Category: Cybersecurity

Latest Arabian cybersecurity news covering global cyber threats, ransomware attacks, data breaches, digital espionage, and technology security developments affecting governments, companies and individuals.


Hackers are exploiting demand for OpenClaw by circulating a counterfeit installer that delivers Hologram, a Rust-based information-stealing framework built to harvest credentials from crypto wallets, password managers and browser extensions. Security analysis of the campaign shows a polished fake installer site distributing an archive named OpenClawx64.7z. Inside it is OpenClawx64.exe, a bloated 130MB executable designed to appear legitimate while frustrating automated sandbox checks. The payload is tied to a wider abuse pattern in which attackers mimic fast-growing AI tools, open-source

Cloud security teams are facing a new credential-theft campaign after researchers identified PCPJack, a worm-like malware framework built to compromise exposed container, database and cloud-native systems while stripping away traces of rival TeamPCP tooling. The framework targets internet-facing Docker APIs, Kubernetes environments, Redis and MongoDB instances, Ray dashboards and vulnerable web applications. Its operators appear less interested in cryptomining, a familiar revenue stream in cloud intrusions, and more focused on harvesting credentials that can be used for fraud, spam operations, extortion

Fraudulent Android apps promising private call records for any phone number drew more than 7.3 million downloads on Google Play before being removed, exposing fresh weaknesses in app-store screening, digital payments oversight and consumer protection around subscription fraud. The 28 apps, tracked under the name CallPhantom, advertised access to call histories, SMS records and WhatsApp call logs, a service they could not legitimately provide. Users were asked to pay before seeing the full results, but the information displayed after payment

Cybersecurity researchers have identified a targeted espionage-style malware campaign that uses GitHub Releases to conceal payload delivery, combining phishing, trusted cloud infrastructure and a fileless Python implant to steal sensitive data from Windows systems. The operation, tracked as Operation HumanitarianBait, begins with phishing emails carrying a malicious Windows shortcut file inside a RAR archive. The lure is built around Russian-language humanitarian aid material, including what appears to be an application form for assistance. Once opened, the shortcut launches a hidden infection

Commercial artificial intelligence models helped an unidentified adversary plan and conduct a cyber intrusion against the operational technology environment of a water and drainage utility in Mexico, sharpening concern over how widely available AI systems can accelerate attacks on critical infrastructure. Industrial security specialists at Dragos said the campaign targeted a municipal utility serving the Monterrey metropolitan area after a wider compromise of Mexican government organisations between December 2025 and February 2026. The intrusion began in the enterprise IT network and

Corporate login credentials have become a growing internal security weakness, with one in eight workers admitting they have sold access to company systems or know someone who has done so over the past year. The finding points to a shift in workplace fraud risk from external hacking alone to insider-enabled access, where criminals can enter corporate systems through legitimate credentials rather than breaking through technical defences. The issue is gaining urgency as businesses expand remote work, cloud platforms, contractor access and

Malicious NuGet packages masquerading as familiar .NET libraries have put developer workstations and build environments at risk of credential theft, with attackers using plausible package names, hidden version histories and obfuscated payloads to target users in Chinese software ecosystems. Five packages identified in the campaign — IR.DantUI, IR.OscarUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core and IR.iplus32 — were published through the same account, bmrxntfj. They presented themselves as user interface and infrastructure components for .NET development, a

Cybercriminals are turning Vercel’s AI-assisted web development tools into a faster route for building convincing phishing pages, raising fresh concerns over how legitimate cloud platforms are being exploited to steal credentials and evade traditional email defences. Security analysts tracking the activity have identified a sharp rise in campaigns using Vercel-hosted pages to imitate widely recognised brands, including Microsoft, Spotify, Adidas, Ferrari, Louis Vuitton and Nike. The lures range from fake sign-in portals and calendar invites to bogus recruitment messages and brand-themed

Hackers are using sponsored Google search results to steal ManageWP credentials, raising fresh concerns over the exposure of agencies, developers and businesses that administer large fleets of WordPress websites through a single GoDaddy-owned dashboard. The campaign places a fraudulent advertisement above the legitimate ManageWP search result, copying the platform’s branding and directing users to a look-alike login page. Victims who search for ManageWP rather than typing the official address manually are led into an adversary-in-the-middle phishing flow that captures credentials and

Mac users are being targeted by a widening ClickFix campaign that disguises malicious commands as disk-cleaning and system-maintenance advice, turning routine troubleshooting into a route for credential theft, wallet compromise and cloud-data exposure. The attacks use pages that appear to offer help with storage optimisation, system clean-up or utility installation. Victims are instructed to copy commands into Terminal, or in some variants to trigger Apple’s Script Editor, under the impression that they are reclaiming disk space or installing trusted helper tools.

Cybersecurity investigators have linked a Microsoft Teams-based credential theft operation to MuddyWater, the state-sponsored threat group associated with Iran’s intelligence apparatus, after an intrusion first presented itself as an ordinary Chaos ransomware attack. The operation, detected in early 2026 and detailed this week, shows how trusted workplace collaboration tools are being turned into entry points for espionage. Attackers used Teams chats and screen-sharing sessions to trick employees into handing over credentials, assist with multi-factor authentication approvals and provide access that later

Cybersecurity teams are tracking a more capable strain of Salat Stealer, a Windows-focused malware family that has moved beyond routine credential theft into full remote access, surveillance and stealthy command-and-control activity. The Go-based tool, also tracked as WEB_RAT, combines the functions of an infostealer and a Remote Access Trojan. Its operators can harvest browser passwords, cookies, Telegram sessions, cryptocurrency wallet data and system details, while also opening remote shells, logging keystrokes, watching the clipboard, streaming desktop activity and accessing webcams. The

Cybercriminals are exploiting Microsoft’s Phone Link app to intercept text messages and one-time passwords from connected smartphones without installing malware on the phone itself, exposing a fresh weakness in cross-device authentication systems. The activity centres on CloudZ, a modular remote access trojan deployed on Windows machines, and a previously undocumented plugin called Pheno. The malware has been observed in an intrusion active since at least January 2026, using the trust relationship between a Windows PC and a paired mobile device to

Cybersecurity investigators have linked a deceptive ransomware-style intrusion to MuddyWater, a state-sponsored hacking group associated with Tehran’s intelligence apparatus, after forensic evidence showed the operation was built around espionage rather than financial extortion. The campaign, observed in early 2026, was presented to victims as an attack by an affiliate of the Chaos ransomware-as-a-service ecosystem. Yet the intrusion lacked a defining feature of ransomware: there was no file encryption. Instead, the attackers focused on social engineering, credential theft, multi-factor authentication manipulation, persistence,

Omani government networks have been hit by a wide-ranging espionage campaign attributed to Iran-linked operators, with evidence pointing to the theft of judicial records, identity data, staff credentials and internal system files from multiple state entities. The operation centred on the Ministry of Justice and Legal Affairs, where attackers used a custom ASP.NET webshell to maintain access, issue commands and extract data. Exposed attacker infrastructure showed more than 26,000 DotNetNuke user records taken from ministry systems, including staff email addresses

A newly documented Linux remote access trojan has sharpened concerns over software supply-chain security after researchers found it was built to steal developer and DevOps credentials that could be used to compromise trusted code repositories, cloud systems and package registries. The malware, known as Quasar Linux or QLNX, combines remote access functions with a rootkit, a Pluggable Authentication Module backdoor, keylogging and credential-harvesting features. Its design suggests an intent to establish long-term control over Linux developer environments rather than carry out

Microsoft has warned of a large-scale credential theft operation that used fake workplace compliance emails to target more than 35,000 users across over 13,000 organisations in 26 countries, underscoring how cybercriminals are refining corporate-style social engineering to bypass both human caution and automated defences. The campaign, observed between April 14 and 16, 2026, relied on emails that appeared to come from internal human resources, regulatory or conduct departments. The messages claimed that a code-of-conduct review or non-compliance case had been opened

North Korea-linked hackers compromised a gaming platform used by ethnic Koreans in China’s Yanbian region, turning Windows and Android game software into surveillance tools aimed at users in a strategically sensitive border community. Cybersecurity researchers identified the operation as the work of ScarCruft, also tracked as APT37, Reaper and Ricochet Chollima, a long-running espionage group aligned with Pyongyang. The campaign appears to have been active since late 2024 and centred on sqgame.net, a platform offering Yanbian-themed card and board games

Cybersecurity vendor Trellix has confirmed unauthorised access to part of its source-code repository, raising fresh questions over the protection of development environments inside companies trusted to defend enterprises and public-sector networks. The privately held company said it had brought in external forensic specialists after identifying the intrusion and had notified law enforcement. Trellix said its investigation had so far found no evidence that its source-code release or distribution process was affected, or that the accessed code had been exploited. The company

Small US defence suppliers are being outmatched by nation-state hackers using poorly monitored network edges to gain long-term access before attacks become visible, new cyber threat analysis has warned. Team Cymru senior threat intelligence adviser Stephen Campbell said smaller companies inside the US Defense Industrial Base face a structural disadvantage because many hold sensitive contract, technical and personnel data but lack the network-level visibility available to major prime contractors. His assessment points to routers, firewalls, VPN concentrators and other edge devices

Malicious code inserted into four SAP-related npm packages exposed developer workstations and automated build systems to credential theft, marking a sharp escalation in attacks against open-source software supply chains used by enterprise technology teams. The compromised packages were published on April 29, 2026, and affected components tied to SAP’s Cloud Application Programming Model and Multi-Target Application build workflows. The malicious versions identified were @cap-js/sqlite 2.2.2, @cap-js/postgres 2.2.2, @cap-js/db-service 2.10.1 and mbt 1.2.48. Each carried installation-time code that could run before developers

Microsoft detected about 8.3 billion email-based phishing threats in the first quarter of 2026, exposing a sharp shift in attacker behaviour as criminal groups moved deeper into QR codes, fake CAPTCHA pages, phishing-as-a-service kits and file-based payloads to bypass conventional email defences. The volume eased from about 2.9 billion threats in January to 2.6 billion in March, but the decline in headline numbers masked a more important change in tactics. Link-based threats dominated the quarter, accounting for 78 per cent of

A publicly released exploit for a critical cPanel and WebHost Manager flaw has intensified pressure on hosting companies and website operators after monitoring groups reported tens of thousands of likely compromised internet-facing systems. The vulnerability, tracked as CVE-2026-41940, allows unauthenticated attackers to bypass login controls and obtain administrative access to affected cPanel & WHM environments. The weakness carries a CVSS severity score of 9.8, placing it among the highest-risk flaws facing shared hosting providers, managed server operators and organisations running exposed

More than 30,000 Facebook accounts have been compromised in a large phishing operation that exploited trusted internet services to make fraudulent messages appear legitimate, sharpening concerns over how cybercriminals are turning mainstream cloud tools into delivery channels for account theft. Cybersecurity researchers have identified the campaign as AccountDumpling, a Vietnamese-linked operation aimed largely at Facebook Business users, page administrators and account operators. The attackers used Google AppSheet to send authenticated emails, Netlify and Vercel to host deceptive pages, Google Drive to

Wireshark has issued version 4.6.5 after a large batch of security flaws was identified across its packet dissection engine, protocol parsers and file-handling components, underscoring the risk faced by administrators and security teams using the tool to inspect untrusted network traffic. The release fixes more than 40 vulnerabilities, including several flaws that may allow arbitrary code execution when malformed packets, crafted trace files or malicious configuration profiles are processed. The update affects one of the world’s most widely used network protocol

Google has issued an urgent Chrome security update after fixing 30 vulnerabilities, including four critical memory-related flaws that could expose users to attacks through compromised or malicious web pages. The update moves Chrome’s stable desktop channel to version 147.0.7727.137 or 147.0.7727.138, depending on platform, and is being rolled out across Windows, macOS and Linux. Users have been advised to restart the browser after the update is installed, as Chrome does not fully apply security fixes until the relaunch is completed. The four

A fake video meeting can now be enough to breach a Web3 company, with North Korea-linked BlueNoroff hackers using bogus Zoom calls, clipboard tricks and fileless PowerShell malware to steal credentials from cryptocurrency targets across multiple countries. The campaign marks a sharper turn in social engineering against the digital assets sector, where attackers are no longer relying only on malicious attachments or crude phishing pages. Instead, they are building convincing meeting environments, impersonating credible figures in the fintech and legal world,

A malicious npm dependency slipped into an AI-assisted crypto trading project has exposed how automated coding tools can be manipulated into importing software that steals credentials, wallet data and source code. The campaign, named PromptMink by security researchers, centres on the npm package @validate-sdk/v2, which presents itself as a utility for hashing, validation, encoding, decoding and random generation. Its actual function is to harvest secrets from infected developer environments, including files linked to crypto wallets, API keys and project credentials. The package

Cyber literacy has become the leading global people risk as employers confront ransomware, AI-enabled fraud, technology skills gaps and fragile workforce readiness, Marsh’s 2026 People Risks survey has found. The report, based on views from 4,517 human resources and risk professionals across 26 markets and 12 industries, places inadequate cyber threat literacy at the top of the global risk list. Technology skills shortages, including cyber and artificial intelligence capabilities, rank third, showing how quickly digital ambition is colliding with the limits

ZetaChain has paused cross-chain transactions after a smart contract attack targeted its GatewayEVM infrastructure, adding fresh pressure on interoperability projects that move assets and messages across multiple blockchains. The incident was flagged on April 27 when Blockaid warned users about an active exploit involving ZetaChain cross-chain contracts and urged anyone with approvals to GatewayEVM contracts on Ethereum, Arbitrum, Base and other EVM-compatible chains to revoke permissions immediately. ZetaChain later said the attack affected only internal team wallets, that no user funds

A hardcoded API key embedded in ClickUp’s public website exposed 959 corporate and government email addresses and more than 3,000 internal feature flags for over a year, intensifying scrutiny of security controls at widely used software-as-a-service platforms. The exposure was tied to a production JavaScript bundle that loaded before authentication, allowing anyone inspecting the page source to extract a third-party SDK token and send an unauthenticated request to a backend service. The data returned reportedly included enterprise email addresses, internal targeting

Vect 2.0 has emerged as a fast-evolving ransomware-as-a-service operation capable of striking Windows, Linux and VMware ESXi systems, raising concern among security teams responsible for hybrid corporate networks and virtualised infrastructure. The group’s latest tooling marks a shift from single-platform extortion campaigns towards attacks designed to spread across workstations, servers and hypervisors. That matters because ESXi environments often host multiple virtual machines on a single physical server, allowing one intrusion to disrupt a large part of an organisation’s operations. For companies

BlueNoroff has intensified its campaign against cryptocurrency executives by combining fake Zoom meetings, AI-generated video lures and fileless PowerShell malware in an intrusion that gave attackers access to a North American Web3 company for 66 days. The operation, first detected after an intrusion began on 23 January 2026, marks a sharper turn in North Korea-linked cyber activity against digital asset businesses. Instead of relying on crude phishing pages or malicious attachments, the attackers used a manipulated Calendly invitation, a typosquatted Zoom

Rival ransomware crews 0APT and KryBit have disrupted each other’s operations after leaking internal data, exposing an unusual cybercriminal feud that has given defenders a rare view into the infrastructure, tactics and credibility gaps behind emerging extortion groups. The confrontation began on 13 April 2026, when 0APT listed KryBit, Everest and RansomHouse as victims on its leak site. KryBit responded a day later by breaching 0APT’s infrastructure, defacing its leak site and publishing operational files that undermined 0APT’s own claims. The
