The FBI has issued an alert about TeamPCP, a criminal group that compromises the developer and security tools organizations trust inside their build pipelines to steal cloud credentials at scale. Rather than targeting end users, TeamPCP injects malicious code into legitimate software such as the Trivy and KICS scanners and the LiteLLM library, then pushes trojanized updates that continuous integration systems pull in automatically. Its malware harvests AWS, Google Cloud, and Azure tokens, Kubernetes service-account credentials, and more. One technique the FBI highlights is taking over npm maintainer accounts by re-registering the maintainer's long-expired recovery email domain, then using password reset to publish malicious package versions.
The FBI and CISA have updated an earlier warning about Russian intelligence targeting Signal accounts, noting the operators have added a step: tricking targets into handing over their Signal backup recovery key. With that key, an attacker can restore the account's backup, read its private and group message history, and take over the account, and the key keeps working afterward. The campaign uses social engineering against high-value targets such as government officials, military personnel, and journalists. It reflects a broader shift toward stealing the recovery and session secrets that sit behind multi-factor authentication rather than attacking the login directly.
The FBI has issued a public service announcement warning of hundreds of fake FIFA-themed phishing and fraud sites ahead of the 2026 World Cup running June 11 to July 19 in the US, Canada, and Mexico. Domains include fiffa[.]com and alternative TLDs (.org, .xyz, .live, .sale) plus fake employment portals like jobs-fifa[.]com and fifa-hiring[.]com. The fraudulent sites collect names, addresses, phone numbers, and banking/payment details; the data is used for fake-ticket sales, hospitality-package scams, identity theft, and fraudulent account creation. Group-IB and Bitdefender confirmed parallel malvertising via Google Search, Facebook, Telegram, and WhatsApp, with one major operation attributed to a Chinese-speaking gang.
The FBI has issued a flash alert warning that the Silent Ransom Group (also tracked as Luna Moth, Chatty Spider, and UNC3753) is now sending operatives physically to US law firms to steal data. SRG actors first pose as internal IT over phone or phishing email and try to get an employee to grant a remote-desktop session; if that fails, they dispatch someone in person to plug a USB drive or external hard drive into the target's computer. The group, formed from Conti/BazarCall operators after the 2022 Conti shutdown, has targeted US legal and financial firms since 2023, extorting victims via its leak site.
The FBI has issued a warning about Kali365, a phishing-as-a-service platform that fueled large Microsoft 365 attacks in April. Instead of stealing passwords, Kali365 customers trigger Microsoft device-login requests and trick victims into completing the authorization, capturing OAuth access and refresh tokens that grant immediate mailbox access. Arctic Wolf, which infiltrated the system, says Kali365 sells in three tiers from $250 for 30 days to $2,000 for the year and generates branded phishing lures impersonating Adobe, DocuSign, and SharePoint in dozens of languages. Threat actors set malicious inbox rules to suppress security notifications and extend dwell time.
The FBI Atlanta Field Office and Indonesian authorities have dismantled the W3LL global phishing platform and arrested its alleged developer. W3LL sold a sophisticated phishing kit designed specifically for bypassing multi-factor authentication on Microsoft 365 accounts using adversary-in-the-middle (AiTM) techniques. The platform operated as a phishing-as-a-service ecosystem with its own marketplace, support channels, and licensing model, enabling thousands of business email compromise campaigns targeting corporate Microsoft 365 environments. This is described as the first coordinated international law enforcement action against this platform. Group-IB previously estimated W3LL's tools had been used to compromise over 8,000 Microsoft 365 business accounts.
A joint FBI/CISA advisory warns that Iranian-affiliated APT actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure - specifically Government Services, Water and Wastewater Systems, and Energy sectors. The attacks have caused financial losses and operational disruptions since March 2026, with the FBI confirming attackers extracted PLC project files and manipulated data displayed on HMI and SCADA systems. The escalation is linked to ongoing hostilities between Iran, the US, and Israel.