#0640KKasperskyabout 1 month ago6 min▣LLM reporthigh A cybercrime campaign is targeting users of pirated media sites with a fake video player update that deploys a modified SilentCryptoMiner and a Remote Access Trojan (RAT). The malware utilizes DLL side-loading, DNS tunneling for initial check-ins, and a DGA for C2 communications, while employing a Watchdog component to ensure persistence via a rogue Google Update service.
#0639
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security published a daily digest of 8 security advisories on May 27, 2026. The digest highlights critical updates across multiple enterprise platforms, notably including an out-of-band patch from Microsoft for a SharePoint Remote Code Execution vulnerability (CVE-2026-45659) and a mandatory signing key rotation for GitHub Enterprise Server.
#0638
Arctic Wolfabout 1 month ago6 min▣LLM reportcritical Threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient EMS, to deploy a novel credential stealer named EKZ Infostealer to managed endpoints. The attackers abused legitimate VPN scripting workflows to execute malicious PowerShell commands that downloaded the stealer, which subsequently harvested browser credentials and exfiltrated them to a threat-actor-controlled server.
#0637
Cisco Talosabout 1 month ago4 min▣LLM reporthigh Cisco Talos disclosed four heap-based buffer overflow vulnerabilities in MediaArea MediaInfoLib version 26.01. These flaws (CVE-2026-25104, CVE-2026-25713, CVE-2026-28764, CVE-2026-22554) can be triggered by processing a malicious media file, potentially leading to arbitrary code execution on the host system.
#0636
Cisco Talosabout 1 month ago3 min▣LLM reportlow Cisco Talos has introduced EvidenceForge, an open-source tool designed to generate high-fidelity, correlated synthetic security logs across multiple formats. The tool addresses the data bottleneck in detection engineering and SOC training by providing realistic datasets with causal ordering, background noise, and AI-assisted scenario authoring.
#0635
Huntressabout 1 month ago6 min▣LLM reporthigh Cybercriminals are shifting from traditional credential theft to session hijacking using infostealer malware, allowing them to bypass multi-factor authentication (MFA). By harvesting and replaying valid session tokens using automated tools, attackers gain rapid, stealthy access to corporate environments, which is then often monetized by Initial Access Brokers.
#0634
Elastic Security Labsabout 1 month ago6 min▣LLM reportcritical Tycoon 2FA is a prolific Phishing-as-a-Service (PhaaS) platform utilizing Adversary-in-the-Middle (AiTM) techniques to bypass MFA and steal session tokens across Microsoft 365 and Google Workspace. The kit employs sophisticated evasion tactics, automated post-compromise reconnaissance, and establishes durable persistence mechanisms, such as Device-PRT in Entra ID, which survive standard session revocation procedures.
#0633
CrowdStrikeabout 1 month ago5 min▣LLM reportcritical CrowdStrike, in collaboration with Google and Shadowserver, successfully dismantled the Glassworm botnet, a highly resilient threat targeting software developers. The threat actors utilized trojanized IDE extensions and malicious package dependencies to deploy GlasswormRAT, leveraging a complex C2 infrastructure spanning the Solana blockchain, BitTorrent DHT, and Google Calendar to maintain persistent access to developer environments.
#0632
CISAabout 1 month ago4 min▣LLM reportcritical ABB B&R Automation Runtime contains a critical Improper Resource Locking vulnerability (CVE-2025-3450) within its System Diagnostics Manager (SDM) component. An unauthenticated, remote attacker can exploit this flaw by sending a specially crafted message over the network to delete data, resulting in a denial-of-service condition that halts the affected system node.
#0631
CISAabout 1 month ago4 min▣LLM reportcritical Eppendorf BioFlo 320 bioreactors are affected by a critical vulnerability (CVE-2026-7251, CVSS 9.8) involving a hard-coded password in the VNC server. If VNC is enabled, remote attackers can exploit this flaw to gain full control over the bioreactor's user interface and data. Eppendorf has released a software update (Version 5.0) that permanently removes VNC functionality to mitigate the risk.
#0630
Trend Microabout 1 month ago7 min▣LLM reporthigh Threat actors behind the ClearFake campaign are leveraging EtherHiding to host malicious JavaScript payloads within BNB Smart Chain testnet smart contracts, bypassing traditional URL-based blocking. The attack chain begins with a compromised watering hole site and uses a ClickFix social engineering overlay to trick Windows and macOS users into executing malicious commands. This leads to the deployment of SectopRAT and ACRStealer via WebDAV DLL loading and DLL sideloading, enabling extensive credential and browser session theft.
#0629RReversinglabsabout 1 month ago5 min▣LLM reportcritical A supply chain attack dubbed 'megalodon' compromises GitHub Action YAML configurations by injecting base64-encoded malicious scripts to exfiltrate repository data. Analysis of the C2 infrastructure, identified as the NEXUS Listener framework, links this activity to a prior campaign that exploited CVE-2026-41940 in cPanel servers to deploy cryptominers and steal high-value cloud credentials.
#0628
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reportmedium The Canadian Centre for Cyber Security issued two advisories concerning control systems. Moxa addressed multiple Linux kernel vulnerabilities (Copy Fail and Dirty Frag) across various product series, while ABB mitigated a concurrent connection handling issue in its PPT30 OPC-UA Server.
#0627
CISAabout 1 month ago5 min▣LLM reportcritical ABB Ability Camera Connect versions 1.5.0.14 and earlier contain multiple critical and high-severity vulnerabilities due to an outdated bundled VLC media player component. These flaws, including buffer overflows and integer underflows, could allow an attacker to execute arbitrary code or cause a denial of service via crafted media files. The risk is significantly reduced as the application is typically deployed in isolated, air-gapped ICS environments.
#0626
CISAabout 1 month ago4 min▣LLM reporthigh ABB LVS MConfig versions 1.4.9.21 and prior contain a high-severity vulnerability (CVE-2025-9970) where user credentials are stored in cleartext in application memory. An attacker with local or physical access to the host machine can export a memory dump during runtime to extract these passwords, potentially allowing unauthorized modification of low voltage switchgear components.
#0625
CISAabout 1 month ago4 min▣LLM reportmedium ABB Terra AC wallbox EV chargers are affected by a heap-based buffer overflow vulnerability (CVE-2025-5517, CVSS 6.8) due to improper length validation of OCPP fields. An attacker who hijacks the OCPP backend or intercepts unencrypted HTTP traffic can send crafted messages to execute arbitrary code, alter firmware, or cause a denial of service.
#0624
Check Pointabout 1 month ago5 min▣LLM reporthigh During March-April 2026, threat actors increasingly deployed commercial AI models for real-time offensive operations, including automated intelligence analysis, BEC drafting, and vulnerability exploitation. Key developments include the weaponization of agentic configuration files for persistent jailbreaks, the rise of AI-integrated PhaaS platforms like EvilTokens, and the mass harvesting of AI provider credentials. Furthermore, AI capabilities are compressing the vulnerability patch window, allowing attackers to weaponize newly disclosed CVEs within hours.
#0623
ANY.RUNabout 1 month ago6 min▣LLM reporthigh In May 2026, ANY.RUN observed a surge in sophisticated phishing and malware campaigns utilizing fileless execution, browser-based credential theft, and legitimate workflow abuse. Key threats included Agent Tesla credential harvesting, ClickFix fileless malware, BlobPhish in-memory page generation, and phishing-to-RMM chains bypassing traditional MFA via real-time OTP interception.
#0622
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security released a daily advisory digest summarizing security updates from IBM, Roundcube, Dell, Ubuntu, CISA (ICS), Red Hat, and cPanel. Organizations are strongly encouraged to review the respective vendor advisories and apply available patches to mitigate potential vulnerabilities across enterprise, cloud, and industrial control systems.
#0621
Check Pointabout 1 month ago5 min▣LLM reporthigh This threat intelligence report highlights multiple high-profile breaches, including 7-Eleven and GitHub, alongside the active exploitation of vulnerabilities in Windows Defender, Trend Micro, and Drupal. It also details emerging threats such as the Kali365 phishing kit, AI-driven prompt injection attacks, the Nimbus Manticore IRGC-linked campaign deploying the MiniFast backdoor, and a supply chain attack on Laravel Lang packages.