ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

The ACR Stealer malware, active since 2024, is capable of exfiltrating sensitive data including browser passwords, active session tokens, PDFs, and Microsoft 365 files from synced cloud storage. It achieves initial access through user execution of malicious commands, as detailed by Microsoft's Defender Experts team.

New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

Cybersecurity researchers have identified a new malware named GoSerpent, in use since late 2025, specifically targeting government and diplomatic entities in Southeast Asia. The malware, discovered by Kaspersky, is designed for long-term access and intelligence gathering, suggesting a sophisticated espionage campaign.

Fake TTF files deliver stealthy malware in global phishing campaign

Threat actors are employing a global phishing campaign that abuses standard TrueType Font (TTF) files to deliver stealthy malware. This campaign uses heavily obfuscated JavaScript and a Lua-based loader disguised as a font file to evade detection and install malware like RATs and infostealers.

New ClickLock macOS malware traps users into revealing login password

A new macOS malware named ClickLock has been discovered that terminates visible processes, tricking users into entering their system login password. This information stealer aims to capture the password entered by the unsuspecting user. The malware is distributed through malicious installers disguised as legitimate software.

1M+ Emails Use Hidden Text to Dupe AI Security Filters

A recent article highlights how over a million emails are employing a technique called 'text salting' to bypass AI-powered security filters. This method involves embedding hidden text within emails, making them appear legitimate to AI and thus increasing the success rate of phishing campaigns.

New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

A new modular malware named TELEPUZ has been observed spreading since late April 2026, utilizing websites infected with ClickFix lures. This malware is described as full-featured, lightweight, and modular, with capabilities for data theft and command execution.

20+ Hijacked Government Websites Became
an Attack Channel

Over 20 Brazilian government websites have been compromised and used as a distribution channel for malware by the PhantomEnigma threat group. The campaign, uncovered by ANY.RUN, also revealed new backdoor functionalities and hidden infrastructure details.

Russian hackers trojanize WebEx, Zoom apps to push Starland malware

A financially motivated Russian threat actor known as UAT-11795 is distributing a new backdoor malware called Starland RAT by trojanizing legitimate WebEx and Zoom applications. This malware is designed to steal user credentials and cryptocurrency from infected systems.

New Spirals ransomware encrypts victim network in under 24 hours

A new ransomware variant named Spirals has been observed rapidly encrypting victim networks within a 24-hour timeframe, encompassing initial access, data exfiltration, and final encryption. This rapid attack cycle highlights the increasing efficiency of ransomware operations.

Srsly Risky Biz: Ransomware Uses AI To Amp Up Negotiations

Ransomware operators are reportedly leveraging artificial intelligence to enhance their negotiation tactics. This development allows them to craft more persuasive and personalized demands, potentially increasing their success rate in extorting victims.

Police Disrupt a €140M Cyber Fraud Ring in Spain

Spanish police have dismantled a significant cyber fraud ring that generated an estimated €140 million through various online attacks. The group's activities included phishing, malware distribution, and other forms of cybercrime, with proceeds being laundered through sophisticated financial schemes.

Cyberattack threatens utterly critical infrastructure in Japan: KFC

A cyberattack has significantly disrupted operations at KFC Japan, impacting its online ordering system and potentially leading to store closures. The attack targeted a logistics partner, causing its systems to go offline and halting the delivery of crucial supplies.

CVE-2026-25089: Fortinet FortiSandbox OS Command Injection Vulnerability

A critical OS command injection vulnerability (CVE-2026-25089) has been identified in Fortinet FortiSandbox products. An unauthenticated attacker can exploit this flaw via crafted HTTP requests to execute unauthorized commands. Organizations are urged to apply vendor-provided mitigations and adhere to CISA's risk-based patching guidance.

Dutch police bust investment fraud ring stealing over €100 million

Dutch police have arrested suspects in a large-scale investment fraud ring that allegedly defrauded tens of thousands of victims out of over €100 million. The criminal group operated internationally, using fake investment platforms and social media to lure victims. Authorities seized assets and are continuing investigations into the full extent of the operation.

NPM ecosystem hit with two new supply chain compromises

Two significant supply chain compromises have affected the npm ecosystem, impacting multiple packages from AsyncAPI and Jscrambler Code Integrity. Attackers gained access through compromised development credentials and exploited a known vulnerability in GitHub Actions CI/CD workflows to inject malware into open-source packages. Affected organizations are advised to rebuild systems from clean images and rotate all credentials.

Identity Attacks Overtake Exploits as Top Ransomware Cause

Email-based attacks have surpassed exploit kits as the primary entry point for ransomware. Despite widespread adoption of multifactor authentication (MFA), it was ineffective in 97% of credential-based attacks, failing to prevent compromise.

Windows 0-day drops the same day Microsoft releases record number of patches

Microsoft has released a record number of patches for its operating systems and other products, addressing 76 vulnerabilities. Concurrently, a zero-day exploit dubbed HiveLegacy has surfaced, which researchers describe as a powerful primitive with the potential for further malicious activities.

TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

TuxBot v3 Evolution is a new IoT botnet framework that researchers believe was developed with the help of a large language model (LLM). While the AI generated code for the botnet, it included a disclaimer, indicating the developer did not fully implement the AI's suggestions.

Google Gemini CLI abused as a hacking agent, malware botnet operator

A Russian-speaking threat actor, "bandcampro," has been observed using Google's open-source Gemini Command Line Interface (CLI) as a hacking agent. This actor leveraged the AI tool to establish a small-scale botnet, demonstrating a novel abuse of generative AI capabilities for malicious purposes.

​ ​AsyncAPI npm packages infected with credential-stealing malware

Five malicious versions of AsyncAPI packages were published to the Node Package Manager (npm) as part of a supply-chain attack. These packages contained a remote access trojan designed to steal credentials and other sensitive information from infected systems.

OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

The OkoBot malware framework, active since April 2025 on Windows, includes a module specifically designed to phish users for their hardware wallet recovery phrases. This module injects fake recovery phrase prompts into legitimate desktop applications for Ledger and Trezor wallets on infected machines.

KAPE 101: A Kroll Artifact Parser and Extractor Cheatsheet

This article provides a cheatsheet for KAPE (Kroll Artifact Parser and Extractor), a tool used for efficiently locating, extracting, and parsing Windows forensic artifacts. These artifacts can be crucial for identifying adversary activity within the operating system.

Windows Bind Link Attacks Can Hide Malware From EDR Tools

Researchers at Bitdefender have discovered a new attack technique on Windows systems that leverages bind links. These links create conflicting filesystem views, allowing malware to evade detection by Endpoint Detection and Response (EDR) tools.

US charges alleged operators of Russian bulletproof hosting service

U.S. federal prosecutors have charged three Russian nationals for allegedly operating a bulletproof hosting service that supported ransomware gangs. This service is believed to have facilitated criminal activities resulting in over $62 million in damages to victims globally.

LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts

Researchers have identified a new Rust-based remote access trojan (RAT) called LabubaRAT that disguises itself as NVIDIA software. This RAT aims to establish a persistent foothold on Windows hosts, allowing attackers to profile the system and potentially control it.

ClickFix's Mushrooming Ecosystem Demands New Defense Tactics

ClickFix, a newly emerged attack vector, is being offered for rent and can bypass standard antivirus and EDR solutions. The most effective detection method currently identified is YARA analysis, indicating a growing need for updated defense strategies against this evolving threat.

LastPass, Bitwarden users targeted with fake security alerts

LastPass is alerting its users to a phishing campaign that employs deceptive security alerts to lure victims to fake websites. These fraudulent notices are designed to trick users into divulging sensitive information. The campaign appears to be targeting users of both LastPass and Bitwarden password managers.

New phishing kits target Microsoft 365 accounts, evade MFA

Two new phishing kits, named Jalisco and OmegaLord, are actively targeting Microsoft 365 accounts. These kits employ advanced techniques designed to bypass multi-factor authentication (MFA), posing a significant threat to user credentials and sensitive data.

Phishing for dummies: Forg365 lowers barrier to M365 account takeovers

A new phishing-as-a-service platform called Forg365, distributed via Telegram, is making Microsoft 365 account takeovers more accessible to less-skilled attackers. The platform utilizes AI for lure creation, device-code abuse, and adversary-in-the-middle techniques to bypass authentication controls and maintain access.

Multiple Jscrambler Packages Impacted by Supply Chain Attack

A threat actor successfully poisoned several Jscrambler NPM packages, leading to the distribution of a cross-platform credential stealer. This supply chain attack targeted widely used JavaScript packages, compromising users who updated to affected versions.

148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet

A campaign involving 148 npm packages, presented as student web proxies, was discovered to have turned visitors' browsers into a distributed denial-of-service (DDoS) botnet for approximately two weeks in May. The malicious packages utilized the npm registry as free hosting for a booby-trapped proxy site, targeting students attempting to circumvent internet restrictions.

New CrashStealer malware poses as Apple crash reporting tool

A new macOS information-stealing malware named CrashStealer has been discovered. It disguises itself as Apple's legitimate crash-reporting tool to trick users into installing it, subsequently stealing sensitive data such as credentials, keychain information, and cryptocurrency wallet details.