CTM360 disclosed a large-scale fraud platform called FEMITBOT that uses Telegram's Mini App feature to host crypto scams, impersonate major brands, and distribute Android malware. The platform impersonates Apple, Coca-Cola, Disney, eBay, IBM, NVIDIA, BBC, and others - all backed by the same shared infrastructure identified by a common API response. The mini-apps display fake balances, countdown timers, and limited-time offers inside Telegram's WebView. Some campaigns push fake Android APKs hosted on the same domain as the API to ensure valid TLS certificates. Meta and TikTok tracking pixels measure conversion rates.
Update on the cPanel flaw covered April 30: attackers are now mass-exploiting CVE-2026-41940 to deploy a Linux ransomware called 'Sorry' that encrypts websites and demands payment to unlock them. Shadowserver confirms at least 44,000 cPanel hosts have been compromised, with hundreds of victim sites already showing up in Google search results. The Sorry encryptor is written in Go, uses ChaCha20 with an embedded RSA-2048 public key (so victims cannot recover files without the attacker's private key), and appends '.sorry' to filenames. KnownHost reports the cPanel flaw was being exploited as a zero-day since at least February 23.
Push Security disclosed ConsentFix v3, a new attack that lets criminals take over Microsoft 365 accounts even if the victim has MFA and phishing-resistant passkeys turned on. The trick: instead of stealing a password, the attacker tricks the user into pasting a Microsoft authorization URL into a phishing page during what looks like a routine login. That URL contains a one-time code that the attacker exchanges for permanent access tokens. v3 automates the whole attack with Cloudflare Pages phishing sites, Pipedream webhook automation, and tenant fingerprinting that customizes the lure to each target organization's branding.
Socket disclosed a fresh wave of supply-chain attacks targeting Ruby gems and Go modules: more than 60 typosquatted packages were uploaded to RubyGems and the Go module registry, designed to look like legitimate dependencies developers might pull into a CI pipeline. Once installed, the packages exfiltrate environment variables (which typically include AWS keys, GitHub tokens, and database credentials in CI environments) to attacker-controlled servers. The targeting is deliberate: typosquats picked names close to popular gems and Go libraries. This is the same operational pattern as the SAP npm compromise covered Wednesday, but targeting Ruby and Go ecosystems.
Guardio documented a Vietnamese-linked fraud operation that has stolen roughly 30,000 Facebook business accounts by abusing Google's AppSheet no-code platform as a phishing relay. Because the phishing emails come from noreply@appsheet.com (a real Google address), they pass SPF, DKIM, and DMARC checks that normally catch fake-Meta emails. The lures impersonate Meta Support and threaten account deletion within 24 hours unless the user 'submits an appeal.' Stolen credentials, 2FA codes, and government ID photos are exfiltrated to Telegram. The operators then sell the stolen accounts back to victims through their own recovery service.
Kaspersky disclosed a previously undocumented cyber-espionage group called HeartlessSoul that has been targeting Russian government agencies and aviation companies since at least September 2025 to steal geographic information system (GIS) data - the specialized files containing detailed maps of roads, engineering networks, terrain, and strategic facilities. The targeting suggests state-aligned interest in Russian infrastructure mapping rather than financial gain. Kaspersky did not name a likely sponsor but the targeting profile is consistent with a Ukraine-aligned or Western-aligned operator. The group uses tailored phishing, custom malware, and persistent network access.
Trend Micro disclosed a China-aligned espionage cluster called SHADOW-EARTH-053 that has been targeting government and defense organizations across South, East, and Southeast Asia plus one NATO European country since at least December 2024. The group breaks in by exploiting unpatched Microsoft Exchange and IIS servers (using known flaws like ProxyLogon), drops a Godzilla web shell for persistent access, then uses DLL sideloading to load ShadowPad - a long-running Chinese implant. The targeting overlaps with Earth Alux and REF7707, suggesting either a shared operator or shared infrastructure across China-aligned groups. Targets include journalists and activists alongside government agencies.
CrowdStrike disclosed two cybercrime groups - Cordial Spider and Snarky Spider - running fast SaaS extortion attacks that stay almost entirely inside legitimate SaaS environments. The pattern: call employees pretending to be IT support, walk them through an 'MFA reset' that's actually a credential-harvesting site that mimics their company's branding, capture the password and MFA code, then immediately log into SSO and pivot through Microsoft 365, Salesforce, and other SaaS apps. The attackers register their own device for MFA and exfiltrate data within hours. Both groups overlap with the broader ShinyHunters ecosystem (UNC6240/UNC6661/UNC6671).
Google overhauled its Vulnerability Reward Program for Android and Chrome on May 1 in response to AI tools reshaping bug hunting. The maximum Pixel Titan M reward jumped to $1.5 million for a zero-click exploit with persistence. Chrome payouts dropped across categories. Google is rewarding 'actionable reports' with concrete exploits and suggested fixes rather than raw bug volume - a response to AI tools like Anthropic's Mythos and OpenAI's GPT-5.4-Cyber generating more vulnerability reports than security teams can triage. Google paid a record $17.1 million in 2025 (up 40% from 2024) and expects 2026 aggregate rewards to increase further despite per-bug cuts.
Anthropic launched Claude Security in public beta yesterday, an enterprise tool that scans code repositories for vulnerabilities, rates each finding's severity and confidence, and generates patch instructions that engineers can apply through Claude Code. The launch is direct response to Mythos and similar AI-driven offensive tools that have been compressing the time between vulnerability disclosure and active exploitation - LiteLLM was exploited 36 hours after disclosure last week, LMDeploy in 13 hours the week before. CrowdStrike, Microsoft Security, Palo Alto Networks, SentinelOne, Trend, and Wiz are integrating Claude Opus 4.7 into their platforms.
TrustStrike Labs