Threat Actors & APTs

Stories 50
Sources 116
Updated 2026.06.10
ShinyHunters targets Oracle PeopleSoft servers in data-theft attacks against more than 100 organizations
Oracle PeopleSoft customers are being hit in ongoing break-ins and extortion attacks that ShinyHunters says have affected more than 100 organizations and 300 PeopleSoft instances. The campaign reportedly targets both cloud and on-premises PeopleSoft deployments, with the attackers claiming to use a chain of older bugs and at least one zero-day, though no CVE has been confirmed by Oracle. Reported evidence includes extortion notes, exposed attacker tooling, and IP-based indicators of compromise tied to infrastructure previously linked to ShinyHunters. — PeopleSoft is widely used for payroll, HR, finance, procurement, and student systems, so a compromise can expose highly sensitive employee, customer, or student data. Organizations running PeopleSoft should urgently review logs for the listed IPs, investigate possible unauthorized SSH access, and prepare incident response while waiting for Oracle guidance.
Sources: Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
China-linked JDY botnet grows and expands reconnaissance targeting of U.S. military networks
Researchers say the China-linked JDY botnet has grown to more than 1,500 compromised small-office/home-office and internet-connected devices and is increasingly used to probe U.S. military and related networks. Black Lotus Labs says JDY is tied to China-nexus activity previously associated with Volt Typhoon and is used for distributed scanning, banner grabbing, TLS certificate collection, and fingerprinting to find vulnerable systems soon after flaws are disclosed, including scans for FortiClient EMS bug CVE-2026-35616. The botnet uses infected routers and IoT devices from vendors including Cisco, Ubiquiti, DrayTek, Hikvision, Linksys, Araknis, and Mimosa, with command-and-control routed through Tor hidden services. — This matters because compromised routers and IoT gear are being used to quietly map weak points in networks tied to sensitive U.S. targets, helping follow-on intrusions. Organizations should patch exposed network devices quickly, reduce internet-facing services, and watch for scanning and unusual activity from SOHO and IoT infrastructure.
Sources: China-linked JDY botnet expands targeting of U.S. military networks, China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance
Cisco discloses exploited Catalyst SD-WAN Manager zero-day CVE-2026-20245 with no patch yet
Cisco says attackers are exploiting a new zero-day in Catalyst SD-WAN Manager, and affected organizations do not yet have a patch. The flaw, CVE-2026-20245, is a command-injection vulnerability in the command-line interface that lets an authenticated local attacker with netadmin privileges execute arbitrary commands as root by uploading a crafted file. Cisco said exploitation has been limited but that it observed cases where attackers pushed configuration changes to edge devices, and it published indicators of compromise. — Organizations running Cisco Catalyst SD-WAN Manager face an actively exploited flaw that can give attackers full control of the system, with no fix available yet. Defenders should urgently check Cisco's indicators of compromise, restrict and review privileged access, hunt for abuse of related SD-WAN flaws, and prepare to patch as soon as Cisco releases updates.
Sources: Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026, Cisco warns of unpatched SD-WAN zero-day exploited in attacks, Yet another Cisco SD-WAN 0-day under attack, and no patch in sight (+2 more)
KrebsOnSecurity links The Gentlemen ransomware group to a suspected administrator in Izhevsk, Russia
A new report identifies a suspected real-world operator behind The Gentlemen, one of 2026's most active ransomware groups. KrebsOnSecurity, drawing on Check Point, Intel 471, Flashpoint, and Constella data, says the ransomware-as-a-service group has claimed at least 332 victims since mid-2025 and more than 240 in 2026, recruits affiliates with a 90/10 ransom split, and commonly gains entry through internet-facing VPN and firewall devices before rapidly encrypting networks. — This is a major ransomware actor by victim volume, so the attribution and tradecraft details help defenders prioritize monitoring of exposed remote-access and edge devices. Organizations should review exposure of VPNs and firewalls, harden remote access, and watch for intrusion patterns associated with fast-moving affiliate-led ransomware attacks.
Sources: Who Runs the Ransomware Group ‘The Gentlemen?’
Meta asks court to hold NSO Group in contempt after alleged new WhatsApp phishing targeting
Meta says NSO Group again targeted WhatsApp users despite a court order barring it from doing so. WhatsApp said it disrupted NSO-linked social-engineering attempts involving malicious links that redirected targets to external websites, plus test accounts and groups on the platform, and published related domains and indicators of compromise. The report did not include victim counts, timing, or confirmation of successful compromises. — This matters because it suggests a spyware vendor accused of abusing messaging users may still be actively targeting people after a legal ban. WhatsApp users, journalists, activists, and high-risk targets should treat unsolicited links and unusual group invites with caution, and defenders should review the published indicators immediately.
Sources: NSO Group back in Meta's crosshairs after alleged WhatsApp targeting, WhatsApp Catches Spyware Firm NSO Defying No-Hacking Court Order, WhatsApp says NSO targeted users with spearfishing attacks in violation of court order (+2 more)
UK scales back planned telecom cybersecurity rules introduced after Salt Typhoon espionage campaign
The UK has weakened proposed telecom security requirements that were drafted after the China-linked Salt Typhoon spying campaign against telecom networks. Recorded Future News reports the government dropped or delayed several measures after industry objections, including a proposed independent signalling intrusion detection system meant to detect abuse of telecom signalling traffic. The updated code takes effect in mid-July unless Parliament blocks it, and operators can still be judged against it under existing telecom security duties. — This affects how well UK phone and internet providers may detect and contain state-backed intrusions into core communications networks. Telecom operators, regulators, and enterprise customers should review the final code now because the changes may leave weaker safeguards against the kinds of access used for large-scale espionage.
Sources: UK weakens proposed telecoms defenses against Chinese hackers after industry pushback
SiribClone uses fake romance and aid lures on Telegram to spy on Russian soldiers with SafeLoveStealer and SiribGrabber malware
Hackers posing as women seeking relationships or volunteers offering help tricked Russian military personnel into installing spyware or surrendering their Telegram accounts. Researchers at F6 say the previously undocumented SiribClone group has operated since at least summer 2025, targeting troops in border regions and combat zones with Android spyware dubbed SafeLoveStealer, desktop malware called SiribGrabber, and phishing sites masquerading as Telegram logins, invite pages, medical portals, and other services to steal messages, files, location data, and microphone audio. — This is an active espionage campaign aimed at people in combat zones and shows how romance lures and fake support offers can turn personal chats into battlefield surveillance. Anyone in sensitive roles should treat unsolicited Telegram contacts, app downloads, and login pages as high risk, avoid sideloading apps, and use phishing-resistant account protections where possible.
Sources: Hackers pose as women seeking romance to spy on Russian soldiers
Suspected North Korean phishing campaign sends fake developer job offers to steal credentials and cryptocurrency
A likely North Korean-linked group sent more than 250 fake job and code-review emails to developers at nearly 100 organizations, mainly in the United States, to steal login credentials and cryptocurrency wallets. Proofpoint tracks the activity as UNK_DeadDrop and says the attackers used spoofed company brands and attacker-controlled GitHub repositories posing as coding tests or crypto projects; victims were told to clone and open the repos in tools such as Visual Studio Code or Cursor, triggering cross-platform malware on macOS, Linux, and Windows. — Developers and the companies that employ them are the direct targets, and a single successful lure can expose source code, cloud access, and crypto assets. Organizations should warn staff about unsolicited recruiting emails, scrutinize GitHub-based coding tests, and isolate or block unknown repositories and scripts.
Sources: Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto
Mini Shai-Hulud supply-chain attack compromises 320+ npm packages in @antv namespace via stolen maintainer account
Researchers say a compromised npm maintainer account ('atool') was used to publish hundreds of malicious package versions across the @antv namespace, including widely used downstream packages such as echarts-for-react and timeago.js. The payload steals GitHub Actions secrets and credentials from cloud, Kubernetes, Vault, wallet, and developer-tool paths, exfiltrates data via GitHub and fallback infrastructure, and can republish tampered packages using stolen npm tokens. Reports also link the campaign to malicious PyPI uploads, a compromised GitHub Action, and a VS Code extension. — This is a high-impact ecosystem compromise with downstream risk to developer workstations, CI environments, and software consumers through trusted package updates. Defenders should immediately identify affected package versions, rotate exposed secrets and npm tokens, review CI runners and GitHub repositories for signs of exfiltration, and block known malicious artifacts.
Sources: Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack, Shai-Hulud copycat worm infects yet another npm package, TanStack weighs invitation-only pull requests after supply chain attack (+2 more)
FBI warns Silent Ransom Group is sending fake IT workers in person to law firms to plug in USB drives and steal data
The FBI says Silent Ransom Group is targeting U.S. law firms by pretending to be IT support, then stealing data and extorting victims without encrypting files. In 2026 attacks, the group reportedly used callback phishing emails, phone-based social engineering, remote desktop access, and in some cases sent an operative on site to insert a USB or external drive after a failed remote-access attempt; the attackers then used tools such as WinSCP and Rclone to exfiltrate data. — Law firms and other organizations should treat unsolicited IT calls, emails, and in-person support visits as potential attack vectors, not just remote phishing. The warning is urgent because the attackers use legitimate admin tools and leave few traces, so organizations should verify IT identities, restrict external-drive use, and harden remote-access workflows now.
Sources: FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data, FBI warns of in-person data theft attacks from extortion gang, FBI warns extortion hackers are visiting US law firms to steal data (+4 more)
C0XMO Gafgyt botnet exploits DD-WRT router flaw CVE-2021-27137 to spread across routers and IoT devices
A new botnet called C0XMO is infecting DD-WRT routers and other internet-connected devices so they can be used in denial-of-service attacks. Fortinet says the malware exploits CVE-2021-27137, an unauthenticated buffer overflow in DD-WRT, and also brute-forces Telnet and SSH logins while carrying binaries for multiple CPU architectures including ARM, MIPS, PowerPC, x86, and x86_64. The botnet establishes persistence with cron jobs and startup-file changes, then removes rival malware and tooling from infected systems. — Organizations and users with exposed routers, DVRs, and similar devices may be silently pulled into a botnet and used in attacks. Patch affected firmware where available, disable unnecessary remote administration, and change weak or reused device credentials immediately.
Sources: C0XMO botnet spreads via DD-WRT router flaw, kills rival malware
China-linked UNC5221 used Brickstorm, Plenet and AgentPSD malware to keep long-term access to victim networks and Microsoft 365
A China-linked espionage group kept access to a victim organization and its managed services provider for at least 18 months, using multiple backdoors to return even after cleanup. Volexity says UNC5221, also tracked as VerdantBamboo, used Brickstorm on Egnyte Storage Sync, pfSense, Synology NAS and a retired Linux email server, then used Plenet (also called Grimbolt) and AgentPSD to maintain persistence and reach the victim’s Microsoft 365 environment through stolen credentials and SSL VPN access. No new CVE is named in this report. — Organizations using Microsoft 365, MSPs, and internet-facing edge devices should treat this as a reminder that sophisticated attackers can survive remediation and re-enter through trusted providers. Review VPN and firewall changes, hunt for Brickstorm/Plenet/AgentPSD, audit MSP access paths, and rotate credentials and tokens tied to compromised systems.
Sources: Chinese APT deploys new malware to keep access to hacked networks
Suspected Iranian hackers accessed internet-exposed gas station tank monitors across multiple U.S. states
U.S. officials believe suspected Iranian hackers broke into fuel-tank monitoring systems at gas stations in several states. The attackers targeted automatic tank gauges, or ATG systems, that were exposed online without passwords and changed displayed readings but reportedly could not alter actual fuel volumes. No physical damage has been reported, but officials warned the access could potentially hide leaks or create other safety and critical-infrastructure risks. — Gas stations and operators using older internet-connected monitoring gear may be at risk right now, especially if devices are reachable online without authentication. Operators should immediately remove ATG systems from direct internet exposure, require passwords, and review logs and display anomalies.
Sources: In Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station Hacking, CISA warns of cyberattacks targeting fuel tank monitoring systems, In Other News: Anthropic Maps AI Threats, Unpatched Comodo Flaw, Palantir Chief Eyed for CISA (+1 more)
Sophos says ransomware operator used AI agents from Cursor and Claude to build EDR-evasion and Active Directory attack tools
Sophos says it found a ransomware attack toolkit in a customer environment that was built with help from AI coding agents and used to hide from security software and map a victim's Windows network. The framework included Cobalt Strike traffic-masking profiles, Telegram-based command and control, a Cloudflare Worker redirector, and Python tools that generated Rust and Go payloads for evasion and execution. Sophos found operator logs referencing a ransom note and organizations listed on a ransomware leak site, indicating criminal use rather than legitimate red-team testing. — This shows AI tools are being used to speed up real ransomware tradecraft, especially defense evasion and internal network discovery. Defenders should review detections for Telegram and Cloudflare-backed command channels, unusual payload loaders, and suspicious Active Directory reconnaissance, and treat AI-assisted malware development as an operational threat rather than a theory.
Sources: AI-built ransomware toolkit automates EDR evasion, AD discovery, In Other News: Anthropic Maps AI Threats, Unpatched Comodo Flaw, Palantir Chief Eyed for CISA
Five Eyes warn China is using LinkedIn, Indeed and Upwork to recruit people with access to state secrets
MI5 and allied intelligence agencies warned that Chinese intelligence officers and their proxies are using job and networking platforms including LinkedIn, Indeed, and Upwork to spot and cultivate people with access to classified or otherwise sensitive government information. The advisory says the operators pose as recruiters, consultancies, think tanks, or research clients, rank applicants by likely access, request trial reports, then move conversations to encrypted messaging and pay through services such as PayPal, Zelle, Wise, Western Union, or cryptocurrency in exchange for non-public information. — This is a real-world espionage and social-engineering threat aimed at government, defense, foreign-affairs, academic, media, and policy workers. People in or near sensitive roles should treat unsolicited research, consulting, or recruiter outreach on these platforms as potentially hostile, report suspicious contact, and avoid sharing resumes or non-public work details casually.
Sources: Five Eyes: Watch out for odd LinkedIn connection requests, China's back on the hunt for state secrets, Five Eyes warn Chinese spies are using job sites to recruit insiders, Five Eyes: Chinese Spies Target Government, Military Staff With Fake Job Opportunities
Pink extortion group uses fake help-desk calls and MFA phishing to steal Microsoft 365 and cloud data
A newly identified extortion group called Pink is calling employees while pretending to be IT support, then stealing account credentials and company data to demand payment. Palo Alto Networks Unit 42 says the group, tracked as CL-CRI-1147 and likely linked to the criminal network known as The Com, uses voice phishing and fake help-desk interactions to capture passwords and multifactor authentication (MFA) approvals, then raids services such as SharePoint, OneDrive, and Microsoft Teams. Unit 42 said Pink's leak site went live on May 31 and published domains and IP addresses tied to the campaign as indicators of compromise. — This matters to organizations that rely on cloud productivity tools because attackers do not need malware or software flaws if they can talk staff into handing over access. Companies should warn staff about unsolicited help-desk calls, tighten help-desk identity checks, review Microsoft 365 logs, and block or investigate the listed phishing infrastructure immediately.
Sources: Pink is the latest goon squad to use fake helpdesk calls to steal creds
Russia moves to label Belarusian Cyber Partisans and Silent Crow as extremist groups after anti-Kremlin cyberattacks
Russia is asking its Supreme Court to ban Belarusian Cyber Partisans and Silent Crow as extremist organizations, a designation that can outlaw their activities, block their websites and channels, and expose associates to criminal penalties. The move follows the groups' claimed attacks on Russian and Belarusian government and infrastructure targets, including the July 2025 Aeroflot disruption that canceled more than 100 flights and allegedly involved data theft and destruction of airline IT systems. No CVE or software flaw is cited; this is a state action tied to politically motivated hacking and online speech. — This matters because Russia is using an extremism label against online groups tied to cyber operations, which can expand censorship and criminalize access to related information channels. People following these groups, especially in Russia, may face blocking or legal risk, while defenders and researchers should watch for knock-on effects on threat visibility and attribution.
Sources: Russia seeks to label two anti-Kremlin hacker groups as ‘extremist’
Proofpoint says TA4922 is targeting European organizations with new Atlas RAT malware and phishing lures
A Chinese-speaking cybercrime group is using new malware and localized phishing messages to break into organizations in Europe and beyond. Proofpoint says TA4922, linked to activity overlaps with Silver Fox and Void Arachne, has targeted entities in Germany, Italy, the United Kingdom, South Africa, and parts of Southeast Asia since March 2026 using payroll, tax, VAT, invoice, and HR lures sent by email and messaging apps including WhatsApp, LINE, and Microsoft Teams. The campaigns deploy Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT for remote access, file theft, credential theft, keylogging, screenshots, and webcam or audio capture. — Organizations in the targeted regions should treat this as an active intrusion and phishing threat, especially finance, HR, and compliance teams that may receive convincing local-language messages. Defenders should hunt for the named malware families and remote-management tools, tighten phishing controls, and warn staff to verify unexpected payroll, tax, invoice, or compliance messages across email and chat platforms.
Sources: Chinese hackers use new Atlas RAT malware in European cyberattacks, Chinese Cybercrime Group in Spotlight for Record Campaign Pace, China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa
Espionage hackers spent 150 days inside a senior executive’s email at a major global stock exchange
Hackers secretly monitored and stole email data from a senior executive at a major global stock exchange for about five months. Broadcom’s Symantec and Carbon Black teams said the intrusion began in October 2025 and lasted until March 2026, with malware on the victim’s device disguised as Adobe and OneDrive software, scheduled-task persistence masked as Adobe, Lenovo, and OneDrive services, and exfiltration of Outlook mailbox data in small archives via Dropbox and OneDrive. The initial access method and the victim exchange were not disclosed, but investigators published indicators of compromise. — This is a high-impact espionage case because a stock exchange executive’s mailbox can expose market-moving information, internal deliberations, contacts, and travel details. Financial institutions and other high-value targets should hunt for the published indicators, review executive mailbox and endpoint activity, and scrutinize cloud-storage exfiltration and suspicious scheduled tasks.
Sources: Hackers Target Global Stock Exchange in Espionage Operation, Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months
U.S. sanctions Iran’s Nobitex crypto exchange over ransomware- and IRGC-linked transactions
The U.S. sanctioned Nobitex, Iran’s largest cryptocurrency exchange, saying it helped process transactions tied to ransomware actors and Iran’s Islamic Revolutionary Guard Corps. The Treasury’s Office of Foreign Assets Control also designated Nobitex executives and targeted other Iranian exchanges including Wallex, Bitpin, and Ramzinex as part of its "Economic Fury" campaign, alleging sanctions evasion and terrorist-financing support rather than a software flaw or CVE-tracked vulnerability. — This matters because ransomware groups and state-linked actors depend on payment channels to move money, and sanctions can disrupt those routes while raising compliance risk for exchanges, companies, and users who interact with them. Organizations handling crypto exposure should review sanctions screening and watch for links to designated wallets and entities.
Sources: The U.S. sanctions Nobitex crypto exchange used by ransomware
CISA warns Linux kernel container-escape flaw CVE-2022-0492 is being exploited in the wild
CISA says attackers are now exploiting a Linux kernel bug that can let someone break out of a container and gain root-level control on the host system. The flaw, CVE-2022-0492, is an improper authentication issue in Linux cgroups v1 that allows modification of the release_agent mechanism, enabling privilege escalation and container escape; CISA added it to the Known Exploited Vulnerabilities catalog after Kaspersky reported real-world exploitation, and federal agencies were told to patch by June 5. — Organizations running Linux containers could be at risk of full host compromise if affected systems are unpatched. This is urgent for cloud, server, and platform teams: identify systems using cgroups v1, apply available kernel fixes, and review container hardening and isolation settings immediately.
Sources: Organizations Warned of Exploited Linux Kernel Vulnerability, CISA warns of active attacks exploiting Android, Linux bugs
Russia's FSB says foreign intelligence planted spyware on senior officials' phones
Russia's domestic security service says foreign intelligence agencies hacked the mobile phones of senior Russian officials to spy on them. The FSB alleges malware on the devices collected correspondence, calls, geolocation, contact lists, and audio and video from the phones and their surroundings, and claims the operation relied on infrastructure from major international technology companies, including content delivery and security providers. No spyware family, infection method, or technical evidence was disclosed. — If true, this would be a significant government-targeted mobile espionage campaign with potential impact on sensitive state communications and surveillance exposure. Defenders should watch for technical indicators or vendor confirmations before taking the claims at face value, but mobile-device compromise at this level is high consequence.
Sources: Russia claims foreign spy agencies hacked officials' phones
DriveSurge hijacks thousands of legitimate websites to push ClickFix and fake browser update malware
A threat actor called DriveSurge has compromised thousands of real websites and is using them to redirect visitors into malware traps. Silent Push says the actor operates as an initial access broker, using the zTDS traffic distribution system to decide whether each visitor sees a ClickFix lure that tricks them into running malicious PowerShell commands or a FakeUpdate page posing as browser updates for Chrome, Firefox, Edge, Safari and others; researchers also found macOS-targeting JavaScript and more than 80 malicious injection domains. — People can get infected just by visiting a legitimate site that has been silently hijacked, so the risk extends beyond obviously shady pages. Organizations should hunt for the identified JavaScript injection patterns and domains, and users should only update browsers through the built-in updater and never paste commands from pop-ups into Terminal or PowerShell.
Sources: Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks
Dutch police say they disrupted a botnet of at least 17 million infected devices after tracing 200 servers in the Netherlands
Dutch police say they helped dismantle a botnet made up of at least 17 million compromised devices, with 200 supporting servers traced to the Netherlands and seized or shut down with help from a hosting provider. Authorities and NCSC-NL did not name the botnet or specify the exact malware family, but said affected devices likely included poorly secured routers, mobile devices, and Internet of Things hardware commonly abused for phishing, distributed denial-of-service attacks, and online fraud. — A botnet this large can be used to hide attacks, knock services offline, and abuse ordinary people's devices without their knowledge. Users and organizations should check internet-connected devices for updates, replace default passwords, and avoid unofficial app sources while defenders watch for follow-on indicators once police release more details.
Sources: Dutch cops wrest 17M devices from mystery botnet's clutches, Dutch govt disrupts malware botnet with 17 million infected devices, Dutch Police Dismantle Massive 17-Million-Device Botnet
Kaspersky says previously unknown hacking group spent nearly two years phishing Russian maritime universities, diplomats and energy organizations
A previously unknown hacking group quietly targeted Russian maritime schools, diplomatic missions, energy facilities, government agencies and financial institutions for nearly two years. Kaspersky says the campaign dates back to at least 2024 and used phishing emails with ZIP attachments containing a malicious file disguised as a Microsoft Excel configuration file; recent attacks starting in January 2026 used the Ravage post-compromise framework from GitHub to run commands, move files and capture screenshots. The company did not name the group, provide victim totals, or attribute the activity to a known state or criminal actor. — This is a sustained espionage-style campaign against sensitive Russian sectors, showing that simple phishing attachments are still effective and that publicly available offensive tools are being folded into real operations. Organizations in similar sectors should review email defenses, hunt for Ravage-related activity, and investigate suspicious Excel-launched processes and dormant compromises.
Sources: Unknown hacker group targeted Russian maritime universities, diplomats for nearly two years
Suspected Pakistan-linked SideCopy phishing campaign targets Afghanistan finance officials with XenoRAT malware
Afghan Ministry of Finance and provincial government officials were targeted in a phishing campaign that installed remote-access malware on victims' computers. Seqrite attributed the activity with medium-to-high confidence to the Pakistan-linked SideCopy group, which used Pashto-language lure documents inside ZIP archives and delivered them through compromised Afghan government server infrastructure; opening the file installed XenoRAT, a remote access trojan, which then contacted attacker-controlled servers in Europe. — This matters because it shows a suspected state-linked espionage operation aimed at government financial and provincial officials, using trusted local-language lures and compromised government infrastructure to improve success. Afghan public-sector defenders should investigate suspicious ZIP attachments, review access to government-hosted domains, and hunt for XenoRAT-related activity.
Sources: Afghan finance officials targeted by suspected Pakistani cyberespionage campaign
European intelligence officials warn Russia is intensifying espionage and cyber intrusions to steal sanctioned Western technology
European intelligence officials say Russia is increasingly using fake companies, middlemen, and cyber operations to steal Western technology, defense know-how, and software restricted by sanctions. The reported targets include defense research, dual-use camera and laser technology, machine-tool software updates, and critical infrastructure reconnaissance in Sweden, Finland, and the U.K. Officials also said Russia-linked actors attempted a destructive intrusion against a Swedish power plant last year but were detected before causing damage. — This matters to companies in defense, manufacturing, research, and critical infrastructure because they may be targeted both for theft and for pre-attack reconnaissance. Organizations should scrutinize customers and intermediaries for sanctions evasion, harden networks used for industrial systems, and watch for state-linked phishing, intrusion, and supply-chain targeting.
Sources: Russian Spies Are Aggressively Seeking Western Technology as Sanctions Bite, Officials Say
Charter confirms breach after ShinyHunters claims it stole customer data through a vishing attack
Charter Communications says it suffered a security incident after the ShinyHunters extortion group threatened to leak stolen data. The attackers claim they breached Charter on April 1 by using voice phishing (vishing) to compromise an employee's Microsoft Entra account, then used access to Charter's Salesforce environment to export about 40 million customer records, including names, contact details, plan information, support tickets, and some customer proprietary network information (CPNI); Charter disputes that sensitive personal data or CPNI was exfiltrated. — Charter serves tens of millions of customers, so even partial account and service data exposure could create follow-on phishing, fraud, and impersonation risks. Affected users should watch for targeted calls and emails referencing Spectrum or account details, while defenders should review identity-provider protections, help-desk verification, and Salesforce access logs.
Sources: Charter confirms data breach after ShinyHunters extortion threat, Charter Communications data breach affects 4.9 million accounts, ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak (+1 more)
WithSecure links new Russia-aligned GreyVibe campaign to phishing and malware attacks on Ukrainian targets
Researchers say a previously undocumented Russia-linked group called GreyVibe has targeted Ukrainian military, government, civilian, and business organizations since August 2025. WithSecure says the actor used at least six spear-phishing campaigns, fake adult-club websites, Telegram and dating-site lures, and file-sharing links to deliver PhantomRelay and LegionRelay malware on Windows and Fallspy on Android; the report also says the group used ChatGPT, Gemini, Ideogram, and other generative artificial intelligence tools across lure creation, malware development, obfuscation, and post-compromise tooling. — This matters because it describes an active espionage-focused campaign against Ukrainian targets and shows how lower-sophistication operators can use generative artificial intelligence to scale convincing phishing and malware operations. Organizations supporting Ukraine should review indicators, harden email and mobile defenses, and warn users about archive-based lures, fake personas, and links delivered over chat and dating platforms.
Sources: Russia-Linked ‘GreyVibe’ Attackers Use AI to Supercharge Cyberattacks, GreyVibe hackers use ChatGPT, Gemini to power cyberattacks, Russia-linked threat group put ChatGPT to work from lure to payload
Carnival confirms ShinyHunters-linked data breach affecting nearly 6 million cruise customers
Carnival Corporation says attackers stole customer data after socially engineering an employee and accessing part of its IT systems, affecting 5,995,277 people. The company says the intrusion was identified on April 14, 2026 and data theft was confirmed on April 22; ShinyHunters had claimed the breach in April and said it stole millions of records. Exposed data reportedly includes names, dates of birth, email addresses, gender, location, and loyalty-program details tied to Holland America's Mariner Society. — This is a major consumer data breach involving sensitive personal information that could fuel phishing, impersonation, and account-targeting scams. Affected customers should watch for breach notices, be cautious of unsolicited calls or emails referencing cruises or loyalty programs, and change passwords anywhere they were reused.
Sources: Carnival Cruise confirms data breach affecting nearly 6 million people, Carnival confirms ShinyHunters cruised off with 6M customer records after April breach, Carnival Data Breach Exposed 6 Million People (+1 more)
Romanian hacker sentenced in U.S. for selling access to Oregon state government network
A Romanian hacker was sentenced in the United States for breaking into an Oregon state government office and selling that network access to others. Catalin Dragomir admitted hacking the state office in June 2021, selling access for $3,000 in Bitcoin, and trafficking data from at least 10 other U.S. organizations; the Justice Department said the broader activity caused more than $250,000 in losses. He received a 4-year, 8-month prison sentence after extradition from Romania. — This is a reminder that stolen network access to government systems is an active criminal market, not just a one-off intrusion. Public agencies and contractors should review identity controls, monitor for unauthorized remote access, and ensure former or unusual accounts and access paths are investigated quickly.
Sources: Romanian Hacker Sentenced to Prison in US for Selling Access to State Network, Romanian national sentenced to more than 4 years for hacking Oregon government systems, Romanian gets 5 years in prison for hacking Oregon govt network
CrowdStrike, Google and Shadowserver disrupt GlassWorm botnet targeting Visual Studio, npm, PyPI and GitHub developers
Security firms say they disrupted the GlassWorm botnet, a malware operation that infected developers and open source software ecosystems and could be used to steal credentials and cryptocurrency wallet data and to give attackers remote access to infected machines. CrowdStrike says GlassWorm spread through trojanized Visual Studio extensions on OpenVSX and later through GitHub and compromised Python projects, while using Solana blockchain transactions, Google Calendar, BitTorrent and VPS-hosted servers as layered command-and-control channels. The malware hid code with Unicode variation selectors and stole npm, GitHub and Git credentials, creating downstream software supply-chain risk. — This matters because a compromise of developers can spread to the software and updates many other organizations rely on. Teams should check for beaconing to 164.92.88[.]210, investigate developer machines and repositories for compromise, rotate exposed credentials, and review software supply-chain protections.
Sources: GlassWorm Botnet Disrupted, Glassworm botnet disrupted after resilient C2 infrastructure takedown, CrowdStrike, Google shatter Glassworm botnet
Researchers link LA Metro cyberattack to Iranian government hackers after disruptive March breach
Researchers say the March cyberattack on Los Angeles Metro was likely carried out by Iranian state-linked hackers, not just a self-described hacktivist group. LA Metro said the breach caused internal operational disruption and required hundreds of servers to be checked before restoration, while the attackers claimed to have wiped hundreds of terabytes and stolen more than 1 terabyte of data. Gambit linked the operation to infrastructure associated with Black Shadow, a group previously attributed to Iran's Ministry of Intelligence and Security, and said the attackers also accessed systems including virtualization management, Microsoft IIS servers, and a train-monitoring operational technology system. — A breach at a major transit agency raises concern not only about data theft but also about disruption to public services and potential access to operational systems. Transit operators and other public-sector defenders should review exposure of administrative platforms and monitoring systems, hunt for data theft and destructive activity, and treat claimed hacktivist incidents as possible state-backed operations.
Sources: LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers, Iranian intelligence service behind hack of LA transit system, researchers say
Attackers exploited KnowledgeDeliver zero-day CVE-2026-5426 to install web shells and backdoors on LMS servers
Hackers used a previously unknown flaw in Digital Knowledge’s KnowledgeDeliver learning platform to break into servers and plant persistent malware. Mandiant says CVE-2026-5426 affects KnowledgeDeliver deployments before February 24, 2026, because a standardized ASP.NET web.config file contained hardcoded machineKey values, enabling ViewState deserialization attacks for remote code execution. The observed intrusions deployed Godzilla web shells, altered JavaScript to show fake plugin alerts, and ultimately installed a tailored Cobalt Strike backdoor. — Organizations using KnowledgeDeliver, especially enterprise and education users, may already be compromised, not just vulnerable. Admins should urgently rotate machine keys, restrict access to the LMS, hunt for the published indicators of compromise, and check for web shells, modified JavaScript, and follow-on malware.
Sources: Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment, KnowledgeDeliver flaw exploited as a zero-day to install web shells
Lithuania investigates leak of more than 600,000 national register records after suspected foreign access using institutional credentials
Lithuania says more than 600,000 entries from national data registers were leaked after someone used login credentials belonging to authorized institutions. Prosecutors said the exposed data came mainly from real-estate and legal-entity registers; authorities suspect a foreign country was involved and have tightened access by blocking suspected accounts and forcing credential updates. — This is a major government-data exposure with potential risks to ordinary citizens as well as officials, diplomats, and security personnel. Organizations with access to Lithuanian state registers should urgently review account use, rotate credentials, and check for unauthorized queries or data exports.
Sources: Lithuania Suspects Foreign Involvement in Data Leak of Over 600,000 National Register Entries, Lithuania investigates theft of 600,000 state registry records by foreign actor
Iran-linked Nimbus Manticore targets aviation and software companies with new MiniFast backdoor and fake job lures
An Iran-linked hacking group is using fake job offers and trojanized software downloads to break into aviation and software companies, including targets in Saudi Arabia, Australia, and the United States. Check Point says Nimbus Manticore (also known as Bohrium, TA455, and UNC1549) switched from DLL sideloading to AppDomain hijacking, using malicious .NET configuration files to load payloads, and deployed updated MiniJunk malware plus a new Windows DLL backdoor called MiniFast through ZIP files on OnlyOffice, a fake Zoom installer, and a fake SQL Developer site boosted with search-engine optimization. — This campaign shows continued state-linked targeting of sensitive industries during heightened regional tensions, with lures that can fool both job seekers and employees downloading familiar tools. Organizations in aviation, defense-adjacent, and software sectors should warn staff about recruiter and installer lures, review detections for MiniJunk and MiniFast, and hunt for suspicious .config-based AppDomain hijacking activity.
Sources: Iranian APT Targets Aviation, Software Companies With Updated Tools
7-Eleven discloses breach of franchisee document systems after ShinyHunters claims
7-Eleven disclosed that attackers accessed systems used to store franchisee documents, with stolen data including names, addresses, and Social Security numbers. The company said it discovered the breach on April 8 and reported it to state regulators in Maine, Vermont, and Massachusetts. The disclosure follows ShinyHunters' late-April claim that it stole 7-Eleven data allegedly stored on Salesforce. — The breach exposes sensitive personal data tied to U.S. franchise operations, creating identity theft and follow-on phishing risk for affected individuals. Defenders and franchisees should watch for extortion fallout, credential abuse, and notices clarifying scope and attack path.
Sources: 7-Eleven confirms breach after ShinyHunters claims, 7-Eleven data breach exposes personal information of 185,000 people, 185,000 Likely Impacted by 7-Eleven Data Breach
Dutch investigators seize 800 servers tied to Stark Industries hosting network allegedly used for cyberattacks and disinformation
Dutch authorities say they seized 800 servers and arrested two men linked to a hosting operation that allegedly helped cyberattacks, disruption campaigns, and online disinformation. Investigators said the action targeted infrastructure connected to Stark Industries, an EU-sanctioned hosting provider, and two Dutch companies allegedly used to keep its services running after sanctions; reporting links the network to pro-Russian distributed denial-of-service (DDoS) activity by NoName057(16). — This matters because the seizure hits infrastructure allegedly used to support both cyberattacks and influence operations in Europe. Defenders, hosting providers, and abuse teams should watch for fallout such as service migration, replacement infrastructure, and renewed DDoS activity from the same actors.
Sources: Netherlands seizes 800 servers of hosting firm enabling cyberattacks, Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks, Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands (+1 more)
Kremlin appoints former Rostec cyber executive reportedly linked to GRU Unit 26165 to Russian Security Council post
Russia has appointed a former cybersecurity executive reportedly tied to a military intelligence hacking unit to a senior Security Council role. The Record reports that Andrei Kozlov, formerly of Rostec's RT-Information Security and a Russian cybersecurity industry association, was named an aide to Security Council Secretary Sergei Shoigu; leaked data cited by The Insider allegedly links him to GRU Military Unit 26165, widely tracked as Fancy Bear or APT28, a group long accused of espionage, credential theft and influence operations. — This matters because it may show direct overlap between Russia's state security leadership and a unit publicly tied to past hacking and disinformation campaigns. Defenders and policymakers should treat it as contextual evidence when tracking future APT28 operations, influence activity and Russian state cyber posture.
Sources: Kremlin appoints cyber executive with alleged GRU ties to Security Council role
Underminr CDN routing flaw lets attackers disguise malicious traffic as connections to trusted domains
Researchers say attackers are exploiting a weakness in shared content delivery network (CDN) infrastructure to make malicious connections look like they are going to legitimate websites. The technique, dubbed Underminr, is described as a variant of domain fronting that abuses mismatches between DNS lookups, server name indication (SNI), HTTP Host headers, edge IP addresses, and CDN tenant routing; ADAMnetworks says it affects roughly 88 million domains and has been used to bypass Protective DNS filtering, conceal command-and-control traffic, and tunnel VPN or proxy connections over TCP port 443. — Organizations that rely on DNS filtering or allowlists could miss malicious outbound traffic that appears to be headed to trusted domains. Defenders should review CDN egress controls, correlate DNS, SNI, Host header, and destination IP telemetry, and watch for guidance or mitigations from affected providers.
Sources: ‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains
Canadian police arrest alleged Kimwolf botnet operator over record-scale DDoS attacks
Canadian authorities arrested Ottawa resident Jacob Butler, who allegedly operated online as “Dort,” and U.S. prosecutors unsealed charges accusing him of running the Kimwolf Internet-of-Things botnet that hijacked millions of connected devices. The complaint says Kimwolf infected devices such as cameras and digital photo frames, issued more than 25,000 attack commands, powered distributed denial-of-service attacks measured at nearly 30 terabits per second, and was also rented to other criminals; the case follows March seizures of Kimwolf infrastructure and related botnets Aisuru, JackSkid, and Mossad. — This matters to internet providers, enterprises, and anyone running exposed connected devices because it shows how insecure Internet-of-Things products can be turned into large-scale attack infrastructure. Defenders should keep internet-facing devices patched, disable unnecessary exposure, and review mitigations tied to the exploitation path Kimwolf used to spread.
Sources: Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada, US and Canada arrest and charge suspected Kimwolf botnet admin, Canadian Man Arrested for Operating Kimwolf Botnet (+1 more)
Europol-led operation seizes First VPN service used by ransomware and cybercrime actors
French and Dutch authorities, with Europol and partners from 16 countries, seized 33 servers and multiple domains tied to the 'First VPN' service, which investigators say was widely used in ransomware, fraud, and data-theft attacks. Authorities arrested or questioned a Ukrainian administrator, infiltrated the service, and said intelligence from the takedown identified thousands of users, with 506 users and 83 intelligence packages shared internationally. — The takedown targets a criminal privacy service that allegedly supported major cybercrime operations and may generate follow-on investigations into ransomware and data-theft cases. Defenders and incident responders should watch for new attribution and victim-notification leads emerging from the seized data.
Sources: Police seize “First VPN” service used in ransomware, data theft attacks, Europe dismantles VPN service used by cybercriminals to hide ransomware attacks, ‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested
Grafana GitHub breach traced to missed token rotation after TanStack npm supply-chain attack
Grafana says attackers gained access to its private GitHub repositories after a GitHub workflow token was missed during rotation following the TanStack npm supply-chain attack. The malicious TanStack package executed in Grafana's CI/CD environment, exfiltrated workflow tokens, and led to theft of source code plus some operational business contact information. Grafana says no customer production systems or cloud data were affected. — This matters to defenders because it shows how downstream victims of an npm supply-chain compromise can remain exposed if token rotation is incomplete. Organizations using GitHub Actions and affected TanStack packages should review CI/CD secrets, token scope, and repository access logs.
Sources: Grafana breach caused by missed token rotation after TanStack attack, TanStack weighs invitation-only pull requests after supply chain attack, GitHub links repo breach to TanStack npm supply-chain attack (+1 more)
Belarus-linked GhostWriter uses fake Prometheus training certificates to phish Ukrainian government officials
Belarus-linked hackers are sending fake course-certificate emails to Ukrainian government staff to infect their computers with espionage malware. CERT-UA says the campaign, active since spring 2026, uses compromised email accounts and messages posing as Ukraine’s Prometheus learning platform; a PDF leads victims to a ZIP that installs OysterFresh, then OysterBlues and OysterShuck, which collect host and user details and may later deliver Cobalt Strike. — This is a targeted government espionage campaign, so affected organizations should treat related Prometheus certificate emails as suspicious, hunt for the named malware and infrastructure, and isolate infected systems quickly. For users, the practical takeaway is not to open certificate attachments or download archives from unexpected training-platform emails, even if they come from known contacts.
Sources: Belarus-linked hackers use fake training certificates to target Ukrainian officials
China-linked Calypso hackers target telecom providers with Showboat Linux malware and JFMBackdoor for Windows
A China-linked hacking group has been targeting telecommunications providers in Asia Pacific and parts of the Middle East with new malware for both Linux and Windows systems. Researchers at Lumen Black Lotus Labs and PwC attributed the campaign to Calypso, also called Red Lamassu, and say it has been active since at least mid-2022. The Linux implant, Showboat, is a modular post-compromise framework used for persistence, file transfer, and SOCKS5 proxying to move through victim networks, while the Windows implant, JFMBackdoor, uses DLL sideloading and supports remote commands, file operations, registry changes, screenshots, and anti-forensics. — Telecom providers are high-value targets because they sit in the middle of sensitive communications and critical infrastructure. Organizations in the sector should hunt for these malware families and related telecom-themed impersonation domains, review persistence mechanisms and proxy activity, and check Linux and Windows systems for signs of long-term intrusion.
Sources: Chinese hackers target telcos with new Linux, Windows malware
GitHub confirms breach of roughly 3,800 internal repositories via malicious VS Code extension
GitHub confirmed that an employee device was compromised after installing a trojanized VS Code extension, leading to exfiltration of roughly 3,800 internal repositories. The company says it removed the malicious extension from the VS Code Marketplace, isolated the endpoint, and found no evidence that customer data stored outside the affected repos was impacted. TeamPCP claimed responsibility and advertised the stolen code for sale. — This is a significant source-code breach at a core software development platform, with potential downstream supply-chain and trust implications. GitHub users and defenders should watch for follow-on disclosures about exposed secrets, internal tooling, or abuse tied to the stolen repositories.
Sources: GitHub confirms breach of 3,800 repos via malicious VSCode extension, GitHub investigates internal repositories breach claimed by TeamPCP, GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos (+4 more)
Ukraine identifies infostealer operator linked to theft of 28,000 online store accounts
Ukrainian cyberpolice, working with U.S. law enforcement, identified an 18-year-old suspect from Odesa as a central operator in an infostealer campaign that stole browser sessions and credentials from users of a California online store between 2024 and 2025. Authorities say 28,000 accounts were compromised, 5,800 were used for unauthorized purchases totaling about $721,000, and devices and crypto-related evidence were seized in searches. — The case highlights ongoing risk from infostealers and stolen session tokens, which can enable account takeover and sometimes bypass MFA. Online retailers, fraud teams, and users should treat session theft as a significant threat and review account security, monitoring, and token invalidation practices.
Sources: Ukraine identifies infostealer operator tied to 28,000 stolen accounts, Ukraine probes teen suspect in cyber theft scheme targeting California online shoppers
Attackers exploit SonicWall Gen6 SSL-VPN MFA bypass CVE-2024-12802 after incomplete remediation
ReliaQuest and SonicWall say attackers exploited CVE-2024-12802 on SonicWall Gen6 SSL-VPN appliances to bypass MFA when admins installed patched firmware but did not complete required LDAP reconfiguration steps. Intrusions observed from February to March involved brute-forced credentials, internal reconnaissance, RDP access, and attempted deployment of Cobalt Strike and a BYOVD tool across multiple sectors and geographies. — Organizations using SonicWall Gen6 SSL-VPN may still be exposed even if they believe they are patched, because firmware updates alone do not fully mitigate the flaw. Defenders should verify the manual remediation, hunt for listed indicators, and treat exposed Gen6 devices as potentially compromised.
Sources: Hackers bypass SonicWall VPN MFA due to incomplete patching
Microsoft disrupts Fox Tempest code-signing service used by ransomware and malware operators
Microsoft said it seized domains and hundreds of VMs tied to Fox Tempest, a criminal service that abused Microsoft Artifact Signing using more than 580 fraudulent accounts created with fake identities. The operation allegedly sold code-signing certificates used to sign malware including Oyster, Lumma, Vidar, and Rhysida, and was linked to ransomware actors including Vanilla Tempest as well as INC, Qilin, and Akira affiliates. — Trusted code-signing helps malware bypass user suspicion and some security controls, so this service likely enabled broader, more effective intrusions. Defenders should review detections and hunting for suspicious signed binaries and malware families named by Microsoft.
Sources: Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware
SentinelOne details Reaper macOS stealer variant that steals credentials and crypto wallets and installs a persistent backdoor
SentinelOne documented Reaper, an updated SHub macOS infostealer delivered via fake WeChat and Miro installer sites spoofing trusted brands and abusing Script Editor instead of Terminal. The malware steals passwords, browser and Keychain data, Telegram sessions, and cryptocurrency wallet data, injects some wallet apps for continued theft, and installs a LaunchAgent-backed backdoor that beacons to C2 and can execute attacker-supplied code. — macOS users are being targeted with a more evasive stealer that bypasses recent Apple defenses against Terminal-based social engineering. Defenders should block the typosquatted infrastructure, hunt for the fake GoogleUpdate persistence path and LaunchAgent, and warn users about malicious installer lures.
Sources: Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them