Researchers found a serious bug in VECT 2.0, a new ransomware family making the rounds: the encryption routine corrupts any file larger than about 131 KB instead of encrypting it reversibly. Files smaller than the threshold encrypt and decrypt normally; everything bigger gets permanently destroyed. Operators don't seem to know yet, so victims who pay get a working decryption tool that recovers small files and tells them the large ones are 'corrupted' - which they are, because VECT broke them on the way in. The bug affects Windows, Linux, and VMware ESXi variants. Any large file on a VECT 2.0-hit system is irrecoverable regardless of whether the ransom is paid.
North Korea's BlueNoroff group has built a self-reinforcing deepfake pipeline that turns each victim into the lure for the next attack. Arctic Wolf documented the pattern: attackers send a Calendly invite that looks like a normal business meeting, then quietly swap the Google Meet link for a typo-squatted Zoom URL. When the target joins, a fake Zoom interface secretly records their webcam feed while a clipboard-injection attack drops malware. The captured footage is mixed with AI-generated lookalikes (built using ChatGPT for synthetic portraits) and recycled into the next attack. Arctic Wolf found 950 files in BlueNoroff's media server. 80% of identified targets are crypto executives.
Russian security firm Positive Technologies attributed an ongoing intrusion campaign to PhantomCore, a pro-Ukrainian group also tracked as Head Mare, Rainbow Hyena, and UNG0901. The group is chaining three TrueConf video-conferencing vulnerabilities (patched by the vendor August 27, 2025) to bypass authentication and run commands on TrueConf servers in Russian organizations. After break-in, they drop a PHP web shell, create a rogue user named 'TrueConf2' with admin rights on the conferencing server, and pivot into the wider network using tools including Velociraptor, Memprocfs, DumpIt, and custom backdoors MacTunnelRAT and PhantomSscp. First attacks observed mid-September 2025.
Infoblox documented a telecom fraud campaign active since June 2020 that uses fake CAPTCHA verification pages to trick mobile users into sending SMS to premium-rate numbers, racking up dozens of international charges per victim. The operation runs across 35 phone numbers in 17 countries with high-fee destinations like Azerbaijan and Kazakhstan. Each fake CAPTCHA pre-populates the SMS field with a dozen recipients - so one tap charges the victim for 50+ international texts. Charges show up on bills weeks later, long after the fake CAPTCHA is forgotten. A separate finding: 120+ campaigns abusing the legitimate Keitaro traffic-distribution tool to route victims into the same scams plus crypto wallet-drainers.
Italy extradited Chinese national Xu Zewei to the US on Friday, where he is accused of running a years-long Chinese government-linked spear-phishing campaign that targeted US Covid-19 researchers, universities, and law firms. The case is notable because it's the first time a European country has extradited a Chinese state-linked hacker to the US, and signals tighter coordination between European and US prosecutors on China-attributed cyber operations. Xu was arrested in Milan in July 2024 on a US warrant; Italy's highest court approved the extradition this month after his appeals were exhausted. He could spend decades in US federal prison.
Litecoin's privacy add-on, called MWEB, was attacked over the weekend in a way that forced the network to rewind 13 blocks of history (about 32 minutes) to undo invalid transactions. The interesting part for non-crypto people: developers had quietly fixed the bug between March 19 and 26 but never required mining pools to actually deploy the fix. Some pools updated, some didn't. Attackers waited 37 days and exploited the gap between patched and unpatched nodes, draining roughly $600,000 from cross-chain swap protocols including NEAR Intents. The pattern - quiet fix followed by slow rollout - is the same coordination failure that bites every distributed system, not just blockchains.
Der Spiegel reported on April 25 that German government sources now blame Russia for a large-scale Signal phishing campaign that compromised the account of Bundestag President Julia Klöckner. At least 300 Signal accounts of German political figures were targeted; investigators say attackers accessed chat histories, files, and phone numbers. Chancellor Friedrich Merz was in the same CDU group chat as Klöckner but his device showed no signs of compromise. The attack used pure social engineering - operators posed as Signal support and asked victims to share verification codes or PINs.
Researchers at SentinelOne found malware from 2005 that did something nobody had documented before: it quietly made engineering simulation programs give wrong answers. Instead of stealing data or crashing systems, it tampered with the math behind tools like LS-DYNA (used to design things like car crash safety and weapons), so the results looked normal but were subtly off. The malware, called fast16, is older than Stuxnet - the famous attack on Iran's nuclear program - by five years. Its name appears in leaked NSA files, suggesting the US built it. Discovered via an old file uploaded to VirusTotal in 2016.
Socket reported 73 newly identified malicious extensions on Open VSX, the marketplace used by VS Code, Cursor, and Windsurf editors. The extensions impersonate popular developer tools - same name, same icon, but published by newly-created GitHub accounts with empty repositories. Instead of being malicious from day one, they sit harmlessly for weeks gathering downloads and trust, then push a 'normal' update that silently installs malware. Six of the 73 extensions have already activated; the rest are still in the sleeper phase. The campaign is part of GlassWorm, an ongoing supply-chain attack family that has been working its way through npm, GitHub, and editor extension marketplaces since 2025.
Palo Alto's Unit 42 and the Retail & Hospitality ISAC outed a new financially-motivated group tracked as BlackFile (CL-CRI-1116, UNC6671, Cordial Spider) running data-theft extortion against retail and hospitality since February 2026 with seven-figure ransoms. The playbook: spoofed-VoIP vishing, attackers posing as IT helpdesk, victims routed to phishing pages capturing Microsoft Entra/Okta/Google SSO credentials, attackers then register their own devices to bypass MFA and pivot into Salesforce and SharePoint. Unit 42 links the group to 'The Com' and notes it has used swatting against non-paying victims. TTPs overlap heavily with ShinyHunters and Scattered Spider.