ESET has found two previously unknown Windows versions of SprySOCKS, a backdoor until now seen only on Linux, attributed to the China-aligned espionage group FishMonger (also called Earth Lusca and linked to the i-Soon contractor). One variant loads two encrypted kernel drivers that hide the malware's processes, files, registry keys, and network connections, and divert command traffic through a random TCP port so the real listening port never shows. It keeps the Linux version's 30-plus commands and hardcoded command-and-control setup. ESET tied the activity to attacks in 2023 and 2024, mostly against government bodies in Honduras, Taiwan, Thailand, and Pakistan, with the group historically gaining entry through unpatched public-facing servers.
Zimperium's zLabs has documented Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency apps and accepts 137 remote commands, giving an operator near-total control of an infected phone. It lifts lock-screen PINs, reads and sends text messages to grab one-time codes, rewrites the clipboard to redirect cryptocurrency payments, and disables Google Play Protect. It spreads through malicious websites posing as popular apps like TikTok and Chrome, starting with a dropper disguised as Google Play Protect that abuses Accessibility permissions. The actual theft uses fake login overlays placed on top of real banking apps, and surveillance relies on quiet Accessibility screenshots.
South Korea's Genians Security Center reports that the North Korean group ScarCruft (APT37) is sending spear-phishing emails dressed up as Microsoft Account security alerts to deliver a Python-based spy tool called NarwhalRAT. The emails warn of suspicious one-time-code activity and urge the recipient to open an attached advisory, which is actually a ZIP holding a malicious shortcut. Opening it kicks off a multi-stage, in-memory infection that leaves little on disk and gains persistence through a scheduled task. NarwhalRAT can log keystrokes, capture screenshots, record audio, and steal files from USB drives, and it disguises itself as the Korean browser Naver Whale while targeting South Korean users.
Cisco has patched a flaw in Catalyst SD-WAN Manager (formerly vManage), the console used to manage thousands of SD-WAN devices, that attackers were already exploiting as a zero-day to gain root. The bug (CVE-2026-20262) stems from weak validation of file uploads in the web interface, letting an authenticated low-privilege remote attacker create or overwrite any file on the system by sending crafted HTTP requests, and from there run commands as root. It affects every deployment type, including on-premises, Cisco-managed cloud, and the FedRAMP government edition, regardless of configuration. It is the latest in a run of exploited Cisco SD-WAN Manager zero-days this year.
A critical flaw in SimpleHelp, a remote support and management tool used by IT teams and managed service providers, lets an unauthenticated attacker create a privileged technician account and skip multi-factor authentication. The bug (CVE-2026-48558) only affects servers configured to use OpenID Connect (OIDC) single sign-on, including Azure AD, and stems from how the server validates identity assertions from the login provider. A rogue technician can then remote into managed machines and run scripts, giving attackers a foothold across every connected endpoint. Researchers found roughly 14,000 SimpleHelp servers exposed online, with about 7 percent using the vulnerable OIDC setup. The flaw affects versions 5.5.15 and earlier.
Researchers at Varonis disclosed SearchLeak, a flaw chain in Microsoft 365 Copilot Enterprise Search that let a single click on a legitimate microsoft.com link silently pull a victim's emails, calendar, and indexed files, including security and MFA codes, with no password or further interaction. It worked by smuggling instructions into the search URL's query parameter, which Copilot obeyed as commands, then exfiltrating the data through a Bing image request that bypassed content protections. Because the link used a real Microsoft domain, anti-phishing filters were unlikely to flag it. Microsoft assigned CVE-2026-42824, rated it critical, and fixed it on its backend, so no customer action is required.
Attackers compromised the content-delivery network of Awesome Motive, one of the biggest WordPress plugin makers, and injected malicious JavaScript into files served for OptinMonster, TrustPulse, and PushEngage, plugins running on more than 1.2 million sites. Discovered by Sansec, the code only triggered when a logged-in WordPress administrator viewed an affected site, at which point it stole authentication tokens, created a hidden rogue admin account, and installed a self-concealing backdoor plugin that exposed a web shell. The bad files were served on June 12 to 14. Awesome Motive says attackers stole a CDN API key after breaching its marketing site, and has since rotated credentials.
Google's Threat Intelligence Group has detailed a China-linked espionage cluster, tracked as UNC6508, that lurked inside North American medical, academic, and military research networks for more than a year. The attackers got in by planting a backdoor on victims' REDCap research-data servers to steal login credentials. The clever part was exfiltration: instead of using malware to ship data out, they quietly rewrote victims' own Google Workspace mail rules to auto-forward any message matching their target keywords to an attacker-controlled inbox, blending in with normal email behavior. The campaign focused on stealing sensitive research and defense-related communications, and went undetected for an unusually long time.
The North Korean campaign known as Contagious Interview is still expanding its assault on software developers, now leaning on poisoned developer tools and fake job offers. Researchers at Proofpoint and Expel describe obfuscated malicious npm packages, published from throwaway accounts, that install the OtterCookie infostealer through a post-install script, alongside recruitment and code-review phishing lures. The group is using generative AI to build its malware loaders and to set up fake companies and LinkedIn profiles for social engineering. Expel says the operation stole $12 million in cryptocurrency in the first three months of 2026, draining more than 26,000 wallets from over 2,700 infected developer machines.
Breach-tracking service Have I Been Pwned has added a fresh batch of stealer logs covering 56,278,397 accounts, harvested by infostealer malware from infected computers. Unlike a single company breach, stealer logs are credentials and session data scraped directly from victims' devices, often capturing the exact website-and-password pairs a person types, plus browser cookies that can let attackers skip login entirely. Because the data comes from malware on individual machines, exposure cuts across countless unrelated services. The scale is a reminder that infostealer infections, frequently spread through cracked software, malicious ads, and fake downloads, remain one of the biggest sources of credential theft.