summary The United States (US) is shifting toward a more force-driven security strategy primarily relying on military operations and economic pressure to counter transnational criminal organizations and limit Chinese, Russian, and Iranian influence in the Western Hemisphere. Regional outcomes diverge across three core scenarios: US-aligned authoritarian cooperation with fragile stability; political fragmentation enabling criminal expansion and governance breakdown; and a strategic realignment toward BRICS that reduces US influence and increases great power competition. Each scenario increases the risks of political instability, regulatory fragmentation, and cyber threats, including increased surveillance, cybercrime, and targeting of critical infrastructure and multinational businesses. Figure 1: Overview of possible scenarios resulting from the US’s strategic pivot to Western Hemisphere security (Source: Recorded Future) Analysis The US 2025 National Security Strategy formalized a shift toward hemispheric priorities and narrower strategic objectives.
CI/CD pipeline abuse: the problem no one is watching
Elastic Security Labs
29 Apr 2026
SEV 5/10
CI/CD pipeline abuse: the problem no one is watching — Elastic Security Labs 29 April 2026 • Mika Ayenson, PhD How we built an open-source, drop-in CI template that uses signal extraction and LLM reasoning to catch CI/CD abuse in GitHub Actions, GitLab CI, and Azure DevOps pipelines. 9 min read Detection Engineering, Enablement, Tools Preamble In 2025 and 2026, we watched a pattern play out across the industry. Attackers stopped going after production servers directly and started targeting the automation that deploys to them.
Lazarus Doesn't Need AGI
Recorded Future Research
28 Apr 2026
SEV 3/10
Lazarus Doesn't Need AGI Last week’s reporting on unauthorized access to Claude Mythos reads as an AI security story. It is also, structurally, a North Korea (DPRK) story. Even if the current suspects turn out to be Discord hobbyists.
The Money Mule Solution: What Every Scam Has in Common
Recorded Future Research
28 Apr 2026
SEV 3/10
The Money Mule Solution: What Every Scam Has in Common Scams are a $450B–$1T global problem, and unlike card fraud, they don't require a breach; just convincing a victim to send money themselves. The mule account is the most stable target: every scam needs an exit point, and intelligence gathered before a transaction occurs is more actionable than behavioral monitoring after the fact. CYBERA's approach uses agentic personas to engage active scammers and extract verified mule account details, confirmed intelligence, not probabilistic scoring.
Monitoring Claude Code/Cowork at scale with OTel in Elastic
Elastic Security Labs
25 Apr 2026
SEV 3/10
Claude Code/Cowork monitoring at scale with Otel & Elastic — Elastic Security Labs 25 April 2026 • Spencer Niemi Monitoring Claude Code/Cowork at scale with OTel in Elastic How Elastic's InfoSec team built a monitoring pipeline for Claude Code and Claude Cowork using their native OTel export capabilities and Elastic's OTel ingestion infrastructure. 8 min read Enablement , Generative AI As AI coding assistants become standard tools in engineering workflows, security teams face a new challenge: how do you maintain visibility into what an AI agent is doing (and why) across your organization? When those agents can execute shell commands, read files, call APIs, and interact with internal systems via MCP connectors, you need real-time observability to support threat detection, incident response, and compliance.
The Good, the Bad and the Ugly in Cybersecurity – Week 17
SentinelOne Labs
24 Apr 2026
SEV 4/10
The Good, the Bad and the Ugly in Cybersecurity – Week 17 April 24, 2026 SentinelOne The Good | Two Cybercrime Leaders Face Justice for Fraud, Identity Theft & Extortion Tyler Robert Buchanan, a 24-year-old British national believed to be a leader of the UNC3944 cybercrime group, has pleaded guilty in the U.S. to wire fraud and aggravated identity theft. Prosecutors say Buchanan and four accomplices stole at least $8 million in cryptocurrency by targeting employees at multiple organizations with SMS phishing attacks between 2021 and 2023.
The calm before the ransom: What you see is not all there is
WeLiveSecurity
24 Apr 2026
SEV 4/10
The calm before the ransomware storm: What you see is not all there is A breach claims the systems as well as the confidence that was, in retrospect, a major vulnerability Tomáš Foltýn 24 Apr 2026 5 min. read There’s a bit of a pattern in the history of organizational failures that repeats too often to be a coincidence: A system runs smoothly for a long stretch, causing everyone to grow confident in it. Almost invariably, this also quietly erodes the vigilance that kept the system running smoothly in the first place.
PhantomRPC: A new privilege escalation technique in Windows RPC
Securelist
24 Apr 2026
SEV 4/10
Disclosing PhantomRPC – a privilege escalation vulnerability in RPC | Securelist Authors: Haidar Kabibo Intro Windows Interprocess Communication (IPC) is one of the most complex technologies within the Windows operating system. At the core of this ecosystem is the Remote Procedure Call (RPC) mechanism, which can function as a standalone communication channel or as the underlying transport layer for more advanced interprocess communication technologies. Because of its complexity and widespread use, RPC has historically been a rich source of security issues.
From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026
Recorded Future Research
24 Apr 2026
SEV 3/10
From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Key Takeaways The real challenge in cybersecurity isn’t intelligence or visibility, it’s speed. Attackers operate at machine speed, while most organizations are still constrained by manual, human-driven workflows. Traditional threat intelligence falls short because it stops at insight.
Frontier AI and the Future of Defense: Your Top Questions Answered
Unit 42
23 Apr 2026
SEV 3/10
Frontier AI and the Future of Defense: Your Top Questions Answered By: Sam Rubin Published: April 23, 2026 Categories: General, Insights Tags: GenAI, LLM, N-day, Open source Over the last several weeks, Palo Alto Networks and Unit 42 have been talking with CISOs and security leaders globally to discuss the emergence of frontier AI models and their broader implications on cybersecurity. While the potential for AI-driven innovation is immense, the speed and scale at which these models can be weaponized poses a generational challenge to traditional security programs. We’ve compiled the 10 most frequent questions we are receiving from customers to help you navigate this transition with practical, intelligence-led guidance.
Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
Mandiant Research
23 Apr 2026
SEV 5/10
Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite | Google Cloud Blog April 23, 2026 Mandiant Written by: JP Glab, Tufail Ahmed, Josh Kelley, Muhammad Umair Introduction Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration. As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization.
Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System
Unit 42
23 Apr 2026
SEV 4/10
Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System By: Yahav Festinger, Chen Doytshman Published: April 23, 2026 Categories: Cloud Cybersecurity Research, Threat Research Tags: AI, Cloud, Data exfiltration, GCP, Google Cloud, LLMs, Multi-agent, Penetration testing Executive Summary The offensive capabilities of large language models (LLMs) have until recently existed as theoretical risks – frequently discussed at security conferences and in conceptual industry reports, but rarely discovered in practical exploits. However, in November 2025, Anthropic published a pivotal report documenting a state-sponsored espionage campaign. In this operation, AI didn't just assist human operators – it became the operator, performing 80-90% of the campaign autonomously, at speeds that no human team could match.
GopherWhisper: A burrow full of malware
WeLiveSecurity
23 Apr 2026
SEV 3/10
GopherWhisper: A burrow full of malware ESET Research ESET Research has discovered a new China-aligned APT group that we’ve named GopherWhisper, which targets Mongolian governmental institutions Eric Howard 23 Apr 2026 6 min. read ESET researchers have discovered a previously undocumented China-aligned APT group that we named GopherWhisper. The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal.
Critical minerals and cyber operations
Recorded Future Research
23 Apr 2026
SEV 4/10
Critical minerals and cyber operations Summary Critical elements and rare earth elements (REEs) are no longer commodities; they are strategic dependencies. China’s dominance in processing and refining provides it with enormous geopolitical leverage over other industrialized economies. Geopolitical competition over mining and refining critical elements and REEs is accelerating.
Hypersonic Supply Chain Attacks: One Solution That Didn’t Need to Know the Payload
SentinelOne Labs
22 Apr 2026
SEV 4/10
Hypersonic Supply Chain Attacks: One Solution That Didn’t Need to Know the Payload April 22, 2026 Matt Berry In 2026, the question for security leaders is not whether a supply chain attack is coming. Every serious organization should assume it is. The question is whether their defense architecture can stop a payload it has never seen before.
When Wi-Fi Encryption Fails: Protecting Your Enterprise from AirSnitch Attacks
Unit 42
22 Apr 2026
SEV 4/10
When Wi-Fi Encryption Fails: Protecting Your Enterprise from AirSnitch Attacks By: Emmanuel Zhou, Adam Robbie, Rick Wyble, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V. Krishnamurthy, Mathy Vanhoef Published: April 22, 2026 Categories: Malware, Threat Research Tags: AirSnitch, MitM, Network security, Port stealing, WiFi encryption, Wireless, WPA2, WPA3 Executive Summary Enterprises have long trusted Wi-Fi encryption and client isolation to secure their wireless infrastructure. However, we conducted research presented at the NDSS Symposium 2026 that reveals that these safeguards can be breached by a novel set of attack techniques that we call AirSnitch.
AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation?
Recorded Future Research
22 Apr 2026
SEV 4/10
AI vulnerability research and discovery capabilities are improving, but they have not changed the fundamentals of vulnerability management. Instead, they are scaling up problems familiar to vulnerability managers: patch prioritization and remediation backlogs.
Evolution of Chinese-Language Guarantee Telegram Marketplaces
Recorded Future Research
22 Apr 2026
SEV 4/10
Executive Summary: Chinese-language, Telegram-based “guarantee” marketplaces are increasingly popular among Chinese-speaking criminal groups despite the widely publicized shutdown of Huione Guarantee in 2025. Although these guarantee marketplaces operate similarly to Huione Guarantee, they differ in their focus on particular aspects of cybercrime and in their targeting of specific geographies. To better understand these Chinese-language guarantee marketplaces, Insikt Group observed and analyzed another increasingly popular guarantee marketplace, dubbed Dabai Guarantee (“大白担保”).
‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty
Krebs on Security
21 Apr 2026
SEV 4/10
A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors. Buchanan’s hacker handle “Tylerb” once graced a leaderboard in the English-language criminal hacking scene that tracked the most accomplished cyber thieves.
New NGate variant hides in a trojanized NFC payment app
WeLiveSecurity
21 Apr 2026
SEV 4/10
ESET researchers discover another iteration of NGate malware, this time possibly developed with the assistance of AI. Lukas Stefanko, 21 Apr 2026. ESET Research has discovered a new variant of the NGate malware family that abuses a legitimate Android application called HandyPay, instead of the previously leveraged NFCGate tool. The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated.
The Cost of Understanding: LLM-Driven Reverse Engineering vs Iterative LLM Obfuscation
Elastic Security Labs
21 Apr 2026
SEV 4/10
21 April 2026 • Cyril François • Daniel Stepanic • Jia Yu Chan. Elastic Security Labs explores the ongoing arms race between LLM-driven reverse engineering and obfuscation. Topics: Generative AI, Detection Engineering, Malware Analysis. Introduction: Over the past few years, we have observed a significant evolution in the capabilities of LLMs to be productive and to carry out various tasks that address real-world problems, such as program synthesis, malware research, or vulnerability research. Specifically in the context of reverse engineering, LLMs are particularly effective given the right tools because they are very good at reading source code even without symbols.
Emerging Enterprise Security Risks of AI
Recorded Future Research
21 Apr 2026
SEV 4/10
Summary: Agentic AI adoption is accelerating rapidly as enterprise software and applications increasingly incorporate task-specific AI agents, enabling autonomous execution of complex tasks at machine speed. The autonomy and scale of AI agents introduce significant enterprise risk, as errors, misconfigurations, or malicious manipulation can propagate quickly across interconnected systems, amplifying the potential impact of incidents. Agentic AI will exacerbate existing weaknesses in software supply chains, as vulnerable or malicious open-source components can be deployed faster and at scale.
Automation at Machine Speed: Rethinking Execution in Modern Cybersecurity
SentinelOne Labs
20 Apr 2026
SEV 3/10
April 20, 2026, SentinelOne. In our previous posts, we explored the Identity Paradox and the rising risks at the enterprise edge. Together, these blogs highlighted how attackers gain initial access and leverage unmanaged devices to escalate privileges. The next phase of intrusion – execution – demonstrates how modern adversaries, aided by automation and AI, operate at speeds and a scale that challenge traditional human-centered defenses.