Attackers are abusing Microsoft's legitimate Device Authorization Grant (OAuth 2.0 Device Code Flow) to conduct phishing attacks that bypass traditional URL-based anti-phishing defenses. By pre-fetching a device code from Microsoft's identity platform and tricking victims into entering it on the genuine login.microsoftonline.com page, attackers harvest access and refresh tokens that grant persistent access to the victim's Microsoft 365 account. Two campaign variants were observed: one using password-protected PDF attachments impersonating a law firm, and another targeting Brazilian users via open redirects on cacoo.com.
FortiGuard Labs identified an ongoing Ousaban banking Trojan campaign targeting users in Spain and Portugal, delivered via phishing PDFs that redirect victims to geofenced malicious webpages. The attack chain involves a VBS script extracting a ZIP payload from a steganographic image, with the final Ousaban EXE establishing persistence via registry Run keys and communicating with C2 servers resolved through daily-changing DDNS hostnames. The malware targets over 25 Spanish and Portuguese financial institutions and employs a custom encryption algorithm shared with the Casbaneiro family to evade detection.
The Armored Likho APT group deploys a previously undocumented Python-based infostealer called BusySnake Stealer against government agencies and electric power sector organizations in Russia, Brazil, and Kazakhstan. The malware uses PyArmor Pro obfuscation, AI-generated first-stage loaders hosted on GitHub, and a modular C2 architecture to steal browser credentials, cookies, cryptocurrency wallets, 2FA secrets, Telegram data, and screenshots. The campaign demonstrates evolving TTPs including in-memory Python script execution, COM-based scheduled task persistence, and integrated reverse SSH tunneling that receives keys directly from the C2 server.
Recorded Future's Insikt Group evaluates Mexico's newly published 2025-2030 National Cybersecurity Plan, assessing it against the country's actual threat landscape from 2020-2026. Ransomware is the dominant threat with 223 documented incidents across 64 groups, while financial malware (Mispadu, Grandoreiro, Casabaneiro, Fenix botnet), state-sponsored espionage (TAG-141/FamousSparrow, TGR-STA-1030), hacktivism (Chronus Team, Guacamaya), and organized crime-linked money laundering via Chinese networks compound the risk. The 2026 FIFA World Cup will be an early operational test of Mexico's cyber resilience.
A widespread malware campaign is leveraging compromised WhatsApp accounts to distribute malicious VBScript files disguised as financial documents. The multi-stage infection chain abuses legitimate Windows utilities to download payloads, attempts to bypass UAC via registry modifications, and ultimately deploys a preconfigured ManageEngine Endpoint Central RMM agent to establish persistent remote access.
Trust Chains Broken at Scale While ClickFix Becomes a Service
This week, attackers stopped trying to kick down the front door and instead walked in through the trust chains that hold digital ecosystems together. North Korea's Sapphire Sleet compromised over 140 Mastra npm packages through a single typosquatted dependency, stealing cryptocurrency wallets and planting persistent backdoors on developer machines. The GlassWorm group trojanized Open VSX extensions with WebAssembly malware that uses the Solana blockchain as an unkillable command channel, while SmartApeSG hijacked the Okendo Reviews widget to serve malicious prompts on thousands of e-commerce sites. Even vendor integrations became a liability: the Klue breach exposed Recorded Future client data through a compromised OAuth token connecting a marketing tool to Salesforce.
Deception also became an industrial product. The ErrTraffic framework now operates as full Malware-as-a-Service, using blockchain smart contracts to hide its infrastructure and compromised WordPress sites to serve fake error prompts that trick users into running malicious commands. Attackers weaponized trusted AI platforms too—one campaign abused claude.ai's shared chat feature to deliver MacSync infostealer on macOS, while the shai_hulululud npm package uses prompt injection to blind AI-powered security scanners. On the infrastructure side, the FortiBleed campaign cracked credentials for over 73,000 FortiGate firewalls with a 45-GPU cluster, handing attackers valid keys to government and defense networks worldwide.
Defenders should immediately hunt for the easy-day-js dependency in their npm projects, reset credentials on any FortiGate firewall, enable Azure AD Graph Activity Logs to close a years-long reconnaissance visibility gap in Microsoft cloud environments, and audit OAuth tokens on all third-party vendor integrations.
ESET researchers analyzed the Gentlemen ransomware-as-a-service (RaaS) operation, highlighting their unique approach of providing an in-house developed EDR killer framework, GentleKiller, directly to affiliates. The framework leverages Bring Your Own Vulnerable Driver (BYOVD) techniques to terminate over 400 security processes and is augmented by third-party tools like HexKiller and HavocKiller, all standardized with a shared defense-evasion layer.
The ThreatLabz 2026 Phishing and Initial Access Report highlights a shift towards highly targeted, AI-enabled phishing campaigns against the public sector. Despite a 20% overall drop in phishing volume, attackers are increasingly utilizing AI site builders, encrypted delivery channels, and AiTM/BiTM techniques to bypass traditional MFA and secure initial access.
ThreatLabz identified a ClickFix campaign utilizing AI-generated typosquatting domains to impersonate Brazilian banks and deliver a PowerShell-based banking RAT dubbed SmartRAT. The malware establishes persistence via scheduled tasks or Windows services, communicates over a custom TCP protocol on port 51888, and features advanced capabilities including keylogging, fake banking overlays, and QR code interception for financial fraud.
This threat intelligence report highlights multiple critical vulnerabilities and active exploits, including a zero-day in Oracle PeopleSoft (CVE-2026-35273) exploited by ShinyHunters and an IKEv1 authentication bypass in Check Point VPNs (CVE-2026-50751) linked to Qilin ransomware. Additionally, the report details emerging AI-driven threats, a supply-chain compromise in the Arch User Repository deploying eBPF rootkits, and widespread patching efforts by Microsoft and Veeam.
The Zscaler ThreatLabz 2026 Phishing and Initial Access Report highlights a shift from high-volume phishing to highly targeted campaigns leveraging AI site builders and encrypted channels. Attackers are increasingly utilizing AiTM and BiTM techniques to bypass MFA, while conducting massive reconnaissance via cloud infrastructure to identify exposed entry points.
Threat actors are proactively targeting the 2026 FIFA World Cup ecosystem, employing mobile-first malware, QR-code phishing against event organizers, and real-time AiTM phishing kits to bypass MFA. The campaigns leverage AI-generated infrastructure and urgency-based lures to distribute Android cryptominers, Windows infostealers, and compromise corporate Google Workspace accounts.
Check Point Research uncovered a large-scale malware distribution ecosystem that uses search engine optimization and impersonated open-source project sites to drive traffic to a sophisticated Traffic Distribution System (TDS). The TDS employs click hijacking and strict gating to selectively deliver malware, including the SessionGate loader, RemusStealer, and AnimateClipper, while actively evading automated analysis through one-time key releases and file inflation.
A newly discovered malware campaign dubbed Argamal targets users downloading adult games, utilizing DLL sideloading and COM hijacking to deploy a sophisticated Remote Access Trojan (RAT). The malware establishes persistence by hijacking the Windows Color System Calibration Loader and grants attackers full system control, including surveillance, file exfiltration, and arbitrary command execution.
Session Hijacking and Developer Tool Poisoning Collapse Authentication Trust
This week, attackers proved that multi-factor authentication is no longer a reliable gatekeeper. Campaigns like Tycoon 2FA and Chinese-language PhaaS platforms intercept one-time passwords in real time and steal session tokens to maintain persistent access, while infostealers like EKZ Infostealer harvest browser cookies to bypass authentication entirely. Even when victims reset passwords and revoke sessions, attackers retain access through hidden device registrations — meaning standard incident response playbooks are now incomplete.
Developers remain the preferred entry point for supply chain compromise. The Glassworm botnet was disrupted after hiding malware in VSCode extensions and npm packages, while the Megalodon campaign poisoned GitHub Actions workflows across 5,500 repositories. A malicious Sicoob.Sdk NuGet package stole banking certificates from Brazilian developers, and North Korea's Lazarus group compromised the widely used axios npm library — a single attack touching millions of downstream applications.
Organizations must move beyond password-and-MFA reliance: adopt hardware security keys, shorten session lifetimes, delete attacker-registered devices before resetting credentials, and audit developer toolchains and CI/CD pipelines for tampering.
A malicious NuGet package named Sicoob.Sdk impersonated the official C# SDK for the Brazilian financial cooperative Sicoob. The package was designed to silently exfiltrate sensitive banking authentication material, including PFX certificates and passwords, as well as raw transaction data, to a third-party Sentry telemetry endpoint, posing a severe risk of API impersonation and financial data exposure.
Trend Micro MDR analyzed Banana RAT, a sophisticated banking trojan operated by SHADOW-WATER-063 targeting Brazilian financial institutions. The malware utilizes a server-side polymorphic build pipeline to deliver unique, AES-encrypted PowerShell payloads that execute filelessly in memory. Once active, it enables operator-driven fraud through remote input control, keylogging, deceptive banking overlays, and a specialized Pix QR code interception subsystem.
Kaspersky's Q1 2026 threat report highlights significant law enforcement actions against major ransomware operators, alongside the emergence of new ransomware groups like The Gentlemen. The quarter also saw active zero-day exploitation of Cisco Secure FMC (CVE-2026-20131) by the Interlock group, a rise in macOS-targeted crypto stealers and supply chain attacks via the Axios npm package, and persistent IoT botnet activity dominated by Mirai variants.
Infoblox Threat Intel uncovered a thriving underground economy on Telegram dedicated to unlocking stolen iPhones. Threat actors utilize specialized Windows binaries to extract device information and deploy targeted smishing campaigns via Apple lookalike domains to steal iCloud credentials, allowing them to bypass Activation Lock, wipe the device, and resell the hardware.
Kimsuky (APT43) has updated its arsenal with new PebbleDash and AppleSeed malware variants, including the Rust-based HelloDoor and httpMalice backdoors. The group is increasingly utilizing legitimate services like VSCode Remote Tunnels, Cloudflare Quick Tunnels, and DWAgent for covert C2 and post-exploitation access, primarily targeting South Korean entities and global defense sectors.
In Q1 2026, the ransomware ecosystem experienced significant consolidation, with top groups like Qilin, Akira, The Gentlemen, and LockBit 5.0 dominating the landscape. Notably, The Gentlemen leveraged a massive stockpile of pre-exploited FortiGate devices (CVE-2024-55591) to rapidly scale operations, while LockBit 5.0 returned with multi-platform capabilities and a strategic shift away from US targets to evade law enforcement.
Trend Micro identified two distinct threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, leveraging agentic AI to orchestrate attacks against Latin American government and financial institutions. The attackers utilized AI models like Anthropic's Claude to dynamically generate scripts, analyze configurations, and establish SOCKS5 tunnels for lateral movement, demonstrating a shift towards AI-assisted, signature-evasive intrusion operations.
In May 2026, threat actor SHADOW-AETHER-015 compromised Instructure's Canvas LMS backend, exposing sensitive data from 8,809 global educational institutions. The breach, likely facilitated via API exploitation or third-party integration compromise, exposed PII and private communications, creating significant risk for highly targeted follow-on spear-phishing and credential abuse campaigns.
Elastic Security Labs identified TCLBANKER, a new Brazilian banking trojan distributed via DLL sideloading that features robust anti-analysis mechanisms and environment-gated payload decryption. The malware deploys a full-featured banking trojan with a WPF-based social engineering overlay framework, alongside worm modules that self-propagate by hijacking WhatsApp Web sessions and Microsoft Outlook accounts.
Recorded Future analyzes the cyber and geopolitical risks associated with the US strategic pivot toward the Western Hemisphere. The shift, characterized by increased military intervention against transnational criminal organizations, presents three potential scenarios that elevate risks of state-sponsored espionage, industrialized cybercrime, and the proliferation of commercial spyware and surveillance infrastructure.
SHADOW-EARTH-053 is a China-aligned cyberespionage campaign exploiting legacy N-day vulnerabilities in Microsoft Exchange and IIS servers to target government and defense sectors primarily in Asia. The threat actors utilize GODZILLA web shells for persistence and deploy ShadowPad implants via DLL sideloading, sharing significant operational overlaps with another intrusion set tracked as SHADOW-EARTH-054.
A new phishing campaign targets Brazilian users with fake judicial summons to deliver agenteV2, a Nuitka-compiled interactive banking trojan. The malware establishes a persistent WebSocket backdoor for live screen streaming and remote shell access, enabling attackers to conduct real-time, operator-assisted financial fraud.
ESET researchers identified a new variant of the NGate Android malware that trojanizes the legitimate HandyPay application to facilitate NFC relay attacks and steal payment card PINs. Targeting users in Brazil through social engineering and fake app stores, the malware allows attackers to conduct unauthorized ATM cash-outs while requiring no suspicious device permissions.
In 2025, the Latin America and the Caribbean (LAC) region faced escalating cybercriminal activity driven by rapid digital adoption and economic instability. Threat actors heavily utilized Telegram and dark web forums to distribute ransomware, banking trojans, and infostealers, increasingly targeting the healthcare, manufacturing, and government sectors while adapting to law enforcement disruptions.