It’s become chaotic once more.
The digital world still appears to be barely holding together. Problematic plugins, longstanding vulnerabilities, counterfeit utilities, and supposedly trusted applications behaving badly: the same old problems in a fresh package. And now the bizarre has become routine. Forums disappear only to return in worse shape. Low-budget threat actors are getting their hands on more sophisticated tools. Artificial intelligence is beginning to compromise real-world systems. Wonderful.
Go through the full rundown before it dampens your entire week.
-
Unauthenticated SSRF vulnerability
Cisco has deployed patches to fix a critical security weakness in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6) that could enable an unauthenticated, remote attacker to perform server-side request forgery (SSRF) attacks against an affected system. “This flaw stems from insufficient input verification for particular HTTP requests,” Cisco explained. “An attacker might take advantage of this weakness by submitting a specially designed HTTP request to a compromised system. If exploited successfully, this could let the attacker create files on the host operating system that could subsequently be leveraged to gain root-level access.” The vulnerability has been resolved in Cisco Unified CM and Unified CM SME Release versions 14SU6 and 15SU5. Cisco acknowledged that proof-of-concept exploit code for this flaw is publicly available, though it stated there are no signs of active exploitation. The company thanked an independent security researcher who collaborated with SSD Secure Disclosure for identifying and reporting the issue.
-
Mobile spyware campaign
Russia’s Federal Security Service (FSB) has shared details about what it characterized as an “extensive operation” carried out by overseas intelligence agencies to covertly install spyware onto mobile devices belonging to senior Russian officials. “This malicious software was deployed to extract stored data, intercept live communications, and secretly capture audio and video from the surroundings of the targeted devices, with the primary goal of obtaining classified information,” the FSB stated. Russia did not attribute the attacks to any specific party but indicated that “agents of foreign intelligence agencies” exploited the technical resources of major global technology firms to extract sensitive information from the devices. The agency emphasized that this included the abuse of mobile communication channels. A criminal investigation into the operation is currently underway, with the FSB also filing formal charges related to the incident.
-
Multi-layered keylogger hooks
Over recent months, cybercriminals have been using social engineering tactics to distribute VIP Keylogger through loader scripts written in JavaScript, batch files, and Visual Basic Script (VBS). “Attackers are disguising their communications as authentic business messages, including bank payment confirmations, purchase orders, and shipping status updates, to trick recipients into launching harmful files,” Splunk noted.

-
Expanded cryptocurrency sanctions
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on Nobitex, Iran’s leading cryptocurrency exchange, for enabling transactions connected to terrorist operations. “Nobitex has been a major supporter of the regime, handling over 50 percent of all cryptocurrency inflows into Iran during 2025 and enabling payments associated with Iran’s terrorist activities, sanctions evasion schemes, and transactions linked to the Islamic Revolutionary Guard Corps (IRGC), including operations tied to IRGC-affiliated ransomware groups,” the Treasury stated. The sanctions also target Nobitex’s chairman, co-founder, and former CEO, Amir Hossein Rad, along with additional Nobitex executives and officials, and three other exchanges: Wallex, Bitpin, and Ramzinex. Chainalysis data shows that Nobitex handled more than half of Iran’s cryptocurrency inflows in the previous year. The four exchanges collectively processed approximately $7.7 billion, representing 78% of Iran’s $9.9 billion in tracked 2025 crypto volume, according to TRM Labs.
-
Cybercrime forum fragmentation
The July 2025 law enforcement shutdown of XSS, a major Russian-speaking cybercrime forum, failed to dismantle the broader ecosystem. Instead, it splintered the community into rival factions that are far more difficult to monitor, according to Flashpoint. The takedown has driven users to migrate into unfamiliar communities, many of which are suspicious and openly hostile. Among the new forums that have emerged to take XSS’s place are DamageLib (founded by former XSS moderators), Rehub (established by another ex-XSS moderator), XSS.pro (a revival built from archived data and believed by some to be a law enforcement trap), and XSSF (created by a pro-Russian Telegram hacking collective).
-
Escalating RMM tool exploitation
A relatively obscure remote desktop tool named Tiflux is increasingly being weaponized by attackers to maintain long-term access, capture screenshots, and execute commands to gather system profiling data. “Attackers using compromised Tiflux instances have also deployed UltraVNC, an open-source remote access solution, sideloaded additional commercial remote management tools including Splashtop and ScreenConnect, and installed an outdated driver that could allow them to escalate their own privileges on a compromised machine,” Huntress reported. “Threat actors continue to experiment with and weaponize commercial remote management software.”
-
Malware distribution network
A threat actor group identified as DriveSurge has been conducting widespread malware distribution campaigns leveraging ClickFix and FakeUpdates (also known as SocGholish) social engineering techniques on hijacked websites. Thousands of websites are believed to have been compromised, silently redirecting visitors to malicious servers. DriveSurge primarily functions as an initial access broker (IAB)
-
Steam comments as WordPress malware infrastructure
A newly discovered malware strain is leveraging Steam Community profile comments to store harmful payloads targeting WordPress sites, effectively masking its malicious infrastructure behind Valve’s trusted platform. “The malware leverages invisible Unicode characters to hide payloads within Steam comments, employing steganographic encoding techniques that bypass conventional text-based security scanners,” GoDaddy reported. “A cookie-authenticated backdoor grants remote code execution capabilities, letting attackers alter plugin and theme files through base64-encoded PHP sent via POST requests.” The malware carries out two core operations: client-side JavaScript injection, which retrieves encoded URLs embedded in Steam comments, decodes them, and injects third-party scripts into WordPress pages; and a server-side backdoor offering cookie-authenticated remote access to modify PHP files in plugins and themes. The campaign was first spotted in July 2025 and has since been found on roughly 1,980 WordPress sites. The exact method of initial compromise remains unknown, though possibilities include stolen admin credentials, exposed FTP/SFTP access, exploitation of vulnerable themes or plugins, or a supply chain attack.
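The hiding technique described above, as an added example that is not part of the original report or GoDaddy’s tooling: an encoder that buries a payload in invisible Unicode code points, the density check a text scanner needs in order to notice it, and a decoder. The bit mapping (U+200B for 0, U+200C for 1), the sample comment and the URL are assumptions for illustration; the campaign’s actual encoding is not documented on this page.

```javascript
// Added example, not from the original article or GoDaddy. Hides a payload in
// invisible Unicode code points and shows the check a text scanner needs to
// notice it. Mapping (ZWSP = 0, ZWNJ = 1) and sample data are assumptions.

const ZWSP = '\u200B'; // zero width space: bit 0 (assumed mapping)
const ZWNJ = '\u200C'; // zero width non-joiner: bit 1 (assumed mapping)
// Code points that render as nothing and are commonly abused as carriers.
const INVISIBLE = /[\u200B-\u200D\u2060\uFEFF]/g;

// Embed `payload` into `cover` text, eight invisible characters per byte,
// inserted after the first word so the visible comment reads unchanged.
function embed(cover, payload) {
  const bytes = Buffer.from(payload, 'utf8');
  let hidden = '';
  for (const b of bytes) {
    for (let i = 7; i >= 0; i--) hidden += (b >> i) & 1 ? ZWNJ : ZWSP;
  }
  const cut = cover.indexOf(' ');
  return cut === -1 ? cover + hidden : cover.slice(0, cut) + hidden + cover.slice(cut);
}

// What a conventional text scanner sees: the visible text is clean.
function visibleText(text) {
  return text.replace(INVISIBLE, '');
}

// Detection: ordinary comments contain next to no invisible code points, so a
// raw count (or ratio) is a cheap, high-signal check before any decoding.
function countInvisible(text) {
  const m = text.match(INVISIBLE);
  return m ? m.length : 0;
}

function isSuspicious(text, threshold = 8) {
  return countInvisible(text) >= threshold;
}

// Recovery under the assumed mapping. Other invisible characters are ignored
// and a trailing partial byte is dropped.
function extract(text) {
  const bits = [];
  for (const ch of text) {
    if (ch === ZWSP) bits.push(0);
    else if (ch === ZWNJ) bits.push(1);
  }
  const bytes = [];
  for (let i = 0; i + 8 <= bits.length; i += 8) {
    let b = 0;
    for (let j = 0; j < 8; j++) b = (b << 1) | bits[i + j];
    bytes.push(b);
  }
  return Buffer.from(bytes).toString('utf8');
}

// Constructed sample: a harmless-looking profile comment carrying a made-up URL.
const HIDDEN_URL = 'https://example.invalid/x.js';
const COMMENT = embed('nice profile, gg last match', HIDDEN_URL);

console.log('visible:   ', JSON.stringify(visibleText(COMMENT)));
console.log('invisible: ', countInvisible(COMMENT), 'code points');
console.log('suspicious:', isSuspicious(COMMENT));
console.log('recovered: ', extract(COMMENT));
```

The detection half is the part worth lifting: any scanner that normalises text before matching on keywords will strip exactly the characters that carry the payload, so the count has to run on the raw string. A real decoder would also have to try other carrier sets and mappings, since the attacker picks them.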
-
Commercial C2 framework hiding behind RMM tools
Flare.io has published findings on FalkonC2, a commercial offensive security tool engineered to blend in with the legitimate remote access software that attackers are leveraging to infiltrate corporate networks. According to Flare.io, FalkonC2 offers an enterprise variant named Rotemelli2 that operates entirely in memory, rotates its command-and-control domains every three days, and uses tools like ScreenConnect, Datto, and SimpleHelp to carry out attacks stealthily. Dashboard telemetry analysis indicates active infections at enterprises across the United States, Australia, the Netherlands, and Poland. The framework also scans compromised machines for QuickBooks and Sage50 data, indicating that attackers are targeting accounting systems for rapid data theft.
-
AI vulnerability discovery outpaces remediation
Anthropic is expanding its Project Glasswing initiative, granting roughly 150 organizations across 15 countries access to its Claude Mythos Preview. The company noted that the main challenge in cybersecurity today is no longer finding vulnerabilities but verifying, disclosing, and patching the vast number of flaws that advanced AI models can uncover: the bottleneck has shifted from discovery to remediation. A joint report by the Cloud Security Alliance (CSA), the SANS Institute, and the Open Worldwide Application Security Project (OWASP) warned that organizations will likely struggle to keep up as threat actors use AI to discover and exploit weaknesses faster than defenders can fix them. The report highlighted that the cost and skill required to exploit vulnerabilities are falling, the window between disclosure and weaponization is shrinking toward zero, and capabilities once reserved for nation-states are now widely available.
-
Linux kernel cgroups flaw added to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux Kernel flaw (CVE-2022-0492, CVSS score: 7.8) to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies patch the issue by June 5, 2026. CISA explained that the Linux Kernel contains an improper authentication vulnerability that could enable privilege escalation through the cgroups v1 release_agent feature. This action follows Kaspersky’s observation of this flaw, alongside CVE-2019-5736 and CVE-2024-21626, being actively exploited in attacks targeting containerized environments.
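Added here as an illustration, not CISA’s or Kaspersky’s tooling and not exploit code: a container-side audit for the preconditions of the cgroups v1 release_agent escape. It parses constructed /proc/mounts and /proc/self/status samples so it runs offline. The `unprivilegedUserns` and `kernelPatched` inputs are assumptions supplied by the caller, standing in for a check of the host sysctls (user.max_user_namespaces, and kernel.unprivileged_userns_clone where the distribution has it) and of whether the running kernel carries the fix, which requires CAP_SYS_ADMIN in the initial user namespace to set release_agent.

```javascript
// Added example, not from CISA, Kaspersky or the article. Audits a container for
// the preconditions of the cgroups v1 release_agent escape (CVE-2022-0492):
// a v1 hierarchy mounted, plus either CAP_SYS_ADMIN or the ability to create a
// fresh user+mount namespace on a kernel without the fix. Sample inputs are
// constructed; on a real host read /proc/mounts and /proc/self/status instead.

const CAP_SYS_ADMIN = 21n; // bit index from include/uapi/linux/capability.h

// /proc/mounts: "<device> <mountpoint> <fstype> <options> <dump> <pass>"
function parseMounts(text) {
  return text.split('\n').filter((l) => l.trim()).map((line) => {
    const [device, mountpoint, fstype, opts] = line.trim().split(/\s+/);
    return { device, mountpoint, fstype, options: new Set(opts.split(',')) };
  });
}

// cgroups v1 hierarchies have fstype "cgroup"; the unified v2 tree is "cgroup2"
// and has no release_agent file at all.
function cgroupV1Hierarchies(mounts) {
  return mounts.filter((m) => m.fstype === 'cgroup');
}

// CapEff in /proc/self/status is a 64-bit hex mask of effective capabilities.
function effectiveCaps(statusText) {
  const m = /^CapEff:\s*([0-9a-fA-F]+)\s*$/m.exec(statusText);
  return m ? BigInt('0x' + m[1]) : 0n;
}

function hasCap(caps, bit) {
  return ((caps >> bit) & 1n) === 1n;
}

// env: { mounts, status, unprivilegedUserns: bool, kernelPatched: bool|null }
// kernelPatched=null means unknown. The fix makes release_agent writes require
// CAP_SYS_ADMIN in the initial user namespace; version strings alone are a poor
// indicator because of stable backports.
function assess(env) {
  const v1 = cgroupV1Hierarchies(parseMounts(env.mounts));
  const sysAdmin = hasCap(effectiveCaps(env.status), CAP_SYS_ADMIN);
  const findings = [];
  if (v1.length === 0) {
    findings.push('no cgroup v1 hierarchy mounted; release_agent not reachable');
    return { exploitable: false, findings };
  }
  findings.push(`cgroup v1 mounted: ${v1.map((m) => m.mountpoint).join(', ')}`);
  let exploitable = false;
  if (sysAdmin) {
    // With CAP_SYS_ADMIN the hierarchy can be remounted rw and release_agent
    // written regardless of the kernel fix.
    exploitable = true;
    findings.push('CAP_SYS_ADMIN in CapEff: release_agent writable after remount');
  } else if (env.unprivilegedUserns && env.kernelPatched === false) {
    // The CVE-2022-0492 path: unshare a user+mount namespace, mount cgroupfs,
    // write release_agent. Seccomp or an LSM blocking unshare/mount closes it.
    exploitable = true;
    findings.push('unprivileged user namespaces on an unpatched kernel: CVE-2022-0492 path open');
  } else if (env.unprivilegedUserns && env.kernelPatched === null) {
    findings.push('unprivileged user namespaces allowed; confirm the kernel has the CVE-2022-0492 fix');
  } else {
    findings.push('no write path to release_agent found');
  }
  return { exploitable, findings };
}

// Constructed samples.
const V1_MOUNTS = [
  'overlay / overlay rw,relatime 0 0',
  'cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0',
  'cgroup /sys/fs/cgroup/pids cgroup ro,nosuid,nodev,noexec,relatime,pids 0 0',
].join('\n');
const V2_MOUNTS = [
  'overlay / overlay rw,relatime 0 0',
  'cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0',
].join('\n');
const DEFAULT_CAPS_STATUS = 'Name:\tsh\nCapEff:\t00000000a80425fb\n'; // typical container default set
const ALL_CAPS_STATUS = 'Name:\tsh\nCapEff:\t000001ffffffffff\n';     // --privileged style

for (const [label, env] of [
  ['privileged, v1', { mounts: V1_MOUNTS, status: ALL_CAPS_STATUS, unprivilegedUserns: false, kernelPatched: true }],
  ['default caps, v1, unpatched', { mounts: V1_MOUNTS, status: DEFAULT_CAPS_STATUS, unprivilegedUserns: true, kernelPatched: false }],
  ['default caps, v2', { mounts: V2_MOUNTS, status: DEFAULT_CAPS_STATUS, unprivilegedUserns: true, kernelPatched: false }],
]) {
  const r = assess(env);
  console.log(`${label}: exploitable=${r.exploitable}\n  ${r.findings.join('\n  ')}`);
}
```

The hardening this points at is the same in each branch: move hosts to the unified cgroup v2 hierarchy, never hand containers CAP_SYS_ADMIN, keep a seccomp profile that denies unshare and mount, and patch the kernel; the audit only tells you which of those is missing.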
-
Fake image tools drop CastleLoader
A new ClickFix-style social engineering campaign, dubbed BackgroundFix, is using fake free image-editing tools to distribute CastleLoader, which in turn installs both NetSupport RAT and a custom .NET data-stealing tool called CastleStealer. Huntress noted that the sites mimic typical “remove your photo background” services, complete with upload interfaces, progress bars, and download buttons, but the entire interface is fraudulent. CastleLoader is linked to a threat group tracked as GrayBravo.
-
Device-bound session credentials in Chrome
Google has announced that Device Bound Session Credentials (DBSC) in the Chrome browser is now generally available and turned on by default for Google Workspace users. Google explained that DBSC enhances account security post-login by binding a session cookie (small files websites use to store user information) to the specific device used for authentication. Even if a user’s device is infected with malware, DBSC significantly lowers the risk of session theft and makes it considerably harder for attackers to misuse stolen session cookies. The feature was officially rolled out in April 2026.
-
LinkedIn phishing via Adobe infrastructure
Cybercriminals are abusing Adobe’s infrastructure in a LinkedIn phishing campaign that steals passwords and then drops victims on the legitimate LinkedIn website. When a recipient opens the HTML attachment in the email, a login form appears prompting them to enter their credentials. The form submits the entered data to the domain “lnkd.tt.omtrdc[.]net/rest/v1/delivery” before forwarding the user to the real LinkedIn site. Malwarebytes identified the domain as belonging to Adobe and associated with the Adobe Target A/B testing platform. The attackers are not using Adobe Target to collect the stolen credentials, however; they are misusing it as a redirect hop within the phishing flow.
-
RubyGems cooldown for fresh releases
RubyGems has introduced a cooldown mechanism, a time-based filter, in Bundler version 4.0.13 that prevents resolving to a package version until it has been publicly available for a minimum number of days. Hiroshi Shibata, a RubyGems maintainer, explained that newly released packages that have not had time to be reviewed are skipped in favor of older versions that have passed the waiting period. The feature is optional and works alongside existing protections such as mandatory two-factor authentication and trusted publishing. Developers can set a cooldown period for sources in their Gemfile. These efforts complement other initiatives, such as AI-powered vulnerability scanning of the registry’s most critical packages.
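The resolution rule a cooldown enforces, as an added example that is not Bundler’s own code: among the versions that satisfy a requirement, take the newest one that has been public for at least the configured number of days and skip anything younger. The release history, the dates and the simplified requirement syntax (a pessimistic “~>” operator, “>=”, or “*”) are constructed for illustration.

```javascript
// Added example, not Bundler's code: the resolution rule a cooldown enforces.
// Among the versions that satisfy a requirement, take the newest one that has
// been public for at least `cooldownDays`; anything younger is skipped. Release
// data, dates and the requirement shape are constructed for illustration.

function parseVersion(v) {
  return v.split('.').map(Number);
}

// Numeric segment-wise comparison (enough for x.y.z release versions).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Requirement: "~> 1.4" (pessimistic: >= 1.4, < 2), "~> 1.4.1" (>= 1.4.1, < 1.5),
// ">= x", or "*" for any version.
function satisfies(version, requirement) {
  if (requirement === '*') return true;
  const [op, target] = requirement.split(/\s+/);
  if (op === '>=') return compareVersions(version, target) >= 0;
  if (op === '~>') {
    const t = parseVersion(target);
    if (t.length < 2) return compareVersions(version, target) >= 0;
    const upper = t.slice(0, -1);       // drop last segment, bump the one before it
    upper[upper.length - 1] += 1;
    return compareVersions(version, target) >= 0 && compareVersions(version, upper.join('.')) < 0;
  }
  throw new Error(`unsupported requirement: ${requirement}`);
}

function ageInDays(publishedAt, nowMs) {
  return (nowMs - Date.parse(publishedAt)) / 86400000;
}

// Returns { chosen, skipped }: `skipped` lists matching versions still inside the
// cooldown window, newest first. If nothing has aged past it, resolution fails
// here rather than silently falling back to a fresh release.
function resolveWithCooldown(releases, requirement, nowMs, cooldownDays) {
  const candidates = releases
    .filter((r) => satisfies(r.version, requirement))
    .sort((a, b) => compareVersions(b.version, a.version)); // newest first
  const skipped = [];
  for (const r of candidates) {
    if (ageInDays(r.publishedAt, nowMs) >= cooldownDays) return { chosen: r.version, skipped };
    skipped.push(r.version);
  }
  return { chosen: null, skipped };
}

// Constructed version history: 1.4.1 and 1.5.0 are only days old when we resolve.
const RELEASES = [
  { version: '1.3.2', publishedAt: '2026-03-10T00:00:00Z' },
  { version: '1.4.0', publishedAt: '2026-05-01T00:00:00Z' },
  { version: '1.4.1', publishedAt: '2026-05-20T00:00:00Z' },
  { version: '1.5.0', publishedAt: '2026-05-22T00:00:00Z' },
];
const NOW = Date.parse('2026-05-23T00:00:00Z');

console.log('no cooldown :', resolveWithCooldown(RELEASES, '~> 1.4', NOW, 0));
console.log('7-day window:', resolveWithCooldown(RELEASES, '~> 1.4', NOW, 7));
console.log('30-day      :', resolveWithCooldown(RELEASES, '~> 1.4', NOW, 30));
```

The trade-off a practitioner should keep in mind: the same window that keeps a freshly hijacked release out of a build also delays a legitimate security fix by the same number of days, so a cooldown needs a documented way to pull a specific fixed version when an advisory lands.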
-
Iran-aligned activity against Israeli targets
ESET reported an unusual increase in Iran-aligned cyber activity against Israeli targets between October 2025 and March 2026 that could not be attributed to any previously known group. The Slovak cybersecurity firm identified two previously undocumented activity clusters, Rusty Boots and MoKhargosh, which demonstrated both espionage and destructive capabilities, including the use of a bootkit-style wiper and the retention of destructive tools for future use. A third cluster, MOØN Badr, appeared to focus solely on targeted espionage. MoKhargosh, first detected in January 2026, used Go-compiled binaries in its attacks on Israel, including a backdoor named GoKhargosh, wipers, filecoders that overwrite files with random data, and a master boot record wiper designed to make systems unbootable. MOØN Badr, meanwhile, targeted three unidentified victims in Israel in early January 2026, delivering the MOØN AGENT backdoor through phishing emails to enable command execution and file transfers.
-
Automatic tank gauge advisory
The U.S. government has released an advisory urging organizations to protect U.S.-based automatic tank gauge (ATG) systems by securing them with strong passwords and disconnecting them from the internet to minimize public exposure. The unattributed campaign involves attackers compromising internet-facing ATG systems using hard-coded credentials, command execution, and SQL injection techniques, then escalating privileges to gain full administrator access and altering system operations. “If a threat actor successfully exploits these vulnerabilities and takes control of an ATG system, they could disrupt or manipulate the below critical functions by interfacing directly with the tank management as though they possessed legitimate physical access to the system console,” the agencies said. In practice that means manipulating fuel levels, disrupting operations, or causing physical damage.
-
Spoofed-call detection on Android
Google is rolling out a new feature to detect spoofed calls on Android devices using Rich Communication Services (RCS). It confirms whether an incoming call genuinely originates from the physical Android device of the contact it claims to be. Once rolled out, it is on by default and immediately alerts the recipient if a caller is not who they claim to be. The mechanism sends an encrypted confirmation from the caller’s device for verification. If that signal is missing, indicating a potential scam, the recipient’s phone pings the alleged caller’s actual device; if that contact denies making the call, an on-screen warning tells the user to hang up. The feature requires the Phone by Google, Contacts, and Google Messages apps. It is being released globally this month, initially for Pixel devices, and works on Android 12 and newer.
-
Autonomous AI systems as an insider risk
A recent study examined thousands of public reports on AI incidents and verified 344 cases of autonomous AI systems causing organizational harm between September 2023 and May 2026. More than half of them (188) involved direct AI-driven damage to businesses with no external attacker involved. The consequences included database deletions, unauthorized payments, and major disruptions to cloud services. The researchers warned that as AI agents gain more access to sensitive corporate environments, they are effectively creating a new layer of risk for businesses to manage: how these autonomous systems interact with other software is now a critical part of an organization’s overall security posture.