Just when you believe the cybersecurity world has finally kicked its habit of sloppy, reckless practices, someone comes along with a brand-new operation loaded with suspicious software loaders, counterfeit installers, tired social-engineering tricks, and infrastructure so openly exposed you’d swear production environments are treated as public playgrounds — and right on cue, another researcher casually reveals a method that transforms a seemingly trivial initial foothold into a full-blown account takeover, because clearly a six-digit code and naive trust were the only barriers standing between your sensitive data and total compromise. Fantastic. Really loving the direction this is headed.
Then you’ve got the tangled supply chain situation… legitimately signed software binaries, corrupted updates, trusted tools commandeered as though it were still 2017, plus a handful of reports this week that read less like sophisticated hacking campaigns and more like amateur attackers stumbling onto easy pickings dressed up with corporate logos. What’s genuinely surprising isn’t that these tricks still succeed — it’s that pulling them off remains shockingly straightforward.
Anyway. Caffeine up. Let’s dive in.
-
Massive C2 infrastructure across the Middle East
Hunt.io reported that it uncovered more than 1,350 command-and-control (C2) servers spread across 98 infrastructure providers in the Middle East over a three-month window from February 1 through May 1, 2026. According to the findings, C2 infrastructure accounted for the overwhelming majority of malicious activity (roughly 96.8%), dwarfing phishing setups (approximately 0.5%) and publicly shared indicators of compromise (about 0.5%), with malicious open directories making up the remaining ~2.2%. Saudi Arabia’s STC (Saudi Telecom Company) alone was hosting 981 of those C2 servers — a staggering 72.4% of the entire regional count. IoT-driven botnets including Hajime, Mozi, and Mirai, combined with offensive toolkits such as Tactical RMM, Cobalt Strike, and Sliver, made up the most prevalent malware families running on Middle Eastern infrastructure.
-
Privilege escalation bug found in Azure Backup for AKS
Microsoft reportedly patched — without public acknowledgment — a privilege escalation vulnerability in Azure Backup for AKS. According to security researcher Justin O’Leary, an attacker assigned only the “Backup Contributor” Azure role, which carries zero Kubernetes permissions, could leverage this flaw to attain full cluster-admin access on any AKS cluster. The vulnerability, which has not been assigned a CVE, carries a CVSS score of 9.9 out of 10. Although Microsoft initially dismissed the finding as “AI-generated content,” it appears the issue has since been quietly fixed, with additional validation controls added that were not present as recently as March 2026.
-
Romanian cybercriminal sentenced to prison
A 46-year-old Romanian man convicted of hacking into an Oregon state government office in 2021 and carrying out additional cyberattacks throughout the United States has been sentenced to 56 months behind bars. Catalin Dragomir pleaded guilty in February to charges of aggravated identity theft and unlawfully obtaining information from a protected computer. He was apprehended in Romania in November 2024 and extradited to the U.S. in January 2025 to stand trial. According to the Justice Department, Dragomir “sold access to a computer connected to an Oregon state government network after breaching that machine in June 2021.” During the transaction, he provided the prospective buyer with samples of stolen personal identification data from the compromised system. He also marketed access to networks belonging to a wide range of other U.S. victims, inflicting combined losses of at least $250,000.
-
DAEMON Tools supply chain attack added to KEV catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed the DAEMON Tools supply chain attack into its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies deploy the required patches no later than May 30, 2026. The incident is tracked as CVE-2026-8398 with a CVSS v4 score of 9.3. As described in the CVE entry, attackers breached the vendor’s (AVB Disc Soft) build or distribution environment and inserted malicious code into three files: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Each of these binaries was signed with AVB Disc Soft’s authentic code-signing certificate, enabling the tampered installers to look fully legitimate and evade signature-based security controls.
-
Apple open-sources post-quantum cryptography code
Apple has released its post-quantum cryptography (PQC) implementations built into corecrypto, featuring quantum-resistant ML-KEM and ML-DSA algorithms. Alongside the code, Apple also published mathematical verification tools it developed internally to confirm compliance with FIPS 203 and FIPS 204 standards, making the results available for independent expert review. Apple noted that corecrypto runs continuously across its product ecosystem, handling encryption, decryption, hashing, random number generation, and digital signatures on more than 2.5 billion active devices. Because a serious bug in corecrypto could undermine the security of every application and feature relying on it, the company said it exercises extreme caution when introducing new code to the library and goes to great lengths to ensure thorough and comprehensive testing.
-
Silent Ransom Group ramps up attacks on law firms
The U.S. Federal Bureau of Investigation (FBI) has issued an alert stating that a threat group tracked as the Silent Ransom Group (SRG) — also referred to as Luna Moth, Chatty Spider, and UNC3753 — has intensified its focus on law firms through social-engineering campaigns that have been active since spring 2026. Law firms represent especially lucrative targets because of the volume of confidential client data they store. The FBI explained that SRG operators use phone calls and phishing emails to impersonate IT support staff, gaining initial access to victim machines and siphoning off data, typically by leveraging legitimate remote-access software or by dispatching someone physically to the target company’s offices to interact directly with workstations. While SRG has gone after organizations spanning the insurance, financial, and healthcare sectors, the group has maintained a consistent focus on U.S.-based law firms since spring 2023. During in-person visits, attackers tell the target that they need to take a forensic image of the device or create a backup file in response to the phishing incident. Once inside, they rapidly escalate their privileges and pivot to exfiltrating data — all without resorting to encryption or ransomware.
According to the FBI, SRG threat actors dispatch individuals directly to a target’s location to carry out the breach and siphon data onto an external storage device, such as a USB drive, plugged into the victim’s own machine.
Attackers distribute fake installers pretending to be well-known applications like ChatGPT, Claude, ZENOLOGY, Ableton Live, AutoTune, and Kontakt through GitHub and SourceForge. These bogus downloads secretly install a Deno-based backdoor called DinDoor (also known as Tsundere). “Compromised YouTube channels are being used to share links to these files,” noted Malwarebytes. Once executed, DinDoor can drop various other malicious payloads, including a stealthy remote access Trojan (RAT) leveraging the Deno JavaScript runtime.
The U.K. government has imposed sanctions on several cryptocurrency exchanges, including HTX (formerly Huobi Global), and the A7 network, which Russia reportedly uses to bypass current financial restrictions. HTX handles a massive volume of trades, reaching $3.3 trillion in 2025 alone. Reportedly, these entities provided services to the already-sanctioned Garantex exchange and the A7 payment system. Research shows that Huobi has moved over $4.9 billion in direct on-chain transactions to sanctioned groups since 2021. Additional targets of the sanctions include Bitpapa and Rapira Group, which has processed $375.6 million to Grinex.io, a successor to Garantex.
Anthropic has introduced two updates to bolster security for its Claude AI: a self-hosted sandbox for Managed Agents and a new code-level security review tool. The security plugin automatically scans code for weaknesses like injection flaws and unsafe scripting while the developer makes changes. This helps catch bugs early before human review is needed. According to Red Hat, the sandbox setup keeps any action execution securely on the user’s own servers while the AI handles the planning.
Cyberattacks against organizations in the DACH region rose 124% in 2025, with most incidents linked to hacktivism or ransomware. Over 60% of hacktivist actions involved defacing websites to push political agendas, attributed to groups like NoName057(16), Mr Hamza, and Dark Storm Team. Ransomware activity was largely dominated by actors using Akira, Qilin, and Safepay strains. Germany bore the brunt of these incidents at 80%, followed by Switzerland and Austria, and accounted for 18% of all attacks recorded across the entire European region.
Cybercriminals are riding the wave of enthusiasm for the FIFA World Cup 2026 to launch mass-scale fraud campaigns. Researchers have flagged over 55 malvertising campaigns focused on football, promoting fake e-commerce sites, fraudulent betting apps, and fake sweepstakes. Users in the U.K., Spain, Brazil, and Germany are among the most targeted. Scammers have flooded the internet with counterfeit merchandise shops and copied FIFA websites to harvest payments and personal details. One specific campaign, “GHOST STADIUM,” uses hundreds of domains accessible in 11 languages to trick users into entering credentials through a perfect imitation of FIFA’s login process, with much of the traffic being driven by Facebook advertisements.
A network of 126 Chrome extensions identified as WaSteal has been discovered posing as legitimate WhatsApp CRM tools. The extensions, which affected nearly 148,000 users, secretly siphon off personal data, voicemails, and tracking cookies to remote servers managed by the attackers. The primary operator, wascript.com.br, runs a white-label platform, with its largest tool, WaSeller, boasting around 100,000 installs. This particular tool contains a built-in GTM container that allows the attacker to run arbitrary code remotely without pushing an update that would require a new security review from Google.
GhostTree is a newly discovered
Any similarity between these attack names and the many foods used to name APT groups from China/Russia/North Korea such as Mustard, APT28, APT46, Broccoli, GingerBread, Capsicum, or Nautilus is purely coincidental.
0-day vulnerabilities
- On December 4, 2025, Vanbray disclosed a collection of authentication bypass and session management flaws affecting 13 vendors, including BeyondTrust, CyberArk, HashiCorp, Netskope, Palo Alto Networks, SonicWall, and Thycotic.
0-day attacks
- GhostHook exploits Windows global hooks to inject a malicious payload into newly launched processes. Because execution occurs at the kernel level, traditional endpoint monitoring tools are unable to detect or interrupt the malicious activity.
- Attackers leverage NTFS junctions to create endless file path loops, causing endpoint security products to stall indefinitely and leaving malicious files completely unscanned. “Our investigation revealed that by configuring a junction to reference its own parent directory, an adversary can trigger recursive loops that produce effectively infinite file paths,” Varonis explained. “With only two lines of code, an attacker can generate an unlimited number of valid paths, rendering it impossible to complete recursive directory scans using the dir command. The same applies to EDR products scanning folders for threats. An adversary places malware within the parent directory, sets up the GhostTree structure, and the containing folder becomes practically impossible to scan. The scan freezes. The malicious files go entirely unexamined.”
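The defensive counterpart to the loop Varonis describes is a walker that identifies directories by what they resolve to rather than by the path string used to reach them. The following Python example is added here and is not Varonis's code or anything from the page: it records the real identity of every directory (device and inode, or the resolved path where inodes are unavailable) before descending, refuses to re-enter one it has already seen, and caps depth as a second guard. The demo builds the self-referencing layout in a temporary directory using a symlink as a POSIX stand-in for the NTFS junction (an assumption about the verifier's platform; `os.stat` also follows junction reparse points on Windows, so the same identity check should apply there).

```python
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class ScanResult:
    files: list = field(default_factory=list)   # regular files seen
    loops: list = field(default_factory=list)   # links/junctions back into a visited directory
    depth_cutoffs: int = 0                      # subtrees abandoned by the depth guard


def dir_identity(path):
    """Identity of the directory a path ultimately refers to.

    os.stat follows symlinks (and, on Windows, junction reparse points), so two
    paths that reach the same directory share (st_dev, st_ino). Fall back to the
    resolved path on filesystems that report no inode numbers.
    """
    st = os.stat(path)
    if st.st_ino:
        return (st.st_dev, st.st_ino)
    return os.path.realpath(path)


def scan_tree(root, max_depth=64):
    """Walk root recursively without being trapped by self-referencing links.

    A naive walker that re-enters directories through a link to an ancestor
    generates an unbounded sequence of distinct path strings and never finishes.
    Here each directory is entered at most once by identity, and the depth guard
    bounds the walk even if identity tracking fails (e.g. inode reuse).
    """
    result = ScanResult()
    visited = {dir_identity(root)}
    stack = [(root, 0)]
    while stack:
        current, depth = stack.pop()
        if depth > max_depth:
            result.depth_cutoffs += 1
            continue
        with os.scandir(current) as entries:
            for entry in entries:
                if entry.is_dir(follow_symlinks=True):
                    ident = dir_identity(entry.path)
                    if ident in visited:
                        # Loop back into an already-visited directory: record it, do not descend.
                        result.loops.append(entry.path)
                        continue
                    visited.add(ident)
                    stack.append((entry.path, depth + 1))
                else:
                    result.files.append(entry.path)
    return result


def build_demo_tree(base):
    """Constructed layout mirroring the described trick: parent/ holds files and
    parent/loop points back at parent. A symlink stands in for the NTFS junction."""
    parent = os.path.join(base, "parent")
    os.makedirs(os.path.join(parent, "docs"))
    with open(os.path.join(parent, "sample.txt"), "w") as fh:
        fh.write("constructed sample, not malware\n")
    with open(os.path.join(parent, "docs", "readme.txt"), "w") as fh:
        fh.write("second constructed file\n")
    os.symlink(parent, os.path.join(parent, "loop"), target_is_directory=True)
    return parent


def demo():
    """Scan the constructed tree; returns (files found, loops detected, depth cutoffs)."""
    with tempfile.TemporaryDirectory() as base:
        res = scan_tree(build_demo_tree(base))
        return len(res.files), len(res.loops), res.depth_cutoffs


if __name__ == "__main__":
    print("files, loops, depth_cutoffs =", demo())
```

Both files in the constructed tree are reached exactly once and the loop entry is reported rather than followed, which is the property a scanner needs: the loop becomes an alert (a junction pointing at its own ancestor is itself suspicious) instead of a hang that leaves the folder unexamined.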
A newly emerged Phishing-as-a-Service (PhaaS) platform named Kali365, first detected in April 2026, has been actively targeting Microsoft 365 environments. According to the FBI, “Kali365 has been primarily distributed through Telegram, allowing malicious actors to steal Microsoft 365 access tokens and circumvent multi-factor authentication (MFA) without needing to intercept the user’s actual credentials. By subscribing to the Kali365 platform, adversaries can capture OAuth tokens and maintain persistent access to targeted users’ or organizations’ Microsoft 365 environments.” Similar to other PhaaS offerings, Kali365 lowers the barrier to entry for cybercrime, giving less experienced attackers access to AI-generated phishing lures, automated campaign templates, real-time target tracking dashboards, and OAuth token theft tools. Subscriptions are priced from $250 for 30 days up to $2,000 for a full year. In a report from last month, Arctic Wolf documented a device code phishing campaign leveraging Kali365 for initial access and subsequent malicious activity. “The campaign employed highly convincing lures directing victims to Microsoft’s legitimate device login page, where users unknowingly approved sessions initiated by threat actors,” the company reported. “Stolen OAuth access and refresh tokens granted immediate mailbox access and enabled post-compromise operations. In certain instances, attackers created malicious inbox rules to hide security alerts, extending their dwell time and reducing the victim’s awareness.” Barracuda Networks and Proofpoint have both flagged a surge in device code phishing campaigns over recent months. Barracuda reported detecting over 7 million device code attacks during March and April 2026. “This spike in device code phishing is a natural evolution of credential theft, as more users become aware of MFA bypass methods, forcing criminals to adopt more creative approaches,” Proofpoint observed.
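Two of the behaviours described above leave distinct traces a defender can query: the device code flow is recorded as its own authentication protocol in Entra ID sign-in logs, and inbox rules created to hide security alerts appear in the Exchange audit log. The following Python example is added here and is not from the page, the FBI, Arctic Wolf or any vendor quoted; it runs both checks over constructed sample events. The field names are assumptions based on the Entra ID sign-in log (Microsoft Graph signIn resource: `authenticationProtocol`, `location.countryOrRegion`, `status.errorCode`) and the Exchange unified audit log (`Operation`, `Parameters` as Name/Value pairs), and the keyword and folder lists are illustrative choices.

```python
"""Detection helpers for device code phishing follow-on activity (constructed data)."""

# Constructed sign-in events. Entra ID records the OAuth grant used in
# authenticationProtocol; "deviceCode" is the device authorization flow the
# campaigns above abuse, "none" here stands for an ordinary browser sign-in.
SIGNIN_LOGS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.78",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50199}},  # failed attempt
]

# Constructed baseline: countries each user normally signs in from (e.g. last 30 days).
BASELINE_COUNTRIES = {
    "alice@example.com": {"US"}, "bob@example.com": {"US"}, "carol@example.com": {"US"},
}

# Constructed Exchange audit events. The unified audit log records cmdlet
# arguments as a list of {"Name": ..., "Value": ...} pairs in Parameters.
AUDIT_LOGS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "From", "Value": "news@vendor.example"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "security alert;unusual sign-in;new device"},
        {"Name": "DeleteMessage", "Value": "True"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "bob@example.com", "Parameters": []},
]

# Illustrative keyword and folder lists (assumptions, tune to the tenant).
SECURITY_KEYWORDS = ("security alert", "unusual sign-in", "suspicious", "password",
                     "mfa", "phish", "helpdesk", "new device")
HIDE_FOLDERS = ("deleted items", "rss subscriptions", "rss feeds", "junk email",
                "archive", "conversation history")
TEXT_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
               "SubjectOrBodyContainsWords", "From")


def flag_device_code_signins(events, baseline_countries):
    """Return one alert per successful device code sign-in.

    Every successful deviceCode grant is worth a look because most users never
    need the flow; one from a country outside the user's baseline is rated high.
    """
    alerts = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        if e.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-ins are noise for this rule
        user = e["userPrincipalName"]
        country = e.get("location", {}).get("countryOrRegion")
        severity = "high" if country not in baseline_countries.get(user, set()) else "medium"
        alerts.append({"user": user, "app": e.get("appDisplayName"),
                       "ip": e.get("ipAddress"), "country": country, "severity": severity})
    return alerts


def _params(event):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def flag_suspicious_inbox_rules(events):
    """Flag inbox rules that match security-alert wording and hide the message.

    A rule that deletes, marks read, or files away mail about sign-ins, MFA or
    passwords is the pattern used to extend dwell time after token theft.
    """
    alerts = []
    for e in events:
        if e.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(e)
        text = " ".join(p.get(k, "") for k in TEXT_FIELDS).lower()
        folder = p.get("MoveToFolder", "").lower()
        reasons = []
        if any(k in text for k in SECURITY_KEYWORDS):
            reasons.append("matches security-alert wording")
        if p.get("DeleteMessage") == "True" or p.get("MarkAsRead") == "True" \
                or any(f in folder for f in HIDE_FOLDERS):
            reasons.append("hides matched mail")
        if not p.get("Name", "").strip(". "):
            reasons.append("non-descriptive rule name")
        if len(reasons) >= 2 and "hides matched mail" in reasons:
            alerts.append({"user": e.get("UserId"), "rule_name": p.get("Name"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in flag_device_code_signins(SIGNIN_LOGS, BASELINE_COUNTRIES):
        print("device code sign-in:", a)
    for a in flag_suspicious_inbox_rules(AUDIT_LOGS):
        print("suspicious inbox rule:", a)
```

On the constructed data this yields two device code alerts (alice's from her usual country at medium, bob's from an unfamiliar one at high) and one inbox-rule alert for bob's nameless rule that deletes anything mentioning security alerts. The same logic translates directly to a KQL query over SigninLogs filtered on the deviceCode protocol; as a preventive control, Conditional Access can block the device code flow outright for users who have no legitimate need for it.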
PhishU has outlined a technique called Vaultjacking, which demonstrates how an adversary-in-the-middle (AitM) phishing page capturing a victim’s 6-digit Google Password Manager (GPM) PIN can unlock and decrypt their entire synced credential vault. “A single PIN provides access to Google’s Security Domain Secret, which decrypts every synced password and passkey stored in that account – not just individual credentials, but the entire vault,” said Curtis Brazzell, PhishU researcher and CEO. After the AitM page steals the user’s session cookies and GPM PIN, an attacker can register a passkey on the victim’s Google account for persistence and then unlock the entire synced credential vault from their own infrastructure.
A tampered MSI installer for RVTools has been used to distribute a modular Python-based remote access trojan (RAT) through a VBScript loader. The malware features a reconnaissance module that profiles the compromised host and maps Active Directory, along with a persistent command-and-control (C2) agent that encrypts stolen data and awaits operator instructions. “A key factor in this campaign’s effectiveness was the use of a legitimately issued Sectigo code-signing certificate, registered under what appears to be a front company – Xiamen Lunwei Huage Network Co.(Sectigo), Ltd,” K7 Labs stated. “At the time of delivery, the certificate was fully valid, meaning Windows SmartScreen and most endpoint security solutions raised no alerts. It has since been revoked, though revocation provides limited protection to environments that do not enforce real-time OCSP or CRL checks at the moment of execution.”
None of these methods required advanced technical skill. That’s the uncomfortable truth most people overlook. The majority of breaches still stem from trust exploitation, outdated configurations, careless access management, or users falling for social engineering tactics from someone who merely sounds moderately convincing on a phone call.
Patch more aggressively. Audit relentlessly. Stop assuming that digitally signed software, MFA prompts, or “internal-use-only” tools automatically guarantee safety. Attackers have already discovered the easy shortcuts. Perhaps it’s time defenders stop pretending those vulnerabilities don’t exist.