ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories

The Pwn2Own Berlin 2026 hacking contest has concluded, with security researchers collecting $1,298,250 in rewards after exploiting 47 zero-day flaws in various products from Windows, Linux, VMware, and NVIDIA. DEVCORE won the event with 50.5 Master of Pwn points and $505,000 in rewards throughout the three-day contest after hacking Microsoft SharePoint, Microsoft Exchange, Microsoft Edge, and Windows 11. STARLabs SG and Out Of Bounds followed with $242,500 (25 points) and $95,750 (12.75 points).

The U.K. National Cyber Security Centre (NCSC) has released new guidance for organizations to implement adequate security controls when rolling out agentic artificial intelligence (AI) tools in enterprise environments. “If an agent is over-privileged or poorly designed, a single failure can quickly become a serious incident,” NCSC said. “It is crucial, therefore, to think before you deploy.”

The Polish government is urging public officials and “entities within the National Cybersecurity System” to stop using Signal, instead directing them to use an encrypted messenger called mSzyfr developed by a leading Polish research organization, citing social engineering attacks orchestrated by advanced persistent threat (APT) groups. The development comes as multiple governments have warned of a rise in social engineering attacks, including efforts that involve threat actors impersonating Signal support, to take control of victims’ accounts.

The Dutch police said the identity of 74 of 100 suspects has been unmasked following the launch of an initiative called Game Over?! that displays blurred photos of 100 suspected fraudsters on billboards at various public places, as well as in television and online advertisements, giving the criminals two weeks to surrender before the images are unblurred. Of these, 34 suspects voluntarily reported to authorities, while the remaining suspects were identified through information provided by the public. The youngest suspect is only 14, and the oldest is 42 years old. Game Over?! was launched in March 2026.

U.S President Donald Trump said he and Chinese President Xi Jinping discussed cyber attacks and espionage activities carried out by both nations during the bilateral meetings last week. “They’re talking about the spying. Well, we do it too,” Trump said during his return flight to the U.S. “We spy like hell on them too,” adding “I told him, ‘we do a lot of stuff to you that you don’t know about and you’re doing things to us that we probably do know about.'” While Trump did not elaborate on the attacks carried out against China, the acknowledgement comes as China has been accused of conducting sweeping intrusions into U.S. networks.

The ransomware family known as Gunra has targeted five South Korean companies since it was first discovered in April 2025, S2W said. “When Gunra ransomware was first discovered, it utilized Conti-based ransomware,” the South Korean security vendor noted. “However, after transitioning to a RaaS (Ransomware-as-a-Service) model, the group developed and utilized its own ransomware.” As of March 2026, the group has claimed 32 victims.

Composer, a dependency manager for the PHP programming language, has urged its users to update Composer to version 2.9.8 or 2.2.28 (LTS). “The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions issued GITHUB_TOKEN’s or GitHub App installation tokens to the GitHub Actions logs,” Composer said. The vulnerability has been assigned the CVE identifier CVE-2026-45793 (CVSS score: 7.5). The development came after GitHub introduced a new format for these tokens as of late last month. “The new format, including a – (hyphen) fails Composer’s validation and leads to disclosure of the GITHUB_TOKEN in logs,” Composer said. As workarounds, it’s advised to disable any GitHub Actions workflow that runs Composer commands until Composer has been updated.

In July 2022, cybersecurity firm Intezer detailed a Linux malware named OrBit that implements advanced evasion techniques, gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. Nearly four years later, several new artifacts of the userland rootkit have been identified, indicating that the malware is being actively refined and maintained by its operators. “We discovered two parallel lineages: a full-featured ‘Lineage A’ build that tracks closely with the 2022 original, and a lite ‘Lineage B’ fork that drops entire capability domains (PAM, pcap, TCP-port hiding) in exchange for a smaller footprint,” researcher Nicole Fishbein said. “Along the way, the operators rotate XOR keys, shuffle install paths, swap backdoor credentials, add auditd-evasion hooks, and eventually bolt on a service-side PAM impersonation primitive.” OrBit has been put to use by Blockade Spider, a cybercrime group running Embargo ransomware campaigns. It’s assessed that OrBit is a fork of an open-source rootkit called Medusa, which first publicly surfaced in December 2022. “Based on this information, there are two options: either the Medusa author published a privately-circulated rootkit source that had already been deployed operationally, or the earliest OrBit sample was built from a pre-publication snapshot of the same tree,” Intezer said. “Either way, the 2022 OrBit sample and the December 2022 Medusa source tree are the same codebase. This suggests that the backdoor was created before its public release and has since been selectively forked, configured, and redeployed by multiple operators over four years.”

Two emerging campaigns, dubbed SHADOW-AETHER-040 and SHADOW-AETHER-064, have independently deployed agentic AI with “strikingly similar tactics” to facilitate intrusion operations against governments and financial organizations in Latin America. “Both campaigns established traffic tunnels to victim systems, enabling AI agents to conduct malicious attacks directly into victim internal network environments via ProxyChains and SSH,” Trend Micro said. “The AI agents dynamically generated multiple hacking tools and scripts, rather than relying on pre-built hacking tools. This reduced the likelihood of detection by traditional security solutions that rely on known tool signatures.” The two activity clusters are said to be the work of separate entities. The attackers bypassed AI safety controls by framing their requests as authorized penetration testing and red teaming exercises. Undertaken by a Spanish-speaking threat actor, SHADOW-AETHER-040 has compromised six government entities in Mexico between December 27, 2025, and January 4, 2026. This activity is consistent with Gambit Security’s report about large-scale compromise of multiple Mexican government organizations between December 2025 and February 2026 by an unknown adversary using Anthropic’s Claude and OpenAI’s GPT AI models to carry out the intrusion activities. According to Dragos, which is tracking the activity as TAT26-12, one of these attacks targeted a municipal water and drainage utility in January 2026, leading to an unsuccessful attempt to breach its operational technology environment. “Claude acted as the primary technical executor and independently identified the OT environment’s relevance to critical infrastructure, assessed its potential as a crown jewel asset, and investigated possible access pathways to breach the IT-OT boundary,” Dragos said. The second campaign, linked to a Portuguese-speaking hacking crew named SHADOW-AETHER-064, has been active since April and has singled out financial organizations in Brazil. The findings show how commercial AI tools are compressing the traditional attack kill chain, accelerating tasks like reconnaissance and exploit development that historically required significant time and operator expertise. Like in the case of VoidLink, while the tools assembled for these attacks may not be particularly sophisticated or novel, the speed at which AI models generate and improve upon them is operationally significant, essentially collapsing what would have taken days or weeks of manual development effort into hours.

According to the Wall Street Journal, Anthropic has begun letting users of its Mythos AI model share cybersecurity threats with others who may face similar vulnerabilities. “Last week, Anthropic began telling the companies they could share information about cyber threats and Mythos findings with other entities as long as it was done responsibly,” a spokesperson for the company was quoted as saying. “As the program has matured, we’ve adapted them to ensure key information can be shared broadly – including outside the program – for maximum defensive impact.” The development comes as Cloudflare said Mythos is a “real step forward” and is capable of chaining “small attack primitives together into a working exploit.” It’s also equipped to find vulnerabilities and prove they are exploitable. The web infrastructure and security company also said it has designed a multi-stage vulnerability discovery harness to scan codebases across “runtime, edge data path, protocol stack, control plane, and the open-source projects we depend on.” Just like Microsoft’s MDASH, different agents handle different responsibilities: “hunter” agents identify candidate vulnerabilities, others argue for or against their exploitability, while a deduplication stage collapses findings that share the same root cause. A tracer agent checks whether attacker-controlled input actually reaches the bug from outside the system, while a final “reporting” agent writes a structured report.

Discord has announced that all voice and video calls through the communication platform are now protected by default with end-to-end encryption (E2EE). The solution is powered by the DAVE protocol. “The DAVE protocol is open, and the implementation is open-source,” Discord said. “As of early March 2026, every voice and video call on Discord, whether in DMs, group DMs, voice channels, or Go Live streams, is end-to-end encrypted by default.” Discord said there are no plans to extend it to text messages. “Many of the features people use on Discord were built on the assumption that text isn’t end-to-end encrypted, and rebuilding them to work with encryption is a meaningful engineering challenge,” it added.

Microsoft has shed light on a “methodical, sophisticated, and multi-layered attack” orchestrated by Storm-2949 with an aim to exfiltrate sensitive data from an unnamed organization’s high-value assets. The attack, which is notable for abusing Microsoft’s Self-Service Password Reset (SSPR) process to trick the target into completing multi-factor authentication (MFA) prompts, led to the exfiltration of data from Microsoft 365 applications, file-hosting services, and Azure-hosted production environments. The social engineering attack targeted IT personnel and senior leadership so as to compromise their identities for post-compromise actions. The attacker is also said to have conducted discovery activities, installed ScreenConnect, and attempted to disable Microsoft Defender Antivirus protections. “Storm-2949 didn’t rely on traditional malware and other on-premises tactics, techniques, and procedures (TTPs),” Microsoft said. “Instead, they leveraged legitimate cloud and Azure management features to gain control-plane and data-plane access, which they then used to execute code remotely on VMs, and access sensitive cloud resources such as Key Vaults and storage accounts, among others. These activities allowed them to move laterally across cloud and endpoint environments while blending into expected administrative behavior.”

Apple said its App Store stopped over $2.2 billion in potentially fraudulent transactions and rejected over 2 million problematic app submissions in 2025. “Last year, Apple’s systems also successfully rejected 1.1 billion fraudulent customer account creations – blocking bad actors at the outset – and deactivated an additional 40.4 million customer accounts for fraud and abuse,” Apple said. “In 2025, Apple terminated 193,000 developer accounts over fraud concerns and rejected more than 138,000 developer enrollments. To further protect users from harmful software, Apple in 2025 detected and blocked 28,000 illegitimate apps on pirate storefronts, which include malware, pornography apps, gambling apps, and pirated versions of legitimate apps from the App Store.” Apple also rejected over 22,000 submissions for containing hidden or undocumented features and more than 443,000 submissions for privacy violations. In the last month alone, the iPhone maker said it prevented 2.9 million attempts to install or launch apps distributed illicitly outside the App Store or approved alternative app marketplaces.

Two U.S. nationals, CEO Adam Young, 42, of Miami, and Harrison Gevirtz, 33, of Las Vegas, have pleaded guilty to running a business that provided services to customers engaged in widespread telemarketing and tech-support fraud schemes targeting victims across the country. The services, which included telephone numbers, call routing services, call tracking, and call forwarding services, were offered to customers who engaged in tech-support fraud schemes. They are scheduled to be sentenced on June 16, 2026. The investigation also led to the conviction of five India-based telemarketing fraudsters and a former employee of their call routing company (Sahil Narang, Chirag Sachdeva, Abrar Anjum, Manish Kumar, and Jagmeet Singh Virk) for targeting and defrauding Americans. “Call centers based in India utilized Young and Gervitz’s business to route their ‘tech fraud’ scheme calls and, in some instances, advised those fraudsters on methods intended to reduce complaints and prevent account terminations,” the U.S. Justice Department said. The schemes used deceptive pop-up messages to falsely convince users that their computers had been infected with viruses or malware, urging them to contact a number to address the issue. In reality, the numbers connected the victims to call centers, where they were duped into paying hundreds of dollars for unnecessary or fictitious technical-support services. In some instances, the call center agents gained remote access to victims’ computers and obtained personal and financial information.

HP has released fixes for CVE-2026-8631 (CVSS score: 9.3), a critical heap-based buffer overflow vulnerability in HPLIP that could allow escalation of privileges and/or arbitrary code execution. “Because HPLIP is deeply integrated into the standard Linux printing architecture (CUPS), this flaw exposes millions of Linux endpoints and enterprise print servers,” security researcher Mohamed Lemine Ahmed Jidou, who discovered the flaw, told The Hacker News. “An unauthenticated attacker over the network – or a low-privileged local user – can silently exploit this by simply submitting a maliciously crafted print job. Successful exploitation grants the attacker arbitrary command execution on the host machine. This allows for immediate system compromise, unauthorized access to sensitive documents passing through the print spooler, and provides a stealthy foothold for lateral movement across corporate networks.”

AhnLab is warning of a new Telegram-oriented smishing campaign that’s designed to take control of victims’ accounts and steal account information using SMS messages that claim to be about non-existent security issues. “Threat actors hijack Telegram accounts by tricking users into entering their phone numbers and login codes on phishing sites,” AhnLab said. “Once an account is compromised, it can lead to personal information and chats being leaked, as well as secondary damage.”

A new sophisticated Android malware campaign dubbed Premium Deception has been observed conducting carrier billing fraud through premium SMS abuse across Malaysia, Thailand, Romania, and Croatia between March 2025 and January 2026. The activity involves more than 250 malicious applications that selectively target users based on their mobile operator, stealthily subscribing users to premium services without their knowledge or consent. Device metadata and subscription confirmations are sent to the operators via a Telegram-based exfiltration channel. “When deployed on devices with non-targeted operators, the malware employs a fallback mechanism to display benign content, thereby evading detection and maintaining persistence,” Zimperium zLabs said. Three distinct malware variants have been identified, each with varying levels of sophistication. There is no evidence that these apps were circulated via the Google Play Store. Instead, the scheme relies on social media platforms like Facebook and TikTok for distribution.

A new Brazilian banking trojan dubbed Banana RAT has become the latest malware to target financial institutions in the region. Unlike other Latin American banking malware that are typically written in Delphi, Banana RAT is a PowerShell-only client orchestrated by a Python (FastAPI) server-side polymorphism engine. Once active, it enables operator-driven fraud through remote input control, keylogging, clipboard monitoring, screen streaming, fake overlays, and Pix QR code interception targeting Brazilian banks. It also monitors foreground window titles and serves a bogus credential harvesting overlay when a victim opens a website that matches a target list of more than 30 bank and cryptocurrency exchanges. Trend Micro, which is tracking the activity under the moniker SHADOW-WATER-063, said the design diverges “meaningfully” from the Delphi binary architecture historically associated with the banking malware ecosystem comprising Grandoreiro, Mekotio, Casbaneiro, Guildma, and CHAVECLOAK. “The Brazilian cybercrime cartels are very sophisticated and organized, and they have been a bane to the financial sector since 2000,” Tom Kellermann, TrendAI’s vice president of AI Security and Threat Research, said. “The RATs and rootkits they develop are on par with those we have seen from Russia. Insufficient attention is being paid to cybercrime in LATAM, and the financial sector has good reason to be concerned as something wicked comes this way.”

A malicious Go module published as github.com/shopsprint/decimal has been flagged as a typosquat of the widely used github.com/shopspring/decimal arbitrary precision arithmetic library. It was first published in November 2017 and was weaponized in August 2023 when version v1.3.3 added a malicious functionality that “opens a DNS TXT record command-and-control channel to a threat actor-controlled subdomain on a free dynamic DNS provider,” per Socket. Although the GitHub repository and the shopsprint owner account have since been removed, the library continues to be served by proxy.golang[.]org. The payload “polls net.LookupTXT(“dnslog-cdn-images.freemyip.com”) every five minutes, and sleeps on DNS failure without logging or signaling an error,” researcher Kush Pandya said. “Each returned TXT value is passed directly to os/exec.Command and executed.”

The npm package art-template, a JavaScript template engine with about 26,000 weekly downloads, has been compromised through a maintainer account takeover to push malicious versions (from 4.13.3 through 4.13.6) designed to load external JavaScript from third-party domains. “Unauthorized code in template-web.js injects external <script> tags into any page using the browser bundle,” SafeDep said. “The external domain (v3.jiathis[.]com) serves a multi-stage payload when the request includes a Referer header. The payload injects Baidu Analytics tracking on all visitors and targets iPhone users with a hidden iframe chain leading to an obfuscated JavaScript payload. The final payload is the Coruna exploit kit.”

A malicious game distributed through Steam has been removed from Valve after it was observed profiling players’ systems and communicating with external infrastructure that allows it to deploy secondary payloads. The game, titled Beyond The Dark, masqueraded as a free indie horror title on Steam. The discovery was documented by YouTuber Eric Parker.

The exploitation of a zero-day vulnerability in Huawei enterprise router software led to a nationwide telecom outage in Luxembourg on July 23, 2025, The Record reported this week. The incident disrupted mobile, landline, and emergency communications for more than three hours. The attack is said to have caused Huawei enterprise routers to enter into a continuous restart loop, crashing parts of POST Luxembourg’s infrastructure. There are currently no details about the vulnerability, and it remains unclear if the issue was patched by Huawei.

The U.S. Federal Bureau of Investigation (FBI) has revealed that Americans have lost over $388 million last year to scams using cryptocurrency kiosks (aka crypto ATMs or Bitcoin ATMs). “Cryptocurrency kiosks are ATM-like devices or electronic terminals that allow users to exchange cash and cryptocurrency,” the FBI said. “Criminals may direct victims to send funds via cryptocurrency kiosks.” The development comes as CertiK noted that physical coercion attacks (aka wrench attacks) on cryptocurrency holders rose 75% year-over-year to 72 confirmed cases worldwide and $41 million in known losses in 2025, up 44% from 2024. This year alone, 34 verified incidents have been recorded internationally, compared to 24 over the same period in 2025.

Operational technology security company Nozomi Networks said it detected 29 events between July 2025 and January 2026 that “conclusively identified as Sandworm activity.” Based on data collected from customer and partner engagements, honey research, and telemetry, the activity follows a bureaucratic execution model, “peaking midweek and during post-lunch business hours, with Wednesday at approximately 2:00 PM Moscow time showing the highest alert volume.” Across the dataset, 17 Sandworm-infected machines were identified across the 10 customers. These systems conducted lateral movement against 923 unique internal targets. “Despite widespread awareness and patch availability, Sandworm continues to rely on older but proven exploit chains, including EternalBlue, DoublePulsar, and WannaCry,” Nozomi Networks said. “Perhaps the most critical finding: every single Sandworm-infected system produced 20 to 155 days of warning alerts prior to Sandworm activity.”

A new phishing campaign has been observed using invoice-themed lures to distribute malicious archives to trigger the execution of JavaScript code, which employs environment variables to hide malicious commands and uses a steganographic loader dubbed PawsRunner to deploy the PureLogs infostealer malware. “The embedded JavaScript uses a sophisticated technique to store decoded malicious commands in environment variables, which then triggers a decrypted steganographic .NET loader,” Fortinet said. “This loader retrieves the final payload by extracting encrypted data hidden within a cat image. This version of PureLogs uses extensive async/await patterns to improve task efficiency and complicate analysis.” A similar campaign was detailed by Swiss Post Cybersecurity in January 2026.

The notorious B1ack’s Stash dark web carding marketplace has announced the free download of 4.6 million stolen credit card records. According to SOCRadar, the released data includes full card numbers, expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses. Of these, 4.3 million records appear to be new and usable for illicit activities. Most of the records belong to victims from the U.S., Canada, the U.K., France, and Malaysia.

A new web-based scareware kit called CypherLoc is capable of combining “advanced evasion, aggressive browser controls, and psychological manipulation” to drive victims into calling fraudulent tech support phone numbers. Barracuda Networks said it has observed around 2.8 million attacks featuring the kit since the start of 2026. “The attack usually starts with a phishing email that directs the victim to a malicious web page through a link that is either embedded in the email body or in an attachment,” Barracuda said. “The web page initially appears harmless but gradually transitions into a fully controlled scareware environment. The trigger for this transition is hidden in the web page and will only decrypt if certain conditions are met.” The end result is a full-screen scareware interface that locks the browser and displays fake security messages that urge victims to contact support immediately.

New research has demonstrated that “publicly available social-media data and generative AI (GenAI) can be misused to automate and scale highly personalized, context-aware spear-phishing campaigns.” Researchers from the University of Texas at Arlington and Louisiana State University, Baton Rouge, said a “small amount of public activity per target” is enough for AI models to extract interests and contextual cues that could be exploited to carry out persuasive phishing campaigns that mirror a target’s style. The findings show that bad actors do not have to rely on stolen databases or extensive reconnaissance to carry out targeted phishing campaigns.

Bitdefender haș disclosed that attackers are continuing to exploit Microsoft HTML Application Host (MSHTA), a legacy utility available by default on Windows systems, for malware campaigns. “MSHTA remains a widely abused Living-off-the-Land binary (LOLBIN) despite being a legacy utility,” Bitdefender said. “Attackers use it across multiple malware categories, from commodity stealers to advanced threats. Campaigns frequently rely on multi-stage, fileless execution chains involving PowerShell and HTA scripts.” MSHTA has been abused in delivery chains for commodity stealers such as Lumma Stealer and Amatera, loaders such as CountLoader and Emmenhtal Loader (aka PEAKLIGHT), clipper malware, and more advanced threats like Purple Fox.

A contractor for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintained credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems exposed on a public GitHub repository (ironically named “Private-CISA”) since November 2025. The repository was discovered by GitGuardian on May 14, 2026. It harbored 844 MB of plain-text passwords, AWS tokens, and Entra ID SAML certificates belonging to the agency. The repository has since been pulled offline following responsible disclosure. There is no evidence that any sensitive data was compromised as a result of this incident.

Palo Alto Networks Unit 42 said it has identified 4,000 samples across 100 unique variants associated with a threat known as TamperedChef (aka EvilAI), which involves using trojanized versions of productivity software to deliver malicious payloads using malicious ads that direct users to sites hosting the applications. “TamperedChef-style malware samples share characteristics with potentially unwanted programs (PUPs) and adware,” Unit 42 said. “These include robust mechanisms to remain persistent, and end-user licensing agreements (EULAs) that attempt to legally cover the software’s questionable actions. However, TamperedChef-style malware is far more stealthy than PUPs or adware, remaining dormant for weeks to months before activating. This includes continuous command and control (C2) methods enabling adversaries to retrieve additional payloads, such as information stealers, proxy tooling or remote access Trojans (RATs).” The activity has been attributed to three distinct clusters distributing malicious apps since early 2023: CL-CRI-1089 (Calendaromatic, DocuFlex, and AppSuite PDF), CL-UNK-1090 (CrystalPDF, Easy2Convert, and PDF-Ezy), and CL-UNK-1110 (JustAskJacky, GoCookMate, RocketPDFPro, ManualReaderPro). While CL-CRI-1089 appears to target credentials and deploy adware and proxy-style payloads, the motivations of the other two clusters are unknown.