Italy extradited Chinese national Xu Zewei to the US on Friday, where he is accused of running a years-long Chinese government-linked spear-phishing campaign that targeted US Covid-19 researchers, universities, and law firms. The case is notable because it's the first time a European country has extradited a Chinese state-linked hacker to the US, and signals tighter coordination between European and US prosecutors on China-attributed cyber operations. Xu was arrested in Milan in July 2024 on a US warrant; Italy's highest court approved the extradition this month after his appeals were exhausted. He could spend decades in US federal prison.
Litecoin's privacy add-on, called MWEB, was attacked over the weekend in a way that forced the network to rewind 13 blocks of history (about 32 minutes) to undo invalid transactions. The interesting part for non-crypto people: developers had quietly fixed the bug between March 19 and 26 but never required mining pools to actually deploy the fix. Some pools updated, some didn't. Attackers waited 37 days and exploited the gap between patched and unpatched nodes, draining roughly $600,000 from cross-chain swap protocols including NEAR Intents. The pattern - quiet fix followed by slow rollout - is the same coordination failure that bites every distributed system, not just blockchains.
Der Spiegel reported on April 25 that German government sources now blame Russia for a large-scale Signal phishing campaign that compromised the account of Bundestag President Julia Klöckner. At least 300 Signal accounts of German political figures were targeted; investigators say attackers accessed chat histories, files, and phone numbers. Chancellor Friedrich Merz was in the same CDU group chat as Klöckner but his device showed no signs of compromise. The attack used pure social engineering - operators posed as Signal support and asked victims to share verification codes or PINs.
Researchers at SentinelOne found malware from 2005 that did something nobody had documented before: it quietly made engineering simulation programs give wrong answers. Instead of stealing data or crashing systems, it tampered with the math behind tools like LS-DYNA (used to design things like car crash safety and weapons), so the results looked normal but were subtly off. The malware, called fast16, is older than Stuxnet - the famous attack on Iran's nuclear program - by five years. Its name appears in leaked NSA files, suggesting the US built it. Discovered via an old file uploaded to VirusTotal in 2016.
Socket reported 73 newly identified malicious extensions on Open VSX, the marketplace used by VS Code, Cursor, and Windsurf editors. The extensions impersonate popular developer tools - same name, same icon, but published by newly-created GitHub accounts with empty repositories. Instead of being malicious from day one, they sit harmlessly for weeks gathering downloads and trust, then push a 'normal' update that silently installs malware. Six of the 73 extensions have already activated; the rest are still in the sleeper phase. The campaign is part of GlassWorm, an ongoing supply-chain attack family that has been working its way through npm, GitHub, and editor extension marketplaces since 2025.
Palo Alto's Unit 42 and the Retail & Hospitality ISAC outed a new financially-motivated group tracked as BlackFile (CL-CRI-1116, UNC6671, Cordial Spider) running data-theft extortion against retail and hospitality since February 2026 with seven-figure ransoms. The playbook: spoofed-VoIP vishing, attackers posing as IT helpdesk, victims routed to phishing pages capturing Microsoft Entra/Okta/Google SSO credentials, attackers then register their own devices to bypass MFA and pivot into Salesforce and SharePoint. Unit 42 links the group to 'The Com' and notes it has used swatting against non-paying victims. TTPs overlap heavily with ShinyHunters and Scattered Spider.
ANY.RUN and Dark Reading published research on Mach-O Man, a new macOS malware kit Lazarus is deploying against fintech and crypto executives. The chain begins on Telegram with what looks like a legitimate meeting invite from a known contact, leading to a fake Zoom/Teams/Meet page that displays a fake 'connection issue' and instructs the executive to copy-paste a command into Mac Terminal. That ClickFix command grabs credentials, browser sessions, and Keychain data and exfiltrates over Telegram bot APIs. Lazarus has used the same template across the Drift and KelpDAO compromises, totaling more than $500M stolen in two weeks.
Kaspersky identified 26 malicious iOS apps live on the Apple App Store impersonating major cryptocurrency wallets including MetaMask, Coinbase, Trust Wallet, Ledger, TokenPocket, imToken, Bitpie, and OneKey. The campaign, named FakeWallet and linked to the SparkKitty operation, has been running since fall 2025. The apps used typosquatted names, cloned icons, and stub functionality (games, calculators, task planners) to pass App Store review. Some embed compromised viewDidLoad routines that scan the screen for mnemonic words as the user types and exfiltrate seed phrases via RSA-encrypted payloads. Apple removed 25 of the 26 after disclosure; the developer behind the 26th was terminated.
Zscaler ThreatLabz attributed a March 12 campaign to Tropic Trooper (APT23, Earth Centaur, KeyBoy, Pirate Panda), the China-linked group active since 2011. The new wave targets Chinese-speaking users in Taiwan plus targets in South Korea and Japan with AUKUS-themed lures. Two notable changes: a custom AdaptixC2 Beacon listener instead of Cobalt Strike, and GitHub Issues as the C2 channel. The dropper is a trojanized SumatraPDF reader that runs a TOSHIS-variant shellcode loader and drops AdaptixC2 in memory. For high-value victims, operators push VS Code and configure a tunnel ('code tunnel user login --provider github') for full remote access.
NASA's Office of Inspector General published a retrospective on April 24 detailing how Chinese national Song Wu, an engineer at a state-owned Chinese aerospace and defense conglomerate, ran a multi-year spear-phishing campaign from January 2017 to December 2021. Song impersonated real US engineers known to his targets and asked over email for copies of specific aerospace modeling software and source code that could design or modify weapons platforms. Targets included staff at NASA, US Air Force, Navy, Army, FAA, major universities, and private aerospace firms. Several victims, believing they were helping a friend, sent the requested software - inadvertently violating US export control laws.
TrustStrike Labs