ESET disclosed CallPhantom, a campaign of 28 fraudulent Android apps on Google Play that promised to reveal call histories, SMS records, and WhatsApp call logs for any phone number. Combined downloads: 7.3 million. After payment (weekly, monthly, or annual subscriptions up to $80), users receive fabricated phone numbers and names hardcoded into the apps. Targeting was India-focused (apps came pre-set with +91 country code and UPI integration via Google Pay, PhonePe, and Paytm) plus broader Asia-Pacific. Some apps embedded direct credit card forms, violating Play policy and making refunds harder. Google removed the 28 apps after ESET's report.
Update on the Head Mare campaign we covered April 28: Kaspersky now reports that BO Team (also known as Black Owl) and Head Mare appear to be coordinating cyber operations against Russian organizations, sharing command-and-control infrastructure on the same compromised hosts. The likely division of labor: Head Mare phishes for initial access, then BO Team takes over for malware deployment. BO Team has shifted from destructive attacks to covert espionage, and in Q1 2026 hit 20 Russian organizations across manufacturing, telecoms, and oil and gas. The group uses BrockenDoor and Remcos backdoors. Earlier BO Team campaigns hit a Russian drone supplier and the federal digital signature authority.
Researchers disclosed TCLBANKER, an Android banking trojan that adds worm-style self-propagation: once installed, it abuses Accessibility Services to read the victim's WhatsApp and Outlook contact lists and then send malicious download links to every contact as if from the victim. The malware targets banking and crypto-wallet apps with overlay screens that capture credentials, plus SMS-interception modules that grab one-time passcodes. Self-spreading via the victim's own messaging history defeats traditional URL-reputation controls. The campaign concentrates in Brazil, Spain, and Italy banking apps initially. Operators are renting access on Telegram for $1,500-3,000/month.
BleepingComputer and The Hacker News disclosed a new credential-stealing worm called PCPJack that hunts and removes the well-established TeamPCP malware family before installing itself - the first observed case of one cybercrime operation systematically displacing another at scale. PCPJack exploits five separate vulnerabilities to spread worm-like across cloud and Linux environments, then steals SSH keys, AWS credentials, GitHub tokens, and other secrets. Operators replace TeamPCP files in place rather than just disabling them, suggesting an attempt to inherit TeamPCP's existing victim base. The pattern signals a maturing cybercrime market.
BleepingComputer reports a fake Claude AI website is delivering a previously undocumented Windows malware called Beagle. The site impersonates Anthropic's Claude with a near-perfect clone of the official UI; visitors who click 'Download for Windows' get a Beagle installer rather than the legitimate Claude desktop app (Anthropic distributes Claude through claude.ai and the Mac App Store, not standalone Windows installers). Beagle harvests credentials from browsers, cryptocurrency wallets, Discord tokens, and SSH keys. Distribution is via Google Ads on Claude-related search terms - the same paid-placement abuse pattern hitting GoDaddy ManageWP, AWS, and Notion.
Polish intelligence service ABW announced Wednesday that hackers attacked the industrial control systems at multiple Polish water treatment plants. The Record reports the targeting profile is consistent with state-aligned activity - patient reconnaissance, careful access, no data destruction. Polish authorities have not formally attributed the attack but the timing (alongside Russia-Ukraine conflict and Russia's interest in Polish infrastructure as a NATO frontline state) is unmistakable. Similar incidents have been reported in Germany, Austria, and the Netherlands over the past 12 months. No service disruption was reported, but the access establishes pre-positioning.
ScarCruft (also called APT37 or Reaper) built a fake online gaming platform in Korean to spread BirdCall, a previously undocumented Android malware aimed at ethnic Koreans living in China. The Record reports the platform impersonated legitimate Korean-language game communities. BirdCall harvests device information, contacts, SMS, call logs, photos, and microphone audio - capabilities consistent with surveillance of diaspora communities rather than financial gain. ScarCruft has historically targeted North Korean defectors and journalists with similar Android malware lures.
Rapid7 disclosed an Iranian state-sponsored intrusion that disguised itself as a Chaos ransomware attack to mask the real goal: cyber-espionage. The threat actor (assessed with moderate confidence as MuddyWater, linked to Iran's Ministry of Intelligence and Security) initiated chat requests through Microsoft Teams, walked employees into screen-sharing sessions, then captured credentials and manipulated MFA prompts. Some victims were asked to type their passwords into local text files during the call. Persistence came from a custom backdoor (Game.exe) deployed alongside DWAgent, AnyDesk, and RDP. The fake ransomware note and Chaos leak-portal entry concealed the espionage.
BleepingComputer reports a phishing campaign that bought Google Ads to push a fake GoDaddy ManageWP login page to the top of search results. ManageWP is GoDaddy's centralized dashboard for managing multiple WordPress sites - so a successful phish gives the attacker simultaneous access to dozens or hundreds of sites under one account. The fake page is a near-perfect clone of managewp.com hosted on a typosquat domain; victims who enter credentials are redirected to the real site to mask the theft. Same Google Ads abuse template used recently against AWS, Notion, and other developer-tool brands.
Kaspersky disclosed yesterday that the official DAEMON Tools installer - a popular Windows disk-image utility - has been distributing a backdoor since April 8. The trojanized versions (12.5.0.2421 through 12.5.0.2434) are downloaded from the legitimate vendor website and signed with valid AVB Disc Soft certificates. Thousands of infections recorded across 100+ countries, but follow-on payloads went to about a dozen targets in retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand. Kaspersky attributes the attack to Chinese-speaking actors and says it remains active. Detection took roughly a month - similar timeline to the 2023 3CX supply-chain attack.
TrustStrike Labs