Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Alleged Kimwolf IoT botmaster 'Dort' arrested in Ottawa, charged in US and Canada - swatting attacks against researchers cited

Krebs on Security reports that Jacob Butler, the 18-year-old Ottawa resident allegedly known online as 'Dort,' has been arrested and charged in both the US and Canada with running the Kimwolf IoT botnet. KrebsOnSecurity unmasked Butler as the operator on February 28 by tying together his email addresses, forum registrations, and public Telegram and Discord posts. Dort later threatened and swatted researchers including Synthient's Ben Brundage. Ontario Provincial Police executed a search warrant in Ottawa on March 19 and seized devices. Kimwolf competed with Aisuru, JackSkid, and Mossad for the same vulnerable-IoT population. Butler faces up to 10 years if extradited and convicted in the US.

Check
Search EDR and netflow telemetry for outbound connections from IoT devices to known Kimwolf, Aisuru, JackSkid, and Mossad C2 sets. Inventory unpatched IoT devices on residential and SMB networks.
Affected
IoT devices - mostly routers, NVRs, and consumer IP cameras - vulnerable to the unpatched flaws Kimwolf was using to spread. Synthient helped patch the underlying weakness earlier this year.
Fix
Update firmware on all IoT and network-edge devices and disable WAN-side admin interfaces. Block known Kimwolf C2 ranges. Monitor for the lateral spread patterns documented by Synthient.

Underminr domain-fronting attack hijacks brand reputations via CDN trust - 42% of websites globally, 51% in US, vulnerable

ADAMnetworks researchers have disclosed Underminr, a domain-fronting attack that abuses how major content delivery networks resolve HTTP requests, letting an attacker route malicious traffic so it appears to come from trusted brand domains. Protective DNS filters see the DNS lookup for the legitimate site and wave it through. ADAMnetworks estimates 42% of websites globally are vulnerable, 51% in the US, around one-third in Eastern Europe, and under 9% in China's heavily-regulated internet. The researchers say attackers are already using the technique. Boutique security-focused CDNs that perform domain verification are not vulnerable; the larger general-purpose providers carry most of the exposure.

Check
Inventory CDN providers and check whether each performs domain verification (validates Host header at edge). Search egress logs for traffic resolving a trusted domain but landing on attacker infrastructure.
Affected
Roughly 42% of websites worldwide, 51% in the US, hosted on CDNs that do not perform strict Host-header verification. Boutique CDNs that verify ownership are not vulnerable.
Fix
Move sensitive properties to CDNs that perform strict domain verification. Audit Protective DNS allowlists and pair them with TLS SNI or HTTP-Host inspection downstream. Treat domain-only allowlists as weak.

Hunt.io: Saudi Telecom hosts 72% of Middle East C2 servers; 1,350+ servers across 98 providers in 14 countries

Hunt.io has mapped 1,350+ command-and-control servers spread across 98 providers in 14 Middle Eastern countries over three months. Saudi Telecom Company (STC) hosts 981 of them - 72.4% of all observed regional C2 - the largest single-provider concentration the researchers have seen globally. Most of STC's hosting appears to be compromised customer systems rather than deliberate bulletproof hosting, but the effect is the same. Other heavy hosts include SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Iraqi provider Regxa, which Hunt.io flags as the highest bulletproof-hosting profile observed. Named campaigns hosted on this infrastructure include Eagle Werewolf espionage, DYNOWIPER attacks on Poland's energy sector, and RondoDox.

Check
Add STC, SERVERS TECH FZCO, OMC, Türk Telekom, and Regxa to your provider-level egress monitoring and threat-intel correlation. Pull Hunt.io's published IoC list for the named campaigns.
Affected
Any organization whose users or systems communicate with Middle Eastern infrastructure. Provider-level visibility (versus per-IP) is now the more durable signal as attackers rotate domains and IPs daily.
Fix
Shift detection rules from per-IP IoCs to provider/ASN-level monitoring where business-justified. Block known bulletproof providers like Regxa at egress. Add Cobalt Strike, AsyncRAT, Mirai, and Sliver beacon hunts.

Webworm Chinese APT adds EchoCreep (Discord C2) and GraphWorm (MS Graph API C2) backdoors, targets European governments

ESET has documented Chinese-aligned threat actor Webworm adding two new custom backdoors to its toolset: EchoCreep, which uses a Discord channel for command-and-control, and GraphWorm, which routes C2 through the Microsoft Graph API and uploads exfiltrated files to OneDrive. Webworm is staging tools out of a GitHub repository disguised as a WordPress fork and has been observed targeting government organizations in Belgium, Italy, Serbia, Poland, Spain, and a university in South Africa. The earliest EchoCreep Discord commands date to March 21, 2024; about 433 messages have been sent through the channel. Initial access is still unclear, but dirsearch and nuclei are involved.

Check
Search outbound traffic and EDR logs for connections to Discord webhook and CDN domains and Microsoft Graph API endpoints from unexpected hosts. Look for SoftEther VPN binaries on European-government endpoints.
Affected
Government organizations in Belgium, Italy, Serbia, Poland, Spain, and a South African university - Webworm's known European targets. The Graph and Discord C2 patterns also apply to other Chinese APTs.
Fix
Block Webworm GitHub staging repos and ESET-published IoCs. Restrict outbound Discord and Graph API usage where not a legitimate business need. Hunt for dirsearch and nuclei scan signatures.

Ukraine cyber-police identifies 18-year-old Odesa infostealer operator linked to 28,000 stolen accounts and $721K California fraud

Ukrainian cyberpolice working with US law enforcement have identified an 18-year-old man from Odesa as the suspected operator of an infostealer operation that ran from 2024 through 2025 against customers of a California online retailer. The malware harvested 28,000 customer accounts; the operators used about 5,800 of them to make $721,000 in unauthorized purchases, leaving the retailer with around $250,000 in direct losses including chargebacks. The suspect ran the back-end infrastructure for processing and selling stolen session tokens. Police searched two residences and seized computers, phones, and bank cards. No arrest has been announced yet.

Check
Search HIBP and stealer-log marketplaces for your domain. If you run e-commerce, audit accounts with card-not-present orders that didn't match the legitimate user's device fingerprint in 2024-2025.
Affected
Customers of an unnamed California online retailer; 28,000 accounts harvested, 5,800 used in $721K of unauthorized purchases. Operation linked to a single 18-year-old in Odesa, Ukraine.
Fix
For affected users: rotate passwords, revoke active sessions, check card statements. For retailers: deploy session-binding device fingerprinting and require re-authentication for high-value card-not-present orders.

B1ack's Stash dark-web carding marketplace dumps 4.6 million credit-card records for free as 'punishment' for seller misconduct

B1ack's Stash, a dark-web carding marketplace operating since at least 2023, has released roughly 4.6 million stolen credit-card records as a free download. The market frames the dump as punishment for sellers caught reselling its data on rival platforms; SOCRadar says the marketplace also suspended about 8 million additional CVV2 records. The records include full PAN, CVV2, expiration date, billing address, full name, email, phone number, and IP address, which makes them directly usable for card-not-present fraud and account-opening fraud. This is the third free dump B1ack's Stash has used as a customer-acquisition tactic since its 2024 emergence.

Check
Run BIN lookups across the leaked card ranges (via SOCRadar or Recorded Future feeds your IR partner provides) for your issued cards. Increase card-not-present fraud monitoring for 30-60 days.
Affected
Roughly 4.6 million cardholders in the dump - mostly US, Canada, UK, Australia, Puerto Rico per historical B1ack's Stash regional distribution. Direct fraud-of-card risk for all holders.
Fix
For impacted issuers: pre-emptive reissue of cards seen in the dump. For consumers: monitor card statements, enable transaction notifications, and freeze cards if anomalous transactions appear. Phishing risk also elevated.

Shai-Hulud wave: 600+ npm @antv packages compromised in one hour, GitHub Action 'actions-cool' tag hijack linked

Between 01:56 and 02:56 UTC on May 19, a Shai-Hulud-flavored attack published 639 malicious versions across 323 npm packages, mostly in the @antv chart and graph namespace, after compromising the maintainer account 'atool.' Affected libraries include @antv/g2, @antv/g6, echarts-for-react, timeago.js, and jest-canvas-mock (still 10M monthly downloads despite three years dormant). A linked attack hijacked 15 tags of the 'actions-cool' GitHub Action and replaced them with a credential stealer that reads runner memory and exfils to t.m-kosche[.]com - the same domain as the @antv campaign. Socket and Aikido say there are now 2,900+ GitHub repos generated by this wave.

Check
Audit package lockfiles and CI logs for installs of any @antv/* package or timeago.js, size-sensor, jest-canvas-mock, echarts-for-react published on May 19. Search workflows for 'actions-cool/maintain-one-comment@<tag>' references.
Affected
Developers and CI/CD pipelines that installed @antv packages or used the actions-cool GitHub Actions between May 19 01:56 UTC and the npm registry takedown.
Fix
Pin GitHub Actions to full commit SHAs, not tags. Block egress to t.m-kosche.com. Rotate every developer token, npm token, cloud credential, and SSH key on machines that ran affected builds.

Nx Console 18.95.0 VS Code extension compromised in 11-minute window - kitty.py persistence and credential theft

The Nx team has confirmed that version 18.95.0 of its VS Code extension was malicious and that a few users were compromised. The bad version was available on the marketplace for only 11 minutes on May 18 (12:36 to 12:47 UTC), but that was enough to plant Python-based persistence under ~/.local/share/kitty/cat.py and a macOS LaunchAgent at com.user.kitty-monitor.plist, then steal tokens, secrets, and SSH keys reachable from the machine. The Nx team has shipped a clean 18.100.0 release and published indicators of compromise. This is the second time Nx has been targeted within a year, after the August 2025 s1ngularity supply-chain attack on its npm packages.

Check
Identify VS Code endpoints with the Nx Console extension. Check for ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, /tmp/kitty-*, or any process with __DAEMONIZED=1.
Affected
Anyone who installed Nx Console 18.95.0 from the VS Code marketplace during the 11-minute window on May 18 (12:36-12:47 UTC). A few users are confirmed affected.
Fix
Update Nx Console to 18.100.0. Kill malicious processes, delete IoC files, remove the LaunchAgent, and rotate every credential reachable from the developer machine - tokens, secrets, SSH keys.

Storm-2949 abuses Microsoft 365 Self-Service Password Reset to hijack accounts, pivot from M365 into Azure production

Microsoft is tracking a financially motivated actor it calls Storm-2949 that abuses the Microsoft 365 Self-Service Password Reset flow to hijack high-value identities and then exfiltrate as much data as possible. The actor socially engineers IT staff and senior leaders, kicks off an SSPR reset, then poses as IT support and convinces the victim to approve the resulting MFA prompt. Once in, Storm-2949 uses Graph API and custom Python to enumerate the tenant, downloads thousands of OneDrive and SharePoint files in single actions, and pivots into Azure - VMs, Key Vaults, SQL, storage - via privileged custom RBAC roles.

Check
In Entra audit logs, find users who reset their password and within 24 hours added or had MFA removed. Pull Graph API calls enumerating users and service principals from new IPs.
Affected
Microsoft 365 tenants with SSPR enabled where help-desk identity is not strongly authenticated. High-privilege custom Azure RBAC roles assigned broadly amplify blast radius.
Fix
Require ticket-based identity verification for SSPR resets on admin and exec accounts. Enforce phishing-resistant FIDO2 MFA. Tighten custom-role assignments. Alert on mass OneDrive downloads via Defender for Cloud.

Microsoft dismantles Fox Tempest 'malware-signing-as-a-service' that abused Azure Artifact Signing for 1,000+ certificates

Microsoft's Digital Crimes Unit, supported by law enforcement, has disrupted Fox Tempest, a 'malware-signing-as-a-service' offering that abused Azure Artifact Signing (formerly Trusted Signing) to issue legitimate Microsoft-signed certificates for malware. Operators created more than 1,000 certificates and hundreds of Azure tenants using stolen US and Canadian identities, all valid for 72 hours to reduce takedown risk. Microsoft has revoked the certificates, seized the signspace[.]cloud domain, and taken hundreds of supporting VMs offline. The service signed Oyster, Lumma Stealer, Vidar, and ransomware payloads for Rhysida, Akira, INC, Qilin, and BlackByte, used by groups including Vanilla Tempest and Storm-0501.

Check
Search EDR and Defender SmartScreen logs for binaries signed by Microsoft Azure Artifact Signing certificates between 2025 and 2026-05-19. Cross-reference Microsoft's revoked certificate list.
Affected
Endpoints that trust Microsoft Azure Artifact Signing certificates without additional publisher verification. Especially relevant if previously targeted by Vanilla Tempest, Storm-0501, Storm-2561, or Storm-0249.
Fix
Tighten Defender SmartScreen and AppLocker rules so a publisher signature alone is not sufficient trust. Verify the named publisher of any Microsoft Artifact Signing-signed binary matches the expected software vendor.