Security researchers are warning of a phishing campaign that impersonates Signal Support over text message to steal users' backup recovery keys, specifically targeting journalists and activists. Once an attacker obtains the recovery key, they can decrypt the victim's entire message-history backup. The campaign relies purely on social engineering - there is no flaw in Signal's cryptography - tricking targets into handing over the secret that protects their encrypted backups. The targeting of journalists and activists points to surveillance-motivated actors rather than financially-driven crime. Signal users should treat any unsolicited 'Support' contact requesting recovery keys or codes as hostile, since Signal never asks for them.
Carnival Corporation, the world's largest cruise-line operator with 90+ ships across Carnival, Princess, Holland America, Costa, P&O, Cunard, AIDA, and Seabourn, has confirmed a breach affecting 5,995,277 customers. The intrusion began April 10 when an employee was social-engineered into giving up account credentials; Carnival's IT team detected the unauthorized activity on April 14. ShinyHunters claimed responsibility in April and listed the company on its data leak site. Carnival served around 13.5 million guests in 2024 across its fleet. The company is now notifying affected individuals. The pattern aligns with the broader ShinyHunters SaaS-extortion playbook documented across Charter, Instructure, and others over the past quarter.
Microsoft is tracking a financially motivated actor it calls Storm-2949 that abuses the Microsoft 365 Self-Service Password Reset flow to hijack high-value identities and then exfiltrate as much data as possible. The actor socially engineers IT staff and senior leaders, kicks off an SSPR reset, then poses as IT support and convinces the victim to approve the resulting MFA prompt. Once in, Storm-2949 uses Graph API and custom Python to enumerate the tenant, downloads thousands of OneDrive and SharePoint files in single actions, and pivots into Azure - VMs, Key Vaults, SQL, storage - via privileged custom RBAC roles.
SentinelOne has documented a new variant of the SHub macOS infostealer family called Reaper. Victims are lured through fake WeChat and Miro installers hosted on typo-squatted Microsoft domains, then prompted to run what looks like an Apple security update. Reaper avoids macOS Tahoe's new Terminal protections by routing its commands through the applescript:// URL scheme. Once running, it steals browser credentials, crypto wallets, dev configs, iCloud data, and Telegram sessions, replaces legitimate Exodus, Ledger, and Trezor wallet apps with backdoored copies, and installs a persistent fake Google Software Update LaunchAgent that gives the attacker an ongoing remote shell. Files larger than 85MB are uploaded in 70MB chunks.
ReliaQuest researchers say initial access broker KongTuke has shifted from web-based ClickFix and FileFix lures to Microsoft Teams social engineering, taking as little as five minutes to gain persistent access. The attacker reaches employees from one of five rotating Microsoft 365 tenants, uses Unicode whitespace tricks to make the display name look like internal IT help desk, then talks the victim through pasting a PowerShell command. That command downloads a ZIP from Dropbox containing a portable WinPython runtime and a Python-based RAT called ModeloRAT. The new ModeloRAT variant adds a five-server C2 pool with automatic failover, self-update, and randomized URL paths, and several major EDR products did not detect it.
Hackers are buying Google ads that look like they go to claude.ai - and they do go to a real claude.ai page. But the page is a shared Claude chat dressed up as 'Apple Support' walking users through installing Claude on a Mac. The instructions tell people to paste a command into Terminal that quietly downloads MacSync, a Mac infostealer that grabs saved browser passwords, cookies, and contents of macOS Keychain (where Mac stores logins and keys). Because both the ad and the page are real claude.ai links, there is no fake domain to spot. Researcher Berk Albayrak first reported the campaign; BleepingComputer found a second active variant.
Guardio documented a Vietnamese-linked fraud operation that has stolen roughly 30,000 Facebook business accounts by abusing Google's AppSheet no-code platform as a phishing relay. Because the phishing emails come from noreply@appsheet.com (a real Google address), they pass SPF, DKIM, and DMARC checks that normally catch fake-Meta emails. The lures impersonate Meta Support and threaten account deletion within 24 hours unless the user 'submits an appeal.' Stolen credentials, 2FA codes, and government ID photos are exfiltrated to Telegram. The operators then sell the stolen accounts back to victims through their own recovery service.
Microsoft confirmed yesterday that a Windows Shell spoofing flaw, CVE-2026-32202, is being exploited in the wild. The bug lets an attacker craft files that appear in File Explorer with fake names, icons, and paths - so a malicious .exe can show up looking like a benign PDF, leading users to double-click and run it. Microsoft patched the bug in the April 14 Patch Tuesday but only confirmed in-the-wild exploitation on April 28, raising urgency for any environment that hasn't deployed April patches. The flaw is particularly dangerous on shared file servers, USB drops, and email attachments - any path where users trust File Explorer to tell them what's what.
North Korea's BlueNoroff group has built a self-reinforcing deepfake pipeline that turns each victim into the lure for the next attack. Arctic Wolf documented the pattern: attackers send a Calendly invite that looks like a normal business meeting, then quietly swap the Google Meet link for a typo-squatted Zoom URL. When the target joins, a fake Zoom interface secretly records their webcam feed while a clipboard-injection attack drops malware. The captured footage is mixed with AI-generated lookalikes (built using ChatGPT for synthetic portraits) and recycled into the next attack. Arctic Wolf found 950 files in BlueNoroff's media server. 80% of identified targets are crypto executives.
Update on the ADT breach we covered April 25: Have I Been Pwned added the leaked dataset yesterday with 5,488,888 unique email addresses confirmed - lower than ShinyHunters' original 10 million claim but still the largest US home-security customer leak on record. Beyond the email, name, phone, and address fields ADT originally disclosed, the leak includes details ADT downplayed: account creation dates, premise types, internal account flags, ADT installer IDs, and prospect/customer status. None catastrophic alone, but combined gives attackers enough context to run convincing 'security audit' phone scams against named customers with real install dates and installer names.