-
Don’t Trust ‘secure Mail’! Malicious Files Impersonating Credit Card Companies Are Being Distributed
"ahnLab recently confirmed the distribution of malicious files disguised as security emails from a major credit card company in Korea. this attack has a similar flow to the Kimsuky group’s past malicious LNK distribution case of disguising password files, but it is characterized by a change in the command execution of the initial LNK file. in particular, the execution of additional files and malicious files and the behavior of the malicious files changed depending on whether the security service of the infected environment was enabled or disabled. let’s take a look at the main behavior of this case and user precautions."
https://asec.ahnlab.com/en/93855/
-
From Poisoned Search Results To GPU Mining: A Cryptojacking Campaign Abusing ScreenConnect And Microsoft .NET Utilities
"Microsoft Defender Experts identified an active cryptojacking campaign in which malicious download sites are surfaced not only through traditional search engine poisoning, but also through AI chatbot interactions. This emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations. The campaign impersonates trusted system utilities including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear to target users likely to own high-performance GPUs. Rather than maximizing infection volume, the threat actor appears focused on compromising systems with higher mining value."
https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/
https://thehackernews.com/2026/05/ai-chatbot-recommendations-redirect.html
https://www.bleepingcomputer.com/news/security/gpu-mining-malware-spreads-via-seo-poisoning-ai-chatbots/
https://www.helpnetsecurity.com/2026/05/27/ai-chatbot-cryptojacking-campaign/
-
Disrupting Glassworm: Inside CrowdStrike’s Takedown Of a Developer-Targeting Botnet
"On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, a global threat targeting software developers through the open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm's command-and-control (C2) channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads. This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they're targeting the developers who build them."
https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/
https://www.bleepingcomputer.com/news/security/glassworm-botnet-disrupted-after-resilient-c2-infrastructure-takedown/
https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html
https://www.bankinfosecurity.com/glassworm-group-software-supply-chain-attackers-disrupted-a-31792
https://www.infosecurity-magazine.com/news/crowdstrike-google-takedown/
https://cyberscoop.com/crowdstrike-glassworm-botnet-takedown/
https://www.securityweek.com/glassworm-botnet-disrupted/
https://securityaffairs.com/192749/cyber-crime/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot.html
https://www.theregister.com/cyber-crime/2026/05/27/crowdstrike-google-shatter-glassworm-botnet/5247337
-
FBI Warns Of In-Person Data Theft Attacks From Extortion Gang
"The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks. "As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim's IT department. SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support," the FBI warned in a Tuesday flash alert. "While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim's location to gain access to insert a storage device into the victim's computer.""
https://www.bleepingcomputer.com/news/security/fbi-warns-of-silent-ransom-group-in-person-data-theft-attacks/
https://www.ic3.gov/CSA/2026/260526.pdf
https://www.darkreading.com/cyberattacks-data-breaches/ransomware-actors-steal-law-firm-data
https://therecord.media/fbi-warns-hackers-visit-law-firms-to-steal-data
https://cyberscoop.com/fbi-warning-silent-ransom-group-law-firms/
https://www.securityweek.com/fbi-hackers-sending-operatives-in-person-to-insert-usb-drives-and-steal-data/
https://www.theregister.com/security/2026/05/27/fbi-crooks-enter-legal-offices-and-steal-data-via-usb-drive/5247212
https://www.helpnetsecurity.com/2026/05/27/fbi-silent-ransom-group-law-firms-social-engineering/
-
OverlayPhantom: The Android Banking Trojan Hiding In Plain Sight
"Cyble Research and Intelligence Labs (CRIL) has identified a novel Android banking trojan, dubbed OverlayPhantom, actively distributed in the wild via malicious URLs. The malware employs a two-stage infection chain, using a dropper application that impersonates trusted platforms, including the official Austrian government identity application, ID Austria, and the widely used consumer platform TikTok, to deceive victims into installing it. Once deployed, OverlayPhantom masquerades as “Google Play Services” and abuses Android’s Accessibility Service to gain persistent, elevated control of the infected device."
https://cyble.com/blog/overlayphantom-android-banking-trojan/
-
The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
"The 2026 FIFA World Cup is set to be the largest sporting event in history. Hosted across three nations — the United States, Canada, and Mexico — the tournament will take place from June 11 to July 19, 2026, featuring 104 matches played in 16 cities. The scale is unprecedented: FIFA estimates that more than six million fans will fill stadiums, with an average of 450,000 visitors per city. More than 150 million tickets were requested within the first 15 days of the sales window alone, making this edition approximately 30 times oversubscribed compared to previous tournaments. For context, the 2022 Qatar World Cup drew over 3.4 million in-stadium fans with an average attendance capacity of 96.3 per cent. The 2026 edition is expected to nearly double that figure."
https://www.group-ib.com/blog/ghost-stadium-football-fraud/
https://www.infosecurity-magazine.com/news/ghost-stadium-fifa-world-cup-fraud/
-
Fake LinkedIn Emails Abuse Adobe To Track Victims
"Cybercriminals are abusing Adobe infrastructure in a LinkedIn phishing campaign that steals passwords and redirects victims to the legitimate LinkedIn site afterward. The phishing email masquerades as a business inquiry designed to look like it’s come via LinkedIn and includes a fake “contract” attachment. But it contains a number of red flags:"
https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-linkedin-emails-abuse-adobe-to-track-victims
-
‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems
"Trust and automation are key to many attacks; and trust with automation is inherent in the use of AI coding agents. Malicious repositories are a frequent factor in many supply chain attacks, estimated at between 20% and 40%. Such repositories can be used to fool a developer using an AI coding agent into generating bad code that can silently slip into the CI pipeline. That is just one possibility of the SymJack attack described by Adversa AI. The attack requires three elements: attacker control of the coding agent repo, a ready-made malicious MCP server, and a developer’s use of an AI coding tool."
https://www.securityweek.com/symjack-attack-turns-ai-coding-agents-into-supply-chain-attack-delivery-systems/
https://adversa.ai/blog/the-approval-prompt-is-lying-to-you-symlink-rce-in-five-ai-coding-agents-claude-code-cursor-antigravity-copilot-grok-build
-
Grandoreiro Malware Campaign Targets Europe And Latin America
"WatchGuard telemetry identified a campaign associated to Grandoreiro that uses the DLL Side-Loading technique abusing four different softwares, targeting banks in Portugal. Also, it was identified cases of a known campaign that uses a malicious VBS to deliver the malware, targeting companies in Spain, Portugal, Mexico and Latin America. Grandoreiro has been active since at least 2016 and is now one of the most widespread banking trojans globally. Despite the disruption of some operators and the joint operations with INTERPOL and local law enforcement resulting in the arrest of gang members in Spain, Brazil, and Argentina, that occurred in 2021 and 2024, they’re still active due to only part of the gang was arrested and the ones that was not arrested are continuing the operations."
https://www.watchguard.com/wgrd-security-hub/secplicity-blog/grandoreiro-malware-campaign-targets-europe-and-latin-america
-
Malware-Slop: New Malicious Npm Package Leaks Its Own GitHub Private Token
"A malicious npm package that reads and uploads files from “/mnt/user-data” was uploaded to GitHub. OX Security observed around 7 active exfiltration in the threat actor’s GitHub repository before it was taken down, most of them are probably tests conducted by the threat actor itself. The malware reached 676 downloads, and is still live on npm (at time of publishing)."
https://www.ox.security/blog/malware-slop-new-malicious-npm-package-leaks-its-own-github-private-token/
https://thehackernews.com/2026/05/malicious-npm-package-stole-files-from.html
-
Ababil Of Minab: How An Iran-Linked Crew Exfiltrated Data From Four Countries And Destroyed IT, Backups, And Recovery At a Subset Of Victims
"Gambit Security Threat Intelligence team investigated an intrusion campaign targeting organizations in the United States, Israel, Saudi Arabia, and Turkey: exfiltration across all of them, with destructive operations at a subset. The activity surfaced publicly in late March and early April 2026, after a pro-Iranian persona calling itself Ababil of Minab claimed to have compromised the Los Angeles County Metropolitan Transportation Authority (LACMTA / LA Metro), destroyed systems, and exfiltrated data. Our investigation found that Ababil of Minab is unlikely to be a new, standalone hacktivist crew as they claim."
https://gambit.security/blog-posts/babil-of-minab-iran-mois-destruction-campaign
https://therecord.media/iranian-intelligence-behind-hack-of-la-transit-system
https://www.securityweek.com/la-metro-cyberattack-linked-to-iranian-state-sponsored-hackers/
https://securityaffairs.com/192764/hacktivism/the-la-metro-attack-wasnt-hacktivism-it-was-a-state-operation-with-a-costume-on.html
-
Attackers Disguising Phishing As Google AppSheet Notifications
"Phishing campaigns have become significantly more sophisticated and convincing in recent years. Sender addresses are now nearly identical to the real deal, emails are flawlessly written, and users are called by their names. But what do you do when a suspicious email comes from a clearly legitimate email address? Lately, phishers have been exploiting the Google AppSheet platform to set up email blasts that originate from an official Google-linked address. Following a successful attack, they walk away with their victims’ accounts and sensitive data."
https://www.kaspersky.com/blog/appsheet-phishing-emails/55827/
-
Breaches/Hacks/Leaks
-
Latin American Cybercriminals Hoover Up Government Data
"Cyber threat groups in Latin and South America have increasingly targeted government agencies and contractors, stealing and monetizing citizen data at a rate that has made the public-administration sector in the region the most-breached in the past year. In mid-May, a group known as La Pampa Leaks claimed to have compromised Uruguay's government-sponsored identity service managed by telecommunications provider Antel, reportedly monetizing the information as a citizen-data lookup service. In February, a hacking collective known as the Chronus Group claimed to have stolen data from 25 different Mexican government agencies and groups. And, in Colombia, cyberattackers targeted the nation's health ministry with more than 23 million attempted attacks during the month of March."
https://www.darkreading.com/cyberattacks-data-breaches/latin-american-cybercriminals-government-data
-
UK Visa Portal Exposed Thousands Of Applicants’ Passports And Selfies — Then Called The Lawyers On Us
"A website called UK Visa Portal publicly exposed thousands of passports and selfie photos of applicants who paid the site to obtain a U.K. immigration visa, TechCrunch has learned. An anonymous person notified TechCrunch about the security lapse, saying that the website was exposing at least 100,000 documents from people who uploaded their passports and selfies to the website as part of the application process. The website is not affiliated with the U.K. government, and some have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website."
https://techcrunch.com/2026/05/27/uk-visa-portal-spilled-thousands-of-applicants-passports-and-selfies-online-and-hasnt-fixed-the-leak/
![openew[.]app.png](/assets/uploads/files/1780391504476-openew.app-resized.png)
