Kaspersky tracked a China-based group called Silver Fox running a tax-themed phishing campaign against organizations in India, Russia, Indonesia, Japan, and South Africa. Phishing emails impersonate the Indian Income Tax Department or Russian tax service with subjects about audits or 'lists of tax violations.' Inside the attached archive sits a modified Rust loader that pulls down a known backdoor called ValleyRAT, plus a brand-new Python-based backdoor called ABCDoor. ABCDoor handles screen recording, keystroke control, clipboard theft, and file operations. Kaspersky logged 1,600+ phishing emails between January and February 2026 across industrial, consulting, retail, and transportation sectors.
Kaspersky reported a sharp rise in phishing campaigns sent through Amazon's Simple Email Service (SES). Because the emails come from Amazon's own infrastructure, they pass SPF, DKIM, and DMARC checks that normally catch fake-brand emails - and reputation-based blocks don't trigger because Amazon's mail servers have legitimate reputation. The pattern starts with attackers harvesting AWS access keys leaked in public GitHub repos, .env files, Docker images, and S3 buckets, then using those keys to send phishing through SES from the victim's own AWS account. Wiz documented similar abuse in 2025 with attackers escalating from sandbox mode (200 emails/day) to production mode (50,000+/day) by issuing PutAccountDetails across all AWS regions in 10 seconds.
Update on the cPanel ransomware wave covered May 3: attackers have shifted focus and are now targeting governments and managed service providers exploiting CVE-2026-41940. Security Affairs reports the operation is no longer just opportunistic mass-encryption of small business websites - the actors are deliberately looking for hosting accounts owned by government agencies and IT firms that manage downstream customers. CISA added the cPanel flaw to its KEV catalog Friday with a federal patch deadline of May 21. With 44,000 cPanel hosts already compromised in the initial wave, the secondary phase targeting MSPs has the potential to multiply impact through customer-tenant relationships - much like the 2023 Kaseya VSA campaign.
Microsoft disclosed Monday that a phishing campaign between April 14 and 16 hit 35,000+ users across 13,000+ organizations in 26 countries (92% in the US). Lures impersonated internal HR with subjects like 'Internal case log issued under conduct policy.' Each email had a PDF attachment with a 'Review Case Materials' link that walked victims through Cloudflare CAPTCHAs and a final adversary-in-the-middle (AiTM) Microsoft sign-in page. AiTM proxies the real Microsoft login and captures session tokens after MFA - so traditional MFA is bypassed. Healthcare (19%), financial services (18%), and professional services (11%) were the most-targeted sectors.
La Repubblica reported a significant breach at Sistemi Informativi, a wholly-owned IBM Italy subsidiary that manages IT infrastructure for Italian public agencies and key industries. Multiple intelligence sources attribute the attack to Salt Typhoon, the China-linked espionage group that has hit US telecoms (AT&T, Verizon, Viasat), Canadian telecom firms, the US Army National Guard, Dutch government networks, and now Italian critical infrastructure. Salt Typhoon's hallmark is patience - prolonged data exfiltration, silent network observation, and infrastructure compromise rather than fast theft. The group has been active since at least 2019 and has reportedly hit 200+ companies across 80 countries.
CTM360 disclosed a large-scale fraud platform called FEMITBOT that uses Telegram's Mini App feature to host crypto scams, impersonate major brands, and distribute Android malware. The platform impersonates Apple, Coca-Cola, Disney, eBay, IBM, NVIDIA, BBC, and others - all backed by the same shared infrastructure identified by a common API response. The mini-apps display fake balances, countdown timers, and limited-time offers inside Telegram's WebView. Some campaigns push fake Android APKs hosted on the same domain as the API to ensure valid TLS certificates. Meta and TikTok tracking pixels measure conversion rates.
Update on the cPanel flaw covered April 30: attackers are now mass-exploiting CVE-2026-41940 to deploy a Linux ransomware called 'Sorry' that encrypts websites and demands payment to unlock them. Shadowserver confirms at least 44,000 cPanel hosts have been compromised, with hundreds of victim sites already showing up in Google search results. The Sorry encryptor is written in Go, uses ChaCha20 with an embedded RSA-2048 public key (so victims cannot recover files without the attacker's private key), and appends '.sorry' to filenames. KnownHost reports the cPanel flaw was being exploited as a zero-day since at least February 23.
Push Security disclosed ConsentFix v3, a new attack that lets criminals take over Microsoft 365 accounts even if the victim has MFA and phishing-resistant passkeys turned on. The trick: instead of stealing a password, the attacker tricks the user into pasting a Microsoft authorization URL into a phishing page during what looks like a routine login. That URL contains a one-time code that the attacker exchanges for permanent access tokens. v3 automates the whole attack with Cloudflare Pages phishing sites, Pipedream webhook automation, and tenant fingerprinting that customizes the lure to each target organization's branding.
Socket disclosed a fresh wave of supply-chain attacks targeting Ruby gems and Go modules: more than 60 typosquatted packages were uploaded to RubyGems and the Go module registry, designed to look like legitimate dependencies developers might pull into a CI pipeline. Once installed, the packages exfiltrate environment variables (which typically include AWS keys, GitHub tokens, and database credentials in CI environments) to attacker-controlled servers. The targeting is deliberate: typosquats picked names close to popular gems and Go libraries. This is the same operational pattern as the SAP npm compromise covered Wednesday, but targeting Ruby and Go ecosystems.
Guardio documented a Vietnamese-linked fraud operation that has stolen roughly 30,000 Facebook business accounts by abusing Google's AppSheet no-code platform as a phishing relay. Because the phishing emails come from noreply@appsheet.com (a real Google address), they pass SPF, DKIM, and DMARC checks that normally catch fake-Meta emails. The lures impersonate Meta Support and threaten account deletion within 24 hours unless the user 'submits an appeal.' Stolen credentials, 2FA codes, and government ID photos are exfiltrated to Telegram. The operators then sell the stolen accounts back to victims through their own recovery service.