SecurityWeek’s weekly cybersecurity news digest provides a streamlined summary of significant events that might not warrant individual articles but are still crucial for understanding the wider threat environment.
This handpicked collection spotlights major stories involving newly discovered vulnerabilities, novel hacking techniques, regulatory changes, market analyses, and other important incidents, helping readers stay informed about the rapidly changing cybersecurity world.
This week’s top stories include:
US government pushes for 72-hour patching deadlines
US cybersecurity leaders are suggesting a dramatic cut in federal patching timelines, shrinking the remediation window from two weeks down to just 72 hours for severe vulnerabilities, according to Reuters. This change comes in response to advanced AI systems like Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber, which empower attackers to exploit software weaknesses faster than ever before. It should be noted that CISA already directs certain federal agencies to apply patches within three days when the likelihood of exploitation is high.
Malware hijacks Windows Phone Link to capture OTPs
Cisco Talos has uncovered a modular malware operation involving the CloudZ remote access trojan and a recently developed plugin called Pheno. This malicious software captures one-time passwords and text messages by exploiting the Microsoft Phone Link app to pull information from synchronized SQLite databases on the infected computer. The attack sequence employs a Rust-based loader and reflective .NET execution to slip past security defenses.
Another Venezuelan ATM jackpotter faces deportation
David Jose Gomez Cegarra, a Venezuelan citizen, was sentenced to time already served for participating in an ATM jackpotting scheme that siphoned close to $300,000 from multiple banks. The criminals gained physical access to ATM hard drives to plant malware, which then triggered the machines to dispense cash. After being found guilty of bank larceny, Cegarra was ordered to pay $294,000 in restitution and handed over to ICE for removal from the country.
Train hacker apprehended in Taiwan
A 23-year-old student has been arrested in Taiwan for allegedly breaking into the high-speed rail system and sending counterfeit General Alarm signals to the central control room. By duplicating Tetra radio frequencies to activate manual emergency brakes, the individual caused multiple trains to halt. Police confiscated various radio and electronic equipment during the probe, and the accused is now facing multiple charges, including endangering public transportation safety.
IBM security leader emerges as leading contender for CISA director
Tom Parker, who heads security services at IBM, has become the frontrunner to lead the Cybersecurity and Infrastructure Security Agency (CISA) after Sean Plankey stepped aside. The Trump administration is said to prefer Parker’s deep private sector experience, which includes co-founding Hubble. Should he be confirmed, he will assume leadership of the agency currently managed by acting director Nick Andersen.
Drone conference attendees hit by Eurasian espionage campaign
Security researchers have uncovered a cyber espionage effort dubbed Operation Silent Rotor targeting the Eurasian drone sector. The attackers sent spear-phishing emails masquerading as communications from the Russian Aeronautical Information Center, tricking recipients into executing malware designed to siphon sensitive data. The operation was carefully timed to coincide with the Unmanned Aviation 2026 forum in Moscow, enabling the threat actors to breach high-priority targets within the industry.
More Americans jailed for running North Korean laptop farms
Matthew Isaac Knoot and Erick Ntekereze Prince each received 18-month prison sentences for helping North Korean IT workers penetrate nearly 70 US businesses and funnel $1.2 million to the sanctioned regime. The pair hosted company laptops at their residences and set up unauthorized remote access tools to make it appear as though the overseas employees were working from US locations.
Gaming platform compromised in North Korean espionage operation
The North Korea-affiliated hacking group ScarCruft carried out a focused surveillance campaign against individuals in China’s Yanbian region by infiltrating a gaming platform popular among ethnic Korean residents. By embedding malware within Windows update files and Android game installers, the group deployed the BirdCall backdoor to steal personal documents and record audio from compromised devices.
New Linux backdoor PamDOORa surfaces
A hacking group identified as ‘darkworm’ is selling the source code for PamDOORa, an advanced post-exploitation utility built to compromise the Linux Pluggable Authentication Module (PAM) framework. This backdoor grants persistent SSH access while also collecting plaintext passwords from legitimate users, including potentially incident responders investigating the breach. The malware is currently listed on a Russian cybercrime marketplace for $900.
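The item above only says PamDOORa lives inside the PAM stack, so a first defender check is to audit which modules that stack actually loads. The following is an added example, not SecurityWeek's or any vendor's code: it parses pam.d-style configuration text and flags modules loaded from outside the standard module directory or absent from an allowlist of distribution-packaged modules (the directory set, the allowlist and the sample sshd stack are constructed assumptions; in practice build the allowlist from the package manager's file inventory).

```python
# Added example: audit a pam.d-style stack for module entries a backdoor might have slipped in.
# Flags modules loaded from a non-standard path and modules missing from a packaged allowlist.
import re
from pathlib import PurePosixPath

# Assumption: standard PAM module directories on common distributions.
PAM_MODULE_DIRS = {"/lib/security", "/lib64/security", "/usr/lib/security",
                   "/usr/lib64/security", "/lib/x86_64-linux-gnu/security"}
# Assumption: allowlist of packaged modules; derive it from dpkg/rpm file lists in practice.
KNOWN_MODULES = {"pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_selinux.so",
                 "pam_loginuid.so", "pam_keyinit.so", "pam_sepermit.so", "pam_systemd.so"}

DIRECTIVE = re.compile(r"^\s*(?P<type>-?(?:auth|account|password|session))\s+"
                       r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")

def parse_pam_config(text):
    """Return (type, control, module, args) tuples; strips comments, joins continuations."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line.startswith("@include"):   # Debian-style file include, no module
            continue
        m = DIRECTIVE.match(line)
        if m:
            entries.append((m["type"].lstrip("-"), m["control"], m["module"], m["args"].split()))
    return entries

def find_suspicious_modules(text, known=KNOWN_MODULES, dirs=PAM_MODULE_DIRS):
    """Return (type, module, reason) for each module reference that deserves a second look."""
    findings = []
    for mtype, control, module, _args in parse_pam_config(text):
        if control in ("include", "substack"):   # references another stack file, not a .so
            continue
        path = PurePosixPath(module)
        if module.startswith("/") and str(path.parent) not in dirs:
            findings.append((mtype, module, "non-standard path"))
        elif path.name not in known:
            findings.append((mtype, module, "not a known packaged module"))
    return findings

# Constructed sshd stack; the last two lines are the injected entries the audit should catch.
SAMPLE_SSHD = """\
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
auth       optional     /tmp/.cache/pam_authlog.so
auth       optional     pam_sshcache.so  # name mimics a real module
"""
```

Run the audit against every file under /etc/pam.d and compare the flagged modules with the package manager's ownership records before treating any finding as a compromise.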
Hard power cycles necessary to remove Firestarter implant from Cisco firewalls
The ArcaneDoor cyber espionage outfit is deploying a stealthy Linux-based malware named Firestarter to infiltrate Cisco firewalls. As reported by Eclypsium, this implant hooks into the core LINA process to avoid detection and survives firmware updates by re-establishing its persistence mechanism during the reboot process. Completely eliminating the infection requires performing a hard power cycle by physically unplugging the device from all power sources for a minimum of one minute.