Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

New 'TCLBanker' Android malware spreads itself by hijacking WhatsApp and Outlook to message every contact in the victim's address book

Researchers disclosed TCLBANKER, an Android banking trojan that adds worm-style self-propagation: once installed, it abuses Accessibility Services to read the victim's WhatsApp and Outlook contact lists and then send malicious download links to every contact as if from the victim. The malware targets banking and crypto-wallet apps with overlay screens that capture credentials, plus SMS-interception modules that grab one-time passcodes. Self-spreading via the victim's own messaging history defeats traditional URL-reputation controls. The campaign concentrates in Brazil, Spain, and Italy banking apps initially. Operators are renting access on Telegram for $1,500-3,000/month.

Check
Brief staff who manage Android devices that any 'app download' link sent through WhatsApp or Outlook from a known contact during business hours should be verified out-of-band before clicking. Review unfamiliar Android apps requesting Accessibility Services.
Affected
Android users in Brazil, Spain, and Italy initially - but worm-style spread will broaden the geography rapidly. Acute risk: anyone whose phone has Accessibility Services enabled for any third-party app. Banking and cryptocurrency app users face credential theft via overlay attacks. Contact networks of infected users get the lures next.
Fix
On managed Android devices: enforce MDM policies that block sideloading and require approval for any app requesting Accessibility Services. Disable Accessibility Services for apps that don't genuinely need it. Brief staff on the worm-spread pattern: contacts sending links to download apps is a hostile signal regardless of who the sender is.

New 'PCPJack' worm hunts down and removes competing malware before stealing cloud credentials - exploits five different vulnerabilities to spread

BleepingComputer and The Hacker News disclosed a new credential-stealing worm called PCPJack that hunts and removes the well-established TeamPCP malware family before installing itself - the first observed case of one cybercrime operation systematically displacing another at scale. PCPJack exploits five separate vulnerabilities to spread worm-like across cloud and Linux environments, then steals SSH keys, AWS credentials, GitHub tokens, and other secrets. Operators replace TeamPCP files in place rather than just disabling them, suggesting an attempt to inherit TeamPCP's existing victim base. The pattern signals a maturing cybercrime market.

Check
Search EDR and cloud logs for sudden disappearance of TeamPCP indicators on hosts that previously had them - that is the likely PCPJack handover signature. Hunt for outbound credential-theft traffic patterns matching the five CVEs PCPJack exploits.
Affected
Linux servers, cloud workloads (AWS, GCP, Azure), and CI/CD runners that previously had TeamPCP cryptominer infections. Any host running unpatched versions of the five CVEs PCPJack exploits is in scope. Cloud accounts where SSH keys, IAM access keys, or GitHub tokens are stored on compromised workloads face credential-theft escalation.
Fix
Patch all five CVEs PCPJack exploits per the Wiz and Datadog IoC publications. Rotate cloud credentials, SSH keys, and GitHub tokens on any host that may have had TeamPCP - do not assume TeamPCP cleanup means safety. Block PCPJack C2 domains at egress. Shift to short-lived IAM credentials via OIDC and remove static keys from VMs entirely.

Fake Claude AI website is delivering a brand-new Windows malware called 'Beagle' to people searching for the chatbot

BleepingComputer reports a fake Claude AI website is delivering a previously undocumented Windows malware called Beagle. The site impersonates Anthropic's Claude with a near-perfect clone of the official UI; visitors who click 'Download for Windows' get a Beagle installer rather than the legitimate Claude desktop app (Anthropic distributes Claude through claude.ai and the Mac App Store, not standalone Windows installers). Beagle harvests credentials from browsers, cryptocurrency wallets, Discord tokens, and SSH keys. Distribution is via Google Ads on Claude-related search terms - the same paid-placement abuse pattern hitting GoDaddy ManageWP, AWS, and Notion.

Check
Search proxy logs for visits to Claude-themed domains other than claude.ai or anthropic.com over the past 30 days. Hunt Windows endpoints for processes with Anthropic-branded names not signed by Anthropic.
Affected
Windows users searching for Claude or Anthropic products via Google search, particularly developers and AI-curious users. Acute risk: organizations whose staff use Claude through individual rather than enterprise accounts (no centralized management), and developers who pull AI tooling installers from search results. Cryptocurrency holders are at the highest risk.
Fix
Block Google Ads on AI-product searches via corporate browser policy or uBlock Origin. Brief staff that Anthropic distributes Claude through claude.ai and the Mac App Store - there is no standalone Windows installer. Treat any endpoint that downloaded a 'Claude installer' since April as compromised: rotate browser-stored credentials, crypto wallet keys, Discord tokens, and SSH keys.

Polish intelligence says hackers attacked control systems at Polish water treatment plants

Polish intelligence service ABW announced Wednesday that hackers attacked the industrial control systems at multiple Polish water treatment plants. The Record reports the targeting profile is consistent with state-aligned activity - patient reconnaissance, careful access, no data destruction. Polish authorities have not formally attributed the attack but the timing (alongside Russia-Ukraine conflict and Russia's interest in Polish infrastructure as a NATO frontline state) is unmistakable. Similar incidents have been reported in Germany, Austria, and the Netherlands over the past 12 months. No service disruption was reported, but the access establishes pre-positioning.

Check
If you run water, electric, gas, or transport infrastructure, audit your industrial control system (ICS) and SCADA networks for unfamiliar VPN connections, new remote access tool installations, or anomalous outbound traffic since January.
Affected
Water utilities, power grid operators, and other critical infrastructure operators in NATO frontline states (Poland, Baltic states, Romania, Finland) and adjacent countries. Acute risk for utilities running internet-reachable HMI or engineering workstations. Smaller municipal water utilities without dedicated OT security staff are most exposed because they cannot detect patient state-actor reconnaissance.
Fix
Air-gap or one-way-data-diode-isolate ICS networks from corporate IT where possible. Inventory and remove any unauthorized remote-access tools (TeamViewer, AnyDesk, ScreenConnect) on engineering workstations. Apply CISA's water utility cyber guidance and Poland's CERT.PL recommendations. Conduct a tabletop exercise focused on prolonged ICS reconnaissance scenarios.

North Korean hackers built a fake Korean game platform to spread Android spyware targeting ethnic Koreans living in China

ScarCruft (also called APT37 or Reaper) built a fake online gaming platform in Korean to spread BirdCall, a previously undocumented Android malware aimed at ethnic Koreans living in China. The Record reports the platform impersonated legitimate Korean-language game communities. BirdCall harvests device information, contacts, SMS, call logs, photos, and microphone audio - capabilities consistent with surveillance of diaspora communities rather than financial gain. ScarCruft has historically targeted North Korean defectors and journalists with similar Android malware lures.

Check
If your organization works with Korean-language communities or journalists covering North Korea, check Android devices for unfamiliar Korean game apps installed since early 2026. Review app permissions for SMS, contacts, and microphone access.
Affected
Android users in ethnic Korean communities in China, North Korean defectors, journalists covering North Korea, human-rights organizations, and South Korean policy researchers. Diaspora communities are the primary target. Organizations supporting diaspora communities or refugee networks face downstream risk through their constituents.
Fix
On managed Android devices: enforce Google Play Protect, block sideloading of APKs from unknown sources, and require MDM approval for any Korean-language gaming app. For at-risk individuals: reset Android devices that may have installed the fake platform, and use only verified Google Play apps. Follow Citizen Lab guidance for journalists working on North Korea topics.

Iranian hackers used Microsoft Teams chat to social-engineer victims, then dressed up their espionage as a Chaos ransomware attack to throw off blame

Rapid7 disclosed an Iranian state-sponsored intrusion that disguised itself as a Chaos ransomware attack to mask the real goal: cyber-espionage. The threat actor (assessed with moderate confidence as MuddyWater, linked to Iran's Ministry of Intelligence and Security) initiated chat requests through Microsoft Teams, walked employees into screen-sharing sessions, then captured credentials and manipulated MFA prompts. Some victims were asked to type their passwords into local text files during the call. Persistence came from a custom backdoor (Game.exe) deployed alongside DWAgent, AnyDesk, and RDP. The fake ransomware note and Chaos leak-portal entry concealed the espionage.

Check
Search Microsoft Teams logs for external chat invitations from unknown Entra tenants since January. Hunt endpoints for DWAgent, AnyDesk, ms_upd.exe, or Game.exe processes installed without IT approval.
Affected
Organizations allowing external Microsoft Teams chats by default - the campaign starts with chat invitations from attacker-controlled tenants. Acute risk for sectors MuddyWater historically targets: government, defense, telecoms, energy, and Israeli organizations. The 'IT Support' impersonation pattern works against any helpdesk-heavy enterprise. Iranian APT activity has been increasing through early 2026.
Fix
Restrict external Microsoft Teams chat to allowlisted partner tenants only. Block external screen-sharing requests by default. Brief staff that real IT support never asks them to type passwords into local files or read out MFA codes during a Teams call. Block Rapid7's published Stagecomp/Darkcomp code-signing certificate at the EDR layer.

Hackers bought Google ads pointing to a fake GoDaddy WordPress login page - any site manager who clicked saw their credentials stolen

BleepingComputer reports a phishing campaign that bought Google Ads to push a fake GoDaddy ManageWP login page to the top of search results. ManageWP is GoDaddy's centralized dashboard for managing multiple WordPress sites - so a successful phish gives the attacker simultaneous access to dozens or hundreds of sites under one account. The fake page is a near-perfect clone of managewp.com hosted on a typosquat domain; victims who enter credentials are redirected to the real site to mask the theft. Same Google Ads abuse template used recently against AWS, Notion, and other developer-tool brands.

Check
Brief staff who manage WordPress sites that they should never click Google Ads for login pages. Search proxy logs for visits to ManageWP-themed domains other than managewp.com over the past 30 days.
Affected
GoDaddy ManageWP customers, particularly agencies and freelancers managing multiple client WordPress sites under one account. Acute risk: small WordPress agencies whose ManageWP credentials enable simultaneous access to 50-500+ client sites. Anyone using GoDaddy hosting for WordPress.
Fix
Enable two-factor authentication on ManageWP accounts immediately. Reset ManageWP passwords for any user who recently clicked a Google Ads result for the brand. Add a corporate browser policy to suppress Google Ads on developer-tool searches. For agencies: rotate WordPress site credentials linked through ManageWP. Watch for unfamiliar admin user creation across managed sites.

Chinese hackers slipped a backdoor into the official DAEMON Tools installer for a month - thousands of computers in 100+ countries running tainted software signed with the real developer certificate

Kaspersky disclosed yesterday that the official DAEMON Tools installer - a popular Windows disk-image utility - has been distributing a backdoor since April 8. The trojanized versions (12.5.0.2421 through 12.5.0.2434) are downloaded from the legitimate vendor website and signed with valid AVB Disc Soft certificates. Thousands of infections recorded across 100+ countries, but follow-on payloads went to about a dozen targets in retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand. Kaspersky attributes the attack to Chinese-speaking actors and says it remains active. Detection took roughly a month - similar timeline to the 2023 3CX supply-chain attack.

Check
Search Windows endpoints for DAEMON Tools versions 12.5.0.2421-12.5.0.2434, and verify file hashes of DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Search proxy logs for env-check.daemontools.cc since April 8.
Affected
Windows endpoints with DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 installed since April 8, 2026. Compromised binaries are DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe in the DAEMON Tools install directory. Acute risk for organizations in Russia, Belarus, and Thailand and in retail, scientific, government, or manufacturing sectors - Kaspersky observed targeted second-stage payloads only on these.
Fix
Uninstall trojanized DAEMON Tools versions and reinstall from a verified clean release. Block env-check.daemontools.cc at the DNS resolver. Treat machines that ran trojanized versions as compromised: rotate credentials, hunt for QUIC RAT, and reimage if any second-stage payload is found. Apply application allowlisting to prevent vendor-signed but compromised binaries from running.

New Linux malware called 'Quasar Linux' targets developer laptops to steal credentials for npm, GitHub, AWS, and Docker - barely detected by antivirus

Trend Micro disclosed Quasar Linux (QLNX), a previously undocumented Linux remote access trojan designed for developer workstations and DevOps environments. The malware harvests credentials for npm, PyPI, GitHub, AWS, Docker, and Kubernetes - then uses them to publish trojanized packages to public registries. QLNX runs entirely fileless and in-memory, dynamically compiling its rootkit and PAM backdoor on the target host using gcc, then loading them via /etc/ld.so.preload for system-wide interception. Capabilities include a 58-command RAT, dual-layer rootkit, keylogging, SSH lateral movement, and peer-to-peer mesh networking. Only four security tools detect the binary as malicious.

Check
Hunt Linux developer machines and CI runners for /etc/ld.so.preload entries you didn't put there, /tmp/.X*-lock files outside legitimate X server use, and gcc invocations on hosts that don't normally compile code.
Affected
Linux developer workstations and DevOps environments with credential access to npm, PyPI, GitHub, AWS, Docker, or Kubernetes. Acute risk for organizations with developers running root-capable Linux desktops, particularly those whose CI/CD pipelines pull dependencies from public registries. Compromised credentials enable supply-chain attacks against the organization's own published packages.
Fix
Deploy Linux EDR with eBPF visibility on every developer machine and CI runner - QLNX hides from userland tools but eBPF-aware sensors detect the kernel-level rootkit. Restrict /etc/ld.so.preload modifications via auditd alerts. For high-risk developers: use ephemeral build environments (containers, VMs) that don't carry persistent credentials. Trend Micro published IoCs.

Phishing campaign hit 80+ companies by getting employees to install legitimate remote-access software disguised as a Social Security letter

Securonix tracked a phishing campaign called VENOMOUS#HELPER that has hit 80+ organizations (mostly in the US) since April 2025 by getting employees to install legitimate remote-monitoring software they think is a Social Security Administration document. The lure is a fake SSA email asking the recipient to download their statement; the link points to a compromised Mexican business website hosting a SimpleHelp installer. Once installed, the attackers gain SYSTEM-level access, then quietly install ConnectWise ScreenConnect as a backup channel. The pattern aligns with initial-access broker activity: quiet persistence, then sale or hand-off to ransomware operators.

Check
Hunt every Windows endpoint for SimpleHelp and ConnectWise ScreenConnect installs not authorized by IT. Search proxy logs for connections to gruta.com.mx since April 2025.
Affected
Windows endpoints in organizations without strict application allowlisting. 80+ confirmed victims, mostly US, across multiple sectors. Acute risk: companies whose staff regularly receive government correspondence (SSA, IRS, state tax) where 'verify and download' lures feel routine. Initial access brokers run these campaigns to sell footholds, so any compromised host becomes a potential ransomware launchpad weeks later.
Fix
Enforce application allowlisting on Windows endpoints to block unapproved RMM software. Remove unauthorized SimpleHelp, ScreenConnect, PDQ Connect, LogMeIn Resolve, N-able, or Fleetdeck installs and treat the host as compromised. Block Securonix's published indicators (gruta.com.mx, server.cubatiendaalimentos.com.mx) at the network egress layer. Rotate credentials on affected hosts.