Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

TrickMo Android banker hides command-and-control inside Telegram's TON blockchain network to dodge takedowns

The TrickMo Android banking malware now routes its command-and-control through The Open Network (TON), the decentralized peer-to-peer network originally built around Telegram, making the C2 infrastructure much harder to identify or take down. ThreatFabric (which tracks this variant as Trickmo.C) has been watching it since January in campaigns hitting users in France, Italy, and Austria. The malware disguises itself as TikTok or streaming apps and steals banking credentials and crypto wallet keys via phishing overlays, keylogging, SMS interception, OTP suppression, and live screen recording. The new variant also adds SSH tunneling, port forwarding, and SOCKS5 proxy commands, turning infected phones into a pivot point.

Check
Check MDM logs for users in France, Italy, or Austria who side-loaded apps masquerading as TikTok or streaming services since January 2026. Flag corporate phones showing outbound TON network traffic.
Affected
Android devices belonging to users in France, Italy, and Austria that side-loaded apps disguised as TikTok or streaming services. Banking and cryptocurrency-wallet credentials, SMS-delivered OTPs, screen contents, and keystrokes are all at risk. The TON-based C2 means traditional domain blocking and DNS-based filters will miss this malware family entirely.
Fix
Confirm Google Play Protect is active and side-loading is blocked on all managed Android devices. For potentially infected users, perform a full factory reset, reinstall apps only from Google Play, and reset banking and cryptocurrency credentials from a known-clean device. Add TON .adnl traffic to egress monitoring - while you cannot decrypt it, unusual volumes from corporate networks are a signal.

GhostLock proof-of-concept abuses Windows file-sharing API to disrupt file access without encryption

A researcher at Israel Aerospace Industries published a proof-of-concept tool called GhostLock that uses a legitimate Windows API call to make files unreadable without encrypting anything. The technique abuses the dwShareMode parameter of CreateFileW - setting it to 0 grants the calling process exclusive access, so every other user or app trying to open the file gets a sharing violation. GhostLock automates this recursively across SMB shares from a standard domain user account, no elevation required. Researcher Kim Dvash frames it as a disruption attack, not destructive - data is not lost, but operational downtime can mirror a ransomware incident.

Check
Review your EDR and SIEM detection rules for behavior-based ransomware indicators. Verify they cover sharing-violation spikes and ShareAccess=0 file-open counts, not just mass file write or encryption activity.
Affected
Windows file servers and SMB shares in environments where any standard domain user account can authenticate. No CVE has been assigned - GhostLock abuses intended Windows file-sharing behavior, not a flaw. Behavioral detection systems focused on mass writes or encryption operations will not flag this attack pattern; the attack also requires no elevation.
Fix
Implement detection at the file server layer: monitor per-session open-file counts with ShareAccess=0 - the reliable signal Dvash identifies, which lives in storage platform management interfaces, not Windows event logs or EDR telemetry. Pull the SIEM queries and NDR rule from the GhostLock whitepaper as a detection template. Limit which domain user accounts have read or write access to critical shares.

Mr_Rot13 actor exploits cPanel CVE-2026-41940 to deploy cross-platform 'Filemanager' backdoor

QiAnXin XLab has tied the ongoing exploitation of cPanel's CVE-2026-41940 to a previously-quiet threat actor it tracks as Mr_Rot13, who has been operating since at least 2020. The attack chain exploits the cPanel and WHM authentication bypass to drop a Go-based infector that adds an attacker SSH key, plants a PHP web shell, and serves a fake login page to steal cPanel credentials (ROT13-encoded, exfiltrated to wrned[.]com). The final payload is a cross-platform backdoor called Filemanager that runs on Windows, macOS, and Linux. XLab counts over 2,000 attacker source IPs currently scanning for this flaw.

Check
Search cPanel and WHM authentication logs for unusual successful logins since April 28. Check /root/.ssh/authorized_keys on every cPanel host for unknown public keys, and search web roots for unfamiliar PHP files.
Affected
Any cPanel or WHM installation that was not patched against CVE-2026-41940 between disclosure on April 28, 2026, and now. Indicators of Mr_Rot13 compromise include the SSH public key added under root, the wrned[.]com credential exfiltration domain, the cp.dene[.]de[.]com infector source, and the wpsock[.]com Filemanager delivery domain.
Fix
If still unpatched, install the cPanel fix for CVE-2026-41940 immediately. On any host that was internet-exposed and unpatched, assume compromise: remove unknown SSH keys from root, sweep for unfamiliar PHP web shells, block the indicator domains wrned[.]com, cp.dene[.]de[.]com, and wpsock[.]com at egress, rotate cPanel and WHM root credentials, and check bash_history for evidence of attacker reconnaissance.

Mac malware campaign uses Google ads and 'Apple Support' Claude.ai chats to install infostealer

Hackers are buying Google ads that look like they go to claude.ai - and they do go to a real claude.ai page. But the page is a shared Claude chat dressed up as 'Apple Support' walking users through installing Claude on a Mac. The instructions tell people to paste a command into Terminal that quietly downloads MacSync, a Mac infostealer that grabs saved browser passwords, cookies, and contents of macOS Keychain (where Mac stores logins and keys). Because both the ad and the page are real claude.ai links, there is no fake domain to spot. Researcher Berk Albayrak first reported the campaign; BleepingComputer found a second active variant.

Check
Check macOS endpoint logs for Terminal executions of curl or base64 piped to bash in the last 7 days, and review who clicked sponsored Google results for 'Claude mac download'.
Affected
macOS users who searched Google for 'Claude mac download' or similar terms and ran a Terminal command from a shared Claude.ai chat attributed to 'Apple Support'. Two payload variants seen: a MacSync infostealer that exfiltrates Keychain and browser secrets, and a polymorphic in-memory shell payload that profiles the host and delivers a second stage via osascript.
Fix
Rotate browser-saved passwords and macOS Keychain credentials for any user who may have run the malicious command. Sign out and re-authenticate browser sessions to invalidate stolen cookies. Block the indicator domains customroofingcontractors[.]com and bernasibutuwqu2[.]com at network egress. Reinforce with users that they should never install software from chat or terminal instructions - only from official vendor download pages.

Hackers replaced installers on the official JDownloader website with a Windows remote access trojan - third 'trusted software website hijack' in a month

JDownloader's official website was compromised between May 5-7 and the alternative Windows installer plus the Linux shell installer were replaced with malware. The Windows payload is a Python-based remote access trojan; the Linux installer establishes root persistence and pulls additional binaries. Attackers exploited an unpatched flaw in the website's CMS that let them change download links without authentication. macOS downloads, Flatpak/Winget/Snap packages, and the main JDownloader.jar weren't touched. Third 'trusted software site' hijacked in 30 days after CPUID (CPU-Z, HWMonitor) in April and DAEMON Tools last week.

Check
Audit endpoints for JDownloader installations made between May 5 23:55 UTC and May 7. Check Programs and Features for publishers signed by 'Zipline LLC' or 'The Water Team' rather than 'AppWork GmbH'.
Affected
Windows endpoints that downloaded JDownloader through 'Download Alternative Installer' between May 5 23:55 UTC and May 7. Linux endpoints that ran the shell installer in the same window. Acute risk: any host running the malicious installer should be considered fully compromised. Unaffected: macOS users, Flatpak/Winget/Snap installs, in-app updates, and the main JDownloader.jar.
Fix
Reinstall the operating system on any host that ran a malicious JDownloader installer - the developers explicitly recommend this rather than scan-and-clean. Reset every credential entered on the host since installation: browser-stored passwords, SSH keys, cloud tokens. For corporate fleets running JDownloader: switch to Winget or Flatpak distribution channels.

A fake OpenAI repository on Hugging Face reached the trending #1 spot before getting caught - 244,000 downloads delivered an infostealer that grabs browser passwords, crypto wallets, and Discord tokens

HiddenLayer disclosed a malicious Hugging Face repository called Open-OSS/privacy-filter that typosquatted OpenAI's legitimate Privacy Filter project. The repo copied the original model card almost verbatim and shipped a loader.py file that, on Windows, fetched and executed an infostealer. The repo briefly hit Hugging Face's trending list at #1 and accumulated 244,000 downloads before the platform pulled it on May 7. The loader runs in an invisible PowerShell window, escalates privileges, adds itself to Microsoft Defender exclusions, and deploys Sefirah - a Rust-based infostealer that targets browser credentials, Discord tokens, cryptocurrency wallets, and SSH keys.

Check
Search proxy and DNS logs for connections to Hugging Face repository 'Open-OSS/privacy-filter' or downloads of 'loader.py' tied to it since April. Hunt Windows endpoints for sefirah.exe and unfamiliar Microsoft Defender exclusions.
Affected
Windows machines whose users downloaded from Open-OSS/privacy-filter between late April and May 7. AI/ML developers are the highest-risk role. Acute risk: developers whose machines hold cryptocurrency wallets, Discord tokens, and SSH keys to production. Cryptocurrency holders specifically targeted by Sefirah's wallet-extraction modules.
Fix
Block Open-OSS/privacy-filter at the network egress layer. For machines that may have run the loader: rotate every browser-stored credential, Discord token, SSH key, and cryptocurrency wallet seed. Enforce signature verification for Hugging Face models pulled into production. Treat all Hugging Face repositories as untrusted by default. Apply HiddenLayer's published Sefirah IoCs.

ShinyHunters is now extorting individual schools using stolen Canvas data - thousands of K-12 districts and universities receiving direct ransom demands

Update on the Instructure breach we covered May 4: ShinyHunters has shifted from extorting Instructure itself to extorting individual schools and universities with their own Canvas data. BleepingComputer and Krebs on Security report that 8,800+ institutions have received direct ransom demands referencing real student records, teacher accounts, and gradebook data from their own Canvas tenants. The campaign mirrors the 2025 PowerSchool aftermath. Some schools are receiving demands sized to the institution. Krebs notes affected schools are scrambling to comply with state student-privacy laws while negotiating with attackers.

Check
If your school uses Canvas, check whether you've received any direct extortion communications referencing real Canvas data since May 4. Audit Canvas API access logs for bulk data exports between February and April.
Affected
8,800+ schools, universities, and corporate training organizations using Canvas. K-12 districts face acute risk under state student-privacy laws (NY 2-d, California SOPIPA, ~130 similar statutes) plus COPPA for under-13 student data. Universities face FERPA exposure. Smaller institutions without legal counsel are most likely to pay rather than report.
Fix
Do not respond directly to extortion communications - report to FBI IC3 first and consult legal counsel before any contact. Notify affected students, parents, and faculty per state notification timelines (most require 30-60 days). Issue COPPA and FERPA notifications where applicable. Rotate Canvas API keys and re-authorize integrations. Track Instructure's response separately - many schools report the vendor unresponsive on individual cases.

New Linux backdoor 'PamDOORa' silently steals SSH credentials from every user logging into a compromised server - and erases its tracks from the logs

Group-IB and Flare disclosed PamDOORa, a new Linux backdoor for sale on the Russian-speaking Rehub cybercrime forum at $900 (down from $1,600). PamDOORa hijacks the Linux Pluggable Authentication Module (PAM) framework that handles SSH logins - so it intercepts every legitimate user's password as they authenticate, before any application-level logging fires. The backdoor injects a malicious pam_linux.so module into the authentication stack rather than replacing files. It also tampers with lastlog, btmp, utmp, and wtmp to erase attacker login traces - meaning incident response teams who SSH in to investigate will have their own credentials silently stolen. Group-IB notes the abuse method is not yet in MITRE ATT&CK.

Check
Audit /etc/pam.d/ for unfamiliar pam_*.so modules, particularly pam_linux.so. Compare loaded PAM modules against your distribution's default set. Hunt /tmp for files with random names containing XOR-encrypted credential captures.
Affected
All x86_64 Linux servers running OpenSSH for remote access. PamDOORa is post-exploitation, so attackers must already have root - but once installed it captures every SSH credential and persists invisibly. Acute risk: any Linux server compromised at any point in the past, regardless of remediation - PamDOORa survives standard cleanup unless PAM-specific auditing was performed.
Fix
Enable SELinux or AppArmor in enforcing mode to constrain PAM module loading. Install Auditd with DISA-STIG rules to alert on /etc/pam.d/ changes. Deploy rkhunter or chkrootkit for routine PAM rootkit detection. Treat any compromised Linux server as having fully exposed credentials - rotate every SSH key, password, and token.

28 fake apps on Google Play tricked 7.3 million Indian users into paying for fake call logs - charging up to $80 a year for fabricated data

ESET disclosed CallPhantom, a campaign of 28 fraudulent Android apps on Google Play that promised to reveal call histories, SMS records, and WhatsApp call logs for any phone number. Combined downloads: 7.3 million. After payment (weekly, monthly, or annual subscriptions up to $80), users receive fabricated phone numbers and names hardcoded into the apps. Targeting was India-focused (apps came pre-set with +91 country code and UPI integration via Google Pay, PhonePe, and Paytm) plus broader Asia-Pacific. Some apps embedded direct credit card forms, violating Play policy and making refunds harder. Google removed the 28 apps after ESET's report.

Check
If your organization issues Android devices to staff in India or APAC, check Google Play purchase histories for active subscriptions to call-history apps. Review corporate phone bills for unexpected UPI charges since November 2025.
Affected
Android users in India and broader Asia-Pacific, particularly those who searched Play Store for tools to retrieve call logs, SMS records, or WhatsApp histories. Indian users are the primary target due to UPI integration - 7.3M+ confirmed downloads. Corporate-issued Android devices used for personal app downloads face the same risk.
Fix
Cancel any active CallPhantom subscriptions through Play Store - Google has removed the apps. Request refunds via Play Store (subject to Google's time windows). For UPI-paid subscriptions, contact your UPI provider directly. Brief staff that no legitimate consumer app can reveal call logs of arbitrary phone numbers. For corporate fleets: apply MDM policies that block sideloading.

Two pro-Ukraine hacker groups appear to be teaming up to attack Russian companies - sharing servers and tools across phishing and espionage operations

Update on the Head Mare campaign we covered April 28: Kaspersky now reports that BO Team (also known as Black Owl) and Head Mare appear to be coordinating cyber operations against Russian organizations, sharing command-and-control infrastructure on the same compromised hosts. The likely division of labor: Head Mare phishes for initial access, then BO Team takes over for malware deployment. BO Team has shifted from destructive attacks to covert espionage, and in Q1 2026 hit 20 Russian organizations across manufacturing, telecoms, and oil and gas. The group uses BrockenDoor and Remcos backdoors. Earlier BO Team campaigns hit a Russian drone supplier and the federal digital signature authority.

Check
If your organization operates in Russia or has Russian subsidiaries, search proxy logs for BrockenDoor or Remcos C2 infrastructure since January. Hunt phishing emails referencing manufacturing, telecom, or oil and gas subjects with malicious documents.
Affected
Russian organizations across manufacturing, telecoms, and oil and gas - BO Team's Q1 2026 target list. By extension, Russian subsidiaries of Western multinationals operating in these sectors. The pattern of pro-Ukraine hacktivists coordinating with state-aligned operations means defenders cannot treat hacktivist incidents as opportunistic - they may be one stage of a longer espionage operation.
Fix
Block known BrockenDoor and Remcos C2 indicators per Kaspersky's published IoCs. Monitor for the phishing→malware deployment handoff pattern: phishing email landing followed within days by C2 traffic from a different actor. For organizations not in Russia: this is a template for how hacktivist groups in other regional conflicts may coordinate; expect the same pattern in Middle East and APAC tensions.