Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

China-linked group is sending 1,600 fake tax-audit emails to Indian and Russian companies, then dropping a brand-new backdoor called ABCDoor

Kaspersky tracked a China-based group called Silver Fox running a tax-themed phishing campaign against organizations in India, Russia, Indonesia, Japan, and South Africa. Phishing emails impersonate the Indian Income Tax Department or Russian tax service with subjects about audits or 'lists of tax violations.' Inside the attached archive sits a modified Rust loader that pulls down a known backdoor called ValleyRAT, plus a brand-new Python-based backdoor called ABCDoor. ABCDoor handles screen recording, keystroke control, clipboard theft, and file operations. Kaspersky logged 1,600+ phishing emails between January and February 2026 across industrial, consulting, retail, and transportation sectors.

Check
Search proxy and DNS logs for connections to abc.haijing88.com since December 2025. Hunt endpoints for pythonw.exe processes initiating outbound HTTPS to unfamiliar destinations.
Affected
Organizations in India, Russia, Indonesia, Japan, and South Africa, particularly in industrial, consulting, retail, and transportation sectors. Finance and accounting staff who routinely receive tax correspondence are the highest-risk role. Multinationals with operations in any of these regions face the same risk through local subsidiaries.
Fix
Block abc.haijing88.com and related Silver Fox infrastructure at the DNS resolver. Train finance staff that real tax correspondence never arrives as a ZIP or RAR archive of 'violations' to download. Quarantine any host running pythonw.exe with unexpected outbound HTTPS, and remove FFmpeg installations not authorized by IT. Rotate credentials on suspected compromised hosts and reimage.

Attackers are using stolen Amazon keys to send convincing phishing emails directly from Amazon's email service - bypassing every spam filter

Kaspersky reported a sharp rise in phishing campaigns sent through Amazon's Simple Email Service (SES). Because the emails come from Amazon's own infrastructure, they pass SPF, DKIM, and DMARC checks that normally catch fake-brand emails - and reputation-based blocks don't trigger because Amazon's mail servers have legitimate reputation. The pattern starts with attackers harvesting AWS access keys leaked in public GitHub repos, .env files, Docker images, and S3 buckets, then using those keys to send phishing through SES from the victim's own AWS account. Wiz documented similar abuse in 2025 with attackers escalating from sandbox mode (200 emails/day) to production mode (50,000+/day) by issuing PutAccountDetails across all AWS regions in 10 seconds.

Check
Open the SES console in every AWS region (not just your home region) and check sending statistics for unexpected volume. Search CloudTrail for ses:PutAccountDetails calls from unfamiliar IPs.
Affected
Any AWS account where IAM access keys could be exposed - public GitHub repos, .env files committed by mistake, Docker images that bundled credentials, or developer workstations. AWS accounts where SES has never been used legitimately are at acute risk because there's no baseline. Verified domain owners face inbox-reputation damage even if no breach happened on their systems.
Fix
Apply Service Control Policies that block ses:* actions in regions and accounts where SES isn't legitimately used. Replace static AWS access keys with IAM roles using short-lived credentials. Run TruffleHog or git-secrets across your repos to find leaked keys. Rotate any IAM keys older than 90 days. Configure CloudTrail alerts on SES API calls from unfamiliar IPs.

cPanel ransomware attackers are now hunting government agencies and the IT companies that manage them

Update on the cPanel ransomware wave covered May 3: attackers have shifted focus and are now targeting governments and managed service providers exploiting CVE-2026-41940. Security Affairs reports the operation is no longer just opportunistic mass-encryption of small business websites - the actors are deliberately looking for hosting accounts owned by government agencies and IT firms that manage downstream customers. CISA added the cPanel flaw to its KEV catalog Friday with a federal patch deadline of May 21. With 44,000 cPanel hosts already compromised in the initial wave, the secondary phase targeting MSPs has the potential to multiply impact through customer-tenant relationships - much like the 2023 Kaseya VSA campaign.

Check
Audit /var/cpanel/sessions/raw/ for entries created since February 23, 2026. Search for files with the .sorry extension across hosted sites. Check authentication logs for unusual successful logins between February 23 and April 28.
Affected
Government agencies, MSPs, and hosting companies running unpatched cPanel infrastructure. Particularly acute: MSPs whose cPanel instances host downstream customer accounts - a single compromise spreads to many tenants. Federal agencies under BOD 22-01 must patch by May 21. State and local governments without that mandate face the same active threat without the same enforcement.
Fix
Patch cPanel to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5. Restore from backups predating February 23 rather than just resuming operations. Rotate root, admin, and customer credentials. For MSPs: notify customers proactively before they discover compromise from a ransom note.

Microsoft says fake HR compliance emails fooled 35,000 people across 26 countries - phishing kit captured login tokens even with MFA enabled

Microsoft disclosed Monday that a phishing campaign between April 14 and 16 hit 35,000+ users across 13,000+ organizations in 26 countries (92% in the US). Lures impersonated internal HR with subjects like 'Internal case log issued under conduct policy.' Each email had a PDF attachment with a 'Review Case Materials' link that walked victims through Cloudflare CAPTCHAs and a final adversary-in-the-middle (AiTM) Microsoft sign-in page. AiTM proxies the real Microsoft login and captures session tokens after MFA - so traditional MFA is bypassed. Healthcare (19%), financial services (18%), and professional services (11%) were the most-targeted sectors.

Check
Search Exchange Online logs for emails between April 14-16 with subjects containing 'conduct policy' or 'awareness case log.' Hunt sign-in logs for OAuth grants from acceptable-use-policy-calendly.de or compliance-protectionoutlook.de.
Affected
Microsoft 365 / Entra ID tenants with users on traditional MFA (push, SMS, TOTP). AiTM bypasses any non-phishing-resistant MFA factor - only FIDO2 hardware keys and Windows Hello are immune. US users in healthcare, life sciences, financial services, and professional services are at acute risk based on Microsoft's targeting data.
Fix
Migrate users to phishing-resistant MFA (FIDO2 hardware keys, Windows Hello, passkeys) for all accounts. Enable Conditional Access policies that require token binding for high-privilege accounts. Turn on Zero-hour auto purge in Defender for Office 365 to retroactively quarantine campaign emails. Revoke session tokens for any user who visited a fake sign-in page.

China-linked spies breached the IBM subsidiary that runs IT for Italian government agencies and critical industries

La Repubblica reported a significant breach at Sistemi Informativi, a wholly-owned IBM Italy subsidiary that manages IT infrastructure for Italian public agencies and key industries. Multiple intelligence sources attribute the attack to Salt Typhoon, the China-linked espionage group that has hit US telecoms (AT&T, Verizon, Viasat), Canadian telecom firms, the US Army National Guard, Dutch government networks, and now Italian critical infrastructure. Salt Typhoon's hallmark is patience - prolonged data exfiltration, silent network observation, and infrastructure compromise rather than fast theft. The group has been active since at least 2019 and has reportedly hit 200+ companies across 80 countries.

Check
If your organization uses managed IT services for critical infrastructure (utilities, transport, healthcare, government), audit your provider's separation between corporate IT and customer environments this week.
Affected
Italian government agencies and key industries using Sistemi Informativi for IT infrastructure. More broadly: any organization where a single integrator holds access to multiple government databases - the breach pattern lets Salt Typhoon map critical infrastructure across many victims through one compromise. European telecoms and managed service providers are at acute risk.
Fix
Demand from any managed IT provider written attestation that customer environments are network-segregated from their corporate IT. Hunt for Salt Typhoon indicators: unauthorized configuration changes on edge devices, traffic to known Demodex C2 infrastructure, and anomalous data flows to Asian hosting providers. Treat the Italian breach as a reason to escalate vendor security reviews this quarter.

Scammers used Telegram's built-in mini-apps to impersonate Apple, NVIDIA, and Disney for crypto fraud and Android malware - all running on the same backend

CTM360 disclosed a large-scale fraud platform called FEMITBOT that uses Telegram's Mini App feature to host crypto scams, impersonate major brands, and distribute Android malware. The platform impersonates Apple, Coca-Cola, Disney, eBay, IBM, NVIDIA, BBC, and others - all backed by the same shared infrastructure identified by a common API response. The mini-apps display fake balances, countdown timers, and limited-time offers inside Telegram's WebView. Some campaigns push fake Android APKs hosted on the same domain as the API to ensure valid TLS certificates. Meta and TikTok tracking pixels measure conversion rates.

Check
Brief staff that any Telegram bot promoting cryptocurrency investments, asking them to deposit funds, or prompting them to install an APK is fraud - regardless of which brand the bot claims to represent.
Affected
Telegram users worldwide who interact with bots claiming to represent major brands. Acute risk for cryptocurrency-curious users targeted by 'investment opportunity' lures, and for Android users sideloading APKs from Telegram-shared links. Organizations whose brand is being impersonated face customer-trust damage even though the breach is in user behavior, not company systems.
Fix
Block sideloading of APKs on managed Android devices and require Google Play Protect to remain enabled. For brand protection teams: monitor Telegram for bots using your company name and report via Telegram's official channels - though the platform's Mini App vetting is essentially nonexistent so reactive moderation is the only path. Treat any 'official' Telegram bot as unverified by default.

Hackers are mass-encrypting websites by exploiting last week's cPanel flaw - 44,000 servers compromised so far in 'Sorry' ransomware attacks

Update on the cPanel flaw covered April 30: attackers are now mass-exploiting CVE-2026-41940 to deploy a Linux ransomware called 'Sorry' that encrypts websites and demands payment to unlock them. Shadowserver confirms at least 44,000 cPanel hosts have been compromised, with hundreds of victim sites already showing up in Google search results. The Sorry encryptor is written in Go, uses ChaCha20 with an embedded RSA-2048 public key (so victims cannot recover files without the attacker's private key), and appends '.sorry' to filenames. KnownHost reports the cPanel flaw was being exploited as a zero-day since at least February 23.

Check
If you run any cPanel or WHM server and have not yet patched, treat the server as already compromised - patch immediately, then start incident response rather than just resuming operations.
Affected
All cPanel and WHM versions before the April 28 emergency patch. ~1.5 million internet-exposed cPanel instances per Shodan, with 44,000 confirmed compromised. Hosting providers, web agencies, e-commerce sites on shared hosting, and any small business website on cPanel are in scope. Anyone whose cPanel was internet-reachable between February 23 and April 28 should assume compromise even if they patched promptly.
Fix
Patch cPanel to a fixed version. After patching, hunt for indicators of compromise (Sorry's '.sorry' file extension, unfamiliar admin sessions, cron entries pointing to /tmp/, modified /var/cpanel/sessions/raw/ files). Restore from clean backups predating February 23 if possible. Block cPanel ports (2082-2087, 2095-2096) at the firewall to non-trusted IPs. Rotate every credential the cPanel host had access to.

New 'ConsentFix v3' attack lets criminals take over Microsoft 365 accounts even when MFA and passkeys are turned on

Push Security disclosed ConsentFix v3, a new attack that lets criminals take over Microsoft 365 accounts even if the victim has MFA and phishing-resistant passkeys turned on. The trick: instead of stealing a password, the attacker tricks the user into pasting a Microsoft authorization URL into a phishing page during what looks like a routine login. That URL contains a one-time code that the attacker exchanges for permanent access tokens. v3 automates the whole attack with Cloudflare Pages phishing sites, Pipedream webhook automation, and tenant fingerprinting that customizes the lure to each target organization's branding.

Check
Brief any Microsoft 365 admin or developer that any 'verification step' that asks them to paste a URL containing 'localhost' into a webpage is hostile, no matter how legitimate the page looks.
Affected
Any Microsoft 365 / Entra ID tenant. The attack bypasses MFA, passkeys, and most Conditional Access policies by abusing pre-consented Microsoft first-party apps. Acute risk for organizations whose admins, developers, or DevOps engineers regularly use Azure CLI - those users won't suspect a fake Azure CLI authorization page. Cloudflare Pages and Pipedream both look legitimate in network telemetry.
Fix
Apply token binding to trusted devices and require Conditional Access for first-party Microsoft apps where possible. Hunt Azure sign-in logs for Azure CLI authentications from unfamiliar IPs, especially against accounts that don't normally use it. Train developers to verify out-of-band any 'verification step' that asks them to paste URLs into a webpage. Use app authentication restrictions to limit which first-party apps can issue refresh tokens.

Attackers poisoned 60+ Ruby gems and Go modules, then waited for CI pipelines to install them and steal credentials

Socket disclosed a fresh wave of supply-chain attacks targeting Ruby gems and Go modules: more than 60 typosquatted packages were uploaded to RubyGems and the Go module registry, designed to look like legitimate dependencies developers might pull into a CI pipeline. Once installed, the packages exfiltrate environment variables (which typically include AWS keys, GitHub tokens, and database credentials in CI environments) to attacker-controlled servers. The targeting is deliberate: typosquats picked names close to popular gems and Go libraries. This is the same operational pattern as the SAP npm compromise covered Wednesday, but targeting Ruby and Go ecosystems.

Check
Review your CI pipelines for any Ruby gem or Go module added in the past month, and confirm every package name matches the canonical upstream exactly.
Affected
Any organization running CI/CD pipelines that install Ruby gems or Go modules without strict pinning. Particularly acute for organizations with broad CI environment variables (AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, DATABASE_URL exposed to install scripts). Developer workstations are also exposed when developers run 'gem install' or 'go get' without verifying package names.
Fix
Pin every Ruby gem and Go module to specific versions and verify the upstream name matches. Move CI secrets out of environment variables and into ephemeral credential providers (OIDC for AWS, GitHub's masked secrets, Hashicorp Vault). Review CI logs for installs of packages whose names look like typosquats. Use Socket, Snyk, or equivalent tools to flag suspicious packages before install.

Vietnamese fraudsters used Google's no-code app platform to send Facebook phishing emails that passed every spam check, then sold the stolen accounts back to victims

Guardio documented a Vietnamese-linked fraud operation that has stolen roughly 30,000 Facebook business accounts by abusing Google's AppSheet no-code platform as a phishing relay. Because the phishing emails come from noreply@appsheet.com (a real Google address), they pass SPF, DKIM, and DMARC checks that normally catch fake-Meta emails. The lures impersonate Meta Support and threaten account deletion within 24 hours unless the user 'submits an appeal.' Stolen credentials, 2FA codes, and government ID photos are exfiltrated to Telegram. The operators then sell the stolen accounts back to victims through their own recovery service.

Check
Brief every staff member who manages a Facebook business account that any email from 'noreply@appsheet.com' claiming to be Meta is hostile, regardless of how legitimate the formatting looks.
Affected
Facebook Business account owners worldwide, with 68.6% of victims based in the US. Acute risk for marketing teams, social media managers, and small business owners who manage Facebook ad accounts. Any organization using the same Facebook business account for paid ads since 2024 is in the broader target pool. Stolen accounts often hold credit card data and ad spend history.
Fix
Block emails from noreply@appsheet.com unless your organization legitimately uses Google AppSheet. Train staff that real Meta support never asks for 2FA codes via email. Enable Meta Business Manager 2FA with hardware keys (not SMS). For organizations already compromised, contact Meta Business Help directly through facebook.com - the 'recovery service' is the same operation that took the account.