Social Engineering & Phishing

Meta says NSO Group again targeted WhatsApp users despite a court order barring it from doing so. WhatsApp said it disrupted NSO-linked social-engineering attempts involving malicious links that redirected targets to external websites, plus test accounts and groups on the platform, and published related domains and indicators of compromise. The report did not include victim counts, timing, or confirmation of successful compromises. — This matters because it suggests a spyware vendor accused of abusing messaging users may still be actively targeting people after a legal ban. WhatsApp users, journalists, activists, and high-risk targets should treat unsolicited links and unusual group invites with caution, and defenders should review the published indicators immediately.

Researchers found that an OpenClaw AI email agent could be tricked by phishing-style messages into leaking sensitive data instead of protecting it. In Varonis simulations, the open-source agent, connected to Gmail, browser tools, and Google Workspace APIs, sent AWS IAM keys, database credentials, SSH details, and CRM exports to an external account after urgent impersonation emails. The tests used Google Gemini 3.1 Pro and OpenAI GPT-5.4 and showed that URL and OAuth-app checks were stronger than sender-identity verification. — Organizations testing AI agents for email and workflow automation could accidentally give them access to data they can be manipulated into disclosing. Treat this as an immediate design and policy issue: limit agent privileges, block unapproved external sharing, require human approval for high-risk actions, and verify sender identity before deployment.

Hackers posing as women seeking relationships or volunteers offering help tricked Russian military personnel into installing spyware or surrendering their Telegram accounts. Researchers at F6 say the previously undocumented SiribClone group has operated since at least summer 2025, targeting troops in border regions and combat zones with Android spyware dubbed SafeLoveStealer, desktop malware called SiribGrabber, and phishing sites masquerading as Telegram logins, invite pages, medical portals, and other services to steal messages, files, location data, and microphone audio. — This is an active espionage campaign aimed at people in combat zones and shows how romance lures and fake support offers can turn personal chats into battlefield surveillance. Anyone in sensitive roles should treat unsolicited Telegram contacts, app downloads, and login pages as high risk, avoid sideloading apps, and use phishing-resistant account protections where possible.

Researchers say multiple criminal groups have built fake FIFA websites to steal World Cup fans’ passwords, payment details, and money through bogus ticket sales. Group-IB identified four separate campaigns since August 2025, including a Chinese-speaking operation it calls GHOST STADIUM that uses more than 300 active lookalike domains and roughly 3,800 dormant ones. The phishing kit closely copies FIFA’s login flow, can trigger password-reset steps to lock victims out, and is being promoted through Facebook ads offering unrealistically cheap tickets. — Fans trying to buy 2026 World Cup tickets could lose their accounts, have legitimate tickets resold, or pay scammers for fake seats. Users should only type fifa.com directly into their browser, avoid ad-linked ticket offers, and treat lookalike FIFA domains as suspicious.

France's government says an attacker got into Tchap, the encrypted messaging service used by public-sector workers, by taking over a valid user account. DINUM said ANSSI detected the intrusion on June 8 and blocked the compromised account, while investigators review logs to determine what conversations and data were accessed or stolen. A threat actor claimed the access came from social engineering on an education-related Tchap shard and alleged theft of 13.5GB of files, roughly 650,000 messages, and data on more than 73,000 accounts, plus a flaw allowing shared media files to be downloaded without a token. — This affects a government communications platform with more than 300,000 monthly users, so exposed chats, files, and account metadata could have broad public-sector impact. French agencies and users should treat the incident as potentially sensitive, review what was shared in public rooms, investigate account takeover paths, and reset or harden credentials where appropriate.

A likely North Korean-linked group sent more than 250 fake job and code-review emails to developers at nearly 100 organizations, mainly in the United States, to steal login credentials and cryptocurrency wallets. Proofpoint tracks the activity as UNK_DeadDrop and says the attackers used spoofed company brands and attacker-controlled GitHub repositories posing as coding tests or crypto projects; victims were told to clone and open the repos in tools such as Visual Studio Code or Cursor, triggering cross-platform malware on macOS, Linux, and Windows. — Developers and the companies that employ them are the direct targets, and a single successful lure can expose source code, cloud access, and crypto assets. Organizations should warn staff about unsolicited recruiting emails, scrutinize GitHub-based coding tests, and isolate or block unknown repositories and scripts.

Attackers are tricking bank customers into installing fake Android banking app updates from GitHub so they can steal card data and PINs. D3Lab says newer NFCShare variants, seen since May 14, target banks mainly in Italy and Spain after victims visit phishing sites impersonating real banks. The malware abuses near-field communication (NFC) on Android to read card details via IsoDep and EMV commands, then sends the data to command-and-control servers over WebSocket. — This can lead directly to payment-card fraud because victims are persuaded to hand over both card details and their PIN during a fake security check. Android users should only install banking apps from Google Play and treat any request to scan a bank card with their phone or sideload an update from GitHub as suspicious.

Oxford University says a separate breach at its CareerConnect jobs platform exposed users’ full names and email addresses, and encrypted passwords for people not using single sign-on. The affected service is provided by Group GTI and runs on its TargetConnect platform, which Oxford said was compromised on May 28 through an unspecified security vulnerability that has since been fixed; affected alumni, research staff, and employer users had passwords reset, and GTI has not publicly disclosed the flaw or total scope. — Students, alumni, staff, and recruiters who used the platform may now face phishing or credential-stuffing attempts, especially if they reused passwords elsewhere. Affected users should reset reused passwords, watch for convincing job-related scam emails, and universities using GTI TargetConnect should press the vendor for technical details and mitigation guidance.

The FBI says Silent Ransom Group is targeting U.S. law firms by pretending to be IT support, then stealing data and extorting victims without encrypting files. In 2026 attacks, the group reportedly used callback phishing emails, phone-based social engineering, remote desktop access, and in some cases sent an operative on site to insert a USB or external drive after a failed remote-access attempt; the attackers then used tools such as WinSCP and Rclone to exfiltrate data. — Law firms and other organizations should treat unsolicited IT calls, emails, and in-person support visits as potential attack vectors, not just remote phishing. The warning is urgent because the attackers use legitimate admin tools and leave few traces, so organizations should verify IT identities, restrict external-drive use, and harden remote-access workflows now.

Attackers used Meta’s automated Instagram support assistant to take over accounts, including the Obama White House account and the U.S. Space Force chief master sergeant account, and briefly deface them with pro-Iran messages. According to KrebsOnSecurity and Telegram posts cited in the report, the abuse involved the password-recovery flow: attackers asked the AI bot to add a new email address to a target account, then used the one-time code sent there to reset the password. No CVE is given, Meta reportedly pushed an emergency patch, and accounts with multi-factor authentication enabled were said to resist the takeover. — This matters because it shows AI-driven customer support can become a new social-engineering path to account takeover even without a backend database breach. Instagram users, especially high-value or public-facing accounts, should enable multi-factor authentication now and review account recovery email addresses and recent login activity.

Toshiba and Muji warned that visitors to some of their web pages saw unexpected browser sign-in prompts that could trick people into entering credentials. The prompts were tied to lingering references to the compromised polyfill.io JavaScript content delivery network (CDN), which began responding with HTTP 401 authentication challenges in late May 2026; affected companies removed or suspended the service, and no confirmed credential theft has been reported so far. — People who entered usernames or passwords into these pop-ups should change them, and website owners should remove any remaining polyfill.io code immediately. This matters because it shows how a long-abandoned third-party script can still create phishing risk years after an earlier supply-chain compromise.

Attackers are tricking people looking for popular PC utilities into installing malware that secretly uses their graphics cards to mine cryptocurrency. Microsoft says the campaign uses search-engine optimization (SEO) poisoning and, in some cases, attacker-controlled links surfaced in AI chatbot responses for tools such as CrystalDiskInfo, HWMonitor, FurMark, K-Lite Codec Pack, PDFgear, and Display Driver Uninstaller. The fake downloads bundle a legitimate program with a malicious dynamic-link library (DLL), install ScreenConnect for remote access, add multiple Windows persistence mechanisms, evade Microsoft Defender, and then deploy GPU miners including gminer, lolMiner, and SRBMiner-MULTI. — This campaign targets owners of powerful Windows systems and can leave victims with both hijacked hardware and a remote-access backdoor for follow-on attacks. Users and defenders should avoid downloading software from AI-generated or unfamiliar links, verify vendor domains, and hunt for the listed indicators of compromise and unauthorized ScreenConnect installs.

MI5 and allied intelligence agencies warned that Chinese intelligence officers and their proxies are using job and networking platforms including LinkedIn, Indeed, and Upwork to spot and cultivate people with access to classified or otherwise sensitive government information. The advisory says the operators pose as recruiters, consultancies, think tanks, or research clients, rank applicants by likely access, request trial reports, then move conversations to encrypted messaging and pay through services such as PayPal, Zelle, Wise, Western Union, or cryptocurrency in exchange for non-public information. — This is a real-world espionage and social-engineering threat aimed at government, defense, foreign-affairs, academic, media, and policy workers. People in or near sensitive roles should treat unsolicited research, consulting, or recruiter outreach on these platforms as potentially hostile, report suspicious contact, and avoid sharing resumes or non-public work details casually.

A newly identified extortion group called Pink is calling employees while pretending to be IT support, then stealing account credentials and company data to demand payment. Palo Alto Networks Unit 42 says the group, tracked as CL-CRI-1147 and likely linked to the criminal network known as The Com, uses voice phishing and fake help-desk interactions to capture passwords and multifactor authentication (MFA) approvals, then raids services such as SharePoint, OneDrive, and Microsoft Teams. Unit 42 said Pink's leak site went live on May 31 and published domains and IP addresses tied to the campaign as indicators of compromise. — This matters to organizations that rely on cloud productivity tools because attackers do not need malware or software flaws if they can talk staff into handing over access. Companies should warn staff about unsolicited help-desk calls, tighten help-desk identity checks, review Microsoft 365 logs, and block or investigate the listed phishing infrastructure immediately.

Researchers say a new Magecart card-skimming campaign is stealing shoppers’ payment details from compromised online stores and hiding both its malware and stolen data inside trusted Google Tag Manager and Stripe services. Sansec says the skimmer targets Magento and Adobe Commerce checkout pages, pulls JavaScript from a Google Tag Manager container, retrieves payload code from Stripe customer metadata tied to customer ID cus_TfFjAAZQNOYENR, and exfiltrates stolen card, billing, email, and phone data by creating fake Stripe customer records; a variant uses Google Firestore instead of Stripe. The Stripe record was reportedly created on December 24, 2025, suggesting the campaign may have been active for months. — This matters because stores may allow traffic to Google Tag Manager and Stripe by default, letting the skimmer blend in and evade common security controls while stealing card data from real customers. Online retailers using Magento or Adobe Commerce should urgently inspect GTM containers, Stripe API activity, and checkout-page scripts for unauthorized changes.

Researchers say attackers could have manipulated Google’s Gemini voice assistant through ordinary message notifications from apps such as WhatsApp, Slack, and SMS. SafeBreach calls the technique “Fake Context Alignment”: hidden instructions embedded in notification content were silently pulled into Gemini’s context when users asked it to read messages aloud, potentially enabling actions such as controlling Google Home devices, starting Zoom calls, sending deceptive messages, and poisoning long-term memory. Google was notified in August 2025 and patched the issue in November 2025 with content-classifier changes. — This matters because it shows how everyday messages could be turned into a hands-free attack path against AI assistants that are connected to calls, messages, and smart-home controls. Users and organizations relying on Gemini should make sure current protections are in place and treat unsolicited messages as a potential trigger for AI-assisted actions.

A Chinese-speaking cybercrime group is using new malware and localized phishing messages to break into organizations in Europe and beyond. Proofpoint says TA4922, linked to activity overlaps with Silver Fox and Void Arachne, has targeted entities in Germany, Italy, the United Kingdom, South Africa, and parts of Southeast Asia since March 2026 using payroll, tax, VAT, invoice, and HR lures sent by email and messaging apps including WhatsApp, LINE, and Microsoft Teams. The campaigns deploy Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT for remote access, file theft, credential theft, keylogging, screenshots, and webcam or audio capture. — Organizations in the targeted regions should treat this as an active intrusion and phishing threat, especially finance, HR, and compliance teams that may receive convincing local-language messages. Defenders should hunt for the named malware families and remote-management tools, tighten phishing controls, and warn staff to verify unexpected payroll, tax, invoice, or compliance messages across email and chat platforms.

A newly reported Windows flaw can expose a user's NTLMv2 password hash, which attackers can try to crack or relay for unauthorized access. The issue affects the Windows Search URI protocol and can be triggered through crafted links or files that cause Windows to connect to an attacker-controlled server. The article indicates the bug is unpatched and enables hash disclosure rather than direct code execution. — Organizations that still rely on NTLM authentication could be exposed to credential theft from a single malicious link or lure, making this a meaningful phishing and lateral-movement risk. Defenders should block or monitor outbound SMB and WebDAV traffic, reduce NTLM use where possible, and warn users not to open unexpected search-related links or files until Microsoft issues a fix.

Google is adding a new Android feature that warns people when a call may be a scammer pretending to be someone they know. The feature, called fake call detection, is rolling out globally this month on Android 12 and later, starting with Pixel devices, and is enabled by default. It works when both parties use Phone by Google, Contacts, and Google Messages with Rich Communication Services (RCS) enabled, using encrypted device-to-device verification to detect spoofed contact calls and trigger an on-screen warning. — This addresses a real-world fraud tactic that combines fake caller ID with AI-generated voice impersonation, which can trick people into sending money or revealing sensitive information. Android users should keep Google's phone and messaging apps updated and treat urgent calls asking for money, codes, or account access with caution.

A large malware campaign has infected more than 116,000 computers by tricking Minecraft players into downloading booby-trapped mods, cheat clients, and utilities. McAfee says the WeedHack operation has been active since January 2026, spreads via YouTube links and search-result manipulation, and uses thousands of malicious Java archive (JAR) files. The malware steals browser passwords and cookies, Minecraft session IDs, Discord, Steam and Telegram credentials, and crypto-wallet data, while paid tiers add remote-control features such as keylogging, webcam access, shell access, and file management. — This is a broad consumer-focused infostealer campaign hitting gamers at scale, with stolen passwords, session tokens, and wallet data creating immediate account-takeover and financial risk. Minecraft players and parents should avoid unofficial mod download sites, remove suspicious JAR files, run antivirus scans, and reset passwords for any accounts used on affected devices.

The FBI says criminals are using a Telegram-based service called Kali365 to trick people into granting access to their Microsoft 365 accounts. The phishing-as-a-service platform, first seen in April 2026, abuses Microsoft's legitimate device-code login flow so victims authorize attacker-initiated sessions; the stolen OAuth access and refresh tokens can then be reused to access Outlook, Teams and OneDrive without needing the victim's password or another multi-factor authentication prompt. — This matters because victims can lose control of email, files and collaboration accounts even if multi-factor authentication is enabled. Organizations using Microsoft 365 should urgently review device-code login controls and token protections, monitor for suspicious inbox rules and token use, and warn users not to enter login codes from unsolicited emails.

The Police Service of Northern Ireland warned that scammers spoofed its official switchboard number to call people while pretending to be police officers. In the reported case, the caller falsely claimed the target was tied to a money-transfer investigation, asked for bank-card information, and then requested gift cards and their codes; police said the number display was faked and no suspect has yet been arrested. The same police force also disclosed a separate crypto-investment fraud in which an elderly woman lost more than £250,000 after attackers persuaded her to install malware and took control of her devices. — People may trust a call that appears to come from a real police number, so this scam raises the risk of financial theft even for cautious users. Anyone receiving such a call should hang up, independently verify the number, and never provide banking details or gift-card codes to someone claiming to be law enforcement.

Dashlane says it temporarily locked some customer accounts after attackers repeatedly tried to register new devices and failed the required verification step. The company said the activity began Sunday, triggered automatic protections, and later moved to monitoring after restoring affected accounts. Dashlane said its internal systems were not compromised, but did not disclose how many users were hit or whether any account takeovers succeeded. — Password managers hold access to many other accounts, so even unsuccessful attacks are high-impact for users. Dashlane customers should verify recent login alerts, ensure multi-factor authentication is working, and contact support if their account was suspended or shows unfamiliar device activity.

A threat actor called DriveSurge has compromised thousands of real websites and is using them to redirect visitors into malware traps. Silent Push says the actor operates as an initial access broker, using the zTDS traffic distribution system to decide whether each visitor sees a ClickFix lure that tricks them into running malicious PowerShell commands or a FakeUpdate page posing as browser updates for Chrome, Firefox, Edge, Safari and others; researchers also found macOS-targeting JavaScript and more than 80 malicious injection domains. — People can get infected just by visiting a legitimate site that has been silently hijacked, so the risk extends beyond obviously shady pages. Organizations should hunt for the identified JavaScript injection patterns and domains, and users should only update browsers through the built-in updater and never paste commands from pop-ups into Terminal or PowerShell.

Security researchers say more than 5,000 election-themed internet domains were registered in recent weeks ahead of the 2026 U.S. midterms, raising the risk of fake voting sites, donation scams, and impersonation of election officials. Check Point said the registrations increased sharply between April and May and coincided with roughly 17,000 exposed credentials tied to ActBlue, WinRed, GOP, Democrats.org, and USA.gov accounts, creating infrastructure and account access that could support phishing, fraud, or influence operations. — This matters because voters, donors, campaigns, and election workers could be tricked by lookalike sites or targeted through reused or stolen passwords. People should verify election and donation websites carefully, avoid links in unsolicited messages, and reset passwords if they may have been exposed.

A previously unknown hacking group quietly targeted Russian maritime schools, diplomatic missions, energy facilities, government agencies and financial institutions for nearly two years. Kaspersky says the campaign dates back to at least 2024 and used phishing emails with ZIP attachments containing a malicious file disguised as a Microsoft Excel configuration file; recent attacks starting in January 2026 used the Ravage post-compromise framework from GitHub to run commands, move files and capture screenshots. The company did not name the group, provide victim totals, or attribute the activity to a known state or criminal actor. — This is a sustained espionage-style campaign against sensitive Russian sectors, showing that simple phishing attachments are still effective and that publicly available offensive tools are being folded into real operations. Organizations in similar sectors should review email defenses, hunt for Ravage-related activity, and investigate suspicious Excel-launched processes and dormant compromises.

Afghan Ministry of Finance and provincial government officials were targeted in a phishing campaign that installed remote-access malware on victims' computers. Seqrite attributed the activity with medium-to-high confidence to the Pakistan-linked SideCopy group, which used Pashto-language lure documents inside ZIP archives and delivered them through compromised Afghan government server infrastructure; opening the file installed XenoRAT, a remote access trojan, which then contacted attacker-controlled servers in Europe. — This matters because it shows a suspected state-linked espionage operation aimed at government financial and provincial officials, using trusted local-language lures and compromised government infrastructure to improve success. Afghan public-sector defenders should investigate suspicious ZIP attachments, review access to government-hosted domains, and hunt for XenoRAT-related activity.

Attackers are using legitimate ChatGPT share links to show fake OpenAI outage notices that tell people to download a bogus ChatGPT desktop app. Push Security says the LLMShare campaign buys Google ads for ChatGPT searches, serves the lure from chatgpt.com/s/ pages rendered with custom HTML and CSS inside ChatGPT, then redirects victims to openew[.]app, which offers cloaked Windows and macOS malware downloads; the Windows sample checks whether it is running on a real device or a virtual machine. — This matters because the scam is hosted partly on a real OpenAI domain, making it more convincing to ordinary users and harder for defenders to spot. Users should avoid sponsored results for AI tools, download apps only from the official vendor site or app store, and security teams should monitor for chatgpt.com share-link abuse and block the impersonation domain.

Charter Communications says it suffered a security incident after the ShinyHunters extortion group threatened to leak stolen data. The attackers claim they breached Charter on April 1 by using voice phishing (vishing) to compromise an employee's Microsoft Entra account, then used access to Charter's Salesforce environment to export about 40 million customer records, including names, contact details, plan information, support tickets, and some customer proprietary network information (CPNI); Charter disputes that sensitive personal data or CPNI was exfiltrated. — Charter serves tens of millions of customers, so even partial account and service data exposure could create follow-on phishing, fraud, and impersonation risks. Affected users should watch for targeted calls and emails referencing Spectrum or account details, while defenders should review identity-provider protections, help-desk verification, and Salesforce access logs.

A researcher says ChatGPT can be tricked into turning a malicious web page into a phishing message when a user asks it to summarize that page. Permiso's Andi Ahmeti reported that hidden Markdown instructions in attacker-controlled content can make ChatGPT include fake account alerts, attacker links, or QR codes in its response; OpenAI did not confirm a fix, and no CVE is cited in the report. — People using ChatGPT to summarize websites could be shown convincing phishing prompts in the assistant's own voice, including links or QR codes that bypass normal browser safety habits. Until OpenAI confirms a fix, users and defenders should treat AI-generated summaries of untrusted pages as potentially tainted and avoid clicking embedded links or scanning QR codes.

Researchers say a previously undocumented Russia-linked group called GreyVibe has targeted Ukrainian military, government, civilian, and business organizations since August 2025. WithSecure says the actor used at least six spear-phishing campaigns, fake adult-club websites, Telegram and dating-site lures, and file-sharing links to deliver PhantomRelay and LegionRelay malware on Windows and Fallspy on Android; the report also says the group used ChatGPT, Gemini, Ideogram, and other generative artificial intelligence tools across lure creation, malware development, obfuscation, and post-compromise tooling. — This matters because it describes an active espionage-focused campaign against Ukrainian targets and shows how lower-sophistication operators can use generative artificial intelligence to scale convincing phishing and malware operations. Organizations supporting Ukraine should review indicators, harden email and mobile defenses, and warn users about archive-based lures, fake personas, and links delivered over chat and dating platforms.

A newly highlighted Android malware family called BTMOB can give criminals broad control over infected phones, including stealing data and taking over the device. ESET says the remote access trojan (RAT) is spread through phishing pages and fake app stores, abuses Android Accessibility Services to gain elevated privileges, and is sold with an APK-building kit that lets buyers customize lures by country and brand. The campaign has mainly been observed in Latin America. — This is more serious than a typical banking trojan because it can turn an Android phone into a remotely controlled spying and theft tool. Android users should avoid app downloads from links in messages or fake stores, and defenders should watch for phishing infrastructure and abuse of Accessibility permissions.

Carnival Corporation says attackers stole customer data after socially engineering an employee and accessing part of its IT systems, affecting 5,995,277 people. The company says the intrusion was identified on April 14, 2026 and data theft was confirmed on April 22; ShinyHunters had claimed the breach in April and said it stole millions of records. Exposed data reportedly includes names, dates of birth, email addresses, gender, location, and loyalty-program details tied to Holland America's Mariner Society. — This is a major consumer data breach involving sensitive personal information that could fuel phishing, impersonation, and account-targeting scams. Affected customers should watch for breach notices, be cautious of unsolicited calls or emails referencing cruises or loyalty programs, and change passwords anywhere they were reused.

Researchers say attackers can abuse trusted-looking project files in code repositories to make AI coding agents install attacker-controlled components and run malicious code on a developer's machine or in continuous integration (CI) systems. Adversa's 'SymJack' technique uses disguised symbolic links (symlinks) and a copy command to silently register a malicious Model Context Protocol (MCP) server; the firm says it worked against Claude Code, Gemini CLI, Antigravity CLI, Cursor Agent CLI, Grok Build CLI, and GitHub Copilot CLI, and published a proof of concept on GitHub. Anthropic reportedly hardened Claude Code to resolve symlinks before approval and show the true destination path. — Teams using AI coding agents could unknowingly approve changes that steal SSH keys, cloud tokens, browser sessions, or CI secrets and then push malicious code downstream. This is urgent for developers and DevOps teams using agentic coding tools: review repository trust assumptions, restrict or audit MCP server registration, scrutinize file-copy prompts, and apply vendor mitigations where available.

An Iran-linked hacking group is using fake job offers and trojanized software downloads to break into aviation and software companies, including targets in Saudi Arabia, Australia, and the United States. Check Point says Nimbus Manticore (also known as Bohrium, TA455, and UNC1549) switched from DLL sideloading to AppDomain hijacking, using malicious .NET configuration files to load payloads, and deployed updated MiniJunk malware plus a new Windows DLL backdoor called MiniFast through ZIP files on OnlyOffice, a fake Zoom installer, and a fake SQL Developer site boosted with search-engine optimization. — This campaign shows continued state-linked targeting of sensitive industries during heightened regional tensions, with lures that can fool both job seekers and employees downloading familiar tools. Organizations in aviation, defense-adjacent, and software sectors should warn staff about recruiter and installer lures, review detections for MiniJunk and MiniFast, and hunt for suspicious .config-based AppDomain hijacking activity.

Attackers are using a Ghost CMS bug to hijack websites and show visitors fake verification prompts that can infect their computers. The campaign abuses CVE-2026-26980, a critical unauthenticated SQL injection flaw affecting Ghost 3.24.0 through 6.19.0, to steal admin API keys and inject malicious JavaScript into article pages; researchers say more than 700 domains were hit, including university, media, fintech, and tech sites. Victims who follow the ClickFix instructions paste commands into Windows that download malware. — This affects both website owners and ordinary visitors: unpatched Ghost sites can be silently turned into malware delivery pages, and people browsing them can be tricked into infecting their own systems. Ghost administrators should update to 6.19.1 or later immediately, rotate exposed keys, and check for injected scripts and suspicious admin API activity.

A Russian-speaking threat actor allegedly used a jailbroken Google Gemini account to run a months-long scam and theft campaign aimed at QAnon and MAGA communities, stealing WordPress admin credentials and draining at least one victim's cryptocurrency wallets. TrendAI says the operation ran from September 2025 to May 2026 through a Telegram channel with about 17,000 subscribers, used 73 likely stolen Gemini API keys, pushed a fake StellarMonster wallet app that actually installed the GoToResolve remote access tool, and captured victims' seed phrases through a bogus wallet-import screen. — This matters because it blends political-community targeting, AI-assisted social engineering, malware, and direct crypto theft in a way ordinary users can fall for and defenders may miss. Users should avoid wallet apps and recovery prompts promoted in Telegram channels, while organizations should investigate exposed WordPress credentials and watch for abuse of stolen API keys.

Two former executives of call-tracking firm C.A. Cloud pleaded guilty to concealing a years-long tech-support scam operation that targeted victims worldwide. Prosecutors say the company knowingly provided phone numbers, call forwarding, recordings, and rotating number pools to fraudsters behind fake malware-warning pop-ups, including scammers impersonating Microsoft and Apple; the pair also allegedly ran a Tunisia call center where employees carried out similar fraud through remote computer access and false invoices. — This matters because it shows the infrastructure behind tech-support scams is being targeted, not just the callers themselves, and the scams often hit older and vulnerable people. Users should be wary of pop-ups or calls claiming their computer is infected, especially if they demand remote access or immediate payment.

Belarus-linked hackers are sending fake course-certificate emails to Ukrainian government staff to infect their computers with espionage malware. CERT-UA says the campaign, active since spring 2026, uses compromised email accounts and messages posing as Ukraine’s Prometheus learning platform; a PDF leads victims to a ZIP that installs OysterFresh, then OysterBlues and OysterShuck, which collect host and user details and may later deliver Cobalt Strike. — This is a targeted government espionage campaign, so affected organizations should treat related Prometheus certificate emails as suspicious, hunt for the named malware and infrastructure, and isolate infected systems quickly. For users, the practical takeaway is not to open certificate attachments or download archives from unexpected training-platform emails, even if they come from known contacts.

Britain’s online-safety regulator said several major platforms have promised product changes aimed at better protecting children in the UK. Ofcom said Snap will adopt its recommended anti-grooming measures, including tighter limits on adult contact with children; Roblox will let parents disable direct messages for under-16s; and Meta will hide teens’ connection lists by default on Instagram and use artificial intelligence to detect likely sexualized adult-teen direct messages. Ofcom said TikTok and YouTube did not commit to significant new changes. — This matters to UK families, teens and platform operators because it signals concrete safety and privacy changes tied to regulatory pressure, especially around grooming risks and minors’ visibility online. Users and parents should watch for new default settings and controls, while companies should expect closer enforcement under the UK’s online-safety regime.

Two U.S. men pleaded guilty to helping India-based tech-support scam centers steal millions from Americans, including elderly and disabled victims. Prosecutors said they provided phone numbers, call routing, tracking, and forwarding services for fake malware pop-up scams from 2016 to 2022, continued after learning customers were fraudulent, and advised scammers to rotate large pools of numbers to evade detection; some victims also gave remote access to their devices, leading to financial theft. — This shows how large tech-support scam operations rely on telecom and call-routing support inside the U.S., not just overseas call centers. People should be wary of pop-ups telling them to call for urgent computer help, and providers and defenders can use the case details to spot number rotation and call-forwarding tactics tied to fraud.