OnlyFans creators are now acting as unexpected allies to CISOs of government and university organizations by leveraging DMCA takedown notices against malicious actors. These actors were previously exploiting compromised websites to host scams and malware, using stolen adult content to attract victims and monetize traffic.
Cybersecurity researchers have linked the April 2026 DigiCert security incident to a threat group named CylindricalCanine. This group is identified as a subgroup of GoldenEyeDog, a Chinese cybercrime entity previously associated with targeting the gambling and gaming industries.
This article covers several disparate cybersecurity and intelligence news items, including Iran's alleged tracking of US military phones, the emergence of CrashStealer malware targeting macOS, and a new blueprint for building secure AI models (CVD Blueprint). It also briefly mentions other stories like OpenClaw AI agents being exploited, ransomware impacting a naval defense firm, and a data breach at Lidl.
Cybercriminals are increasingly finding it difficult to use residential proxies for carding due to enhanced fraud detection. They are now combining proxies with other identity signals like browser fingerprints and device profiles to circumvent these defenses and improve their success rates.
North Korean threat actors are using steganography in SVG image files, hidden within fake coding tests and job postings, to deliver malware. The payload, aligned with the OTTERCOOKIE malware, includes components for stealing browser credentials, cryptocurrency, and files.
Military forces are under pressure to deploy autonomous capabilities rapidly, driven by investment and new defense strategies in the US, UK, and NATO. This race to accelerate acquisition necessitates a focus on trusted information infrastructure to keep pace with these advancements.
Armenia has detained a Russian tourist, Aleksandr Ermakov, based on a U.S. extradition request. The U.S. is seeking him as a suspect linked to the REvil ransomware group. However, the detained individual's wife claims the U.S. has arrested the wrong person, presenting a potential misidentification case.
Cybersecurity researchers have identified a new malware named GoSerpent, in use since late 2025, specifically targeting government and diplomatic entities in Southeast Asia. The malware, discovered by Kaspersky, is designed for long-term access and intelligence gathering, suggesting a sophisticated espionage campaign.
U.S. prosecutors have charged a man and a woman in New York for their involvement in a significant crime ring that laundered $43 million obtained through investment fraud scams. The charges stem from their alleged roles in facilitating the movement of illicit funds, which were derived from cyber-enabled investment schemes.
Russia's most sophisticated hacking groups are reportedly adopting the Clickfix social engineering technique to infect devices. This method, previously associated with financially motivated cybercriminals, is now being utilized by elite state-sponsored attackers.
Two hackers associated with the Scattered Spider group, Owen Flowers and Thalha Jubair, have been sentenced to five and a half years in prison each for their 2024 hack of Transport for London (TfL). The attack rendered 148 TfL systems inoperable and required all 27,000 employees to reset their passwords in person, resulting in significant losses and recovery costs for the transport authority.
Two individuals associated with the Scattered Spider hacking group have been sentenced to jail in the UK for a 2024 cyberattack. The attack specifically targeted Transport for London (TfL).
Two individuals associated with the cybercrime group Scattered Spider have been sentenced to prison for their roles in the 2023 cyberattack on Transport for London (TfL). This conviction marks the largest cybercrime prosecution in UK history.
Two key members of the Scattered Spider cybercrime group have been sentenced to five years and six months in prison each. This sentencing stems from their involvement in the 2024 hack of Transport for London (TfL). The conviction highlights the legal consequences for individuals engaged in sophisticated cyberattacks.
Over 20 Brazilian government websites have been compromised and used as a distribution channel for malware by the PhantomEnigma threat group. The campaign, uncovered by ANY.RUN, also revealed new backdoor functionalities and hidden infrastructure details.
The Daxin kernel-mode rootkit, linked to a China-affiliated threat actor, has reappeared after more than four years, infecting a manufacturing firm in Taiwan. Alongside Daxin, a new, previously unknown backdoor named Stupig has also been discovered.
A financially motivated Russian threat actor known as UAT-11795 is distributing a new backdoor malware called Starland RAT by trojanizing legitimate WebEx and Zoom applications. This malware is designed to steal user credentials and cryptocurrency from infected systems.
AI tools can now quickly aggregate and synthesize publicly available information about executives, creating a comprehensive profile that attackers can use for targeted social engineering attacks. This significantly reduces the time and effort required for reconnaissance, posing a new challenge for executive protection programs.
Spanish police have dismantled a significant cyber fraud ring that generated an estimated €140 million through various online attacks. The group's activities included phishing, malware distribution, and other forms of cybercrime, with proceeds being laundered through sophisticated financial schemes.
Dutch police have arrested suspects in a large-scale investment fraud ring that allegedly defrauded tens of thousands of victims out of over €100 million. The criminal group operated internationally, using fake investment platforms and social media to lure victims. Authorities seized assets and are continuing investigations into the full extent of the operation.
Security researchers have identified a new post-compromise tool named LegacyHive, allegedly developed by a prolific Microsoft tormentor. While initially hyped as a significant threat, experts now view it as a useful, albeit complex, tool for those with the technical expertise to implement it effectively.
The United States has charged several Russian individuals and firms with operating cybercrime services. These entities and individuals had previously been sanctioned by the US and its allies for their involvement in illicit cyber activities.
U.S. federal prosecutors have charged three Russian nationals for allegedly operating a bulletproof hosting service that supported ransomware gangs. This service is believed to have facilitated criminal activities resulting in over $62 million in damages to victims globally.
Cribl has acquired CardinalOps, a company specializing in detection engineering. This integration aims to enhance Cribl's platform by enabling customers to map detection rules and security controls to the MITRE ATT&CK framework, thereby identifying coverage gaps and operationalizing threat intelligence for SecOps teams.
Spanish police have dismantled a sophisticated cybercrime ring that defrauded victims out of €140 million through investment scams and business email compromise (BEC) attacks. Four individuals have been arrested as part of the operation, which also targeted money laundering activities associated with the illicit gains.
A threat actor has created nearly 300 GitHub repositories designed to impersonate legitimate software and security projects. These fake repositories are being used to distribute infostealer malware to unsuspecting users.
The cybercrime group D1R claimed to have stolen data from Synopsys and Bosch and threatened to release it unless a ransom was paid. Synopsys has investigated the claims and found no evidence to support a data breach at their company.
A Welsh administrator of the Doxbin website, Callum Dare, has been jailed for encouraging "swatting" incidents. He motivated others to conduct these dangerous hoaxes and created short videos from the footage of the incidents.
Attackers are using a technique called OAuth client ID spoofing to bypass security measures in Microsoft Entra ID environments. This allows them to validate stolen credentials without triggering login alerts, enabling account enumeration and further compromise.
The US and its allies have issued a warning about Russian state-sponsored advanced persistent threats (APTs) targeting critical infrastructure networks. These threat actors are compromising poorly secured routers to gain access to sensitive systems.
The U.S. Treasury Department has sanctioned two individuals and one entity for providing services that facilitated ransomware attacks. These sanctioned entities allegedly supplied VPN and malware services, thereby enabling cybercriminals to target U.S. organizations.
The U.S. Treasury Department has sanctioned a VPN service and a malware cryptor seller for facilitating ransomware attacks and other cybercriminal activities. These sanctions are aimed at disrupting the financial infrastructure supporting cybercrime, including attacks against American entities.
Attackers linked to the ShinyHunters group have been stealing data from Salesforce environments for the past year by exploiting existing trust relationships, primarily through OAuth connections, rather than exploiting platform vulnerabilities. This tactic allowed them to access corporate data by leveraging integrations with third-party vendors and applications.
Global security agencies have issued an advisory warning enterprises about the continued exploitation of poorly secured routers by Russian government-sponsored attackers. These actors leverage outdated SNMP protocols and weak authentication to gain access to device configurations, which can contain sensitive information.
US authorities including the NSA, FBI, and CISA have issued a warning about recent Russian cyberattacks targeting critical infrastructure in North America and Europe. The attackers are exploiting vulnerabilities and misconfigurations in routers, emphasizing the importance of timely security patching.
The UK and EU have jointly imposed sanctions on Russian individuals and entities, marking the first time such actions have been taken together. These sanctions are a response to alleged cyberattacks and disinformation campaigns conducted by Russia in the region. This coordinated action signifies a significant diplomatic move to hold Russia accountable for its cyber activities.
The US government, through CISA, has issued a warning that Russian state-sponsored hackers are targeting home routers. This activity is linked to the increasing use of residential proxies, where compromised routers are exploited to mask malicious traffic.
The European Union and the United Kingdom have officially attributed a cyberattack on Poland's power grid to Russian intelligence services. This attack, which occurred during winter, had the potential to leave approximately half a million people without power.
UK authorities have charged five individuals linked to Russian Coms, a platform used to spoof caller ID for fraudulent purposes. The platform facilitated over 1.8 million scam calls originating from Russia, with many targeting UK citizens. The investigation was conducted by the National Crime Agency (NCA).
Attackers leveraging a year-old infostealer infection may have gained access to the Argentine Football Association (AFA) network. This attack is linked to a 'World Cup grudge' and potentially targeted individuals associated with the AFA.
Russian FSB cyber actors are exploiting poorly configured and vulnerable networking devices to compromise critical infrastructure networks globally. This advisory provides updated tactics, techniques, and procedures (TTPs) to help defenders understand and counter this ongoing threat, building on previous FBI alerts.
The European Union and the United Kingdom have jointly imposed sanctions on numerous Russian individuals and entities. These sanctions are in response to Russia's alleged coordination of hacking groups responsible for cyberattacks across Europe.
The European Union has sanctioned individuals and entities accused of operating a long-term cyber spying network. This network is alleged to have targeted governments and conducted sabotage operations against critical infrastructure.
The US and eight allied nations have issued a joint warning about Russian state-sponsored hackers targeting vulnerable and misconfigured routers. These attacks aim to infiltrate critical infrastructure networks. The advisory highlights specific tactics used by these threat actors.
A misconfigured Python web server left exposed by an attacker revealed three ongoing Evilginx phishing operations targeting Microsoft 365 users. French security firm Lexfo was able to access the attacker's toolkit and identify the other operations through this single lapse in security.
Threat actors are actively scanning for and attempting to exploit Media Control Protocol (MCP) servers, as well as credentials for AI assistants. Attackers are leveraging these vulnerabilities to gain unauthorized access and potentially deploy malicious software.
Anomaly 6, a company that claims its phone-tracking technology can pinpoint U.S. intelligence officials, has been hired to investigate the mysterious "Havana Syndrome." The company previously boasted about its ability to track individuals, raising questions about its involvement in a sensitive government investigation.
Cybersecurity researchers have uncovered persistent cyber espionage campaigns targeting Pakistani law enforcement, with suspected China- and India-aligned threat actors exploiting the Balochistan Police portal. The attackers gained access to servers managing police and citizen data, including criminal records, between February 2024 and April 2026.
Multiple ongoing campaigns are exploiting ghost accounts to abuse the GitHub API for mass reconnaissance. These campaigns are designed to map GitHub organizations, including their repositories and member lists, potentially to identify targets for further exploitation.
An Armenian national has pleaded guilty in the U.S. to his involvement with the Ryuk ransomware operation. He faces up to 15 years in prison for deploying the ransomware to encrypt the systems of U.S. companies.