Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

NFCShare Android malware poses as bank app updates to steal card data

Researchers at D3Lab warn that new versions of the NFCShare Android malware are spreading as fake updates for real banking apps, hosted on GitHub to look legitimate. Targeting customers of European banks, the malware shows a fake verification screen that tells victims to hold their payment card against the phone. It then uses the phone's NFC chip to read the card number, type, and expiry, and tricks the victim into typing their 4-digit PIN, sending it all to the attacker's server. That stolen data feeds NFC relay fraud, where criminals use it to make contactless payments or withdrawals. The malware only works if users sideload it.

Check
On managed Android devices, look for banking apps installed from outside Google Play and any app that requests an NFC card scan during a verification step.
Affected
Android users, mainly customers of European banks, who sideload fake banking app updates from GitHub or other non-Play sources and follow prompts to scan their cards.
Fix
Install banking apps only from Google Play, keep Play Protect enabled, and never scan a payment card or enter a PIN in response to an in-app verification prompt.

Meta disrupts new NSO spyware phishing aimed at WhatsApp users

Meta says it caught and shut down fresh spear-phishing attempts linked to Israeli spyware maker NSO Group that tried to lure WhatsApp users into clicking malicious links leading to sites outside the app, mirroring the one-click attacks NSO has used to plant its Pegasus spyware. Meta also found and removed NSO-created test accounts and groups, and published the malicious domains involved. The company is now asking a US federal court to hold NSO in contempt for violating the permanent injunction issued last year barring it from targeting WhatsApp. High-risk users such as journalists, activists, and officials are the usual targets of this kind of mercenary spyware.

Check
Block the NSO-linked phishing domains Meta published at your web and DNS gateways, and review whether high-risk staff received WhatsApp messages pushing links to external sites.
Affected
WhatsApp users targeted by one-click social-engineering links, especially high-risk individuals like journalists, activists, and government officials who are typical mercenary-spyware targets.
Fix
Avoid clicking links in unsolicited WhatsApp messages, enable Lockdown Mode on iOS and Android for high-risk users, keep devices fully updated, and block the published malicious domains.

New C0XMO botnet exploits DD-WRT router flaw, wipes rival malware

Fortinet has uncovered a new botnet called C0XMO, built from the long-running Gafgyt malware family, that breaks into devices by exploiting an old flaw (CVE-2021-27137) in the UPnP service of DD-WRT router firmware. A booby-trapped network request gives the attacker code execution with no login needed. Once in, C0XMO digs in with hidden files and cron jobs that re-run it every 15 minutes, then hunts down and deletes rival botnets and even researchers' security tools to keep the device to itself. A separate scanner spreads it across many chip types (ARM, MIPS, x86, and more), and infected devices are wired up to launch 19 kinds of denial-of-service floods.

Check
Audit routers and IoT devices for DD-WRT firmware vulnerable to CVE-2021-27137, and hunt Linux hosts for hidden .sys files, 15-minute cron jobs, and modified shell profiles.
Affected
DD-WRT router firmware with the vulnerable UPnP/SSDP service (CVE-2021-27137) reachable on UDP port 1900, plus Linux and IoT devices with weak Telnet or SSH credentials.
Fix
Update DD-WRT firmware to a fixed build, disable UPnP and internet-facing Telnet/SSH, set strong unique admin credentials, and remove the malware's cron jobs and hidden payloads.

Silent Ransom Group hits law firms with fake IT support calls

Mandiant has detailed how the extortion crew Silent Ransom Group (also tracked as Luna Moth and UNC3753) is breaking into US law firms and other professional-services companies through phone calls rather than malware. Attackers send a harmless-looking invoice or data-migration email, then call the target pretending to be internal IT support, talk them into starting a screen-share, and get them to install a remote management tool that hands over access. From there, Mandiant has seen data located, staged, and stolen in under an hour. The group skips encryption entirely, instead threatening to leak stolen files unless paid. A recent FBI alert added in-person office visits to the playbook.

Check
Review RMM and remote-access tool installs from the past month tied to inbound IT support calls, and flag invoice or data-migration emails sent from consumer addresses.
Affected
US law firms and financial and professional-services organizations whose staff can be phoned and talked into screen-sharing or installing remote management software.
Fix
Require staff to verify any IT support contact through a known internal channel before granting access, restrict who can install RMM tools, and enforce phishing-resistant MFA.

Five Eyes warns China is recruiting officials via fake job offers

The Five Eyes intelligence agencies (US, UK, Canada, Australia, and New Zealand) issued a joint bulletin, "Safeguarding Our Secrets," warning that Chinese military intelligence officers are posing as recruiters on sites like LinkedIn, Indeed, and Upwork. Fronting as think tanks, consultancies, or HR firms, they post fake jobs such as foreign-policy or defense-analyst roles, then use the interview process to pressure targets into handing over classified or non-public information. The agencies say current and former government, military, defense-contractor, research, and journalist personnel are all in scope, with extra focus on those tied to the Indo-Pacific. The goal is harvesting privileged military, political, and economic intelligence.

Check
Brief staff in sensitive government, defense, and research roles to scrutinize unsolicited recruiter and consulting approaches, and check whether anyone has shared non-public information during one.
Affected
Current and former Five Eyes government, military, defense-contractor, policy, research, and journalist personnel with access to classified or privileged information, especially those linked to the Indo-Pacific.
Fix
Verify recruiters and employers through official channels before engaging, never discuss sensitive work in interviews, and report suspected approaches to your security team or national agency.

Miasma worm hits 73 Microsoft GitHub repos, targets AI coding tools

The self-spreading Miasma worm, a variant of the Shai-Hulud malware linked to the group TeamPCP, has reached Microsoft's own code. Using a stolen access token, attackers pushed a malicious commit into the Azure durabletask repository, and GitHub disabled 73 repositories across four Microsoft organizations including Azure and MicrosoftDocs. The twist: the planted code runs automatically when a developer opens the project in an AI coding assistant like Claude Code, Cursor, Gemini CLI, or VS Code, then harvests cloud and developer credentials and uses them to infect more projects. It hides the trigger inside a build file (binding.gyp) that most security tools ignore.

Check
Search your GitHub orgs for commits, public repos, or build files matching Miasma naming patterns, and review AI coding agent configs (binding.gyp, agent rules) for unexpected auto-run payloads.
Affected
Organizations using npm, PyPI, or GitHub alongside AI coding assistants (Claude Code, Cursor, Gemini CLI, VS Code). Stolen maintainer tokens enable backdoored package and repo publishing.
Fix
Rotate GitHub, npm, and cloud credentials exposed to affected projects. Remove malicious commits and configs, enforce 2FA and short-lived tokens, and block install-time scripts in CI.

Free apps turn smart TVs into hidden web-scraping proxies

Researchers at Include Security have shown how a software kit made by Bright Data, embedded inside free apps on Samsung, LG, and Roku smart TVs, quietly turns those always-on devices into relays for someone else's web-scraping traffic. Users opt in through a consent screen buried in the TV's menu, then their home internet connection is used to fetch web pages for Bright Data's paying customers, many of them AI firms. The researchers found the control channel barely checks who is issuing commands, weaker than many malware families, and on iPhones the traffic even slips past VPNs and normal monitoring tools.

Check
On managed mobile devices, scan apps for the Bright Data SDK using the binary symbols BrdWebSocketFacade and BrdNetwork.DNSResolver, and watch networks for unexplained outbound scraping traffic.
Affected
Samsung, LG, Roku, and other smart TVs plus iOS and Android phones running free apps that bundle the Bright Data (formerly Luminati) residential-proxy SDK.
Fix
Uninstall apps that bundle the proxy SDK, decline the bandwidth-sharing consent prompt, and block the SDK on managed devices via MDM app-vetting and outbound network policy.

Android spyware Asin targets Arabic journalists via fake news and map apps

Security firm ESET has detailed a new Android spyware it calls Asin that targets Arabic-speaking users, likely journalists and open-source investigators. Victims are lured to convincing fake websites posing as a government news service, a secure PDF reader, and live war-map tools, some promoted through Facebook and Telegram pages. The sites offer apps such as GovLens, WarMap, and Syria Defense Map that work as advertised but hide spyware underneath. Because the apps come from outside official stores, victims must manually install them and grant permissions. ESET has not tied the campaign to a known group, and its exact goals remain unclear.

Check
Review managed Android devices for sideloaded apps named GovLens, WarMap, or Syria Defense Map, and check DNS and proxy logs for the known Asin distribution domains.
Affected
Android users in Arabic-speaking regions, especially journalists and OSINT researchers, who sideloaded apps from govlens[.]net, pdf-reader[.]help, live-war-map[.]com, or syriadefensemap[.]com.
Fix
Remove the malicious apps, block the listed domains at your DNS or proxy, disable installation from unknown sources, and run a mobile security scan on affected phones.

FIFA World Cup 2026 fraud wave hits fans before June 11 kickoff

With the FIFA World Cup kicking off June 11 across the US, Canada, and Mexico, the FBI and researchers at Group-IB and Fortinet warn that a large fraud operation is already running. Group-IB tracked more than 4,300 fake FIFA websites and a Chinese-speaking crew, GHOST STADIUM, that cloned the official site pixel-for-pixel, fake login and all, across 300-plus domains. Scams include bogus ticket, merchandise, and hospitality sites, fake streaming apps that hide banking malware, and betting sites that harvest passport scans for identity theft. With tickets scarce and 150 million requests filed, scammers are exploiting fans' urgency to steal logins, money, and personal data.

Check
Warn staff and remind yourself to verify any World Cup ticket, merchandise, or streaming offer, and check security logs for employee visits to lookalike FIFA domains.
Affected
Anyone buying World Cup tickets, merchandise, hospitality, or streaming access, plus job seekers; employees using work devices or accounts to shop for the tournament.
Fix
Buy only via fifa.com typed directly into the browser, avoid sponsored search results and emailed links, and block known fraudulent FIFA domains at your web gateway.

Chinese APT UNC5221 keeps 18-month Microsoft 365 access with Brickstorm backdoor

Volexity has detailed Chinese espionage group UNC5221 (also VerdantBamboo) maintaining access to a victim's Microsoft 365 environment using the Brickstorm backdoor plus previously undocumented malware named Plenet and AgentPSD. The actor sat on the network at least 18 months before detection and had also compromised the victim's MSP. UNC5221 has exploited edge-device zero-days since at least 2023; Brickstorm began as Golang, later Rust. In this case the group pivoted from a compromised Egnyte Storage Sync system through the victim's SSL VPN, then used Brickstorm proxying and stolen credentials to reach Microsoft 365 - deliberately blending with legitimate traffic to evade Conditional Access. It re-breached the org after remediation.

Check
Hunt for Brickstorm, Plenet, and AgentPSD indicators across edge devices and M365. Review Conditional Access logs for VPN-proxied logins blending with legitimate traffic. Audit MSP access paths into your environment.
Affected
Organizations (and their MSPs) running internet-facing edge devices and Egnyte/SSL-VPN infrastructure. UNC5221 maintains multi-year persistence via Brickstorm proxying and stolen credentials to reach Microsoft 365 undetected.
Fix
Apply Volexity IoCs. Harden Conditional Access against proxied logins, rotate credentials, and scrutinize MSP connections. Assume long dwell time - hunt historically and re-verify after remediation, since the group re-breached.