Authorities in Poland have arrested four members of an organized cybercrime group accused of breaching telecommunications partners and hijacking email accounts to carry out SIM-swapping attacks. [...]

Threat actors are increasingly abusing Shop, the order-tracking app from Shopify, by adding fake purchase receipts in users' order histories to trick them into providing sensitive data or installing remote access software. [...]

Microsoft has quietly extended its free Windows 10 Extended Security Updates (ESU) program for consumers by an additional year, allowing enrolled devices to continue receiving security updates until October 12, 2027. [...]

A newly discovered macOS malware dubbed "Gaslight" is designed to confuse AI-assisted malware analysis tools by hiding prompt injection strings and fake debugging data within the executable. [...]

A major sports piracy ring linked to the illegal PirloTV streaming platform has been disrupted in an action that targeted 44 domains. [...]

The Bluekit phishing-as-a-service platform continues to evolve with nearly 70 new hostnames identified over the past week and by adding browser-in-the-middle capabilities for improved data theft. [...]

Fraudsters don't attack just one transaction. They target accounts, platforms, and entire ecosystems. IPQS explains the four elevations of fraud prevention and why broader visibility improves fraud detection. [...]

Account takeover attacks continue to challenge security teams because attackers often operate through legitimate accounts and trusted services. This webinar explores how behavioral AI can help organizations identify compromised accounts faster and automate response workflows. [...]

• ExtraHop’s Global Threat Landscape Report shows 49% of ransomware victims only detected attacks after data theft, up from 31% last year
• Average dwell time before detection is 2.5 weeks; attackers exploit encrypted channels, valid accounts, and alert fatigue to evade defenses
• Ransom payments fell from $3.6M to $2.8M, but payment frequency rose sharply, with 83% of surveyed victims paying in 2026 vs. 70% in 2025

Criminals are getting better at hiding within their victims’ infrastructure, lurking and stealing files without triggering any alarms whatsoever.

Earlier today, network detection and response experts ExtraHop released the “Global Threat Landscape Report”, based on a survey of more than 1,800 IT and security leaders worldwide. In it, it is said that roughly half (49%) of organizations that were struck by ransomware did not detect the threat until after the data was stolen.

This is up from 31% a year ago, ExtraHop stressed, showing the improvement criminals made within just 12 months.

Several factors

On average, cybercriminals have 2.5 weeks of quiet time before being spotted in ransomware incidents, the report stated. Furthermore, 14% of victims were unaware of an attack until receiving a ransom demand, which is also up from 6% a year ago.

“Prolonged dwell times often parallel a highly complex threat environment where critical alerts are obscured,” ExtraHop said in a press release shared with TechRadar Pro. The researchers uncovered several factors that led to delays in investigating critical alerts, including attackers using encrypted channels (41%), attacker activity mirroring legitimate workflows and processes (38%), using valid, high-privilege account permissions (34%), and alert fatigue (30%). Undermined baseline behavior also enabled anomalous actions to fly under the radar (27%).

The good news is that the average ransom payment dropped year-on-year, from $3.6 million down to $2.8 million. However, the bad news is that the payment frequency spiked. While in 2025 70% of respondents paid a ransom, this year 83% have done the same, at least among ExtraHop’s respondents.

When Chainalysis ran a similar survey recently, it said that in 2025 the number of successful ransomware attacks grew, while the number of payments remained relatively flat, meaning that in absolute numbers - there were fewer companies paying ransomware attackers.

The Federal Communications Commission approved new rules Thursday that boost cybersecurity regulations for the nation’s emergency alert systems and update security rules for the nation’s undersea cables.

The new rule would overhaul two national emergency systems, the Emergency Alert System and Wireless Emergency Alerts, to better protect against hijacking attacks from malicious actors.

The EAS is a national public warning system that state and local authorities use to disseminate information related to weather events, AMBER alerts and other emergencies via radio and television broadcasting stations. The WEA handles much of the same messaging via text.

A compromise of either system by a foreign government, cybercriminal group or other rogue actor could be used to sow chaos and disinformation in calmer times, or impede coordination efforts in the face of a genuine emergency. Any vulnerability in systems like the Emergency Alert System “can have serious consequences,” said FCC Commissioner Olivia Trusty in a statement after the vote.

“That is why it has been appropriate for the Commission to conduct a comprehensive review of the EAS framework by focusing on the security of the system itself,” Trusty continued. “As cybersecurity threats continue to evolve, EAS participants must take appropriate steps to safeguard the infrastructure that supports the delivery of life-saving alerts.”

The new rules amount to basic – but still critical – cyber hygiene practices for users accessing and updating the EAS and WEA systems. They must use strong passwords, quickly install security patches from vendors and use firewalls to limit access to their equipment.

The rule also creates a new authentication ID system to verify alerts before they’re submitted and avoid duplicate or unauthorized alerts from spreading.

Another rule passed by the Commission Thursday provided the first comprehensive update to the FCC’s submarine cable regulations in decades, and moves to tighten cybersecurity requirements in some areas while loosening them in others.

It exempts some undersea cable providers from submitting to stringent national security licensing reviews needed to land and operate cables that touch U.S. territory.

The review, called “Team Telecom,” is an interagency body led by the Department of Justice’s Foreign Investment Review Section and other federal agencies that advise the FCC on the national security implications of their telecom policies.

The new rules would presumptively exempt applications for undersea cable licensees when the provider can self-certify to “high security standards” that are “structured to increase certainty, predictability, and faster timelines for the licensing process.”

“Currently, all submarine cable applications get referred to Team Telecom…the changes adopted would exempt applications from applicants that have operated cables without incident, can certify to the highest national security standards, and agree to ongoing oversight and monitoring,” the FCC said in a release.

Other parts of the rule give the FCC greater oversight of critical functions within undersea cable operations. Owners and operators of submarine line terminal equipment, who connect submarine cables to land-based facilities in the U.S., will be subject to a new licensing requirement.

The rule also moves to update safeguards meant to address vulnerabilities related to principal equipment, third-party service providers, and other areas of concern in the undersea cable supply chain.

The post FCC passes new cybersecurity rules for emergency systems, undersea cables appeared first on CyberScoop.

A federal judge in Massachusetts struck down major sections of a Trump administration executive order  that would have restricted mail-in ballots through the U.S. Postal Service and required states to adopt federally approved voter lists.

The ruling Thursday from Judge Indira Talwani of the U.S. District Court of Massachusetts found those parts of the order were unconstitutional, while declaring another section that directs federal law enforcement agencies to investigate and prosecute noncompliant state and local officials legally nonbinding.

Talwani wrote that the U.S. Constitution empowers States and Congress in different roles but “does not grant the President any specific power over elections.”

While the White House has cited the 2002 Help America Vote Act (HAVA) and Civil Rights-era voting laws as justification, Talwani found those laws do not authorize the government to regulate state voter registration practices.

“Notably, nowhere in HAVA does Congress prescribe who should be included on State voter lists,” Talwani wrote. “Further, neither in HAVA nor any other federal statute does Congress authorize the federal government to create their own voting database. Instead, Congress, consistent with the Constitution, has left that authority to the States alone.”

Talwani also declined to remove President Trump and Commerce Secretary Howard Lutnick as named defendants in the suit, rejecting the administration’s argument that the court could not regulate or intrude upon the president’s’ constitutional authority “in the performance of his official duties.”

“Contrary to Defendants assertion, Presidential action is not inherently unreviewable,” Talwani wrote.

The order, issued in March, instructs the Homeland Security secretary, the director of U.S. Citizenship and Immigrations Services and the commissioner of the Social Security Administration to compile lists of American voters for each state, including their supposed citizenship status.

To build the lists, the agencies would rely on the controversial Systemic Alien Verification for Entitlements (SAVE) database that DHS has been building under the Trump administration, as well as Social Security and federal citizenship and naturalization records.

Those lists would then be sent to states, most of which have already refused similar Trump administration efforts to control voter registration.. The order instructs the Department of Justice to investigate  and prosecute  state and local election officials who issue  ballots to ineligible voters. 

The order also requires mail-in ballots to be sent in special barcoded envelopes for tracking. Crucially, it demands states provide lists of voters eligible for mail-in voting, and threatens to deny ballots to states that refuse. It also claims the attorney general is entitled to withhold federal funding from noncompliant states.

Talwani found that states have shown they already have a rigorous voter registration and verification process to ensure non-citizens and other ineligible voters aren’t able to vote in U.S. elections, and have laws in place to investigate and prosecute those who do.

Executive branch lawyers argued the order was merely an internal federal directive that does not impedestate authorities. But Talwani noted that states like Connecticut were already pulling staff from critical activities, such as translating election materials required under the Voting Rights Act, to develop compliance plans for the order.

Nearly half of the states in the lawsuit have already purchased mail-in ballots for this election cycle that are out of compliance with the Postal Service’s envelope and design standards.

Despite a string of losses in the courts and Congress, the White House has continued to assert broad authority over the way states and localities administer elections.

The Department of Justice has sued dozens of states to force them to hand over sensitive voter data. In the 10 cases decided so far, states have won every one.

In their opinions, judges cited the executive branch’s lack of inherent authority to create state voter lists. Others accused the DOJ of misusing Civil Rights-era laws designed to protect Black and minority voters,  creating an “unreliable” database that would disenfranchise  legitimate voters.

The Massachusetts ruling comes to the same conclusion, with Talwani writing “it is clear that the federal agencies charged with compiling Confirmed Citizen Lists lack the ability to create complete and accurate lists of the U.S. citizens residing in every State.”

On Wednesday, Trump canceled a signing ceremony for a bipartisan housing bill in an attempt to pressure  congressional Republicans to pass the SAVE America Act, which would implement many of the same changes to U.S. elections. In a Truth Social post, Trump said he considered passage of the bill to be a “National Emergency.”

The post Federal court rules Trump election-focused executive order illegal appeared first on CyberScoop.

ON CALL Supporting IT and keeping it secure is a serious endeavor. Which is why The Register lightens up Friday mornings with a fresh installment of On Call, the reader-contributed column that shares your tales of tech support trauma. This week, meet a reader we'll Regomize as "Colin" who told us about a recent gig at a customer that decided to improve the security of its Microsoft 365 implementation – chasing the Secure Score that Redmond uses to rate resilience. "We spent a good amount of time working with the customer and agreed a rollout plan to ensure multi-factor authentication (MFA) was enabled across the board in accordance with a security baseline." Colin and his crew knew what to do, so when they flicked the switch on various upgrades, all went smoothly. Until it didn't. "The following morning, one of the senior directors of the company – who was allegedly the COO of a cybersecurity company – called our service desk and started yelling." Amid the yelling and accusations, Colin and his colleagues picked out an allegation that the company had been brought to its knees by the need to register for MFA, which had crippled an invoicing system and would surely result in ruin within a disastrously short time frame. "Once she allowed us to speak, it turned out that the problem only impacted three or four phones," Colin wrote. The support team investigated and quickly learned the real problem was with the invoicing software, which promised MFA support but relied on buggy software to make it happen. The director didn't care for that explanation and ordered an instant rollback that we understand remains in place. Colin found it stunning that the former COO of a security company wasn't willing to wait for a workaround, so delivered the desired result: no MFA, and worse security. He told us this client often made nonsensical requests, such as demanding that a particular engineer – who cannot drive – visit a remote site ASAP to fix a printer. On another occasion, the same person claimed Colin's work on M365 caused a power outage! Have you ever been told to make IT worse? If so, click here to send On Call an email so we can make the column better on a future Friday. ®

Chinese cybersecurity vendor Qihoo 360 claims it’s built an AI bug-finder that’s better than Anthropic’s Mythos model. CEO Zhou Hongyi revealed the model in a speech at the 14th Beijing Cybersecurity Conference, which Qihoo 360 organizes. Chinese media outlets have transcribed the talk, in which Zhou described Mythos as “equivalent to a ‘cyber nuclear weapon’,” because the USA’s ban on foreign nationals accessing the model gives America a tool with which to find flaws in software upon which other nations rely. Zhou thinks China needs equivalent capabilities as a deterrent, but suggested replicating Mythos is not a viable approach. “Mythos follows a typical large-scale model approach: the strongest model, the strongest computing power, and the strongest chips – a strategy of sheer brute force,” he said. “However, this path has an implicit prerequisite: your model capabilities must be sufficiently strong. Objectively speaking, domestically developed models still lag behind by 20 percent to 30 percent in underlying capabilities.” The CEO therefore thinks China can’t wait for its own models to catch up and needs to find another way to build Mythos-grade bug-finders. Helpfully, Qihoo 360 has found those alternative methods by distilling its 20 years of experience fighting cyber-threats and colossal malware library into security-specific models and agents. The company has put that to work in what Zhou described as a “multi-agent swarm.” “If the American approach is about cultivating a genius hacker, the 360 approach is about organizing a professional attack and defense team,” he said. “When faced with a target, the swarm doesn't perform single-point analysis, but rather collaborates: first, it models the threat and filters high-risk attack surfaces; then, it follows the data flow across files to discover potential vulnerabilities.” The company’s agents apparently “automatically build sandbox environments, automatically generate exploit code, and conduct real-world testing. The result is that every vulnerability is ‘confirmed’ rather than just suspected. After completing a task, the swarm also summarizes and reviews its performance, becoming smarter with each use. This is something a single large model can hardly do.” Qihoo calls this approach “Tulongfeng” and says it’s already finding flaws in open-source and commercial software. “We automatically discovered a Windows kernel privilege escalation vulnerability that had been dormant for five years, an Office remote code execution vulnerability that had been dormant for eight years, and an Excel vulnerability that had been dormant for 10 years, earning official recognition from Microsoft,” Zhou boasted. The CEO said the tool found plenty of flaws in OpenClaw – a feat that human researchers have also achieved. Zhou said Qihoo 360 has created another AI-powered security tool called “Yitianzhen” that automatically simulates potential attacks against an organization’s cyber-defenses, then suggests and/or implements remediations. The company has created an alliance of local cybersecurity companies to use it and create a bulwark against Project Glasswing – the group of entities Anthropic allows to use Mythos under controlled conditions. US authorities have sanctioned Qihoo 360 on grounds that it probably supplies China’s military. China's National Computer Virus Emergency Response Center (CVERC) often cites and publicizes the company’s research, sometimes in its documents that allege the US hacks itself to make China look bad. ®

A new self-destructing backdoor called Mistic used in intrusions since April appears to be linked to a criminal gang that compromises corporate networks and then sells that access to ransomware groups, according to security researchers. This backdoor, also tracked as MLTBackdoor, was first documented by Zscaler earlier this month, with the security shop suggesting the novel malware is “likely used in ransomware attacks to establish a foothold for lateral movement.” In a Wednesday threat brief, Symantec and Carbon Black threat hunters say the backdoor has been used to access multiple organizations' networks over the past few months, including those in insurance, education, IT, and professional services. Additionally, the security sleuths reported, “Mistic may be linked to the financially motivated initial access broker (IAB) tracked publicly as KongTuke (which we track as Woodgnat) and it was used in one intrusion that also involved the group's ModeloRAT remote access trojan.” KongTuke and other IABs don’t deliver the final payload – such as ransomware – to compromised companies. Rather, they break into company systems, and then sell that foothold to other criminals, like ransomware gangs. Symantec and Carbon Black arrived at their low-confidence attribution after at least one case where Mistic was deployed in close proximity to ModeloRAT, the Python-based remote access trojan KongTuke also developed. KongTuke has previously been linked to attacks from various ransomware crews including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. “Our Threat Hunter Team has separately observed ModeloRAT used in attacks that deployed Qilin ransomware, linking this tool to ransomware deployment,” Symantec and Carbon Black noted. Plus, Zscaler reported Mistic being delivered in a multi-stage ClickFix infection chain, which is another pointer to KongTuke, as the group is known to use that initial access technique. In one case that Symantec and Carbon Black responded to, Mistic was side-loaded through a legitimate file, MpExtMs.exe, and then loaded from a DLL named EndpointDlp.dll, which likely helped the backdoor blend in with legitimate software. Mistic has all the usual backdoor functionality: It can upload, download, move, rename, and delete files. It can also create new folders, and check for additional commands from the attacker-controlled command-and-control (C2) server. But here’s the stealthy part: it can run remote payloads from C2 directly in memory – so it doesn’t write malicious files to the hard drive – which helps it dodge file-based detection in antivirus and endpoint detection products. When the mission is accomplished, it then terminates and deletes itself. “The fact that Mistic executes in memory and also has a kill switch built in means that it is very stealthy, potentially allowing for long-term, stealthy access for attackers,” the threat hunters wrote. ®

The guidance aims to establish product cybersecurity requirements for IoT devices integrated into federal agencies’ networks.

The post NIST Opens Updated IoT Security Guidance to Public Review appeared first on SecurityWeek.

A 21-year-old using the alias "Snoopy" was sentenced to 18 months in prison for his role in hacking DraftKings accounts in the November 2022 cyberattack. [...]

New details have been revealed on how hackers exploited a Cisco Catalyst SD-WAN vulnerability tracked as CVE-2026-20245 in zero-day attacks to create rogue root accounts on targeted devices. [...]

A malicious Microsoft Edge extension dubbed 'Edgecution' has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor. [...]

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of hackers actively exploiting flaws in Ubiquity UniFi OS and Lantronix serial-to-ethernet servers. [...]

Microsoft, Europol, and international partners have disrupted infrastructure used by the Amadey and StealC malware operations as part of Operation Endgame, which targets cybercriminal services and ransomware gangs. [...]