The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this week.
Things are moving fast. The list includes researchers chaining small bugs together to create big backdoors, old software flaws coming back to haunt us, and some very clever new tricks that let attackers bypass security logs entirely without leaving a trace. We are also seeing sketchier traffic on the underground and the usual supply chain mess, where one bad piece of code threatens thousands of apps.
It is definitely worth a quick scan before you log off for the day, if only to make sure none of this is sitting in your own network. Let's get into it.
-
Pre-auth RCE chain uncovered
watchTowr Labs has disclosed two security flaws in Progress ShareFile (CVE-2026-2699 and CVE-2026-2701) that could be chained to achieve pre-authenticated remote code execution. While CVE-2026-2699 is an authentication bypass via the "/ConfigService/Admin.aspx" endpoint, CVE-2026-2701 is a post-authenticated remote code execution flaw. An attacker could combine the two vulnerabilities to sidestep authentication and upload web shells. Progress released fixes for the vulnerabilities with Storage Zone Controller 5.12.4, released on March 10, 2026. There are about 30,000 internet-facing instances, making patching against the flaws essential.

-
Rootkit spreads via 50+ apps
A new Android malware named NoVoice has been distributed via more than 50 apps that were downloaded at least 2.3 million times. While the apps masqueraded as utilities, photo galleries, and games, and provided the advertised functionality, the malware attempted to obtain root access on the device by exploiting 22 Android vulnerabilities that received patches between 2016 and 2021. "If the exploits succeed, the malware gains full control of the device," McAfee Labs said. "From that moment onward, every app that the user opens is injected with attacker-controlled code. This allows the operators to access any app data and exfiltrate it to their servers." The malware avoids infecting devices in certain regions, like Beijing and Shenzhen in China, and implements more than a dozen checks for emulators, debuggers, and VPNs. It then contacts a remote server to send device information and fetch appropriate exploits to gain root access and disable SELinux. Upon gaining elevated access, the rootkit modifies system libraries to facilitate the execution of malicious code when specific apps are opened, install arbitrary apps, and enable persistence. NoVoice has been found to share some degree of overlap with Triada. One of the targeted apps is WhatsApp, which enabled the malware to harvest data from the app as soon as it was launched. Google has since removed the apps. The highest concentration of infections has been reported in Nigeria, Ethiopia, Algeria, India, and Kenya.
-
FBI flags foreign app risks
The U.S. Federal Bureau of Investigation (FBI) is warning of the data security risks associated with foreign-developed mobile applications. "As of early 2026, many of the most downloaded and top-grossing apps in the United States are developed and maintained by foreign companies, particularly those based in China," the FBI said. "The apps that maintain digital infrastructure in China are subject to China's extensive national security laws, enabling the Chinese government to potentially access mobile app users' data." The bureau also warned that these apps could harvest contact information under the pretext of inviting friends to use them, store personal data on Chinese servers, or contain malware that could collect data beyond what is permitted by the user. "This could include malicious code and hard-to-remove malware designed to exploit known vulnerabilities in various operating systems and insert a backdoor for escalated privileges, such as enabling the download and execution of additional malicious packages designed to provide unauthorized access to users' data," it added. The FBI did not name the apps, but TikTok, Shein, Temu, and DeepSeek fit the profile.
-
New bureau targets cyber threats
The U.S. State Department has formally launched the Bureau of Emerging Threats, a new unit tasked with defending U.S. national security against cyber attacks on critical infrastructure, threats in the space domain, and misuse of artificial intelligence (AI) and other advanced technology risks from Iran, China, Russia, and North Korea.
-
Cybercrime kingpin extradited
Li Xiong, the former chairman of a Cambodian financial conglomerate, HuiOne, has been extradited to China. He has been accused of running gambling dens, fraud, illegal business operations, and money laundering. According to Xinhua, Li is alleged to be a key member of the transnational cybercrime syndicate masterminded by Chen Zhi, the chairman of Prince Group, who was extradited to China in January 2026 and has been indicted by the U.S. for running large-scale, forced-labor "pig butchering" scam compounds in Southeast Asia. In May 2025, the U.S. Treasury's Financial Crimes Enforcement Network labeled Huione Group "a financial institution of primary money laundering concern."
-
Gmail username change arrives
Google said it is rolling out the ability to change a username to Google Account users in the U.S. "Your previous Google Account email ending in gmail.com will become an alternate email address," Google said in a help document. "You'll receive emails to both your old and new addresses. The data saved in your account won't be affected. This includes things like photos, messages, and emails sent to your previous email address." While users can switch back to their previous email address at any time, it isn't possible to create a new Google Account email ending in gmail.com for the next 12 months. The new email address can't be deleted either.
-
Court halts AI risk label
A U.S. federal judge has temporarily blocked the Trump administration's designation of Anthropic as a supply chain risk. The AI company had argued that the designation was causing immediate and irreparable harm. "Nothing in the governing statute supports the Orwellian notion that an American company may be branded a potential adversary and saboteur of the U.S. for expressing disagreement with the government," District Judge Rita Lin wrote in the ruling.
-
Phishing apps target mobile users
Cybercriminals have set their sights on Android users through a new phishing scheme that disguises malicious applications as beta-testing opportunities for ChatGPT and Meta advertising tools. In these attacks, what appears to be an invitation to advertising apps turns out to be a carefully planned attempt to steal Facebook credentials and hijack control of user accounts. "These messages push malicious apps delivered through 'firebase-noreply@google.com' via Firebase App Distribution, a legitimate Google service for distributing pre-release apps to testers," LevelBlue said. "Once installed, these apps request Facebook credentials, leading to phishing and account takeover." A similar campaign has leveraged phishing emails impersonating ChatGPT and Gemini to push users into downloading malicious iOS apps from the Apple App Store. "Disguised as business or ad management tools, these apps prompt for Facebook credentials, leading to credential harvesting," the company added.
-
Drive adds ransomware protection
Google has made ransomware detection and file restoration in Drive generally available after launching the feature in beta in September 2025 to help organizations minimize the impact of malware attacks on personal computers. Ransomware detection pauses file syncing, and file restoration allows users to bulk restore their files to a previous version in Drive. "Compared to when the feature was in beta, we are now able to detect even more types of ransomware encryption and are able to do it faster," Google said. "Our latest AI model is detecting 14x more infections, leading to even more comprehensive protection."
-
GhostSocks activity intensifies
Cybersecurity company Darktrace said it has observed a steady increase in GhostSocks activity across its customer base since late 2025. "In one notable case from December 2025, Darktrace detected GhostSocks operating alongside Lumma Stealer, reinforcing that the partnership between Lumma and GhostSocks remains active despite recent attempts to disrupt Lumma's infrastructure," it said. Initially advertised on the Russian underground forum xss[.]is as a malware-as-a-service (MaaS), GhostSocks enables threat actors to turn compromised devices into residential proxies, leveraging the victim's internet bandwidth to route malicious traffic through them. It uses the SOCKS5 proxy protocol, creating a SOCKS5 connection on infected devices. It began to be widely adopted following its partnership with Lumma Stealer in 2024.
-
Open-source malware spikes 14x
The number of malware advisories across open-source ecosystems has increased 13.6x since January 2024, as threat actors take control of trusted packages to poison the software supply chain. "Of the 1,011 npm ATO [Account takeover] advisories recorded in the OSV database over all time, 930 were filed in 2025, a roughly 12x year-over-year increase representing 92% of all ATOs reported on npm," Endor Labs said. Among the 2025 npm ATO cases, 38.4% of affected packages had more than 1,000 monthly downloads, 18.5% exceeded 10,000, and 11.1% had more than 100,000. Attackers are deliberately targeting packages that are deeply embedded in production systems and automated CI/CD pipelines, maximizing the blast radius of each compromise.
-
XLoader boosts stealth techniques
An updated version of the XLoader information-stealing malware (version 8.7) has been found to incorporate several changes to its code obfuscation to make automation and analysis harder. These include the use of encrypted strings that are decrypted at runtime, encrypted code blocks consisting of functions that are decrypted at runtime, and improved methods to hide hard-coded values and specific functions, per Zscaler. XLoader also uses a combination of multiple encryption layers with different keys for encrypting network traffic. "XLoader continues to be a highly active information stealer that constantly receives updates," the company said. "As a result of the malware's multiple encryption layers, decoy C2 servers, and robust code obfuscation, XLoader has been able to remain largely under the radar."
-
ImageMagick zero-days enable RCE
Cybersecurity researchers have discovered several zero-day vulnerabilities in ImageMagick that could be chained to achieve remote code execution through a single image or PDF upload. According to Pwn.ai, the attack works on the default configuration and on the most restrictive "secure" configuration. The issue affects every major Linux distribution, as well as WordPress installations that process image uploads. It remains unpatched as of writing. In the interim, it is recommended to process PDFs in an isolated sandbox with no network access, disable XML-RPC in WordPress, and block GhostScript.
-
Attackers evade CloudTrail logging
Adversaries are bypassing traditional CloudTrail detections, like StopLogging or DeleteTrail, and instead using lesser-known AWS APIs to blind logging systems. This includes creating "invisible activity zones" using PutEventSelectors, using StopEventDataStoreIngestion and DeleteEventDataStore to halt or destroy long-term forensic visibility, disabling anomaly detection via PutInsightSelectors, and neutralizing cross-account protections through DeleteResourcePolicy and DeregisterOrganizationDelegatedAdmin. "The real risk is in the sequence: individually, these API calls look like routine maintenance—but chained together, they allow attackers to erase evidence and evade detection entirely," Abstract Security said.
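Because the signal is the sequence rather than any single call, a detection has to key on the CloudTrail-service event names above and then group them by principal. The following is an added example, not Abstract Security's or AWS's code; the CloudTrail records and the IAM principal in it are constructed sample data.

```python
"""Flag the quieter CloudTrail-tampering calls named above (added example, not
Abstract Security's code; the records below are constructed sample data)."""
import json
from collections import defaultdict

# Management-plane calls that shrink or destroy logging coverage: the two
# classic ones plus the quieter ones the bulletin lists.
TAMPER_EVENTS = {
    "StopLogging", "DeleteTrail", "PutEventSelectors",
    "StopEventDataStoreIngestion", "DeleteEventDataStore", "PutInsightSelectors",
    "DeleteResourcePolicy", "DeregisterOrganizationDelegatedAdmin",
}

ALICE = "arn:aws:iam::111122223333:user/ops-alice"  # constructed principal
# Constructed sample in the CloudTrail "Records" shape: two tampering calls by
# one user, an unrelated Secrets Manager DeleteResourcePolicy, one benign call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-03-12T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "PutEventSelectors", "userIdentity": {"arn": ALICE}},
    {"eventTime": "2026-03-12T10:02:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "DeleteResourcePolicy", "userIdentity": {"arn": ALICE}},
    {"eventTime": "2026-03-12T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopEventDataStoreIngestion", "userIdentity": {"arn": ALICE}},
    {"eventTime": "2026-03-12T10:04:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "userIdentity": {"arn": ALICE}},
]})


def find_tampering(raw_log: str) -> list[dict]:
    """One finding per CloudTrail-service tampering call in a Records batch."""
    findings = []
    for rec in json.loads(raw_log)["Records"]:
        # Several services expose a DeleteResourcePolicy; only the CloudTrail
        # one touches logging, so matching on eventName alone would over-alert.
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") in TAMPER_EVENTS:
            findings.append({"time": rec["eventTime"], "api": rec["eventName"],
                             "actor": rec.get("userIdentity", {}).get("arn", "?")})
    return findings


def chained_actors(findings: list[dict], min_apis: int = 2) -> dict[str, list[str]]:
    """Principals that issued at least `min_apis` distinct tampering APIs; the
    sequence, not any single call, is what separates evasion from maintenance."""
    by_actor: dict[str, set] = defaultdict(set)
    for f in findings:
        by_actor[f["actor"]].add(f["api"])
    return {a: sorted(apis) for a, apis in by_actor.items() if len(apis) >= min_apis}
```

In production the same two functions would run over events delivered to S3 or EventBridge, with `min_apis` tuned so a single legitimate selector change does not page anyone.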
-
LofyGang deploys dual-payload RAT
The threat actor known as LofyGang resurfaced with a fake npm package ("undicy-http") that delivers a dual-payload attack: a Node.js-based Remote Access Trojan (RAT) with live screen streaming, and a native Windows PE binary that uses direct syscalls to inject into browser processes and steal credentials, cookies, credit cards, IBANs, and session tokens from more than 50 web browsers and 90 cryptocurrency wallet extensions. The session hijacking module targets Roblox, Instagram, Spotify, TikTok, Steam, Telegram, and Discord. "The Node.js layer independently operates as a full RAT with remote shell, screen capture, webcam/microphone streaming, file upload, and persistence capabilities, all controlled through a WebSocket C2 panel," JFrog said. The Node.js layer also downloads a native PE binary to facilitate data exfiltration via a Discord webhook and a Telegram bot.
Nothing here looks big on its own. That's the point. Small changes, repeated enough times, start to matter. Things that were hard are getting easier. Things that were noisy are getting quiet. You stop seeing the obvious signs and start missing the subtle ones.
Read it like a pattern, not a list. Same ideas showing up in slightly different forms. Systems doing what they're designed to do—just used differently. That gap is where most problems live now. That's the recap.